RE: default.ida?

2001-08-03 Thread Neil Clark
.ida is part of the indexing service which is vulnerable to the hack via buffer overflow; you should remove the ISAPI filter from the IIS manager configuration ~~ Structure your ColdFusion code with Fusebox. Get the official book at

RE: default.ida?

2001-08-03 Thread Thomas Chiverton
I keep seeing on the log files some default.ida request. are those hacking attempts? what does this file do? If you're running IIS, you're probably in trouble.

RE: default.ida?

2001-08-03 Thread Craig Dudley
Index server, similar to .idq I think. I'm pretty sure that's one of the ways the code red worm tries to get in. We don't use index server here, so we disabled all references to it in IIS application management. -Original Message- From: Michael Lugassy [mailto:[EMAIL PROTECTED]] Sent:

RE: default.ida?

2001-08-03 Thread Steven P. Johnson
Michael, The .ida extension is used as part of Microsoft Indexing Services for IIS. It is currently the focal point for the Code Red worm that is in the press. If you have not patched your server you may want to download the patch from Microsoft and read the associated press release. - Steve

RE: default.ida?

2001-08-03 Thread Edward Chanter
-Original Message- I keep seeing on the log files some default.ida request. are those hacking attempts? what does this file do? YOU ARE INFECTED WITH CODE RED Please shut down your IIS, patch it and then restart! best wishes, -= Ed If you want others to be

Re: default.ida?

2001-08-03 Thread Jochem van Dieten
Michael Lugassy wrote: I keep seeing on the log files some default.ida request. are those hacking attempts? what does this file do? You've got to be kidding. Doesn't Code Red ring any bells? Jochem

Re: default.ida?

2001-08-03 Thread Dirk De Bock
To find that entry in your logs does not mean that you're infected obviously. - Original Message - From: Edward Chanter [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Thursday, August 02, 2001 3:13 PM Subject: RE: default.ida? -Original Message- I keep seeing

RE: default.ida?

2001-08-03 Thread Richard Kuryk
Do you run IIS? If you don't run IIS or have applied the latest MS patches and rebooted you have nothing to worry about. Rich -Original Message- From: Chuck Hergenroeder [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 9:37 AM To: CF-Talk Subject: RE: default.ida? Here

RE: default.ida?

2001-08-03 Thread Thomas Chiverton
Here is my scenario. I view the stats on my web site, and the page requested is default.ida. Now those requests are on my list of error pages not found. Does this mean that I have Code Red, or does this mean that Code Red is trying to get into my system? If it's coming from

RE: default.ida?

2001-08-03 Thread Chuck Hergenroeder
have Code Red, but the patch has already been installed on my server. -Original Message- From: Edward Chanter [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 9:13 AM To: CF-Talk Subject: RE: default.ida? -Original Message- I keep seeing on the log files some

RE: default.ida?

2001-08-03 Thread Carlisle, Eric
That's right (whoops). I'm getting this confused with something else. Not sure if there is a patch for this after all. -Original Message- From: Neil Clark [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 8:52 AM To: CF-Talk Subject: RE: default.ida? .ida is part

RE: default.ida?

2001-08-03 Thread Chuck Hergenroeder
-Talk Subject: RE: default.ida? Here is my scenario. I view the stats on my web site, and the page requested is default.ida. Now those requests are on my list of error pages not found. Does this mean that I have Code Red, or does this mean that Code Red is trying to get into my system

RE: default.ida?

2001-08-03 Thread Edward Chanter
I don't actually think it's hysteria mate, do you want to see a copy of my IDS logs There are a large number of attacks going on as I write this and anyone running an unpatched/unprotected IIS server needs to do something about it asap. best wishes, -= Ed If you want

RE: default.ida?

2001-08-03 Thread Thomas Chiverton
Has the .ida mapping been removed too (that would give you an error like you're seeing)? (YES) Well, guess why your .ida URL fails then?

RE: default.ida?

2001-08-03 Thread Thomas Chiverton
I don't actually think it's hysteria mate, do you want to see a copy of my IDS logs Not really, no. They tend to be boring and full of kidz getting 404's. There are a large number of attacks going on as I write this Woo-wee - where have you been ? An ongoing scan of your system is

Re: default.ida?

2001-08-03 Thread Jochem van Dieten
Edward Chanter wrote: I don't actually think it's hysteria mate, do you want to see a copy of my IDS logs There are a large number of attacks going on as I write this and anyone running an unpatched/unprotected IIS server needs to do something about it asap. So let's establish first

RE: default.ida?

2001-08-03 Thread Dave Watts
I don't actually think it's hysteria mate, do you want to see a copy of my IDS logs There are a large number of attacks going on as I write this and anyone running an unpatched/ unprotected IIS server needs to do something about it asap. I think that Mr. Chiverton's complaint was that

RE: default.ida?

2001-08-03 Thread Dylan Bromby
protect your system. -Original Message- From: Edward Chanter [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 7:03 AM To: CF-Talk Subject: RE: default.ida? I don't actually think it's hysteria mate, do you want to see a copy of my IDS logs There are a large number of attacks

RE: default.ida?

2001-08-03 Thread Carlisle, Eric
Yup. Some hole in IIS that permits viewing the source of ASP pages (wonder if it works for CF as well). There's a patch for it. Search around at http://www.microsoft.com/security/ . Regards, Eric Carlisle -Original Message- From: Michael Lugassy [mailto:[EMAIL

RE: default.ida?

2001-08-03 Thread Edward Chanter
-Original Message- I don't actually think it's hysteria mate, do you want to see a copy of my IDS logs Not really, no. They tend to be boring and full of kidz getting 404's. :-) I did say IDS logs though, they filter out all the crap and only show me the ISAPI Extension

RE: default.ida?

2001-08-03 Thread Tangorre, Mike
, 2001 10:32 AM To: CF-Talk Subject: RE: default.ida? -Original Message- I don't actually think it's hysteria mate, do you want to see a copy of my IDS logs Not really, no. They tend to be boring and full of kidz getting 404's. :-) I did say IDS logs though, they filter out all

RE: default.ida?

2001-08-03 Thread Edward Chanter
193.122.20.5 - Production 193.122.20.8 - Development Why? -Original Message- From: Tangorre, Mike [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 3:34 PM To: CF-Talk Subject: RE: default.ida? whats yur ip? :-) Michael T. Tangorre

RE: default.ida?

2001-08-03 Thread Carlisle, Eric
I apologize for my out of context responses to this issue. Exchange server problems earlier this morning delayed the messages and sent them in the wrong order. :/ Sincerely, Eric Carlisle x4739

RE: default.ida?

2001-08-03 Thread James Maltby
doh! If you didn't have red wormy you'll probably get it now - posting ip's to a chat list - shame on you... ;-) J -Original Message- From: Edward Chanter [mailto:[EMAIL PROTECTED]] Sent: 02 August 2001 15:50 To: CF-Talk Subject: RE: default.ida? 193.122.20.5 - Production

RE: default.ida?

2001-08-03 Thread Neil Clark
you are talking about the .htr bug

RE: default.ida?

2001-08-03 Thread Rich Wild
James! Back to the UK cfug list! do some work! -Original Message- From: James Maltby [mailto:[EMAIL PROTECTED]] Sent: 02 August 2001 15:52 To: CF-Talk Subject: RE: default.ida? doh! If you didn't have red wormy you'll probably get it now - posting ip's to a chat list

RE: default.ida?

2001-08-03 Thread Tangorre, Mike
PROTECTED]] Sent: Thursday, August 02, 2001 10:52 AM To: CF-Talk Subject: RE: default.ida? doh! If you didn't have red wormy you'll probably get it now - posting ip's to a chat list - shame on you... ;-) J -Original Message- From: Edward Chanter [mailto:[EMAIL PROTECTED]] Sent: 02 August

RE: default.ida?

2001-08-03 Thread Richard Kuryk
Your system is Patched! NT 4 system According to the code red scanner. Rich -Original Message- From: Edward Chanter [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 10:50 AM To: CF-Talk Subject: RE: default.ida? 193.122.20.5 - Production 193.122.20.8 - Development Why

RE: default.ida?

2001-08-03 Thread Shawn Grover
server. If it does get in, you'll find IIS will stop responding to page requests after a while. Shawn Grover -Original Message- From: Neil Clark [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 6:52 AM To: CF-Talk Subject: RE: default.ida? .ida is part of the indexing service which

RE: default.ida?

2001-08-03 Thread Carlisle, Eric
1st Ask Why, THEN give info. :) Eric Carlisle -Original Message- From: James Maltby [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 10:52 AM To: CF-Talk Subject: RE: default.ida? doh! If you didn't have red wormy you'll probably get it now - posting ip's

RE: default.ida?

2001-08-03 Thread Stephen Moretti
- From: Edward Chanter [mailto:[EMAIL PROTECTED]] Sent: 02 August 2001 15:50 To: CF-Talk Subject: RE: default.ida? 193.122.20.5 - Production 193.122.20.8 - Development Why? -Original Message- From: Tangorre, Mike [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 3:34

RE: default.ida?

2001-08-03 Thread Jay Sudowski - Handy Networks LLC
: www.handynetworks.com http://www.handynetworks.com - Providing reseller and dedicated Windows 2000 web hosting solutions. -Original Message- From: Jochem van Dieten [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 9:18 AM To: CF-Talk Subject: Re: default.ida? Michael

RE: default.ida?

2001-08-03 Thread Dave Watts
I'm getting quite a few requests like this: 00:38:13 202.109.105.67 GET /default.ida 401 ... Interestingly though, my server is password protected. Does IIS log the request even if the page doesn't exist, and even if it did, couldn't be accessed due to the password protection anyway?

RE: default.ida?

2001-08-03 Thread Edward Chanter
Yeah that's the address of one of Aol's many proxies I think our firewall just blocked a large swathe of Aol users. -Original Message- From: Thomas Chiverton [mailto:[EMAIL PROTECTED]] Sent: 2 August 2001 5:03 PM To: CF-Talk Subject: RE: default.ida? IP: 172.158.23.29

Re: default.ida?

2001-08-03 Thread corrigan
Ok, we get it. It's not wise to post your IP info on a user group, but any IT person with half a brain can get it anyways. I think the horse is dead. Michael Corrigan Programmer

RE: default.ida?

2001-08-03 Thread Bud
On 8/2/01, Stephen Moretti penned: Never put this kind of information out on the list. You are opening yourself up to abuse by the few unscrupulous people on this list... Why? Anyone can get your IP by doing a trace route or nslookup on your domain name. -- Bud Schneehagen - Tropical Web

RE: default.ida?

2001-08-03 Thread James Maltby
there's something SERIOUSLY wrong with your DNS Thomas - I'd sort out that dodgy 10 mate - it's reserved for M$ back-office! :-) J -Original Message- From: Thomas Chiverton [mailto:[EMAIL PROTECTED]] Sent: 02 August 2001 16:47 To: CF-Talk Subject: RE: default.ida? doesn't need me

RE: default.ida?

2001-08-03 Thread Thomas Chiverton
IP: 172.158.23.29 DNS: AC9E171D.ipt.aol.com Looks like a dial-up luser.

RE: default.ida?

2001-08-03 Thread Edward Chanter
Amen! -Original Message- his email domain is cc.uk.com. which i can ping and see the IP 193.122.20.2. so i could do a port scan in that range and see any machine running port 80. so can you explain to us all what he revealed that wouldn't take more than 1 or 2 minutes for

RE: default.ida?

2001-08-03 Thread Daniel Lancelot
that... Dan. -Original Message- From: Stephen Moretti [mailto:[EMAIL PROTECTED]] Sent: 02 August 2001 16:05 To: CF-Talk Subject: RE: default.ida? Might be an idea to go away and change the IP addresses on your servers now and abandon these two for all eternity Never put this kind

RE: default.ida?

2001-08-03 Thread Dylan Bromby
- From: Stephen Moretti [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 8:05 AM To: CF-Talk Subject: RE: default.ida? Might be an idea to go away and change the IP addresses on your servers now and abandon these two for all eternity Never put this kind of information out

RE: default.ida?

2001-08-03 Thread Edward Chanter
Ok, so who is IP: 172.158.23.29 DNS: AC9E171D.ipt.aol.com One of you lot? best wishes, -= Ed If you want others to be happy, practice compassion. If you want to be happy, practice compassion. ~The 14th Dalai Lama

RE: default.ida?

2001-08-03 Thread Tangorre, Mike
. -Original Message- From: Stephen Moretti [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 11:05 AM To: CF-Talk Subject: RE: default.ida? Might be an idea to go away and change the IP addresses on your servers now and abandon these two for all eternity Never put this kind

RE: default.ida?

2001-08-03 Thread Edward Chanter
LOL, like someone on this list couldn't work it out simply by doing a dig on our DNS info based on my email address domain Anyone serious about it doesn't need me or anyone else to tell them my (or your) IP address. Besides, they're public servers and I'd like to see Code Red do anything at

RE: default.ida?

2001-08-03 Thread Edward Chanter
I should hope so too!!! -Original Message- From: Richard Kuryk [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 4:01 PM To: CF-Talk Subject: RE: default.ida? Your system is Patched! NT 4 system According to the code red scanner. Rich -Original Message- From

RE: default.ida?

2001-08-03 Thread James Maltby
Subject: RE: default.ida? LOL, like someone on this list couldn't work it out simply by doing a dig on our DNS info based on my email address domain Anyone serious about it doesn't need me or anyone else to tell them my (or your) IP address. Besides, they're public servers and I'd like to see Code

RE: default.ida?

2001-08-03 Thread Thomas Chiverton
doesn't need me or anyone else to tell them my (or your) IP address. Well, mine's 10.255.x.y so it wouldn't make much difference :_)

Re: default.ida?

2001-08-03 Thread G
wallet. Brian - Original Message - From: Daniel Lancelot [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Thursday, August 02, 2001 10:24 AM Subject: RE: default.ida? Come on - If anyone wanted to get the ip for his live server - all they have to do is: C:\ping www.cc.uk.com

Re: default.ida?

2001-08-03 Thread G
Whomever that was at the time, they'll be something different the next time they log in - Original Message - From: Edward Chanter [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Thursday, August 02, 2001 10:23 AM Subject: RE: default.ida? Ok, so who is IP: 172.158.23.29

RE: default.ida?

2001-08-03 Thread Daniel Kemp
No, anyone running an unpatched/unprotected IIS server on a public network needs to be fired, as they're not doing their job. Actually we have an unpatched (default install) remote box unconnected to the rest of our network put out as a sitting duck, so we can go see what happens to it every few

RE: default.ida? A question

2001-08-03 Thread Bud
On 8/2/01, Dave Watts penned: I think that Mr. Chiverton's complaint was that simply seeing a request doesn't mean that the server is infected. My servers are receiving quite a few of these requests, for example, although they've been patched and don't respond to .ida requests in any case. Hey.

RE: default.ida?

2001-08-03 Thread Jeff Beer
, August 02, 2001 11:18 AM To: CF-Talk Subject: RE: default.ida? sorry for asking!!! I didn't think you'd take me seriously! Wow, I'd change the IPs also; that is good advice. Michael T. Tangorre Web Applications Developer Office Phone

RE: default.ida?

2001-08-03 Thread Dylan Bromby
you mean AOL doesn't assign static IPs to its dial-up users? argh! we've all been had! -Original Message- From: G [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 8:51 AM To: CF-Talk Subject: Re: default.ida? Whomever that was at the time, they'll be something different

RE: default.ida?

2001-08-03 Thread Edward Chanter
]] Sent: 2 August 2001 4:40 PM To: CF-Talk Subject: RE: default.ida? good bit of a boost for your page impressions though (as everyone on the list browses and pings you) eh? ;-) J (our IP is http://194.164.87.20 if anyone wants to have a look!) -Original Message- From: Edward Chanter

RE: default.ida?

2001-08-03 Thread Edward Chanter
-Original Message- While I think it's of utmost importance to patch systems, it's also kinda cool to try and work out the nitty-gritty of what's actually going on. The latest excitement is the h..p://www.worm.com text changing from black to red :) I'm sure people are going to have

RE: default.ida?

2001-08-03 Thread Mark Warrick
, August 02, 2001 9:44 AM To: CF-Talk Subject: RE: default.ida? You had better never give out your FQDN either.. you can find the IP from that pretty easily.. lol Jeff Beer Senior Programmer Architect Hydrogen Media, Inc (727) 530-5500 x303 [EMAIL PROTECTED] -Original Message

RE: default.ida?

2001-08-03 Thread Kevin Gilchrist
Honeypots can be pretty interesting Check out http://project.honeynet.org/ They recorded some IRC conversations too -Original Message- From: Daniel Kemp [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 12:00 PM To: CF-Talk Subject: RE: default.ida? No, anyone running

RE: default.ida?

2001-08-03 Thread Stephen Moretti
Subject: RE: default.ida? his email domain is cc.uk.com. which i can ping and see the IP 193.122.20.2. so i could do a port scan in that range and see any machine running port 80. so can you explain to us all what he revealed that wouldn't take more than 1 or 2 minutes for anyone to figure out

RE: default.ida?

2001-08-03 Thread Dylan Bromby
Message- From: Stephen Moretti [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 9:17 AM To: CF-Talk Subject: RE: default.ida? Well since he posted his IP addresses to this list they have been pinged, tracert'd, checked for code red vulnerability, checked for all the usual CF

RE: default.ida?

2001-08-03 Thread Thomas Chiverton
Actually we have an unpatched (default install) remote box unconnected to the rest of our network put out as a sitting duck, so we can go see what happens to it every few hours, Honey pots rock, but tend to stick out like a sore thumb to anyone seriously trying to breach your network for

RE: default.ida?

2001-08-03 Thread Thomas Chiverton
there's something SERIOUSLY wrong with your DNS Thomas - I'd sort out that dodgy 10 mate - it's reserved for M$ back-office! :-) It is, really is it ? RFCs 1918, 1597 etc. reserves 10.0.0.0 to 10.255.255.255 for Intranet use (i.e. they are internal addresses). It's listed as 'IANA-reserved'