Doug,

What I've been doing is using Analog to resolve the IP address of the
machine that sent the worm and if it's a recognizable ISP (to me), I send a
message with a copy of the log lines to [EMAIL PROTECTED]. I think all
ISPs have an "abuse@" e-mail address. They in turn notify their customers
that their Web server is infected.

I believe the reason the line appears in the failure report is because it
does not contain any success or failure codes. Many of the lines with these
attacks that I see on my server have a success code of 200 even though I have
the patch installed and the virus is not doing anything to my Web server.
Other times, the log has a failure code of 400. Most of the time, however,
there is no success or failure code. This is how your line appears and
perhaps Analog takes that to mean failure.

You can visit a number of Web sites to learn more about the Code Red virus
(e.g. www.mcafee.com). Such Web sites will tell you how to recognize if the
attack has been successful. Microsoft's web site has the patch for your
Windows machine at www.microsoft.com.

There is also a tool that you can run on your IP address that will tell you
if your Web server has the patch installed or not. I believe this too was at
www.mcafee.com.

I tried to use Analog to build a DNSCACHE file that *only* includes IP
addresses that sent the default.ida line but was not successful. Even when I
excluded everything but default.ida the DNSCACHE file still accumulated
every single IP address in my web log file. I think I missed setting another
option. I was doing this so I could get a list of all infected machines and
send a bunch of e-mails out to ISPs.

I hope this helps.

Richard
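Richard's last paragraph describes the list he was trying to get out of Analog: only the IP addresses that sent a /default.ida request, so that the log lines can be forwarded to each network's abuse contact. The following is an added example, not code from the thread or from Analog, that does the same thing directly on the raw access log. It assumes the log is in Common Log Format, tolerates the truncated lines without a status code that Richard mentions, and records which of the two query variants seen in the thread (the "X" run and the "N" run) each address sent. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access log (Common Log Format); not a real server's log.
# Line 3 is deliberately cut off with no closing quote and no status code,
# which is how Richard describes most of the worm hits appearing in his log.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Aug/2001:12:49:01 -0400] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 123
10.0.0.5 - - [21/Aug/2001:12:52:13 -0400] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 87
192.0.2.77 - - [21/Aug/2001:13:01:44 -0400] "GET /default.ida?NNNNNNNNNN%u9090%u6858%ucbd3
198.51.100.9 - - [21/Aug/2001:13:05:02 -0400] "GET /index.html HTTP/1.1" 200 4521
192.0.2.77 - - [21/Aug/2001:13:10:30 -0400] "GET /default.ida?NNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 123
"""

# Lenient CLF matcher: the closing quote and the status field are optional so
# that a line truncated mid-request still yields the client IP and the target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] "(?P<request>[^"]*)"?'
    r'(?: (?P<status>\d{3}|-))?'
)


def parse_line(line):
    """Return a dict with ip, target, status (None if absent) and whether the
    request is a /default.ida hit, or None if the line is not a CLF entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tokens = m.group('request').split()
    # "GET /path HTTP/1.0" -> /path; a bare "/path" is handled too.
    target = tokens[1] if len(tokens) > 1 else (tokens[0] if tokens else '')
    status = m.group('status')
    if status == '-':
        status = None
    return {
        'ip': m.group('ip'),
        'target': target,
        'status': status,
        'code_red': target.startswith('/default.ida'),
        'variant': query_variant(target),
    }


def query_variant(target):
    """'X' or 'N' depending on which filler run the query starts with,
    matching the two forms quoted in the thread; 'other' for anything else."""
    _, _, query = target.partition('?')
    if query.startswith('X'):
        return 'X'
    if query.startswith('N'):
        return 'N'
    return 'other'


def code_red_sources(log_text):
    """Map each IP that requested /default.ida to its hit count, the query
    variants it sent, and a tally of response codes ('none' when the line
    carried no status at all)."""
    sources = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec['code_red']:
            continue
        entry = sources.setdefault(
            rec['ip'], {'hits': 0, 'variants': set(), 'statuses': Counter()})
        entry['hits'] += 1
        entry['variants'].add(rec['variant'])
        entry['statuses'][rec['status'] or 'none'] += 1
    return sources


def lines_for_ip(log_text, ip):
    """The raw /default.ida log lines from one address, ready to paste into
    the note sent to that network's abuse contact."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec['code_red'] and rec['ip'] == ip:
            out.append(line)
    return out


if __name__ == '__main__':
    for ip, info in sorted(code_red_sources(SAMPLE_LOG).items()):
        print(ip, info['hits'], sorted(info['variants']), dict(info['statuses']))
        for raw in lines_for_ip(SAMPLE_LOG, ip):
            print('   ', raw)
```

The resolved hostname for each address (the step Richard does with Analog's DNS lookup) can be added with `socket.gethostbyaddr`, but that is left out here so the script runs offline; the per-IP line list is the part that goes into the abuse report.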

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Wissam Elassaad
Sent: Tuesday, August 21, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject: Re: [analog-help] default.ida


An attack by the Code Red Worm virus. If you are running IIS then as soon as
you can, install the patch released from Microsoft. However, if you are
running Apache then it is ok, since the virus does not infect Apache
servers. There is a nice script that you can use for Apache in dropping all
this from log files.

If you see /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN

It is also Code Red Worm virus, it is the second generation of it.

Thnx,
Wissam


Doug Nelson [[EMAIL PROTECTED]] wrote:
> Does anybody know what would cause the following to appear in the "Failure
> Report"?
>
> 34: /default.ida
> 34:
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
> 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0
> 078%u0000%u00=a
>
> +------------------------------------------------------------------------
> |  This is the analog-help mailing list. To unsubscribe from this
> |  mailing list, go to
> |    http://lists.isite.net/listgate/analog-help/unsubscribe.html
> |
> |  List archives are available at
> |    http://www.mail-archive.com/[email protected]/
> |    http://lists.isite.net/listgate/analog-help/archives/
> |    http://www.tallylist.com/archives/index.cfm/mlist.7
> +------------------------------------------------------------------------