Richard,
What Doug saw in his logs were unsuccessful attempts; however, even if the
virus managed to infect the machine, you would see the same results in the logs,
except that when you open IIS you see all vhosts are stopped.
Wissam
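As an added illustration of the log triage Richard describes in the quoted thread below (pulling out only the default.ida requests, noting the status code or its absence, and collecting each sender IP with its log lines for an abuse report), here is a small Python script. It is not from the thread or from Analog; the log lines and IP addresses are constructed samples, and the padding character (N or X) is recorded as seen rather than mapped to a worm generation.

```python
import re

# Constructed sample log lines in Common Log Format (not from the thread).
# The status field is 200, 400 or "-", the three cases Richard reports seeing.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Aug/2001:12:40:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 0
198.51.100.9 - - [21/Aug/2001:12:41:15 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 325
203.0.113.7 - - [21/Aug/2001:12:45:30 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" - -
192.0.2.44 - - [21/Aug/2001:12:46:02 -0400] "GET /index.html HTTP/1.0" 200 1834
"""

# Source IP, request path and status field of a Common Log Format line.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\S+)')
# Any request for /default.ida; the optional query captures the N or X padding run.
DEFAULT_IDA = re.compile(r'^/default\.ida(?:\?(?P<pad>N+|X+))?')

def classify(path):
    """Return 'N-padded', 'X-padded', 'no payload' for default.ida requests, else None."""
    m = DEFAULT_IDA.match(path)
    if not m:
        return None
    pad = m.group("pad")
    if not pad:
        return "no payload"
    return "N-padded" if pad[0] == "N" else "X-padded"

def summarize(log_text):
    """Map each IP that requested /default.ida to its padding, hit count and status codes seen.
    A 200 here only means the server answered; it says nothing about whether the sender
    succeeded against this host, which is why the status is kept rather than interpreted."""
    hits = {}
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        variant = classify(m.group("path"))
        if variant is None:
            continue
        entry = hits.setdefault(m.group("ip"), {"variant": variant, "count": 0, "statuses": set()})
        entry["count"] += 1
        entry["statuses"].add(m.group("status"))
    return hits

def evidence_lines(log_text, ip):
    """Raw default.ida log lines from one IP, the material Richard attaches to an abuse@ report."""
    return [line for line in log_text.splitlines()
            if line.startswith(ip + " ") and classify(CLF.match(line).group("path")) is not None]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info["variant"], info["count"], sorted(info["statuses"]))
```

Feeding Analog's DNSCACHE output through the same summarize step gives the per-ISP list without the "every IP in the log" problem Richard ran into.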
Richard Z. Ward [[EMAIL PROTECTED]] wrote:
> Doug,
>
> What I've been doing is using Analog to resolve the IP address of the
> machine that sent the worm and if it's a recognizable ISP (to me), I send a
> message with a copy of the log lines to [EMAIL PROTECTED] I think all
> ISPs have an "abuse@" e-mail address. They in turn notify their customers
> that their Web server is infected.
>
> I believe the reason the line appears in the failure report is because it
> does not contain any success or failure codes. Many of the lines with these
> attacks that I see on my server have a success code of 200 even though I have
> the patch installed and the virus is not doing anything to my Web server.
> Other times, the log has a failure code of 400. Most of the time, however,
> there is no success or failure code. This is how your line appears and
> perhaps Analog takes that to mean failure.
>
> You can visit a number of Web sites to learn more about the Code Red virus
> (ex. www.mcafee.com). Such Web sites will tell you how to recognize if the
> attack has been successful. Microsoft's web site has the patch for your
> Windows machine at www.microsoft.com.
>
> There is also a tool that you can run on your IP address that will tell you
> if your Web server has the patch installed or not. I believe this too was at
> www.mcafee.com.
>
> I tried to use Analog to build a DNSCACHE file that *only* includes IP
> addresses that sent the default.ida line but was not successful. Even when I
> excluded everything but default.ida the DNSCACHE file still accumulated
> every single IP address in my web log file. I think I missed setting another
> option. I was doing this so I could get a list of all infected machines and
> send a bunch of e-mails out to ISPs.
>
> I hope this helps.
>
> Richard
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Wissam Elassaad
> Sent: Tuesday, August 21, 2001 12:49 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [analog-help] default.ida
>
>
> An attack by the Code Red Worm virus. If you are running IIS then as soon as
> you can, install the patch released from Microsoft. However, if you are
> running Apache then it is ok, since the virus does not infect Apache
> servers. There is a nice script that you can use for Apache in dropping all
> this from log files.
>
> If you see /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN
>
> It is also the Code Red Worm virus; it is the second generation of it.
>
> Thnx,
> Wissam
>
>
> Doug Nelson [[EMAIL PROTECTED]] wrote:
> > Does anybody know what would cause the following to appear in the "Failure
> > Report"?
> >
> > 34: /default.ida
> > 34:
> > /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > XXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
> > 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0
> > 078%u0000%u00=a
> >
> > +------------------------------------------------------------------------
> > | This is the analog-help mailing list. To unsubscribe from this
> > | mailing list, go to
> > | http://lists.isite.net/listgate/analog-help/unsubscribe.html
> > |
> > | List archives are available at
> > | http://www.mail-archive.com/[email protected]/
> > | http://lists.isite.net/listgate/analog-help/archives/
> > | http://www.tallylist.com/archives/index.cfm/mlist.7
> > +------------------------------------------------------------------------