This appears in my log just once:
2001-08-20 16:28:41 61.187.115.20 - 172.17.1.217 80 GET /default.ida
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
successful? I thought this only showed up in your logs if it *was*
successful!
TIA.
Chris
---------------------------------------------------------
I was thinking about how people seem to read the Bible a whole lot more as
they get older, then it dawned on me...they were cramming for their
finals...
---------------------------------------------------------
----- Original Message -----
From: "Andy David" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Monday, August 20, 2001 1:16 PM
Subject: RE: Code red
> But he's apparently seeing it in the logs as well.
> Chris, What do the w3svc logs say? Is the attack successful or not?
> You can test your server here:
> http://www.eeye.com/html/Research/Tools/codered.html
>
>
>
>
> Andy David
> J Muller International
>
>
>
>
> -----Original Message-----
> From: Bill Kuhn - MCSE [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 20, 2001 1:02 PM
> To: Exchange Discussions
> Subject: RE: Code red
>
>
> Get rid of the Symantec scanner. My dead grandma has a better chance of
> telling you accurately whether you have Code Red.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Haaker
> Sent: Monday, August 20, 2001 11:56 AM
> To: ExchangeList@swynk
> Subject: OT: Code red
>
>
> anyone have an idea that has been working with code red?
>
> I have a win2k server that was infected. I re-formatted all hard drives,
> re-installed OS w/SP2 built-in and patched for CR. Within about 10
> minutes I
> was infected again according to the w3svc log and the symantec scanner
> for
> code red.
>
> disconnected from network and did same as above. Ran the patch from a
> floppy. re-connected to the network, ran the new MS Security scanner at:
> www.microsoft.com/technet/mpsa/start.asp and applied all hotfixes there
> as
> well. Note: I ran the CR hotfix and rebooted before I ever attached to
> the
> network. 1 hour later CR shows up in the w3svc log again and symantec
> scanner says I am infected again.
>
> Ideas?
>
> ---------------------------------------------------------
> I was thinking about how people seem to read the Bible a whole lot more
> as
> they get older, then it dawned on me...they were cramming for their
> finals...
> ---------------------------------------------------------
>
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
>
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
