EVERYTHING gets logged.

----- Original Message -----
From: "Chris Haaker" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Monday, August 20, 2001 12:29 PM
Subject: Re: Code red


> This appears in my log just once:
>
> 2001-08-20 16:28:41 61.187.115.20 - 172.17.1.217 80 GET /default.ida
>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
>
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
> 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
>
> Successful? I thought this only showed up in your logs if it *was*
> successful!
>
> TIA.
>
> Chris
> ---------------------------------------------------------
> I was thinking about how people seem to read the Bible a whole lot more as
> they get older, then it dawned on me...they were cramming for their
> finals...
> ---------------------------------------------------------
> ----- Original Message -----
> From: "Andy David" <[EMAIL PROTECTED]>
> To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Sent: Monday, August 20, 2001 1:16 PM
> Subject: RE: Code red
>
>
> > But he's apparently seeing it in the logs as well.
> > Chris, What do the w3svc logs say? Is the attack successful or not?
> > You can test your server here:
> > http://www.eeye.com/html/Research/Tools/codered.html
> >
> >
> >
> >
> > Andy David
> > J Muller International
> >
> >
> >
> >
> > -----Original Message-----
> > From: Bill Kuhn - MCSE [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, August 20, 2001 1:02 PM
> > To: Exchange Discussions
> > Subject: RE: Code red
> >
> >
> > Get rid of the Symantec scanner. My dead grandma has a better chance of
> > telling you accurately whether you have Code Red.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Haaker
> > Sent: Monday, August 20, 2001 11:56 AM
> > To: ExchangeList@swynk
> > Subject: OT: Code red
> >
> >
> > Anyone have an idea that has been working with Code Red?
> >
> > I have a Win2k server that was infected. I re-formatted all hard drives,
> > re-installed OS w/SP2 built-in and patched for CR. Within about 10 minutes I
> > was infected again according to the w3svc log and the Symantec scanner for
> > Code Red.
> >
> > Disconnected from network and did same as above. Ran the patch from a
> > floppy. Re-connected to the network, ran the new MS Security scanner at:
> > www.microsoft.com/technet/mpsa/start.asp and applied all hotfixes there as
> > well. Note: I ran the CR hotfix and rebooted before I ever attached to the
> > network. 1 hour later CR shows up in the w3svc log again and Symantec
> > scanner says I am infected again.
> >
> > Ideas?
> >
> > ---------------------------------------------------------
> > I was thinking about how people seem to read the Bible a whole lot more as
> > they get older, then it dawned on me...they were cramming for their
> > finals...
> > ---------------------------------------------------------
> >
> >
> > _________________________________________________________________
> > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > Archives:               http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > Exchange List admin:    [EMAIL PROTECTED]
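Added example, not part of the original thread: a small Python pass over W3SVC log lines that counts requests matching the pattern quoted above (a .ida request whose query is a long filler run followed by %u escapes), grouped by client IP and status. The field order, the thresholds in the regular expression and the sample lines are assumptions constructed for this example; a match records that the request was received and logged, which is the point of the reply at the top of the thread.

```python
import re
from collections import Counter

# Field order as in the log line quoted in the thread; assumed to be this
# server's W3SVC field selection (extra trailing fields are ignored).
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status")

# 100+ repeats of one filler letter, then at least four %uXXXX escapes.
SIGNATURE = re.compile(r"^([A-Za-z])\1{99,}(?:%u[0-9a-fA-F]{4}){4,}")

def parse_line(line):
    """Return a field dict, or None for '#' directives and short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def is_ida_overflow_probe(entry):
    """True when a .ida request carries the filler-plus-%u query pattern."""
    return (entry["uri_stem"].lower().endswith(".ida")
            and SIGNATURE.match(entry["uri_query"]) is not None)

def summarize(lines):
    """Map each probing client IP to a Counter of the statuses it was sent."""
    hits = {}
    for line in lines:
        entry = parse_line(line.strip())
        if entry and is_ida_overflow_probe(entry):
            hits.setdefault(entry["c_ip"], Counter())[entry["status"]] += 1
    return hits

def _probe(ip, filler, status):
    """Build one constructed probe line (documentation-range addresses)."""
    return (f"2001-08-20 16:28:41 {ip} - 10.0.0.5 80 GET /default.ida "
            f"{filler * 224}%u9090%u6858%ucbd3%u7801%u9090=a {status} -")

# Constructed sample log, not taken from any real server.
SAMPLE = [
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-20 16:20:03 192.0.2.10 - 10.0.0.5 80 GET /default.htm - 200 -",
    _probe("198.51.100.7", "X", 200),
    _probe("203.0.113.9", "N", 404),
    "2001-08-20 16:21:00 192.0.2.10 - 10.0.0.5 80 GET /search.ida q=test 200 -",
    _probe("198.51.100.7", "X", 200),
]

if __name__ == "__main__":
    for ip, statuses in summarize(SAMPLE).items():
        print(ip, dict(statuses))
```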