RE: Code red
If it gets a not found error, it wasn't successful. It'll appear right after the attempt in your logs.

-Original Message-
From: Chris Haaker [mailto:[EMAIL PROTECTED]]
Posted At: Monday, August 20, 2001 12:37 PM
Posted To: MSExchange Mailing List
Conversation: Code red
Subject: Re: Code red

How do you tell the diff?

- I was thinking about how people seem to read the Bible a whole lot more as they get older, then it dawned on me...they were cramming for their finals... -

- Original Message -
From: Martin Blackstone [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Monday, August 20, 2001 1:31 PM
Subject: RE: Code red

That is just the attempt. Besides, isn't code red asleep right now?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Haaker
Sent: Monday, August 20, 2001 10:29 AM
To: Exchange Discussions
Subject: Re: Code red

This appears in my log just once:

2001-08-20 16:28:41 61.187.115.20 - 172.17.1.217 80 GET /default.ida XX XX XX XX XX XX %u90 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3 %u7801%u90 90%u 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a 200 -

successful? I thought this only showed up in your logs if it *was* successful!

TIA.
Chris

- I was thinking about how people seem to read the Bible a whole lot more as they get older, then it dawned on me...they were cramming for their finals... -

- Original Message -
From: Andy David [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Monday, August 20, 2001 1:16 PM
Subject: RE: Code red

But he's apparently seeing it in the logs as well.

Chris, What do the w3svc logs say? Is the attack successful or not?

You can test your server here: http://www.eeye.com/html/Research/Tools/codered.html

Andy David
J Muller International

-Original Message-
From: Bill Kuhn - MCSE [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 1:02 PM
To: Exchange Discussions
Subject: RE: Code red

Get rid of the Symantec scanner. My dead grandma has a better chance of telling you accurately whether you have Code Red.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Haaker
Sent: Monday, August 20, 2001 11:56 AM
To: ExchangeList@swynk
Subject: OT: Code red

anyone have an idea that has been working with code red? I have a win2k server that was infected. I re-formatted all hard drives, re-installed OS w/SP2 built-in and patched for CR. Within about 10 minutes I was infected again according to the w3svc log and the symantec scanner for code red.

disconnected from network and did same as above. Ran the patch from a floppy. re-connected to the network, ran the new MS Security scanner at: www.microsoft.com/technet/mpsa/start.asp and applied all hotfixes there as well.

Note: I ran the CR hotfix and rebooted before I ever attached to the network. 1 hour later CR shows up in the w3svc log again and symantec scanner says I am infected again.

Ideas?

- I was thinking about how people seem to read the Bible a whole lot more as they get older, then it dawned on me...they were cramming for their finals... -

_
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Re: Code red
The logfiles show the _attempt_ to infect. Symantec's scanner is broken.

- Original Message -
From: Chris Haaker [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Monday, August 20, 2001 12:12 PM
Subject: Re: Code red

It also shows up in the logfiles for w3svc and that is the ultimate tell-tale, right?

- I was thinking about how people seem to read the Bible a whole lot more as they get older, then it dawned on me...they were cramming for their finals... -

- Original Message -
From: Bill Kuhn - MCSE [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Monday, August 20, 2001 1:02 PM
Subject: RE: Code red

Get rid of the Symantec scanner. My dead grandma has a better chance of telling you accurately whether you have Code Red.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Haaker
Sent: Monday, August 20, 2001 11:56 AM
To: ExchangeList@swynk
Subject: OT: Code red

anyone have an idea that has been working with code red? I have a win2k server that was infected. I re-formatted all hard drives, re-installed OS w/SP2 built-in and patched for CR. Within about 10 minutes I was infected again according to the w3svc log and the symantec scanner for code red.

disconnected from network and did same as above. Ran the patch from a floppy. re-connected to the network, ran the new MS Security scanner at: www.microsoft.com/technet/mpsa/start.asp and applied all hotfixes there as well.

Note: I ran the CR hotfix and rebooted before I ever attached to the network. 1 hour later CR shows up in the w3svc log again and symantec scanner says I am infected again.

Ideas?

- I was thinking about how people seem to read the Bible a whole lot more as they get older, then it dawned on me...they were cramming for their finals... -

Re: Code red
EVERYTHING gets logged.

- Original Message -
From: Chris Haaker [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Monday, August 20, 2001 12:29 PM
Subject: Re: Code red

This appears in my log just once:

2001-08-20 16:28:41 61.187.115.20 - 172.17.1.217 80 GET /default.ida %u90 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a 200 -

successful? I thought this only showed up in your logs if it *was* successful!

TIA.
Chris

- I was thinking about how people seem to read the Bible a whole lot more as they get older, then it dawned on me...they were cramming for their finals... -

- Original Message -
From: Andy David [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Monday, August 20, 2001 1:16 PM
Subject: RE: Code red

But he's apparently seeing it in the logs as well.

Chris, What do the w3svc logs say? Is the attack successful or not?

You can test your server here: http://www.eeye.com/html/Research/Tools/codered.html

Andy David
J Muller International

-Original Message-
From: Bill Kuhn - MCSE [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 1:02 PM
To: Exchange Discussions
Subject: RE: Code red

Get rid of the Symantec scanner. My dead grandma has a better chance of telling you accurately whether you have Code Red.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Haaker
Sent: Monday, August 20, 2001 11:56 AM
To: ExchangeList@swynk
Subject: OT: Code red

anyone have an idea that has been working with code red? I have a win2k server that was infected. I re-formatted all hard drives, re-installed OS w/SP2 built-in and patched for CR. Within about 10 minutes I was infected again according to the w3svc log and the symantec scanner for code red.

disconnected from network and did same as above. Ran the patch from a floppy. re-connected to the network, ran the new MS Security scanner at: www.microsoft.com/technet/mpsa/start.asp and applied all hotfixes there as well.

Note: I ran the CR hotfix and rebooted before I ever attached to the network. 1 hour later CR shows up in the w3svc log again and symantec scanner says I am infected again.

Ideas?

- I was thinking about how people seem to read the Bible a whole lot more as they get older, then it dawned on me...they were cramming for their finals... -
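
Added example, not part of the thread: a small triage script that applies the replies' reading of the w3svc log, where a `/default.ida` entry records an attempt and a not-found status means that attempt failed. The field order is assumed from the log line quoted above, 404 is assumed to be the "not found" status, and the sample lines are constructed with documentation addresses.

```python
import re

# Field order assumed from the quoted line:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) \S+ (?P<dst>\S+) (?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})(?: |$)"
)
FILLER_RE = re.compile(r"^(.)\1{49,}")        # long run of one repeated character
UENC_RE = re.compile(r"%u[0-9a-fA-F]{4}")     # %uXXXX-encoded words in the query

FILLER = "X" * 224  # constructed filler, same shape as the request in the thread
SAMPLE_LOG = [      # constructed lines, documentation IP ranges
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    f"2001-08-20 16:28:41 192.0.2.20 - 198.51.100.217 80 GET /default.ida {FILLER}%u9090%u6858%ucbd3%u7801=a 200 -",
    f"2001-08-20 16:41:02 192.0.2.77 - 198.51.100.217 80 GET /default.ida {FILLER}%u9090%u6858%ucbd3%u7801=a 404 -",
    "2001-08-20 16:42:10 203.0.113.5 - 198.51.100.217 80 GET /default.htm - 200 Mozilla/4.0",
]


def scan(lines):
    """Return one record per request that has the Code Red probe shape."""
    hits = []
    for line in lines:
        if line.startswith("#"):          # W3C extended log header lines
            continue
        m = LINE_RE.match(line)
        if not m or m["stem"].lower() != "/default.ida":
            continue
        query = m["query"]
        if not (FILLER_RE.match(query) and UENC_RE.search(query)):
            continue
        status = int(m["status"])
        # Per the thread: the entry is the attempt; not found means it failed.
        verdict = ("attempt rejected (not found)" if status == 404
                   else "attempt logged; status alone does not show infection")
        hits.append({"when": f"{m['date']} {m['time']}", "src": m["src"],
                     "status": status, "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["when"], hit["src"], hit["status"], hit["verdict"])
```
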