Bugtraq mailing list archives

RE: 'Code Red' does not seem to be scanning for IIS


From: Tony Langdon <tlangdon () atctraining com au>
Date: Fri, 20 Jul 2001 09:09:24 +1000

From what I read about the 'Code Red'-worm, it was supposed to be scanning
for IIS-servers. It obviously isn't, I believe it tries to infect
everything they find on port 80, or something as simple as that.

I suspect you're right.  I've noticed exploit attempts on all web servers
here, but only one of them is running IIS.  The IDS has been monitoring a
rapid increase in IIS related attacks, which are presumably related to this
worm.  It started about 2-3 days ago, but the last 24 hours have been
particularly intense.  It's certainly not picky about what servers it will
try and attack (though I can't see the exploits succeeding on the UNIX
Apache servers ;) ).

About three to four days ago, I started to get those default.ida-GETs in
my Apache-logs. I shut down the server as fast as I could, and checked for
outgoing connections from my computer, and then did some research.
I was told that it was an IIS-worm, and that it couldn't affect
Apache-servers, so I was safe. I turned the server back on, and from that
day I have received forty-one attempts.

I've had a lot more than 41.  Every attempt is logged and archived here. 
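
An added example, not part of the original posts: one way to count the default.ida requests discussed above in an Apache access log, per source host and per day. It assumes Common Log Format; the function names, sample lines, addresses, query strings and status codes are constructed for illustration.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

def is_default_ida(request):
    """True if the request line asks for /default.ida, with or without a query."""
    parts = request.split()
    if len(parts) < 2:          # malformed or empty request line such as "-"
        return False
    path = parts[1].split("?", 1)[0]
    # Compare case-insensitively: the probes are aimed at IIS, which ignores case.
    return path.lower() == "/default.ida"

def summarize(lines):
    """Count default.ida requests per source host and per day, and tally statuses."""
    per_host, per_day, statuses = Counter(), Counter(), Counter()
    for line in lines:
        m = CLF.match(line)
        if not m or not is_default_ida(m.group("request")):
            continue
        per_host[m.group("host")] += 1
        per_day[m.group("day")] += 1
        statuses[m.group("status")] += 1
    return per_host, per_day, statuses

# Constructed sample log (documentation-range addresses, placeholder query strings).
SAMPLE = [
    '192.0.2.10 - - [19/Jul/2001:08:14:02 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 205',
    '198.51.100.7 - - [19/Jul/2001:09:30:45 +1000] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.10 - - [20/Jul/2001:01:02:03 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 205',
    '203.0.113.5 - - [20/Jul/2001:02:00:00 +1000] "GET /DEFAULT.IDA HTTP/1.0" 404 205',
    '203.0.113.9 - - [20/Jul/2001:02:10:00 +1000] "GET /docs/default.ida.txt HTTP/1.0" 200 300',
    '203.0.113.9 - - [20/Jul/2001:02:11:00 +1000] "-" 408 -',
]

if __name__ == "__main__":
    hosts, days, codes = summarize(SAMPLE)
    for host, n in hosts.most_common():
        print(f"{host}\t{n}")
    print("per day:", dict(days))
    print("statuses:", dict(codes))
```

A status tally made up only of error codes is consistent with the probes failing on a non-IIS server; any 2xx response to such a request deserves a closer look.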

