 
From: Marcus Karlsson (sypoxswip.net)
Date: Fri Aug 03 2001 - 10:36:15 CDT


    Hm, I'm a hopeless poster, I just noticed: the correct way to handle this
    is, for example, by using the following bat-file in your corresponding
    IIS-Log directory:

    @echo off
    echo.
    echo this will take a while...
    echo.
    echo Scanning 2001-08-XX
    echo.
    rem one result file per month; /I = case-insensitive, /N = print line numbers
    echo Search for Code Red: 2001-08-XX And found the Following Entries: > aug_worm_search.txt
    for %%f in (EX0108*.*) do find /I /N "default.ida" %%f >> aug_worm_search.txt
    echo.
    echo Scanning 2001-06-XX
    echo.
    echo Search for Code Red: 2001-06-XX And found the Following Entries: > jun_worm_search.txt
    for %%f in (EX0106*.*) do find /I /N "default.ida" %%f >> jun_worm_search.txt
    echo.
    echo Scanning 2001-07-XX
    echo.
    echo Search for Code Red: 2001-07-XX And found the Following Entries: > jul_worm_search.txt
    for %%f in (EX0107*.*) do find /I /N "default.ida" %%f >> jul_worm_search.txt
    echo done...
    pause

    sorry about all these postings

    /Best Regards, Marcus

    -----Original Message-----
    From: Marcus Karlsson [mailto:sypoxswip.net]
    Sent: Friday, August 03, 2001 4:48 PM
    To: Focus on Microsoft Mailing List (FOCUS-MSSECURITYFOCUS.COM)
    Subject: RE: Searching for Code Red Log-Entries

    Looks like I've been mistaken, the correct way would be to search for
    the string default.ida, wouldn't it?

    /Marcus Karlsson

    -----Original Message-----
    From: Marcus Karlsson [mailto:sypoxswip.net]
    Sent: Friday, August 03, 2001 10:45 AM
    To: Focus on Microsoft Mailing List (FOCUS-MSSECURITYFOCUS.COM)
    Subject: Searching for Code Red Log-Entries

    I'm just wondering if the correct procedure for investigating your logs
    for attempts by the CR-worm would be something like a cmd line:

    find /C /I "80 GET /x.ida" EX0106*.* > found_entries.txt
    and of course:
    find /C /I "80 GET /x.ida" EX0107*.* >> found_entries.txt

    I don't have an IDS or such, but I'm correctly patched, so please don't
    just post links to MS-Bulletin #033. =) All other feedback and ideas
    for a smoother way to handle this are more than welcome.

    The reason why I ask is because there is a huge amount of data to work
    through, and I don't want to have a machine chopping through all these
    logs and later find out that I searched for the wrong signature.

    /Marcus Karlsson - SysAdminSWIPNET
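The thread settles on grepping the IIS logs for the string default.ida. As an added example that is not part of the original posts, the script below does the same job in Python instead of a batch loop, but parses the W3C extended format (the EX*.log files IIS 5 writes, with a #Fields: header) so that the match is made on the cs-uri-stem column only and hits can be counted per source IP. The sample log, the file name EX010801.log and the truncated query strings are constructed for the demo; the worm's real request payload is not reproduced.

```python
"""Scan IIS W3C-extended log files for requests to default.ida.

Added example, not code from the mailing-list thread. Assumptions:
  * log files are W3C extended format with a "#Fields:" header line
  * a hit is any request whose cs-uri-stem ends in "default.ida",
    compared case-insensitively like "find /I"
"""
import glob
import os
import tempfile
from collections import Counter

NEEDLE = "default.ida"

# Constructed sample log (not a real capture). Query strings are shortened
# placeholders, not the actual worm payload.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-01 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-01 00:00:01 192.0.2.10 GET /default.ida NNNNNNNN%u9090 200
2001-08-01 00:00:05 192.0.2.20 GET /index.html - 200
2001-08-01 00:01:00 192.0.2.10 GET /Default.IDA XXXXXXXX%u9090 404
2001-08-01 00:02:00 192.0.2.30 GET /scripts/default.ida.txt - 404
"""


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header: columns cannot be mapped
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip it
        yield dict(zip(fields, parts))


def is_code_red_hit(entry):
    """True when cs-uri-stem ends in default.ida, regardless of case."""
    return entry.get("cs-uri-stem", "").lower().endswith(NEEDLE)


def scan_logs(paths):
    """Scan the given log files; return (total hits, Counter of c-ip -> hits)."""
    per_ip = Counter()
    total = 0
    for path in paths:
        with open(path, encoding="latin-1", errors="replace") as fh:
            for entry in parse_w3c(fh):
                if is_code_red_hit(entry):
                    total += 1
                    per_ip[entry.get("c-ip", "?")] += 1
    return total, per_ip


def scan_month(log_dir, yymm):
    """Mirror the batch loop's EX<yymm>*.* pattern, e.g. yymm='0108' for August 2001."""
    pattern = os.path.join(log_dir, f"EX{yymm}*.log")
    return scan_logs(sorted(glob.glob(pattern)))


def demo():
    """Write the constructed sample into a temp dir and scan it; returns (total, per_ip dict)."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "EX010801.log"), "w") as fh:  # constructed file name
            fh.write(SAMPLE_LOG)
        total, per_ip = scan_month(tmp, "0108")
    return total, dict(per_ip)


if __name__ == "__main__":
    hits, by_ip = demo()
    print(f"default.ida hits: {hits}")
    for ip, n in sorted(by_ip.items(), key=lambda kv: -kv[1]):
        print(f"  {ip:15} {n}")
```

Matching on the stem column rather than the whole line is deliberate: `find /I "default.ida"` would also fire on a query string or referrer that happens to contain the text, while the stem check keeps only actual requests for that resource (the sample's `/scripts/default.ida.txt` line is therefore not counted). Per-IP totals are what you want to hand on to whoever owns the source ranges.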