From: akomolafe (deji@prontomail.com)
Date: Fri Aug 17 2001 - 16:00:49 CDT


    Well, you are patched, but patching does NOT stop the worm from probing you.
    It only stops the probe from overflowing your .ida and delivering its
    payload. If you are patched but still have the .ida, .idq .htr (etc) script
    mappings in place, you will still let the worm in. It just wouldn't be able
    to infect you.

    .... and unless you are patched all the way up to the latest "cumulative"
    hotfixes, the original patch still does not kill all of the Code-Red problems.

    HTH

    Deji
    ----- Original Message -----
    From: "Joe Lyman" <JLyman@graphicproducts.com>
    To: <imran@netwave.ca>; <deji@prontomail.com>;
    <focus-virus@securityfocus.com>
    Cc: <focus-ms@securityfocus.com>
    Sent: Friday, August 17, 2001 1:17 PM
    Subject: Re: Infected with code red II ?

    We patched the day the security advisory was released. Our servers have
    always returned 200 - examine the following:

    2001-08-02 02:50:35 IPHERE - IPHERE GET /default.ida
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
    90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
    9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 4039 62
    HTTP/1.0 - - -

    2001-08-17 00:26:25 IPHERE - IPHERE GET /default.ida
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
    90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
    9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 3818 234
    HTTP/1.0 - - -

    The end user/worm gets a page that states:

    "File . Error 0x80040e14 caught while processing query "

    I'll assume our servers are safe, but can anyone confirm that their patched
    (but otherwise unmodified) servers do in fact return anything other than a
    200 range reply? Thanks.

    -Joseph Lyman
    Graphic Products, Inc.
    503-644-5572 ex 5662
    800-788-5572 Toll Free
    jlyman@graphicproducts.com

    >>> "akomolafe" <deji@prontomail.com> 08/17/01 10:36AM >>>
    The 200 looks like the request got in. That is the way I would read it. To
    be certain, look in your IIS log and try to match the date/time in your IIS
    log with the ones in your firewall log. Did the request reach the IIS
    server?

    I would also manually investigate the IIS server for tell-tale signs of the
    Code-RedII just to be sure.

    It seems to me that you are publishing your web service by IP addresses. I
    would suggest you do it by FQDN instead. That way, your firewall will not be
    passing requests that just happen to hit your IP.

    Good luck.
    ----- Original Message -----
    From: "Imran@netwave.ca" <imran@netwave.ca>
    To: <focus-virus@securityfocus.com>
    Cc: <focus-ms@securityfocus.com>
    Sent: Thursday, August 16, 2001 4:43 PM
    Subject: Infected with code red II ?

    > The following is a sample from my IIS 4.0 server (I get the same activity
    > on my IIS 5.0). I have patched the server and I ran the coderedscanner on my
    > server and it showed that the server is clean. I read on this list that a
    > return code of 200 indicates success and if the server is virus proof it
    > should return an error code ... can someone please confirm this and what
    > error code should be returned. What should the log look like if the
    > infection is cleaned up and this is just a probe?
    >
    > best regards
    > Imran.
    >
    >
    > 2001-08-15 09:34:31 BOARDD2 - WEB1 999.999.999.999 GET /default.ida
    >
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    >
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    >
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
    >
    90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
    > 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
    > 2001-08-15 09:57:52 BOARDD2 - WEB1 999.999.999.999 GET /default.ida
    >
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    >
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    >
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
    >
    90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
    > 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
    > 2001-08-15 10:14:51 BOARDD2 - WEB1 999.999.999.999 GET /default.ida
    >
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    >
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    >
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
    >
    90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
    > 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
    > 2001-08-15 11:32:32 BOARDD2 - WEB1 999.999.999.999 GET /default.ida
    >
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    >
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%
    >
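The two points Deji makes in the thread above (a patched server that still carries the .ida script mapping answers the probe with a 200 because the request is handed to the indexing ISAPI handler, and the IIS log itself is where to look) can be checked mechanically over the log. Once the .ida mapping is removed, IIS no longer passes /default.ida to the handler and answers 404 instead, which is what the last sample row below shows. The following is an added example written for this page, not code posted by any participant; the sample log lines are constructed to mirror the shape of the lines quoted in the thread (placeholder addresses, the N/X filler cut short), and the variant labels and the `reached_isapi` field are this example's own naming.

```python
"""
Classify Code Red probes in IIS W3C extended log lines and report whether
the .ida script mapping is still answering them.

Added example for this thread; not code posted by any participant.  The
sample lines are constructed (placeholder addresses, shortened filler) to
mirror the shape of the lines quoted above.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# The worm pads the overflow with a run of one byte ahead of the %u-encoded
# payload: 'N' in the first Code Red, 'X' in Code Red v2 / Code Red II.
# (The label strings are this example's own naming.)
VARIANT_BY_FILLER = {"N": "CRv1", "X": "CRv2/CRII"}

# Query string = filler run, then the %u payload seen in every captured line.
PROBE_QUERY = re.compile(r"^(?P<filler>N{3,}|X{3,})%u9090%u6858%ucbd3%u7801")


@dataclass(frozen=True)
class Probe:
    timestamp: str        # "YYYY-MM-DD HH:MM:SS" as logged
    variant: str          # a value from VARIANT_BY_FILLER
    status: int           # sc-status sent back to the worm
    reached_isapi: bool   # True when IIS handed the request to the .ida handler


def parse_probe(line: str) -> Optional[Probe]:
    """Return a Probe for a Code Red request line, None for anything else.

    Both field layouts in the thread put sc-status right after the query
    string, so the status is located relative to the GET token rather than
    by a fixed column.
    """
    fields = line.split()
    if "GET" not in fields:
        return None
    i = fields.index("GET")
    try:
        stem, query, status = fields[i + 1], fields[i + 2], int(fields[i + 3])
    except (IndexError, ValueError):
        return None
    if stem.lower() != "/default.ida":
        return None
    m = PROBE_QUERY.match(query)
    if m is None:
        return None
    variant = VARIANT_BY_FILLER[m.group("filler")[0]]
    # 200: the .ida mapping is still in place and the handler answered (that
    # is the "0x80040e14 ... processing query" page Lyman describes).
    # 404: the mapping has been removed, so the request never reached it.
    # Neither code says whether the host is patched or already infected.
    return Probe(f"{fields[0]} {fields[1]}", variant, status, status == 200)


def summarize(lines: Iterable[str]) -> Tuple[Counter, bool]:
    """Count probes per (variant, status); flag whether the mapping still answers."""
    counts: Counter = Counter()
    mapping_live = False
    for line in lines:
        probe = parse_probe(line)
        if probe is None:
            continue
        counts[(probe.variant, probe.status)] += 1
        mapping_live = mapping_live or probe.reached_isapi
    return counts, mapping_live


PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
           "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

# Constructed sample lines (not the thread's own): filler cut to 40 bytes,
# client/server addresses replaced with RFC 1918 placeholders.
SAMPLE_LOG = [
    # CRv1 probe against a host whose .ida mapping is still present -> 200
    "2001-08-02 02:50:35 10.0.0.9 - 10.0.0.2 GET /default.ida "
    + "N" * 40 + PAYLOAD + " 200 171 4039 62 HTTP/1.0 - - -",
    # CRII probe, same host -> 200
    "2001-08-17 00:26:25 10.0.0.9 - 10.0.0.2 GET /default.ida "
    + "X" * 40 + PAYLOAD + " 200 171 3818 234 HTTP/1.0 - - -",
    # Imran's field layout (site and computer name before the IP), status last
    "2001-08-15 09:34:31 BOARDD2 - WEB1 999.999.999.999 GET /default.ida "
    + "X" * 40 + PAYLOAD + " 200",
    # Same probe against a host with the .ida mapping removed -> 404
    "2001-08-18 03:11:02 10.0.0.9 - 10.0.0.2 GET /default.ida "
    + "X" * 40 + PAYLOAD + " 404 3 0 15 HTTP/1.0 - - -",
    # Ordinary request, ignored
    "2001-08-18 03:12:44 10.0.0.9 - 10.0.0.2 GET /index.htm - 200 0 1024 5 HTTP/1.0 - - -",
]

if __name__ == "__main__":
    counts, live = summarize(SAMPLE_LOG)
    for (variant, status), n in sorted(counts.items()):
        print(f"{variant:10} status {status}: {n} probe(s)")
    print(".ida mapping still answering probes:", live)
```

Run it against a real ex*.log and the 200 rows tell you the mapping is still live and the probe is reaching the handler; 404 rows mean the mapping has been removed. Neither row says the host is patched or clean, which is why the thread's advice still applies: match the timestamps against the firewall log and inspect the server itself.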