RE: Code Red Sniffer

  • From: "Telecomms" <bvSysAdminsS@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Aug 2001 16:52:58 +0100

Jim
Thanks for the sniffer.
I ran it on my system and it came up with nothing found.
I had patched my servers last week, but had not yet patched for V3.
This morning I found this in the logs:
2001-08-08 11:35:12 217.32.129.249 - 217.32.157.92 80 GET /default.ida
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
2001-08-08 11:35:39 217.32.129.91 - 217.32.157.92 80 GET /default.ida
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

which would lead me to believe that the Server MUST be infected.
I cannot find any trace of the files that are supposed to be on my system,
nor can the sniffer programme.

What caused the entry?
Do I really need to rebuild?

I am fully patched now, but am not sure what to do next.

TIA
Saira
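
Added example, not code from the post or the list: a small Python scanner that applies the signature visible in the log entries above to IIS W3C log lines, flagging /default.ida requests that carry the X padding and the %u9090 payload and counting the hosts that sent them. The log lines inside it are constructed to mirror the post's two entries (X run shortened) plus two benign requests.

```python
import re
from collections import Counter

# Constructed sample in the W3C-style IIS layout seen in the post:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
# The X filler is shortened; the %u fragment and addresses follow the post's two entries.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-08-08 11:35:12 217.32.129.249 - 217.32.157.92 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
2001-08-08 11:35:39 217.32.129.91 - 217.32.157.92 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
2001-08-08 11:36:02 10.0.0.5 - 217.32.157.92 80 GET /index.htm - 200 Mozilla/4.0
2001-08-08 11:36:40 10.0.0.9 - 217.32.157.92 80 GET /default.ida - 404 -
"""

FIELDS = ["date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status"]
X_FILLER = re.compile(r"X{20,}")  # long X run that pads the .ida request


def parse_line(line):
    """Split one space-delimited log line into a dict; None for headers/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_code_red_probe(rec):
    """Match the signature in the post: /default.ida, X padding, %u9090 in the query."""
    if rec["uri_stem"].lower() != "/default.ida":
        return False
    query = rec["uri_query"]
    return bool(X_FILLER.search(query) and "%u9090" in query.lower())


def scan_log(text):
    """Return the parsed records of every probe; c_ip is the host that sent the request."""
    return [rec for rec in map(parse_line, text.splitlines())
            if rec and is_code_red_probe(rec)]


def sources(hits):
    """Count probes per sending host (sc-status is only the HTTP reply code IIS returned)."""
    return Counter(h["c_ip"] for h in hits)
```

Run `scan_log` over a real log file's contents and `sources` over the hits to see which addresses sent the probes and how often.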

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 08 August 2001 07:45
To: [ISAserver.org Discussion List]
Cc: CommuniGate Pro Discussions
Subject: [isalist] Code Red Sniffer
Importance: High