RE: Code Red Sniffer

RE: [isalist] Code Red Sniffer

Keep sniffing at least daily.  Code Red hides for 
at least 24 hours after infection BEFORE it starts its games.

Jim Harrison
MCP(2K), A+, Network+, PCG


  ----- Original Message ----- 
  From: Telecomms 
  To: [ISAserver.org Discussion List] 
  Sent: Wednesday, August 08, 2001 08:52
  Subject: [isalist] RE: Code Red Sniffer


  http://www.ISAserver.org


  Jim 
  Thanks for the sniffer. 
  I ran it on my system and it came up with nothing found. 
  I had patched my servers last week, but had not yet patched for V3. 
  This morning I found this in the logs: 
  2001-08-08 11:35:12 217.32.129.249 - 217.32.157.92 80 GET /default.ida 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
 200 -

  2001-08-08 11:35:39 217.32.129.91 - 217.32.157.92 80 GET /default.ida 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
 200 -

  which would lead me to believe that the Server MUST be infected. 
  I cannot find any trace of the files that are supposed to be on my system, 
neither can the sniffer programme. 

  What caused the entry? 
  Do I really need to rebuild? 

  I am fully patched now, but am not sure what to do next. 

  TIA 
  Saira 

  -----Original Message----- 
  From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
  Sent: 08 August 2001 07:45 
  To: [ISAserver.org Discussion List] 
  Cc: CommuniGate Pro Discussions 
  Subject: [isalist] Code Red Sniffer 
  Importance: High 
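
Added example, not part of the original thread and not the sniffer tool it mentions: a small Python scan that flags web log entries shaped like the two quoted above (a request for an .ida resource whose query is a long run of one padding character followed by %uXXXX escapes) and groups them by client address. The field order is an assumption read off the quoted lines; the sample lines, addresses and padding length are constructed.

```python
import re
from collections import Counter

# Assumed field order, read off the log lines quoted in the thread:
# date time client-ip user server-ip port method uri-stem uri-query status trailing
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "stem", "query", "status", "last")
PAD_RUN = re.compile(r"(.)\1{99,}")        # 100+ repeats of one character
U_TOKEN = re.compile(r"%u[0-9a-fA-F]{4}")  # %uXXXX escapes in the query

def parse_line(line):
    """Split one log line into a dict; None for directives or odd field counts."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(entry):
    """Return a finding if the request matches the padded .ida pattern, else None."""
    pad = PAD_RUN.search(entry["query"])
    tokens = U_TOKEN.findall(entry["query"])
    if not entry["stem"].lower().endswith(".ida") or not pad or not tokens:
        return None
    return {"when": entry["date"] + " " + entry["time"], "client": entry["c_ip"],
            "status": entry["status"], "pad_char": pad.group(1),
            "pad_len": len(pad.group(0)), "u_tokens": len(tokens)}

def scan(lines):
    """Return (findings, Counter of findings per client address)."""
    entries = filter(None, map(parse_line, lines))
    findings = [f for f in map(classify, entries) if f]
    return findings, Counter(f["client"] for f in findings)

# Constructed sample log: documentation-range addresses, shortened query,
# padding length chosen for the example.
PAD = "X" * 224
SAMPLE_LOG = [
    "#Date: 2001-08-08 11:35:00",
    f"2001-08-08 11:35:12 192.0.2.10 - 198.51.100.5 80 GET /default.ida {PAD}%u9090%u6858%ucbd3%u7801=a 200 -",
    f"2001-08-08 11:35:39 192.0.2.11 - 198.51.100.5 80 GET /default.ida {PAD}%u9090%u6858%ucbd3%u7801=a 200 -",
    "2001-08-08 11:36:02 192.0.2.12 - 198.51.100.5 80 GET /default.htm - 200 -",
    "2001-08-08 11:36:40 192.0.2.10 - 198.51.100.5 80 GET /default.ida - 404 -",
]

if __name__ == "__main__":
    hits, by_client = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(dict(by_client))
```

Each finding carries the client address, timestamp and status the server logged for that request, which is the information needed to follow up on the sending hosts.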