Sho did; that's what the "12202" entry is. ISA says "go away boy, ya bother me."

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Mark Strangways" <strangconst@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, August 05, 2001 8:41 AM
Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX

http://www.ISAserver.org

Cool, got hit. I hope ISA blocked it :)

----- Original Message -----
From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, August 05, 2001 11:35 AM
Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX

http://www.ISAserver.org

My log entry:

216.227.101.189, anonymous, -, N, 8/5/2001, 0:25:02, W3ReverseProxy, MIDAS, -, 216.87.141.208, -, 0, 1692, 3818, 0, -, TCP, GET, http://216.87.141.208/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a, -, -, 12202, 0x0, Default rule, -

Thomas W Shinder, M.D., MCSE, MCT

-----Original Message-----
From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Sent: Sunday, August 05, 2001 7:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX

http://www.ISAserver.org

Look for default.ida?XXX for a quick count. 69 against my ISA server so far.

Uses IP addresses, so as long as your web publishing is name based, it'll still go splat. If this guy had been intelligent enough to do reverse DNS lookups, then hit the DNS name, some would wind up getting through, and (presumably :-) go splat against the patch installed.
Or the fact that one has removed the Index Server script mappings, unless one is actually using script mappings. :-)

As usual, Slashdot (http://slashdot.org) has information and lively discussion on this very topic.

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Sunday, August 05, 2001 12:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX

http://www.ISAserver.org

Hi Hugo,

Thanks for the heads-up. I'll look for signs of this in my Web Proxy logs.

Tom
www.isaserver.org/shinder

Thomas W Shinder, M.D., MCSE, MCT

-----Original Message-----
From: Hugo Caye [mailto:Hugo@xxxxxxxxxxxxx]
Sent: Saturday, August 04, 2001 10:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] FW: Alert: New version of Code Red, XXXX

http://www.ISAserver.org

FYI

-----Original Message-----
From: Russ [mailto:Russ.Cooper@xxxxxxxx]
Sent: Sunday, 5 August 2001 00:48
To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
Subject: Alert: New version of Code Red, XXXX

-----BEGIN PGP SIGNED MESSAGE-----

Just a quick FYI, there is a new version of Code Red which appears to be spreading rather rapidly.

- Appears to be a new re-write.
- Drops some sort of remote access trojan.
- Turns off System File Checker (Windows File Protection).
- Moves CMD.EXE to the scripts directory in IIS.
- Looks like the way they make the entry into the code is very different than before.
- If your IDS is looking for "NNNN", forget it (but then you should have been shot if you used this string anyway).

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

p.s. if we don't respond right away it's because we're now going to go and light the fireworks here at my retreat. Might as well have lots of fireworks tonight!
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
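Shayne's "default.ida?XXX" quick count over the Web Proxy log layout Tom pasted, as an added example that is not from the thread: a Python scanner run over constructed sample lines in that 25-field format. The field names, the reading of 12202 as ISA's denial (taken from Jim's remark), and the sample addresses are my assumptions.

```python
import re
from collections import Counter

# Constructed sample log in the 25-field layout of Tom's Web Proxy entry above:
# the first line is adapted from his entry, the rest are made up, and the
# exploit payload is cut down to its first %u token.
SAMPLE_LOG = """\
216.227.101.189, anonymous, -, N, 8/5/2001, 0:25:02, W3ReverseProxy, MIDAS, -, 216.87.141.208, -, 0, 1692, 3818, 0, -, TCP, GET, http://216.87.141.208/default.ida?XXXXXXXXXXXXXXXX%u9090, -, -, 12202, 0x0, Default rule, -
198.51.100.23, anonymous, -, N, 8/5/2001, 0:26:11, W3ReverseProxy, MIDAS, -, www.example.com, -, 80, 15, 320, 4096, http, TCP, GET, http://www.example.com/index.html, text/html, Inet, 200, 0x0, Default rule, -
203.0.113.5, anonymous, -, N, 8/5/2001, 0:27:40, W3ReverseProxy, MIDAS, -, 216.87.141.208, -, 0, 1700, 3818, 0, -, TCP, GET, http://216.87.141.208/default.ida?XXXXXXXXXXXXXXXX%u9090, -, -, 12202, 0x0, Default rule, -
203.0.113.5, anonymous, -, N, 8/5/2001, 0:31:02, W3ReverseProxy, MIDAS, -, www.example.com, -, 80, 40, 3818, 512, http, TCP, GET, http://www.example.com/default.ida?NNNNNNNNNNNNNNNN%u9090, -, Inet, 200, 0x0, Default rule, -
"""

# Field positions as they appear in Tom's entry; the names are my assumed
# mapping onto the ISA Server 2000 Web Proxy log layout.
CLIENT_IP, URI, STATUS = 0, 18, 21
ISA_DENIED = "12202"  # the status Jim reads as ISA refusing the request

# default.ida followed by the worm's filler (X for this variant, N for the
# earlier one Russ mentions) and the start of the %u-encoded block.
CODE_RED = re.compile(r"/default\.ida\?(X+|N+)[^,]*?%u", re.IGNORECASE)
IP_HOST = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def scan(log_text):
    """Return one record per Code Red style request in an ISA-format log."""
    hits = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(", ")]
        if len(fields) != 25:
            continue  # not a Web Proxy line in this layout
        m = CODE_RED.search(fields[URI])
        if m is None:
            continue
        hits.append({
            "source": fields[CLIENT_IP],
            "variant": "XXXX" if m.group(1)[0].upper() == "X" else "NNNN",
            # Shayne's point: the worm asks for an IP literal, so a
            # name-based publishing rule never matches the request.
            "host_is_ip": IP_HOST.match(fields[URI]) is not None,
            "denied": fields[STATUS] == ISA_DENIED,
        })
    return hits


def summarize(hits):
    """Shayne's quick count, plus how many were not denied by ISA."""
    return {
        "total": len(hits),
        "by_source": Counter(h["source"] for h in hits),
        "not_denied": sum(1 for h in hits if not h["denied"]),
    }
```

The last constructed line shows the case Shayne describes: a request sent to the published name rather than the IP literal is not refused by the rule and has to be stopped by the patch or the removed script mapping instead.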