Another noteworthy piece for everyone, if you see an entry like:

http://<whatever>/msadc/root.exe?/c+dir+c:\
http://<whatever>/scripts/root.exe?/c+dir+c:\

in your ISA logs, you've definitely ID'd a CR2-infected machine in the source IP. That's the backdoor it creates for itself (and that the script looks for).

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, August 09, 2001 09:59
Subject: [isalist] RE: More CodeRed Stuff

http://www.ISAserver.org

Hi Greg,

You bet. My logs are loaded with this stuff.

Tom
www.isaserver.org/shinder
Thomas W Shinder, M.D., MCSE, MCT

-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Thursday, August 09, 2001 11:54 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: More CodeRed Stuff

http://www.ISAserver.org

Tom,

One more thing... Looking at this log. Does it mean that the 12.32.141.18 machine is infected and is trying to infect our network?

Thanks

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005

-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Thursday, August 09, 2001 12:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: More CodeRed Stuff

http://www.ISAserver.org

Thanks Tom!

I just don't like to see garbage in my log files and I am also really tired of dealing with this CodeRed crap. I've spent a ton of money and man hours trying to put this ISA server in place. It's nice to see that it is doing its JOB! Just imagine all the wonderful things we all could do if we didn't have to deal with crap like this!

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, August 09, 2001 12:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: More CodeRed Stuff

http://www.ISAserver.org

Hi Greg,

That is correct!

Tom
Thomas W Shinder, M.D., MCSE, MCT

> -----Original Message-----
> From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
> Sent: Thursday, August 09, 2001 11:37 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] More CodeRed Stuff
>
> Going through my logs (Since my reports won't work!)
>
> I'm seeing a number of these connections logged. The 12202 does mean
> that the connection is being refused correct?
>
> 12.32.141.18 anonymous - 2001-08-09 16:30:51
> GATEKEEPER - 12.32.70.211 - - 31 3818
> - - GET
> http://12.32.70.211/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801
> %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00
> c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a - 12202
>
> Greg Foulks, MCP
> NewFound Technologies, Inc.
> http://www.nfti.com
> Email: greg.foulks@xxxxxxxx
> Voice: 614.318.5036
> Fax: 614.318.5005
>
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: greg.foulks@xxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
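The two indicators the thread discusses (the default.ida propagation request Greg pasted, and the root.exe backdoor requests Jim describes) lend themselves to a simple log scan. The following is an added example, not code from the thread or from ISAserver.org: a Python script that reads whitespace-separated ISA web proxy log lines, flags Code Red propagation attempts and Code Red II backdoor probes, and reports per source IP. It assumes, from the shape of the pasted line rather than from ISA documentation, that the first field is the client (source) IP, the requested URL is the field beginning with "http", and the last field is the ISA result code; it follows the thread in treating 12202 as a refused request. The sample log lines are constructed (the X padding is shortened, and the 10.0.0.x addresses are placeholders).

```python
"""Flag Code Red / Code Red II activity in ISA Server web proxy log lines.

Added example, not code from the thread.  Assumed layout (taken from the
pasted log line, not from ISA documentation): client IP first, URL is the
field starting with "http", ISA result code last.  Nothing else is assumed
about field positions.
"""
import re
from collections import defaultdict

# Code Red propagation: GET /default.ida? followed by a long run of X padding
# and %u-encoded payload.  The X count varies between variants, so match on
# the path, a padding run, and at least one %u sequence.
CODERED_PROBE = re.compile(r"/default\.ida\?X{20,}.*%u[0-9a-fA-F]{4}", re.IGNORECASE)

# Code Red II backdoor: root.exe under /scripts or /msadc with a ?/c+ command
# tail.  Per Jim's message, seeing this means the *source* host is infected.
CR2_BACKDOOR = re.compile(r"/(scripts|msadc)/root\.exe\?/c\+", re.IGNORECASE)

# Result code the thread treats as "ISA refused the request".
ISA_REFUSED = 12202

# Constructed sample lines in the shape of the line pasted in the thread.
SAMPLE_LOG = [
    "12.32.141.18 anonymous - 2001-08-09 16:30:51 GATEKEEPER - 12.32.70.211 - - 31 3818 - - GET "
    "http://12.32.70.211/default.ida?" + "X" * 40 + "%u9090%u6858%ucbd3%u7801%u00=a - 12202",
    # Constructed Code Red II backdoor probe (pattern from Jim's message).
    "10.0.0.7 anonymous - 2001-08-09 16:31:02 GATEKEEPER - 12.32.70.211 - - 31 420 - - GET "
    "http://12.32.70.211/scripts/root.exe?/c+dir+c:\\ - 12202",
    # Constructed benign request, should not be reported.
    "10.0.0.9 anonymous - 2001-08-09 16:31:10 GATEKEEPER - 12.32.70.211 - - 31 1200 - - GET "
    "http://12.32.70.211/index.html - 200",
]


def parse_line(line):
    """Return (src_ip, url, result_code), or None if the line is not a proxy hit."""
    fields = line.split()
    if len(fields) < 3:
        return None
    urls = [f for f in fields if f.lower().startswith("http")]
    if not urls:
        return None
    try:
        code = int(fields[-1])
    except ValueError:
        return None
    return fields[0], urls[0], code


def classify(url):
    """Name the Code Red indicator present in a URL, or None for an ordinary request."""
    if CR2_BACKDOOR.search(url):
        return "codered2-backdoor"      # source host is already infected
    if CODERED_PROBE.search(url):
        return "codered-propagation"    # source host is trying to infect us
    return None


def scan(lines):
    """Map each suspicious source IP to its indicators and refused/other counts."""
    report = defaultdict(lambda: {"indicators": set(), "refused": 0, "other": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, url, code = parsed
        kind = classify(url)
        if kind is None:
            continue
        entry = report[src]
        entry["indicators"].add(kind)
        if code == ISA_REFUSED:
            entry["refused"] += 1
        else:
            entry["other"] += 1
    return dict(report)


if __name__ == "__main__":
    for src, info in sorted(scan(SAMPLE_LOG).items()):
        print(src, sorted(info["indicators"]),
              "refused=%d other=%d" % (info["refused"], info["other"]))
```

A source that shows the backdoor indicator is worth treating as compromised regardless of whether ISA refused the request; a source that only shows propagation attempts is an infected host elsewhere scanning you, which is what the thread concludes about 12.32.141.18.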