RE: More CodeRed Stuff

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 9 Aug 2001 11:33:44 -0700

Another noteworthy piece for everyone, if you see an entry like:
            http://<whatever>/msadc/root.exe?/c+dir+c:\
            http://<whatever>/scripts/root.exe?/c+dir+c:\
in your ISA logs, you've definitely ID'd a CR2-infected machine in the
source IP.  That's the backdoor it creates for itself (and that the script
looks for).

Jim Harrison
MCP(2K), A+, Network+, PCG

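As an added example, not code from Jim's message or anyone else in the thread, here is a small Python scanner that applies the two request shapes quoted in this thread (the default.ida overflow attempt and the root.exe backdoor URLs) to ISA log lines. The sample log lines, their field layout and the indicator names are constructed to mirror Greg's excerpt and are assumptions, not real traffic.

```python
import re
from collections import defaultdict

# Signatures taken from the two request shapes quoted in this thread.
# Code Red v1/v2 propagation: an oversized default.ida request padded with X
# and carrying %u-encoded data.
CR_PROBE = re.compile(r"/default\.ida\?X+%u", re.IGNORECASE)
# Code Red II backdoor: root.exe reachable under /msadc or /scripts.
CRII_BACKDOOR = re.compile(r"/(msadc|scripts)/root\.exe\?", re.IGNORECASE)

# Constructed sample lines (not real traffic) laid out like Greg's excerpt:
# src_ip user agent date time service server ... GET url ... result_code
SAMPLE_LOG = """\
12.32.141.18 anonymous - 2001-08-09 16:30:51 GATEKEEPER - 12.32.70.211 - - 31 3818 - - GET http://12.32.70.211/default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a - 12202
10.0.0.7 anonymous - 2001-08-09 16:31:05 GATEKEEPER - 12.32.70.211 - - 31 3818 - - GET http://12.32.70.211/scripts/root.exe?/c+dir+c:\\ - 12202
10.0.0.7 anonymous - 2001-08-09 16:31:06 GATEKEEPER - 12.32.70.211 - - 31 3818 - - GET http://12.32.70.211/msadc/root.exe?/c+dir+c:\\ - 12202
192.0.2.5 anonymous - 2001-08-09 16:32:00 GATEKEEPER - 12.32.70.211 - - 31 200 - - GET http://12.32.70.211/index.htm - 200
"""

def classify(url):
    """Return the Code Red indicator a logged URL matches, or None."""
    if CRII_BACKDOOR.search(url):
        return "CRII_BACKDOOR"  # source host is already Code Red II infected
    if CR_PROBE.search(url):
        return "CR_PROBE"  # source host is trying to spread Code Red
    return None

def parse_line(line):
    """Return (src_ip, url, result_code) for a request line, else None."""
    fields = line.split()
    if "GET" not in fields or fields.index("GET") + 1 >= len(fields):
        return None
    return fields[0], fields[fields.index("GET") + 1], fields[-1]

def flag_sources(log_text):
    """Map each source IP to the sorted (indicator, ISA result code) pairs it produced."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, url, code = parsed
        tag = classify(url)
        if tag:
            # 12202 is the code the thread identifies as ISA refusing the request.
            hits[src].add((tag, code))
    return {src: sorted(pairs) for src, pairs in hits.items()}
```

Run `flag_sources(SAMPLE_LOG)` to get the source IPs worth chasing, with the root.exe hits being the ones that identify an already-infected host rather than just a probe.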

----- Original Message -----
From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, August 09, 2001 09:59
Subject: [isalist] RE: More CodeRed Stuff


http://www.ISAserver.org


Hi Greg,

You bet. My logs are loaded with this stuff.

Tom
www.isaserver.org/shinder


Thomas W Shinder, M.D., MCSE, MCT



-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Thursday, August 09, 2001 11:54 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: More CodeRed Stuff


Tom,
One more thing...

Looking at this log, does it mean that the 12.32.141.18 machine is
infected and is trying to infect our network?

Thanks

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005


-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Thursday, August 09, 2001 12:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: More CodeRed Stuff


Thanks Tom! I just don't like to see garbage in my log files and I am
also really tired of dealing with this CodeRed crap.
I've spent a ton of money and man hours trying to put this ISA server in
place. It's nice to see that it is doing its JOB!

Just imagine all the wonderful things we all could do if we didn't have
to deal with crap like this!

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005


-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, August 09, 2001 12:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: More CodeRed Stuff


Hi Greg,

That is correct!

Tom

Thomas W Shinder, M.D., MCSE, MCT

> -----Original Message-----
> From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
> Sent: Thursday, August 09, 2001 11:37 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] More CodeRed Stuff
>
> Going through my logs (Since my reports won't work!)
>
> I'm seeing a number of these connections logged. The 12202 does mean
> that the connection is being refused, correct?
>
> 12.32.141.18 anonymous - 2001-08-09 16:30:51
> GATEKEEPER - 12.32.70.211 - - 31 3818
> - - GET
> http://12.32.70.211/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801
> %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00
> c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a - 12202
>
> Greg Foulks, MCP
> NewFound Technologies, Inc.
> http://www.nfti.com
> Email: greg.foulks@xxxxxxxx
> Voice: 614.318.5036
> Fax: 614.318.5005
>

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
greg.foulks@xxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
