RE: Code Red Sniffer

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Aug 2001 13:07:28 -0700

Unfortunately, it's still a guessing game.  CR3 is now in the wild, too.  I
haven't seen the results yet, but they should be very interesting.
If you've never seen any activity, you might be ok.  Keep running the script
over the next few days anyway just to feel better.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Telecomms" <bvSysAdminsS@xxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 11:44 AM
Subject: [isalist] RE: Code Red Sniffer


http://www.ISAserver.org


Jim
But shouldn't I at least find explorer.exe, or root.exe, or some sort of
evidence?
If I have an entry in the IIS logs I would have thought there should be some
physical evidence already on the Server?
I patched the server a week ago, and there were no signs of anything then,
like I say only today did something appear and then I got another patch from
MS.
Does this mean that if anything has happened it is the V3?

Saira
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 08 August 2001 17:18
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Code Red Sniffer



Keep sniffing at least daily.  Code Red hides for at least 24 hours after
infection BEFORE it starts its games.

Jim Harrison
MCP(2K), A+, Network+, PCG



----- Original Message -----
From: "Telecomms" <bvSysAdminsS@xxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 08:52
Subject: [isalist] RE: Code Red Sniffer


Jim
Thanks for the sniffer.
I ran it on my system and it came up with nothing found.
I had patched my servers last week, but had not yet patched for V3.
This morning I found this in the logs:
2001-08-08 11:35:12 217.32.129.249 - 217.32.157.92 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-08 11:35:39 217.32.129.91 - 217.32.157.92 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

which would lead me to believe that the Server MUST be infected.
I cannot find any trace of the files that are supposed to be on my system,
neither can the sniffer programme.

What caused the entry?
Do I really need to rebuild?

I am fully patched now, but am not sure what to do next.

TIA
Saira
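
The two log records quoted above are the classic Code Red probe: a GET for /default.ida whose query is a long run of one filler letter followed by the %u-encoded overflow trigger. The following script is an added example, not the sniffer Jim posted and not part of the original thread: it parses IIS W3C extended log lines (the field layout is the assumed default for IIS 5 with a "#Fields:" header, falling back to that layout when the header is absent), flags such requests, and tallies them per source address. The filler-letter distinction it applies (N for the original Code Red, X for Code Red II) comes from the public analyses of the worms rather than from the thread. The sample log is constructed; the two 217.32.129.x entries mirror the ones Saira quoted, the 10.0.0.x lines are invented. A flagged record shows only that the request reached the server and was logged; it does not by itself establish that the overflow succeeded, which is why the thread calls it a guessing game.

```python
"""Flag Code Red probe requests in IIS W3C extended log text."""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed default IIS 5 W3C extended field layout, used when no "#Fields:"
# header is present in the log text.
DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port",
                  "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
                  "cs(User-Agent)"]

# Query string signature: at least ~100 repeats of a single filler letter,
# then the start of the %u-encoded overflow trigger seen in the logs.
# Filler 'N' = original Code Red (v1/v2), filler 'X' = Code Red II.
CODE_RED_QUERY = re.compile(
    r"^(?P<filler>[NX])(?P=filler){100,}%u9090%u6858%ucbd3%u7801")


@dataclass
class Probe:
    date: str
    time: str
    client_ip: str
    variant: str
    status: str


def classify_query(query):
    """Return the worm variant name for a /default.ida query, or None."""
    m = CODE_RED_QUERY.match(query)
    if not m:
        return None
    return "Code Red II" if m.group("filler") == "X" else "Code Red (v1/v2)"


def parse_iis_log(text):
    """Yield one dict per log record, keyed by W3C field name."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header declares the field order
            continue
        if not line or line.startswith("#"):
            continue                       # blank or other directive line
        values = line.split()
        if len(values) < len(fields):
            continue                       # truncated or malformed record
        yield dict(zip(fields, values))


def find_code_red_probes(text):
    """Return a list of Probe records for every Code Red request in the log."""
    probes = []
    for rec in parse_iis_log(text):
        if rec.get("cs-uri-stem", "").lower() != "/default.ida":
            continue
        variant = classify_query(rec.get("cs-uri-query", ""))
        if variant:
            probes.append(Probe(rec["date"], rec["time"], rec["c-ip"],
                                variant, rec["sc-status"]))
    return probes


def summarize(probes):
    """Count probes per (source address, variant) pair."""
    return Counter((p.client_ip, p.variant) for p in probes)


# Constructed sample log. The 224-character filler length matches the
# records quoted in the thread (three wrapped lines of 76, 76 and 72 X's).
_TRIGGER = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858"
            "%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff"
            "%u0078%u0000%u00=a")
CODE_RED_II_QUERY = "X" * 224 + _TRIGGER
CODE_RED_I_QUERY = "N" * 224 + _TRIGGER
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: " + " ".join(DEFAULT_FIELDS),
    "2001-08-08 11:30:01 10.0.0.5 - 217.32.157.92 80 GET /index.htm - 200 Mozilla/4.0",
    f"2001-08-08 11:35:12 217.32.129.249 - 217.32.157.92 80 GET /default.ida {CODE_RED_II_QUERY} 200 -",
    f"2001-08-08 11:35:39 217.32.129.91 - 217.32.157.92 80 GET /default.ida {CODE_RED_II_QUERY} 200 -",
    f"2001-08-08 11:40:02 10.0.0.9 - 217.32.157.92 80 GET /default.ida {CODE_RED_I_QUERY} 200 -",
    "2001-08-08 11:41:00 10.0.0.5 - 217.32.157.92 80 GET /default.ida foo=bar 404 Mozilla/4.0",
])

if __name__ == "__main__":
    found = find_code_red_probes(SAMPLE_LOG)
    for p in found:
        print(f"{p.date} {p.time} {p.client_ip:15} {p.variant:17} status={p.status}")
    for (ip, variant), n in summarize(found).items():
        print(f"{ip}: {n} x {variant}")
```

Run it against a real log with `find_code_red_probes(open("ex010808.log").read())`; the per-source tally separates a handful of inbound probes from a host that is itself scanning, which would show up as a long burst of outbound /default.ida requests in a sniffer or in the logs of neighbouring servers.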

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 08 August 2001 07:45
To: [ISAserver.org Discussion List]
Cc: CommuniGate Pro Discussions
Subject: [isalist] Code Red Sniffer
Importance: High



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
