Originally posted by Absolut
Here's a stupid question...
I am running Windows 2000 with all the current patches for IIS 5.0. I have been viewing my LogFiles daily and I am seeing almost 2000 hits daily (about 95% from @HOME users) to default.ida. Now when I look at the logs it looks something like this..
[date/time] [attacker address] default.ida 200
Now, my question is.. what does that 200 mean after the request? Does that mean the command was successful or did it not go through? I am worried that it could be going through.. I would expect to see 1 of 2 things... either a 404 FILE NTO FOUND or a 500 INTERNAL SERVER ERROR. Yet i see this error code 200.
My other question is... How come IIS only shows the default.ida part and not the rest of the garbage after it that is actually the executable code to run the worm? I would just like to see what this request looks like and how it is able to cause so much damn damage.