Thread: Code Red II Attempts

  1. #1

    Code Red II Attempts

    Hello,

    Here's a stupid question...

    I am running Windows 2000 with all the current patches for IIS 5.0. I have been viewing my LogFiles daily and I am seeing almost 2000 hits daily (about 95% from @HOME users) to default.ida. Now when I look at the logs it looks something like this..

    [date/time] [attacker address] default.ida 200

    Now, my question is.. what does that 200 mean after the request? Does that mean the command was successful or did it not go through? I am worried that it could be going through.. I would expect to see 1 of 2 things... either a 404 FILE NOT FOUND or a 500 INTERNAL SERVER ERROR. Yet I see this error code 200.

    My other question is... How come IIS only shows the default.ida part and not the rest of the garbage after it that is actually the executable code to run the worm? I would just like to see what this request looks like and how it is able to cause so much damn damage.

    Thanks!
    Regards,
    Absolut

  2. #2
    Senior Member | Join Date: Jul 2001 | Posts: 196

    Re: Code Red II Attempts

    If you can't see the stuff afterwards, it means you are infected or not patched.



    Originally posted by Absolut
    Hello,

    Here's a stupid question...

    I am running Windows 2000 with all the current patches for IIS 5.0. I have been viewing my LogFiles daily and I am seeing almost 2000 hits daily (about 95% from @HOME users) to default.ida. Now when I look at the logs it looks something like this..

    [date/time] [attacker address] default.ida 200

    Now, my question is.. what does that 200 mean after the request? Does that mean the command was successful or did it not go through? I am worried that it could be going through.. I would expect to see 1 of 2 things... either a 404 FILE NOT FOUND or a 500 INTERNAL SERVER ERROR. Yet I see this error code 200.

    My other question is... How come IIS only shows the default.ida part and not the rest of the garbage after it that is actually the executable code to run the worm? I would just like to see what this request looks like and how it is able to cause so much damn damage.

    Thanks!

  3. #3
    I already downloaded the patch.... I've been patched up since late June so I don't see how I can be infected. How can I tell if I really am infected.. I know I don't have Code Red II because there is no root.exe, etc or anything. And Code Red I can be erased by simply rebooting and I know I've rebooted several times since installing the patch.
    Regards,
    Absolut

  4. #4
    Senior Member | Join Date: Jul 2001 | Posts: 196
    Everyone seems to point to Code Red, so I guess it doesn't matter if you are patched or not, it still shows up in the log files.
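
For anyone reviewing the same kind of log, the sketch below is an added example, not part of the original thread. It tallies requests for default.ida by status code and client, and reports whether any query string was recorded. It assumes the log is in IIS W3C Extended format with a `#Fields:` header; the sample lines, addresses and the `XXXXXXXX` query are constructed placeholders.

```python
from collections import Counter

# Constructed sample in W3C Extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-07 10:01:02 192.0.2.10 GET /default.ida - 200
2001-08-07 10:01:09 192.0.2.11 GET /default.ida XXXXXXXX 200
2001-08-07 10:02:30 198.51.100.7 GET /index.html - 200
2001-08-07 10:03:44 192.0.2.10 GET /default.ida - 200
2001-08-07 10:05:00 203.0.113.5 GET /DEFAULT.IDA - 404
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or damaged lines
                yield dict(zip(fields, values))

def summarize_ida_hits(text, stem="/default.ida"):
    """Count hits on `stem` per status and per client; note logged query strings."""
    by_status, by_client = Counter(), Counter()
    query_logged = 0
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower() != stem:
            continue
        by_status[row.get("sc-status", "?")] += 1
        by_client[row.get("c-ip", "?")] += 1
        # "-" is an empty value; if the cs-uri-query column is absent from
        # #Fields, that field was not selected for logging at all.
        if row.get("cs-uri-query", "-") != "-":
            query_logged += 1
    return {"by_status": dict(by_status),
            "by_client": dict(by_client),
            "query_logged": query_logged}

if __name__ == "__main__":
    report = summarize_ida_hits(SAMPLE_LOG)
    print("status codes :", report["by_status"])
    print("top clients  :", sorted(report["by_client"].items(), key=lambda kv: -kv[1]))
    print("hits with a logged query string:", report["query_logged"])
```

If `query_logged` stays at zero for every hit, check whether `cs-uri-query` appears in the `#Fields:` line before concluding the requests carried no query string.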
