clutch 1 Posted August 2, 2001 Anybody here getting probed yet? My server at home got hit 4 times today (that I know of). I just started playing with ODBC logging to SQL so I could generate reports regarding usage, when I noticed this nice new "parameters" field that I have never bothered with before. Well, the reason why I noticed is that there are a bunch of "N"s followed by a specific series of characters. In addition, all four IPs were IIS boxes (1 from Spain, 2 from The Netherlands, and 1 from South Korea), all four were looking for the same file, and all four passed the same amount of info (via the parameter string, I imagine). I just wondered how many others have been swept here. Share this post Link to post
CUViper 0 Posted August 2, 2001 I work at an isp, and today we were logging code red probes on our servers about every 15 seconds.... pretty insane... Share this post Link to post
clutch 1 Posted August 2, 2001 Ouch. Still kinda hard to believe that so much havoc can be averted with a patch that doesn't even require a reboot (at least in Win2K anyway). Share this post Link to post
Brian Frank 0 Posted August 2, 2001 I got Win2k at home and grabbed that patch ASAP. I guess it's nowhere near as bad as for a server--which I have no clue how bad it must be for you guys. Whew! Disaster avoided...for now. ;( Share this post Link to post
Toby 0 Posted August 2, 2001 No reboot eh? You lucky bastard I've been patching 50+ servers and only a few Win2kSP1 managed to take the patch without reboot. All with NT4 and Wink2SP2 I had to reboot. The funny thing is that I was thinking about patching about 10 but when I ran the CodeRed-scanner it was over 50 boxes with IIS running 8) If any of you want the app I was talking about send me a mail. Just type a range of ip:s and the app will scan them for unpatched IIS-boxes, great for a large network. /Toby Share this post Link to post
clutch 1 Posted August 2, 2001 That's odd, Toby. I patched 5 servers running Win2K SP2, and none of them needed the reboot. Also, you will be getting an email from me. Share this post Link to post
Ge0ph 0 Posted August 2, 2001 The patch requires at least SP1 and if you don't have that then you will need a reboot. However none of mine needed are reboot for just the patch. Share this post Link to post
clutch 1 Posted August 2, 2001 Cool, I thought I was going crazy for a moment there. Share this post Link to post
waddy 0 Posted August 2, 2001 i downloaded and installed SP2 about a week ago ... yesterday i downloaded the patch for Code Red and it says i dont need it >?? is that right ? Share this post Link to post
Toby 0 Posted August 2, 2001 Quote: Cool, I thought I was going crazy for a moment there. Now it's me feeling like that, wondering why I had to reboot I got the option to reboot later but did'nt wait. Anyway I have checked them all after reboot and the patch worked so it's safe....for now Clutch you got mail... Waddy, thats strange. Have you stopped the IIS-service, not that should matter it should install anyway... /Toby Share this post Link to post
Toby 0 Posted August 2, 2001 While we're in the subject of pathing.. Go this site and dowload the trail *NOW* !! This is one of the best products I have ever used and I'll keep telling that to my boss until I get money for licenses And no, I don't work for them http://www.stbernard.com/products/updateexpert/products_updateexpert.asp /Toby Share this post Link to post
cablehog 0 Posted August 28, 2001 Be warned! I too downloaded the Microsoft patch from their site the first day they offered it, but unfortunately, they came out with another one down the road because the first one didn't work. Go figure, here I was thinking, "Yeah, go ahead with your Code Red crap" and it turned out that I wasn't protected. Oh well. Just wanted to give a heads up! Share this post Link to post
HELLBRINGER 0 Posted September 6, 2001 i get over 200 hits a day by it on my megabytemike.com server... damn that thing to hell... but i hate IIS and dont use it so it h as not caused any problems yet except for the annoying norton antivirus popping up every 5 seconds "YOU GOT THE CODE RED WORM!!!!!" lol so annoying... how we rid of this thing anyway without restarting? i have an uptime of 47 days and i'd like to keep it that way. Share this post Link to post
clutch 1 Posted September 6, 2001 Install the patch, then reboot. That should clear it out and keep it from coming back. In addition, if you are infected you are generating a ton of traffic and would be in fact, part of the problem rather than the solution. Also, CRII "installs" a backdoor that allows people to use your server for other tasks, and there are automated tools out there that will scan for these servers that are infected. So, it would be prudent to install the patch and reboot. Share this post Link to post
ftmiranda 0 Posted September 7, 2001 Quick question.... This RED CODE just affect Windows 2000 Server? or the PRO as well? Share this post Link to post
clutch 1 Posted September 7, 2001 Short answer; it affects Pro as well. Long answer: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-033.asp Share this post Link to post
clutch 1 Posted September 7, 2001 Also, here is a tool for those that have been infected, but you should read the "CAUTIONS" section of this page. It points out that there may be other effects of these worms that may not be easily spotted. http://www.microsoft.com/technet/treevie...ools/redfix.asp Share this post Link to post
kgeissler 0 Posted September 17, 2001 Here is a sample from my IIS 5 Log: 2001-09-17 01:34:10 209.39.238.104 - 10.160.20.14 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 3818 63 HTTP/1.0 - - - - Does this mean I am infected by the Code Red, or I am just being probbed? I have these sporatically in my IIS Log. I ran symantec's tool to check and see if I have the code red, but it says it didn't detect it. I have installed all the patches and such. TIA Share this post Link to post
clutch 1 Posted September 18, 2001 That just means you are getting probed. If you use the IIS tool "URLScan", it will actually refer the incoming request against a set of rules, and will simply generate a 404 error and return that to the client. Share this post Link to post
clutch 1 Posted September 19, 2001 Well, it appears that there's another automated tool for attacking web servers. Please look out for anything request is trying to get to the system directory. Atreyu and myself are getting pounded with the $hit out of nowhere, but URLScan has been canning all of the requests on my server. Share this post Link to post
kgeissler 0 Posted September 19, 2001 I was looking through my logs yesterday and found some entries of an IP trying to GET /winnt/cmd.exe and such. It gave them a 404 error. I think that is because we have installed all our patches. Share this post Link to post
Xiven 0 Posted September 19, 2001 Yep, since 13 September we've been getting an insane number of these scans. This kind of thing: 2001-09-19 23:59:40 66.0.101.74 - xx.xx.xx.xx 80 GET /scripts/root.exe /c+dir 404 - 2001-09-19 23:59:40 66.0.101.74 - xx.xx.xx.xx 80 GET /MSADC/root.exe /c+dir 403 - Got 40657 of them in just one day Share this post Link to post
