Security Incidents mailing list archives

RE: Code Red hits


From: Dave Salovesh <salovesh () ramassociates com>
Date: Wed, 1 Aug 2001 18:24:52 -0400


A server should return 200 if ida.dll is mapped to handle *.ida and ida.dll
is found as expected - patched or not.

A server will return another code in other circumstances - 400 is "Bad
Request" so I'd assume something else went wrong with the attempt.  404 is
"Not Found" (of course) and appears if the *.ida is unmapped or not found.

A server in my block got infected last time (a colo I didn't build, and I
fixed it within an hour of initial infection, so I plead
innocent/ignorant/virtuous).  All logged attacks there returned 200 until
the server was patched.  The colo client has no use for Index Server, so
after the patch I also unmapped its extensions and deleted ida.dll.  Now I
get 404s for -most- of the attempts.

In 200 attempts today across 25 IP addresses (grepping all IIS logs for
"Default.ida") they've all returned 404 -except- 3 attacks where they
returned 400.  The same servers also returned proper 404's for other failed
attempts, so I'm betting the 400s are actual bad requests.  It happens...

-- 
Dave Salovesh
RAM Associates, Inc.
(800) 543-3635
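The log-grepping Dave describes (all IIS logs searched for "Default.ida", then sorted by the status code each attempt got back) is easy to turn into a small script. The following is an added example, not code from either poster: it parses IIS W3C extended log lines using the #Fields directive IIS writes at the top of each log, tallies default.ida requests per source IP by HTTP status, and lists the sources whose probe got a 200 (the case Dave says you see when ida.dll is still mapped, patched or not). The log lines and IP addresses are constructed sample data, and the short "NNNN" query string only stands in for the worm's long request.

```python
"""Summarise Code Red probe attempts (requests for default.ida) from IIS
W3C extended logs, grouped by source IP and HTTP status code.

Constructed sample log (not taken from the thread); the column layout
follows the #Fields directive IIS writes at the top of each log file.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-01 14:02:11 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNN 200
2001-08-01 14:05:43 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNN 404
2001-08-01 14:07:02 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNN 404
2001-08-01 14:09:55 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNN 400
2001-08-01 14:12:30 203.0.113.5 GET /index.html - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) and blank lines
        if fields is None:
            raise ValueError("log line seen before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def summarise_ida_probes(text):
    """Return {client_ip: {status: count}} for requests to default.ida."""
    per_ip = defaultdict(Counter)
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower().endswith("/default.ida"):
            per_ip[rec["c-ip"]][rec["sc-status"]] += 1
    return {ip: dict(codes) for ip, codes in per_ip.items()}


def exposed_hits(summary):
    """Sources whose probe got a 200: the .ida mapping was live at that time."""
    return sorted(ip for ip, codes in summary.items() if "200" in codes)


if __name__ == "__main__":
    summary = summarise_ida_probes(SAMPLE_LOG)
    for ip, codes in sorted(summary.items()):
        print(ip, codes)
    print("200 responses from:", exposed_hits(summary))
```

As the thread itself notes, a 200 on its own does not say whether the server was patched, only that the .ida handler answered; a 404 after unmapping the extension and removing ida.dll is the outcome to expect, and the occasional 400 is worth a second look but is usually just a malformed request.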



-----Original Message-----
From: Michael Tavares [mailto:miketavares () mediaone net]
Sent: Wednesday, August 01, 2001 4:30 PM
To: incidents () securityfocus com
Subject: Re: Code Red hits


This brings up an interesting point.  I was scanning the logs on one of my
servers and came across several attempts; every other attempt is 200, while
the rest are 400's.  Below is 1 of each.  The box is patched (and has been
since MS released the patch).  I have confirmed the patch with the Code Red
Scanner posted by eeye.  Anyone care to explain why this is?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com