Pantek Library

RE: code red---- on system that is already (and has been) patched

From: Dill, Stephen <SDill(at)MassMutual.com>
Date: Mon Mar 03 2003 - 17:24:42 EST


In a nutshell, if a 200 reply was logged for a "code red" request, then your server received the request and processed it as a vulnerable system should.

Symantec has a little utility (I don't work for them. Just a happy user.) that will check for the vulnerability and, if found to be vulnerable, look for the worm.

http://www.sarc.com/avcenter/fixcodered.zip

If system is found to be vulnerable, I suggest disconnect, clean (if infected), patch, reboot, check again, and if everything looks good, reconnect.

-----Original Message-----

From: Mike Heitz [mailto:mikeheitz@upshotmail.com]
Sent: Monday, March 03, 2003 2:30 PM
To: Sandy Ryan; focus-ms@securityfocus.com
Subject: RE: code red---- on system that is already (and has been) patched

I'm not 100% sure Sandy, but when I see Code Red hits (my server is patched, and patched on top of patched...) I see a 404 reply instead of a 200...

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----

From: Sandy Ryan [mailto:sryan@seewolf.com]
Sent: Monday, March 03, 2003 10:47 AM
To: focus-ms@securityfocus.com
Subject: code red---- on system that is already (and has been) patched


well - I doubt that the log is right - because I think the 200 implies that it's not infected - but when my customer sees his report - and path taken through the site he sees worm.com

here's the log (simplified to get through the moderator)

GET /default.ida NN----NN%u9090%u6858%ucbd3%u7801...%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 0 206 4039 266 HTTP/1.0 [you know the url]- - -



Received on Tue Mar 4 10:24:56 2003
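
Added example, not part of the thread: a log triage script that applies the 200-versus-404 distinction the posters describe to /default.ida requests. It assumes W3C extended format logs with a #Fields header; the sample lines, the addresses and the verdict wording are constructed for illustration.

```python
import re

# Constructed sample in W3C extended log format (not from the thread's server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-03-03 15:41:07 192.0.2.10 GET /default.ida NNNNNNNN%u9090%u6858%ucbd3 200
2003-03-03 15:52:30 192.0.2.44 GET /default.ida NNNNNNNN%u9090%u6858%ucbd3 404
2003-03-03 16:02:11 192.0.2.7 GET /index.html - 200
2003-03-03 16:05:19 192.0.2.91 GET /default.ida NNNNNNNN%u9090%u6858%ucbd3 500
"""

# Request shape quoted in the thread: a run of N filler characters
# followed by %uXXXX-encoded words in the query string.
PROBE_QUERY = re.compile(r"^N{4,}(%u[0-9a-fA-F]{4})+")


def triage(log_text):
    """Return (c-ip, sc-status, verdict) for each /default.ida probe."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order is defined by the log itself, so read it here.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        if stem != "/default.ida" or not PROBE_QUERY.match(row.get("cs-uri-query", "")):
            continue
        status = row.get("sc-status", "")
        # Verdicts follow the posters' reading of the status code; they are
        # a prompt for follow-up checks, not proof of infection or safety.
        if status == "200":
            verdict = "request was processed: check patch level and scan host"
        elif status == "404":
            verdict = "request was not served"
        else:
            verdict = "review manually"
        hits.append((row.get("c-ip", "?"), status, verdict))
    return hits


if __name__ == "__main__":
    for ip, status, verdict in triage(SAMPLE_LOG):
        print(ip, status, verdict)
```
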

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:27 EDT

