
RE: code red---- on system that is already (and has been) patched

From: Mike Heitz <mikeheitz(at)upshotmail.com>
Date: Mon Mar 03 2003 - 16:27:15 EST


So, in this instance, since Sandy is seeing a 200 level response, does that mean her system is in fact infected? Wouldn't a 200 level response indicate that the server is responding positively to the query? My 404 leads me to believe that the request is being cut off right there... "sorry pal, page not found"...

Or am I reading this the wrong way?

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----
From: Kurt Keys [mailto:kkeys@sddpc.org]
Sent: Monday, March 03, 2003 3:19 PM
To: focus-ms@securityfocus.com; sryan@seewolf.com; Mike Heitz
Subject: RE: code red---- on system that is already (and has been) patched

On the following web-site a list of HTTP Status codes is found. For a code 200 it says:
200 OK
The request has succeeded. The information returned with the response is dependent on the method used in the request, for example:

GET an entity corresponding to the requested resource is sent in the response;

HEAD the entity-header fields corresponding to the requested resource are sent in the response without any message-body;

POST an entity describing or containing the result of the action;

TRACE an entity containing the request message as received by the end server.

Respectfully,

Kurt M. Keys



Kurt M. Keys
Information Security Specialist
San Diego Data Processing Corporation
858-581-7844
kkeys@sddpc.org

Bill Martin
Information Security Officer
San Diego Data Processing Corporation
858-581-9726
bmartin@sddpc.org

>>> "Mike Heitz" <mikeheitz@upshotmail.com> 03/03/03 11:29AM >>>
I'm not 100% sure Sandy, but when I see Code Red hits (my server is patched, and patched on top of patched...) I see a 404 reply instead of a 200...

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----
From: Sandy Ryan [mailto:sryan@seewolf.com]
Sent: Monday, March 03, 2003 10:47 AM
To: focus-ms@securityfocus.com
Subject: code red---- on system that is already (and has been) patched

well - I doubt that the log is right - because I think the 200 implies that it's not infected - but when my customer sees his report - and path taken through the site he sees worm.com

here's the log (simplified to get through the moderator)

GET /default.ida
NN----NN%u9090%u6858%ucbd3%u7801...%u9090%u9090%u8190%u00c3%u0003%u8b00%
u531b%u53ff%u0078%u0000%u00=a 200 0 206 4039 266 HTTP/1.0 [you know the
url]- - -

Received on Tue Mar 4 10:26:11 2003
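
The thread turns on which status code the server logged for the Code Red request. As an added example (not part of any of the posts), the script below pulls such requests out of an IIS log and tallies them by status so the two cases can be compared side by side. The W3C extended field layout, the sample lines and the matching heuristic are assumptions; the log quoted in the post is simplified and uses a different layout.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C extended format (assumed layout, not the post's log).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-03-03 15:02:11 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a 200
2003-03-03 15:04:40 192.0.2.77 GET /default.ida NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a 404
2003-03-03 15:05:02 198.51.100.4 GET /index.html - 200
2003-03-03 15:09:13 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a 200
"""

# Heuristic for the request shape quoted in the post: a run of one filler
# character followed by %uXXXX-encoded words in the query of an .ida request.
PROBE = re.compile(r"^(.)\1{7,}.*(%u[0-9a-fA-F]{4}){2,}")

def ida_probes(log_text):
    """Yield (client_ip, status) for each .ida request whose query matches PROBE."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column set can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        status = row.get("sc-status", "")
        if not (stem.endswith(".ida") and status.isdigit()):
            continue
        if PROBE.search(row.get("cs-uri-query", "")):
            yield row.get("c-ip", "?"), int(status)

def status_summary(log_text):
    """Count matching probes per HTTP status code."""
    return Counter(status for _, status in ida_probes(log_text))

if __name__ == "__main__":
    for status, count in sorted(status_summary(SAMPLE_LOG).items()):
        print(status, count)
```

The tally only reports what the server logged; it does not by itself decide whether a host is infected.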

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:27 EDT

