
RE: code red---- on system that is already (and has been) patched

From: Sandy Ryan <SRyan(at)seewolf.com>
Date: Mon Mar 03 2003 - 19:44:03 EST


Well, this is getting weirder - as the log file says it gets /default.ida - 200 means request complete - wouldn't I find (by doing a system search) default.ida?

Well, I don't.

Other files that are not found when searching:
Root.exe
Admin.dll (in the root directories)
Any .eml or .nws files

And when I ran the Code Red 2 removal tool, it said there was nothing to remove.

There are other logs that showed the system was being scanned looking for /c+ and /cmd.exe, but those had a 404 indicator or a 500; it was only the GET /default.ida that had the 200 indicator, and it happened on one day, 6 times. Since that day it hasn't shown up....

Strange and mysterious.

Thanks for all your help

Sandy Ryan

-----Original Message-----

From: Nunzio Morretti [mailto:nmorretti@mathsoft.com]
Sent: Monday, March 03, 2003 4:18 PM
To: 'Mike Heitz'; Sandy Ryan; 'focus-ms@securityfocus.com'
Subject: RE: code red---- on system that is already (and has been) patched

Response 200 is an "OK-Request completed"


-----Original Message-----

From: Mike Heitz [mailto:mikeheitz@upshotmail.com]
Sent: Monday, March 03, 2003 2:30 PM
To: Sandy Ryan; focus-ms@securityfocus.com
Subject: RE: code red---- on system that is already (and has been) patched

I'm not 100% sure, Sandy, but when I see Code Red hits (my server is patched, and patched on top of patched...) I see a 404 reply instead of a 200...

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----

From: Sandy Ryan [mailto:sryan@seewolf.com]
Sent: Monday, March 03, 2003 10:47 AM
To: focus-ms@securityfocus.com
Subject: code red---- on system that is already (and has been) patched

Well, I doubt that the log is right, because I think the 200 implies that it's not infected. But when my customer sees his report and the path taken through the site, he sees worm.com.

here's the log (simplified to get through the moderator)


GET /default.ida NN----NN%u9090%u6858%ucbd3%u7801...%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 0 206 4039 266 HTTP/1.0 [you know the url] - - -

Received on Tue Mar 4 10:32:47 2003
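Editor's note, added to this archive page and not part of any message in the thread: the log entry quoted above is the standard Code Red probe, a GET for /default.ida with a long run of N (or X) characters followed by a %u-encoded payload. Two points the thread circles around can be checked mechanically. First, "default.ida" is the URI the worm requests, not a file the worm writes, so a disk search for it proves nothing either way. Second, the status code records how IIS answered that one request: a 404 is what a server that no longer maps .ida requests returns, while a 200 shows the request was accepted and completed, which is worth following up but is not by itself evidence that the payload ran. The script below is an added example (my code, not the poster's or SecurityFocus's) that parses W3C extended IIS log text, separates the default.ida probes from the cmd.exe and root.exe traversal scans the poster also mentions, tallies them by status code, and lists the default.ida hits that got a 200 so they can be matched against the dates the poster describes. The field order in the #Fields header and every log line are constructed for illustration; only the "200 0 206 4039 266 HTTP/1.0" shape is taken from the quoted entry.

```python
import re
from collections import Counter

# Constructed sample in the shape of the entry quoted in the thread. The
# #Fields order is an assumption (sc-status sc-win32-status sc-bytes cs-bytes
# time-taken cs-version matches the "200 0 206 4039 266 HTTP/1.0" tail posted);
# the IPs, dates and the cmd.exe/root.exe lines are made up for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version
2003-02-27 03:12:41 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 0 206 4039 266 HTTP/1.0
2003-02-27 03:12:42 192.0.2.10 GET /scripts/root.exe /c+dir 404 3 3387 72 15 HTTP/1.0
2003-02-27 03:12:43 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 500 2 1240 80 31 HTTP/1.0
2003-02-27 03:12:44 192.0.2.11 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a 404 2 3393 4039 16 HTTP/1.0
2003-02-27 03:13:01 192.0.2.12 GET /index.html - 200 0 4521 310 0 HTTP/1.1
"""

# The worm sends GET /default.ida?<NNNN... or XXXX...>%u9090...; IIS logs the
# part after "?" as cs-uri-query, so match the padding run plus a %uXXXX unit.
CODE_RED_QUERY = re.compile(r"^[NX]+.*%u[0-9a-f]{4}", re.IGNORECASE)
# Traversal scans ask for a command shell or a copy of it dropped as root.exe.
TRAVERSAL = re.compile(r"(cmd\.exe|root\.exe)", re.IGNORECASE)


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    entries = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                     # other directives (#Software, #Date)
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()             # W3C values are URL-encoded, no spaces
        if len(parts) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        entries.append(dict(zip(fields, parts)))
    return entries


def classify(entry):
    """Label one entry as a Code Red probe, a traversal scan, or other."""
    stem = entry["cs-uri-stem"].lower()
    query = entry["cs-uri-query"]
    if stem.endswith("/default.ida") and CODE_RED_QUERY.search(query):
        return "code_red_probe"
    if TRAVERSAL.search(stem) or "/c+" in query:
        return "traversal_probe"
    return "other"


def summarize(text):
    """Count (category, sc-status) pairs, e.g. how many default.ida hits got 200."""
    return Counter((classify(e), e["sc-status"]) for e in parse_iis_log(text))


def completed_code_red_hits(text):
    """Code Red probes that IIS answered with 200: the ones worth following up.

    A 200 here means the request completed, not that the payload executed;
    confirm or rule out infection on the host itself, not from the status code.
    """
    return [e for e in parse_iis_log(text)
            if classify(e) == "code_red_probe" and e["sc-status"] == "200"]


if __name__ == "__main__":
    for (category, status), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-16s %s  %d" % (category, status, n))
    for e in completed_code_red_hits(SAMPLE_LOG):
        print("follow up:", e["date"], e["time"], e["c-ip"])
```

Point it at a real log directory by feeding each file's text to summarize(); if the #Fields line in your logs lists the columns in a different order, the parser picks that up from the header and nothing else needs to change. The interesting output is the count of ("code_red_probe", "200") entries and their dates, which is exactly the "6 times on one day, then nothing" pattern the poster describes; a steady stream of 404s for the same request is the expected picture on a patched server.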

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:27 EDT

