Pantek Library
RE: code red---- on system that is already (and has been) patched

From: Dimitri Limanovski <dlimanov(at)sct.com>
Date: Tue Mar 04 2003 - 09:59:24 EST

HTTP server response code 200 (200-299 actually) is "client request successful". The reason why people are usually getting 404s and 401s in their logs is because the IISLockdown tool removes unwanted ISAPI extensions and extension-related files, like default.ida. If you patch your machine but don't run the IISLockdown tool, the appropriate ISAPI extension DLL is updated; in the Code Red case it's idq.dll. So when the attacker tries to overrun the buffer, the actual HTTP GET request succeeds (hence the HTTP response code 200) but the attack is unsuccessful because the system is patched. Since your client machine is obviously hacked, I suggest you check the machine for damage, install the IISLockdown tool and re-apply all patches.

Thanks,

Dimitri
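
The status-code reasoning in Dimitri's reply, turned into a small log-triage script. This is an added example and not code from the original thread or from anyone on the list; the log lines are constructed here in IIS W3C extended format (not taken from Sandy's report, whose line was simplified for the moderator and would not match the full-filler pattern this script expects), and the verdict labels are names chosen for this example. It flags GET requests for /default.ida carrying the Code Red filler (a run of N's for Code Red I, X's for Code Red II) followed by %u-encoded shellcode, then reports what the status code says: a 200 only shows that the .ida mapping still points at idq.dll and the request reached the extension, a 404 shows the mapping has been removed (IISLockdown or by hand), and a 401 shows the request was rejected before any extension ran. Whether a 200 host was actually compromised cannot be read from the log; that depends on whether the patch was in place.

```python
import re
from collections import Counter

# Constructed sample lines in IIS W3C extended log format (not from the
# original post).  Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-03-03 10:42:11 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a 200
2003-03-03 10:43:05 192.0.2.11 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a 404
2003-03-03 10:44:20 192.0.2.12 GET /default.ida NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a 401
2003-03-03 10:45:00 192.0.2.13 GET /index.html - 200
2003-03-03 10:46:30 192.0.2.14 GET /scripts/root.exe - 404
"""

# Code Red probe: query begins with a long run of 'N' (Code Red I) or 'X'
# (Code Red II) filler and is followed by %u-encoded shellcode.
CODE_RED_QUERY = re.compile(r"^(N{8,}|X{8,}).*%u[0-9a-f]{4}", re.IGNORECASE)

# Verdict names are chosen for this example; the meaning of each code follows
# the explanation in the reply above.
VERDICTS = {
    200: "ida-mapping-present",   # idq.dll handled the request; patched host survives, unpatched host is hit
    404: "ida-mapping-removed",   # .ida no longer mapped (e.g. IISLockdown); idq.dll never saw the request
    401: "auth-required",         # rejected before any ISAPI extension ran
}


def parse_line(line):
    """Parse one W3C extended log line into a dict; None for directives, blanks, short lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time, c_ip, method, stem, query, status = fields
    return {"date": date, "time": time, "c_ip": c_ip, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def is_code_red_probe(entry):
    """True when the entry is a GET for default.ida with the Code Red filler/shellcode query."""
    return (entry["method"] == "GET"
            and entry["stem"].lower().endswith("/default.ida")
            and CODE_RED_QUERY.match(entry["query"]) is not None)


def classify(entry):
    """Map a probe's status code to what it says about the .ida -> idq.dll mapping."""
    return VERDICTS.get(entry["status"], "unexpected-status")


def scan(log_text):
    """Return ([(c_ip, status, verdict), ...] for every Code Red probe, Counter of verdicts)."""
    hits, counts = [], Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or not is_code_red_probe(entry):
            continue
        verdict = classify(entry)
        hits.append((entry["c_ip"], entry["status"], verdict))
        counts[verdict] += 1
    return hits, counts


if __name__ == "__main__":
    hits, counts = scan(SAMPLE_LOG)
    for c_ip, status, verdict in hits:
        print(f"{c_ip}  {status}  {verdict}")
    if counts["ida-mapping-present"]:
        print("\n.ida is still mapped to idq.dll: a 200 only means the extension handled "
              "the request. Remove the mapping (IISLockdown) and confirm the patch level.")
```

Feed it a real IIS log by replacing SAMPLE_LOG with the file contents; the field order must match the #Fields line, so adjust parse_line if your log records more columns.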

From: "Mike Heitz"
Sent: 03/03/2003 02:29 PM
To: "Sandy Ryan"
Subject: RE: code red---- on system that is already (and has been) patched

I'm not 100% sure Sandy, but when I see Code Red hits (my server is patched, and patched on top of patched...) I see a 404 reply instead of a 200...

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----
From: Sandy Ryan [mailto:sryan@seewolf.com]
Sent: Monday, March 03, 2003 10:47 AM
To: focus-ms@securityfocus.com
Subject: code red---- on system that is already (and has been) patched


Well - I doubt that the log is right - because I think the 200 implies that it's not infected - but when my customer sees his report - and path taken through the site he sees worm.com

Here's the log (simplified to get through the moderator):

GET /default.ida
NN----NN%u9090%u6858%ucbd3%u7801...%u9090%u9090%u8190%u00c3%u0003%u8b00%
u531b%u53ff%u0078%u0000%u00=a 200 0 206 4039 266 HTTP/1.0 [you know the url] - - -

Received on Tue Mar 4 10:38:03 2003


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:27 EDT

