Focus on Microsoft
RE: code red---- on system that is already (and has been) patched Mar 04 2003 04:17PM
Dill, Stephen (SDill MassMutual com)
The utility is just a quick and easy way to see if a system is vulnerable.
If the app running on the server doesn't use .ida or .idq, then go ahead and
disable them.

-----Original Message-----
From: H C [mailto:keydet89 (at) yahoo (dot) com [email concealed]]
Sent: Tuesday, March 04, 2003 10:58 AM
To: Dill, Stephen; 'Mike Heitz'; Sandy Ryan; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: code red---- on system that is already (and has been)
patched

Just out of curiosity, why use a utility that you have
to download, when all you have to do is disable the
.ida and .idq script mappings? Are you really using
them?

--- "Dill, Stephen" <SDill (at) MassMutual (dot) com [email concealed]> wrote:
> In a nutshell, if a 200 reply was logged for a "code
> red" request, then your
> server received the request and processed it as a
> vulnerable system should.
>
> Symantec has a little utility (I don't work for
> them. Just a happy user.)
> that will check for the vulnerability and if found
> to be vulnerable, look
> for the worm.
>
> http://www.sarc.com/avcenter/fixcodered.zip
>
> If system is found to be vulnerable, I suggest
> disconnect, clean (if
> infected), patch, reboot, check again, and if
> everything looks good,
> reconnect.
>
> -----Original Message-----
> From: Mike Heitz [mailto:mikeheitz (at) upshotmail (dot) com [email concealed]]
> Sent: Monday, March 03, 2003 2:30 PM
> To: Sandy Ryan; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: code red---- on system that is already
> (and has been)
> patched
>
>
> I'm not 100% sure Sandy, but when I see Code Red
> hits (my server is
> patched, and patched on top of patched...) I see a
> 404 reply instead of
> a 200...
>
> mike heitz ** sr it manager ** UPSHOT
> 312-943-0900 x5190
>
> -----Original Message-----
> From: Sandy Ryan [mailto:sryan (at) seewolf (dot) com [email concealed]]
> Sent: Monday, March 03, 2003 10:47 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: code red---- on system that is already (and
> has been) patched
>
>
>
> well - I doubt that the log is right - because I think the 200 implies
> that it's not infected - but when my customer sees his report - and path
> taken through the site he sees worm.com
>
> here's the log (simplified to get through the moderator)
>
> GET /default.ida
> NN----NN%u9090%u6858%ucbd3%u7801...%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 0 206 4039 266 HTTP/1.0 [you know the url]- - -
>
>
>
> ------------------------------------------------------------------------------
> This e-mail transmission may contain information
> that is proprietary, privileged and/or confidential
> and is intended exclusively for the person(s) to
> whom it is addressed. Any use, copying, retention or
> disclosure by any person other than the intended
> recipient or the intended recipient's designees is
> strictly prohibited. If you are not the intended
> recipient or their designee, please notify the
> sender immediately by return e-mail and delete all
> copies.
>
>
>
> ==============================================================================
>



[ reply ]
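
Added example (not part of the thread, and not the Symantec utility mentioned in it): a Python triage of IIS W3C extended logs that lists every .ida/.idq request, labels Code Red-style requests by the status codes the participants compare (200 versus 404), and marks ordinary Index Server requests, which bears on whether the script mappings are in use at all. The sample log, the choice of fields and the verdict labels are constructed for illustration.

```python
import re

# Constructed sample in IIS W3C extended log format (not the poster's log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-03-03 10:41:07 192.0.2.10 GET /default.ida NNNNNNNN%u9090%u6858%ucbd3%u7801=a 200
2003-03-03 10:44:52 192.0.2.77 GET /default.ida NNNNNNNN%u9090%u6858%ucbd3%u7801=a 404
2003-03-03 10:45:10 192.0.2.20 GET /index.html - 200
2003-03-03 10:46:33 192.0.2.31 GET /search.idq CiRestriction=patch 200
"""

INDEX_EXT = re.compile(r"\.(ida|idq)$", re.IGNORECASE)
# Long N/X filler followed by %uXXXX words, as in the request quoted in the thread.
PROBE_QUERY = re.compile(r"^[NX]{8,}(%u[0-9a-fA-F]{4})+")

def parse_w3c(text):
    """Yield one dict per request, using the column order from '#Fields:'."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def triage(text):
    """Return (client, uri, status, verdict) for every .ida/.idq request."""
    results = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if not INDEX_EXT.search(stem):
            continue
        status = rec.get("sc-status", "")
        if PROBE_QUERY.match(rec.get("cs-uri-query", "")):
            # Labels follow the thread's rule of thumb: 200 = processed, 404 = not.
            verdict = {"200": "probe-served-review-host",
                       "404": "probe-not-found"}.get(status, "probe-other-status")
        else:
            verdict = "mapping-in-use"  # ordinary Index Server request
        results.append((rec.get("c-ip", "-"), stem, status, verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
```

If the output contains no "mapping-in-use" rows over a representative period, nothing in the log is relying on the .ida/.idq mappings.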


 
