Am I infected?


NightWatcher

Programmer
Jul 8, 2001
95
GB
Hi..

I have just been visited by a worm. Am I infected?

The following are the log lines of the strange visit:

2001-08-01 13:44:07 208.36.124.212 - 0.0.0.0 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 2 - -
2001-08-01 14:31:01 217.0.175.67 - 0.0.0.0 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 2 - -
2001-08-01 14:35:11 195.112.16.172 - 0.0.0.0 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 2 - -
2001-08-01 14:42:03 202.108.221.82 - 0.0.0.0 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 2 - -

Thank you.


NightWatcher
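The log lines above are in the IIS W3C extended format, one request per line with space-separated fields. As an added example (not code from the thread or from anyone posting in it), here is a small Python script that parses lines in that layout and flags the Code Red probe: a request for a .ida or .idq stem whose query string is a long run of one filler letter followed by %uXXXX escapes, exactly the shape shown in the posted lines. The sample log it runs on is constructed for the example (the N-run is shortened, and two harmless lines are added); the column names are the standard IIS field names, and the 13-column default used when no #Fields header is present matches the posted lines.

```python
import re
from collections import Counter
from typing import Dict, Iterator, List, NamedTuple

# Default column layout, used when the log carries no "#Fields:" header.
# It matches the 13 columns of the lines posted in the thread.
DEFAULT_FIELDS = [
    "date", "time", "c-ip", "cs-username", "s-ip", "s-port", "cs-method",
    "cs-uri-stem", "cs-uri-query", "sc-status", "sc-win32-status",
    "sc-bytes", "cs-bytes",
]

# Constructed sample (not the thread's raw log): same layout as the posted
# lines, with the filler run shortened and two benign requests added.
FILLER = "N" * 224
PROBE_QUERY = (
    FILLER
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: " + " ".join(DEFAULT_FIELDS),
    f"2001-08-01 13:44:07 208.36.124.212 - 0.0.0.0 80 GET /default.ida {PROBE_QUERY} 404 2 - -",
    f"2001-08-01 14:31:01 217.0.175.67 - 0.0.0.0 80 GET /default.ida {PROBE_QUERY} 404 2 - -",
    "2001-08-01 14:32:40 192.0.2.10 - 0.0.0.0 80 GET /index.html - 200 0 - -",
    f"2001-08-01 14:35:11 195.112.16.172 - 0.0.0.0 80 GET /DEFAULT.IDA {PROBE_QUERY} 200 0 - -",
    "2001-08-01 14:40:00 192.0.2.11 - 0.0.0.0 80 GET /query.idq CiRestriction=tek 404 2 - -",
])

# A probe query: one letter repeated at least 100 times, then at least three
# %uXXXX escapes somewhere after it. The posted lines use "N" as the filler.
_PROBE_QUERY = re.compile(r"^([A-Za-z])\1{99,}(?:.*?%u[0-9A-Fa-f]{4}){3,}")


class Finding(NamedTuple):
    when: str
    src: str
    stem: str
    status: int


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the column names.

    W3C fields are space-separated and never contain spaces, so a plain
    split is safe. A "#Fields:" header overrides the default layout."""
    fields: List[str] = list(DEFAULT_FIELDS)
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line[:60]}")
        yield dict(zip(fields, values))


def is_code_red_probe(rec: Dict[str, str]) -> bool:
    """True when the request targets the .ida/.idq ISAPI mapping with the
    filler-plus-%u payload shape seen in the posted log lines."""
    stem = rec.get("cs-uri-stem", "").lower()
    if not stem.endswith((".ida", ".idq")):
        return False
    return _PROBE_QUERY.match(rec.get("cs-uri-query", "")) is not None


def find_probes(text: str) -> List[Finding]:
    return [
        Finding(f"{r['date']} {r['time']}", r["c-ip"], r["cs-uri-stem"], int(r["sc-status"]))
        for r in parse_w3c(text)
        if is_code_red_probe(r)
    ]


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Probes per source, plus the ones that did not get a 404.

    The thread's reading is that a 404 means nothing on the server served
    the .ida request. Assumption added here: any other status means some
    handler did process it, so that host is the one to check for the patch."""
    return {
        "per_source": Counter(f.src for f in findings),
        "handled": [f for f in findings if f.status != 404],
    }


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for p in probes:
        print(f"{p.when}  {p.src:<16} {p.stem:<14} status={p.status}")
    report = summarize(probes)
    print("sources:", dict(report["per_source"]))
    print("probes not answered with 404:", len(report["handled"]))
```

Because it falls back to the 13-column layout, the script can be pointed straight at the four lines posted above; each of them is reported as a probe from a distinct source, all answered with 404.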
 
Nightwatcher,

Looks like you have been visited by the "Code Red" worm. If you have not already installed the patch, you may be infected. Rebooting the server should remove it from memory, and applying one of the patches below should prevent you from being reinfected.

Microsoft Windows NT version 4.0:

Microsoft Windows 2000 Professional, Server and Advanced Server:
 
Note that you are only vulnerable if you have Index Server running on IIS (Content Index in the services applet). If there is no Index Server, you have nothing to fear from THIS worm...
 
Well, I tried to apply the patch to the NT 4.0 server and it gave me an error saying that it could not locate the repair.log file in the repair folder. I checked, and the repair.log file is in the WINNT\Repair folder.

Anyone have this problem? How do I know if the patch worked or not?

Winston
 
I don't have the patch, nor will I install it.
MS patches are only good to screw my system up.
I have reinstalled Win2K Server many times over in the past because of those patches and service packs, so on my last reinstallation I chose a no-patch policy, and the server has run fine ever since.
I have developed ways to self-patch, in this case by disabling the Index Service that I don't need and removing the IDA and IDQ ISAPI extensions from IIS, so CODE RED can't exploit them.
I have just realised that the logs actually have a 404 code at the end, which means that the DEFAULT.IDA file it was looking for was not found; in other words, CODE RED won't affect me.

Thank you all.


NightWatcher
 