
Am I infected?


NightWatcher

Programmer
Jul 8, 2001
Hi..

I have just been visited by a worm, am I infected?

The following are the log lines of the strange visit:

2001-08-01 13:44:07 208.36.124.212 - 0.0.0.0 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 2 - -
2001-08-01 14:31:01 217.0.175.67 - 0.0.0.0 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 2 - -
2001-08-01 14:35:11 195.112.16.172 - 0.0.0.0 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 2 - -
2001-08-01 14:42:03 202.108.221.82 - 0.0.0.0 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 2 - -

Thank you.


NightWatcher
 
Nightwatcher,

Looks like you have been visited by the "Code Red" worm. If you have not already installed the patch you may be infected. Rebooting the server should remove it from memory and applying one of the patches below should prevent you from being reinfected.

Microsoft Windows NT version 4.0:

Microsoft Windows 2000 Professional, Server and Advanced Server:
 
epohl,
Does this patch work for IIS running on Terminal Server? I attempted to install the patch on my TS and it tells me that it cannot be installed on TS. Should I not run IIS on my TS?

Thanks

david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
I guess the real question is why are you running IIS on TS? I have not seen a patch that mentioned compatibility with TS.
 
Well, it is just an interface to our web e-mail. We have very few (4) people using our TS, so I loaded IIS on it to add some extra services to it. Now I am getting this sinking feeling that is not what I should have done. It's not a major problem to move to another server, but I would like to know if I'm wrong with my configurations...

david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
I just got this one line, is this the worm?
I have all patches.

170.210.161.141, -, 8/1/2001, 13:32:02, W3SVC1, GRIFFINW-OOE2U7, 192.168.0.9, 1693, 4039, 171, 200, 0, GET, /default.ida, NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a,

 
This does not mean you are infected, this is the GET request Code Red will send in an ATTEMPT to infect your server. If you have already applied the patch you should be fine.
 
I don't have the patch, nor will I install it.
MS patches are only good to screw my system up.
I have reinstalled Win2K Server many times over in the past because of those patches and service packs, so on my last reinstallation I chose a no-patch policy, and the server has run fine ever since.
I have developed ways to self-patch myself, in this case by disabling the Index Service, which I don't need, and removing the IDA and IDQ ISAPI extensions from IIS, so CODE RED can't exploit them.
I have just realised that the logs actually have a 404 code at the end, which means that the DEFAULT.IDA file he was looking for was not found; in other words, CODE RED won't affect me.

In WARDO's log entry I don't find the 404 code, which suggests that CODE RED actually found your DEFAULT.IDA, and I don't know what he has done with it, but if you have the MS patch, and your default site and all other sites don't have the 'Hacked by Chinese' sentence, I assume that you are not infected.

Thank you all.


NightWatcher
 
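Added example, not code from the thread or from any of its posters: a small Python scanner that applies the rule the last two replies arrive at, namely that a `GET /default.ida` with the long run of `N`s and the `%u9090%u6858...` payload is the Code Red probe, and that the status code tells you whether it reached the `.ida` ISAPI handler (200) or was turned away because the mapping is gone (404). It accepts both log layouts seen in the thread (the W3C extended lines of the first post and the comma-separated IIS native line of the later one). The field order for each format is assumed from the posted lines, and the sample lines below are constructed to mirror them rather than copied logs. A 200 only tells you idq.dll handled the request; whether that infected the box depends on whether MS01-033 was applied, which the log cannot show.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Signature of the request seen in the thread: stem /default.ida plus a query that is
# a long run of "N" (the overflow filler) followed by the %u-encoded payload words.
# Matching the start of the payload avoids flagging an innocent /default.ida request.
CODE_RED_STEM = "/default.ida"
CODE_RED_QUERY = re.compile(r"^N{100,}%u9090%u6858%ucbd3%u7801")
W3C_DATE = re.compile(r"^\d{4}-\d{2}-\d{2} ")


@dataclass
class Request:
    client_ip: str
    stem: str
    query: str
    status: int


def parse_w3c(line: str) -> Optional[Request]:
    """W3C extended layout as posted (assumed field order):
    date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ..."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        return Request(client_ip=f[2], stem=f[7], query=f[8], status=int(f[9]))
    except ValueError:
        return None


def parse_iis(line: str) -> Optional[Request]:
    """IIS native comma-separated layout as posted (assumed field order):
    c-ip, user, date, time, service, server, s-ip, time-taken, bytes-recv, bytes-sent,
    sc-status, win32-status, method, uri-stem, uri-query"""
    f = [x.strip() for x in line.split(",")]
    if len(f) < 15:
        return None
    try:
        return Request(client_ip=f[0], stem=f[13], query=f[14], status=int(f[10]))
    except ValueError:
        return None


def parse(line: str) -> Optional[Request]:
    """Pick the parser by looking at how the line starts."""
    return parse_w3c(line) if W3C_DATE.match(line) else parse_iis(line)


def is_code_red(req: Request) -> bool:
    return req.stem.lower() == CODE_RED_STEM and bool(CODE_RED_QUERY.match(req.query))


def verdict(req: Request) -> str:
    if not is_code_red(req):
        return "not-code-red"
    if req.status == 404:
        # No .ida mapping: IIS never handed the request to idq.dll, so the overflow
        # had nothing to hit (the NightWatcher configuration).
        return "probe-blocked"
    if req.status == 200:
        # The request was processed by the .ida ISAPI extension. Unpatched: this is the
        # infection itself. Patched: handled safely. The log alone cannot tell which.
        return "handler-reached"
    return "other-status"


def scan(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (client_ip, status, verdict) for every Code Red request in the lines."""
    out = []
    for line in lines:
        req = parse(line.strip())
        if req and is_code_red(req):
            out.append((req.client_ip, req.status, verdict(req)))
    return out


# Constructed sample lines mirroring the thread's two log layouts (not copied logs).
PAYLOAD = "N" * 224 + (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
SAMPLE_LINES = [
    f"2001-08-01 13:44:07 208.36.124.212 - 0.0.0.0 80 GET /default.ida {PAYLOAD} 404 2 - -",
    f"170.210.161.141, -, 8/1/2001, 13:32:02, W3SVC1, GRIFFINW-OOE2U7, 192.168.0.9, "
    f"1693, 4039, 171, 200, 0, GET, /default.ida, {PAYLOAD},",
    "2001-08-01 13:50:00 10.0.0.5 - 0.0.0.0 80 GET /index.htm - 200 0 - -",
]

if __name__ == "__main__":
    for ip, status, result in scan(SAMPLE_LINES):
        print(f"{ip:16} {status} {result}")
```

Run it against a real log with `scan(open("ex010801.log"))`; any `handler-reached` entry means the `.ida` mapping was still present when the probe arrived, so check the patch level and look for the defacement text the last reply mentions.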