Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations John Tel on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Strange Data in Error Logs..Please Help? 1

Status
Not open for further replies.
TWillard

TWillard

Programmer
Apr 26, 2001
263
US
Recently my application has been logging some strange data and is not granting access to my site. It will not even render a test.html page. I get the white screen of death 'The page cannot be displayed'. The site was working fine several weeks ago and iis was logging everything fine.
The application and computer have not been messed with at all since the application was first installed.

I am aware of the Code Red Virus and our IT Software Engineer said that he patched the computer with the Code Red Patch. I do not think I have the Code Red Virus for several reasons -

1. We did not get the Hacked By Chineese Screen
2. Our logs did not record 'NNNNNNN' just 'XXXXXX'
3. I downloaded a ran a IP and DNS check for our computer using the virus scanner 'Code Red Finder'.

The following is one line entry in our IIS Logs. Could some one please help me analysis this log and help me fix the problem? What are all the xxx's?


2001-08-20 00:36:48 12.5.23.188 - W3SVC1 GSONTI2W3 192.168.201.122 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 0 165 3818 78 80 HTTP/1.0 - - -
 
Sort by date Sort by votes
This is Code Red. The XXX's are just to cause a Buffer Overflow and hack your system. If the logs do not indicate that default.ida was not found (ie 404 Error) then your System has been compromised. I don't care what the Code Red finder says, it can't possibly detect every possible strain of Code Red.

Again, if the file was not 404 then you are infected. Take the proper precautions or you will most likely regret it in the future. Wushutwist
 
Upvote 0 Downvote
thanks wushutwist,

I always wondered what the 'XXXXXXXXXXX' were in the logs. As it turns out, our IT Software Engineer had reconfigured our firewall and had not informed me. I was chasing down an error in the wrong place. However, you are correct about take the correct measures for working with IIS bugs and patches. 'Code Red' is just a headache that none of need.

Tim

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Abdullah Al Maruf
  • Locked
  • Question
Telnet help for
Replies
2
Views
730
gbaughma
gbaughma
ravalos
  • Locked
  • Question
Problem with PDFs in IIS
Replies
1
Views
1K
gbaughma
gbaughma
Aquiles Vidal
  • Locked
  • Question
Web Browsers in Windows Server or Terminal Server
Replies
0
Views
657
Aquiles Vidal
Aquiles Vidal
DeepuM
  • Locked
  • Question
Web Response returned Web Exception : The underlying connection was closed error | Simphony & QS
Replies
0
Views
458
DeepuM
DeepuM
andyferris
  • Locked
  • Question
DC Event logs auditing cannot be set by GPO
Replies
1
Views
315
RRankin355
RRankin355

Part and Inventory Search

Sponsor

Back
Top