[21688] in bugtraq
RE: 'Code Red' does not seem to be scanning for IIS
daemon@ATHENA.MIT.EDU (Tony Langdon)
Thu Jul 19 21:26:47 2001
Message-ID: <B17EB7B34580D311BE38525405DF62324B60B6@atc-mail-db.atctraining.com.au>
From: Tony Langdon <tlangdon@atctraining.com.au>
To: "'Mike Brockman'" <phubuh@home.se>, bugtraq@securityfocus.com
Date: Fri, 20 Jul 2001 09:09:24 +1000

> From what I read about the 'Code Red'-worm, it was supposed to be scanning
> for IIS-servers. It obviously isn't, I believe it tries to infect
> everything it finds on port 80, or something as simple as that.

I suspect you're right. I've noticed exploit attempts on all web servers
here, but only one of them is running IIS. The IDS has been monitoring a
rapid increase in IIS-related attacks, which are presumably related to this
worm. It started about 2-3 days ago, but the last 24 hours have been
particularly intense. It's certainly not picky about what servers it will
try and attack (though I can't see the exploits succeeding on the UNIX
Apache servers ;) ).

> About three to four days ago, I started to get those default.ida-GETs in
> my Apache-logs. I shut down the server as fast as I could, and checked for
> outgoing connections from my computer, and then did some research.
> I was told that it was an IIS-worm, and that it couldn't affect
> Apache-servers, so I was safe. I turned the server back on, and from that
> day I have received forty-one attempts.

I've had a lot more than 41. Every attempt is logged and archived here.
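
Added example, not part of the original message: one way to count the default.ida GETs discussed in this thread from an Apache access log, per source and per day, so a ramp-up like the one described is visible. The log lines, addresses and `X` padding are constructed, and all function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation addresses, placeholder query padding).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jul/2001:03:12:45 +1000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276',
    '192.0.2.10 - - [19/Jul/2001:14:02:11 +1000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276',
    '198.51.100.7 - - [19/Jul/2001:14:05:59 +1000] "GET /Default.IDA?XXXXXXXX HTTP/1.0" 404 276',
    '203.0.113.4 - - [19/Jul/2001:14:06:30 +1000] "GET /index.html HTTP/1.0" 200 1043',
    'truncated line without a request',
]

def is_ida_probe(request_line):
    """True if the request line is a GET for /default.ida (any case, any query)."""
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0].upper() != "GET":
        return False
    path = parts[1].split("?", 1)[0]
    # IIS treats paths case-insensitively, so match the same way.
    return path.lower() == "/default.ida"

def summarize(lines):
    """Return (attempts per source host, attempts per day, count of unparsed lines)."""
    per_host, per_day, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1  # keep a tally so malformed lines are not silently lost
            continue
        if is_ida_probe(m.group("req")):
            day = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").date()
            per_host[m.group("host")] += 1
            per_day[day.isoformat()] += 1
    return per_host, per_day, unparsed

if __name__ == "__main__":
    hosts, days, bad = summarize(SAMPLE_LOG)
    for day, n in sorted(days.items()):
        print(day, n)
    for host, n in hosts.most_common():
        print(host, n)
    print("unparsed lines:", bad)
```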