Here's an interesting tidbit on using Cisco's IOS to detect if any http
servers on your network have been compromised.  This information originates
from Cisco Canada's Calgary office.  I've removed the original email header
and sender's ID since I'd be publishing his information without permission,
but I want to give credit where credit is due.


---Beginning of Forwarded Email---

Funny, I was debugging an IOS http issue and turned on the following debugs
(below) and saw

Aug  9 15:42:34.136: HTTP: processing URL '/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a' from host xxx.xxx.xxx.xxx  priv = 15

which means a machine on the network is trying to probe my router for the
IIS vulnerability.

Thus, if you take a NON PRODUCTION Cisco router and just put the following
command

ip http server

and then turn on the debugs (below), you will know if there are machines
that have been compromised by Code Red.  It will give you the IP address so
you can then patch that machine following Microsoft's instructions.

1751-vespa#sh deb
HTTP:
   HTTP URL debugging is on
   HTTP Authentication debugging is on
HTML:
   HTML page requests debugging is on
   HTML form submissions debugging is on
   HTML server side include debugging is on
   HTML command line interface debugging is on

1751-vespa#debug ip http ?
   authentication  HTTP Authentication
   ezsetup         HTTP EZSetup
   ssi             HTTP Server Side Includes
   tokens          HTTP tokens
   transactions    HTTP transactions
   url             HTTP URL

1751-vespa#debug ip html ?
   forms   HTML forms
   pages   HTML pages
   ssi     HTML server side includes
   tokens  HTML tokens

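The detection the email describes, reduced to a log-parsing step, as an added example that is not part of the original post: it scans constructed `debug ip http url` output for the Code Red request shape (`/default.ida?` followed by filler and `%u`-encoded words, as in the quoted line) and tallies the probing hosts. The sample lines, timestamps and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample "debug ip http url" output (not from the original post).
# The probe lines mirror the Code Red request shape quoted in the post; the
# ordinary admin request is included to show that only the worm signature counts.
SAMPLE_DEBUG = """\
Aug  9 15:42:34.136: HTTP: processing URL '/default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a' from host 192.0.2.10  priv = 15
Aug  9 15:42:35.002: HTTP: processing URL '/exec/show/version' from host 192.0.2.1  priv = 15
Aug  9 15:43:01.417: HTTP: processing URL '/default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801=a' from host 192.0.2.10  priv = 15
Aug  9 15:43:09.870: HTTP: processing URL '/default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801=a' from host 192.0.2.77  priv = 15
"""

# One IOS debug line: the requested URL in single quotes, then the source host.
LINE_RE = re.compile(r"HTTP: processing URL '(?P<url>[^']*)' from host (?P<host>\S+)")

# Code Red asks for /default.ida with a run of filler characters followed by
# %u-encoded words (the post shows 'X' filler; the earlier variant used 'N').
# Requiring both the path and the %uXXXX encoding avoids flagging a plain
# request for the same path.
CODE_RED_RE = re.compile(r"^/default\.ida\?[NX]+%u[0-9a-fA-F]{4}")

def find_code_red_hosts(debug_output):
    """Return {source_host: probe_count} for lines matching the Code Red request shape."""
    hits = Counter()
    for line in debug_output.splitlines():
        m = LINE_RE.search(line)
        if m and CODE_RED_RE.match(m.group("url")):
            hits[m.group("host")] += 1
    return dict(hits)

if __name__ == "__main__":
    # Each host listed here is an IIS machine that needs the Microsoft patch.
    for host, count in sorted(find_code_red_hosts(SAMPLE_DEBUG).items()):
        print(f"{host}: {count} probe(s)")
```

Feed it the router's logged debug output (for example via `logging buffered` and `show logging`, copied to a file) instead of the constructed sample.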

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15551&t=15551