If it gets a "not found" error, it wasn't successful. It'll appear
right after the attempt in your logs.
> -----Original Message-----
> From: Chris Haaker [mailto:[EMAIL PROTECTED]]
> Posted At: Monday, August 20, 2001 12:37 PM
> Posted To: MSExchange Mailing List
> Conversation: Code red
> Subject: Re: Code red
>
>
> How do you tell the diff?
>
> ---------------------------------------------------------
> I was thinking about how people seem to read the Bible a
> whole lot more as
> they get older, then it dawned on me...they were cramming for their
> finals...
> ---------------------------------------------------------
> ----- Original Message -----
> From: "Martin Blackstone" <[EMAIL PROTECTED]>
> To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Sent: Monday, August 20, 2001 1:31 PM
> Subject: RE: Code red
>
>
> > That is just the attempt.
> > Besides, isn't code red asleep right now?
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of
> Chris Haaker
> > Sent: Monday, August 20, 2001 10:29 AM
> > To: Exchange Discussions
> > Subject: Re: Code red
> >
> >
> > This appears in my log just once:
> >
> > 2001-08-20 16:28:41 61.187.115.20 - 172.17.1.217 80 GET /default.ida
> >
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXX
> > XXXX
> >
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXX
> > XXXX
> >
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXX
> > %u90
> >
> 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
> %u7801%u90
> > 90%u
> > 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
> >
> > successful? I thought this only showed up in your logs if it *was*
> > successful!
> >
> > TIA.
> >
> > Chris
> > ---------------------------------------------------------
> > I was thinking about how people seem to read the Bible a
> whole lot more
> > as they get older, then it dawned on me...they were
> cramming for their
> > finals...
> > ---------------------------------------------------------
> > ----- Original Message -----
> > From: "Andy David" <[EMAIL PROTECTED]>
> > To: "Exchange Discussions" <[EMAIL PROTECTED]>
> > Sent: Monday, August 20, 2001 1:16 PM
> > Subject: RE: Code red
> >
> >
> > > But he's apparently seeing it in the logs as well.
> > > Chris, What do the w3svc logs say? Is the attack
> successful or not?
> > > You can test your server here:
> > > http://www.eeye.com/html/Research/Tools/codered.html
> > >
> > >
> > >
> > >
> > > Andy David
> > > J Muller International
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Bill Kuhn - MCSE [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, August 20, 2001 1:02 PM
> > > To: Exchange Discussions
> > > Subject: RE: Code red
> > >
> > >
> > > Get rid of the Symantec scanner. My dead grandma has a
> better chance
> > > of telling you accurately whether you have Code Red.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> Chris Haaker
> > > Sent: Monday, August 20, 2001 11:56 AM
> > > To: ExchangeList@swynk
> > > Subject: OT: Code red
> > >
> > >
> > > anyone have an idea that has been working with code red?
> > >
> > > I have a win2k server that was infected. I re-formatted all hard
> > > drives, re-installed OS w/SP2 built-in and patched for CR. Within
> > > about 10 minutes I was infected again according to the
> w3svc log and
> > > the symantec scanner for
> > > code red.
> > >
> > > disconnected from network and did same as above. Ran the
> patch from a
> > > floppy. re-connected to the network, ran the new MS
> Security scanner
> > > at: www.microsoft.com/technet/mpsa/start.asp and applied
> all hotfixes
> > > there as well. Note: I ran the CR hotfix and rebooted
> before I ever
> > > attached to the
> > > network. 1 hour later CR shows up in the w3svc log again
> and symantec
> > > scanner says I am infected again.
> > >
> > > Ideas?
> > >
> > > ---------------------------------------------------------
> > > I was thinking about how people seem to read the Bible a
> whole lot
> > > more as they get older, then it dawned on me...they were
> cramming for
> > > their finals...
> > > ---------------------------------------------------------
> > >
> > >
> > > _________________________________________________________________
> > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > > Archives: http://www.swynk.com/sitesearch/search.asp
> > > To unsubscribe: mailto:[EMAIL PROTECTED]
> > > Exchange List admin: [EMAIL PROTECTED]
> > >
> > > _________________________________________________________________
> > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > > Archives: http://www.swynk.com/sitesearch/search.asp
> > > To unsubscribe: mailto:[EMAIL PROTECTED]
> > > Exchange List admin: [EMAIL PROTECTED]
> > >
> > > _________________________________________________________________
> > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > > Archives: http://www.swynk.com/sitesearch/search.asp
> > > To unsubscribe: mailto:[EMAIL PROTECTED]
> > > Exchange List admin: [EMAIL PROTECTED]
> > >
> >
> >
> > _________________________________________________________________
> > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe: mailto:[EMAIL PROTECTED]
> > Exchange List admin: [EMAIL PROTECTED]
> >
> >
> > _________________________________________________________________
> > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe: mailto:[EMAIL PROTECTED]
> > Exchange List admin: [EMAIL PROTECTED]
> >
>
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
>
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
