RE: default.ida?
> there's something SERIOUSLY wrong with your DNS Thomas - I'd
> sort out that
> dodgy "10" mate - it's reserved for M$ back-office! :-)

It is, really is it ?

RFCs 1918, 1597 etc. reserve 10.0.0.0 to 10.255.255.255 for Intranet use (i.e. they are internal addresses). It's listed as 'IANA-reserved' by CERT.

~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: default.ida?
> Actually we have an unpatched (default install) "remote" box
> unconnected to the rest of our network put out as a sitting duck, so
> we can go see what happens to it every few hours,

Honey pots rock, but tend to stick out like a sore thumb to anyone seriously trying to breach your network for profit.
RE: default.ida?
thousands huh? the fact is, you can't list a dozen people on this list that you know for absolute certain are digging around his server in some malicious manner. i'm not suggesting everyone here is a saint, but i think all these dramatic suggestions of the behaviours of others is unfounded.

and while we're still on the subject, i think if you're the admin of machines being hacked based on an exploit that's MONTHS old, you shouldn't feel victimized. you should feel ignorant. and i wonder, of all the machines that were vulnerable to this latest round, how many of them actually *use* MS indexing server? patching services you're not using. brilliant. why don't we all just run anonymous FTP into our system folders and level the playing field? maybe we'll stave off (http://www.dictionary.com/cgi-bin/dict.pl?term=stave) the hackers because they won't know where to start...

-----Original Message-----
From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 9:17 AM
To: CF-Talk
Subject: RE: default.ida?

Well since he posted his IP addresses to this list they have been pinged, tracert'd, checked for Code Red vulnerability, checked for all the usual CF insecurities, had his entire IP range scanned... Need I go on?

It's not the fact that it's easy for someone to do these things, it's the fact that there are 1000s of subscribers on this list who are now "having a look" at his server, as well as the unscrupulous people having a good old dig at his server.

Is that sufficient?

> -----Original Message-----
> From: Dylan Bromby [mailto:[EMAIL PROTECTED]]
> Sent: 02 August 2001 16:26
> To: CF-Talk
> Subject: RE: default.ida?
>
> his email domain is cc.uk.com. which i can ping and see the IP
> 193.122.20.2.
> so i could do a port scan in that range and see any machine
> running port 80.
>
> so can you explain to us all what he revealed that wouldn't take
> more than 1
> or 2 minutes for anyone to figure out?
>
> -----Original Message-----
> From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 8:05 AM
> To: CF-Talk
> Subject: RE: default.ida?
>
> Might be an idea to go away and change the IP addresses on your
> servers now
> and abandon these two for all eternity
>
> Never put this kind of information out on the list. You are opening
> yourself up to abuse by the few unscrupulous people on this list...
>
> Stephen
>
> > -----Original Message-----
> > From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> > Sent: 02 August 2001 15:50
> > To: CF-Talk
> > Subject: RE: default.ida?
> >
> > 193.122.20.5 - Production
> > 193.122.20.8 - Development
> >
> > Why?
> >
> > > -----Original Message-----
> > > From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, August 02, 2001 3:34 PM
> > > To: CF-Talk
> > > Subject: RE: default.ida?
> > >
> > > whats yur ip? :-)
> > >
> > > Michael T. Tangorre
> > > Web Applications Developer
> > > Office Phone: 703-558-4746
> > > Cellular Phone: 607-426-9277
> > > AIM: CrazyFlash4
> > > Personal Email: [EMAIL PROTECTED]
> > > Work Email: [EMAIL PROTECTED]
> > > School Email: [EMAIL PROTECTED]
> > >
> > > This Email contains MillenniuM Information
> > > Systems, LLC Privileged Information which
> > > is Customer or Business Sensitive.
> > >
> > > -----Original Message-----
> > > From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, August 02, 2001 10:32 AM
> > > To: CF-Talk
> > > Subject: RE: default.ida?
> > >
> > > > -----Original Message-----
> > > > > I don't actually think it's hysteria mate, do you want to see
> > > > > a copy of my
> > > > > IDS logs
> > > >
> > > > Not really, no. They tend to be boring and full of kidz
> > > > getting 404's.
> > >
> > > :-) I did say IDS logs though, they filter out all the crap and
> > > only show me
> > > the ISAPI Extension Overflow errors.
> > >
> > > > > There are a large number of attacks going on as
> > > > > I write this
> > > >
> > > > Woo-wee - where have you been ? An ongoing scan of your system is
> > > > a *FACT OF
RE: default.ida?
Well since he posted his IP addresses to this list they have been pinged, tracert'd, checked for Code Red vulnerability, checked for all the usual CF insecurities, had his entire IP range scanned... Need I go on?

It's not the fact that it's easy for someone to do these things, it's the fact that there are 1000s of subscribers on this list who are now "having a look" at his server, as well as the unscrupulous people having a good old dig at his server.

Is that sufficient?

> -----Original Message-----
> From: Dylan Bromby [mailto:[EMAIL PROTECTED]]
> Sent: 02 August 2001 16:26
> To: CF-Talk
> Subject: RE: default.ida?
>
> his email domain is cc.uk.com. which i can ping and see the IP
> 193.122.20.2.
> so i could do a port scan in that range and see any machine
> running port 80.
>
> so can you explain to us all what he revealed that wouldn't take
> more than 1
> or 2 minutes for anyone to figure out?
>
> -----Original Message-----
> From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 8:05 AM
> To: CF-Talk
> Subject: RE: default.ida?
>
> Might be an idea to go away and change the IP addresses on your
> servers now
> and abandon these two for all eternity
>
> Never put this kind of information out on the list. You are opening
> yourself up to abuse by the few unscrupulous people on this list...
>
> Stephen
>
> > -----Original Message-----
> > From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> > Sent: 02 August 2001 15:50
> > To: CF-Talk
> > Subject: RE: default.ida?
> >
> > 193.122.20.5 - Production
> > 193.122.20.8 - Development
> >
> > Why?
> >
> > > -----Original Message-----
> > > From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, August 02, 2001 3:34 PM
> > > To: CF-Talk
> > > Subject: RE: default.ida?
> > >
> > > whats yur ip? :-)
> > >
> > > Michael T. Tangorre
> > > Web Applications Developer
> > > Office Phone: 703-558-4746
> > > Cellular Phone: 607-426-9277
> > > AIM: CrazyFlash4
> > > Personal Email: [EMAIL PROTECTED]
> > > Work Email: [EMAIL PROTECTED]
> > > School Email: [EMAIL PROTECTED]
> > > --------
> > > This Email contains MillenniuM Information
> > > Systems, LLC Privileged Information which
> > > is Customer or Business Sensitive.
> > >
> > > -----Original Message-----
> > > From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, August 02, 2001 10:32 AM
> > > To: CF-Talk
> > > Subject: RE: default.ida?
> > >
> > > > -----Original Message-----
> > > > > I don't actually think it's hysteria mate, do you want to see
> > > > > a copy of my
> > > > > IDS logs
> > > >
> > > > Not really, no. They tend to be boring and full of kidz
> > > > getting 404's.
> > >
> > > :-) I did say IDS logs though, they filter out all the crap and
> > > only show me
> > > the ISAPI Extension Overflow errors.
> > >
> > > > > There are a large number of attacks going on as
> > > > > I write this
> > > >
> > > > Woo-wee - where have you been ? An ongoing scan of your system is
> > > > a *FACT OF
> > > > LIFE* for a system on the internet.
> > > > My dial-up gateway at home gets scanned !
> > >
> > > Tell me about it, then again, my server very rarely blocks
> > > anyone, so far
> > > today it's implemented over 300 24 bans on various IP addresses
> > > in the last
> > > 12 hours. That is unusual.
> > >
> > > > > and anyone running an unpatched/unprotected IIS server needs
> > > > > to do something
> > > > > about it asap.
> > > >
> > > > No, anyone running an unpatched/unprotected IIS server on a
> > > > public network
> > > > needs to be fired, as they're not doing their job. The patch was all
> > > > over BugTraq
> > > > et al. well before Code Red was released.
> > >
> > > Agreed!
> > >
> > > > But, if you look at the domains from which these scans originate,
> > > > most have
> > > > no reverse look-up, or are from ISP's like @home and
> > > > those are just
> > > > the people who won't care, because Code Red version 2 is non
> > > > destructive to
> > > > the local machine.
> > >
> > > Lots of Chinese, Japanese, Koreans, Mexicans and a few US and
> > > EU academic
> > > ones as well.. There are even some coming in as 0.0.0.0
> > >
> > > I have had a few responses from some of the ones I thought would take
> > > action, some very sheepish IISadmins out there :-)
> > >
> > > We're averaging a new attempt every minute or so
> > >
> > > -= Ed
RE: default.ida?
"Honeypot's" can be pretty interesting Check out http://project.honeynet.org/ They recorded some IRC conversations too -Original Message- From: Daniel Kemp [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 02, 2001 12:00 PM To: CF-Talk Subject: RE: default.ida? > No, anyone running an unpatched/unprotected IIS server on a public > network needs to fired, as their not doing their job. Actually we have an unpatched (default install) "remote" box unconnected to the rest of out network put out as a sitting duck, so we can go see what happens to it every few hours, before restoring it to it's "I'm a victim" state. For no other reason then it's interesting to see what the hell goes on in the wild unpatched world of the internet. All outgoing traffic is logged and blocked if it seems to be effecting other people (i.e. launching DDOS attacks etc). While I think it's of utmost important to patch systems, it's also kinda cool to try and work out the nitty-gritty of what's actually going on. The latest excitement is the "h..p://www.worm.com" text changing from black to red :) I'm sure people are going to have moral objections to knowingly not patching a box. But sometimes it can be the difference between blindly patching a machine without knowing what's going on, or patching the rest of your machines with some knowledge. OB ColdFusion; When using , what are the speed implications of using the dot notation vrs the slash notation (name vrs template)? We may put an application on a system where they don't allow custom tags, so we may change all our from using dot notation to slash. Then we wondered what good reasons there were for not doing this anyway. Cheers, Dan. This message is intended only for the use of the person(s) ("the intended recipient(s)") to whom it is addressed. It may contain information which is privileged and confidential within the meaning of the applicable law. If you are not the intended recipient, please contact the sender as soon as possible. 
The views expressed in this communication may not necessarily be the views held by Live Information Systems Limited. ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: default.ida?
> I'm getting quite a few requests like this:
>
> 00:38:13 202.109.105.67 GET /default.ida 401
> ...
> Interestingly though, my server is password protected. Does
> IIS log the request even if the page doesn't exist, and even
> if it did, couldn't be accessed due to the password protection
> anyway?

Yes, IIS logs every request, whether or not the request is successful - as you can see, your server is returning a 401 status code indicating the need to authenticate first, not a 200, which is what you'd get for a successful request.

When you use a browser to request a URL that requires authentication, the process looks like this.

1. Your browser sends the request:

   GET /securedpage.html HTTP/1.1
   ...

2. The server returns a 401 status code.

3. Your browser displays a password prompt.

4. The browser sends the request again, this time with the authentication info tacked onto the request.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: default.ida?
I'm getting quite a few requests like this:

00:38:13 202.109.105.67 GET /default.ida 401
02:20:36 24.130.170.100 GET /default.ida 401
02:50:41 194.7.47.130 GET /default.ida 401
04:00:45 65.2.171.167 GET /default.ida 401
04:55:53 211.172.176.231 GET /default.ida 401
05:49:07 12.98.100.6 GET /default.ida 401
06:33:12 63.17.76.22 GET /default.ida 401
06:35:31 216.85.123.121 GET /default.ida 401
07:00:16 200.176.48.234 GET /default.ida 401
07:52:00 163.180.18.14 GET /default.ida 401
08:21:23 210.181.179.242 GET /default.ida 401
08:47:19 210.255.176.132 GET /default.ida 401
08:57:43 216.104.158.213 GET /default.ida 401
09:00:22 210.122.124.118 GET /default.ida 401
10:32:16 139.130.84.98 GET /default.ida 401
11:31:56 24.128.34.95 GET /default.ida 401
12:10:29 209.239.84.85 GET /default.ida 401
12:14:58 61.145.108.35 GET /default.ida 401
12:27:16 203.248.108.241 GET /default.ida 401
13:37:05 211.99.96.131 GET /default.ida 500
13:46:58 202.107.224.234 GET /default.ida 401
14:01:32 63.222.244.124 GET /default.ida 401
14:12:54 155.229.77.166 GET /default.ida 401
15:22:40 210.106.239.202 GET /default.ida 401

Interestingly though, my server is password protected. Does IIS log the request even if the page doesn't exist, and even if it did, couldn't be accessed due to the password protection anyway?

I've applied the Code Red patch already. I guess I'm safe!

---mark

=
Mark Warrick - Fusioneers.com
Personal Email: [EMAIL PROTECTED]
Business Email: [EMAIL PROTECTED]
Phone: 714-547-5386
Efax: 801-730-7289
Personal URL: http://www.warrick.net
Business URL: http://www.fusioneers.com
ICQ: 125160 / AIM: markwarric
=

> -----Original Message-----
> From: Jeff Beer [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 9:44 AM
> To: CF-Talk
> Subject: RE: default.ida?
>
> You had better never give out your FQDN either.. you can find the IP
> from that pretty easily..
> lol
>
> Jeff Beer
> Senior Programmer Architect
> Hydrogen Media, Inc
> (727) 530-5500 x303
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, August 02, 2001 11:18 AM
> > To: CF-Talk
> > Subject: RE: default.ida?
> >
> > sorry for asking!!! I didn't think you'd take me seriously!
> > Wow, I'd change the IPs also; that is good advice.
> >
> > Michael T. Tangorre
> > Web Applications Developer
> > Office Phone: 703-558-4746
> > Cellular Phone: 607-426-9277
> > AIM: CrazyFlash4
> > Personal Email: [EMAIL PROTECTED]
> > Work Email: [EMAIL PROTECTED]
> > School Email: [EMAIL PROTECTED]
> >
> > This Email contains MillenniuM Information
> > Systems, LLC Privileged Information which
> > is Customer or Business Sensitive.
> >
> > -----Original Message-----
> > From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, August 02, 2001 11:05 AM
> > To: CF-Talk
> > Subject: RE: default.ida?
> >
> > Might be an idea to go away and change the IP addresses on
> > your servers now
> > and abandon these two for all eternity
> >
> > Never put this kind of information out on the list. You are opening
> > yourself up to abuse by the few unscrupulous people on this list...
> >
> > Stephen
> >
> > > -----Original Message-----
> > > From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> > > Sent: 02 August 2001 15:50
> > > To: CF-Talk
> > > Subject: RE: default.ida?
> > >
> > > 193.122.20.5 - Production
> > > 193.122.20.8 - Development
> > >
> > > Why?
> > >
> > > > -----Original Message-----
> > > > From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, August 02, 2001 3:34 PM
> > > > To: CF-Talk
> > > > Subject: RE: default.ida?
> > > >
> > > > whats yur ip? :-)
> > > >
> > > > Michael T. Tangorre
> > > > Web Applications Developer
> > > > Office Phone: 703-558-4746
> > > > Cellular Phone: 607-426-9277
> > > > AIM: CrazyFlash4
> > > > Personal Email: [EMAIL PROTECTED]
> > > > Work Email: [EMAIL PROTECTED]
> > > > School Email: [EMAIL PROTEC
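Added here as a defender-side example, not code from the list or from any poster: a small parser over IIS-style log lines in the shape of the excerpt above. It counts .ida probes per source, classes each request by what its status code means (per Dave Watts' reply earlier on this page: a 401 means IIS demanded authentication before the request reached anything, a 200 means it was served), and flags source addresses that cannot legitimately arrive from the Internet, such as the 10.x and 0.0.0.0 sources mentioned elsewhere in the thread. The sample lines, the 10.255.1.2 and 0.0.0.0 entries, the index.cfm line and the .idq match are constructed or assumed, not taken from the page.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the IIS log excerpt on this page
# (time, client IP, method, URI, status). The 10.255.1.2 and 0.0.0.0
# sources are constructed to exercise the bogus-source check; the
# index.cfm line shows ordinary traffic being ignored; the last line
# shows a non-record being skipped.
SAMPLE_LOG = """\
00:38:13 202.109.105.67 GET /default.ida 401
02:20:36 24.130.170.100 GET /default.ida 401
13:37:05 211.99.96.131 GET /default.ida 500
13:46:58 202.107.224.234 GET /default.ida 401
14:01:32 202.109.105.67 GET /default.ida 401
14:05:10 10.255.1.2 GET /default.ida 401
14:06:44 0.0.0.0 GET /default.ida 401
14:12:54 155.229.77.166 GET /index.cfm 200
this line is not a log record
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<uri>\S+)\s+(?P<status>\d{3})\s*$"
)

# Requests for the Indexing Service ISAPI extension (.ida/.idq), the
# component the Code Red scan targets. The page only shows /default.ida;
# matching any .ida or .idq path is an assumption made here.
PROBE_RE = re.compile(r"\.id[aq](?:\?|$)", re.IGNORECASE)


def parse_line(line):
    """Parse one 'time ip method uri status' record; None if it does not fit."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def source_flag(ip_text):
    """'public' for a routable source; 'bogus' for unspecified, loopback or
    RFC 1918 private addresses (they cannot arrive unspoofed from the
    Internet); 'invalid' for text that is not an IP address at all."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip.is_unspecified or ip.is_loopback or ip.is_private:
        return "bogus"
    return "public"


def outcome(status):
    """What the status code says happened to the probe: 401 means IIS
    demanded authentication before handing the request to anything,
    200 means the server served it, anything else needs a closer look."""
    if status == 401:
        return "blocked-by-auth"
    if status == 200:
        return "served"
    return "other"


def summarize(log_text):
    """Count .ida/.idq probes, group them by source and outcome, and
    collect sources whose address could not have come in legitimately."""
    per_source = Counter()
    outcomes = Counter()
    flagged = {}
    probes = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not PROBE_RE.search(rec["uri"]):
            continue
        probes += 1
        per_source[rec["ip"]] += 1
        outcomes[outcome(rec["status"])] += 1
        flag = source_flag(rec["ip"])
        if flag != "public":
            flagged[rec["ip"]] = flag
    return {"probes": probes, "per_source": per_source,
            "outcomes": outcomes, "flagged": flagged}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['probes']} .ida/.idq probes")
    for ip, n in report["per_source"].most_common():
        print(f"  {ip:<16} {n:>3}  {source_flag(ip)}")
    print("outcomes:", dict(report["outcomes"]))
    print("flagged sources:", report["flagged"])
```

A 500 on /default.ida, as in the excerpt, is worth a closer look because it means the request got past authentication to whatever handles that path.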
RE: default.ida?
> -----Original Message-----
> While I think it's of utmost importance to patch systems, it's also
> kinda cool to try and work out the nitty-gritty of what's actually
> going on.
>
> The latest excitement is the "h..p://www.worm.com" text changing from
> black to red :)
>
> I'm sure people are going to have moral objections to knowingly not
> patching a box. But sometimes it can be the difference between
> blindly patching a machine without knowing what's going on, or
> patching the rest of your machines with some knowledge.

I couldn't agree more.

Oh, as long as you monitor it there shouldn't be any problem with an unpatched server...

I left my unpatched windows 2k machine up last night and had a lot of fun watching the attempts

It gets to a point where you can even tell what scanning utility people use because it always tries the same attacks in the same order..

-= Ed
RE: default.ida?
Yeah that's the address of one of Aol's many proxies

I think our firewall just blocked a large swathe of Aol users.

> -----Original Message-----
> From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
> Sent: 2 August 2001 5:03 PM
> To: CF-Talk
> Subject: RE: default.ida?
>
> > IP: 172.158.23.29
> > DNS: AC9E171D.ipt.aol.com
>
> Looks like a dial-up luser.
RE: default.ida?
I like a bit of positive thinking

It was fun watching the IDS logs too, almost as soon as my email hit the list there was a scan for vulnerabilities

I think our firewall put them off a bit ;-)

-= Ed

> -----Original Message-----
> From: James Maltby [mailto:[EMAIL PROTECTED]]
> Sent: 2 August 2001 4:40 PM
> To: CF-Talk
> Subject: RE: default.ida?
>
> good bit of a "boost" for your page impressions though (as everyone on the
> list browses and pings you) eh? ;-)
>
> J
> (our IP is http://194.164.87.20 if anyone wants to have a look!)
>
> -----Original Message-----
> From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> Sent: 02 August 2001 16:16
> To: CF-Talk
> Subject: RE: default.ida?
>
> LOL, like someone on this list couldn't work it out simply by
> doing a dig on
> our DNS info based on my email address domain Anyone serious about it
> doesn't need me or anyone else to tell them my (or your) IP address.
>
> Besides, they're public servers and I'd like to see Code Red do
> anything at
> all except get itself banned.
>
> :-)
>
> best wishes,
>
> -= Ed
>
> "If you want others to be happy, practice compassion.
> If you want to be happy, practice compassion."
> ~The 14th Dalai Lama
RE: default.ida?
You had better never give out your FQDN either.. you can find the IP from that pretty easily..
lol

Jeff Beer
Senior Programmer Architect
Hydrogen Media, Inc
(727) 530-5500 x303
[EMAIL PROTECTED]

> -----Original Message-----
> From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 11:18 AM
> To: CF-Talk
> Subject: RE: default.ida?
>
> sorry for asking!!! I didn't think you'd take me seriously!
> Wow, I'd change the IPs also; that is good advice.
>
> Michael T. Tangorre
> Web Applications Developer
> Office Phone: 703-558-4746
> Cellular Phone: 607-426-9277
> AIM: CrazyFlash4
> Personal Email: [EMAIL PROTECTED]
> Work Email: [EMAIL PROTECTED]
> School Email: [EMAIL PROTECTED]
>
> This Email contains MillenniuM Information
> Systems, LLC Privileged Information which
> is Customer or Business Sensitive.
>
> -----Original Message-----
> From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 11:05 AM
> To: CF-Talk
> Subject: RE: default.ida?
>
> Might be an idea to go away and change the IP addresses on
> your servers now
> and abandon these two for all eternity
>
> Never put this kind of information out on the list. You are opening
> yourself up to abuse by the few unscrupulous people on this list...
>
> Stephen
>
> > -----Original Message-----
> > From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> > Sent: 02 August 2001 15:50
> > To: CF-Talk
> > Subject: RE: default.ida?
> >
> > 193.122.20.5 - Production
> > 193.122.20.8 - Development
> >
> > Why?
> >
> > > -----Original Message-----
> > > From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, August 02, 2001 3:34 PM
> > > To: CF-Talk
> > > Subject: RE: default.ida?
> > >
> > > whats yur ip? :-)
> > >
> > > Michael T. Tangorre
> > > Web Applications Developer
> > > Office Phone: 703-558-4746
> > > Cellular Phone: 607-426-9277
> > > AIM: CrazyFlash4
> > > Personal Email: [EMAIL PROTECTED]
> > > Work Email: [EMAIL PROTECTED]
> > > School Email: [EMAIL PROTECTED]
> > > ------------
> > > This Email contains MillenniuM Information
> > > Systems, LLC Privileged Information which
> > > is Customer or Business Sensitive.
> > >
> > > -----Original Message-----
> > > From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, August 02, 2001 10:32 AM
> > > To: CF-Talk
> > > Subject: RE: default.ida?
> > >
> > > > -----Original Message-----
> > > > > I don't actually think it's hysteria mate, do you want to see
> > > > > a copy of my
> > > > > IDS logs
> > > >
> > > > Not really, no. They tend to be boring and full of kidz
> > > > getting 404's.
> > >
> > > :-) I did say IDS logs though, they filter out all the crap and
> > > only show me
> > > the ISAPI Extension Overflow errors.
> > >
> > > > > There are a large number of attacks going on as
> > > > > I write this
> > > >
> > > > Woo-wee - where have you been ? An ongoing scan of your
> > > > system is
> > > > a *FACT OF
> > > > LIFE* for a system on the internet.
> > > > My dial-up gateway at home gets scanned !
> > >
> > > Tell me about it, then again, my server very rarely blocks
> > > anyone, so far
> > > today it's implemented over 300 24 bans on various IP addresses
> > > in the last
> > > 12 hours. That is unusual.
> > >
> > > > > and anyone running an unpatched/unprotected IIS server needs
> > > > > to do something
> > > > > about it asap.
> > > >
> > > > No, anyone running an unpatched/unprotected IIS server on a
> > > > public network
> > > > needs to be fired, as they're not doing their job. The patch was all
> > > > over BugTraq
> > > > et al. well before Code Red was released.
> > >
> > > Agreed!
RE: default.ida?
you mean AOL doesn't assign static IPs to its dial-up users? argh! we've all been had!

-----Original Message-----
From: G [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 8:51 AM
To: CF-Talk
Subject: Re: default.ida?

Whoever that was at the time, they'll be something different the next time they log in

----- Original Message -----
From: "Edward Chanter" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, August 02, 2001 10:23 AM
Subject: RE: default.ida?

> Ok, so who is
>
> IP: 172.158.23.29
> DNS: AC9E171D.ipt.aol.com
>
> One of you lot?
>
> best wishes,
>
> -= Ed
>
> "If you want others to be happy, practice compassion.
> If you want to be happy, practice compassion."
> ~The 14th Dalai Lama
RE: default.ida? A question
On 8/2/01, Dave Watts penned:
>I think that Mr. Chiverton's complaint was that simply seeing a request
>doesn't mean that the server is infected. My servers are receiving quite a
>few of these requests, for example, although they've been patched and don't
>respond to .ida requests in any case.

Hey. :) I'm wondering what the ramifications might be for this. I set up a redirect on my web server (O'Reilly). If default.ida is requested, I redirect to http://0.0.0.0/. Of course, if you enter that in a browser the page never loads (standard Page can't be found in IE, error dialogue box in Netscape). It doesn't seem to do anything to me except that the logs show a 302 instead of a 404.

http://www.twcreations.com/default.ida?N

--
Bud Schneehagen - Tropical Web Creations
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
954.721.3452
Re: default.ida?
Ok, we get it. It's not wise to post your IP info on a user group, but any IT person with half a brain can get it anyways. I think the horse is dead.

Michael Corrigan
Programmer
RE: default.ida?
On 8/2/01, Stephen Moretti penned:
>Never put this kind of information out on the list. You are opening
>yourself up to abuse by the few unscrupulous people on this list...

Why? Anyone can get your IP by doing a trace route or nslookup on your domain name.

--
Bud Schneehagen - Tropical Web Creations
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
954.721.3452
RE: default.ida?
there's something SERIOUSLY wrong with your DNS Thomas - I'd sort out that dodgy "10" mate - it's reserved for M$ back-office! :-)

J

-----Original Message-----
From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
Sent: 02 August 2001 16:47
To: CF-Talk
Subject: RE: default.ida?

> doesn't need me or anyone else to tell them my (or your) IP address.

Well, mine's 10.255.x.y so it wouldn't make much difference :_)
Re: default.ida?
Whoever that was at the time, they'll be something different the next time they log in

----- Original Message -----
From: "Edward Chanter" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, August 02, 2001 10:23 AM
Subject: RE: default.ida?

> Ok, so who is
>
> IP: 172.158.23.29
> DNS: AC9E171D.ipt.aol.com
>
> One of you lot?
>
> best wishes,
>
> -= Ed
>
> "If you want others to be happy, practice compassion.
> If you want to be happy, practice compassion."
> ~The 14th Dalai Lama
RE: default.ida?
> No, anyone running an unpatched/unprotected IIS server on a
> public network needs to be fired, as they're not doing their job.

Actually we have an unpatched (default install) "remote" box unconnected to the rest of our network put out as a sitting duck, so we can go see what happens to it every few hours, before restoring it to its "I'm a victim" state. For no other reason than it's interesting to see what the hell goes on in the wild unpatched world of the internet.

All outgoing traffic is logged and blocked if it seems to be affecting other people (i.e. launching DDOS attacks etc).

While I think it's of utmost importance to patch systems, it's also kinda cool to try and work out the nitty-gritty of what's actually going on.

The latest excitement is the "h..p://www.worm.com" text changing from black to red :)

I'm sure people are going to have moral objections to knowingly not patching a box. But sometimes it can be the difference between blindly patching a machine without knowing what's going on, or patching the rest of your machines with some knowledge.

OB ColdFusion; When using , what are the speed implications of using the dot notation vs the slash notation (name vs template)? We may put an application on a system where they don't allow custom tags, so we may change all our from using dot notation to slash. Then we wondered what good reasons there were for not doing this anyway.

Cheers,

Dan.

This message is intended only for the use of the person(s) ("the intended recipient(s)") to whom it is addressed. It may contain information which is privileged and confidential within the meaning of the applicable law. If you are not the intended recipient, please contact the sender as soon as possible.
The views expressed in this communication may not necessarily be the views held by Live Information Systems Limited.
Re: default.ida?
I think we all know that resolving an IP is relatively easy to do. However, publishing your IP in a public forum is still not advisable, as it tends to make you "stick out". It's sort of like standing up in a crowd of pick-pockets and saying: "hey everyone, I'm over here... bet you can't steal MY wallet".

Brian

----- Original Message -----
From: "Daniel Lancelot" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, August 02, 2001 10:24 AM
Subject: RE: default.ida?

> Come on - If anyone wanted to get the ip for his live server - all they have
> to do is:
>
> C:\>ping www.cc.uk.com
>
> Pinging dynamic.cc.uk.com [193.122.20.5] with 32 bytes of data:
>
> An IP addy is hardly confidential info... any "unscrupulous people on this
> list" would quite easily be able to do that...
>
> Dan.
>
> -----Original Message-----
> From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
> Sent: 02 August 2001 16:05
> To: CF-Talk
> Subject: RE: default.ida?
>
> Might be an idea to go away and change the IP addresses on your servers now
> and abandon these two for all eternity
>
> Never put this kind of information out on the list. You are opening
> yourself up to abuse by the few unscrupulous people on this list...
>
> Stephen
>
> > -----Original Message-----
> > From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> > Sent: 02 August 2001 15:50
> > To: CF-Talk
> > Subject: RE: default.ida?
> >
> > 193.122.20.5 - Production
> > 193.122.20.8 - Development
> >
> > Why?
> >
> > [...]
RE: default.ida?
> IP: 172.158.23.29
> DNS: AC9E171D.ipt.aol.com

Looks like a dial-up luser.
RE: default.ida?
Amen!

> -----Original Message-----
> his email domain is cc.uk.com, which I can ping and see the IP
> 193.122.20.2.
> so I could do a port scan in that range and see any machine
> running port 80.
>
> so can you explain to us all what he revealed that wouldn't take
> more than 1 or 2 minutes for anyone to figure out?
RE: default.ida?
> doesn't need me or anyone else to tell them my (or your) IP address.

Well, mine's 10.255.x.y so it wouldn't make much difference :_)
RE: default.ida?
good bit of a "boost" for your page impressions though (as everyone on the list browses and pings you) eh? ;-)

J

(our IP is http://194.164.87.20 if anyone wants to have a look!)

-----Original Message-----
From: Edward Chanter [mailto:[EMAIL PROTECTED]]
Sent: 02 August 2001 16:16
To: CF-Talk
Subject: RE: default.ida?

LOL, like someone on this list couldn't work it out simply by doing a dig on our DNS info based on my email address domain

Anyone serious about it doesn't need me or anyone else to tell them my (or your) IP address.

Besides, they're public servers and I'd like to see Code Red do anything at all except get itself banned. :-)

best wishes,

-= Ed

"If you want others to be happy, practice compassion. If you want to be happy, practice compassion." ~The 14th Dalai Lama
RE: default.ida?
Come on - If anyone wanted to get the ip for his live server - all they have to do is:

C:\>ping www.cc.uk.com

Pinging dynamic.cc.uk.com [193.122.20.5] with 32 bytes of data:

An IP addy is hardly confidential info... any "unscrupulous people on this list" would quite easily be able to do that...

Dan.

-----Original Message-----
From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
Sent: 02 August 2001 16:05
To: CF-Talk
Subject: RE: default.ida?

Might be an idea to go away and change the IP addresses on your servers now and abandon these two for all eternity

Never put this kind of information out on the list. You are opening yourself up to abuse by the few unscrupulous people on this list...

Stephen

> -----Original Message-----
> From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> Sent: 02 August 2001 15:50
> To: CF-Talk
> Subject: RE: default.ida?
>
> 193.122.20.5 - Production
> 193.122.20.8 - Development
>
> Why?
>
> [...]
RE: default.ida?
his email domain is cc.uk.com, which I can ping and see the IP 193.122.20.2. so I could do a port scan in that range and see any machine running port 80.

so can you explain to us all what he revealed that wouldn't take more than 1 or 2 minutes for anyone to figure out?

-----Original Message-----
From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 8:05 AM
To: CF-Talk
Subject: RE: default.ida?

Might be an idea to go away and change the IP addresses on your servers now and abandon these two for all eternity

Never put this kind of information out on the list. You are opening yourself up to abuse by the few unscrupulous people on this list...

Stephen

> -----Original Message-----
> From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> Sent: 02 August 2001 15:50
> To: CF-Talk
> Subject: RE: default.ida?
>
> 193.122.20.5 - Production
> 193.122.20.8 - Development
>
> Why?
>
> [...]
RE: default.ida?
Ok, so who is

IP: 172.158.23.29
DNS: AC9E171D.ipt.aol.com

One of you lot?

best wishes,

-= Ed

"If you want others to be happy, practice compassion. If you want to be happy, practice compassion." ~The 14th Dalai Lama
RE: default.ida?
sorry for asking!!! I didn't think you'd take me seriously! Wow, I'd change the IPs also; that is good advice.

Michael T. Tangorre
Web Applications Developer
Office Phone: 703-558-4746
Cellular Phone: 607-426-9277
AIM: CrazyFlash4
Personal Email: [EMAIL PROTECTED]
Work Email: [EMAIL PROTECTED]
School Email: [EMAIL PROTECTED]

This Email contains MillenniuM Information Systems, LLC Privileged Information which is Customer or Business Sensitive.

-----Original Message-----
From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 11:05 AM
To: CF-Talk
Subject: RE: default.ida?

Might be an idea to go away and change the IP addresses on your servers now and abandon these two for all eternity

Never put this kind of information out on the list. You are opening yourself up to abuse by the few unscrupulous people on this list...

Stephen

> -----Original Message-----
> From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> Sent: 02 August 2001 15:50
> To: CF-Talk
> Subject: RE: default.ida?
>
> 193.122.20.5 - Production
> 193.122.20.8 - Development
>
> Why?
>
> [...]
RE: default.ida?
LOL, like someone on this list couldn't work it out simply by doing a dig on our DNS info based on my email address domain

Anyone serious about it doesn't need me or anyone else to tell them my (or your) IP address.

Besides, they're public servers and I'd like to see Code Red do anything at all except get itself banned. :-)

best wishes,

-= Ed

"If you want others to be happy, practice compassion. If you want to be happy, practice compassion." ~The 14th Dalai Lama
RE: default.ida?
I should hope so too!!!

> -----Original Message-----
> From: Richard Kuryk [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 4:01 PM
> To: CF-Talk
> Subject: RE: default.ida?
>
> Your system is "Patched! NT 4 system" according to the code red scanner.
>
> Rich
>
> -----Original Message-----
> From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 10:50 AM
> To: CF-Talk
> Subject: RE: default.ida?
>
> 193.122.20.5 - Production
> 193.122.20.8 - Development
>
> Why?
>
> [...]
RE: default.ida?
FWIW, I don't believe that Michael is being infected. I remember reading somewhere that if the machine was vulnerable to the exploit, the code execution would occur before the request was ever written to the log file, and thus there would be no trace of it. On the flip side of things, if the machine is trying to be compromised unsuccessfully, but the proper protection is in place (patch, or remove .idq / .ida from IIS mappings) then the request will show up in the log file.

Jay Sudowski - Handy Networks LLC
TEL: 877-70-HANDY
FAX: 888-300-2FAX
URL: www.handynetworks.com
- Providing reseller and dedicated Windows 2000 web hosting solutions.

-----Original Message-----
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 9:18 AM
To: CF-Talk
Subject: Re: default.ida?

Michael Lugassy wrote:
> I keep seeing on the log files some default.ida request.
> are those hacking attempts? what does this file do?

You've got to be kidding. Doesn't "Code Red" ring any bells?

Jochem
RE: default.ida?
1st "Ask Why", THEN give info. :)

Eric Carlisle

-----Original Message-----
From: James Maltby [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 10:52 AM
To: CF-Talk
Subject: RE: default.ida?

doh! If you didn't have red wormy you'll probably get it now - posting ip's to a chat list - shame on you... ;-)

J

-----Original Message-----
From: Edward Chanter [mailto:[EMAIL PROTECTED]]
Sent: 02 August 2001 15:50
To: CF-Talk
Subject: RE: default.ida?

193.122.20.5 - Production
193.122.20.8 - Development

Why?

> [...]
RE: default.ida?
Might be an idea to go away and change the IP addresses on your servers now and abandon these two for all eternity

Never put this kind of information out on the list. You are opening yourself up to abuse by the few unscrupulous people on this list...

Stephen

> -----Original Message-----
> From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> Sent: 02 August 2001 15:50
> To: CF-Talk
> Subject: RE: default.ida?
>
> 193.122.20.5 - Production
> 193.122.20.8 - Development
>
> Why?
>
> > -----Original Message-----
> > From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, August 02, 2001 3:34 PM
> > To: CF-Talk
> > Subject: RE: default.ida?
> >
> > whats yur ip? :-)
> >
> > Michael T. Tangorre
> > Web Applications Developer
> > Office Phone: 703-558-4746
> > Cellular Phone: 607-426-9277
> > AIM: CrazyFlash4
> > Personal Email: [EMAIL PROTECTED]
> > Work Email: [EMAIL PROTECTED]
> > School Email: [EMAIL PROTECTED]
> >
> > This Email contains MillenniuM Information
> > Systems, LLC Privileged Information which
> > is Customer or Business Sensitive.
> >
> > -----Original Message-----
> > From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, August 02, 2001 10:32 AM
> > To: CF-Talk
> > Subject: RE: default.ida?
> >
> > > -----Original Message-----
> > > > I don't actually think it's hysteria mate, do you want to see a copy of my
> > > > IDS logs
> > >
> > > Not really, no. They tend to be boring and full of kidz getting 404's.
> >
> > :-) I did say IDS logs though, they filter out all the crap and only show me
> > the ISAPI Extension Overflow errors.
> >
> > > > There are a large number of attacks going on as I write this
> > >
> > > Woo-wee - where have you been? An ongoing scan of your system is a *FACT OF
> > > LIFE* for a system on the internet.
> > > My dial-up gateway at home gets scanned!
> >
> > Tell me about it, then again, my server very rarely blocks anyone, so far
> > today it's implemented over 300 24 bans on various IP addresses in the last
> > 12 hours. That is unusual.
> >
> > > > and anyone running an unpatched/unprotected IIS server needs to do something
> > > > about it asap.
> > >
> > > No, anyone running an unpatched/unprotected IIS server on a public network
> > > needs to be fired, as they're not doing their job. The patch was all over BugTraq
> > > et al. well before Code Red was released.
> >
> > Agreed!
> >
> > > But, if you look at the domains from which these scans originate, most have
> > > no reverse look-up, or are from ISPs like @home and those are just
> > > the people who won't care, because Code Red version 2 is non-destructive to
> > > the local machine.
> >
> > Lots of Chinese, Japanese, Koreans, Mexicans and a few US and EU academic
> > ones as well.. There are even some coming in as 0.0.0.0
> >
> > I have had a few responses from some of the ones I thought would take
> > action, some very sheepish IISadmins out there :-)
> >
> > We're averaging a new attempt every minute or so
> >
> > -= Ed
RE: default.ida?
Agreed, but only if you are not using the index server, or have no .ida files in your sites. Your best bet is to get the patch from Microsoft (if you haven't already).

If you are only seeing the request in your log files, then you are probably seeing the Code Red worm trying to get at your server. If it does get in, you'll find IIS will stop responding to page requests after a while.

Shawn Grover

-----Original Message-----
From: Neil Clark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 6:52 AM
To: CF-Talk
Subject: RE: default.ida?

.ida is part of the indexing service which is vulnerable to the hack via buffer overflow; you should remove the ISAPI filter from the IIS manager configuration
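Jay's point that a successful exploit never reaches the log, and Shawn's that a protected server does log the attempt, together mean the IIS log is where a defender can see who is probing and whether the .ida mapping is still answering. The script below is an added example for this thread, not code from any of the posters: it parses IIS W3C extended log lines, flags /default.ida requests whose query starts with the worm's run of N or X padding, counts probes per source /24 (the unit Ed bans), and reports whether any probe got a 200, which means the .ida ISAPI mapping is still in place. The log excerpt, source addresses (documentation ranges) and the short padding runs are constructed for the example; the real worm sent a few hundred padding bytes.

```python
"""Triage IIS W3C extended log lines for Code Red style /default.ida probes.

Added example for this thread. The log excerpt below is constructed
(documentation-range source addresses, truncated query strings), not
taken from anyone's real server.
"""
import ipaddress
import re
from collections import Counter

# Code Red v1/v2 padded the query with a long run of 'N'; Code Red II used 'X'.
# The real worms sent a few hundred padding bytes; the sample uses fewer.
PROBE_RE = re.compile(r"^(?P<pad>N+|X+)%u")

# Constructed W3C extended log excerpt (field list given by the #Fields line).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-02 14:01:07 203.0.113.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858=a 200
2001-08-02 14:02:11 203.0.113.9 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858=a 404
2001-08-02 14:03:30 198.51.100.23 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858=a 200
2001-08-02 14:03:31 198.51.100.24 GET /index.cfm - 200
2001-08-02 14:04:02 203.0.113.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858=a 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed line: skip rather than mis-attribute columns
        entries.append(dict(zip(fields, values)))
    return entries


def classify_probe(entry):
    """Return the worm family a log entry looks like, or None if it is not a probe."""
    if entry.get("cs-uri-stem", "").lower() != "/default.ida":
        return None
    m = PROBE_RE.match(entry.get("cs-uri-query", ""))
    if not m:
        return None
    return "CodeRed-II" if m.group("pad").startswith("X") else "CodeRed-v1/v2"


def summarize(entries, block_threshold=2):
    """Aggregate probes per source IP and per /24, the unit the thread bans on."""
    per_ip, per_net, families = Counter(), Counter(), Counter()
    mapping_answered = False
    for e in entries:
        family = classify_probe(e)
        if family is None:
            continue
        ip = e["c-ip"]
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        per_ip[ip] += 1
        per_net[net] += 1
        families[family] += 1
        # A 200 means the .ida ISAPI mapping is still answering requests;
        # a 404/403 means the mapping was removed (the mitigation Shawn mentions).
        if e["sc-status"] == "200":
            mapping_answered = True
    flagged = sorted(n for n, c in per_net.items() if c >= block_threshold)
    return {
        "per_ip": dict(per_ip),
        "per_net": dict(per_net),
        "families": dict(families),
        "flagged_nets": flagged,
        "ida_mapping_answered": mapping_answered,
    }


if __name__ == "__main__":
    report = summarize(parse_w3c(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["ida_mapping_answered"]:
        print("NOTE: /default.ida is still being served; confirm the patch "
              "or remove the .ida/.idq application mappings.")
```

A 200 in the log only tells you the mapping exists, not whether the patch is applied, so the note it prints is a prompt to check, not a verdict; conversely a 404 means the mapping is gone and the request never reached the vulnerable code. The threshold is per /24 because the thread's bans are per /24, but per-IP counts are kept for the usual case where a single infected host keeps coming back.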
RE: default.ida?
i know, i said it as a joke. Geesh, shame on you!

Michael T. Tangorre
Web Applications Developer

-----Original Message-----
From: James Maltby [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 10:52 AM
To: CF-Talk
Subject: RE: default.ida?

doh! If you didn't have red wormy you'll probably get it now - posting ip's to a chat list - shame on you... ;-)

J

-----Original Message-----
From: Edward Chanter [mailto:[EMAIL PROTECTED]]
Sent: 02 August 2001 15:50
To: CF-Talk
Subject: RE: default.ida?

193.122.20.5 - Production
193.122.20.8 - Development

Why?

> [...]
RE: default.ida?
Your system is "Patched! NT 4 system" according to the Code Red scanner.

Rich

-Original Message-
From: Edward Chanter [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 10:50 AM
To: CF-Talk
Subject: RE: default.ida?

193.122.20.5 - Production
193.122.20.8 - Development

Why?

> -Original Message-
> From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 3:34 PM
> To: CF-Talk
> Subject: RE: default.ida?
>
> What's your IP? :-)
>
> Michael T. Tangorre
> Web Applications Developer
> Office Phone: 703-558-4746
> Cellular Phone: 607-426-9277
> AIM: CrazyFlash4
> Personal Email: [EMAIL PROTECTED]
> Work Email: [EMAIL PROTECTED]
> School Email: [EMAIL PROTECTED]
>
> This Email contains MillenniuM Information Systems, LLC Privileged
> Information which is Customer or Business Sensitive.
>
> -Original Message-
> From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 10:32 AM
> To: CF-Talk
> Subject: RE: default.ida?
>
> > -Original Message-
> > > I don't actually think it's hysteria mate, do you want to see
> > > a copy of my IDS logs
> >
> > Not really, no. They tend to be boring and full of kidz getting 404's.
>
> :-) I did say IDS logs though, they filter out all the crap and only show me
> the ISAPI Extension Overflow errors.
>
> > > There are a large number of attacks going on as I write this
> >
> > Woo-wee - where have you been ? An ongoing scan of your system is a *FACT OF
> > LIFE* for a system on the internet. My dial-up gateway at home gets scanned !
>
> Tell me about it, then again, my server very rarely blocks anyone, so far
> today it's implemented over 300 /24 bans on various IP addresses in the last
> 12 hours. That is unusual.
>
> > > and anyone running an unpatched/unprotected IIS server needs to do something
> > > about it asap.
> >
> > No, anyone running an unpatched/unprotected IIS server on a public network
> > needs to be fired, as they're not doing their job. The patch was all over
> > BugTraq et al. well before Code Red was released.
>
> Agreed!
>
> > But, if you look at the domains from which these scans originate, most have
> > no reverse look-up, or are from ISP's like @home and those are just the
> > people who won't care, because Code Red version 2 is non destructive to the
> > local machine.
>
> Lots of Chinese, Japanese, Koreans, Mexicans and a few US and EU academic
> ones as well.. There are even some coming in as 0.0.0.0
>
> I have had a few responses from some of the ones I thought would take
> action, some very sheepish IISadmins out there :-)
>
> We're averaging a new attempt every minute or so
>
> -= Ed
RE: default.ida?
you are talking about the .htr bug
RE: default.ida?
James! Back to the UK cfug list! do some work!

> -Original Message-
> From: James Maltby [mailto:[EMAIL PROTECTED]]
> Sent: 02 August 2001 15:52
> To: CF-Talk
> Subject: RE: default.ida?
>
> doh! If you didn't have red wormy you'll probably get it now - posting IPs
> to a chat list - shame on you... ;-)
>
> J
>
> -Original Message-
> From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> Sent: 02 August 2001 15:50
> To: CF-Talk
> Subject: RE: default.ida?
>
> 193.122.20.5 - Production
> 193.122.20.8 - Development
>
> Why?
>
> > -Original Message-
> > From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, August 02, 2001 3:34 PM
> > To: CF-Talk
> > Subject: RE: default.ida?
> >
> > What's your IP? :-)
> >
> > Michael T. Tangorre
> > Web Applications Developer
> > Office Phone: 703-558-4746
> > Cellular Phone: 607-426-9277
> > AIM: CrazyFlash4
> > Personal Email: [EMAIL PROTECTED]
> > Work Email: [EMAIL PROTECTED]
> > School Email: [EMAIL PROTECTED]
> >
> > This Email contains MillenniuM Information Systems, LLC Privileged
> > Information which is Customer or Business Sensitive.
> >
> > -Original Message-
> > From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, August 02, 2001 10:32 AM
> > To: CF-Talk
> > Subject: RE: default.ida?
> >
> > > -Original Message-
> > > > I don't actually think it's hysteria mate, do you want to see
> > > > a copy of my IDS logs
> > >
> > > Not really, no. They tend to be boring and full of kidz getting 404's.
> >
> > :-) I did say IDS logs though, they filter out all the crap and only show me
> > the ISAPI Extension Overflow errors.
> >
> > > > There are a large number of attacks going on as I write this
> > >
> > > Woo-wee - where have you been ? An ongoing scan of your system is a *FACT OF
> > > LIFE* for a system on the internet. My dial-up gateway at home gets scanned !
> >
> > Tell me about it, then again, my server very rarely blocks anyone, so far
> > today it's implemented over 300 /24 bans on various IP addresses in the last
> > 12 hours. That is unusual.
> >
> > > > and anyone running an unpatched/unprotected IIS server needs to do something
> > > > about it asap.
> > >
> > > No, anyone running an unpatched/unprotected IIS server on a public network
> > > needs to be fired, as they're not doing their job. The patch was all over
> > > BugTraq et al. well before Code Red was released.
> >
> > Agreed!
> >
> > > But, if you look at the domains from which these scans originate, most have
> > > no reverse look-up, or are from ISP's like @home and those are just the
> > > people who won't care, because Code Red version 2 is non destructive to the
> > > local machine.
> >
> > Lots of Chinese, Japanese, Koreans, Mexicans and a few US and EU academic
> > ones as well.. There are even some coming in as 0.0.0.0
> >
> > I have had a few responses from some of the ones I thought would take
> > action, some very sheepish IISadmins out there :-)
> >
> > We're averaging a new attempt every minute or so
> >
> > -= Ed
RE: default.ida?
doh! If you didn't have red wormy you'll probably get it now - posting IPs
to a chat list - shame on you... ;-)

J

-Original Message-
From: Edward Chanter [mailto:[EMAIL PROTECTED]]
Sent: 02 August 2001 15:50
To: CF-Talk
Subject: RE: default.ida?

193.122.20.5 - Production
193.122.20.8 - Development

Why?

> -Original Message-
> From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 3:34 PM
> To: CF-Talk
> Subject: RE: default.ida?
>
> What's your IP? :-)
>
> Michael T. Tangorre
> Web Applications Developer
> Office Phone: 703-558-4746
> Cellular Phone: 607-426-9277
> AIM: CrazyFlash4
> Personal Email: [EMAIL PROTECTED]
> Work Email: [EMAIL PROTECTED]
> School Email: [EMAIL PROTECTED]
>
> This Email contains MillenniuM Information Systems, LLC Privileged
> Information which is Customer or Business Sensitive.
>
> -Original Message-
> From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 10:32 AM
> To: CF-Talk
> Subject: RE: default.ida?
>
> > -Original Message-
> > > I don't actually think it's hysteria mate, do you want to see
> > > a copy of my IDS logs
> >
> > Not really, no. They tend to be boring and full of kidz getting 404's.
>
> :-) I did say IDS logs though, they filter out all the crap and only show me
> the ISAPI Extension Overflow errors.
>
> > > There are a large number of attacks going on as I write this
> >
> > Woo-wee - where have you been ? An ongoing scan of your system is a *FACT OF
> > LIFE* for a system on the internet. My dial-up gateway at home gets scanned !
>
> Tell me about it, then again, my server very rarely blocks anyone, so far
> today it's implemented over 300 /24 bans on various IP addresses in the last
> 12 hours. That is unusual.
>
> > > and anyone running an unpatched/unprotected IIS server needs to do something
> > > about it asap.
> >
> > No, anyone running an unpatched/unprotected IIS server on a public network
> > needs to be fired, as they're not doing their job. The patch was all over
> > BugTraq et al. well before Code Red was released.
>
> Agreed!
>
> > But, if you look at the domains from which these scans originate, most have
> > no reverse look-up, or are from ISP's like @home and those are just the
> > people who won't care, because Code Red version 2 is non destructive to the
> > local machine.
>
> Lots of Chinese, Japanese, Koreans, Mexicans and a few US and EU academic
> ones as well.. There are even some coming in as 0.0.0.0
>
> I have had a few responses from some of the ones I thought would take
> action, some very sheepish IISadmins out there :-)
>
> We're averaging a new attempt every minute or so
>
> -= Ed
RE: default.ida?
I apologize for my "out of context" responses to this issue. Exchange server
problems earlier this morning delayed the messages and sent them in the wrong
order. :/

Sincerely,
Eric Carlisle
x4739
RE: default.ida?
193.122.20.5 - Production
193.122.20.8 - Development

Why?

> -Original Message-
> From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 3:34 PM
> To: CF-Talk
> Subject: RE: default.ida?
>
> What's your IP? :-)
>
> Michael T. Tangorre
> Web Applications Developer
> Office Phone: 703-558-4746
> Cellular Phone: 607-426-9277
> AIM: CrazyFlash4
> Personal Email: [EMAIL PROTECTED]
> Work Email: [EMAIL PROTECTED]
> School Email: [EMAIL PROTECTED]
>
> This Email contains MillenniuM Information Systems, LLC Privileged
> Information which is Customer or Business Sensitive.
>
> -Original Message-
> From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 10:32 AM
> To: CF-Talk
> Subject: RE: default.ida?
>
> > -Original Message-
> > > I don't actually think it's hysteria mate, do you want to see
> > > a copy of my IDS logs
> >
> > Not really, no. They tend to be boring and full of kidz getting 404's.
>
> :-) I did say IDS logs though, they filter out all the crap and only show me
> the ISAPI Extension Overflow errors.
>
> > > There are a large number of attacks going on as I write this
> >
> > Woo-wee - where have you been ? An ongoing scan of your system is a *FACT OF
> > LIFE* for a system on the internet. My dial-up gateway at home gets scanned !
>
> Tell me about it, then again, my server very rarely blocks anyone, so far
> today it's implemented over 300 /24 bans on various IP addresses in the last
> 12 hours. That is unusual.
>
> > > and anyone running an unpatched/unprotected IIS server needs to do something
> > > about it asap.
> >
> > No, anyone running an unpatched/unprotected IIS server on a public network
> > needs to be fired, as they're not doing their job. The patch was all over
> > BugTraq et al. well before Code Red was released.
>
> Agreed!
>
> > But, if you look at the domains from which these scans originate, most have
> > no reverse look-up, or are from ISP's like @home and those are just the
> > people who won't care, because Code Red version 2 is non destructive to the
> > local machine.
>
> Lots of Chinese, Japanese, Koreans, Mexicans and a few US and EU academic
> ones as well.. There are even some coming in as 0.0.0.0
>
> I have had a few responses from some of the ones I thought would take
> action, some very sheepish IISadmins out there :-)
>
> We're averaging a new attempt every minute or so
>
> -= Ed
RE: default.ida?
What's your IP? :-)

Michael T. Tangorre
Web Applications Developer
Office Phone: 703-558-4746
Cellular Phone: 607-426-9277
AIM: CrazyFlash4
Personal Email: [EMAIL PROTECTED]
Work Email: [EMAIL PROTECTED]
School Email: [EMAIL PROTECTED]

This Email contains MillenniuM Information Systems, LLC Privileged
Information which is Customer or Business Sensitive.

-Original Message-
From: Edward Chanter [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 10:32 AM
To: CF-Talk
Subject: RE: default.ida?

> -Original Message-
> > I don't actually think it's hysteria mate, do you want to see
> > a copy of my IDS logs
>
> Not really, no. They tend to be boring and full of kidz getting 404's.

:-) I did say IDS logs though, they filter out all the crap and only show me
the ISAPI Extension Overflow errors.

> > There are a large number of attacks going on as I write this
>
> Woo-wee - where have you been ? An ongoing scan of your system is a *FACT OF
> LIFE* for a system on the internet. My dial-up gateway at home gets scanned !

Tell me about it, then again, my server very rarely blocks anyone, so far
today it's implemented over 300 /24 bans on various IP addresses in the last
12 hours. That is unusual.

> > and anyone running an unpatched/unprotected IIS server needs to do something
> > about it asap.
>
> No, anyone running an unpatched/unprotected IIS server on a public network
> needs to be fired, as they're not doing their job. The patch was all over
> BugTraq et al. well before Code Red was released.

Agreed!

> But, if you look at the domains from which these scans originate, most have
> no reverse look-up, or are from ISP's like @home and those are just the
> people who won't care, because Code Red version 2 is non destructive to the
> local machine.

Lots of Chinese, Japanese, Koreans, Mexicans and a few US and EU academic
ones as well.. There are even some coming in as 0.0.0.0

I have had a few responses from some of the ones I thought would take
action, some very sheepish IISadmins out there :-)

We're averaging a new attempt every minute or so

-= Ed
RE: default.ida?
> -Original Message-
> > I don't actually think it's hysteria mate, do you want to see
> > a copy of my IDS logs
>
> Not really, no. They tend to be boring and full of kidz getting 404's.

:-) I did say IDS logs though, they filter out all the crap and only show me
the ISAPI Extension Overflow errors.

> > There are a large number of attacks going on as I write this
>
> Woo-wee - where have you been ? An ongoing scan of your system is a *FACT OF
> LIFE* for a system on the internet. My dial-up gateway at home gets scanned !

Tell me about it, then again, my server very rarely blocks anyone, so far
today it's implemented over 300 /24 bans on various IP addresses in the last
12 hours. That is unusual.

> > and anyone running an unpatched/unprotected IIS server needs to do something
> > about it asap.
>
> No, anyone running an unpatched/unprotected IIS server on a public network
> needs to be fired, as they're not doing their job. The patch was all over
> BugTraq et al. well before Code Red was released.

Agreed!

> But, if you look at the domains from which these scans originate, most have
> no reverse look-up, or are from ISP's like @home and those are just the
> people who won't care, because Code Red version 2 is non destructive to the
> local machine.

Lots of Chinese, Japanese, Koreans, Mexicans and a few US and EU academic
ones as well.. There are even some coming in as 0.0.0.0

I have had a few responses from some of the ones I thought would take
action, some very sheepish IISadmins out there :-)

We're averaging a new attempt every minute or so

-= Ed
RE: default.ida?
Yup. Some hole in IIS that permits viewing the source of ASP pages (wonder if
it works for CF as well). There's a patch for it. Search around at
http://www.microsoft.com/security/ .

Regards,
Eric Carlisle

-Original Message-
From: Michael Lugassy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 9:50 AM
To: CF-Talk
Subject: default.ida?

I keep seeing on the log files some default.ida request.
Are those hacking attempts? What does this file do?

Michael.
RE: default.ida?
the point is this: if you're logging requests for default.ida, it does NOT
necessarily mean you are infected with Code Red. and whether you see requests
for .ida or .idq, it is practical - especially with the recent release of free
tools - to scan your system and take appropriate measures to best protect your
system.

-Original Message-
From: Edward Chanter [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 7:03 AM
To: CF-Talk
Subject: RE: default.ida?

I don't actually think it's hysteria mate, do you want to see a copy of my
IDS logs

There are a large number of attacks going on as I write this and anyone
running an unpatched/unprotected IIS server needs to do something about it
asap.

best wishes,

-= Ed

"If you want others to be happy, practice compassion.
If you want to be happy, practice compassion."
~The 14th Dalai Lama
RE: default.ida?
> I don't actually think it's hysteria mate, do you want to see
> a copy of my IDS logs There are a large number of attacks
> going on as I write this and anyone running an unpatched/
> unprotected IIS server needs to do something about it asap.

I think that Mr. Chiverton's complaint was that simply seeing a request
doesn't mean that the server is infected. My servers are receiving quite a
few of these requests, for example, although they've been patched and don't
respond to .ida requests in any case. If the server had been patched in late
June when the patch became available, or if the unused ISAPI mappings had
been removed per the IIS configuration guidelines
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iischk.asp)
then the server wouldn't be vulnerable.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
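The distinction several posters in this thread are making (requests for default.ida in your own web log show that you are being scanned, not that you are infected, and a patched server with the .ida mapping removed answers them with a 404) can be checked directly against IIS logs. The script below is an added example written for this page; it is not code from Dave Watts, Thomas Chiverton or any other list member. It assumes the IIS W3C extended log format with the field order given in the embedded `#Fields` line, and the sample log lines (addresses from the documentation ranges, the worm's long query string truncated to a short run of `N`s) are constructed for the example.

```python
"""Triage IIS W3C extended log lines for .ida/.idq probe traffic.

Added example for the default.ida thread; not code from any list member.
Field layout assumed (W3C extended, taken from the #Fields directive):
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
"""
from collections import Counter
from datetime import datetime

# Constructed sample log, not taken from anyone's server.  Addresses are from
# the documentation ranges.  The real worm's query string was a long run of
# "N" characters followed by %u-encoded data; it is truncated here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-02 09:13:05 203.0.113.17 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN 404
2001-08-02 09:13:44 198.51.100.9 GET /index.cfm - 200
2001-08-02 09:14:10 203.0.113.17 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN 404
2001-08-02 09:15:02 192.0.2.200 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN 404
2001-08-02 09:16:31 192.0.2.77 GET /query.idq - 200
2001-08-02 09:17:58 203.0.113.99 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN 404
"""

# Extensions served by the Indexing Service ISAPI extension (the .ida/.idq
# script mappings the thread talks about removing).
INDEXING_EXTENSIONS = (".ida", ".idq")


def parse_w3c(text):
    """Yield one dict per data line, naming fields from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess
        yield dict(zip(fields, values))


def is_indexing_probe(rec):
    """True if the request targeted an Indexing Service extension."""
    return rec.get("cs-uri-stem", "").lower().endswith(INDEXING_EXTENSIONS)


def triage(text):
    """Summarise inbound .ida/.idq requests found in a log.

    These are requests *to* this server, so they show it is being scanned,
    not that it is infected.  A 404 means IIS had no script mapping (or file)
    to hand the request to; a 200 means the ISAPI extension answered it, so
    the mapping is still present and the patch level must be verified.
    """
    probes = [r for r in parse_w3c(text) if is_indexing_probe(r)]
    by_source = Counter(r["c-ip"] for r in probes)
    by_status = Counter(r["sc-status"] for r in probes)

    # Mean interval between probes (the "new attempt every minute" figure).
    times = sorted(
        datetime.fromisoformat(f"{r['date']} {r['time']}") for r in probes
    )
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else None

    return {
        "probe_count": len(probes),
        "by_source": dict(by_source),
        "by_status": dict(by_status),
        "mean_gap_seconds": mean_gap,
        # Requests the extension actually served: confirm mapping/patch state.
        "needs_verification": [r for r in probes if r["sc-status"] == "200"],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['probe_count']} indexing-service probes")
    print("by source:", summary["by_source"])
    print("by status:", summary["by_status"])
    if summary["mean_gap_seconds"] is not None:
        print(f"mean interval: {summary['mean_gap_seconds']:.0f}s")
    for r in summary["needs_verification"]:
        print("served by ISAPI extension, verify patch:", r["cs-uri-stem"])
```

Run against the sample, the script reports five probes from four sources, four answered with 404 and one .idq request that the extension served; only that last one is worth following up, and it is followed up by checking the server's own mapping and patch state, not by anything in the log. Nothing in a web access log can show whether the host itself is infected, which is the point the thread keeps returning to.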
Re: default.ida?
Edward Chanter wrote:
> I don't actually think it's hysteria mate, do you want to see a copy of my
> IDS logs There are a large number of attacks going on as I write this
> and anyone running an unpatched/unprotected IIS server needs to do something
> about it asap.

So let's establish first whether somebody is running IIS, then whether it is
unpatched, then whether it is unprotected and only if the answer to all of
those is "Yes" is it time to shoot the administrator. IMHO, before all of
those are established, screaming that some server is infected qualifies as
hysteria.

Jochem
RE: default.ida?
> I don't actually think it's hysteria mate, do you want to see
> a copy of my IDS logs

Not really, no. They tend to be boring and full of kidz getting 404's.

> There are a large number of attacks going on as I write this

Woo-wee - where have you been ? An ongoing scan of your system is a *FACT OF
LIFE* for a system on the internet. My dial-up gateway at home gets scanned !

> and anyone running an unpatched/unprotected IIS server needs to do something
> about it asap.

No, anyone running an unpatched/unprotected IIS server on a public network
needs to be fired, as they're not doing their job. The patch was all over
BugTraq et al. well before Code Red was released.

But, if you look at the domains from which these scans originate, most have
no reverse look-up, or are from ISP's like @home and those are just the
people who won't care, because Code Red version 2 is non destructive to the
local machine.
RE: default.ida?
> > Has the .ida mapping been removed too (that would give you an error like
> > you're seeing) ?
> (YES)

Well, guess why your .ida URL fails then ?
RE: default.ida?
I don't actually think it's hysteria mate, do you want to see a copy of my
IDS logs

There are a large number of attacks going on as I write this and anyone
running an unpatched/unprotected IIS server needs to do something about it
asap.

best wishes,

-= Ed

"If you want others to be happy, practice compassion.
If you want to be happy, practice compassion."
~The 14th Dalai Lama
RE: default.ida?
Thanks Tom.

> Did you install it ?
(YES)
> Have you verified it ?
(YES)
> Has the .ida mapping been removed too (that would give you an error like
> you're seeing) ?
(YES)

-Original Message-
From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 9:51 AM
To: CF-Talk
Subject: RE: default.ida?

> Here is my scenario. I view the stats on my web site, and the page
> requested is default.ida. Now those requests are on my list of error pages
> not found. Does this mean that I have Code Red, or does this mean that Code
> Red is trying to get into my system?

If it's coming from seemingly random IP's, it's Code Red knocking.

> According to what you are saying, I have Code Red, but the patch has
> already been installed on my server.

Did you install it ? Have you verified it ? Has the .ida mapping been removed
too (that would give you an error like you're seeing) ?

Ignore Ed - his sort of hysteria is exactly the wrong course of action, and
seems to have been inflamed by over the top media coverage. MS released the
patch a *month* ago FFS, if you're only just doing a heads-up to it, imho,
you shouldn't be running a web server.
RE: default.ida?
That's right (whoops). I'm getting this confused with something else. Not
sure if there is a patch for this after all.

-Original Message-
From: Neil Clark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 8:52 AM
To: CF-Talk
Subject: RE: default.ida?

.ida is part of the indexing service which is vulnerable to the hack via
buffer overflow; you should remove the ISAPI filter from the IIS manager
configuration
RE: default.ida?
> Here is my scenario. I view the stats on my web site, and the page
> requested is default.ida. Now those requests are on my list of error pages
> not found. Does this mean that I have Code Red, or does this mean that Code
> Red is trying to get into my system?

If it's coming from seemingly random IP's, it's Code Red knocking.

> According to what you are saying, I have Code Red, but the patch has
> already been installed on my server.

Did you install it ? Have you verified it ? Has the .ida mapping been removed
too (that would give you an error like you're seeing) ?

Ignore Ed - his sort of hysteria is exactly the wrong course of action, and
seems to have been inflamed by over the top media coverage. MS released the
patch a *month* ago FFS, if you're only just doing a heads-up to it, imho,
you shouldn't be running a web server.
RE: default.ida?
Do you run IIS? If you don't run IIS or have applied the latest MS patches
and rebooted you have nothing to worry about.

Rich

-Original Message-
From: Chuck Hergenroeder [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 9:37 AM
To: CF-Talk
Subject: RE: default.ida?

Here is my scenario. I view the stats on my web site, and the page requested
is default.ida. Now those requests are on my list of error pages not found.
Does this mean that I have Code Red, or does this mean that Code Red is
trying to get into my system? According to what you are saying, I have Code
Red, but the patch has already been installed on my server.

-Original Message-
From: Edward Chanter [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 9:13 AM
To: CF-Talk
Subject: RE: default.ida?

> -Original Message-
> > I keep seeing on the log files some default.ida request.
> > Are those hacking attempts? What does this file do?

YOU ARE INFECTED WITH CODE RED

Please shut down your IIS, patch it and then restart!

best wishes,

-= Ed

"If you want others to be happy, practice compassion.
If you want to be happy, practice compassion."
~The 14th Dalai Lama
RE: default.ida?
Here is my scenario. I view the stats on my web site, and the page requested
is default.ida. Now those requests are on my list of error pages not found.
Does this mean that I have Code Red, or does this mean that Code Red is
trying to get into my system? According to what you are saying, I have Code
Red, but the patch has already been installed on my server.

-Original Message-
From: Edward Chanter [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 9:13 AM
To: CF-Talk
Subject: RE: default.ida?

> -Original Message-
> > I keep seeing on the log files some default.ida request.
> > Are those hacking attempts? What does this file do?

YOU ARE INFECTED WITH CODE RED

Please shut down your IIS, patch it and then restart!

best wishes,

-= Ed

"If you want others to be happy, practice compassion.
If you want to be happy, practice compassion."
~The 14th Dalai Lama
Re: default.ida?
To find that entry in your logs does not mean that you're infected, obviously.

- Original Message -
From: "Edward Chanter" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, August 02, 2001 3:13 PM
Subject: RE: default.ida?

> > -Original Message-
> > > I keep seeing on the log files some default.ida request.
> > > Are those hacking attempts? What does this file do?
>
> YOU ARE INFECTED WITH CODE RED
>
> Please shut down your IIS, patch it and then restart!
>
> best wishes,
>
> -= Ed
>
> "If you want others to be happy, practice compassion.
> If you want to be happy, practice compassion."
> ~The 14th Dalai Lama
Re: default.ida?
Michael Lugassy wrote:
> I keep seeing on the log files some default.ida request.
> are those hacking attempts? what does this file do?

You've got to be kidding. Doesn't "Code Red" ring any bells?

Jochem
RE: default.ida?
> -----Original Message-----
> > I keep seeing on the log files some default.ida request.
> > are those hacking attempts? what does this file do?

YOU ARE INFECTED WITH CODE RED

Please shut down your IIS, patch it and then restart!

best wishes,
-= Ed

"If you want others to be happy, practice compassion. If you want to be happy, practice compassion." ~The 14th Dalai Lama
RE: default.ida?
Michael,

The .ida extension is used as part of Microsoft Indexing Services for IIS. It is currently the focal point for the Code Red worm that is in the press. If you have not patched your server, you may want to download the patch from Microsoft and read the associated press release.

- Steve Johnson

-----Original Message-----
From: Michael Lugassy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 9:50 AM
To: CF-Talk
Subject: default.ida?

I keep seeing on the log files some default.ida request.
are those hacking attempts? what does this file do?

Michael.
RE: default.ida?
Index server, similar to .idq I think. I'm pretty sure that's one of the ways the Code Red worm tries to get in. We don't use Index Server here, so we disabled all references to it in IIS application management.

-----Original Message-----
From: Michael Lugassy [mailto:[EMAIL PROTECTED]]
Sent: 02 August 2001 14:50
To: CF-Talk
Subject: default.ida?

I keep seeing on the log files some default.ida request.
are those hacking attempts? what does this file do?

Michael.
RE: default.ida?
> I keep seeing on the log files some default.ida request.
> are those hacking attempts? what does this file do?

If you're running IIS, you're probably in trouble.
RE: default.ida?
.ida is part of the Indexing Service, which is vulnerable to the hack via a buffer overflow; you should remove the ISAPI filter from the IIS manager configuration.