If using IIS 4.0, be sure you aren't using the native HTTP redirects. The
malformed URLs sent by Code Red probes cause Web services to shut down
when implementing this configuration even if your server is not infected.
eEye's tool does not detect this as a security hole.
If you're using these
On eeye.com there is a full analysis including the probe signature which
you could capture with a sniffer.
From: Zangara, Jim
Subject: RE: Code Red Got me - one more quick thing
What could I check to see if my server is sending out these broadcasts
to infect others? I have these guys isolated so it should be easy to see
the traffic. I have a Fluke and logging enabled on the websites.
W2K IIS5
Thanks
To: NT System Admin Issues
Subject: RE: Code Red Got me - one more quick thing
Run netstat.
See if the machine is connecting to a lot of different arbitrary other
IPs through port 80.
jlc
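
One way to apply the netstat check suggested above, as an added example that is not part of the original thread: it parses saved `netstat -an` output and separates connections the host opened to remote port 80 from visitors hitting its own web server. The sample output is constructed, and the function names and the threshold of 3 distinct hosts are assumptions.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -an` output (documentation-range IPs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            198.51.100.20:3312     ESTABLISHED
  TCP    10.0.0.5:1045          203.0.113.7:80         SYN_SENT
  TCP    10.0.0.5:1046          203.0.113.91:80        SYN_SENT
  TCP    10.0.0.5:1047          192.0.2.14:80          SYN_SENT
  TCP    10.0.0.5:1048          192.0.2.200:80         ESTABLISHED
  TCP    10.0.0.5:1049          192.0.2.200:80         TIME_WAIT
  UDP    0.0.0.0:135            *:*
"""

# Proto, local addr:port, foreign addr:port, state (TCP rows only).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def outbound_port80(netstat_text):
    """Return (distinct remote IPs, Counter of TCP states) for connections
    this host opened to remote port 80."""
    remotes, states = set(), Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        _local_ip, local_port, remote_ip, remote_port, state = m.groups()
        # Local port 80 is a client talking to our own web server (inbound).
        if remote_port != "80" or local_port == "80":
            continue
        remotes.add(remote_ip)
        states[state] += 1
    return remotes, states


def looks_like_scanning(netstat_text, min_remotes=3):
    """True when the host talks to at least min_remotes distinct IPs on port 80.
    The threshold is an assumed value; tune it to the server's normal traffic."""
    remotes, _states = outbound_port80(netstat_text)
    return len(remotes) >= min_remotes


if __name__ == "__main__":
    ips, st = outbound_port80(SAMPLE)
    print(sorted(ips), dict(st), looks_like_scanning(SAMPLE))
```

A high count of SYN_SENT rows is worth noting separately, since those are connection attempts that have not been answered.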
-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent