Solved

CODE RED

Posted on 2001-08-31
Last Modified: 2010-04-13
My server seems to be getting a lot of requests for something like /default.ida xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
My logs indicate the IP address(es). How can I find out the owner of the IP so I can contact them and notify them of the problem? For some reason most of the attacks seem to be coming from the same network range as my server.
Question by:CUTTHEMUSIC
6 Comments
 
LVL 5

Accepted Solution

by:
matt023 earned 60 total points
ID: 6447022
Do an nslookup on the IP address. Once you get the hostname, you'll be able to determine the domain name of the host. You can then go to a site like register.com and type in the domain name. You should be able to get contact information from it.
 
LVL 32

Expert Comment

by:jhance
ID: 6447413
I wouldn't fool with this.  

The people who are now running servers that are still being infected with CodeRed don't have a clue and even if you were able to contact them, they would not be able to understand what to do.  

So unless you are prepared to walk them through a fix, just ignore it or put a block on their IP if it's overloading your server.
 
LVL 10

Expert Comment

by:HDWILKINS
ID: 6448032
Go to www.zonealarm.com and download a personal firewall onto that server this minute.

Look at your security logs and see who is trying to log on to what - and which ones are being unsuccessful.

I'd change every password on the server for every user.

My experience is based on an over the network attack by SirCam virus which started out similarly to what you are seeing.

 
LVL 32

Expert Comment

by:jhance
ID: 6448713
>> My experience is based on an over the network attack by SirCam virus which started out similarly to what you are seeing.

The CODE RED is unrelated to the SirCam virus. Both their propagation methods and their host computers are different.

CODE RED propagates itself directly from system to system and it targets NT and 2000 IIS installations only. It makes attempts on ANY web server but only IIS is able to be infected. But it's clear that CUTTHEMUSIC has already applied the CODE RED patch from MS, so it's not a problem other than just the network "noise" being generated by infested systems "trolling" for more victims.

ZoneAlarm will NOT help here nor is it needed. I'm assuming, of course, that the intent is to run IIS as a server on this machine.
 
LVL 2

Author Comment

by:CUTTHEMUSIC
ID: 6453626
How do I do an nslookup?
 
LVL 5

Expert Comment

by:matt023
ID: 6455037
You said you have the IP address of the host, correct? Just do: nslookup <ip_address>
You'll get the name back, i.e. www.domain.com. Now you know the domain name. Go to www.register.com and look up the contact for the domain.

Of course, if the host doesn't have its PTR record registered, you won't be able to find out anything. However, since it's most likely an IIS server, the PTR record is probably registered.
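An added example (editor's code, not from the poster or any of the commenters) that ties the two technical threads of this question together: picking the Code Red probes out of the IIS log described in the question, counting them per source address and flagging the ones inside the server's own netblock, and then doing the reverse lookup that matt023 describes, with the no-PTR case handled instead of erroring out. Assumptions: the log is IIS W3C extended format with the field set shown in the constructed sample (TEST-NET addresses, not real ones); a run of at least ten X or N characters after /default.ida is treated as the worm's padding (real probes carry several hundred, with X for the original Code Red and N for Code Red II); and registrable_domain() naively keeps the last two labels, which is wrong for ccSLDs such as .co.uk. The server's own range is passed in as a CIDR string.

```python
"""Triage Code Red probe hits from an IIS W3C extended log: count them per
source IP, flag sources inside our own netblock, and resolve PTR records so
the owning domain can be looked up for a contact.
Added example; the log lines below are constructed, not from the poster."""
import ipaddress
import re
import socket
from collections import Counter

# Constructed sample log. Two sources sit in the server's own 192.0.2.0/24
# (TEST-NET-1); the third is elsewhere. The %u9090%u6858... tail is the
# start of the worm's encoded shellcode as IIS records it in cs-uri-query.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-31 09:12:01 192.0.2.77 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404
2001-08-31 09:12:05 192.0.2.77 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a 404
2001-08-31 09:13:40 192.0.2.130 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a 404
2001-08-31 09:14:02 198.51.100.9 GET /default.ida XXXXXXXXXXXXXXXXXX%u9090%u6858%u00=a 404
2001-08-31 09:15:00 198.51.100.9 GET /index.html - 200
"""

# Assumption: >= 10 padding characters is enough to call it the worm.
PADDING_RE = re.compile(r"^(?P<pad>X{10,}|N{10,})")


def classify_probe(uri_stem, uri_query):
    """Return 'CodeRed' (X padding), 'CodeRed II' (N padding) or None."""
    if uri_stem.lower() != "/default.ida":
        return None
    m = PADDING_RE.match(uri_query)
    if not m:
        return None
    return "CodeRed II" if m.group("pad").startswith("N") else "CodeRed"


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def triage(text, own_net):
    """Map each probing c-ip to (hit_count, variant, inside_own_netblock)."""
    net = ipaddress.ip_network(own_net, strict=False)
    hits = Counter()
    variant = {}
    for rec in parse_w3c(text):
        kind = classify_probe(rec["cs-uri-stem"], rec["cs-uri-query"])
        if kind is None:
            continue
        hits[rec["c-ip"]] += 1
        variant[rec["c-ip"]] = kind
    return {ip: (n, variant[ip], ipaddress.ip_address(ip) in net)
            for ip, n in hits.items()}


def reverse_lookup(ip):
    """PTR lookup, the programmatic equivalent of `nslookup <ip>`.
    Returns None when the address has no PTR record or DNS is unreachable."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def registrable_domain(hostname):
    """Naively keep the last two labels (www.domain.com -> domain.com).
    Assumption: two-label suffix; .co.uk-style ccSLDs need a suffix list."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def report(text, own_net):
    """Busiest sources first, with PTR name and domain where a PTR exists."""
    rows = []
    for ip, (n, kind, local) in sorted(triage(text, own_net).items(),
                                       key=lambda kv: -kv[1][0]):
        host = reverse_lookup(ip)
        rows.append({"ip": ip, "hits": n, "variant": kind,
                     "own_netblock": local, "ptr": host,
                     "domain": registrable_domain(host) if host else None})
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG, "192.0.2.0/24"):
        print(row)
```

Run against a real IIS log with your own CIDR in place of 192.0.2.0/24 and the own_netblock column answers the question's observation directly: neighbours in the same range get probed first because the worm weights its target selection toward nearby addresses. When the PTR is missing, the address's netblock registration at the regional registry's whois server (ARIN, RIPE, APNIC) still names an abuse contact, so the domain route is a convenience, not the only one.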
