CODE RED

Posted on 2001-08-31 (Solved; last modified 2010-04-13)
My server seems to be getting a lot of requests for something like /default.ida xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
My logs indicate the IP address(es). How can I find out the owner of the IP so I can contact them and notify them of the problem? For some reason most of the attacks seem to be coming from the same network range as my server.
Question by: CUTTHEMUSIC
6 Comments
Accepted Solution

by: matt023 (earned 15 total points)
Do an nslookup on the IP address. Once you get the hostname, you'll be able to determine the domain name of the host. You can then go to a site like register.com and type in the domain name. You should be able to get contact information from it.
Expert Comment

by: jhance
I wouldn't fool with this.  

The people who are now running servers that are still being infected with CodeRed don't have a clue and even if you were able to contact them, they would not be able to understand what to do.  

So unless you are prepared to walk them through a fix, just ignore it or put a block on their IP if it's overloading your server.
Expert Comment

by: HDWILKINS
Go to www.zonealarm.com and download a personal firewall onto that server this minute.

Look at your security logs and see who is trying to log on to what - and which ones are being unsuccessful.

I'd change every password on the server for every user.

My experience is based on an over the network attack by SirCam virus which started out similarly to what you are seeing.

Expert Comment

by: jhance
>> My experience is based on an over the network attack by SirCam virus which started out similarly to what you are seeing.

The CODE RED is unrelated to the SirCam virus. Both their propagation methods and their host computers are different.

CODE RED propagates itself directly from system to system and it targets NT and 2000 IIS installations only. It makes attempts on ANY web server, but only IIS is able to be infected. But it's clear that CUTTHEMUSIC has already applied the CODE RED patch from MS, so it's not a problem other than just the network "noise" being generated by infested systems "trolling" for more victims.

ZoneAlarm will NOT help here nor is it needed. I'm assuming, of course, that the intent is to run IIS as a server on this machine.
Author Comment

by: CUTTHEMUSIC
How do I do an nslookup?
Expert Comment

by: matt023
You said you have the IP address of the host, correct? Just do: nslookup <ip_address>
You'll get the name back, i.e. www.domain.com. Now you know the domain name. Go to www.register.com and look up the contact for the domain.

Of course, if the host doesn't have its PTR record registered, you won't be able to find out anything. However, since it's most likely an IIS server, the PTR record is probably registered.
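Putting the two steps from matt023's answers together (pull the probing addresses out of the IIS log, then prepare the reverse lookup), here is an added Python example; it is not part of the original thread. It parses a few constructed IIS W3C extended log lines, flags the Code Red probe pattern (a GET for /default.ida whose query begins with a long run of 'N', as the original worm sent, or 'X', as Code Red II sent), counts probes per source address, derives the in-addr.arpa name that nslookup queries for the PTR record, and notes whether the source sits in the same /16 as the server, which is what the asker observed. The log lines, the server address 192.0.2.10 and the 32-character run threshold are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of an IIS 5.0 W3C extended log (not taken from the original post).
# In this format the URI stem and the query are separate fields, which is why the
# asker sees "/default.ida xxxx..." with a space. The worm's real query is much longer;
# only the start of it matters for detection here.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-08-31 10:01:12 192.0.2.45 GET /default.ida {'X' * 40}%u9090%u6858%ucbd3%u7801=a 404",
    f"2001-08-31 10:01:40 192.0.2.45 GET /default.ida {'X' * 40}%u9090%u6858%ucbd3%u7801=a 404",
    f"2001-08-31 10:02:03 198.51.100.7 GET /default.ida {'N' * 40}%u9090%u6858%ucbd3%u7801=a 404",
    "2001-08-31 10:02:30 203.0.113.9 GET /index.html - 200",
    # A request for default.ida that is NOT the worm pattern; it must not be flagged.
    "2001-08-31 10:03:01 192.0.2.200 GET /default.ida foo 404",
])

# Assumed threshold: a run of at least 32 'N' or 'X' characters at the start of the query.
CODE_RED_QUERY = re.compile(r"^[NX]{32,}")


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other directives (#Software, #Version, #Date)
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):     # skip truncated or malformed lines
            continue
        records.append(dict(zip(fields, parts)))
    return records


def is_code_red_probe(rec):
    """True when the record is a GET for /default.ida with the worm's long N/X run."""
    return (rec.get("cs-method") == "GET"
            and rec.get("cs-uri-stem", "").lower() == "/default.ida"
            and CODE_RED_QUERY.match(rec.get("cs-uri-query", "")) is not None)


def attacking_ips(text):
    """Count Code Red probes per source address (c-ip)."""
    return Counter(r["c-ip"] for r in parse_w3c(text) if is_code_red_probe(r))


def reverse_name(ip):
    """The in-addr.arpa name that 'nslookup <ip>' asks for when it looks up the PTR record."""
    return ipaddress.ip_address(ip).reverse_pointer


def same_slash16(ip, server_ip):
    """Does the source share the server's /16? (the asker noticed most probes came from nearby)"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{server_ip}/16", strict=False)


def report(text, server_ip):
    """One row per probing address, most active first, with the lookup to run next."""
    return [
        {
            "ip": ip,
            "probes": n,
            "ptr_query": reverse_name(ip),
            "nslookup": f"nslookup {ip}",
            "same_16_as_server": same_slash16(ip, server_ip),
        }
        for ip, n in attacking_ips(text).most_common()
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG, "192.0.2.10"):   # 192.0.2.10 is an assumed server address
        print(row)
```

The script only prints the nslookup command for each address; the PTR and whois lookups themselves need network access and are left to the reader. If no PTR record exists (the caveat in the answer above), a whois query on the IP address itself against the regional registry still returns the netblock owner's abuse contact, which is usually the more reliable route for reporting a scanning host than looking up the domain on register.com.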
