Solved

CODE RED

Posted on 2001-08-31
6
113 Views
Last Modified: 2010-04-13
My server seems to be getting a lot of requests for something like /default.ida xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
My logs indicate the IP address(es). How can I find out the owner of the IP so I can contact them and notify them of the problem? For some reason most of the attacks seem to be coming from the same network range as my server.
0
Comment
Question by:CUTTHEMUSIC
6 Comments
 
LVL 5

Accepted Solution

by:
matt023 earned 15 total points
ID: 6447022
Do an nslookup on the IP address. Once you get the hostname, you'll be able to determine the domain name of the host. You can then go to a site like register.com and type in the domain name. You should be able to get contact information from it.
0
 
LVL 32

Expert Comment

by:jhance
ID: 6447413
I wouldn't fool with this.  

The people who are now running servers that are still being infected with CodeRed don't have a clue and even if you were able to contact them, they would not be able to understand what to do.  

So unless you are prepared to walk them through a fix, just ignore it or put a block on their IP if it's overloading your server.
0
 
LVL 10

Expert Comment

by:HDWILKINS
ID: 6448032
Go to www.zonealarm.com and download a personal firewall onto that server this minute.

Look at your security logs and see who is trying to log on to what - and which ones are being unsuccessful.

I'd change every password on the server for every user.

My experience is based on an over the network attack by SirCam virus which started out similarly to what you are seeing.

0

 
LVL 32

Expert Comment

by:jhance
ID: 6448713
>>My experience is based on an over the network attack by SirCam virus which started out similarly to what you are seeing.

The CODE RED is unrelated to the SirCam virus.  Both their propagation methods and their host computers are different.

CODE RED propagates itself directly from system to system and it targets NT and 2000 IIS installations only.  It makes attempts on ANY web server but only IIS is able to be infected.  But it's clear that CUTTHEMUSIC has already applied the CODE RED patch from MS so it's not a problem other than just the network "noise" being generated by infested systems "trolling" for more victims.

ZoneAlarm will NOT help here nor is it needed. I'm assuming, of course, that the intent is to run IIS as a server on this machine.
0
 
LVL 2

Author Comment

by:CUTTHEMUSIC
ID: 6453626
How do I do an nslookup?
0
 
LVL 5

Expert Comment

by:matt023
ID: 6455037
You said you have the IP address of the host, correct?  Just do:  nslookup <ip_address>
You'll get the name back, i.e.:  www.domain.com.  Now you know the domain name.  Go to www.register.com and look up the contact for the domain.

Of course, if the host doesn't have its PTR record registered, you won't be able to find out anything.  However, since it's most likely an IIS server, the PTR record is probably registered.
0
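For readers triaging the same log noise, here is an added example that is not part of any post in this thread: it tallies `/default.ida` requests per source IP from an IIS log, rolls them up by /24 to show the "same network range" clustering the question describes, and performs the reverse (PTR) lookup that `nslookup <ip_address>` does. The W3C field layout, the sample log lines (documentation address ranges) and the function names are assumptions made for illustration.

```python
import ipaddress
import socket
from collections import Counter

# Constructed sample in IIS W3C extended format; not taken from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-31 10:01:02 192.0.2.17 GET /default.ida XXXXXXXXXXXXXXXX 404
2001-08-31 10:01:09 192.0.2.44 GET /default.ida XXXXXXXXXXXXXXXX 404
2001-08-31 10:02:30 203.0.113.5 GET /index.html - 200
2001-08-31 10:03:11 192.0.2.17 GET /Default.ida XXXXXXXXXXXXXXXX 404
2001-08-31 10:04:00 198.51.100.9 GET /default.ida XXXXXXXXXXXXXXXX 404
"""

def probe_sources(log_text, stem="/default.ida"):
    """Count requests for `stem` per client IP, using the #Fields header."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # IIS paths are case-insensitive, so compare in lower case.
        if row.get("cs-uri-stem", "").lower() == stem and "c-ip" in row:
            hits[row["c-ip"]] += 1
    return hits

def by_network(hits, prefix=24):
    """Roll per-IP counts up to /prefix networks to show clustering."""
    nets = Counter()
    for ip, n in hits.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)] += n
    return nets

def ptr_name(ip, resolver=socket.gethostbyaddr):
    """Reverse (PTR) lookup; returns None when the host has no PTR record."""
    try:
        return resolver(ip)[0]
    except OSError:                     # covers socket.herror / socket.gaierror
        return None

if __name__ == "__main__":
    hits = probe_sources(SAMPLE_LOG)
    for net, n in by_network(hits).most_common():
        print(net, n)
    for ip in hits:
        print(ip, ptr_name(ip) or "no PTR record")
```

The `resolver` parameter exists so the lookup can be stubbed out when the script runs without network access.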
