Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 122
  • Last Modified:

CODE RED

My server seems to be getting alot of reguests for something like /default.ida xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
my logs indicate the ip address(s). How can I find out the owner of the ip so I can contact them and notify them of the problem. for some reason most of the attacks seem to be coming from the same netork range as my server.
0
CUTTHEMUSIC
Asked:
CUTTHEMUSIC
1 Solution
 
matt023Commented:
do an nslookup on the IP address.  once you get the hostname, you'll be able to determine the domain name of the host.  you can then go to a site like register.com and type in the domain name.  you should be able to get a contact information from it.
0
 
jhanceCommented:
I wouldn't fool with this.  

The people who are now running servers that are still being infected with CodeRed don't have a clue and even if you were able to contact them, they would not be able to understand what to do.  

So unless you are prepared to walk them through a fix, just ignore it or put a block on their IP if it's overloading your server.
0
 
HDWILKINSCommented:
goto www.zonealarm.com and download a personal firewall onto that server this minute.

Look at your security logs and see who is trying to log on to what - and which ones are being unsuccessful.

I'd change every password on the server for every user.

My experience is based on an over the network attack by SirCam virus which started out similarly to what you are seeing.

0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
jhanceCommented:
>>My experience is based on an over the network attack by >>SirCam virus which started out similarly to
>>what you are seeing.

The CODE RED is unrelated to the SirCam virus.  Both their propagation methods and their hosts computers are different.

CODE RED propagates itself directly form system-to-system and it targets NT and 2000 IIS installations only.  It makes attempts on ANY web server but only IIS is able to be infected.  But it's clear that CUTTHEMUSIC has already applied the CODE RED patch from MS so it's not a problem other than just the network "noise" being generated by infested systems "trolling" for more victims.

ZoneAlarm will NOT help here nor is it needed. I'm assuming, of course, that the intent is to run IIS as a server on this machine.
0
 
CUTTHEMUSICAuthor Commented:
how do I do a nsLookup
0
 
matt023Commented:
you said you have the ip address of the host, correct?  just do:  nslookup <ip_address>
you'll get the name back - ie:  www.domain.com.  now you know the domain name.  go to www.register.com and look up the contact for the domain.

of course if the host doesn't have its PTR record registered, you won't be able to find out anything.  however, since it's most likely an IIS server, PTR record is probably registered.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now