Solved

CODE RED

Posted on 2001-08-31
Last Modified: 2010-04-13
My server seems to be getting a lot of requests for something like /default.ida xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
My logs indicate the IP address(es). How can I find out the owner of the IP so I can contact them and notify them of the problem? For some reason most of the attacks seem to be coming from the same network range as my server.
Question by:CUTTHEMUSIC
6 Comments
 
LVL 5

Accepted Solution

by:
matt023 earned 15 total points
ID: 6447022
Do an nslookup on the IP address.  Once you get the hostname, you'll be able to determine the domain name of the host.  You can then go to a site like register.com and type in the domain name.  You should be able to get contact information from it.
 
LVL 32

Expert Comment

by:jhance
ID: 6447413
I wouldn't fool with this.  

The people who are now running servers that are still being infected with CodeRed don't have a clue and even if you were able to contact them, they would not be able to understand what to do.  

So unless you are prepared to walk them through a fix, just ignore it or put a block on their IP if it's overloading your server.
 
LVL 10

Expert Comment

by:HDWILKINS
ID: 6448032
Go to www.zonealarm.com and download a personal firewall onto that server this minute.

Look at your security logs and see who is trying to log on to what - and which ones are being unsuccessful.

I'd change every password on the server for every user.

My experience is based on an over the network attack by SirCam virus which started out similarly to what you are seeing.


 
LVL 32

Expert Comment

by:jhance
ID: 6448713
>>My experience is based on an over the network attack by SirCam virus which started out similarly to what you are seeing.

The CODE RED is unrelated to the SirCam virus.  Both their propagation methods and their host computers are different.

CODE RED propagates itself directly from system to system and it targets NT and 2000 IIS installations only.  It makes attempts on ANY web server but only IIS is able to be infected.  But it's clear that CUTTHEMUSIC has already applied the CODE RED patch from MS so it's not a problem other than just the network "noise" being generated by infested systems "trolling" for more victims.

ZoneAlarm will NOT help here nor is it needed. I'm assuming, of course, that the intent is to run IIS as a server on this machine.
 
LVL 2

Author Comment

by:CUTTHEMUSIC
ID: 6453626
How do I do an nslookup?
 
LVL 5

Expert Comment

by:matt023
ID: 6455037
You said you have the IP address of the host, correct?  Just do:  nslookup <ip_address>
You'll get the name back - i.e.:  www.domain.com.  Now you know the domain name.  Go to www.register.com and look up the contact for the domain.

Of course, if the host doesn't have its PTR record registered, you won't be able to find out anything.  However, since it's most likely an IIS server, the PTR record is probably registered.
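As an added example (not part of the original thread), the sketch below pulls the sources of /default.ida requests out of a web log, marks which ones sit in the same network range as the server, and builds the PTR name that the `nslookup <ip_address>` step queries. The log lines, IP addresses, field layout and the /24 range are constructed for illustration.

```python
import ipaddress
import socket
from collections import Counter

# Constructed sample in IIS W3C extended log format (documentation-range IPs).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query
2001-08-31 02:11:09 192.0.2.77 GET /default.ida XXXXXXXXXXXXXXXX
2001-08-31 02:11:40 198.51.100.23 GET /default.ida XXXXXXXXXXXXXXXX
2001-08-31 02:12:02 192.0.2.77 GET /default.ida XXXXXXXXXXXXXXXX
2001-08-31 02:12:15 203.0.113.5 GET /index.htm -
2001-08-31 02:13:31 192.0.2.140 GET /Default.IDA XXXXXXXXXXXXXXXX
""".splitlines()

def default_ida_sources(lines):
    """Count /default.ida requests per client IP, honouring the #Fields header."""
    fields, hits = [], Counter()
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # IIS matches paths case-insensitively, so compare in lower case.
        if "c-ip" in row and row.get("cs-uri-stem", "").lower() == "/default.ida":
            hits[row["c-ip"]] += 1
    return hits

def ptr_name(ip):
    """The in-addr.arpa name that a reverse nslookup queries for a PTR record."""
    return ipaddress.ip_address(ip).reverse_pointer

def lookup_host(ip):
    """Reverse-resolve ip; returns None when no PTR record is registered."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def report(lines, server_ip, prefix=24):
    """Rows of (ip, hits, in_server_range, ptr_name), busiest source first."""
    net = ipaddress.ip_network(f"{server_ip}/{prefix}", strict=False)
    return [(ip, n, ipaddress.ip_address(ip) in net, ptr_name(ip))
            for ip, n in default_ida_sources(lines).most_common()]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG, "192.0.2.10"):  # server address is assumed
        print(*row, lookup_host(row[0]))  # needs DNS; None when no PTR exists
```
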
