How to spot Code Red attacks.


Kingslayer
08-07-01, 10:30 PM
I sent my IIS logs to Microsoft to troubleshoot a problem. They found entries in the logs from Code Red scans and attacks aimed at flooding the memory buffers in the servers and gaining entrance.

Open your IIS logs. They should be located in root/winnt/logfiles...Open them up and do a find for cmd.exe. Now, before you get excited, some of these may be legit. Crystal Reports uses this command also. But if you see them, look for "ida" without the quotes of course. Look for ida entries followed by a lengthy string of X's, A's or N's. This is the memory buffer attack.

Now here is the bad part. Do a search on the word worm. If you find any that aren't related to normal websites, you have been accessed and infected.

Here is the really bad part. Microsoft told us that they, and the CERT teams, recommend formatting and reloading the server if this is found.

We took over 2000 hits on 3 servers in a 7 day period. We didn't even know that they were happening. Luckily, they didn't gain access. Must be they didn't have the patience to flood a Gig of memory.......

If the cmd.exe and the ida strings end in a negative error, 200, 401, 404, 403 they were denied entry.
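
The log checks described in the post above, as an added example (not something posted in the thread): it parses IIS W3C extended log text using the #Fields directive, flags .ida requests whose query string carries a long run of N, X or A characters, flags any cmd.exe reference (which the post notes may be legitimate, e.g. Crystal Reports), searches for "worm", and records the client IP and sc-status of every hit so you can review them. The log lines are constructed samples, and the run length of 64 characters is an assumed threshold, not a figure from the post.

```python
"""Scan IIS W3C extended log text for the Code Red indicators named in the post:
.ida requests padded with long runs of N/X/A, references to cmd.exe, and the
word 'worm'.  Added example; SAMPLE_LOG is constructed, not a real server log."""
import re
from collections import defaultdict

# Assumed threshold: a genuine .ida overflow request is hundreds of characters
# long, so a run of 64 or more pad characters is treated as suspicious.
LONG_RUN = re.compile(r"[NXA]{64,}")

# Constructed sample in IIS 5 W3C extended format.  The #Fields directive gives
# the column order, exactly as IIS writes it at the top of each log file.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2001-08-04 03:12:55",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-04 03:12:55 10.0.0.7 GET /default.ida " + "N" * 224 + " 200",
    "2001-08-04 03:14:02 10.0.0.9 GET /scripts/cmd.exe - 404",
    "2001-08-04 03:15:10 10.0.0.7 GET /default.ida " + "X" * 224 + " 401",
    "2001-08-04 03:16:00 10.0.0.12 GET /crystal/cmd.exe - 200",   # possibly legitimate
    "2001-08-04 03:17:30 10.0.0.12 GET /index.htm - 200",
    "2001-08-04 03:18:00 10.0.0.15 GET /default.ida - 200",       # short .ida, not flagged
])


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):          # other directives: #Software, #Version, #Date
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):    # skip truncated lines instead of misaligning columns
            continue
        entries.append(dict(zip(fields, values)))
    return entries


def classify(entry):
    """Return the set of indicator names that fire on one parsed entry."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "")
    hits = set()
    if stem.endswith(".ida") and LONG_RUN.search(query):
        hits.add("ida-overflow")          # the memory buffer attack the post describes
    if "cmd.exe" in stem:
        hits.add("cmd.exe")               # verify by hand: may be a legitimate product call
    if "worm" in (stem + query).lower():
        hits.add("worm")
    return hits


def scan(text):
    """Return {indicator: [(c-ip, sc-status), ...]} for every flagged entry,
    in log order, so each hit can be reviewed with its HTTP status."""
    report = defaultdict(list)
    for entry in parse_iis_w3c(text):
        for name in classify(entry):
            report[name].append((entry["c-ip"], entry["sc-status"]))
    return dict(report)


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_LOG).items():
        print(name)
        for ip, status in hits:
            print("   ", ip, "status", status)
```

Run it against a real log by replacing SAMPLE_LOG with the contents of a file from the logfiles directory; the status code is reported with each hit rather than interpreted, so you can check it against the post's own reading of the codes.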

Pinky
08-07-01, 11:11 PM
Thanks for the info.

Checked my logs, all seems right. I'm clean as usual ;)

Nice pic BTW.

klosters64a
08-07-01, 11:12 PM
Thanks, Kingslayer. This is valuable information.

alan
08-07-01, 11:26 PM
I have the cmd.exe file but how do I open it without clicking on it.... for some reason, right clicking it doesn't give me the option of "open with..."

I have win2k Pro... but i read from Microsoft that you have to be running server ...Pro, by itself, isn't affected.

Pinky
08-07-01, 11:28 PM
Originally posted by alan
I have the cmd.exe file but how do I open it without clicking on it.... for some reason, right clicking it doesn't give me the option of "open with..."

I have win2k Pro... but i read from Microsoft that you have to be running server ...Pro, by itself, isn't affected.

Only if you find the cmd.exe in the log file.. cmd is the command prompt executable file (DOS prompt) in windows 2000 pro... I think that's what you were saying...

Good to know only the server software is being attacked... I am also using Pro as my server (too lazy to install w2k server).

alan
08-07-01, 11:38 PM
Originally posted by Pinky
Only if you find the cmd.exe in the log file.. cmd is the command prompt executable file (DOS prompt) in windows 2000 pro... I think that's what you were saying...

Good to know only the server software is being attacked... I am also using Pro as my server (too lazy to install w2k server).

Please re-check my info with Microsoft... I am pretty sure that is what I read... but I don't want to post anything that may not be absolute. If you find out differently..please post it so I am corrected.

thanks

Kingslayer
08-08-01, 12:01 PM
And the neat thing is that Code Red doesn't affect Chinese versions of 2000.

Hmm.....I wonder why?

h2k
08-08-01, 12:38 PM
Originally posted by Kingslayer
And the neat thing is that Code Red doesn't affect Chinese versions of 2000.

Hmm.....I wonder why?

LOL!

Newbie_Doo
08-08-01, 09:14 PM
Moved to Software and Operating Systems.