Code Red v.2

pm

I've started seeing what I was calling "Code Red TNG" (the next generation), but what Slashdot is calling "Code Red v2.0" showing up on my scanners tonight.

It looks like this:


<< [03/Aug/2001:18:32:37 -0800] &quot;GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a%20 HTTP/1.0&quot; 404 -1 &quot;&quot; &quot;&quot; >>



I've tracked about a dozen of these starting at 6pm (MST) this evening. Note the "X"'s instead of the "N"'s used by "Code Red v1.0". I'm patched, and running a different webserver anyway (no IIS for me, thank you very much), so I don't worry much, but it's a bit disconcerting to actually watch a virus/worm probing my shields. I sit there and think "Hah! You can't touch me" but in the back of my mind I wonder "You can't, can you?".
 
My Apache logs have both the "N" and "X" forms. Most started in earnest ~9am EDT yesterday morning (8/4) and have been going crazy all this morning.

Code Red! Blech.

Apache rules! 😛

😉
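A way to tally the two request forms described in the posts above from a web server access log. This is an added example, not part of the original thread; the sample lines, the documentation-range addresses, the padding length and the 50-character threshold are constructed assumptions.

```python
import re
from collections import Counter

# /default.ida? followed by a long run of a single padding character (N or X).
# The 50-character minimum is an assumption chosen for this example.
PROBE = re.compile(r'"GET /default\.ida\?(N{50,}|X{50,})')
# Common Log Format prefix: client, ident, user, [timestamp]
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ')

def classify(line):
    """Return (client, timestamp, variant) for a probe line, else None."""
    probe = PROBE.search(line)
    if not probe:
        return None
    prefix = CLF.match(line)
    client, when = (prefix.group(1), prefix.group(2)) if prefix else ("?", "?")
    variant = "N-padded" if probe.group(1)[0] == "N" else "X-padded"
    return client, when, variant

def summarize(lines):
    """Count probes per padding variant and per (client, variant) pair."""
    by_variant, by_client = Counter(), Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            client, _, variant = hit
            by_variant[variant] += 1
            by_client[(client, variant)] += 1
    return by_variant, by_client

# Constructed sample log lines; the request tail is a shortened stand-in.
def _req(client, when, path):
    return f'{client} - - [{when}] "GET {path} HTTP/1.0" 404 205'

SAMPLE = [
    _req("192.0.2.10", "02/Aug/2001:09:01:12 -0400", "/default.ida?" + "N" * 200 + "%u9090=a"),
    _req("198.51.100.7", "04/Aug/2001:09:03:40 -0400", "/default.ida?" + "X" * 200 + "%u9090=a"),
    _req("198.51.100.7", "04/Aug/2001:09:07:02 -0400", "/default.ida?" + "X" * 200 + "%u9090=a"),
    _req("203.0.113.5", "04/Aug/2001:09:08:15 -0400", "/index.html"),
    _req("203.0.113.5", "04/Aug/2001:09:08:20 -0400", "/default.ida?XXXX"),
]

if __name__ == "__main__":
    variants, clients = summarize(SAMPLE)
    for (client, variant), n in sorted(clients.items()):
        print(f"{client:15} {variant:9} {n}")
    print(dict(variants))
```

Lines without a leading client address, like the excerpt quoted in the first post, are still classified and reported with "?" as the client.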
 
Paulson, et al - here is a site talking about Code Red II (got pointed to Slashdot from another thread here, where they began reporting on it). This thing looks a bit nasty because it can go through NAT firewalls to IIS's running internally (via port-forwarding), and then will start scanning and infecting any "local" and/or "reserved address space" machines.

Sigh. When will M$ get the message?
 
It started with mine yesterday morning also. I have been probed about every 3-4 minutes continuously since. Non stop! My log is going wild.
 
Oh baby.... 🙁

You better take your machine off temporarily and check for it. There are at least 2 variants out in the wild now. These last 2 came out in the past 36 hours or so. 🙁

[EDIT: Check here for more info]
 
Paulson - I haven't been paying much attention to it until now, but go through this FAQ. It has links to all the places you need to go to fix your IIS. 🙂
 
I don't know if the patch was installed or not?

How do I tell if it would be running on my machine... all I need to know 😉

Thanks though
 
At this point, if you don't know if it is on there or not, it probably isn't. 😉 Just apply it. If it complains, then it should abort. 🙂
 