RE: Code Red hits

From: Dave Salovesh (saloveshat_private)
Date: Wed Aug 01 2001 - 15:24:52 PDT


    A server should return 200 if ida.dll is mapped to handle *.ida and ida.dll
    is found as expected - patched or not.
    
    A server will return another code in other circumstances - 400 is "Bad
    Request" so I'd assume something else went wrong with the attempt.  404 is
    "Not Found" (of course) and appears if the *.ida is unmapped or not found.
    
    A server in my block got infected last time (a colo I didn't build, and I
    fixed it within an hour of initial infection, so I plead
    innocent/ignorant/virtuous).  All logged attacks there returned 200 until
    the server was patched.  The colo client has no use for Index Server, so
    after the patch I also unmapped its extensions and deleted ida.dll.  Now I
    get 404s for -most- of the attempts.
    
    In 200 attempts today across 25 IP addresses (grepping all IIS logs for
    "Default.ida") they've all returned 404 -except- 3 attacks where they
    returned 400.  The same servers also returned proper 404's for other failed
    attempts, so I'm betting the 400s are actual bad requests.  It happens...
    
    -- 
    Dave Salovesh
    RAM Associates, Inc.
    (800) 543-3635
    
    
    
    > -----Original Message-----
    > From: Michael Tavares [mailto:miketavaresat_private]
    > Sent: Wednesday, August 01, 2001 4:30 PM
    > To: incidentsat_private
    > Subject: Re: Code Red hits
    > 
    > 
    > This brings up an interesting point.  I was scanning the logs on one of my
    > servers and came across several attempts; every other attempt is 200,
    > while the rest are 400's.  Below is 1 of each.  The box is patched (and has
    > been since MS released the patch).  I have confirmed the patch with the Code
    > Red Scanner posted by eeye.  Anyone care to explain why this is?
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
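The tally Dave describes (grep the IIS logs for "Default.ida", then count the hits by status code and by source IP and read the status codes the way his message explains them) as an added example; this is not code from the thread or from any poster. It parses the W3C extended log format that IIS 5.0 writes, matching the URI stem case-insensitively so both "default.ida" and "Default.ida" are caught. The log lines are constructed for the example (RFC 5737 test addresses, the Code Red query string shortened), not real log data.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS 5.0 W3C extended log format (not real log data).
# The "#Fields:" directive names the columns.  Code Red's probe is a GET for
# /default.ida with a long query string of N's followed by %u-encoded
# shellcode; the query is shortened here.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-01 13:02:11 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 200
2001-08-01 13:05:47 192.0.2.10 GET /Default.ida NNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 404
2001-08-01 13:09:03 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 400
2001-08-01 13:10:30 198.51.100.7 GET /index.html - 200
2001-08-01 13:12:55 203.0.113.42 GET /default.ida NNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 404
"""

# Reading of each status code for a default.ida probe, as laid out in the post above.
STATUS_MEANING = {
    200: "ida.dll mapped and present: ISAPI handled the request (patched or not)",
    404: ".ida mapping removed or ida.dll missing: request never reached the DLL",
    400: "bad request: malformed probe, says nothing about the .ida mapping",
}


def parse_w3c(text):
    """Yield one dict per record, using the latest #Fields: directive as column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("record before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def ida_hits(text):
    """Return the records whose URI stem is /default.ida in any case, status as int."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() == "/default.ida":
            rec["sc-status"] = int(rec["sc-status"])
            hits.append(rec)
    return hits


def summarize(text):
    """Count default.ida probes by status code overall and per source IP."""
    hits = ida_hits(text)
    by_status = Counter(h["sc-status"] for h in hits)
    by_ip = defaultdict(Counter)
    for h in hits:
        by_ip[h["c-ip"]][h["sc-status"]] += 1
    return {
        "total": len(hits),
        "by_status": dict(by_status),
        "by_ip": {ip: dict(c) for ip, c in by_ip.items()},
    }


def explain(status):
    """Plain-language reading of a status code on a default.ida probe."""
    return STATUS_MEANING.get(status, "other: check the IIS status code documentation")


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} default.ida probes from {len(s['by_ip'])} source IPs")
    for status, n in sorted(s["by_status"].items()):
        print(f"  {status}: {n:3d}  {explain(status)}")
    for ip, counts in sorted(s["by_ip"].items()):
        print(f"  {ip}: {dict(sorted(counts.items()))}")
```

A host whose probes keep coming back 200 after the mapping was removed is the one to look at first; a lone 400 from an address that otherwise gets proper 404s is, as Dave says, most likely just a malformed request.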
    



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 18:21:21 PDT