[unisog] Ida /code red worm variation

Jean-Francois Duguay Jean-Francois.Duguay at sit.ulaval.ca
Fri Jul 20 17:42:48 GMT 2001

We had exactly the same behavior on many IIS here. This behavior started at
about the same time for many servers that are not related to each other in
any way. I've been monitoring one server for the past few hours but didn't
find any trace of /default.ida

I applied the patch to four servers and have had no IIS stops since then. It
looks good so far.


J.-F. Duguay
Computer Science Analyst
Laval University, S.I.T.
Ste-Foy, Qc
Canada, G1K 7P4

Tel: (418) 656-2131 ext. 8848
E-mail: Jean-Francois.Duguay at sit.ulaval.ca

-----Original Message-----
From: Jay D. Flanagan [mailto:jflanag at emory.edu]
Sent: 20 July, 2001 10:57 AM
To: unisog at sans.org
Subject: [unisog] Ida /code red worm variation

As others have, several of our IIS servers have been hit with what we think
is a variation of the ida /code red worm.

Some of the characteristics we are seeing are our web servers stopping and
starting multiple times and no physical traces were found.

Some differences between the attack on our web servers and the code red worm
include that our web servers were brought down and the default web page was
not defaced.

Has anyone seen similar situations with their web servers and if so, what
actions did you take to correct the problem? We have installed the Microsoft
patch, but it seems to not have stopped any of our problems.

Thanks in advance for any help you can give us!

Jay D. Flanagan
Security Administrator
Emory University
Email: jflanag at emory.edu
Phone: 404-727-4962
Fax: 404-727-0817
