Jim, it looked like you (and some others here) called it exactly right. I, and my CE, owe you a big debt of gratitude.

By my calculations, Drakino gets the credit for being the first to suggest Code Red might be the culprit.

I'm responsible for exactly one public-facing web server here, and this discussion made me double-check it. Thankfully, I had patched the server almost immediately after the ISAPI buffer overflow exploit was discovered, so the server was never hit with anything.

Although it's funny because my BlackICE logs show dozens of Code Red attempts against the server every day.

When I first set up the web server, I did something fairly paranoid. I physically isolated it from our local LAN. We dial out to the internet on a firewalled line that's a totally different line than this server.

In order to update files on the server, we have to use FTP. It doesn't even run the FrontPage extensions (because those have vulnerabilities as well). This is a hassle, because it means that I have to physically walk up to the server to inspect or make any modifications to it.

At first, I thought I might be being too paranoid. Now I'm glad. Even if the server is 100 percent compromised, there is no way for a hacker to use it to compromise any other part of the network.

___________
Tony Fabris