Quickly written Perl script to check your IIS Server logs for Code Red activity. It'll return how many are from Code Red I, Code Red II and how many scans using the eEye security vulnerability scanner, as well as the number of unique IPs that scanned you, including a full listing.
```perl
#!D:\Perl\Bin\Perl.exe
# Script to check IIS Logs for Code Red Default.ida requests
use strict;
use warnings;

# Defined Variables
# Location of IIS Logs
my $loglocation = '\\\\IISServer\\Admin$\\System32\\LogFiles\\w3svc1\\';

# Number of the char where the IP starts.
# Example:
#   12:55:39 200.168.146.167 GET /default.ida 500
#   0123456789
# The starting char is 9 :)
my $ipstartnumber = 9;

# Counters start at 0 so the report prints numbers even when nothing matches
my ($coderedcount, $coderedone, $coderedtwo, $coderedeeye) = (0, 0, 0, 0);
my @IPs;

opendir(my $iislog, $loglocation) or die "Unable to read IIS Logs $!\n";
my @loglisting = readdir $iislog;
closedir $iislog;

foreach my $name (@loglisting) {
    my $UNCPathName = $loglocation . $name;
    next unless -f $UNCPathName;    # skip '.', '..' and subdirectories
    my $logfile;
    unless (open($logfile, '<', $UNCPathName)) {
        warn "Unable to open $UNCPathName: $!\n";
        next;
    }
    # Read line by line instead of loading the whole log into memory
    while (my $line = <$logfile>) {
        $coderedtwo++  if $line =~ /XXXXXXXXXXXXX/;
        $coderedone++  if $line =~ /NNNNNNNNNNNNN/;
        $coderedeeye++ if $line =~ /AAAAAAAAAAAA/;
        if ($line =~ /default\.ida/i) {
            $coderedcount++;
            next unless length($line) > $ipstartnumber;
            # Match the dotted-quad client IP at $ipstartnumber; a fixed
            # 14-char slice truncates 15-char addresses such as 200.168.146.167
            if (substr($line, $ipstartnumber) =~ /^(\d{1,3}(?:\.\d{1,3}){3})/) {
                push(@IPs, $1);
            }
        }
    }
    close($logfile);
}

# Sort and drop duplicates; the count is taken from the de-duplicated list
# so the first address is included in the total
my %seen;
my @UniqueIPs = grep { !$seen{$_}++ } sort @IPs;
my $ipcount   = scalar @UniqueIPs;

print "Total Code Red Queries: $coderedcount\n";
print "Total Code Red I Queries: $coderedone\n";
print "Total Code Red II Queries: $coderedtwo\n";
print "Total Code Red Eeye Checks: $coderedeeye\n";
print "Total Unique IPs: $ipcount\n";
print "$_\n" foreach @UniqueIPs;
```

In reply to Check IIS Logs for Code Red by SgtClueLs