[40717] in North American Network Operators' Group


RE: Code Red 2 Erratication

daemon@ATHENA.MIT.EDU (Fearghas McKay)
Sun Aug 19 06:57:48 2001

Mime-Version: 1.0
Message-Id: <p05100310b7a54a3b9e97@[212.20.247.51]>
In-Reply-To: <E9BBE0941932D511934C0002A52CDB4E2D0834@sj-exchange.wyse.com>
Date: Sun, 19 Aug 2001 11:56:57 +0100
To: Joe Blanchard <jblanchard@wyse.com>
From: Fearghas McKay <fm@st-kilda.org>
Cc: "'nanog@merit.edu'" <nanog@merit.edu>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Errors-To: owner-nanog-outgoing@merit.edu


At 2:49 am -0700 19/8/01, Joe Blanchard wrote:
>Who was/is talking about a DOS??? I wasn't. You're implying that my fix
>(which doesn't work and I've gotten many responses about having
>"tried that") causes a DOS. Um, please re-evaluate the data I have
>shared. There is NOTHING I have offered that is not already known.
>You come to my website, ask for a file (default.ida) and I send it
>to you. Where's the DOS in that?
>
>Legal or not, Um, next case...

There is an Apache module for dealing with CodeRed in a civilised way:

from ApacheWeek:

                    Continuing requests for /default.ida

      We continue to get a large number of messages from system
      administrators who see requests for /default.ida in their Apache
      access logs. The requests look similar to this:
192.168.2.12 - - [19/Jul/2001:16:55:47 +0100] "GET /default.ida?NNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
   HTTP/1.0" 400 252 -

      If you are running Apache there is nothing to worry about, these
      requests are part of the [5]Code Red Worm designed to search out
      vulnerable IIS servers running on Windows. You can quite happily
      ignore these requests, or [6]get them back

  6. http://www.apacheweek.com/issues/01-08-17#featured
  9. http://www.onlamp.com/pub/a/apache/2001/08/16/code_red.html

Featured articles

In this section we highlight some of the articles on the web that are
of interest to Apache users.
Fancy a role in Episode 2, Attack of the Code Red 2 Worm? No, this is 
not a new B-grade movie but how you can be a good internet citizen 
and let people know that their server has been infected by the Worm. 
One way is by using Apache::CodeRed written by Reuven M. Lerner. In 
this article, he explains how the module intercepts requests for 
/default.ida, determines the host name of the HTTP client, sends only 
one warning e-mail message in a 24-hour period to SecurityFocus and 
the administrator of that client, and keeps a list of IP addresses to 
be ignored.

--

Regards

	f
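The Apache::CodeRed policy summarised above (intercept /default.ida requests, warn about a client at most once per 24 hours, honour an ignore list) can be illustrated with the following added example, which is a Python re-implementation run over constructed Apache access-log lines, not the module's own Perl code. The client hostname lookup the article mentions is left out so the example runs offline; the log lines, IP addresses and the CodeRedNotifier class are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Request-line portion of an Apache common-log entry, e.g.
# 192.168.2.12 - - [19/Jul/2001:16:55:47 +0100] "GET /default.ida?NNN... HTTP/1.0" 400 252 -
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(hours=24)   # one warning per client per 24 hours


class CodeRedNotifier:
    """Assumed re-implementation of the Apache::CodeRed notification policy."""

    def __init__(self, ignore_ips=()):
        self.ignore = set(ignore_ips)   # clients never to warn about
        self.last_warned = {}           # ip -> time of the last warning sent

    def handle(self, line):
        """Return the warning text that would be e-mailed for this log line, or None."""
        m = LOG_RE.match(line)
        if not m:
            return None                 # not a parseable access-log line
        path = m.group("path").split("?", 1)[0]
        if path != "/default.ida":
            return None                 # ordinary request, not a Code Red probe
        ip = m.group("ip")
        if ip in self.ignore:
            return None                 # on the ignore list
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        last = self.last_warned.get(ip)
        if last is not None and ts - last < WINDOW:
            return None                 # already warned this client within 24 hours
        self.last_warned[ip] = ts
        return f"Code Red probe from {ip} at {ts.isoformat()}"


# Constructed sample log: three probes from one host (two inside one 24-hour
# window, one outside), a normal request, and a probe from an ignored host.
SAMPLE_LOG = [
    '192.168.2.12 - - [19/Jul/2001:16:55:47 +0100] "GET /default.ida?NNNN HTTP/1.0" 400 252 -',
    '192.168.2.12 - - [19/Jul/2001:18:01:02 +0100] "GET /default.ida?NNNN HTTP/1.0" 400 252 -',
    '192.168.2.12 - - [20/Jul/2001:17:30:00 +0100] "GET /default.ida?NNNN HTTP/1.0" 400 252 -',
    '10.0.0.7 - - [19/Jul/2001:17:00:00 +0100] "GET /index.html HTTP/1.0" 200 1043 -',
    '10.0.0.9 - - [19/Jul/2001:17:05:00 +0100] "GET /default.ida?NNNN HTTP/1.0" 400 252 -',
]


def run(lines, ignore_ips=("10.0.0.9",)):
    """Feed log lines through the notifier and collect the warnings it would send."""
    notifier = CodeRedNotifier(ignore_ips)
    return [w for w in (notifier.handle(l) for l in lines) if w]
```

Running `run(SAMPLE_LOG)` yields two warnings for 192.168.2.12 (the second probe is suppressed by the 24-hour window), nothing for the normal request, and nothing for the ignored host.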
