North American Network Operators Group


RE: Code Red 2 Erratication

  • From: Fearghas McKay
  • Date: Sun Aug 19 06:59:33 2001

At 2:49 am -0700 19/8/01, Joe Blanchard wrote:
Who was/is talking about a DOS??? I wasn't. You're implying that my fix (which doesn't work and I've gotten many responses about having "tried that") causes a DOS. Um, please re-evaluate the data I have shared. There is NOTHING I have offered that is not already known. You come to my website, ask for a file (default.ida) and I send it to you. Where's the DOS in that?

Legal or not, Um, next case...
There is an Apache module for dealing with CodeRed in a civilised way:

from ApacheWeek:

Continuing requests for /default.ida

We continue to get a large number of messages from system
administrators who see requests for /default.ida in their Apache
access logs. The requests look similar to this:

- - [19/Jul/2001:16:55:47 +0100] "GET /default.ida?NNNNNNN HTTP/1.0" 400 252 -

If you are running Apache there is nothing to worry about, these
requests are part of the Code Red Worm designed to search out
vulnerable IIS servers running on Windows. You can quite happily
ignore these requests, or get them back


Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

Fancy a role in Episode 2, Attack of the Code Red 2 Worm? No, this is not a new B-grade movie but how you can be a good internet citizen and let people know that their server has been infected by the Worm. One way is by using Apache::CodeRed written by Reuven M. Lerner. In this article, he explains how the module intercepts requests for /default.ida, determines the host name of the HTTP client, sends only one warning e-mail message in a 24-hour period to SecurityFocus and the administrator of that client, and keeps a list of IP addresses to be ignored.
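The selection logic described in the article summary above (match requests for /default.ida, warn each client at most once per 24 hours, skip an ignore list), as an added example that is not part of the original post and is not Apache::CodeRed's own code. It assumes Common Log Format access-log lines read offline rather than a mod_perl handler; the function name and the sample addresses (documentation ranges) are constructed, and it only returns who is due a warning without sending anything.

```python
import re
from datetime import datetime, timedelta

# Common Log Format: client identd user [timestamp] "METHOD target ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+)')
WINDOW = timedelta(hours=24)  # one warning per client per 24 hours


def codered_notifications(lines, ignore=frozenset()):
    """Return (client_ip, timestamp) pairs that are due a warning."""
    last_warned = {}  # client_ip -> time of the last warning issued
    due = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        ip, stamp, target = m.groups()
        path = target.split("?", 1)[0]  # drop the NNNN... query string
        if path.lower() != "/default.ida" or ip in ignore:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        prev = last_warned.get(ip)
        if prev is None or when - prev >= WINDOW:
            last_warned[ip] = when
            due.append((ip, when))
    return due


# Constructed sample log lines (chronological), not taken from the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:16:55:47 +0100] "GET /default.ida?NNNNNNN HTTP/1.0" 400 252',
    '192.0.2.10 - - [19/Jul/2001:17:10:02 +0100] "GET /default.ida?NNNNNNN HTTP/1.0" 400 252',
    '198.51.100.7 - - [19/Jul/2001:18:00:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [19/Jul/2001:19:30:00 +0100] "GET /default.ida?NNNNNNN HTTP/1.0" 400 252',
    '198.51.100.7 - - [20/Jul/2001:09:00:00 +0100] "GET /default.ida?NNNNNNN HTTP/1.0" 400 252',
    '192.0.2.10 - - [20/Jul/2001:17:00:00 +0100] "GET /default.ida?NNNNNNN HTTP/1.0" 400 252',
]

if __name__ == "__main__":
    for ip, when in codered_notifications(SAMPLE_LOG, ignore={"203.0.113.5"}):
        print(f"{when.isoformat()}  warn administrator of {ip}")
```
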