Date: Mon, 20 Aug 2001 21:28:17 +1000
From: Edwin Groothuis
To: Jason Halbert
Cc: questions@freebsd.org
Subject: Re: Code Red
Message-ID: <20010820212817.C459@k7.mavetju.org>

On Mon, Aug 20, 2001 at 11:18:09AM -0000, Jason Halbert wrote:
> Hello Everyone:
>
> I just want to clear something up. Something that's bothering me that
> is.. The Code Red Worm is strictly an NT IIS thing, right? The

It's only an IIS thing. (due to some reason I keep on calling it
an ISS thing, maybe I'm too much a space-geek :-)

> screen, Apache just sends a 404. I have been told also that even
> Apache servers running under Windows would be unaffected.

It's only an IIS thing, Apache under whatever OS is not vulnerable
to it.

> Also, another note of interest.. These Code Red requests seem to be
> coming from other boxes in my domain (*.dsl.att.net) and nowhere
> else. Anyone like to venture a guess as to why?

That's because of the way it's designed (well, at least Code Red 2).
They thought that it would be handier to find some friends nearby
than to look at random places :-)

See http://www.incidents.org/react/code_redII.php for the Code Red 2
FAQ of the SANS Institute, it tells you exactly how it works.

Edwin

-- 
Edwin Groothuis   | Personal website: http://www.MavEtJu.org
edwin@mavetju.org | Interested in MUDs? Visit Fatal Dimensions:
------------------+ http://www.FatalDimensions.org/
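
An added example, not part of the original thread: a small Python check an Apache admin could run over an access log to see the "nearby friends" pattern described above, by counting Code Red probes per variant and by how close each source address is to the server. Assumptions: common log format with numeric client addresses, the widely documented /default.ida probe with 'N' padding (original worm) or 'X' padding (Code Red II), and constructed sample addresses and log lines.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Probe signature: GET /default.ida? followed by a long run of one padding
# character. 'N' is the original Code Red, 'X' is Code Red II.
PROBE = re.compile(r'^(\S+) .*?"GET /default\.ida\?([NX])\2{20,}')

def classify(log_lines, server_ip):
    """Count Code Red probes by variant and by distance of the source."""
    mine = IPv4Address(server_ip).packed
    variants, locality = Counter(), Counter()
    for line in log_lines:
        m = PROBE.match(line)
        if not m:
            continue  # ordinary request
        try:
            src = IPv4Address(m.group(1)).packed
        except ValueError:
            continue  # hostname instead of address, or malformed field
        variants["Code Red II" if m.group(2) == "X" else "Code Red"] += 1
        if src[:2] == mine[:2]:
            locality["same /16"] += 1
        elif src[:1] == mine[:1]:
            locality["same /8"] += 1
        else:
            locality["elsewhere"] += 1
    return variants, locality

def _line(ip, pad):
    # Constructed log line; the padding stands in for the worm's request.
    return (f'{ip} - - [20/Aug/2001:11:02:13 +0000] '
            f'"GET /default.ida?{pad * 60}=a HTTP/1.0" 404 205')

SERVER = "10.20.1.1"  # constructed address of the Apache box
SAMPLE = [
    _line("10.20.3.4", "X"),
    _line("10.20.77.9", "X"),
    _line("10.99.1.2", "X"),
    _line("192.0.2.55", "X"),
    _line("198.51.100.7", "N"),
    '10.20.5.5 - - [20/Aug/2001:11:03:00 +0000] "GET /index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for counter in classify(SAMPLE, SERVER):
        print(dict(counter))
```

A log dominated by 'X'-padded probes from the server's own /8 and /16 matches the neighbour-first scanning the reply attributes to Code Red 2.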