Date: Mon, 20 Aug 2001 06:28:58 -0500
From: "default - Subscriptions" <default013subscriptions@hotmail.com>
To: "Jason Halbert" <jason@jason-n3xt.org>, <freebsd-questions@freebsd.org>
Subject: Re: Code Red
Message-ID: <OE30Gh05YFRcmVFOh1v000012e1@hotmail.com>
References: <JKEKIFNEJJDCJPPDHPIFKEBACBAA.jason@jason-n3xt.org>
Jason,

Howdy ... Yeah I have the same thing goin on here... Here check this out:

http://www.eeye.com/html/Research/Advisories/AL20010717.html

This worm is one mean customer for Windows machines... Basically the way it works is it will scan the 16-bit (depending on what variation of the worm it is) I.P. range that you are in for open webserver ports. It then indiscriminately attempts to propagate itself using the IIS Indexing Server exploit described in the link above.

I currently am working on ways of reducing the impact of this on my personal server by modifications to my firewall... I heard of someone else on this list actually creating a default.ida file so that it would reduce the amount of data put into the web server logs... not a bad idea...

This is really an epidemic that is affecting anyone with a webserver right now... especially ones on commercial networks such as @home, Roadrunner ... for home users ... due to the large number of people who run Windows servers that are not very secure or up to date...

Good Luck!
Jordan

----- Original Message -----
From: "Jason Halbert" <jason@jason-n3xt.org>
To: <questions@freebsd.org>
Sent: Monday, August 20, 2001 6:18 AM
Subject: Code Red

> Hello Everyone:
>
> I just want to clear something up. Something that's bothering me, that
> is.. The Code Red Worm is strictly an NT IIS thing, right? The
> console of my web server is used for watching the access log file of
> my Apache web server. I am seeing quite a few of those requests for
> "default.ida" followed by the "X"s and then the code. I'm sure you
> are familiar with it. According to the log as it scrolls along on the
> screen, Apache just sends a 404. I have been told also that even
> Apache servers running under Windows would be unaffected.
>
> I know that it is not as easy to write a virus for UNIX because of the
> fundamentals of how UNIX works, but I would just like some
> clarification.
>
> Also, another note of interest.. These Code Red requests seem to be
> coming from other boxes in my domain (*.dsl.att.net) and nowhere
> else. Anyone like to venture a guess as to why?
>
> TIA
>
> ----
> Jason Halbert
> jason@jason-n3xt.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?OE30Gh05YFRcmVFOh1v000012e1>
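As an added example that is not part of the thread (not code from either poster): a Python script that runs over constructed Apache access-log lines, flags requests with the shape both posters describe (`default.ida` followed by a long run of one filler character and then `%u`-encoded data), counts how many probes come from the server's own /16 (the "16-bit range" Jordan mentions; `198.51.0.0/16` is an assumed stand-in for that network), confirms that the server answered each with the 404 Jason sees, and emits `ipfw` deny rules for the offending sources, which is the firewall-side mitigation Jordan says he is working on. The sample log lines, the RFC 5737 addresses in them and the abbreviated `%u` payload tail are all constructed; the ipfw rule numbering is an assumption.

```python
"""Spot Code Red style probes in an Apache access log and profile their sources.

Added example for the thread above; it is not code from the mailing list or
from any of the posters. The log lines are constructed, the %u-encoded tail of
the probe is abbreviated, and 198.51.0.0/16 is an assumed stand-in for the /16
the web server itself sits in.
"""
import ipaddress
import re
from collections import Counter

# Apache common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The shape the posters describe: GET /default.ida? followed by a long run of
# one filler character (the "X"s Jason sees; N in other variants) and then
# %u-encoded data. We require at least 32 copies of the same filler character
# and at least one %uXXXX token so that a plain GET /default.ida does not match.
PROBE_RE = re.compile(
    r'^GET /default\.ida\?(?P<fill>[NX])(?P=fill){31,}.*?%u[0-9a-fA-F]{4}'
)

# Abbreviated, constructed stand-in for the encoded payload after the filler.
PAYLOAD_TAIL = "%u9090%u6858%ucbd3%u7801%u00=a"


def _probe_request(fill_char: str) -> str:
    """Build a constructed probe request line with a 40-character filler run."""
    return f"GET /default.ida?{fill_char * 40}{PAYLOAD_TAIL} HTTP/1.0"


# Constructed sample log (RFC 5737 documentation addresses). Apache answers
# 404 because /default.ida does not exist on the server, as in the thread.
SAMPLE_LOG = "\n".join([
    f'198.51.100.17 - - [20/Aug/2001:06:02:11 -0500] "{_probe_request("X")}" 404 274',
    f'198.51.100.201 - - [20/Aug/2001:06:02:40 -0500] "{_probe_request("X")}" 404 274',
    f'198.51.100.17 - - [20/Aug/2001:06:05:03 -0500] "{_probe_request("X")}" 404 274',
    f'203.0.113.5 - - [20/Aug/2001:06:07:19 -0500] "{_probe_request("N")}" 404 274',
    '192.0.2.8 - - [20/Aug/2001:06:08:00 -0500] "GET /index.html HTTP/1.1" 200 1532',
    '198.51.100.9 - - [20/Aug/2001:06:09:12 -0500] "GET /default.ida HTTP/1.0" 404 274',
])


def parse_line(line: str):
    """Return the fields of one common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_code_red_probe(request: str) -> bool:
    """True when the request line has the default.ida filler + %u payload shape."""
    return PROBE_RE.match(request) is not None


def analyze(log_text: str, local_net: str) -> dict:
    """Count probes per source, how many came from inside local_net, and the
    status codes the server returned for them."""
    net = ipaddress.ip_network(local_net)
    per_source = Counter()
    statuses = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_code_red_probe(rec["request"]):
            continue
        per_source[rec["ip"]] += 1
        statuses[rec["status"]] += 1
    from_local = sum(n for ip, n in per_source.items()
                     if ipaddress.ip_address(ip) in net)
    return {
        "total": sum(per_source.values()),
        "per_source": dict(per_source),
        "from_local_net": from_local,
        "statuses": dict(statuses),
    }


def ipfw_deny_rules(sources, port: int = 80, first_rule: int = 1000) -> list:
    """ipfw(8) rules dropping TCP traffic to `port` from each source.
    Rule numbers starting at first_rule are an assumption for illustration."""
    rules = []
    for n, ip in enumerate(sorted(sources, key=ipaddress.ip_address), start=first_rule):
        rules.append(f"ipfw add {n} deny tcp from {ip} to any {port}")
    return rules


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, "198.51.0.0/16")
    print(result)
    for rule in ipfw_deny_rules(result["per_source"]):
        print(rule)
```

On the constructed sample, three of the four probes come from inside the assumed /16, which is the pattern Jason reports (neighbours on the same provider, nowhere else); the bare `GET /default.ida` without filler and payload is deliberately left unmatched so that a curious human or a scanner touching the path does not end up in the block list. Blocking source addresses only stops the log noise from those hosts; the request itself is harmless to Apache, which just returns 404.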