From: "default - Subscriptions"
To: "Jason Halbert"
Subject: Re: Code Red
Date: Mon, 20 Aug 2001 06:28:58 -0500
List: freebsd-questions@FreeBSD.ORG

Jason,

Howdy ... Yeah, I have the same thing going on here... Here, check this out:

http://www.eeye.com/html/Research/Advisories/AL20010717.html

This worm is one mean customer for Windows machines... Basically, the way it works is it will scan the 16-bit (depending on what variation of the worm it is) I.P. range that you are in for open webserver ports. It then indiscriminately attempts to propagate itself using the IIS Indexing Server exploit described in the link above.

I am currently working on ways of reducing the impact of this on my personal server by modifications to my firewall... I heard of someone else on this list actually creating a default.ida file so that it would reduce the amount of data put into the web server logs... not a bad idea...

This is really an epidemic that is affecting anyone with a webserver right now... especially ones on commercial networks such as @home and Roadrunner ... for home users ... due to the large number of people who run Windows servers that are not very secure or up to date...

Good Luck!
Jordan

----- Original Message -----
From: "Jason Halbert"
Sent: Monday, August 20, 2001 6:18 AM
Subject: Code Red

> Hello Everyone:
>
> I just want to clear something up. Something that's bothering me, that
> is.. The Code Red Worm is strictly an NT IIS thing, right? The
> console of my web server is used for watching the access log file of
> my Apache web server. I am seeing quite a few of those requests for
> "default.ida" followed by the "X"s and then the code. I'm sure you
> are familiar with it. According to the log as it scrolls along on the
> screen, Apache just sends a 404. I have also been told that even
> Apache servers running under Windows would be unaffected.
>
> I know that it is not as easy to write a virus for UNIX because of the
> fundamentals of how UNIX works, but I would just like some
> clarification.
>
> Also, another note of interest.. These Code Red requests seem to be
> coming from other boxes in my domain (*.dsl.att.net) and nowhere
> else. Anyone like to venture a guess as to why?
>
> TIA
>
> ----
> Jason Halbert
> jason@jason-n3xt.org
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
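Added example, not from the list thread: a small Python detector run over constructed Apache common-log lines, showing how the default.ida probes Jason watches scroll by can be picked out of an access log, counted per source address (so the clustering in one netblock he noticed becomes visible), and checked for any status other than the 404 Apache returns, since a non-404 would mean something actually answered the request. The log format and the long run of filler characters after "default.ida?" (the "X"s Jason mentions; the earlier variant used "N"s) are assumptions about the probe's shape, and the sample payload tail is abbreviated.

```python
import re
from collections import Counter, defaultdict

# Apache common log format, as written to access_log and tailed on a console.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Fingerprint of a Code Red probe: /default.ida? followed by a long run of one
# repeated filler character ("N" in the first variant, "X" in Code Red II) and
# then the encoded payload. Matching the run, not the exact payload bytes,
# keeps the check robust to minor variants.
CODE_RED_RE = re.compile(r'^/default\.ida\?([NX])\1{50,}', re.IGNORECASE)

# Constructed sample log lines (not real traffic); payload tail abbreviated.
SAMPLE_LOG = f"""\
12.0.0.5 - - [20/Aug/2001:06:12:01 -0500] "GET /default.ida?{'X'*224}%u9090%u6858=a HTTP/1.0" 404 280
12.0.0.5 - - [20/Aug/2001:06:12:03 -0500] "GET /default.ida?{'X'*224}%u9090%u6858=a HTTP/1.0" 404 280
12.0.0.77 - - [20/Aug/2001:06:13:10 -0500] "GET /default.ida?{'N'*224}%u9090%u6858=a HTTP/1.0" 200 4096
10.1.1.1 - - [20/Aug/2001:06:14:00 -0500] "GET /index.html HTTP/1.1" 200 1532
"""


def parse_line(line):
    """Return the fields of one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(path):
    """True when the request path looks like a Code Red propagation attempt."""
    return bool(CODE_RED_RE.match(path))


def summarize(lines):
    """Count probes per source IP and collect any non-404 status per source.

    A 404 is the expected (harmless) response from Apache; anything else on a
    /default.ida request deserves a look at what is actually answering.
    """
    probes = Counter()
    unexpected = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_code_red_probe(rec["path"]):
            continue
        probes[rec["ip"]] += 1
        if rec["status"] != "404":
            unexpected[rec["ip"]].add(rec["status"])
    return probes, dict(unexpected)


if __name__ == "__main__":
    counts, odd = summarize(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip}: {n} probe(s)" + (f", non-404 statuses: {sorted(odd[ip])}" if ip in odd else ""))
```

Pipe a real access_log through `summarize(open(path))` to get the same per-source view; sorting the result by address makes same-netblock sources stand out.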