From owner-freebsd-questions  Mon Aug 20  8:40: 0 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from chmls06.mediaone.net (chmls06.mediaone.net [24.147.1.144])
	by hub.freebsd.org (Postfix) with ESMTP id 78A2537B411
	for <freebsd-questions@FreeBSD.ORG>; Mon, 20 Aug 2001 08:39:56 -0700 (PDT)
	(envelope-from leblanc@smtp.ne.mediaone.net)
Received: from canada.acadia.ne.mediaone.net (acadia.ne.mediaone.net [65.96.185.189])
	by chmls06.mediaone.net (8.11.1/8.11.1) with ESMTP id f7KFdum22334
	for <freebsd-questions@FreeBSD.ORG>; Mon, 20 Aug 2001 11:39:56 -0400 (EDT)
Received: (from leblanc@localhost)
	by canada.acadia.ne.mediaone.net (8.11.5/8.11.5) id f7KFXcn35594;
	Mon, 20 Aug 2001 11:33:38 -0400 (EDT)
	(envelope-from leblanc)
Date: Mon, 20 Aug 2001 11:33:38 -0400
From: Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>
To: freebsd-questions@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: Code Red
Message-ID: <20010820113337.A34996@acadia.ne.mediaone.net>
Reply-To: freebsd-questions@FreeBSD.ORG
Mail-Followup-To: freebsd-questions@FreeBSD.ORG
References: <JKEKIFNEJJDCJPPDHPIFKEBACBAA.jason@jason-n3xt.org> <OE30Gh05YFRcmVFOh1v000012e1@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <OE30Gh05YFRcmVFOh1v000012e1@hotmail.com>
User-Agent: Mutt/1.3.20i
X-bright-idea: Lets abolish HTML mail!
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On 08/20/01 06:28 AM, default - Subscriptions sat at the `puter and typed:
> Jason,
> 
> Howdy ... Yeah I have the same thing goin on here...
> 
> Here check this out:
> http://www.eeye.com/html/Research/Advisories/AL20010717.html
> 
> This worm is one mean customer for Windows machines...
> 
> Basically the way it works, is it will scan the 16 bit (depending on what
> variation of the worm it is) I.P. range that you are in for open webserver
> ports. It then indiscriminately attempts to propagate itself using the IIS
> Indexing server exploit described in the link above.
> 
> I currently am working on ways of reducing the impact of this on my personal
> server by modifications to my firewall...
> 
> I heard of someone else on this list actually creating a default.ida file so
> that it would reduce the amount of data put into the web server logs... not
> a bad idea...

I did this.  Just 'touch <path-to-your-docroot/default.ida'  Does a
hell of a job reducing the log file sizes.  In the first week of the
traffic spike, I was over 1,000 hits a day.  Closer to 2,000 one day.
Now I'm down to just 2 or 3 hundred.  Of course, no one really knows
how this will affect the virus, either.  Sending it an empty 200 OK
message does not seem to get the offending server to leave you alone,
so it seems to treat it like a 404.  Probably the virus architect
decided to handle only the case of the expected cgi response string
and shunt all other responses to a short loop.

Unfortunately, I'm seeing problems with Apache now.  It takes twice as
long to serve content, if it serves at all.  Of course I'm using
Apache 1.3.19 with modssl, mod_perl, etc., and still running on RH6.2
- my FreeBSD system intended to replace it isn't quite ready yet.
I haven't had time to really investigate the problem yet, but it's not
really the most critical thing I have this machine doing.  Setting up
the replacement takes much higher priority, and I'm still in FreeBSD
newbie status - although I did replace my Mandrake desktop at work
with FreeBSD 4.3-RELEASE.

Anyone else seeing degraded performance in Apache?

> This is really an epidemic that is effecting anyone with a webserver right
> now... especially ones on commercial networks such as @home Roadrunner ...
> for home users ... due to the large number of people who run Windows servers
> that are not very secure or up to date...
 
No doubt.  I used to get these requests from half a dozen different
networks, with about 90% being within my own domain (ne.mediaone.net).
Now, it looks like they are all in my domain.  AT&T doesn't seem to
give a crap that this traffic is keeping their network at a higher
level of saturation, either.  Mail to abuse hasn't really affected the
number of hits I get.

At least it seems that an early form of Code Red has run its course.
I haven't gotten any of the 'Client sent malformed Host Header'
messages since August 4.  Touching default.ida helps a great deal with
the later strains that don't mangle the Host header.

Lou
-- 
Louis LeBlanc       leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://acadia.ne.mediaone.net                 ԿԬ

Happiness, n.:
  An agreeable sensation arising from contemplating the misery of another.
    -- Ambrose Bierce, "The Devil's Dictionary"


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message