Date:      Mon, 20 Aug 2001 19:00:44 -0000
From:      "Jason Halbert" <jason@jason-n3xt.org>
To:        <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Code Red
Message-ID:  <JKEKIFNEJJDCJPPDHPIFCEBOCBAA.jason@jason-n3xt.org>
In-Reply-To: <20010820113337.A34996@acadia.ne.mediaone.net>

Speaking of log files.  My flatmate, who also runs web servers
(Windows 2000 IIS), saw that he was getting the Code Red requests.  He
had patched his server though, so he was not affected.  He wrote a
utility that, when it receives a Code Red attack, uses a function of
NT called "netsend" I think it is (I am not a Windows person), that
sends them a direct message informing them that they are infected and
where to go to get cleaned up. :)

Jason

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of
> Louis LeBlanc
> Sent: Monday, August 20, 2001 15:34
> To: freebsd-questions@FreeBSD.ORG; freebsd-questions@FreeBSD.ORG
> Subject: Re: Code Red
>
>
> On 08/20/01 06:28 AM, default - Subscriptions sat at the
> `puter and typed:
> > Jason,
> >
> > Howdy ... Yeah I have the same thing goin on here...
> >
> > Here check this out:
> > http://www.eeye.com/html/Research/Advisories/AL20010717.html
> >
> > This worm is one mean customer for Windows machines...
> >
> > Basically the way it works, is it will scan the 16 bit (depending on what
> > variation of the worm it is) I.P. range that you are in for open webserver
> > ports. It then indiscriminately attempts to propagate itself using the IIS
> > Indexing server exploit described in the link above.
> >
> > I currently am working on ways of reducing the impact of this on my personal
> > server by modifications to my firewall...
> >
> > I heard of someone else on this list actually creating a default.ida file so
> > that it would reduce the amount of data put into the web server logs... not
> > a bad idea...
>
> I did this.  Just 'touch <path-to-your-docroot>/default.ida'  Does a
> hell of a job reducing the log file sizes.  In the first week of the
> traffic spike, I was over 1,000 hits a day.  Closer to 2,000 one day.
> Now I'm down to just 2 or 3 hundred.  Of course, no one really knows
> how this will affect the virus, either.  Sending it an empty 200 OK
> message does not seem to get the offending server to leave you alone,
> so it seems to treat it like a 404.  Probably the virus architect
> decided to handle only the case of the expected cgi response string
> and shunt all other responses to a short loop.
>
> Unfortunately, I'm seeing problems with Apache now.  It takes twice as
> long to serve content, if it serves at all.  Of course I'm using
> Apache 1.3.19 with modssl, mod_perl, etc., and still running on RH6.2
> - my FreeBSD system intended to replace it isn't quite ready yet.
> I haven't had time to really investigate the problem yet, but it's not
> really the most critical thing I have this machine doing.  Setting up
> the replacement takes much higher priority, and I'm still in FreeBSD
> newbie status - although I did replace my Mandrake desktop at work
> with FreeBSD 4.3-RELEASE.
>
> Anyone else seeing degraded performance in Apache?
>
> > This is really an epidemic that is affecting anyone with a webserver right
> > now... especially ones on commercial networks such as @home Roadrunner ...
> > for home users ... due to the large number of people who run Windows servers
> > that are not very secure or up to date...
>
> No doubt.  I used to get these requests from half a dozen different
> networks, with about 90% being within my own domain (ne.mediaone.net).
> Now, it looks like they are all in my domain.  AT&T doesn't seem to
> give a crap that this traffic is keeping their network at a higher
> level of saturation, either.  Mail to abuse hasn't really affected the
> number of hits I get.
>
> At least it seems that an early form of Code Red has run its course.
> I haven't gotten any of the 'Client sent malformed Host Header'
> messages since August 4.  Touching default.ida helps a great deal with
> the later strains that don't mangle the Host header.
>
> Lou
> --
> Louis LeBlanc       leblanc@acadia.ne.mediaone.net
> Fully Funded Hobbyist, KeySlapper Extrordinaire :)
> http://acadia.ne.mediaone.net
>
> Happiness, n.:
>   An agreeable sensation arising from contemplating the
> misery of another.
>     -- Ambrose Bierce, "The Devil's Dictionary"
>
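As an added example, not code from the thread or from either poster: a small Python triage of an Apache common-format access log that counts the default.ida probes Lou describes per day, per source address and per response status, so the daily volume and the originating networks can be tracked. The log lines are constructed to mimic the probe's shape (a long padded query against /default.ida) and are not real captures.

```python
import re
from collections import Counter

# Constructed Apache common-log sample (not from the original post); the
# default.ida requests mimic the worm probe's shape, one normal hit mixed in.
SAMPLE_LOG = """\
24.128.1.10 - - [20/Aug/2001:10:01:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858=a HTTP/1.0" 404 211
24.128.1.10 - - [20/Aug/2001:10:15:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858=a HTTP/1.0" 404 211
24.128.7.23 - - [20/Aug/2001:11:20:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858=a HTTP/1.0" 200 0
10.0.0.5 - - [20/Aug/2001:11:30:00 -0400] "GET /index.html HTTP/1.1" 200 1043
24.128.7.23 - - [21/Aug/2001:02:02:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858=a HTTP/1.0" 200 0
"""

# One common-log line: host, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:\]]+):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_code_red_probe(path):
    """A request for the IIS Indexing Service handler /default.ida with a
    query string is the worm's probe; a Unix web server has no such file
    unless, as in the thread, one was touched to shorten the log entries."""
    return path.lower().startswith("/default.ida?")


def triage(log_text):
    """Count probes per day, per source address and per response status,
    so volume can be tracked over time and sources reported to abuse."""
    by_day, by_source, by_status = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_code_red_probe(m["path"]):
            continue
        by_day[m["day"]] += 1
        by_source[m["host"]] += 1
        by_status[m["status"]] += 1
    return {"by_day": by_day, "by_source": by_source, "by_status": by_status}


if __name__ == "__main__":
    for name, counts in triage(SAMPLE_LOG).items():
        print(name, dict(counts))
```

The status breakdown shows whether the touched default.ida is in place (probes answered 200 instead of 404), which, as the thread notes, shrinks the log entries without stopping the scanning.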

