Date:      Mon, 20 Aug 2001 11:33:38 -0400
From:      Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>
To:        freebsd-questions@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject:   Re: Code Red
Message-ID:  <20010820113337.A34996@acadia.ne.mediaone.net>
In-Reply-To: <OE30Gh05YFRcmVFOh1v000012e1@hotmail.com>
References:  <JKEKIFNEJJDCJPPDHPIFKEBACBAA.jason@jason-n3xt.org> <OE30Gh05YFRcmVFOh1v000012e1@hotmail.com>

On 08/20/01 06:28 AM, default - Subscriptions sat at the `puter and typed:
> Jason,
> 
> Howdy ... Yeah I have the same thing goin on here...
> 
> Here check this out:
> http://www.eeye.com/html/Research/Advisories/AL20010717.html
> 
> This worm is one mean customer for Windows machines...
> 
> Basically the way it works, is it will scan the 16 bit (depending on what
> variation of the worm it is) I.P. range that you are in for open webserver
> ports. It then indiscriminately attempts to propagate itself using the IIS
> Indexing server exploit described in the link above.
> 
> I currently am working on ways of reducing the impact of this on my personal
> server by modifications to my firewall...
> 
> I heard of someone else on this list actually creating a default.ida file so
> that it would reduce the amount of data put into the web server logs... not
> a bad idea...

I did this.  Just 'touch <path-to-your-docroot>/default.ida'.  Does a
hell of a job reducing the log file sizes.  In the first week of the
traffic spike, I was over 1,000 hits a day.  Closer to 2,000 one day.
Now I'm down to just 2 or 3 hundred.  Of course, no one really knows
how this will affect the virus, either.  Sending it an empty 200 OK
message does not seem to get the offending server to leave you alone,
so it seems to treat it like a 404.  Probably the virus architect
decided to handle only the case of the expected cgi response string
and shunt all other responses to a short loop.

Unfortunately, I'm seeing problems with Apache now.  It takes twice as
long to serve content, if it serves at all.  Of course I'm using
Apache 1.3.19 with modssl, mod_perl, etc., and still running on RH6.2
- my FreeBSD system intended to replace it isn't quite ready yet.
I haven't had time to really investigate the problem yet, but it's not
really the most critical thing I have this machine doing.  Setting up
the replacement takes much higher priority, and I'm still in FreeBSD
newbie status - although I did replace my Mandrake desktop at work
with FreeBSD 4.3-RELEASE.

Anyone else seeing degraded performance in Apache?

> This is really an epidemic that is affecting anyone with a webserver right
> now... especially ones on commercial networks such as @home Roadrunner ...
> for home users ... due to the large number of people who run Windows servers
> that are not very secure or up to date...
 
No doubt.  I used to get these requests from half a dozen different
networks, with about 90% being within my own domain (ne.mediaone.net).
Now, it looks like they are all in my domain.  AT&T doesn't seem to
give a crap that this traffic is keeping their network at a higher
level of saturation, either.  Mail to abuse hasn't really affected the
number of hits I get.

At least it seems that an early form of Code Red has run its course.
I haven't gotten any of the 'Client sent malformed Host Header'
messages since August 4.  Touching default.ida helps a great deal with
the later strains that don't mangle the Host header.

Lou
-- 
Louis LeBlanc       leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Happiness, n.:
  An agreeable sensation arising from contemplating the misery of another.
    -- Ambrose Bierce, "The Devil's Dictionary"


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
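The thread above counts Code Red probes by hand (hits per day, how many come from the poster's own domain, whether the early strain's 'Client sent malformed Host Header' errors have stopped). The script below is an added example, not code from the thread or any of its posters: it parses Apache 1.3-style access_log and error_log lines, tallies requests for /default.ida per day, per response status and per client, and reports the share that originate inside a given domain or address range. The log lines, hostnames, addresses and the shortened /default.ida query string are constructed sample data; the regular expressions assume the stock "common"/"combined" access_log format and the Apache 1.3 error_log layout.

```python
import ipaddress
import re
from collections import Counter

# Apache "common"/"combined" access_log line; the client field is an IP, or a
# resolved hostname when HostnameLookups is on (as in the thread's ne.mediaone.net).
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Apache 1.3 error_log line: "[date] [level] [client X] message"
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$'
)


def parse_access_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['day'] = entry['ts'].split(':', 1)[0]   # "20/Aug/2001"
    entry['status'] = int(entry['status'])
    return entry


def is_code_red_probe(entry):
    """Code Red asks for default.ida with a long junk query string; match the path only."""
    path = entry['path'].lower().split('?', 1)[0]
    return entry['method'] == 'GET' and path == '/default.ida'


def is_own_network(client, own_domain, own_nets):
    """True if the client hostname is under own_domain or its IP is in own_nets."""
    if client.lower().endswith('.' + own_domain.lower()):
        return True
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:          # a hostname, not an address
        return False
    return any(addr in net for net in own_nets)


def summarize_probes(access_lines, own_domain, own_cidrs=()):
    """Tally default.ida probes per day, status and client, plus the own-network share."""
    own_nets = [ipaddress.ip_network(c) for c in own_cidrs]
    per_day, per_status, per_client = Counter(), Counter(), Counter()
    own = total = 0
    for line in access_lines:
        entry = parse_access_line(line)
        if entry is None or not is_code_red_probe(entry):
            continue
        total += 1
        per_day[entry['day']] += 1
        per_status[entry['status']] += 1
        per_client[entry['client']] += 1
        if is_own_network(entry['client'], own_domain, own_nets):
            own += 1
    return {
        'total': total,
        'per_day': dict(per_day),
        'per_status': dict(per_status),          # 404 before, 200 after touching default.ida
        'top_clients': per_client.most_common(3),
        'own_domain_share': own / total if total else 0.0,
    }


def count_malformed_host(error_lines):
    """Per-day count of the early strain's 'client sent malformed Host header' errors."""
    per_day = Counter()
    for line in error_lines:
        m = ERROR_RE.match(line)
        if not m or 'malformed host header' not in m['msg'].lower():
            continue
        parts = m['ts'].split()                  # "Sat Aug  4 02:11:09 2001"
        per_day[f"{parts[1]} {parts[2]} {parts[4]}"] += 1
    return dict(per_day)


# Constructed sample data (shortened query string; hosts and addresses are made up).
PROBE = '/default.ida?' + 'N' * 40 + '%u9090'
SAMPLE_ACCESS = [
    f'host1.ne.mediaone.net - - [20/Aug/2001:06:28:11 -0400] "GET {PROBE} HTTP/1.0" 404 270 "-" "-"',
    f'host1.ne.mediaone.net - - [20/Aug/2001:06:41:02 -0400] "GET {PROBE} HTTP/1.0" 404 270 "-" "-"',
    f'host2.ne.mediaone.net - - [20/Aug/2001:09:15:33 -0400] "GET {PROBE} HTTP/1.0" 404 270 "-" "-"',
    f'192.0.2.7 - - [20/Aug/2001:11:02:45 -0400] "GET {PROBE} HTTP/1.0" 404 270 "-" "-"',
    'host1.ne.mediaone.net - - [20/Aug/2001:12:00:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    f'host3.ne.mediaone.net - - [21/Aug/2001:00:12:09 -0400] "GET {PROBE} HTTP/1.0" 200 0 "-" "-"',
    f'host1.ne.mediaone.net - - [21/Aug/2001:03:30:17 -0400] "GET {PROBE} HTTP/1.0" 200 0 "-" "-"',
    f'host2.ne.mediaone.net - - [21/Aug/2001:05:44:58 -0400] "GET {PROBE} HTTP/1.0" 200 0 "-" "-"',
    f'198.51.100.9 - - [21/Aug/2001:08:01:21 -0400] "GET {PROBE} HTTP/1.0" 200 0 "-" "-"',
    'not a log line at all',
]
SAMPLE_ERROR = [
    '[Sat Aug  4 02:11:09 2001] [error] [client 10.0.0.5] client sent malformed Host header',
    '[Sat Aug  4 03:40:51 2001] [error] [client 10.0.0.6] client sent malformed Host header',
    '[Mon Aug 20 06:28:11 2001] [error] [client 192.0.2.7] File does not exist: /var/www/html/default.ida',
]

if __name__ == '__main__':
    print(summarize_probes(SAMPLE_ACCESS, 'ne.mediaone.net'))
    print(count_malformed_host(SAMPLE_ERROR))
```

The per-status breakdown is the quick check that the empty default.ida is in place: every probe should come back 200 with a zero body instead of 404, which is also why the trick shrinks the logs, since Apache no longer writes a "File does not exist" error_log entry for each hit. Pass your own CIDR blocks as `own_cidrs` when the access_log records addresses rather than hostnames.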