Web Hosting Talk

"GET /default.ida?NNNNNNNNNNNNNNNNNNNNN"


bert
08-02-2001, 08:53 AM
This was all over one of our Apache logs today. The requests are coming from many different IPs from all over the world. We traced IPs to Italy, Brazil, Korea, USA, etc.

I was reading about it and found that this is an exploit for IIS. We run Apache so we are not too concerned, but I just wanted to know if you knew anything about this and how problematic it might be.

Thanks.

bert
08-02-2001, 09:48 AM
Never mind. I already found it is code red.

How nice it is to run UNIX and not WINDOWS :D

RackMy.com
08-02-2001, 09:57 AM
Yep, that is the code red worm :)

Bushidohost
08-04-2001, 01:07 AM
I noticed that in our logs two days ago as well, right after we installed the code red patch :)

jw
08-04-2001, 01:21 AM
If you are running linux/unix and want to see how many times you have been scanned by code red, just execute the following command:

cat /path/to/access_log | grep -c default.ida

obviously, the more IPs you have, the more you will get scanned.

jarrod
08-04-2001, 01:26 AM
thanks for the command jw.

wow, 708 times in 2 days with only 2 IPs =]

Cyberpunk
08-04-2001, 08:30 PM
Has been kicking my door for 4 days.

jezzicuh
08-06-2001, 01:59 PM
Just in case any fellow newbies were curious, if you see "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXX" in your logs, that's the new Code Red II, which is more malicious than the first one (and once again shouldn't affect Linux/Unix servers). I heard about it for the first time yesterday, and today I'm getting scanned about once a minute for it. Praise Apache! :)

Nicholas Brown
08-06-2001, 06:24 PM
root@server [~]# cat /usr/local/apache/logs/access_log | grep -c default.ida
11070

We run Apache 1.3.20, not IIS, but the problem is that 4 hours ago the above number was half that :eek:

It's now making the server very slow and unresponsive - and damn right annoying :(

bert
08-06-2001, 06:29 PM
What do you think about this:

root@serverXX [~]# cat /usr/local/apache/logs/access_log | grep -c default.ida
35869

:angry: :angry:

Cyberpunk
08-07-2001, 03:47 AM
Is there no way of refusing or denying connection for that specific query?

MattR
08-07-2001, 12:09 PM
2165 on our new servers (uptime 1 day ;))

spock
08-07-2001, 11:02 PM
Originally posted by Cyberpunk
Is there no way of refusing or denying connection for that specific query?

You could block further accesses beyond the first one, for example by automatically adding the offending IPs to ipchains/iptables.

IANACRE (I am not a Code Red expert ;)), but I don't think such a scheme would be of any use in this case. The infected servers seem to try each IP only once and move on when no vulnerability is found.
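
Taking jw's grep -c one step further, and as a way to check spock's point about whether the same source ever comes back, here is an added example script (not posted by anyone in this thread). It assumes an Apache access_log in Common/Combined Log Format (client IP in the first field, request line in the first quoted string) and uses a few constructed sample log lines in place of a real file; the RFC 5737 documentation addresses in those lines are made up for the example. It reports the total probe count jw's command gives, splits the probes into the original worm (N padding) and Code Red II (X padding) as jezzicuh described, counts distinct sources, and lists the sources that probed more than once, which are the only ones a "block after the first hit" firewall rule would actually stop.

```shell
#!/bin/sh
# Added example, not from the thread: summarise Code Red probes in an
# Apache access_log. Assumes Common/Combined Log Format, where the client
# IP is field 1 and the request line is the first quoted string.

# Constructed sample log lines (documentation-range IPs) standing in for
# /path/to/access_log. Writes them to a temp file and prints its path.
write_sample_log() {
    log=${TMPDIR:-/tmp}/codered_sample.log
    cat > "$log" <<'EOF'
203.0.113.7 - - [06/Aug/2001:13:05:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.23 - - [06/Aug/2001:13:05:09 -0400] "GET /index.html HTTP/1.1" 200 1043
192.0.2.45 - - [06/Aug/2001:13:06:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
203.0.113.7 - - [06/Aug/2001:13:07:30 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.200 - - [06/Aug/2001:13:08:44 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.99 - - [06/Aug/2001:13:09:02 -0400] "GET /robots.txt HTTP/1.0" 200 68
EOF
    printf '%s\n' "$log"
}

# Total number of probes: the same count jw's "grep -c default.ida" gives.
count_probes() {                 # $1 = log file
    grep -c 'default.ida' "$1"
}

# Probes per variant: the padding letter right after "default.ida?"
# separates the original worm (N) from Code Red II (X).
# In basic regex the '?' is a literal character, so this matches the URI.
count_variant() {                # $1 = log file, $2 = N or X
    grep -c "default\.ida?$2" "$1"
}

# Number of distinct source IPs that sent at least one probe.
distinct_sources() {             # $1 = log file
    grep 'default.ida' "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Sources that probed more than once: the only ones a
# "block the IP after its first hit" firewall rule would stop.
repeat_sources() {               # $1 = log file
    grep 'default.ida' "$1" | awk '{print $1}' | sort | uniq -c \
        | awk '$1 > 1 {print $2}'
}

report() {                       # $1 = log file
    printf 'total probes:     %s\n' "$(count_probes "$1")"
    printf 'Code Red (N):     %s\n' "$(count_variant "$1" N)"
    printf 'Code Red II (X):  %s\n' "$(count_variant "$1" X)"
    printf 'distinct sources: %s\n' "$(distinct_sources "$1")"
    printf 'repeat sources:   %s\n' "$(repeat_sources "$1" | tr '\n' ' ')"
}

# Usage: sh codered_report.sh /usr/local/apache/logs/access_log
# With no argument the constructed sample log is analysed instead.
LOG=${1:-$(write_sample_log)}
report "$LOG"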

Cyberpunk
08-07-2001, 11:42 PM
Never looked closely enough at the IP numbers of the attempts.

Would make sense for the virus to do that to achieve maximum infection rate before its spotted on the host server.