Web Hosting Talk







View Full Version : Code Red with a Vengeance


Lawrence
08-07-2001, 11:57 PM
I just had a rather close shave with Code Red. When I'm CGI scripting, I run Apache on Windows 2000 for testing. This is just on a local PC, not on a server. Security settings are pretty poor because of that.

Yesterday I noticed about 20 404 calls to /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a.

I had no idea what all that was about, particularly because they came from a dozen or so IP addresses. I got a little concerned and started investigating (with Apache nicely terminated). Then I just read this thread - http://www.webhostingtalk.com/showthread.php?s=&threadid=17050 and found out that it's Code Red II!

I must have been surfing the net with Apache running and been picked up. I've installed the patch anyway, and only run IIS when need be anyway, but in future I'll be a little more careful...

Lawrence
08-07-2001, 11:59 PM
There you go, it's even so annoying that it breaks vBulletin's tables... (1024 x 768)

Chicken
08-08-2001, 12:08 AM
AHHHHHHH, who says it doesn't (indirectly) affect linux machines??? :D

B-Broker
08-08-2001, 12:11 AM
LOL! Ask *****! ALL of their Linux machines are completely corrupt! The only thing that seems to be causing the problem is Code Red... (I have a few linux boxes of my own; telnet crashes, FTP times out and all of the password databases are cleared....the list goes on)

Is this the end for *****? :wavey: (quietly cries out in joy) We shall find out soon enough...

The Prohacker
08-08-2001, 12:21 AM
If any ***** customers have php on their servers, either shared or dedicated, could you please run this script:


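<p><b>Code Red has attacked this server <font color="#ff0000"> <?php
// grep -c writes the number of matching lines to stdout, which exec() stores
// in $output; $return only holds grep's exit status (0 = match, 1 = no match).
exec( "grep -c default.ida /etc/httpd/logs/access", $output, $return );
print isset( $output[0] ) ? $output[0] : "0";
?>
</font></b></p>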


You may have to modify the path to apache's logs...

But I'd really like to see how hard they are really getting hit....
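
An added example, not part of the original post or the thread: the same count taken from a shell, extended to show how many distinct addresses sent the /default.ida requests and whether any got a reply other than 404. It assumes Apache's Common Log Format; the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise Code Red-style probes in an Apache access log.
# Assumes Common Log Format split on whitespace: $1 = client IP,
# $7 = request path, $9 = HTTP status.

# Prints "hits=<n> sources=<n> not404=<n>" for requests to /default.ida.
code_red_summary() {
    awk '
        index(tolower($7), "/default.ida") == 1 {
            hits++
            if (!($1 in seen)) { seen[$1] = 1; sources++ }
            if ($9 != 404) not404++   # answered with something other than Not Found
        }
        END { printf "hits=%d sources=%d not404=%d\n", hits, sources, not404 }
    ' "$1"
}

# Prints "<count> <ip>" for each probing source, busiest first.
code_red_sources() {
    awk 'index(tolower($7), "/default.ida") == 1 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log: documentation IP ranges, query string shortened.
make_sample_log() {
    cat <<'EOF'
192.0.2.10 - - [07/Aug/2001:21:14:02 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858=a HTTP/1.0" 404 276
192.0.2.10 - - [07/Aug/2001:21:40:51 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858=a HTTP/1.0" 404 276
198.51.100.7 - - [07/Aug/2001:22:03:17 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858=a HTTP/1.0" 404 276
203.0.113.5 - - [07/Aug/2001:22:05:00 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [07/Aug/2001:22:09:44 +0000] "GET /cgi-bin/test.pl HTTP/1.0" 200 512
203.0.113.44 - - [07/Aug/2001:23:30:09 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858=a HTTP/1.0" 200 88
EOF
}

log=$(mktemp) && make_sample_log > "$log"
code_red_summary "$log"
code_red_sources "$log"
rm -f "$log"
```

A 404 only shows that the request reached a server with no such file; a host listed under not404 is the one to inspect first.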

MasterMindz
08-08-2001, 12:23 AM
No one can access their servers or accounts. :laugh:

B-Broker
08-08-2001, 12:24 AM
Originally posted by The Prohacker
If any ***** customers have php on their servers, either shared or dedicated, could you please run this script:


I'd really like to run that script for you...BUT...my linux boxes are SO corrupt I can't even access them...they're DOA

What else is new?

:uzi: ***** :smash: