Code Red Worm advisory

Matt Alexander plug-discuss@lists.PLUG.phoenix.az.us
Sat, 21 Jul 2001 12:16:39 -0700 (PDT)


Quoting Technomage <technomage-hawke@qwest.net>:

> where does one find these files?
> I have looked all over for that extension and it doesn't appear
> to be installed here (on mandrake 8.0)

"default.ida" is the file that is requested on your web server.  So in your 
Apache logs, you would see something like:

65.201.146.103 - - [19/Jul/2001:17:58:49 -0400] "GET 
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% 
ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc 
bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a 
HTTP/1.0" 400 323 "-" "-"

So in your httpd.conf or in your .htaccess file, you could add what I wrote 
below to redirect requests to default.ida to something else.
Again, I don't know if this exploit honors HTTP redirects, and I haven't cared 
enough to try and find out.
~M


> Matt Alexander wrote:
> > 
> > If you've got an Apache server running, you can do either of these and chuckle
> > to yourself:
> > 
> > Redirect /default.ida http://www.microsoft.com/
> > 
> > or
> > 
> > Redirect /default.ida http://127.0.0.1
> > 
> > I don't know if this exploit actually honors HTTP redirects (probably not),
> > however.
> > ~M
> > 
> > Quoting "John (EBo) David" <ebo@eagle.west.asu.edu>:
> > 
> > >
> > > This was sent to me via my family's ISP.  If you all know of this link
> > > please ignore...
> > >
> > >   EBo --
> > >
> > > ------------------------------------------------
> > >
> > > This message is for anyone who operates an IIS Web Server.   Most of
> > > our customers can ignore this.  We're sorry for the broadcast message,
> > > but it was important to get this information out to those it affects.
> > >
> > > The Code Red Worm has been multiplying greatly since yesterday.  It
> > > attacks English-language IIS servers.  If you run an IIS server, please
> > > see http://www.eeye.com/html/Research/Advisories/AL20010717.html
> > > This page contains an analysis of the worm, and instructions for
> > > protecting your system against it and/or removing it if you've already
> > > been infected.
> > > ________________________________________________
> > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> > > post to the list quickly and you use Netscape to write mail.
> > >
> > > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > >
> > 
> > --
> > This email has been double rot-13 encoded for your protection.
> 
> -- 
> I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
> numbered!
> My life is my own - No. 6
> 



--
This email has been double rot-13 encoded for your protection.
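As an added example that is not part of the thread above: a small Python scanner that reads Apache combined-format log lines like the one Matt quoted and counts, per source IP, the requests that carry the Code Red signature (a GET for /default.ida whose query string begins with the long run of N padding and contains %u-encoded bytes). The sample log lines are constructed, with the N padding shortened, and the IPs are documentation addresses.

```python
import re
from collections import Counter

# Apache "combined" log format, as in the log line quoted in the message.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_code_red_probe(path):
    """True if the request path matches the Code Red signature:
    /default.ida followed by a run of 'N' padding and %uXXXX-encoded bytes."""
    if not path.lower().startswith("/default.ida?"):
        return False
    query = path.split("?", 1)[1]
    return query.startswith("NNNN") and "%u" in query

def scan_log(lines):
    """Return (probes_per_ip, lines_parsed) for an iterable of log lines.
    Lines that do not parse as combined-format entries are skipped."""
    hits = Counter()
    parsed = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parsed += 1
        if is_code_red_probe(m.group("path")):
            hits[m.group("ip")] += 1
    return hits, parsed

# Constructed sample lines (padding shortened; the real request carries a much longer run of N's).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:17:58:49 -0400] "GET /default.ida?NNNNNNNNNN%u9090%u6858%ucbd3%u7801%u0000 HTTP/1.0" 400 323 "-" "-"',
    '192.0.2.10 - - [19/Jul/2001:18:02:11 -0400] "GET /default.ida?NNNNNNNNNN%u9090%u6858%ucbd3%u7801%u0000 HTTP/1.0" 400 323 "-" "-"',
    '198.51.100.7 - - [19/Jul/2001:18:05:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.7"',
    '203.0.113.5 - - [19/Jul/2001:18:06:30 -0400] "GET /default.ida HTTP/1.0" 404 210 "-" "-"',
]

if __name__ == "__main__":
    hits, parsed = scan_log(SAMPLE_LOG)
    print(f"parsed {parsed} lines")
    for ip, n in hits.most_common():
        print(f"{ip}: {n} Code Red probe(s)")
```

A bare GET for /default.ida with no payload (the last sample line) is not counted, so the scanner reports worm probes rather than every 404 for that path.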