Quoting Technomage:

> where does one find these files?
> I have looked all over for that extension and it doesn't appear
> to be installed here (on Mandrake 8.0)

"default.ida" is the file that is requested on your web server. So in your Apache logs, you would see something like:

65.201.146.103 - - [19/Jul/2001:17:58:49 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%
ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc
bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 323 "-" "-"

So in your httpd.conf or in your .htaccess file, you could add what I wrote below to redirect requests to default.ida to something else. Again, I don't know if this exploit honors HTTP redirects, and I haven't cared enough to try and find out.

~M

> Matt Alexander wrote:
> >
> > If you've got an Apache server running, you can do either of these and chuckle
> > to yourself:
> >
> > Redirect /default.ida http://www.microsoft.com/
> >
> > or
> >
> > Redirect /default.ida http://127.0.0.1
> >
> > I don't know if this exploit actually honors HTTP redirects (probably not),
> > however.
> > ~M
> >
> > Quoting "John (EBo) David":
> >
> > >
> > > This was sent to me via my family's ISP. If you all know of this link
> > > please ignore...
> > >
> > > EBo --
> > >
> > > ------------------------------------------------
> > >
> > > This message is for anyone who operates an IIS Web Server. Most of
> > > our customers can ignore this. We're sorry for the broadcast message,
> > > but it was important to get this information out to those it affects.
> > >
> > > The Code Red Worm has been multiplying greatly since yesterday. It
> > > attacks English-language IIS servers. If you run an IIS server, please
> > > see http://www.eeye.com/html/Research/Advisories/AL20010717.html
> > > This page contains an analysis of the worm, and instructions for
> > > protecting your system against it and/or removing it if you've already
> > > been infected.
> > > ________________________________________________
> > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> > > post to the list quickly and you use Netscape to write mail.
> > >
> > > PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > >
> >
> > --
> > This email has been double rot-13 encoded for your protection.
>
> --
> I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
> numbered!
> My life is my own - No. 6

--
This email has been double rot-13 encoded for your protection.
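
Added example, not part of the original thread: one way to pick the default.ida requests described above out of an Apache access log and count them per source address. It assumes the common/combined log format; the thresholds (64 repeated filler characters, four %uXXXX escapes) and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# Any request for /default.ida that carries a query string.
IDA_RE = re.compile(r'^(?:GET|POST|HEAD) /default\.ida\?(?P<query>\S*)', re.IGNORECASE)
FILLER_RE = re.compile(r'(.)\1{63,}')      # assumed threshold: 64+ repeats of one char
UENC_RE = re.compile(r'%u[0-9a-fA-F]{4}')  # IIS-style %uXXXX escapes

def classify(line):
    """Return (host, status, verdict) for a default.ida request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = IDA_RE.match(m.group("request"))
    if not req:
        return None
    query = req.group("query")
    padded = bool(FILLER_RE.search(query))
    encoded = len(UENC_RE.findall(query)) >= 4  # assumed threshold
    verdict = "overflow-pattern" if padded and encoded else "ida-request"
    return m.group("host"), int(m.group("status")), verdict

def summarize(lines):
    """Count default.ida hits per (source host, verdict)."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result:
            host, _status, verdict = result
            hits[(host, verdict)] += 1
    return hits

# Constructed sample lines using documentation addresses, not a real log.
_PROBE = "/default.ida?" + "N" * 224 + "%u9090" * 6 + "=a"
SAMPLE = [
    f'192.0.2.10 - - [19/Jul/2001:17:58:49 -0400] "GET {_PROBE} HTTP/1.0" 400 323 "-" "-"',
    f'192.0.2.10 - - [19/Jul/2001:18:03:12 -0400] "GET {_PROBE} HTTP/1.0" 400 323 "-" "-"',
    '198.51.100.7 - - [19/Jul/2001:18:05:00 -0400] "GET /default.ida?x=1 HTTP/1.0" 404 210 "-" "-"',
    '203.0.113.5 - - [19/Jul/2001:18:06:30 -0400] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for (host, verdict), count in sorted(summarize(SAMPLE).items()):
        print(f"{host:15} {verdict:17} {count}")
```
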