> -----Original Message-----
> From: plug-discuss-admin@lists.plug.phoenix.az.us
> [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of Matt
> Alexander
> Sent: Saturday, July 21, 2001 12:17 PM
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Re: Code Red Worm advisory
>
>
> Quoting Technomage :
>
> > where does one find these files?
> > I have looked all over for that extension and it doesn't appear
> > to be installed here (on mandrake 8.0)
>
> "default.ida" is the file that is requested on your web server.
> So in your
> apache logs, you would see something like:
>
> 65.201.146.103 - - [19/Jul/2001:17:58:49 -0400] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%
> ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc
> bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
> b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 323 "-" "-"
>

--------

which of course - appears in my web server logs and probably in most other web server logs as well.

I was worried about what I had to do on my apache server but it appears that I need not do anything.

I did find this little tidbit on Cisco...

this explains the problems associated with this worm and the 600 series routers

and of course those who are running IIS servers - they need to visit

I would call this the full employment program for tech/security consultants.

I checked - just for fun and is up and running so apparently they have figured out a method for deflecting the DOS attacks. This exploit though is certain to reverberate for quite some time. It made my week a living hell.

Craig
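
Added example, not part of the original messages: a Python scan of an Apache access log that counts, per source host, requests shaped like the one quoted above (a /default.ida request whose query holds a long run of one repeated character followed by %uXXXX tokens). The thresholds (100 repeated characters, three %uXXXX tokens), the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log prefix: host ident user [time] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
# Traits of the quoted request: a long run of one repeated filler
# character, then %uXXXX-encoded words (thresholds are assumptions).
FILLER_RE = re.compile(r'(.)\1{99,}')
UNICODE_RE = re.compile(r'%u[0-9a-fA-F]{4}')

def is_ida_probe(request):
    """True if the request line matches the default.ida pattern."""
    parts = request.split(' ')
    if len(parts) < 2:
        return False
    path, _, query = parts[1].partition('?')
    if not path.lower().endswith('/default.ida'):
        return False
    return bool(FILLER_RE.search(query)) and len(UNICODE_RE.findall(query)) >= 3

def scan(lines):
    """Return a Counter of source host -> number of matching requests."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ida_probe(m.group(3)):
            hits[m.group(1)] += 1
    return hits

# Constructed sample input; addresses are documentation ranges, not real hosts.
_PROBE = '/default.ida?' + 'N' * 224 + '%u9090%u6858%ucbd3%u7801' + '=a'
SAMPLE = [
    '192.0.2.10 - - [19/Jul/2001:17:58:49 -0400] "GET %s HTTP/1.0" 400 323 "-" "-"' % _PROBE,
    '192.0.2.10 - - [19/Jul/2001:18:02:11 -0400] "GET %s HTTP/1.0" 404 205 "-" "-"'
    % _PROBE.replace('N', 'X'),  # same shape, different filler character
    '198.51.100.7 - - [19/Jul/2001:18:03:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
    '198.51.100.7 - - [19/Jul/2001:18:04:00 -0400] "GET /default.ida?x=1 HTTP/1.0" 404 205 "-" "-"',
]

if __name__ == '__main__':
    for host, count in scan(SAMPLE).most_common():
        print(host, count)
```

On an Apache host these entries only record that the request arrived; the counts are useful for seeing which sources are sending them.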