> -----Original Message-----
> From: plug-discuss-admin@lists.plug.phoenix.az.us
> [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of Matt
> Alexander
> Sent: Saturday, July 21, 2001 12:17 PM
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Re: Code Red Worm advisory
>
>
> Quoting Technomage <technomage-hawke@qwest.net>:
>
> > where does one find these files?
> > I have looked all over for that extension and it doesn't appear
> > to be installed here (on mandrake 8.0)
>
> "default.ida" is the file that is requested on your web server. So in your
> Apache logs, you would see something like:
>
> 65.201.146.103 - - [19/Jul/2001:17:58:49 -0400] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%
> ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc
> bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
> b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 323 "-" "-"
>
--------
Which, of course, appears in my web server logs and probably in most others'
web server logs as well. I was worried about what I had to do on my Apache
server, but it appears that I need not do anything.
I did find this little tidbit on Cisco...
<http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml>
This explains the problems associated with this worm and the 600 series
routers, and of course those who are running IIS servers - they need to visit
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp>
I would call this the full employment program for tech/security consultants.
I checked - just for fun - and <http://www.whitehouse.gov> is up and running,
so apparently they have figured out a method for deflecting the DOS attacks.
This exploit though is certain to reverberate for quite some time.
It made my week a living hell.
Craig
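
A log scan for the request shape quoted in the thread above, as an added example that is not part of the original messages: it parses Apache access-log lines, flags `/default.ida?` requests carrying a long filler run followed by `%u`-encoded words, and reports which status codes each source received. The function names, the 100-character filler threshold, and the sample lines (documentation-range addresses, shortened payload tail) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) (\S+)')
# Probe shape from the quoted log line: /default.ida? + long run of one filler
# character + %uXXXX-encoded words. The 100-character minimum is an assumption.
PROBE_RE = re.compile(r'^GET /default\.ida\?(.)\1{99,}(?:%u[0-9a-f]{4})+', re.IGNORECASE)

def parse_line(line):
    """Return host, time, request and status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, when, request, status, _size = m.groups()
    return {"host": host, "time": when, "request": request, "status": int(status)}

def is_probe(request):
    return PROBE_RE.match(request) is not None

def summarize(lines):
    """Map each probing host to the sorted status codes the server returned."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["request"]):
            hits[rec["host"]].add(rec["status"])
    return {host: sorted(codes) for host, codes in hits.items()}

# Constructed sample lines; not taken from any real server.
_PROBE = "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0"
_TS = "[19/Jul/2001:17:58:49 -0400]"
SAMPLE = [
    f'192.0.2.10 - - {_TS} "{_PROBE}" 400 323 "-" "-"',
    f'192.0.2.10 - - {_TS} "{_PROBE}" 400 323 "-" "-"',
    f'198.51.100.7 - - {_TS} "{_PROBE}" 404 287 "-" "-"',
    f'203.0.113.5 - - {_TS} "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
    f'203.0.113.5 - - {_TS} "GET /default.ida?id=5 HTTP/1.0" 404 287 "-" "-"',
]

if __name__ == "__main__":
    for host, codes in summarize(SAMPLE).items():
        print(host, codes)
```

A host that only ever received 400 or 404 from an Apache server, as in the quoted log line, was probing a handler that server does not have.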