Code Red?

David P. Schwartz plug-discuss@lists.PLUG.phoenix.az.us
Wed, 08 Aug 2001 22:27:24 -0700


I saw someone complaining about their server, and decided to take a look at
my server's logs.

The main domain's log is cluttered with stuff over the past several days
that looks like this:

63.229.248.108 - - [08/Aug/2001:21:57:21 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 277
63.231.70.17 - - [08/Aug/2001:22:03:20 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 277

A grep on stuff just this month shows:

>grep '/Aug/2001:' akash*access | grep 'default.ida' | wc
    499    4990  227105

Just for fun, here's a look at the front of the lines from the first 40
entries since Aug 1:

>grep '/Aug/2001:' akash*access | grep 'default.ida' | c
1-70 | head -40
211.20.168.125 - - [01/Aug/2001:08:14:16 -0700] "GET /default.ida?NNNN
62.154.210.21 - - [01/Aug/2001:08:29:14 -0700] "GET /default.ida?NNNNN
211.240.34.175 - - [01/Aug/2001:09:08:49 -0700] "GET /default.ida?NNNN
wwwsv.chuokai-kagawa.or.jp - - [01/Aug/2001:10:01:11 -0700] "GET /defa
211.32.101.2 - - [01/Aug/2001:10:09:16 -0700] "GET /default.ida?NNNNNN
202.156.0.10 - - [01/Aug/2001:11:15:02 -0700] "GET /default.ida?NNNNNN
pec-30-35.tnt4.me2.uunet.de - - [01/Aug/2001:11:46:31 -0700] "GET /def
216.142.223.104 - - [01/Aug/2001:11:55:07 -0700] "GET /default.ida?NNN
210.91.45.212 - - [01/Aug/2001:13:34:54 -0700] "GET /default.ida?NNNNN
61.168.133.67 - - [01/Aug/2001:13:56:03 -0700] "GET /default.ida?NNNNN
bre130137-1.gw.connect.com.au - - [01/Aug/2001:16:31:55 -0700] "GET /d
24.27.246.31 - - [01/Aug/2001:17:05:34 -0700] "GET /default.ida?NNNNNN
200.161.15.36 - - [01/Aug/2001:17:15:46 -0700] "GET /default.ida?NNNNN
216.136.30.230 - - [01/Aug/2001:17:24:25 -0700] "GET /default.ida?NNNN
www.cofe.ru - - [01/Aug/2001:17:29:35 -0700] "GET /default.ida?NNNNNNN
206.231.228.163 - - [01/Aug/2001:17:31:50 -0700] "GET /default.ida?NNN
www.headcountsystems.com - - [01/Aug/2001:18:47:09 -0700] "GET /defaul
h-207-148-146-62.dial.cadvision.com - - [01/Aug/2001:20:01:10 -0700] "
165.132.59.117 - - [01/Aug/2001:20:04:03 -0700] "GET /default.ida?NNNN
mail.biodynamics.com.na - - [01/Aug/2001:22:36:00 -0700] "GET /default
62.225.135.227 - - [01/Aug/2001:23:25:00 -0700] "GET /default.ida?NNNN
61.163.224.70 - - [01/Aug/2001:23:59:37 -0700] "GET /default.ida?NNNNN
acaf8a6c.ipt.aol.com - - [02/Aug/2001:00:35:42 -0700] "GET /default.id
211.172.183.254 - - [02/Aug/2001:00:45:38 -0700] "GET /default.ida?NNN
c1474844-a.hlndpk1.il.home.com - - [02/Aug/2001:00:52:42 -0700] "GET /
61-222-57-133.hinet-ip.hinet.net - - [02/Aug/2001:01:46:11 -0700] "GET
host-209-214-61-228.aby.bellsouth.net - - [02/Aug/2001:02:17:10 -0700]
abesancon-101-1-2-212.abo.wanadoo.fr - - [02/Aug/2001:03:24:03 -0700]
msp-65-25-207-2.mn.rr.com - - [02/Aug/2001:04:06:06 -0700] "GET /defau
211.52.85.52 - - [02/Aug/2001:05:17:33 -0700] "GET /default.ida?NNNNNN
61-216-187-98.hinet-ip.hinet.net - - [02/Aug/2001:05:21:20 -0700] "GET
61.161.52.88 - - [02/Aug/2001:05:43:44 -0700] "GET /default.ida?NNNNNN
146.145.90.95 - - [02/Aug/2001:08:06:21 -0700] "GET /default.ida?NNNNN
209.163.178.28 - - [02/Aug/2001:08:53:40 -0700] "GET /default.ida?NNNN
211.169.219.4 - - [02/Aug/2001:09:16:02 -0700] "GET /default.ida?NNNNN
64.85.89.24 - - [02/Aug/2001:09:59:47 -0700] "GET /default.ida?NNNNNNN
210.92.113.5 - - [02/Aug/2001:10:22:43 -0700] "GET /default.ida?NNNNNN
202.31.233.3 - - [02/Aug/2001:13:17:28 -0700] "GET /default.ida?NNNNNN
uu212-190-133-37.unknown.uunet.be - - [02/Aug/2001:13:18:45 -0700] "GE
61.78.75.202 - - [02/Aug/2001:13:26:19 -0700] "GET /default.ida?NNNNNN

Lots of IPs with no corresponding domain names!  Very interesting!

Freq counts by day:

>grep '01/Aug/2001:' akash*access | grep 'default.ida' | wc
     22     220    9924
>grep '02/Aug/2001:' akash*access | grep 'default.ida' | wc
     26     260   11778
>grep '03/Aug/2001:' akash*access | grep 'default.ida' | wc
     18     180    8112
>grep '04/Aug/2001:' akash*access | grep 'default.ida' | wc
     25     250   11367
>grep '05/Aug/2001:' akash*access | grep 'default.ida' | wc
     36     360   16572
>grep '06/Aug/2001:' akash*access | grep 'default.ida' | wc
     86     860   39254
>grep '07/Aug/2001:' akash*access | grep 'default.ida' | wc
    118    1180   53611
>grep '08/Aug/2001:' akash*access | grep 'default.ida' | wc
    168    1680   76487

I don't like this curve!!!

Does this indicate anything about my machine, or is it just a reflection of
the pervasiveness of this worm?

-David
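The per-day counts above were produced with one grep pipeline per day. As an added example (not part of David's post), the script below does the same tally in a single pass over an Apache common-log file with awk, and also counts how many distinct source hosts sent the `default.ida` request, which helps tell one noisy scanner apart from many independently infected hosts. The log lines it reads are constructed for the example and assume the same log format shown in the post; the file name and function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Tally "default.ida"
# probes per day from an Apache common-log file in one pass, and count
# how many distinct source hosts sent them. The log content below is
# constructed sample data, not a real server log.

LOG="${TMPDIR:-/tmp}/codered_sample.log"   # constructed sample file

cat > "$LOG" <<'EOF'
211.20.168.125 - - [01/Aug/2001:08:14:16 -0700] "GET /default.ida?NNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 277
62.154.210.21 - - [01/Aug/2001:08:29:14 -0700] "GET /default.ida?NNNNNNNNNN%u9090%u6858=a HTTP/1.0" 404 277
10.0.0.5 - - [01/Aug/2001:09:00:00 -0700] "GET /index.html HTTP/1.0" 200 1234
211.172.183.254 - - [02/Aug/2001:00:45:38 -0700] "GET /default.ida?NNNNNNNNNN%u9090=a HTTP/1.0" 404 277
10.0.0.6 - - [02/Aug/2001:01:00:00 -0700] "GET /robots.txt HTTP/1.0" 200 68
61.78.75.202 - - [02/Aug/2001:13:26:19 -0700] "GET /default.ida?NNNNNNNNNN%u9090=a HTTP/1.0" 404 277
63.229.248.108 - - [08/Aug/2001:21:57:21 -0700] "GET /default.ida?XXXXXXXXXX%u9090%u6858=a HTTP/1.0" 404 277
EOF

# Print "DD/Mon/YYYY count" for every day that saw a default.ida request.
# $1 = log file
codered_by_day() {
    awk '
        /"GET \/default\.ida[?]/ {
            # field 4 is "[DD/Mon/YYYY:HH:MM:SS"; keep only the date part
            split(substr($4, 2), t, ":")
            n[t[1]]++
        }
        END { for (d in n) print d, n[d] }
    ' "$1" | sort
}

# Count for a single day (prints 0 when the day has no probes).
# $1 = log file, $2 = DD/Mon/YYYY
codered_count_for_day() {
    codered_by_day "$1" | awk -v day="$2" '
        $1 == day { print $2; found = 1 }
        END { if (!found) print 0 }
    '
}

# Number of distinct source hosts that sent the probe.
# $1 = log file
codered_distinct_sources() {
    grep '"GET /default\.ida?' "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

codered_by_day "$LOG"
echo "distinct sources: $(codered_distinct_sources "$LOG")"
```

Run against a real access log by pointing `LOG` at it (the heredoc only exists to make the example self-contained). A rising daily count with many distinct sources is the worm's scanning spreading to more hosts, not something specific to the server being probed; the 404 status in every line shows the request never reached an ISAPI handler on this server.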