Code Red Worm advisory

Patrick Fleming plug-discuss@lists.PLUG.phoenix.az.us
Sat, 21 Jul 2001 13:29:21 -0700 (MST)


On Sat, 21 Jul 2001, Matt Alexander wrote:

> Quoting Technomage <technomage-hawke@qwest.net>:
>
> > where does one find these files?
> > I have looked all over for that extension and it doesn't appear
> > to be installed here (on Mandrake 8.0)
>
> "default.ida" is the file that is requested on your web server.  So in your
> Apache logs, you would see something like:
>
> 65.201.146.103 - - [19/Jul/2001:17:58:49 -0400] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%
> ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc
> bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 323 "-" "-"
>
> So in your httpd.conf or in your .htaccess file, you could add what I wrote
> below to redirect requests to default.ida to something else.
> Again, I don't know if this exploit honors HTTP redirects, and I haven't cared
> enough to try and find out.
> ~M
>
>
> > Matt Alexander wrote:
> > >
> > > If you've got an Apache server running, you can do either of these and chuckle
> > > to yourself:
> > >
> > > Redirect /default.ida http://www.microsoft.com/
> > >
> > > or
> > >
> > > Redirect /default.ida http://127.0.0.1
> > >
> > > I don't know if this exploit actually honors HTTP redirects (probably not),
> > > however.
> > > ~M
> > >

It won't resolve to 127.x.x.x nor 224.x.x.x according to a write-up that I
read on it.
http://net-security.org


Patrick
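
The log entry quoted in this thread can be picked out of an Apache access log mechanically. The following is an added example, not part of the original messages: it separates worm-shaped requests for /default.ida (long filler run plus %uXXXX escapes) from plain requests for the same path and counts them per source address. The function names, the 50-character padding threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# Query opening with one filler character repeated 50+ times (assumed threshold).
PAD_RE = re.compile(r'^(.)\1{49,}')
# IIS-style %uXXXX escapes, as in the entry quoted in the thread.
UESC_RE = re.compile(r'%u[0-9a-fA-F]{4}')

def classify(line):
    """Return (host, kind, status) for requests to /default.ida, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group('request').split()
    if len(parts) < 2:
        return None
    path, _, query = parts[1].partition('?')
    if path.lower() != '/default.ida':
        return None
    padded = PAD_RE.match(query) is not None
    escapes = len(UESC_RE.findall(query))
    kind = 'worm-probe' if padded and escapes else 'plain-request'
    return m.group('host'), kind, int(m.group('status'))

def probes_by_host(lines):
    """Count worm-shaped requests per source address."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result and result[1] == 'worm-probe':
            hits[result[0]] += 1
    return hits

# Constructed sample log lines (documentation addresses, shortened payload).
PAYLOAD = 'N' * 200 + '%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3'
SAMPLE = [
    f'192.0.2.10 - - [19/Jul/2001:17:58:49 -0400] "GET /default.ida?{PAYLOAD}=a HTTP/1.0" 400 323 "-" "-"',
    f'192.0.2.10 - - [19/Jul/2001:18:02:11 -0400] "GET /default.ida?{PAYLOAD}=a HTTP/1.0" 302 299 "-" "-"',
    '198.51.100.7 - - [19/Jul/2001:18:05:00 -0400] "GET /default.ida HTTP/1.0" 404 210 "-" "-"',
    '203.0.113.5 - - [19/Jul/2001:18:06:30 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]
print(dict(probes_by_host(SAMPLE)))  # per-host count of worm-shaped requests
```

Feeding it a real log is a matter of passing the open file object to `probes_by_host`; the status column shows whether the server answered with an error or with the redirect discussed above.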