Date:      Mon, 20 Aug 2001 09:33:05 -0700 (PDT)
From:      Tim Erlin <tperlin@yahoo.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Code Red
Message-ID:  <20010820163305.60779.qmail@web11706.mail.yahoo.com>
In-Reply-To: <20010820113337.A34996@acadia.ne.mediaone.net>

Doesn't Code Red leave a backdoor open on the servers it's infected?
Anyone explored ways to respond to the HTTP requests that shut down IIS
on the offending server? What would the legal implications of doing so
be -- self-defense?

--Tim

--- Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net> wrote:
> On 08/20/01 06:28 AM, default - Subscriptions sat at the `puter and typed:
> > Jason,
> > 
> > Howdy ... Yeah I have the same thing goin on here...
> > 
> > Here check this out:
> >
> > http://www.eeye.com/html/Research/Advisories/AL20010717.html
> > 
> > This worm is one mean customer for Windows machines...
> > 
> > Basically the way it works, is it will scan the 16 bit (depending on what
> > variation of the worm it is) I.P. range that you are in for open webserver
> > ports. It then indiscriminately attempts to propagate itself using the IIS
> > Indexing server exploit described in the link above.
> > 
> > I currently am working on ways of reducing the impact of this on my personal
> > server by modifications to my firewall...
> > 
> > I heard of someone else on this list actually creating a default.ida file so
> > that it would reduce the amount of data put into the web server logs... not
> > a bad idea...
> 
> I did this.  Just 'touch <path-to-your-docroot>/default.ida'.  Does a
> hell of a job reducing the log file sizes.  In the first week of the
> traffic spike, I was over 1,000 hits a day.  Closer to 2,000 one day.
> Now I'm down to just 2 or 3 hundred.  Of course, no one really knows
> how this will affect the virus, either.  Sending it an empty 200 OK
> message does not seem to get the offending server to leave you alone,
> so it seems to treat it like a 404.  Probably the virus architect
> decided to handle only the case of the expected cgi response string
> and shunt all other responses to a short loop.
> 
> Unfortunately, I'm seeing problems with Apache now.  It takes twice as
> long to serve content, if it serves at all.  Of course I'm using
> Apache 1.3.19 with modssl, mod_perl, etc., and still running on RH6.2
> - my FreeBSD system intended to replace it isn't quite ready yet.
> I haven't had time to really investigate the problem yet, but it's not
> really the most critical thing I have this machine doing.  Setting up
> the replacement takes much higher priority, and I'm still in FreeBSD
> newbie status - although I did replace my Mandrake desktop at work
> with FreeBSD 4.3-RELEASE.
> 
> Anyone else seeing degraded performance in Apache?
> 
> > This is really an epidemic that is affecting anyone with a webserver right
> > now... especially ones on commercial networks such as @home Roadrunner ...
> > for home users ... due to the large number of people who run Windows servers
> > that are not very secure or up to date...
> 
> No doubt.  I used to get these requests from half a dozen different
> networks, with about 90% being within my own domain (ne.mediaone.net).
> Now, it looks like they are all in my domain.  AT&T doesn't seem to
> give a crap that this traffic is keeping their network at a higher
> level of saturation, either.  Mail to abuse hasn't really affected the
> number of hits I get.
> 
> At least it seems that an early form of Code Red has run its course.
> I haven't gotten any of the 'Client sent malformed Host Header'
> messages since August 4.  Touching default.ida helps a great deal with
> the later strains that don't mangle the Host header.
> 
> Lou
> -- 
> Louis LeBlanc       leblanc@acadia.ne.mediaone.net
> Fully Funded Hobbyist, KeySlapper Extrordinaire :)
> http://acadia.ne.mediaone.net
> 
> Happiness, n.:
>   An agreeable sensation arising from contemplating
>   the misery of another.
>     -- Ambrose Bierce, "The Devil's Dictionary"
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
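The thread above discusses two defender-side measures: watching how many Code Red probes for /default.ida reach an Apache server (and from which networks, for abuse reports), and touching an empty default.ida so the probes return 200 instead of 404. The following is an added example, not code from the original thread or from any of the posters, that runs that kind of triage over Apache access-log lines: it counts probes per source address, per day, and per status code, so the before/after effect of the default.ida trick is visible in the 404-vs-200 split. The log lines are constructed for the example, and the probe signature (a long run of `N` or `X` padding after `/default.ida?`, as documented for the original strain and Code Red II) is an assumption taken from public write-ups rather than from this thread.

```python
import re
from collections import Counter

# Apache common/combined log format (constructed regex; only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red probes request /default.ida with a long padding run in the query
# string (N for the original strain, X for Code Red II). A plain request for
# /default.ida with no padding is not treated as a probe. Assumption from
# public write-ups, not from the thread.
CODE_RED_RE = re.compile(r'^/default\.ida\?(?:N{20,}|X{20,})', re.IGNORECASE)

# Constructed sample log: two 404s before default.ida existed, one 200 after,
# one normal page hit, one bare /default.ida hit, and one unparseable line.
SAMPLE_LOG = """\
24.91.7.10 - - [19/Aug/2001:03:12:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u0000=a HTTP/1.0" 404 289
24.91.7.10 - - [19/Aug/2001:03:12:50 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u0000=a HTTP/1.0" 404 289
24.91.44.2 - - [20/Aug/2001:09:01:03 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u0000=a HTTP/1.0" 200 0
24.91.7.10 - - [20/Aug/2001:09:05:17 -0400] "GET /index.html HTTP/1.0" 200 1523
10.0.0.5 - - [20/Aug/2001:09:06:00 -0400] "GET /default.ida HTTP/1.0" 200 0
garbage line that does not parse
"""


def parse_line(line):
    """Return a dict of the fields we care about, or None if the line is not an access-log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "day": m.group("ts").split(":")[0],  # "19/Aug/2001" from "19/Aug/2001:03:12:44 -0400"
        "path": m.group("path"),
        "status": m.group("status"),
    }


def is_code_red_probe(path):
    """True if the request path looks like a Code Red propagation attempt."""
    return bool(CODE_RED_RE.match(path))


def summarize(lines):
    """Count Code Red probes by source address, day and HTTP status over an iterable of log lines."""
    stats = {
        "probes": 0,
        "unparsed": 0,
        "by_ip": Counter(),
        "by_day": Counter(),
        "by_status": Counter(),
    }
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        if not is_code_red_probe(rec["path"]):
            continue
        stats["probes"] += 1
        stats["by_ip"][rec["ip"]] += 1
        stats["by_day"][rec["day"]] += 1
        stats["by_status"][rec["status"]] += 1
    return stats


def top_sources(stats, n=5):
    """Most active probing addresses, e.g. for an abuse report to the upstream network."""
    return stats["by_ip"].most_common(n)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("probes:", s["probes"], "unparsed:", s["unparsed"])
    print("by day:", dict(s["by_day"]))
    print("by status:", dict(s["by_status"]))
    print("top sources:", top_sources(s))
```

To run it against a real server, feed `summarize()` the lines of the access_log instead of `SAMPLE_LOG`. The 404-to-200 shift is what the default.ida trick produces; in practice the log saving comes from Apache no longer writing a "File does not exist" entry to the error_log for every probe, while each access_log entry, long query string included, is still written. Padding lengths shorter than the 20-character threshold are deliberately not matched, which is why the bare `/default.ida` hit in the sample is not counted.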