Slashdot Mirror


Happy Birthday Code Red

totallygeek writes: "One year ago today (July 19, 2001), more than 359,000 computers were infected with the Code Red worm in less than 14 hours. At the peak of infection, more than 2,000 new machines were infected each minute. Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since. For the first time, systems running the Apache web server were getting requests for a document called "default.ida". Here we are a year later, and my web log shows an average of forty-two requests per day for default.ida over the last five days. To really appreciate the spread of this program, look at this animated image."

5 of 364 comments

  1. Re:Logs Clogged by odaiwai · Score: 5, Informative

    That's the Nimda worm. Running Apache, you're immune to it, but it makes a mess in your logs.

    One thing to do is have a cron job to scan your logs and if it sees any of the above, add the IP to an iptables blocklist. At least that way, you only get hit once by it from each infected host.

    Or you could use Apache's rewrite rules to forward all attacks to www.micrsoft.com, but I wouldn't recommend that.

    dave
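
The log-scanning cron job suggested in the comment above, sketched as an added example that is not part of the original thread. It assumes Apache common/combined log format and uses the `/default.ida` request from the story as the signature; the function names and the `INPUT`/`DROP` rule are illustrative choices, and the log lines are constructed.

```python
import ipaddress
import re

# Apache common/combined prefix: host ident user [time] "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+)')
# Signature from the story: worm probes ask for /default.ida (assumed anchor).
SIGNATURE = re.compile(r'^/default\.ida(?:\?|$)', re.IGNORECASE)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2002:04:12:01 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [19/Jul/2002:04:12:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [19/Jul/2002:04:15:44 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [19/Jul/2002:05:01:30 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 276 "-" "-"
host.example.net - - [19/Jul/2002:05:02:00 +0000] "GET /default.ida HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [19/Jul/2002:05:03:00 +0000] "GET /docs/default.ida.html HTTP/1.1" 200 900 "-" "-"
"""

def infected_hosts(lines, already_blocked=()):
    """Return new IPv4 sources (first-seen order) that requested the signature."""
    seen = set(already_blocked)
    new = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not SIGNATURE.match(m.group(2)):
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            continue  # hostname or junk in the host field: never hand it to iptables
        if ip not in seen:  # one rule per infected host
            seen.add(ip)
            new.append(ip)
    return new

def block_commands(ips):
    """Build argv lists; a cron wrapper would run each one without a shell."""
    return [["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]

if __name__ == "__main__":
    for argv in block_commands(infected_hosts(SAMPLE_LOG.splitlines())):
        print(" ".join(argv))
```

Persisting the returned addresses between runs and passing them back as `already_blocked` keeps the rule list from growing with duplicates.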

  2. Re:Logs Clogged by timecop · Score: 5, Informative

    many months ago when default.ida was the rage around the www, I added these couple lines to my httpd.conf:

    SetEnvIf Request_URI "^/default.ida" dontlog
    ErrorLog logs/254-error_log
    CustomLog logs/254-access_log combined env=!dontlog

    check out SetEnvIf in Apache docs, you can do even better than this.

  3. My school district's by DMDx86 · Score: 5, Informative

    Server is still infected with an IIS virus (though not Code Red). Here it is

    I sent them an email - almost a year ago in fact. They just brushed me off and gave a rather pathetic excuse ("the box is too slow to run Norton").
    You can read the e-mail here.

    Of course, these are the same people who run a trouble ticket server on the district-wide WAN that any old joe at school can access and see where the security issues are.

  4. Re:Looking at my records by spongman · Score: 5, Informative
    no, he's right:

    6/18: MS sends MS01-33: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise - Run code of attacker's choice.

    7/18: CodeRed hits, those of us who installed the MS01-33 patch laugh.

    7/30: MS et al send out another alert urging people to read MS01-33 and install the patch.