Who was/is talking about a DOS??? I wasn’t. You're implying that my fix (which doesn’t work and I’ve gotten many responses about having “tried that”) causes a DOS. Um, please re-evaluate the data I have shared. There is NOTHING I have offered that is not already known. You come to my website, ask for a file (default.ida) and I send it to you. Where's the DOS in that?
Legal or not, Um, next case…
[.. fragment of private thread deleted ..]
The answers are in your inbox. I'm signing off from this thread now, it's
gotten just a little too surreal for me after we've been discussing this
for the past several hours in a private thread.
Joe, you win. I'm such an idiot for once again being trolled by a net.kook.
Please, somebody turn up the noise level (another spam flame war, yes? please?)
to drown out the pain before the rest of the NANOG flame horde chimes in. Is
there a cure for this or is it terminal? :^)
There is an Apache module for dealing with CodeRed in a civilised way:
Continuing requests for /default.ida
We continue to get a large number of messages from system
administrators who see requests for /default.ida in their Apache
access logs. The requests look similar to this:
192.168.2.12 - - [19/Jul/2001:16:55:47 +0100] "GET /default.ida?NNNNNNN HTTP/1.0" 400 252 -
If you are running Apache there is nothing to worry about, these
requests are part of the Code Red Worm designed to search out
vulnerable IIS servers running on Windows. You can quite happily
ignore these requests, or get them back
In this section we highlight some of the articles on the web that are of interest to Apache users.
Fancy a role in Episode 2, Attack of the Code Red 2 Worm? No, this is not a new B-grade movie but how you can be a good internet citizen and let people know that their server has been infected by the Worm. One way is by using Apache::CodeRed written by Reuven M. Lerner. In this article, he explains how the module intercepts requests for /default.ida, determines the host name of the HTTP client, sends only one warning e-mail message in a 24-hour period to SecurityFocus and the administrator of that client, and keeps a list of IP addresses to be ignored.
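The once-per-24-hours and ignore-list behaviour described above, worked through over access-log lines as an added example (not part of the original thread and not Apache::CodeRed's own code, which is a mod_perl handler). The function name, the ignore-list entry and every sample line after the first are constructed; the code only decides what would be reported and sends nothing.

```python
import re
from datetime import datetime, timedelta

# Common Log Format: client address, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+)')
WINDOW = timedelta(hours=24)  # one report per client per 24 hours


def classify_probes(lines, ignore=frozenset()):
    """Return (ip, timestamp, action) for every /default.ida request.

    action is "report" (first sighting, or 24 h since the last report),
    "suppressed" (already reported inside the window) or "ignored"
    (client is on the ignore list). Other requests are skipped.
    """
    last_report = {}
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, stamp, target = m.groups()
        # Compare the path only; the worm pads the query string.
        if target.split("?", 1)[0].lower() != "/default.ida":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if ip in ignore:
            action = "ignored"
        elif ip in last_report and when - last_report[ip] < WINDOW:
            action = "suppressed"
        else:
            last_report[ip] = when
            action = "report"
        decisions.append((ip, when, action))
    return decisions


# Constructed sample: the first line is the one quoted in the thread.
SAMPLE = [
    '192.168.2.12 - - [19/Jul/2001:16:55:47 +0100] "GET /default.ida?NNNNNNN HTTP/1.0" 400 252 -',
    '192.168.2.12 - - [19/Jul/2001:18:02:10 +0100] "GET /default.ida?NNNNNNN HTTP/1.0" 400 252 -',
    '192.168.2.40 - - [19/Jul/2001:18:05:00 +0100] "GET /index.html HTTP/1.0" 200 1043 -',
    '192.168.2.77 - - [19/Jul/2001:19:00:00 +0100] "GET /default.ida?NNNNNNN HTTP/1.0" 400 252 -',
    '192.168.2.12 - - [20/Jul/2001:17:00:00 +0100] "GET /default.ida?NNNNNNN HTTP/1.0" 400 252 -',
]

if __name__ == "__main__":
    for ip, when, action in classify_probes(SAMPLE, ignore={"192.168.2.77"}):
        print(when.isoformat(), ip, action)
```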
[ On Sunday, August 19, 2001 at 11:56:57 (+0100), Fearghas McKay wrote: ]
Subject: RE: Code Red 2 Erratication
Fancy a role in Episode 2, Attack of the Code Red 2 Worm? No, this is
not a new B-grade movie but how you can be a good internet citizen
and let people know that their server has been infected by the Worm.
It is very impolite to send automated notifications, even one per day,
especially if dozens, or hundreds, or millions of Apache users all start
doing this. Indeed the result could be worse for the net in general
than CR itself. At least CR only affects the lame software that can be
Haven't we learned anything yet from the days when people wrote scripts
to try and report DNS errors by parsing their named logs and e-mailing
back to the zones that appear to have the problems?