O'Reilly Network: Apache::CodeRed

"Like many programmers and system administrators, I like to know when something goes wrong with my web site, no matter how trivial the problem is. So when I moved my company's web server to mod_perl and HTML::Mason last year, one of the first things I did was write an automatic warning system to send me an e-mail message whenever a visitor encounters a broken link.

I usually expect to receive two or three such e-mail messages on any given day, with the majority coming from people who enter wrong URLs. But on the night of Saturday, August 4, I had hundreds of automatically generated "broken link" reports in my in-box, all of which came from requests for /default.ida. It didn't take long to figure out that my server was under attack by the Code Red 2 worm.

Code Red 2, in case you haven't heard, attacks Windows 2000 systems running Microsoft's IIS Web server. The worm enters via a very long HTTP request beginning with /default.ida. Once it has infected a system, the worm opens some security holes, and then begins trying to spread to other servers. The worm mostly attacks computers whose IP addresses are similar to that of its current host, but sometimes it chooses a new IP address at random."

Complete Story

Related Stories:

• NewsAlert: Code Red: A Witch Hunt Provocateur?(Aug 11, 2001)
• ZDNET: Blame it on Buffer Overflows(Aug 09, 2001)
• LinuxPlanet: .comment: The Great, the Pretty Bad, and the Breathtakingly Stupid(Aug 08, 2001)
• Red Rock Eater: "Code Red" Roundup(Aug 01, 2001)
• SANS Security Alert: Code Red Is Set to Come Storming Back!(Jul 30, 2001)
• LinuxPlanet: .comment: The Weakest Link(Jul 25, 2001)
• Red Rock Eater: "Code Red" Worm(Jul 21, 2001)