O'Reilly Network: Apache::CodeRed
Aug 19, 2001, 19:30 (6 Talkback[s])
"Like many programmers and system administrators, I
like to know when something goes wrong with my web site, no matter
how trivial the problem is. So when I moved my company's web server
to mod_perl and HTML::Mason last year, one of the first things I
did was write an automatic warning system to send me an e-mail
message whenever a visitor encounters a broken link.
I usually expect to receive two or three such e-mail messages on
any given day, with the majority coming from people who enter wrong
URLs. But on the night of Saturday, August 4, I had hundreds of
automatically generated "broken link" reports in my in-box, all of
which came from requests for /default.ida. It didn't take long to
figure out that my server was under attack by the Code Red 2
worm.
Code Red 2, in case you haven't heard, attacks Windows 2000
systems running Microsoft's IIS Web server. The worm enters via a
very long HTTP request beginning with /default.ida. Once it has
infected a system, the worm opens some security holes, and then
begins trying to spread to other servers. The worm mostly attacks
computers whose IP addresses are similar to that of its current
host, but sometimes it chooses a new IP address at random."
Complete
Story
Related Stories:
