Gossamer Forum

Is this Code Red virus?

I was looking through the access logs on my site and it is littered with the following access:

64-123-21-162.auseea.com - - [04/Aug/2001:13:53:45 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 - "-" "-"

The accesses have been made by a variety of other sites. Some look familiar and some I doubt have ever been to my site before.

I checked and I don't have a /default directory or default.ida file.

So my question, is this the code red virus or is it something else?
--
Rob Van Deren
BeaverheadRiver.com

Re: Is this Code Red virus?
Hi there,

All hits for default.ida should correspond to a hit with the domain worm.com

That is evidence of continued Code Red attacks. If you are running Windows NT, Windows 2000 or IIS then you will need to go to Microsoft.com and download the patch to fix this ASAP. If you aren't running those OS's, then you can simply ignore the problem.

Michael Bray
Re: Is this Code Red virus?
Our sites are hosted at CI Host (very bad) and the sites have been down since the 2nd. They are all hosted on Linux but they claim that all of their servers are affected by code red. Do you think what they are saying is true?

thanks

Re: Is this Code Red virus?
I too have this in my log.
httpd: [Sat Aug 4 21:49:30 2001] [error] [client 64.229.105.15] Invalid URI in request XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
and these requests have been made on an average of 3/hr for the last few days,
httpd: [Sun Aug 5 00:54:53 2001] [error] [client 64.174.208.52] File does not exist: /default.ida

Bob
http://totallyfreeads.com


Re: Is this Code Red virus?
Sounds like they are lying/mistaken as the code red worm only infects WinNT/2000/IIS

I had Apache running on Win98 and within a day of downloading Apache, the logs already showed the code red worm but it didn't infect me.

Mods:http://wiredon.net/gt/download.shtml
Installs:http://wiredon.net/gt/


Re: Is this Code Red virus?
I went back through my site logs which I hadn't checked for a while because I've been working on something else (no excuse really).
Anyway for the past 3 weeks this has tried to gain access 105 times,
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

and this 31 times,
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Is this Code Red or something else?

Bob
http://totallyfreeads.com


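A small log-scanning script, added here as an illustration and not code from the thread or from any poster, that does what the posts above do by hand: it parses Apache combined-format access log lines, picks out the Code Red probes against /default.ida, separates the N-padded requests (the original Code Red) from the X-padded ones (the Code Red II variant), and tallies them per variant and per source host. The sample log lines are constructed, modelled on the entries quoted in the thread with the padding runs shortened. It also lists any probe the server answered with a status other than 404, which on an Apache host should never happen and which, on an IIS host, is the entry worth following up.

```python
"""Scan Apache combined-format access logs for Code Red probes and summarise them."""
import re
import sys
from collections import Counter

# Apache "combined" log format, the layout of the entries quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A Code Red probe asks for /default.ida? followed by a long run of one padding
# character and then a %uXXXX-encoded tail.  The original worm pads with N;
# the later Code Red II variant pads with X.
CODE_RED_RE = re.compile(r'^/default\.ida\?(N+|X+)%u')

# Constructed sample log, modelled on the lines posted in this thread.  The
# padding runs are shortened; real probes carry a much longer run of N or X.
# The last line is a constructed case of a server that answered the probe.
SAMPLE_LOG = """\
64-123-21-162.auseea.com - - [04/Aug/2001:13:53:45 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 - "-" "-"
211.51.205.13 - - [06/Aug/2001:04:34:23 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 205 "-" "-"
211.51.205.13 - - [06/Aug/2001:04:40:01 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 205 "-" "-"
192.0.2.10 - - [06/Aug/2001:05:00:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
192.0.2.77 - - [06/Aug/2001:05:12:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 200 0 "-" "-"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return 'N' or 'X' for a Code Red probe path, None for anything else."""
    m = CODE_RED_RE.match(path)
    return m.group(1)[0] if m else None


def summarize(log_text):
    """Count Code Red probes per variant and per source host.

    served_ok lists probes the server answered with something other than 404.
    An Apache host has no /default.ida, so that list should stay empty; on an
    IIS host a 200 here is the entry to follow up.
    """
    by_variant = Counter()
    by_source = Counter()
    served_ok = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        variant = classify(rec["path"])
        if variant is None:
            continue
        by_variant[variant] += 1
        by_source[rec["host"]] += 1
        if rec["status"] != "404":
            served_ok.append((rec["host"], rec["time"], rec["status"]))
    return {
        "total": sum(by_variant.values()),
        "by_variant": by_variant,
        "by_source": by_source,
        "served_ok": served_ok,
    }


def report(summary):
    """Format a summary as the kind of tally the posters above quoted by hand."""
    lines = [f"Code Red probes: {summary['total']}"]
    lines.append(f"  N-padded (Code Red I):  {summary['by_variant']['N']}")
    lines.append(f"  X-padded (Code Red II): {summary['by_variant']['X']}")
    for host, n in summary["by_source"].most_common():
        lines.append(f"  {host}: {n}")
    for host, when, status in summary["served_ok"]:
        lines.append(f"  CHECK: {host} got status {status} at {when}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass an access_log path to scan it; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarize(text)))
```

Run it as `python codered_scan.py /path/to/access_log` to get the per-variant and per-source counts; the regex keys only on the /default.ida?N...%u and /default.ida?X...%u shape, so it is unaffected by the length of the padding run or by the encoded tail.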
Re: Is this Code Red virus?
Yes it is, as long as you don't use one of the OS's mentioned above you should be at no risk. Otherwise download the patch from M$.

Mods:http://wiredon.net/gt/download.shtml
Installs:http://wiredon.net/gt/


Re: Is this Code Red virus?
There is a code red variant you may wish to read about:

http://www.symantec.com/...data/codered.v3.html

Mods:http://wiredon.net/gt/download.shtml
Installs:http://wiredon.net/gt/


Re: Is this Code Red virus?
Interesting... I decided to check my jagerman.com access logs - Over the past week I've had 118 of the one with the N's, and 425 of the one with the X's.

I'm so happy - no one has ever tried to send me a virus or worm before.

Jason Rhinelander
Gossamer Threads
jason@gossamer-threads.com
Re: Is this Code Red virus?
Why does there seem to be a wide variety of trouble like this with the M$ operating systems? Is it because of:

- sloppy (buggy) coding
- M$ more accessible to hackers because M$ runs on PC's
- scalability issue, M$ windows started life as a single user system vs. Unix was designed as a multi user system
- faulty logic
- M$ operating systems have gotten very large, giving more access points to hackers
- some other reason

It seems strange that as M$ operating systems are a single source paid for system, they would be more vulnerable than an open source system like linux/apache. I am not knocking linux/apache, it is just there are two completely different ways of bringing an operating system to market and M$ doesn't seem to have the better way.


--
Rob Van Deren
BeaverheadRiver.com
SW Montana's Premier Online Directory
Re: Is this Code Red virus?
Check this one out!

211.51.205.13 - - [06/Aug/2001:04:34:23 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205 "-" "-"

Try visiting the IP address it came from
http://211.51.205.13/

Re: Is this Code Red virus?
Lol....you think this guy is a psycho on a mission to deface USA Government websites???

Andy

webmaster@ace-installer.com
http://www.ace-installer.com
Re: Is this Code Red virus?
Eeek, it also gives you a virus when you visit it. Something like Backdoor.Sadmind.Dr

Andy

webmaster@ace-installer.com
http://www.ace-installer.com
Re: Is this Code Red virus?
You probably already had that on your pc


Mods:http://wiredon.net/gt/download.shtml
Installs:http://wiredon.net/gt/


Re: Is this Code Red virus?
Well, my virus software picked it up! look at http://www.symantec.com/...door.sadmind.dr.html Bit of a coincidence if it just happened to be there and activate at that site!

Andy

webmaster@ace-installer.com
http://www.ace-installer.com
Re: Is this Code Red virus?
Yes but you aren't _infected_ with the virus...read the details:

In Reply To:
If files on a desktop computer are detected as Backdoor.Sadmind.Dr, that does not mean that there is an infection. It means that you have visited a Website whose server has been compromised by Backdoor.Sadmind, which replicates only on Solaris systems. You should delete any files detected as Backdoor.Sadmind.Dr.
Mods:http://wiredon.net/gt/download.shtml
Installs:http://wiredon.net/gt/