DM wrote:
> 
> could this be really CODE RED in action? the worm
> scans the range of ips of an infected machine and
> verifies if there are MIIS lying around to conquer. i
> got a lot of those funny default.idaXXXXXXX something
> on my apache logs and they are coming from a variety
> of ip addresses ... of which when i try to check are
> either saying "hacked by chinese" or "page under
> construction".
> 
> well, just a thought
> 
> --- Pierre Fortin <[EMAIL PROTECTED]> wrote:

I've noticed those too and with everything else going on in my life right now,
had not associated them with CODE RED...  Since the addresses are obviously bogus,
and no dups, there is not much chance of finding the perp yet...  but I did add:

  default.ida:
  You're starting to irritate me...!
  Go away!!!!

in all my virtual hosts...  no need to add html codes...  I know it probably
doesn't help anything; but I'm hoping the perp gets an unexpected response and
stops probing...  I thought about returning a HUGE file of ASCII chars; but that
would just hose my uplink sending to innocent or non-existent hosts since the
return IPs are bogus...

Not sure what these packets are really trying to do (haven't read the CODE RED
bio); but all the packets are different in the area that could be code.  

Pierre
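
One way to check the observations in this thread against an access log (how many default.ida requests arrived, from how many distinct sources, and whether any source repeats), as an added example that is not part of the original messages. The log lines are constructed, use documentation-range addresses, and assume Apache common log format; `summarize_probes` is a hypothetical helper name.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation-range addresses, padding shortened).
SAMPLE_LOG = """\
192.0.2.17 - - [01/Aug/2001:10:02:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.23 - - [01/Aug/2001:10:05:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
203.0.113.5 - - [01/Aug/2001:10:07:02 -0400] "GET /index.html HTTP/1.0" 200 1043
203.0.113.88 - - [01/Aug/2001:10:09:13 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 200 58
198.51.100.23 - - [01/Aug/2001:10:31:57 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
truncated line with no request field
"""


def summarize_probes(lines):
    """Count default.ida requests per source and per response status."""
    per_host, per_status, unparsed = Counter(), Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1  # keep a count so malformed lines are not silently lost
            continue
        # Match the resource name only, whatever padding follows it.
        if "/default.ida" in m.group("path").lower():
            per_host[m.group("host")] += 1
            per_status[m.group("status")] += 1
    return {
        "hits": sum(per_host.values()),
        "distinct_sources": len(per_host),
        "repeat_sources": {h: n for h, n in per_host.items() if n > 1},
        "by_status": dict(per_status),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

A 200 status in `by_status` shows which probes were answered by a page served at that path, such as the custom default.ida text above, rather than by a 404.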
