Website Technology Issues Forum

default .ida logs - be gone with you
idiotgirl




msg:669686
 8:12 pm on Aug 9, 2001 (gmt 0)

So, like everyone else I see my access logs show every IP address from Peking to Port Townsend has initiated the GET request for the infamous 'default.ida' file (sorry - my flavor is Unix, Apache) resulting in thousands of bogus hits to my server logs. (Yeah- *I* can't wait to see the added costs for my web transfer, either.)

Am I being overly dim, or unrealistic to think that we (the barraged) could respond to these GET requests by modifying our .htaccess files or error-responders to serve a bum default.ida (configure a mime-type) for each request that efficiently redirects and reverse-tracks these people? Is it worth the effort?

(Did some twelve year old already try this and figure out it wasn't workable?)

Thoughts, anyone?

Idiotgirl

 

mivox




msg:669687
 9:32 pm on Aug 9, 2001 (gmt 0)

If we fed a fake file to the worm, I'd think it would actually eat more bandwidth than the 404 not found request it currently gets.

idiotgirl




msg:669688
 9:38 pm on Aug 9, 2001 (gmt 0)

Right now every not found request is something like 946 kb (who knows!), compared to much fewer kb for any other 'not found' files in my log.

I don't see any slow-down in the requests for this file - so I figured I might as well return a response, as long as it's my money paying the bandwidth costs. ugh.

Any hacks for this?

Idiotgirl

mivox




msg:669689
 9:46 pm on Aug 9, 2001 (gmt 0)

I think the increased size could just be partially due to the length of the request itself... but I can't think of any way around that offhand. :( Anyone else got an idea?

idiotgirl




msg:669690
 9:52 pm on Aug 9, 2001 (gmt 0)

Okay, so I'm thinking that I config my htaccess to read a plain htm file (harmless?) as default.ida - and deliver a response through that file. This might have an embedded parser to reverse IP lookup, and automatically email a response OR... simply redirect to the last abuser's IP address from my logs, or another www addy.

Could the GET request from the abusive intruder to a valid found ida file (albeit not a real ida file, but an htm file) offer any security risks you can think of?

I guess I'm caught up in the spirit of return fire <G>

Idiotgirl

Bolotomus




msg:669691
 12:57 am on Aug 10, 2001 (gmt 0)

Since every host that sends us a request for default.ida is presumably a compromised machine, I think we should write a program that automatically hacks into them, installs the patch, and reboots the server.

Macguru




msg:669692
 1:24 am on Aug 10, 2001 (gmt 0)

Nah! We need something that would reformat those hard drives and install a real web server OS on it. ;)

idiotgirl




msg:669693
 1:48 am on Aug 10, 2001 (gmt 0)

Well... since I'm on a Unix box, all I can say is I'm sick and tired of these stupid requests for a file I don't have that each equal about 950 kb in my log (hundreds!).

I'd like to return the favor somehow. Even if I returned a one-pixel gif, I'd be out less bandwidth and have no error log, right?

Further, I'd like to boot them out the door with a token of my appreciation.

Is it hot in here, or is it just me?

Macguru




msg:669694
 2:00 pm on Aug 10, 2001 (gmt 0)

Hello! Just to say that on one of my "test" sites I put a simple ASCII text file a couple of days ago. Of course I saved it as this stupid "default.ida" file. Not much is written in it, only 2 words + !, 9 bytes total. It frees my error logs and uses less bandwidth.

In a couple of weeks, I will start tracking those still scanning. Maybe we could share e-mail address lists?

Or better, include them in our "SugarPlum" lists?

idiotgirl




msg:669695
 5:09 pm on Aug 10, 2001 (gmt 0)

Great idea - that's along the lines I was thinking. Rather than get all the bounced requests in my error logs at 950kb - why not give these little pukes what they wanted?

I just uploaded an ASCII text file named default.ida that says:

**** THE CHINESE

Simple, yet elegant.

I wish *I* had nothing better to do than hack into other people's sites all day long. Instead, I'm responsible for keeping dozens of domains online and functioning. (Don't these kids have mothers?!)

I'll save my error logs for ya!

Idiotgirl

mivox




msg:669696
 5:35 pm on Aug 10, 2001 (gmt 0)

(Don't these kids have mothers?!)

It's an automated worm. If one person releases it, it automatically replicates and spreads on its own. The machines making the file requests aren't the hackers, they're 'victim' machines that have been infected by the worm.

<added>And I doubt the worm routine is set up to 'read' the content of your dummy .ida file... I seriously doubt any live humans are going to see it. ;) </added>

Macguru




msg:669697
 5:51 pm on Aug 10, 2001 (gmt 0)

>>**** THE CHINESE

Hey! Hey! Slack those testosterone pills, idiot"girl"! Whatever you write in this TXT file won't affect the behavior of infected windblows servers. It will just free your error logs and relieve your bandwidth a bit. Better, if anything, to keep it short.

Let's give those guys owning infected servers time to come back from vacation before saving anything.

If I was one of those virus authors, I could launch it from anywhere.

Have one of those icy code red drinks to turn down the heat.

Someday people will realise that the enemy is in Redmond, not in China.

idiotgirl




msg:669698
 6:39 pm on Aug 10, 2001 (gmt 0)

Macguru & mivox-

My point is that the people who spread the virus, infecting - was it - winBlows?? - machines, have nothing better to do.

While my message won't be read by a human, most likely, I s'pose it's my response to "Hacked by the Chinese" and, therefore, posted in the same 'spirit' in which it was written, as such - I'm not going to worry about apologies. BTW, I see since posting an hour or so ago my error logs are... blank :)

Now, tell me again, dear vendor, why I should dump my prehistoric Unix box for a Windows server ??? (Wasn't Cleopatra bitten by an asp?)

Idiotgirl

Key_Master




msg:669699
 9:28 pm on Aug 10, 2001 (gmt 0)

Instead of feeding the worm a blank .htm file why not redirect it to Microsoft.com instead?

evinrude




msg:669700
 10:09 pm on Aug 10, 2001 (gmt 0)

> I'd like to return the favor somehow.

Perhaps something like this [securityfocus.com] would be more appropriate.

tamarian




msg:669701
 6:02 am on Aug 17, 2001 (gmt 0)

There have been some great scripts posted on slashdot to handle those requests. Some nice, and some not so nice.

Webmasters who still haven't cleaned up their servers yet will not understand what you're talking about when you email them about the worm. If they don't know what virus scan software is, and haven't heard of code red, why email them? I gave up notifying them after receiving some clueless replies!

idiotgirl




msg:669702
 6:32 am on Aug 17, 2001 (gmt 0)

The faux default.ida text file helped slim down my error logs tremendously. For bare-bones default.ida requests I set up a redirect to Microsoft's tech pages with .htaccess. I'm not sure about matching the entire string length I'm seeing for the default.ida GET requests for a .htaccess redirect, but it seemed simple enough, so I added it in.

I was getting hundreds and hundreds of requests. Now I'm getting about 30-40 per day.

I'm tired of the whole mess, frankly. Who do I send the bill to?

TallTroll




msg:669703
 10:44 am on Aug 17, 2001 (gmt 0)

If you want to do something about reducing the number of CodeRed infected servers out there, chewing through your bandwidth, and filling your logs with rubbish, you could do worse than setting up a CodeRed Vigilante server [dynwebdev.com]

I found out about this when one of my clients called in asking why he had had a weird message on his machine. He is indeed using Win2k Pro, with IIS installed to run a local host version of his site.

There are also some good links to other related resources (news feeds, Apache/perl implementation etc.)

I think it's quite neat, using the exploit in CodeRed to notify the infected party of their problem, and direct them to a solution.

evinrude




msg:669704
 4:54 pm on Aug 17, 2001 (gmt 0)

The problem with an application such as CR Vigilante is that, like the Code Red Worm itself, it is exploiting a vulnerability within IIS to gain illegal access to a machine you don't own.

While the goal may be noble, you may take note of CR Vigilante's disclaimer:
I take no responsibility whatsoever for the use of this software or said software's effectiveness or lack thereof.
Smart move, and typical of information on hacker/cracker web sites as a method to try and get out of legal responsibility. :)

guardian




msg:669705
 5:33 pm on Aug 22, 2001 (gmt 0)

I would like to add this fake "default.ida" file also, but I'm not sure where it should live. I am using IIS 4.0.

Thanks in advance

DaveAtIFG




msg:669706
 12:36 am on Aug 23, 2001 (gmt 0)

Welcome to WmW Guardian!

From my logs:
"GET /default.ida?XXXX...etc...u0000%u00=a HTTP/1.0" 200 9 "-" "-"
The virus is requesting the file from the root directory of a web site, put your file there.
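An added example, not from the thread or any poster: it picks Code Red default.ida probes out of Apache access-log lines in the format DaveAtIFG quotes, counts them per source IP and totals the bytes served to them, which is the tally you would want before deciding whether notifying the owners of infected hosts (as tamarian and TallTroll discuss) is worth it. The sample log lines, documentation-range IP addresses and shortened %u payload are constructed.

```python
import re
from collections import Counter

# Apache common/combined log: client IP, identd, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# A Code Red probe is a GET for /default.ida whose query string is a long run
# of X (or N in the later variant) followed by %u-encoded data, like the
# "GET /default.ida?XXXX...u0000%u00=a" line quoted in the post above.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?[XN]{8,}.*%u', re.IGNORECASE)

# Constructed sample lines (documentation-range IPs, shortened payload).
SAMPLE_LINES = [
    '192.0.2.10 - - [10/Aug/2001:12:36:00 +0000] '
    '"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u0000%u00=a HTTP/1.0" 200 9 "-" "-"',
    '203.0.113.5 - - [10/Aug/2001:12:36:02 +0000] '
    '"GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Aug/2001:12:37:15 +0000] '
    '"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u0000%u00=a HTTP/1.0" 404 - "-" "-"',
    '192.0.2.10 - - [10/Aug/2001:12:40:41 +0000] '
    '"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u0000%u00=a HTTP/1.0" 200 9 "-" "-"',
]

def is_code_red(request):
    """True if the quoted request field looks like a Code Red probe."""
    return bool(CODE_RED_RE.match(request))

def summarize(lines):
    """Return (probes per source IP, total probes, bytes served to them)."""
    per_ip = Counter()
    total = 0
    bytes_served = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_code_red(m.group('req')):
            continue  # malformed line or ordinary traffic
        per_ip[m.group('ip')] += 1
        total += 1
        if m.group('bytes') != '-':  # '-' means nothing was sent (e.g. a 404)
            bytes_served += int(m.group('bytes'))
    return per_ip, total, bytes_served

if __name__ == '__main__':
    per_ip, total, nbytes = summarize(SAMPLE_LINES)
    print(f'{total} Code Red probes, {nbytes} bytes served')
    for ip, n in per_ip.most_common():
        print(f'  {ip}: {n} probe(s), candidate for an abuse notice')
```

Point the script at a real access_log by reading the file into `summarize` instead of `SAMPLE_LINES`; a host that keeps probing for days after its listed abuse contact was mailed is the kind of clueless case tamarian describes.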

© Webmaster World 1996-2014 all rights reserved