
Code Red Worm exploits Windows IIS; Widespread servers hit

probes for default.ida files to set up attack on White House



6:59 pm on Jul 19, 2001 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Anyone know what kind of request this is? I'm getting a bunch of them across multiple sites. The IP addresses are different and they come from all over the globe at different times throughout the day. No UA is attached.

u53ff%u0078%u0000%u00=a HTTP/1.0"

edited to wrap the text

(edited by: msgraph at 7:14 pm (gmt) on July 19, 2001)


4:58 pm on Jul 20, 2001 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I agree with evinrude: There was a patch available for IIS for this bug since June 18. One estimate says that 200,000 machines have been affected. What does that tell you?


6:00 pm on Jul 20, 2001 (gmt 0)

5+ Year Member

Funny, my server logs do not show up exactly like posted above

Instead of this

"GET /default.ida?NNN....%u0000%u00=a HTTP/1.0"

I receive this

"GET / default.ida?NNN....%u0000%u00=a"

The "default.ida?NNNNN..." stuff is sent as the *protocol* not the page requested. Server logs report,

[Thu Jul 19 13:57:34 2001] [error] [client] Client sent malformed Host header
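The two log shapes quoted above (the payload in the path, or shifted into the protocol position of the request line) can both be caught by matching the default.ida/NNNN... signature against the whole request string rather than just the path. The following is an added detection example, not code from the thread; the log lines, hosts and timestamps are constructed, and only the %u fragments quoted on this page are reused.

```python
import re
from collections import Counter

# Constructed sample lines in Apache's Common Log Format, modelled on the
# Code Red probe quoted in this thread. Hosts (RFC 5737 ranges) and times
# are made up; the request strings reuse only fragments shown on the page.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:13:57:34 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 279
198.51.100.7 - - [19/Jul/2001:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.44 - - [19/Jul/2001:14:05:52 +0000] "GET / default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u0000%u00=a" 400 345
192.0.2.10 - - [19/Jul/2001:15:10:01 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u0000%u00=a HTTP/1.0" 404 279
"""

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Probe signature: a request for default.ida whose query string is a long
# run of "N" followed by %u-encoded characters. Searching the whole request
# string also catches the variant where the payload lands where the
# protocol token normally sits, as in the second log shape above.
PROBE_RE = re.compile(r'default\.ida\?N{10,}.*%u[0-9a-f]{2,4}', re.IGNORECASE)


def parse_line(line):
    """Return the CLF fields of one log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    host, when, request, status, size = m.groups()
    return {"host": host, "time": when, "request": request,
            "status": int(status), "size": size}


def is_code_red_probe(request):
    """True if the request string carries the default.ida/NNNN... signature."""
    return PROBE_RE.search(request) is not None


def summarize(log_text):
    """Count probes and tally them per source host over a block of log text."""
    sources = Counter()
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_code_red_probe(rec["request"]):
            total += 1
            sources[rec["host"]] += 1
    return {"probes": total, "sources": dict(sources)}
```

`summarize(SAMPLE_LOG)` reports three probes from two hosts; feeding it a real access log gives the per-source tally a defender would want before deciding what to block or report.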



7:07 pm on Jul 20, 2001 (gmt 0)

10+ Year Member

> I say it'll take a week before CNN

:) Made CNN [cnn.com] this morning.


8:52 pm on Jul 20, 2001 (gmt 0)

pageoneresults (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month)

Hit us pretty bad. We had quite a few sites down for about six hours while we frantically transferred everything over to a new box running IIS5. Yes, I know, get away from MS! If it were that simple we probably would!


12:17 pm on Jul 21, 2001 (gmt 0)

10+ Year Member

Was affected in a way that caught me by surprise. We're running Apache but a significant affiliate was running MS. All the affiliate links were affected.


2:10 pm on Jul 21, 2001 (gmt 0)

10+ Year Member

We had two servers go down intermittently all day without getting infected. Interesting behavior.

On another note, I just received the Sircam virus in an email this morning, so be on the lookout. Sircam distributes personal files from your computer to infect others.

More about it at the CNN link mentioned in an earlier post on this thread.


7:16 pm on Jul 24, 2001 (gmt 0)

brett_tabke (WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month)

Moved the virus talk over to Foo [webmasterworld.com].

It seems the CodeRed worm is all done with.


10:39 pm on Jul 29, 2001 (gmt 0)

Received this today from my systems administrator.

For Immediate Release: 3:00 PM EDT July 29, 2001

A Very Real and Present Threat to the Internet: July 31 Deadline For Action

Summary: The Code Red Worm and mutations of the worm pose a continued
and serious threat to Internet users. Immediate action is required to
combat this threat. Users who have deployed software that is
vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must
install, if they have not done so already, a vital security patch.

How Big Is The Problem?

On July 19, the Code Red worm infected more than 250,000 systems in
just 9 hours. The worm scans the Internet, identifies vulnerable
systems, and infects these systems by installing itself. Each newly
installed worm joins all the others causing the rate of scanning to
grow rapidly. This uncontrolled growth in scanning directly decreases
the speed of the Internet and can cause sporadic but widespread
outages among all types of systems. Code Red is likely to start
spreading again on July 31st, 2001 8:00 PM EDT and has mutated so that
it may be even more dangerous. This spread has the potential to
disrupt business and personal use of the Internet for applications
such as electronic commerce, email and entertainment.

Who Must Act?

Every organization or person who has Windows NT or Windows 2000
systems AND the IIS web server software may be vulnerable. IIS is
installed automatically for many applications. If you are not certain,
follow the instructions attached to determine whether you are running
IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, or Windows
Me, there is no action that you need to take in response to this

What To Do If You Are Vulnerable?

a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection: Install Microsoft's patch for
the Code Red vulnerability problem:
* Windows NT version 4.0:
* Windows 2000 Professional, Server and Advanced Server:

Step-by-step instructions for these actions are posted at

Microsoft's description of the patch and its installation, and the
vulnerability it addresses is posted at:


Because of the importance of this threat, this alert is being made
jointly by:

The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
SANS Institute
Internet Security Systems
Internet Security Alliance


10:58 pm on Jul 29, 2001 (gmt 0)

10+ Year Member

They're a bit behind the times aren't they?

This discussion started over a week ago and they just sent you a warning email...

Sounds like Mickey$oft, billion dollars short and 10 days late :)


10:59 pm on Jul 29, 2001 (gmt 0)

Hi Slade and Welcome to WmW,

Read the part that says...

> ..spreading again on July 31st, 2001 8:00 PM EDT ....


2:52 pm on Jul 30, 2001 (gmt 0)

I checked my log files and all access didn't find anything that the worm was doing to you guys did to me.... guess saving me for next target well did they find out who he is?


3:58 pm on Jul 30, 2001 (gmt 0)

littleman (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member)

What an embarrassment this has been for ms. Apparently ms, the White House, and the FBI are holding a joint press conference today on the subject.


5:53 pm on Jul 30, 2001 (gmt 0)

10+ Year Member

> They're a bit behind the times aren't they?

I believe the advisory was re-released recently since the Code Red worm has the potential to restart itself tomorrow evening. Because it's obvious many admins are not updating their systems with the latest patches/security fixes, it's a good idea to get this sort of information out as far as possible.


2:18 am on Jul 31, 2001 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

The funny thing for me is that I have to resubscribe to MS's security bulletin every 3 months or so. For some reason after a few months I don't receive them any more.

I wonder if certain ISP's out there see these bulk security mailings from MS as spam attempts and therefore block them after a certain amount is sent. Like if they receive more than x amount of mailings at one time on their server then they block the rest until another time. Either that or MS's subscription list gets wiped clean from time to time.

I mean I'm sure only 10%, if that many, of those running MS software know about these bulletins but that is beside the point.

Another thing is MS's Windows update application. The one that sends info to MS to check for any updates related to your OS. They release a patch on their security site on one date, then three or more months down the road they post it on their Win update site.


9:12 am on Aug 1, 2001 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I heard that somebody is sending out a virus called Bliss2001 which will mess up Apache systems.


4:31 pm on Aug 1, 2001 (gmt 0)

10+ Year Member

> a virus called Bliss2001

Just so long as McAfee doesn't catch wind of it.... ;)

Somehow, I doubt the beast currently exists, as it hasn't hit the radars of...errr...well, any place I've searched, including BugTraq and McAfee (the guys who claim to have found the original "Bliss" first.)

I'd wonder where you heard it from. I'd chalk it up to hoax or wishful thinking. ;)


6:00 am on Oct 17, 2001 (gmt 0)

Yes, that would be amusing if it would open that site up on the infected server. Unfortunately, the worm does not access the internet through a browser and as far as I know doesn't even listen for a reply.

The message, if any, that this and other worms deliver is that there needs to be a standard way to contact system admins, and anybody who runs a web server and provides no way for you to contact them should be meted out some form of disciplinary action, like a $1 fine to get their attention.

Yes, my grammar is suffering. It's late and I've just finished digesting my webserver logs!
