default .ida logs - be gone with you

     
8:12 pm on Aug 9, 2001 (gmt 0)

Preferred Member

10+ Year Member

joined:July 6, 2001
posts:410
votes: 0


So, like everyone else I see my access logs show every IP address from Peking to Port Townsend has initiated the GET request for the infamous 'default.ida' file (sorry - my flavor is Unix, Apache) resulting in thousands of bogus hits to my server logs. (Yeah- *I* can't wait to see the added costs for my web transfer, either.)

Am I being overly dim, or unrealistic to think that we (the barraged) could respond to these GET requests by modifying our .htaccess files or error-responders to serve a bum default.ida (configure a mime-type) for each request that efficiently redirects and reverse-tracks these people? Is it worth the effort?

(Did some twelve year old already try this and figure out it wasn't workable?)

Thoughts, anyone?

Idiotgirl

9:32 pm on Aug 9, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member mivox is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 6, 2000
posts:3928
votes: 0


If we fed a fake file to the worm, I'd think it would actually eat more bandwidth than the 404 not found request it currently gets.

9:38 pm on Aug 9, 2001 (gmt 0)

Preferred Member

10+ Year Member

joined:July 6, 2001
posts:410
votes: 0


Right now every not found request is something like 946 kb (who knows!), compared to much fewer kb for any other 'not found' files in my log.

I don't see any slow-down in the requests for this file - so I figured I might as well return a response, as long as it's my money paying the bandwidth costs. ugh.

Any hacks for this?

Idiotgirl

9:46 pm on Aug 9, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member mivox is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 6, 2000
posts:3928
votes: 0


I think the increased size could just be partially due to the length of the request itself... but I can't think of any way around that offhand. :( Anyone else got an idea?

9:52 pm on Aug 9, 2001 (gmt 0)

Preferred Member

10+ Year Member

joined:July 6, 2001
posts:410
votes: 0


Okay, so I'm thinking that I config my htaccess to read a plain htm file (harmless?) as default.ida - and deliver a response through that file. This might have an embedded parser to reverse IP lookup, and automatically email a response OR... simply redirect to the last abuser's IP address from my logs, or another www addy.

Could the GET request from the abusive intruder to a valid found ida file (albeit not a real ida file, but an htm file) offer any security risks you can think of?

I guess I'm caught up in spirit of return fire <G>

Idiotgirl

12:57 am on Aug 10, 2001 (gmt 0)

New User

10+ Year Member

joined:May 14, 2007
posts:13
votes: 0


Since every host that sends us a request for default.ida is presumably a compromised machine, I think we should write a program that automatically hacks into them, installs the patch, and reboots the server.

1:24 am on Aug 10, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member macguru is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 30, 2000
posts:3300
votes: 0


Nah! We need something that would reformat those hard drives and install a real web server OS on it. ;)

1:48 am on Aug 10, 2001 (gmt 0)

Preferred Member

10+ Year Member

joined:July 6, 2001
posts:410
votes: 0


Well... since I'm on a Unix box, all I can say is I'm sick and tired of these stupid requests for a file I don't have that each equal about 950 kb in my log (hundreds!).

I'd like to return the favor somehow. If even I returned a one pixel gif- I'd be out less bandwidth and no error log, right?

Further, I'd like to boot them out the door with a token of my appreciation.

Is it hot in here, or is it just me?

2:00 pm on Aug 10, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member macguru is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 30, 2000
posts:3300
votes: 0


Hello! Just to say that on one of my "test" sites I put a simple ASCII text file a couple of days ago. Of course I saved it as this stupid "default.ida" file. Not much is written in it, only 2 words + !, 9 bytes total. It frees my error logs and uses less bandwidth.

In a couple of weeks, I will start tracking those still scanning. Maybe we could share e-mail address lists?

Or better, include them in our "SugarPlum" lists?

5:09 pm on Aug 10, 2001 (gmt 0)

Preferred Member

10+ Year Member

joined:July 6, 2001
posts:410
votes: 0


Great idea - that's along the lines I was thinking. Rather than get all the bounced requests in my error logs at 950kb - why not give these little pukes what they wanted?

I just uploaded an ASCII text file named default.ida that says:

**** THE CHINESE

Simple, yet elegant.

I wish *I* had nothing better to do than hack into other people's sites all day long. Instead, I'm responsible for keeping dozens of domains online and functioning. (Don't these kids have mothers?!)

I'll save my error logs for ya!

Idiotgirl

5:35 pm on Aug 10, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member mivox is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 6, 2000
posts:3928
votes: 0


(Don't these kids have mothers?!)

It's an automated worm. If one person releases it, it automatically replicates and spreads on its own. The machines making the file requests aren't the hackers, they're 'victim' machines that have been infected by the worm.

<added>And I doubt the worm routine is set up to 'read' the content of your dummy .ida file... I seriously doubt any live humans are going to see it. ;) </added>

5:51 pm on Aug 10, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member macguru is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 30, 2000
posts:3300
votes: 0


>>**** THE CHINESE

Hey! Hey! Slack off those testosterone pills, idiot"girl"! Whatever you write in this TXT file won't affect the behavior of infected windblows servers. It will just free your error logs and relieve your bandwidth a bit. Better, if anything, keep it short.

Let's give those guys owning infected servers time to come back from vacation before saving anything.

If I were one of those virus authors, I could launch it from anywhere.

Have one of those icy code red drinks to turn down the heat.

Someday people will realise that the enemy is in Redmond, not in China.

6:39 pm on Aug 10, 2001 (gmt 0)

Preferred Member

10+ Year Member

joined:July 6, 2001
posts:410
votes: 0


Macguru & mivox-

My point is - is that the people who spread the virus, infecting - was it - winBlows?? - machines - have nothing better to do.

While my message won't be read by a human, most likely, I s'pose it's my response to "Hacked by the Chinese" and, therefore, posted in the same 'spirit' in which it was written, as such - I'm not going to worry about apologies. BTW, I see since posting an hour or so ago my error logs are... blank :)

Now, tell me again, dear vendor, why I should dump my prehistoric Unix box for a Windows server ??? (Wasn't Cleopatra bitten by an asp?)

Idiotgirl

9:28 pm on Aug 10, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 27, 2001
posts:1472
votes: 0


Instead of feeding the worm a blank .htm file why not redirect it to Microsoft.com instead?

10:09 pm on Aug 10, 2001 (gmt 0)

Full Member

10+ Year Member

joined:Feb 28, 2001
posts:208
votes: 0


> I'd like to return the favor somehow.

Perhaps something like this [securityfocus.com] would be more appropriate.

tamarian

6:02 am on Aug 17, 2001 (gmt 0)

Inactive Member
Account Expired



There have been some great scripts posted on slashdot to handle those requests. Some nice, and some not so nice.

Webmasters who still haven't cleaned up their servers yet will not understand what you're talking about when you email them about the worm. If they don't know what virus scan software is, and haven't heard of Code Red, why email them? I gave up notifying them after receiving some clueless replies!

6:32 am on Aug 17, 2001 (gmt 0)

Preferred Member

10+ Year Member

joined:July 6, 2001
posts:410
votes: 0


The faux default.ida text file helped slim down my error logs tremendously. For bare-bones default.ida requests I set up a redirect to Microsoft's tech pages with .htaccess. I'm not sure about matching the entire string length I'm seeing for the default.ida GET requests for a .htaccess redirect, but it seemed simple enough so I added it in.

I was getting hundreds and hundreds of requests. Now I'm getting about 30-40 per day.

I'm tired of the whole mess, frankly. Who do I send the bill to?

10:44 am on Aug 17, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 6, 2001
posts:880
votes: 0


If you want to do something about reducing the number of CodeRed infected servers out there, chewing through your bandwidth, and filling your logs with rubbish, you could do worse than setting up a CodeRed Vigilante server [dynwebdev.com]

I found out about this when one of my clients called in asking why he had had a weird message on his machine. He is indeed using Win2k Pro, with IIS installed to run a local host version of his site.

There are also some good links to other related resources (news feeds, Apache/perl implementation etc.)

I think it's quite neat, using the exploit in CodeRed to notify the infected party of their problem, and direct them to a solution.

4:54 pm on Aug 17, 2001 (gmt 0)

Full Member

10+ Year Member

joined:Feb 28, 2001
posts:208
votes: 0


The problem with an application such as CR Vigilante is that, like the Code Red Worm itself, it is exploiting a vulnerability within IIS to gain illegal access to a machine you don't own.

While the goal may be noble, you may take note of CR Vigilante's disclaimer:

> I take no responsibility whatsoever for the use of this software or said software's effectiveness or lack thereof.

Smart move, and typical of information on hacker/cracker web sites as a method to try and get out of legal responsibility. :)

5:33 pm on Aug 22, 2001 (gmt 0)

New User

10+ Year Member

joined:Jan 14, 2004
posts:15
votes: 0


I would like to add this fake "default.ida" file also, but I'm not sure where it should live. I am using IIS 4.0.

Thanks in advance

12:36 am on Aug 23, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 21, 1999
posts:2141
votes: 0


Welcome to WmW Guardian!

From my logs:
"GET /default.ida?XXXX...etc...u0000%u00=a HTTP/1.0" 200 9 "-" "-"
The virus is requesting the file from the root directory of a web site, put your file there.
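The log line quoted above shows what a default.ida probe looks like in an Apache access log once a tiny dummy file is in place (status 200, 9 bytes instead of a 404). The following is an added example, not code from this thread: it parses combined-format log lines, picks out the default.ida probes, and tallies them per source host, per day and per status code, which is what you need to see whether the probe rate is dropping and which hosts are still infected. The sample log lines are constructed, and the probe query string is a stand-in shaped like the one quoted above, not the real worm payload.

```python
import re
from collections import Counter

# Apache combined/common log format:
#   host ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (not taken from the thread). The query string
# is a placeholder shaped like the quoted "GET /default.ida?XXXX...u0000%u00=a".
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2001:17:02:11 +0000] "GET /default.ida?XXXXXXXXXXXX%u0000%u00=a HTTP/1.0" 404 275 "-" "-"
192.0.2.10 - - [10/Aug/2001:17:40:03 +0000] "GET /default.ida?XXXXXXXXXXXX%u0000%u00=a HTTP/1.0" 200 9 "-" "-"
198.51.100.7 - - [10/Aug/2001:18:15:44 +0000] "GET /default.ida?XXXXXXXXXXXX%u0000%u00=a HTTP/1.0" 200 9 "-" "-"
203.0.113.5 - - [10/Aug/2001:18:16:01 +0000] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Aug/2001:02:09:27 +0000] "GET /default.ida?XXXXXXXXXXXX%u0000%u00=a HTTP/1.0" 200 9 "-" "-"
garbage line that does not parse
"""

def is_ida_probe(path):
    """A Code Red style probe requests /default.ida (normally with a long
    query string); compare the path part case-insensitively, as IIS would."""
    return path.split("?", 1)[0].lower() == "/default.ida"

def summarize_probes(log_text):
    """Return (per_host, per_day, status_counts) for default.ida probes only;
    unparseable lines and ordinary requests are skipped."""
    per_host, per_day, status_counts = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_ida_probe(m.group("path")):
            continue
        per_host[m.group("host")] += 1
        per_day[m.group("time").split(":", 1)[0]] += 1   # "10/Aug/2001"
        status_counts[m.group("status")] += 1
    return per_host, per_day, status_counts

def hosts_to_notify(per_host, min_hits=1):
    """Hosts that sent at least min_hits probes: each is most likely an
    infected IIS server whose owner could be contacted, as the thread discusses."""
    return sorted(h for h, n in per_host.items() if n >= min_hits)

if __name__ == "__main__":
    hosts, days, statuses = summarize_probes(SAMPLE_LOG)
    print("probes per host:", dict(hosts))
    print("probes per day:", dict(days))
    print("status codes:", dict(statuses))
    print("hosts to notify:", hosts_to_notify(hosts, min_hits=2))
```

Run it against your real access log by replacing SAMPLE_LOG with the file contents; a falling per-day count is the sign that the dummy file and redirect are doing their job.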
