If we fed a fake file to the worm, I'd think it would actually eat more bandwidth than the 404 not found request it currently gets.

Right now every not found request is something like 946 kb (who knows!), compared to much fewer kb for any other 'not found' files in my log.

I don't see any slow-down in the requests for this file - so I figured I might as well return a response, as long as it's my money paying the bandwidth costs. ugh.

Any hacks for this?

Idiotgirl

I think the increased size could just be partially due to the length of the request itself... but I can't think of any way around that offhand. :( Anyone else got an idea?

Okay, so I'm thinking that I config my htaccess to read a plain htm file (harmless?) as default.ida - and deliver a response through that file. This might have an embedded parser to reverse IP lookup, and automatically email a response OR... simply redirect to the last abuser's IP address from my logs, or another www addy.

Could the GET request from the abusive intruder to a valid found ida file (albeit not a real ida file, but an htm file)offer any security risks you can think of?

I guess I'm caught up in spirit of return fire <G>

Idiotgirl

Since every host that sends us a request for default.ida is presumably a compromised machine, I think we should write a program that automatically hacks into them, installs the patch, and reboots the server.

Nah! we need someting that would reformat those hard drives and install a real web server OS on it. ;)

Well... since I'm on a Unix box, all I can say is I'm sick and tired of these stupid requests for a file I don't have that each equal about 950 kb in my log (hundreds!).

I'd like to return the favor somehow. If even I returned a one pixel gif- I'd be out less bandwidth and no error log, right?

Further, I'd like to boot them out the door with a token of my appreciation.

Is it hot in here, or is it just me?

Hello! Just to say that on one of my "test" site I have put a simple ASCI text file a couple of days ago. Of course I saved it as this stupid "default.ida" file. Not much is written on it, only 2 words + !, 9 bites total. It frees my error logs and uses less bandwith.

In a couple of weeks, I will start tracking those still scanning. May be we could share e-mail adresses lists?

Or better, include them in our "SugarPlum" lists?

Great idea - that's along the lines I was thinking. Rather than get all the bounced requests in my error logs at 950kb - why not give these little pukes what they wanted?

I just uploaded an ASCII text file named default.ida that says:

**** THE CHINESE

Simple, yet elegant.

I wish *I* had nothing better to do than hack into other people's sites all day long. Instead, I'm responsible for keeping dozens of domains online and functioning. (Don't these kids have mothers?!)

I'll save my error logs for ya!

Idiotgirl

(Don't these kids have mothers?!)

It's an automated worm. If one person releases it, it automatically replicates and spreads on it's own. The machines making the file requests aren't the hackers, they're 'victim' machines that have been infected by the worm.

<added>And I doubt the worm routine is set up to 'read' the content of your dummy .ida file... I seriously doubt any live humans are going to see it. ;) </added>

>>**** THE CHINESE

Hey! Hey! slack thoses testosterone pils, idiot"girl"! Whathever you will write on this TXT file wont affect the behavior of infected windblows servers. It will just free you error logs and relieve you banwith a bit. Better if any keep it short.

Lets give those guys owning infected servers a time to come back from vacations before saving anything.

If I was one of those viri autors, I could launch it from anywhere.

Have one of those icy code red drinks to turn down the heat.

Someday people will realise that the ennemy is in Redmont not in China.

Macguru & mivox-

My point is - is that the people who spread the virus, infecting - was it - winBlows?? - machines - have nothing better to do.

While my message won't be read by a human, most likely, I s'pose it's my response to "Hacked by the Chinese" and, therefore, posted in the same 'spirit' in which it was written, as such - I'm not going to worry about apologies. BTW, I see since posting an hour or so ago my error logs are... blank :)

Now, tell me again, dear vendor, why I should dump my prehistoric Unix box for a Windows server ??? (Wasn't Cleopatra bitten by an asp?)

Idiotgirl

Instead of feeding the worm a blank .htm file why not redirect it to Microsoft.com instead?

> I'd like to return the favor somehow.

Perhaps something like this [securityfocus.com] would be more appropriate.

There have been some great scripts posted on slashdot to handle those requests. Some nice, and some not so nice.

Webmasters who still haven't cleaned up their servers yet, will not understand what you're talking about when you email them about the worm. If they don't know what a virus scan software is, and haven't heard of code red, why email them? I gave up notifying them after receiving some clueless replies!

The faux default.ida text file helped slim down my error logs tremendously. For bare-bones default.ida requests I set up a redirect to Microsoft's tech pages with .htaccess. I'm not sure about matching the entire string length I'm seeing for the default.ida GET requests for a .htaccess redirect, but it seemed a simple enough so I added it in.

I was getting hundreds and hundreds of requests. Now I'm getting about 30-40 per day.

I'm tired of the whole mess, frankly. Who do I send the bill to?

If you want to do something about reducing the number of CodeRed infected servers out there, chewing through your bandwidth, and filling your logs with rubbish, you could do worse than setting up a CodeRed Vigilante server [dynwebdev.com]

I found out about this when one of my clients called in asking why he had had a wierd message on his machine. He is indeed using Win2k Pro, with IIS installed to run a local host version of his site.

Theres also some good link to other related resources (news feeds, Apache/perl implementation etc.)

I think its quite neat, using the exploit in CodeRed to notify the infected party of their problem, and direct them to a solution

The problem with an application such as CR Vigilante is that, like the Code Red Worm itself, it is exploiting a vulnerability within IIS to gain illegal access to a machine you don't own.

While the goal may be noble, you may take note of CR Vigilante's disclaimer:

I take no responsibility whatsoever for the use of this software or said software's effectiveness or lack thereof.

Smart move, and typical of information on hacker/cracker web sites as a method to try and get out of legal responisiblity. :)

I would like to add this fake "default.ida"
file also, but I'm not sure where it should live. I am using IIS 4.0,

Thanks in advance

Welcome to WmW Guardian!

From my logs:
"GET /default.ida?XXXX...etc...u0000%u00=a HTTP/1.0" 200 9 "-" "-"
The virus is requesting the file from the root directory of a web site, put your file there.