Old 06-24-2003, 08:42 PM   #1
green_dragon37
Member
 
Registered: Oct 2002
Location: Lower Alabama
Distribution: Slackware, OpenBSD 3.9
Posts: 344

Rep: Reputation: 31
Code Red--Should I Even Bother?


Recently, I have been seeing tons of evidence pointing towards a Code Red-infected machine in my Apache logs, and the question I have to ask is:

Should I even bother trying to track down the admins of the server in question, so as to notify them of the infection? Or is it just a big waste of time? I have already tracked down the offending IP to the Speakeasy network. Should I just mail abuse@speakeasy.net, or should I try to take it further than that?

Any opinions will be appreciated.

Ian

Last edited by green_dragon37; 06-24-2003 at 10:08 PM.
 
Old 06-24-2003, 09:03 PM   #2
green_dragon37
Member
 
Registered: Oct 2002
Location: Lower Alabama
Distribution: Slackware, OpenBSD 3.9
Posts: 344

Original Poster
Rep: Reputation: 31
My correspondence - Part 1

So, I went ahead and fired off an email to Speakeasy, and I was surprised at the response. The correspondence follows:

Quote:
To: abuse@speakeasy.net
Subject: Possible Code Red Worm infected server

Greetings,

Lately I have been noticing symptoms of code red infected servers in my
logs, particularly, over 50 such requests from an IP in your
network(216.231.41.198). I just would like to bring this to your
attention, and request that you look into this. I have included one such
line from my logs. I am not worried about being infected, as I run Apache
on Linux, but I find it a nuisance to try to sift through my logs with
this garbage in my way.

If I can help you in any way, by providing more logs, etc., please
feel free to contact me.

Regards,

Clifton I Barr

---
216.231.41.198 - - [22/Jun/2003:04:44:34 -0400] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u68
58%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u5
3ff%u0078%u0000%u00=a HTTP/1.0" 404 362 "-" "-"
And the reply:

Quote:
From abuse@speakeasy.net Tue Jun 24 21:01:04 2003
Date: Tue, 24 Jun 2003 18:47:51 -0700 (PDT)
From: abuse@speakeasy.net
To: cibarr@centuroncomputers.staticcling.org
Subject: [Incident 030624-000273] Possible Code Red Worm infected server


Thank you for contacting Speakeasy Network!

Speakeasy Members: Please DO NOT reply to this email, as we will not be
able to respond to it or provide additional support.

We will update this with status or resolution via the Customer Support
tool in TAC. If you need to make updates or close your support request,
please go to MySpeakeasy (http://www.speakeasy.net/myspeak). Select
Customer Support from the navigation menu and go to the My Info tab to
view.

If your original request was made via email to any of the below addresses,
you can continue to correspond or add information to your inquiry by
sending a copy of this message to the email address originally contacted
with updated information:

abuse@speakeasy.net
dsl@speakeasy.net
ispswitch@speakeasy.net
collections@speakeasy.net

Please keep the Question Reference number in the subject line of that
email.


For your convenience, we have included a summary of the inquiry
details below.

Thanks!

The Speakeasy Crew



Subject
---------------------------------------------------------------
Possible Code Red Worm infected server

Suggested Answer
---------------------------------------------------------------
At 06/24/2003 06:47 PM we wrote -

Greetings,

According to the headers you sent us, this spam is not going through Speakeasy's mail servers. We therefore have no control over this spam. We suggest you contact the service provider that is indicated in the headers, as this spam is going through their mail server.

They should be able to help you resolve this problem of unsolicited email.

Network Security Department
Speakeasy, Inc.
206.728.9770
800.556.5829
abuse@speakeasy.net

Question
---------------------------------------------------------------
Greetings,

Lately I have been noticing symptoms of code red infected servers in my
logs, particularly, over 50 such requests from an IP in your
network(216.231.41.198). I just would like to bring this to your
attention, and request that you look into this. I have included one such
line from my logs. I am not worried about being infected, as I run Apache
on Linux, but I find it a nuisance to try to sift through my logs with
this garbage in my way.

If I can help you in any way, by providing more logs, etc., please
feel free to contact me.

Regards,

Clifton I Barr

---
216.231.41.198 - - [22/Jun/2003:04:44:34 -0400] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u68
58%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u5
3ff%u0078%u0000%u00=a HTTP/1.0" 404 362 "-" "-"




Question Reference #030624-000273
---------------------------------------------------------------
Product: Tech Support
Sub-Product: Security and Abuse
Contact: cibarr@centuroncomputers.staticcling.org
Date Created: 06/24/2003 06:30 PM
Last Updated: 06/24/2003 06:47 PM
Elapsed Time: 0 Minutes
Status: Closed
OS:




Tell me what you think.

Ian
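An added example, not from the thread or from Speakeasy: a small Python parser for Apache combined-format lines that flags the Code Red probe signature visible in Ian's log entry (a GET for /default.ida? followed by a long run of X padding and %u-encoded words), tallies hits per source IP, and produces the count and time window an abuse desk asks for. The sample lines are constructed with documentation-range IPs; the payload mirrors the one in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
# Code Red probes GET /default.ida with long X padding (N in the later variant) then %u-encoded words.
CODE_RED_RE = re.compile(r'^/default\.ida\?[XN]{20,}.*%u[0-9a-f]{4}', re.IGNORECASE)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def is_code_red_probe(entry):
    return entry["method"] == "GET" and CODE_RED_RE.match(entry["path"]) is not None

def summarize(lines):
    """Return {ip: {"count", "first", "last"}} for every source that sent a probe."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_code_red_probe(entry):
            continue  # malformed line or ordinary traffic, including a plain /default.ida 404
        h = hits[entry["ip"]]
        h["count"] += 1
        h["first"] = min(filter(None, (h["first"], entry["time"])))
        h["last"] = max(filter(None, (h["last"], entry["time"])))
    return dict(hits)

def abuse_report(lines, min_hits=1):
    """One line per source IP at or above min_hits, busiest first, ready for an abuse mail."""
    rows = sorted(summarize(lines).items(), key=lambda kv: -kv[1]["count"])
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    return [f"{ip}: {h['count']} Code Red probe(s) between {h['first']:{fmt}} and {h['last']:{fmt}}"
            for ip, h in rows if h["count"] >= min_hits]

# Constructed sample lines using documentation IPs; the payload mirrors the post's entry.
PAYLOAD = ("/default.ida?" + "X" * 224
           + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = [
    f'192.0.2.10 - - [22/Jun/2003:04:44:34 -0400] "GET {PAYLOAD} HTTP/1.0" 404 362 "-" "-"',
    f'192.0.2.10 - - [22/Jun/2003:05:12:01 -0400] "GET {PAYLOAD} HTTP/1.0" 404 362 "-" "-"',
    '198.51.100.7 - - [22/Jun/2003:05:13:40 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jun/2003:05:14:02 -0400] "GET /default.ida HTTP/1.1" 404 362 "-" "curl/7.10"',
]
```

Running `abuse_report(SAMPLE_LOG)` over these lines yields one row for 192.0.2.10 with two probes; the bare /default.ida request without the padding is not counted, which keeps a report to an ISP from resting on a single ambiguous 404.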
 
Old 06-24-2003, 09:57 PM   #3
green_dragon37
Member
 
Registered: Oct 2002
Location: Lower Alabama
Distribution: Slackware, OpenBSD 3.9
Posts: 344

Original Poster
Rep: Reputation: 31
Correspondence - Part 2

My reply follows:

Quote:
To: abuse@speakeasy.net
Subject: [Incident 030624-000273] Possible Code Red Worm infected server

To elaborate:

I am not, as your reply suggests, receiving any spam e-mail. In fact I am
merely notifying you of a server on your network that is infected with the
Code Red worm, which infects Microsoft IIS servers, which in turn attempt
to infect other servers. I am merely requesting that you contact the
owner of the IP address, or put me in contact with the owner.

Regards,

Clifton I Barr
I am waiting for a reply from speakeasy.

Ian

Last edited by green_dragon37; 06-24-2003 at 10:13 PM.
 
Old 06-24-2003, 10:38 PM   #4
mcleodnine
Senior Member
 
Registered: May 2001
Location: Left Coast - Canada
Distribution: s l a c k w a r e
Posts: 2,731

Rep: Reputation: 45
Before you go pounding on their door you would be wise to make sure all your ducks are in a row, i.e.: does your ISP allow you to run HTTP/mail servers on your network?

I am curious about how far they (Speakeasy) are willing to go to enforce their terms on their own customers.
 
Old 06-25-2003, 04:06 AM   #5
MasterC
LQ Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu ; CentOS ; Raspbian
Posts: 12,613

Rep: Reputation: 69
Let's hope not too far, for (I'm sure) some of our users probably run "httpd" servers from their lines "unofficially".

But I'm curious as well; please keep us posted.
 
Old 06-25-2003, 04:23 AM   #6
mcleodnine
Senior Member
 
Registered: May 2001
Location: Left Coast - Canada
Distribution: s l a c k w a r e
Posts: 2,731

Rep: Reputation: 45
Sorry MasterC - I should clarify. I'm really interested in how far this complaint gets on the other end (where the Nimda/Code Red boxes are). But yeah, I don't want to see an LQ member in hot water either.
 
Old 06-25-2003, 10:55 AM   #7
green_dragon37
Member
 
Registered: Oct 2002
Location: Lower Alabama
Distribution: Slackware, OpenBSD 3.9
Posts: 344

Original Poster
Rep: Reputation: 31
Well, my ISP is probably the best out there. Their TOS says that I can do whatever I like, just as long as it's not illegal. They even go as far as state on their site that the Static IP that I pay $10/month for can be used for "Online gaming, VPN, and running a server."

Ian
 
Old 06-25-2003, 11:01 AM   #8
emence
Member
 
Registered: Jun 2003
Location: Springfield, MO
Distribution: RedHat/Slackware
Posts: 81

Rep: Reputation: 15
You could try to DDOS the ip, I imagine that would wake the admins at Speakeasy up.
 
Old 06-25-2003, 07:52 PM   #9
green_dragon37
Member
 
Registered: Oct 2002
Location: Lower Alabama
Distribution: Slackware, OpenBSD 3.9
Posts: 344

Original Poster
Rep: Reputation: 31
Correspondence - Part 3

So I just got home and checked my email, and in it I found a response from Speakeasy, as follows:

Quote:
Greetings,

We have taken appropriate steps to ensure that no further activity of this nature will occur from this IP address. Please do not hesitate to inform us if you detect any undesirable activity from any host within Speakeasy.net's IP space. We do not tolerate abuse of any kind on our network and make every attempt to swiftly correct problems that arise.

Network Security Department
Speakeasy, Inc.
206.728.9770
800.556.5829
abuse@speakeasy.net
All that I have to say is, Thank you Speakeasy! In all actuality, though, I would have much rather contacted the admins of this computer directly, so that I could inform them of the problem myself, because of the actions this implies...


Ian
 
Old 06-26-2003, 04:22 AM   #10
MasterC
LQ Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu ; CentOS ; Raspbian
Posts: 12,613

Rep: Reputation: 69
Whoa! Try shooting off an email to:
admin@1.2.3.4
Or
webmaster@1.2.3.4
Or the failsafe:
root@1.2.3.4
Where 1.2.3.4 is the IP of the computer you were getting it from.
 
Old 06-26-2003, 11:01 AM   #11
green_dragon37
Member
 
Registered: Oct 2002
Location: Lower Alabama
Distribution: Slackware, OpenBSD 3.9
Posts: 344

Original Poster
Rep: Reputation: 31
Well, I tried that at first. I even tried to see if there was an HTTP server there, so that I might contact them directly, but there wasn't.

Ian
 
Old 06-29-2003, 11:27 AM   #12
Whitehat
Senior Member
 
Registered: Feb 2003
Location: The Cold North
Distribution: SuSE 9.1
Posts: 1,289

Rep: Reputation: 46
Code Red tastes great. I like regular Mountain Dew better however
 
Old 06-29-2003, 05:15 PM   #13
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
Quote:
Originally posted by Whitehat
Code Red tastes great. I like regular Mountain Dew better however

lol, that's funny. I think it was just a bunch of hype though. And you can tell the people at Mtn. Dew knew it wasn't that great... that's why they are having it out for "the summer only" to get the masses to buy it... that strategy worked on me, I must say. I had to know what all the hype was about. Maybe Mountain Dew Nimda or Mountain Dew Klez will be out next summer.

And just so this post is TOTALLY off topic... I have the same problem in my Apache logs. I wonder who I could contact.

Also, it's quite common to see the infection from a computer that isn't even really trying to run a web server. Windows 2000 comes with that IIS crap and people just have it there and never use it. It happened to a computer at my old job. It was on a college campus though and detected almost immediately and the port was locked... but there was no web server (or any kind of server for that matter) running on the machine.

Last edited by Robert0380; 06-29-2003 at 05:17 PM.
 