LinuxQuestions.org
Old 08-10-2001, 07:08 PM   #1
aimstr8
Member
 
Registered: Mar 2001
Posts: 40

Rep: Reputation: 15
weird mesg. in /var/log/httpd/access_log


Hi,

I've noticed that recently I am getting quite a few of these messages in
/var/log/httpd/access_log:

64-171-245-20.ded.pacbell.net - [10/Aug/2001:16:53:22 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 299

All from different IP addresses. Anyone know what this means? I know 404 is "The requested URL was not found on this server." I guess my question is what is /default.ida?XXX… Is this a bad page somewhere in my web dir?

TIA for any help
 
Old 08-10-2001, 07:29 PM   #2
mcleodnine
Senior Member
 
Registered: May 2001
Location: Left Coast - Canada
Distribution: s l a c k w a r e
Posts: 2,731

Rep: Reputation: 45
Your bandwidth is jammed
Your logs full of goo

That would be CodeRedII
 
Old 08-10-2001, 07:55 PM   #3
aimstr8
Member
 
Registered: Mar 2001
Posts: 40

Original Poster
Rep: Reputation: 15
Code Red II

Thx. any suggestions other than shutting down https?

thx
 
Old 08-10-2001, 10:15 PM   #4
BrianG
Member
 
Registered: Apr 2001
Location: Cape Cod, MA
Distribution: Redhat 6.2/7.2 & FreeBSD 4.4
Posts: 108

Rep: Reputation: 15
yep...welcome to the Code Red Club...there is nothing you can do...other than wait it out
 
Old 08-10-2001, 10:39 PM   #5
gcombe74
Member
 
Registered: Jul 2001
Location: Utah, Roy
Distribution: Gentoo
Posts: 72

Rep: Reputation: 15
I will be glad when that damn code red is contained, but of course, as always some brilliant soul will modify it and send it out again!!


 
Old 08-10-2001, 10:44 PM   #6
BrianG
Member
 
Registered: Apr 2001
Location: Cape Cod, MA
Distribution: Redhat 6.2/7.2 & FreeBSD 4.4
Posts: 108

Rep: Reputation: 15
well i think the only way it will EVER end is if someone modifies the code in it, or creates a new virus to destroy Code Red...there are 2 known versions of CR now, and a third is thought to have been created.
 
Old 08-14-2001, 05:42 AM   #7
gizmola
Member
 
Registered: Jun 2001
Location: Los Angeles, CA USA
Distribution: RedHat
Posts: 53

Rep: Reputation: 15
If you run php by chance, and want to have a little fun with codered, there's a script that will display the number of times you've been probed by it.

http://vsadesign.com/download.php
 
Old 08-16-2001, 01:01 PM   #8
aimstr8
Member
 
Registered: Mar 2001
Posts: 40

Original Poster
Rep: Reputation: 15
Code Red 2

I just threw a hack script together real quick to get an idea of who is jamming me via CD2. crude, but effective:

# Today's date as it appears in access_log (zero-padded day), e.g. 16/Aug
target=`date +%d/%b`
date=`date '+%b %d, %Y'`
time=`date +%T`
# Private temp file rather than a predictable name in /tmp
tmp=`mktemp /tmp/codered.XXXXXX` || exit 1

# Host and timestamp of every request for default.ida
grep 'default\.ida' /var/log/httpd/access_log|awk '{print $1,$4}' >"$tmp"
echo -n "Code Red II has hit your site on $date $time"|mail root
sort -u "$tmp"|grep "$target"|mail root
total=`sort -u "$tmp"|grep -c "$target"`

echo "There have been $total CODE RED 2 hits as of $time"|mail root
rm -f "$tmp"
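
An added example, not part of the thread: a stricter tally that matches the probe by its shape (a long filler run after `.ida?` followed by `%u` escapes) and reports hits per day, host and variant, telling the original Code Red (`N` filler) from Code Red II (`X` filler). The names `classify_ida`, `sample_log` and `MIN_FILL`, the threshold value and the sample log lines are assumptions constructed for this illustration.

```shell
#!/bin/sh
MIN_FILL=64   # assumed threshold: shortest filler run treated as a probe

classify_ida() {   # usage: classify_ida [ACCESS_LOG]  (reads stdin if omitted)
    awk -v min="$MIN_FILL" '
    {
        # Request line is the first double-quoted field, whatever precedes it
        if (split($0, q, "\"") < 3) next
        req = q[2]
        i = index(req, ".ida?")
        if (req !~ /^GET / || i == 0) next
        rest = substr(req, i + 5)
        fill = substr(rest, 1, 1)
        if (fill != "N" && fill != "X") next
        n = 0
        while (substr(rest, n + 1, 1) == fill) n++
        # A long filler run followed by %u escapes is the probe signature
        if (n < min || substr(rest, n + 1, 2) != "%u") next
        # Find [dd/Mon/yyyy by pattern, not field number: the count of
        # "-" placeholders before it depends on the LogFormat in use
        if (!match($0, /\[[0-9][0-9]\/[A-Za-z][A-Za-z][A-Za-z]\/[0-9][0-9][0-9][0-9]/)) next
        day = substr($0, RSTART + 1, 11)
        variant = (fill == "N") ? "CodeRed" : "CodeRedII"
        hits[day " " $1 " " variant]++
    }
    END { for (k in hits) print k, hits[k] }' "$@" | sort
}

# Constructed sample log (hosts use the reserved .example domain)
sample_log() {
    x=$(printf '%224s' '' | tr ' ' X)
    n=$(printf '%224s' '' | tr ' ' N)
    cat <<EOF
a.example - - [10/Aug/2001:16:53:22 -0700] "GET /default.ida?${x}%u9090%u6858=a HTTP/1.0" 404 299
a.example - - [10/Aug/2001:17:02:10 -0700] "GET /default.ida?${x}%u9090%u6858=a HTTP/1.0" 404 299
b.example - [19/Jul/2001:09:15:01 -0700] "GET /default.ida?${n}%u9090%u6858=a HTTP/1.0" 404 299
c.example - - [10/Aug/2001:18:00:00 -0700] "GET /docs/default.html HTTP/1.0" 200 512
c.example - - [10/Aug/2001:18:00:05 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 299
EOF
}

# Stand-alone run over the constructed sample
sample_log | classify_ida
```

Run it against a real log with `classify_ida /var/log/httpd/access_log`; the last two sample lines show that an ordinary page with "default" in its name and a short `.ida?XXXX` request are not counted.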
 
  


All times are GMT -5. The time now is 12:01 AM.