Hi all,

I run a couple of low-volume web servers on my ADSL line, both running Linux/Apache 2.0, which currently receive ~100 requests a day for the default.ida file, meaning a Code Red II "attack".

I've been pondering a way to notify these hosts that they are currently infected, which may actually be easier than it seems.

Due to the way that Code Red II was written, it attempts to infect a local subnet ( more frequently than it attempts to infect a wider subnet. This means that a large majority of these requests actually originate from within the PlusNet 212.159 ip block.

I was thinking of writing a program that greps my access files, and then attempts to resolve the IP address to a domain name. If this domain falls within the PlusNet block, and resolves to a '<username>' domain (presumably an ADSL customer, or a fixed-IP dialup?) then simply generate an automatic email to the PlusNet account.

My question is this:

Would this be better served by passing the information on to PlusNet themselves? I'm sure the last thing that PlusNet need is more work notifying these people (if it even falls within their remit to do so).

If not, is it socially acceptable for me to automate this? Would some users take offence at this suggestion of guilt?

Personally, I'm not bothered about the access attempts on my web servers. They run Linux, not some half-baked-graphical-mess-of-an-OS (evil grin), so they are much less susceptible to these types of attacks.

Your comments would be most appreciated, and if I do decide to go ahead with this, I'll drop the source somewhere so that any other interested parties can play as they wish.


It would be far better to notify

While it would involve far more load for the abuse team, in most cases, self-notification would fail.

Officially, Code Red II infection constitutes a violation of the AUP (if you want to get all technical), and the user can be forced to comply.

To be honest, I would rather see information from my ISP than the user that located the issue.

Make sure you also include the log lines in full

If not, is it socially acceptable for me to automate this? Would some users take offence at this suggestion of guilt?

I downloaded and installed Apache::CodeRed. This automates pretty much what you suggest. It needs a bit of tweaking to work with Apache 2.

I really don't think there's any point in involving when you can inform the offender yourself. I guess if they do nothing about it you might want to pass it on.

Finally, yes, some people do take offence but I keep notifying them anyway. People shouldn't be running Internet servers if they're not prepared to secure them.

--> Stephen