Re: Security Issues... Early Bird


Subject: Re: Security Issues... Early Bird
From: Keith Dawson (dawson@world.std.com)
Date: Tue Aug 14 2001 - 07:16:24 MDT


>>Brian Watson:
>> 4.21.22.189 - - [12/Aug/2001:04:11:52 -0400] "GET
>> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

>michael:
>That is the infamous Code Red Worm. Your YDL Apache install is not affected,
>except by loss of bandwidth.

The best remediation I've seen for the flood of Code Red visitors is
Early Bird:

  http://www.treachery.net/~jdyson/earlybird/

This CGI script returns a simple HTML page to the requestor (which is
a server infected with Code Red) and emails a notification to the
netblock owner with a timestamp and the IP address of the infected
machine. Since many of these machines are not commercial servers --
they are IIS servers running on the home machines of victims who may
not even know they are running IIS -- Early Bird's email notification
may be the best chance to get the infected machines cleaned up.
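
The log-side half of what the message describes (spotting Code Red requests in an access log and collecting the IP address and timestamps for a notice), as an added Python example; it is not Early Bird's code and not part of the original message. The log lines are constructed, the function names are hypothetical, and looking up the netblock owner and sending the mail are left out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache common log format; the addresses are from
# documentation ranges and the query strings are shortened.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2001:04:11:52 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
198.51.100.7 - - [12/Aug/2001:04:12:03 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [12/Aug/2001:05:40:19 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
203.0.113.5 - - [12/Aug/2001:06:02:44 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
malformed line without the expected fields
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def code_red_hits(log_text):
    """Return {ip: [datetime, ...]} for GET requests to /default.ida."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        if m["method"] == "GET" and m["path"].lower().startswith("/default.ida?"):
            hits[m["ip"]].append(datetime.strptime(m["ts"], TS_FORMAT))
    return dict(hits)


def notification(ip, times):
    """Build the text of a notice for the owner of the netblock containing ip."""
    first, last = min(times), max(times)
    return (
        f"Host {ip} sent {len(times)} Code Red style request(s) "
        f"(GET /default.ida?...) to our web server.\n"
        f"First seen: {first.isoformat()}\nLast seen:  {last.isoformat()}\n"
        "The host is probably an infected IIS server."
    )


if __name__ == "__main__":
    for ip, times in sorted(code_red_hits(SAMPLE_LOG).items()):
        print(notification(ip, times), end="\n\n")
```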



This archive was generated by hypermail 2a24 : Tue Aug 14 2001 - 06:25:03 MDT