Subject: Re: Security Issues... Early Bird
From: Keith Dawson (dawson@world.std.com)
Date: Tue Aug 14 2001 - 07:16:24 MDT
>>Brian Watson:
>> 4.21.22.189 - - [12/Aug/2001:04:11:52 -0400] "GET
>> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>michael:
>That is the infamous Code Red Worm. Your YDL Apache install is not affected,
>except by loss of bandwidth.
The best remediation I've seen for the flood of Code Red visitors is
Early Bird:
http://www.treachery.net/~jdyson/earlybird/
This CGI script returns a simple HTML page to the requestor (which is
a server infected with Code Red) and emails a notification to the
netblock owner with a timestamp and the IP address of the infected
machine. Since many of these machines are not commercial servers --
they are IIS servers running on the home machines of victims who may
not even know they are running IIS -- Early Bird's email notification
may be the best chance to get the infected machines cleaned up.
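
The notification described in the message above needs a timestamp and the IP address of each infected host. As an added example (not part of the original post and not Early Bird's own code), this sketch pulls both out of an Apache access log. The function names, the sample log and the acceptance of an N filler are assumptions; the netblock-owner lookup and the sending of mail are left out.

```python
import re
from datetime import datetime

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
# Probe shape from the quoted log line: GET /default.ida? plus a long run of one
# filler character. X is on the page; accepting N as well is an assumption.
PROBE_RE = re.compile(r'^GET /default\.ida\?([XN])\1{20,}', re.IGNORECASE)

FILL_X, FILL_N = "X" * 60, "N" * 60
# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = f"""\
192.0.2.10 - - [12/Aug/2001:04:11:52 -0400] "GET /default.ida?{FILL_X} HTTP/1.0" 404 276
198.51.100.7 - - [12/Aug/2001:04:12:30 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [12/Aug/2001:04:15:00 -0400] "GET /default.ida?{FILL_X} HTTP/1.0" 404 276
203.0.113.5 - - [12/Aug/2001:05:00:01 -0400] "GET /default.ida?{FILL_N} HTTP/1.0" 404 276
198.51.100.7 - - [12/Aug/2001:05:02:10 -0400] "GET /default.ida?id=1 HTTP/1.0" 404 276
"""

def find_probes(log_text):
    """Return {ip: {"first_seen": datetime, "hits": int}} for probe requests."""
    hosts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.match(m.group(3)):
            continue  # unparsable line, or an ordinary request
        ip = m.group(1)
        seen = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        entry = hosts.setdefault(ip, {"first_seen": seen, "hits": 0})
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["hits"] += 1
    return hosts

def draft_notice(ip, info):
    """Build the notification text: source IP, hit count, first timestamp."""
    return (f"Host {ip} sent {info['hits']} Code Red style request(s) for "
            f"/default.ida; first seen {info['first_seen'].isoformat()}.")

if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG).items():
        print(draft_notice(ip, info))
```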