Yep, that's the evil Code Red virus; you'll find variants of it as well. I believe it's Code Red that's requesting "default.ida" and Nimda that's looking for "root.exe". I wrote a cron perl script to toast it all:

#!/usr/bin/perl -w
use strict;

# Log files to scrub (edit the paths for your system).
my @coderedeffect = ("/path/to/log/file/access.log", "/path/to/error/log/error.log");

foreach my $logfile (@coderedeffect) {
    # Read the whole log into memory.
    open (CODERED, "<$logfile") or die "can't open $logfile - $!";
    my @coderedfile = <CODERED>;
    close (CODERED) or die "can't close $logfile - $!";

    # Blank out every line that looks like a Code Red (default.ida)
    # or Nimda (root.exe / cmd.exe) probe.
    foreach my $line (@coderedfile) {
        if ($line =~ m/default\.ida/ || $line =~ m/\.exe/) {
            $line = "";
        }
    }

    # Write the remaining lines back over the original file.
    open (CODERED, ">$logfile") or die "can't open for writing $logfile - $!";
    print CODERED @coderedfile;
    close (CODERED) or die "can't close $logfile - $!";
}
From: "Brandon Caudle"
Date: Tue, 25 Sep 2001 18:56:23 -0400
To:
Subject: [SLE] /var/log/httpd/access_log & error_log

64.226.247.96 - - [15/Sep/2001:09:19:49 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 389
What in the world is this?
This error appears every 30 minutes and most appear to come from 64.XXX
64.173.193.7 - - [18/Sep/2001:09:41:36 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325
64.243.113.2 - - [18/Sep/2001:09:54:26 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268
Is this some MS crap? The code red virus?
Thanks
Brandon Caudle
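As an added example that is neither poster's code, here is a small Python scanner for the Apache access_log entries quoted above. Instead of deleting the lines the way the perl script does, it parses each common-log-format record, labels it as a Code Red probe (the default.ida request) or a Nimda probe (root.exe / cmd.exe with /c+), counts probes per family and per source address, and flags any probe that got a status below 400, since a 404 just means Apache had nothing at that path. It also measures what the script's own ".exe" pattern would delete by mistake. The sample lines are constructed for the example: the three probe lines follow the ones in the thread (with the long X/%u payload shortened), and the two 10.0.0.x requests are made up benign traffic.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the entries quoted in the thread
# (the long X/%u payload of the Code Red request is shortened). Two benign
# requests are added so the filter comparison below has something to miss.
SAMPLE_LOG = """\
64.226.247.96 - - [15/Sep/2001:09:19:49 -0400] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u00=a HTTP/1.0" 404 389
64.173.193.7 - - [18/Sep/2001:09:41:36 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325
64.243.113.2 - - [18/Sep/2001:09:54:26 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268
10.0.0.5 - - [18/Sep/2001:10:02:11 -0400] "GET /downloads/setup.exe HTTP/1.0" 200 51200
10.0.0.9 - - [18/Sep/2001:10:05:40 -0400] "GET /index.html HTTP/1.0" 200 1043
"""

# Apache common log format: host ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures taken from the requests quoted in the thread.
CODE_RED_RE = re.compile(r"/default\.ida\?", re.I)        # IIS .ida probe
NIMDA_RE = re.compile(r"(?:root|cmd)\.exe\?/c\+", re.I)   # command shell via MSADC/traversal
# The pattern the posted perl script deletes on; kept here to measure its collateral.
SCRIPT_FILTER_RE = re.compile(r"default\.ida|\.exe")


def parse_line(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Label a request path as a CodeRed or Nimda probe, else None."""
    if CODE_RED_RE.search(path):
        return "CodeRed"
    if NIMDA_RE.search(path):
        return "Nimda"
    return None


def scan(log_text):
    """Count worm probes per family and per source, flagging any that were served."""
    summary = {"by_family": Counter(), "by_ip": Counter(), "served": 0, "records": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        family = classify(rec["path"])
        if family is None:
            continue
        summary["by_family"][family] += 1
        summary["by_ip"][rec["ip"]] += 1
        # A 404 means Apache simply had nothing at that path; a 2xx/3xx would
        # mean something actually answered the probe and deserves a closer look.
        if rec["status"] < 400:
            summary["served"] += 1
        summary["records"].append((rec["ip"], family, rec["status"]))
    return summary


def script_filter_collateral(log_text):
    """Lines the posted script's pattern would delete that are not worm probes."""
    collateral = []
    for raw in log_text.splitlines():
        if not SCRIPT_FILTER_RE.search(raw):
            continue
        rec = parse_line(raw)
        if rec is None or classify(rec["path"]) is None:
            collateral.append(raw)
    return collateral


if __name__ == "__main__":
    s = scan(SAMPLE_LOG)
    print("probes by family:", dict(s["by_family"]))
    print("probes by source:", dict(s["by_ip"]))
    print("probes that were served (status < 400):", s["served"])
    for line in script_filter_collateral(SAMPLE_LOG):
        print("script would also delete:", line)
```

Run it against a real access_log by reading the file into scan(). The collateral check is the point of keeping the lines rather than scrubbing them: a bare ".exe" match also removes the legitimate setup.exe download in the sample, and once the probe lines are gone you lose the per-source counts that show which hosts are still infected.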
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com