Curious HTTP GET commands ...
John Chambers
jc at trillian.mit.edu
Mon Aug 6 12:06:51 EDT 2001
--------
Drew Taylor writes:
| If you're running mod_perl on a server, someone put together an Apache
| handler to log these accesses and send email to the MX for the host. I had
| to play with the DNS lookups a little to get things to work properly, but
| it's working fine now. I modified the Code Red analysis script mentioned on
| ./ to show the infected hosts attacking me.
|
| All the above code is at http://home.drewtaylor.com/code_red/
Interesting. One problem is the need for mod_perl and a few modules.
Since I noticed these messages, I did write a small default.ida perl
script that does much of the job. But I'm also looking at the server
log on trillian.mit.edu, which has a lot of CodeRed attacks, and
where I don't really have permission (or inclination) to play with
mod_perl etc. So I'm probably better off rolling my own. But rest
assured I'll steal a few ideas from this code.
One minor problem is the "whois <addr>@whois.arin.netf" suggestion.
This works fine on my home linux system, but fails drastically here
on trillian, which is a FreeBSD system. I've also got an account on a
Solaris system, where whois has a third syntax. I also don't seem to
find any documentation on linux's whois command, but I suppose I'll
find it eventually.
Digging around whois.arin.netf has also turned up a few clues that a
more portable approach might work. Or my script will just have to
discover what sort of system it's on. (This is actually a troll,
based on the classical problem that the answer is an infinite
regress, since all known answers are of the form "If you're on a foo
system, here's how you find out ..." ;-)
One curious problem: I've dug around in a few search sites and some
of the security sites to see if I could find a precise description of
the CodeRed symptoms. So far, I've hit a brick wall. Lots and lots of
comments on what it does and how it works, but nothing at all that
tells me how to detect it. They all seem to think that I'm too stupid
to understand that; I shouldn't worry my little head about it; I
should just install Microsoft's patch (in my apache server running on
linux?) and all will be right with the world.
Meanwhile, I've noticed that sometimes the GET requests include a
long string of X's, and other times a long string of N's. Are
these two clones of CodeRed? Are other letters also symptomatic of
CodeRed? Is this documented somewhere? I wouldn't want to accuse some
site of doing a CodeRed attack, when it's actually an unrelated
CodeBlue attack, y'know.
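Neither Drew's mod_perl handler nor John's default.ida script is on this page, so here is an added detector (an editor's example, not either author's code) that reads Apache common-log lines, flags GET /default.ida requests padded with a long run of N's or X's, and tallies them per client address; the N-padded request is the original Code Red and the X-padded one is Code Red II. The MIN_RUN threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Minimum run of padding characters before a /default.ida request counts as a
# Code Red probe. Assumption: the worm sends a few hundred, so 64 avoids
# flagging a stray short request while still catching the real thing.
MIN_RUN = 64

# Apache common log format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
PADDING_RE = re.compile(r'([NX])\1{%d,}' % (MIN_RUN - 1))
VARIANT = {"N": "Code Red (original)", "X": "Code Red II"}

def classify_request(method, target):
    """Return the Code Red variant name for one request line, or None."""
    if method != "GET":
        return None
    path, _, query = target.partition("?")
    if path.lower() != "/default.ida":
        return None
    m = PADDING_RE.search(query)
    return VARIANT[m.group(1)] if m else None

def scan_log(lines):
    """Yield (client_ip, timestamp, variant) for every Code Red-style hit."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable common-log line
        ip, ts, method, target, _status = m.groups()
        variant = classify_request(method, target)
        if variant:
            yield ip, ts, variant

def summarize(lines):
    """Count hits per (client_ip, variant), noisiest sources first."""
    counts = Counter((ip, v) for ip, _, v in scan_log(lines))
    return sorted(counts.items(), key=lambda kv: -kv[1])

def _entry(ip, ts, target, status):
    return '%s - - [%s] "GET %s HTTP/1.0" %s 282' % (ip, ts, target, status)

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    _entry("192.0.2.10", "06/Aug/2001:11:52:03 -0400", "/default.ida?" + "N" * 224, 404),
    _entry("192.0.2.10", "06/Aug/2001:11:55:17 -0400", "/default.ida?" + "N" * 224, 404),
    _entry("198.51.100.7", "06/Aug/2001:12:01:44 -0400", "/default.ida?" + "X" * 224, 404),
    _entry("203.0.113.5", "06/Aug/2001:12:03:09 -0400", "/index.html", 200),
    _entry("203.0.113.5", "06/Aug/2001:12:04:00 -0400", "/default.ida?XXXX", 404),
]
```

Calling summarize(SAMPLE_LOG) returns the per-host tally with the two-hit N-padded source first; the short "XXXX" request falls below MIN_RUN and is ignored.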