If you have been monitoring your web log files (or web statistics, for that matter) recently, you will undoubtedly have noticed a sudden flood of requests for a file called "default.ida" in your main web directory. This is what happened to one of my sites, where my delight at the increase in traffic turned to dismay when I realised where the extra traffic was coming from.
These requests for the default.ida file are the work of the Code Red II worm (or, as some call it, the Code Red II virus): it has infected some other web server on the Internet and is attempting to infect the web server running your site. It requests the default.ida file because, on Microsoft's IIS web server running on Windows NT and 2000, such a request can exploit a vulnerability in that server and infect it.
Note that it does not matter what operating system your site runs on. As long as there are infected Microsoft IIS web servers somewhere on the Internet, there is a chance that your site will be targeted. Of course, if you are not running a Microsoft web server on a Microsoft operating system, you need not worry that your server will be infected. There are nonetheless steps that you may wish to take in the wake of these attacks. I will deal separately with the two situations of your site running on an IIS web server and on an Apache (or other) web server.
If you are running your own IIS web server and have not yet done anything to protect it, you should read the articles at the following URLs and act quickly:
For a description of what the worm does, and which systems are vulnerable, you can read the CERT advisory at: http://www.cert.org/incident_notes/IN-2001-09.html
If your website is on a Unix or Linux system running the Apache web server, your server is probably safe, since the worm exploits vulnerabilities in the IIS server that are not present in Apache. However, don't relax just yet.
Check your web logs and search for a line similar to the following.
"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 10100 "-" "-"
Actually, you can extract all the lines like the one above by using the following command from a Unix shell prompt:
(where log-file-name is the name of your uncompressed log file). If you want a count of the number of such lines in your logs, use the following:
You may be horrified (as I was when I first saw them) to find numerous such lines in your log files. These lines mean that infected IIS web servers somewhere on the Internet are attempting to spread the worm to your server. They are of course unable to do so, since Apache servers do not treat requests for files named default.ida the way IIS servers do: Apache merely looks for a file of that name and returns a 404 error if it cannot be found.
Your work is not over yet, however. Look at the end of that line. In the example given above, as is typical of sites hosted on Apache servers, the web server returned a 404 File Not Found code. Because the website in the example has a customised 404 File Not Found document, that document is returned instead. It happened to be 10100 bytes long, which means that each time the worm attempted to access that website, 10100 bytes of the site's data transfer allocation were wasted.
Not too serious for one request. Unfortunately, it is usually not just one request. For example, on one day in August 2001 alone, one of my sites had the default.ida file requested a total of 97 times. If this keeps up, the requests will consume about 29MB of my bandwidth by the end of the month.
There is probably little you can do to block the requests (your web host may be able to do something, but it is probably not worth the effort, since the requests come from all over the Internet). You can, however, reduce the amount of traffic they consume. Simply create a zero-length file (i.e. an empty file) named "default.ida" in your root directory. That way, when an infected machine requests the default.ida file, it will indeed get it; but since the file is empty, your traffic allocation is not uselessly consumed (the response headers still cost a few hundred bytes, but the 10100-byte error page is no longer sent).
If you do not know how to create a zero-length file from your telnet shell prompt, you can simply open an empty document in your favourite text editor, save it as default.ida, and upload it to the main web directory of your website.
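The following shell script is an added example and not a command from the original article. It pulls together the log checks described above (finding and counting the default.ida requests, adding up the bytes the custom 404 page cost, projecting that over a month as the 97-requests-to-29MB figure does) and the empty-file mitigation, and it also counts how many distinct source addresses the requests came from, which is the quickest way to confirm for yourself that blocking individual senders is not worthwhile. It assumes the log is in Apache's Common or Combined Log Format, where the status code and bytes-sent fields follow the quoted request line; the sample log lines, addresses and file names it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): count Code Red II "default.ida"
# probes in an Apache access log, total the bytes they cost, and apply the
# empty-file mitigation. Assumes Apache Common/Combined Log Format, in which
# the status code and bytes-sent fields come right after the quoted request.

# Constructed sample log: three worm probes and one normal hit. The addresses
# and the 10100-byte custom 404 page are made up to match the article's example.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [04/Aug/2001:10:00:01 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 10100 "-" "-"
192.0.2.11 - - [04/Aug/2001:10:05:17 +0000] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
192.0.2.12 - - [04/Aug/2001:11:30:44 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 10100 "-" "-"
192.0.2.13 - - [04/Aug/2001:23:59:59 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 10100 "-" "-"
EOF
}

# Number of requests for /default.ida (grep -c prints the count of matching lines).
count_probes() {
    grep -c 'GET /default\.ida' "$1"
}

# Bytes sent in reply to those probes. Splitting on the double quote makes the
# text after the request line the third field, whose first two words are the
# status code and the byte count; a "-" byte count (nothing sent) counts as 0.
probe_bytes() {
    grep 'GET /default\.ida' "$1" | awk -F'"' '
        { n = split($3, a, " "); b = (n >= 2 && a[2] != "-") ? a[2] : 0; total += b }
        END { print total + 0 }'
}

# Number of distinct source addresses (field 1) that sent probes.
probe_sources() {
    grep 'GET /default\.ida' "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Project one day's wasted bytes over a 30-day month, in whole MB (1 MB taken
# as 1,000,000 bytes), the way the article's 97 requests become about 29MB.
monthly_mb() {
    echo $(( ($1 * 30) / 1000000 ))
}

# Mitigation: an empty default.ida in the document root means the worm's
# request is answered with a zero-byte body instead of the large 404 page.
# Prints the resulting file size so the caller can confirm it is 0.
create_empty_default_ida() {
    : > "$1/default.ida"
    wc -c < "$1/default.ida" | tr -d ' '
}

# Run the whole check against the constructed log in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    write_sample_log "$tmp/access.log"
    n=$(count_probes "$tmp/access.log")
    b=$(probe_bytes "$tmp/access.log")
    echo "default.ida probes: $n from $(probe_sources "$tmp/access.log") hosts, $b bytes sent"
    echo "projected monthly cost at this rate: $(monthly_mb "$b") MB"
    echo "after mitigation, default.ida size: $(create_empty_default_ida "$tmp") bytes"
    rm -rf "$tmp"
}

demo
```

To use it on a real log, point `count_probes`, `probe_bytes` and `probe_sources` at your uncompressed access log instead of the sample, and pass your document root to `create_empty_default_ida` once you have decided to apply the fix.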
Until all the 5 million (or more) web servers on the Internet that use Microsoft's IIS web server get patched, we will probably continue to see such nuisance attacks on our servers. At least with the little suggestion above, you will not have your precious traffic allocation unnecessarily consumed by the Code Red worm.
Do you find this article useful? You can learn of new articles and scripts that are published on thesitewizard.com by subscribing to the RSS feed. Simply point your RSS feed reader or a browser that supports RSS feeds at http://www.thesitewizard.com/thesitewizard.xml. You can read more about how to subscribe to RSS site feeds from my RSS FAQ.
This article is copyrighted. Please do not reproduce this article in whole or part, in any form, without obtaining my written permission.