What is default.ida? Dealing with the Code Red II Worm


by Christopher Heng, thesitewizard.com
Written: 13 August 2001

If you have been monitoring your web log files (or web statistics, for that matter) recently, you will undoubtedly have noticed a sudden flood of requests for a file named "default.ida" in your main web directory. This is what happened on one of my sites, where my delight at the traffic increase turned to dismay when I realised the source of the increase.

This request for default.ida is the work of the Code Red II worm (or, as some call it, the Code Red II virus): it has infected some other web server on the Internet and is now attempting to infect the web server running your site. It requests default.ida because on Microsoft's IIS web server running on Windows NT and 2000, a request for a .ida file is handed to the Index Server ISAPI extension, and a specially formed request can exploit a vulnerability in that extension (the subject of Microsoft's bulletin MS01-033, linked below), allowing the worm to infect the server.

Note that it does not matter what operating system your site is running on. As long as there are infected Microsoft IIS web servers somewhere on the Internet, there is a chance that your site will be targeted. Of course, if you are not running a Microsoft web server on a Microsoft operating system, you need not worry that your server will be infected. There are nonetheless steps you may wish to take in the wake of these attacks. I will deal separately with the two situations of your site running on an IIS web server and on an Apache (or other) web server.

Running Your Own IIS Web Server?

If you are running your own IIS web server and you have not yet done anything to protect it, you should read the articles at the following URLs and act quickly:

http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
http://www.microsoft.com/technet/itsolutions/security/tools/redthree.asp

For a description of what the worm does, and which systems are vulnerable, you can read the CERT advisory at: http://www.cert.org/incident_notes/IN-2001-09.html

If Your Site is Not Running IIS on Windows

If your website is on a (say) Unix or Linux system, running the Apache web server, your server is probably safe, since the worm actually exploits vulnerabilities in the IIS server that are not present in Apache. However, don't relax just yet.

Check your web logs and search for a log line similar to the following (shown here on one line; the long run of X's is part of the request).

"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 10100 "-" "-"

You can find all the log lines like the one above with the following command at a Unix shell prompt:

grep default\.ida log-file-name

(where log-file-name is the name of your uncompressed log file). If you want a count of the number of such lines in your logs, use:

grep -wc default\.ida log-file-name

You may be horrified (as I was when I first saw them) to find numerous such lines in your log files. These lines mean that infected IIS web servers somewhere on the Internet are attempting to spread the worm to your server. The worm is of course unable to do so, since Apache servers do not handle requests for files named default.ida the way IIS servers do — Apache merely looks for a file of that name and returns a 404 error if it cannot be found.

Your work is not over yet, however. Look at the end of that log line. In the example above, as is typical of sites hosted on Apache servers, the web server returned a 404 File Not Found code. Because the website in the example has a customized 404 File Not Found document, that document was returned. It happened to be 10100 bytes long, which means that each time the worm attempted to access the site, 10100 bytes of the site's data transfer allocation were wasted.

Not too serious for one request. Unfortunately, it is usually not just one request. For example, on one day in August 2001 alone, one of my sites had the default.ida file requested a total of 97 times. If this keeps up, the requests will consume about 29MB of my bandwidth by the end of the month.

There is probably little you can do to block the requests (your web host may be able to do something, but it is probably not worth the effort, since the requests come from all over the Internet). You can, however, reduce the amount of traffic they consume. Simply create a zero-length file (i.e. an empty file) named "default.ida" in your root directory. That way, when an infected machine requests default.ida, it will indeed get it — but since the file is empty, the response carries no body, and apart from the few hundred bytes of HTTP headers that accompany any response, your traffic allocation is not uselessly consumed.

If you do not know how to create a zero length file from your telnet shell prompt, you can simply open an empty document in your favourite text editor, save it as default.ida, and upload it to the main web directory of your website.
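The log search, the bandwidth arithmetic and the empty-file workaround described above, pulled together in one added shell example. This is my own illustration, not code from the article; the sample log lines, hosts, dates and function names are constructed for the demonstration, and the request string is a shortened form of the one shown in the article.

```shell
#!/bin/sh
# Added example, not part of the original article: find Code Red II
# probes in an Apache access log (combined log format), count them, add up
# the bytes they cost, and check that the empty default.ida workaround is
# in place. Function and variable names are this example's own.

# --- Constructed sample log (hosts, dates and sizes are made up).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [13/Aug/2001:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Aug/2001:10:03:15 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 10100 "-" "-"
203.0.113.9 - - [13/Aug/2001:11:17:41 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 10100 "-" "-"
192.0.2.11 - - [13/Aug/2001:12:00:00 +0000] "GET /about.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Aug/2001:09:45:12 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 200 0 "-" "-"
EOF

# In combined log format the request path is field 7 and the response
# body size is field 10 (a "-" size means no body was sent). Matching on
# the path rather than the whole line avoids counting, say, a referrer
# that happens to contain "default.ida".
ida_summary() {
    awk '$7 ~ /^\/default\.ida/ { n++; if ($10 ~ /^[0-9]+$/) b += $10 }
         END { printf "%d %d\n", n + 0, b + 0 }' "$1"
}

# Number of worm probes in the log (same figure as the article's grep -c).
ida_request_count() { ida_summary "$1" | cut -d' ' -f1; }

# Bytes of body data sent in answer to those probes.
ida_bytes_sent() { ida_summary "$1" | cut -d' ' -f2; }

# Number of distinct infected hosts that probed this server.
ida_unique_sources() {
    awk '$7 ~ /^\/default\.ida/ { print $1 }' "$1" | sort -u | wc -l | tr -d ' '
}

# Projected transfer in MiB for a month: requests per day, bytes per
# response, days in the month (the article's 97 x 10100 x 31 gives ~29).
estimate_monthly_mib() {
    awk -v r="$1" -v b="$2" -v d="$3" 'BEGIN { printf "%.1f\n", r * b * d / 1048576 }'
}

# True when the workaround is in place: default.ida exists in the
# document root and is zero bytes long, so a probe gets a 200 with no body.
ida_workaround_ok() {
    [ -f "$1/default.ida" ] && [ ! -s "$1/default.ida" ]
}

# --- Demonstration on the sample data (a throwaway document root).
DOCROOT=$(mktemp -d)
trap 'rm -f "$SAMPLE_LOG"; rm -rf "$DOCROOT"' EXIT
: > "$DOCROOT/default.ida"          # create the zero-length file

echo "probes:        $(ida_request_count "$SAMPLE_LOG")"
echo "bytes sent:    $(ida_bytes_sent "$SAMPLE_LOG")"
echo "sources:       $(ida_unique_sources "$SAMPLE_LOG")"
echo "monthly MiB:   $(estimate_monthly_mib 97 10100 31)"
if ida_workaround_ok "$DOCROOT"; then
    echo "workaround:    empty default.ida present"
else
    echo "workaround:    missing"
fi
```

To use this on a real server, pass the path of your uncompressed access log to the functions instead of the sample file, and point ida_workaround_ok at your actual document root. The field numbers assume the standard combined (or common) log format; if your host's logs prepend a virtual-host name, add one to each field number in the awk patterns.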

Conclusion

Until all the 5 million (or more) web servers on the Internet that use Microsoft's IIS web server get their servers patched, we'll probably continue to see such nuisance attacks on our servers. At least with that little suggestion above, you will not have your precious traffic allocation unnecessarily consumed by the Code Red worm.

Copyright 2001 by Christopher Heng. All rights reserved.
Get more free tips and articles like this, on web design, promotion, revenue and scripting, from http://www.thesitewizard.com/.

Please Do Not Reprint This Article

This article is copyrighted. Please do not reproduce this article in whole or part, in any form, without obtaining my written permission.
