Code Red 1

Guest_imported

Hello,

I have these listings in my Apache error and access logs,
can someone tell me if my system is being hit by code red
because the root.exe and cmd.exe behaviour looks familiar

My system is Windows NT 4 with Apache and Tomcat

the following is my error log
------------

[Mon Nov 12 16:52:24 2001] [error] [client 10.10.30.229] File does not exist: e:/apache/apache/htdocs/scripts/root.exe
[Mon Nov 12 16:52:24 2001] [error] [client 10.10.30.229] File does not exist: e:/apache/apache/htdocs/msadc/root.exe
[Mon Nov 12 16:52:24 2001] [error] [client 10.10.30.229] File does not exist: e:/apache/apache/htdocs/c/winnt/system32/cmd.exe
[Mon Nov 12 16:52:24 2001] [error] [client 10.10.30.229] File does not exist: e:/apache/apache/htdocs/d/winnt/system32/cmd.exe
[Mon Nov 12 16:52:24 2001] [error] [client 10.10.30.229] File does not exist: e:/apache/apache/htdocs/scripts/..%5c/winnt/system32/cmd.exe
[Mon Nov 12 16:52:24 2001] [error] [client 10.10.30.229] File does not exist: e:/apache/apache/htdocs/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Mon Nov 12 16:52:24 2001] [error] [client 10.10.30.229] File does not exist: e:/apache/apache/htdocs/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Mon Nov 12 16:52:24 2001] [error] [client 10.10.30.229] File does not exist: e:/apache/apache/htdocs/msadc/..%5c/..%5c/..%5c/..Á/..Á/..Á/winnt/system32/cmd.exe
[Mon Nov 12 16:52:24 2001] [error] [client 10.10.30.229] File does not exist:
===============================================

Any guidance will be helpful

Thanks in advance

Bye

Jay

 
Yeah, this is Code Red. Since you are running Apache, no worries.
 
I've had the same thing for a couple months now and no problems other than it uses up a little bandwidth and disk space for the error logs and logs and logs... Linux systems don't have to worry but if you're running NT, you might wanna check out Microsoft's website to see what they are saying.
 
So that's what that is! I see that constantly. Let me add my thanks to the bottom of this post.
 
I can save you some disk space, if you add these lines to the top of your httpd.conf file:

# Set attack_indicator when the request URI matches any of these patterns
SetEnvIfNoCase Request_URI MSADC attack_indicator
SetEnvIfNoCase Request_URI SCRIPTS attack_indicator
SetEnvIfNoCase Request_URI VTI_BIN attack_indicator
SetEnvIfNoCase Request_URI MEM_BIN attack_indicator
# \.exe$ matches a literal ".exe" at the end of the URI
SetEnvIfNoCase Request_URI \.exe$ attack_indicator
SetEnvIfNoCase Request_URI default.ida attack_indicator

and add this before your Host/VirtualHost directives
CustomLog /opt/apache/logs/access_log combined env=!attack_indicator

The requests will not be logged. It basically works by looking at the request_uri, and determining if a certain string, i.e. default.ida, is in the request. If it is, it sets the attack_indicator, and that entry isn't logged.
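
An added example, not part of the original post or the thread's own code: a Python sketch that applies the same patterns to error_log entries and tallies hits per client, so the record of which host is probing survives even if the raw lines are filtered. It assumes the rules are applied to the filesystem path shown in the error log rather than to Request_URI; the function names, the 192.0.2.7 entries and the truncated last entry are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# The thread's SetEnvIfNoCase patterns: unanchored, case-insensitive regexes.
# The .exe rule is written as \.exe$ so that the dot is literal.
RULES = ["MSADC", "SCRIPTS", "VTI_BIN", "MEM_BIN", r"\.exe$", r"default\.ida"]

# Apache error_log entry in the form shown in the question.
LINE = re.compile(r"^\[[^\]]+\] \[error\] \[client (?P<ip>[^\]]+)\] "
                  r"File does not exist: (?P<path>\S+)$")

def rule_hits(pattern, path):
    """True if a SetEnvIfNoCase-style pattern matches anywhere in path."""
    return re.search(pattern, path, re.IGNORECASE) is not None

def summarize(lines):
    """Tally probe hits per client and per rule; return unmatched lines too."""
    hits, by_rule, other = Counter(), defaultdict(Counter), []
    for line in lines:
        m = LINE.match(line.strip())
        rules = [r for r in RULES if m and rule_hits(r, m.group("path"))]
        if not rules:
            other.append(line)  # ordinary 404, or truncated/malformed entry
            continue
        hits[m.group("ip")] += 1
        for r in rules:
            by_rule[m.group("ip")][r] += 1
    return hits, by_rule, other

DOCROOT = "e:/apache/apache/htdocs"
PREFIX = "[Mon Nov 12 16:52:24 2001] [error] [client %s] File does not exist:"
# Constructed sample: the first three entries are modeled on the question's log,
# the 192.0.2.7 entries and the truncated last entry are made up for the demo.
SAMPLE = [
    PREFIX % "10.10.30.229" + " " + DOCROOT + "/scripts/root.exe",
    PREFIX % "10.10.30.229" + " " + DOCROOT + "/c/winnt/system32/cmd.exe",
    PREFIX % "10.10.30.229" + " " + DOCROOT + "/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe",
    PREFIX % "192.0.2.7" + " " + DOCROOT + "/favicon.ico",
    PREFIX % "192.0.2.7" + " " + DOCROOT + "/javascripts/menu.js",  # benign, hits SCRIPTS
    PREFIX % "10.10.30.229",  # truncated entry, kept in `other`
]

if __name__ == "__main__":
    hits, by_rule, other = summarize(SAMPLE)
    for ip, n in hits.most_common():
        print(ip, n, dict(by_rule[ip]))
    print("not matched:", len(other))
```

The javascripts/menu.js entry shows that the unanchored SCRIPTS rule also marks ordinary requests, which a CustomLog with env=!attack_indicator would then leave out of the access log.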
 
Hello everybody,

Thx for the confirmation, the problem is, I get Dr.Watson popup every 30mts.
And my Tomcat closes itself.

Thank you,

Jay
 