That annoying little code red


Licensed Computer Geek
The Code Red worm has really gone crazy lately. Of course, since we're using Macs, we're pretty much immune to the worm's antics, but it's still annoying as hell, what with cluttering up Apache logs world-wide. That being said, here's a couple of really tiny shell scripts that you can use to ignore its log entries, and also generate a count on its intrusion attempts this month. Of course, these will only work if Apache is running, and logging access.
You can do with these as you please.

cat /var/log/httpd/access_log | awk '! /default/ && ! /XXXXX/ && ! /NNNNN/' | more

echo August Code Red intrusion attemps thus far:
cat /var/log/httpd/access_log | awk '(/default/ || /XXXXX/ || /NNNNN/) && /Aug/' | wc -l

These minuscule scripts should be able to spot the major variations I've seen on my system. If you find others, by all means, update the scripts. It's not like I'm going to claim copyright on three lines of code. :)
Not to sound totally stupid, but how do you execute shell scripts? Since I know Perl & PHP, I've always just written a script in either of those languages and then executed it in the shell. Just never had a reason to learn much about shell scripts I guess. Time to start...
From what I understand, executing them is almost identical to running a Perl script. Just copy the text exactly into a file, chmod 755 it for the execute permission, then run ./ or whatever the script name is.
I love it when you post at the same time :)

What's odd is my G4 has gotten 1172 hits...whereas our Win2K web server at work has only gotten 171 hits. I checked all 172 and most of the sites had the default IIS "Under Construction" page up, which means that they are probably not real servers and maybe no one is even paying attention to them.

Of the ones that were actual web sites, I'd say that 90% of them were foreign [French, Chinese, German, Japanese, etc.], which I find to be strange because the worm was only supposed to attack if IIS was running the US English version. Or did I understand something wrong?
You know, with all of these infected systems, it seems logical to me that we could make a different "worm" that would check log files for infected systems sending requests, at which point it would install itself on said infected systems. (I am going somewhere with this, believe it or not.) Once it's installed, let it redistribute itself around the internet for a few days or weeks, then have them all automatically patch the vulnerable server they are installed on, delete Code Red, then delete themselves. Problem solved. Hey, if the Code Red worm can get complete access to the system, I would think that a cleanup worm could do the same.
I thought something that attacked only windows servers on the internet WAS a cleanup worm. Why should I want to stop it?

And yeah, I was wondering what that crap was showing up in my log files. Thanks.
He he, I guess you're right. The fewer Windows servers, the better. The only downside is that my cable modem has been going absolutely insane with the traffic, and it's actually overloaded and reset a few times.
Originally posted by theed
I thought something that attacked only windows servers on the internet WAS a cleanup worm. Why should I want to stop it?

And yeah, I was wondering what that crap was showing up in my log files. Thanks.


I've had over a 1000 hits from code red!!! Lucky me!

Anyone want to write a script that will check for unique IPs? Then we can see exactly how many systems are infected, not just the number of hits.

Just a thought

One last plea for explanation :
I was away vacationing with no technology with me (except my newton :p)
can someone PLEASE explain to me what code red does ? :p

(Yes I am lazy enough to not want to read the full description on yahoo or some other news organization ;) )

exploits M$ IIS only
spawns 100 of itself in memory
attempts to break in to 100 other servers, tends to choose the same ones over and over again
or on day of month may DoS
after 2 hours starts handing out a "hacked by China" home page.

Restarting clears it up, but its repeat tendencies will reinfect you if you got it once.
Annoys apache log readers with failed requests for .ida's with looooong filenames.

as for uniques - I'm gonna grep XXXX cat Grep NNNN > newfile and run analog on it. that'll be easy. It'll even give me stats for what time of day is busiest! lol.

First, thanks to davidbrit2 for those two scripts. I was wondering how to erase those hits from the access_log. I am a beginner in the use of scripts and I was wondering how to make a script that will copy only relevant information from this log to another file.

Could someone help me with this? Where can I find information about shell scripts?

By the way, in only 24h I had 523 hits of Code Red. Apparently almost all the servers in the address range of my ISP are infected. (Skynet in Belgium)
I'm very happy to have a mac in these moments. :p
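Added example, not part of any post in this thread: one way to do what is asked above, counting the distinct addresses behind the Code Red requests and copying the remaining lines to a separate file. It matches the request itself (`/default.ida?` followed by a run of N or X) rather than the word "default" anywhere on the line, so a legitimate request such as `/default.css` is kept; the function names, sample log and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick Code Red probes out of an Apache access log
# (common log format), count them, and list the distinct senders.

# The worm's request: /default.ida? padded with a run of N (v1) or X (v2).
# Bracket expressions avoid backslashes, which awk -v would reinterpret.
SIG='"GET /default[.]ida[?][NX][NX][NX][NX][NX]'

# Worm requests in log $1, optionally limited to month $2 (e.g. Aug).
codered_hits() {
    awk -v sig="$SIG" -v mon="${2:-}" '
        $0 ~ sig && (mon == "" || $4 ~ ("/" mon "/")) { n++ }
        END { print n + 0 }' "$1"
}

# Distinct client addresses (field 1) that sent the worm request.
codered_unique_ips() {
    awk -v sig="$SIG" '$0 ~ sig { print $1 }' "$1" | sort -u
}

# Hits per address, busiest first.
codered_top() {
    awk -v sig="$SIG" '$0 ~ sig { c[$1]++ }
        END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Copy every non-worm line of log $1 to $2; the original log is untouched.
codered_filter() {
    awk -v sig="$SIG" '$0 !~ sig' "$1" > "$2"
}

# Constructed sample log (documentation addresses, shortened requests).
SAMPLE=${TMPDIR:-/tmp}/codered_sample.$$
trap 'rm -f "$SAMPLE" "$SAMPLE.clean"' EXIT
cat > "$SAMPLE" <<'EOF'
192.0.2.10 - - [30/Jul/2001:23:59:59 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [05/Aug/2001:10:01:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [05/Aug/2001:11:15:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [06/Aug/2001:03:22:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
203.0.113.5 - - [06/Aug/2001:09:00:00 -0400] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [06/Aug/2001:09:00:05 -0400] "GET /default.css HTTP/1.0" 200 512
EOF

codered_filter "$SAMPLE" "$SAMPLE.clean"
echo "August Code Red hits: $(codered_hits "$SAMPLE" Aug)"
echo "Distinct senders:"
codered_unique_ips "$SAMPLE"
```

To use it on a real log, pass the log path (for example /var/log/httpd/access_log, as in the scripts above) to the functions in place of `$SAMPLE`.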

I went all out with the code red stuff, and I have a page updating hourly with the code red statistics.

as for learning shell scripting ... you could try some stuff from O'Reilly, looking for csh, tcsh, or the like. Truth is, I think most of us learn "in the field." If you can figure out the syntax for sed, awk and grep. The only other things you should need to know before you can start scripting everything are:
cat spews a file into standard output
| takes stdout to stdin
> writes to a file
ending a line with & makes it run as its own process.

I learned by watching other command line phreaks, I can't imagine learning any other way.
August Code Red intrusion attemps thus far:

I am on a downstream from an OC3 which stretches from Korea to San Jose California.

Apparently Korea has been hit hard by this and probably ignorant of the problem as well.

it took a week before any of the appropriate agencies picked up on it here in Japan.

must be some way to black hole the requests.

in the apache config you can write

Location /default.ida*

Deny from all
ErrorDocument 403 /no_access.html

however you could also write....

Location /default.ida*

Deny from all
ErrorDocument 403 /cgi-bin/hypotheticalWindows_destroying_script.cgi

or given I have no idea what would actually shut the suckers down,
(surely they are immune to the ping of death)
Location /default.ida*

Deny from all
ErrorDocument 403
****note: angle brackets removed above*****
The real trick is to collect the IP addresses and find out which whois server contains the data on that IP and get them to take their servers off the net.

then arrest them all for operating heavy machinery without a license.:)
Seriously, Microsoft has been promoting this concept of "doing technical wizardry without any frontal lobe activity" for too long. Then supported by the AWFUL "for DUMMIES" books. And "How to run a Business on the Net selling things which people wouldn't ever buy if they saw it in a real store" Now, we can see "Bothering your Neighbors while playing Ultra fantastic games on your Home PC " about to hit the bookstores.

check this out:

Point is, nothing here is unfamiliar or unexpected. How long does it take before there's general recognition that Microsoft software has no business on the Internet?

last week I sent this from all machines:

grep 'default.ida' access_log | mail -s 'APACHE'

"We need your Code Red logs"
my logs have doubled in that time....
I wish I could agree that the ISP is being stupid, but at least they are doing something. All of these pseudo power users who have otherwise somewhat challenging to set up services set up for them and running by default are like 5 year olds being handed guns. The people running them simply don't know any better. The grossly irresponsible party in my opinion is of course microsoft for leaving the gun loaded.

The problem with the code red worm is that the damage done is to others, not to themselves, so the people infected often don't even know it, and don't learn, and don't have any desire to fix it. So one of the few responses left by a responsible ISP is to stop the infection themselves. And unless they happen to have ALL brand spanking new Cisco routers, they lack the technology to drop only packets of infection. So this is what they have to do to stop code red. I'm glad to at least see them trying.

I do think it's punishing everyone for a few people's mistake, and that part isn't cool. Another uncool part is if they don't take this as an opportunity to educate people about their own computers.
hey Fahrvergnuugen

good job buddy

That is just what I was hinting at.

I haven't done anything with IIS servers since windows NT4 just came out and I was real unimpressed at that time.
so I didn't possess any immediate knowledge about how to take them out.

This is only a temporary measure as they will turn them back on.
The sucker trojans itself into Explorer.exe as well; can't have windows without that.

If you have a way to write readme messages all over the root directory, that might get their attention.

Time to strike back.

Have a nice day....

I love Friendly Hacking....
Ok, lots of you know that I run a silly little page at (nothing is there). Anyway, I run it off my road runner connection, and of course, code red attacks similar ip addresses to the one it spreads from. So I typically get about 50 get /default.idaXXXXXX (or NNNN in the case of code red 1 [not 2]) requests per day.

I called RR, and asked them if they could *please* contact the people with those IP addresses (I logged them of course) and tell them to do something about it.

The lady at rr was like "Let me talk to the techs up stairs, hold on.." 5mins later "I'm sorry sir, but there is nothing we can do about it..."

we talked for a while about internet security, and what it comes down to is that RR doesn't know who has what IP address. They are that naive. Which is perfect for a port-scanning person like myself....

But RR has really pissed me off lately. They are almost 100% microsoft. (even though they are operated by aol-timewarner...)

Their gay-as-can-be Windows NT mail server doesn't work half the time (it's now using sendmail, so maybe they got a clue).

Tech support is pretty dumb. I asked their tech support one day for the url to add and remove email accounts (we get 5). The guy says "Oh, just go to I told him I don't have flash, so I needed the exact url. The guy is all confused. So I tell him "Just move your mouse over the 'email accounts' button, and tell me what it says at the bottom of the screen". He replies "Let me transfer you to 2nd level tech support"

However, I do enjoy downloading at +300k/sec!
(although upstream at 44k/sec leaves something to be desired).

As for blocking port 80, I don't think they have done that on our RR system yet. I wish they would just call those people up and be like "Dude, why are you running MS IIS?" You know half those code-red infected people don't even realize they were running a web server.

Sorry about my rant... oh well, rocks!