Code Red and OS X firewalls

Aug 07, '01 07:45:53AM

Contributed by: jasont

Recently I started seeing a lot of activity in my Apache logs. For those who don't know, they are at /private/var/log/httpd (access_log and error_log). The code was:

63.82.46.11 - - [07/Aug/2001:04:06:38 -0700] "GET /default.ida?
XXXXXXXXX...snipped...XXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003
%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 27
[Editor's note: Carriage returns inserted, and repetitive "X" characters snipped, to aid readability; this will appear as one line in your log].

If you're seeing this then it's not a threat to your system. It's someone's machine running Windows NT 4.0 with IIS 4.0 or 5.0 enabled, a Windows 2000 server, or a beta of XP, with the Code Red worm running on their box. This probably means they don't know about it, and it doesn't hurt us except that it bloats your access logs. The information on it can be found at
http://www.cert.org/incident_notes/IN-2001-08.html

I have a question. Is there a way to set a deny rule for this with ipfw? Anyone?
-j
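One way to answer the ipfw question, as an added example that is not part of the original hint or its author's setup: the script below scans an Apache access_log for /default.ida probes, counts them per source host, and prints (without running) one ipfw deny rule per host. The log lines are constructed for the example; 63.82.46.11 is the address from the hint, the other addresses are made up, and the temporary-file path and rule numbers starting at 1000 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original hint: find Code Red probes
# (GET /default.ida) in an Apache access_log and list the hosts behind them.
# The real log lives at /private/var/log/httpd/access_log; this constructed
# sample stands in for it so the script runs offline.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
63.82.46.11 - - [07/Aug/2001:04:06:38 -0700] "GET /default.ida?XXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 27
10.0.0.5 - - [07/Aug/2001:04:07:01 -0700] "GET /index.html HTTP/1.0" 200 1234
63.82.46.11 - - [07/Aug/2001:04:10:12 -0700] "GET /default.ida?XXXX%u9090 HTTP/1.0" 404 27
198.51.100.7 - - [07/Aug/2001:05:00:00 -0700] "GET /default.ida?XXXX%u9090 HTTP/1.0" 404 27
EOF

# code_red_hits LOGFILE: print "count ip" for every host that requested
# /default.ida, most active host first. Field 6 of the common log format is
# the quoted method, field 7 the request path.
code_red_hits() {
    awk '$6 == "\"GET" && $7 ~ /^\/default\.ida/ { print $1 }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# code_red_ips LOGFILE: only the distinct source addresses, same order.
code_red_ips() {
    code_red_hits "$1" | awk '{ print $2 }'
}

# ipfw_rules LOGFILE: emit one "deny" rule per probing host, numbered from
# 1000 (an assumed starting point). The rules are printed, not applied;
# pipe the output into sh as root to install them.
ipfw_rules() {
    n=1000
    for ip in $(code_red_ips "$1"); do
        echo "ipfw add $n deny tcp from $ip to any 80"
        n=$((n + 1))
    done
}

# Stand-alone run: show the per-host counts, then the rules.
code_red_hits "$SAMPLE_LOG"
ipfw_rules "$SAMPLE_LOG"
```

ipfw matches on addresses and ports, not on the request URI, so it can only shut out a host after that host has already shown up in the log; "ipfw list" shows what is installed and "ipfw delete <number>" removes a rule, and rules added this way do not survive a reboot unless you re-add them at startup. Since Code Red probes arrive from many different infected machines, per-host rules mostly buy a quieter access_log, which matches the hint's point that the 404 itself is harmless.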

Comments (26)


Mac OS X Hints
http://hints.macworld.com/article.php?story=20010807074553384