Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

IPFW | 26 comments | Create New Account
Click here to return to the 'IPFW' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Authored by: cardmagic on Aug 08, '01 01:54:54PM
First of all, there is no need to block it. Since you don't use Microsoft IIS, it does absolutely no harm to you. What you see is much like a ping command, the worm is doing two things at once: 1) if the remote host responds to the HTTP command, it inoculates that system, 2) if the remote host does not respond it forgets about that host and moves on. Anyone that is not running IIS just sends back a 404 Not Found command, as if someone was trying to go to a web page on your server that wasn't there. Second, as I said before, the worm sends an HTTP command to port 80. If you want to firewall anything to prevent these 404 Not Found errors because of the Code Red worm, all you have to do is firewall port 80, aka your web server. Of course, doing that means that the outside world wouldn't be able to access your web server at all, so you may as well just shut it down in the Network Preferences for that matter. So, if you want to stop your web server from being asked for documents that do not exist (god forbid!), simply shut it down. In summary, CODE RED DOES NOT AFFECT ANYTHING APPLE WHATSOEVER, there is absolutely no reason to do anything to your computer in response to it! -Lucas

[ Reply to This | # ]
Authored by: jasont on Aug 09, '01 07:29:52AM

Yes Lucas, I know it's not a threat to my system. I said so in my original post, but it can't help to let people know not to worry. The reason I'm trying to do this is because I'm sick of my Apache logs getting bloated. I'm going to try installing snort with flexresp and see if I can just kill it by content filtering. There's a lot of variants out now and there's the eeye test as well. I'm averaging 8 per hour if I set my server up on a new static ip that's never had a server on it. The new version is worse because it only looks outside of your address range 12.5% of the time and it's only going to increase. What are you averaging?

[ Reply to This | # ]
Authored by: cardmagic on Aug 10, '01 02:59:06PM

Bloated? If 8 entried/hour "bloats" your apache logs, why are you running apache at all, it seems like absolutely nobody is using it. In the 7,829 lines of my log, 20 of those are 404s from Code Red and 79 are 404s in general. And this is my home computer/developer computer, not my main server.

Another way to look at it is that one line of error from one Code Red attempt is less than 450 bytes. My hard drive is 30 Gigabytes. 450 bytes divided by 30 Gigabytes is just about Zero. Even 20 time 450 bytes is Zero. And since logs are generally used as data for statistics making programs, all you have to do is find the percentage of 404s that are from Code Red (in my case it is 20/79 which is about 25%) and keep that in mind while looking at the general statistics.


[ Reply to This | # ]
Recent data
Authored by: cardmagic on Aug 10, '01 03:32:49PM

Woops, those where old logs, here are the numbers since April 4th:

18,800 lines in my access_log (1.9MB)
592 lines of 404 errors total
45 lines of 404 errors due to Code Red

Code Red takes:
About 8% of 404 errors
About 0.2% of all lines of my access_log
About 20 kbytes of my hard disk space
About 0% of my hard disk space

Any questions?


[ Reply to This | # ]