Code Red, the Internet Worm


Today is 19 November 2001, and I received an email responding to an email I had sent about a Code Red-infected computer. They had fixed their computer and wanted to know if it happened again. It was from a responsible individual at Walnut Creek, California. This city deserves 10 gold stars for customer relations. The rest of you people suffering from denial get 10 black ones :).

I have been following the growth of the attack by the worm identified as Code Red. For a description of Code Red, visit the Carnegie Mellon CERT site. Another site to visit is eEye Digital Security, who discovered the IIS vulnerability and reported it to Microsoft. eEye has a detailed analysis of the worm and also provides a commented disassembly of the Code Red II payload.

Each Code Red probe shows up on my systems as a single line in my httpd-error log; the request itself is logged in httpd-access.log. The current set of probes looks like this:

[Wed Aug 1 05:13:17 2001] [error] [client 61.137.106.19] Client sent malformed Host header
[Wed Aug 1 09:57:26 2001] [error] [client 66.56.20.189] Client sent malformed Host header
[Wed Aug 1 11:29:30 2001] [error] [client 210.159.82.211] Client sent malformed Host header
[Wed Aug 1 11:39:18 2001] [error] [client 211.20.7.98] Client sent malformed Host header
[Wed Aug 1 11:50:49 2001] [error] [client 211.180.223.211] Client sent malformed Host header
[Wed Aug 1 12:35:02 2001] [error] [client 61.16.79.12] Client sent malformed Host header
[Wed Aug 1 13:59:05 2001] [error] [client 131.94.58.103] Client sent malformed Host header
[Wed Aug 1 14:58:09 2001] [error] [client 165.132.139.48] Client sent malformed Host header
[Wed Aug 1 15:43:10 2001] [error] [client 66.56.76.16] Client sent malformed Host header
[Wed Aug 1 16:08:30 2001] [error] [client 65.101.23.145] Client sent malformed Host header
[Wed Aug 1 16:09:20 2001] [error] [client 12.75.199.159] Client sent malformed Host header
[Wed Aug 1 17:11:10 2001] [error] [client 64.105.77.74] Client sent malformed Host header
[Wed Aug 1 18:54:14 2001] [error] [client 212.210.15.106] Client sent malformed Host header
[Wed Aug 1 19:00:52 2001] [error] [client 64.163.19.91] Client sent malformed Host header
[Wed Aug 1 20:05:59 2001] [error] [client 200.222.60.242] Client sent malformed Host header
[Wed Aug 1 20:20:03 2001] [error] [client 66.3.19.115] Client sent malformed Host header
[Wed Aug 1 22:14:56 2001] [error] [client 210.72.81.148] Client sent malformed Host header
[Wed Aug 1 23:12:51 2001] [error] [client 64.130.159.29] Client sent malformed Host header
[Wed Aug 1 23:39:15 2001] [error] [client 62.251.23.176] Client sent malformed Host header
[Thu Aug 2 00:46:30 2001] [error] [client 61.13.155.20] Client sent malformed Host header
[Thu Aug 2 01:37:08 2001] [error] [client 210.127.44.159] Client sent malformed Host header
[Thu Aug 2 03:33:26 2001] [error] [client 210.18.1.185] Client sent malformed Host header
[Thu Aug 2 03:35:54 2001] [error] [client 128.121.239.107] Client sent malformed Host header
[Thu Aug 2 05:52:52 2001] [error] [client 211.23.240.54] Client sent malformed Host header
[Thu Aug 2 07:23:21 2001] [error] [client 24.20.247.173] Client sent malformed Host header
[Thu Aug 2 09:51:04 2001] [error] [client 213.120.113.124] Client sent malformed Host header
[Thu Aug 2 10:29:53 2001] [error] [client 217.33.48.2] Client sent malformed Host header
[Thu Aug 2 10:31:50 2001] [error] [client 211.74.136.153] Client sent malformed Host header
[Thu Aug 2 11:05:36 2001] [error] [client 211.93.93.219] Client sent malformed Host header
[Thu Aug 2 11:13:57 2001] [error] [client 200.229.133.19] Client sent malformed Host header
[Thu Aug 2 11:58:05 2001] [error] [client 165.121.38.220] Client sent malformed Host header
[Thu Aug 2 12:19:09 2001] [error] [client 202.106.93.129] Client sent malformed Host header
[Thu Aug 2 12:23:40 2001] [error] [client 63.178.231.145] Client sent malformed Host header
[Thu Aug 2 12:29:37 2001] [error] [client 66.31.153.36] Client sent malformed Host header
[Thu Aug 2 13:48:06 2001] [error] [client 61.218.86.86] Client sent malformed Host header
[Thu Aug 2 15:15:21 2001] [error] [client 208.62.89.166] Client sent malformed Host header
[Thu Aug 2 15:32:27 2001] [error] [client 216.250.74.194] Client sent malformed Host header
[Thu Aug 2 19:12:18 2001] [error] [client 163.29.115.139] Client sent malformed Host header
[Thu Aug 2 19:32:34 2001] [error] [client 196.25.223.51] Client sent malformed Host header
[Thu Aug 2 21:15:46 2001] [error] [client 165.138.82.20] Client sent malformed Host header
[Thu Aug 2 21:51:21 2001] [error] [client 211.232.180.166] Client sent malformed Host header
[Thu Aug 2 22:23:52 2001] [error] [client 210.126.144.72] Client sent malformed Host header
[Fri Aug 3 00:18:36 2001] [error] [client 202.39.224.191] Client sent malformed Host header
[Fri Aug 3 01:10:40 2001] [error] [client 216.155.133.138] Client sent malformed Host header
[Fri Aug 3 02:34:25 2001] [error] [client 66.120.95.83] Client sent malformed Host header
[Fri Aug 3 05:52:27 2001] [error] [client 141.45.15.60] Client sent malformed Host header
[Fri Aug 3 09:00:50 2001] [error] [client 62.76.13.85] Client sent malformed Host header
[Fri Aug 3 09:50:48 2001] [error] [client 211.62.59.251] Client sent malformed Host header
[Fri Aug 3 11:25:51 2001] [error] [client 209.116.250.153] Client sent malformed Host header
[Fri Aug 3 15:27:18 2001] [error] [client 216.77.244.189] Client sent malformed Host header
[Fri Aug 3 16:37:06 2001] [error] [client 216.37.70.164] Client sent malformed Host header
[Fri Aug 3 16:52:20 2001] [error] [client 62.4.2.144] Client sent malformed Host header
[Fri Aug 3 17:28:11 2001] [error] [client 61.159.232.170] Client sent malformed Host header
[Fri Aug 3 17:33:23 2001] [error] [client 210.97.242.16] Client sent malformed Host header
[Fri Aug 3 17:51:29 2001] [error] [client 193.136.160.58] Client sent malformed Host header
[Fri Aug 3 21:02:58 2001] [error] [client 148.75.37.22] Client sent malformed Host header
[Fri Aug 3 21:56:18 2001] [error] [client 63.91.167.39] Client sent malformed Host header
[Sat Aug 4 00:00:36 2001] [error] [client 141.153.228.243] Client sent malformed Host header
[Sat Aug 4 00:03:48 2001] [error] [client 64.222.17.37] Client sent malformed Host header
[Sat Aug 4 00:14:07 2001] [error] [client 207.17.117.55] Client sent malformed Host header
[Sat Aug 4 00:30:08 2001] [error] [client 195.246.17.213] Client sent malformed Host header
[Sat Aug 4 00:34:44 2001] [error] [client 211.171.1.147] Client sent malformed Host header
[Sat Aug 4 00:58:57 2001] [error] [client 203.227.204.106] Client sent malformed Host header
[Sat Aug 4 01:41:41 2001] [error] [client 139.144.64.76] Client sent malformed Host header
[Sat Aug 4 03:15:03 2001] [error] [client 208.131.145.94] Client sent malformed Host header
[Sat Aug 4 03:16:32 2001] [error] [client 66.95.25.69] Client sent malformed Host header
[Sat Aug 4 03:50:49 2001] [error] [client 143.233.16.28] Client sent malformed Host header
[Sat Aug 4 04:10:48 2001] [error] [client 64.63.38.170] Client sent malformed Host header
[Sat Aug 4 05:10:40 2001] [error] [client 61.121.8.46] Client sent malformed Host header
[Sat Aug 4 05:16:11 2001] [error] [client 24.37.140.79] Client sent malformed Host header
[Sat Aug 4 06:26:40 2001] [error] [client 216.254.27.200] Client sent malformed Host header
[Sat Aug 4 06:27:36 2001] [error] [client 211.101.228.85] Client sent malformed Host header
[Sat Aug 4 06:56:02 2001] [error] [client 216.174.104.58] Client sent malformed Host header
[Sat Aug 4 07:13:21 2001] [error] [client 211.198.152.53] Client sent malformed Host header
[Sat Aug 4 07:41:21 2001] [error] [client 208.184.46.13] Client sent malformed Host header
[Sat Aug 4 08:31:43 2001] [error] [client 211.114.193.220] Client sent malformed Host header
[Sat Aug 4 08:57:44 2001] [error] [client 65.65.1.33] Client sent malformed Host header
[Sat Aug 4 09:12:11 2001] [error] [client 212.157.37.12] Client sent malformed Host header
[Sat Aug 4 10:10:31 2001] [error] [client 211.163.180.69] Client sent malformed Host header
[Sat Aug 4 10:36:03 2001] [error] [client 206.102.167.9] File does not exist: /usr/local/www/data/default.ida
[Sat Aug 4 16:51:20 2001] [error] [client 206.133.170.222] File does not exist: /usr/local/www/data/default.ida
[Sat Aug 4 16:59:25 2001] [error] [client 24.51.115.114] File does not exist: /usr/local/www/data/default.ida
[Sat Aug 4 17:27:06 2001] [error] [client 63.90.148.82] Client sent malformed Host header
[Sat Aug 4 19:01:41 2001] [error] [client 211.241.45.162] Client sent malformed Host header
[Sat Aug 4 20:55:13 2001] [error] [client 211.186.104.148] Client sent malformed Host header
[Sat Aug 4 21:21:27 2001] [error] [client 209.53.186.253] File does not exist: /usr/local/www/data/default.ida
[Sat Aug 4 21:47:08 2001] [error] [client 210.72.239.248] Client sent malformed Host header
[Sat Aug 4 22:21:55 2001] [error] [client 195.46.1.130] Client sent malformed Host header
[Sat Aug 4 22:51:08 2001] [error] [client 161.53.9.162] Client sent malformed Host header
[Sat Aug 4 23:20:55 2001] [error] [client 213.188.132.166] File does not exist: /usr/local/www/data/default.ida
[Sat Aug 4 23:28:54 2001] [error] [client 195.208.8.35] Client sent malformed Host header
[Sun Aug 5 00:10:17 2001] [error] [client 61.18.202.110] File does not exist: /usr/local/www/data/default.ida
[Sun Aug 5 00:10:39 2001] [error] [client 195.224.227.2] Client sent malformed Host header
[Sun Aug 5 00:31:31 2001] [error] [client 24.218.132.211] Client sent malformed Host header
[Sun Aug 5 02:05:17 2001] [error] [client 64.171.24.228] Client sent malformed Host header
[Sun Aug 5 03:28:48 2001] [error] [client 209.217.62.112] Client sent malformed Host header
[Sun Aug 5 04:02:13 2001] [error] [client 206.239.211.232] File does not exist: /usr/local/www/data/default.ida
[Sun Aug 5 04:43:22 2001] [error] [client 211.223.234.62] Client sent malformed Host header
[Sun Aug 5 07:46:50 2001] [error] [client 63.192.189.139] Client sent malformed Host header
[Sun Aug 5 07:52:27 2001] [error] [client 203.246.81.171] Client sent malformed Host header
[Sun Aug 5 08:31:26 2001] [error] [client 212.205.80.11] Client sent malformed Host header
[Sun Aug 5 08:41:47 2001] [error] [client 24.2.244.206] File does not exist: /usr/local/www/data/default.ida
[Sun Aug 5 09:20:33 2001] [error] [client 211.60.80.37] Client sent malformed Host header
[Sun Aug 5 09:44:41 2001] [error] [client 195.17.22.203] Client sent malformed Host header
[Sun Aug 5 10:46:00 2001] [error] [client 65.42.161.18] Client sent malformed Host header
[Sun Aug 5 11:04:11 2001] [error] [client 4.60.202.66] Client sent malformed Host header
[Sun Aug 5 11:42:08 2001] [error] [client 24.250.50.76] Client sent malformed Host header
[Sun Aug 5 16:36:09 2001] [error] [client 24.162.106.140] Client sent malformed Host header
[Sun Aug 5 17:32:21 2001] [error] [client 210.223.66.109] Client sent malformed Host header
[Sun Aug 5 18:06:58 2001] [error] [client 198.211.123.217] File does not exist: /usr/local/www/data/default.ida
[Sun Aug 5 18:32:03 2001] [error] [client 61.37.105.245] Client sent malformed Host header
[Sun Aug 5 19:57:16 2001] [error] [client 206.160.168.161] File does not exist: /usr/local/www/data/default.ida
[Sun Aug 5 20:11:06 2001] [error] [client 217.136.0.154] Client sent malformed Host header
[Sun Aug 5 20:17:27 2001] [error] [client 24.218.224.192] Client sent malformed Host header
[Sun Aug 5 20:24:23 2001] [error] [client 148.245.203.53] Client sent malformed Host header
[Sun Aug 5 21:06:56 2001] [error] [client 195.122.28.135] Client sent malformed Host header
[Sun Aug 5 21:23:22 2001] [error] [client 211.217.245.146] File does not exist: /usr/local/www/data/default.ida
[Sun Aug 5 21:32:13 2001] [error] [client 206.135.157.135] File does not exist: /usr/local/www/data/default.ida
[Sun Aug 5 21:45:18 2001] [error] [client 211.56.127.210] File does not exist: /usr/local/www/data/default.ida
[Sun Aug 5 23:09:38 2001] [error] [client 203.231.177.122] Client sent malformed Host header
[Sun Aug 5 23:46:19 2001] [error] [client 203.132.108.236] Client sent malformed Host header
[Sun Aug 5 23:48:41 2001] [error] [client 128.100.152.56] Client sent malformed Host header
[Mon Aug 6 03:59:34 2001] [error] [client 200.59.141.109] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 04:36:26 2001] [error] [client 64.65.251.48] Client sent malformed Host header
[Mon Aug 6 05:02:30 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 05:45:37 2001] [error] [client 198.70.169.213] Client sent malformed Host header
[Mon Aug 6 06:03:50 2001] [error] [client 211.236.153.204] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 06:08:29 2001] [error] [client 210.244.184.253] Client sent malformed Host header
[Mon Aug 6 06:39:35 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 06:40:00 2001] [error] [client 195.210.132.236] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 06:59:31 2001] [error] [client 206.48.106.118] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 07:11:00 2001] [error] [client 206.167.114.200] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 07:53:14 2001] [error] [client 24.182.120.153] Client sent malformed Host header
[Mon Aug 6 08:16:40 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 08:17:15 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 08:47:23 2001] [error] [client 204.100.65.70] Client sent malformed Host header
[Mon Aug 6 08:56:32 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 08:57:08 2001] [error] [client 206.78.62.16] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 09:00:47 2001] [error] [client 206.167.114.179] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 09:27:45 2001] [error] [client 206.102.177.101] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 09:41:26 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 10:15:28 2001] [error] [client 206.29.149.2] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 10:18:59 2001] [error] [client 206.159.54.35] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 10:38:46 2001] [error] [client 202.132.12.26] Client sent malformed Host header
[Mon Aug 6 11:50:43 2001] [error] [client 206.124.12.219] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 12:39:41 2001] [error] [client 206.159.185.253] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 13:53:12 2001] [error] [client 206.159.27.153] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 14:01:43 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 14:13:53 2001] [error] [client 206.230.60.50] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 14:14:04 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 14:14:51 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 14:29:34 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 14:49:05 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 14:58:27 2001] [error] [client 63.109.5.115] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 16:12:27 2001] [error] [client 206.159.185.253] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 16:55:17 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 18:04:23 2001] [error] [client 206.159.27.153] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 18:09:09 2001] [error] [client 206.205.13.34] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 18:14:00 2001] [error] [client 206.159.27.153] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 18:39:16 2001] [error] [client 206.159.27.153] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 18:54:32 2001] [error] [client 207.248.59.75] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 19:40:01 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 19:56:01 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 20:03:07 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 20:55:53 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 20:57:26 2001] [error] [client 206.159.27.153] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 21:13:00 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 21:56:11 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 22:30:28 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Mon Aug 6 23:09:03 2001] [error] [client 206.242.192.154] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 00:09:54 2001] [error] [client 206.117.243.5] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 00:27:54 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 01:30:34 2001] [error] [client 210.192.238.51] Client sent malformed Host header
[Tue Aug 7 01:56:44 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 02:28:48 2001] [error] [client 206.254.198.98] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 03:48:08 2001] [error] [client 206.153.134.251] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 04:16:45 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 04:24:22 2001] [error] [client 206.48.59.156] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 04:52:51 2001] [error] [client 206.63.12.2] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 05:16:55 2001] [error] [client 206.136.92.97] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 05:44:44 2001] [error] [client 206.105.105.2] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 06:16:45 2001] [error] [client 200.219.72.226] Client sent malformed Host header
[Tue Aug 7 06:44:10 2001] [error] [client 206.221.250.189] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 06:57:42 2001] [error] [client 211.180.95.60] Client sent malformed Host header
[Tue Aug 7 07:15:27 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 07:21:30 2001] [error] [client 210.113.72.176] Client sent malformed Host header
[Tue Aug 7 07:40:54 2001] [error] [client 206.159.146.92] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 08:21:30 2001] [error] [client 206.78.62.16] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 08:40:22 2001] [error] [client 206.124.86.195] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 09:37:33 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 10:44:45 2001] [error] [client 206.228.203.33] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 11:06:29 2001] [error] [client 61.74.137.181] Client sent malformed Host header
[Tue Aug 7 11:21:54 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 11:57:34 2001] [error] [client 203.146.66.160] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 13:27:05 2001] [error] [client 206.159.54.30] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 13:48:16 2001] [error] [client 206.97.32.133] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 13:57:56 2001] [error] [client 206.247.57.12] File does not exist: /usr/local/www/data/default.ida
[Tue Aug 7 14:37:09 2001] [error] [client 206.13.36.11] Client sent malformed Host header

In case you are curious, the request itself is recorded in Apache's access log (not the error log) and looks like the following for Code Red. Note the long run of N characters used as padding before the %u-encoded payload, and the 400 status Apache returns:

63.91.167.39 - - [03/Aug/2001:21:56:18 -0700] "GET /default.ida?NNNN\
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN\
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN\
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN\
NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090\
%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078\
%u0000%u00=a HTTP/1.0" 400 320 "-" "-"

Code Red II appears in the access log like the following. The padding is X instead of N, and Apache answers 404 rather than 400, which is why this variant shows up in the error log above as "File does not exist: .../default.ida" while the original shows up as "Client sent malformed Host header":

206.78.62.16 - - [06/Aug/2001:08:57:08 -0700] "GET /default.ida?XXXXXXXX\
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\
XXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb\
d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0\
0%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 282 "-" "-"
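As an added example (not code from the original page), here is a small Python script that does what the two logs above let you do by eye: it parses the access-log request line and the error-log line, classifies each probe as Code Red I or Code Red II from the padding character (N or X), decodes the %u-encoded part of the payload into the 16-bit words and 32-bit values IIS would have placed on the stack, and counts probes per variant and per source, including how many came from the server's own /8. The sample lines are constructed from the ones quoted on this page. The '206.' prefix used for the "local" check is an assumption drawn from the cluster of 206.x.x.x sources in the Code Red II lines, since the page never gives the server's own address, and the mapping from error-log message to variant relies on the correlation visible on this page (the 400/"malformed Host header" lines line up with the N-padded requests, the 404/"File does not exist" lines with the X-padded ones).

```python
import re
from collections import Counter

# Apache access log (combined format): ip ident user [time] "request" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)
# Apache error log: [Wed Aug  1 05:13:17 2001] [error] [client 1.2.3.4] message
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$'
)
# The worm's request line: /default.ida? + a run of one pad character + %uXXXX words + "=a".
# Code Red I pads with N, Code Red II with X; the %u part is the same in both.
REQUEST_RE = re.compile(
    r'^GET /default\.ida\?(?P<pad>N+|X+)(?P<payload>(?:%u[0-9a-fA-F]{1,4})+)=a HTTP/1\.[01]$'
)
VARIANT_BY_PAD = {'N': 'Code Red I', 'X': 'Code Red II'}

def classify_request(request):
    """'Code Red I', 'Code Red II' or None for one access-log request string."""
    m = REQUEST_RE.match(request)
    return VARIANT_BY_PAD[m.group('pad')[0]] if m else None

def classify_error(msg):
    """Variant implied by an error-log message.  On this page the N-padded request
    drew 'Client sent malformed Host header' (400) and the X-padded one drew
    'File does not exist: .../default.ida' (404).  The access log is the authority;
    this is only the quick read of the error log."""
    if msg == 'Client sent malformed Host header':
        return 'Code Red I'
    if msg.startswith('File does not exist:') and msg.endswith('/default.ida'):
        return 'Code Red II'
    return None

def payload_words(request):
    """The %uXXXX sequences as 16-bit integers (IIS decodes each as one UTF-16
    code unit, which lands little-endian on the stack)."""
    m = REQUEST_RE.match(request)
    if not m:
        return []
    return [int(h, 16) for h in re.findall(r'%u([0-9a-fA-F]{1,4})', m.group('payload'))]

def payload_dwords(words):
    """Pair consecutive words into little-endian 32-bit values as they sit in memory
    (a trailing odd word is dropped).  0x7801cbd3 comes out three times; eEye's
    analysis identifies it as the MSVCRT.DLL address the overflow returns into."""
    return [words[i] | (words[i + 1] << 16) for i in range(0, len(words) - 1, 2)]

def summarize_errors(lines, local_prefix):
    """Per-variant counts from error-log lines, per (variant, source) counts, and how
    many probes came from the server's own /8 (local_prefix).  Code Red II prefers
    addresses near its host, so a /8 bias is expected for it and not for the original."""
    total, local, per_ip = Counter(), Counter(), Counter()
    for line in lines:
        m = ERROR_RE.match(line)
        variant = classify_error(m.group('msg')) if m else None
        if variant is None:
            continue
        total[variant] += 1
        per_ip[(variant, m.group('ip'))] += 1
        if m.group('ip').startswith(local_prefix):
            local[variant] += 1
    return {'total': dict(total), 'from_local_slash8': dict(local), 'per_ip': dict(per_ip)}

# Constructed sample input: the %u payload and both request lines re-joined from the
# page's two access-log quotes, plus seven error-log lines copied from the page.
PAYLOAD = ('%u9090%u6858%ucbd3%u7801' * 3 +
           '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00')
CR1_REQUEST = 'GET /default.ida?' + 'N' * 224 + PAYLOAD + '=a HTTP/1.0'
CR2_REQUEST = 'GET /default.ida?' + 'X' * 224 + PAYLOAD + '=a HTTP/1.0'
ACCESS_SAMPLE = [
    '63.91.167.39 - - [03/Aug/2001:21:56:18 -0700] "' + CR1_REQUEST + '" 400 320 "-" "-"',
    '206.78.62.16 - - [06/Aug/2001:08:57:08 -0700] "' + CR2_REQUEST + '" 404 282 "-" "-"',
]
ERROR_SAMPLE = [
    '[Fri Aug 3 21:56:18 2001] [error] [client 63.91.167.39] Client sent malformed Host header',
    '[Mon Aug 6 08:57:08 2001] [error] [client 206.78.62.16] File does not exist: /usr/local/www/data/default.ida',
    '[Mon Aug 6 09:41:26 2001] [error] [client 206.159.10.106] File does not exist: /usr/local/www/data/default.ida',
    '[Mon Aug 6 10:38:46 2001] [error] [client 202.132.12.26] Client sent malformed Host header',
    '[Mon Aug 6 14:14:04 2001] [error] [client 206.159.185.241] File does not exist: /usr/local/www/data/default.ida',
    '[Sat Aug 4 20:55:13 2001] [error] [client 211.186.104.148] Client sent malformed Host header',
    '[Sat Aug 4 21:21:27 2001] [error] [client 209.53.186.253] File does not exist: /usr/local/www/data/default.ida',
]

if __name__ == '__main__':
    for line in ACCESS_SAMPLE:
        m = ACCESS_RE.match(line)
        req = m.group('request')
        print(m.group('ip'), m.group('status'), classify_request(req),
              [hex(d) for d in payload_dwords(payload_words(req))])
    # '206.' is an assumption: the page never names the server's address, but its
    # Code Red II hits cluster in 206.x.x.x, which is what the /8 check is for.
    print(summarize_errors(ERROR_SAMPLE, local_prefix='206.'))
```

To run it against your own logs, read httpd-access.log and httpd-error.log into the two lists in place of the samples. The repeated 0x7801cbd3 in the decoded dwords is a good sanity check that a hit really is Code Red and not some other client asking for default.ida.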

Code Red II has a much more sinister payload: it opens a backdoor on the infected server. What I don't understand is that, with all of the Apache-based web sites in the world logging these requests, you can probably track down who modified Code Red into Code Red II. Getting rid of Code Red II isn't that hard; however, you have to apply the Code Red I patch (the IIS fix) and then run the cleaner program provided by Microsoft on their web site. A bare reinstall of Windows 2000 Server doesn't help, because in the 60 seconds it takes to download the patches you will most likely be re-infected. Microsoft has the patch and the cleaner program on their download site. Download them and then run them. Disconnecting the system from the network while you clean it closes that window and is a little bit safer.

Apache isn't affected by this request at all; as the logs show, it simply rejects it with a 400 or a 404. Microsoft's IIS is vulnerable, but only if the system administrator ignored Microsoft's security bulletin of June 2001 (MS01-033), which fixed the buffer overflow in the Index Server ISAPI extension that handles .ida requests. What I found interesting is that the first probe was from a site in China. A traceroute of the IP address 61.137.106.19 shows that it is a computer in China connected through cn.net:

7 sl-gw4-tac-4-0.sprintlink.net (144.232.17.10) 36.978 ms 35.614 ms 48.209 ms
8 sle-chinatelecom-3-0.sprintlink.net (160.81.25.6) 204.831 ms 203.484 ms 208.218 ms
9 p-13-0-r1-c-bjbj-1.cn.net (202.97.33.9) 214.946 ms 212.845 ms 203.953 ms
10 p-2-0-r1-c-gdgz-1.cn.net (202.97.34.98) 238.290 ms 244.227 ms 240.958 ms
11 p-2-0-r1-a-hncs-1.cn.net (202.97.40.102) 252.129 ms 251.059 ms 241.760 ms
12 61.187.255.69 (61.187.255.69) 257.682 ms 247.180 ms 250.683 ms
13 61.187.255.150 (61.187.255.150) 258.112 ms 264.947 ms 262.500 ms
14 202.103.104.38 (202.103.104.38) 266.118 ms 260.693 ms 267.298 ms
15 202.103.104.42 (202.103.104.42) 268.956 ms 263.294 ms 254.615 ms
16 202.103.104.58 (202.103.104.58) 269.645 ms 261.278 ms 262.434 ms
17 61.137.106.19 (61.137.106.19) 260.589 ms 273.763 ms 261.889 ms

A traceroute of 66.56.20.189 shows that it is a host on mediaone.net, and the "atl" in the reverse DNS name of the last hop points to the Atlanta, Georgia area. The last entry in the traceroute is:

22 rr-56-20-189.atl.mediaone.net (66.56.20.189) 158.782 ms 153.852 ms 133.227 ms


Last revised:  Sunday, January 13, 2002.