Apache Week
   

Copyright 1996-2005
Red Hat, Inc.

First published: 17th August 2001

Code Red requests for /default.ida

We receive a large number of messages from system administrators who see requests for /default.ida in their Apache access logs. The requests look similar to this:

192.168.2.12 - - [19/Jul/2001:16:55:47 +0100] "GET /default.ida?NNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
  HTTP/1.0" 400 252 -

If you are running Apache there is nothing to worry about, these requests are part of the Code Red Worm designed to search out vulnerable IIS servers running on Windows. You can quite happily ignore these requests

Other common requests

Other common log entries you might see include:

  • Requests for robots.txt in the root directory. These requests are normally automatically made by robots which will analyse the contents of this file to see what files and directories they are not allowed to access. The format of the robots.txt file is given in the HTML 4 Specification.
  • Requests for favicon.ico in various directories (first seen in April 1999). Microsoft Internet Explorer version 5 and above can display a site-defined icon when a site's URL is displayed in a favourites list. This icon is obtained by asking the site for favicon.ico. If the URL contains slash characters (normally used to represent a directory hierarchy), MSIE 5 will request "favicon.ico" in each parent directory until it finds one or reaches the root. The format of the favicon.ico file is the Microsoft icon format. To see this 'feature' in action, bookmark this page using MSIE.
  • Requests for cmd.exe in various directories. These are usually attempts to exploit various security vulnerabilities that affect Microsoft IIS servers.

This feature brought to you by: Mark J Cox
Comments or criticisms? Please email us at editors@apacheweek.com