Yes Lucas, I know it's not a threat to my system. I said so in my original post, but it can't hurt to let people know not to worry. The reason I'm trying to do this is because I'm sick of my Apache logs getting bloated. I'm going to try installing snort with flexresp and see if I can just kill it by content filtering. There's a lot of variants out now and there's the eEye test as well. I'm averaging 8 per hour if I set my server up on a new static IP that's never had a server on it. The new version is worse because it only looks outside of your address range 12.5% of the time and it's only going to increase. What are you averaging?
-j
Bloated? If 8 entries/hour 'bloats' your Apache logs, why are you running Apache at all? It seems like absolutely nobody is using it. In the 7,829 lines of my log, 20 of those are 404s from Code Red and 79 are 404s in general. And this is my home computer/developer computer, not my main server.
Another way to look at it is that one line of error from one Code Red attempt is less than 450 bytes. My hard drive is 30 Gigabytes. 450 bytes divided by 30 Gigabytes is just about zero. Even 20 times 450 bytes is zero. And since logs are generally used as data for statistics-making programs, all you have to do is find the percentage of 404s that are from Code Red (in my case it is 20/79, which is about 25%) and keep that in mind while looking at the general statistics.
-Lucas
http://www.rufy.com/
Whoops, those were old logs; here are the numbers since April 4th:
18,800 lines in my access_log (1.9MB)
592 lines of 404 errors total
45 lines of 404 errors due to Code Red
Summary:
Code Red takes:
About 8% of 404 errors
About 0.2% of all lines of my access_log
About 20 kbytes of my hard disk space
About 0% of my hard disk space
Any questions?
-Lucas
http://www.rufy.com/
Does the IP address at the beginning of these log entries indicate the IP address of the infected machine? If so then I could potentially contact some of the ones that are showing up that have a local IP address (local to work). I.e. not ignore these, but respond to them.
I see lots of those XXXXXXXXXXXX.. entries, but also some with N...... For example:
66.89.136.70 - - [08/Aug/2001:09:58:02 -0400] 'GET /default.ida?NNNNN..[snip]..NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0' 400 326
What does that indicate if anything?
The XXXXXXX entries are of a newer strain of the worm, which apart from using a large number of X's to force the buffer overflow in IIS (instead of N's) doesn't seem different.
As for warning infected parties about their infections: there are so many that it becomes a bit of a chore very soon.
I thought about writing a quick PHP script that parses the IP address of the server making the request, and then sends a mail message warning of their infection to abuse@the_offending_ip_address, but still haven't found the time yet.
It would be trivial to write such a simple script, name it default.ida (the file the Code Red worm tries to access on your server), put it in the server root, and change /etc/httpd/httpd.conf so that '.ida' files will be recognized as PHP files (to make sure the script actually gets executed).
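The parsing step that the PHP idea above and the earlier question about the source IP both need, written out as an added example in Python (this is not code from the thread or from any of its posters). It reads Apache common-log-format lines, picks out the default.ida probes, tells the N-filler strain from the X-filler strain the way the reply above distinguishes them, tallies probes per source IP, and prints the same kind of 'Summary:' figures Lucas posts. The log lines are constructed for the demo, not real traffic, and the payloads are shortened. One caveat the post does not mention: abuse@<ip-address> is not a deliverable mailbox, so the per-IP tally is what you would take to a whois lookup for the netblock's abuse contact, not a mail address in itself.

```python
import re
from collections import Counter

# Constructed sample access_log (common log format) for the demo; not real traffic.
# Payloads are abbreviated the way the thread abbreviates them.
SAMPLE_ACCESS_LOG = (
    '66.89.136.70 - - [08/Aug/2001:09:58:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
    '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00'
    '%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 326\n'
    '10.0.0.12 - - [08/Aug/2001:10:01:17 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00'
    '%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 290\n'
    '192.0.2.44 - - [08/Aug/2001:10:03:40 -0400] "GET /index.html HTTP/1.0" 200 1532\n'
    '192.0.2.44 - - [08/Aug/2001:10:03:41 -0400] "GET /images/logo.gif HTTP/1.0" 404 210\n'
    '10.0.0.12 - - [08/Aug/2001:11:15:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00'
    '%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 290\n'
)

# One common-log-format line: ip ident user [time] "request" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return the fields of one access_log line, or None if it is not CLF."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def codered_variant(uri):
    """Classify a request URI: 'N' or 'X' for the two filler styles the thread
    describes, 'other' for a default.ida probe with some other filler, None if
    it is not a default.ida request at all."""
    path, _, query = uri.partition('?')
    if path != '/default.ida':
        return None
    if query.startswith('N'):
        return 'N'
    if query.startswith('X'):
        return 'X'
    return 'other'


def summarize(log_text):
    """Compute the figures Lucas posts: how much of the log, of the 404s and of
    the disk the worm's probes account for, plus a per-source-IP tally."""
    stats = {
        'lines': 0, 'unparsed': 0, 'status_404': 0,
        'codered': 0, 'codered_404': 0, 'codered_bytes': 0,
        'by_variant': Counter(), 'by_ip': Counter(),
    }
    for line in log_text.splitlines():
        stats['lines'] += 1
        rec = parse_line(line)
        if rec is None:
            stats['unparsed'] += 1
            continue
        is_404 = rec['status'] == '404'
        if is_404:
            stats['status_404'] += 1
        variant = codered_variant(rec['uri'])
        if variant is None:
            continue
        stats['codered'] += 1
        if is_404:
            stats['codered_404'] += 1
        stats['codered_bytes'] += len(line) + 1   # +1 for the newline on disk
        stats['by_variant'][variant] += 1
        stats['by_ip'][rec['ip']] += 1
    return stats


def percent(part, whole):
    return 0.0 if whole == 0 else 100.0 * part / whole


def report(stats):
    """Human-readable summary in the same shape as the thread's 'Summary:' posts."""
    lines = [
        f"{stats['lines']} lines in access_log ({stats['unparsed']} unparsed)",
        f"{stats['status_404']} lines of 404 errors total",
        f"{stats['codered']} Code Red probes, {stats['codered_404']} of them 404s",
        f"Code Red takes about {percent(stats['codered_404'], stats['status_404']):.0f}% of 404 errors",
        f"Code Red takes about {percent(stats['codered'], stats['lines']):.1f}% of all lines",
        f"Code Red takes about {stats['codered_bytes']} bytes of disk",
    ]
    for ip, n in stats['by_ip'].most_common():
        lines.append(f"  {ip}: {n} probe(s) -- look up the netblock's abuse contact before mailing")
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(summarize(SAMPLE_ACCESS_LOG)))
```

Run it against a real file with `summarize(open('/private/var/log/httpd/access_log').read())`; lines that are not common log format are counted under 'unparsed' rather than silently skipped, so a combined-format log shows up immediately as a parsing problem instead of as zero probes.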
I contacted one of the people and sure enough they had Code Red. Turns out that they were unaware that they were even running IIS.
Anyway, I figure I can automate this via an AppleScript. Our network ops have a web page where you can find out the owner of a particular local IP address, including email address. So, I could use Web Miner to do the query and get the result, then tell Mail to send an email to them. It's too bad the nifty OS X application 'File Monitor' does not let you trigger an action, either AppleScript or a shell script, when it spots particular types of entries. Is there any thing that would do this for Unix? I can run AppleScript from a shell script, so that would work too.
OK, checked mine too. M$ !!!! and hackers, thanks.
I know this is really lame and I should be looking for this on my own, but would somebody please kindly point me in the right direction on how to 'trim' my access and error logs.
I would really appreciate it.
Also, since I'm requesting help has anybody made an email responder script to notify the infected host?
OK... here's something I found for a PHP solution; wonder if it'll work?
http://www.hotscripts.com/Detailed/11415.html
First of all, that PHP script is not necessary, way too much of an overkill actually since CODE RED DOES NOT AFFECT MACINTOSH. Second of all, you couldn't get it running on Mac OS X because you need IP Tables which is a Linux firewall tool, not BSD!
-Lucas
Thanks for saving the trouble. Last night before going to bed I was wondering about that. IP Tables that is.
Although Code Red doesn't necessarily affect my computer, it has in another sense. I've noticed hard drive creep. Slowly and steadily the access_log is filling up, which takes up space.
Thanks for your reply. I probably would've played with the script and found out the hard way.
One line of error code from one Code Red attempt is less than 450 bytes. My hard drive is 30 Gigabytes. 450 bytes divided by 30 Gigabytes is just about zero. Even 100 times 450 bytes (about 44k) in perspective of a 30GB (or even 12GB) drive is zero. If you don't think you can spare an extra 44k of disk space, I think it is time for you to get a new computer.
-Lucas
http://www.rufy.com/
Ok, so it's not that then. Thanks.
How about this then. I open access_log up with pico and it complains that file has long lines and there are now 65571 lines total in my log.
Sure, my question might be outrageous for those more experienced than I am, and I probably should open files with a different type of editor that allows scrolling versus control-V or control-Y to page down or up. I should even get myself a book to study more about my system; this I all agree with. I'm not even really complaining that I'm missing some drive space. I just mentioned drive creep and how I can cut down on my log and save space. I should have also mentioned that I would like to reduce the 'length' of my log. Sorry.
So, let me re-ask my question. How can I cut down my log's 'length'?
I prefer using pico since it's a little more unix than let's say textedit would be and therefore reminds me that I'm editing files that are part of the system.
To cut down on the space it takes, (which is completely minimal, therefore giving you a trivial amount of hard disk space) just delete the log.
-Lucas
Here are numbers from my home/development computer since April 4th:
18,800 lines in my access_log (1.9MB)
592 lines of 404 errors total
45 lines of 404 errors due to Code Red
Summary:
Code Red alone takes:
About 8% of 404 errors
About 0.2% of all lines of my access_log
About 24 kbytes of my hard disk space
About 0% of my hard disk space
Less than 0% of my worries
Any questions?
-Lucas
http://www.rufy.com/
Wow! 1.9 meg file.
May I ask, why keep it so long?
What editor do you use to view it?
Thanks for the information.
Actually, it is interesting to see such stats. I'm not being sarcastic or anything just that being a 'regular' mac user for years and having no real unix/bsd experience this type of information does provide insights into the system I'm using.
Thanks.
I keep it so long because I like the statistics; the bigger the log, the better the accuracy of the statistics. I use Analog (freeware) to process the log files:
http://www.summary.net/soft/analog.html
-Lucas
http://www.rufy.com/
thanks cardmagic. I appreciate it.
Sounds like a good idea just to have that script running to check my box every once in a while.
'We need your Code Red logs'
In Terminal.app, go to /private/var/log/httpd; then, with sudo, run
grep 'default.ida' access_log | mail -s 'APACHE' redalert@dshield.org
Go to
http://www.dshield.org/codered.html
for more details and info.
if I knew more about the backdoor that the worm opens, I would write a script to shutdown each of the offending servers.
also on the subject of viruses
this one is a bit irritating
'New virus travels in PDF files'
http://news.cnet.com/news
'if I knew more about the backdoor that the worm opens, I would write a script to shutdown each of the offending servers.'
Heh. I was just mentioning an idea to my co-worker a couple of days ago that we could get a similar virus to infect and apply security patches to servers susceptible to Code Red, then go and infect other servers. He thought we could call it Code White, then asked whether the end justifies the means.
In this case, I thought so. :)
Later,
Louie
If you only have that many Code Red attempts then you're lucky. I'm definitely in a Code Red II hotspot since it looks for close IP numbers now. I changed my IP to a private one that never had a domain name or webserver on it and within 8 hours I had 53 attacks. I verified this by running the snort filter set, logging the results to mysql, and checking them with snortreport.
So:
SetEnvIf Request_URI '^/default.ida' IDAREQ
CustomLog '/private/var/log/httpd/access_log' common env=!IDAREQ
You could escape the other regexp characters in the regular string, but I'm not putting anything named default.ida on my machine.
-j
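The SetEnvIf pattern in the post above is a regular expression, which is why the poster mentions escaping: the unescaped '.' in '^/default.ida' matches any character, and nothing stops the match at the end of the filename. This added example (not code from the thread or from its posters) emulates in Python which access_log lines Apache would suppress under the posted pattern and under a tightened one that escapes the dot and stops at '?' or end of URI. The sample lines are constructed, and '/default-ida' is a hypothetical filename chosen only to show the over-match. One practical consequence grounded in the earlier dshield post: once these lines are kept out of access_log, 'grep default.ida access_log' finds nothing to mail, so if you want both, send the matched requests to a second CustomLog with 'env=IDAREQ' instead of dropping them.

```python
import re

# The pattern as posted (a regex: '.' matches any character, no end anchor) and a
# tighter form added here that escapes the dot and stops at '?' or end of URI.
POSTED_PATTERN = r'^/default.ida'
TIGHT_PATTERN = r'^/default\.ida(\?|$)'

# Request URI out of the quoted request line of a common-log-format record.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def request_uri(line):
    """Pull the request URI out of a common-log-format line (None if absent)."""
    m = REQUEST_LINE.search(line)
    return m.group(1) if m else None


def idareq_set(uri, pattern, nocase=False):
    """Emulate 'SetEnvIf[NoCase] Request_URI <pattern> IDAREQ': True when the
    variable would be set. Apache applies the regex unanchored, hence re.search;
    nocase=True stands in for SetEnvIfNoCase."""
    flags = re.IGNORECASE if nocase else 0
    return re.search(pattern, uri, flags) is not None


def filter_log(lines, pattern, nocase=False):
    """Emulate 'CustomLog ... common env=!IDAREQ': return (written, suppressed)."""
    written, suppressed = [], []
    for line in lines:
        uri = request_uri(line)
        if uri is not None and idareq_set(uri, pattern, nocase):
            suppressed.append(line)
        else:
            written.append(line)
    return written, suppressed


# Constructed sample lines (not real traffic); the worm payload is abbreviated.
SAMPLE = [
    '10.0.0.12 - - [08/Aug/2001:10:01:17 -0400] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 290',
    '192.0.2.44 - - [08/Aug/2001:10:03:40 -0400] "GET /index.html HTTP/1.0" 200 1532',
    # hypothetical legitimate file whose name differs from default.ida only at the dot
    '192.0.2.44 - - [08/Aug/2001:10:04:02 -0400] "GET /default-ida HTTP/1.0" 200 88',
    # hypothetical file that merely starts with the worm's filename
    '192.0.2.44 - - [08/Aug/2001:10:04:30 -0400] "GET /default.idaho.html HTTP/1.0" 404 210',
]


def compare(lines):
    """Lines each pattern would keep out of access_log."""
    return {
        'posted': filter_log(lines, POSTED_PATTERN)[1],
        'tight': filter_log(lines, TIGHT_PATTERN)[1],
    }


if __name__ == '__main__':
    for name, dropped in compare(SAMPLE).items():
        print(name, 'pattern suppresses', len(dropped), 'line(s):')
        for line in dropped:
            print('   ', request_uri(line))
```

With the sample above the posted pattern suppresses three of the four lines, including the two non-worm requests, while the escaped pattern suppresses only the actual probe; that is the difference the 'escape the other regexp characters' remark refers to.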