Code Red ][ Hackbacks

by Jason McIntosh

People on Slashdot are sharing vigilante scripts (in shell and various scripty languages) meant for triggering when the Code Red ][ worm knocks on one's webserver (not hard to detect, since it leaves a distinct signature in its request -- have you run grep default.ida?XXXX on your access logs lately?). When launched, the programs immediately leap down the throat of the machine from which the request came and attempt to exorcise the foul worm from it on the spot, or at least let the machine's administrator know that something's amiss. This surprising behavior becomes possible since the worm leaves its victims wide open to all sorts of intrusion, including those which might try to do the machine's owner (and the whole Internet) a favor, albeit to nobody's awareness. Wacky.

Some examples:

(I find myself typing '][' a la 'Apple ][' when writing 'Code Red ][' just because one of these back-hackers' hacks did the same, and it's a funsticky idea, I suppose. Did you know that Code Red was named such by its initial dissectors both because of its silly 'Hacked by Chinese!!!' website defacement message, and in honor of the Mountain Dew variant of the same name?)
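
The grep mentioned above, expanded into a small access-log scanner that tallies probing hosts so their administrators can be told. This is an added example, not one of the Slashdot scripts; it assumes Apache common log format, the log lines are constructed, and it also flags the original Code Red, which padded the same request with N characters instead of X.

```python
import re

# Constructed sample lines (documentation-range addresses, shortened padding,
# worm payload omitted). The last line is an ordinary search that merely
# mentions the signature; a bare grep would count it as a probe.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:10:01:12 -0400] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.7 - - [05/Aug/2001:10:03:40 -0400] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [05/Aug/2001:10:09:55 -0400] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 276
203.0.113.5 - - [05/Aug/2001:10:11:02 -0400] "GET /index.html HTTP/1.0" 200 5120
203.0.113.9 - - [05/Aug/2001:10:12:30 -0400] "GET /search?q=default.ida?XXXX HTTP/1.0" 200 812
"""

# host, timestamp and request target from one common-log-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')
# The probe asks for /default.ida itself, followed by a run of padding.
PROBE = re.compile(r'^/default\.ida\?(N{4,}|X{4,})')
VARIANT = {"N": "Code Red", "X": "Code Red ]["}  # inferred from padding only


def scan(lines):
    """Return {(source, variant): {"hits", "first", "last"}} for worm probes."""
    seen = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a common-log-format line
        source, when, target = m.groups()
        probe = PROBE.match(target)
        if not probe:
            continue  # normal traffic, or the signature only appears in a query
        key = (source, VARIANT[probe.group(1)[0]])
        entry = seen.setdefault(key, {"hits": 0, "first": when, "last": when})
        entry["hits"] += 1
        entry["last"] = when
    return seen


def report(seen):
    """Tab-separated rows, busiest source first, ready to send to an admin."""
    rows = sorted(seen.items(), key=lambda kv: -kv[1]["hits"])
    return [f"{src}\t{variant}\t{e['hits']}\t{e['first']}\t{e['last']}"
            for (src, variant), e in rows]


if __name__ == "__main__":
    print("\n".join(report(scan(SAMPLE_LOG.splitlines()))))
```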