CodeRed.C - Port 80 block?

[ChromWolf]

How difficult is it to find a (freeware, preferably) program that sets up port blocking, specifically on port 80? My cable modem is being BOMBARDED by requests for a "/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXX (etc., then random characters)" over and over again, and it's REEEEALLY chewing up the bandwidth... I *do* run a webserver, but I run OmniHTTPd, and it's run on WinME. Basically, the big problem is the bandwidth.. The port scanning has been going on since this afternoon, and has occured a few other times before this as well. I contacted my ISP (Charter@home), and they said there's not a whole lot they can do about it. Can someone suggest a program to block port 80? (I reset my web server to work on port 85, does anyone forsee problems on this?)

Thanks in advance!!

--Rob

[Billnodeal]

The problem you have is being with charter! I have cancelled my service with them because of their terrible & I do mean TERRIBLE tech support & customer service. Have you installed the patch from Microsoft to block code red?

[morriswindgate]

Since you are running WinME you do not have a problem with CodeRed.
I am also having a problem and this Thread tells what is going on.
http://forum.pcmech.com/showthread.php?threadid=16116

[mairving]

The only systems affected are Windows 2000, NT with IIs installed. IIs comes with W2K and NT Server editions. It does not come with W2k Pro or NT workstation.

Quote:

from Microsoft's website Who Must Act? Every organization or person who has Windows NT or Windows 2000 systems AND the IIS web server software may be vulnerable. IIS is installed automatically for many applications. If you are not certain, follow the instructions to determine whether you are running IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, Windows Me, Windows XP RC1 or later, or Windows .NET Server build 3505 or later, there is no action that you need to take in response to this alert.

[glc]

You can't really blame Charter for this one - they are kinda helpless because there are thousands of zombies hammering their IP blocks with this thing looking for servers to infect.

[Billnodeal]

yeah GLC, i'm not really blaming charter for the code red virus. I'm just ticked off at them for being completely useless! My cable modem worked great when it was working! They just could never tell why it would'nt work half the time or give me any credit for the days of down time.

[ChromWolf]

After a VERY hectic mess regarding not liking WinME and removing it from the computer, I ended up getting a LinkSys Router/Switch... But that was my own fault, not Charter's. FINALLY it's back up today; it was possibly back a few days ago, but I made the fatal error of "fixing what wasn't broken" when it comes to a computer. Anyway, I've never had any problems with Charter---I sense "it's a bad mobo!!" syndrome.... I always loved reading posts saying companies like Asus, Epox, Gigabyte, whatever sucks, just cuz ONE guy got a bad board, or screwed it up or something.... okay, okay, that was harsh, forgive me... I'm only kidding, but my venting comes from a legit complaint; and besides, I've had a rough couple of days with the entire fam on my back to get cable modem access back... To repsond to the other posts, yes, I know who's affected. Me. I don't run NT or 2000, nor IIS. I'm affected just like everyone else----being bombarded with port 80 sweeps that eventually killed the modem connection. *That* was actually what I was looking for help on..... However, the router can take care of it (yay LinkSys!) Thanks, all!!

Incidentally, GLC, one thing I did notice... not only are charter IP's *being* hammered, the vast vast majority of IP's that were hammering me were also Charter, if not all of them outright.... although, I tried loading a couple of them into a web browser to see if there was anything there, and there wasn't... FWIW, anyway...

[Billnodeal]

Hey chromwolf, I am not the only guy that has had problems with charter. In fact the whole city of Newnan had so many problems with them, that charter gave them 3 months free service! My beef with them is I've had so much down time with the network (not the modem or moboard) that it got to be ridiculous. They kept promising to give me credit but to this date has not. They could never explain what the problem was except to blame it on my pc. Then when a tech actually came out to check the problem it was a day after they worked on the cable lines in my neighborhood! Needless to say everything was working fine at the time of his housecall. He also told me that for the previous 6 weeks all he had done is go around & troubleshoot problems with peoples service only to find the trouble was in the hardwire. My problem is they lied to me numerous times about what they were going to do & their customer service sucks!

[glc]

That's no worse than any other broadband provider's customer service that I've seen - unfortunate but typical.

[Billnodeal]

Sure GLC, but that is the problem with most companies today. There is a big problem with the world today since most people could care less about anyone else. People need to remember that without customers there is no business!

[ChromWolf]

okay, okay, I'm only teasing, but seriously, billnodeal, most of this has nothing to do with the original thread question, it's just that (A) I'm not a moderator, and (B) the problem is gone now... just commenting, not a flame or anything.

[Billnodeal]

That's fine Chromwolf, it isn't a big deal anyway. You just don't realize how frustrating it's been dealing with those people at Charter. I liked the cable modem great when it was working. There is no dsl available where I live yet & I'm looking at a sat hook up now. By the way, where did you come up with the name "Chromwolf"?

[ChromWolf]

I realize EXACTLY what you're going thru--I'm in tech support, I know how it goes on both sides of the fence. As for the name, it came back when I was big into IRC... I had used "OrbKnight" before (I'm big into fantasy stuff).. Now, concerning the first screenname, remember that this was several years ago, I was much younger, and therefore alot closer to "child" than I am now.... but... OrbKnight's ability, when I went into appropriate channels, was to hurl multicolored orbs which did various things... Anyway, I started coming to these wolf channels on IRC, and wanted to bring the concept over.... Originally, it was supposed to be "Chromatic Wolf", but the particular network I was on only allowed a 10 character name, so it got shortened. As time progressed, and the days of the immature 13-year-old internet users abounded, people assumed it meant "Chrome Wolf", and I just sorta said sure, whatever... The history of my name, FWIW... I have one other question, but allow me to use a second post for it....

[ChromWolf]

Okay, here we go. I recently bought a router to solve the problem of the troublesome netbox computer that used to be routing the net throughout the house. However, I also ran a webserver on that computer, since it had the assaigned IP from Charter. Now that the Router technically has that IP, I can't seem to run the webserver anymore... the router assigned a standard Intranet IP to the netbox, and even when I set the webserver's IP the same as the netbox's and try to bring it up in a web browser, it still brings up the setup screen for the router (it's a LinkSys 4-port Router/Switch)... Is there any way I can get around this? Incidentally, I use OmniHTTPd 2.0. Any and all help appreciated!

[Xayd]

If you go to the internal IP in your browser, it should take you to the webserver. If you go to your public IP from outside the network and you have the port the webserver listens on forwarded to the correct internal machine, you should also be taken to the webserver.

It won't work going out from an internal machine, then back in to the webserver.

So, basically, you can't see your webserver on your public IP, but anyone else should be able to. No one else can see what your webserver's *real* internal IP is, but you should be able to connect by that internal IP with no problem.

For instance...

My machines are 10.0.0.2, 10.0.0.3, and 10.0.0.4. The router is 10.0.0.1 to those machines. Lets say my public IP is 208.191.1.1

If I go to 10.0.0.3, the machine I use for my server, I'll see a webserver, ftp server, Unreal Remote Admin for my game server or whatever depending on the port number I specify and the client I use to connect with. If someone from outside connects to 208.191.1.1, what they get depends on what port they're coming in on. That's how NAT works. Lets say I forward port 23 to 10.0.0.2, and port 21 to 10.0.0.3. If I telnet to 208.191.1.1 from outside of my network (default port 23), the router will forward me to the internal machine behind it 10.0.0.2. On the other hand, if I ftp to 208.191.1.1 on default port 21, the router will forward that request to the internal machine 10.0.0.3. All this would be transparent from the outside. From a remote machine it would appear that telnet and ftp were running through to the same machine.

This is also how the firewall functionality works. If you don't forward port 23 to anything and someone from outside tries to telnet to your IP on port 23, the router eats up the request, and doesn't send back a reply. To the remote machine that sent the request, it appears that you don't exist.

NAT won't bounce a request from your public IP back inside to an internal machine if the request originated from an internal machine, though.

It boils down to--you can see all of your different machines by their IPs on the inside, no one on the outside can. To the outside, you're just one machine, which is the router. The NAT config you set up makes it all work, but since you're technically on a single public IP, going to a server by your public IP from the router's perspective I assume looks like a request going from yourself to yourself--i.e., does not compute .

Forward the port the webserver listens on through to the proper internal IP in the router, then the server will work fine. You'll just have to find someone else to test it for ya.

Xayd