Re: Apache CodeRed Countermeasures
That's the script solution, separated into an init step and a cronjob.
    cd /var/log/httpd

init:

    # initially block Code Red hosts
    # -F: match the request as a fixed string ('.' and '?' are not regex metacharacters)
    grep -F "GET /default.ida?XXX" access.log | cut -f1 -d' ' | sort | uniq > codered.init
    for i in $(cat codered.init); do
        /sbin/ipchains -A input -j DENY -i eth0 -s $i
    done
    echo "$(wc -l < codered.init) hosts blocked"

cron:

    # check for new hosts regularly
    grep -F "GET /default.ida?XXX" access.log | cut -f1 -d' ' | sort | uniq > codered.new
    for i in $(cat codered.new); do
        # -x -F: whole-line fixed-string match, so 1.2.3.4 does not match 1.2.3.45
        # and the dots are not treated as wildcards
        if ! grep -qxF "$i" codered.init; then
            /sbin/ipchains -A input -j DENY -i eth0 -s $i
            echo $i >> codered.init
        fi
    done
To actually know if the poor user reacted to that, I redirected /default.ida to a huge mp3 file of mine, which is streamed over icecast. This stream lasts for one hour. In the icecast logs I can see when or if the user stopped that streaming manually.
It should hurt the user to force him to download an antivirus toolkit, and I don't have to pay for traffic :)
If he stopped it and if afterwards no /default.ida appears, he is revoked immediately. All others stay blocked for 2 weeks.
I'll have to beautify this icecast analysis-and-revoke script and post it then.
Note that such a large number of ipchains rules slows down network ins, so hosts should not be blocked forever; such worms typically last for two weeks. Code Red lasts longer, but it will decrease soon.
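An added example, not the poster's script, putting the same procedure (extract probing hosts from the access log, block the ones not yet known, drop the rules again after two weeks) into shell functions that can be dry-run on a box without ipchains. It assumes a common-log-format access log read from stdin, a state file of "ip<TAB>epoch" lines (the poster's codered.init only kept the IP), an eth0 interface, and a hypothetical FIREWALL variable that defaults to printing the ipchains command instead of running it. The log lines in sample_log are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. FIREWALL and BLOCK_DAYS are
# assumed knobs: FIREWALL defaults to a dry run (prints the command), set
# FIREWALL=/sbin/ipchains to actually change the input chain.
FIREWALL=${FIREWALL:-"echo /sbin/ipchains"}
BLOCK_DAYS=${BLOCK_DAYS:-14}

# Constructed sample access.log (common log format) for the example.
sample_log() {
    cat <<'EOF'
10.0.0.5 - - [19/Jul/2001:10:12:01 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 275
10.0.0.50 - - [19/Jul/2001:10:12:02 +0200] "GET /index.html HTTP/1.0" 200 1043
192.168.1.7 - - [19/Jul/2001:10:13:44 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 275
10.0.0.5 - - [19/Jul/2001:10:14:09 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 275
EOF
}

# Print the unique client IPs of Code Red probes in the log read on stdin.
# grep -F keeps '.' and '?' literal; the poster's unanchored regex would
# also let '.' match any byte.
codered_hosts() {
    grep -F 'GET /default.ida?XXX' | cut -d' ' -f1 | sort -u
}

# Block every IP read on stdin that is not already in the state file
# ($1), recording the block time ($2, epoch seconds). grep -qxF matches the
# whole line as a fixed string, so 10.0.0.5 is not confused with 10.0.0.50.
block_new() {
    state=$1; now=$2
    [ -f "$state" ] || : > "$state"
    while read -r ip; do
        if ! cut -f1 "$state" | grep -qxF "$ip"; then
            $FIREWALL -A input -i eth0 -s "$ip" -j DENY
            printf '%s\t%s\n' "$ip" "$now" >> "$state"
        fi
    done
}

# Drop rules older than BLOCK_DAYS (the post's "blocked for 2 weeks") so the
# input chain does not keep growing; entries still within the window stay.
expire_old() {
    state=$1; now=$2
    cutoff=$((now - BLOCK_DAYS * 86400))
    tmp="$state.tmp"
    : > "$tmp"
    while read -r ip ts; do
        if [ "$ts" -le "$cutoff" ]; then
            $FIREWALL -D input -i eth0 -s "$ip" -j DENY
        else
            printf '%s\t%s\n' "$ip" "$ts" >> "$tmp"
        fi
    done < "$state"
    mv "$tmp" "$state"
}
```

Run it as `sample_log | codered_hosts | block_new /var/log/httpd/codered.state "$(date +%s)"` from cron, and `expire_old /var/log/httpd/codered.state "$(date +%s)"` once a day; with the default FIREWALL both only print the ipchains commands they would issue.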