Code Red creates hacker hit list

Worm ups the ante in possible virus attacks.

Written by James Middleton

In the wake of the Code Red virus, security watchers have pointed out that millions of IT administrators and web users are now in possession of an exhaustive list of web servers vulnerable to attack.

Speculative calculations suggest that these figures could be nearing the quarter of a million mark.

When Code Red has infected and settled into a new host, it starts scanning the internet for more vulnerable machines.

Every machine or firewall it hits logs the attempt, so the log files of web servers everywhere now contain a very long list of machines that have been infected and are still vulnerable.

The ISAPI .ida exploit used by Code Red to break into NT boxes is common knowledge.

And even though Microsoft assures us that the patch to stop the attack has been downloaded a few million times, there are still a few more million vulnerable web servers out there.

Anyone with a list of these wide-open boxes, gleaned from their server logs, has the potential to anonymously take over a few thousand servers overnight, with full administrator-level access.

US software consultant Braddock Gaskill, who wrote a White Paper (http://braddock.com/cr2.html) on the methodology behind this security flaw, said that an intruder could simply break into infected machines, read their log files and thus acquire a whole new range of vulnerable IP addresses.

"I've got one machine that has hit me with HTTP probes over 200 times in the last week. I've tried to contact the admin, but no luck. My next temptation is to crack into the box and just wipe it to stop the annoying alerts I get every few hours," he said.

He added that the strong recommendation from this report is that "as part of any CodeRed II recovery effort, the system web logs should immediately be destroyed, and Intrusion Detection Systems should be checking for and tracing recursive attempts to access web logs through the backdoor.

"In addition, the backdoor could conceivably be used with such a list of hosts to purge the worm and close the backdoors of all affected hosts," he said.
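The two points above (infected hosts announce themselves in the access logs they probe, and an IDS should watch for backdoor requests that go after the web logs) can both be checked with a small log scanner. The following is an added example, not code from the article or from Gaskill's white paper: it parses Common Log Format lines, flags the ISAPI .ida probe the article describes, flags requests to the root.exe/cmd.exe backdoor paths that public Code Red II analyses documented (those paths are not named in the article), and ranks the source addresses so an operator can notify or block them. The sample log is constructed from RFC 5737 documentation addresses; the padding threshold, labels and the `analyze` function's shape are this example's own choices.

```python
"""Detect Code Red probe and backdoor traffic in web server access logs.

Added example, not from the article. Scans Common Log Format lines for the
ISAPI .ida probe and for requests to the Code Red II backdoor paths, then
ranks source addresses for notification or blocking. The sample log below
is constructed (RFC 5737 documentation addresses), not real traffic.
"""
import re
from collections import Counter

# Constructed sample in Common Log Format: host ident user [time] "request" status size
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:10:15:01 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 238
192.0.2.10 - - [04/Aug/2001:10:15:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 238
198.51.100.7 - - [04/Aug/2001:10:16:40 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 238
203.0.113.5 - - [04/Aug/2001:10:17:00 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [04/Aug/2001:10:18:12 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 238
198.51.100.7 - - [04/Aug/2001:10:18:13 +0000] "GET /scripts/root.exe?/c+type+c:\\winnt\\system32\\logfiles\\w3svc1\\ex010804.log HTTP/1.0" 404 238
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# The .ida overflow probe: Code Red I padded the request with N, Code Red II with X.
# A run of 16 or more is an assumed threshold; the worms used far longer runs.
IDA_PROBE_RE = re.compile(r'^/default\.ida\?(?P<pad>N{16,}|X{16,})', re.IGNORECASE)
# Backdoor executables Code Red II leaves on an infected IIS host (public analyses).
BACKDOOR_RE = re.compile(r'/(root|cmd)\.exe', re.IGNORECASE)
# Backdoor queries that reference the web logs themselves.
LOG_PATH_RE = re.compile(r'logfiles|\.log\b', re.IGNORECASE)


def parse_line(line):
    """Split one CLF line into its fields, or return None for an unparsable line."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Label a suspicious request path: probe-N, probe-X, backdoor, backdoor-logs, or None."""
    m = IDA_PROBE_RE.match(path)
    if m:
        return "probe-" + m.group("pad")[0].upper()
    if BACKDOOR_RE.search(path):
        return "backdoor-logs" if LOG_PATH_RE.search(path) else "backdoor"
    return None


def analyze(log_text, repeat_threshold=2):
    """Count probe and backdoor hits per source and rank repeat offenders."""
    probe, backdoor, log_access, variants = Counter(), Counter(), Counter(), {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        label = classify(rec["path"])
        if label is None:
            continue
        ip = rec["ip"]
        if label.startswith("probe-"):
            probe[ip] += 1
            variants.setdefault(ip, set()).add(label[-1])
        else:
            backdoor[ip] += 1
            if label == "backdoor-logs":
                log_access[ip] += 1
    total = probe + backdoor
    offenders = sorted((ip for ip, n in total.items() if n >= repeat_threshold),
                       key=lambda ip: (-total[ip], ip))
    return {
        "probe_sources": probe,
        "backdoor_sources": backdoor,
        "log_access_sources": log_access,
        "variants": {ip: sorted(v) for ip, v in variants.items()},
        "repeat_offenders": offenders,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip in report["repeat_offenders"]:
        print(f"{ip}: probes={report['probe_sources'][ip]} "
              f"backdoor={report['backdoor_sources'][ip]} "
              f"log_access={report['log_access_sources'][ip]} "
              f"variants={report['variants'].get(ip, [])}")
```

A source that shows up in `log_access_sources` is the case Gaskill's recommendation is about: someone, or a second worm, reading the access log through an already-open backdoor, which is the signal an IDS rule should escalate rather than merely count. The ranking uses probe and backdoor hits together, since a host that has probed you is by definition infected and its owner needs contacting, as the quoted administrator found.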

Further reading

Code Red: internet on red alert

In the aftermath of the Code Red outbreak, experts suggested that the hysteria surrounding the worm may have been at least partly responsible for its failure to bring the internet to its knees. Although some reports were labelled as scaremongering, they may have prompted administrators to harden their servers against attack and ultimately stemmed the spread of the worm. But now a second variant of Code Red has appeared, it remains to be seen if the large number of still unpatched servers out there will help the worm spread further yet.

UK on Code Red alert

FBI warns that the worm is set for 'hyper growth' and that as many as 350,000 PCs could be infected.
