Slashdot Mirror


Code Red Worm Spreading, Set To Flood Whitehouse

altek writes: "CNET has an article describing a worm that has taken down over 12,000 MS IIS webservers." Bill Kendrick points to another CNET story, which reports that the worm will "cause every infected computer to flood the Whitehouse.gov address with data starting at 5 p.m. PDT," writing "Time to shut down all those IIS servers before the Internet gets flooded."

Slow Internet service due to all those extra packets of malice may not be the worst effect: As sp1n writes: "It appears that due to the way the worm formats its HTTP request and the semi-random way it seeks out vulnerable systems, it is also causing Cisco 67x DSL routers, widely deployed by Qwest, using firmware prior to 2.4.1, as well as some others, such as 3Com LanModems, to crash -- recoverable only by a power cycle. I have yet to see any news outlet cover the effect this is having on DSL service. Qwest's Interprise networking department confirmed they are receiving reports from all 14 states in their territory. Some routers running pre-2.4.1 firmware are crashing even though the web admin is disabled. This has become a huge support nightmare for every ISP in the region."

14 of 306 comments

  1. Fake worm warning makes ALL OF US flood website! by Anonymous Coward · · Score: 5

    It's a conspiracy. Everyone will hit the whitehouse.gov site to see if the alleged worm affected it, and in doing so, we have all been duped into participating in a DDoS attack on the site. Rather clever, actually. Proclaim the effect to create the cause.

  2. Press DOS attack by jonathanclark · · Score: 5

    This is actually the "Press DOS attack." You get some security expert to claim that a worm is spreading all over the internet and will attack X site at 5pm. Then everyone who reads the story will go see if the site is down at 5pm. And of course since everyone is hitting reload to see when it is down, the site gets flooded and goes down while the virus/worm never existed!

  3. So, who's REALLY in charge... by devphil · · Score: 5


    The government cannot take down Microsoft, but Microsoft can take down the government...

    *ponder*

    Right, so, who wants to build a space station with me and leave this BS behind? I'll bring cookies.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  4. If you don't run IIS but.... by heliocentric · · Score: 5

    I don't run IIS, but I've been seeing odd things in my logs. It took me a sec to check security focus and learn what it was. Here is an excerpt of a log file so if you see similar you know what's up.

    65.201.146.103 - - [19/Jul/2001:17:58:49 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 323 "-" "-"

    The thing on security focus indicating that "default.ida" thing is IIS probes (and/or possibly already compromised systems rescanning is here.

    --
    Wheeeee
  5. Obligatory reference: by bmo · · Score: 5

    Dick Cheney: SOMEONE SET UP US THE WORM!

    George Bush: MAIN SCREEN TURN ON!

    George Bush: IT'S YOU!!

    Li Peng: YOU HAVE NO CHANCE. MAKE YOUR TIME.

    Li Peng: HAHAHAHAHA

  6. Cisco DSL routers by Eric+Seppanen · · Score: 5
    I, and many of my co-workers, had our home DSL routers (Cisco 675s) lock up today as this worm scanned them.

    There is common belief that disabling the web interface will prevent this. It's not true; mine's been disabled ever since this was first reported a year ago and I still got hit. The problem is that "set web disable" prevents the web server from fiddling the router config, but doesn't actually stop the server from parsing input from port 80, which is what locks up the box.

    An improved workaround is to disable the web-admin interface and change its port number with "set web port 53496" (replace with some random port number). At least that'll stop it for the near term.

    Long term you need to get updated firmware, but of course Cisco won't distribute firmware directly to customers, even though they have public announcements of the existence of bugs and bugfixes. To actually get the firmware you have to get it from your DSL line provider (Qwest, in my case), and Qwest couldn't care less about security with respect to home users, so they've never bothered to offer fixed versions of CBOS.
    --
    314-15-9265
  7. what it looks like by tedtimmons · · Score: 5
    For those of you that tend flocks of web servers, here's what a request would look like:

    GET /default.ida?NNNNNNNNNNNNNNNNNNNNNN ...

    There are tons of N's (can you say buffer overflow?) and then stuff after the N's. I've left that out to make it harder for script kiddies.

    -ted
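    A small log scanner for the signature that comments 4 and 7 describe, added here as an example; it is not code from any comment on this page or from any tool the page mentions. It assumes Apache/NCSA combined log format (the format of the excerpt posted above), treats 20 or more consecutive N characters after /default.ida? as the probe signature (an assumed threshold; the worm itself sends several hundred), and also matches the X-filled variant that a later Code Red release used, which this page does not discuss. The log lines embedded in it are constructed sample input, not real traffic.

```python
from __future__ import annotations

import re
from collections import Counter
from typing import NamedTuple

# Apache/NCSA combined log format, as in the excerpt posted in comment 4.
# Only the leading fields are captured; referer and user-agent are ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Probe signature: /default.ida? followed by a long run of filler characters.
# N is what the page's log excerpt shows; X is the later variant (assumption
# from outside this page). The threshold of 20 is an assumed value chosen to
# stay well clear of ordinary query strings.
CODE_RED_RE = re.compile(r'^/default\.ida\?[NX]{20,}')


class Probe(NamedTuple):
    ip: str
    timestamp: str
    status: int


def parse_line(line: str) -> dict | None:
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(path: str) -> bool:
    """True if the request path carries the default.ida filler-run signature."""
    return CODE_RED_RE.match(path) is not None


def find_probes(log_text: str) -> list[Probe]:
    """Scan a whole log and return one Probe per matching request line.

    Unparseable lines are skipped rather than aborting the scan, since real
    logs routinely contain truncated or oddly formatted entries.
    """
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and is_code_red_probe(rec["path"]):
            probes.append(Probe(rec["ip"], rec["ts"], int(rec["status"])))
    return probes


def unique_sources(probes: list[Probe]) -> Counter:
    """Count probes per source IP, which is what comment 10 is tallying by hand."""
    return Counter(p.ip for p in probes)


# Constructed sample log. The filler runs are shortened to 60 characters and
# the %u-encoded tail is truncated; both are far longer in the real request.
N_RUN = "N" * 60
X_RUN = "X" * 60
SAMPLE_LOG = "\n".join([
    f'65.201.146.103 - - [19/Jul/2001:17:58:49 -0400] "GET /default.ida?{N_RUN}%u9090%u6858%ucbd3=a HTTP/1.0" 400 323 "-" "-"',
    '10.0.0.5 - - [19/Jul/2001:17:58:50 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    f'65.201.146.103 - - [19/Jul/2001:17:59:12 -0400] "GET /default.ida?{N_RUN}%u9090=a HTTP/1.0" 400 323 "-" "-"',
    'this line is deliberately not in log format',
    f'192.0.2.7 - - [19/Jul/2001:18:01:03 -0400] "GET /default.ida?{X_RUN}%u9090=a HTTP/1.0" 404 210 "-" "-"',
    '198.51.100.4 - - [19/Jul/2001:18:02:41 -0400] "GET /default.ida HTTP/1.0" 404 210 "-" "-"',
])


if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for p in hits:
        print(f"{p.timestamp}  {p.ip:<16}  status={p.status}")
    print("probes per source:", dict(unique_sources(hits)))
```

    Feed it a real access log with `find_probes(open("access_log").read())`; on a non-IIS server every hit is a scan from an already-infected host, so the per-source counts are a list of machines whose owners need to be told, not a list of attackers to act against. The last sample line, a bare request for /default.ida with no filler run, is there to show the check does not fire on that alone.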

  8. bashing M$ IS fun... by Raymond+Luxury+Yacht · · Score: 5

    ... but really, what would have been helpful to many IT readers would have been the link to the Microsoft bulletin and patch download in the /. article.

    --

    Ceci n'est pas une sig.
  9. Re:Update! by Smitty825 · · Score: 5

    While I don't disagree with your bug report, I want to point out that at 5PM PST, it officially becomes July 20th on GMT. Unless the attack begins on the 21st, I'm still assuming whitehouse.gov will be inaccessible tonight :-)

    --

    Doh!
  10. Re:Why or why.... by realdpk · · Score: 5

    It's not the RIAA or MPAA, but you might like these IPs:

    207.46.123.13
    207.46.152.122
    207.46.153.9
    207.46.171.237
    207.46.171.61
    207.46.171.68
    207.46.173.25
    207.46.175.96
    207.46.186.252
    207.46.187.123
    207.46.196.55
    207.46.196.58
    207.46.203.39
    207.46.227.38
    207.46.230.64
    207.46.239.116
    207.46.239.117
    207.46.239.44
    207.46.252.139
    207.46.28.158

    Each of them has hit default.ida on one server I'm watching. From what I can tell from whois -a, 207.46 is all Microsoft corp! They can't even keep up with their patches.

    (btw, on this same server I'm seeing a new unique IP default.ida hit every second)

  11. Why or why.... by Wintermancer · · Score: 5

    ....can't it be the RIAA's and MPAA's webservers?

    Sigh. Windows IIS: It's like walking around with a handful of twenties and giving a loaded gun to any criminal you meet.

  12. Re:Good description here: by Bender_ · · Score: 5

    Here is a full analysis of the worm. (including source!)

  13. Apologies to St. Ives.... by Eryq · · Score: 5

    While I was working for the feds,
    I met a worm they called Code Red...
    And Code Red hit 100K hosts,
    And every host had 3 infections
    And every infection had 100 threads
    And every thread sent 100k
    And every k had a thousand bytes [*]
    And every byte was sent in 1 packet
    And every packet had a 40-byte header
    Headers, packets,
    Bytes, k,
    Infections, hosts and threads...
    Once every month, just to piss off the Feds.

    [*] 1024 just doesn't scan well. :-)

    --
    I'm a bloodsucking fiend! Look at my outfit!
  14. Should have open sourced it... by srvivn21 · · Score: 5
    From http://news.cnet.com/news/0-1003-200-6604515.html
    ...each instance of the worm will attack the same computers in the same order, according to eEye's analysis. Maiffret said that while the addresses of the computers attacked by the worm seem to be random, because the worm uses the same starting point, or "seed," to generate the list, the "random" lists that any two worms generate are identical...
    You know that if this worm had been open sourced, that mistake would have been caught, and this would be an even better epidemic.