Slashdot Mirror


Code Red Reporting That Doesn't Suck

marvin tph writes "The results are in: Time.com is the first mainstream news source to write an intelligent article on story Code Red. With all the big guys telling people that we've only seen the eye of the storm, it's nice to see someone get it right."

8 of 191 comments

  1. The Silly Season by Marcus+Brody · · Score: 4, Informative

    In the UK, this time of year is sometimes referred to as "The Silly Season" in the media.
    All the politicians are away on summer holidays.... most of the decent journalists take a break as well. This leaves the papers a little thin on decent news (er, like, there's nothing happening in the world at all. honest guv. No civil war in Sri Lanka. No erupting volcano on Sicily. No siree). Basically, it's the time of year when two-bit journalists regurgitate 2-week old stories, and the papers are full of "and-finally" articles....

  2. Re:An observation... by Saint+Aardvark · · Score: 4, Informative
    Hey, folks -- mail those logs!

    From http://dshield.org/codered.html:

    As you have probably heard, the Code Red worm has infected over 100,000 machines running Microsoft IIS, and the total is rising. We need to identify the infected machines so that the owners of these machines can be notified so that they can be fixed. We are appealing to DShield submitters to do a special one time only submission for log entries that contain this information.

    Linux and other *NIX users can do this by changing to the directory where your web server logs are located and executing a script like this:

    grep 'default.ida?NNNNN' access_log | mail -s 'APACHE' redalert@dshield.org

  3. Re:Good quote about now knowing its there... by _xeno_ · · Score: 3, Informative
    I feel I need to point out the following:

    IIS stands for Internet Information Services - that includes FTP and HTTP. IIS is usually used as a webserver, but you can also use it as an FTP server and various other servers, all through the same "friendly" interface. You can install IIS without the webserver and with various other interfaces.

    My install of Win2K (hey, I'm at work, writing ASPs - it's a paycheck, lay off) has the following IIS options:

    • Common Files and Documentation as items - the Common Files are required, Docs are useful
    • FTP Server
    • FrontPage 2000 Server Extensions (allows FrontPage to post pages via the HTTP server)
    • Internet Information Services Snap-In - some sort of management utility
    • Personal Web Server - actually, a GUI for idiots who want to screw themselves over with bad IIS installs (it's basically an on/off switch for the webserver plus some pretty slides)
    • SMTP Service - an SMTP server
    • Visual InterDev plugin - same as FrontPage extensions, but for InterDev
    • World Wide Web Server - what most people call "IIS"

    IIS is just Microsoft's server platform, it isn't just a webserver - that's why you have to install it with an FTP server - it contains some core files along with pretty graphical management software. If it helps, think of it like inetd - it also does configuration and other management "stuff." (I'm not sure exactly what the "Common Files" are and what they do - I think they're mainly the configuration/management utilities though.)

    --
    You are in a maze of twisty little relative jumps, all alike.
  4. Re:Has anybody thought about this? by martyb · · Score: 5, Informative

    There are still about 100.000 vulnerable (and by now... infected) machines out there.

    As of the time of my posting this, there are about 130,000 infected hosts. Go to:

    http://www.caida.org/dynamic/analysis/security/code-red/index.html
    to see the "Dynamic Graphs of Code Red Worm" page from CAIDA (Cooperative Association of Internet Data Analysis).
  5. Re:An observation... by jroysdon · · Score: 2, Informative

    CodeRedII uses default.ida?XXXXX so one should use:

    grep 'default.ida?' access_log | mail -s 'APACHE' redalert@dshield.org
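
As an added example, not part of either comment or of DShield's instructions: the two grep patterns above can be combined into one pass that tells the variants apart by the padding character after `default.ida?` and counts hits per source address. It assumes Common Log Format with the client address in the first field; the log lines and the names `sample_log` and `classify_hits` are constructed for illustration.

```shell
#!/bin/sh
# Classify Code Red probes in an Apache access log by the padding character
# that follows "default.ida?" (N = Code Red, X = Code Red II, per the thread).

# Constructed sample lines (documentation-range addresses, padding shortened).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [01/Aug/2001:10:01:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 205
192.0.2.10 - - [01/Aug/2001:10:05:40 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 205
198.51.100.7 - - [05/Aug/2001:02:11:09 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 205
203.0.113.5 - - [05/Aug/2001:02:12:30 +0000] "GET /index.html HTTP/1.0" 200 1024
EOF
}

# Read access-log lines on stdin; print "variant source_address count",
# one line per (variant, address) pair, sorted for stable output.
classify_hits() {
    awk '
        # [.] and [?] match the literal characters; the final "." captures
        # the first padding character after the question mark.
        match($0, /default[.]ida[?]./) {
            pad = substr($0, RSTART + RLENGTH - 1, 1)
            if (pad == "N")      variant = "CodeRed"
            else if (pad == "X") variant = "CodeRedII"
            else                 variant = "other"
            # Assumption: field 1 is the client address (Common Log Format).
            hits[variant " " $1]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | LC_ALL=C sort
}

# Demo on the constructed sample; for a real log: classify_hits < access_log
sample_log | classify_hits
```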

  6. Dynamic graphs at Caida by madumas · · Score: 2, Informative
    Caida is producing dynamic graphs of the code red spread. It seems that there are about 50% fewer infected hosts than last time. The worm progression seems to have stopped, probably because all the machines with the IIS bug are now infected.

    http://www.caida.org/dynamic/analysis/security/code-red/index.html

  7. For everyone who didn't pay attention in History by Markvs · · Score: 5, Informative

    ...which is probably most Americans...

    Stolen from the article:
    "For Microsoft, this was the kind of publicity you just can't buy. Not only did Redmond get to share a dais with the Justice Department --which is rather like Stalin vowing eternal friendship with Roosevelt to counter the Nazi menace -- but they also had their name inextricably linked with the well-being of the Internet itself."

    Which is *exactly* what it is, except that in this case there isn't any Nazi menace to stand up to. My bet is that this will be seen as a way to soften the DOJ/Microsoft schism in the public's eye and make all those pesky state lawsuits go away that much quicker.

    History is *filled* with bait-n-switches like this, which most people pick up on about as frequently as they do retail prices going up two weeks before a big sale. Study the past. Without it, you'll never see the future.

    --
    46. The Hobo smiles, his eyes glaze over, and he burps. "Beware the man who has lived longer than the Wasteland."
  8. Good quote about now knowing its there... by weave · · Score: 4, Informative
    I liked this bit from the article...

    It could replicate itself across thousands of servers -- usually because the owners were never aware that Microsoft software had turned their computer into a server in the first place.

    We set up a simple win2k file server and specifically did not want IIS installed. There are a LOT of things on 2000 server that depend on it and if you check them on during the install, it will silently recheck IIS again. Want to just run an ftp server? It installs IIS.

    We had to go back and uncheck IIS three separate times during the install. Another server done by another tech had IIS after I specifically put in a work order NOT to install it. He swears he didn't. I believe him.

    It's as bad as the original various linux distro installs enabling every damn service under the sun (no pun intended) during an install.

    Don't believe me? Just watch your code red hits on your web server and go to the sites that nail you. Most of them have either the default page or "directory listing denied" message. They are not big corporate servers for the most part that I've seen... That leads me to believe that a lot of these people don't even know IIS is running on their server...