Code Red Back For More

Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.

Re:Now that is funny!

[sharifi]

I tried to visit some of the infected sites in my web log, but most of them gave no response, until I got to http://202.81.246.51 which states: "If you can see this, it means that the installation of the Apache web server software on this system was successful." :)

Re:URM. Thjs is NOT good. GG Microsoft

[kilrogg]

Is there a "shutdown -h now" equivalent with windows?

CodeRedNeck

[RoyalTS]

Check out this heise.de article (in German, sorry)!!! Somebody apparently programmed a little Linux tool that may be able to slow the spread of the worm down a little. The idea was first introduced in the incidents.org forum. May be worth a look.

From the Windows 2000 EULA

[Waffle+Iron]

This Limited Warranty is void if failure of the Product has resulted from accident, abuse, misapplication, abnormal use or a virus.

Interesting.
Also...

Some states/jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you.

Does this really mean anything? Could somebody in some state conceivably sue them successfully? The rest of the EULA is an absolute, complete, iron-clad denial of any liability whatsoever. This last sentence is the only shred of hope I could find.

OTOH, be careful what you wish for. The GPL has similar disclaimers...

Re:Do what I did...

[Ranger+Rick]

Already done it (well, not crashing, but I email hostmaster@their.domain), just do:

AddHandler cgi-script .ida

In your httpd.conf and make a little perl script or something called default.ida to log it. It's been great fun, shoulda been to bed hours ago, but I'm playing around with my script instead. =)

ISPs filtering port 80

I find it odd that my OS X (Apache httpd) webserver is now inaccessible to the outside world because @Home has filtered port 80 my IP. Even my other IP is filtered on port 80, and it doesn't even have any services running. This sucks because other @Home customers who HAVE been bitten by the worm haven't had incoming requests on port 80 blocked. If @Home is going to start enforcing the TOS on users that aren't hosting warez servers or any high-bandwidth servers, then I'm going to cancel my subscription. My 128 kbps upstream cap is horrible enough.

Worse than that...any looser has ALL hosts

[braddock]

It's worse than that. I can use the backdoor on the few hosts I am being hit directly with, and get THEIR web logs. If I have 100 hosts that have attacked me, and each of THEM have 100 hosts that have tried to reinfect THEM, etc....

100*100 = 10,000
100*100*100 = 1,000,000 (250,000 is probably the total number of hosts that will be infected, so you'll start getting diminishing returns as you get duplicates)

Re:What are you talking about?

[jonathan_ingram]

Why do you call this pattern bizarre? That's how I'd scan if I wrote a worm: if you manage to infect a computer at a particular IP adress, then you have some evidence that computers 'close' to that one will probably be vulnerable as well, so you attempt to infect 'close' computers more than 'distant' ones.

You keep trying the 'distant' ones every now and then, just in case you get lucky.

Re:@home preventative measures

[cybrthng]

You sure you just didn't dos yourself of the net? :)

Personally i don't see @Home taking you off and noticing you fixed it and putting you back online.

Check your outtage listings for your area.

Re:What are you talking about?

Seems smart, though its as usual a completely static algorithm, a hack. If you really want it to spread as fast as possible, you'll make the thing adaptive.

Together with the algorithm, spread a bit of data determining the probability of randomizing the last, the last two, the last three octets or the entire ip-adress. Now if the worm copies itself, it copies these parameters as well, but just randomizes it a bit (mutation). This is all you need to make it adapt to its neighbourhood.

Critters that have a (near) optimal set of randomization parameters for the subnet they're on will spread faster (and thus their parameters will spread faster as well) than others that are less well-adapted. As the population of hosts is in the 100's of K's, this quite likely will work.

I'm not advocating that people should write worms such as Code Red, so by implication I am also not advocating that people should use the algorithm above for infecting hosts like Code Red does. In any case, the above algorithm would make the spreading just a tat more effective, the static set of parameters in the current Code Red seem to work good already.

HEY GENIUSES

All you do-gooders who are flitting around deleting root.exe -- nice job. Now there is no way to actually interact with the remote machine to remove the rest of the code, until it's reinfected anyway

Linux Distro Worm?

[starz]

I'm gonna make a worm that...

1. Repartitions a Fat32/NTFS partition
2. Makes a Ext2 partition
3. Installs a Linux distribution on the Ext2 partition.
4. Formats Fat32/NTFS partition
5. Writes the boot sector for the new linux installation
6. Reboots.

Re:A few more details:It's a root trojan

[lalleglad]

OK, I tried this on a couple of the hosts that I have in my access logfile, but after a few successful attempts it got boring.

I wonder what I can do after getting the prompt? After I get:

c:\inetpub\scripts>

I don't know what to do, but I would like to send an email to the webmaster telling him to stop letting his server sending me crap, however I have tried 'dir' and 'cd' which I thoiught were simple commands, but the link then seems to be stuck, ie. nothing happens.

If anyone has info about what can be done there I'd like to hear.

An email from his own machine by someone else ought to scare him to DO something about it!

And the depressing thing is...

[Simon+Brooke]

I wrote the following shell script to mail webmasters on infected hosts:
#!/bin/bash

# OK: the rationale behind this is that it will lookup the name of each host
# which probes us with the Code Red style probe, and then see whether that
# name resolves back to the number. If it does there's some hope that it's a
# real host, so we'll try to mail webmaster@

log=$HOME/codered.log

for ip in `grep default.ida /var/log/httpd/access_log |\
awk '{print $1}'`
do
grep "$ip" $log > /dev/null

if [ $? -ne 0 ]
then # it's not there
echo $ip >> $log # remember so we don't mail them again

host=`dig -x $ip -Aq +nocmd +nostats +noheader +noauthor \
+noaddit | tail -3 | awk '{print $5}' | sed 's/\.$//'`

echo -n "Seen $ip [$host]"

echo $host | grep '^[a-z0-9.-]*$' > /dev/null

if [ $? -eq 0 ]
then
echo -n "...appears to be valid..."

valid=`nslookup $host | tail -2 | grep '^Address:' |\
awk '{print $2}'`
fi

if [ "$ip" = "$valid" ]
then
mail -s "Your machine appears to be infected by Code Red" \
webmaster@$host <<EOF

Dear Webmaster

We have received a request for 'default.ida' from your server at
$ip. This is usually an indication that you have been
infected by the 'Code Red' or 'Code Red II' worm, currently
attacking Microsoft IIS servers. To secure your server, download
and install the appropriate patch from Microsoft


* Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?Rel easeID=30833

* Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?Rel easeID=30800

Or, better still, switch to a proper operating system
EOF
echo " ...mailed"
else
echo " ? not valid?"
fi
fi
done

I've been hit by 61 different unique IP's today, of which 17 had IPs which resolved to addresses which resolved to the same IPs. So how many of my mails were actually accepted for delivery?

That's right, none.

Re:If this can't break Microsoft's back nothing wi

[nicodaemos]

This won't break Microsoft's back .... consumers voting with their feet can only achieve that end.

Recently I was looking around for a new insurance company. Looking on the web I came across a couple of companies who would give me a quote if I provided them with some personal information. I was all set to deal with one site, whom I won't name, but I decided to first do a quick background check on them. Using netcraft I was able to tell they were running their site on IIS. That little bit of info told me that they weren't at all serious about keeping my personal information confidential.

Of course I decided not to pursue any business with them. But I also went a step further. I wrote them a quick email informing them that I would never do business with a company who was choosing to base their internet business on the most hacked application platform on the internet.

Let companies know that you won't do business with them if they use inferior products. Your quick and simple message to them will speak more loudly than a thousand rants on various message boards.

logs

[Kryptolus]

automatically generated list of attacks against my server

147 attacks so far

the page is generated through a perl script that reads my apache logs

To see them live

[cybermage]

To see them come in live:

tail -f [log_file] | grep default.ida

To see just CR2, s/default.ida/default.ida\?XXX/

I got three while writing this. I was wondering what was slowing things down tonight.

Re:A few more details:It's a root trojan

[glokkpod]

I've been tinkering and I've found that this will help cure the "root exploit":

GET /scripts/root.exe?/c+ren+root.exe+infected.dat HTTP/1.0