Code Red Back For More
Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.
I tried to visit some of the infected sites in my web log, but most of them gave no response, until I got to http://202.81.246.51 which states: "If you can see this, it means that the installation of the Apache web server software on this system was successful." :)
Is there a "shutdown -h now" equivalent with windows?
Check out this heise.de article (in German, sorry)!!! Somebody apparently programmed a little Linux tool that may be able to slow the spread of the worm down a little. The idea was first introduced in the incidents.org forum. May be worth a look.
Interesting.
Also...
Some states/jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you.
Does this really mean anything? Could somebody in some state conceivably sue them successfully? The rest of the EULA is an absolute, complete, iron-clad denial of any liability whatsoever. This last sentence is the only shred of hope I could find.
OTOH, be careful what you wish for. The GPL has similar disclaimers...
Already done it (well, not crashing, but I email hostmaster@their.domain), just do:
AddHandler cgi-script .ida
in your httpd.conf and make a little perl script or something called default.ida to log it. It's been great fun, shoulda been to bed hours ago, but I'm playing around with my script instead. =)
WWJD? JWRTFM!!!
100*100 = 10,000
100*100*100 = 1,000,000 (250,000 is probably the total number of hosts that will be infected, so you'll start getting diminishing returns as you get duplicates)
Why do you call this pattern bizarre? That's how I'd scan if I wrote a worm: if you manage to infect a computer at a particular IP address, then you have some evidence that computers 'close' to that one will probably be vulnerable as well, so you attempt to infect 'close' computers more than 'distant' ones.
You keep trying the 'distant' ones every now and then, just in case you get lucky.
-- Help Digitise the Public Domain at DP.
Personally I don't see @Home taking you off and noticing you fixed it and putting you back online.
Check your outage listings for your area.
OK, I tried this on a couple of the hosts that I have in my access logfile, but after a few successful attempts it got boring.
I wonder what I can do after getting the prompt? After I get:
c:\inetpub\scripts>
I don't know what to do, but I would like to send an email to the webmaster telling him to stop letting his server send me crap; however I have tried 'dir' and 'cd', which I thought were simple commands, but the link then seems to be stuck, i.e. nothing happens.
If anyone has info about what can be done there I'd like to hear.
An email from his own machine by someone else ought to scare him to DO something about it!
#!/bin/bash
# OK: the rationale behind this is that it will lookup the name of each host
# which probes us with the Code Red style probe, and then see whether that
# name resolves back to the number. If it does there's some hope that it's a
# real host, so we'll try to mail webmaster@
log=$HOME/codered.log
# Path of the Apache access log to scan (assumed; override with ACCESS_LOG=...)
access=${ACCESS_LOG:-/var/log/apache/access.log}
touch "$log"
for ip in `grep default.ida "$access" | awk '{print $1}' | sort -u`
do
    grep -qxF "$ip" "$log"      # -x: match the whole line, not a prefix
    if [ $? -ne 0 ]
    then # it's not there
        echo "$ip" >> "$log"    # remember so we don't mail them again
        valid=""                # reset, so a previous host's answer can't leak in
        # reverse lookup: PTR name without the trailing dot
        host=`dig -x "$ip" +short | tail -1 | sed 's/\.$//'`
        echo -n "Seen $ip [$host]"
        echo "$host" | grep -q '^[a-z0-9.-]*$'
        if [ $? -eq 0 ]
        then
            echo -n "...appears to be valid..."
            # forward lookup of that name; it must give back the same address
            valid=`dig "$host" +short | tail -1`
        fi
        if [ -n "$host" -a "$ip" = "$valid" ]
        then
            mail -s "Your machine appears to be infected by Code Red" \
                webmaster@$host <<EOF
Dear Webmaster
We have received a request for 'default.ida' from your server at
$ip. This is usually an indication that you have been
infected by the 'Code Red' or 'Code Red II' worm, currently
attacking Microsoft IIS servers. To secure your server, download
and install the appropriate patch from Microsoft
* Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?Re
* Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?Re
Or, better still, switch to a proper operating system
EOF
            echo "...mailed webmaster@$host"
        else
            echo " ? not valid?"
        fi
    fi
done
I've been hit by 61 different unique IPs today, of which 17 had IPs which resolved to addresses which resolved to the same IPs. So how many of my mails were actually accepted for delivery?
That's right, none.
I'm old enough to remember when discussions on Slashdot were well informed.
This won't break Microsoft's back .... consumers voting with their feet can only achieve that end.
Recently I was looking around for a new insurance company. Looking on the web I came across a couple of companies who would give me a quote if I provided them with some personal information. I was all set to deal with one site, which I won't name, but I decided to first do a quick background check on them. Using netcraft I was able to tell they were running their site on IIS. That little bit of info told me that they weren't at all serious about keeping my personal information confidential.
Of course I decided not to pursue any business with them. But I also went a step further. I wrote them a quick email informing them that I would never do business with a company who was choosing to base their internet business on the most hacked application platform on the internet.
Let companies know that you won't do business with them if they use inferior products. Your quick and simple message to them will speak more loudly than a thousand rants on various message boards.
Automatically generated list of attacks against my server: 147 attacks so far.
The page is generated through a Perl script that reads my Apache logs.
--
Violators will be prosecuted and prosecutors will be violated.
To see them come in live:
tail -f [log_file] | grep default.ida
To see just CR2, s/default.ida/default.ida\?XXX/
I got three while writing this. I was wondering what was slowing things down tonight.
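As an added example (not code from the thread or from any poster), here is a Python version of the `tail -f | grep default.ida` check above that also separates Code Red I (N-padded query) from Code Red II (X-padded query) probes and counts how many probes come from the same Class A and Class B block as your own address, the locality Brian Stretch describes at the top of the page. The log lines and the address 24.3.55.1 are constructed for the example.

```python
import re, ipaddress
from collections import Counter

# Constructed sample Apache access-log lines (not taken from the thread).
SAMPLE_LOG = """\
24.3.17.9 - - [04/Aug/2001:09:11:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 280
24.3.200.44 - - [04/Aug/2001:09:12:15 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090 HTTP/1.0" 404 280
64.12.5.7 - - [04/Aug/2001:09:13:40 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090 HTTP/1.0" 404 280
24.100.2.2 - - [04/Aug/2001:09:13:58 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090 HTTP/1.0" 404 280
24.3.17.9 - - [04/Aug/2001:09:14:01 -0400] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 404 280
24.9.1.1 - - [04/Aug/2001:09:15:00 -0400] "GET /index.html HTTP/1.0" 200 1234
"""

# Common Log Format: client address first, request line in quotes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) ')

def classify(request_path):
    """'CR1' (N-padded) / 'CR2' (X-padded) / 'CR?' for a default.ida probe, else None."""
    prefix = "/default.ida?"
    if not request_path.startswith(prefix):
        return None
    payload = request_path[len(prefix):]
    if payload.startswith("X"):
        return "CR2"
    if payload.startswith("N"):
        return "CR1"
    return "CR?"

def summarize(log_text, my_ip):
    """Count probes per variant/source and how many share my_ip's /8 and /16."""
    class_a = ipaddress.ip_network(my_ip + "/8", strict=False)
    class_b = ipaddress.ip_network(my_ip + "/16", strict=False)
    variants, sources = Counter(), Counter()
    same_a = same_b = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, path = m.groups()
        kind = classify(path)
        if kind is None:
            continue  # ordinary traffic, not a worm probe
        variants[kind] += 1
        sources[src] += 1
        addr = ipaddress.ip_address(src)
        same_a += addr in class_a
        same_b += addr in class_b
    return {"total": sum(variants.values()), "variants": dict(variants),
            "sources": dict(sources), "same_class_a": same_a, "same_class_b": same_b}
```

Run `summarize(open("/var/log/apache/access.log").read(), "<your IP>")` against a real log to get the same breakdown the thread's grep one-liners give by eye.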
Some people have a way with words, and some people, um, thingy.
I've been tinkering and I've found that this will help cure the "root exploit":
GET /scripts/root.exe?/c+ren+root.exe+infected.dat HTTP/1.0