Slashdot Mirror


Code Red Back For More

Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different from the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.

7 of 866 comments

  1. CodeRedNeck by RoyalTS · · Score: 3, Interesting

    Check out this heise.de article (in German, sorry)!!! Somebody apparently programmed a little Linux tool that may be able to slow the spread of the worm down a little. The idea was first introduced in the incidents.org forum. May be worth a look.

  2. From the Windows 2000 EULA by Waffle Iron · · Score: 3, Interesting
    This Limited Warranty is void if failure of the Product has resulted from accident, abuse, misapplication, abnormal use or a virus.

    Interesting.
    Also...

    Some states/jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you.

    Does this really mean anything? Could somebody in some state conceivably sue them successfully? The rest of the EULA is an absolute, complete, iron-clad denial of any liability whatsoever. This last sentence is the only shred of hope I could find.

    OTOH, be careful what you wish for. The GPL has similar disclaimers...

  3. Re:What are you talking about? by jonathan_ingram · · Score: 3, Interesting

    Why do you call this pattern bizarre? That's how I'd scan if I wrote a worm: if you manage to infect a computer at a particular IP address, then you have some evidence that computers 'close' to that one will probably be vulnerable as well, so you attempt to infect 'close' computers more than 'distant' ones.

    You keep trying the 'distant' ones every now and then, just in case you get lucky.

  4. Re:@home preventative measures by cybrthng · · Score: 4, Interesting
    You sure you just didn't DoS yourself off the net? :)

    Personally I don't see @Home taking you off and noticing you fixed it and putting you back online.

    Check your outage listings for your area.

  5. And the depressing thing is... by Simon Brooke · · Score: 3, Interesting
    I wrote the following shell script to mail webmasters on infected hosts:
    #!/bin/bash

    # OK: the rationale behind this is that it will look up the name of each host
    # which probes us with the Code Red style probe, and then see whether that
    # name resolves back to the number. If it does there's some hope that it's a
    # real host, so we'll try to mail webmaster@

    log=$HOME/codered.log
    touch "$log"                # first run: make sure the "already mailed" list exists

    for ip in $(grep default.ida /var/log/httpd/access_log | awk '{print $1}' | sort -u)
    do
        # -x matches the whole line, so 10.1.1.1 does not match a logged 10.1.1.10
        if grep -qxF "$ip" "$log"
        then
            continue            # already handled on an earlier run
        fi
        echo "$ip" >> "$log"    # remember so we don't mail them again

        valid=""                # reset per host; never reuse the previous iteration's answer

        # reverse lookup: +short prints only the PTR name, with a trailing dot
        host=$(dig -x "$ip" +short | head -1 | sed 's/\.$//')

        echo -n "Seen $ip [$host]"

        # only accept a plausible, non-empty hostname before handing it to mail
        if echo "$host" | grep -Eq '^[A-Za-z0-9.-]+$'
        then
            echo -n "...appears to be valid..."

            # forward lookup: accept only if one of the A records is the probing IP
            if dig +short "$host" A | grep -qxF "$ip"
            then
                valid="$ip"
            fi
        fi

        if [ "$ip" = "$valid" ]
        then
            mail -s "Your machine appears to be infected by Code Red" \
                "webmaster@$host" <<EOF

    Dear Webmaster

    We have received a request for 'default.ida' from your server at
    $ip. This is usually an indication that you have been
    infected by the 'Code Red' or 'Code Red II' worm, currently
    attacking Microsoft IIS servers. To secure your server, download
    and install the appropriate patch from Microsoft


    * Windows NT 4.0:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

    * Windows 2000:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

    Or, better still, switch to a proper operating system
    EOF
            echo " ...mailed"
        else
            echo " ? not valid?"
        fi
    done

    I've been hit by 61 different unique IPs today, of which 17 had IPs which resolved to addresses which resolved to the same IPs. So how many of my mails were actually accepted for delivery?

    That's right, none.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.

  6. Re:If this can't break Microsoft's back nothing wi by nicodaemos · · Score: 3, Interesting

    This won't break Microsoft's back .... consumers voting with their feet can only achieve that end.

    Recently I was looking around for a new insurance company. Looking on the web I came across a couple of companies who would give me a quote if I provided them with some personal information. I was all set to deal with one site, whom I won't name, but I decided to first do a quick background check on them. Using netcraft I was able to tell they were running their site on IIS. That little bit of info told me that they weren't at all serious about keeping my personal information confidential.

    Of course I decided not to pursue any business with them. But I also went a step further. I wrote them a quick email informing them that I would never do business with a company who was choosing to base their internet business on the most hacked application platform on the internet.

    Let companies know that you won't do business with them if they use inferior products. Your quick and simple message to them will speak more loudly than a thousand rants on various message boards.

  7. logs by Kryptolus · · Score: 5, Interesting

    automatically generated list of attacks against my server

    147 attacks so far

    the page is generated through a perl script that reads my apache logs

    --
    Violators will be prosecuted and prosecutors will be violated.