Slashdot Mirror


Code Red II: Shells for the Taking

sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accessible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?

7 of 602 comments shown

  1. Help track this: submit your logs to dshield! by mjh · · Score: 5, Informative
    You might want to consider submitting your apache logs to dshield. This will help keep track of the extent of this problem as well as help to analyze where it may have originated. If the dshield folks can correlate the earliest attacks of the latest variant, they have a chance at finding where this thing originated.

    Submissions can be made by following these instructions.

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    1. Re:Help track this: submit your logs to dshield! by LinuxHam · · Score: 4, Informative

      It uses libpcap to sniff all packets that the interface receives. And if you configure snort to use promiscuous mode, then it'll even track attacks that aren't directed towards your machine.

      I'm on 56k ppp dialup, so I shouldn't see any attacks (let alone packets) not destined for my machine. Now that you know that, you should also know that I was rejecting all connections to port 80 with ipchains. Therefore, since the worm couldn't connect, it wouldn't transmit the HTTP request that snort is watching for.

      By hanging netcat on port 80 with a 3 second connect limit using xinetd, all inbound port 80 probes get connections. They send their payload, snort alerts on it, netcat routes it directly to /dev/null, and then closes the connection. No huge apache logs, or whatever minimal risks are associated with apache.

      I shunt the payloads directly to /dev/null just so snort can actually watch them coming in. I literally asked for a "dummy listener" on the snort list, and they pointed me to netcat at l0pht.

      --
      Intelligent Life on Earth
  2. Killing small ISPs by Alien54 · · Score: 5, Informative
    I know of at least one small ISP that had very serious problems this week.

    First one of the top dogs in the place sent sircam throughout the company. This was a really bad hair day.

    Then they had a separate second problem where user mail boxes flooded out crashing the mail server, among other strange things. Imagine users with DSL lines sending out multimegabyte files that bounce. Considering that most ISPs configure the drive space for mail based on average usage of users, and do not set aside the actual amount of drive space for user mail, etc. that has been promised for all users.

    BOOM!

    If this keeps happening, this is going to be bad for business in a lot of places.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  3. Securityfocus asks for IPs by mawis · · Score: 5, Informative

    To notify the administrators of the attacking servers you can send their IP followed by the date and time of the attack to aris-report@securityfocus.com. - Please use this format because it's a robot address. http://securityfocus.com/announcements/310
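The two comments above describe a defender's workflow: LinuxHam's "dummy listener" that accepts port 80 probes, lets the IDS see the payload, and drops the connection after a few seconds, and mawis's suggestion to report the probing IP with the date and time. The following Python script is an added example, not code from either poster or from snort, netcat or dshield: a minimal sink that accepts a connection, reads one chunk, never answers, closes, and emits one report line per probe. The request signatures are constructed from what the thread describes (root.exe/cmd.exe in the scripts directory, drive roots exposed as /c/ and /d/) plus the default.ida overflow request the worm spreads with; the report line layout (IP, then date and time, then a label) is an assumption, since the thread does not give the robot's exact format.

```python
import socket
from datetime import datetime, timezone

# Detection signatures (constructed for this example). The backdoor paths are
# the ones the thread describes: cmd.exe copied into the scripts directory as
# root.exe, and the C: and D: drives reachable as /c/ and /d/. default.ida is
# the IIS .ida overflow request the worm sends when it probes a new host.
IDA_PROBE = b"/default.ida?"
BACKDOOR_PATHS = (b"/scripts/root.exe", b"/msadc/root.exe", b"/c/", b"/d/")


def classify_request(raw: bytes) -> str:
    """Label an inbound HTTP payload from its request line alone."""
    first_line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = first_line.split(b" ")
    if len(parts) < 2 or not parts[1].startswith(b"/"):
        return "malformed"          # not HTTP at all, or no request target
    path = parts[1].lower()         # IIS paths are case-insensitive
    if path.startswith(IDA_PROBE):
        return "codered-ida-probe"  # the spreading request itself
    if path.startswith(BACKDOOR_PATHS):
        return "codered2-backdoor-use"  # someone driving the dropped shell
    return "other"


def report_line(src_ip: str, label: str, when=None) -> str:
    """IP, then date and time (UTC), then our label, one probe per line.

    Assumed layout: the thread only says "IP followed by the date and time".
    """
    when = when or datetime.now(timezone.utc)
    return f"{src_ip} {when:%Y-%m-%d %H:%M:%S} {label}"


def make_listener(bind: str = "0.0.0.0", port: int = 80) -> socket.socket:
    """Bound, listening TCP socket; port 80 needs privileges, port 0 picks one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    return srv


def run_sink(srv: socket.socket, sink, max_conns=None, timeout: float = 3.0) -> int:
    """Accept probes one at a time: read one chunk, never answer, close.

    This mirrors netcat under xinetd with a 3 second limit: the worm gets a
    connection, transmits its request, and the request goes nowhere. Each
    payload is classified and handed to `sink` as a report line. Returns the
    number of connections handled (max_conns=None runs forever).
    """
    handled = 0
    while max_conns is None or handled < max_conns:
        conn, (src_ip, _port) = srv.accept()
        conn.settimeout(timeout)
        try:
            data = conn.recv(4096)
        except OSError:             # timeout or reset: still counts as a probe
            data = b""
        finally:
            conn.close()
        handled += 1
        if data:
            sink(report_line(src_ip, classify_request(data)))
    return handled


if __name__ == "__main__":
    # Loopback demonstration with two constructed probes.
    import threading

    lines = []
    srv = make_listener("127.0.0.1", 0)      # port 0: any free loopback port
    port = srv.getsockname()[1]
    worker = threading.Thread(target=run_sink, args=(srv, lines.append, 2))
    worker.start()
    for probe in (b"GET /default.ida?" + b"X" * 32 + b" HTTP/1.0\r\n\r\n",
                  b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"):
        with socket.create_connection(("127.0.0.1", port)) as client:
            client.sendall(probe)
    worker.join()
    srv.close()
    print("\n".join(lines))
```

Run it as root (or behind a redirect from port 80) with `make_listener(port=80)` and `run_sink(srv, print)` to get a live feed; the `__main__` block only exercises the code on loopback. The sink reads a single 4 KB chunk on purpose: the worm's request fits in one segment, and reading no further keeps a slow or hostile peer from holding a thread past the timeout.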

  4. A Warning to Whitehats by Ms.Taken · · Score: 5, Informative
    Anyone working on scripts which respond to Code Red attacks by patching the originating server should read this cnet article, which calls that approach 'hack-back'.

    From the article:

    The FBI has dismissed using any hack-back tactic as well. "It is not something that we could consider," said spokeswoman Debbie Weierman. "It would basically be viewed as an unauthorized intrusion."

    It's not clear from the article whether such an 'unauthorized intrusion' by a private citizen would be illegal, but it might be worth thinking about before you go riding out to do battle with the Red Worm.

  5. News Sites report on CR2 by stuccoguy · · Score: 4, Informative
    CNN has very little to say about the subject.

    MSNBC has a longer story.

    Fox News has a few words to say.

    ABC copied the AP story.

    CBS still seems to think the red tide is receding.

    Meanwhile the worm has knocked on my computer's door six times since I started this post. Uh, make that seven.

  6. How to send a message to the poor bastards by Brian+Stretch · · Score: 4, Informative

    A user on grc.security (news.grc.com) suggested using the Windows "net send" command to send a pop-up message to the infected user. net.exe won't talk across the Internet, but you ought to be able to run the net.exe program on the rooted IIS box, something like:

    http://ipaddress/c/inetpub/scripts/root.exe?/c+net+send+%25COMPUTERNAME%25+You+have+been+infected+by+the+Code+Red+II+Worm+which+attempted+to+attack+my+server

    %25COMPUTERNAME%25 translates to %COMPUTERNAME%, which returns the Windows hostname. I know that works from one of my failed attempts that gave me a reply, but with the above string, I get back a page with "Error in CGI Application" as the title:

    CGI Error

    The specified CGI application misbehaved by not returning a complete set
    of HTTP headers. The headers it did return are:

    and it doesn't give me any return. Can anyone verify and/or debug this? It *might* be working.

    The %USERDOMAIN% variable might be useful too, so you could send to the whole Windows domain, "Machine LUSER on DOOFUSDOMAIN is infected with Code Red II" or some such. %USERDOMAIN% is the machine name on systems on a workgroup.