Slashdot Mirror


Code Red II: Shells for the Taking

sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accessible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?

9 of 602 comments

  1. Someone needs to write by mashy · · Score: 0, Redundant

    Someone needs to write a new strand of Code Red that infects servers with the patch from MS.

    I'm sick of all this wasted logfile space.

  2. It is the time by Pat__ · · Score: 1, Redundant

    I think it is about time to write the exploit that will take all those vulnerable IIS servers with an open command shell and remotely patch them once and for all :-)
    At least to get it over with this Code Red thingy!

    On a completely other note! I was thinking it would be nice if the worm copied random text strings (from the victim's hard drive) instead of the XXXXXXXXX in order to overrun the buffer :) Then it would be really interesting to read those log files!

  3. Comments on an Anti-Worm by Nater · · Score: 0, Redundant

    I've been watching my apache logs grow with requests for default.ida?blahblahblah and I had a weird thought last night. CR most likely has some bugs in it. How hard would it be to dissect a copy, find an exploitable buffer overflow, and write a CGI script that counter-attacks CR? I don't think it would be any harder than finding the original default.ida overflow. Or, if it really is making a shell available, why not just have the anti-worm log in and nuke CR?

    --

    I like to play children's songs in minor keys.
    "We're all sons of bitches now." --J. Robert Oppenheimer

  4. link by clinko · · Score: 1, Redundant

  5. this sucks by aechols · · Score: 1, Redundant

    some grepping and word counting revealed about 606 hits as of about 5:00 CDT last night. my first attack was at Aug 3 at 23:40 CDT. i don't think the activity light on my cable modem has stopped blinking yet. each computer attempts to get to infect three times before it gives up & moves on.

    what i don't look forward to is probably an increase in this kind of crap as XP rolls out with raw socket support. (if you read GRC stuff then this is old news) script kiddies everywhere, and more attacks can be made that were previously impossible or at the least difficult to accomplish. yes it's true that this started in w2k, but does everybody actually have w2k? nope. they're really gonna push XP though, unlike any of the upgrades past 95.

    then again maybe everyone does have it, seeing how many attacks i'm getting. the most aggravating thing about this is that all of the attacks just bounce off me (proudly microsoft free :) but my connection sucks now because of all the morons that didn't patch themselves up after the first time it went around.

    --
    Are you pondering what I'm pondering?
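
The log check that comments 3 and 5 describe doing by hand (spotting default.ida probes in a web server log and counting hits per source), as an added example that is not from the thread. The log lines are constructed samples, and the regex assumes Apache common/combined log format; the threshold of three attempts per source is taken from comment 5's observation.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-format log lines (not taken from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2001:23:40:12 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [04/Aug/2001:23:40:13 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [04/Aug/2001:23:40:14 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
192.0.2.77 - - [05/Aug/2001:01:12:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
198.51.100.9 - - [05/Aug/2001:02:00:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

# Assumes Apache common/combined format: client IP, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_code_red_probe(path):
    # Code Red probes the .ida ISAPI handler with an oversized query string on /default.ida.
    return path.lower().startswith("/default.ida?")


def summarize(log_text, retries=3):
    """Count default.ida probes per source IP and flag sources that retried `retries` or more times."""
    hits = Counter()
    first_seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_code_red_probe(m["path"]):
            continue  # unparseable line or ordinary request
        hits[m["ip"]] += 1
        first_seen.setdefault(m["ip"], m["ts"])
    return {
        "total": sum(hits.values()),
        "per_source": dict(hits),
        "first_seen": first_seen,
        "persistent": sorted(ip for ip, n in hits.items() if n >= retries),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} probes from {len(report['per_source'])} sources")
    for ip in report["persistent"]:
        print(f"  {ip}: {report['per_source'][ip]} attempts, first at {report['first_seen'][ip]}")
```

Point it at a real access_log (for example, `summarize(open("/var/log/apache/access_log").read())`) to get the same per-source counts the comment above produced with grep and wc.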

  6. Bad Idea by Sludge · · Score: 1, Redundant

    By design, it's a very bad idea to make your trojan/virus do anything too shocking.

    Ever boiled a frog? If you throw a frog in hot water, it'll jump out. If you slowly turn up the heat, it'll roast.

    This sort of violent behaviour in a virus stops it from being able to live with its host, because it gets detected way too fast. A worm/virus/trojan that has too great a consequence on its host will be wiped out too soon, and in the case of the worm, this means lesser propagation.

    <\Devil's advocate>

  7. huge cable modem hits by rknop · · Score: 3, Redundant

    I've got a cable modem on nash1.tn.home.com, and my iptables log is seeing a huge number of hits (we're talking an average of several a minute, more or less) to port 80. Since I'm not actually running a web server, I don't have the logs that tell me if this is in fact Code Red, but I suspect that's what a huge amount of this activity is.

    It's depressing, really.

    -Rob

  8. Already on Slashdot by alanjstr · · Score: 0, Redundant

    Forgive me for the karma whoring, but all I did was scroll down my SlashDot homepage to see that Timothy already posted an article about Code Red II.

  9. oh c'mon... by Anonymous Coward · · Score: 1, Redundant

    please. posting another story like this is almost as big a waste of bandwidth as the worm.

    please reference previous stories: http://slashdot.org/article.pl?sid=01/08/05/0433219