Slashdot Mirror
Code Redux
I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage. Code Red [?] is hitting cable modem networks especially hard, as the new variants scan "nearby" IP's in preference to random ones, which has apparently caused enough damage and network congestion that AT&T's residential broadband division (MediaOne) has cut off port 80 across their network to try and halt the spread of the worm, or so several submitters reported. Newsforge has a story about various reactions to the worm, and reader nettdata sent in an interesting story about the worm becoming the main course at a dinner of security specialists.
AT&T @Home hasn't cut off port 80 where I live yet (Palatine IL, the NW Chicago 'burbs). A quick grep of my Apache logs shows that I got hit 499 times yesterday with requests for 'default.ida'. Just over 1200 times since this thing broke started.
What really annoys me is that I just inherited responsibility for maintaining code for a print server product we sell. Code Red is knocking these things off the net left and right (buffer overflow processing the URL, I suspect) and customers are screaming. Oh, and did I mention that since inheriting the code I haven't even been able to get the fscking debugger to run yet!?
Why anyone would leave a printer sitting wide open on the wild net is beyond me, but apparently it's not acceptable to just tell the customers to put it behind a firewall where it belongs...
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
Polish Telecom, the biggest ISP down here, also announced that they will block traffic from 'infected' sites. Trying to connect to whitehouse server is taken as a proof of infection.
:wq
I wish that RoadRunner San Diego would do that! All they've done so far is to send two "Virus Alert" e-mails out to people, imploring them to install the patch if they run Win2k or WinNT.
I really think that it's the responsibility of a machine's owner to lock down his/her system from attack. Ignorance of the rule is no excuse. If you put a machine on the net, and it's not secure, it becomes a danger for everyone.
The easiest thing to do is to shut down the access to machines that are infected. That way, you have their undivided attention when they call you up and say, "My cable's not working!" You simply respond... "Yes, we shut it off, because you wouldn't take care of business."
You're not lame for running IIS if you've patched it. You're lame if you aren't paying attention to the patches out there.
While out and about looking for the latest Code Red statistics, I found this link to a Code Red Self Test which is supposed to tell you if you are vulnerable, and if you have been infected.
I don't know if it works, I don't have a Win boxen to test it on...
What they should do is scan for people running IIS webservers and cut them off. Leave the Apache users alone!
Besides the load of the spread (which is probably made signficantly better by having the worm mostly scanning on it's own subnet) CodeRed2 is quite benign.
Yes, it does open a remote root exploit, but the servers that got infected were already wide open due to the default.ida hole. Sure, it's easier now, but since there are simple exploits for default.ida already, any script-kiddie worth the name could already have walked straight into these computers.
In truth, I figure that the people who have made most use of this exploit has been geeks who would ordinarily never break into systems, but have been made curious about where the worms are coming from (of course, _I_ would never do such a thing... really...)
You can block incoming and outgoing http connections separately. eg. if a SYN packet is going from an outside address to an inside address, and the port number is 80, block it. But don't block anything else.
I recieved an email today from road runner (aka time warner cable) regarding the "VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED". For the intrigued, here's the letter:
------
VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.
Dear Road Runner Subscriber:
Road Runner, like many other ISPs and indeed the entire Internet, has today experienced an attack on its network which is apparently attributeable to the Code Red virus. It is possible that this virus has infected the PC's of Road Runner's subscribers using the Microsoft Windows NT or Microsoft Windows 2000 operating systems. Infected PC's may continue to flood the Internet and Road Runner's network with virus generated messages (even without your being aware of it).
Road Runner is working to alert all of its subscribers to this problem and to instruct them on where to find and install the patch necessary to eliminate the virus. In the meantime, Road Runner subscribers may experience slow network response, flashing connectivity lights on the cable modem, and other symptoms (such as unusual port scan log activity or increased firewall activity) while Road Runner and the Internet community work to control the impact of this virus.
IF YOUR PC IS RUNNING WINDOWS 2000 OR WINDOWS NT, PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE (www.microsoft.com/security) AND RESTART YOUR PC.
IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOUR ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.
We ask for your patience while Road Runner continues to work with the Internet community to address this virus. Thank you. Road Runner Security
P.S. Please, do not reply to this message
--------
Well, gee, if the whole "internet community" is at work at resolving the issue, I can rest easy. But then again, they only say no to worry if you're running Windows 95, 98, ME or MacOS. Well, I'm running Linux and NetBSD, so I guess I should be worried, eh?
--
#nohup cat
@Home's AUP specifically says "no servers". Also, they've always blocked port 137, so the tools are already installed. Yet they still haven't blocked port 80, even though each IP is getting hit approximately every other minute.
and I'm on @home's network. I like the program 'etherape' to sit and watch the requests come in and then browse to the IP's to see JoeBlow's homepage.
/etc/httpd.conf it's not really that hard.
really, do these home users PAY for IIS? of course not, would you? If you're going to use software free, use free software!!!
I can't imagine that anyone who administers servers for a living hasn't already patched againts this. Thus I think most of this Code Red comes from home users windows boxes with pirated software. I wish MS did pursure those people because we'd have a whole lot more Linux users if that was the case. ( I guess that's why they don't)
a note to IIS users:
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
Here in Fairfax, our cable modem dropped out around 6pm Sunday night; it came back up after about an hour, but ever since then, I've had faster speeds on dial-up.
The phone system reports that SirCam has taken out their email servers, and that Code Red [I|II] is causing serious performance problems. They expect to have it done by tomorrow - except that today, when I called, they no longer are saying that, merely begging users to patch their systems.
Phone tech support is turned off, at least in my wanderings in the phone system.
Anyone else having these problems?
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
Well, given the choice between having j00r box r00ted and having something like WinCIH blank out your BIOS and wipe out your FAT...
For security, it's critical. But the amount of data loss is minimal until after someone telnets to the open port and blows away your drive.
Finally, consider Symantec's core market -- not the guy running a brokerage firm on a farm of IIS boxen, but home and office users of PCs worried about the virus that'll wipe out their pr0n collection. Joe Win95er really isn't at risk from Code Red II, apart from wondering why "the Internet is slow" if he's on RoadRunner.
Considering Symantec's core audience, and what this worm could be doing to compromised systems, and yeah, I'll buy "medium".
Code red is so profligant (because it require no user intervention to spread), that a new machine installation will likely be hit by it in 10 minutes or less, which of course, is less time than it takes to patch it, which of course means that until you patch it, the remote exploitation is free to install anything else it wants until you close the hole, so you're going to be left with a zombiefied machine unless you install and patch with from an airgapped machine, using a local copy of the patch. I doubt most people do that.
So even with the patch up and available, the problem is far from solved. I bet the number of zombie machines out there surged 10fold today, many of which are on high speed corporate bandwidth, instead of the more meager cable modems with severely crippled upstream access.
It's going to be a rough year.
I'll bet that it gets strictly enforced from now on, killing all the fun even for people like me who run Apache on OpenBSD.
grep ida access_log | cut -d" " -f1 | sort | uniq | wc -l
139
Looking over the infected hosts, it seems that half are broadband clients (RR, Bellsouth, Verizon, @Home, etc.), a third are overseas (with
I see Code Red as a big boon to jobhunters, especially those looking for SA work. Right there in your logs is a list of companies that are hiring, whether they know it or not.
I guess the big question is this: do you root their box before the first interview or after?
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
It's been already shown that Code Red will not bring the Internet down. And it was never very much of a mortal threat to the majority of the users out there, because those are not running IIS (or any http server, for that matter). And until the more recent versions, the worm was not even a menace the files in the infected system (the recent versions, by installing a backdoor, would allow for a malicious invader to do a lot more damage).
The kind editor should also remember his math and Netcraft nice figures. IIS installations represent some 25% of the servers out there. Most of those are already patched by now. Even when they were not patched Code Red got only 6-7% of them (considering 4 million servers/250 thounsand infected).
Code Red is certainly a local problem in networks where it finds a nice ecologival niche. Cable modem networks are likey to suffer due to their archtecture and their own flaws. Other networks will suffer down the road.
But the main point is that this particular the worm is out of the way for nmost of us (if it ever was in the way) and will only affect the bandwidth locally.
It is almost time to reduce its risk rating to low.
Yes, pre-existing worms disappear and no worms of that variety can infect, but in the few minutes of life it had on your system, CodeRed had full access to download other, newer, unpatched, programs that otherwise would be unable to get onboard.
I reiterate, the only safe path is to install on an airgapped machine, or on a well secured LAN. But if you have to download it from the internet, there is a chance that *anything*, not just CodeRed, will be hiding somewhere by the time you patch.
We might be in for another growth spurt...when the hundreds of thousands of college students return to campus and plug in their computers. A good portion of them have probably been unattatched to the network, or will be brand new machines just for school. Working at a University, we aren't looking forward to this potential new stream of *fun*.
One possible saving grace is that most of our students come back after the worm is supposed to sleep (20th of the month). However, it might wake again come Sept. 1st. Not to mention any server out there with bad dates ready to spew it around.
On another note, I've notified several people in other departments that they've been hit with the CR II version. They say "well, I'll just apply the patch". Wrong, that will stop your computer from trying to broadcast the worm. Unfortunately, the patch doesn't clean up the trojan explorer.exe and registry settings. I tell them "you'll need to reformat the whole computer, and they laugh". Well, at least I can be first in line to berate their IT department for not taking that suggestion when their whole networked gets compromised from another backdoor installed during the computers 'open' state.
-A non-productive mind is with absolutely zero balance.
- AC
24.0.0.203 - - [07/Aug/2001:02:19:23 -0400] "HEAD" 400 - "-" "-"
24.0.0.203 is authorized-scan1.security.home.net, the machine which has been scanning for NNTP servers on port 119, ever since @Home got threatened with the Usenet death penalty.
This is the first time @Home has ever scanned my web server. It seems odd that they're sending an invalid request, although this can distinguish between Apache and IIS. Apache will treat this as HTTP/0.9 and will not send back an HTTP header on it's error page, while IIS sends an error page with full headers.
@Home has never blocked ANY port in my area, including 137-139 (I'm on Cogeco@Home). I've connecting to my home computer from university over those ports, and sucessfully transferred files. The modems are capable of simple firewalling, as any DOCSIS modem should be (I've connected to my modem through SNMP and set up some firewall rules, to block connections on port 1214 - my brother was hogging all my upstream bandwidth by using Morpheus/Kazaa).
I'm still gettings tons of hits from Code Red, but I don't really mind. I find it interesting to look through my logs and see the different versions of the worm. Among hundreds of Code Red hits, I have 3 interesting ones. Instead of saying "GET /default.ida?XXXXXX"..., they are just "XXXXXX"..., with the exploit code on the end. Does anyone know what this is? The first hit was around 12:30am last night.
Remote Linux install, anyone?
If programs would be read like poetry, most programmers would be Vogons.
I know I'm askin' for it, but I couldn't resist:
/home/httpd/html
/dev/zero default.ida
:-) (And people say PPPoE has no value.)
cd
ln -s
I'm only a 128k ISDN, but with compression, I can push over a T1 worth of zeros
6 of our machines at work got infected over the weekend. I was under the impression that our web guy had been keeping them up-to-date, but 5 were inside our NAT (infected by the 1 that was outside). I was under the impression that the ones inside the NAT would be ok. Bad assumption.
The bandwidth it used was so bad that it completely wiped out our ability to get out via HTTP. We could ping, get and send mail, but we couldn't browse at all. I had innoculated my home machine, and it wasn't until this morning, when we received a notice from our ISP accusing of massive port scanning of port 80 that I made the connection. I went around the office and, even after 5 of the 6 machines were innoculated, we still couldn't get out via HTTP. It wasn't until the 6th was innoculated that we could get out.
Our line is a 768/512 DSL (I believe those are the numbers), and it amazes me that a single machine infected could cause so much trouble. This is pretty disturbing.
I ran a test on the 1597 unique hosts that have attempted to infect my web server recently.
321- 20.1% - "Under Construction" default blank page
0- 00.0% - "too busy"
1093- 69.4% - cannot connect
183- 11.4% - some web page
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.