Slashdot Mirror


Code Redux

I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage. Code Red is hitting cable modem networks especially hard, as the new variants scan "nearby" IPs in preference to random ones, which has apparently caused enough damage and network congestion that AT&T's residential broadband division (MediaOne) has cut off port 80 across their network to try and halt the spread of the worm, or so several submitters reported. Newsforge has a story about various reactions to the worm, and reader nettdata sent in an interesting story about the worm becoming the main course at a dinner of security specialists.

12 of 472 comments

  1. Man, I wish... by Rimbo · · Score: 5, Insightful

    I wish that RoadRunner San Diego would do that! All they've done so far is to send two "Virus Alert" e-mails out to people, imploring them to install the patch if they run Win2k or WinNT.

    I really think that it's the responsibility of a machine's owner to lock down his/her system from attack. Ignorance of the rule is no excuse. If you put a machine on the net, and it's not secure, it becomes a danger for everyone.

    The easiest thing to do is to shut down the access to machines that are infected. That way, you have their undivided attention when they call you up and say, "My cable's not working!" You simply respond... "Yes, we shut it off, because you wouldn't take care of business."

    You're not lame for running IIS if you've patched it. You're lame if you aren't paying attention to the patches out there.

    1. Re:Man, I wish... by blang · · Score: 5, Funny
      You're not lame for running IIS if you've patched it. You're lame if you aren't paying attention to the patches out there.

      Sorry for being such a troll, but what makes you believe that this patch is the ultimate cure of IIS security bugs? You may not be lame, but you do possess an impressive threshold for pain.

      --
      -- Another senseless waste of fine bytes.
  2. Code Red Self Test by staplin · · Score: 5, Interesting

    While out and about looking for the latest Code Red statistics, I found this link to a Code Red Self Test which is supposed to tell you if you are vulnerable, and if you have been infected.

    I don't know if it works, I don't have a Win boxen to test it on...

  3. Cutting off port 80 by Grim+Grepper · · Score: 5, Interesting
    I really hope that RoadRunner doesn't decide to cut off port 80, as I happen to be running a webserver. Since I don't use IIS or Windows, it seems unfair that they would cut me off; it doesn't seem quite fair.

    What they should do is scan for people running IIS webservers and cut them off. Leave the Apache users alone!

    1. Re:Cutting off port 80 by Sc00ter · · Score: 5, Informative
      HEY! It's not against their AUP to run a web server!

      From: http://help.broadband.att.com/subagreelease.jsp

      (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

      And the actual AUP page doesn't mention it at all: http://help.broadband.att.com/faq.jsp?content_id=72&category_id=34

  4. Re:Cutting off port 80? by interiot · · Score: 5, Informative

    You can block incoming and outgoing http connections separately. E.g. if a SYN packet is going from an outside address to an inside address, and the port number is 80, block it. But don't block anything else.

  5. Re:Medium damage by Tackhead · · Score: 5, Insightful
    > > I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage.

    Well, given the choice between having j00r box r00ted and having something like WinCIH blank out your BIOS and wipe out your FAT...

    For security, it's critical. But the amount of data loss is minimal until after someone telnets to the open port and blows away your drive.

    Finally, consider Symantec's core market -- not the guy running a brokerage firm on a farm of IIS boxen, but home and office users of PCs worried about the virus that'll wipe out their pr0n collection. Joe Win95er really isn't at risk from Code Red II, apart from wondering why "the Internet is slow" if he's on RoadRunner.

    Considering Symantec's core audience, and what this worm could be doing to compromised systems, and yeah, I'll buy "medium".

  6. Twenty-four hours. by ktakki · · Score: 5, Insightful

    grep ida access_log | cut -d" " -f1 | sort | uniq | wc -l

    139

    Looking over the infected hosts, it seems that half are broadband clients (RR, Bellsouth, Verizon, @Home, etc.), a third are overseas (with .de, .tw, and .kr most prevalent), and the remaining sixth are US corporations, including some Fortune 500 hosts.

    I see Code Red as a big boon to jobhunters, especially those looking for SA work. Right there in your logs is a list of companies that are hiring, whether they know it or not.

    I guess the big question is this: do you root their box before the first interview or after?

    k.

    --
    "In spite of everything, I still believe that people are really good at heart." - Anne Frank
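The log check in the post above, as an added example (not the poster's script): it parses constructed Apache access_log lines, matches only the full `/default.ida` request path rather than any line containing "ida", tells the original Code Red (N padding) from Code Red II (X padding) using the well-known padding byte of each variant, and reports unique probing hosts plus hits per hour. The sample log lines and the variant labels are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access_log lines (Apache common log format); not from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2001:13:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3=a HTTP/1.0" 404 289
192.0.2.77 - - [04/Aug/2001:13:05:40 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.9 - - [04/Aug/2001:13:09:03 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3=a HTTP/1.0" 404 289
10.0.0.5 - - [04/Aug/2001:14:11:57 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3=a HTTP/1.0" 404 289
203.0.113.4 - - [04/Aug/2001:15:30:00 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3=a HTTP/1.0" 404 289
"""

# Source IP, timestamp, method and request path from a common-log-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
# Code Red probes hit /default.ida with a long run of padding: N for Code Red I, X for Code Red II.
IDA_RE = re.compile(r'^/default\.ida\?(?P<pad>[NX])')


def classify(path):
    """Return the worm variant implied by the request path, or None for ordinary traffic."""
    m = IDA_RE.match(path)
    if not m:
        return None
    return "CodeRed-I" if m.group("pad") == "N" else "CodeRed-II"


def scan_log(text):
    """Map each probing source IP to the variants seen from it, and count probes per hour."""
    hosts = defaultdict(set)
    per_hour = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in common log format
        variant = classify(m.group("path"))
        if variant is None:
            continue                      # normal request, not a worm probe
        hosts[m.group("ip")].add(variant)
        per_hour[m.group("ts")[:14]] += 1  # "04/Aug/2001:13" -> hour bucket
    return dict(hosts), per_hour


def unique_host_count(text):
    """Same number the grep | cut | sort | uniq | wc -l pipeline produces, minus false matches."""
    return len(scan_log(text)[0])


if __name__ == "__main__":
    hosts, per_hour = scan_log(SAMPLE_LOG)
    print(unique_host_count(SAMPLE_LOG), "unique probing hosts")
    for ip, variants in sorted(hosts.items()):
        print(ip, ", ".join(sorted(variants)))
    for hour, n in sorted(per_hour.items()):
        print(hour, n)
```

Feed it a real access_log with `scan_log(open("access_log").read())`; hosts that show both variants are typically machines reinfected after the first wave.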
  7. Code red growth spurts by Anemophilous+Coward · · Score: 5, Insightful

    We might be in for another growth spurt...when the hundreds of thousands of college students return to campus and plug in their computers. A good portion of them have probably been unattached to the network, or will be brand new machines just for school. Working at a University, we aren't looking forward to this potential new stream of *fun*.

    One possible saving grace is that most of our students come back after the worm is supposed to sleep (20th of the month). However, it might wake again come Sept. 1st. Not to mention any server out there with bad dates ready to spew it around.

    On another note, I've notified several people in other departments that they've been hit with the CR II version. They say "well, I'll just apply the patch". Wrong, that will stop your computer from trying to broadcast the worm. Unfortunately, the patch doesn't clean up the trojan explorer.exe and registry settings. I tell them "you'll need to reformat the whole computer", and they laugh. Well, at least I can be first in line to berate their IT department for not taking that suggestion when their whole network gets compromised from another backdoor installed during the computer's 'open' state.

    -A non-productive mind is with absolutely zero balance.
    - AC

  8. The real danger by aralin · · Score: 5, Interesting
    The real problem is that all the boxes that are vulnerable to this one specific exploit advertise themselves all over the net! Everyone knows what exploit it is. All you need to do is to read your apache logs and you own on average 400-500 Windows boxes to do ANYTHING you want.

    Remote Linux install, anyone?

    --
    If programs would be read like poetry, most programmers would be Vogons.
  9. Hmm, evil or DDoS in the making by Cramer · · Score: 5, Funny

    I know I'm askin' for it, but I couldn't resist:

    cd /home/httpd/html
    ln -s /dev/zero default.ida
    I'm only a 128k ISDN, but with compression, I can push over a T1 worth of zeros :-) (And people say PPPoE has no value.)

  10. small survey by 1010011010 · · Score: 5, Informative

    I ran a test on the 1597 unique hosts that have attempted to infect my web server recently.

     321 - 20.1% - "Under Construction" default blank page
       0 -  0.0% - "too busy"
    1093 - 69.4% - cannot connect
     183 - 11.4% - some web page

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.