Slashdot Mirror
Code Red III
drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.
How about an apache box in front of the IIS server with mod_proxy installed and setup as a reverse proxy filtering out default.ida requests??
Need Free Juniper/NetScreen Support? JuniperForum
At least give some credit!! That was origionally a spoof of the goodtimes hoax.
and start addressing the primary issue at hand. The issue is system administrators need to take proactive measures to make sure their systems have been patched. That's the problem and thats what needs to be addressed. There is nothing significantly fascinating about this program that deserves any noteriarty. It didn't find some weird flaw in design. It just exploits a buffer overflow which has always been a problem in peoples code. It's a really simple thing to fix at that. Enough about Code Red and more about the underlying problem.
Microsoft loves it because they get to release patches, and proclaim to the world "we're the good guys, protecting you from those unamerican people who share code!"
The lawmakers get shits and giggles because now they have a reason to pass new, more restrictive laws regarding comminication across "the information superhighway."
The prison system salivates over this sort of stuff. It creates more potential for 15 year old kids to be thrown in prison for essentially victomless crimes. Nothing like young ass for the seasoned prison rapists!
Open source fanatics get another nit to pick with big bad Microsoft. Go free software! No, go open source! No, go free software!
News like this is the best kind around.
The middle mind speaks!
To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected.
From: Support@iis.microsoft.com
To: Registered_Users@iis.microsoft.com
CC:
Subject: RE: IIS Code Red Worm Patch
Attachment: Instructions.doc
Body:
Hi, how are you?
We are writing you in response to the Code Red worm that has recently attacked our premium enterprise gold standard web portal system, Microsoft Internet Information Server. We have compiled a set of directions for patching the server, and have included these instructionsin a easy to read Word document. If MS Outlook didn't automagically open this attachment for you, double click on the attachment link above.
If you have any advice on this file, please email us back!
See you later!
I'm a gun nut, but even I will say that a maker of a defective gun should be liable. If it explodes in your hand, that's an issue. IIS is exploding in a way, and MS should be liable.
My view is very simple: Things you buy shouldn't suck.
Ah coding practices. Sorry, Murphy's law you know. If it can go wrong it will go wrong (and he porves himself right a lot lately). That's why even prorgams that have been around since the early days of UNIX are sometimes caught with their pants down (recent BIND bug anyone).
Any manual check can be forgotten and be a potential security hole. Once it is forgotten it merely depends on who finds the hole first: script kiddie or code maintainer.
And lets rub this in deeply, there are plenty of languages that protect you against the single most frequent cause of security leaks that is costing the world billions of dollars in damage annually (and it sure isn't C). Any program that is going to be exposed to hackers (i.e. any internet server software) should never ever be programmed in C. You simply cannot guarantee that the compiler and libraries are correct. Even if your program is correct, those still can be a potential source of bugs. Your average UNIX system likely has dozens of undiscovered potential buffer overflows.
Us java programmers are laughing our asses of each time a buffer overflow is wreaking havoc on the internet. We don't have to worry about such things. Java may not be the greatest thing, but you can rest assure that buffer overflows won't happen.
Jilles
RoadRunner is additionally trying to shut down individual cable modems, rather than some of the more extreme measures other providers are using (like killing port 80), so kudos to them. Please get the word out to anyone running 2K or NT to check their box, not just anyone who KNOWS they're running a website.
+5:offtopic,but anti-American
I spent a couple of hours yesterday sending out emails to just about everyone that hit my box at home. Just toss the IP into a browser and get some contact info from the site that comes up (if one does come up). I got MANY replies thanking me for finding that "hidden" box on their network.
And no, this isn't the time to send off an email that says "ditch your M$ crap and goto apache" because most of these poor admins aren't running IIS because they WANT to...it's what they HAVE to do.
So let's take back some bandwidth already!
hmmm...
This sig intentionally left blank.
Get over it. Code Red is dead.
The folks here at the Fortune 500 company I work for who have been working around the clock since Wednesday trying to clean up this mess will be real happy to hear that you don't believe it exists.
The media talked about it for weeks. Ford sent out letters to customers as far as they could find them. People brought their SUVs in, got new tires put on them, drove out. That's how product recalls usually go.
Software patches aren't all that different. When a hole is discovered, a patch is made. Responsible Microsoft server administrators have the MS site automatically checked on a daily basis for critical updates and patches. Irresponsible admins don't bother, and they become vulnerable and the cause of the worm's spread.
But it would be insane to propose MS should force-feed this server patch to all their customers. The problem isn't the software, it's the admins. You'd be hard-pressed to find a major newspaper in the civilized world that hasn't mentioned this worm yet, and still there are people who don't bother to patch. They're the same ones who think that server software is just like desktop software, where you're the only one who uses it that really matters.
Firestone couldn't make its customers bring their SUVs in to have the tires replaced for free, and there's no way the customers could claim ignorance of the problem after the press got done with it. Likewise, Microsoft can't make its customers upgrade their software for free. They've honestly tried to make all their server customers aware of what's expected of them, but they're as powerless to force it to happen as Firestone is to force car drivers to rotate their tires every 6,000 miles.
My suspicion is this is Code Red 2. One of the AV companies used "CodeRed.v3" or something similar to refer to Code Red 2, and I'd bet the journalists were just too clueless to figure out that the two names refer to the same thing.
More popular with whom? If there's anything these worms have shown us, it's that there's a HELL of a lot more IIS installations then anybody would really have guessed, due to the ease of installing it without even realizing it with Windows 2000.
IIS and Apache may be roughly comparable for "real" websites, but in terms of sheer number of installations, I'd now bet that IIS is creaming apache.
Before you get too huffy, note this is a bad thing, as it has provided a fertile breeding ground for these worms, while providing little-to-no benefit in return.
"More lusers with vulnerable web servers then ever before - Microsoft Windows 2000."
http://www.incidents.org/diary/august2001.php#801 courtesy of incidents.org
Well if they had written it write the first time there'd be no need for duplicates because it would have been decent enough to trash IIS when it was done.
The thing is, with Perl and Java, the language's runtime handles memory allocation/de-allocation. And barring a bug in the language itself, there's no way an app written in such language can overflow a buffer. Either the buffer will be grown dynamically to fit the data, or the app will get an exception. But corruption of unrelated data cannot happen in this way.
$5 / month hosted VPS on linux = awesome!
Code Red II doesn't give you Administrator access; root.exe usually runs with the privaleges of the Internet Guest Account.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
They probably understand the fact that there is VERY little that they can do (other than blocking port 80) than inform their users of what to do. At least they are giving "Worm? I have a worm in my computer? There's no dirt in there" guys the information.
;)
As much as I hate Verizon and their bullshit, at least they are trying to do something.
Gotta give em SOME credit
Claiming that Microsoft should be liable for sysadmins who are some combination of naive, out of touch, unqualified, or just plain stupid is like claiming that I can sue Honda because my parked car was sideswiped by an unlicensed, drunk driver who just happened to be in an Accord.
*: This also applies to NT 4.0.
This sig intentionally left blank.
Because we're not talking about admins, but gullible users. When I did a quick toor to the hacked sites in my apache log, most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software. Nobody ever told them that the software is considered harmful, and needs constant babysitting. Sounds like a good enough reason for a class action law suite to me.
-- Another senseless waste of fine bytes.
No, this fun new version is "XXXXXXXX".
And the only thing I saw wrong in that report is that they believed the companies in question when they reported "isolated" problems that have already been fixed.
I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.
The pisser is none of MY servers were affected, but I'm still dead in the water because of a bunch of idiots on other teams and projects.
You may get 403'd several times, as the infected machines reach their limits after a while. Just keep poking at it, you'll get your directory listing. What you won't get, though, is privilege enough to shut down either IIS or the OS itself, format the drives, reboot the box, etc.
Some folks have taken to leaving graffiti in infected machines as they find them. It's awfully tempting...
Warning: This signature may offend some viewers.
I can't count the number of times when patches have been applied to NT-based servers, only to have other server software (generally third-party) die after the patch is put into place.
Certainly, applying the patch is a necessary thing - but when you look at it from a business perspective, which is worse:
1. Apply the patch, have our other server stuff stop working (say, our lovely ASP stuff), and lose money - but save the rest of the internet.
2. Don't apply the patch - we keep making money - and screw everybody else - we will wait.
Suddenly, it all makes sense...
Reason is the Path to God - Anon
Windows get's targeted because it's the most common OS. Apache is the most common web server; why isn't apache targeted? Nothing MS is known for it's great security or reliability; Why is it always the MS product that gets hit with a virus/worm? Because it's easy.
Have you ever read the GPL?
It specifically disclaims any and all liabilities and warranties.
If the Microsoft EULA disclaiming responsibility is invalid, isn't the GPLs? If you argue that GPLed software is free, so consumer protection laws don't apply, then what if you paid Red Hat $15 for their distribution?
Regardless of whether you paid them for the packaging or the 1-800 support number, you bought something from 'em, so shouldn't they be liable if your linux box ruins your MySQL database?
Read the MS EULA (End User License Agreement)
for example, if you load MS/NT/W2K on a PC that controls your companies Fire Alarms and because of a virus/worm/???? your Fire Alarms are down when a fire starts and burns your business to the ground (including physical injury to staff)....
MS is NOT liable for one red cent of any kind of damagaes....
MS was certainly not the first S/W company to immunize themselves from product liability through licensing....
BUT, the MS license agreement is one way non-negotiable (Take it or Don't Load It), not subject (by the user) to any modification under any circumstances (if a consultant GUARANTEES anything about Windows performance that's not binding on MS) and best of all....
the mere fact that you install the s/w is COMPLETELY BINDING ON YOU AND ALL YOUR COWORKERS...
SO, if over your loud objections, your IS/IT dept installs W2K in your department and it crashes another app (say an Oracle8 database on Solaris) and destroys it completely, well, the mere act of installation binds you completely, even if you didn't want it, didn't need and told everyone that if ruin your existing applications...
NOW THAT'S ***INNOVATION***
Ten quid, she's so easy to blind. And not a word is spoken...