Slashdot Mirror

← Back to Stories (view on slashdot.org)

Code Red III

Posted by ryuzaki0 on from the are-we-there-yet-mommy dept.

drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.

15 of 759 comments (clear)

  1. Re:Bah. by austad · · Score: 5, Insightful

    How about an apache box in front of the IIS server with mod_proxy installed and setup as a reverse proxy filtering out default.ida requests??

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  2. Stop addressing Code Red by I_redwolf · · Score: 4, Insightful

    and start addressing the primary issue at hand. The issue is system administrators need to take proactive measures to make sure their systems have been patched. That's the problem and thats what needs to be addressed. There is nothing significantly fascinating about this program that deserves any noteriarty. It didn't find some weird flaw in design. It just exploits a buffer overflow which has always been a problem in peoples code. It's a really simple thing to fix at that. Enough about Code Red and more about the underlying problem.

  3. Re:Microsoft should be sued by IronChef · · Score: 3, Insightful


    I'm a gun nut, but even I will say that a maker of a defective gun should be liable. If it explodes in your hand, that's an issue. IIS is exploding in a way, and MS should be liable.

    My view is very simple: Things you buy shouldn't suck.

  4. One problem.... by JohnTheFisherman · · Score: 3, Insightful
    People need to patch servers that don't know they're servers. I have RoadRunner (cable modem), and I looked at my logs, and decided to try and track a few people down via http://ipattackingme. Almost none of them had a website up - just the stock 'page under construction.' So I suspected (and RR tech suppt. confirmed this) that most of these people are running IIS and DON'T KNOW THEY'RE RUNNING IIS.

    RoadRunner is additionally trying to shut down individual cable modems, rather than some of the more extreme measures other providers are using (like killing port 80), so kudos to them. Please get the word out to anyone running 2K or NT to check their box, not just anyone who KNOWS they're running a website.

    --
    +5:offtopic,but anti-American
  5. Re:Microsoft should be sued by Keith+Russell · · Score: 3, Insightful
    ...I still think Microsoft is guilty here because their customers weren't aware their Windows-running boxes could start chewing up bandwidth...
    If you are a sysadmin responsible for any server, regardless of operating system, it's your job to be aware. Microsoft's poor record may drive up the frequency of patches, but that doesn't change the fact that the difference between a good sysadmin and a bad one is the knowledge that no server runs itself.
    --
    This sig intentionally left blank.
  6. Re:Copycats by Syberghost · · Score: 5, Insightful

    Get over it. Code Red is dead.

    The folks here at the Fortune 500 company I work for who have been working around the clock since Wednesday trying to clean up this mess will be real happy to hear that you don't believe it exists.

  7. It's not like they haven't announced the patch by mblase · · Score: 5, Insightful
    Remember the recent Ford Explorer/Firestone fiasco? Firestone made a bunch of flawed tires (when and where is not important here) that were put on these Explorer SUVs, which in some cases fell apart and came off the wheel when driving at high speeds. Investigations were made, and eventually Firestone had to issue a complete recall of the tires.

    The media talked about it for weeks. Ford sent out letters to customers as far as they could find them. People brought their SUVs in, got new tires put on them, drove out. That's how product recalls usually go.

    Software patches aren't all that different. When a hole is discovered, a patch is made. Responsible Microsoft server administrators have the MS site automatically checked on a daily basis for critical updates and patches. Irresponsible admins don't bother, and they become vulnerable and the cause of the worm's spread.

    But it would be insane to propose MS should force-feed this server patch to all their customers. The problem isn't the software, it's the admins. You'd be hard-pressed to find a major newspaper in the civilized world that hasn't mentioned this worm yet, and still there are people who don't bother to patch. They're the same ones who think that server software is just like desktop software, where you're the only one who uses it that really matters.

    Firestone couldn't make its customers bring their SUVs in to have the tires replaced for free, and there's no way the customers could claim ignorance of the problem after the press got done with it. Likewise, Microsoft can't make its customers upgrade their software for free. They've honestly tried to make all their server customers aware of what's expected of them, but they're as powerless to force it to happen as Firestone is to force car drivers to rotate their tires every 6,000 miles.

  8. Version 3? Don't think so. by Todd+Knarr · · Score: 5, Insightful

    My suspicion is this is Code Red 2. One of the AV companies used "CodeRed.v3" or something similar to refer to Code Red 2, and I'd bet the journalists were just too clueless to figure out that the two names refer to the same thing.

  9. Obviously,IIS is *vastly* more popular then apache by Jerf · · Score: 4, Insightful
    They quote a columnist for Microsoft's TechNET who makes the false claim that IIS is more popular than apache, and attributes the widespread exploits to that (false) popularity!

    More popular with whom? If there's anything these worms have shown us, it's that there's a HELL of a lot more IIS installations then anybody would really have guessed, due to the ease of installing it without even realizing it with Windows 2000.

    IIS and Apache may be roughly comparable for "real" websites, but in terms of sheer number of installations, I'd now bet that IIS is creaming apache.

    Before you get too huffy, note this is a bad thing, as it has provided a fertile breeding ground for these worms, while providing little-to-no benefit in return.

    "More lusers with vulnerable web servers then ever before - Microsoft Windows 2000."

  10. make some money off banner ads by SethJohnson · · Score: 5, Insightful


    Taco, I recommend you sign up with one of those online casino sites and host banner ads on your server with the file name of /default.ida. You should be able to rack up a few thousand unique page views a day by pointing the scourge at the scourge (ala Fist Full of Dollars).
    --
    $5 / month hosted VPS on linux = awesome!
  11. Re:Code Red is trying to eat me! by garcia · · Score: 3, Insightful

    They probably understand the fact that there is VERY little that they can do (other than blocking port 80) than inform their users of what to do. At least they are giving "Worm? I have a worm in my computer? There's no dirt in there" guys the information.

    As much as I hate Verizon and their bullshit, at least they are trying to do something.

    Gotta give em SOME credit ;)

  12. Re:Microsoft should be sued by Keith+Russell · · Score: 5, Insightful
    ...most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software.
    IIS doesn't even run on 9x, ME, or other spawn of 3.x. 2000 Professional* does not install IIS by default. Your Joe Schmoe must have either installed IIS after installing W2kPro, or installed W2k Server, which does install IIS automatically. Either way, he took deliberate action to make his PC a server, and with it, took on the responsibility of keeping that server up-to-date.

    Claiming that Microsoft should be liable for sysadmins who are some combination of naive, out of touch, unqualified, or just plain stupid is like claiming that I can sue Honda because my parked car was sideswiped by an unlicensed, drunk driver who just happened to be in an Accord.

    *: This also applies to NT 4.0.
    --
    This sig intentionally left blank.
  13. Re:Microsoft should be sued by blang · · Score: 5, Insightful

    Because we're not talking about admins, but gullible users. When I did a quick toor to the hacked sites in my apache log, most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software. Nobody ever told them that the software is considered harmful, and needs constant babysitting. Sounds like a good enough reason for a class action law suite to me.

    --
    -- Another senseless waste of fine bytes.
  14. Re:Bah. by Syberghost · · Score: 3, Insightful

    No, this fun new version is "XXXXXXXX".

    And the only thing I saw wrong in that report is that they believed the companies in question when they reported "isolated" problems that have already been fixed.

    I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.

    The pisser is none of MY servers were affected, but I'm still dead in the water because of a bunch of idiots on other teams and projects.

  15. Re:Microsoft should be sued by cr0sh · · Score: 3, Insightful

    I can't count the number of times when patches have been applied to NT-based servers, only to have other server software (generally third-party) die after the patch is put into place.

    Certainly, applying the patch is a necessary thing - but when you look at it from a business perspective, which is worse:

    1. Apply the patch, have our other server stuff stop working (say, our lovely ASP stuff), and lose money - but save the rest of the internet.
    2. Don't apply the patch - we keep making money - and screw everybody else - we will wait.

    Suddenly, it all makes sense...

    --
    Reason is the Path to God - Anon