Slashdot Mirror


Code Red III

drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.

9 of 759 comments

  1. Re:Bah. by austad · · Score: 5, Insightful

    How about an apache box in front of the IIS server with mod_proxy installed and set up as a reverse proxy filtering out default.ida requests??

    --
    Need Free Juniper/NetScreen Support? JuniperForum
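
The reverse-proxy filter suggested in the comment above, as an added configuration example that is not part of the original post. It assumes Apache 2.4 with mod_proxy, mod_proxy_http, mod_authz_core and mod_setenvif loaded; the host name, back-end address and log path are placeholders.

```apache
# Constructed example: front-end Apache virtual host that relays traffic
# to an IIS back end and refuses default.ida requests at the edge.
<VirtualHost *:80>
    ServerName www.example.com

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off

    # Refuse default.ida before it is forwarded. IIS treats paths
    # case-insensitively, so the match has to as well. Only the path is
    # matched here; the query string is not part of it.
    <LocationMatch "(?i)^/default\.ida">
        Require all denied
    </LocationMatch>

    # Everything else is relayed to the IIS back end (placeholder address).
    ProxyPass        / http://192.0.2.10/
    ProxyPassReverse / http://192.0.2.10/

    # Tag refused probes and log them separately so the source
    # addresses can be counted later.
    SetEnvIfNoCase Request_URI "^/default\.ida" ida_probe
    CustomLog logs/ida_probe.log "%h %t \"%r\" %>s" env=ida_probe
</VirtualHost>
```

The filter only helps if the IIS host accepts connections from the proxy alone; a back end that is still directly reachable on port 80 bypasses it.
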
  2. Stop addressing Code Red by I_redwolf · · Score: 4, Insightful

    and start addressing the primary issue at hand. The issue is system administrators need to take proactive measures to make sure their systems have been patched. That's the problem and that's what needs to be addressed. There is nothing significantly fascinating about this program that deserves any notoriety. It didn't find some weird flaw in design. It just exploits a buffer overflow which has always been a problem in people's code. It's a really simple thing to fix at that. Enough about Code Red and more about the underlying problem.

  3. Re:Copycats by Syberghost · · Score: 5, Insightful

    Get over it. Code Red is dead.

    The folks here at the Fortune 500 company I work for who have been working around the clock since Wednesday trying to clean up this mess will be real happy to hear that you don't believe it exists.

  4. It's not like they haven't announced the patch by mblase · · Score: 5, Insightful
    Remember the recent Ford Explorer/Firestone fiasco? Firestone made a bunch of flawed tires (when and where is not important here) that were put on these Explorer SUVs, which in some cases fell apart and came off the wheel when driving at high speeds. Investigations were made, and eventually Firestone had to issue a complete recall of the tires.

    The media talked about it for weeks. Ford sent out letters to customers as far as they could find them. People brought their SUVs in, got new tires put on them, drove out. That's how product recalls usually go.

    Software patches aren't all that different. When a hole is discovered, a patch is made. Responsible Microsoft server administrators have the MS site automatically checked on a daily basis for critical updates and patches. Irresponsible admins don't bother, and they become vulnerable and the cause of the worm's spread.

    But it would be insane to propose MS should force-feed this server patch to all their customers. The problem isn't the software, it's the admins. You'd be hard-pressed to find a major newspaper in the civilized world that hasn't mentioned this worm yet, and still there are people who don't bother to patch. They're the same ones who think that server software is just like desktop software, where you're the only one who uses it that really matters.

    Firestone couldn't make its customers bring their SUVs in to have the tires replaced for free, and there's no way the customers could claim ignorance of the problem after the press got done with it. Likewise, Microsoft can't make its customers upgrade their software for free. They've honestly tried to make all their server customers aware of what's expected of them, but they're as powerless to force it to happen as Firestone is to force car drivers to rotate their tires every 6,000 miles.

  5. Version 3? Don't think so. by Todd Knarr · · Score: 5, Insightful

    My suspicion is this is Code Red 2. One of the AV companies used "CodeRed.v3" or something similar to refer to Code Red 2, and I'd bet the journalists were just too clueless to figure out that the two names refer to the same thing.

  6. Obviously, IIS is *vastly* more popular than apache by Jerf · · Score: 4, Insightful
    They quote a columnist for Microsoft's TechNET who makes the false claim that IIS is more popular than apache, and attributes the widespread exploits to that (false) popularity!

    More popular with whom? If there's anything these worms have shown us, it's that there's a HELL of a lot more IIS installations than anybody would really have guessed, due to the ease of installing it without even realizing it with Windows 2000.

    IIS and Apache may be roughly comparable for "real" websites, but in terms of sheer number of installations, I'd now bet that IIS is creaming apache.

    Before you get too huffy, note this is a bad thing, as it has provided a fertile breeding ground for these worms, while providing little-to-no benefit in return.

    "More lusers with vulnerable web servers than ever before - Microsoft Windows 2000."

  7. make some money off banner ads by SethJohnson · · Score: 5, Insightful


    Taco, I recommend you sign up with one of those online casino sites and host banner ads on your server with the file name of /default.ida. You should be able to rack up a few thousand unique page views a day by pointing the scourge at the scourge (à la A Fistful of Dollars).
  8. Re:Microsoft should be sued by Keith Russell · · Score: 5, Insightful
    ...most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software.
    IIS doesn't even run on 9x, ME, or other spawn of 3.x. 2000 Professional* does not install IIS by default. Your Joe Schmoe must have either installed IIS after installing W2kPro, or installed W2k Server, which does install IIS automatically. Either way, he took deliberate action to make his PC a server, and with it, took on the responsibility of keeping that server up-to-date.

    Claiming that Microsoft should be liable for sysadmins who are some combination of naive, out of touch, unqualified, or just plain stupid is like claiming that I can sue Honda because my parked car was sideswiped by an unlicensed, drunk driver who just happened to be in an Accord.

    *: This also applies to NT 4.0.
    --
    This sig intentionally left blank.
  9. Re:Microsoft should be sued by blang · · Score: 5, Insightful

    Because we're not talking about admins, but gullible users. When I did a quick tour of the hacked sites in my apache log, most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software. Nobody ever told them that the software is considered harmful, and needs constant babysitting. Sounds like a good enough reason for a class action lawsuit to me.

    --
    -- Another senseless waste of fine bytes.