Code Red III
drcrja was the first to send us this brief bit about Code Red III, which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's Apache log trying hopelessly to overflow my buffer.
I've heard all sorts of rumours about this thing. Now whenever I hear people talk about "Code Red III", I give up asking them what it is. It doesn't exist. If it does, it is about time.
The media seems to think that Code Red 1 was July 19, Code Red 2 was Aug 1, and Code Red 3 is the one with the back door. In other words, they're only figuring out now how bad Code Red II is.
Tom Liston came up with a cool idea for slowing Code Red and other TCP port scanners. He didn't have the bandwidth to host it, and I offered. So, this is a shameless plug, but if we can get enough of us doing this and get some press coverage, it's a great story that shows the power and speed with which open source solutions can be implemented. He first posted the idea on 7/31, just before Code Red started heating up again. Using the Trinux (http://www.thrinux.org) Linux distribution, he cobbled together a floppy boot image that, with unused IP addresses and an old machine, can be used to slow the scans by responding to the initial TCP three-way handshake and then ignoring everything else. The automated scanner has to time out before that thread can move on. According to reports on the SANS Intrusions discussion list, it seems to slow all variants of Code Red, and RPC scans as well. His announcement of LaBrea is at: http://www.incidents.org/archives/intrusions/msg01368.html
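As an added example (written for this page, not Tom Liston's LaBrea code, and not using Trinux or raw packets), here is the mechanism the post describes reduced to ordinary sockets: a listener whose kernel completes the three-way handshake and which then never reads or writes, and a client that behaves like one Code Red scanning thread, sending its probe and sitting in its read timeout. The probe request line is constructed to resemble a Code Red hit; the port, timeout and host are assumptions for the demonstration.

```python
"""Minimal LaBrea-style TCP tarpit, as an illustration of the idea in the
post. Real LaBrea answers SYNs for unused addresses with crafted packets;
here a normal listening socket stands in for it: the kernel completes
the handshake, the server accepts and then simply holds the connection
without ever replying, so the scanner's thread waits out its timeout."""
import socket
import threading
import time


def start_tarpit(host="127.0.0.1", port=0):
    """Listen, accept every connection, and hold it open without replying.

    Returns (listening_socket, held) where held is the list of accepted
    connections; the caller closes them (and the listener) when done.
    Host/port are assumptions for the demo (port 0 = pick a free one).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    held = []

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed: shut down quietly
            held.append(conn)  # never read, never write: the tarpit

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, held


def probe_like_scanner(port, timeout=0.5, host="127.0.0.1"):
    """Act like one Code Red scanning thread: connect, send the probe,
    wait for a reply. Returns (status, seconds_stuck) where status is
    "reply", "closed" or "timeout". The request line is constructed to
    look like a Code Red probe (long run of N's against /default.ida)."""
    probe = b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n\r\n"
    t0 = time.monotonic()
    s = socket.create_connection((host, port), timeout=timeout)
    try:
        s.sendall(probe)          # accepted by the kernel buffer, never read
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
            status = "reply" if data else "closed"
        except socket.timeout:
            status = "timeout"    # the scanner thread has been held this long
    finally:
        s.close()
    return status, time.monotonic() - t0


if __name__ == "__main__":
    srv, held = start_tarpit()
    port = srv.getsockname()[1]
    print("tarpit listening on", port)
    print(probe_like_scanner(port, timeout=1.0))
    print("connections held:", len(held))
    for c in held:
        c.close()
    srv.close()
```

The point to take from it: the cost to the tarpit is one held socket per scanner thread, while the cost to the scanner is a full timeout per unused address it touches, which is why spare IP space plus an old machine is enough.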
Hi,
I've been watching my Apache log as I get hit about every 10 minutes by Code Red. For each source IP address I've been doing a reverse lookup and if successful then notifying the webmaster of the source domain about the infected computer on their network.
I'd like to automate this process and generate a "form" email, filling in the relevant details, but I'm not sure how to cause a script to be invoked by a change in the Apache log, except to maybe run a 5 minute cron job that grabs all the Code Red attacks and then renames the log file.
An example of the email I've been sending is this:
Hi,
Just a note to let you know that a copy of the Code Red virus is on your network attacking my web server. The source IP address is: 207.151.xxx.xxx which a reverse lookup shows as xxx.xxx.gdsl.nwc.net . If this is a customer on your network then please pass on to that individual that they need to reboot their NT/W2K server and possibly reinstall their OS. They will also need to get a patch from Microsoft to correct this vulnerability.
This is probably a very minuscule thing to do, but it does - in a way - inoculate against the virus, at least on consumer DSL networks, and in a manner that is both ethical and - like a virus - fairly contagious. I've heard a lot of buzz in places like Slashdot about making an "anti-virus", but why haven't I heard this kind of thing suggested before?
-- thinkyhead software and media
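The automation thinkyhead asks about, as an added example that is not the poster's own script: parse Apache common-log lines, keep only requests that carry the Code Red filler against /default.ida (a plain request for /default.ida from a vulnerability scanner is deliberately not counted), group hits by source IP, reverse-resolve each one, and fill in the form e-mail above. The sample log lines are constructed, the "webmaster@ the last two labels of the PTR name" rule is an assumption (real abuse contacts come from whois/RIR records), and the resolver is injectable so the script can be exercised offline. A set of already-notified IPs is kept so that a periodic cron run does not mail the same network every five minutes.

```python
"""Pull Code Red probes out of an Apache access log and draft the
notification e-mail from the post. Sample log lines are constructed."""
import re
import socket
from collections import defaultdict
from email.message import EmailMessage

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# Code Red I pads /default.ida? with a long run of N's, Code Red II with
# X's, followed by %u-encoded shellcode. Requiring the filler avoids
# counting a lone GET /default.ida from a scanner as an infection.
CODE_RED_RE = re.compile(r"^GET /default\.ida\?(N{100,}|X{100,})")


def _probe_line(ip, ts, filler):
    """Build one constructed log line shaped like a Code Red hit."""
    return f'{ip} - - [{ts}] "GET /default.ida?{filler}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 -'


SAMPLE_LOG = "\n".join([
    _probe_line("207.151.0.1", "04/Aug/2001:10:02:11 -0700", "N" * 224),
    '10.0.0.5 - - [04/Aug/2001:10:03:40 -0700] "GET /index.html HTTP/1.1" 200 1234',
    _probe_line("207.151.0.1", "04/Aug/2001:10:12:15 -0700", "N" * 224),
    _probe_line("192.0.2.77", "04/Aug/2001:10:20:03 -0700", "X" * 224),
    '198.51.100.9 - - [04/Aug/2001:10:21:00 -0700] "GET /default.ida HTTP/1.0" 404 -',
]) + "\n"


def code_red_hits(log_text):
    """Return {source_ip: [timestamps]} for lines matching a Code Red probe."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not CODE_RED_RE.match(m["request"]):
            continue
        hits[m["ip"]].append(m["time"])
    return dict(hits)


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """PTR name for ip, or None when there is none (nobody to write to)."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror / gaierror are subclasses of OSError
        return None


def abuse_contact(hostname):
    """Assumed rule for the demo: webmaster@ the last two labels of the PTR
    name. Real abuse contacts should come from whois/RIR records."""
    labels = hostname.rstrip(".").split(".")
    return "webmaster@" + ".".join(labels[-2:])


def build_notice(ip, hostname, times, my_server="my web server"):
    """Fill in the form e-mail from the post for one source address."""
    msg = EmailMessage()
    msg["To"] = abuse_contact(hostname)
    msg["Subject"] = f"Code Red infected host on your network: {ip}"
    msg.set_content(
        "Hi,\n\n"
        "Just a note to let you know that a copy of the Code Red worm is on\n"
        f"your network attacking {my_server}. The source IP address is:\n"
        f"{ip}, which a reverse lookup shows as {hostname}.\n"
        f"It hit my server {len(times)} time(s), most recently at {times[-1]}.\n\n"
        "If this is a customer on your network then please pass on to that\n"
        "individual that they need to reboot their NT/W2K server and possibly\n"
        "reinstall their OS. They will also need to get the patch from\n"
        "Microsoft for the IIS .ida buffer overflow (MS01-033) to correct\n"
        "this vulnerability.\n"
    )
    return msg


def notices_for_log(log_text, resolver=socket.gethostbyaddr, already_notified=None):
    """One EmailMessage per resolvable source IP not notified before.
    already_notified is updated in place so a cron job can persist it."""
    seen = already_notified if already_notified is not None else set()
    out = []
    for ip, times in sorted(code_red_hits(log_text).items()):
        if ip in seen:
            continue
        host = reverse_lookup(ip, resolver)
        if host is None:
            continue  # no PTR record: the post skips these too
        seen.add(ip)
        out.append(build_notice(ip, host, times))
    return out


if __name__ == "__main__":
    # Dry run over the constructed sample; hand the messages to smtplib to send.
    for m in notices_for_log(SAMPLE_LOG):
        print(m)
```

Run it from cron against the live access log (or the rotated copy the post mentions) and persist the `already_notified` set between runs; that, rather than renaming the log, is what keeps one infected host from generating a mail every five minutes.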
but I have not seen any instances of attempted infection.
It's all very vague, and the chances of mistaking Code Red rev C for Code Red III (rev C = version II) are simply too high.
I also assume that this takes advantage of the same Index vulnerability in IIS, and if anyone has been hit by either of the first two versions, they will have minimised the risks of a new version that uses the same vulnerability.
I'm not even sure how to spell regexe, but this is what I've attempted to do: