Slashdot Mirror


Code Red: the Aftermath

LiquidPC writes: "Microsoft has released a tool to help clean up the effects of the Code Red II. It removes the files and mappings installed by the worm, and reboots your system; it also gives you an option to permanently disable IIS." So, Microsoft has given you a mop to clean up the mess they made. Start mopping! If you're not the one infected, just tired of seeing your Apache logs fill up, you might see this page.

24 of 505 comments

  1. Re:FUD ALERT by dzeanah · · Score: 2, Informative

    Second, that FUD about service packs re-breaking the OS is just garbage. Please give me ONE example, JUST ONE, of a service pack opening up new holes for ANY WINDOWS OS, 3.1 and up. You can't because you are a paid basher talking out of your ass.

    Service pack 2 for NT Server made it so my machine rebooted the 2nd time I accessed a device on the floppy controller. Streamer or floppy -- first access is fine, 2 seconds after the 2nd access I was looking at a black screen and the PC was doing a POST (read: no shutdown, just an immediate reboot). SP3 fixed it, and it wasn't there pre-service pack. When I worked at a major law firm in Atlanta, our DC office had a ton of hard-to-reproduce problems related to the BDC over there. Turns out the admin installed SP4 when it came out because he trusted MS releases. Uninstalled to SP3 and it was solid as a rock. Put SP5 on and it was still great. SP6 sucked, but 6a was just fine (except it broke the way some NT boxes routed, apparently). So maybe the rule is to avoid even-numbered service packs.

  2. Actually: authors of strncat() MAN PAGE and gets() by Ungrounded+Lightning · · Score: 5, Informative

    Blame the bozo who designed strncat!

    strncat() isn't a problem by itself. The problem is improper usage patterns.

    When you're building a string by repeated strncat()s to a buffer, and you don't have guarantees about the size of the things you're concatenating, you need to prevent (or check for) overflow, something like this:

    strncat(dest, src, MIN((BUFFSIZE - 1) - strlen(dest), chars_wanted_from_src));

    Without such an example in the man page it's easy to forget to guard against buffer overflow. And once code is written with guards for overflow, the guard code will serve as a reminder to later programmers maintaining or upgrading the code.

    But strncat() isn't the main culprit.

    Most of the buffer overflow attacks come from reading an input using gets(). That bad boy should have had a buffer size argument, à la fgets(). And it's the decision to keep it in the standard library "for compatibility" that causes all the pain.

    The gnu compiler will warn you if you use it and the man page has a warning, so there's no excuse for it to show up in new code any more. And there's no excuse for not fixing ALL the warnings in a piece of production code, or for using (or writing) a compiler that DOESN'T warn about gets().

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  3. Re:Stop blaming microsoft by blakestah · · Score: 5, Informative

    The rest of us applied the patch supplied by Microsoft more than a month before CR came out...

    And were still vulnerable until we disabled URL forwarding.

    The Microsoft patch alone is not useful. You are still at risk. See Incidents home page

    I'm so sick of people blaming Microsoft. They released a patch well before Code Red. Get over it.

    Microsoft STILL hasn't released a patch that makes their webserver secure and allows URL forwarding. Their patch has its own security hole!!

    Blame Microsoft, or simply use Internet server software that is secure. All mine is written by Dan Bernstein :)

  4. Re:So how did your site fare? by Anonymous Coward · · Score: 1, Informative

    The large automotive company I work for got hit on the internal network last Monday. We lost much of the networking for three days as everything run by IS is NT based (DNS etc.)

    Fortunately the applications I'm responsible for run on Solaris, Linux and Tomcat, so they stayed up fine, but none of our external customers could see them due to much of the internal infrastructure being closed down.

    The access logs for the servers indicate that my app was probed by at least 300 unique servers from inside the firewall. The issue is now mostly solved on my local domain, but I can watch the worm spreading throughout the rest of the organisation.

    This is the third major incident this year due to a combination of bad administration and having chosen a complete MS based infrastructure (previous outbreaks of Outlook issues have closed the networks for several days). I can't understand why nobody is questioning this decision.

  5. Aftermath? by dohcvtec · · Score: 2, Informative

    The headline implies that the whole Code Red experience is over. I know everybody wants it to be over, but it doesn't seem to be over from where I'm sitting, looking at the sheer volume of logged packets hitting my firewall. So Microsoft has released a solution to the Code Red II worm. That's great, but now try to get most of the infected users to use it. I haven't seen any slowdown in probes from infected machines yet, so I'll believe it when I see it.

    --
    -- Never hit a man with glasses. Hit him with a baseball bat.
  6. Re:FUD ALERT by Longstaff · · Score: 2, Informative

    It seems to me that a GOOD ADMIN would have any important data backed up prior to installing/upgrading any mission critical servers. Just because you're a negligent moron doesn't mean that Windows sucks.

    You're correct that a "Good Admin" would back their data up before performing a system upgrade / patch.

    However, in this case, Windows DOES suck, regardless of the (moron|genius) at the keyboard.

    Any system that *requires* OS updates to be bundled and installed along with the application (IIS) updates is broken. It matters not if you have an intern "administering" the box or a 10-year-vet.

    If, for some reason, the latest bugfix from Apache broke compatibility with a current or previous Linux kernel, I can always pop a new kernel in there. On my own time. Checking to make sure that none of my other apps will break. Even if I'm not paying attention and blindly upgrade Apache without checking its deps, I'm left with an unusable Apache - my data is still there. I can just backpedal to my previous Apache and I'm up again.

    Not so with (2K|NT)/IIS. Install SP, hose machine...reinstall...

    One of these situations takes a little more time than the other...

  7. Re:Stop blaming microsoft by Anonymous Coward · · Score: 1, Informative

    idq.dll (the bad boy) is an ISAPI handler written in C

  8. And it keeps going by bonzoesc · · Score: 4, Informative

    I got this mail, and the problem is that people are WAY TOO STUPID to know what to do. If the microsoft patch can tell if it needs to do anything or not, RR and @home security should point everybody to it.

    From: security@cfl.rr.com
    To: Our Valued Customers
    Subject: Security Notification

    ROAD RUNNER ALERT

    VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.

    Dear Road Runner Subscriber:

    Road Runner, like many other ISPs and, indeed, the entire Internet, has
    experienced an attack on its network that apparently is attributable to a
    strain of the Code Red virus. It is possible that this virus has infected
    the PCs of Road Runner customers using the Microsoft Windows NT Server or
    Microsoft Windows 2000 Server operating systems. Infected PCs may
    continue to flood the Internet and the Road Runner network with
    virus-generated messages (even without your being aware of it).

    Road Runner is working to alert all of its subscribers to this problem
    and to instruct them on where to find and install the patch necessary to
    eliminate the virus. In the meantime, Road Runner customers may
    experience slow network response, flashing data lights on their cable
    modems, and other symptoms (such as unusual port scan log activity or
    increased firewall activity) while Road Runner and the Internet community
    work to control the impact of this virus.

    IF YOUR PC IS RUNNING WINDOWS 2000 SERVER OR WINDOWS NT 4.0 SERVER,
    PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE
    (www.microsoft.com/security) AND RESTART YOUR PC.

    IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU
    ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

    We ask for your patience while Road Runner continues to work with the
    Internet community to address this virus.

    Thank you.

    Road Runner Security

  9. About time! by supabeast! · · Score: 3, Informative

    "it also gives you an option to permanently disable IIS..."

    About time Microsoft showed people how to secure a Windows web-server! Turn off the web daemon! *sigh*

  10. Re:If you've had a corporate hit on your network.. by GC · · Score: 2, Informative

    So it probably would be a good idea for anyone to send every host that comes in searching for default.ida at least one reboot command to make sure that patched machines dont bother us again.
    The root.exe left in their scripts directory would be their own problem.

    No, this is another common misconception. The explorer.exe trojan makes Code Red ][ infected machines survive the reboot.

    Also I've seen many people expressing that they could stop the IIS service. I have tried this and it doesn't work.

    I've even seen another /. user set up a script to do this automatically. - He/She is using a similar technique to one that I've already tried. For some reason it doesn't work.

    Files on an infected machine can be accessed via http://lusers.ip.net/scripts/root.exe, but there are restrictions as to what you can do.

    The infected machines are Win2k (ie WINNT based) - if they're running NTFS then there are specific permissions on the file directory structure. I believe that this restricts what you can do with root.exe.

  11. Re:Not the mess they made... by Sethb · · Score: 3, Informative

    Looking through my logs, I think it's more likely that it is home users that are infected now, a lot of DSL users on dynamic IP addresses are hitting me.

    I haven't seen it posted here on Slashdot yet, but there's a neat little Java Applet (it's even GPL) over at:

    http://www.dynwebdev.com/codered/

    It auto-replies to any machine that tries an .ida exploit against you, popping up a Net Send message on the computer, so hopefully someone will notice and patch the machine...

    --
    When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
  12. rude link on main page. by jeffehobbs · · Score: 2, Informative

    Linking to a page that could potentially shut down/restart your machine without warning is rude, virus or not.

    ~jeff

  13. Re:Microsoft's Problem! by MrBogus · · Score: 4, Informative

    - If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.

    Since you asked... Most people install IIS because they want to serve HTML or ASP pages, or maybe just FTP.

    What Microsoft doesn't tell you is that Internet Information Service_s_ automatically installs a bunch of other ISAPI services which enable crap that you most likely do not want. Examples include:
    + The ability to query Index Server indexes (idq.dll)
    + Internet Printing
    + Remote data queries
    etc etc

    Some of these things, particularly idq.dll, have *repeatedly* had security holes. And that's why installing the patch is not a fix, because it's only a matter of time until Code Red IV is exploiting another IIS bug to similar effect.

    The real fix is to disable the extension mappings for things like .ida/.idq and so on (UI is buried in the Computer Management console), and then sleep at night because you don't have to worry about most of the IIS patches. Of course, neither Microsoft nor the mainstream media, nor slashdot for the most part, is offering this advice. (Somewhere buried on their site, they have a 'Securing IIS' document where this is the #1 recommendation, but since they aren't getting the word out, their ass will be bitten hard again.)

    And the REAL real fix is for Microsoft to ship Win XP with a sane out-of-box IIS configuration. Anyone who needs value-add services can certainly find a way to turn them on. If Linux distros shipped with a thousand Apache modules installed and configured, you'd probably have much of the same problems.

    --

    When I hear the word 'innovation', I reach for my pistol.
  14. Re:The $64K question: Does it actually work? by psychalgia · · Score: 2, Informative

    The patch worked, it cleared my server of any problems, but it did report failing to complete. Either way I can no longer "get root" via a webserver, and www.securityspace.com reports I'm clean. Now I just sit and wait for the next one! (Actually, compound this with the fact that my entire company depends on RHYTHMS, it has been an EXCITING week)

    --

    ________________________________________________

  15. CI Host sucks rocks by The+Big+Bopper · · Score: 3, Informative

    My domain is on a shared Linux host at CI Host. For over one week now, starting August 2, my domain has been totally useless to me. I couldn't log in to update my content. I couldn't receive email on the domain POP3 box. I couldn't log in with a POP3 client to download any mail that did sneak through. All this went on for over a week. I would call up on the phone and stay on hold forever... a couple of times I would get clueless technicians that would just say "It's the Code Red virus... our administrators are aware of the problem and will have it fixed as soon as possible". OK, I gave them some time to get it fixed because half the internet was having problems with this. But then I noticed everyone else was getting better, and CI Host was still down (except their own www.cihost.com site, which was still aggressively selling service to new customers). I would open up online trouble tickets with them, only to have them get closed without resolution. I re-opened and escalated a couple of times and finally early this morning they took my server down to perform some kind of unknown maintenance and when it came back up it was running better than it EVER had before in the 2+ years I've been with them.

    If anyone is thinking of using CI Host, let me tell you THEY SUCK. About twice a year something major like this happens where I'm down for a week or more. In December of 1999 I went down for almost a whole month (their press releases will tell you it was a much shorter time than this but that is BULLSHIT).

    I'm looking at maybe switching to PrimeMaster Online (http://www.primemaster.com). Anyone here have experience with them?

  16. Re:setting this up? by BorgDrone · · Score: 4, Informative

    in /etc/apache/httpd.conf:

    AddHandler cgi-script .ida

  17. Script Error by UVABlows · · Score: 2, Informative

    The author intended for it to shut down IIS first, then the remote machine, but he is actually issuing the IIS shutdown command twice. Examine:

    my $resp = $ua->request ($iis_stop_req);
    if ($resp->is_success) {
        my $server_stop_req = [...]
        $resp = $ua->request ($iis_stop_req);

    That second request should be $server_stop_req instead of $iis_stop_req.

    Now to fiddle with httpd.conf..... WOW SLASHCODE SUCKS, I couldn't submit this at first because it was considered a junk character post. That filter really sucks, I've triggered that so many times trying to do an actual post.

    --

    <high-level position here>
    <name of stupid small company here>

  18. Re:setting this up? by nick-less · · Score: 2, Informative
    actually one could also do something like
    <?php fopen("http://".getenv("REMOTE_ADDR")."/scripts/ro ot.exe?/c+iisreset+/stop","r"); ?>
    and
    AddType application/x-httpd-php .ida

    In case you prefer php
  19. Re:FUD ALERT by sqlrob · · Score: 2, Informative
    Second, that FUD about service packs re-breaking the OS is just garbage. Please give me ONE example, JUST ONE, of a service pack opening up new holes for ANY WINDOWS OS, 3.1 and up. You can't because you are a paid basher talking out of your ass.

    Ask and ye shall receive:

    NT SP 5 or 6 (sorry, don't remember which) broke the TCP/IP sequencing algorithm, making it vulnerable to spoofing.

    The fix for security holes in Exchange Web broke the server (twice - took 'em till the third try)

    My job is programming Windows boxes, so no, I'm not a paid basher.

  20. Remind me again... by reemul · · Score: 3, Informative

    Which system did Ramen infect? I'm pretty sure it wasn't a Microsoft platform.

    Software has bugs. They get found, they get fixed, move on. The only reason MS exploits get more press and greater impact than Linux exploits is that MS is on more boxes. If, as you claim to desire, Linux takes off, the same people shrieking to the sky about what a crappy system MS has will be defending Linux and saying, hey, it happens. Stupid users who don't patch aren't Bill Gates' fault.

    It's just the same crap from folks who attack NT as buggy and crash-prone (which is almost always due to 3rd-party drivers) while extolling the stability of Linux, which they keep rebooting because they have wonky drivers. A ha! they say, I was using a beta driver, it's to be expected. Well, that driver has been in beta for over a year, that's as good as it gets. Software has bugs, move on.

    You want to ignore your own faults and start a religious war? I'm betting you can get some cheap flights to Tel Aviv right now. Knock yourself out.

    -reemul
    who wishes 2k wasn't so buggy, either, but doesn't want to hear the bitching from folks who need 2 hours and a phone call to a friend to get a soundcard working

    --
    You're just jealous 'cuz the voices talk to *me*
  21. Re:Not the mess they made... by Anonymous Coward · · Score: 1, Informative

    Yep, same thing at my company. We are an MS Solution Provider / consulting firm. 40% of NT servers affected!!! LOL...

  22. Re:Microsoft's Problem! by Anonymous Coward · · Score: 1, Informative

    Actually running a web server is NOT a violation of the TOS. Abusing bandwidth is, but if your web server doesn't utilize much bandwidth, then you haven't run afoul of your TOS. I told AT&T this along with requesting a timeframe as to when they planned on reopening the filters on port 80. Until then, I just reassigned my web server to another port so people can have outside access to it if I want them to.

  23. Re:Not the mess they made... by Fishstick · · Score: 2, Informative

    It is worse than that, actually.

    Here, all of the W2K workstation boxes were infected. These are not sysadmins or developers who should know better, these are just all the people who work here and are provided with a workstation to do their jobs and have no idea that IIS is running on their machines.

    They have no idea and weren't ever told that they need to apply any patches. Couple days after the CR panic started to spread, we got an alert from our crack security administration group that we should download and install a patch from Microsoft if we were running any NT servers.

    Of course, none of them knew what the hell this meant, so they assumed it didn't apply to them and so did nothing.

    Sheesh, what a mess!

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  24. Re:Stop blaming microsoft by dgp · · Score: 2, Informative

    The C language is being efficient when the for loop that copies the input buffer into RAM is not checking for an end-of-buffer condition. If you want that done automatically, use a home-brew memcpy or use a different language with bounds-checking like Java.
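Both the strncat()/gets() discussion in comment 2 and the missing end-of-buffer check in comment 24 come down to the same discipline: the caller tracks the remaining room, because the C library will not. The following is an added C example, not code from any poster on this page; BUFFSIZE is deliberately tiny so every guard is exercised, and the request lines in main() are constructed samples.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in the stand-alone demo */
#include <stdio.h>
#include <string.h>

#define BUFFSIZE 16   /* deliberately tiny so every guard below is exercised */

/* Comment 2's guard, done right: compute the remaining room from strlen(),
 * not sizeof() (which yields the pointer size once dest is a parameter), and
 * keep one byte for the terminator. Returns how many characters were appended. */
size_t bounded_append(char *dest, size_t cap, const char *src, size_t want)
{
    size_t used = strlen(dest);
    size_t room = used < cap ? (cap - 1) - used : 0;
    size_t n = want < room ? want : room;
    strncat(dest, src, n);          /* strncat() always writes the NUL */
    return n;
}

/* Comment 24's missing check: the copy loop stops at the end of the buffer as
 * well as at the NUL. Returns 1 if the whole string fit, 0 if it was truncated. */
int bounded_copy(char *dest, size_t cap, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < cap && src[i] != '\0'; i++)
        dest[i] = src[i];
    dest[i] = '\0';
    return src[i] == '\0';
}

/* fgets() in place of gets(): the size argument is what gets() never had.
 * Returns 1 for a complete line, 0 if the line was longer than the buffer
 * (the excess is consumed and dropped, never written), -1 at end of input. */
int read_line(FILE *fp, char *buf, size_t cap)
{
    if (fgets(buf, (int)cap, fp) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c = fgetc(fp);
    if (c == EOF)
        return 1;                   /* final line without newline, it fit */
    while (c != EOF && c != '\n')
        c = fgetc(fp);              /* discard the part that did not fit */
    return 0;
}

int main(void)
{
    /* Constructed sample input: a short request line, then an oversized one. */
    const char *input = "GET / HTTP/1.0\nGET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0\n";
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    char line[BUFFSIZE];
    for (int rc; (rc = read_line(fp, line, BUFFSIZE)) != -1; )
        printf("%s: \"%s\"\n", rc ? "complete" : "truncated", line);
    fclose(fp);
    return 0;
}
```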