Slashdot Mirror


Code Red: the Aftermath

LiquidPC writes: "Microsoft has released a tool to help clean up the effects of the Code Red II. It removes the files and mappings installed by the worm, and reboots your system; it also gives you an option to permanently disable IIS." So, Microsoft has given you a mop to clean up the mess they made. Start mopping! If you're not the one infected, just tired of seeing your Apache logs fill up, you might see this page.

9 of 505 comments

  1. Actually: authors of strncat() MAN PAGE and gets() by Ungrounded+Lightning · · Score: 5, Informative

    Blame the bozo who designed strncat!

    strncat() isn't a problem by itself. The problem is improper usage patterns.

    When you're building a string by repeated strncat()s to a buffer, and you don't have guarantees about the size of the things you're concatenating, you need to prevent (or check for) overflow, something like this:

    /* strlen(dest) is the space already used; sizeof(dest) would give the array (or pointer) size, not the current length */
    strncat(dest, src, MIN((BUFFSIZE-1)-strlen(dest), chars_wanted_from_src));

    Without such an example in the man page it's easy to forget to guard against buffer overflow. And once code is written with guards for overflow, the guard code will serve as a reminder to later programmers maintaining or upgrading the code.

    But strncat() isn't the main culprit.

    Most of the buffer overflow attacks come from reading an input using gets(). That bad boy should have had a buffer size argument, a la fgets(). And it's the decision to keep it in the standard library "for compatibility" that causes all the pain.

    The gnu compiler will warn you if you use it and the man page has a warning, so there's no excuse for it to show up in new code any more. And there's no excuse for not fixing ALL the warnings in a piece of production code, or for using (or writing) a compiler that DOESN'T warn about gets().

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
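An added C example, not from the original comment, of the guarded strncat() pattern it describes, with fgets() as the bounded stand-in for gets(). It assumes BUFFSIZE is 16, defines its own MIN macro, and feeds fgets() from a tmpfile() rather than real stdin.

```c
#include <stdio.h>
#include <string.h>

#define BUFFSIZE 16                        /* assumed size of the comment's buffer */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Append src to dest (capacity cap bytes, always NUL-terminated) without
 * overflowing. Returns how many bytes of src were dropped (0 = everything fit).
 * The guard uses strlen(dest), the space already used, not sizeof(dest). */
size_t append_bounded(char *dest, size_t cap, const char *src)
{
    size_t used = strlen(dest);
    size_t room = used < cap - 1 ? (cap - 1) - used : 0;   /* keep one byte for '\0' */
    size_t want = strlen(src);
    size_t n = MIN(room, want);
    strncat(dest, src, n);                 /* n <= room, so this cannot overflow */
    return want - n;
}

/* Build "a,b,c" by repeated appends into a cap-byte buffer, the usage pattern
 * the comment warns about. Returns the total number of bytes truncated. */
size_t build_list(char *out, size_t cap, const char *const *parts, size_t nparts)
{
    size_t dropped = 0;
    out[0] = '\0';
    for (size_t i = 0; i < nparts; i++) {
        if (i > 0) dropped += append_bounded(out, cap, ",");
        dropped += append_bounded(out, cap, parts[i]);
    }
    return dropped;
}

/* The gets() point: fgets() takes the buffer size and reads at most cap-1 bytes.
 * Reads the first line of text into buf (newline stripped); returns its length. */
size_t read_line_bounded(const char *text, char *buf, size_t cap)
{
    FILE *f = tmpfile();                   /* constructed input standing in for stdin */
    if (!f) return 0;
    fputs(text, f);
    rewind(f);
    if (!fgets(buf, (int)cap, f)) buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return strlen(buf);
}
```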
  2. Re:Stop blaming microsoft by blakestah · · Score: 5, Informative

    The rest of us applied the patch supplied by Microsoft more than a month before CR came out...

    And were still vulnerable until we disabled URL forwarding.

    The Microsoft patch alone is not useful. You are still at risk. See Incidents home page

    I'm so sick of people blaming Microsoft. They released a patch well before Code Red. Get over it.

    Microsoft STILL hasn't released a patch that makes their webserver secure and allows URL forwarding. Their patch has its own security hole!!

    Blame Microsoft, or simply use Internet server software that is secure. All mine is written by Dan Bernstein :)

  3. And it keeps going by bonzoesc · · Score: 4, Informative

    I got this mail, and the problem is that people are WAY TOO STUPID to know what to do. If the microsoft patch can tell if it needs to do anything or not, RR and @home security should point everybody to it.

    From: security@cfl.rr.com
    To: Our Valued Customers
    Subject: Security Notification

    ROAD RUNNER ALERT

    VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.

    Dear Road Runner Subscriber:

    Road Runner, like many other ISPs and, indeed, the entire Internet, has
    experienced an attack on its network that apparently is attributable to a
    strain of the Code Red virus. It is possible that this virus has infected
    the PCs of Road Runner customers using the Microsoft Windows NT Server or
    Microsoft Windows 2000 Server operating systems. Infected PCs may
    continue to flood the Internet and the Road Runner network with
    virus-generated messages (even without your being aware of it).

    Road Runner is working to alert all of its subscribers to this problem
    and to instruct them on where to find and install the patch necessary to
    eliminate the virus. In the meantime, Road Runner customers may
    experience slow network response, flashing data lights on their cable
    modems, and other symptoms (such as unusual port scan log activity or
    increased firewall activity) while Road Runner and the Internet community
    work to control the impact of this virus.

    IF YOUR PC IS RUNNING WINDOWS 2000 SERVER OR WINDOWS NT 4.0 SERVER,
    PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE
    (www.microsoft.com/security) AND RESTART YOUR PC.

    IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU
    ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

    We ask for your patience while Road Runner continues to work with the
    Internet community to address this virus.

    Thank you.

    Road Runner Security

  4. About time! by supabeast! · · Score: 3, Informative

    " it also gives you an option to permanently disable IIS..."

    About time Microsoft showed people how to secure a Windows web-server! Turn off the web daemon! *sigh*

  5. Re:Not the mess they made... by Sethb · · Score: 3, Informative

    Looking through my logs, I think it's more likely that it is home users that are infected now; a lot of DSL users on dynamic IP addresses are hitting me.

    I haven't seen it posted here on Slashdot yet, but there's a neat little Java Applet (it's even GPL) over at:

    http://www.dynwebdev.com/codered/

    It auto-replies to any machine that tries an .ida exploit against you, popping up a Net Send message on the computer, so hopefully someone will notice and patch the machine...

    --
    When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
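For anyone who, like the summary and this poster, is watching .ida probes pile up in Apache logs, an added C example that is not part of the original page or the linked applet: it parses a few constructed log lines (documentation addresses, probe payload shortened) and tallies the probes per source address.

```c
#include <string.h>
struct hit { char ip[46]; int count; };

/* True when the logged request targets an .ida resource, the ISAPI mapping Code Red
 * abuses (e.g. "GET /default.ida?XXX HTTP/1.0"); a path like "/foo.idaho" does not match. */
int is_ida_request(const char *req)
{
    return strstr(req, ".ida?") != NULL || strstr(req, ".ida ") != NULL;
}

/* Split an Apache common/combined log line into client address (first field)
 * and the quoted request. Returns 1 on success, 0 if the line is malformed. */
int parse_line(const char *line, char *ip, size_t ipcap, char *req, size_t reqcap)
{
    const char *sp = strchr(line, ' ');
    if (!sp || (size_t)(sp - line) >= ipcap) return 0;
    memcpy(ip, line, sp - line); ip[sp - line] = '\0';
    const char *q1 = strchr(sp, '"'), *q2 = q1 ? strchr(q1 + 1, '"') : NULL;
    if (!q2 || (size_t)(q2 - q1 - 1) >= reqcap) return 0;
    memcpy(req, q1 + 1, q2 - q1 - 1); req[q2 - q1 - 1] = '\0';
    return 1;
}

/* Tally .ida probes per source address; returns the number of distinct hosts. */
size_t count_probes(const char *const *lines, size_t n, struct hit *hits, size_t cap)
{
    size_t nh = 0;
    char ip[46], req[512];
    for (size_t i = 0; i < n; i++) {
        if (!parse_line(lines[i], ip, sizeof ip, req, sizeof req)) continue;  /* malformed */
        if (!is_ida_request(req)) continue;                                   /* ordinary hit */
        size_t j = 0;
        while (j < nh && strcmp(hits[j].ip, ip) != 0) j++;
        if (j == nh && nh < cap) { strcpy(hits[nh].ip, ip); hits[nh++].count = 0; }
        if (j < nh) hits[j].count++;
    }
    return nh;
}

/* Constructed sample lines: documentation addresses, probe payload shortened. */
const char *const SAMPLE[] = {
    "203.0.113.5 - - [04/Aug/2001:10:22:01 -0400] \"GET /default.ida?XXXXXXXX HTTP/1.0\" 404 281",
    "198.51.100.9 - - [04/Aug/2001:10:22:05 -0400] \"GET /index.html HTTP/1.1\" 200 1043",
    "203.0.113.5 - - [04/Aug/2001:10:23:40 -0400] \"GET /default.ida?XXXXXXXX HTTP/1.0\" 404 281",
    "203.0.113.77 - - [04/Aug/2001:10:24:12 -0400] \"GET /default.ida?NNNNNNNN HTTP/1.0\" 404 281",
};
struct hit SAMPLE_HITS[64];

/* Run the tally over the sample; per-host counts land in SAMPLE_HITS. */
size_t tally_sample(void)
{
    return count_probes(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], SAMPLE_HITS, 64);
}
```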
  6. Re:Microsoft's Problem! by MrBogus · · Score: 4, Informative

    - If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.

    Since you asked... Most people install IIS because they want to serve HTML or ASP pages, or maybe just FTP.

    What Microsoft doesn't tell you is that Internet Information Service_s_ automatically installs a bunch of other ISAPI services which enable crap that you most likely do not want. Examples include:
    + The ability to query Index Server indexes (idq.dll)
    + Internet Printing
    + Remote data queries
    etc etc

    Some of these things, particularly idq.dll, have *repeatedly* had security holes. And that's why installing the patch is not a fix, because it's only a matter of time until Code Red IV is exploiting another IIS bug to similar effect.

    The real fix is to disable the extension mappings for things like .ida/.idq and so on (UI is buried in the Computer Management console), and then sleep at night because you don't have to worry about most of the IIS patches. Of course, neither Microsoft, nor the mainstream media, nor Slashdot for the most part is offering this advice. (Somewhere buried on their site, they have a 'Securing IIS' document where this is the #1 recommendation, but since they aren't getting the word out, their ass will be bitten hard again.)

    And the REAL real fix is for Microsoft to ship Win XP with a sane out-of-box IIS configuration. Anyone who needs value-add services can certainly find a way to turn them on. If Linux distros shipped with a thousand Apache modules installed and configured, you'd probably have much of the same problems.

    --
    When I hear the word 'innovation', I reach for my pistol.
  7. CI Host sucks rocks by The+Big+Bopper · · Score: 3, Informative

    My domain is on a shared Linux host at CI Host. For over one week now, starting August 2, my domain has been totally useless to me. I couldn't log in to update my content. I couldn't receive email on the domain POP3 box. I couldn't log in with a POP3 client to download any mail that did sneak through. All this went on for over a week. I would call up on the phone and stay on hold forever... a couple of times I would get clueless technicians that would just say "It's the Code Red virus... our administrators are aware of the problem and will have it fixed as soon as possible". OK, I gave them some time to get it fixed because half the internet was having problems with this. But then I noticed everyone else was getting better, and CI Host was still down (except their own www.cihost.com site, which was still aggressively selling service to new customers). I would open up online trouble tickets with them, only to have them get closed without resolution. I re-opened and escalated a couple of times and finally early this morning they took my server down to perform some kind of unknown maintenance and when it came back up it was running better than it EVER had before in the 2+ years I've been with them.

    If anyone is thinking of using CI Host, let me tell you THEY SUCK. About twice a year something major like this happens where I'm down for a week or more. In December of 1999 I went down for almost a whole month (their press releases will tell you it was a much shorter time than this but that is BULLSHIT).

    I'm looking at maybe switching to PrimeMaster Online (http://www.primemaster.com). Anyone here have experience with them?

  8. Re:setting this up? by BorgDrone · · Score: 4, Informative

    in /etc/apache/httpd.conf:

    AddHandler cgi-script .ida

  9. Remind me again... by reemul · · Score: 3, Informative

    Which system did Ramen infect? I'm pretty sure it wasn't a Microsoft platform.

    Software has bugs. They get found, they get fixed, move on. The only reason MS exploits get more press and greater impact than Linux exploits is that MS is on more boxes. If, as you claim to desire, Linux takes off, the same people shrieking to the sky about what a crappy system MS has will be defending Linux and saying, hey, it happens. Stupid users who don't patch aren't Bill Gates' fault.

    It's just the same crap from folks who attack NT as buggy and crash-prone (which is almost always due to 3rd-party drivers) while extolling the stability of Linux, which they keep rebooting because they have wonky drivers. A ha! they say, I was using a beta driver, it's to be expected. Well, that driver has been in beta for over a year, that's as good as it gets. Software has bugs, move on.

    You want to ignore your own faults and start a religious war? I'm betting you can get some cheap flights to Tel Aviv right now. Knock yourself out.

    -reemul
    who wishes 2k wasn't so buggy, either, but doesn't want to hear the bitching from folks who need 2 hours and a phone call to a friend to get a soundcard working

    --
    You're just jealous 'cuz the voices talk to *me*