Code Red: the Aftermath
LiquidPC writes: "Microsoft has released a tool to help clean up the effects of the Code Red II. It removes the files and mappings installed by the worm, and reboots your system; it also gives you an option to permanently disable IIS." So, Microsoft has given you a mop to clean up the mess they made. Start mopping! If you're not the one infected, but just tired of seeing your Apache logs fill up, you might see this page.
Blame the bozo who designed strncat!
strncat() isn't a problem by itself. The problem is improper usage patterns.
When you're building a string by repeated strncat()s to a buffer, and you don't have guarantees about the size of the things you're concatenating, you need to prevent (or check for) overflow, something like this:
strncat(dest, src, MIN((BUFFSIZE-1)-strlen(dest), chars_wanted_from_src)); /* room left = capacity minus terminator minus bytes already used */
Without such an example in the man page it's easy to forget to guard against buffer overflow. And once code is written with guards for overflow, the guard code will serve as a reminder to later programmers maintaining or upgrading the code.
But strncat() isn't the main culprit.
Most of the buffer overflow attacks come from reading an input using gets(). That bad boy should have had a buffer size argument, à la fgets(). And it's the decision to keep it in the standard library "for compatibility" that causes all the pain.
The gnu compiler will warn you if you use it and the man page has a warning, so there's no excuse for it to show up in new code any more. And there's no excuse for not fixing ALL the warnings in a piece of production code, or for using (or writing) a compiler that DOESN'T warn about gets().
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
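The guarded-strncat pattern from the comment above, written out as an added example (not the commenter's code): it measures the bytes already in the buffer with strlen(dest), never with sizeof, reports truncation instead of silently overflowing, and builds a string from several untrusted pieces. BUFFSIZE, MIN, append_guarded and build_path are names chosen here; the sample pieces are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUFFSIZE 16                           /* capacity of dest, including the NUL */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Append src to dest (capacity BUFFSIZE). dest stays NUL-terminated.
 * Returns 1 if all of src fit, 0 if it was truncated (or dest was already full).
 * strlen(dest) gives the bytes in use; sizeof(dest) would give the array's
 * capacity, or just the size of a pointer, and so would not guard anything. */
int append_guarded(char *dest, const char *src)
{
    size_t used = strlen(dest);
    if (used > BUFFSIZE - 1)                  /* corrupted or foreign buffer: refuse */
        return 0;
    size_t room = (BUFFSIZE - 1) - used;      /* bytes left before the terminator */
    size_t want = strlen(src);
    strncat(dest, src, MIN(room, want));      /* strncat writes the NUL itself */
    return want <= room;
}

/* Build one string from several pieces of unknown length. Stops growing once
 * the buffer is full and reports whether every piece fit. */
int build_path(char *dest, const char *const *parts, size_t nparts)
{
    int fit = 1;
    dest[0] = '\0';
    for (size_t i = 0; i < nparts; i++)
        fit = append_guarded(dest, parts[i]) && fit;
    return fit;
}

int main(void)
{
    char buf[BUFFSIZE];
    /* constructed sample: the last piece does not fit in 15 usable bytes */
    const char *parts[] = { "/var/log/", "httpd/", "access.log" };
    int fit = build_path(buf, parts, 3);
    printf("%s (%s)\n", buf, fit ? "complete" : "truncated");
    return 0;
}
```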
The rest of us applied the patch supplied by Microsoft more than a month before CR came out...
:)
And were still vulnerable until we disabled URL forwarding.
The Microsoft patch alone is not useful. You are still at risk. See Incidents home page
I'm so sick of people blaming Microsoft. They released a patch well before Code Red. Get over it.
Microsoft STILL hasn't released a patch that makes their webserver secure and allows URL forwarding. Their patch has its own security hole!!
Blame Microsoft, or simply use Internet server software that is secure. All mine is written by Dan Bernstein
I got this mail, and the problem is that people are WAY TOO STUPID to know what to do. If the Microsoft patch can tell if it needs to do anything or not, RR and @home security should point everybody to it.
From: security@cfl.rr.com
To: Our Valued Customers
Subject: Security Notification
ROAD RUNNER ALERT
VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.
Dear Road Runner Subscriber:
Road Runner, like many other ISPs and, indeed, the entire Internet, has experienced an attack on its network that apparently is attributable to a strain of the Code Red virus. It is possible that this virus has infected the PCs of Road Runner customers using the Microsoft Windows NT Server or Microsoft Windows 2000 Server operating systems. Infected PCs may continue to flood the Internet and the Road Runner network with virus-generated messages (even without your being aware of it).
Road Runner is working to alert all of its subscribers to this problem and to instruct them on where to find and install the patch necessary to eliminate the virus. In the meantime, Road Runner customers may experience slow network response, flashing data lights on their cable modems, and other symptoms (such as unusual port scan log activity or increased firewall activity) while Road Runner and the Internet community work to control the impact of this virus.
IF YOUR PC IS RUNNING WINDOWS 2000 SERVER OR WINDOWS NT 4.0 SERVER, PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE (www.microsoft.com/security) AND RESTART YOUR PC.
IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.
We ask for your patience while Road Runner continues to work with the Internet community to address this virus.
Thank you.
Road Runner Security
- If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.
Since you asked... Most people install IIS because they want to serve HTML or ASP pages, or maybe just FTP.
What Microsoft doesn't tell you is that Internet Information Service_s_ automatically installs a bunch of other ISAPI services which enable crap that you most likely do not want. Examples include:
+ The ability to query Index Server indexes (idq.dll)
+ Internet Printing
+ Remote data queries
etc etc
Some of these things, particularly idq.dll, have *repeatedly* had security holes. And that's why installing the patch is not a fix, because it's only a matter of time until Code Red IV is exploiting another IIS bug to similar effect.
The real fix is to disable the extension mappings for things like .ida/.idq and so on (UI is buried in the Computer Management console), and then sleep at night because you don't have to worry about most of the IIS patches. Of course, neither Microsoft nor the mainstream media, nor slashdot for the most part, is offering this advice. (Somewhere buried on their site, they have a 'Securing IIS' document where this is the #1 recommendation, but since they aren't getting the word out, their ass will be bitten hard again.)
And the REAL real fix is for Microsoft to ship Win XP with a sane out-of-box IIS configuration. Anyone who needs value-add services can certainly find a way to turn them on. If Linux distros shipped with a thousand Apache modules installed and configured, you'd probably have much of the same problems.
When I hear the word 'innovation', I reach for my pistol.
in /etc/apache/httpd.conf:
AddHandler cgi-script .ida