Slashdot Mirror

← Back to Stories (view on slashdot.org)

Happy Birthday Code Red

Posted by ryuzaki0 on from the bring-back-public-spanking dept.

totallygeek writes: "One year ago today (July 19, 2001), more than 359,000 computers were infected with the Code Red worm in less than 14 hours. At the peak of infection, more than 2,000 new machines were infected each minute. Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since. For the first time, systems running the Apache web server were getting requests for a document called "default.ida". Here we are a year later, and my web log shows an average of forty-two requests per day for default.ida over the last five days. To really appreciate the spread of this program, look at this animated image."

8 of 364 comments (clear)

  1. Re:Logs Clogged by odaiwai · · Score: 5, Informative

    That's the nimda worm. Running apache, you're immune to it, but it makes a mess in your logs.

    One thing to do is have a cron job to scan your logs and if it sees any of the above, add the ip to an iptables blocklist. At least that way, you only get hit once by it from each infected host.

    Or you could use apache's rewrite rules to forward all attacks to www.micrsoft.com, but I wouldn't recommend that.

    dave

  2. Animation Mirror Sites by morcheeba · · Score: 5, Informative

    from the original analysis by David Moore:

    UK Mirror
    UK FTP
    AU Mirror
    Flipbook animation (207k .FLI)
    Quicktime animation of growth by geographic breakdown (200K .mov {requires QuickTime v3 or newer} )
    original www.caida.org gif animation

    --
    HIV Crosses Species Barrier... into Muppets
  3. Re:Logs Clogged by timecop · · Score: 5, Informative

    many months ago when default.ida was the rage around the www, I added these couple lines to my httpd.conf:

    SetEnvIf Request_URI "^/default.ida" dontlog
    ErrorLog logs/254-error_log
    CustomLog logs/254-access_log combined env=!dontlog

    check out SetEnvIf in apache docs, you can do even better than this.

  4. My school district's by DMDx86 · · Score: 5, Informative

    Server is still infected with a IIS virus (though not Code Red). Here it is

    I sent them an email - almost a year ago in fact. They just brushed me off and gave a rather pathetic excuse ("the box is too slow to run Norton").
    You can read the e-mail here.

    Of course, these are the same people who run a trouble ticket server on the district wide WAN that any old joe at school can access and see where the security issues are.

  5. What pisses me off by Com2Kid · · Score: 4, Informative

    What pisses me off is that when an early exploit was detected awhile back (err, many years), somebody released worm to go around and fix it but THEY where the ones who got in trouble with the FBI, thus setting a precident in the future saying that the computer community was not allowed to take all neccisary steps to fix problems that may pop up.

    Kind of killed off community effort right there. >;(

    --
    Need help treating your acne? Come here!
  6. Re:Looking at my records by spongman · · Score: 5, Informative
    no, he's right:

    6/18: MS sends MS01-33: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise - Run code of attacker's choice.

    7/18: CodeRed hits, those of us who installed the MS01-33 patch laugh.

    7/30: MS et al send out another alert uring people to read MS01-33 and install the patch.

  7. Re:Interesting... by Zocalo · · Score: 4, Informative
    In this case I tend to partly side with Microsoft. OK, they put the bug there in the first place, but when you consider that:
    • Every coder makes programming errors (some more than others, true).
    • Microsoft released a *working* patch a few months before the exploits started.
    • A work around was also available.
    • A properly installed & configured server was *not* vulnerable.
    • A web server does not need to *establish* outbound HTTP connections through the firewall, only to accept and reply to them.
    You kind of get an idea where they are coming from.

    PS. That last point is the crux, and denying webservers the ability to establish outbound HTTP connections would have stopped Code Red type exploits dead. If your network is properly configured, even if you are exploited, then the exploit should have a much harder time propagating and thus making you look like a complete incompetent. The *real* problem is that a *huge* proportion of sysadmins don't seem to understand the most basic of security principles, and that's not Microsoft's problem at all.

    --
    UNIX? They're not even circumcised! Savages!
  8. The 1% Patch Statistic by Proudrooster · · Score: 4, Informative

    Believe it or not, out of all the people in in the world running MS Outlook, fewer than 1% have ever pulled down security patches, see The Great MS Patch Nobody Uses.

    Additionally, the Win2K/NT server guys are afraid to install security patches since they never are really how much of their server is going to break. Often times, Admins will patch the servers which touch the Internet but not the Internal servers for fear of breaking them. With Code Red, this was quite humorous because the outer servers were patched as soon as the Code Red patch was available, thinking this action would defend the realm against Code Red, but they forgot about the laptop users which brought Code Red in the back door via the local LAN.

    But not to worry folks, once we get Palladium hardware in all our servers, this will not happen again right? In fact we won't even have to patch anymore, since everything will be secure and, only secure applications will be allowed to run.

    Oh, wait, wouldn't IIS pass the palladium trusted application test?

    Why yes it would...... and Code Red would join the list of "Trusted Secure Applications".!
    Sorry, I have to smack Palladium everytime I get a chance.