Happy Birthday Code Red

totallygeek writes: "One year ago today (July 19, 2001), more than 359,000 computers were infected with the Code Red worm in less than 14 hours. At the peak of infection, more than 2,000 new machines were infected each minute. Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since. For the first time, systems running the Apache web server were getting requests for a document called "default.ida". Here we are a year later, and my web log shows an average of forty-two requests per day for default.ida over the last five days. To really appreciate the spread of this program, look at this animated image."

Sorry.

[ryanr]

One year anniversary was last week some time. We had been running DeepSight (nee ARIS) in a test mode at the time, and actually detected some test runs of Code Red about a week before the big outbreak.

Folks will notice though that the fixed version of Code Red I (CodeRed.B) is still going. Picked up a couple of hits today.

Well, at least it was good pizza that night...

[SClitheroe]

It really was good pizza...and it was quite a bit of fun riding skateboards around the corporate HQ at 2:30am in the morning...

Seriously, though, it also taught the company I work for a serious lesson about staying on top of this kind of stuff. We had just finished a 2 month project to secure our web servers, but we were still bound by our traditional change management processes - 7 days notification for an outage, and testing of all changes documented and submitted for approval in advance. At the time Code Red hit, I had sent a note saying "we've really got to get this hotfix applied", but we were bound by the process, and we got burned.

Needless to say, when an urgent hotfix comes out now, it takes almost no convincing to get it applied ASAP. If it breaks a web app or two, well, that's the risk we take. We'd rather look for signoff from the business to unapply a hotfix that breaks something, than spend a few days trying to secure the approval beforehand. It's a lot cheaper in the long run to troubleshoot the effects of a hotfix that has unintended side effects than it is to watch your entire web farm get demolished by a worm.

Yes, we run IIS, and I suppose you could harp about how this could all be avoided by running Apache, but the point is that without a policy, strategy, and process for rapidly deploying defenses against net-born attacks, no system is invulnerable.

Lots of infected hosts still out there

[ActMatrix]

DShield's Code Red Anniversary Page has an interesting graph showing scanning activity they've detected from active hosts since the beginning of this year. Some 35,000 IPs still continue to regularly come alive around the beginning of the month, quiet down towards the middle, and then resume the cycle again - the numbers have remained remarkably consistent.

Ya think?

[NFW]

I got curious about the default.ida hits I was getting my web server one day, so I took a look at the systems at a bunch of the IP address the attacks were coming from. I found mostly unix systems, a couple I couldn't ID (not that I tried much beyond telnetting to ports 25 and 80), and only a couple of Microsoft systems.

This was not an exhaustive search, nor a statistically significant sample group, and dynamic IP allocation muddled the results a bit, but it was enough to make me wonder. How many of the 'code red attacks' these days are really script kitties with unix boxes? My guess is they account for most of them.

Has anyone looked into this for more than the 15-20 minutes I put into it?

If a hotfix breaks an app, kick the developer.

[Otis_INF]

Hotfixes don't kill webapps. I develop webapplications (the n-tier stuff, VC++/VB/ASP/IIS/SQLServer etc) for over 5 years now and have applied a zillion or so hotfixes on IIS and NT / Win2k server to keep the systems up to date, but never ever have I encountered 1 single hotfix which killed a webapplication nor did I hear from collegues that hotfixes killed their webapplications. If the webapp is written solidly, by the guidelines MS has supplied, you can apply any hotfix, period.

When your developers are not that educated however, perhaps they use dirty tricks which will break when a hotfix is applied (allthough I doubt it, hotfixes mostly overwrite existing files without updating CLS_ID's etc, because these stay the same) and the app will die after the hotfix is applied: one reason to kick them out the door for some real professionals.