Slashdot Mirror

← Back to Stories (view on slashdot.org)

Happy Birthday Code Red

Posted by ryuzaki0 on from the bring-back-public-spanking dept.

totallygeek writes: "One year ago today (July 19, 2001), more than 359,000 computers were infected with the Code Red worm in less than 14 hours. At the peak of infection, more than 2,000 new machines were infected each minute. Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since. For the first time, systems running the Apache web server were getting requests for a document called "default.ida". Here we are a year later, and my web log shows an average of forty-two requests per day for default.ida over the last five days. To really appreciate the spread of this program, look at this animated image."

2 of 364 comments (clear)

  1. Sorry. by ryanr · · Score: 5, Interesting

    One year anniversary was last week some time. We had been running DeepSight (nee ARIS) in a test mode at the time, and actually detected some test runs of Code Red about a week before the big outbreak.

    Folks will notice though that the fixed version of Code Red I (CodeRed.B) is still going. Picked up a couple of hits today.

  2. Well, at least it was good pizza that night... by SClitheroe · · Score: 5, Interesting

    It really was good pizza...and it was quite a bit of fun riding skateboards around the corporate HQ at 2:30am in the morning...

    Seriously, though, it also taught the company I work for a serious lesson about staying on top of this kind of stuff. We had just finished a 2 month project to secure our web servers, but we were still bound by our traditional change management processes - 7 days notification for an outage, and testing of all changes documented and submitted for approval in advance. At the time Code Red hit, I had sent a note saying "we've really got to get this hotfix applied", but we were bound by the process, and we got burned.

    Needless to say, when an urgent hotfix comes out now, it takes almost no convincing to get it applied ASAP. If it breaks a web app or two, well, that's the risk we take. We'd rather look for signoff from the business to unapply a hotfix that breaks something, than spend a few days trying to secure the approval beforehand. It's a lot cheaper in the long run to troubleshoot the effects of a hotfix that has unintended side effects than it is to watch your entire web farm get demolished by a worm.

    Yes, we run IIS, and I suppose you could harp about how this could all be avoided by running Apache, but the point is that without a policy, strategy, and process for rapidly deploying defenses against net-born attacks, no system is invulnerable.