Happy Birthday Code Red
totallygeek writes: "One year ago today (July 19, 2001), more than 359,000 computers were infected with the Code Red worm in less than 14 hours. At the peak of infection, more than 2,000 new machines were infected each minute. Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since. For the first time, systems running the Apache web server were getting requests for a document called "default.ida". Here we are a year later, and my web log shows an average of forty-two requests per day for default.ida over the last five days. To really appreciate the spread of this program, look at this animated image."
It is the gift that just keeps on giving.
...that on the anniversary of an attack which paralyzed servers dead in their tracks, we hear the far-away screams of agony from the lone sysadmin of missingleftsocks.com as 100,000 slashdotters pillage his machine simultaneously.
Don't worry about Code Red and related problems. I'm sure Microsoft will fix everything before they start storing our National ID information.
In Capitalist America, bank robs you!
One year anniversary was last week some time. We had been running DeepSight (nee ARIS) in a test mode at the time, and actually detected some test runs of Code Red about a week before the big outbreak.
Folks will notice though that the fixed version of Code Red I (CodeRed.B) is still going. Picked up a couple of hits today.
Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since
Granted, the 'Net was a lot smaller, but what about the Morris worm?
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
It really was good pizza...and it was quite a bit of fun riding skateboards around the corporate HQ at 2:30am in the morning...
Seriously, though, it also taught the company I work for a serious lesson about staying on top of this kind of stuff. We had just finished a two-month project to secure our web servers, but we were still bound by our traditional change management processes - 7 days notification for an outage, and testing of all changes documented and submitted for approval in advance. At the time Code Red hit, I had sent a note saying "we've really got to get this hotfix applied", but we were bound by the process, and we got burned.
Needless to say, when an urgent hotfix comes out now, it takes almost no convincing to get it applied ASAP. If it breaks a web app or two, well, that's the risk we take. We'd rather look for signoff from the business to unapply a hotfix that breaks something, than spend a few days trying to secure the approval beforehand. It's a lot cheaper in the long run to troubleshoot the effects of a hotfix that has unintended side effects than it is to watch your entire web farm get demolished by a worm.
Yes, we run IIS, and I suppose you could harp about how this could all be avoided by running Apache, but the point is that without a policy, strategy, and process for rapidly deploying defenses against net-born attacks, no system is invulnerable.
That's the nimda worm. Running apache, you're immune to it, but it makes a mess in your logs.
One thing to do is have a cron job to scan your logs and if it sees any of the above, add the IP to an iptables blocklist. At least that way, you only get hit once by it from each infected host.
Or you could use apache's rewrite rules to forward all attacks to www.micrsoft.com, but I wouldn't recommend that.
dave
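The log-scanning cron job described in the post above, as an added example that is not the poster's own script: it parses Apache "combined" access-log lines, counts worm probes per source IP (only the Code Red probe URI /default.ida is taken from this page; the signature list is meant to be extended), and emits iptables rules for hosts that are not yet blocked. The chain name WORMBLOCK, the sample log lines and the shortened query string are all constructed for the example; the script prints the rules so they can be reviewed or piped to a shell rather than applying them itself.

```python
import re
from collections import Counter

# Apache "combined" log format (the same format the CustomLog ... combined
# directive on this page writes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request-URI signatures of an infected host probing us. Only the Code Red
# probe (/default.ida) comes from the page; add further patterns as needed.
WORM_SIGNATURES = [re.compile(r"^/default\.ida", re.IGNORECASE)]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_worm_probe(uri):
    return any(sig.search(uri) for sig in WORM_SIGNATURES)


def find_probing_hosts(lines):
    """Return a Counter mapping source IP -> number of worm probes seen from it."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:          # unparseable line: skip, never crash the cron job
            continue
        if is_worm_probe(rec["uri"]):
            hits[rec["ip"]] += 1
    return hits


def iptables_commands(hits, already_blocked=frozenset(), chain="WORMBLOCK"):
    """Produce one DROP rule per probing host that is not already on the blocklist.

    The chain name is an assumption: a user-defined chain hooked into INPUT.
    """
    return [f"iptables -A {chain} -s {ip} -j DROP"
            for ip in sorted(hits) if ip not in already_blocked]


# Constructed sample log lines (not real traffic); the Code Red query string is
# shortened to a few bytes of filler.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2002:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Jul/2002:10:00:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 281 "-" "-"
198.51.100.7 - - [19/Jul/2002:10:05:09 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 281 "-" "-"
203.0.113.55 - - [19/Jul/2002:10:07:44 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 281 "-" "-"
this line is not a valid log record
""".splitlines()

if __name__ == "__main__":
    hits = find_probing_hosts(SAMPLE_LOG)
    # Pretend one host was blocked by an earlier run of the job.
    for cmd in iptables_commands(hits, already_blocked={"203.0.113.55"}):
        print(cmd)
```

Run it from cron against the live access log (or the separate probe log if you split logging as in the SetEnvIf post further down) and keep the set of already-blocked addresses on disk between runs. Because many probing hosts sit behind dynamic IP allocation, a blocklist like this goes stale; expire entries after a few days rather than letting the chain grow forever.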
from the original analysis by David Moore:
- Flipbook animation (207k .FLI)
- QuickTime animation of growth by geographic breakdown (200K .mov; requires QuickTime v3 or newer)
- original www.caida.org gif animation
Mirrors: UK Mirror, UK FTP, AU Mirror
HIV Crosses Species Barrier... into Muppets
What exactly are we supposed to celebrate? The inept SAs that have failed to patch their systems? The sad lack of software development skills and abundance of corporate greed that combine to push shoddy software upon millions of users?
Maybe we should celebrate the resiliency of the Net. The fact that while attacks on systems continue to come daily, and at a seemingly increasing rate, everything still works most of the time.
--knowledge, not information, is power
From the official #python@OPN quotefile:
<skreech> I'm gonna miss code red when it's gone, my webpage has never gotten this many hits before
DShield's Code Red Anniversary Page has an interesting graph showing scanning activity they've detected from active hosts since the beginning of this year. Some 35,000 IPs still continue to regularly come alive around the beginning of the month, quiet down towards the middle, and then resume the cycle again - the numbers have remained remarkably consistent.
many months ago when default.ida was the rage around the www, I added these couple lines to my httpd.conf:
SetEnvIf Request_URI "^/default.ida" dontlog
ErrorLog logs/254-error_log
CustomLog logs/254-access_log combined env=!dontlog
check out SetEnvIf in apache docs, you can do even better than this.
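One of the "even better" variants the poster hints at, as an added example rather than the poster's own httpd.conf: instead of dropping the Code Red probes from logging altogether, route them to their own log file so the main access log stays clean while the probes remain available as evidence (and as input for a blocklist job). The log file names are assumptions; note also that the dot in default.ida is escaped here so the pattern matches only that literal filename.

```apache
# Added example, not the original poster's configuration.
# Mark requests for Code Red's probe URI; the escaped dot keeps the regex literal.
SetEnvIf Request_URI "^/default\.ida" worm_probe

# Everything except the probes goes to the normal access log ...
CustomLog logs/access_log combined env=!worm_probe

# ... and the probes go to a separate file that a log-scanning job can read.
CustomLog logs/worm_probes_log combined env=worm_probe
```

Keep the ErrorLog line from the original post as it is; SetEnvIf only affects the conditional CustomLog directives, and a 404 for default.ida is still recorded in the error log unless you filter that separately.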
Is it slashdotted or is that the demonstration?
;)
Server is still infected with an IIS virus (though not Code Red). Here it is
I sent them an email - almost a year ago in fact. They just brushed me off and gave a rather pathetic excuse ("the box is too slow to run Norton").
You can read the e-mail here.
Of course, these are the same people who run a trouble ticket server on the district wide WAN that any old joe at school can access and see where the security issues are.
That's the first time I've seen someone getting smashed by the /. effect, and coming back asking for more!
"They do not preach that their god will rouse them, a little before the Nuts work loose." Kipling, 'The Sons of Martha'
What pisses me off is that when an early exploit was detected a while back (err, many years), somebody released a worm to go around and fix it but THEY were the ones who got in trouble with the FBI, thus setting a precedent in the future saying that the computer community was not allowed to take all necessary steps to fix problems that may pop up.
Kind of killed off community effort right there. >;(
Need help treating your acne? Come here!
Someone will let them know... hehehe.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Considering that despite the worm being in the wild for over a year, that either installing a *nix variant, applying a service pack, or simply running a decent antivirus app were alternatives to being infected? All of which are conscientious actions of the user, admin, etc? All actions that are made on the part of the user? All options undertaken or not by the user?
Sounds an awful lot like the fault of the user to me...
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
6/18: MS sends MS01-33: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise - Run code of attacker's choice.
7/18: CodeRed hits, those of us who installed the MS01-33 patch laugh.
7/30: MS et al send out another alert urging people to read MS01-33 and install the patch.
Of course - that's not to say it can't happen to Linux in the future. Some changes that would have to take place would include:
1) An increase in un-administered machines (which is possible as more Linux machines go into service and are promptly forgotten about or appropriate support stuff isn't also put in place).
2) More distributions installing services by default without user knowledge (which most distros seem fairly resistant to doing - but not all).
3) Patches that become as devastating as the security threat they attempt to mitigate (I've yet to see this and would think that any organization that constantly produced dangerous patches / replacement packages would find their user base fleeing to another distribution).
Microsoft still insists that such things are the fault of the user, not the software.
Microsoft is right. The user is using Microsoft software.
This was not an exhaustive search, nor a statistically significant sample group, and dynamic IP allocation muddled the results a bit, but it was enough to make me wonder. How many of the 'code red attacks' these days are really script kitties with unix boxes? My guess is they account for most of them.
Has anyone looked into this for more than the 15-20 minutes I put into it?
Build stuff. Stuff that walks, stuff that rolls, whatever.
We jokingly discussed an Evil Plan where I worked when CodeRed first came out.
One thing we discussed doing was getting a copy, disassembling it, and building a version that would install FreeBSD with Apache with Front Page Extensions and the Active Server Pages module over top of the Windows installation, with all of the web site content left more or less intact.
We figured that it would be pretty cool if we could make it so that people would not notice that their server had been "competitively upgraded" until the next scheduled reboot/update.
We thought that it would be even more likely to go a long time if we captured the console screen of the running server, and used it as the boot "splash screen" for the replacement OS...
Of course, as I said, doing this would be Evil, so we only discussed the possibility.
-- Terry
- Every coder makes programming errors (some more than others, true).
- Microsoft released a *working* patch a few months before the exploits started.
- A work around was also available.
- A properly installed & configured server was *not* vulnerable.
- A web server does not need to *establish* outbound HTTP connections through the firewall, only to accept and reply to them.
You kind of get an idea where they are coming from.
PS. That last point is the crux, and denying webservers the ability to establish outbound HTTP connections would have stopped Code Red type exploits dead. If your network is properly configured, even if you are exploited, then the exploit should have a much harder time propagating and thus making you look like a complete incompetent. The *real* problem is that a *huge* proportion of sysadmins don't seem to understand the most basic of security principles, and that's not Microsoft's problem at all.
UNIX? They're not even circumcised! Savages!
Hotfixes don't kill web apps. I have been developing web applications (the n-tier stuff, VC++/VB/ASP/IIS/SQL Server etc.) for over 5 years now and have applied a zillion or so hotfixes on IIS and NT / Win2k Server to keep the systems up to date, but never ever have I encountered one single hotfix which killed a web application, nor did I hear from colleagues that hotfixes killed their web applications. If the web app is written solidly, by the guidelines MS has supplied, you can apply any hotfix, period.
When your developers are not that educated, however, perhaps they use dirty tricks which will break when a hotfix is applied (although I doubt it; hotfixes mostly overwrite existing files without updating CLSIDs etc., because these stay the same) and the app will die after the hotfix is applied: one reason to kick them out the door for some real professionals.
Never underestimate the relief of true separation of Religion and State.
That stands for "You have been trolled".
The perl script is a troll, it won't work, I can't believe this got modded up.
Believe it or not, out of all the people in the world running MS Outlook, fewer than 1% have ever pulled down security patches, see The Great MS Patch Nobody Uses.
Additionally, the Win2K/NT server guys are afraid to install security patches since they are never really sure how much of their server is going to break. Oftentimes, admins will patch the servers which touch the Internet but not the internal servers for fear of breaking them. With Code Red, this was quite humorous because the outer servers were patched as soon as the Code Red patch was available, thinking this action would defend the realm against Code Red, but they forgot about the laptop users who brought Code Red in the back door via the local LAN.
But not to worry folks, once we get Palladium hardware in all our servers, this will not happen again, right? In fact we won't even have to patch anymore, since everything will be secure and only secure applications will be allowed to run.
Oh, wait, wouldn't IIS pass the palladium trusted application test?
Why yes it would...... and Code Red would join the list of "Trusted Secure Applications".!
Sorry, I have to smack Palladium every time I get a chance.