Slashdot Mirror


Happy Birthday Code Red

totallygeek writes: "One year ago today (July 19, 2001), more than 359,000 computers were infected with the Code Red worm in less than 14 hours. At the peak of infection, more than 2,000 new machines were infected each minute. Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since. For the first time, systems running the Apache web server were getting requests for a document called "default.ida". Here we are a year later, and my web log shows an average of forty-two requests per day for default.ida over the last five days. To really appreciate the spread of this program, look at this animated image."

18 of 364 comments

  1. And how fitting... by Jester99 · · Score: 5, Funny

    ...that on the anniversary of an attack which paralyzed servers dead in their tracks, we hear the far-away screams of agony from the lone sysadmin of missingleftsocks.com as 100,000 slashdotters pillage his machine simultaneously.

    1. Re:And how fitting... by totallygeek · · Score: 5, Funny

      And how fitting that on the anniversary of an attack which paralyzed servers dead in their tracks, we hear the far-away screams of agony from the lone sysadmin of Missing Left Socks as 100,000 slashdotters pillage his machine simultaneously.

      That is me, and yeah *OUCH*, I am feeling it.

  2. I wouldn't worry about it. by colmore · · Score: 5, Funny

    Don't worry about Code Red and related problems. I'm sure Microsoft will fix everything before they start storing our National ID information.

    --
    In Capitalist America, bank robs you!
  3. Sorry. by ryanr · · Score: 5, Interesting

    One year anniversary was last week some time. We had been running DeepSight (nee ARIS) in a test mode at the time, and actually detected some test runs of Code Red about a week before the big outbreak.

    Folks will notice though that the fixed version of Code Red I (CodeRed.B) is still going. Picked up a couple of hits today.

  4. What about Morris? by sconeu · · Score: 5, Insightful

    Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since

    Granted, the 'Net was a lot smaller, but what about the Morris worm?

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  5. Well, at least it was good pizza that night... by SClitheroe · · Score: 5, Interesting

    It really was good pizza...and it was quite a bit of fun riding skateboards around the corporate HQ at 2:30am in the morning...

    Seriously, though, it also taught the company I work for a serious lesson about staying on top of this kind of stuff. We had just finished a 2 month project to secure our web servers, but we were still bound by our traditional change management processes - 7 days notification for an outage, and testing of all changes documented and submitted for approval in advance. At the time Code Red hit, I had sent a note saying "we've really got to get this hotfix applied", but we were bound by the process, and we got burned.

    Needless to say, when an urgent hotfix comes out now, it takes almost no convincing to get it applied ASAP. If it breaks a web app or two, well, that's the risk we take. We'd rather look for signoff from the business to unapply a hotfix that breaks something, than spend a few days trying to secure the approval beforehand. It's a lot cheaper in the long run to troubleshoot the effects of a hotfix that has unintended side effects than it is to watch your entire web farm get demolished by a worm.

    Yes, we run IIS, and I suppose you could harp about how this could all be avoided by running Apache, but the point is that without a policy, strategy, and process for rapidly deploying defenses against net-borne attacks, no system is invulnerable.

  6. Re:Logs Clogged by odaiwai · · Score: 5, Informative

    That's the nimda worm. Running apache, you're immune to it, but it makes a mess in your logs.

    One thing to do is have a cron job to scan your logs and if it sees any of the above, add the ip to an iptables blocklist. At least that way, you only get hit once by it from each infected host.

    Or you could use apache's rewrite rules to forward all attacks to www.micrsoft.com, but I wouldn't recommend that.

    dave
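
Added example, not part of odaiwai's comment: a sketch of the cron job described in comment 6, keyed on the /default.ida requests the story mentions, since the Nimda patterns from the parent post are not shown on this page. It assumes Apache common/combined log format with HostnameLookups off; the file names and the port-80 DROP rule are assumptions, and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the comment). Assumes Apache common/combined log
# format with HostnameLookups off; file names are hypothetical.

# Print each distinct IPv4 client that requested /default.ida.
worm_sources() {    # $1 = access log
    awk '
        # Whitespace-split fields: $1 = client address, $7 = request URI.
        # Only $1 is ever printed, and only if it is a plain dotted quad,
        # so attacker-controlled request text never reaches a command line.
        $7 ~ /^\/default\.ida/ &&
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        !seen[$1]++ { print $1 }
    ' "$1"
}

# Print one iptables command per source not already listed in the state
# file, and record it so later cron runs do not stack duplicate rules.
block_new_sources() {    # $1 = access log, $2 = state file
    touch "$2"
    worm_sources "$1" | while read -r ip; do
        if ! grep -qxF "$ip" "$2"; then
            echo "iptables -I INPUT -s $ip -p tcp --dport 80 -j DROP"
            echo "$ip" >> "$2"
        fi
    done
}

# Constructed sample log lines (documentation address ranges); the last
# line has a malformed client field that must be skipped.
write_sample_log() {    # $1 = output path
    cat > "$1" <<'EOF'
192.0.2.10 - - [19/Jul/2002:03:14:07 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 284 "-" "-"
198.51.100.7 - - [19/Jul/2002:03:15:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [19/Jul/2002:04:00:41 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 284 "-" "-"
203.0.113.55 - - [19/Jul/2002:05:22:13 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 284 "-" "-"
bad;host - - [19/Jul/2002:05:30:00 -0500] "GET /default.ida?NNNN HTTP/1.0" 404 284 "-" "-"
EOF
}

# Dry run: the commands are printed for review, not executed.
tmp=$(mktemp -d)
write_sample_log "$tmp/access_log"
block_new_sources "$tmp/access_log" "$tmp/blocked.txt"
rm -rf "$tmp"
```

The state file is what gives the "only get hit once from each infected host" behaviour across cron runs; the printed rules only take effect if they are reviewed and then run as root.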

  7. IRC quotefile entry by Skreech · · Score: 5, Funny

    From the official #python@OPN quotefile:

    <skreech> I'm gonna miss code red when its gone, my webpage has never gotten this many hits before

  8. Re:Logs Clogged by timecop · · Score: 5, Informative

    many months ago when default.ida was the rage around the www, I added these couple lines to my httpd.conf:

    SetEnvIf Request_URI "^/default.ida" dontlog
    ErrorLog logs/254-error_log
    CustomLog logs/254-access_log combined env=!dontlog

    check out SetEnvIf in apache docs, you can do even better than this.

  9. times out by bilbobuggins · · Score: 5, Insightful
    To really appreciate the spread of this program, look at this animated image.

    Is it slashdotted or is that the demonstration?
    ;)

  10. My school district's by DMDx86 · · Score: 5, Informative

    Server is still infected with an IIS virus (though not Code Red). Here it is

    I sent them an email - almost a year ago in fact. They just brushed me off and gave a rather pathetic excuse ("the box is too slow to run Norton").
    You can read the e-mail here.

    Of course, these are the same people who run a trouble ticket server on the district wide WAN that any old joe at school can access and see where the security issues are.

  11. Re:Happy Birthday? by vondo · · Score: 5, Funny
    What exactly are we supposed to celebrate?
    Ahh, a young person who thinks "birthday" == "celebration." How wrong you are. Wait 'til you hit 30 or 40, my friend.
  12. Click Here? by Myriad · · Score: 5, Funny
    Click here [missingleftsocks.com]

    That's the first time I've seen someone getting smashed by the /. effect, and coming back asking for more!

    --
    "They do not preach that their god will rouse them, a little before the Nuts work loose." Kipling, 'The Sons of Martha'
  13. Post the URLs by Mustang+Matt · · Score: 5, Funny

    Someone will let them know... hehehe.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  14. Re:Looking at my records by spongman · · Score: 5, Informative
    no, he's right:

    6/18: MS sends MS01-33: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise - Run code of attacker's choice.

    7/18: CodeRed hits, those of us who installed the MS01-33 patch laugh.

    7/30: MS et al send out another alert urging people to read MS01-33 and install the patch.

  15. Re:Interesting... by Tony-A · · Score: 5, Funny

    Microsoft still insists that such things are the fault of the user, not the software.
    Microsoft is right. The user is using Microsoft software.

  16. Evil plan (please don't implement) by tlambert · · Score: 5, Funny

    We jokingly discussed an Evil Plan where I worked when CodeRed first came out.

    One thing we discussed doing was getting a copy, disassembling it, and building a version that would install FreeBSD with Apache with Front Page Extensions and the Active Server Pages module over top of the Windows installation, with all of the web site content left more or less intact.

    We figured that it would be pretty cool if we could make it so that people would not notice that their server had been "competitively upgraded" until the next scheduled reboot/update.

    We thought that it would be even more likely to go a long time if we captured the console screen of the running server, and used it as the boot "splash screen" for the replacement OS...

    Of course, as I said, doing this would be Evil, so we only discussed the possibility.

    -- Terry