
Code Redux 472

Posted by michael
from the carpetbombing-the-new-economy dept.
I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage. Code Red is hitting cable modem networks especially hard, as the new variants scan "nearby" IPs in preference to random ones, which has apparently caused enough damage and network congestion that AT&T's residential broadband division (MediaOne) has cut off port 80 across their network to try and halt the spread of the worm, or so several submitters reported. Newsforge has a story about various reactions to the worm, and reader nettdata sent in an interesting story about the worm becoming the main course at a dinner of security specialists.
  • by Chelloveck (14643) on Wednesday August 08, 2001 @10:48AM (#2150216) Homepage

    AT&T @Home hasn't cut off port 80 where I live yet (Palatine IL, the NW Chicago 'burbs). A quick grep of my Apache logs shows that I got hit 499 times yesterday with requests for 'default.ida'. Just over 1200 times since this thing started.

    What really annoys me is that I just inherited responsibility for maintaining code for a print server product we sell. Code Red is knocking these things off the net left and right (buffer overflow processing the URL, I suspect) and customers are screaming. Oh, and did I mention that since inheriting the code I haven't even been able to get the fscking debugger to run yet!?

    Why anyone would leave a printer sitting wide open on the wild net is beyond me, but apparently it's not acceptable to just tell the customers to put it behind a firewall where it belongs...

  • By the way: The Code Red scans went dead yesterday morning on MediaOne.net (at least the 66.* where I am). It looks like they're blocking all connects on port 80 now.
  • I gotta say this worm is really amazing. You can watch its growth in your log files. Mine roll over daily and you can see the file sizes increase day by day. On Aug 1 I had an 8k log file. The 2nd I had a 12k one. The third was 32k; the day after that was 64k. Today it was up to 192k so far and there's still another 2 hours till the log file rolls over.
  • by zdzichu (100333) <.lp.cri. .ta. .uhcizdz.> on Tuesday August 07, 2001 @06:40PM (#2167120) Homepage Journal
    Polish Telecom, the biggest ISP down here, also announced that they will block traffic from 'infected' sites. Trying to connect to the whitehouse server is taken as proof of infection.
  • Code Red Self Test (Score:5, Interesting)

    by staplin (78853) on Tuesday August 07, 2001 @06:40PM (#2167129) Homepage Journal
    While out and about looking for the latest Code Red statistics, I found this link to a Code Red Self Test [securityspace.com] which is supposed to tell you if you are vulnerable, and if you have been infected.

    I don't know if it works, I don't have a Win boxen to test it on...
    • What it does (Score:2, Informative)

      by kimihia (84738)
      I tried it out. This is what appeared in the log.

      - 216.201.108.18 - - [08/Aug/2001:19:29:45 +1200] "GET /scripts/root.exe?/c+dir+c:\ HTTP/1.0" 404 286 "-" "-"

      - 216.201.108.18 - - [08/Aug/2001:19:29:46 +1200] "GET / HTTP/1.0" 200 1948 "-" "-"

      210.zz.zz.zz 216.201.108.18 - - [08/Aug/2001:19:29:46 +1200] "GET /NULL.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXX=X HTTP/1.1" 404 284 "-" "-"

      - 216.201.108.18 - - [08/Aug/2001:19:29:48 +1200] "GET / HTTP/1.0" 200 1948 "-" "-"

      (I've snipped my IP BTW.)

      It looks like it is testing for:
      * Code Red 3 backdoor (found on all good Windows 2000 systems)
      * A web server
      * The ida overflow
      * A web server (again)
    • by rkent (73434)
      I don't know if it works, I don't have a Win boxen to test it on...

      Okay, if you're going to use the archaic, tongue-in-cheek unix-guru term "boxen," at least bother to learn that its denotation is plural.

      And now back to your regularly scheduled worm discussion.

    • According to it I don't have it (and I know I don't) so it either works or is just going to provide everyone who DOES have it with a nice surprise.
    • by The_Weevil (448754)
      Lol.

      It isn't difficult to self test. Get your IP with winipcfg then type this in a browser:

      http:///scripts/root.exe?/c+dir

      If you download a directory listing, you're infected. Ohohoho. Practically all win2k users I know are infected. How amusing.

      You may also find /scripts/shell.exe works too.

      Weevil.
    • How about if someone just writes a Code Red version that instead of doing something nefarious just puts up a dialog that says: "Hey, you fucking moron! Patch your crappy IIS server so that you don't get some version of Code Red."

      Better yet, why not just run the patch installer for them?
      • Better yet, why not just run the patch installer for them?

        All well and good, I guess. But what of the day when people don't see your white hatting as such? Then someone will come out with a variant of your white hat hack on Code Red and, instead of having it hit the patch, will have it install something really nasty on the box, making it look like they're white hatting.

        Yes, this could be done now--infect a box, then have it hit a second virus that slams the box after the DDoS is done--but it would be more elegant after someone started to white hat Code Red.

  • AT&T's residential broadband division (MediaOne) has cut off port 80 across their network

    Seeing as how HTTP runs on port 80, how are outgoing HTTP connections (i.e. web page pulls) supposed to proceed across the network? Given that frontends to mail [hotmail.com], newsgroups [google.com], and file transfers are increasingly HTTP-based, they might as well just schedule total network downtime during Code Red attacks.

  • Cutting off port 80 (Score:5, Interesting)

    by Grim Grepper (452375) <Andrew275@gmail.com> on Tuesday August 07, 2001 @06:41PM (#2167131) Homepage
    I really hope that RoadRunner doesn't decide to cut off port 80, as I happen to be running a webserver. Since I don't use IIS or Windows, it seems unfair that they would cut me off; it doesn't seem quite fair.

    What they should do is scan for people running IIS webservers and cut them off. Leave the Apache users alone!

    • Verizon has told me they closed port 80 indefinitely. Thus making my DSL useless. They start filtering SMTP access to non-Verizon email servers today (which don't let you send email that isn't using a Verizon domain).

      I know I'll be switching. I don't pay 80 bucks a month to just surf the net on Verizon's terms. I do use my DSL for work, VPN, testing websites and personal pages.

      Is there anything "We" can do? The terms of service specifically state it is up to the END user to do all necessary functions to protect HIS data. Verizon makes no guarantees of service so how can they modify the service?

      I wish I could get a class action for something.. they're limiting email to verizon.net emails only, filtering access.. what next?

    • Well you are breaking policy, if they didn't want your money you'd probably be kicked off by now. O
      • He said RoadRunner. If it's anything like my RoadRunner setup, he's allowed to run web and FTP servers as long as he notifies them (to open up the ports on the cable modem).

        In fact, I just wiped my webserver and I'm doing a major upgrade on it right now.
      • by Sc00ter (99550) on Tuesday August 07, 2001 @09:22PM (#2168087) Homepage
        HEY! It's not against their AUP to run a web server!

        From: http://help.broadband.att.com/subagreelease.jsp [att.com]

        (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

        And the actual AUP page doesn't mention it at all: http://help.broadband.att.com/faq.jsp?content_id=72&category_id=34 [att.com]

  • by Hobbex (41473) on Tuesday August 07, 2001 @06:42PM (#2167139)

    Besides the load of the spread (which is probably made significantly better by having the worm mostly scanning on its own subnet) CodeRed2 is quite benign.

    Yes, it does open a remote root exploit, but the servers that got infected were already wide open due to the default.ida hole. Sure, it's easier now, but since there are simple exploits for default.ida already, any script-kiddie worth the name could already have walked straight into these computers.

    In truth, I figure that the people who have made most use of this exploit have been geeks who would ordinarily never break into systems, but have been made curious about where the worms are coming from (of course, _I_ would never do such a thing... really...)
    • The problem really is that it opens you up, then it broadcasts it to all your neighbors. Kinda like breaking your door down and putting a "Help Yourself" sign in front of the door.
  • I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage.

    Maybe because they don't! You are thinking in terms of security hole. With a virus it is different, you are more concerned about data loss.

    A virus can inflict low damage, ie: print a message on the screen that you are stupid, or a high DAMAGE rate of deleting your whole hard drive. Medium is a good measurement of this one, as it only has the POTENTIAL for data loss.

    • I agree. <imo>Anti-virus software companies are in the business of protecting against viruses; of preventing a large number of users from being compromised by the same code. They are not interested in the kind of security that would prevent script kiddies or social engineers from gaining access to your computer, and so they rate viruses by the amount of damage they cause, rather than rating security holes by the amount of damage they allow. I suppose they do this to be consistent with their stance that "the viruses are the enemy".</imo>

      By the way, did anyone else think it was strange that CERT [cert.org] listed anti-virus software companies, and only anti-virus software companies, in the "vendor information" section of their advisory [cert.org] about SirCam? They could have easily targeted

      • E-mail client vendors, for having poor user interface surrounding attachments. (Especially Microsoft, for releasing at least one version of OE that shows a very similar dialog when you double-click a .jpg attachment as it does when you double-click a .exe attachment.)
      • Microsoft, for relying on extensions as the only way for a user to tell the difference between a document and a program, rather than doing one or more of the following:
        • Giving users and programs a way to flag files as "executable" (or as "not executable"), like linux does with the +x mode.
        • Using a single, special extension for executable files. For example, foo.vbs would have to be renamed to foo.vbs.exe before it would run.
        • Using a special type of icon, or icon overlay, to indicate that something is a document. For example, always show documents as a piece of paper, and show an icon chosen by the associated application in the middle of the paper.
      • Microsoft, for not providing a function in Windows for "is a file with extension .foo a document or a program?".
  • by EvlPenguin (168738) on Tuesday August 07, 2001 @06:44PM (#2167160) Homepage
    I received an email today from Road Runner (aka Time Warner Cable) regarding the "VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED". For the intrigued, here's the letter:
    ------
    VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.

    Dear Road Runner Subscriber:

    Road Runner, like many other ISPs and indeed the entire Internet, has today experienced an attack on its network which is apparently attributable to the Code Red virus. It is possible that this virus has infected the PC's of Road Runner's subscribers using the Microsoft Windows NT or Microsoft Windows 2000 operating systems. Infected PC's may continue to flood the Internet and Road Runner's network with virus generated messages (even without your being aware of it).

    Road Runner is working to alert all of its subscribers to this problem and to instruct them on where to find and install the patch necessary to eliminate the virus. In the meantime, Road Runner subscribers may experience slow network response, flashing connectivity lights on the cable modem, and other symptoms (such as unusual port scan log activity or increased firewall activity) while Road Runner and the Internet community work to control the impact of this virus.

    IF YOUR PC IS RUNNING WINDOWS 2000 OR WINDOWS NT, PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE (www.microsoft.com/security) AND RESTART YOUR PC.

    IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

    We ask for your patience while Road Runner continues to work with the Internet community to address this virus. Thank you. Road Runner Security
    P.S. Please, do not reply to this message
    --------

    Well, gee, if the whole "internet community" is at work at resolving the issue, I can rest easy. But then again, they only say not to worry if you're running Windows 95, 98, ME or MacOS. Well, I'm running Linux and NetBSD, so I guess I should be worried, eh?
    • But then again, they only say not to worry if you're running Windows 95, 98, ME or MacOS. Well, I'm running Linux and NetBSD, so I guess I should be worried, eh?

      No, you should report them to "abuse@timewarner.com" for sending you Unsolicited Bulk Email advertising those products.
  • Cutting Off Port 80? (Score:2, Informative)

    by Bonkers54 (416354)
    To specify more specifically for the people misunderstanding this poorly worded post, port 80 is not completely blocked. Only the _INCOMING_ connections to port 80 are blocked, so only people running webservers are infected. Because I currently run a webserver using Apache under Linux on my MediaOne cable modem, I am currently on hold on the MediaOne tech-support line attempting to get port 80 unblocked.
  • by duncan (16437)
    From the article:

    "The group gathered around the dinner table then managed to get a copy of the worm and began disassembling its code"

    Doesn't looking at the code and trying to figure a way around the usage of this program violate the DMCA? I think that those at this conference should be held accountable.

    • What if somebody releases a virus and protects it under the DMCA? Does that mean it won't be legal to write an anti-virus for it? (that too could be a good way to fight DMCA)
  • I work for a rather large cable modem provider in the callcenter. We are getting inundated with calls about the Code Red virus. Especially concerning hyper-active activity lights on cable modems. It's been like this ever since Sunday. I must admit, we are very close to blocking port 80 as well, since we don't allow web servers anyways. Oh well, I start my new job next Monday.
  • by interiot (50685) on Tuesday August 07, 2001 @06:46PM (#2167174) Homepage
    @Home's AUP specifically says "no servers". Also, they've always blocked port 137, so the tools are already installed. Yet they still haven't blocked port 80, even though each IP is getting hit approximately every other minute.
    • The contract I signed specifically said "No commercial servers." I checked this very carefully before signing it to ensure that they have no contractual right to pull my account for running a personal web server. Of course, this was when MediaOne was Roadrunner, not @Home, but they cannot unilaterally change the agreement without notice.
    • On some segments, they have. If you're on what was MediaOne's old segments, they have set it up. They just haven't admitted it yet. They say 'no servers' but they actually mean 'no servers for public use'. I personally consider every machine in my house a server... heh
    • by Anonymous Coward
      I found this in my Apache log last night (I know, I shouldn't be running servers, but I have them capped using CBQ so they use very little bandwidth):

      24.0.0.203 - - [07/Aug/2001:02:19:23 -0400] "HEAD" 400 - "-" "-"

      24.0.0.203 is authorized-scan1.security.home.net, the machine which has been scanning for NNTP servers on port 119, ever since @Home got threatened with the Usenet death penalty.

      This is the first time @Home has ever scanned my web server. It seems odd that they're sending an invalid request, although this can distinguish between Apache and IIS. Apache will treat this as HTTP/0.9 and will not send back an HTTP header on its error page, while IIS sends an error page with full headers.

      @Home has never blocked ANY port in my area, including 137-139 (I'm on Cogeco@Home). I've connected to my home computer from university over those ports, and successfully transferred files. The modems are capable of simple firewalling, as any DOCSIS modem should be (I've connected to my modem through SNMP and set up some firewall rules, to block connections on port 1214 - my brother was hogging all my upstream bandwidth by using Morpheus/Kazaa).

      I'm still getting tons of hits from Code Red, but I don't really mind. I find it interesting to look through my logs and see the different versions of the worm. Among hundreds of Code Red hits, I have 3 interesting ones. Instead of saying "GET /default.ida?XXXXXX"..., they are just "XXXXXX"..., with the exploit code on the end. Does anyone know what this is? The first hit was around 12:30am last night.

    • It's not likely that they will in INDY, as they are too fscking stupid here. And I'm getting hit pretty hard here, the lights on my modem would give an epileptic one hell of a time.

      Thanks to Linus, Alan and all the others who made my firewall possible.
  • or the worm has a sleeping behaviour pattern. Please review the following message [securityfocus.com] from the Securityfocus Incidents Archive (the message was sent 30 minutes ago)
  • by BroadbandBradley (237267) on Tuesday August 07, 2001 @06:51PM (#2167210) Homepage
    and I'm on @home's network. I like the program 'etherape' to sit and watch the requests come in and then browse to the IP's to see JoeBlow's homepage.
    really, do these home users PAY for IIS? of course not, would you? If you're going to use software free, use free software!!!
    I can't imagine that anyone who administers servers for a living hasn't already patched against this. Thus I think most of this Code Red comes from home users' Windows boxes with pirated software. I wish MS did pursue those people because we'd have a whole lot more Linux users if that was the case. (I guess that's why they don't)

    a note to IIS users: /etc/httpd.conf it's not really that hard.
  • by banky (9941) <.moc.gnihsaboruen. .ta. .ggerg.> on Tuesday August 07, 2001 @06:51PM (#2167216) Homepage Journal
    Here in Fairfax, our cable modem dropped out around 6pm Sunday night; it came back up after about an hour, but ever since then, I've had faster speeds on dial-up.

    The phone system reports that SirCam has taken out their email servers, and that Code Red [I|II] is causing serious performance problems. They expect to have it done by tomorrow - except that today, when I called, they no longer are saying that, merely begging users to patch their systems.

    Phone tech support is turned off, at least in my wanderings in the phone system.

    Anyone else having these problems?
  • by Micah (278)
    Well I'm on @Home and I'm not sure if this has to do with Code Red or not, but my cable modem light indicating bandwidth use has been flashing pretty much CONSTANTLY since Sunday or so, even when the computer was off!

    I know it's more than port 80 hits, because there's not a constant stream of them in my log file, and I don't even run the web server most of the time. I get plenty of them when it does run, but it's got to be more than that.
  • Crikey (Score:3, Interesting)

    by Illserve (56215) on Tuesday August 07, 2001 @06:59PM (#2167276)
    Code red is so profligant (because it requires no user intervention to spread), that a new machine installation will likely be hit by it in 10 minutes or less, which of course, is less time than it takes to patch it, which of course means that until you patch it, the remote exploitation is free to install anything else it wants until you close the hole, so you're going to be left with a zombified machine unless you install and patch from an airgapped machine, using a local copy of the patch. I doubt most people do that.

    So even with the patch up and available, the problem is far from solved. I bet the number of zombie machines out there surged 10fold today, many of which are on high speed corporate bandwidth, instead of the more meager cable modems with severely crippled upstream access.

    It's going to be a rough year.

  • No patch for Alpha NT4 machines. I had to remove Indexing, no big deal, but damn virus even hit Alpha cpus.
  • My server was blocked at 9AM on August 5th. I use it mostly for my resume. I have since relocated my server to port 8080 and it works fine again. I also spoke with a couple different people concerning their blocking port 80, and they totally deny it [granzeau.com].

    Wow, that's kind of weird considering the traffic ended at EXACTLY 9AM for old pages I used to host on that server. And wow, someone couldn't get to my resume that day, and emailed me about the problem they had. Very odd. I don't have a problem if they are going to block it for whatever [att.com] reason [att.com], but at least admit it in the Agreement [att.com]. I just want it for personal use...

  • Twenty-four hours. (Score:5, Insightful)

    by ktakki (64573) on Tuesday August 07, 2001 @07:13PM (#2167373) Homepage Journal

    grep ida access_log | cut -d" " -f1 | sort | uniq | wc -l

    139


    Looking over the infected hosts, it seems that half are broadband clients (RR, Bellsouth, Verizon, @Home, etc.), a third are overseas (with .de, .tw, and .kr most prevalent), and the remaining sixth are US corporations, including some Fortune 500 hosts.

    I see Code Red as a big boon to jobhunters, especially those looking for SA work. Right there in your logs is a list of companies that are hiring, whether they know it or not.

    I guess the big question is this: do you root their box before the first interview or after?

    k.

  • by Pac (9516) <paulo...candido@@@gmail...com> on Tuesday August 07, 2001 @07:17PM (#2167400)
    It's been already shown that Code Red will not bring the Internet down. And it was never very much of a mortal threat to the majority of the users out there, because those are not running IIS (or any http server, for that matter). And until the more recent versions, the worm was not even a menace to the files in the infected system (the recent versions, by installing a backdoor, would allow for a malicious invader to do a lot more damage).

    The kind editor should also remember his math and Netcraft nice figures. IIS installations represent some 25% of the servers out there. Most of those are already patched by now. Even when they were not patched Code Red got only 6-7% of them (considering 4 million servers/250 thousand infected).

    Code Red is certainly a local problem in networks where it finds a nice ecological niche. Cable modem networks are likely to suffer due to their architecture and their own flaws. Other networks will suffer down the road.

    But the main point is that this particular worm is out of the way for most of us (if it ever was in the way) and will only affect the bandwidth locally.

    It is almost time to reduce its risk rating to low.
  • by Anemophilous Coward (312040) on Tuesday August 07, 2001 @07:19PM (#2167415)
    We might be in for another growth spurt...when the hundreds of thousands of college students return to campus and plug in their computers. A good portion of them have probably been unattached to the network, or will be brand new machines just for school. Working at a University, we aren't looking forward to this potential new stream of *fun*.

    One possible saving grace is that most of our students come back after the worm is supposed to sleep (20th of the month). However, it might wake again come Sept. 1st. Not to mention any server out there with bad dates ready to spew it around.

    On another note, I've notified several people in other departments that they've been hit with the CR II version. They say "well, I'll just apply the patch". Wrong, that will stop your computer from trying to broadcast the worm. Unfortunately, the patch doesn't clean up the trojan explorer.exe and registry settings. I tell them "you'll need to reformat the whole computer", and they laugh. Well, at least I can be first in line to berate their IT department for not taking that suggestion when their whole network gets compromised from another backdoor installed during the computer's 'open' state.

    -A non-productive mind is with absolutely zero balance.
    - AC
    • A good portion of them have probably been unattached to the network, or will be brand new machines just for school.

      This may be insightful, but how many of these people will ACTUALLY be running a vulnerable web server? Only those that have installed IIS with Windows 2000! I am willing to bet that this number is negligible among college students, especially those with new computers. Those computers will most likely be running ME, which is less expensive and is more suitable for home/student use.

      Those students running Win9x or ME are NOT VULNERABLE from Code Red or CR II and those running NT4 are NOT VULNERABLE from Code Red II. This kind of FUD is what makes people panic. We don't need it in the news and we especially don't need it on Slashdot.
      • Doing student network support for a midwest college, I came across several newly purchased IBM Thinkpads which came with Win2k installed. Enough, that I'd say one out of every thirty people with a laptop there had it.

        Additionally, since a lot of the colleges in Ohio have site license deals with Microsoft so that students can get the OS for cheap (or even free), there were just enough people figuring that 2000 must be better than 95, simply due to the numbers, to cause us a bit of aggravation.

        Of course, out of those people, most probably don't have IIS installed, but I've come across just enough people who install random things they don't need to say that the problem, while small, certainly isn't insignificant.

  • It is very embarrassing for Microsoft to be responsible for the biggest true worm (as opposed to email worms which can be blocked at a small number of points) in internet history.

    It is well known that Microsoft could easily crush Symantec. Almost all of Symantec's products fill holes in the Windows Family Line that do not exist in other operating systems. According to reports that I have read, the Windows XP betas have firewall software, remote access software, older operating systems have also hurt the viability of Symantec products.

    It is clearly in Symantec's best interest to ensure that Microsoft does not add too many of these new features, and when it does to water them down or license Symantec technology. It would be very easy for Microsoft to include a powerful firewall system based on one of the BSD firewall systems. But instead they have included a weak firewall that most security conscious users would find lacking. Microsoft Scan Disk and Defrag are also both examples of code that have been watered down. The code for defrag is even licensed from Symantec.

    In the past, companies that have made Microsoft look bad have been crushed. Symantec does not want to suffer the same fate.
    • Go search google for 'morris worm.' Then repeat, one hundred times, "every problem that Microsoft is having with security, UNIX had, and continues to have."
      • Please...
        Give me a break.
        Go search google yourself!
        The Morris worm hit less than 6000 computers
        for a period of time, Code Red was infecting that many computers every three minutes.
        As of July 19th, 359,000 computers were infected
        http://www.cs.berkeley.edu/~srhea/morris-internet-worm.html
        http://www.caida.org/analysis/security/code-red/
        Microsoft is worse than unix for the following reasons.
        1) it is a monoculture, one web server running on one operating system, running on one CPU type. Compare to *nix which has about three popular webservers running on about 20 OS's running on about 10 CPU types. For the OS's and webservers, there are hundreds of different builds. This makes building a worm with good penetration very difficult.

        2.) Most windows admins know almost nothing about their systems. Nuf said.

        This is getting boring and long winded. I have better things to do than explain why windows has such poor security.

  • The real danger (Score:5, Interesting)

    by aralin (107264) on Tuesday August 07, 2001 @07:32PM (#2167515)
    The real problem is that all the boxes that are vulnerable to this one specific exploit advertise themselves all over the net! Everyone knows what exploit it is. All you need to do is to read your apache logs and you own at average 400-500 windows boxes to do ANYTHING you want.

    Remote Linux install, anyone?

  • My report [websoup.net] on this shows that I'm getting hammered quite a bit. Over 2500 attempted attacks, which is eating quite a bit of bandwidth. And yes, I'm on cable.

    My thanks, once again, to the author of the wonderful Perl program which generated this (link available on site).
  • by Cramer (69040) on Tuesday August 07, 2001 @07:43PM (#2167579) Homepage
    I know I'm askin' for it, but I couldn't resist:

    cd /home/httpd/html
    ln -s /dev/zero default.ida


    I'm only a 128k ISDN, but with compression, I can push over a T1 worth of zeros :-) (And people say PPPoE has no value.)
  • [root@gateway rothwell]# grep default.ida /var/log/httpd/access_log | cut -f1 -d" " | uniq | wc -l
    1595
  • Amazingly annoying (Score:4, Informative)

    by Pedrito (94783) on Tuesday August 07, 2001 @07:55PM (#2167639) Homepage
    6 of our machines at work got infected over the weekend. I was under the impression that our web guy had been keeping them up-to-date, but 5 were inside our NAT (infected by the 1 that was outside). I was under the impression that the ones inside the NAT would be ok. Bad assumption.

    The bandwidth it used was so bad that it completely wiped out our ability to get out via HTTP. We could ping, get and send mail, but we couldn't browse at all. I had inoculated my home machine, and it wasn't until this morning, when we received a notice from our ISP accusing us of massive port scanning of port 80 that I made the connection. I went around the office and, even after 5 of the 6 machines were inoculated, we still couldn't get out via HTTP. It wasn't until the 6th was inoculated that we could get out.

    Our line is a 768/512 DSL (I believe those are the numbers), and it amazes me that a single machine infected could cause so much trouble. This is pretty disturbing.
  • Mediaone has closed off port 80 inbound? WHY? The new version of the worm (the person responsible took the shellcode from the first two variants...yes, that's right, "CodeRed II" is really the third iteration) first checks to see if the machine is running a Chinese or Taiwanese version of Win2K. Ah, yes....it only works against Win2K, since that's the only offset it carries. I don't think that people need to take more action towards securing things a good bit better, but this is a reaction that does not consider the nature of the threat.
  • by jgaynor (205453)

    The CNN.com story about this makes no mention of AT&T's woes. Wonder Why?

    It's because they're one of CNN's biggest sponsors. The online video coverage of the story is even preceded by AT&T commercials :). Now THAT'S Irony!

    Here's [cnn.com] the Video . . .

  • Actually, the new variant may be easier to eradicate than previous versions. The fact that it preferentially scans 'nearby' network address ranges means that the worm will be less widespread, and it should be easier for providers and businesses to detect infected hosts in their network, just by watching for the characteristic overflow attempts in the logs on their various webservers.

    I've already seen at least one site sending out automated 'a host in your network may be infected' notices by putting up a CGI script in place of the vulnerable IIS binary, and using the ARIN database to try to guess who controls the network that the attacking host resides in.

    I only received the warning message because it guessed wrong :-)
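
The log checks discussed in this thread (the self-test requests kimihia logged, ktakki's `grep ida` count of unique hosts, and the comment above about spotting infected neighbours from overflow attempts) can be combined in one pass. This is an added example, not part of the original discussion; the function names, the constructed sample log, the server address 10.20.30.40 and the /16 and /8 "nearby" buckets are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Apache common/combined log line: source, two ignored fields, [time], "request", status.
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# A .ida request whose query string opens with a long run of one padding
# character. Published analyses describe N padding for the first Code Red and
# X padding for Code Red II; the 20-character minimum is this example's choice.
IDA_RE = re.compile(r'^GET /[^ ?]*(?i:\.ida)\?(?P<ch>[NX])(?P=ch){20,}')

# Probe for the command shell the thread reports under /scripts/.
BACKDOOR_RE = re.compile(r'^GET /scripts/(?:root|shell)\.exe\?', re.IGNORECASE)

PAD_X = "X" * 224  # constructed padding only, no payload bytes
PAD_N = "N" * 224

# Constructed sample log (private and documentation address ranges).
SAMPLE_LOG = "\n".join([
    f'10.20.7.9 - - [07/Aug/2001:10:01:02 -0400] "GET /default.ida?{PAD_X}=a HTTP/1.0" 404 284 "-" "-"',
    f'10.99.1.2 - - [07/Aug/2001:10:03:10 -0400] "GET /default.ida?{PAD_X}=a HTTP/1.0" 404 284 "-" "-"',
    f'10.20.7.9 - - [07/Aug/2001:10:09:44 -0400] "GET /default.ida?{PAD_X}=a HTTP/1.0" 404 284 "-" "-"',
    f'203.0.113.77 - - [07/Aug/2001:10:04:00 -0400] "GET /default.ida?{PAD_N}=a HTTP/1.0" 404 284 "-" "-"',
    '203.0.113.77 - - [07/Aug/2001:10:05:30 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 286 "-" "-"',
    '198.51.100.5 - - [07/Aug/2001:10:06:00 -0400] "GET /index.html HTTP/1.0" 200 1948 "-" "-"',
    # Benign request that a bare substring match on "ida" would count as a hit.
    '198.51.100.5 - - [07/Aug/2001:10:06:05 -0400] "GET /docs/idea.html?ida HTTP/1.0" 200 512 "-" "-"',
    'not a log line',
])


def classify(request):
    """Return a label for a worm-related request line, or None for anything else."""
    m = IDA_RE.match(request)
    if m:
        return "ida-overflow-" + m["ch"]
    if BACKDOOR_RE.match(request):
        return "backdoor-probe"
    return None


def proximity(src, server):
    """Bucket a source address by how much of its prefix it shares with the server."""
    s = int(ipaddress.IPv4Address(src))
    t = int(ipaddress.IPv4Address(server))
    if s >> 16 == t >> 16:
        return "same /16"
    if s >> 24 == t >> 24:
        return "same /8"
    return "remote"


def analyze(log_text, server_ip):
    """Map each probing source to its hit count, probe kinds and proximity."""
    hosts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        kind = classify(m["req"])
        if kind is None:
            continue
        try:
            prox = proximity(m["src"], server_ip)
        except ipaddress.AddressValueError:
            prox = "unresolved"  # the log recorded a hostname, not an IPv4 address
        # Keyed by source, so repeat hits count once per host even when the
        # repeats are not adjacent in the log.
        entry = hosts.setdefault(m["src"], {"hits": 0, "kinds": set(), "proximity": prox})
        entry["hits"] += 1
        entry["kinds"].add(kind)
    return hosts


def summarize(hosts):
    """Count unique probing hosts per proximity bucket."""
    return Counter(h["proximity"] for h in hosts.values())


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG, "10.20.30.40")
    for src, info in sorted(found.items()):
        print(src, info["hits"], sorted(info["kinds"]), info["proximity"])
    print(dict(summarize(found)))
```

Matching on the `.ida?` padding rather than the substring `ida` keeps ordinary pages out of the count, and the per-bucket summary shows at a glance how many of the probing hosts sit on the same network as the server.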

  • I live in England. For the last day or so, it has not been possible to get telephone-directory inquiries for Europe or Asia. Asking for numbers in Canada/USA works fine. But when I've tried to get a number in Eurasia, I've been told that there are no lines to directory inquiries in those countries. The cause is claimed to be CodeRed, but I haven't been able to find out the details.

    (Note: calls work fine; it's just directory information that you cannot get.)

  • I had read that it is supposed to hang Hewlett Packard laser printers with web interfaces. We had an issue today where a client's Minolta-QMS laser printer with a web interface was affected in the same manner.

    Hasn't hit any of our servers but I keep getting the w32.sircam worm in my email all day. I reply to them all with easy to comprehend AOL language... "You've got worms."

  • small survey (Score:5, Informative)

    by 1010011010 (53039) on Tuesday August 07, 2001 @09:02PM (#2168000) Homepage
    I ran a test on the 1597 unique hosts that have attempted to infect my web server recently.

    321- 20.1% - "Under Construction" default blank page
    0- 00.0% - "too busy"
    1093- 69.4% - cannot connect
    183- 11.4% - some web page

    • How did you automate that? My shell kung fu is weak.

      Or do you just have a lot of time for copy/paste? ;)

      FWIW I manually did about 40 IPs the other day. Similar ratio.
