Code Redux 472
I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage. Code Red is hitting cable modem networks especially hard, as the new variants scan "nearby" IPs in preference to random ones, which has apparently caused enough damage and network congestion that AT&T's residential broadband division (MediaOne) has cut off port 80 across their network to try and halt the spread of the worm, or so several submitters reported. Newsforge has a story about various reactions to the worm, and reader nettdata sent in an interesting story about the worm becoming the main course at a dinner of security specialists.
AT&T @Home Not Cut Off in Palatine, IL (Score:3, Interesting)
AT&T @Home hasn't cut off port 80 where I live yet (Palatine IL, the NW Chicago 'burbs). A quick grep of my Apache logs shows that I got hit 499 times yesterday with requests for 'default.ida'. Just over 1200 times since this thing broke.
What really annoys me is that I just inherited responsibility for maintaining code for a print server product we sell. Code Red is knocking these things off the net left and right (buffer overflow processing the URL, I suspect) and customers are screaming. Oh, and did I mention that since inheriting the code I haven't even been able to get the fscking debugger to run yet!?
Why anyone would leave a printer sitting wide open on the wild net is beyond me, but apparently it's not acceptable to just tell the customers to put it behind a firewall where it belongs...
this thing is fascinating (Score:2, Interesting)
Code Red Self Test (Score:5, Interesting)
I don't know if it works, I don't have a Win boxen to test it on...
Cutting off port 80 (Score:5, Interesting)
What they should do is scan for people running IIS webservers and cut them off. Leave the Apache users alone!
It _is_ quite benign. (Score:3, Interesting)
Besides the load of the spread (which is probably made significantly better by having the worm mostly scanning on its own subnet) CodeRed2 is quite benign.
Yes, it does open a remote root exploit, but the servers that got infected were already wide open due to the default.ida hole. Sure, it's easier now, but since there are simple exploits for default.ida already, any script-kiddie worth the name could already have walked straight into these computers.
In truth, I figure that the people who have made most use of this exploit have been geeks who would ordinarily never break into systems, but have been made curious about where the worms are coming from (of course, _I_ would never do such a thing... really...)
RoadRunner Fairfax VA unusable (Score:4, Interesting)
The phone system reports that SirCam has taken out their email servers, and that Code Red [I|II] is causing serious performance problems. They expect to have it done by tomorrow - except that today, when I called, they no longer are saying that, merely begging users to patch their systems.
Phone tech support is turned off, at least in my wanderings in the phone system.
Anyone else having these problems?
Does the back door actually work? (Score:1, Interesting)
Trying 128.134.111.8...
Connected to 128.134.111.8.
Escape character is '^]'.
GET
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 07 Aug 2001 22:47:22 GMT
Content-Type: application/octet-stream
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
c:\inetpub\scripts>
It gives a command prompt, but typing commands doesn't seem to do anything...
Crikey (Score:3, Interesting)
So even with the patch up and available, the problem is far from solved. I bet the number of zombie machines out there surged 10fold today, many of which are on high speed corporate bandwidth, instead of the more meager cable modems with severely crippled upstream access.
It's going to be a rough year.
Re:Ease of Attack (Score:2, Interesting)
root.exe?/C+echo+Do+it+>+C:\Documents+and+Setting
perhaps with a little more explanation than "Do IT".
@Home started scanning port 80 last night (Score:3, Interesting)
24.0.0.203 - - [07/Aug/2001:02:19:23 -0400] "HEAD" 400 - "-" "-"
24.0.0.203 is authorized-scan1.security.home.net, the machine which has been scanning for NNTP servers on port 119, ever since @Home got threatened with the Usenet death penalty.
This is the first time @Home has ever scanned my web server. It seems odd that they're sending an invalid request, although this can distinguish between Apache and IIS. Apache will treat this as HTTP/0.9 and will not send back an HTTP header on its error page, while IIS sends an error page with full headers.
@Home has never blocked ANY port in my area, including 137-139 (I'm on Cogeco@Home). I've connected to my home computer from university over those ports, and successfully transferred files. The modems are capable of simple firewalling, as any DOCSIS modem should be (I've connected to my modem through SNMP and set up some firewall rules, to block connections on port 1214 - my brother was hogging all my upstream bandwidth by using Morpheus/Kazaa).
I'm still getting tons of hits from Code Red, but I don't really mind. I find it interesting to look through my logs and see the different versions of the worm. Among hundreds of Code Red hits, I have 3 interesting ones. Instead of saying "GET /default.ida?XXXXXX"..., they are just "XXXXXX"..., with the exploit code on the end. Does anyone know what this is? The first hit was around 12:30am last night.
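The Palatine poster counted 'default.ida' requests with a grep, and the @Home poster is sorting worm variants and provider scans by eye. The script below is an added example, not code from the thread or any of the posters: it parses Apache combined-format access log lines, tags each as a Code Red .ida request (reporting which filler letter fills the query string), a bare payload sent without a method or path (the odd hits described above), a malformed probe answered with a 400 (the bare "HEAD" that @Home sent), or an ordinary request, and summarises counts and source hosts per class. The log lines, the IP addresses and the shortened %u payloads are all constructed for the example; the 30-character filler threshold is an assumption chosen to avoid matching ordinary query strings.

```python
"""Triage Apache access-log lines for Code Red activity.

The sample log lines embedded below are constructed for this example and
are not taken from any real server.
"""
import re
from collections import Counter

# Apache combined log format:
#   host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red hits the ISAPI .ida handler; the query string is a long run of a
# single filler letter followed by %u-encoded bytes. 30 repeats is an assumed
# threshold, long enough not to match ordinary query strings.
IDA_RE = re.compile(r'/default\.ida\?(?P<filler>[A-Za-z])(?P=filler){30,}')
RAW_RE = re.compile(r'(?P<f>[A-Za-z])(?P=f){30,}.*')


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Label one parsed entry.

    'codered-ida:<L>'  GET /default.ida?... padded with filler letter L
    'codered-raw'      payload sent with no method or path at all
    'malformed-probe'  request line missing path/protocol, answered with 400
    'normal'           anything else
    """
    req = entry["request"]
    m = IDA_RE.search(req)
    if m:
        return "codered-ida:" + m.group("filler").upper()
    parts = req.split(" ")
    if len(parts) == 1 and RAW_RE.fullmatch(req):
        return "codered-raw"
    if len(parts) < 3 and entry["status"] == 400:
        return "malformed-probe"
    return "normal"


def summarize(lines):
    """Count each class and collect the distinct source hosts per class."""
    counts = Counter()
    hosts = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip blank or non-log lines
        label = classify(entry)
        counts[label] += 1
        hosts.setdefault(label, set()).add(entry["host"])
    return counts, hosts


# Constructed sample: documentation-range IPs, shortened %u payloads.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Aug/2001:09:15:02 -0400] "GET /default.ida?'
    + "N" * 40 + '%u9090%u6858 HTTP/1.0" 404 289 "-" "-"',
    '192.0.2.11 - - [07/Aug/2001:09:16:40 -0400] "GET /default.ida?'
    + "X" * 40 + '%u9090%u6858 HTTP/1.0" 404 289 "-" "-"',
    '192.0.2.11 - - [07/Aug/2001:09:17:03 -0400] "GET /default.ida?'
    + "X" * 40 + '%u9090%u6858 HTTP/1.0" 404 289 "-" "-"',
    '198.51.100.7 - - [07/Aug/2001:00:30:11 -0400] "'
    + "X" * 40 + '%u9090%u6858" 400 - "-" "-"',
    '203.0.113.5 - - [07/Aug/2001:02:19:23 -0400] "HEAD" 400 - "-" "-"',
    '192.0.2.20 - - [07/Aug/2001:10:00:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    counts, hosts = summarize(SAMPLE_LOG)
    for label in sorted(counts):
        print(f"{label:18} {counts[label]:4}  hosts: {', '.join(sorted(hosts[label]))}")
```

Feed it a real access log with `summarize(open("access_log"))` and the per-class host sets give you the list of infected neighbours to report to your provider; the filler-letter split is what lets you see the different worm versions the @Home poster mentions without reading the raw payloads.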
The real danger (Score:5, Interesting)
Remote Linux install, anyone?
Re:Network traffic seems high - is this why? (Score:0, Interesting)
Hilariously Ironic . . . (Score:2, Interesting)
The CNN.com story about this makes no mention of AT&T's woes. Wonder Why?
It's because they're one of CNN's biggest sponsors. The online video coverage of the story is even preceded by AT&T commercials :). Now THAT'S Irony!
Here's [cnn.com] the Video . . .
Try aris (Score:1, Interesting)
Re:Why Symantec says that Code Red is medium. (Score:1, Interesting)
Oh... and you were doing so good until that last part there... Care to point me to the most recent large-scale worm that affected UNIX? What was it... thirteen years ago?
What you said is partially true, though... UNIX had these problems in the past, but now they're a distant memory. That's the great thing about 30 year old technology: you've had 30 years to iron out the bugs and the security issues.