Code Redux

I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage. Code Red is hitting cable modem networks especially hard, as the new variants scan "nearby" IPs in preference to random ones, which has apparently caused enough damage and network congestion that AT&T's residential broadband division (MediaOne) has cut off port 80 across their network to try and halt the spread of the worm, or so several submitters reported. Newsforge has a story about various reactions to the worm, and reader nettdata sent in an interesting story about the worm becoming the main course at a dinner of security specialists.
  • by Chelloveck ( 14643 ) on Wednesday August 08, 2001 @10:48AM (#2150216)

    AT&T @Home hasn't cut off port 80 where I live yet (Palatine IL, the NW Chicago 'burbs). A quick grep of my Apache logs shows that I got hit 499 times yesterday with requests for 'default.ida'. Just over 1200 times since this thing started.

    What really annoys me is that I just inherited responsibility for maintaining code for a print server product we sell. Code Red is knocking these things off the net left and right (buffer overflow processing the URL, I suspect) and customers are screaming. Oh, and did I mention that since inheriting the code I haven't even been able to get the fscking debugger to run yet!?

    Why anyone would leave a printer sitting wide open on the wild net is beyond me, but apparently it's not acceptable to just tell the customers to put it behind a firewall where it belongs...

  • by BitchAss ( 146906 ) on Tuesday August 07, 2001 @06:38PM (#2167105) Homepage
    I gotta say this worm is really amazing. You can watch its growth in your log files. Mine roll over daily and you can see the file sizes increase day by day. On Aug 1 I had an 8k log file. The 2nd I had a 12k one. The third was 32k, the day after that was 64k. Today it was up to 192k so far and there's still another 2 hours till the log file rolls over.
  • Code Red Self Test (Score:5, Interesting)

    by staplin ( 78853 ) on Tuesday August 07, 2001 @06:40PM (#2167129) Homepage Journal
    While out and about looking for the latest Code Red statistics, I found this link to a Code Red Self Test [securityspace.com] which is supposed to tell you if you are vulnerable, and if you have been infected.

    I don't know if it works, I don't have a Win boxen to test it on...
  • Cutting off port 80 (Score:5, Interesting)

    by Grim Grepper ( 452375 ) <Andrew275@gmail.com> on Tuesday August 07, 2001 @06:41PM (#2167131) Homepage
    I really hope that RoadRunner doesn't decide to cut off port 80, as I happen to be running a webserver. Since I don't use IIS or Windows, it seems unfair that they would cut me off; it doesn't seem quite fair.

    What they should do is scan for people running IIS webservers and cut them off. Leave the Apache users alone!

  • by Hobbex ( 41473 ) on Tuesday August 07, 2001 @06:42PM (#2167139)

    Besides the load of the spread (which is probably made significantly better by having the worm mostly scanning on its own subnet) CodeRed2 is quite benign.

    Yes, it does open a remote root exploit, but the servers that got infected were already wide open due to the default.ida hole. Sure, it's easier now, but since there are simple exploits for default.ida already, any script-kiddie worth the name could already have walked straight into these computers.

    In truth, I figure that the people who have made most use of this exploit have been geeks who would ordinarily never break into systems, but have been made curious about where the worms are coming from (of course, _I_ would never do such a thing... really...)
  • by banky ( 9941 ) <greggNO@SPAMneurobashing.com> on Tuesday August 07, 2001 @06:51PM (#2167216) Homepage Journal
    Here in Fairfax, our cable modem dropped out around 6pm Sunday night; it came back up after about an hour, but ever since then, I've had faster speeds on dial-up.

    The phone system reports that SirCam has taken out their email servers, and that Code Red [I|II] is causing serious performance problems. They expect to have it done by tomorrow - except that today, when I called, they no longer are saying that, merely begging users to patch their systems.

    Phone tech support is turned off, at least in my wanderings in the phone system.

    Anyone else having these problems?
  • by Anonymous Coward on Tuesday August 07, 2001 @06:56PM (#2167250)
    % telnet 128.134.111.8 80
    Trying 128.134.111.8...
    Connected to 128.134.111.8.
    Escape character is '^]'.
    GET /scripts/root.exe HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Tue, 07 Aug 2001 22:47:22 GMT
    Content-Type: application/octet-stream
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1999 Microsoft Corp.

    c:\inetpub\scripts>

    It gives a command prompt, but typing commands doesn't seem to do anything...
  • Crikey (Score:3, Interesting)

    by Illserve ( 56215 ) on Tuesday August 07, 2001 @06:59PM (#2167276)
    Code red is so prolific (because it requires no user intervention to spread), that a new machine installation will likely be hit by it in 10 minutes or less, which of course, is less time than it takes to patch it, which of course means that until you patch it, the remote exploitation is free to install anything else it wants until you close the hole, so you're going to be left with a zombiefied machine unless you install and patch from an airgapped machine, using a local copy of the patch. I doubt most people do that.

    So even with the patch up and available, the problem is far from solved. I bet the number of zombie machines out there surged 10fold today, many of which are on high speed corporate bandwidth, instead of the more meager cable modems with severely crippled upstream access.

    It's going to be a rough year.

  • Re:Ease of Attack (Score:2, Interesting)

    by Sawbones ( 176430 ) on Tuesday August 07, 2001 @07:21PM (#2167428)
    Myself I might be tempted to do

    root.exe?/C+echo+Do+it+>+C:\Documents+and+Settings \ All+Users\Desktop\PATCH+YOUR+IIS.txt

    perhaps with a little more explanation than "Do IT".
  • by Anonymous Coward on Tuesday August 07, 2001 @07:22PM (#2167441)
    I found this in my Apache log last night (I know, I shouldn't be running servers, but I have them capped using CBQ so they use very little bandwidth):

    24.0.0.203 - - [07/Aug/2001:02:19:23 -0400] "HEAD" 400 - "-" "-"

    24.0.0.203 is authorized-scan1.security.home.net, the machine which has been scanning for NNTP servers on port 119, ever since @Home got threatened with the Usenet death penalty.

    This is the first time @Home has ever scanned my web server. It seems odd that they're sending an invalid request, although this can distinguish between Apache and IIS. Apache will treat this as HTTP/0.9 and will not send back an HTTP header on its error page, while IIS sends an error page with full headers.

    @Home has never blocked ANY port in my area, including 137-139 (I'm on Cogeco@Home). I've connected to my home computer from university over those ports, and successfully transferred files. The modems are capable of simple firewalling, as any DOCSIS modem should be (I've connected to my modem through SNMP and set up some firewall rules, to block connections on port 1214 - my brother was hogging all my upstream bandwidth by using Morpheus/Kazaa).

    I'm still getting tons of hits from Code Red, but I don't really mind. I find it interesting to look through my logs and see the different versions of the worm. Among hundreds of Code Red hits, I have 3 interesting ones. Instead of saying "GET /default.ida?XXXXXX"..., they are just "XXXXXX"..., with the exploit code on the end. Does anyone know what this is? The first hit was around 12:30am last night.
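Several posters above (the 499 'default.ida' hits, the daily log growth, and the method-less "XXXXXX" lines) are all doing the same thing by hand: tallying worm probes in an Apache access log. The script below is an added example, not code from any poster, that parses combined-format log lines, labels the request patterns mentioned in this thread, and counts them per day and per source. The log lines are constructed samples with the worm payloads truncated to a few characters; the labels and the `summarize` function are my own naming.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format; they are not the
# posters' real logs. Worm payloads are cut down to a handful of X/N characters.
SAMPLE_LOG = """\
24.0.0.203 - - [07/Aug/2001:02:19:23 -0400] "HEAD" 400 - "-" "-"
24.0.0.17 - - [07/Aug/2001:02:30:01 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 277 "-" "-"
24.0.0.17 - - [07/Aug/2001:12:30:10 -0400] "XXXXXXXX" 400 - "-" "-"
24.0.0.55 - - [08/Aug/2001:01:02:03 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 277 "-" "-"
24.0.0.55 - - [08/Aug/2001:01:02:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
10.1.2.3 - - [08/Aug/2001:09:00:00 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
"""

# ip, day (date part of the timestamp), quoted request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+):[^\]]*\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def classify(req):
    """Label one request line; the labels mirror what posters in this thread saw."""
    if "/default.ida?" in req:
        return "default.ida probe"   # Code Red I/II infection attempt against IIS
    if "/root.exe" in req:
        return "backdoor check"      # someone testing for the Code Red II root.exe shell
    if re.match(r"^[XN]{8,}", req):
        return "bare payload"        # method-less 'XXXX...' lines, as asked about above
    return "other"                   # ordinary traffic, including the bare HEAD scan

def summarize(log_text):
    """Return (per-day counts by label, per-source worm hit counts, unparsed lines)."""
    per_day, per_src, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        label = classify(m["req"])
        if label != "other":
            per_day[(m["day"], label)] += 1
            per_src[m["ip"]] += 1
    return per_day, per_src, skipped

if __name__ == "__main__":
    days, sources, bad = summarize(SAMPLE_LOG)
    for (day, label), n in sorted(days.items()):
        print(f"{day}  {label:18s} {n}")
    print("top sources:", sources.most_common(5), "unparsed:", bad)
```

Point it at a real access log and the per-day counts reproduce the growth curve BitchAss describes, while the per-source table shows which neighbours on the subnet are infected.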

  • The real danger (Score:5, Interesting)

    by aralin ( 107264 ) on Tuesday August 07, 2001 @07:32PM (#2167515)
    The real problem is that all the boxes that are vulnerable to this one specific exploit advertise themselves all over the net! Everyone knows what exploit it is. All you need to do is to read your apache logs and you own on average 400-500 windows boxes to do ANYTHING you want.

    Remote Linux install, anyone?

  • by Anonymous Coward on Tuesday August 07, 2001 @07:44PM (#2167589)
    I also have an AT&T Cable modem, running Zone Alarm on my Win98 box. Previously, I would get around 15-20 alerts a day, with ZA blocking various traffic on a variety of ports. The past few days, I am getting an alert about every 90 seconds, with nearly all traffic on port 80.
  • by jgaynor ( 205453 ) <jon@nOSPAm.gaynor.org> on Tuesday August 07, 2001 @08:00PM (#2167660) Homepage

    The CNN.com story about this makes no mention of AT&T's woes. Wonder Why?

    It's because they're one of CNN's biggest sponsors. The online video coverage of the story is even preceded by AT&T commercials :). Now THAT'S Irony!

    Here's [cnn.com] the Video . . .

  • Try aris (Score:1, Interesting)

    by Anonymous Coward on Tuesday August 07, 2001 @08:06PM (#2167698)
    aris.securityfocus.com lets you look at port access trends. dshield.org is a similar, but much less comprehensive, site.
  • by Anonymous Coward on Tuesday August 07, 2001 @08:16PM (#2167778)
    Then repeat, one hundred times, "every problem that Microsoft is having with security, UNIX had, and continues to have." [emphasis mine]

    Oh... and you were doing so good until that last part there... Care to point me to the most recent large-scale worm that affected UNIX? What was it... thirteen years ago?

    What you said is partially true, though... UNIX had these problems in the past, but now they're a distant memory. That's the great thing about 30 year old technology: you've had 30 years to iron out the bugs and the security issues.
