Code Red Back For More
Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.
Heh... while we're about it (Score:2)
It took only ten minutes before
213.123.150.110 - - [05/Aug/2001:14:12:16 +0100] "GET
Blimey... 10 minutes! This thing is rife!!!
And yes that machine is in the same class B network as myself. His ping time latency is over 500ms though... (that was at the time of the scan. Normal latency is around 20-50ms).
Not 'Hacked by Chinese?' (Score:2, Redundant)
Remotely disabling root.exe justifiable? (Score:2, Informative)
tail -f
In theory (I haven't tested it yet) this should rename the root.exe to something else, at least disabling that particular exploit on the machine.
Messing with other people's machines is a Bad Thing(tm) as far as I'm concerned. On the other hand, if people can't be bothered with keeping their software up to date and are causing inconvenience for other people...
This root.exe might be a stepup for causing even more problems at a later time!
Argh, that poses a bit of a moral dilemma for me...
Re:Remotely disabling root.exe justifiable? (Score:3, Informative)
Basically the above code creates a virtual web path (/c and /d) which maps /c to c:\ and /d to d:\. The writer of this worm has put in this functionality to allow for a backdoor to be placed on the system so even if you remove the root.exe (cmd.exe prompt) from your /scripts folder an attacker can still use the /c and /d virtual roots to compromise your system. The attacks would basically look like:
http://IpAddress/c/inetpub/scripts/root.exe?/c+dir (if root.exe was still there) or:
http://IpAddress/c/winnt/system32/cmd.exe?/c+dir
where dir could be any command an attacker would want to execute.
As long as the trojan explorer.exe is running then an attacker will be able to remotely access your server.
Man whoever did this put some thought into it.
In my honor too ... (Score:5, Funny)
If worms start popping up with Linux4Green (my ICQ nick) then I know I'm bad luck.
Re:In my honor too ... (Score:2)
Re:In my honor too ... (Score:2, Funny)
Your name is Michael Bolton? Wow, like the singer guy?
Yes, and it's just a coincidence.
So do you like his music?
Re:In my honor too ... (Score:3, Informative)
We've designated this the
designed to deface webpages with the text "Hacked by Chinese" and also because code red mountain dew was the only thing that kept us awake all last night to be able to disassemble this exploit.
Re:Mountain Dew (Score:3, Informative)
This doesn't appear to be the case, at least not in the convenience store located in my building at work. Hearing the reference to the new soda 'popular with hackers' in the news report about the worm, I looked it up on Pepsi's website (having never heard of it).
When I discovered that it was a Mountain Dew flavor, I decided to wander downstairs to see if the guy had it in, and to possibly check it out.
"No, it is all gone... should have some more it by Monday."
Stopped at the local Dominick's yesterday where it was the same story. If anything, the worm has generated free publicity, seemingly resulting in a run on the product in the Elk Grove/Schaumburg/Palatine suburban area.
Remember, there is no such thing as "bad" publicity, right?
A few more details (Score:5, Informative)
We'll have full details posted to the Incidents [securityfocus.com] list shortly.
Re:A few more details (Score:2)
http://www.securityfocus.com/archive/75/201878 [securityfocus.com]
http://www.securityfocus.com/archive/75/201877 [securityfocus.com]
Re:A few more details:It's a root trojan (Score:5, Informative)
Re:A few more details:It's a root trojan (Score:2)
Re:A few more details:It's a root trojan (Score:3, Informative)
Oh yeah, since you can't enter commands at the prompt you need to pass the commands to execute as arguments to root.exe (which is really cmd.exe). You can do this by typing "GET /scripts/root.exe?/C%20dir" or something like that. Or you could enter http://somehost/scripts/root.exe?/C%20dir into your favourite browser.
I've found that typing absolute paths doesn't work for some reason, but http://somehost/scripts/root.exe?/C%20dir%20"..\.. \Documents%20and%20Settings\All%20Users\Desktop\" (remove the spaces) should bring you to the desktop.
I wanted to leave a message to the admin on the desktop but I have no idea how to do that since "echo" is part of cmd.exe and piping probably won't work either. Perhaps someone with WinNT skills could offer some ideas?
PHP countermeasure (Score:3, Informative)
<?php
header("HTTP/1.0 400 You cheeky fucker");
?>
<html>
<title>Red Alert</title>
<?php
// The original relied on register_globals ($REMOTE_ADDR, $SERVER_SIGNATURE); read them from $_SERVER instead.
$remote = $_SERVER['REMOTE_ADDR'];
$res = '';
$fp = fsockopen($remote, 80, $en, $es, 5);
if (!$fp)
{
    echo "I tried to disinfect you, but couldn't connect: $es ($en)";
}
else
{
    // The request line sent back to the infected host was truncated in the original post.
    fputs($fp, "GET " /* ...truncated... */ . " HTTP/1.0\r\n\r\n");
    echo "I tried to disinfect you, and the server started to say:<h2>";
    echo $res = fgets($fp, 1024);
    fclose($fp);
}
$log = fopen("/tmp/redalert.log", "a");
fwrite($log, $remote . " " . date("r") . " " . $res . "\n"); // tail of this line was truncated in the original post
fclose($log);
echo "</h2> " . ($_SERVER['SERVER_SIGNATURE'] ?? '');
?>
Re:The solution ? (Score:2)
Re:Rooted? Lemme get this straight.... (Score:3, Funny)
Re:A few more details (Score:4, Informative)
When I went to telnet, the backdoor didn't work and I got the "Hacked by chinese" message.
Either the worms over write each other, or a machine can be infected by BOTH worms.
Re:A few more details (Score:5, Insightful)
The fact that the old Code Red is turned off tells me that they might be linked to the same person/organization or something... if I were some independent cracker I wouldn't bother getting rid of the old one since that's another thing which might break when I launch the new worm.
My subnet is hit (Score:2)
I guess I'm going to have to put a packet sniffer on the other side of the wall and see what the hell is going on with this Code Red II.
Re:My subnet is hit (Score:2, Funny)
Microsoft or security... (Score:3, Funny)
CodeRedNeck (Score:3, Interesting)
People who don't know they are running IIS (Score:2)
Re:People who don't know they are running IIS (Score:2)
Of course... (Score:3, Insightful)
Might not remove the worm, but at least gets the "admin" (ha) to pay some attention. Maybe make a request for YOU_HAVE_THE_CODE_RED_WORM_YOU_MORON.HTML right before you do it in case they check the logs :)
I made a rookie mistake in my story submission (Score:4, Informative)
And now we know these poor bastards have been rootkitted. There has to be a way to use this to warn them?
There's probably a phase III (Score:2)
shutting down those machines (Score:2, Informative)
Having said that, you could kill off a Windows PC by issuing
GET /scripts/root.exe?/c+SHUTDOWN
Other commands are possible as well: GET /scripts/root.exe?/c+dir+/s+\ gives you the recursive directory tree. Formatting, starting Fdisk and the like are possible, too.
If someone could post a shutdown.exe somewhere, I'll be glad to provide a simple script that downloads the executable and starts it, thus stopping the IIS machine. Or maybe this is our chance to create Tuxissa :)
CRII root opening new ports? (Score:2, Informative)
I did a little scan of one of the infectoids. Ports open: 21, 25 (open mail relay too!), 80, 135, 139, 443, 445, 1025, 1027, 2057, 2162, 2174, 2200, 2210, 2214, 2219, 2227, 2228, 2257, 2282.
I recognize some of those ports, but surely Windows doesn't need all those ports open?
Code Red - the soda pop - sales take off! (Score:3, Funny)
Code Red--the soda--has been spreading almost as fast as its namesake computer worm, which has infected hundreds of thousands of computers to date. The caffeine-laden, cherry-flavored version of its pale-yellow cousin, Mountain Dew, was released in May, months before the Code Red worm threatened to clog Internet traffic. And as computer security experts work to contain the damage from the Code Red worm, the soda's maker, Pepsi, is coincidentally featuring a "Crack the Code" contest on the Mountain Dew Web site.
Code Red has been an especially big hit with computer programmers, who often guzzle the high-octane drink to fuel late-night code-writing sessions. Among the drink's fans were the staff of eEye Digital Security, who say they identified the Code Red worm and named it after their favorite soda.
The rest of the story can be found on http://www.securitynewsportal.com/article.php?sid
Its funny. Laugh. Please?
The end is near... (Score:3, Insightful)
So that means any loser with this list of infected IPs and some knowledge of perl literally has a small army of computers at their command?
I think we might be seeing some rather impressive DDoS attacks by this evening.
Hmm.. 3 more XXX's in the time it took me to write this... frequency's increasing...
@home preventative measures (Score:4, Informative)
I'd JUST reinstalled Win2k Pro on a new system, I'd added IIS for my own purposes and before I had a chance to run the service pack and patch, I got the Code Red worm (ok, so I was lazy and tired and was going to leave it for the morning)
@home unbound my cablemodem until I'd cleared the worm (disable IIS, reboot).
normally, I'd be a little annoyed at @home for monitoring my connection and cutting my connection rather than just block all traffic to that IP at router level. but hey, it saved me from contributing to a problem.
Re:@home preventative measures (Score:4, Interesting)
Personally i don't see @Home taking you off and noticing you fixed it and putting you back online.
Check your outage listings for your area.
Re:@home preventative measures (Score:2)
In my area, @home can't tell what's out. It takes many hours for an outage to make it onto "the board." If you call before this time, they will make you reboot the computer, reset the modem, etc etc. and then they will schedule a tech to come out. Because, again, let me repeat myself: they have no ability to monitor the network in real-time. I am convinced that "the board" only shows outage data that they collect from outraged customers.
(side note: the idiot techs always make you reboot... even though the modem's ability to sync to the network has NOTHING TO DO with the kind of computer it is attached to, or even indeed if the computer is ON or OFF. Sigh.)
@home is a freaking circus. A monkey house.
I actually prefer it that way, they are apparently too dense to notice all the servers I run in violation of the TOS.
Breakdown of the new "features" of CRII (Score:5, Informative)
1. It makes a copy of CMD.EXE called ROOT.EXE in the \inetpub\scripts and \program files\common files\system\msadc directories. Does this on both drive C: and D: (doesn't fail if D: doesn't exist).
2. It then runs its attack program code to infect itself upon numerous other boxes. This is done randomly, although there is a bias to attack boxes that are part of the same class A as infected attacker (so it hits your own boxes sooner rather than later). Attack code runs for 24 hours, 48 hours on Chinese language systems.
3. After attack code runs (and it seems to be based on clock ticks, not date), it then writes out a Trojan.
File Explorer.exe (8192 bytes, or 7K as displayed by Windows) is dropped (from the code in the original attacking URL) to the root of drive C: and D: (again, doesn't matter if D: doesn't exist).
4. The system is then rebooted (probably a forced reboot).
5. When the system restarts, it loads the trojan Explorer.exe from the root directory on the boot drive. This code then does several things;
a) Launches the real Explorer.exe, so the system looks normal.
b) Sets SFCDisable in hklm\software\microsoft\windows nt\currentversion\winlogon to some undocumented value. Presumably this disables Windows File Protection (so critical files could be overwritten)
c) Creates two virtual directories (via the registry) in hklm\system\currentcontrolset\services\w3svc\parameters\virtual roots. Called "C" and "D", they are mapped to the root directories of the two drives and permissions are established in the virtual directory to allow script, read, and write access as well as setting execute permissions to scripts and executables.
d) goes into an endless sleep loop.
The end result of all of this action is to leave your box wide open to remote connection and total compromise.
Unlike "Code Red", this worm doesn't attack any single target at any point, although its attack strength seems to be much higher (it launches 300 threads right off, although some may only launch 100), so its propagation seems much higher.
The attack only works properly on Windows 2000 systems (preliminary analysis). ICSA Labs tested against an NT 4.0/IIS 4.0/SP3 box and received a standard error message. Reports from subscribers suggest that XP IIS 5.1 RC1 is invulnerable also. It's expected that it works on PWS and OWS equally to IIS (all on W2K).
It's obviously a short-lived attack, at least the process of collecting victims. What would be done with them once collected is another story. No attempt is made by the worm to send anything "home", although detecting compromised boxes is far too easy (very unfortunately) for anyone outside your network.
Cleaning a compromised box should really be done by reformatting. Although logging is left on for the new virtual directories created (meaning you'd see access in your IIS logs), there's really no way to be sure that files haven't been implanted to leave other backdoors (not as part of this worm, but as part of the use of the opening it creates).
Credits:
The bulk of the analysis was done by Nick Fitzgerald of Virus-L (and friends) and Roger Thompson of TruSecure. Additional help came from Bruce Hughes of the ICSA Labs.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
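Added example (not from the post above, nor TruSecure's or ICSA's code): a Python check for the file and registry changes the breakdown lists. The paths and key names are the ones the post gives; the function names, the injected lookups and the sample data are my assumptions, so the check can be exercised offline and only touches a live registry when run on a Windows host.

```python
"""Indicator check for the Code Red II host changes listed in the breakdown above."""
import os

DRIVES = ("C:", "D:")
# cmd.exe is copied to these two locations on each drive (post, item 1).
ROOT_EXE_COPIES = (
    r"\inetpub\scripts\root.exe",
    r"\program files\common files\system\msadc\root.exe",
)
TROJAN_EXPLORER = r"\explorer.exe"   # trojan dropped in the drive root (item 3)
# Registry keys named in items 5b and 5c (HKLM subkeys).
VROOTS_KEY = r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def find_indicators(path_exists, reg_values):
    """Return a list of human-readable findings.

    path_exists(path) -> bool
    reg_values(hklm_subkey) -> {value_name: data}, or None when the key is absent
    Both are injected so the logic can run against constructed data on any OS.
    """
    hits = []
    for drive in DRIVES:
        for rel in ROOT_EXE_COPIES:
            path = drive + rel
            if path_exists(path):
                hits.append(f"cmd.exe copy present: {path}")
        if path_exists(drive + TROJAN_EXPLORER):
            hits.append(f"explorer.exe in drive root: {drive}{TROJAN_EXPLORER}")

    # The post calls the virtual roots "C" and "D"; match with or without a leading slash.
    for name, data in (reg_values(VROOTS_KEY) or {}).items():
        if name.strip("/").upper() in ("C", "D"):
            hits.append(f"suspicious IIS virtual root {name} -> {data}")

    # Windows File Protection is normally left alone; any non-zero SFCDisable is a finding.
    sfc = (reg_values(WINLOGON_KEY) or {}).get("SFCDisable")
    if sfc not in (None, 0):
        hits.append(f"SFCDisable set to {sfc!r} (Windows File Protection likely disabled)")
    return hits


def _winreg_values(subkey):
    """Read all values of an HKLM subkey; None when not on Windows or the key is missing."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            count = winreg.QueryInfoKey(key)[1]
            return {winreg.EnumValue(key, i)[0]: winreg.EnumValue(key, i)[1]
                    for i in range(count)}
    except OSError:
        return None


def scan_local_host():
    """Run the check against the machine this script runs on (meaningful on Windows only)."""
    return find_indicators(os.path.exists, _winreg_values)


if __name__ == "__main__":
    for finding in scan_local_host() or ["no Code Red II indicators found"]:
        print(finding)
```

A clean host returns an empty list; any finding at all is reason enough to follow the post's advice and rebuild rather than clean.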
If this can't break Microsoft's back nothing will. (Score:3, Insightful)
I'm warned that smoking and drinking are bad for my health
Medicines and drugs aren't legal unless they're fully tested and approved
My car doesn't lock up and freeze
My microwave doesn't blue screen and cook my brain inside out.
SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable?
WHY do I have to pay extra for the functionality of NOT being susceptible to virii and net attacks?
WHY doesn't Microsoft NOTIFY me of the risks of using its OS?
I hope no one's bank is trusting Microsoft, I hope anyone doing online transactions doesn't trust Microsoft. I hope no one keeps personal, private, confidential and financial data on their PCs.
I hope no one running Windows is on the internet for that matter.
Re:If this can't break Microsoft's back nothing wi (Score:3, Insightful)
> SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable.
For his track record of trading security for market share, I'm just as happy as any Slashdotter to see Bill Gates' nuts roasted over a fire until they pop.
But the fact is, your PC - whether it runs CP/M, BeOS, FreeBSD, Linux, or Windows XP - is fundamentally different from embedded systems like your microwave and your car.
Design flaws can exist - in medicines, in consumer products, in closed-source applications, and yes, in open-source applications.
The reason the "core functionality" of your PC is "allowed" to distribute your private information is because it has to be able to do so if you're going to write emails to your friends.
The reason it's "allowed" to crash is the same reason automobiles are "allowed" to crash -- sometimes it's a design flaw (Code Red IIS exploit, BIND exploit, Ford Pinto gas tank that exploded on rear impact), and sometimes it's operator error (SirCam worm, drunk driver).
> I hope no one keeps personal, private, confidential and financial data on their PCs.
The only truly secure machine is the one that's been unplugged, powered down, encased in concrete, wrapped up in a Faraday cage, and then dropped into the Marianas Trench. Ya gotta do what ya gotta do.
Re:If this can't break Microsoft's back nothing wi (Score:5, Insightful)
Unlike a car that explodes due to a design flaw, software that explodes due to a design flaw seems to be immune to the civil justice system.
Re:If this can't break Microsoft's back nothing wi (Score:2)
You left out some key facts:
- Operating systems are more complex than cars.
- Operating systems don't require a license to be operated.
Re:If this can't break Microsoft's back nothing wi (Score:2)
Sounds a bit like the way they're going with SELinux. And yeah, a capability-based OS would rock. Sadly, neither contender for market share (be it any version of 'doze or the various UNIXes/Linuxes) has it yet :(
For those of you with the free time and desire to write code to make the world a better place, it'd be a hell of a good project to get involved with.
Re:If this can't break Microsoft's back nothing wi (Score:3, Funny)
Actually, you don't. Linux is free
Re:If this can't break Microsoft's back nothing wi (Score:3, Interesting)
This won't break Microsoft's back .... consumers voting with their feet can only achieve that end.
Recently I was looking around for a new insurance company. Looking on the web I came across a couple of companies who would give me a quote if I provided them with some personal information. I was all set to deal with one site, whom I won't name, but I decided to first do a quick background check on them. Using netcraft [netcraft.com] I was able to tell they were running their site on IIS. That little bit of info told me that they weren't at all serious about keeping my personal information confidential.
Of course I decided not to pursue any business with them. But I also went a step further. I wrote them a quick email informing them that I would never do business with a company who was choosing to base their internet business on the most hacked application platform on the internet [attrition.org].
Let companies know that you won't do business with them if they use inferior products. Your quick and simple message to them will speak more loudly than a thousand rants on various message boards.
From the Windows 2000 EULA (Score:3, Interesting)
Interesting.
Also...
Some states/jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you.
Does this really mean anything? Could somebody in some state conceivably sue them successfully? The rest of the EULA is an absolute, complete, iron-clad denial of any liability whatsoever. This last sentence is the only shred of hope I could find.
OTOH, be careful what you wish for. The GPL has similar disclaimers...
Re:If this can't break Microsoft's back nothing wi (Score:3, Funny)
C:\dos C:\dos\run | run\dos\run (Score:5, Informative)
Seeing a lot of "XXXX" and far fewer "NNNN" in the logs. This version appears to stay crunchier in milk than the first. Up to 25-30 per hour, from 10 this afternoon. The 24.x.x.x may be getting slammed, but I can see another that is just as bad.
Snipped from incidents dot org (emphasis added)Article also mentions that it appears the compromised servers are backdoored and rooted. Ouch.
The editorial accusations of crying wolf might look a little pale this evening...
Re:C:\dos C:\dos\run | run\dos\run (Score:4, Informative)
Also, 90% of the 'NNNN's in my server logs came from my Class A subnet (and much more frequently than the 'XXXXX' requests).
Logs available upon request, etc.
Never name a virus by the name its author intended (Score:3, Insightful)
If this beast is truly wicked, it will scan assorted websites such as Slashdot, Wired, etc, and as soon as it sees talk about itself [slashdot.org] it will enter its active phase...
And the depressing thing is... (Score:3, Interesting)
#!/bin/bash
# OK: the rationale behind this is that it will lookup the name of each host
# which probes us with the Code Red style probe, and then see whether that
# name resolves back to the number. If it does there's some hope that it's a
# real host, so we'll try to mail webmaster@
log=$HOME/codered.log
# The web server log file name did not survive in the original post; set ACCESS_LOG to yours.
access_log=${ACCESS_LOG:-/var/log/apache/access.log}
touch "$log"
for ip in `grep default.ida "$access_log" | awk '{print $1}' | sort -u`
do
    grep -q "$ip" "$log"
    if [ $? -ne 0 ]
    then # it's not there
        echo $ip >> "$log" # remember so we don't mail them again
        # reverse lookup; +short prints only the PTR name (the original dig options were garbled)
        host=`dig -x $ip +short | head -1 | sed 's/\.$//'`
        echo -n "Seen $ip [$host]"
        valid=""
        # require at least one character so an empty lookup result is not treated as valid
        echo $host | grep '^[a-z0-9.-][a-z0-9.-]*$' > /dev/null
        if [ $? -eq 0 ]
        then
            echo -n "...appears to be valid..."
            valid=`nslookup $host | tail -2 | grep '^Address:' |\
                awk '{print $2}'`
        fi
        if [ "$ip" = "$valid" ]
        then
            mail -s "Your machine appears to be infected by Code Red" \
                webmaster@$host <<EOF
Dear Webmaster
We have received a request for 'default.ida' from your server at
$ip. This is usually an indication that you have been
infected by the 'Code Red' or 'Code Red II' worm, currently
attacking Microsoft IIS servers. To secure your server, download
and install the appropriate patch from Microsoft
* Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?Re
* Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?Re
Or, better still, switch to a proper operating system
EOF
            echo " mailed."
        else
            echo " ? not valid?"
        fi
    fi
done
I've been hit by 61 different unique IP's today, of which 17 had IPs which resolved to addresses which resolved to the same IPs. So how many of my mails were actually accepted for delivery?
That's right, none.
logs (Score:5, Interesting)
147 attacks so far
the page is generated through a perl script that reads my apache logs
Re:logs (Score:2)
Here are my logs: here [homeip.net].
Only 34 so far, but I only decided to open up apache to these this afternoon...
Cheers for that!
Re:logs (Score:5, Informative)
http://www.kryptolus.com/red.txt
On another note, a server whose identity I will not name(solaris w/ apache) was hit with 17000 attacks as of yesterday(the server handles a lot of ips).
Re:test (Score:2)
Re:Source? (Score:4, Informative)
Why not use the sort mentioned in the paper [sysarch.com] by Uri Guttman and Larry Rosler? It was made for this.
Re:logs (Score:2)
Now that is funny! (Score:5, Funny)
Re:Now that is funny! (Score:2, Interesting)
Re:Now that is funny! (Score:3, Funny)
Re:Now that is funny! (Score:3, Funny)
Re: (Score:2)
It's not safe to install IIS while on a network... (Score:5, Insightful)
Solution, never ever have your box plugged into the network while installing a Windows server. Only plug it in after all patches, service packs, and hot fixes have been applied first.
Re:It's not safe to install IIS while on a network (Score:2)
Interesting dilemma... how exactly are these people going to get the patches to be installed with the system unplugged? Microsoft is going to have to release a patch CD.
Proposal for White Hat'ing CR][ (Score:5, Informative)
I'm also guessing that right now a bunch of
1) Writing scripts to make things suck more for those who have been compromised (shame on you)
or
2) Writing scripts to fix the compromised servers
I propose that if a script is created to fix these servers (Code Green?
So, before you go out and launch a cure for the problem, think twice about the long term effects of doing so. Create it, make sure it works, and then the Open Source movement can release a cure for the problem faster than anyone else and "we" (I'm not really part of the OSS movement, or whatever) will look like the good guys. Instead of the media holding Microsoft on high for providing the cure to a problem they caused, if the patch is done and ready and launched by Monday afternoon they will have egg on their faces.
Thanks.
Top 8 things to do with Code Red (Score:4, Funny)
1. Distribute Elcomsoft's e-book reader to all compromised boxes; search for any Adobe e-books and write out a plaintext copy.
2. Append the code to DeCSS to all Word documents on the box.
3. Modify the code to only patch the box when Dmitry is finally released from jail.
4. Install Linux; reboot.
5. Install BSD; reboot.
6. Configure box to DoS MS's IIS patch servers; condemn MS for making patches inaccessible.
7. Script all boxes to respond to
8. Install SETI; add the box to your team; brag about your high score.
Note: these are jokes. Please, please, do not do these things. Especially because if you do, the feds will come knocking on my door.
Why don't they... (Score:4, Insightful)
Re:Why don't they... (Score:3, Insightful)
Re:Why don't they... (Score:2)
Make it so it patches against the exploit, then routes all attempted re-exploitation to a small CGI that uses the backdoor to disinfect the attacking system, and install the countermeasure.
So...assuming you're getting hit with 30 requests an hour from 30 different IPs -- and each of those 30 is getting hit the same way -- the "fix" could propagate itself like wildfire, without being an "active" worm (seeking out hosts to disinfect), but instead being a "passive" worm (waiting for an infected computer to contact it, then disinfecting that computer, and passing on the "passive" disinfector).
Problem being, it's still modifying the data on someone else's computer, without their knowledge or permission. I believe that makes it illegal -- even if it is working for "good" rather than for "evil".
Re:Why don't they... (Score:2)
Re:Why don't they... (Score:5, Funny)
Nah, this will just make the sysadmins even lazier.
SysAdmin #1: Dude, your NT machines are all infected with Code Red!
SysAdmin #2: I know! I'm just waiting for them to be infected with the fix... should be any day now...
Something that should happen more often. (Score:5, Funny)
Re:Something that should happen more often. (Score:3, Funny)
I hereby propose we adopt your post as a convention.
We can thus encode "war stories" about the latest [worm/virus/trojan] as follows, saving Slashdot a fortune in bandwidth charges.
For instance, I can now describe my evening as follows:
"IIS. Code Red II. flaw. IIS. doesn't. FreeBSD. 429. worms. thousands. Apache. Apache. FreeBSD. company. worm. 6.2MB."
Re:Something that should happen more often. (Score:3, Redundant)
Re:cisco 675 hanging. (Score:2)
set nat enable
set nat entry add [insert outside ip here] 80 10.255.255.200 17000 tcp
write
exit
Or, you could add a filter to deny incoming traffic on port 80.
Cisco 675 CBOS version 2.4.2 (Score:2)
I can handle a limited number of requests.
I'm running 2.4.2 with no hangs. Cisco made me jump through hoops to get the upgrade.
Anyone from Cisco know why Cisco makes it so hard for customers?
Re:cisco 675 hanging. (Score:2)
Re:Will this wake people up? (Score:2)
It certainly doesn't help that it can take more effort to not install IIS.
Re:Free r00t for all! (Score:2)
Industrial espionage, identity theft, blackmail, and general deltree
Re:URM. This is NOT good. GG Microsoft (Score:2, Interesting)
Re:URM. This is NOT good. GG Microsoft (Score:2)
Anybody have ftp deep link equivalents of:
http://download.microsoft.com/download/winntsp/Pa
Writing a worm to wget those would be a bitch, but ftp comes installed on all NT boxen... so it's easy
and
href="http://download.microsoft.com/download/win2
Re:Ooops bad paste. Take two. (Score:2)
Which port to telnet to? (Score:2)
Re:a quick fix (Score:5, Funny)
What the fuck? What the fuck is going on? How the fuck is it that I can have old ladies calling me up at work (tech support for an ISP) and asking if the reason they can't pick up their email is because of the Code Red worm, 'cos they saw the press conference and, hey, they're wondering, and something like 105,000 separate IP addresses are still infected? Did the rapture happen when I wasn't looking, and God took the people responsible for these computers, those left behind couldn't find the passwords anywhere? How is this possible?
(I know, I know; not everyone lives w/in viewing distance of CNN, default installations of MS whatever -- but still, this absolutely amazes me.)
Re:me too (Score:3, Funny)
Should read: Several @Home users reported that everything was moving along normally. Most of their friends giggled and left the room.
Release management (Score:2)
Re:Hypothesis (Score:2)
Re:Promise me you'll only use this for good. (Score:2)
In the root directory of the drive there's an HTML file with the "Fuck USA goverment" tag or whatever. I am not doing anymore snooping.
The shit has hit the fan, ladies and gents.
Trained Monkey (Score:2)
- IBM Instructor -- "Introduction to System/360," circa 2Q 1966
Yeah, it's much harder to install Apache. You have to remember how to type "apt-get install apache". Fortunately the Debian people tend to stay pretty well ahead of the security issues, so if you apt-get update ; apt-get upgrade on a regular basis, any newly discovered vulnerabilities will get fixed. Not that Apache's had any major vulnerabilities in a long, long time. Maybe the solution would be to port apt to Windows...
Re:Zero monkeys, ten minutes (Score:2)
Disagree. Apache doesn't answer requests as root, and the apache user (usually nobody, apache or httpd) can't write anywhere useful. IIS answers requests as the kernel. ACLs? What ACLs? Banzaaai!
I also routinely mount
There's also the issue of change and diversity. For example, older Apaches tend to default to
Mandrake installed in a server configuration does start a web server (and other things), but it specifically tells you about it during installation, and you have to click [Yes] to make it happen. They also do things like starting with ALL:ALL:DENY in hosts.deny, meaning that even with services running, a cracker's hope is likely to end in futility. Many packagers are following suit.
Debian's automatic updates also take the dodo-or-busy sysadmin out of the loop. Mandrake, RedHat and others are following suit.
Summary: no, we wouldn't. Even though there are twice as many Apache sites as IIS. OTOH if M$ also had 95% penetration of the web server market, the Internet as we know it would be history by now.
Re:MSNBC Coverage (Score:3, Informative)
Re:MSNBC Coverage (Score:2)
"IT WAS NOT IMMEDIATELY clear if the new worm was a variant of Code Red or just a nastier copycat..."
Mmmkay...
Re:All I want to know is (Score:2, Funny)
Re:It's certainly more ambitious... (Score:2)
It depends on your machine's neighbors. If it's in a subnet with a lot of vulnerable Microsoft machines, it's going to get hammered. If it's in a well-run subnet, it will only see the odd random probes.
Machines I have in colo centers with small numbers of IPs (backup name servers, etc.) are really getting the treatment. Likewise the servers in a UUnet /26 (so presumably someone else in the Class C is an MS shop - never imagined I'd care). The rest of the stuff, in scattered /24s, is not seeing much of it at all (usually 5 or 6 log entries at this point).
Re:Do what I did... (Score:2, Interesting)
AddHandler cgi-script
In your httpd.conf and make a little perl script or something called default.ida to log it. It's been great fun, shoulda been to bed hours ago, but I'm playing around with my script instead. =)
What are you talking about? (Score:4, Insightful)
It's fast because that's how exponential growth works.
Re:What are you talking about? (Score:4, Informative)
OK, I know how the scanning works now. The worm starts with the user's IP address, and then changes a variable number of random octets. Let's say that our web server is on 192.168.1.7:
This is entirely consistent with the patterns we've been seeing, so if somebody on your local network gets infected, you're gonna get pounded until they fix it.
Another point: if the web server in question is behind a NAT firewall, it will go nuts scanning the internal network. For a large company that has many NT systems internally, they will spend all day trying to infect each other.
What a worm.
Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net
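Added example, not the poster's code: a Python classifier for Code Red probes in an Apache access log that also measures how local the sources are, using two things this thread reports (both worms request /default.ida with a long run of one filler character, 'N' for the original and 'X' for Code Red II, and Code Red II favours the victim's own /8 and /16). The function names and the sample log lines are my own constructions, with the filler runs shortened.

```python
"""Classify Code Red probes in an Apache access log and measure their locality."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache common/combined log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# At least four repeats of the same filler character right after the query string starts.
PROBE_RE = re.compile(r'^GET /default\.ida\?([NX])\1{3,}')
VARIANT_BY_FILLER = {"N": "Code Red", "X": "Code Red II"}

# Constructed sample; real probes carry several hundred filler bytes.
SAMPLE_LOG = """\
24.12.3.4 - - [05/Aug/2001:09:11:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 275
24.12.77.9 - - [05/Aug/2001:09:12:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 275
24.200.5.6 - - [05/Aug/2001:09:13:01 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 275
198.51.100.7 - - [05/Aug/2001:09:14:19 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 275
24.12.3.4 - - [05/Aug/2001:09:15:00 -0400] "GET /index.html HTTP/1.1" 200 1234
"""


def parse_line(line):
    """Split a log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_probe(request):
    """Return the worm variant name for a request line, or None for ordinary traffic."""
    m = PROBE_RE.match(request)
    return VARIANT_BY_FILLER[m.group(1)] if m else None


def locality(src, server_ip):
    """Where the source sits relative to our server: same /16, same /8, or elsewhere."""
    try:
        src_addr = ip_address(src)
    except ValueError:            # a hostname was logged instead of an address
        return "unresolvable"
    if src_addr in ip_network(f"{server_ip}/16", strict=False):
        return "same /16 (class B)"
    if src_addr in ip_network(f"{server_ip}/8", strict=False):
        return "same /8 (class A)"
    return "remote"


def summarize(log_text, server_ip):
    """Count probes by variant, by locality and by source address."""
    by_variant, by_locality, sources = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        variant = classify_probe(rec["req"])
        if variant is None:
            continue                # normal traffic, not a worm probe
        by_variant[variant] += 1
        by_locality[locality(rec["ip"], server_ip)] += 1
        sources[rec["ip"]] += 1
    return {
        "probes": sum(by_variant.values()),
        "by_variant": dict(by_variant),
        "by_locality": dict(by_locality),
        "unique_sources": len(sources),
        "top_sources": sources.most_common(5),
    }


if __name__ == "__main__":
    import json
    # Pretend our server is 24.12.100.1 (constructed) and report on the sample log.
    print(json.dumps(summarize(SAMPLE_LOG, "24.12.100.1"), indent=2))
```

Run it against a real access log with your own server address; a high "same /16" share is the signature of a Code Red II infection somewhere near you, which is exactly the pounding the post describes.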
Looks like somebody did their homework and decided to really make Code Red nasty
Re:What are you talking about? (Score:3, Insightful)
This is very interesting. I've recently been studying spatial population models of dispersal, e.g. when trees release seeds, should they go a short distance or a long distance? I.e. which will make them more likely to survive, and what combination of strategies will be evolutionarily stable?
Short-distance dispersal is best on aggregated landscapes, where good habitat is likely to be nearby, although such strategies end up competing with themselves quite intensely. Long-distance dispersal is good on unclustered landscapes, where you're better off hoping to colonize a good site far away. But it turns out that mixed seem to really kick butt; they exploit local rich patches of resources, but an occasional long-distance propagule allows them to colonize far-off patches once in a great while, and also reduces intraspecific competition somewhat.
It would be really interesting seeing a few different Code Reds going with different proportions of near versus far dispersal, to see which one does best. It would tell us something about the aggregation of exploitable machines on the net. Although I suppose some people may object to such a study.
As an AC pointed out in another reply, the really clever thing to do would be to have an adaptive strategy with a bit of randomness in it (i.e. the parameters in the strategy are changing too). That way, it would eventually "find" the strategy that works best, and in fact different subpopulations could converge to different locally optimum strategies.
Re:What are you talking about? (Score:3, Interesting)
You keep trying the 'distant' ones every now and then, just in case you get lucky.
Re:what is code red. . (Score:4, Funny)
Or maybe patent it. Also how about sending the BSA after anyone running it without a licence.
Re:Server 403's (Score:2)
- the infected servers are just DoSed by the number of people scanning them back on a small connection
- IIS is actually running on WinNT/2K Workstation, which has a limit of something like 10 concurrent inbound TCP connections (exacerbated by HTTP/1.1, used by most browsers these days).
What about.... (Score:4, Funny)