Code Red Worm Spreading, Set To Flood Whitehouse

altek writes: "CNET has an article describing a worm that has taken down over 12,000 MS IIS webservers." Bill Kendrick points to another CNET story, which reports that the worm will "cause every infected computer to flood the Whitehouse.gov address with data starting at 5 p.m. PDT," writing "Time to shut down all those IIS servers before the Internet gets flooded."

Slow Internet service due to all those extra packets of malice may not be the worst effect: As sp1n writes: "It appears that due to the way the worm formats its HTTP request and the semi-random way it seeks out vulnerable systems, it is also causing Cisco 67x DSL routers, widely deployed by Qwest, using firmware prior to 2.4.1, as well as some others, such as 3Com LanModems, to crash -- recoverable only by a power cycle. I have yet to see any news outlet cover the affect this is having on DSL service. Qwest's Interprise networking department confirmed they are receiving reports from all 14 states in their territory. Some routers running pre-2.4.1 firmware are crashing even though the web admin is disabled. This has become a huge support nightmare for every ISP in the region."

Re:what it looks like

[Anonymous Coward]

Which begs the question -- is it "right" to create a sploit that connects back to the attacking machines and "patches" their system so that it is fixed.

Fake worm warning makes ALL OF US flood website!

[Anonymous Coward]

It's a conspiracy. Everyone will hit the whitehouse.gov site to see if the alleged worm affected it, and in doing so, we have all been duped into participating in a DDoS attack on the site. Rather clever, actually. Proclaim the effect to create the cause.

Re:what it looks like

[Micah]

Yep, I got a lot of them on both my cable modem box and my server.

On the server:

[root@nova logs]# grep NNNNNNNNNN access_log | wc -l
34
[root@nova logs]# grep NNNNNNNNNN jes*access_log | wc -l
18
[root@nova logs]# grep NNNNNNNNNN trav*access_log | wc -l
20
[root@nova logs]# grep NNNNNNNNNN /var/www/group/logs/access_log | wc -l
18
[root@nova logs]# grep NNNNNNNNNN /var/www/otg/logs/access_log | wc -l
19


---

Re:If you don't run IIS but....

[Alan]

Cool! Thanks for the info. A grep through my own logs showed a lot of similar traffic. Time to start the whois' on those ips!

Pretty good simulation/dry run...

[torpor]

... on a potential future target, if you ask me.

Be interesting to hear the analyses about this one when it's all over.

Re:So, who's REALLY in charge...

[torpor]

Count me in.

We should take a lot of weed with us.

high5!~

[torpor]

bah-dumpsh!

Re:So, who's REALLY in charge...

[torpor]

Speak for yourself.

I'm using hash oil for fule in *my* tent!

Pollution never looked so sweet.

But seriously: where do we start? I wanna get off this chunk of rock. It hurts my ass.

Re:Cisco DSL routers

[torpor]

Almost any integer, eh?

None of my int's are good enough.

Re:Cisco DSL routers

[Brian Knotts]

Shhh...don't tell anyone:

http://www.qwest.com/dsl/customerservice/csco675up s.html [qwest.com]
http://www.qwest.com/dsl/customerservice/csco678up s.html [qwest.com]

Re:So, who's REALLY in charge...

[Tim Doran]

Sounds great, but no BBQ in the space station.

*cough

Re:Why or why....

[Tim Doran]

Whoa - just checked the logs on my humble linux box (behind a cable modem) and I've had about 25 hits on 'default.ida' today. Looks like a unique IP every time.

Jeez, if this is coming to my obscure neck of the woods... gonna be a hell of a night for W's IT staff...

Re:Probes coming from dial-up connections too!

[Tim Doran]

hmm... could these dialup victims be using Win98's 'Personal Web Server'? It's just IIS 3.x.

Wonder if that's vulnerable.

What about an automatic antidote?

[Tim Macinta]

I noticed this yesterday in my logs as well as some other strange requests that looked like somebody trying to break in.

Say, here's an idea... machines which request URLs like this have already been cracked and may still be vulnerable to the hole that the worm exploits (or does the worm patch this hole after exploiting it?). Somebody could take control of the cracked machines in the same way that the worm did and once inside introduce an antidote that eliminates the worm and patches the vulnerability. This could even be set up as a cgi script so that these cracked machines can be automatically cured.

It's a nice thought, but probably not worth the effort. Somebody would be bound to get upset by this good samaritan hacking and sue. It would also be too tempting to have the IIS "patch" that the antidote delivers be Apache (and OpenBSD for the ambitious).

Re:hmm

[MoOsEb0y]

last night I experienced a similar problem on my machine. Someone had been using various proxies to proxy through my machine to various pay for click type sites. I quickly put an end to this by commenting out modproxy in my apache config. Whether this is related I don't know. One thing is for sure though. the rise of lame people is happing at an exponential rate. It will only continue to get worse from here. :\

-Moose

Re:hmm -- UPDATE

[MoOsEb0y]

well, well, I just checked my logs. I have been scanned by lamers for this heh.
This showed up in my logs. I'm pasting it unadulterated seeing as I've found like 20 copies of it anyways so the script kiddies already have it.

207.68.188.44 - - [19/Jul/2001:15:15:30 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 273

Re:Fake worm warning makes ALL OF US flood website

[unitron]

15 minutes and counting!

How many of those who check whitehouse.gov to see if it's down will then check to see if they can get there through dot org or dot com, and think that what's at dot com is a "hacked" version of the dot gov?

Re:Fake worm warning makes ALL OF US flood website

[unitron]

Somehow I'd never bothered to wonder about whitehouse dot org before, just looked at it, and I'd love to see the faces of those who go there thinking it's an alternate way to get to dot gov.

Be sure to check out the inaugural address link.

Re:Fake worm warning makes ALL OF US flood website

[unitron]

Well, so far http://www.whitehouse.gov/ loads a lot faster than Slashdot.

'Course I'm not browsing whitehouse.gov at -1.

Re:Why or why....

[Cato]

Probably windowsupdate is run on a server farm - one server was hacked, and when you hit refresh the load balancer sent you to another server that wasn't.

Or maybe you were just unlucky :)

Re:Cisco DSL routers

[Phexro]

what versions of cbos does this affect? i was thinking of upgrading mine to 2.4.1 a few days ago... now might be a good time to do it.
---

ha!

[Phexro]

and msft called linux anti-american!
---

Re:what it looks like

[RobM]

Actually, you can do what you say only on a NT 4 IIS (default) installation: there the IIS runs as SYSTEM and can modify files.
On 2000 and on system where some non-stupid admin did the initial installation (but not maintenance ;-) the IIS runs as a user that can't "patch" itself or overwrite "interesting" system files.

Ciao,
Rob!

Re:Windows Update

[IntlHarvester]

This site [microsoft.com] lets you search for MS patches by product name and applied service pack. A hellava improvement over Microsoft's previous patch search.

Two words of warning:
1) W2K SP2, like all SPs, did not include all of the previous hotfixes. You might need to reapply some after applying the service pack. I think this particular exploit is one of those.

2) For W2K, you need to search under both "Windows 2000" and "IIS 5.0" to get all the patches.

Happy hunting!
--

And while we're confirming stuff

[Sangui5]

The stuff they say about certain HP printers is true too. We have a HP LaserJet 4000N, and it's been going down all day. The secretary (who's since gone home) has been confused as all else as to why the printer keeps giving some strange error. I'd guess that all HP's that use the same internal network spooler will have the same problem.

Re:hmm -- UPDATE

[SoftwareJanitor]

Here is the hall of shame of IP's from my Apache logs:

66.80.40.178
202.30.107.77
134.155.40.49
195.65.218.213
206.153.53.106
66.121.57.63
132.178.148.167
131.174.228.6
24.91.116.188
200.202.120.59
62.48.11.31
24.214.66.226
208.11.51.150
63.194.235.102
208.139.198.171
62.17.151.141
195.85.182.18
211.53.214.76

If your IP is on that list, you might want to patch it... Or better yet, switch to Linux and Apache... :-)

Re:Update!

[sharkey]

Actually, 4pm PST is 12am GMT. PST is GMT-8. Mountain Standard is GMT-7.

--

Re:Update!

[sharkey]

That is irrelevant. PST was what was referenced, and is the subject of this thread, not PDT.

--

Re:So, who's REALLY in charge...

[Eimi Metamorphoumai]

Right, so, who wants to build a space station with me and leave this BS behind? I'll bring cookies.

Tempting, but I block cookies whenever I can. If you bring some beer and steak, I'm there.

time h@X0R

[Tiro]

This worm apparently takes specific actions at certain dates/times.

Can you interfere worms such as this by changing system/software clocks? Could a crafty craker proggy writer create some kind of independent time record to avoid such tampering affecting his effects?

Re:Proactivity

[Jahf]

Damn, I went from one every hour to about one every 10 minutes ... this is definitely hitting alot of folks since I have a DSL line with a pretty much unknown webserver.

I'm sending the following form letter to webmaster@, administrator@ and root@ of the reversed domain for anyone who I see sending me the request:

--------------

I noticed in my web server logs that your server tried to access a false web page today. This access is a signature of attacks coming from the Red Tape worm and it would appear you have an IIS server that is infected. The infected server (yours) then tries to contact other ISS servers to infect, generating the following request (the first IP address is the server that you have that is infected, though you may have many others with the same predicament):

[replace with the actual request]
###.###.###.### - - [19/Jul/2001:18:11:07 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-"

NOTE: If this is a dynamic IP address and you are an ISP, the above request should be able to help you track down your customer and help them fix this issue.

I'm only providing this note as a warning so that you can try and patch your machine. My web server was immune to this attack, so I was not directly affected.

For more details about this worm, please see the following sites:

News.com ... http://news.cnet.com/news/0-1003-200-6617292.html

Slashdot.org ... http://slashdot.org/article.pl?sid=01/07/19/223024 6&mode=thread

To patch your server you should:

1) make sure you have all of the most recent service packs installed

2) make sure you have all of the available critical updates installed

3) install this patch:
http://www.microsoft.com/technet/treeview/defaul t. asp?url=/technet/security/bulletin/MS01-033.asp

4) reboot

NOTE: I do not have a Windows IIS webserver with which to verify the above instructions, so I can't guarantee it will work, but the above practices should be done on a regular basis (if they had been done, including installing the patch mentioned, your web server would not have been compromised to begin with).

--------------

Press DOS attack

[jonathanclark]

This is acutally the "Press DOS attack." You get some security expert to claim that a worm is spreading all over the internet and will attack X site at 5pm. Then everyone who reads the story will go see if the site is down at 5pm. And of course since everyone is hitting reload to see when it is down, the site gets flooded and goes down while the virus/worm never exsisted!

Re:Update!

[Polo]

I thought the analysis [google.com] said the worm references the .91 address. DNS right now resolves to the .92 address. So no problem.

100,000

[Zildy]

Cnet now says 100,000 servers infected.

At my company (small midwest ISP), I could feel the effects at around 10am CDT. A couple servers run by customers were infected and were sending out a *constant* stream of requests to random servers trying to infect others.

Oof.

FOR THE LOVE OF GOD, FIND GET YOUR Tee Ball at the White House [whitehouse.gov] INFORMATION BEFORE IT'S TOO LATE!!!

Re:Dealing with this all day

[aenea]

root.exe was left from the solaris worm that went around about a month and half ago. You guys have been hacked for a while. Scan your logs for entries that have "cmd.exe" in them and you'll find when you first got smacked.

Re:Why M$ ?

[gimpboy]

I can't imagine that they didn't think as hard about security as Apache or Linux for example.

i'm not bashing microsoft here, but the windows3.1/95/98/nt/etc os's originated from dos which is a single user operating system. there were no concerns made with respect to security when dos was originally placed on the market. because of the application base dos had the various windowsxxx's that have come along had to be backwards compatable with dos programs. as a result you have this pseudomultiuser platform that implements security as an afterthought. see for example this article about windows xp [grc.com].

on the other hand linux is based on unix, which microsoft trashes for being 30 year old technology, but this technology has had 30 years to iron out alot of the security issues. unix was also designed with multiple users in mind which affects everything from file access to memory allocation.

so in essance linux, via unix, has had alot more thought put into security than microsoft. as a result of linux being open alot of the security issues can be addressed by its users. because microsoft is closed the poor iis administrators have to sitback while their boxen are DOS'ed and wait for a patch to arrive. its sad really.

use LaTeX? want an online reference manager that

Re:Update!

[ajs]

If you're router/firewall's linux, you can do this:

/sbin/route add -host 198.137.240.92 gw 127.0.0.1 dev lo

That will dump all of that traffic into space, and it will never hit your outbound ethernet card.

I presume similar things are possible on just about every piece of routing hardware out there.

--
Aaron Sherman (ajs@ajs.com)

Re:Another update- random IPs

[mpe]

I've got the same thing in my Apache access logs.. 17 unique hosts sent it. Haven't noticed any side effects or problems on Apache or Linux yet (I know this is an IIS worm, but it's best to be cautious).

It does show up how many people cannot be bothered to set up reverse DNS though. THe only likely problem is wastage of bandwidth.

Re:what it looks like

[macpeep]

So THAT's what it is.. Starting around 3 hours ago, my home desktop machine has been getting about 50 of those. One very 3 minutes or so.. And my machine is just on a random ADSL IP. This thing must have spread REALLY wide!

Re:Dealing with this all day

[EasyTarget]

The patch is availible here [microsoft.com]

Not any more it's not.. Looks like Microsoft have started responding, probably moved it more prominent..

Wonder when the 'Red Menace' spin from Mr gates sympathisers in the Gvt. will start.

EZ

Re:hmm

[ncc74656]

And I wondered why my little apache running on almost unknown site got so much hits today with strange shellcode...

I don't know about strange shellcode, but you made me curious...I browsed the log for my personal webserver (Apache running on LFS) and saw a suspicious request for /default.ida at 16:49 PDT from a site in Taiwan. Searching for that request on the rest of the webserver log (going back maybe a year or so at this point) turned up 21 other requests for the same thing, all earlier today. The requests were coming in from around the world...but the last one was from Taiwan and the two before it were from Red China. These last three requests were within one hour of the beginning of whitehouse.gov's problems. /default.ida sounds like something one might request from an IIS box (instead of /index.html, they usually use /default.htm as the homepage)...would this have been a probe from the punks who pulled this stunt?

(FWIW, other countries that appeared in the log are (in the order they appeared) South Korea, Canada, Japan, and Germany. Several American sites were also on the list (many of them on cable-modem or DSL connections).)

Re:Update!

[cyberdonny]

Don't forget we are speaking about Windows machines here, and those are notoriosly bad at managing such "advanced" concepts as timezones. Just whitness the bi-yearly mess that occurs whenever we switch daylight savings time. Windows machines usually run their clock in local time, and have no such concept as location-independant UTC time.

So, who's REALLY in charge...

[devphil]

The government cannot take down Microsoft, but Microsoft can take down the government...

*ponder*

Right, so, who wants to build a space station with me and leave this BS behind? I'll bring cookies.

I've had to deal with this all day..

[TheTomcat]

scared me at first.. reboot fixes it.. but it comes back..
upgrade your service packs/critical updates and then run this (http://www.microsoft.com/technet/treeview/default .asp?url=/technet/security/bulletin/MS01-033.asp [microsoft.com]) patch.. should clear it up.. I hope, anyway. (-:

Ah HA!

[underwhelm]

So that's why my DSL router was crapping out every 10 minutes or so this afternoon, after several months of continuous uptime. I knew it couldn't be a configuration problem (there's only so much configuratin' one can do to those things.)

After reading about the trouble Slashdot ran into with their Cisco routers, and the tongue lashing they got for rebooting it without understanding the problem, I'm glad I powercycled it anyway. It did solve the problem, until I got hit again.

While I was rebooting the "turtle," as we call it, my girlfriend, Anne, for some reason got really upset, started crying and moved out. Really odd.

Re:Let's see... /var/log/apache

[mbyte]

lets do a quick grep in the logs ;)

# grep default.ida * | wc -l
5630

woops .. ;)

Re:WhiteHouse.gov? Thank God!

[Rev_Hojo]

Out of curiosity I checked whitehouse.com. If anyone is working the evening shift like me, don't go there from work unless your employer has an very lax internet use policy. In other words it's one of those "Mature Audiences" sites. Just so ya know.

If you don't run IIS but....

[heliocentric]

I don't run IIS, but I've been seeing odd things in my logs. It took me a sec to check security focus and learn what it was. Here is an except of a log file so you if see similar you know what's up.

65.201.146.103 - - [19/Jul/2001:17:58:49 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 323 "-" "-"

The thing on security focus [securityfocus.com] indicating that "default.ida" thing is IIS probes (and/or possibly already compromised systems rescanning is here [securityfocus.com].

umm... are you sure?

[Jafa]

I don't think this has anything to do directly with the routers. It just happens that the exploit used also affects certain cisco routers (through a well-known bug). It's not attacking the cisco os, the routers just happen to get hit in the crossfire between the infected IIS machines and the target IIS machines.

Jason

Another update- random IPs

[Jafa]

Guess I'll just paste another copy or eEye's email here also. From security focus:
===========

the worm just tries port 80 on ip's. doesnt care if its IIS or not.

also as for the ip seed thing... we have heard reports there is a variant
worm that is doing truly random IP addresses. We dont have any more info on
that though.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security

problems with the patch

[Jafa]

There are some reports that the patch itself is causing some problems on machines with certain combinations of IIS 4/5 and Exchange and Index server.

This email from the security focus list:

I have seen some problems with NT4 servers running Exchange crashing when
they encounter the Code Red Worm. These machines were all upgraded with the
patch in the MS-33 ida/idq bulletin. While the worm wouldn't exploit the
servers, it would bring down IIS4.

The page returned contained an error message:

This is the error page for errors found in .idq files
A registry entry points to this page (where X is the current language):

This was returned along with a registry key and some more detail why it
failed. Out of all the servers, only the ones with Exchange exhibited these
problems after being patched. I have confirmed these results with someone
with a similar setup. The only way I could stop it was to unmap the ida/idq
extensions from IIS4.

Has anyone else seen similar behavior? Is this limited only to NT4/Exchange
machines? I haven't been able to test it on an IIS5 machine to see. I'd
advise anyone currently having these problems to unmap the ida/idq extensions.

For dumps/more information just let me know.

Neil

Good description here:

[Jafa]

The guys at Eeye [eeye.com] have a good overview here [eeye.com].

This is basically just the usual buffer overflow attack that's had a patch available for a month, and by following best practices shouldn't be an issue at all. The really interesting thing is where the guns being gathered are pointed: at whitehouse.gov. Should be an interesting night!

Jason

Obligatory reference:

[bmo]

Dick Cheney: SOMEONE SET UP US THE WORM!

George Bush: MAIN SCREEN TURN ON!

George Bush: IT'S YOU!!

Li Peng: YOU HAVE NO CHANCE. MAKE YOUR TIME.

Li Peng: HAHAHAHAHA

Re:Cisco DSL routers

[Eric Seppanen]

Cisco's vulnerability report [cisco.com] (read the date!) says that 2.4.1 is OK.
My ISP is recommending 2.4.2, but I don't know why.
It's all academic to me, because I haven't found a place to download either.
--

Cisco DSL routers

[Eric Seppanen]

I, and many of my co-workers, had our home DSL routers (Cisco 675s) lock up today as this worm scanned them.

There is common belief that disabling the web interface will prevent this. It's not true; mine's been disabled every since this was first reported a year ago and I still got hit. The problem is that "set web disable" prevents the web server from fiddling the router config, but doesn't actually stop the server from parsing input from port 80, which is what locks up the box.

An improved workaround is to disable the web-admin interface and change its port number with "set web port 53496" (replace with some random port number). At least that'll stop it for the near term.

Long term you need to get updated firmware, but of course Cisco won't distribute firmware directly to customers, even though they have public announcements of the existence of bugs and bugfixes. To actually get the firmware you have to get it from your DSL line provider (Qwest, in my case), and Qwest couldn't care less about security with respect to home users, so they've never bothered to offer fixed versions of CBOS.
--

Re:Another update- random IPs

[kootch]

the requests in my httpd-access.log looked like this:
<P>
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0
<P>
this came from about 3 dozen different IP's today. a few were from corporate servers... so I notified the webmasters... but the index page of these servers were not replaced... so I have no idea what the exception was.
<P>
more info can be found on deja or <a href="http://www.securityfocus.com/templates/archi ve.pike?end=2001-07-21&list=100&mid=197436 &fromthread=0&start=2001-07-15&threads =0&">here</a>

Re:Dealing with this all day

[Moonshadow]

We got hit by this, too, although we found it and contained it withing 10 minutes of being infected. The solution is to make sure you've got service pack 2 for Win2K, THEN download the critical updates from Windows update, and reboot. The worm will be gone from memory, and the hole patched. SP2 supposedly contains the patch, but it doesn't work, so you have to install SP2 then the critical update available from Windows Update.

Also, we discovered that all the infected machines had had a file "root.exe" placed in the root dir and the inetpub/scripts directory. Anyone who got hit might want to check for that too.

Of course, the simplest solution is to not run IIS...

This is why!

[AirLace]

Perhaps this is why [robertedmonds.net] the patch is not on windows update. Fixed now though.

Re:So, who's REALLY in charge...

[nconway]

Does the government have a legal monopoly on force?

Yes -- for example, if I shoot someone, that's illegal. If the government subsequently locks me up for 20 years (which is a form of physical force), that's perfectly legal.

I thought the raison d'etre of the 2nd Amendment was to prevent the government gaining a monopoly of force.

Right -- it's more complicated than that. As a citizen, you have the right to defend yourself -- and if necessary, to respond to an act of force with violence; but only the government can legally initiate the use of force. (That's Ayn Rand's view anyway...)

Infrastructure Issues

[Joel Rowbottom]

This won't just cause problems for whitehouse.gov, but also quite a lot of problems for the very fabric of the Internet - the routers. The traffic generated within colocation facilities for instance is likely to overcome routing kit and deplete memory very very quickly.

There have been quite a lot of posts on NANOG [merit.edu] about this already, and depletion of memory on Cisco routers causing them to crash.

--

Let's see... /var/log/apache

[magi]

My Apache logs seem to have lots of these:

(address removed) - - [20/Jul/2001:00:36:19 +0300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252

20 lines now, about one coming every 15 mins.

Quite many seem to be coming Taiwanian or other Far-East countries such as Thailand.

what it looks like

[tedtimmons]

For those of you that tend flocks of web servers, here's what a request would look like:

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNN ...

There are tons of N's (can you say buffer overflow?) and then stuff after the N's. I've left that out to make it harder for script kiddies.

-ted

Re:Why or why....

[Fjord]

I've got 26. Definitely unique IPs as shown by
grep default.ida apache_access.log | sed "s/ .*$//g" | sort -u | wc -l

Re:Should have open sourced it...

[athmanb]

This isn't necessarily a shortcoming. As pointed out in the detailed analysis on Usenet:

The worm could have done

truly random IP generation and that would have allowed it to infect a lot
more systems a lot faster. We are not sure why that was not done but a
friend of ours did pose an interesting idea... If the person who wrote this
worm owned an IP address that was one of the first hundred or thousand
etc... to be scanned then they could setup a sniffer and anytime and IP
address tried to connect to port 80 on their IP address they would know that
the IP address that connected to them was infected with the worm and they
would therefore be able to create a list of the majority of systems that
were infected by this worm.

--------------------------------------

bashing M$ IS fun...

[Raymond Luxury Yacht]

... but really, what would have been helpful to many IT readers would have been the link [microsoft.com] to the Microsoft bulletin and patch download in the /. article.

Re:Update!

[Smitty825]

While I don't disagree with your bug report, I want to point out that at 5PM PST, it offically becomes July 20th on GMT. Unless the attack begins on the 21st, I'm still assuming whitehouse.gov will be inaccessable tonight :-)

Re:Why or why....

[realdpk]

It's not the RIAA or MPAA, but you might like these IPs:

207.46.123.13
207.46.152.122
207.46.153.9
207.46.171.237
207.46.171.61
207.46.171.68
207.46.173.25
207.46.175.96
207.46.186.252
207.46.187.123
207.46.196.55
207.46.196.58
207.46.203.39
207.46.227.38
207.46.230.64
207.46.239.116
207.46.239.117
207.46.239.44
207.46.252.139
207.46.28.158

Each of them has hit default.ida on one server I'm watching. From what I can tell from whois -a, 207.46 is all Microsoft corp! They can't even keep up with their patches.

(btw, on this same server I'm seeing a new unique IP default.ida hit every second)

Re:This is why!

[petard]

ROTFLMAO! And the warning that this was in the wild appeared on bugtraq 2 days ago. You'd think they could at least apply their own patches. I knew there was a reason I don't allow M$ software on my network unless it's absolutely required. (I tend to use Linux sparingly too :-) [openbsd.org])

pétard

Re:Windows Update

[SuiteSisterMary]

NT sysadmins who know their shit are on Microsoft's Technical Bulletin list. Because these are hotfixes, they don't go on the public site, because they're 'install only if it fixes a problem you actually have.'

Re:Windows Update

[SuiteSisterMary]

Yeah. It's not at all like that ramen.worm; didn't find many unpatched redhat boxes. Oh, wait.... It's not clueless NT admins, it's clueless admins. Idiocy is platform-agnostic.

Re:Detection

[SuiteSisterMary]

Run task manager. Select 'processes.' Open the view menu. Select 'choose columns.' Activate 'thread count.' Then look for a process with 100 threads. At least, from what I've read about the worm. My firewall's been turning these away left, right, and centre.

Re:Another update- random IPs

[jallen02]

Hey!

I hope you see this

We watched a worm today hitting our IIS machine. With a few hacked up perl scripts I wrote I captured some of the HTTP requests.

Has anyone seen something like.. (from memory bear with me) /index.ida?NNN(Repeat N a BUNCH of times)%u6380%u9090%u0000

Something like that.. I knowt he middle was 9090. I dont think this was the china worm.. our index page wasnt replaced or hacked. It continually shut down our IIS service. Removing our IIS mappings to everything but the extensions we needed stopped the crash. It became progressively worse to the point where our ISDN being hit with these requests every second.

I found the security bulletin (033?) on the MS site etc. Its pretty interesting. Anyhow.. Just figured id share.

Jeremy

Re:Update!

[friscolr]

one more thing to note-

it attacks 198.137.240.92 not www.whitehouse.gov
that is, it doesn't need to reference the dns server (i was hoping to just add an entry for whitehouse.gov to our dns server since i dont have access to the router side of things)

-f

Re:So, who's REALLY in charge...

[RevAaron]

WERD!

But honestly, we have to be economical- how about a few drums of hash oil? I mean, we only have so much space!

Re:So, who's REALLY in charge...

[RevAaron]

And such is the wonder known as the plant Cannabis! However, there's no way I'm using hash oil for fuel, that's just evil. Hemp seed oil would work pretty swell though!

Re:So, who's REALLY in charge...

[RevAaron]

Heh. I suppose if you were using hash oil in your tent you would hotbox to such a point that you would be stoned forever. I like this idea of yours.

In any case, you can leave whenever you want, no one is keeping you here. I like it, though, so I guess I'll just swim in my own sea of hash oil down on Earth. However, I can sell you some sweet plans on making a rocketship...

Why or why....

[Wintermancer]

....can't it be the RIAA's and MPAA's webservers?

Sigh. Windows IIS: It's like walking around with a handfull of twenties and giving a loaded gun to any criminal you meet.

Re:Another update- random IPs

[Andrewkov]

I've got the same thing in my Apache access logs.. 17 unique hosts sent it. Haven't noticed any side effects or problems on Apache or Linux yet (I know this is an IIS worm, but it's best to be cautious).

---

Re:So, who's REALLY in charge...

[Andrewkov]

Would your space station run on Windows servers? ;-)

---

Re:Another update- random IPs

[Andrewkov]

Yeah, I'm not even running a website, it's just my little ol' 486 acting as my IP Masquerading gateway for my home LAN... I don't have much more than my resume on the web server!

Good point about the reverse DNS lookups, actually most of the ones I checked didn't even have a valid domaine name. Probably they are just Windows 2000 users with cable modems who leave their computers on all day, and don't even realize they are infected.

---

Re:Dealing with this all day

[SealBeater]

Fat-fingered the patch location. Here [microsoft.com] it is.

SealBeater

Dealing with this all day

[SealBeater]

We have been dealing with this all day at my job (colo/hosting). Apprently, it's totally memory resident, so a reboot should clear it. However, its really spreading like wildfire. Also will hang Cisco 675s and 678s, so if you have one of those routers (cable/dsl), disable web access. Also is hanging HP printers with web frontends. The traffic alone is choking some of our smaller routers. The patch is availible here [microsoft.com].

SealBeater

Re:Why or why....

[IronChef]

22 hits to me, though my overworked cable modem serves about 1000 unique visitors a day.

Then again traffic shouldn't matter... according to the articles the IP addresses to attack are produced by a pseudo-random algorithm... so those of us with a handful of hits have IPs that are way down on the algorithm's list.

My first hit was at 9:20 AM, the last was at 4:04 PM.

Can Microsoft Protect You From Itself?

[cant_get_a_good_nick]

Ironic. I read an article on ZdNet [zdnet.com] on how Microsoft was not only gonna pull it's JVM, but was going to disable some Java applets because it viewed them as a security risk. I wondered aloud whether this would have disabled Outlook, IIS, IE (ActiveX vulnerabilities) and .vbs files.

Microsoft Outlook: Making the Goodtimes virus real.

Update!

[Bender_]

The information about the whitehouse.gov attack was wrong. (Well - its still up :)) In fact the attack is going to start tommorrow, july 20th.

Here is the snippet from bugtraq:

Thanks to Eric from Symantec for tossing us a note about the worm being Date
based and not Time based.

We made an error in our last analysis and said the worm would start
attacking whitehouse.gov based on a certain time. In reality its based on a
date (the 20th UTC) which is tomorrow.

If the worm infects your system between the 1st and the 19th it will attempt
to deface the infected servers web page or try to propogate itself to other
systems. On the 20th all infected threads will attempt to attack
www.whitehouse.gov. This seems to continue until the worm is removed from
the infected system.

Any new infection that happens between the 20th and 28th will most likely be
someone "hand infecting" your system as all other worms should be attacking
whitehouse.gov. If for some reason you are infected between the 20th and the
28th then the worm will begin attacking whitehouse.gov without trying to
infect other systems. This attack will continue indefinitly.

The following are rough numbers, but we felt that it was important to
illustrate the affects this worm can _possibly_ have.

The worm has a timeline like this:

day of the month:
1-19: infect other hosts using the worm
20-27: attack whitehouse.gov forever
28-end of month: eternal sleep

Presumably, this could restart at any point in a new month again.

Also, some stats for the attack:

Each infection has 100 threads
Each thread is going to send about 100k, a byte at a time, which means you
have a (40 for ip + 1 for each byte) which means you have 4.1 megs of data
per thread
100 threads * 4.1megs = 410 Megabytes
This will be repeated again every 4.5 hours or so

Remember, each host can be infected multiple times, meaning that a single
host can send 410MB * # of infections.

We have had reports between 15 thousand and 196 thousand unique hosts
infected with the "Code Red" worm. However, there has been cross infection
and we have heard reports of at least 300+ thousand infections/instances
(machines with multiple infections etc..) of this worm.

If there are 300 thousand infections then that means you have (300,000 * 410
megabytes) that is going to be attempted to be flooded against
whitehouse.gov every 4 and a half hours. If this is true and the worm "works
as advertised" then the fact that whitehouse.gov goes offline is only the
begining of what _can_ possibly happen...

Re:Good description here:

[Bender_]

Here [google.com] is a full analysis of the worm. (including source!)

Re:what it looks like

[Erasmus Darwin]

There are tons of N's (can you say buffer overflow?)

If the DDoS doesn't bother spoofing the source address (and I didn't see anything to indicate that it did) and if it doesn't bother closing the hole, I find it interesting that the target of the attack could hypothetically "hack back".

(20 hits for default.ida in the logs at one job, 26 at the other. I (heart) Apache.)

Re:Affects IIS?

[Erasmus Darwin]

Don't all worms take advantage of security flaws in Microsoft software?

It's been done [software.com.pl].

(It's a link to information on RTM's worm, for those who don't feel like clicking the link.)

Re:what it looks like

[Erasmus Darwin]

Er, 99.99999% of the sources are zombies. Dumbass.

Oh nos! You've called me a dumbass. My penis will now shrink, and I'll forever be a hollow shell of a man.

And assuming I'm understanding you correctly, by zombies you're referring to just an arbitrary exploited machine, running the DDoS on behalf of a third party. I was aware of this fact when I posted my comment. I certainly was under no misapprehension that a given DDoS machine was being run by the person who created the worm.

But that doesn't change the fact that, under the conditions I stated, the person on the receiving end of the attack could hypothetically reexploit each machine to (if they're nice) disable the worm or (if they're mean) wipe the system altogether. Besides, the owners of the machines in question share some culpability in their failure to properly administer and secure their systems.

Write Your Congressman NOW!

[BigBlockMopar]

I got a little worried there for a sec!

I'm still worried!

Write your congressman. I want to see using a Microsoft server being treated as an act of criminal negligence, like drunk driving.

Haven't we all had enough of this bullspit?

My own webserver had been hit by several thousand of these attempts. When I got Slashdotted for putting up pictures of Bobo [glowingplate.com], it was bad. But this worm has been saturating my DSL with HTTP GET requests.

Re:Write Your Congressman NOW!

[BigBlockMopar]

It's just because Microsoft is the number one webserver that the worm is targetted towards it. If Linux were the number one webserver the worm would target it.

Hmmm... Uhhh. Microsoft primarily makes operating systems which repeatly prove themselves marginal for desktop use, and criminally inadequate for anything requiring stability or security.

I think you're attempting to imply that IIS server, which comes free - though hobbled to various degrees - with all versions of NT and 2000, is the number one webserver.

That's mighty good crack that you're smoking [netcraft.com].

P.S. Drunk driving is not as bad an activity as you describe.

I love drunk driving. It's a lot of fun. A friend of mine used to work in an automotive wrecking yard, and we used to love cracking open a few beers and driving around the yard in one of the junkers that came in under its own power. It was a great way of spending a Friday evening when I was in high school. I assure you, 50-foot-tall mountains of crushed cars are a lot harder to avoid after 6 beers. Even worse, 50-foot-tall mountains of crushed cars are a lot harder than uncrushed cars. They don't collapse well in accidents after they've been through the Al-jon. One might even suggest that they have less crush space. Especially the silly little Hondas.

You know what? I love my cars, and I love my beer. But the two don't mix. I don't drive (on public roads, anyway) if I've had even one beer.

Old people kill more people just because of senility, than drunk drivers.

Uh-huh. Yeah. You fascinate me.

Re:Cisco DSL routers

[CeramicNuts]

here's the link to upgrade to the latest firmware:

http://www.qwest.com/dsl/customerservice/win675ups .html [qwest.com]

Re:Windows Update

[mech9t8]

Microsoft doesn't put most security patches on Windows Update. They have a Corporate Windows Update (http://corporate.windowsupdate.microsoft.com), but it's basically just another download site... it doesn't automatically tell you what you need or install it for you.

Not that keeping up to date on patches is very difficult (subscribe to their Security Bulletin at http://www.microsoft.com/technet/security/bulletin /notify.asp), but since they obviously have the Update technology down pat, I don't know why they don't have a version of Windows Update with *all* the hotfixes, not just the "consumer-friendly" ones. It would certainly make setting up new machines easier... instead of downloading and installing twenty files, you should be able to just go to their site and have it do the work for you.

They haven't really changed Windows Update since it was introduced with Windows 98 - they've really dropped the ball... Redhat's up2date and Ximian's Red Carpet are both quite a bit better than the current implementation of Windows Update.
--
Convictions are more dangerous enemies of truth than lies.

Re:Windows Update

[mech9t8]

Yeah, but for each one you have to click through 3 times just to get the file. Which means:

a) it's really annoying, and lots of people just won't bother, and...
b) it's really easy to miss one or two

And there's no real way to check (there's a dinky little script available somewhere that'll check for IIS patches, but it's buggy and hard to find).

The Corporate Windows Update site makes them easier to download, but it takes weeks for patches to be put up on it after they've been released, and there's no real way to match them with the associated Bulletins (to know if they need to be re-downloaded, if you've missed any, etc.) And it doesn't allow searching by Service Pack.

In this case, Microsoft's system is just sloppy and unprofessional. There's absolutely no reason for this to be such a pain other than Microsoft isn't putting enough money and attention into its support structure.

Sure, they now allow Patches to be joined together so you only have to reboot once for multiple patches and they allow you to search by Service Pack, but those are baby steps that should've been done years ago... patches today should be instantly updated over the web and shouldn't require reboots in 99% of cases (for all IIS patches, it should just shut down IIS, update the files, and restart). Microsoft's behind the curve, and if I was a corporate system admin, I'd be tempted to switch to Red Hat just because they have a much better update structure.

(For instance, with Red Hat, you type up2date, it launches a graphical wizard which automatically tells you what you need updated, downloads, and installs them. It's like four mouse clicks to completely update your system to latest versions of everything on it.)
--
Convictions are more dangerous enemies of truth than lies.

Apologies to St. Ives....

[Eryq]

While I was working for the feds,
I met a worm they called Code Red...
And Code Red hit 100K hosts,
And every host had 3 infections
And every infection had 100 threads
And every thread sent 100k
And every k had a thousand bytes [*]
And every byte was sent in 1 packet
And every packet had a 40-byte header
Headers, packets,
Bytes, k,
Infections, hosts and threads...
Once every month, just to piss off the Feds.

[*] 1024 just doesn't scan well. :-)

Probes coming from dial-up connections too!

[NewtonsLaw]

My firewall is getting it about once every four or five minutes with probes coming mainly from servers based in countries along the Asian rim (Japan, Korea, etc).

Fortunately, a trace of the sources indicate that the servers involved are being shut down pretty quickly by their admins.

One alarming aspect is the number of these probes that are obviously coming from servers connected through PPP dial-up accounts.

I wonder how many people have installed IIS on PCs running IIS and don't even know it's running?

News With Attitude [7amnews.com]

Should have open sourced it...

[srvivn21]

From http://news.cnet.com/news/0-1003-200-6604515.html [cnet.com]

...each instance of the worm will attack the same computers in the same order, according to eEye's analysis. Maiffret said that while the addresses of the computers attacked by the worm seem to be random, because the worm uses the same starting point, or "seed," to generate the list, the "random" lists that any two worms generate are identical...

You know that if this worm had been open sourced, that mistake would have been caught, and this would be an even better epidemic.

Re:So, who's REALLY in charge...

[Guppy06]

Seriously though, I hope this convinces the attourney general and the new district judge that Microsoft's monopoly has serious detriments on the internet as well as the industry.

Affects IIS?

[ryanwright]

a new Internet worm that takes advantage of a security flaw in Microsoft software

Is this even worth mentioning? I mean, really! Don't all worms take advantage of security flaws in Microsoft software? Why can't someone write a worm to take advantage of Apache for a change? All of these Microsoft servers being compromised are making me jealous. If only I could afford a license of Win2k Server, then I could participate in the excitement as well...

some day....

WhiteHouse.gov? Thank God!

[Purple_Walrus]

I thought that said whitehouse.com! I got a little worried there for a sec!
---