Code Red Worm Spreading, Set To Flood Whitehouse
from the code-blue-code-blue dept.
Slow Internet service due to all those extra packets of malice may not be the worst effect: As sp1n writes: "It appears that due to the way the worm formats its HTTP request and the semi-random way it seeks out vulnerable systems, it is also causing Cisco 67x DSL routers, widely deployed by Qwest, using firmware prior to 2.4.1, as well as some others, such as 3Com LanModems, to crash -- recoverable only by a power cycle. I have yet to see any news outlet cover the effect this is having on DSL service. Qwest's Interprise networking department confirmed they are receiving reports from all 14 states in their territory. Some routers running pre-2.4.1 firmware are crashing even though the web admin is disabled. This has become a huge support nightmare for every ISP in the region."
Re:what it looks like (Score:3)
Fake worm warning makes ALL OF US flood website! (Score:5)
Re:Cisco DSL routers (Score:3)
None of my int's are good enough.
Re:Cisco DSL routers (Score:3)
http://www.qwest.com/dsl/customerservice/csco675ups.html [qwest.com]
http://www.qwest.com/dsl/customerservice/csco678ups.html [qwest.com]
Re:Probes coming from dial-up connections too! (Score:3)
Wonder if that's vulnerable.
Re:hmm -- UPDATE (Score:3)
This showed up in my logs. I'm pasting it unadulterated seeing as I've found like 20 copies of it anyways so the script kiddies already have it.
207.68.188.44 - - [19/Jul/2001:15:15:30 -0400] "GET
Re:So, who's REALLY in charge... (Score:3)
Tempting, but I block cookies whenever I can. If you bring some beer and steak, I'm there.
Press DOS attack (Score:5)
100,000 (Score:3)
At my company (small midwest ISP), I could feel the effects at around 10am CDT. A couple servers run by customers were infected and were sending out a *constant* stream of requests to random servers trying to infect others.
Oof.
FOR THE LOVE OF GOD, FIND GET YOUR Tee Ball at the White House [whitehouse.gov] INFORMATION BEFORE IT'S TOO LATE!!!
So, who's REALLY in charge... (Score:5)
The government cannot take down Microsoft, but Microsoft can take down the government...
*ponder*
Right, so, who wants to build a space station with me and leave this BS behind? I'll bring cookies.
I've had to deal with this all day.. (Score:4)
upgrade your service packs/critical updates and then run this (http://www.microsoft.com/technet/treeview/defaul
Ah HA! (Score:4)
After reading about the trouble Slashdot ran into with their Cisco routers, and the tongue lashing they got for rebooting it without understanding the problem, I'm glad I powercycled it anyway. It did solve the problem, until I got hit again.
While I was rebooting the "turtle," as we call it, my girlfriend, Anne, for some reason got really upset, started crying and moved out. Really odd.
If you don't run IIS but.... (Score:5)
65.201.146.103 - - [19/Jul/2001:17:58:49 -0400] "GET
The thing on security focus [securityfocus.com] indicating that "default.ida" thing is IIS probes (and/or possibly already compromised systems rescanning is here [securityfocus.com].
Good description here: (Score:3)
This is basically just the usual buffer overflow attack that's had a patch available for a month, and by following best practices shouldn't be an issue at all. The really interesting thing is where the guns being gathered are pointed: at whitehouse.gov. Should be an interesting night!
Jason
Obligatory reference: (Score:5)
George Bush: MAIN SCREEN TURN ON!
George Bush: IT'S YOU!!
Li Peng: YOU HAVE NO CHANCE. MAKE YOUR TIME.
Li Peng: HAHAHAHAHA
Cisco DSL routers (Score:5)
There is common belief that disabling the web interface will prevent this. It's not true; mine's been disabled ever since this was first reported a year ago and I still got hit. The problem is that "set web disable" prevents the web server from fiddling the router config, but doesn't actually stop the server from parsing input from port 80, which is what locks up the box.
An improved workaround is to disable the web-admin interface and change its port number with "set web port 53496" (replace with some random port number). At least that'll stop it for the near term.
Long term you need to get updated firmware, but of course Cisco won't distribute firmware directly to customers, even though they have public announcements of the existence of bugs and bugfixes. To actually get the firmware you have to get it from your DSL line provider (Qwest, in my case), and Qwest couldn't care less about security with respect to home users, so they've never bothered to offer fixed versions of CBOS.
--
This is why! (Score:3)
Infrastructure Issues (Score:3)
There have been quite a lot of posts on NANOG [merit.edu] about this already, and depletion of memory on Cisco routers causing them to crash.
--
what it looks like (Score:5)
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNN ...
There are tons of N's (can you say buffer overflow?) and then stuff after the N's. I've left that out to make it harder for script kiddies.
-ted
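The probe ted describes is easy to pick out of an Apache access log: a GET for /default.ida whose query string is a long run of N's. The following is an added example, not code from the original thread, that scans constructed log lines for that signature and counts probes per source address (as the later post does with its "new unique IP every second" observation); the 20-N minimum run length and the sample addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample Apache combined-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:15:15:30 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [19/Jul/2001:15:15:31 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [19/Jul/2001:15:16:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [19/Jul/2001:15:16:40 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.9 - - [19/Jul/2001:15:17:01 -0400] "GET /default.ida HTTP/1.1" 404 276 "-" "curl"
"""

# Apache combined log: ip ident user [timestamp] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)
# Assumed threshold: the thread says "tons of N's"; 20 is our cutoff, not from the post.
MIN_N_RUN = 20


def is_code_red_probe(method, path):
    """True when the request looks like GET /default.ida?NNNN... (long N run)."""
    if method != "GET":
        return False
    base, _, query = path.partition("?")
    if base.lower() != "/default.ida":
        return False
    # Length of the leading run of N's in the query string.
    n_run = len(query) - len(query.lstrip("N"))
    return n_run >= MIN_N_RUN


def scan_log(text):
    """Return (total probes, Counter of probes per source IP, first ts, last ts)."""
    per_ip = Counter()
    first = last = None
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        if is_code_red_probe(m["method"], m["path"]):
            per_ip[m["ip"]] += 1
            first = first or m["ts"]
            last = m["ts"]
    return sum(per_ip.values()), per_ip, first, last


if __name__ == "__main__":
    total, per_ip, first, last = scan_log(SAMPLE_LOG)
    print(f"{total} probes from {len(per_ip)} unique IPs between {first} and {last}")
```

A bare GET /default.ida with no payload (the last sample line) is not flagged, so a `grep default.ida` count will run higher than this scanner's.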
bashing M$ IS fun... (Score:5)
Re:Update! (Score:5)
Re:Why or why.... (Score:5)
Each of them has hit default.ida on one server I'm watching. From what I can tell from whois -a, 207.46 is all Microsoft corp! They can't even keep up with their patches.
(btw, on this same server I'm seeing a new unique IP default.ida hit every second)
Re:Detection (Score:3)
Re:Update! (Score:4)
it attacks 198.137.240.92 not www.whitehouse.gov
that is, it doesn't need to reference the DNS server (I was hoping to just add an entry for whitehouse.gov to our DNS server since I don't have access to the router side of things)
-f
Why or why.... (Score:5)
Sigh. Windows IIS: It's like walking around with a handful of twenties and giving a loaded gun to any criminal you meet.
Dealing with this all day (Score:4)
SealBeater
Re:Why or why.... (Score:3)
22 hits to me, though my overworked cable modem serves about 1000 unique visitors a day.
Then again traffic shouldn't matter... according to the articles the IP addresses to attack are produced by a pseudo-random algorithm... so those of us with a handful of hits have IPs that are way down on the algorithm's list.
My first hit was at 9:20 AM, the last was at 4:04 PM.
Can Microsoft Protect You From Itself? (Score:3)
Microsoft Outlook: Making the Goodtimes virus real.
Update! (Score:4)
Here is the snippet from bugtraq:
Thanks to Eric from Symantec for tossing us a note about the worm being Date
based and not Time based.
We made an error in our last analysis and said the worm would start
attacking whitehouse.gov based on a certain time. In reality it's based on a
date (the 20th UTC) which is tomorrow.
If the worm infects your system between the 1st and the 19th it will attempt
to deface the infected server's web page or try to propagate itself to other
systems. On the 20th all infected threads will attempt to attack
www.whitehouse.gov. This seems to continue until the worm is removed from
the infected system.
Any new infection that happens between the 20th and 28th will most likely be
someone "hand infecting" your system as all other worms should be attacking
whitehouse.gov. If for some reason you are infected between the 20th and the
28th then the worm will begin attacking whitehouse.gov without trying to
infect other systems. This attack will continue indefinitely.
The following are rough numbers, but we felt that it was important to
illustrate the effects this worm can _possibly_ have.
The worm has a timeline like this:
day of the month:
1-19: infect other hosts using the worm
20-27: attack whitehouse.gov forever
28-end of month: eternal sleep
Presumably, this could restart at any point in a new month again.
Also, some stats for the attack:
Each infection has 100 threads
Each thread is going to send about 100k, a byte at a time, which means you
have a (40 for ip + 1 for each byte) which means you have 4.1 megs of data
per thread
100 threads * 4.1megs = 410 Megabytes
This will be repeated again every 4.5 hours or so
Remember, each host can be infected multiple times, meaning that a single
host can send 410MB * # of infections.
We have had reports between 15 thousand and 196 thousand unique hosts
infected with the "Code Red" worm. However, there has been cross infection
and we have heard reports of at least 300+ thousand infections/instances
(machines with multiple infections etc..) of this worm.
If there are 300 thousand infections then that means you have (300,000 * 410
megabytes) that is going to be attempted to be flooded against
whitehouse.gov every 4 and a half hours. If this is true and the worm "works
as advertised" then the fact that whitehouse.gov goes offline is only the
beginning of what _can_ possibly happen...
Re:Good description here: (Score:5)
Re:what it looks like (Score:3)
If the DDoS doesn't bother spoofing the source address (and I didn't see anything to indicate that it did) and if it doesn't bother closing the hole, I find it interesting that the target of the attack could hypothetically "hack back".
(20 hits for default.ida in the logs at one job, 26 at the other. I (heart) Apache.)
Re:Affects IIS? (Score:3)
It's been done [software.com.pl].
(It's a link to information on RTM's worm, for those who don't feel like clicking the link.)
Re:what it looks like (Score:3)
Oh nos! You've called me a dumbass. My penis will now shrink, and I'll forever be a hollow shell of a man.
And assuming I'm understanding you correctly, by zombies you're referring to just an arbitrary exploited machine, running the DDoS on behalf of a third party. I was aware of this fact when I posted my comment. I certainly was under no misapprehension that a given DDoS machine was being run by the person who created the worm.
But that doesn't change the fact that, under the conditions I stated, the person on the receiving end of the attack could hypothetically reexploit each machine to (if they're nice) disable the worm or (if they're mean) wipe the system altogether. Besides, the owners of the machines in question share some culpability in their failure to properly administer and secure their systems.
Write Your Congressman NOW! (Score:3)
I got a little worried there for a sec!
I'm still worried!
Write your congressman. I want to see using a Microsoft server being treated as an act of criminal negligence, like drunk driving.
Haven't we all had enough of this bullspit?
My own webserver had been hit by several thousand of these attempts. When I got Slashdotted for putting up pictures of Bobo [glowingplate.com], it was bad. But this worm has been saturating my DSL with HTTP GET requests.
Re:Write Your Congressman NOW! (Score:4)
It's just because Microsoft is the number one webserver that the worm is targeted towards it. If Linux were the number one webserver the worm would target it.
Hmmm... Uhhh. Microsoft primarily makes operating systems which repeatedly prove themselves marginal for desktop use, and criminally inadequate for anything requiring stability or security.
I think you're attempting to imply that IIS server, which comes free - though hobbled to various degrees - with all versions of NT and 2000, is the number one webserver.
That's mighty good crack that you're smoking [netcraft.com].
P.S. Drunk driving is not as bad an activity as you describe. I love drunk driving. It's a lot of fun. A friend of mine used to work in an automotive wrecking yard, and we used to love cracking open a few beers and driving around the yard in one of the junkers that came in under its own power. It was a great way of spending a Friday evening when I was in high school. I assure you, 50-foot-tall mountains of crushed cars are a lot harder to avoid after 6 beers. Even worse, 50-foot-tall mountains of crushed cars are a lot harder than uncrushed cars. They don't collapse well in accidents after they've been through the Al-jon. One might even suggest that they have less crush space. Especially the silly little Hondas.
You know what? I love my cars, and I love my beer. But the two don't mix. I don't drive (on public roads, anyway) if I've had even one beer.
Old people kill more people just because of senility, than drunk drivers. Uh-huh. Yeah. You fascinate me.
Re:Cisco DSL routers (Score:4)
http://www.qwest.com/dsl/customerservice/win675ups.html [qwest.com]
Re:Windows Update (Score:3)
Not that keeping up to date on patches is very difficult (subscribe to their Security Bulletin at http://www.microsoft.com/technet/security/bulleti
They haven't really changed Windows Update since it was introduced with Windows 98 - they've really dropped the ball... Redhat's up2date and Ximian's Red Carpet are both quite a bit better than the current implementation of Windows Update.
--
Convictions are more dangerous enemies of truth than lies.
Re:Windows Update (Score:3)
a) it's really annoying, and lots of people just won't bother, and...
b) it's really easy to miss one or two
And there's no real way to check (there's a dinky little script available somewhere that'll check for IIS patches, but it's buggy and hard to find).
The Corporate Windows Update site makes them easier to download, but it takes weeks for patches to be put up on it after they've been released, and there's no real way to match them with the associated Bulletins (to know if they need to be re-downloaded, if you've missed any, etc.) And it doesn't allow searching by Service Pack.
In this case, Microsoft's system is just sloppy and unprofessional. There's absolutely no reason for this to be such a pain other than Microsoft isn't putting enough money and attention into its support structure.
Sure, they now allow Patches to be joined together so you only have to reboot once for multiple patches and they allow you to search by Service Pack, but those are baby steps that should've been done years ago... patches today should be instantly updated over the web and shouldn't require reboots in 99% of cases (for all IIS patches, it should just shut down IIS, update the files, and restart). Microsoft's behind the curve, and if I was a corporate system admin, I'd be tempted to switch to Red Hat just because they have a much better update structure.
(For instance, with Red Hat, you type up2date, it launches a graphical wizard which automatically tells you what you need updated, downloads, and installs them. It's like four mouse clicks to completely update your system to latest versions of everything on it.)
--
Convictions are more dangerous enemies of truth than lies.
Apologies to St. Ives.... (Score:5)
I met a worm they called Code Red...
And Code Red hit 100K hosts,
And every host had 3 infections
And every infection had 100 threads
And every thread sent 100k
And every k had a thousand bytes [*]
And every byte was sent in 1 packet
And every packet had a 40-byte header
Headers, packets,
Bytes, k,
Infections, hosts and threads...
Once every month, just to piss off the Feds.
[*] 1024 just doesn't scan well.
Probes coming from dial-up connections too! (Score:3)
Fortunately, a trace of the sources indicates that the servers involved are being shut down pretty quickly by their admins.
One alarming aspect is the number of these probes that are obviously coming from servers connected through PPP dial-up accounts.
I wonder how many people have installed IIS on PCs running IIS and don't even know it's running?
News With Attitude [7amnews.com]
Should have open sourced it... (Score:5)
Re:So, who's REALLY in charge... (Score:4)
Affects IIS? (Score:4)
Is this even worth mentioning? I mean, really! Don't all worms take advantage of security flaws in Microsoft software? Why can't someone write a worm to take advantage of Apache for a change? All of these Microsoft servers being compromised are making me jealous. If only I could afford a license of Win2k Server, then I could participate in the excitement as well...
some day....
WhiteHouse.gov? Thank God! (Score:4)
---