Code Red III 759
drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.
Re:It's not like they haven't announced the patch (Score:2, Informative)
"Ignorance of the law is no excuse", nor is ignorance of your upgrade cycle.
Its Microsoft's responisibilty to do everything they can to notify Win 2000 customers and solve this problem
As I said, they're already doing that. The problem is that too many people don't realize it's a problem they need to attend to. They think they can just install a server, run it, and forget about it.
their design flaw, not the admins. So they need to fix it.
What do you think the patch is for? Even Slashdotters' much-adored Apache software isn't immune to the occasional oversight. The difference is that, as yet, almost everyone who runs Apache is a responsible administrator who already knows the importance of keeping things up-to-date.
I'm not "blaming consumers for the corporation's mistakes," as you say. I'm saying that the corporation is doing everything it can be reasonably expected to, short of directly violating the privacy of every one of its registered customers by forcing a software upgrade down their broadband throats. At some point, you have to lay the blame on the users.
Re:An ETHICAL way to Anti-Virus (Score:5, Informative)
AddHandler cgi-script
then you can use Perl to write a quick script which will do the reverse lookup and then send that email. Or, if you want to use PHP instead, alter your AddType line for PHP to this:
AddType application/x-httpd-php
Then restart apache, and throw a script named default.ida up to your DocumentRoot directory.
-Chris
Re:More information? (Score:5, Informative)
I threw together a script a few nights ago that sends such a popup to every CodeRed2-infected server that's contacted my server. It's available at http://salfter.dyndns.org/codered.shtml [dyndns.org] if anyone's interested. I also have live log info available there...got only about two dozen hits from the original CodeRed, but CodeRed2 is at 3500 hits and climbing.
Since the list is fairly lengthy at this point, let's see if I can sneak the script past the lameness filter:
#!/bin/sh+ %22Your+w\Y ou+have+a+security\h +it.+You+should+fi\s +advantage+of+it.+\s cripts+\(or+wherev\i pts+is+the+default\
http_proxy=
for i in `(echo use apache2 ; echo 'select host.host from transfer inner join\
host on host.id=transfer.hostid where requestid=2058 and transfer.time>"2001-0\
7-31";' ) | mysql | sort | uniq | grep -v ^host\$`
do
echo -n Sending Code Red message to $i...
result=`ping -c 1 -w 3 $i | grep "100% packet loss"`
if [ -n "$result" ]
then
ec ho host is down.
else
ly nx -dump http://$i/scripts/root.exe\?/c+net+send+localhost
eb server+has+been+infected+with+the+CodeRed2+worm.+
+h ole+so+big+that+you+can+drive+a+Mack+truck+throug
x+ it+before+some+script+kiddie+comes+along+and+take
+R emove+root.exe+and+shell.exe+from+c:%5Cinetpub%5C
er +your+CGI+scripts+live,+though+c:%5Cinetpub%5Cscr
+l ocation\).%22 >/dev/null
ec ho message sent.
fi
done
Damn...looks like the lameness filter didn't throttle it, but some extra spaces got thrown in. The spaces that need to be removed are fairly obvious, though.
The guy does have a point (Score:2, Informative)
The Code Red hype Hall of Shame (Score:5, Informative)
Re:Code Red 'counter' (Score:2, Informative)
grep 'default.ida' access_log | mail -s 'APACHE' redalert@dshield.org
They use this information to notify the owners of the machines of the infection and to track the progression of the worm.
I feel so left out... (Score:2, Informative)
On the bright side, I have gotten acknowledgement from RRcustomercare (Mediaone/ATT/RR/pick one fscking name already!) that yes, technically it is okay to run a server as long as you don't negatively impact others. Then again, they are still saying that until this worm dies out, none of their customers will be seeing any incoming packets on port 80.
Some numbers and a comment (Score:1, Informative)
grep "Aug.*ida" httpd.log cut -f4,7 -d' ' |cut -c2-7,22-40 |sort -n|uniq -c
23 01/Aug
26 02/Aug
21 03/Aug
24 04/Aug
4 04/Aug
14 05/Aug
13 05/Aug
1 05/Aug
9 06/Aug
34 06/Aug
9 07/Aug
38 07/Aug
2 08/Aug
29 08/Aug
3 09/Aug
44 09/Aug
2 10/Aug
29 10/Aug
This was run at 11:45 PST, meaning today may be even worse for the XXX version than yesterday, probably about 60 attempts before the end of the day. There was a discussion about a code red removal worm, which given how long this thing has been attacking, and the results, is probably the ONLY way this thing is going to be removed. Why isn't the US Government issuing such a worm to protect national interests? It could operate by infecting only machines that attempt to infect the local machine, thus not probing any non-infected machines itself, if you arn't infected, it won't touch you, if you are, it will. Seems simple enough to me. At the rate of propogation this thing works at, it would quickly decimate most if not all infections very quickly.
Re:make some money off banner ads (Score:3, Informative)
Won't work. The worm won't follow redirects nor download any pictures (banners) from the page.
Code Red is trying to eat me! (Score:2, Informative)
So I get a call from my ISP Verizon yesterday. They ask me if I have been having problems with the Code Red virus.
"Nope, but my service is shot to hell. You guys must be having some serious problems."
The representative goes on to tell me that I can 'fix' the code red virus by unplugging my router and plugging it back in. I try, vainly, to inform him that the virus is doing nothing to my hardware and the reason I'm having problems is that it's making swiss cheese of the SERVERS...
Anyway, the guy finishes his script and hangs up. So is Verizon trying to cover up their ineptness by implying that the customer is infected, and not them? Proactivly trying to shift the blame to get less tech support call? Very strange indeed...
Re:More information? (Score:3, Informative)
Re:Microsoft should be sued (Score:3, Informative)
Re:OK lets shut down infected boxes - (Score:1, Informative)
Re:More information? (Score:4, Informative)
CRv2 on the other hand (which is technically the 3rd release, but the first two did almost the same thing) fills up the buffer using X's and then opens the backdoor, sets up root.exe in the scripts/ mapping, etc. Totally different codebase from what I gather.
In all likely hood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damanage upon infection to the machine... but not enough to keep the worm from spreading.
Justin Buist
Help me out on this one... (Score:2, Informative)
I understand that Code Red is a worm, but I wish I had more of an understanding of how it really works and what it is really doing. Anyone got a good explanation or link to an explanation?
Re:Help me out on this one... (Score:2, Informative)
Flippant answer. The kind that win benchmarks. Anything that reserves reasonable amounts of memory for variable-length things and cannot or does not insure that nothing spills outside its limits has this kind of problem, and that's most everything, not just Microsoft. Note that the real problem is not the exploits, it is the unnoticed cases where innocent input corrupts logically unrelated data.
Public Logfile - for *Educational* Purposes Only (Score:5, Informative)
I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log
should we set up a site somewhere of ip addrs?
Already got one! [glowingplate.com] Remember, the list, including fully-qualified hostnames [glowingplate.com], is for _educational_ purposes only. I've made it available [glowingplate.com] so that we can study how this thing moves, not for such purposes as mass-spamming postmaster@$IIS-INFECTED-HOSTNAME with flames reminding him that he is a bliterhing idiot, nor for other untoward activities which may be performed on a machine with a shell in a webserver's public directory.
CodeRed Information (Score:2, Informative)
CodeRed 2 - This is the worm we're seeing now, the one with the XXXX's in your logs. This worm seems to most frequently scan in it's own IP range (Class A I think?) So, if you're in the 24/8 range, you'll probably see a lot of scans from people using various cable providers. You can find more information about CodeRed 2 here [eeye.com].
So far, I haven't seen anything on the security sites confirming a 3rd version of this worm. The media has often used the term CodeRed3 to describe what is actually CodeRed2, the one giving us grief right now.
If a new variant of this worm does make it into the wild, it'll be interesting to see how quickly it can spread. It seems that a lot of hosts infected with CR2 give the error (403.9 Too many users connected) when you try to access port 80, which causes the eeye scanner to miss them, and apparently keeps them from being exploited by a new worm. It also keeps people from getting to the
It was also mentioned yesterday that NT4 servers that have been patched are still vulnerable to CR2 if they're using redirection. This seems odd to me, since the patch should have fixed a buffer overflow in idq.dll. If that overflow was fixed and IIS is still crashing, perhaps there is another buffer overflow that's showing up when it gets the long string from CR2 as part of the redirection. Just a guess on my part though.
Re:Help me out on this one... (Score:5, Informative)
What happens is that IIS sits there, waiting for Web browsers to request pages. A Code Red infected server starts randomly picking other computers on the Internet or the network, and requests them to send a Web page called default.ida. It then passes a huge parameter to default.ida.
Apparently, default.ida has hard-coded a maximum length for parameters -- say, 200 letters. (Probably not actually 200 -- but you get the idea.) That's what all the XXX and NNN's are there -- it's the 200 (etc.) letters that's the most default.ida is expecting to receive. A buffer overflow is when something goes past that maximum number of letters, and a program with a buffer overflow problem usually does something strange with the information past that point -- in this case, default.ida takes everthing after that number of letters and runs it like it were a program.
Normally, this would just crash IIS (since it's getting a bunch of garbage, and running garbage makes programs crash) but Code Red is purposely designed so after the right number (200 or whatever) of XXX/NNN's, it tacks on the code to infect the computer with Code Red. So, IIS runs the code, the computer becomes infected with Code Red, it starts trying to spread it to other computers, and the whole cycle starts all over again.
Re:Bah. (Score:4, Informative)
You might be interested in this article [securityfocus.com]titled, "Securing an unpatchable webserver"
Code Red 'counter' (Score:2, Informative)
cat
acts like a simple 'counter', if you have your logs for different sites split up and using rotatelogs like I do.
K5 contest (Score:2, Informative)
I just have my web server do a "net send %DOMAIN%" to warn them about their problem.
Re:More information? (Score:2, Informative)
Re:Gives me an idea to stop it spreading so fast.. (Score:2, Informative)
[slashdot.org]
http://slashdot.org/article.pl?sid=01/08/04/141
Look for "codeRedNeck"
I think you're on to something... (Score:5, Informative)
Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C