Please create an account to participate in the Slashdot moderation system


Forgot your password?
The Internet

Happy Birthday Code Red 373

totallygeek writes: "One year ago today (July 19, 2001), more than 359,000 computers were infected with the Code Red worm in less than 14 hours. At the peak of infection, more than 2,000 new machines were infected each minute. Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since. For the first time, systems running the Apache web server were getting requests for a document called "default.ida". Here we are a year later, and my web log shows an average of forty-two requests per day for default.ida over the last five days. To really appreciate the spread of this program, look at this animated image."
This discussion has been archived. No new comments can be posted.

Happy Birthday Code Red

Comments Filter:
  • by cbone00 ( 323341 ) on Friday July 19, 2002 @12:07AM (#3914465)
    It is the gift that just keeps on giving.
    • Unfortunately, if vigilant admins set up their severs properly -- i.e., disable unused script mappings (like I did ;-), this never would have happened, bug or no bug, worm or no worm.
      • by thesolo ( 131008 ) <> on Friday July 19, 2002 @08:43AM (#3915777) Homepage
        Unfortunately, if vigilant admins set up their severs properly -- i.e., disable unused script mappings (like I did ;-), this never would have happened, bug or no bug, worm or no worm.

        Yeah, that's fine and dandy for those who don't need the IDA, et all mappings; but what of those people who DO use them?! You know, a lot of those corporate servers that were hacked had those script mappings set for a reason, i.e. they were using them.

        That's great that you knew better than to keep the default script mappings, but what about people who needed them?? It would have been a lot nicer if Microsoft had written a secure server in the first place instead. Even the most vigilant sysadmin would still get infected running IIS if he needed to use the IDQ & IDA mappings. In short, don't blame the sysadmin, because it's not always their fault.
    • Recommended gifts from admirers:

      1) DIVX's of Hackers or The Net.
      2) Natalie Portman... Enough said.
      3) Port me to more platforms.

      and finally.... a 2nd chance.
  • by Jester99 ( 23135 ) on Friday July 19, 2002 @12:08AM (#3914471) Homepage
    ...that on the anniversary of an attack which paralyzed servers dead in their tracks, we hear the far-away screams of agony from the lone sysadmin of as 100,000 slashdotters pillage his machine simultaneously.
  • by colmore ( 56499 ) on Friday July 19, 2002 @12:09AM (#3914473) Journal
    Don't worry about Code Red and related problems. I'm sure Microsoft will fix everything before they start storing our National ID information.
  • Sorry. (Score:5, Interesting)

    by ryanr ( 30917 ) <> on Friday July 19, 2002 @12:09AM (#3914475) Homepage Journal
    One year anniversary was last week some time. We had been running DeepSight (nee ARIS) in a test mode at the time, and actually detected some test runs of Code Red about a week before the big outbreak.

    Folks will notice though that the fixed version of Code Red I (CodeRed.B) is still going. Picked up a couple of hits today.
    • Ya think? (Score:4, Interesting)

      by NFW ( 560362 ) on Friday July 19, 2002 @02:40AM (#3914969) Homepage
      I got curious about the default.ida hits I was getting my web server one day, so I took a look at the systems at a bunch of the IP address the attacks were coming from. I found mostly unix systems, a couple I couldn't ID (not that I tried much beyond telnetting to ports 25 and 80), and only a couple of Microsoft systems.

      This was not an exhaustive search, nor a statistically significant sample group, and dynamic IP allocation muddled the results a bit, but it was enough to make me wonder. How many of the 'code red attacks' these days are really script kitties with unix boxes? My guess is they account for most of them.

      Has anyone looked into this for more than the 15-20 minutes I put into it?

      • Re:Ya think? (Score:3, Informative)

        by ninjaz ( 1202 )
        I just looked into the 22 code red hits one of my hosts has gotten from midnight to 9am today.

        The results are:

        5 down
        14 reported as a Windows variant by nmap
        2 unknown
        1 Linux

        I looked into the 2 unknown results a bit more. Both respond on port 80 with an IIS banner and ASPSESSIONID cookies. One of them has a Serv-U banner for ftp as well.

        Interestingly, one of them (the one w/o Serv-U) is a site.

        The Linux result answers on port 443 as a vulnerable version of Apache on someone's firewall in Italy. This is likely being used as a launchpad for attacks.

        So, from what I gather, the bulk of the ongoing Code Red attacks are from Windows machines with extremely negligent administrators.
  • My server is still getting hit by code red infected
    servers on the avarage of every 5min. It would seem
    that after all of this time people would clean up their servers. What really bothers me is some of the machines hitting me are commercial web sits verses the home machines.
  • What about Morris? (Score:5, Insightful)

    by sconeu ( 64226 ) on Friday July 19, 2002 @12:14AM (#3914496) Homepage Journal
    Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since

    Granted, the 'Net was a lot smaller, but what about the Morris worm?
    • At least the Morris worm was gone within a month...
    • by Weffs11 ( 323188 )
      I was curious, so I did some research on what teh Morris Worm was. (I was 4 at teh time it was released)

      All About Morris []
      Wikipedia []
      It seems that a college kid [] wrote a small prgram to propagate itself to as many computers as it could, and try to run in the background unnoticed. But due to a bug(s) it copied itself manytimes over and ran multiple times on teh same machine, causeing to slow to a point of being unusable.

      It infected 6,000 VAX machines in November of 1988.

      Gotta love Google []
    • I was working for Siemens at the time as a young Unix hacker (

      The Morris worm was slowed down by the speed of the Internet... we had a 64kbps connection to ICL. We managed to pull our link to the next before we got affected. It was really quite exciting at the time, following the Usenet links as people pulled the Morris worm apart and analysed it byte by byte.

      In the end we were probably affected for around 3 days. We first realised there was a problem as Usenet dried up... we used to take all newsgroups with a feed of around 1000 posts per day! This slowed to a trickle during the 'attack'.

      Things got back to normal again as you really had to have people who knew what they were doing to get Unix and Vax systems on the 'net back then. Also there were nowhere near as many wankers online, even as a % of the total population. We were there in a spirit of cooperation and discovery. Happy days.

  • by SClitheroe ( 132403 ) on Friday July 19, 2002 @12:15AM (#3914497) Homepage
    It really was good pizza...and it was quite a bit of fun riding skateboards around the corporate HQ at 2:30am in the morning...

    Seriously, though, it also taught the company I work for a serious lesson about staying on top of this kind of stuff. We had just finished a 2 month project to secure our web servers, but we were still bound by our traditional change management processes - 7 days notification for an outage, and testing of all changes documented and submitted for approval in advance. At the time Code Red hit, I had sent a note saying "we've really got to get this hotfix applied", but we were bound by the process, and we got burned.

    Needless to say, when an urgent hotfix comes out now, it takes almost no convincing to get it applied ASAP. If it breaks a web app or two, well, that's the risk we take. We'd rather look for signoff from the business to unapply a hotfix that breaks something, than spend a few days trying to secure the approval beforehand. It's a lot cheaper in the long run to troubleshoot the effects of a hotfix that has unintended side effects than it is to watch your entire web farm get demolished by a worm.

    Yes, we run IIS, and I suppose you could harp about how this could all be avoided by running Apache, but the point is that without a policy, strategy, and process for rapidly deploying defenses against net-born attacks, no system is invulnerable.
    • but we were still bound by our traditional change management processes - 7 days notification for an outage, and testing of all changes documented and submitted for approval in advance.

      Well corporate policy or not it's pretty freakin' irresponsible for not having a security patch that was out more than 25 days before Code Red even hit. (Not to mention anyone who followed Microsoft's best practices for IIS wouldn't have been hit anyway).

      Apache, IIS, MSSQL, PHP, BIND, OpenSSH--it doesn't matter... they all gotta be patched.
    • Except there are patches I would be a little careful with as well. If you choose to run XP, there is a patch that makes the Guided Mode available through Nat and firewalls - tunneling effectively. Surely if someone has these in place- they sure as hell dont want such an obvious hole wide open...

      I sometimes use VNC - but restrict it through a firewall so only a specific IP(my work PC) can communicate with it, in specific timeframes. It also does not run as default - I use SSH to start it, also Ip filtered and time restricted. Which I think is all possible in windows as well(have not tried that). Oh - And it does not run as ROOT. I restrict root to console only.

      You see the other problem is that XP and 2k may well be running security vulnerable services without the user knowing -as default setup. Which is why XP is so bad as a joe user OS- it has more security holes than my socks...Unless you are competant to configure and patch it - and lets face it even many trained MIS staff miss them - let alone Joe Shmoe Wordprocessor who bought an XP box from PC world.
    • by Otis_INF ( 130595 ) on Friday July 19, 2002 @07:34AM (#3915538) Homepage
      Hotfixes don't kill webapps. I develop webapplications (the n-tier stuff, VC++/VB/ASP/IIS/SQLServer etc) for over 5 years now and have applied a zillion or so hotfixes on IIS and NT / Win2k server to keep the systems up to date, but never ever have I encountered 1 single hotfix which killed a webapplication nor did I hear from collegues that hotfixes killed their webapplications. If the webapp is written solidly, by the guidelines MS has supplied, you can apply any hotfix, period.

      When your developers are not that educated however, perhaps they use dirty tricks which will break when a hotfix is applied (allthough I doubt it, hotfixes mostly overwrite existing files without updating CLS_ID's etc, because these stay the same) and the app will die after the hotfix is applied: one reason to kick them out the door for some real professionals.
  • &oe=UTF-8&q=CodeRed.gif&btnG=Google+Search
  • by morcheeba ( 260908 ) on Friday July 19, 2002 @12:17AM (#3914511) Journal
    from the original analysis by David Moore []:

    UK Mirror []
    UK FTP []
    AU Mirror []
    Flipbook animation (207k .FLI) []
    Quicktime animation of growth by geographic breakdown [] (200K .mov {requires QuickTime v3 or newer} )
    original gif animation []

    • I don't know why the original poster didn't list the mirror information, after all the gif has the site name printed on it, but oh well. The mirrors are a lot faster, and I think it should be pointed out that the gif is 4.1M and the mov is 13.4M
  • Happy Birthday? (Score:4, Insightful)

    by SoupaFly ( 558227 ) on Friday July 19, 2002 @12:17AM (#3914513)
    What exactly are we supposed to celebrate? The inept SAs that have failed to patch their systems? The sad lack of software development skills and abundance of corporate greed that combine to push shoddy software upon millions of users?

    Maybe we should celebrate the resiliency of the Net. The fact that while attacks on systems continue to come daily, and at a seemingly increasing rate, everything still works most of the time.

    --knowledge, not information, is power
  • by Skreech ( 131543 ) on Friday July 19, 2002 @12:32AM (#3914571)
    From the official #python@OPN quotefile:

    <skreech> I'm gonna miss code red when its gone, my webpage has never gotten this many hits before
  • by ActMatrix ( 246577 ) on Friday July 19, 2002 @12:35AM (#3914577) Homepage
    DShield's Code Red Anniversary Page [] has an interesting graph showing scanning activity they've detected from active hosts since the beginning of this year. Some 35,000 IPs still continue to regularly come alive around the beginning of the month, quiet down towards the middle, and then resume the cycle again - the numbers have remained remarkably consistent.
  • June 18, 2001 14:29:28 -0700
    Microsoft Security Bulliten MS01-033

    June 18, 2001 14:36:53

    When did Code Red hit? Did I bother to notice? Did I bother to record? No. It didn't affect me much.
  • times out (Score:5, Insightful)

    by bilbobuggins ( 535860 ) <bilbobuggins@junt j u n t .com> on Friday July 19, 2002 @12:50AM (#3914627)
    To really appreciate the spread of this program, look at this animated image.

    Is it slashdotted or is that the demonstration?

  • My school district's (Score:5, Informative)

    by DMDx86 ( 17373 ) <> on Friday July 19, 2002 @12:50AM (#3914633) Homepage Journal
    Server is still infected with a IIS virus (though not Code Red). Here it is []

    I sent them an email - almost a year ago in fact. They just brushed me off and gave a rather pathetic excuse ("the box is too slow to run Norton").
    You can read the e-mail here [].

    Of course, these are the same people who run a trouble ticket server on the district wide WAN that any old joe at school can access and see where the security issues are.
    • by Qnal ( 593075 )
      Weird, I found a sadmind/IIS worm infection on [] Texas Community college [] website, I sent an email to the administrator but never got a reply back. I checked and its fixed now though.

      Another rampant problem with IIS that is still VERY VERY widespread is older Servers IIS 4.0 mainly, and some 5.0, that have FrontPage extensions installed, have botched NTFS permissions on the "Front Page Web".

      I don't know if anyone has noticed this, but if you have Microsoft Front Page installed on your browser, a little button shows up on your Internet Explorer toolbar, the default is usually the Word Icon, as in edit this page with Microsoft Word, but if you have Front Page installed on your computer, you can select Edit with FrontPage, and FrontPage will attempt to communicate with the Web Server for remote authoring, now if this web server is an IIS server, and has Front Page Extensions installed for remote authoring, and the NTFS permissions have not been set correctly, it will give you, the IUSR_ (Internet User) account FULL Priveleges to change the "Front Page web".

      As of now, I know 3 high profile companies who have this issue with their sites WIDE OPEN. Anyone can waltz in and alter their website, using the IUSR_ account. I would like to let them but how do I know they are not going to accuse me of something I didn't do, and just happened to stumble on.

      Oh well.
    • They will have a field day with it!
    • FWIW, I sent this to the superintendent several months ago (this was several months after I notifed the webmaster people who dropped the ball). All they did was 403 the /images (which contained the defacement), but it still is in other directories. That was because it was /images that I sent them the link to. I just love MCSEs!!
    • Heh, think that's bad?

      You'd be amazed [] at the places []still running old [] apache [] versions despite the ominous [] warnings []!

      (Yes, I found the lwn [] link very ironic too, but not as funny as this [])
  • by hagar© ( 115031 )
    "Happy Birthday Code Red, Happy Birthday Code Red, Bill sucks with his coding, Happy Birthday Code Red."

    Now blow out the flaming servers, and make a wish.
  • Argh (Score:3, Interesting)

    by Myuu ( 529245 ) <> on Friday July 19, 2002 @01:00AM (#3914671) Homepage
    No one ever notes that the CRW absolutely rape cisco dsl routers.

    At its peak, Qwest had a 5 hour hold time for people who's cisco was taken down by the vuln.

    Incidently, the fix was killed more routers.
  • The most recent service pack for Windows 2000 [] is dated May 2, 2001. There's a Security Rollup Package [] dated January 30, 2002. Nothing since then, despite the "month of effort" Microsoft supposedly put into fixes earlier this year. Whatever happened to that, anyway?

    Corporate America mostly runs Windows 2000. That's the system that needs security and reliability most. And where's Microsoft?

  • Is there a apache log analyser that shows nifty graphs of all the different kinds of attacks somewhere out there?

    That'd be cool :)
  • It says right on the image, so ewframes-small-log.gif []
    go there...

    Of course, that is a 4.1 MB GIF file.
  • What pisses me off (Score:4, Informative)

    by Com2Kid ( 142006 ) <> on Friday July 19, 2002 @01:37AM (#3914797) Homepage Journal
    What pisses me off is that when an early exploit was detected awhile back (err, many years), somebody released worm to go around and fix it but THEY where the ones who got in trouble with the FBI, thus setting a precident in the future saying that the computer community was not allowed to take all neccisary steps to fix problems that may pop up.

    Kind of killed off community effort right there. >;(
    • by jeffy124 ( 453342 )
      that's definitely interesting. Makes me wonder -- there was that Code Red Vigilante program written up. It was basically a Java program (speed issues aside, it was for maximum cross-platformness) that listens on port 80 for Code Red exploit attempts, then fires back at that machine, using the same default.ida exploit, causing a window to pop-up on the infected machine with information about what's wrong, what to do about it, where to go for more information, etc.

      The author made the program available on his website, so that anyone not running a webserver could run CRV themselves. I know the author also got a lot of thank you emails from infected users who thought they weren't vulnerable because of misinformation that was going around about the worm.

      As to your FBI story, I think the problem there was that the worm-patching-another-worm was making changes to the system without permission of the admin. But it makes me wonder how the FBI may have reacted to the CRV program. Given that the FBI has better educated themselves on computer hacking issues (especially since the witchhunts following the AT&T outage in the early 1990s), my guess is that they saw it as no biggie because it made no permanent changes to the infected machine.
  • I guess I should consider myself lucky.

    Nimda hits: 6213/134
    CodeRed hits: 76/76

    Damn annoying, though.
  • Hey, photographer! You wanna take a good picture? Here man, take this.

    This... is my bro.

    CRAZY EARL the sysadmin lifts a dustcover to reveal a toasted server

    This is his party. He's the guest of honor. Today... is his birthday.

    Email Mother calls out from down the hall: "Happy Birthday, Code Red."

    I will never forget this day. The day I came to IIS city and fought one million Code Red worms. I love the little Commie bastards, I really do. These enemy worms are as persistent as thick-headed CIOs.

    These are great days we're living, bros! We are jolly caffeinated giants walking the earth, with Bawlz []. These worms we wasted here today, contain the finest code we will ever see. After we start working with real servers again we're gonna miss not having any worms around worth killing!

    (obligatory reference [] for those who've never seen Full Metal Jacket)

  • 42 (Score:2, Funny)

    by kasperd ( 592156 )
    my web log shows an average of forty-two requests per day

    That is indeed interesting, a short time ago when discussing [] Windows security in a danish newsgroup, I counted the entries in my log. I also had an average of forty-two requests per day.

    This couldn't be a coincidence, could it?
  • by tlambert ( 566799 ) on Friday July 19, 2002 @03:41AM (#3915148)
    We jokingly discussed an Evil Plan where I worked when CodeRed first came out.

    One thing we discussed doing was getting a copy, disassembling it, and building a version that would install FreeBSD with Apache with Front Page Extensions and the Active Server Pages module over top of the Windows installation, with all of the web site content left more or less intact.

    We figured that it would be pretty cool if we could make it so that people would not notice that their server had been "competitively upgraded" until the next scheduled reboot/update.

    We thought that it would be even more likely to go a long time if we captured the console screen of the running server, and used it as the boot "splash screen" for the replacement OS...

    Of course, as I said, doing this would be Evil, so we only discussed the possibility.

    -- Terry
  • Haha (Score:3, Funny)

    by Cave Dweller ( 470644 ) on Friday July 19, 2002 @05:28AM (#3915361)
    I share a birthday with an IIS worm! Seriously!
    Do I get a cookie?
  • Mirror (Score:2, Informative)

    by Kjellander ( 163404 )

    Here's a mirror of the image. if []

  • 509 (Score:3, Interesting)

    by Ender Ryan ( 79406 ) on Friday July 19, 2002 @08:25AM (#3915692) Journal
    My web server received 509 requests for default.ida last week, 7 days.

    You should have seen it last year, one day we were receiving so many requests for non-existant files that out server was crawling, because our not found page was generated by some scripts. I simply wrote a Perl handler to handle it(roughly 60 secs) and that took care of it.

    Quite humorous it was. And that we still get thousands of hits from infected machines is hilarious.

    Heh, Internet worms... fun stuff.

  • by Proudrooster ( 580120 ) on Friday July 19, 2002 @10:07AM (#3916253) Homepage
    Believe it or not, out of all the people in in the world running MS Outlook, fewer than 1% have ever pulled down security patches, see The Great MS Patch Nobody Uses [].

    Additionally, the Win2K/NT server guys are afraid to install security patches since they never are really how much of their server is going to break []. Often times, Admins will patch the servers which touch the Internet but not the Internal servers for fear of breaking them. With Code Red, this was quite humorous because the outer servers were patched as soon as the Code Red patch was available, thinking this action would defend the realm against Code Red, but they forgot about the laptop users which brought Code Red in the back door via the local LAN.

    But not to worry folks, once we get Palladium hardware in all our servers, this will not happen again right? In fact we won't even have to patch anymore, since everything will be secure and, only secure applications will be allowed to run.

    Oh, wait, wouldn't IIS pass the palladium trusted application test?

    Why yes it would...... and Code Red would join the list of "Trusted Secure Applications".!
    Sorry, I have to smack Palladium everytime I get a chance.

I've finally learned what "upward compatible" means. It means we get to keep all our old mistakes. -- Dennie van Tassel