
Code Red Back For More

timothy posted more than 13 years ago | from the more-bells-more-whistles dept.


Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.


866 comments


it really is heavy in 24.*.*.* (1)

SkyIce (184974) | more than 13 years ago | (#2109579)

In the last ten minutes:
[Sat Aug 4 19:50:03 2001] [error] [client 24.45.135.139] File does not exist: /var/www/default.ida
[Sat Aug 4 19:50:18 2001] [error] [client 24.10.20.81] File does not exist: /var/www/default.ida
[Sat Aug 4 19:51:30 2001] [error] [client 24.43.198.115] File does not exist: /var/www/default.ida
[Sat Aug 4 19:58:09 2001] [error] [client 24.102.17.144] File does not exist: /var/www/default.ida
[Sat Aug 4 19:59:18 2001] [error] [client 24.190.160.240] File does not exist: /var/www/default.ida

Re:it really is heavy in 24.*.*.* (1)

mjowiz (449205) | more than 13 years ago | (#2136083)

My IP is 24.17
The modem light is just constantly on. I've even unplugged the modem from my router to confirm it is an external access, and sure enough the modem light is just chattering on constant with incoming traffic. Amazingly, I am still able to get out and the throughput is still very good in SE Michigan.

Spreading faster? (1)

PlazMatiC (11127) | more than 13 years ago | (#2109958)

I already have more hits for codered II than I did for the original.
Does it spread differently / attack more often?
Or is the random number generator better than in the original?

root@beethoven:/usr/local/apache/logs# grep default.ida access_log | wc -l
254
root@beethoven:/usr/local/apache/logs# grep NNNNNNNNNN access_log | wc -l
119
root@beethoven:/usr/local/apache/logs# grep XXXXXXXXXX access_log | wc -l
135

Re:Spreading faster? (1)

kilrogg (119108) | more than 13 years ago | (#2112163)

I'm in the 24. domain:

$ grep "default.ida" /var/log/httpd/access_log -c
497

$ grep "default.ida" /var/log/httpd/access_log | cut -d . -f 1 |grep 24 -c
392

$ grep "default.ida" /var/log/httpd/access_log |grep XXXXXXXXXX -c
385

I was only at ~80 NNN yesterday!

Re:Spreading faster? (1)

SkyIce (184974) | more than 13 years ago | (#2120395)

it's even better here, in 24.*.*.*:

oak:/var/log/apache# grep default.ida access.log | wc -l
293
oak:/var/log/apache# grep NNNNNNNNNN access.log | wc -l
90
oak:/var/log/apache# grep XXXXXXXXXX access.log | wc -l
203

After this... (0)

Anonymous Coward | more than 13 years ago | (#2110879)

After this whole mess anyone still running IIS is just a fscking moron.

In my honor too ... (5, Funny)

CodeRed (5676) | more than 13 years ago | (#2110880)

Errrr.... More things named in my honor... This can't be good!

If worms start popping up with Linux4Green (my ICQ nick) then I know I'm bad luck. :-P

Re:In my honor too ... (2, Funny)

Anonymous Coward | more than 13 years ago | (#2114854)

At least your name isn't Michael Bolton!

Your name is Michael Bolton? Wow, like the singer guy?
Yes, and it's just a coincidence.
So do you like his music?

Re:In my honor too ... (0)

Anonymous Coward | more than 13 years ago | (#2128362)

God you're a dork. I will most definitely not be adding you to my ICQ.

A few more details (5, Informative)

ryanr (30917) | more than 13 years ago | (#2110882)

It doesn't affect its own netspace exclusively. Initial analysis indicates that it will do so 6 out of 7 times. The 1 out of 7 will go outside its network range.

We'll have full details posted to the Incidents [securityfocus.com] list shortly.

Re:A few more details (1)

ShavenGoat (63696) | more than 13 years ago | (#2111965)

Looking at my logs, the first time I got an "/default.ida?XXX" was at about 9:45am PST. About an hour later I stopped getting Code Red I's NNN's in my logs.

This seems to show that the new Code Red worm kills the old version. I don't have any attempted connections from Code Red I in my logs anymore (since about 11am PST).

Re:A few more details (5, Insightful)

nebby (11637) | more than 13 years ago | (#2127731)

I haven't done any analysis of the worm myself, but has anyone questioned the possibility that this new version is phase two of the original worm? Not the same code per se, but perhaps the old code red does something to tell the new code red to "come here" or something?

The fact the old code red is turned off tells me that they might be linked to the same person/organization or something.. if I were some independent cracker I wouldn't bother getting rid of the old one since that's another thing which might break when I launch the new worm.

But does it actually *do* anything different? (1)

EvilMagnus (32878) | more than 13 years ago | (#2110883)

...or does it just have a different set of IPs that it targets?

We're still talking about an IIS4/5/PWS vulnerability that just defaces the default web page and tries to propagate itself, right?

Re:But does it actually *do* anything different? (2)

ryanr (30917) | more than 13 years ago | (#2127189)

It installs a back door. (As indicated in the link referenced.)

Re:But does it actually *do* anything different? (1)

EvilMagnus (32878) | more than 13 years ago | (#2114853)

Eep. My bad. I should read the comments first...;-/

Anyway, my class-C's been scanned >200 times by CodeRedII infected clients in the last 90 minutes. Yay.

Re:But does it actually *do* anything different? (2, Informative)

Anonymous Coward | more than 13 years ago | (#2137710)

"Antony Riley has further made a tentative confirmation that the new worm installs a back door that leaves the server wide open for attack (a command shell is available by using telnet to access the server)." from today's diary entry at a well known worm incident place (please don't post the url, I don't want them swamped; I already can't get thru to another place that posted an url that gives further details).

My subnet is hit (2)

wilkinsm (13507) | more than 13 years ago | (#2111812)

I'm on a /128 cox at home subnet. It's normally very quiet on my subnet, but since this morning my firewall has been bouncing packets like crazy.

I guess I'm going to have to put a packet sniffer on the other side of the wall and see what the hell is going on with this code red II.

Re:My subnet is hit (2, Funny)

matthewg (6374) | more than 13 years ago | (#2112162)

Wow, Cox has deployed IPv6 already? ;)

@home gettin' hit (0)

Anonymous Coward | more than 13 years ago | (#2111828)

233 attempts so far.

Seems pretty light in 128.x.x.x (1)

meta-monkey (321000) | more than 13 years ago | (#2112393)

Checking my web logs, I only see 4 Code Red IIs. Of course, I'm swamped with Code Red the First attacks. Thankfully, running Apache, all my servers do is say "huh?" and log it. Linux condoms are great for stopping Microsoft transmitted diseases.

Re:Seems pretty light in 128.x.x.x (1)

jgaynor (205453) | more than 13 years ago | (#2136088)

Learn your Ranges, Buddy. 128.x.x.x is a class B. Different search and attack patterns than a full-blown A.

Re:Seems pretty light in 128.x.x.x (1)

meta-monkey (321000) | more than 13 years ago | (#2111964)

Duh. I never said it was a Class A. A class A network has a 0 as the MSB, and a class B has a one. 128.x.x.x is 10000000.x.x.x in binary. However, the article mentioned that the worm stuck either within its own class A or its own class B, and I was merely commenting on the situation in my own slice of class B heaven.

People who don't know they are running IIS (2)

Proud Geek (260376) | more than 13 years ago | (#2112411)

Someone should tell all those idiots out there who pirate Windows 2000 that they should pirate "Windows 2000 Workstation" and not "Windows 2000 Server" because they're all going to get themselves own3d that way.

Why? (0)

Anonymous Coward | more than 13 years ago | (#2113453)

If these viruses/worms/trojans/what have you are designed to make the general public aware of the design faults of the Windows operating system then why don't they write them to do something even more drastic like install Linux or one of the BSDs* over top of the existing OS?

The ideal code red worm in my opinion would take the contents of a website, send it off to another infected host, go about its business installing an alternative OS and then bring back the data and have the system up and running again with the alternative OS. This would bring up all the uproar about the problems which is what the writer wants, while seemingly solving a problem at the same time. Plus it gives all those administrators that are stuck working with Windows but want to switch to something else their chance!

* yes I know that Linux and *BSD have their fair share of security problems too, I am merely using them as an example.

Re:Why? (0)

BassGuy23 (308297) | more than 13 years ago | (#2114057)

Anyone who could write an install program for Linux that worked correctly, worked quickly, was small enough to propagate itself in a reasonable amount of time, and was able to translate the host software config to the new Linux config would be sitting on a fat stack of cash. That would truly be Linux for the masses. Hell, if it could recognize my network card without a major effort on my part, it would be Linux for the masses. Unfortunately such a thing will probably never happen. But if it did, it would be even better if it spread itself. Imagine the embarrassment at Microsoft when all of a sudden all their servers are running Linux and, due to a "security flaw" in the distro, Windows has become "open source". Just my 2 cents. I should probably be sleeping right now.....

All I want to know is (1)

VFVTHUNTER (66253) | more than 13 years ago | (#2114056)

can I sue @home for using Microsoft IIS? ;-)

There's got to be a legal basis for it somewhere.

The request (2, Redundant)

ConsumedByTV (243497) | more than 13 years ago | (#2115786)

Here is the request I was hit with:

"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0"


So does this do anything differently?

24.43.*.* is rather heavy.. (1)

milkme123 (302350) | more than 13 years ago | (#2116687)

Must be a lot of people running win2k without turning off (or patching) IIS.. I read this story and noticed that ZoneAlarm recorded about 450 attempts in the last 10 hours.

what is code red. . (1, Insightful)

n3m6 (101260) | more than 13 years ago | (#2117108)

when will you people realize that code red is not just another worm that will fade away soon.. code red makes not only IIS webservers vulnerable.. but any service with an available exploit. i'm talking about the "code red algorithm" that it uses to scan the ip's and spread so fast. this is what makes code red so special.. and this is why we'll be having more of this soooner than you guys think.. its DDOS days all over again..

Re:what is code red. . (1)

mcleodnine (141832) | more than 13 years ago | (#2114855)

Someone should copyright the "code red algorithm". No. Wait. That would make it more popular.

Changing the name to "Code Bob" or "Clippy" might slow things down a bit.

My totals. (1)

Trifthen (40989) | more than 13 years ago | (#2118724)

grep default.ida access_log | awk '{print $1}' | sort | uniq | wc -l

155 unique IP's.

grep default.ida access_log | awk '{print $1}' | wc -l

232 Total Hits

grep default.ida access_log | grep home.com | awk '{print $1}' | sort | uniq | wc -l

32 Unique @home hits.

grep default.ida access_log | grep home.com | awk '{print $1}' | wc -l

96 Total @home hits.

Yeah, most attacks are definitely coming from the block I'm on. ::sigh::
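The grep pipelines in this thread (hits per variant, unique sources, hits from your own block) generalized into one script, as an added example that is not code from any poster here: it parses Apache common-log lines, tells the original worm (N filler) from Code Red II (X filler), and buckets each source by whether it shares the server's /16 or /8. The server address 24.17.5.9 and the sample log lines are constructed; a few of the source addresses are borrowed from posts above.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of Apache common-log lines (not real traffic). Some source
# addresses are borrowed from posts in this thread, the rest are made up. The
# server is assumed to sit at 24.17.5.9, which decides what "same /8" and
# "same /16" mean below.
SAMPLE_LOG = """\
24.45.135.139 - - [04/Aug/2001:19:50:03 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 282
24.10.20.81 - - [04/Aug/2001:19:50:18 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 282
24.17.200.7 - - [04/Aug/2001:19:51:30 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 282
24.17.200.7 - - [04/Aug/2001:19:52:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 282
61.211.105.21 - - [04/Aug/2001:19:58:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 282
65.3.4.5 - - [04/Aug/2001:19:59:18 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 282
cx123456-a.abc1.home.com - - [04/Aug/2001:20:00:41 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 282
24.17.9.33 - - [04/Aug/2001:20:01:00 -0400] "GET /index.html HTTP/1.0" 200 1043
"""

# Common log format: client identd user [timestamp] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
PROBE_PREFIX = "/default.ida?"


def parse_line(line):
    """Return the fields of one common-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(uri):
    """Name the Code Red variant behind a request URI, or None if it is not a default.ida probe.

    The original worm pads the overlong query with 'N'; Code Red II pads it with 'X'.
    That filler byte is what the grep NNNNNNNNNN / grep XXXXXXXXXX counts above key on.
    """
    if not uri.startswith(PROBE_PREFIX):
        return None
    filler = uri[len(PROBE_PREFIX):len(PROBE_PREFIX) + 1]
    if filler == "N":
        return "CodeRedI"
    if filler == "X":
        return "CodeRedII"
    return "default.ida-other"


def locality(src, server_ip):
    """Bucket a source by distance from the server: same /16, same /8, elsewhere,
    or unresolved when the log carries a hostname instead of an address
    (Apache HostnameLookups on, which is why the home.com greps above work)."""
    try:
        addr = ip_address(src)
    except ValueError:
        return "unresolved"
    if addr in ip_network(f"{server_ip}/16", strict=False):
        return "same_16"
    if addr in ip_network(f"{server_ip}/8", strict=False):
        return "same_8"
    return "elsewhere"


def summarize(log_text, server_ip):
    """Count probes per variant, unique sources, repeat offenders and per-variant locality."""
    by_variant = Counter()
    sources = Counter()
    loc = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        variant = classify(rec["uri"])
        if variant is None:
            continue
        by_variant[variant] += 1
        sources[rec["src"]] += 1
        loc[variant][locality(rec["src"], server_ip)] += 1
    return {
        "total": sum(by_variant.values()),
        "by_variant": dict(by_variant),
        "unique_sources": len(sources),
        # one address hitting you far more than its share is the symptom of a
        # broken random number generator in the worm, not of a busy neighbour
        "top_sources": sources.most_common(3),
        "locality": {v: dict(c) for v, c in loc.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG, "24.17.5.9"), indent=2))
```

Point it at a real access_log by reading the file into summarize() with your own server address; the per-variant locality split is what shows whether the X-filler probes really stay inside your /8 and /16.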

that's what i thought (1)

aechols (443299) | more than 13 years ago | (#2118778)

i have an old 486 running freesco as my broadband splitting device. klogd must be going crazy. since i got back home this morning it has rejected TONS of attempts on port 80. i suspected it was code red of course, but what bugged me was that it was mostly coming from my neighbors in 24.167, a few more in 24.something else, and an occasional one from a different class A. i thought code red was random. and then this story pops up. makes sense. well it's been fun all day going to http://insert.victim.ip.here/. :) there must be others doing the same since i get this once in a while: HTTP 403.9 - Access Forbidden: Too many users are connected

Re:that's what i thought (1)

aechols (443299) | more than 13 years ago | (#2128631)

i left this stuff out... i'm pretty sure this is the hacked page in the source, this warning is a comment at the top:
WARNING! Please do not alter this file. It may be replaced if you upgrade your web server

If you want to use it as a template, we recommend renaming it, and modifying the new file.
Thanks.
and the remainder of the page is like this:
Under Construction

The site you were trying to reach does not currently have a default page. It may be in the process of being upgraded.
Please try this site again later. If you still experience the problem, try contacting the Web site administrator.

Seems pretty light in 127.* (1)

CentrX (50629) | more than 13 years ago | (#2119349)

Checking my web logs, I only see 1 Code Red IIs. Thankfully, running IIS, all my servers do is say "huh?" and log it.

Things learned from Code Red (1)

MavEtJu (241979) | more than 13 years ago | (#2119350)

- reverse DNS is not done everywhere. It would be so easy to track things down if forward and reverse DNS were in sync
- email aliases like abuse, webmaster and hostmaster are not common on windows-machines.
- email aliases like abuse, webmaster and hostmaster are not common under domains.
- whois-servers of ccTLD are often hard to find or inoperative (hint to ICANN: we *NEED* whois!)

I really hate these webservers which give me an unreadable (prolly some asian font) page, without any clue on who to inform.

Of the more than 100 unique messages I sent out this weekend, more than 80% completely bounced because there was no abuse/webmaster/hostmaster alias.

Anyway, I don't foresee any job-problems for people who try to educate internet-newbies with common rules like reverse dns and aliases for common mail-names...

Getting hit hard (1)

stuccoguy (441799) | more than 13 years ago | (#2120460)

I am logging about 50 attempts per hour and nearly all of them are coming from IPs within my ISP (61.x.x.x). This is a 5MB wireless network and it seems to be very busy tonight.

me too (1)

aozilla (133143) | more than 13 years ago | (#2120732)

Several @home customers have written about slowed service today, but they're definitely not alone.

I've had slowed service today, but I think that's because I've been using Mozilla (which is now up to 69,428K in memory usage).

Re:me too (0)

Anonymous Coward | more than 13 years ago | (#2146668)

Take a good look people. Yet another person who broadcasts to the world that he doesn't understand threads under Linux.

My range... (2, Funny)

heliocentric (74613) | more than 13 years ago | (#2121148)

Well, with everyone feeling the need to chime in about what ranges they see like we did when we were taking bets if school would be canceled, I just felt like saying:

Nothing from the 192.168.0.x range here!!

=)

It's certainly more ambitious... (2)

David E. Smith (4570) | more than 13 years ago | (#2121149)

I just pulled out the logs from the home Web server on a 24.x.x.x cable modem (which never really does anything but redirect people to my real Web server). The original tried to attack my Apache web server about a dozen times over three days; this one, over the past four days, has tried over 200 attacks.

Getting bombed from 61.*.*.* too (1)

drunkmonk (241978) | more than 13 years ago | (#2121321)

I'm getting hammered from the 61.*.*.* range, too... and I'm just on a laptop with a dialup. Aren't I glad I run Apache and not IIS to do local web dev... - John

Getting slammed from 24.*.*.* (1)

sonnik (49704) | more than 13 years ago | (#2121650)

I also am an @Home subscriber, it seems to have gotten a lot worse for me in the past hour.

I'm just surprised with all the <sarcasm>excellent media coverage</sarcasm> that more hype wasn't made about possible attacks today.

I guess crappy reporting takes the weekend off.

I'm not really at threat from this latest version, but I still don't like the fact I'm getting slammed like this.

Re:Getting slammed from 24.*.*.* (0)

Anonymous Coward | more than 13 years ago | (#2125215)

I'm getting a lot from them and the 65.'s, too.

Re:Getting slammed from 24.*.*.* (1)

mjowiz (449205) | more than 13 years ago | (#2127888)

Yes it is amazing how the news organizations think the whole world takes the weekends off. I noticed nothing from the other attacks but I am wondering if it wouldn't be better to just unplug my cable modem tonight.

Yeesh....time to write antiviruses... (0)

spam368 (43865) | more than 13 years ago | (#2122922)

I think someone needs to write virii to combat these Code Red virii....although that would probably increase the network slowdown...for a while anyways..

Yep, this one is a little different. (1)

DragonWyatt (62035) | more than 13 years ago | (#2122923)

Here's the "new" URI request (apologies for the broken lines; lameness mangler?):
208.XX.XX.XX - - [04/Aug/2001:20:20:26 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 282 "-" "-"

Notice the gratuitous X's instead of N's...
Of course, Apache just laughs back with a 404.

I am happy that QuickPlace and Domino also 404 (1)

iconnor (131903) | more than 13 years ago | (#2128361)

I was searching for the XXXX and NNNN stuff all over (altavista, google, msdn, dejanews). Thanks for posting the request, I now know why all these useless lines are showing up in my logs.
I have noticed that Altavista and Google just don't seem to keep up any more. I guess the internet became too big for them. A few years ago I liked using Altavista.

Code Red source available (-1, Flamebait)

Anonymous Coward | more than 13 years ago | (#2125907)

The #1 resource for virus writers and security experts alike, Comp-U-Geek(tm) [comp-u-geek.net] , has the Code Red (1, not 2) source available for download. Looks like it was written by a 5-year-old.

Re:Code Red source available (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2110881)

Wow, thanks dude. Jeez, that is some messy code. I'll clean it up and release it under the GPL.

Re:Code Red source available (1)

testify (174404) | more than 13 years ago | (#2127665)

Don't hit the link. Pop-up hell.

Attempts here (2, Informative)

spinfire (148920) | more than 13 years ago | (#2126010)

I've compiled a list of IPs [isomerica.net] that have made 404 hits on default.ida. Companies like @home and speakeasy (my ISP) need to crack down on IIS users on home DSL networks and get them to install the patch. This many infected hosts is not a good thing.

Analogy (0)

Anonymous Coward | more than 13 years ago | (#2126294)

It's like it's raining outside, and I didn't notice until I opened the door and looked outside... I didn't know anything was going on till I read slashdot, saw this article, thought "I wonder if any are hitting me" and checked my web logs... and voila, there were a few hundred hits from Cr2, coming in every 1-2 minutes. amusing.

If this can't break Microsoft's back nothing will. (3, Insightful)

cybrthng (22291) | more than 13 years ago | (#2126423)

If there isn't one thing that can break the straw nothing will.

I'm warned that smoking and drinking are bad for my health

Medicines and drugs aren't legal unless they're fully tested and approved

My car doesn't lock up and freeze

My microwave doesn't blue screen and cook my brain inside out.

SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable.

WHY do i have to pay extra for the functionality of NOT being susceptible to virii and net attacks?

WHY doesn't microsoft NOTIFY me of the risks of using its OS?

I hope no one's bank is trusting microsoft, i hope anyone doing online transactions doesn't trust microsoft. I hope no one keeps personal, private, confidential and financial data on their pc's.

I hope no one running Windows is on the internet for that matter.

Re:If this can't break Microsoft's back nothing wi (0)

Anonymous Coward | more than 13 years ago | (#2118511)

I safety test pot everyday and its still not sold at Walmart. MS endangers data everyday and its doing just fine. Go figure...

Re:If this can't break Microsoft's back nothing wi (1)

mjowiz (449205) | more than 13 years ago | (#2120459)

If you read the Micro$oft EULA it is basically unwarranted for anything. Furthermore, M$ limits their liability to the cost of the software or $5 US, whichever is more.

Personally, I think the time for talking is over. It's time for what we used to call "muscle" during labor strikes. M$ deserves a little muscle right now.

From the Windows 2000 EULA (3, Interesting)

Waffle Iron (339739) | more than 13 years ago | (#2112516)

This Limited Warranty is void if failure of the Product has resulted from accident, abuse, misapplication, abnormal use or a virus.

Interesting.
Also...

Some states/jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you.

Does this really mean anything? Could somebody in some state conceivably sue them successfully? The rest of the EULA is an absolute, complete, iron-clad denial of any liability whatsoever. This last sentence is the only shred of hope I could find.

OTOH, be careful what you wish for. The GPL has similar disclaimers...

Re:If this can't break Microsoft's back nothing wi (3, Funny)

SlashGeek (192010) | more than 13 years ago | (#2112678)

As long as they don't change that to the worth of their software, or $5 US, whichever is more.

Re:If this can't break Microsoft's back nothing wi (3, Funny)

meta-monkey (321000) | more than 13 years ago | (#2123148)

WHY do i have to pay extra for the functionality of NOT being susceptible to virii and net attacks?

Actually, you don't. Linux is free :-p

Re:If this can't break Microsoft's back nothing wi (2)

cybrthng (22291) | more than 13 years ago | (#2136086)

Well, i do run linux at home, but at work they require windows for the sake of office which i don't use anyhow. (i'm a DBA, i sit on Sun boxen all day writing sql code or fixing databases from a shell prompt).

Even for windows users, a 120.00 linksys box and some know-how will protect you. At least close the blatant problems and protect your internal network.

People need to realise it is like putting locks on the doors to your house. Unless you're safe and secure, you're allowing *ANYONE IN!*

Would you like some cheese to go with your whine? (0)

Anonymous Coward | more than 13 years ago | (#2136087)

Cry me a river.

C:\dos C:\dos\run | run\dos\run (5, Informative)

mcleodnine (141832) | more than 13 years ago | (#2126740)

Seeing a lot of "XXXX" and far fewer "NNNN" in the logs. This version appears to stay crunchier in milk than the first. Up to 25-30 per hour, from 10 this afternoon. The 24.x.x.x may be getting slammed, but I can see another that is just as bad.

Snipped from incidents dot org (emphasis added)
Both Henk Wevers and corecode submitted packet traces of the complete request as shown below. Comparing this trace with the original Code Red (see the Code Red Infection Illustrated section of the July 23 Handler's Diary at: http://www.incidents.org/diary/july2001.php) it is immediately obvious that we are dealing with a new worm. Note that line 820 shows that the worm is doing something with
CMD.EXE; also the dump contains the string 'CodeRedII' on line 230. Note the references to root.exe on lines 840 and 880.

Article also mentions that it appears the compromised servers are backdoored and rooted. Ouch.

The editorial accusations of crying wolf might look a little pale this evening...

Re:C:\dos C:\dos\run | run\dos\run (0)

Anonymous Coward | more than 13 years ago | (#2124768)

"stays crunchy even" you say?

ARP Broadcast spamming (1)

skilbeck (315177) | more than 13 years ago | (#2127037)

I am being ARP passthru spammed - is this part of the CodeRed II deal?

Broken random number generator (again!) (2)

cperciva (102828) | more than 13 years ago | (#2127039)

It looks like someone has a broken random number generator again.

At least, that's the only explanation I can see for the fact that out of 250 attacks I've seen so far, 47 came from the same source IP. Admittedly, it being in the same /16 I'd expect to see more attacks from it, but unless it scans the entire /16 every 5 seconds I think it is a sign of a broken random number generator.

Come on guys, if you're going to try to bring down the internet, at least do it right!

The beginning of the end of free rides... (2)

pongo000 (97357) | more than 13 years ago | (#2127132)

...on @home for those who run small, low-bandwidth http servers. Most of the attacks on my Apache box have been from the 65.x.x.x subnet belonging to @home. I suspect @home will start scanning for open 80 ports, much as they did with port 119 when @home received the USENET death penalty. [slashdot.org]

RoadRunner (1)

spunkypimp (17324) | more than 13 years ago | (#2127140)

Here in the road runner Class A of 65.x.x.x I've gotten 14 hits on default.ida in the past 20 minutes, so obviously it's spread to Time Warner too, not just @home and speakeasy.

It's been crappy since yesterday. (1)

Cow_With_Gun (204379) | more than 13 years ago | (#2127186)

My internet has been slow and choppy since yesterday, and I am an @home cable user. SO this has been around longer than 9:11am EST.

cost of bandwidth (0)

Anonymous Coward | more than 13 years ago | (#2127700)

so can I sue Microsoft for allowing this to be installed on all their servers and for their use of my apache's server resources?

logs (5, Interesting)

Kryptolus (238444) | more than 13 years ago | (#2128143)

automatically generated list of attacks against my server [kryptolus.com]

147 attacks so far

the page is generated through a perl script that reads my apache logs

Source? (0)

Anonymous Coward | more than 13 years ago | (#2109578)

Can you either post the source, or a link to the source? I'd like to do the same (I have over 350)
Thanks

Re:Source? (1, Informative)

secs (262721) | more than 13 years ago | (#2136776)

it's not the greatest script but it's what i used

#!/usr/bin/perl
# Opens the Apache access log and picks out the IPs that attempt to pass the Code Red worm
use strict;
use warnings;

# Location of log file
my $LOG = "/var/log/apache/access_log";

#begin code
open(my $log, '<', $LOG) or die "Cannot open $LOG for read: $!";
my $count = 0;   # number of attempts seen
my @ip;          # source IP of every attempt (duplicates kept, so repeat offenders show up)
while (<$log>) {
    # both Code Red variants request /default.ida followed by '?' and the filler bytes
    next unless m{GET /default\.ida\?};
    # the client address is the first field of a common-log-format line
    if (/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) {
        $count++;
        push(@ip, $1);
    }
}
close($log);

# sort IPs octet by octet (this is a slow sort.. beware: both regexes run on every comparison)
print join "\n", sort {
    pack('C4' => $a =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/)
    cmp
    pack('C4' => $b =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/)
} @ip;
print "\n\nThis Box Has Had $count Attempts On It By The Code Red Virus.\n";
#end code

Re:logs (0)

secs (262721) | more than 13 years ago | (#2121322)

i did the same thing too.. 315 hits from 24.*.*.* on my logs [wox.org]

Re:logs (5, Informative)

Kryptolus (238444) | more than 13 years ago | (#2125219)

For those who are interested in the source:
http://www.kryptolus.com/red.txt

On another note, a server whose identity I will not name(solaris w/ apache) was hit with 17000 attacks as of yesterday(the server handles a lot of ips).

Re:logs (2)

ConsumedByTV (243497) | more than 13 years ago | (#2127187)

post the perl script? I would be very thankful :)

Re:logs (0)

Anonymous Coward | more than 13 years ago | (#2127188)

what do you use to log those attacks? thats very interesting...

a quick fix (2, Informative)

Swordfish (86310) | more than 13 years ago | (#2128360)

Here's a perverse idea for a quick fix for CR2.

First, see here [incidents.org] for how to telnet into the back door left by all CR2 infections. Second, write a script to telnet to all infected hosts which probe you on port 80 and shut down the offending machine. Third, run this script on your web server so that all hosts probing your site get shut down.

If everyone did this, then CR2 would disappear off the net within 24 hours, and we could all rest easy!

Re:a quick fix (2, Funny)

dozing (111230) | more than 13 years ago | (#2136777)

Wouldn't the best and quickest fix be to telnet into the machines and give 'em the old:
c:\deltree windows

maybe we could even install scripts on our own servers to automatically do this each time we receive a new attack. Automated windows repair solutions.

New Code Red Variant (1)

cfreeze (146454) | more than 13 years ago | (#2134662)

I sent this in as an anonymous story, but it looks like this one got posted instead. According to www.incidents.org [incidents.org] there is a new variant of Code Red (of which this would be the third version). This one installs a backdoor. As someone else posted here, the telltale sign is that the buffer overwrite payload is now a string of 'X's and not 'N's as in the previous two versions of Code Red. The stakes have been raised folks.

gee, imagine that... (1)

quackPOT (100330) | more than 13 years ago | (#2136084)

I was wondering when this mutant roach would be released. How much longer till more "mimin" type ugly bugs are sent out? -quackPOT

@home problems... (2)

garett_spencley (193892) | more than 13 years ago | (#2136085)

Slow service? I don't know about other @home customers (I'd like to hear) but my net connection was completely _down_ for about 8 hours this afternoon. As a matter of fact I just got back on.

The interesting thing was that the "cable" light on my cable modem was still on when usually when I can't get on the net it is off.

So I wonder what the problem really was. If maybe the routers were all up but the dhcp servers were down or something....

Anyone else have similar problems?

--
Garett

Re:@home problems... (1)

jmitchel!jmitchel.co (254506) | more than 13 years ago | (#2133155)

I noticed this afternoon that my receive light was always on on my cable modem too. It is continual ARPs, which I just realized were the product of infected computers trying to scan non-existent addresses, which the routers have to try to resolve.

The benefits of friendly neighbors (1)

dozing (111230) | more than 13 years ago | (#2136089)

I see a couple people saying they are getting a lot more of these hits than the original Code Red. Considering that someone earlier posted that it attacks the largest percentage of the time in its own netblock, I'm happy to have my server living in an exclusively Linux netblock. I've only seen one of this new variant so far (from 61.211.105.21, if anyone's interested). According to my snort logs it's come across my /24 network only 18 times. It pays to have nice neighbors.

Why don't they... (4, Insightful)

Greyfox (87712) | more than 13 years ago | (#2138054)

Modify the code red code to apply the security patch to the vulnerable IIS servers and reboot the system? While this is potentially destructive to your system (I'm told -- MS security patches and all that) it would pretty well take care of this problem...

Re:Why don't they... (1)

jgaynor (205453) | more than 13 years ago | (#2118513)

That is probably the smartest thing I've ever heard anyone say on Slashdot. Ever. Someone show their skills and write a variant that will run the patch (obviously not locally if they don't have it) from a remote server. Yeah, you can hate MS all you want, but until someone does something about it we're all going to be sucking bad HTTP requests.

Re:Why don't they... (0)

Anonymous Coward | more than 13 years ago | (#2146666)

Robert Morris, Jr., the worm crippled hundreds of thousands of computers connected to the Internet. It just so happened that young Mr. Morris's dad was the Chief Scientist at NSA. [cryptome.org]

Irish need not apply. (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2138055)

I think that the negros are at the heart of this worm - and the jews for that matter!

Something that should happen more often. (5, Funny)

RzUpAnmsCwrds (262647) | more than 13 years ago | (#2138057)

Man, I'm glad that I'm not using [Microsoft Product]. This new [virus/worm/trojan] exploits a [flaw/bug/backdoor] in [Microsoft Product], and it [does/doesn't] use Outlook and the stupidity of users. Luckily, I'm running [Free alternative to Microsoft product], so I'm not at risk. In fact, [Free alternative to Microsoft product] has protected me from [any integer over 200] [viruses/worms/trojans]. And just look at the [hundreds/thousands/millions/billions] of dollars that I've saved using [Free alternative to Microsoft product]. I hope that this [Free alternative to Microsoft product] takes off, along with [free alternative to Microsoft OS]. Unfortunately, my [company/home] has to pay for the stupidity of Microsoft: this [virus/worm/trojan] sucked [250KB/250MB/250GB/250TB] of bandwidth!

cisco 675 hanging. (1)

Teratogen (86708) | more than 13 years ago | (#2146669)

I have port 80 on my Cisco 675 router turned off.
In fact, it was the first thing I did when I configured the router. But somehow this Code Red worm is still hanging the router occasionally, so that I have to power cycle it. Anyone know why this is happening?

Hypothesis (2)

nebby (11637) | more than 13 years ago | (#2146670)

I bet they launched it on Saturday morning on purpose (or Friday night even.) By the time Sunday is over, the hacker(s) will have root access to a shitload of computers, and the sysadmins who hesitated patching showing up Monday morning will have long been 0wned.

Like someone said elsewhere, the best (and only, I think) way to partially fix this problem is to write a variant of the worm (Code Green? :)) that fixes all the servers before it gets out of hand. Apache server or not, if 100,000 computers are infected, the traffic costs of Code Red 1, 2, etc. hits alone will be enough of an incentive to fix the IIS servers. (Though it is kind of exciting to think of Microsoft having egg on their faces Monday morning when they get DoSed by 100,000 cable modems in one deafening yell.. but I digress)

What is this? (-1)

Pr0n K1ng (160688) | more than 13 years ago | (#2149694)

A comment of the first order? I think so!

Get it in ya!

Re:What is this? (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2138056)

you don't post anything worthwhile, do you?

Re:What is this? (-1)

Pr0n K1ng (160688) | more than 13 years ago | (#2125214)

What about you? What kind of a crap reply was this?

RIAA!! (-1, Troll)

jrockway (229604) | more than 13 years ago | (#2149696)

Get this while you still can and change the address to riaa's IP ;) *Evil grin* Let's get the MPAA, too. And microsoft.com

Re:RIAA!! (0)

Anonymous Coward | more than 13 years ago | (#2120743)

Do you think the RIAA cares what happens to their web server? They'd love it if the entire Internet went down in flames, which we're told is what will happen if code red or some variant that actually worked would clog every pipe entirely. Their puny web server would be a small price to squeeze out all the bandwidth being used by mp3s.

Re:RIAA!! (0, Troll)

Silver222 (452093) | more than 13 years ago | (#2148818)

What about Adobe? :)

cockandballs (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2149698)

mmmm, dinner! m!

Free r00t for all! (1, Insightful)

whatnotever (116284) | more than 13 years ago | (#2150030)

So here we basically have thousands of boxes with open backdoors, _broadcasting_ their presence to the world.

And with people so nicely distributing their logs here in this forum, the collection of ips is easier than ever!

Now that they have the backdoors, though, how hard would it be to patch them remotely? I'm thinking that if you put up a single exe on any old webserver, you could tell each infected host to just download and execute it. The only problems are writing the exe (not too hard), and figuring out how to get the host to download it, using the backdoor (probably trivial).

Re:Free r00t for all! (1)

testify (174404) | more than 13 years ago | (#2120744)

Yes, and where you have an unpatched IIS install, you often get a wide-open FTP server running as well. It's been making for some interesting browsing.

Re:Free r00t for all! (1)

krogoth (134320) | more than 13 years ago | (#2127570)

just write a win2k .bat to install the patch, and write a perl script to telnet in to any IP and use it if possible. It might cause data loss, but if there is no other way to fix sysadmins, it should be done.