HTML Forum

This 47 message thread spans 2 pages: 47 ( [1] 2 > >     
Code Red Worm exploits Windows IIS; Widespread servers hit
probes for default.ida files to set up attack on White House
msgraph
msg:616632, 6:59 pm on Jul 19, 2001 (gmt 0)

Anyone know what kind of request this is? I'm getting a bunch of them across multiple sites. The IP addresses are different and they come from all over the globe at different times throughout the day. No UA is attached.

"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%
u53ff%u0078%u0000%u00=a HTTP/1.0"

edited to wrap the text

(edited by: msgraph at 7:14 pm (gmt) on July 19, 2001)
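
As an added example (not code posted by anyone in this thread), here is a Python filter that picks the request shapes discussed above out of common-log-format access logs. The log lines are constructed for the example (documentation address ranges) and are modelled on the two requests quoted in the thread. The %u decoding mirrors what IIS did with the payload: each %uXXXX becomes one 16-bit value, stored little-endian on x86, so the runs of %u9090 are 0x90 NOP bytes in memory. The 224-character sled length and the variant letters are assumptions for the sample, not figures taken from the thread.

```python
"""Pick Code Red style probes out of web server access logs.

Added example for this thread, not code posted by any participant. The log
lines below are constructed (documentation IP ranges), modelled on the two
requests quoted in the thread.
"""
import re
import struct

# Apache-style "common" log format with the optional referer and user-agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# /default.ida? followed by a long run of one letter (the thread's samples use
# N; the letter is not load-bearing, the length is) and then the %uXXXX payload.
IDA_RE = re.compile(
    r'^/default\.ida\?(?P<sled>([A-Za-z])\2{31,})(?P<payload>%u[0-9a-fA-F]{4}.*)$'
)

# Overlong UTF-8 forms of "/" (%c0%af) and "\" (%c1%9c) that the IIS
# directory-traversal check did not recognise as path separators.
OVERLONG_SEP_RE = re.compile(r'%c0%af|%c1%9c', re.I)

PCT_U_RE = re.compile(r'%u([0-9a-fA-F]{4})')


def decode_percent_u(text: str) -> bytes:
    """Turn %uXXXX escapes into the bytes they occupy in memory.

    IIS decoded each %uXXXX to one 16-bit code unit; on x86 that is stored
    little-endian, so %u9090 is 90 90 (two NOPs) and %u6858 is 58 68.
    Anything that is not "%u" plus four hex digits (the trailing %u00=a in the
    sample) is skipped.
    """
    words = [int(h, 16) for h in PCT_U_RE.findall(text)]
    return b''.join(struct.pack('<H', w) for w in words)


def classify(line: str):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = m.group('path')
    result = {'ip': m.group('ip'), 'status': int(m.group('status')), 'kind': 'benign'}

    ida = IDA_RE.match(path)
    if ida:
        shellcode = decode_percent_u(ida.group('payload'))
        result.update(
            kind='ida-overflow',
            sled_len=len(ida.group('sled')),
            payload_bytes=len(shellcode),
            nop_bytes=shellcode.count(0x90),
        )
    elif OVERLONG_SEP_RE.search(path):
        result['kind'] = 'unicode-traversal'
    return result


def summarize(lines):
    """Classify every line and return only the ones that look like probes."""
    return [info for info in map(classify, lines) if info and info['kind'] != 'benign']


# --- constructed sample input (not real log data) ---------------------------
CODE_RED_PAYLOAD = (
    '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a'
)
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jul/2001:18:59:02 +0000] "GET /default.ida?'
    + 'N' * 224 + CODE_RED_PAYLOAD + ' HTTP/1.0" 400 0 "-" "-"',
    r'198.51.100.9 - - [19/Jul/2001:19:40:11 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe HTTP/1.0" 404 0 "-" "-"',
    '192.0.2.44 - - [19/Jul/2001:19:41:30 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for hit in summarize(SAMPLE_LOG):
        print(hit)
```

Two things the byte view makes visible that the raw log line does not: the request is a real overflow attempt rather than a broken client (a long single-letter sled, then a short %u-encoded blob that decodes to machine code with 0x90 padding), and the traversal request is a different attack against a different, older IIS bug, so a server patched for one is not necessarily patched for the other.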

 

ArtSEPI
msg:616633, 7:08 pm on Jul 19, 2001 (gmt 0)

I got the same thing man! What is up with that? Hackers?

mivox
msg:616634, 7:16 pm on Jul 19, 2001 (gmt 0)

Same here... one request today. (BTW - could you possibly insert a couple of line breaks into that page request, msgraph? Got some hellacious horizontal scrolling going on here! :) )

I've heard reports elsewhere that strange traffic is out in force today... could be some kind of en masse probing for server weaknesses?

agerhart
msg:616635, 7:33 pm on Jul 19, 2001 (gmt 0)

> I've heard reports elsewhere that strange traffic is out in force today...

yeah, and if you are in my range of the NE you will know this the hard way.....someone hacked their way into IDT, which serves a good part of New England.

ArtSEPI
msg:616636, 7:41 pm on Jul 19, 2001 (gmt 0)

Someone also made the following request:
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe
If you ask me this one looks like more of a h@<k than the other one ... now I'm pi$$3d!
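
The request in the post above is a different bug from the .ida one: a directory traversal through an overlong UTF-8 encoding of "/". As an added example (not code from any participant, and not Microsoft's code), the Python below models the ordering flaw in plain terms: the vulnerable server checked the path for traversal before it decoded the UTF-8, and the decode afterwards turned %c0%af into a "/" that the check never saw. The "/scripts" virtual root comes from the request itself; the decoder and the check are a simplified model, not IIS internals.

```python
"""Why "/scripts/..%c0%af../winnt/system32/cmd.exe" got past the traversal check.

Added example for this thread, not code from any participant or vendor. It
models the flaw in plain Python: check first, decode leniently second.
"""
import posixpath
from urllib.parse import unquote_to_bytes

VROOT = '/scripts/'   # virtual root taken from the request in the thread


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 but accept overlong two-byte forms, as the vulnerable decoder did.

    0xC0 0xAF is an overlong encoding of 0x2F ("/") and 0xC1 0x9C of 0x5C ("\\").
    A strict decoder rejects any lead byte of 0xC0 or 0xC1, because everything
    they could encode already has a one-byte form. Only 1- and 2-byte
    sequences are handled here, which is all the sample needs.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError('unsupported byte sequence at offset %d' % i)
    return ''.join(out)


def vulnerable_resolve(request_target: str):
    """Flawed order: percent-decode, check traversal on raw bytes, then UTF-8 decode.

    Returns the path that would actually be opened, or None if the check blocked it.
    """
    raw = unquote_to_bytes(request_target.split('?', 1)[0])
    # The check treats every byte as one opaque character, so "..\xc0\xaf.." is
    # an ordinary file name and the ".." that follows it cancels it out.
    checked = posixpath.normpath(raw.decode('latin-1'))
    if not checked.startswith(VROOT):
        return None
    # The later, lenient decode turns \xc0\xaf into "/" and the path changes.
    return posixpath.normpath(lenient_utf8_decode(raw))


def fixed_resolve(request_target: str):
    """Correct order: strict UTF-8 decode first, then normalise, then check."""
    raw = unquote_to_bytes(request_target.split('?', 1)[0])
    try:
        text = raw.decode('utf-8')   # strict: raises on overlong forms
    except UnicodeDecodeError:
        return None
    resolved = posixpath.normpath(text)
    if not resolved.startswith(VROOT):
        return None
    return resolved


# Request target quoted in the thread; the copy command after "?" is the query string.
ATTACK = (r'/scripts/..%c0%af../winnt/system32/cmd.exe'
          r'?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe')

if __name__ == '__main__':
    print('vulnerable:', vulnerable_resolve(ATTACK))
    print('fixed:     ', fixed_resolve(ATTACK))
```

The plain form `/scripts/../winnt/...` is blocked by both versions; that is exactly why the probe needs the overlong encoding. The fix is not a better blacklist but the order of operations: canonicalise to one representation first (and reject anything that is not valid in that representation), then make the security decision on the result.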

msgraph
msg:616637, 7:44 pm on Jul 19, 2001 (gmt 0)

> possibly insert a couple of line breaks

Yeah that was one helluva scroll when I checked back.

At first I thought I was getting hit by a bunch of mobile devices because many of the IPs were coming off of Telecom sites offering those services. Now I see that they are coming from regular ISPs as well.

I wonder if it is some global network of people trying to exploit servers. Maybe tied to that worm.com thing going around?

ggrot
msg:616638, 7:44 pm on Jul 19, 2001 (gmt 0)

ArtSEPI...That is a hack probe most definitely. There is a common weakness in an unpatched old IIS server. Apache never has such problems. That is a query string that will return enough information to the probing software to let them know whether or not your server has this vulnerability. It's very unlikely that it does.

evinrude
msg:616639, 7:46 pm on Jul 19, 2001 (gmt 0)

This looks like the request generated by the "Code Red" IIS worm that has been "released" recently.

Better info than I can supply can be found at Security Focus [securityfocus.com]

I believe that also includes a link to the patch.

mivox
msg:616640, 7:56 pm on Jul 19, 2001 (gmt 0)

Here's some data on the machines making the default.ida request on my site (in case anyone wants to do an in-depth comparison of where all the requests are coming from...):

[snip: edited by Brett_Tabke]

msgraph
msg:616641, 7:58 pm on Jul 19, 2001 (gmt 0)

Thanks for the link Evinrude, that appears to be the source.

Nothing to worry about for me. No MS garbage on our servers.

evinrude
msg:616642, 8:02 pm on Jul 19, 2001 (gmt 0)

>Here's some data on the machines making the default.ida request on my site..

Odds are the machines are compromised by the worm. It affects (errr, takes over...) only IIS machines using US English WindowsNT/2000. However, the method in which it seeks out new hosts can also DOS other servers, and apparently from a more recent email in the BugTraq forum, can play havoc with certain Cisco DSL routers that have web-admin enabled.

This worm exploits a buffer overflow in IIS's handling of .ida. A patch has been available for some time now. However, even patched systems can fall to the possible DOS capabilities (errrr...the bad pseudo-random handling of host seeking...) of the worm.

mivox
msg:616643, 8:10 pm on Jul 19, 2001 (gmt 0)

> only IIS machines using US English WindowsNT/2000

Why in heaven's name would the Xi San Qi Local Telephone Office in Beijing be using the US English version of anything? MS must have some really good salespeople in China...

evinrude
msg:616644, 8:18 pm on Jul 19, 2001 (gmt 0)

*shrug* According to NetCraft, they are indeed using Windows 2000/IIS5, though why English? No good answer for that one. Their web page requested I download the Chinese character set, though. :) The people who wrote up the advisory noted that the code explicitly checks for the US English version.

Brett_Tabke
msg:616645, 8:31 pm on Jul 19, 2001 (gmt 0)

Mivox, this is all script generated. Posting info about those machines is letting people know that they are compromised. Major security threat to the systems posted.

Brett_Tabke
msg:616646, 8:33 pm on Jul 19, 2001 (gmt 0)

What the script does is scan ip ranges looking for webservers, then issues requests like the ones above. Even my home machine was scanned 81 times today.

It's why the whole net is slow today.

agerhart
msg:616647, 8:37 pm on Jul 19, 2001 (gmt 0)

Brett,

slow is one thing.....our whole server went down....and it wasn't only our server, our colocated box went down, and a lot of other people's too

mivox
msg:616648, 8:43 pm on Jul 19, 2001 (gmt 0)

> Major security threat to the systems posted.

oops. sorry.

Xoc
msg:616649, 8:47 pm on Jul 19, 2001 (gmt 0)

If you have an Win2000/IIS box, it pays to regularly run hfcheck. This is a tool that examines your system and tells you what hotfixes you need to install. These hotfixes patch all the known security holes. That, plus a decent firewall, should protect you from almost all attacks. Almost all compromised systems are attacked through security holes that have been known for over a year.

You can download hfcheck from [microsoft.com].

msgraph
msg:616650, 8:59 pm on Jul 19, 2001 (gmt 0)

I guess I should have named this discussion something else when I started it. Can it be renamed something else to catch those users out there that are seeing the same things on their servers?

evinrude
msg:616651, 9:11 pm on Jul 19, 2001 (gmt 0)

Upon rereading the advisory, I may have misinterpreted the US English portion. I think what happens is, the worm will only deface US English servers. The worm can still spread via other versions of NT/2000.

A brief, "Readers Digest Condensed Version" of Marc Maiffret's analysis from BugTraq:

---- Worm Core Code ----
1. Host machine is infected via .ida buffer overflow.
2. 99 "attack" threads are spawned - each a replica of the worm.
3. 1 thread checks the version of NT/2000 for US English.
4. Checks for the existence of the file c:\notworm; if found the worm goes dormant.
5. Check system time. Perform different actions depending on the time. Either DOS attack www.whitehouse.gov or try to infect more hosts.

---- Deface Web Page Code ----
1. Step 3 in Worm Core Code checks system version.
2. If the system is not US English go back to Core Code, ignore defacement code.
3. Wait a few hours.
4. Do nifty trick to "hook" defacement code into memory (I could never explain this in a million years...) Users now see a defaced web site.
5. Wait 10 hours (users still see defaced web site.)
6. Replace old web site. (users now see usual web page.)

Gads, I hope I did that justice. A considerable portion of the code explanation was above my head. ;) Bottom line, though, is A) patch your IIS servers. B) even patched/non-IIS servers can be slowed down/crashed/DOSed by this. At the time of the advisory, at least 12,000 systems had been infected.

David
msg:616652, 9:33 pm on Jul 19, 2001 (gmt 0)

Well, I feel better that I am not alone and an Apache server user.

Doofus
msg:616653, 11:14 pm on Jul 19, 2001 (gmt 0)

This worm must be spreading pretty good.

In the last eight hours, I've had 40 of the default.ida?NNNNNNNNNNNNNNNN... entries in just one of my domain logs, and they're from all over the world.

Two other domains I checked also have a dozen or so each.

Until eight hours ago, I didn't see any.

I think we'll be hearing more about this worm in the future.

Brett_Tabke
msg:616654, 2:01 am on Jul 20, 2001 (gmt 0)

It's huge.

[cert.org...]

msgraph
msg:616655, 2:15 am on Jul 20, 2001 (gmt 0)

I say it'll take a week before CNN, Reuters, or AP picks it up

scratch that

[news.excite.com...]

Bolotomus
msg:616656, 6:57 am on Jul 20, 2001 (gmt 0)

I'm getting them too... from all over the place. So a Linux box is immune I take it?

evinrude
msg:616657, 9:03 am on Jul 20, 2001 (gmt 0)

> So a Linux box is immune I take it?

Any systems other than unpatched IIS4/5 on WindowsNT/2000 are immune to the actual exploit. However, there is a strong denial of service possibility if you happen to be targeted (albeit somewhat randomly...) by any of these. At the end of the day July 19th, only 1 of 4 servers I work on outside of a firewall had even seen this thing, and it only got hit 29 times. Other people, obviously, didn't fare so well....

According to a post made to the BugTraq mailing list later in the afternoon of the 19th, the worm is supposed to stop spreading and go into "attack mode" against www.whitehouse.gov at 5pm PST the evening of the 20th. It will continue in attack mode for a week, at which point it will go dormant.

The mathematics of it were quite intriguing. Paraphrasing a later post by Marc Maiffret to BugTraq:

100 threads/infection
4.1Megs of data transmitted/thread
100 threads * 4.1megs = 410Megs
Hosts can be infected multiple times so... 410Megs * # of infections
Repeat every 4.5 hours (or so...)
A possibility of 300,000 infections (possibly more)
300,000 * 410Megs = 123,000,000Megs every 4.5 hours...all funnelled to one URL.

His final words of that post:
If this is true and the worm "works as advertised" then the fact that whitehouse.gov goes offline is only the beginning of what _can_ possibly happen...

Sigh, I dread the day they find something like this in Apache. ;)

bobriggs
msg:616658, 12:32 pm on Jul 20, 2001 (gmt 0)

The worm had hard-coded the IP address of whitehouse.gov (198.137.240.91) This was known by disassembling the code: [eeye.com...]

whitehouse.gov changed its ip to 198.137.240.92 and the worm did and presumably still is attacking the old ip, but packets go into the bit bucket.

Brett_Tabke
msg:616659, 2:56 pm on Jul 20, 2001 (gmt 0)

>Sigh, I dread the day they find
>something like this in Apache.

I don't, because it will be patched in 24 hours.

The bug that the worm exploits is over a year old.

agerhart
msg:616660, 3:49 pm on Jul 20, 2001 (gmt 0)

we were without a connection for about 6 hours yesterday.......pain in the ______

evinrude
msg:616661, 4:03 pm on Jul 20, 2001 (gmt 0)

> because it will be patched in 24hours.

No, a patch will be AVAILABLE within 24 hours (perhaps). A patch for what this worm is doing has been available for quite some time, as well. The problem is, system admins are not updating their servers, so worms such as this can propagate to large numbers of machines. There are a large number of Apache web servers out there installed on machines run by people who are not all that technically inclined or even interested. Not to disparage any of the Cobalt crowd (I own one myself) but the proliferation of machines/internet appliances that try to put as much of the OS in the background (generally a unixish OS w/Apache) have increased the number of people running machines who don't take an active interest in what is actually running the beast. Ask them to install a patch or modify their software and they haven't a clue. They generally ask if the company that sold/built the machine has issued a package yet, that can be installed from the pretty web based GUI. All too often the release of such a package can follow the initial exploit by weeks....or more. In the case of Cobalt, such packages have also proven to be buggy themselves.

So, yes...I still fear the day when such a bug hits Apache. :)

© Webmaster World 1996-2014 all rights reserved