Home / Forums Index / Code, Content, and Presentation / HTML
HTML Forum

This 47 message thread spans 2 pages; this is page 2.
Code Red Worm exploits Windows IIS; Widespread servers hit
probes for default.ida files to set up attack on White House
msgraph (msg:616632), 6:59 pm on Jul 19, 2001 (gmt 0)

Anyone know what kind of request this is? I'm getting a bunch of them across multiple sites. The IP addresses are different and they come from all over the globe at different times throughout the day. No UA is attached.

"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%
u53ff%u0078%u0000%u00=a HTTP/1.0"

edited to wrap the text

(edited by: msgraph at 7:14 pm (gmt) on July 19, 2001)

Xoc (msg:616662), 4:58 pm on Jul 20, 2001 (gmt 0)

I agree with evinrude: There was a patch available for IIS for this bug since June 18. One estimate says that 200,000 machines have been affected. What does that tell you?

Bolotomus (msg:616663), 6:00 pm on Jul 20, 2001 (gmt 0)

Funny, my server logs do not show up exactly like posted above

Instead of this

"GET /default.ida?NNN....%u0000%u00=a HTTP/1.0"

I receive this

"GET / default.ida?NNN....%u0000%u00=a"

The "default.ida?NNNNN..." stuff is sent as the *protocol* not the page requested. Server logs report,

[Thu Jul 19 13:57:34 2001] [error] [client 65.10.132.75] Client sent malformed Host header

Bolot
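The two log shapes above (the normal request line msgraph posted, and the Apache variant Bolotomus reports, where the exploit string is logged in the protocol position and the target is just "/") can be picked out of an access log with a short detector. This is an added example, not code from either poster or from any vendor: the log lines it scans are constructed for the example, the filler run is shortened, and the `%u` decoding simply turns each `%uXXXX` word into the little-endian byte pair IIS would store for a 16-bit code unit, which is how the `%u9090` words become 0x90 (x86 NOP) bytes.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (made up for this example, not from any
# poster's server), in Apache "common" log format. Line 1 is the normal
# request line msgraph posted; line 2 is the shape Bolotomus describes,
# with the target logged as "/" and the exploit string in the protocol
# slot; line 3 is ordinary traffic.
_FILL = "N" * 32          # the real probe carries a much longer run of N
_ENC = ("%u9090%u6858%ucbd3%u7801" * 3
        + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [19/Jul/2001:13:57:34 -0500] "GET /default.ida?{_FILL}{_ENC} HTTP/1.0" 404 276',
    f'198.51.100.7 - - [19/Jul/2001:14:02:11 -0500] "GET / default.ida?{_FILL}{_ENC}" 400 0',
    '203.0.113.5 - - [19/Jul/2001:14:05:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
# A .ida query made of a long filler run followed by %u-encoded 16-bit words.
# The thread shows "N" filler; "X" is accepted too (used by a later variant,
# a fact from outside this thread).
PROBE_RE = re.compile(r'default\.ida\?(?P<fill>[NX]{16,})(?P<enc>(?:%u[0-9a-fA-F]{4})+)')


def decode_u(encoded: str) -> bytes:
    """Convert a run of %uXXXX words into the bytes IIS would store for them:
    each word is a 16-bit code unit written little-endian, so %u9090 becomes
    90 90 and %u6858 becomes 58 68."""
    out = bytearray()
    for word in re.findall(r'%u([0-9a-fA-F]{4})', encoded):
        out += int(word, 16).to_bytes(2, 'little')
    return bytes(out)


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a Code Red style .ida probe, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group('req')
    parts = req.split(' ', 2)             # method, target, protocol/tail
    target = parts[1] if len(parts) > 1 else ''
    hit = PROBE_RE.search(req)
    if not hit:
        return None
    # If the match begins past the target, Apache logged the exploit string
    # as the protocol (the malformed shape Bolotomus saw).
    in_target = hit.start() < len(parts[0]) + 1 + len(target)
    payload = decode_u(hit.group('enc'))
    return {
        'ip': m.group('ip'),
        'time': m.group('ts'),
        'status': int(m.group('status')),
        'location': 'target' if in_target else 'protocol',
        'filler_len': len(hit.group('fill')),
        'nop_count': payload.count(b'\x90'),   # 0x90 is the x86 NOP
        'payload_hex': payload.hex(),
    }


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every line and keep the hits."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} probe in {f['location']} "
              f"filler={f['filler_len']} nops={f['nop_count']} {f['payload_hex'][:24]}...")
```

Searching the whole logged request line rather than only the target is what makes the detector catch both shapes: a rule keyed on the request path alone misses the entries Apache rejected with "Client sent malformed Host header".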

evinrude (msg:616664), 7:07 pm on Jul 20, 2001 (gmt 0)

> I say it'll take a week before CNN

:) Made CNN [cnn.com] this morning.

pageoneresults (msg:616665), 8:52 pm on Jul 20, 2001 (gmt 0)

Hit us pretty bad. We had quite a few sites down for about six hours while we frantically transferred everything over to a new box running IIS5. Yes, I know, get away from MS! If it were that simple we probably would!

jimbob (msg:616666), 12:17 pm on Jul 21, 2001 (gmt 0)

Was affected in a way that caught me by surprise. We're running Apache but a significant affiliate was running MS. All the affiliate links were affected.

Bentler (msg:616667), 2:10 pm on Jul 21, 2001 (gmt 0)

We had two servers go down intermittently all day without getting infected. Interesting behavior.

On another note, I just received the Sircam virus in an email this morning, so be on the lookout. Sircam distributes personal files from your computer to infect others.

More about it at the CNN link mentioned in an earlier post on this thread.

Brett_Tabke (msg:616668), 7:16 pm on Jul 24, 2001 (gmt 0)

Moved the virus talk over to Foo [webmasterworld.com].

It seems the CodeRed worm is all done with.

paynt (msg:616669), 10:39 pm on Jul 29, 2001 (gmt 0)

Received this today from my systems administrator.

For Immediate Release: 3:00 PM EDT July 29, 2001

A Very Real and Present Threat to the Internet: July 31 Deadline For Action

Summary: The Code Red Worm and mutations of the worm pose a continued
and serious threat to Internet users. Immediate action is required to
combat this threat. Users who have deployed software that is
vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must
install, if they have not done so already, a vital security patch.

How Big Is The Problem?

On July 19, the Code Red worm infected more than 250,000 systems in
just 9 hours. The worm scans the Internet, identifies vulnerable
systems, and infects these systems by installing itself. Each newly
installed worm joins all the others causing the rate of scanning to
grow rapidly. This uncontrolled growth in scanning directly decreases
the speed of the Internet and can cause sporadic but widespread
outages among all types of systems. Code Red is likely to start
spreading again on July 31st, 2001 8:00 PM EDT and has mutated so that
it may be even more dangerous. This spread has the potential to
disrupt business and personal use of the Internet for applications
such as electronic commerce, email and entertainment.

Who Must Act?

Every organization or person who has Windows NT or Windows 2000
systems AND the IIS web server software may be vulnerable. IIS is
installed automatically for many applications. If you are not certain,
follow the instructions attached to determine whether you are running
IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, or Windows
Me, there is no action that you need to take in response to this
alert.

What To Do If You Are Vulnerable?

a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection: Install Microsoft's patch for
the Code Red vulnerability problem:
* Windows NT version 4.0:
[microsoft.com...]
* Windows 2000 Professional, Server and Advanced Server:
[microsoft.com...]

Step-by-step instructions for these actions are posted at
www.digitalisland.com/codered

Microsoft's description of the patch and its installation, and the
vulnerability it addresses is posted at:

[microsoft.com...]

Because of the importance of this threat, this alert is being made
jointly by:

Microsoft
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
SANS Institute
Internet Security Systems
Internet Security Alliance

Slade (msg:616670), 10:58 pm on Jul 29, 2001 (gmt 0)

They're a bit behind the times aren't they?

This discussion started over a week ago and they just sent you a warning email...

Sounds like Mickey$oft, billion dollars short and 10 days late :)

paynt (msg:616671), 10:59 pm on Jul 29, 2001 (gmt 0)

Hi Slade and Welcome to WmW,

Read the part that says...

>..spreading again on July 31st, 2001 8:00 PM EDT ....>

Bob1986 (msg:616672), 2:52 pm on Jul 30, 2001 (gmt 0)

I checked my log files and all access, and didn't find anything that the worm was doing to you guys done to me.... Guess it's saving me for the next target. Well, did they find out who he is?

littleman (msg:616673), 3:58 pm on Jul 30, 2001 (gmt 0)

What an embarrassment this has been for ms. Apparently ms, the White House, and the FBI are holding a joint press conference today on the subject.

evinrude (msg:616674), 5:53 pm on Jul 30, 2001 (gmt 0)

> They're a bit behind the times aren't they?

I believe the advisory was re-released recently since the Code Red worm has the potential to restart itself tomorrow evening. Because it's obvious many admins are not updating their systems with the latest patches/security fixes, it's a good idea to get this sort of information out as far as possible.

msgraph (msg:616675), 2:18 am on Jul 31, 2001 (gmt 0)

The funny thing for me is that I have to resubscribe to MS's security bulletin every 3 months or so. For some reason after a few months I don't receive them any more.

I wonder if certain ISPs out there see these bulk security mailings from MS as spam attempts and therefore block them after a certain amount is sent. Like if they receive more than x amount of mailings at one time on their server then they block the rest until another time. Either that or MS's subscription list gets wiped clean from time to time.

I mean I'm sure only 10%, if that many, of those running MS software know about these bulletins but that is beside the point.

Another thing is MS's Windows update application. The one that sends info to MS to check for any updates related to your OS. They release a patch on their security site on one date, then three or more months down the road they post it on their Win update site.

backus (msg:616676), 9:12 am on Aug 1, 2001 (gmt 0)

I heard that somebody is sending out a virus called Bliss2001 which will mess up Apache systems.

evinrude (msg:616677), 4:31 pm on Aug 1, 2001 (gmt 0)

> a virus called Bliss2001

Just so long as McAfee doesn't catch wind of it.... ;)

Somehow, I doubt the beast currently exists, as it hasn't hit the radars of...errr...well, any place I've searched, including BugTraq and McAfee (the guys who claim to have found the original "Bliss" first.)

I'd wonder where you heard it from. I'd chalk it up to hoax or wishful thinking. ;)

Fozner (msg:616678), 6:00 am on Oct 17, 2001 (gmt 0)

Yes, that would be amusing if it would open that site up on the infected server. Unfortunately, the worm does not access the internet through a browser and as far as I know doesn't even listen for a reply.

The message, if any, that this and other worms deliver is that there needs to be a standard way to contact system admins, and anybody who runs a web server and provides no way for you to contact them should be meted out some form of disciplinary action, like a $1 fine to get their attention.

Yes, my grammar is suffering. It's late and I've just finished digesting my webserver logs!

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved