Website Technology Issues Forum

New Code Red Variant
Was bound to happen sooner or later...

 12:55 am on Aug 6, 2001 (gmt 0)

A new strain of the Code Red IIS worm has been detected. This version leaves a backdoor into the machine.

According to an analysis by Marc Maiffret of eeye.com, the new version uses the same infection techniques, but does not contain the www.whitehouse.gov DOS.

Additional info can be found at CNN [cnn.com] and at Security Focus/Bugtraq Archives [securityfocus.com].

Soooo...if you haven't or know someone who hasn't patched their IIS system yet....



 1:04 am on Aug 6, 2001 (gmt 0)

>>>Soooo...if you haven't or know someone who hasn't patched their IIS system yet....

Judging from my log files there's plenty of people who haven't done the patch yet.


 2:19 am on Aug 6, 2001 (gmt 0)

Same here, Toolman.

Unfortunately this virus is hurting more than IIS systems. Public access to my site is sporadic at best. Here's what the tech told me about the problem:

Hi, currently one of our main network providers is experiencing massive connectivity problems due to a new variant of the Code Red Virus. Our servers have not been affected by this virus since we're running Linux on all of our servers. The virus is bogging down many networks and this is causing the intermittent connectivity issues you are currently experiencing.

[rant]Microsoft should be held criminally liable for the cr@p they sell. In the very least, the government needs to step in and force Microsoft to recall the shoddy operating systems.[/rant]


 3:04 am on Aug 6, 2001 (gmt 0)

I am in the same boat. My site has been sluggish for the last day or so and now today I can't hardly connect. This may be a MS caused problem but... It's hard to understand with all the publicity how there can still be that many hosts that have not fixed the problem.


 4:51 am on Aug 6, 2001 (gmt 0)

This worm is a leech on any computer connected to a network .....

I installed an application-based firewall this last week and the port scans I see going on across the @home network are insane! In the last 2 days I have been scanned well into the thousands of times .... and sometimes it gets a little demanding, to the point of the firewall eating up a lot of resources. In fact I have been scanned over 20 times just in writing this little paragraph, arrgh. Now I am not 100% sure it's all because of the worm, but I cannot imagine that many people scanning ports a day looking for weaknesses, though with the web anything may be possible!


 12:18 pm on Aug 6, 2001 (gmt 0)

>>It's hard to understand with all the publicity how there can still be that many hosts that have not fixed the problem.

In some large corporations it sometimes takes 3 months to make a decision alone. The best one would be to drop MS.


 5:29 pm on Aug 6, 2001 (gmt 0)

>>It's hard to understand with all the publicity how there can still be that many hosts that have not fixed the problem.

Well, if my logs are any indicator of the average, then I'd have to assume there's a lotta IIS home installations out there. There are a ton of entries from cable modem networks, addresses that would seem to indicate PPP connections, and DSL. Probably people who just thought it'd be cool to run their own webserver, or people who purchased a machine and didn't know it was running on there.

Many companies, the one I work for included, lease their computers for a set amount of time. At the end of that lease, the company can either return the computers, or purchase them. In our case, and many others, after we buy them back, we sell them to any employee who happens to want one (or two...). While we wipe the computers clean before selling them, that still means a bunch of employees will now have a machine running Windows NT, and capable of running IIS.

Add to that the number of home users who simply want the latest greatest thing from Microsoft (yes they are out there!) and you wind up with a bunch of home users with Windows NT and W2K. A quick scan of some of the hosts in my log on Netcraft seems to suggest a high usage of W2K. Not surprising, when I think back on it, seeing tons of advertising in places like OfficeMax. Or, people who started using it at work, and decided to "borrow" a copy for home. ;)


 5:32 pm on Aug 6, 2001 (gmt 0)


IBM technicians kept track of Sunday night's virus outbreak -- dubbed 'Code Red 2' -- and watched in awe as the bug knocked down systems worldwide.



 7:26 pm on Aug 6, 2001 (gmt 0)

How about the source being a government agency keen to secure more funding for investigating cyber crimes?
Just a thought :)

Code Red appears to have taken down the internal network of a large company in this country.


 7:49 pm on Aug 6, 2001 (gmt 0)

I think somebody should code up a new code red package with the same distribution mechanism, but instead of installing backdoors or DOS'ing gov't websites, it simply should patch the system it infects, try to spread for a few days, then die.


 7:55 pm on Aug 6, 2001 (gmt 0)

Charity worms... LOL. I think I've heard discussion of that concept before.

Normally, I'd say not to bother protecting people from their own laziness/ignorance/bureaucracy... but since their ineptitude inconveniences everyone, I suppose I'll allow it. ;)


 7:58 pm on Aug 6, 2001 (gmt 0)

>>It's hard to understand with all the publicity how there can still be that many hosts that have not fixed the problem.

It's hard to understand why the media is now saying it has pretty much come to an end. That things are getting back to normal.

I see more in my log files today than all the previous days combined.


 8:16 pm on Aug 6, 2001 (gmt 0)

Umm, someone correct me if I am wrong, but isn't one of the traits of this particular worm that it lies dormant, and resurfaces again and again?

<rant>How long must the world suffer the pranks and hijinx of hackers based on Microshaft's inept security standards? Trust them with my data? Yeah, sure. Dotnet, hellstorm, why not? Go ahead give Ms the keys to your most precious asset -your data. They can't keep the backdoors locked anyway.</rant>


 10:34 pm on Aug 6, 2001 (gmt 0)

Experts say here [dailynews.yahoo.com] it spreads 4000 times faster than previous version.

The new analysis of the Code Red II worm shows it to be more than 4,000 times faster than the previous worm at picking its targets. One estimate Sunday reportedly put the number of infected systems at 400,000.

The log file of one of my high-traffic sites shows 20.000+ hits a day ago from infected servers. Others less than 200.


 1:15 am on Aug 7, 2001 (gmt 0)

Is this one asking for /default.ida?XXXX... instead of /default.ida?NNNN... ? That's what I've been seeing in my logfiles.


 1:26 am on Aug 7, 2001 (gmt 0)

I believe so... I had about 100 requests for each when I checked this morning. Dunno what that's gone up to since then.


 2:21 am on Aug 7, 2001 (gmt 0)

Wow! I just checked my logs for my dear old friend default.ida. Prior to today, I topped out at about 35. Today so far, it's up to 74.

My server doesn't seem slow, and my connection to the internet is not appreciably slower. Maybe I'm just lucky.



 2:45 am on Aug 7, 2001 (gmt 0)

>>Is this one asking for /default.ida?XXXX

Yep. That's the signature of the new version that leaves a backdoor. It's currently accounting for about 90-95% of the scans on my home web server (which is up to over 800 scans since Friday).


 10:07 am on Aug 7, 2001 (gmt 0)

Can any of you access a recent .gov or .gc log file? It seems to favor them.


 2:36 pm on Aug 7, 2001 (gmt 0)

Code Red Status page: [digitalisland.net...]

Graphs of code red scanning activity over the previous 6 days.


 8:22 pm on Aug 7, 2001 (gmt 0)

Macguru- from a .gov log, I've got 82 scans starting Sunday, with 49 today. Mixture of /default.ida?XXXX... and /default.ida?NNNN... , with most ?XXXX now.
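Added example (not written by any poster in this thread): a Python log tally that separates the two probe signatures discussed above, `/default.ida?NNNN...` and `/default.ida?XXXX...`, and counts hits and unique source hosts per day. It assumes Common Log Format; the sample lines, their addresses and the shortened padding are constructed.

```python
import re
from collections import defaultdict

# Padding character after "/default.ida?" as reported in this thread:
# N = original Code Red, X = the new variant that leaves a backdoor.
VARIANTS = {"N": "Code Red", "X": "Code Red II"}

# Common Log Format: host ident user [day/Mon/year:time zone] "request" ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:\]]+):[^\]]*\] "[A-Z]+ (?P<path>\S+)')
# Require a run of one padding character so an ordinary query string
# such as "?Name=x" is not counted as a probe.
PROBE_RE = re.compile(r'^/default\.ida\?(?P<pad>[NX])(?P=pad){7,}', re.I)

def classify(line):
    """Return (variant, host, day) for a probe line, else None."""
    m = LINE_RE.match(line)
    p = PROBE_RE.match(m.group("path")) if m else None
    if not p:
        return None
    return VARIANTS[p.group("pad").upper()], m.group("host"), m.group("day")

def summarize(lines):
    """Map (day, variant) -> (total hits, distinct source hosts)."""
    hits, hosts = defaultdict(int), defaultdict(set)
    for line in lines:
        found = classify(line)
        if found:
            variant, host, day = found
            hits[(day, variant)] += 1
            hosts[(day, variant)].add(host)
    return {key: (hits[key], len(hosts[key])) for key in hits}

def _hit(host, stamp, pad):
    # Builds one constructed sample line (padding shortened to 40 chars).
    return f'{host} - - [{stamp} +0000] "GET /default.ida?{pad * 40} HTTP/1.0" 404 276'

SAMPLE_LOG = [  # constructed; addresses are documentation ranges
    _hit("192.0.2.10", "05/Aug/2001:23:41:07", "N"),
    _hit("198.51.100.7", "06/Aug/2001:02:15:33", "X"),
    _hit("198.51.100.7", "06/Aug/2001:02:15:40", "X"),
    _hit("203.0.113.25", "06/Aug/2001:09:02:11", "X"),
    '192.0.2.99 - - [06/Aug/2001:09:03:00 +0000] "GET /index.html HTTP/1.0" 200 5120',
    '192.0.2.99 - - [06/Aug/2001:09:03:05 +0000] "GET /default.ida?Name=x HTTP/1.0" 404 276',
]

if __name__ == "__main__":
    for (day, variant), (n, uniq) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{day}  {variant:<11}  hits={n}  unique_hosts={uniq}")
```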


 3:08 am on Aug 8, 2001 (gmt 0)

Here is a kicker you may all hate ....

I was billed today for the extra bandwidth that code red is using on my servers ....

I called @home today to find no tech support line due to the people calling them. So I used the online support, and since the majority of the requests come from their network I requested they email their users, to no avail; they were not cooperative.
So I am paying higher bandwidth bills because their networks are so full of the virus .... Don't get me wrong, I am an @home user but I do not have worms. It does not make sense that they have not emailed their user database yet, and this worm leeching their users' computers is definitely in violation of their TOS ...... I could rant about this for hours though I won't ...

I know that some road runner and all the videotron users were emailed warning them to patch their computers and stop this behavior but to no avail @home feels it is not responsible .... Should I bill them for the users' computers that are querying my server non stop? I only wish it was that simple, ohh well, another day another wasted dollar that I worked my behind off to make!


 1:07 am on Aug 9, 2001 (gmt 0)

It appears M$ hasn't been practicing what it preaches [dailynews.yahoo.com].

Thank you Bentler, so I was wrong.


 3:03 am on Aug 9, 2001 (gmt 0)

I did a reverse ip lookup on a few of the infected servers out of curiosity to see who wasn't installing patches, besides being a good web samaritan ...came up with a small software company in Philadelphia, General Mills Inc, and SW Bell-- probably a dial-up account.

Was able to connect with the server admin for the software company-- he said it was a mail server that they skipped by accident. General Mills never did respond -- got a returned email on their ip registration info.

(edited out the word "slackmeyers")


 3:30 am on Aug 9, 2001 (gmt 0)

I emailed roughly a dozen admins and haven't heard back from any of them. I s'pose, though, that it does put the large numbers of infected servers into perspective. If the admins of these sites don't give a d*** about their servers, I doubt their lack of responsiveness should be any surprise. With around 900 unique sources in my logs, the thought of emailing them all with little or no response hardly seems worth it at times.

Of the three largest "collections" of offenders: RoadRunner, @Home, and, in my case GCI (the service provider I use, go figure) only one has responded to an email, and that response was an autoreply. I s'pect they are being flooded with emails, actually. Of the group of people I work with, at least three are actively emailing admins. And we all are feeling frustrated in the lack of responses.

While I don't think Code Red has lived up to its network killing media hype, it certainly has proven to be an education in the general attitude of system administration. While 900 unique hosts isn't all that many in the grand scheme, and a dozen emails even less...the fact that none have cared enough to respond just leaves me a bit taken aback. I think I'll just comfort myself with the possibly optimistic thought that maybe they just haven't gotten around to it 'cause they are too busy patching their servers. ;)


 4:19 am on Aug 9, 2001 (gmt 0)

I suspect there's more to the Code Red II story than we've heard about yet--seems the backdoor was put in for a reason. I imagine F0rpaxe and Global Hell members staying up nights taking advantage of this unusually grisly opportunity. Then again, maybe not.


 11:50 am on Aug 9, 2001 (gmt 0)

Ok I heard this morning on the news that @home/att is going to start pulling the plug on people connected to the network without the patch. Finally after days on end of port scans and queries to our servers someone is going to start getting something done. In all the emails, phone calls and chats with @home they listened ... Yippee

@home has scanned my ports a few times trying to see if I have a patch so maybe this should help ..

Maybe it was the white lie I told them about a friend at CNN that is a reporter ? hahahahaha

The port scans have already started to die down since the last two days of constant annoyance. I still will not believe it totally until I see them cease altogether.


 1:44 pm on Aug 9, 2001 (gmt 0)

Nice work Traffic--hopefully they reduced your bill!


 10:57 am on Aug 10, 2001 (gmt 0)

Great article by Bob Cringely on MS and its parasites at [pbs.org...] ...

"The wonder of all these Internet security problems is that they are continually labeled as "e-mail viruses" or "Internet worms," rather than the more correct designation of "Windows viruses" or "Microsoft Outlook viruses." It is to the credit of the Microsoft public relations team that Redmond has somehow escaped blame, because nearly all the data security problems of recent years have been Windows-specific, taking advantage of the glaring security loopholes that exist in these Microsoft products. If it were not for Microsoft's carefully worded user license agreement, which holds the company blameless for absolutely anything, they would probably have been awash in class action lawsuits by now."

Read the rest... given the WinXP debacle, it's certainly not far fetched that it's goodbye to TCP/IP and hallo to TCP/MS riding on the backs of .Net, Hailstorm, and the Apocalypse :)

"And now, we have the impending release of Windows XP, and its problem of raw TCP/IP socket exposure. As I detailed two weeks ago, XP is the first home version of Windows to allow complete access to TCP/IP sockets, which can be exploited by viruses to do all sorts of damage."

Just who is the Unknown Rider? Gates, Ballmer or Allchin? And how the hell do they continue to get away with it?

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved