Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: incrediBILL
edited to wrap the text
(edited by: msgraph at 7:14 pm (gmt) on July 19, 2001
I've heard reports elsewhere that strange traffic is out in force today... could be some kind of en masse probing for server weaknesses?
Yeah that was one helluva scroll when I checked back.
At first I thought I was getting hit by a bunch of mobile devices because many of the IP's were comming off of Telecom sites offering those services. Now I see that they are coming from regular ISP's as well.
I wonder if it is some global network of people trying to exploit servers. Maybe tied to that worm.com thing going around?
Better info then I can supply can be found at Security Focus [securityfocus.com]
I believe that also includes a link to the patch.
Odds are the machines are compromised by the worm. It affects (errr, takes over...) only IIS machines using US English WindowsNT/2000. However, the method in which it seeks out new hosts can also DOS other servers, and apparently from a more recent email in the BugTraq forum, can play havoc with certain Cisco DSL routers that have web-admin enabled.
This worm exploits a buffer overflow in IIS's handling of .ida. A patch has been available for some time now. However, even patched systems can fall to the possible DOS capabilities (errrr...the bad pseudo-random handling of host seeking...) of the worm.
You can download hfcheck from [microsoft.com ].
A brief, "Readers Digest Condensed Version" of Marc Maiffrets analysis from BugTraq:
---- Worm Core Code ----
1. Host machine is infected via .ida buffer overflow.
2. 99 "attack" threads are spawned - each a replica of the worm.
3. 1 thread checks the version of NT/2000 for US English.
4. Checks for the existance of the file c:\notworm if found worm goes dormant.
5. Check system time. Perform different actions depending on the time. Either DOS attack www.whitehouse.gov or try to infect more hosts.
---- Deface Web Page Code ----
1. Step 3 in Worm Core Code checks system version.
2. If the system is not US English go back to Core Code, ignore defacement code.
3. Wait a few hours.
4. Do nifty trick to "hook" defacement code into memory (I could never explain this in a million years...) Users now see a defaced web site.
5. Wait 10 hours (users still see defaced web site.)
6. Replace old web site. (users now see usual web page.)
Gads, I hope I did that justice. A considerable portion of the code explination was above my head. ;) Bottom line, though, is A) patch your IIS servers. B) even patched/non-IIS servers can be slowed down/crashed/DOSed by this. At the time of the advisery, at least 12,000 systems had been infected.
In the last eight hours, I've had 40 of the default.ida?NNNNNNNNNNNNNNNN... entries in just one of my domain logs, and they're from all over the world.
Two other domains I checked also have a dozen or so each.
Until eight hours ago, I didn't see any.
I think we'll be hearing more about this worm in the future.
Any systems other then unpatched IIS4/5 on WindowsNT/2000 are immune to the actual exploit. However, there is a strong denial of service possibility if you happen to be targetted (albiet somewhat randomly...) by any of these. At the end of the day July 19th, only 1 of 4 servers I work on outside of a firewall had even seen this thing, and it only got hit 29 times. Other people, obviously, didn't fare so well....
According to a post made to the BugTraq mailing list later in the afternoon of the 19th, the worm is supposed to stop spreading and go into "attack mode" against www.whitehouse.gov at 5pm PST the evening of the 20th. It will continue in attack mode for a week, at which point it will go dormant.
The mathematics of it were quite intrequing. Paraphrasing a later post by Marc Maiffret to BugTraq:
4.1Megs of data transmitted/thread
100 threads * 4.1megs = 410Megs
Hosts can be infected multiple times so... 410Megs * # of infections
Repeat every 4.5 hours (or so...)
A possibility of 300,000 infections (possibly more)
300,000 * 410Megs = 123,000,000Megs every 4.5 hours...all funnelled to one URL.
His final words of that post:
If this is true and the worm "works as advertised" then the fact that whitehouse.gov goes offline is only the begining of what _can_ possibly happen...
Sigh, I dread the day they find something like this in Apache. ;)
whitehouse.gov changed its ip to 18.104.22.168 and the worm did and presumably still is attacking the old ip, but packets go into the bit bucket.
No, a patch will be AVAILABLE within 24 hours (perhaps). A patch for what this worm is doing has been available for quite some time, as well. The problem is, system admins are not updating their servers, so worms such as this can propagate to large numbers of machines. There are a large number of Apache web servers out there installed on machines run by people who are not all that technically inclined or even interested. Not to disparage any of the Cobalt crowd (I own one myself) but the proliferation of machines/internet appliances that try to put as much of the OS in the background (generally a unixish OS w/Apache) have increased the number of people running machines who don't take an active interest in what is actually running the beast. Ask them to install a patch or modify their software and they haven't a clue. They generally ask if the company that sold/built the machine has issued a package yet, that can be installed from the pretty web based GUI. All to often the release of such a package can follow the initial exploit by weeks....or more. In the case of Cobalt, such packages have also proven to be buggy themselves.
So, yes...I still fear the day when such a bug hits Apache. :)