That annoying little code red

It's not really that big of a deal...I mean, how much bandwidth can code red possibly take? Not enough for me to notice a slow down. The only thing that's annoying to most people are the entries in their access_log [I happen to enjoy seeing all the infected II$ servers :)].

From what I have read, Code Red II should stop its attack in the beginning of Oct [maybe even the 1st at midnight]. I'm not sure of the exact date, but supposedly it's supposed to shut the infected computer down. Do a search on news.com if you want to know specifics. I've read so many articles on it, I don't remember where I heard what.
 
This CODE RED doesn't really affect Mac or Linux users directly, however....
This type of thing causes ISPs to change policy, and governments to create new laws.

Next, you will have to have a license to serve a simple web page.
(and unfortunately, they will hire microsoft to help regulate and administer the tests)
I did a little research with your script and another Perl script which I have.


I am guessing, but it looks like CODE RED opens at least 6 supposedly plugged holes in IIS servers.

These involve failure to parse Unicode characters correctly.
When this happens, the machine loses its mind and lets you execute command line commands (like getting directory listings of "protected" directories).
What I found was that the machines with only 4 of the holes open seemed to be partially or incorrectly patched against the worm's intrusion.

Those couldn't be shut down, and when I did a directory listing....

I very conveniently get this:

Directory of c:\inetpub\scripts

2000-03-30 02:58a <DIR> .
2000-03-30 02:58a <DIR> ..
2001-07-23 08:54p 291 index.asp
2001-07-23 08:54p 291 index.htm
2001-07-23 08:54p 291 default.asp
2001-07-23 08:54p 291 default.htm
2000-01-10 12:00p 310,544 root-codered.exe
2001-08-14 01:43p 2 root.exe
2001-08-14 01:43p 49 run.bat
2001-08-14 01:48p 233,980,700 stopcodered.txt
8 File(s) 234,292,459 bytes
2 Dir(s) 11,324,489,728 bytes free


Seems this user has tried his own preventative measures, but they did not work!!!!
In the world of Mac and Linux this is a confounding issue. Who could be so stupid as to apply half a patch? Didn't they read the instructions?
This article:
It's a Dread to Patch Code Red
from Wired.com
http://www.wired.com/news/infostructure/0,1377,45763,00.html

may contain some answers....

Pay particular attention to the quote from the Microsoft guy:

"I don't think things are nearly as bad as you are making them out to be," the employee wrote. "Following the instructions, it boils down to installing the latest software for three packages, installing the SRP, following six workarounds and applying three patches."

This is too sad and hilarious at the same time....

The best thing to do is start reading and educating yourselves.

There is at least one opinion that the Code RED is a "red herring". So start thinking about what will happen next.

Like, for example, how are you going to get word out about your website which is running on some unknown port? Microsoft Explorer sure isn't helping with that, is it?
 
Seems to have a lot to do with location

August Code Red intrusion attempts thus far:
5352
plus since 8/16:
2480
-----------------
7832

the first is on 8/4

7832/17=~460 per day

NOTE: Here in Japan we have a service called OCN which is set up by NTT. I don't know the exact numbers but the addresses which are scanning me seem to be my neighbors.

That means that the majority of the addresses in my log start with 211.X.X.X
A few start with 64.x.x.x

My theory is that....
the worm scans in its local neighborhood, if we are to believe the technical reports.

My service can be described thusly:


The service is set up on an ISDN emulation circuit where a fixed line is used at full capacity for a fixed monthly price. For example, the typical set-up may be 128K total bandwidth. This is mostly used by non computer professionals for their private office needs (SOHO). Each customer has 8 addresses, and specialized routers to handle this service may be dynamically or statically allocating the addresses to any number of machines within the LAN. The eminent danger is that most of the customers are probably running Windows servers which are poorly maintained or basically not well understood (or running machines which have IIS enabled and they don't really know about it). The base service is connected to an OC3 which extends from Korea to San Jose, California.

This is a field of grapes for would-be hackers.

I was hit hard and learned a difficult lesson with the .L10n worm and the ADORE worms which were attacking Linux/BIND vulnerabilities among others.

Through this year I have been running the MacOSX public Beta and the Release with thankfully no intrusions.

If you are not being bothered by these pests then you live in a good neighborhood. Bully for you.

The randomly picked addresses which I have investigated have been Chinese and Korean. According to the information which I gathered and posted above, there is some evidence that the owners of remaining infected servers believe that they have stopped the worm. !!!!

At this moment, mac users can be somewhat smug about the stability of this OSX. When someone does find it necessary to exploit some weakness, we hope that Mac Users will act in unison and correct the problems immediately.
 
Originally posted by Fahrvergnuugen
Not to sound totally stupid, but how do you execute shell scripts? Since I know Perl & PHP, I've always just written a script in either of those languages and then executed it in the shell. Just never had a reason to learn much about shell scripts I guess. Time to start...
Thanks.

LOL! If you have Perl skills, learning Bourne, awk and sed is the least of your problems. From what I can see (just picking Perl up), Perl does all they do plus a whole lot more. You're ahead of the game.
 
Just to go totally off topic......

If you want to see some shell scripts in action

read through the files in

/System/Library/StartupItems

you will notice that they start with

#!/bin/sh

There should be some manpages.
This is not a computer, it is a reference library.

Most of the various shells can be invoked in this way.

Then you put a list of commands.

In general "#" is a comment.

The main advantage of it is it will probably be runnable first....
as in before Perl has been called, and before other shells.

The init process uses it to get the other things set up.

Meanwhile, it is always there for you, so you can use it to do some things for httpd CGIs if you want.

Back to the topic....

here is another kind of script....
the Code RED II worm

is doing some nasty things at the API level of windows.

This sort of thing could happen anywhere.
Especially interesting for the technically minded is the API hooking technique
used by the worm.
http://www.unixwiz.net/techtips/CodeRedII.html

The IIS server knows where and how to access a bunch of things on the local
machine. So the worm just "asks" IIS to do the dirty work.

Then, IIS doesn't know everything but it knows how to contact other apps
that do.

Makes you want to think twice about encoding the entire OS API into
MFC42.dll just so you can write a few "open a window and display some
text" without "thinking" about it.
 
Originally posted by theed
I went all out with the code red stuff, and I have a page updating hourly with the code red statistics.
http://www.liquidbinary.com/CodeRed/

As for learning shell scripting ... you could try some stuff from O'Reilly, looking for csh, tcsh, or the like. Truth is, I think most of us learn "in the field." If you can figure out the syntax for sed, awk and grep, the only other things you should need to know before you can start scripting everything are:
cat spews a file into standard output
| takes stdout to stdin
> writes to a file
ending a line with & makes it run as its own process.

I learned by watching other command line phreaks, I can't imagine learning any other way.

There is excellent documentation if you use the 'man' command.
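As an added example, not from any post in this thread: a small POSIX shell script that uses just the cat / grep / awk / pipe pieces described above to tally Code Red probes in an Apache access_log per day and per source network, the way the monthly counts and the 211.x.x.x observation earlier in the thread were worked out by hand. It assumes the probes appear as requests for /default.ida (the request Code Red sent); the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Counts Code Red probes in an Apache
# access_log. Assumption: a probe is any request for /default.ida.

# Constructed sample of access_log lines (not real traffic).
sample_log() {
cat <<'EOF'
211.10.20.30 - - [04/Aug/2001:10:15:01 +0900] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 400 325
211.10.20.31 - - [04/Aug/2001:10:15:09 +0900] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 400 325
64.12.5.6 - - [04/Aug/2001:11:02:44 +0900] "GET /index.html HTTP/1.0" 200 1043
211.99.8.7 - - [05/Aug/2001:01:30:00 +0900] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 400 325
64.200.1.2 - - [05/Aug/2001:02:12:10 +0900] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 400 325
EOF
}

# Total number of probe lines (the "attempts thus far" figure).
count_probes() {
    sample_log | grep -c 'GET /default.ida'
}

# Probes per day as "DD/Mon/YYYY count". Field 4 is "[04/Aug/2001:10:15:01";
# split on ":" and drop the leading "[" to get the date.
probes_per_day() {
    sample_log | grep 'GET /default.ida' |
        awk '{ split($4, t, ":"); day = substr(t[1], 2); n[day]++ }
             END { for (d in n) print d, n[d] }' | sort
}

# Average probes per day over the days seen (the 7832/17 style figure).
probes_per_day_avg() {
    probes_per_day | awk '{ total += $2; days++ }
                          END { printf "%.1f\n", total / days }'
}

# Probes per source /8 ("211 3", "64 1"), busiest first, to check whether
# the scanners really are mostly in the local neighbourhood.
probes_per_net() {
    sample_log | grep 'GET /default.ida' |
        awk '{ split($1, o, "."); n[o[1]]++ }
             END { for (k in n) print k, n[k] }' | sort -k2,2nr
}

count_probes
probes_per_day
probes_per_day_avg
probes_per_net
```

Replace sample_log with cat /var/log/httpd/access_log (or wherever your server writes it) to run it on a real log.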
 