
Code Red?

  • 01-08-2001 11:22pm
    #1
    Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Has anyone noticed any effect of this virus, or is someone after messing up somewhere after trying to scare everyone??!


Comments

  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    It's just the feebs trying to draw a little attention to themselves. They'll have another press conference now saying that Code Red *didn't* have such a devastating effect *because* they told everyone about it. It's just an exercise in PR - the NIPC is in trouble because they're absolutely hopeless at "protecting America" from "cyberthreats", and they're trying to justify their funding. Code Red was a magnificent opportunity for them to show that the NIPC is needed, and because the majority of the American population is as thick as two short planks - their leader being a prime example - they'll swallow it whole and smile like porn stars.

    adam

    PS. No disrespect intended to our American visitors. I said "the majority", but I know some very intelligent Americans. As a whole though, they have the intelligence of a mentally-challenged gnat.

    PPS. The conspiracy theorist in me thinks that "Code Red" is all *too* convenient. Particularly when the feebs are so quick to point out how hard it will be to track down. Think back to every other "cyberthreat" we've had now - didn't the feebs *always* say they'd track down the "perp" by all means necessary? I'll let you draw your own conclusions...


  • Closed Accounts Posts: 2,682 ✭✭✭chernobyl


    I like the way microsoft always blame the ppl who find flaws in IIS and never admit their own coc|<up, and get away with it.
    Anyone remember the lamers who cracked the eircom page a few years ago? That was done with a single program because of a flaw in IIS 4.0.

    Ashley...if only

    Ashley Lyn Cafagna


  • Subscribers Posts: 1,911 ✭✭✭Draco


    According to the logs on one of my machines (a Linux box running Apache), there have been 18 attempts to infect it, all from different IP addresses. Not the flood of attacks predicted.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    FBI only got involved because
    a. it targets the white house
    b. it targets a flaw from mr. america Bill's company.

    the warning was extreme and will only serve to give the author huge standing and inspire copycat / more malicious versions.

    We got zero infection attempts. Fair nuf. But I don't want to take the chance that the next one will ignore me as well.

    The panic was ridiculous. I know admins need to know, but broadcasting it on the radio and in the papers only caused the users to panic. I even had the co. accountant on to check if I'd protected against this (a week after I had upgraded the AV package to protect against it!)

    Now, the problem is, will people believe the "experts" when they come out with the next warning? Or is it a case of crying wolf?

    First the millennium bug, now virus flops... all very disappointing really. I was looking forward to the collapse of civilisation and the descent into brutality and bestial law... I even bought new shoes for the occasion :(


  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    http://www.incidents.org/

    Not doing anything me azz. :) 228,949 sites infected.

    Btw, does CodeRed attack MySQL? a lot of sites I visit seem to be down and when they were last up they said it was due to MySQL errors.



  • Subscribers Posts: 1,911 ✭✭✭Draco


    > Originally posted by LoLth:
    > We got zero infection attempts.

    Check your IIS logs again. I've noticed a marked increase in attempts since this morning.

    > Originally posted by LoLth:
    > (a week after I had upgraded the AV package to protect against it!)

    You patched the wrong thing. You need to patch IIS.

    > Originally posted by LoLth:
    > First the millennium bug, now virus flops... all very disappointing really.

    It's allegedly infected 220K+ machines since the 1st. The reason it hasn't infected more is because of all the media hype about it. Network admins got off their arses and patched their servers. Now they should pull the finger out and kill IIS and replace it with Apache.



  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    btw, I'm not running any services for Code Red to attach to, however my router is getting hammered with connection attempts from various machines.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    Aye same here, firewall is bouncing off quite a few port 80 connections.

    Gav

    course when I go look at the IPs trying to connect I get the www.worm.com thing. heh


  • Registered Users, Registered Users 2 Posts: 1,862 ✭✭✭flamegrill


    I have posted on this already here, but what does a scan for the vulnerability look like in your access log?

    look at my original post in security.

    thanx


  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    Sweet mother of god.

    On average I get 20 port scans a day on my machine. Today I have had 178 so far.

    All on port 80.

    (current count 246 and still climbing)


    [This message has been edited by Hobbes (edited 05-08-2001).]


  • Registered Users, Registered Users 2 Posts: 7,521 ✭✭✭jmcc


    > Originally posted by seamus:
    > Has anyone noticed any effect of this virus, or is someone after messing up somewhere after trying to scare everyone??!

    Code Red II (also being reported as Code Red generation 3) is now making the rounds. This is a more dangerous version in that it carries a payload that installs a backdoor in the affected server. The backdoor also deactivates the M$ privs and in effect gives a cracker root shell access to the server. I have seen a number of Code Red II probes in the last 24 hours (the majority had been Code Red 1 up until yesterday). The Code Red II differs from the Code Red I in the logs (the full line of the log entry has been truncated as I am not going to type in all the rest of the stuff):

    Code Red I: "GET /default.ida?NNN" etc
    Code Red II: "GET /default.ida?XXX" etc

    In the last few minutes, I have seen four probes from Indigo dialups.

    No doubt the usual fscking technology journalist muppets will be writing about how the CR is a damp squib in the newspapers tomorrow.

    Regards...jmcc


  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    yesterday's count finished off in the 700's

    Currently today it's up to 96.

    What's funny is each scan means the person's machine I could go look at. Someone should write a CR-4 which removes the software and patches your machine to stop anything else from attacking it.



  • Registered Users, Registered Users 2 Posts: 7,521 ✭✭✭jmcc


    > Originally posted by Hobbes:
    > yesterday's count finished off in the 700's
    >
    > Currently today it's up to 96.
    >
    > What's funny is each scan means the person's machine I could go look at. Someone should write a CR-4 which removes the software and patches your machine to stop anything else from attacking it.

    15 on one server here already. 20 on another. All affected Irish IPs seen so far are on Indigo boxes, typically dialups in Cork, Dublin, Drogheda.

    Best solution: a non M$ OS. :)

    Regards...jmcc


  • Closed Accounts Posts: 772 ✭✭✭Chaos-Engine


    Does Apache come free w/ Linux OSes?

    Which is the best one out there?
    Retail or free....... Newbie to Linux but not after something for dummies like Red Hat

    any help would be wonderful

    "Information is Ammunition"
    Choas Engine
    Email: choas@netshop.ie
    ICQ: 34896460


  • Registered Users, Registered Users 2 Posts: 1,842 ✭✭✭phaxx


    Apache comes with most Linux distributions, if not it's always available from www.apache.org

    In *my* opinion, Slackware Linux is very nice indeed, but I'm getting into FreeBSD a lot lately.

    Try Debian or Slackware, sensible and hardly any bull.


  • Registered Users, Registered Users 2 Posts: 7,521 ✭✭✭jmcc


    > Originally posted by jmcc:
    > Code Red II (also being reported as Code Red generation 3) is now making the rounds. This is a more dangerous version in that it carries a payload that installs a backdoor in the affected server. The backdoor also deactivates the M$ privs and in effect gives a cracker root shell access to the server. I

    The new worm (Code Red II) will crash NT when it attempts to run. It infects W2K running a vulnerable IIS.

    From the activity in the last 24 hours, I have noticed at least 20+ Indigo.ie dialups that are infected. I have seen one Esat surfnolimits box infected and about 3 Esat/IOL leased line boxes.

    Regards...jmcc


  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    DoS I think is the least of the worries.

    I think it's a lot more serious, especially after reading this.

    http://www.incidents.org/diary/diary.php

    Basically if a backdoor trojan is piggybacked you are probably better off formatting and reinstalling.


  • Registered Users, Registered Users 2 Posts: 379 ✭✭Carnate


    Code Red Worm or CRW has totally closed the Irish IBM intranet as of this morning! The servers are spitting out data to numerous websites and in turn we are getting spammed.

    we have no w3 working atm (for those going to ask what is w3? it's IBM's own intranet)

    So to answer the question: yes, it has affected us greatly!

    [This message has been edited by Carnate (edited 07-08-2001).]


  • Registered Users, Registered Users 2 Posts: 11,446 ✭✭✭✭amp


    No (I both remove IIS and patch it) and then lash on the win32 version of apache if they really need it.
    Sircam's a pain in the ass though.


    Lunacy Abounds! GLminesweeper RO><ORS!
    "Boxes for show, Baskets for a pro" - [FCA]SyxPak


  • Registered Users, Registered Users 2 Posts: 1,862 ✭✭✭flamegrill


    count of CRW scans as of the time of this post for the last 7 days on my box stateside -> 1445. I've had 400+ each day for the last 2 days and today has had 285 at the time of this post.

    how do you identify which strain of "code red" is attacking?

    here's one such scan/attack from my apache logs.

    24.178.103.83 - - [07/Aug/2001:15:05:23 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0" 404 285


    I had set up an ipchains rule to block these scans from 24.0.0.0 which is the home.com cable network, but I took it out because I want an accurate count of the attacks.

    [This message has been edited by flamegrill (edited 07-08-2001).]


  • Registered Users, Registered Users 2 Posts: 7,521 ✭✭✭jmcc


    > Originally posted by flamegrill:
    > t.
    >
    > how do you identify which strain of "code red" is attacking?
    >
    > here's one such scan/attack from my apache logs.
    >
    > 24.178.103.83 - - [07/Aug/2001:15:05:23 -0500] "GET /default.ida?XXX

    "GET /default.ida?NN - Code Red
    "GET /default.ida?XX - Code Red II

    Regards...jmcc


  • Registered Users, Registered Users 2 Posts: 1,862 ✭✭✭flamegrill


    have had 1346 code red II attacks/scans in a day and half so!

    that's seriously more than Code Red.


    jmcc thanks for the info


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    > Originally posted by flamegrill:
    > count of CRW scans as of the time of this post for the last 7 days on my box stateside -> 1445. I've had 400+ each day for the last 2 days and today has had 285 at the time of this post.
    >
    > how do you identify which strain of "code red" is attacking?
    >
    > here's one such scan/attack from my apache logs.
    >
    > 24.178.103.83 - - [07/Aug/2001:15:05:23 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0" 404 285
    >
    > I had set up an ipchains rule to block these scans from 24.0.0.0 which is the home.com cable network, but I took it out because I want an accurate count of the attacks.
    >
    > [This message has been edited by flamegrill (edited 07-08-2001).]


    Why not just stick a -l on your rules to log it, then run the messages file through a quick grep, cut, cut, grep, uniq, blah, blah, blah

    It's getting annoying now alright. Constant bloody bashing against our firewall.

    Gav
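    A small log classifier, added here as an example and not code from anyone in the thread: it parses Apache common-log lines, tells the two strains apart by the filler byte jmcc describes (N for Code Red, X for Code Red II), and tallies probes per strain and per source address, the job Gavin's grep/cut/uniq pipeline does by hand. The sample log lines and the 192.0.2.x addresses are constructed.

```python
import re
from collections import Counter

# Apache common-log line: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Both strains hit the .ida ISAPI filter with a long run of one filler byte
# before the %u-encoded payload: 'N' for Code Red, 'X' for Code Red II.
IDA_RE = re.compile(r'^/default\.ida\?([NX])\1{9,}')
VARIANT = {'N': 'Code Red', 'X': 'Code Red II'}

def classify(path):
    """Return the strain name for a request path, or None if it is not a probe."""
    m = IDA_RE.match(path)
    return VARIANT[m.group(1)] if m else None

def tally(log_text):
    """Count probes per strain and per (source ip, strain); returns (by_variant, by_ip, unparsed)."""
    by_variant, by_ip, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1          # not a log line at all; count it, don't crash
            continue
        variant = classify(m.group('path'))
        if variant is None:        # ordinary traffic, ignore
            continue
        by_variant[variant] += 1
        by_ip[(m.group('ip'), variant)] += 1
    return by_variant, by_ip, unparsed

# Constructed sample modelled on the line quoted in the thread; the 192.0.2.x
# addresses are from the documentation range, not real probe sources.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2001:15:05:23 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 285
192.0.2.11 - - [07/Aug/2001:15:06:01 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 285
192.0.2.10 - - [07/Aug/2001:15:07:44 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 285
192.0.2.12 - - [07/Aug/2001:15:08:10 -0500] "GET /index.html HTTP/1.0" 200 1043
this is not a log line
"""

if __name__ == "__main__":
    by_variant, by_ip, bad = tally(SAMPLE_LOG)
    print(dict(by_variant), dict(by_ip), bad)
```

    The 404 on every probe is Apache having no .ida handler, which is why the Apache admins in the thread only ever see counts rather than infections.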

