
Code Redux

michael posted more than 13 years ago | from the carpetbombing-the-new-economy dept.


I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage. Code Red [?] is hitting cable modem networks especially hard, as the new variants scan "nearby" IPs in preference to random ones, which has apparently caused enough damage and network congestion that AT&T's residential broadband division (MediaOne) has cut off port 80 across their network to try and halt the spread of the worm, or so several submitters reported. Newsforge has a story about various reactions to the worm, and reader nettdata sent in an interesting story about the worm becoming the main course at a dinner of security specialists.


472 comments


fp (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2167060)

mother

sp (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2167074)

damn that sucked.

Re:fp (-1)

evil_spork (444038) | more than 13 years ago | (#2167125)

I'm claiming your first post for myself since you're an AC.

Re:fp (-1)

Cmdr (Fuck You) Taco (469621) | more than 13 years ago | (#2167154)

I'm claiming your first post for myself since you're a fuckin' spork.

Re:fp (-1)

evil_spork (444038) | more than 13 years ago | (#2167166)

I'm claiming my first post back since you're lame enough to use "Cmdr" and "Taco" in your name.

Re:fp (-1)

Cmdr (Fuck You) Taco (469621) | more than 13 years ago | (#2167185)

I'm claiming my first post back since I'm clever enough to use "Fuck" and "You" in my name.

Re:fp (-1)

evil_spork (444038) | more than 13 years ago | (#2167193)

I'm claiming my first post back since I'm clever enough to be the original spork.

Re:fp (-1)

Cmdr (Fuck You) Taco (469621) | more than 13 years ago | (#2167209)

I'm claiming this and all your future first posts because no spork has ever been clever.

Re:fp (0)

Anonymous Coward | more than 13 years ago | (#2167220)

I'm claiming ALL your fp's because you're a spastic fuckwit AC!!

er.. wait a second...

Re:fp (-1)

evil_spork (444038) | more than 13 years ago | (#2167269)

He's not an AC, and calling someone a "spastic fuckwit" is certainly not original nor is it clever. Get a fucking clue, AC.

wow (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2167222)

y'all are dumb, arguing about an FP that isn't even yours

Re:wow (-1)

Cmdr (Fuck You) Taco (469621) | more than 13 years ago | (#2167234)

Hey dumbass, can't read, or what? It is mine!

heh (0)

Anonymous Coward | more than 13 years ago | (#2167243)

no hablo espanol, shithead

sorry (0)

Anonymous Coward | more than 13 years ago | (#2167281)

just got off the phone with your mom. she said she wants to blow you.

Re:wow (-1)

evil_spork (444038) | more than 13 years ago | (#2167287)

No AC is allowed to claim a first post, thus it can be disputed by logged-in users posting at -1 automatically. Therefore we are not dumb to argue over this first post. How fucking ignorant, but then again, I don't expect anything better from an AC.

Re:fp (-1)

evil_spork (444038) | more than 13 years ago | (#2167249)

lol.. I'm claiming this and all my future first posts back in the name of goats and whores everywhere.

Re:fp (-1)

Cmdr (Fuck You) Taco (469621) | more than 13 years ago | (#2167273)

I'm getting tired. I think I should just claim all first posts on Slashdot because I'm motherfuckin' CmdrTaco bitch.

tired? (0)

Anonymous Coward | more than 13 years ago | (#2167299)

but are you as tired as your dad was after i finished fucking him in the ass?

Re:fp (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2167187)

ahh, i just FP on occasion, and since bitchslap is not an option for my main account, and since i'm too lazy to make an account for this sort of stuff, i just don't bother.

Cutting off port 80? (1)

Heem (448667) | more than 13 years ago | (#2167070)

I know of at least one broadband provider that is completely shutting off access to machines known to be infected.. and not allowing them back on until they patch up. (well i imagine they must let them on to at least download the patch). If @home blocks my port 80 i'll be quite pissed. Yes I'm lame, I'm running IIS (patched) on my cable modem.

Man, I wish... (5, Insightful)

Rimbo (139781) | more than 13 years ago | (#2167127)

I wish that RoadRunner San Diego would do that! All they've done so far is to send two "Virus Alert" e-mails out to people, imploring them to install the patch if they run Win2k or WinNT.

I really think that it's the responsibility of a machine's owner to lock down his/her system from attack. Ignorance of the rule is no excuse. If you put a machine on the net, and it's not secure, it becomes a danger for everyone.

The easiest thing to do is to shut down the access to machines that are infected. That way, you have their undivided attention when they call you up and say, "My cable's not working!" You simply respond... "Yes, we shut it off, because you wouldn't take care of business."

You're not lame for running IIS if you've patched it. You're lame if you aren't paying attention to the patches out there.

Re:Man, I wish... (5, Funny)

blang (450736) | more than 13 years ago | (#2167230)

You're not lame for running IIS if you've patched it. You're lame if you aren't paying attention to the patches out there.

Sorry for being such a troll, but what makes you believe that this patch is the ultimate cure of IIS security bugs? You may not be lame, but you do possess an impressive threshold for pain.

Re:Man, I wish... (1)

onepoint (301486) | more than 13 years ago | (#2167266)

You and me both. My log file has a total of 6000+ IP addresses that have hit my modem. Since Sunday afternoon.

I did find something strange. 65 IP addresses hit my modem more than 90 times, mostly in a row. Also I have noticed that UDP (port 6970) and port 53 attacks are up.

anybody noticing similar stuff

ONEPOINT

Re:Man, I wish... (0)

Anonymous Coward | more than 13 years ago | (#2167275)

"You're not lame for running IIS if you've patched it. You're lame if you aren't paying attention to the patches out there."

A properly configured IIS box with .ida/.idq extensions disabled is immune to the worm. If you are running IIS and have no idea how to remove it from its horrible out-of-box configuration, you are lame.

Re:Cutting off port 80? (1)

Atzanteol (99067) | more than 13 years ago | (#2167159)

I *am* pissed! I'm running Apache on mediaone's (read: att) network and can't get to my site...

Funny how I had to read slashdot to find out though. I got no notice from att, and can't find a thing about it on any of their sites.

Cutting off Port 25! (2)

BigBlockMopar (191202) | more than 13 years ago | (#2167286)


If @home blocks my port 80 i'll be quite pissed.

My ISP (www.dsl.ca) specifically allows you to run servers - and even rents a static IP. Then, one day recently, they surprised me by firewalling all outgoing SMTP. Of course, this coincided with a BIND change on my nameserver, and so when my mail spool started to fill up, my first assumption was that I'd killed the reverse lookup! I spent an hour or so trying to figure out how I'd gone wrong, but I didn't think I did. Finally, I contacted 'em about it. They just shut it off because there were too many spammers and they didn't want to do a mass-mailing, which would become a tech support nightmare ("uhh... this port 25 thing, do I need it?").

Anyway, I'm starting to get really annoyed by Code Red II. My webserver log file [glowingplate.com] is full of IIS crap. I hold Microsoft responsible for marketing a faulty product.

Yes I'm lame, I'm running IIS (patched) on my cable modem.

You are lame, for sure. You know, it's really not that much work to set up an old 486 or something with FreeBSD and NAT, add Apache from the ports collection, and laugh at all the IIS lusers. Please ditch IIS; I'll provide a helping hand if I can.

Medium damage (1)

EndlessMe (512453) | more than 13 years ago | (#2167078)

Maybe that's because Symantec treats Microsoft software as non-popular and that's why this is not very dangerous :)))

Re:Medium damage (5, Insightful)

Tackhead (54550) | more than 13 years ago | (#2167251)

> > I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage.

Well, given the choice between having j00r box r00ted and having something like WinCIH blank out your BIOS and wipe out your FAT...

For security, it's critical. But the amount of data loss is minimal until after someone telnets to the open port and blows away your drive.

Finally, consider Symantec's core market -- not the guy running a brokerage firm on a farm of IIS boxen, but home and office users of PCs worried about the virus that'll wipe out their pr0n collection. Joe Win95er really isn't at risk from Code Red II, apart from wondering why "the Internet is slow" if he's on RoadRunner.

Considering Symantec's core audience, and what this worm could be doing to compromised systems, and yeah, I'll buy "medium".

Piss frost (-1, Troll)

AssByte (244004) | more than 13 years ago | (#2167083)

I have frost on my piss.

Gasp.... (1)

JoeLinux (20366) | more than 13 years ago | (#2167090)

You mean Windows isn't secure? Network specialists are being PAID to figure this out? I wonder what happens if a consortium sits down and decides how to make the perfect virus...a friend of mine suggested that having it recompile itself on the system it hit, and contact the last instance of it to receive updates. Just a thought...

JoeLinux

Re:Gasp.... (1)

eh2o (471262) | more than 13 years ago | (#2167246)

My god... that's a scary thought... a worm which can mutate its own binary? It could be a hard thing to squash with simple detection methods.

It's all too easy to think of evil viruses which can be written... maybe that is why it keeps happening.. because it's just too easy not to try it. ;)

It's kinda like the brass in the Pentagon talking about some new bio-weapons they made... danger schmanger joe, it was so easy to make this virus, we gotta try it out!

michael (-1)

Cmdr (Fuck You) Taco (469621) | more than 13 years ago | (#2167091)

I love you.

To all others: Fuck you.

Intranet Code Red (0)

Anonymous Coward | more than 13 years ago | (#2167094)

I work for a certain, um, large company that makes microprocessors and the Code Red has hit us particularly hard internally. We've had to take down a lot of the port 80 intranet applications and the packet storms are playing havoc with our email. It's driving everyone nuts!

Ease of Attack (1)

aoeuid (250239) | more than 13 years ago | (#2167100)

I did a little experimenting myself, and I absolutely cannot believe the ease at which you can get into these systems and download any file you wish (root.exe?/C+copy+file.txt+c:\inetpub\wwwroot). How this is not all over the media, considering the sheer number of infected hosts is beyond me.

increasing number of scans (0, Redundant)

kajoob (62237) | more than 13 years ago | (#2167101)

I'm running blackice defender (i know, i know, real men run firewalls at the network layer) however I'm up to about 8-9 scans on my port 80 every hour and it seems to be increasing.

Network traffic seems high - is this why? (1)

Jerf (17166) | more than 13 years ago | (#2167102)

I'm on an @home cable network, and for the last couple of days my little activity light has been blinking at an astonishingly high rate. Today I finally sniffed the network to see what it was, and it's an amazing rash of ARP requests... about 20 per second. Normal seems to be more like .5-1 per second. (The cable modem of course only allows me to see broadcast traffic and traffic meant for my network, and I don't normally see this much traffic.) Think this new Code Red is the reason why? Makes sense...

Re:Network traffic seems high - is this why? (0)

Anonymous Coward | more than 13 years ago | (#2167285)

Yes -- it is Code Red. The arp requests are coming from your default gateway looking for the MAC addresses of the hosts that are being scanned.

this thing is fascinating (2, Interesting)

BitchAss (146906) | more than 13 years ago | (#2167105)

I gotta say this worm is really amazing. You can watch its growth in your log files. Mine roll over daily and you can see the file sizes increase day by day. On Aug 1 I had an 8k log file. The 2nd I had a 12k one. The third was 32k, the day after that was 64k. Today it was up to 192k so far and there's still another 2 hours till the log file rolls over.

Re:this thing is fascinating (2)

garcia (6573) | more than 13 years ago | (#2167199)

I am noticing quite a bit of hits coming w/in 1-2 minutes of each other from the same IP. They come in three in a row now...

I am apparently lucky as I have yet to see too too much traffic yet I feel it has only begun... :(

Roadrunner Outage (1)

cei (107343) | more than 13 years ago | (#2167106)

I have AT&T Broadband at home (in Los Angeles) and yes, it seemed like port 80 was being blocked perhaps from Sunday until some point last night. Web browsers stopped functioning but other IP ports remained open.

Didn't see any warnings on their site (connected from elsewhere) yesterday though. You'd think they'd give people warning, and their support phone number kept me on hold for hours on end...

What ports does the worm attack? (-1, Flamebait)

Anonymous Coward | more than 13 years ago | (#2167110)


If I put a sniffer on the network, what kind of traffic should I be looking for?

fresh (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2167113)

turd.

eat me.

BIG NEWS: (1)

AdamInParadise (257888) | more than 13 years ago | (#2167114)

The Internet is insecure!

Sysadmins that don't apply patches get owned!

Writing a virus is as simple as opening Word! (Yes I know Code Red is a bit more complicated, it's written in Delphi)

Come on, this is completely predictable. What really amuses me is the fact that we haven't seen a really dangerous bug yet: something along the lines of Code Red, mixed with CIH (destroy motherboards), that formats each hard-drive it encounters. Are virus writers responsible or what? This would make the Internet a lot more secure, one way or another. And yes, this is a Microsoft worm for God's sake!

netblock (1)

psychalgia (457201) | more than 13 years ago | (#2167116)

we make a lot of home products at our company, you've probably used 5 or 6 or more in a lifetime. Our entire multi-billion dollar operation came to a halt today when our netblock was attacked by the nt4 servers and nt5 clients. I guarantee that none of those clients had the sp2 fix...

In Poland too! (3, Funny)

zdzichu (100333) | more than 13 years ago | (#2167120)

Polish Telecom, the biggest ISP down here, also announced that they will block traffic from 'infected' sites. Trying to connect to whitehouse server is taken as a proof of infection.

Re:In Poland too! (1)

ivan37 (149147) | more than 13 years ago | (#2167219)

Ahhhh...so this worm was released by the Polish government so that they could punish people if they decided they wanted more information about America!

Massive arp traffic (0, Redundant)

PoochieReds (4973) | more than 13 years ago | (#2167124)

I just got home from work and saw the little light on my cable modem going nuts. I did tcpdump from my firewall box and I'm seeing MASSIVE amounts of arp traffic.

Perhaps I'll call roadrunner and see about a refund for the crappy bandwidth I'm getting tonight ;-).

Code Red Self Test (5, Interesting)

staplin (78853) | more than 13 years ago | (#2167129)

While out and about looking for the latest Code Red statistics, I found this link to a Code Red Self Test [securityspace.com] which is supposed to tell you if you are vulnerable, and if you have been infected.

I don't know if it works, I don't have a Win boxen to test it on...

Re:Code Red Self Test (0)

Anonymous Coward | more than 13 years ago | (#2167177)

That test tends to report false positives.
(better than false negatives, at least)

OT: pedantic correction (2, Insightful)

rkent (73434) | more than 13 years ago | (#2167252)

I don't know if it works, I don't have a Win boxen to test it on...

Okay, if you're going to use the archaic, tongue-in-cheek unix-guru term "boxen," at least bother to learn that its denotation is plural.

And now back to your regularly scheduled worm discussion.

Re:Code Red Self Test (2)

Omerna (241397) | more than 13 years ago | (#2167300)

According to it I don't have it (and I know I don't) so it either works or is just going to provide everyone who DOES have it with a nice surprise.

Cutting off port 80? (2)

yerricde (125198) | more than 13 years ago | (#2167130)

AT&T's residential broadband division (MediaOne) has cut off port 80 across their network

Seeing as how HTTP runs on port 80, how are outgoing HTTP connections (i.e. web page pulls) supposed to proceed across the network? Given that frontends to mail [hotmail.com] , newsgroups [google.com] , and file transfers are increasingly HTTP-based, they might as well just schedule total network downtime during Code Red attacks.

Re:Cutting off port 80? (5, Informative)

interiot (50685) | more than 13 years ago | (#2167151)

You can block incoming and outgoing http connections separately. eg. if a SYN packet is going from an outside address to an inside address, and the port number is 80, block it. But don't block anything else.
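The one-directional block described in this post, as an added example that is not code from the thread or from any ISP: packets are reduced to (src, dst, dport, flags) tuples and the customer subnet is a constructed one. It also shows the caveat a border-only filter has against a worm that scans "nearby" addresses: a SYN from an infected neighbour inside the same block is not inbound from outside, so it passes.

```python
"""Simulate an ISP-side filter that drops only inbound SYNs to port 80.

Added illustration, not the thread's code. The subnet and addresses are
constructed; a real filter would be a router ACL or firewall rule.
"""
from ipaddress import ip_address, ip_network

# Constructed: the residential address block the filter is meant to protect.
CUSTOMER_NET = ip_network("24.130.0.0/16")


def is_inside(ip):
    """True if the address belongs to the protected customer block."""
    return ip_address(ip) in CUSTOMER_NET


def inbound_syn_to_web(pkt):
    """True for a new TCP connection from outside to a customer's port 80.

    A bare SYN (no ACK) is the only packet that opens a connection, so
    dropping just that stops inbound web hits while the SYN-ACK and data
    that a customer's own browsing brings back still flow normally.
    """
    src, dst, dport, flags = pkt
    new_conn = "S" in flags and "A" not in flags
    return new_conn and dport == 80 and not is_inside(src) and is_inside(dst)


def filter_packet(pkt):
    """Return the verdict the filter would give this packet."""
    return "DROP" if inbound_syn_to_web(pkt) else "ACCEPT"


def trace(packets):
    """Apply the filter to a list of packets, keeping each verdict."""
    return [(pkt, filter_packet(pkt)) for pkt in packets]


# Constructed traffic sample (TEST-NET addresses stand in for the outside).
SAMPLE_PACKETS = [
    ("24.130.6.42", "203.0.113.10", 80, "S"),     # customer opens a web page
    ("203.0.113.10", "24.130.6.42", 51234, "SA"),  # server replies to ephemeral port
    ("198.51.100.7", "24.130.6.42", 80, "S"),      # outside host hitting customer's server
    ("24.130.5.17", "24.130.6.42", 80, "S"),       # infected neighbour in the same /16
    ("198.51.100.7", "24.130.6.42", 22, "S"),      # inbound ssh is left alone
]

if __name__ == "__main__":
    for pkt, verdict in trace(SAMPLE_PACKETS):
        print(f"{verdict:6} {pkt}")
```

Only the third packet is dropped; the neighbour's scan in the fourth line shows why posters on the same network still see hits after the border block.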

Re:Cutting off port 80? (1)

bacchusrx (317059) | more than 13 years ago | (#2167186)

I'm not sure of the extent of AT&T's actions, but, they've probably blocked all incoming connections on port 80. This wouldn't prevent connections *to* port 80, of course, since web content itself is returned to the client on an ephemeral port...

I've been afraid broadband providers would move to do this anyways... since in most cases the ISP explicitly forbids server activity on end-user systems. Rogers@Home, in my area, sets their cablemodems to "sleep" after some predetermined interval-- this prevents any incoming connections unless the modem is awakened by outgoing traffic. Of course, putting "ping > /dev/null &" where into your rc.local makes short work of that ;)

BRx.

hrm. correction (1)

bacchusrx (317059) | more than 13 years ago | (#2167202)

Hm. Slashdot ate part of my ping example ;p the correct command should've been:

ping xxx.xxx.xxx.xxx > /dev/null &

where xxx, etc. is your gateway's IP.

You all assumed that anyways, but... ;)

BRx.

Re:Cutting off port 80? (1)

aoeuid (250239) | more than 13 years ago | (#2167192)

Uh, you can cut off a port in one direction only you know......

Cutting off port 80 (5, Interesting)

Grim Grepper (452375) | more than 13 years ago | (#2167131)

I really hope that RoadRunner doesn't decide to cut off port 80, as I happen to be running a webserver. Since I don't use IIS or Windows, it seems unfair that they would cut me off; it doesn't seem quite fair.

What they should do is scan for people running IIS webservers and cut them off. Leave the Apache users alone!

Re:Cutting off port 80 (1)

interiot (50685) | more than 13 years ago | (#2167206)

Can you change the server's port to another port, say 8080? Or do you have quite a few links to the server?

Re:Cutting off port 80 (1)

Twilight1 (17879) | more than 13 years ago | (#2167290)

Actually, if you check your Acceptable Usage Policy, you will probably find that you are not allowed to run servers on your connection. I have always avoided any ISP that prevented me from fully utilizing my connection.

I just think it's rather amusing to see a bunch of people complaining about a service blocking access to something that they weren't supposed to be doing in the first place. Did you read your AUP and Terms of Service before you signed up? No? Tsk tsk...

-Twi

lp (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2167132)

last post!!!

if you post belwo this your totaly GAY!!!!1

"Medium" Damage (1)

turbodog42 (122173) | more than 13 years ago | (#2167137)

From Symantec's website [symantec.com] :

Damage
The damage component measures the amount of harm that a given threat might inflict. This measurement includes triggered events, clogging email servers, deleting or modifying files, releasing confidential information, performance degradation, errors in the virus code, compromising security settings, and ease by which the damage might be fixed.


In terms of what it does locally (ie doesn't erase your entire harddrive), medium damage isn't that far out of line.

Maybe they should add a Mainstream Media Hype rating...

Re:"Medium" Damage (2)

JoeBuck (7947) | more than 13 years ago | (#2167258)

Oh, come on. You say that it doesn't erase your entire harddrive. Rather, it tells the entire net "Hey everyone! I am an infected computer, you can run any command you want on me!".

For example, my web log (and everyone else's web log) has the hostnames or IP addresses of dozens of infected systems. It would be a trivial matter for me (or anyone else) to now erase the hard drives of any of these machines, or just to browse through the entire hard drive and take what I want and trash the rest.

Or even better: use the back door to install a new Trojan that will still be present even after the owner applies Microsoft's patch.

It _is_ quite benign. (3, Interesting)

Hobbex (41473) | more than 13 years ago | (#2167139)


Besides the load of the spread (which is probably made significantly better by having the worm mostly scanning on its own subnet) CodeRed2 is quite benign.

Yes, it does open a remote root exploit, but the servers that got infected were already wide open due to the default.ida hole. Sure, it's easier now, but since there are simple exploits for default.ida already, any script-kiddie worth the name could already have walked straight into these computers.

In truth, I figure that the people who have made most use of this exploit have been geeks who would ordinarily never break into systems, but have been made curious about where the worms are coming from (of course, _I_ would never do such a thing... really...)

Worse, much worse (1)

digitalhermit (113459) | more than 13 years ago | (#2167141)

Remember reading in high school biology that getting cowpox would confer a resistance to smallpox? I wished more IIS servers had gotten hit with Code Red I and forced them to patch. On my tiny little site I'm getting over two hundred unique requests for default.ida every half hour. I guess that this is because of my IP address being in the DSL neighborhood.
Lots and lots of the machines I checked have the default IIS page. This may mean that the owners don't know they're running a web server (thanks to default installs) or are home users reading about this new Code Red II and thinking, "Hmm... I'm glad I'm not running a server." I've only seen a small percentage of duplicates too, so the rate of infection is definitely high.

Re:Worse, much worse (0)

Anonymous Coward | more than 13 years ago | (#2167293)

I have a high number of duplicates, as many as 15 from some hosts...

Someone should update that Everything entry. (1)

JeffHunt (129508) | more than 13 years ago | (#2167143)

I think it's great how there was the link to give the definition of Code Red in the story, but nobody had actually given the contextual definition.

AT&T Broadband.. (1, Informative)

Anonymous Coward | more than 13 years ago | (#2167144)

..has DEFINITELY shut off inbound port 80 traffic to some (if not all) of their cable modem infrastructure. I am in Massachusetts, and I'm cut off. The roadrunner.* newsgroups are boiling over this, and there's been NO official release from AT&T, although their customer support reps readily admit that 80 is off and will remain off, presumably indefinitely. I am bullshit about this, but have nowhere to go. DSL is collapsing while AT&T is getting bigger. Behold the fruit of two monopolies: AT&T and Microsoft.

It is only Medium DAMAGE! (2, Insightful)

thufir (129668) | more than 13 years ago | (#2167145)

I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage.

Maybe because they don't! You are thinking in terms of security hole. With a virus it is different, you are more concerned about data loss.

A virus can inflict low damage, ie: print a message on the screen that you are stupid, or a high DAMAGE rate of deleting your whole hard drive. Medium is a good measurement of this one, as it only has the POTENTIAL for data loss.

Create a Good Virus? (1, Redundant)

nicoz (191825) | more than 13 years ago | (#2167152)

Why not create a good virus to interact with Code Red and force it into a benign state?

Is this possible?

Re:Create a Good Virus? (0)

Anonymous Coward | more than 13 years ago | (#2167298)

Possible, yes, but you'd still potentially get in trouble with the law.

It's about time... (0, Redundant)

sfe_software (220870) | more than 13 years ago | (#2167156)

I agree that cable users are causing the most damage from what I can see. I wish Road Runner (Time Warner Cable) would cut off port 80 as well. I'm logging thousands of attempts from other RR users on my firewall.

My webserver is also logging in the hundreds, mostly from various cable and DSL users. Personally I think it would be nice if they could re-enable port 80 on request for those who actually need it, but unless you're a business customer, I would think blocking port 80 temporarily would be for the greater good...

BTW, visiting most of the Road Runner IPs I'm logging, most of them don't have a page up at all. I get an IIS error about there being no "default" page... IOW, I suspect these users have no idea that they're even running IIS, much less that they're infected. Others show a page saying that too many connections are open (is this some sort of artificial limit in IIS, which depends on the license you've purchased, or is it actually an overload condition? Or an OS limitation?)

It seems like the cable networks should let their users know (this could easily be automated: "Dear Customer, you are infected with Code Red, go here...")

Besides, these people are killing my ping times in UT :)

Kind of scary (1)

Yorrike (322502) | more than 13 years ago | (#2167158)

It's weird. I have a list of about 1000 machines in my Apache log that I can just log into via root.exe.

1000 machines! If this is phase 1, and phase 2 is a massive dDOS attack, the internet is in for a rough ride.

I've refrained from logging into any of those boxes, but the more the attacks roll in, the more I feel I have to do something (like bitch slap anyone stupid enough to run an unpatched IIS, or IIS full stop for that matter).

Bringing up the websites of the infected machines is always good. One of the machines in my blacklist was touting "Advanced Network Security Training". I'm still giggling at that one :)
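Several posts in this thread read worm activity out of Apache logs by eye: counts of default.ida requests, how many come from the same host, and how many come from "nearby" addresses. The script below, an added example that is not code from any poster, does that over constructed sample lines in Apache common log format; the local address and subnet are assumptions.

```python
"""Pick Code Red / Code Red II requests out of an Apache access log.

Added example, not code from the thread. Log lines and the local address
are constructed; the two request signatures are the ones this thread
describes (a GET for /default.ida, and requests for root.exe afterwards).
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines (no poster's real log). Long X runs stand in for
# the worm's padding; the real request is far longer.
SAMPLE_LOG = """\
24.130.5.17 - - [05/Aug/2001:20:01:12 -0700] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 400 328
24.130.5.17 - - [05/Aug/2001:20:01:13 -0700] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 400 328
24.130.5.17 - - [05/Aug/2001:20:01:14 -0700] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 400 328
24.130.5.99 - - [05/Aug/2001:20:02:40 -0700] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 400 328
24.130.7.3 - - [05/Aug/2001:20:03:01 -0700] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 400 328
66.77.88.99 - - [05/Aug/2001:20:04:55 -0700] "GET /index.html HTTP/1.1" 200 1024
203.0.113.8 - - [05/Aug/2001:20:05:02 -0700] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 400 328
203.0.113.8 - - [05/Aug/2001:20:05:30 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
"""

# Assumed: our own cable-modem address, used to judge what counts as "nearby".
LOCAL_IP = ip_address("24.130.6.42")

# Apache common log format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# default.ida is the .ida ISAPI overflow probe both variants send; a request
# for root.exe means someone is trying the shell Code Red II leaves behind.
SIGNATURES = (
    ("codered-probe", re.compile(r"^/default\.ida\?", re.I)),
    ("crii-backdoor", re.compile(r"/root\.exe", re.I)),
)


def classify(path):
    """Return the signature name matching this request path, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def parse_log(text):
    """Yield (src_ip, method, path, status) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def analyse(text, local_ip=LOCAL_IP):
    """Summarise worm traffic: volume, repeat offenders, locality, back-door use."""
    per_src = Counter()
    kinds = Counter()
    backdoor_users = set()
    for src, _method, path, _status in parse_log(text):
        kind = classify(path)
        if kind is None:
            continue  # ordinary traffic
        kinds[kind] += 1
        if kind == "codered-probe":
            per_src[src] += 1
        else:
            backdoor_users.add(src)
    # "Nearby" here means sharing our first two octets (same /16).
    local16 = ip_network(f"{local_ip}/16", strict=False)
    nearby = [s for s in per_src if ip_address(s) in local16]
    return {
        "probes": kinds["codered-probe"],
        "unique_sources": len(per_src),
        "repeat_sources": {s: n for s, n in per_src.items() if n > 1},
        "nearby_fraction": len(nearby) / len(per_src) if per_src else 0.0,
        "backdoor_attempts": sorted(backdoor_users),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A host that appears under backdoor_attempts is not merely infected; someone else is already driving it, which is the point the "medium damage" posts argue over.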

Road runner's "warning" (3, Informative)

EvlPenguin (168738) | more than 13 years ago | (#2167160)

I received an email today from road runner (aka time warner cable) regarding the "VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED". For the intrigued, here's the letter:
------
VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.

Dear Road Runner Subscriber:

Road Runner, like many other ISPs and indeed the entire Internet, has today experienced an attack on its network which is apparently attributable to the Code Red virus. It is possible that this virus has infected the PC's of Road Runner's subscribers using the Microsoft Windows NT or Microsoft Windows 2000 operating systems. Infected PC's may continue to flood the Internet and Road Runner's network with virus generated messages (even without your being aware of it).

Road Runner is working to alert all of its subscribers to this problem and to instruct them on where to find and install the patch necessary to eliminate the virus. In the meantime, Road Runner subscribers may experience slow network response, flashing connectivity lights on the cable modem, and other symptoms (such as unusual port scan log activity or increased firewall activity) while Road Runner and the Internet community work to control the impact of this virus.

IF YOUR PC IS RUNNING WINDOWS 2000 OR WINDOWS NT, PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE (www.microsoft.com/security) AND RESTART YOUR PC.

IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

We ask for your patience while Road Runner continues to work with the Internet community to address this virus. Thank you. Road Runner Security
P.S. Please, do not reply to this message
--------

Well, gee, if the whole "internet community" is at work at resolving the issue, I can rest easy. But then again, they only say no to worry if you're running Windows 95, 98, ME or MacOS. Well, I'm running Linux and NetBSD, so I guess I should be worried, eh?

Re:Road runner's "warning" (0)

Anonymous Coward | more than 13 years ago | (#2167294)

Too bad they forgot to tell the user to install the patch after they downloaded it, before they told them to reboot.

Cutting Off Port 80? (2, Informative)

Bonkers54 (416354) | more than 13 years ago | (#2167163)

To be more specific for the people misunderstanding this poorly worded post, port 80 is not completely blocked. Only the _INCOMING_ connections to port 80 are blocked, so only people running webservers are affected. Because I currently run a webserver using Apache under Linux on my MediaOne cable modem, I am currently on hold on the MediaOne tech-support line attempting to get port 80 unblocked.

Re:Cutting Off Port 80? (1)

Bonkers54 (416354) | more than 13 years ago | (#2167223)

I just got off the phone with the MediaOne tech-support and the person I spoke with said that "My supervisor told me that there is no way to unblock port 80 on your account" and she went on to tell me that until the virus has been stopped, it will not be unblocked. I think they should just block people's accounts completely that are infected and too dumb to patch their webserver, and if they'd like I could give them a list of every infected user generated nicely by my Apache logs. I don't see why they should have to block port 80 at all because the contract states that servers are not allowed, but I'm not complaining about them being loose on that.

Against the DMCA? (2, Funny)

duncan (16437) | more than 13 years ago | (#2167164)

From the article:

"The group gathered around the dinner table then managed to get a copy of the worm and began disassembling its code"

Doesn't looking at the code and trying to figure a way around the usage of this program violate the DMCA? I think that those at this conference should be held accountable.

Cable Modem Providers (2, Funny)

r1ckt3r (302503) | more than 13 years ago | (#2167173)

I work for a rather large cable modem provider in the callcenter. We are getting inundated with calls about the code red virus. Especially concerning hyper-active activity lights on cable modems. It's been like this ever since sunday. I must admit, we are very close to blocking port 80 as well, since we don't allow web servers anyways. oh well, I start my new job next monday.

@Home not blocking port 80 yet (3, Informative)

interiot (50685) | more than 13 years ago | (#2167174)

@Home's AUP specifically says "no servers". Also, they've always blocked port 137, so the tools are already installed. Yet they still haven't blocked port 80, even though each IP is getting hit approximately every other minute.

Windows related (0)

Anonymous Coward | more than 13 years ago | (#2167176)

Some companies will always try to minimize potential risk to your network if it's windows related.

This sucks (0)

r0ach (106945) | more than 13 years ago | (#2167178)

I'm quite upset right now... I run a few fairly popular websites from my cable connection, and I'm not even running IIS, or Windows for that matter, so why do I (and my viewers) have to suffer? I can understand why AT&T is doing it, but still, it irks me... Just another example of Microsoft (indirectly) screwing over people that don't even use their software...

Watch Code Red infect (1)

iNiTiUM (315622) | more than 13 years ago | (#2167196)

I've set up BitchX and a shell script to monitor Code Red attempts on my AT&T-based Apache server. They are 100% right about AT&T being nailed hard, and yes, the ARP traffic is thru the roof.... Irc.Piratesnet.Net on #CodeRed if anyone's interested :)

damage only _medium_ to self ! (1)

cyrilc (126593) | more than 13 years ago | (#2167197)

The problem is "medium" because, from a user's point of view, the damage is relatively low risk for the computer compared to reformatting the hard drive or erasing the BIOS.

Who said Symantec cares about ISPs and other system maniacs!!!

Their only interest is to sell you the latest anti-virus that can protect your Winblows <whatever> against naughty worms or viruses...

There seems to be a newer variant (2, Informative)

friday2k (205692) | more than 13 years ago | (#2167205)

or the worm has a sleeping behaviour pattern. Please review the following message [securityfocus.com] from the SecurityFocus Incidents archive (the message was sent 30 minutes ago).

No change here (1)

NullPointer (6898) | more than 13 years ago | (#2167207)

I'm connected through MediaOne (AT&T@Home) and I've not seen any evidence of blocking. The log has not shown a reduction in connection attempts since I first noticed something was happening Saturday afternoon, typically 1 to 4 attempts per minute. And, unlike what some others have reported, I've not seen any degradation in service. The continuous blinkin' lights are sort of annoying, though.

My 'Data' Light has been going steady since Friday (3, Funny)

BroadbandBradley (237267) | more than 13 years ago | (#2167210)

and I'm on @Home's network. I like the program 'etherape' to sit and watch the requests come in and then browse to the IPs to see JoeBlow's homepage.
Really, do these home users PAY for IIS? Of course not, would you? If you're going to use software free, use free software!!!
I can't imagine that anyone who administers servers for a living hasn't already patched against this. Thus I think most of this Code Red comes from home users' Windows boxes with pirated software. I wish MS did pursue those people, because we'd have a whole lot more Linux users if that was the case. (I guess that's why they don't.)

A note to IIS users: /etc/httpd.conf. It's not really that hard.

A Rash of very well written viruses (1)

Peridriga (308995) | more than 13 years ago | (#2167212)

Along w/ Code Red (no need to explain how well this has propagated), Sircam has also caused general havoc w/ the computers I support at work.
Yeah, it's an Outlook-specific virus, and now after this infection I've finally gotten my "higher-ups" to get away from the Microsoft syndrome. After the initial infection, spread, and removal of Sircam I did some research and found it to be an extremely well written virus.

The interesting details:
1) Of course it does the all-too-common spread through Outlook's address book.

Side note: It also attaches the last document used (gotten from the 'recent' directory) to the spread email, which in our case luckily didn't send out any sensitive data but more than likely could have. This also generated a huge peak in our network traffic. (Imagine our database department (30 computers) all sending out our 200MB dBase files to every address listed.)

2) Also, the virus scans all of the resident HTML cache and pulls out every email address listed in it.

3) Then it connects to every shared computer it can find w/ write access and infects that as well.

4) And the kicker that I love so much is that it is bilingual. If it detects the native system language as Spanish, it will send all the emails out en español.

Just a little course for those not completely familiar w/ our newest addition to the viruses that plague IT specialists.

RoadRunner Fairfax VA unusable (4, Interesting)

banky (9941) | more than 13 years ago | (#2167216)

Here in Fairfax, our cable modem dropped out around 6pm Sunday night; it came back up after about an hour, but ever since then, I've had faster speeds on dial-up.

The phone system reports that SirCam has taken out their email servers, and that Code Red [I|II] is causing serious performance problems. They expect to have it done by tomorrow, except that today, when I called, they no longer are saying that, merely begging users to patch their systems.

Phone tech support is turned off, at least in my wanderings in the phone system.

Anyone else having these problems?

@Home (2)

Micah (278) | more than 13 years ago | (#2167217)

Well I'm on @Home and I'm not sure if this has to do with Code Red or not, but my cable modem light indicating bandwidth use has been flashing pretty much CONSTANTLY since Sunday or so, even when the computer was off!

I know it's more than port 80 hits, because there's not a constant stream of them in my log file, and I don't even run the web server most of the time. I get plenty of them when it does run, but it's got to be more than that.

Indirect cost. (1)

Fat Casper (260409) | more than 13 years ago | (#2167224)

With insurance companies charging more to insure companies that run MS servers, and every new virus/worm headline, why do people stay there? MS doesn't cost me any money directly, but I wonder what prices out there would be lower if companies didn't need to give Bill more money than he already doesn't need.

How much better would software in general be without the anticompetitive practices, "standards" and "enhancements"? How much smoother would the net run if admins could plug all their security holes as they became known, not just when MS deigns to acknowledge that they exist and provides a band-aid? What prices out there would be lower if companies didn't have those extra costs? What profits (other than Bill's) would be higher? I'm sorry, but it just pisses me off.

So that's what it is! (1)

Francis Frisina (447570) | more than 13 years ago | (#2167238)

From the "Code Red" link on E2: "A red version of Mountain Dew, a soft drink second in caffeine content only to Jolt, openly marketed to the urban, minority community. The desire to penetrate minority markets was so prominent that Pepsi largely chose the drink's flavor in order to do so. At first, the company toyed with the idea of coloring the new soda blue and sticking "arctic" in the name. But conventional wisdom in the soft drink business states that people from minority groups favor sweet, fruity flavors. So, the company's researchers regrouped and came up with Wild Cherry Mountain Dew. The taste was right, but the name was too tame. Enter Code Red."

Of course, if you want to know what the Code Red worm is, you might want to check out: http://www.everything2.com/index.pl?node_id=1126739&lastnode_id=1037487

Crazy (1)

zexxxx (87421) | more than 13 years ago | (#2167241)

It's just crazy that I still get hits [genotrance.com] because of this stupid virus. Just a waste of bandwidth and HDD space in log files.

I just feel that it should be reasonably complex to set up such servers. Not just for M$, which is Plug and Play (BSO.. oops... PnP), but also with Linux. For example, an apt-get install of telnetd on a Debian system adds the service to inetd by default, no questions asked. I don't know what other distros are like, but the consolation for Linux users is that they are usually younger than grandma.

Digital Honeypots (0)

Anonymous Coward | more than 13 years ago | (#2167242)

"I noticed a sharp increase in activity," Mr. Levy said. So he set up a "honeypot," or computer intended to lure attackers, to get a copy of the worm.

Oohh, a digital "honeypot" to "lure" attackers. Maybe it sends out a digital scent irresistible to worms. It's all very mysterious, but he's an expert, so I'm sure he knows what he is doing.

Or maybe it is as simple as a random ip on a cable provider like rr.com, where my port 80 was getting hammered about 1000 times an hour between 2 AM and 5 AM Sunday morning. Logs, anyone?

Does the back door actually work? (1, Interesting)

Anonymous Coward | more than 13 years ago | (#2167250)

% telnet 128.134.111.8 80
Trying 128.134.111.8...
Connected to 128.134.111.8.
Escape character is '^]'.
GET /scripts/root.exe HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 07 Aug 2001 22:47:22 GMT
Content-Type: application/octet-stream
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

c:\inetpub\scripts>

It gives a command prompt, but typing commands doesn't seem to do anything...

As one of those blocked (1)

smnolde (209197) | more than 13 years ago | (#2167262)

Yes I noticed this early this morning. It appears my code red hits stopped shortly after 11:05pm last night.

They might have blocked 80 from the outside world, but internal infections can still take place.

I can connect to a few IPs that affected me within the 24.163.x.x network.

On the chat with tech support they have no date when the block will be lifted.

Why code red is still around (1)

jerrytcow (66962) | more than 13 years ago | (#2167264)

I was looking at my server log, and couldn't believe how many hits from the second-round Code Red it received. I did a DNS lookup on a few of the addresses (most of the hits seem to be from 64.x.x.x). Several are from 64.4.13.232 (msgr-cs22.msgr.hotmail.com).

At first I was astounded that so many users could be running IIS still unpatched, but if sites like Hotmail can't patch their servers, how can we expect the average home user to?

RoadRunner (1)

mattvd (44096) | more than 13 years ago | (#2167267)

I'm on Road Runner, and my firewall is logging between 10 and 30 requests per minute, most of these coming from within the Road Runner network (24.x.x.x range).

The funniest thing, though: if you go to just about any of these IP addresses with a web browser, it's the default page for IIS. Meaning someone set up a web server (perhaps unknowingly) and forgot about it.

Crikey (3, Interesting)

Illserve (56215) | more than 13 years ago | (#2167276)

Code Red is so prolific (because it requires no user intervention to spread) that a new machine installation will likely be hit by it in 10 minutes or less, which of course is less time than it takes to patch it, which of course means that until you patch it, the remote exploitation is free to install anything else it wants until you close the hole. So you're going to be left with a zombified machine unless you install and patch from an air-gapped machine, using a local copy of the patch. I doubt most people do that.

So even with the patch up and available, the problem is far from solved. I bet the number of zombie machines out there surged tenfold today, many of which are on high-speed corporate bandwidth, instead of the more meager cable modems with severely crippled upstream access.

It's going to be a rough year.

Damage rating (1)

Anemophilous Coward (312040) | more than 13 years ago | (#2167280)

Perhaps their damage rating only refers to immediate damage done to the machine. There is no web defacement, mass amounts of files are not deleted, the drive isn't reformatted. Of course, all this *could* be done via the installed backdoor.

-A non-productive mind is with absolutely zero balance.
- AC

Possible Simple Large ISP solution (1)

sportal (145003) | more than 13 years ago | (#2167283)

Can someone please tell me why the big ISPs just don't take this simple approach to handling the increased traffic from Code Red I & II?

1. Run IDS at the backbone level.
2. When you see a packet come across that is a Code Red I or II web server probe (it is really simple to detect this), mark down the IP address.
3. Transfer the IP address to your routers and drop all packets coming from that machine for a period of time (say 2 days).

Ta da.. Suddenly you've stopped all the excess traffic that is happening from these infected machines probing your network.

Better yet, why aren't they turning off the connections of machines that are infected and thus generate the majority of the traffic on their network?

Road Runner in NYC is getting a ton of traffic (mainly ARP requests from the machines looking for hosts) because of Code Red. No packet loss though.
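Two posters above describe the defender's side of this by hand: pulling the list of infected hosts out of Apache logs to hand to the ISP, and having the ISP mark probing sources and drop their traffic for a couple of days. The script below is an added example (not any poster's code) that does both over constructed Apache combined-format log lines; the request-path signatures it matches (the worm's `/default.ida?...` probe and the `/scripts/root.exe` backdoor check seen in the telnet session above) are from the public Code Red write-ups, and the hold period of 2 days is the one suggested in the thread.

```python
"""Extract Code Red probe sources from Apache logs and build an expiring block list.

Added example, not from the thread. Assumes Apache combined log format and the
publicly documented Code Red request paths. All log lines here are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Combined log format: host ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Paths a web server never serves legitimately; only an infected host (or a
# backdoor probe) requests them.  /default.ida?... is the worm's own probe.
CODE_RED_PATHS = ("/default.ida", "/scripts/root.exe")

# Constructed sample log; 24.163.x.x echoes a cable network named in the thread.
SAMPLE_LOG = [
    '24.163.0.10 - - [07/Aug/2001:22:47:22 +0000] "GET /default.ida?XXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 280 "-" "-"',
    '24.163.0.10 - - [07/Aug/2001:23:01:05 +0000] "GET /default.ida?XXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 280 "-" "-"',
    '198.51.100.7 - - [07/Aug/2001:23:02:41 +0000] "GET /scripts/root.exe HTTP/1.0" 404 280 "-" "-"',
    '192.0.2.5 - - [07/Aug/2001:23:03:00 +0000] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
]

def is_code_red_probe(line):
    """True when the request path matches one of the known Code Red signatures."""
    m = LOG_RE.match(line)
    return bool(m) and m.group("path").lower().startswith(CODE_RED_PATHS)

def probe_sources(lines):
    """Probe count per source address: the 'list of every infected user'
    a poster wants to hand to the ISP."""
    hits = Counter()
    for line in lines:
        if is_code_red_probe(line):
            hits[LOG_RE.match(line).group("host")] += 1
    return hits

def block_list(lines, hold=timedelta(days=2)):
    """Map each probing source to the ISO time its block should expire:
    last probe seen plus the hold period (the thread suggests 2 days)."""
    last_seen = {}
    for line in lines:
        if is_code_red_probe(line):
            m = LOG_RE.match(line)
            seen = datetime.strptime(m.group("ts"), TS_FMT)
            last_seen[m.group("host")] = max(last_seen.get(m.group("host"), seen), seen)
    return {host: (t + hold).isoformat() for host, t in last_seen.items()}

if __name__ == "__main__":
    for host, n in probe_sources(SAMPLE_LOG).most_common():
        print(f"{host}\t{n} probes\tblock until {block_list(SAMPLE_LOG)[host]}")
```

Feed it a real access log instead of SAMPLE_LOG and the output is the per-source probe count plus the expiry a router ACL or firewall rule would be given; the benign `/index.html` request is left alone.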