August 7, 2001

F*** you, Code Red

Author: JT Smith

- by Tina Gasperson -
My firewall logs are bigger ... I mean, longer ... I mean, more verbose than yours. Comparisons are rife across the 'Net among those non-Windows users for whom Code Red is nothing more than a curiosity. One guy even wrote a Perl script to log Code Red scans and warn offenders.That script was posted on the comp.os.linux.security newsgroup. Here's how it begins (with expletives deleted):

#!/usr/bin/perl

print <END;
Content-type: text/html

<HTML><TITLE>Error</TITLE><BODY>
<H1>F*** you, code red...</H1>
No, I am no IIS... bad luck, CODE RED!<BR>
You have been LOGGED, LOGGED and LOGGED!!!!!!!!!!!!!!!!!<P>

<A HREF="http://www.amishrakefight.org/gfy/">Go f*** yourself!</A>
</BODY></HTML>
END

Not everyone is out to flame scanners, though. Some of the conversations simply noted increasing numbers of the offending scans. In typical pissing contest fashion, those who'd received more scans were the coolest. "Why are you getting more Code Reds than I? Do you have multiple IPs? Aren't they randomly chosen, so everyone should get equally many?" was one lament seen by a dribbler in the Code Red races.

Geeks are curious folk, so its no surprise they are examining Code Red and considering the possibilities; no matter that it is a Windows problem. It is an equal opportunity visitor, knocking on all doors. When it shows up, some hackers can't help but grab it and inspect closely.

Some people are starting to share their observations about the worm that infects systems running Windows 2000 or IIS. "I set up apache on my home machine to count the attempts. What is interesting is that within 10 seconds of starting apache and
tail -f'ing the access_log, I had 1 attempt. Now suppose I was
setting up a Win 2000 machine from the install CD. Chances are
I (and probably most new installs) would be infected before they
have a chance to patch the system," wrote one LUG list participant.

Collectors of Code Red-infected IPs are also noticing certain broadband ISPs are getting hit hard. Understandably, the worm seems to travel fastest within its own IP block, which could cause big problems for cable networks. In fact, subscribers to broadband are starting to get letters like this one from the Road Runner system in Tampa Bay, Fla.:

ROAD RUNNER ALERT

VIRUS ALERT.  YOUR IMMEDIATE ACTION IS REQUIRED.

Dear Road Runner Subscriber:

Road Runner, like many other ISPs and indeed the entire Internet, has
today experienced an attack on its network which is apparently
attributeable to the Code Red virus.  It is possible that this virus has
infected the PC's of Road Runner's subscribers using the Microsoft
Windows NT or Microsoft Windows 2000 operating systems.  Infected PC's
may continue to flood the Internet and Road Runner's network with virus
generated messages (even without your being aware of it).

Road Runner is working to alert all of its subscribers to this problem
and to instruct them on where to find and install the patch necessary to
eliminate the virus.  In the meantime, Road Runner subscribers may
experience slow network response, flashing connectivity lights on the
cable modem, and other symptoms (such as unusual port scan log activity
or increased firewall activity) while Road Runner and the Internet
community work to control the impact of this virus.

IF YOUR PC IS RUNNING WINDOWS 2000 OR WINDOWS NT, PLEASE IMMEDIATELY
DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE
(www.microsoft.com/security) AND RESTART YOUR PC.

IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOUR
ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

We ask for your patience while Road Runner continues to work with the
Internet community to address this virus.

Thank you.

Road Runner Security

One guy set up a site on his cable connection that shows a real time log of Code Red scans and the accompanying IPs. Rinse and reload to get a picture of just how frequently the worms are hitting.

Kai Lien, a Tampa, Fla., technology consultant, got curious about Code Red after he was "bombarded with a few thousand hits over the weekend." He took it upon himself to read up on the worm and do some thinking. He realized that his logs had provided him with a ready collection of IPs from compromised machines, because Code Red scans only come from systems that have been infected.

"In essence, my Apache log is telling me which machines I can easily manipulate. In a round about way, I have a honey-pot box for compromised machines," says Lien.

It's kind of a black-hatted honey-pot, one that would be most helpful for crackers. Instead of scanning IP blocks looking for vulnerable systems, all they'd have to do is set up a Linux system and collect IPs for a few hours. Says Lien: "Although I would not do it, any 'hacker' could easily damage those compromised machines with something as simple as this:
get /scripts/root.exe?/c+any_dos_command+c:\
."

In other words, a machine that has been infected by Code Red is now open to attacks from all sides.

Lien says because of the Code Red problems, the time is ripe for pushing Linux as a secure alternative to Windows for servers. "This is a great time to let people know that with Linux they don't have to worry about this problem," he says. "Of course, it's a great time for 'hackers' to start using Linux, too."

Category:

  • Linux
Click Here!