
F*** you, Code Red

Author: JT Smith

by Tina Gasperson
My firewall logs are bigger … I mean, longer … I mean, more verbose than yours. Comparisons are rife across the ‘Net among those non-Windows users for whom Code Red is nothing more than a curiosity. One guy even wrote a Perl script to log Code Red scans and warn offenders. That script was posted on the comp.os.linux.security newsgroup. Here’s how it begins (with expletives deleted):

#!/usr/bin/perl

print <<END;
Content-type: text/html

<HTML><TITLE>Error</TITLE><BODY>
<H1>F*** you, code red...</H1>
No, I am no IIS... bad luck, CODE RED!<BR>
You have been LOGGED, LOGGED and LOGGED!!!!!!!!!!!!!!!!!<P>

<A HREF="http://www.amishrakefight.org/gfy/">Go f*** yourself!</A>
</BODY></HTML>
END

Not everyone is out to flame scanners, though. Some of the conversations simply noted increasing numbers of the offending scans. In typical pissing contest fashion, those who’d received more scans were the coolest. “Why are you getting more Code Reds than I? Do you have multiple IPs? Aren’t they randomly chosen, so everyone should get equally many?” was one lament seen by a dribbler in the Code Red races.

Geeks are curious folk, so it’s no surprise they are examining Code Red and considering the possibilities; no matter that it is a Windows problem. It is an equal opportunity visitor, knocking on all doors. When it shows up, some hackers can’t help but grab it and inspect closely.

Some people are starting to share their observations about the worm that infects systems running Windows 2000 or IIS. “I set up apache on my home machine to count the attempts. What is interesting is that within 10 seconds of starting apache and tail -f’ing the access_log, I had 1 attempt. Now suppose I was setting up a Win 2000 machine from the install CD. Chances are I (and probably most new installs) would be infected before they have a chance to patch the system,” wrote one LUG list participant.

Collectors of Code Red-infected IPs are also noticing certain broadband ISPs are getting hit hard. Understandably, the worm seems to travel fastest within its own IP block, which could cause big problems for cable networks. In fact, subscribers to broadband are starting to get letters like this one from the Road Runner system in Tampa Bay, Fla.:

ROAD RUNNER ALERT

VIRUS ALERT.  YOUR IMMEDIATE ACTION IS REQUIRED.

Dear Road Runner Subscriber:

Road Runner, like many other ISPs and indeed the entire Internet, has
today experienced an attack on its network which is apparently
attributable to the Code Red virus.  It is possible that this virus has
infected the PC's of Road Runner's subscribers using the Microsoft
Windows NT or Microsoft Windows 2000 operating systems.  Infected PC's
may continue to flood the Internet and Road Runner's network with virus
generated messages (even without your being aware of it).

Road Runner is working to alert all of its subscribers to this problem
and to instruct them on where to find and install the patch necessary to
eliminate the virus.  In the meantime, Road Runner subscribers may
experience slow network response, flashing connectivity lights on the
cable modem, and other symptoms (such as unusual port scan log activity
or increased firewall activity) while Road Runner and the Internet
community work to control the impact of this virus.

IF YOUR PC IS RUNNING WINDOWS 2000 OR WINDOWS NT, PLEASE IMMEDIATELY
DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE
(www.microsoft.com/security) AND RESTART YOUR PC.

IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU
ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

We ask for your patience while Road Runner continues to work with the
Internet community to address this virus.

Thank you.

Road Runner Security

One guy set up a site on his cable connection that shows a real time log of Code Red scans and the accompanying IPs. Rinse and reload to get a picture of just how frequently the worms are hitting.
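
The counting these log watchers describe can be done on any Apache access_log. The following is an added example, not the newsgroup script or code from anyone quoted here; it assumes Common Log Format and uses the widely documented `/default.ida?` request with N or X padding as the signature (the article does not give it). The sample lines and addresses are constructed, and the locality counts show how many scanning hosts share the observer's /8 and /16.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format prefix: client, ident, user, [time], "METHOD path ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)')

# Constructed sample lines (documentation/benchmark addresses, padding shortened).
SAMPLE_LOG = [
    '198.51.100.23 - - [05/Aug/2001:10:00:03 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276',
    '198.18.0.5 - - [05/Aug/2001:10:00:41 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '203.0.113.5 - - [05/Aug/2001:10:01:12 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276',
    '198.51.100.23 - - [05/Aug/2001:10:02:30 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276',
    '192.0.2.44 - - [05/Aug/2001:10:02:59 -0400] "GET /index.html HTTP/1.0" 200 1043',
    'host.example - - [05/Aug/2001:10:03:10 -0400] "GET /scripts/root.exe?/c+any_dos_command+c: HTTP/1.0" 404 280',
]

def classify(path):
    """Label a request path; None means unrelated traffic."""
    lower = path.lower()
    if lower.startswith("/default.ida?"):
        # First padding byte separates the variants: N = Code Red, X = Code Red II.
        pad = path.split("?", 1)[1][:1]
        return {"N": "code-red", "X": "code-red-ii"}.get(pad, "ida-other")
    if lower.startswith("/scripts/root.exe"):
        return "root.exe-probe"  # backdoor path quoted later in the article
    return None

def summarize(lines, my_ip):
    """Count worm requests per label and source; measure address locality."""
    net8 = ipaddress.ip_network(f"{my_ip}/8", strict=False)
    net16 = ipaddress.ip_network(f"{my_ip}/16", strict=False)
    labels, sources = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        label = classify(m.group(2)) if m else None
        if label:
            labels[label] += 1
            sources[m.group(1)] += 1
    addrs = []
    for src in sources:
        try:
            addrs.append(ipaddress.ip_address(src))
        except ValueError:
            pass  # logged as a hostname (HostnameLookups on); skip locality
    return {"labels": dict(labels), "sources": dict(sources),
            "same_slash8": sum(a in net8 for a in addrs),
            "same_slash16": sum(a in net16 for a in addrs)}
```

Calling `summarize(SAMPLE_LOG, "198.51.100.10")` treats 198.51.100.10 as the observer's own address; on a live server, pass the lines of the real access_log instead.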

Kai Lien, a Tampa, Fla., technology consultant, got curious about Code Red after he was “bombarded with a few thousand hits over the weekend.” He took it upon himself to read up on the worm and do some thinking. He realized that his logs had provided him with a ready collection of IPs from compromised machines, because Code Red scans only come from systems that have been infected.

“In essence, my Apache log is telling me which machines I can easily manipulate. In a round about way, I have a honey-pot box for compromised machines,” says Lien.

It’s kind of a black-hatted honey-pot, one that would be most helpful for crackers. Instead of scanning IP blocks looking for vulnerable systems, all they’d have to do is set up a Linux system and collect IPs for a few hours. Says Lien: “Although I would not do it, any ‘hacker’ could easily damage those compromised machines with something as simple as this:
get /scripts/root.exe?/c+any_dos_command+c:
.”

In other words, a machine that has been infected by Code Red is now open to attacks from all sides.

Lien says because of the Code Red problems, the time is ripe for pushing Linux as a secure alternative to Windows for servers. “This is a great time to let people know that with Linux they don’t have to worry about this problem,” he says. “Of course, it’s a great time for ‘hackers’ to start using Linux, too.”


Internet surge in Asia

Author: JT Smith

BBC: “The Asia-Pacific region is set to overtake the United States as the world’s largest internet market in two years, according to a US-based research firm.

Led by China and Japan, the region will have 183.3 million internet subscribers in 2003, compared with 162.8 million in the US, and 162.2 million in western Europe, according to projections by Gartner Dataquest analysts.”

Companies hacked on average six or more times each year

Author: JT Smith

Lexis-nexis.com: “A survey of American companies reveals that not only are companies’ networks being attacked six or more times per year, but these attacks are becoming increasingly criminal in nature, compromising private information, destroying valuable data and exposing businesses to significant liability.

Further, government networks were identified as being the most “at risk.”


Web sites prey on rivals’ stores

Author: JT Smith

CNET: “One e-tailer that’s been bitten is 1800Flowers.com. When certain Web surfers visit the site to browse for bouquets, a pop-up ad appears for $10 off at chief rival FTD.com. The same sort of thing happens at AmericanAirlines.com, where a Delta Airlines promotion is waiting in the wings.”


Google CEO means business

Author: JT Smith

The Standard: “One thing about Eric Schmidt’s new position at the helm of the popular search-engine service Google strikes him as funny: He got the job because of his business acumen – not his technical expertise.”


Who will buy Be, Inc.?

Author: JT Smith

Kelly McNeill writes: “The Internet rumor mill has been buzzing once again, as recent reports have suggested that struggling Be, Inc. has found a buyer. Similar stories have been floating around the Internet for several months now, but talk of the Be buyout kicked into high gear last week after the company made yet another round of sweeping layoffs which reportedly were part of the supposed buyout agreement. While Be hasn’t made any official statement on the topic, industry analysts have held up a few likely contenders for the rumored buyout.”


Sklyarov: A huge sigh of release

Author: JT Smith

Wired: “Computer hackers and free-speech activists were pleased with the release of accused DMCA scofflaw Dmitry Sklyarov, and vow to continue working to get the law changed.”


Tech sector could learn from the ’80s

Author: JT Smith

CNET: “No, not the Atari, big hair, Flock of Seagulls and Ronald Reagan version of the 1980s. The 1980s that witnessed tech stocks founder for about five years from 1984 to 1989.”


Feds say spy tool is a secret

Author: JT Smith

Wired: “Revealing information about a classified surveillance technique would threaten national security and put government agents at risk, say U.S. government attorneys.”

CURL merges HTML and Javascript

Author: JT Smith

CNN: “The Software Development Forum audience in the Palo Alto, Calif., Cubberly community center was one tough crowd. Before attempting to sell the hard-core programmers on his groundbreaking Curl software, Brent Young made sure his company’s pedigree was high in his PowerPoint display. There on the second slide, listed as a founder, was “Tim Berners-Lee, inventor of World Wide Web.”