
Not 300zx Related IT Security Again..... :)

Having only installed 2 days ago a web server running Windows 2000/IIS5, and not having had a chance to patch, we have been infected with the .ida "Code Red" worm.

 

Having looked thru the MS site and eEye there seems to be a little confusion as to whether we need to do a clean re-install.

 

Any of you guys know if a re-boot and patch is sufficient? It looks as if it only runs in memory.

 

More details at http://www.eeye.com/html/Research/Advisories/AL20010717.html

 

F***ing Arse

 

Cheers

 

Martin

Featured Replies

Bloody Microshaft (nicked from Glen I think!)... install Unix and then you won't have any mainstream, common virus problems! Sorry Martin, not very constructive but you know it makes sense.

 


 

Tim

;-)

 

...better still, install Solaris, then for a negotiated fee I will come and administer it for you (surf the web all day!), sorted!

 


 

Tim

;-)

 

So who's a tw@t for not taking IT security seriously then !

 

(Guess what my job is ;-) )

 

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS
Indexing Service DLL

Original release date: July 19, 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.

 

Systems Affected

Systems running Microsoft Windows NT 4.0 and Windows 2000 with IIS 4.0
or IIS 5.0 enabled

Overview

The CERT/CC has received reports of new self-propagating malicious
code that exploits certain configurations of Microsoft Windows
susceptible to the vulnerability described in CERT advisory CA-2001-13
Buffer Overflow In IIS Indexing Service DLL. These reports indicate
that the "Code Red" worm may have already affected as many as 225,000
hosts, and continues to spread rapidly.

 

Description

In examples we have seen, the "Code Red" worm attack proceeds as
follows:

* The victim host is scanned for TCP port 80 by the "Code Red" worm.

* The attacking host sends a crafted HTTP GET request to the victim,
  attempting to exploit a buffer overflow in the Indexing Service
  described in CERT advisory CA-2001-13

* If the exploit is successful, the worm begins executing on the
  victim host. Initially, the existence of the c:\notworm file is
  checked. Should this file be found, the worm ceases execution.

* If c:\notworm is not found, the worm begins spawning threads to
  scan seemingly random IP addresses for hosts listening on TCP port
  80, exploiting any vulnerable hosts it finds.

* If the victim host's default language is English, then after 100
  scanning threads have started and a certain period of time has
  elapsed following infection, all web pages served by the victim
  host are defaced with the message

      HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

* If the victim host's default language is not English, the worm
  will continue scanning but no defacement will occur.

 

System Footprint

The "Code Red" worm can be identified on victim machines by the
presence of the following string in IIS log files:

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a

Additionally, web pages on victim machines may be defaced with the
following message:

HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

The text of this page is stored exclusively in memory and is not
written to disk. Therefore, searching for the text of this page in the
file system may not detect compromise.

 

Network Footprint

A host running an active instance of the "Code Red" worm scans random
IP addresses on port 80/TCP looking for other hosts to infect.

Additional detailed analysis of this worm has been published by eEye
Digital Security at http://www.eeye.com.

 

Impact

In addition to web site defacement, infected systems may experience
performance degradation as a result of the scanning activity of this
worm.

Non-compromised systems and networks that are being scanned by other
hosts infected by the "Code Red" worm may experience severe denial of
service. This occurs because each instance of the "Code Red" worm uses
the same random number generator seed to create the list of IP
addresses it scans. Therefore, all victim hosts scan the same IP
addresses.

Furthermore, it is important to note that while the "Code Red" worm
appears to merely deface web pages on affected systems and attack
other systems, the IIS indexing vulnerability it exploits can be used
to execute arbitrary code in the Local System security context. This
level of privilege effectively gives an attacker complete control of
the victim system.

 

Solutions

The CERT/CC encourages all Internet sites to review CERT advisory
CA-2001-13 and ensure workarounds or patches have been applied on all
affected hosts on your network.

If you believe a host under your control has been compromised, you may
wish to refer to

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

 

Reporting

The CERT/CC is interested in receiving reports of this activity. If
machines under your administrative control are compromised, please
send mail to cert@cert.org with the following text included in the
subject line: "[CERT#36881]".

______________________________________________________________________

Author(s): Roman Danyliw and Allen Householder
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-19.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

 

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History
Jul 19, 2001: Initial release

 

-----BEGIN PGP SIGNATURE-----


-----END PGP SIGNATURE-----

I have been infected by this worm, what can I do?

------------------------------------------------

The first thing you must do is go to the Microsoft security site, as referenced above, and install the .ida patch as soon as possible. The worm will remain in memory until you reboot your server so make sure to reboot after installing the .ida patch.
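A small log-scanning example, added here and not part of the thread or the CERT advisory: it looks for the /default.ida signature from the advisory's "System Footprint" section in constructed IIS-style log lines and counts probes per source address. The log layout it parses is a simplified assumption, not the real IIS W3C format.

```python
"""Flag "Code Red" probe requests in IIS access-log lines (added example, not
from the thread or the CERT advisory). Assumes a simplified, constructed log
layout rather than the real IIS W3C layout: date time client-ip method uri status."""
import re
from collections import Counter

# Signature from CA-2001-19: GET /default.ida with a query made of a long run
# of "N" followed by %uXXXX escapes. Requiring 50+ N's is an assumption chosen
# so truncated log lines still match; the worm's own request used far more.
CODE_RED_RE = re.compile(r"/default\.ida\?N{50,}(?:%u[0-9a-fA-F]{4})+")

# Constructed probe URI modelled on the advisory's string.
PROBE_URI = ("/default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u9090"
             "%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

# Constructed sample log: two benign requests, one benign .ida request, and
# three probes (two from the same source address, one answered with 404).
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri sc-status",
    "2001-07-19 10:12:01 192.0.2.10 GET /default.htm 200",
    f"2001-07-19 10:12:44 198.51.100.7 GET {PROBE_URI} 200",
    "2001-07-19 10:13:02 192.0.2.11 GET /default.ida?name=test 200",
    f"2001-07-19 10:14:09 198.51.100.7 GET {PROBE_URI} 200",
    f"2001-07-19 10:15:30 203.0.113.5 GET {PROBE_URI} 404",
])

def is_code_red_request(uri):
    """True if the request URI carries the Code Red .ida overflow signature."""
    return CODE_RED_RE.search(uri) is not None

def scan_iis_log(log_text):
    """Return one record per log line matching the signature. A 200 status only
    shows IIS answered the request, not that the overflow succeeded, so every
    hit still deserves the patch-and-reboot treatment described above."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line or line.startswith("#"):
            continue  # skip W3C header/comment lines
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line, cannot be a match
        _date, _time, client_ip, method, uri, status = fields[:6]
        if method.upper() == "GET" and is_code_red_request(uri):
            hits.append({"line": line_no, "ip": client_ip, "status": status})
    return hits

def scanning_sources(hits):
    """Count probes per source IP; repeat sources are probably infected hosts."""
    return Counter(h["ip"] for h in hits)
```

Run against the sample it reports lines 3, 5 and 6, with 198.51.100.7 probing twice; on a real server, point it at the IIS log directory after the patch-and-reboot step to see whether any probes reached the box before it was patched.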

 

 

 

  • Author

oh I know, but....... what can i say, i am a developer not an security expert smile.gif

 

luckily there is only one site on the box at present and this is not live yet.

 

Timmy, suppose i could have a go at doing our sites with chillisoft asp and run on unix, but then i would have to pay you for unix/solaris administration frown.gif

 

Andy, what would you recommend?

 

1. patch and reboot (already done)

2. rebuild while still possible

 

Cheers

  • Author

Hi Craig

 

As suggested "The first thing you .."

 

I have now done this, but is more action needed?

  • Author

cheers guys, god all this IT stuff, I think i want to become a gardener, fresh air, sunshine, smell of flowers and no hassles smile.gif

Let this be a lesson to you. BEFORE you install new toys, evaluate the risk - you got off lightly !

 

Andy

 

PS And always do everything the IT Security guys tell you ! smile.gif

And remember the "B" word - BACKUP. It's no use ringing IT On Call at 2 in the morning to say that your server has smoke coming out of the back of it oh and by the way, nothing works and expect them to give you a new server with all your data on if your HDDs are fragged and you don't possess a working, recent backup.

 

It's also a thumping good idea to Ghost servers / machines up to the network / backup facility before you play around with them so that if anything goes belly up and you don't have time to fiddle, just ramp the image back down onto the server. And try again when you have more time / know what went wrong the first time.

 

Not that I speak from personal experience at all biggrin.gif

 

[This message has been edited by Ajay (edited 20-07-2001).]

  • Author

Craig

 

Perhaps on second thoughts this is blighty and the sun doesn't shine and there is no fresh air LOL smile.gif

 

Andy and Ajay

Thanks guys and gals. We have now passed on the security management to our ISP, seemed easier/better. The big B 4 backup is all in place.

 

Cheers

Martin

Martin - and what makes you think your ISP will be any better at security smile.gif

 

Still - at least you have someone else to blame wink.gif

 

------------------

Az

Lock your computer in a room with a 1 metre thick, huge steel door and no outside connections. Then your computer will be safe!

 

wink.gif

 

Stuart

It is true that the only way to have a 100% secure computer system is to do just that..

 

And another thing.. Why.. Why... *Why*.. do people still insist on running attachments that they aren't expecting!? That's four instances of the Sircam@mm.worm that Antigen has picked up today... (sigh) Users! wink.gif

 

------------------

Az

Well bugger my back orifice with a number 27 netbus.... you lot astound me .. you can figure all this shit out but are shankered when it comes to changing a Knock Sensor - I see a slow down in the technology sector and a massive growth in the Silvia Engineering Markets.

Yours with a dose of Guru Meditations.

Glen

Glen - some of us can do both m8 wink.gif

 

Ahhh Guru Meditations... Damn that brings back memories!
