I considered posting this under MPSIMS, but then I decided that General Questions would be better. I’m the moderator of a message board hosted by http://www.wantsomegetsome.net . Well, due to the Code Red Virus, this server is blocking any IPs that are coming from a certain range. To quote:
My IP begins with 66, but for some reason it’s affecting me as well. I can’t access any web site hosted by this server. This started last night, and I’m getting really frustrated. Aren’t the Code Red attacks over? How long will I get shut out?
FWIW to you, pal, I just got hammered by one that’s not even making the news. The W32.Magistr.24876@mm virus is a nasty one, and it’s not a one trick pony. It’s an email worm that, of course, sends itself to everyone whose address you’ve got, deletes your hard drive, flushes your CMOS, flashes your BIOS and calls you a piece (well, to be accurate, a chunk) of s*** to boot.
Yes, I’m seeing several attacks per minute on the @Home cable network. Some portions of the @Home net have disabled port 80 access to slow the worm down. However, this is not the worst part of the worm’s activity. The network is bogged down with bogus ARP requests aimed at random IPs, most of which do not exist. These requests are clogging up the net a bit.
For statistics on the spread of the worm, go here:
Oh, I forgot to mention… You may find http://www.incidents.org of interest, it is tracking other aspects of the worm, such as the ARP flooding caused by the worm.
That’s right. There’s a new strain called Code Red II. This one is more malicious, since it’ll allow anybody to take control of the machine and do as they wish (download files, delete the hard disk, whatever). I work at a network security scanning company, and this Code Red thing is definitely a marketing gold mine for us.
Well, I’m now able to access Comicboards.com and any other site hosted by http://www.wantsomegetsome.net , but it’s clear from your posts that these attacks are far from over. I’ll keep my eyes peeled…
As of this morning, my home machine on a residential DSL service had gotten a nice big pile of them. Haven’t been home yet to see what the error log for my webserver looks like (I’m running Xitami). I suspect there are some more instances of “Get /default.ida?XXXXXXXX …” cluttering it up. There seem to be some using X’s to generate the buffer overflow, and some using N’s. Actually, I noticed a few of these in my logs a couple weeks ago, I think, before “Code Red” hit the news. Well, now it’s got a name, and there’s more of them.
In a way, I’m glad I’m running a webserver, or I’d have zonealarm reporting the damned things, I suppose - I’d have to turn off the little notification balloons.
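The log entries described in the post above are easy to pick out by machine. The following is an added example, not code from any poster in this thread: it scans access-log lines in NCSA common log format for the Code Red probe shape (a GET for /default.ida with a long run of N's or X's before the encoded payload) and tallies them by filler character and source address. The log lines are constructed for the example and shortened (real probes carried a run of a couple of hundred filler characters); the threshold of 20 filler characters and the helper names are the example's own choices.

```python
import re
from collections import Counter

# Constructed sample access-log lines (NCSA common log format). These are not
# real captures; they only reproduce the request shape the post describes.
N_FILL = "N" * 40
X_FILL = "X" * 40
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [05/Aug/2001:03:12:44 -0500] "GET /index.html HTTP/1.0" 200 1342',
    f'10.0.0.9 - - [05/Aug/2001:03:13:01 -0500] "GET /default.ida?{N_FILL}%u9090%u6858 HTTP/1.0" 404 276',
    f'10.0.0.12 - - [05/Aug/2001:03:13:20 -0500] "GET /default.ida?{X_FILL}%u9090%u6858 HTTP/1.0" 404 276',
    f'10.0.0.9 - - [05/Aug/2001:03:14:02 -0500] "GET /default.ida?{N_FILL}%u9090 HTTP/1.0" 404 276',
    # A bare request for /default.ida with no filler is not an overflow attempt.
    '10.0.0.7 - - [05/Aug/2001:03:15:00 -0500] "GET /default.ida HTTP/1.0" 404 276',
])

# One access-log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d+)'
)

# The probe: /default.ida?<long run of N or X>... The minimum run length of 20
# is an arbitrary choice for this example; real probes were far longer.
PROBE_RE = re.compile(r'^/default\.ida\?(?P<fill>N{20,}|X{20,})', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(log_text):
    """Return one record per Code Red-style probe found in the log text."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"].upper() != "GET":
            continue
        m = PROBE_RE.match(rec["path"])
        if m:
            probes.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "fill": m.group("fill")[0].upper(),  # 'N' or 'X'
                "status": int(rec["status"]),
            })
    return probes


def summarize(probes):
    """Count probes by filler character and by source IP."""
    return {
        "by_fill": Counter(p["fill"] for p in probes),
        "by_ip": Counter(p["ip"] for p in probes),
    }


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    stats = summarize(found)
    for p in found:
        print(f'{p["ts"]}  {p["ip"]:<12} fill={p["fill"]} status={p["status"]}')
    print("by filler:", dict(stats["by_fill"]))
    print("by source:", dict(stats["by_ip"]))
```

On the sample input this reports two N-filled probes (both from 10.0.0.9) and one X-filled probe, and skips the bare /default.ida request. Counting by source address is what makes the output useful to a defender: a handful of addresses repeating every few minutes is the pattern of infected hosts scanning, and those are the counterparts worth notifying or filtering rather than the individual requests.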
Zonealarm has been blocking port scan attempts on my home (ME, dialup) machine every 2-3 minutes for the past month, including last night. I assume that’s from CR. They do seem to be decreasing in frequency, though… last week, I was getting 15 attempts at once.
I noticed that the http://www.incidents.org website upgraded the level of threat from yellow to orange, just after I posted their link. The next step is red, which means total meltdown of the internet. Another shining moment in Microsoft history.
A minor quibble: this virus didn’t “mutate.” These viruses don’t have self-modifying code or any ability to change on their own. Someone sat down at a keyboard and rewrote it by hand. There were apparently 3 versions of Code Red, and one new variant of Code Red 2.
I read with amusement a report that nobody can update their Microsoft IIS with the patch without getting infected in the process. One person reported being attacked within 10 seconds of going online. So even a fresh install from the CDs would be infected before you could finish downloading the patch.
The standard way to obtain the IIS patch is by downloading it from Microsoft. The only way to download it will expose you to the virus, typically in 10 seconds or less. You would have to download the patch and install it in less than 10 seconds, or else you’d have to be extremely lucky and not be attacked for the duration of the upgrade, which is extremely unlikely, almost impossibly lucky.
Of course, you can just reboot after the patch and eliminate the virus along with activating the preventative measures, but I’m merely commenting on the irony of being forced to expose yourself to the virus in order to prevent it. This is the sort of thing that makes IT managers go crazy.
You specifically said that everyone who downloads the patch will get infected. That’s completely untrue, although you did back-pedal in your following post.
It’s also untrue that users are exposed to Code Red II “typically in 10 seconds or less.”
A machine that is vulnerable to any security flaw must connect to the Internet to download a patch.
It’s a minor nit, but Code Red II is not a virus; it’s a worm.
Simple enough. Physically disconnect the computer from the network before you install the OS. After it’s installed boot the system and disable the WWW service. Reconnect the ethernet connection, set up the network, and reboot. You can then safely download the patch without fear of the virus infecting your computer (since it can only spread over port 80 which is the www service that you have already disabled).
Well, first, “nobody can update without getting infected in the process” makes it sound as though the patching procedure actually infects you. This is not the case. I presume you mean, “if you get online long enough to download the patch, odds are you’ll get infected.” But this is wrong too. Any administrator worth a nickel is either going to a) disable IIS (or better yet, just the indexing service, which is the vulnerable piece) while he downloads the patch, or b) download the patch from a different machine.
You don’t even need to reboot. From the command line:
> net stop /y iisadmin
then download the patch and run it, then:
> net start w3svc
That’s precisely what I meant, but note that I said a default install from CD. Your average shmoe does not know this sort of preventative measure for blocking the virus vector, he just knows that if he reformats and installs fresh from the CD, then downloads the latest service packs and security patches, he’s supposed to be safe from all known viruses and worms. Except he isn’t. With the exceptionally high traffic of attacks, the odds of escaping the attack during the update process are almost infinitesimal. But ultimately, it doesn’t matter, except to the people whose distant machines YOU infected during the short time before your machine was patched and rebooted. Once you’re done, you are updated and safe, almost certain to get infected (briefly) during the process.
I have got about 30 emails with this worm attached or something similar in a week. The people don’t know it’s coming from their computer. One lady wrote me saying she has it on her computer & that explains the ones from her.
I use Agent for reading my email & it’s not affected by the worm because I can see the worm/virus/script attachment before decoding it.
I got another email today with the attachment but I’m gonna email them back & let them know their computer is infected.