Are Code Red attacks continuing?

handy, if you’re getting emails with an infected attachment, you’re probably getting the SirCam virus and you’re definitely not getting the Code Red worm. Code Red does not spread through email.
Code Red affects anyone running Microsoft IIS, which is a web server found in products like Windows 2000 but not Windows 98 or lower. Many people have IIS installed on their home computers and do not realize it.

Aaah … I’m still running Win98 at home. THAT explains why I haven’t seen any Code Red weirdness at home.

What a relief! Thanks for the info, all.

Note: Windows 2000 Professional does not contain IIS unless you’ve explicitly added it. If you’re running Windows 2000 Server and you don’t know you’ve got IIS, you’ve probably chosen the wrong OS to run.

Chas.E wrote

Not True.

True.

Extremely Unlikely.

Whatever you say, Mr. Bill. Except that I’ve pulled IIS off 3 people’s PCs this week and none of them knew they had installed it.

And, of course, IIS can be added to NT via the Option Pack, freely available for download.

As to the OP…you’re damn right they are. The UnaBoard was attacked more than 12,000 times overnight alone, and while I run Apache and thus am immune to infection/destruction, it still tied up my bandwidth and made my server work far, far harder than it normally would have. I had to ban another 800,000 IPs at the firewall.

Which does not in itself mean anything other than they might be pretty stupid users, or whoever set up their PCs may have chosen to add the option of IIS during the install process. In my office, likely 50% of the people here don’t know that they have PowerPoint or AutoCad installed as part of our “standard corporate desktop” setup. And when you get a “standard corporate desktop” setup, nearly 2 GB of unneeded software is automatically installed (and many of the programs set to run automatically), whether you want them or not. One thing I help people do in my spare time is to remove these unneeded piles of electronic junk from their PCs.

Since my last reboot yesterday morning, my home machine (NT 4 Server + IIS) has been the subject of 430 connection attempts on port 80. The log files confirm that all of these are Code Red attempts.

I had the patch in place the day MS announced the vulnerability, so the only problem has been the saturation of my cable modem’s system with traffic, which, for a few days, amounted to a denial of service attack against me.

I think at least one variant of Code Red creates ARP broadcasts in addition to explicit random IP address attacks - the volume of IP traffic alone wouldn’t have been enough to cause problems, but I think my genius ISP permits ARP broadcasts across or within their subnets.

Short answer: yes, it’s still cooking. I sent my log files to my ISP with a terse note suggesting the attacking IP addresses should be cut off until they’ve fixed their infections.

  • Rick
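One way to run the log check the post above describes, as an added example that is not part of the original thread: it reads IIS W3C extended log lines, flags requests for /default.ida padded with a long run of N (Code Red) or X (Code Red II), and counts them per source address so the list can be sent to an ISP. The field layout, sample lines and addresses are constructed, and the 100-character padding threshold is an assumption.

```python
import re
from collections import Counter

# Code Red requests /default.ida with a long run of one padding character:
# 'N' for the original worm, 'X' for Code Red II. Threshold is an assumption.
PADDING = re.compile(r"^(N{100,}|X{100,})")
VARIANT = {"N": "Code Red", "X": "Code Red II"}

def parse_w3c(lines):
    """Yield one dict per request from an IIS W3C extended log."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows below
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or odd rows
                yield dict(zip(fields, values))

def code_red_probes(lines):
    """Return {variant name: Counter(source IP -> number of probes)}."""
    hits = {}
    for row in parse_w3c(lines):
        if row.get("cs-uri-stem", "").lower() != "/default.ida":
            continue
        match = PADDING.match(row.get("cs-uri-query", ""))
        if match:
            variant = VARIANT[match.group(1)[0]]
            hits.setdefault(variant, Counter())[row.get("c-ip", "?")] += 1
    return hits

# Constructed sample log: documentation-range addresses, padding only
# (real requests carry more data after the padding).
SAMPLE_LOG = [
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-07 03:12:44 192.0.2.10 GET /default.ida " + "N" * 224 + " 200",
    "2001-08-07 03:15:02 203.0.113.5 GET /index.html - 200",
    "2001-08-07 03:20:19 198.51.100.7 GET /default.ida " + "X" * 224 + " 200",
    "2001-08-07 03:41:57 192.0.2.10 GET /default.ida " + "N" * 224 + " 200",
    "2001-08-07 03:50:00 203.0.113.5 GET /default.ida NNNN 404",  # too short
]

if __name__ == "__main__":
    for variant, sources in code_red_probes(SAMPLE_LOG).items():
        for ip, count in sources.most_common():
            print(f"{variant}: {ip} sent {count} probe(s)")
```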

And if your ISP is as competent as SW Bell (my ISP), you likely got a short e-mail back asking:

“First step. Is your computer on? Do you know where the power switch is?..” :rolleyes:

I thought we got rid of you. I ask an actual, REAL LIVE COAL QUESTION on your board last night and NOT ONLY do I not get an answer, but I find you gallivanting around the SDMB.

Well, I never!

:wink: