An Open Plea to Code Red II Watchers

By 11223 in Internet
Thu Aug 09, 2001 at 02:48:57 PM EST
Tags: Security

I've been dismayed of late when looking through various Linux website admins' "Code Red"-spotting pages. It's not because I feel that giving attention to these things is bad, nor do I feel that reporting statistics on the impact of the worm is a problem. The problem is that a large number of these sites are reporting lists of IPs that are infected (most likely) with the Code Red II worm - the same one that opens the machine to any script kiddie with a working knowledge of the command prompt.


It's almost as if everybody has collectively gone off their rockers. Ordinarily, we wouldn't even consider posting a list of IPs and saying to the world - "Hey! These boxes are easily rooted! Go get 'em!" But the minute the Code Red series of worms gains attention (and spreads rapidly), all of a sudden we want to put up pages on our servers detailing how the scans are coming along.

That's great. I'm running one on my servers. It collects how many new attempts have been made since it was started and determines the average number of seconds between attempts. I watch it from home and show it to my friends - friends don't let friends run IIS.

But why in the world would you publish a list of the IPs that are scanning you, unless you wanted to see further damage done? Right now, we know two things about this worm:

  1. At this stage in the game, most computers that are scanning are infected with Code Red II, not I.
  2. Those that are scanning with Code Red II are easily exploitable via /scripts/cmd.exe and the /c/ drive mappings.

Are you supposed to be displaying a flashing advert that says to the script kiddies of the world, "Here! Come get some!"? Or are everybody's brains just switched off? Are you thinking that the list of IPs will be good for those who have to clean up sites? Well, chances are, IIS site admins aren't watching your page (unless they've already patched and are just watching the fun), and even if you wanted to have a master site to help IIS admins determine their infections, you could maintain a one-way-hashed list of IPs so that malicious parties don't obtain them.

Please, folks, don't cause more trouble than this worm has already caused. Have some common sense, OK?

Feel free to link to this or send it on if you know someone who needs a sanity check.
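The kind of counter the article describes (attempts since start, average seconds between them), as an added example that is not the author's script: it parses constructed NCSA-style access-log lines, picks out the worm's `/default.ida?` probe by its long run of one filler letter, and reports counts and the average interval. The log lines, addresses and the shortened 80-character filler are constructed for the example; the `%u` tail is the fragment quoted from a real log later on this page. The summary deliberately carries no source addresses, which is the article's whole point.

```python
import re
from datetime import datetime

# Constructed access-log sample (NCSA combined format). The worm sends a far longer
# filler run than 80 characters; it is shortened here. The %u tail is the fragment
# quoted from a real log later on this page.
X_FILL = "X" * 80
N_FILL = "N" * 80
TAIL = "%u9090%u6858%ucbd3%u7801=a"
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [09/Aug/2001:10:00:00 +0000] "GET /default.ida?{X_FILL}{TAIL} HTTP/1.0" 404 210 "-" "-"',
    '198.51.100.20 - - [09/Aug/2001:10:00:12 +0000] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"',
    f'203.0.113.9 - - [09/Aug/2001:10:00:30 +0000] "GET /default.ida?{N_FILL}{TAIL} HTTP/1.0" 404 210 "-" "-"',
    f'203.0.113.7 - - [09/Aug/2001:10:01:00 +0000] "GET /default.ida?{X_FILL}{TAIL} HTTP/1.0" 404 210 "-" "-"',
])

# ip, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# The probe: /default.ida? then a long run of a single filler letter (X in the log
# quoted on this page; N accepted as an assumption about the other variant), then %u bytes.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?([XN])\1{50,}.*%u', re.IGNORECASE)


def parse_attempts(log_text):
    """(timestamp, source ip, filler letter) for every line that carries the probe."""
    attempts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than crash
        w = CODE_RED_RE.match(m.group("req"))
        if not w:
            continue  # ordinary request
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        attempts.append((ts, m.group("ip"), w.group(1).upper()))
    return attempts


def summarize(attempts):
    """What the article's page shows: attempt count and average spacing.
    Source addresses are counted but never included in the published result."""
    attempts = sorted(attempts)
    n = len(attempts)
    avg = None
    if n >= 2:
        # mean gap between consecutive attempts == total span / number of gaps
        avg = (attempts[-1][0] - attempts[0][0]).total_seconds() / (n - 1)
    return {
        "attempts": n,
        "distinct_sources": len({ip for _, ip, _ in attempts}),
        "by_filler": {f: sum(1 for _, _, v in attempts if v == f) for f in ("X", "N")},
        "avg_seconds_between": avg,
    }


if __name__ == "__main__":
    print(summarize(parse_attempts(SAMPLE_LOG)))
```

On the sample, the summary reports three attempts from two sources, 30 seconds apart on average; the addresses themselves stay inside the script.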

Poll
How many seconds between CR II attacks on your boxen?
o 0-25 20%
o 25-50 23%
o 50-75 7%
o 75-100 7%
o 100-150 2%
o 150-200 5%
o 200+ 33%

Votes: 39
An Open Plea to Code Red II Watchers | 23 comments (22 topical, 1 editorial, 0 hidden)
And The Lord Says: 'Let the kiddies script...' (4.00 / 5) (#1)
by tomte on Thu Aug 09, 2001 at 01:26:37 PM EST

Let them go down. Let them erase the HDs without mercy, for then maybe the insane M$-IIS admins that didn't manage to patch their systems until now will realize that they are causing great evil to the internet and will turn from Saul to Paul.

I mean, it's not that hard to realize by now that such a thing as Code Red exists, is it?
If security doesn't mean anything to these people, I don't care most of the time; but the ignorance of a threat of this kind that lasts over a few weeks changes pure stupidity into an attack on my server.
If posting an IP address helps to get such a server down for a while, and maybe make the admin realize that he/she has a job that may mean he/she has to work sometimes; I at least reserve the right to think about it....
nevertheless +1 section
--
Funny. There's a brightness dial on the monitor, but the users don't get any smarter.
Really, really bad idea. (3.00 / 1) (#8)
by WombatControl on Thu Aug 09, 2001 at 01:55:09 PM EST

Doing something like that can make you an accessory to a crime, which could be really bad. For some reason, people seem to get really pissed when you delete all their data without them even knowing about it. Especially if they're in a place where they can't get to that server, or they are swamped fixing all the other Code Red problems they've been having.

Believe me, the first reaction of most admins who'd run IIS in the first place would be to sue first and ask questions later. Better to be more subtle, and simply e-mail the webmaster of the domain about the problem.



[ Parent ]
But they are attacking me...by being stupid,ok... (4.00 / 1) (#12)
by tomte on Thu Aug 09, 2001 at 02:52:18 PM EST

> Better to be more subtle, and simply e-mail the webmaster of the domain about the problem.
ha, I could script this, but I suppose a caring admin should just do his/her job, I can't overemphasize it....
if there's a security warning, backed up by at least one trusted site/person, I react and close the hole ASAP...how many weeks has this infection been known?
We are operating on our upper limits and need every bit of performance, and I'm sick of it that every 5 to 10 seconds a bit of performance is stolen....
I don't bash on them for using M$ products, apache has had its fair share of security holes, I want these admins to do their fucking job, nothing more, and I want them to be punished for stupidity, and loss of data is a good punishment for an admin called lazybones....
--
Funny. There's a brightness dial on the monitor, but the users don't get any smarter.
[ Parent ]
So you don't care... (none / 0) (#9)
by ucblockhead on Thu Aug 09, 2001 at 02:31:19 PM EST

I suppose that you won't care if some script-kiddie grabs 1000 of these easily rooted boxes and then launches a DDoS attack on you, right?
-----------------------
This is k5. We're all tools - duxup
[ Parent ]
Yepp, I would care then (none / 0) (#11)
by tomte on Thu Aug 09, 2001 at 02:38:19 PM EST

but a DDoS against my machine isn't really interesting and, as I suppose, not the kind of drive-by cracking a script kid would like to do....
and it's just the anger about servers still being unpatched, uncared for, about people not doing their job properly
--
Funny. There's a brightness dial on the monitor, but the users don't get any smarter.
[ Parent ]
Not *everyone* knows this is an issue (5.00 / 1) (#14)
by xrayspx on Thu Aug 09, 2001 at 04:06:37 PM EST

Here is a comment from Bugtraq Security Basics. I really hope this guy is joking, but just in case he's actually "smart" enough to post to Bugtraq, yet "stupid" enough NOT to read Bugtraq...



I Was looking through my log files this morning and noticed this:
www.aldiss.com 64.50.103.8 - - [08/Aug/2001:11:07:05 +0100] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --snip-- %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 302 576 "-" "-"

Is this an attempt to exploit a buffer overflow flaw ?


"I see one maggot, it all gets thrown away" -- My Wife
[ Parent ]
You know... (3.80 / 5) (#2)
by Farq Q. Fenderson on Thu Aug 09, 2001 at 01:26:57 PM EST

a lot of people hold the opinion that the owners of the infected boxen should be punished, in a natural way.

I think publishing infected IPs is a great thing. If the script kids get in these boxen, then the admins can link their negligence to direct consequences.

Some people are pushing for auto-response scripts that shut down CR infected machines by exploiting the same IIS vulnerability.

farq will not be coming back
That's sad. (4.33 / 3) (#6)
by 11223 on Thu Aug 09, 2001 at 01:34:00 PM EST

The only thing that attitude encourages is a vigilante-style justice, which I hope we all recognize is not the best kind of justice. What if that web server that the script kiddie gets into has *your* credit card on it? Or, maybe, it has your personal information. Or, maybe, it's the DMV's web site, and they're now holding a copy of your traffic offense records.

Those are only some of the practical problems with the vigilante justice, not to mention the ethical problems. Yes, the IIS admins who refuse to secure their machines or can't be bothered are extremely irresponsible. But aren't we, if we publish the infected IPs, partly to blame for what results?

--
The dead hand of Asimov's mass psychology wins every time.
[ Parent ]

caveat (5.00 / 2) (#7)
by theantix on Thu Aug 09, 2001 at 01:48:07 PM EST

While I agree with you completely, they are really doing the damage to themselves; publishing doesn't make much of a difference. Anyone with a webserver (be it a script kiddie, cracker, or an unscrupulous admin) already has an infected IP log themselves, so it would not be much of a difference publishing it except for matters of scope.

And any IIS admin that has not patched their machines at this point deserves to be fired. Or banned from running any sort of server off their Cable/DSL connection. It's damn irresponsible at this point -- it's been in the news for weeks now. You're right -- it would suck if my credit card was swiped, but the card companies take care of the damage for me. It's the risk we take I suppose with any electronic transaction these days.

--
You sir, are worse than Hitler!
[ Parent ]

Okay, fuck it then. (3.00 / 3) (#13)
by Farq Q. Fenderson on Thu Aug 09, 2001 at 03:02:59 PM EST

How about this... no one has to be responsible for anything anymore, is that any better?

Consequences are a big part of learning. You can't really sue these idiots, so there's only one way to teach 'em.

farq will not be coming back
[ Parent ]
The Only Kind Of Justice (4.00 / 1) (#17)
by Nater on Thu Aug 09, 2001 at 07:03:17 PM EST

> The only thing that attitude encourages is a vigilante-style justice, which I hope we all recognize is not the best kind of justice.

This is what happens on all frontiers, whether it's the high seas, the wild west, or the Internet. Until the law can catch up with the frontier, the only justice that is available to the people living on the frontier is vigilante justice.


i heard someone suggest that we should help the US, just like they helped us in WWII. By waiting three years, then going over there, flashing our money around, shagging all the women and acting like we owned the place. --Seen in #tron


[ Parent ]
Shame (4.20 / 5) (#3)
by Nafai on Thu Aug 09, 2001 at 01:28:48 PM EST

Just to be devil's advocate for a bit, wouldn't this help shame the individuals responsible (and they ARE responsible for setting up an insecure web server) into taking their compromised box offline and fixing it?

After all these boxes are just hurting everyone else that takes the time to secure their stuff. (Just look at the ISPs that are blocking port 80 and stuff like that).

(BTW, I'm sure people would be responding differently if it wasn't so widespread.)

And effective force... (4.50 / 2) (#5)
by simon farnz on Thu Aug 09, 2001 at 01:33:46 PM EST

The patch is easily available; anything that encourages people off their backsides is good at this point. It would be very different if the patch were new, or MS's servers overloaded, but the simple fact is that the worm is old, the patch is older, and the servers are available.

In addition, those admins who claim that "Accounts will kill me if we lose 20 mins of uptime to a reboot" now have an argument: "What price 20 mins of uptime vs the losses from the break in?"
--
If guns are outlawed, only outlaws have guns
[ Parent ]

An example of this (4.50 / 4) (#4)
by Maniac on Thu Aug 09, 2001 at 01:33:33 PM EST

That brings to mind the DDOS attack list hosted by Gibson Research Company. There is other stuff at this site that I find interesting, but this kind of information fits what you are talking about. The people who care about security (or perhaps better - breaking security) know about this list. The people who need to fix it don't have a clue it exists (a quick review of the list indicates that less than 1/2 of the admins have contacted GRC after fixing their site).

Invalid assumption at work (4.75 / 4) (#15)
by SlydeRule on Thu Aug 09, 2001 at 04:34:40 PM EST

A collection from various postings...
> maybe the insane M$-IIS admins that didn't manage to patch their systems

> the first reaction of most admins who'd run IIS

> want these admins to do their fucking job

> anger about servers still being unpatched, uncared for, about people not doing their job properly

> the IIS admins who refuse to secure their machines or can't be bothered are extremely irresponsible

> any IIS admin that has not patched their machines at this point deserves to be fired

> they ARE responsible for setting up an insecure web server

Contrary to what everyone is assuming, this is not generally the result of screwed-up admins running unpatched servers. Although there are a few (apparently HotMail got hit) screwed-up admins, most of the IIS servers that are being infected are running without their owner's knowledge.

Somebody simply installed Win2K with "all the goodies" and never realized that part of "all the goodies" is IIS. If you browse to port 80 on those machines, almost all of them still have the default IIS placeholder Web page.

These system owners don't know they're running IIS, they think they're just using Win2K, and so they think that the problem is not relevant to them. This is why Road Runner's letter to its customers told everyone running WinNT or Win2K to install the patch, and didn't say anything about whether you're running an IIS Web server or not.

Water on my mills... (5.00 / 1) (#16)
by tomte on Thu Aug 09, 2001 at 05:56:09 PM EST

as is a proverb here.
Why are these people running W2K or NT when they don't know what they are doing?
To play a little bit, "let's see what this baby can do"?
That's fine with me, but take the machines off the Internet then...
If these aren't production web-servers...well, "spread the word" didn't do it, so it remains the fact that people messing around with computers should at least
  • know what they are installing
  • or
  • block ports of services that are not intended to run, oh wait...
...they don't know what they are doing and are therefore not responsible?
they are the more...and I don't mind someone's private machine crashing (
--
Funny. There's a brightness dial on the monitor, but the users don't get any smarter.
[ Parent ]
Anecdotal Evidence (none / 0) (#21)
by zephiros on Fri Aug 10, 2001 at 01:24:37 PM EST

So I checked out the last ten CR2 machines to hit my server:

7 Windows 2000 Professional, no web site configured
1 Windows NT Server, no web site configured, but with the ominous nbname DATA-SERVER
1 Windows 2000 Server, public web site, DSL hosted
1 Windows 2000 Server, public web site, in a web farm

Another reminder that general purpose, service-exposing, networked systems are still more complex than your toaster.
 
Kuro5hin is full of mostly freaks and hostile lunatics - KTB
[ Parent ]

You can't securely hash IP's (3.50 / 2) (#18)
by rcw on Thu Aug 09, 2001 at 11:36:58 PM EST

> you could maintain a one-way-hashed list of IPs so that malicious parties don't obtain them.

The IPv4 address space is less than 32 bits. Not only is bruteforcing an address space this small very quick, but you'd only have to go through it once to get all the IPs.

Even with IPv6, enough of the bits will be unused initially that MD5 or SHA won't secure them.

Not quite (3.00 / 1) (#19)
by fluffy grue on Fri Aug 10, 2001 at 01:21:18 AM EST

IPv4's address space is exactly 32 bits (though that doesn't mean that there's 2^32 valid IP addresses). Everything else you said is correct though.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]

Some IP are Reserved (none / 0) (#20)
by SEWilco on Fri Aug 10, 2001 at 11:14:32 AM EST

Some IPs are reserved. In theory, the address space is 32 bits. In practice, some IPs are not available for some uses and can be removed from the address space. You're both right.

[ Parent ]
"address space" (none / 0) (#22)
by fluffy grue on Fri Aug 10, 2001 at 01:25:06 PM EST

Address space refers to the range of addresses which can be represented, regardless of whether parts of it are reserved. For example, the 8086 CPU has a 20-bit address space, even though the IBM PC reserved 0xA0000 and up for memory-mapped I/O and the BIOS and such.

Conceivably you could have a network based on IPv4 which is detached from The Internet which uses all 2^32 addresses.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]
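rcw's objection above, worked through as an added example (not code from any poster in this thread): three constructed scanner addresses are hashed with plain SHA-1, the scheme the article suggests, and then recovered by enumerating one /16 and hashing every address in it; the full 2^32 space is the same loop run longer. The keyed variant (HMAC-SHA-256 under a secret held only by the publisher) is my assumption about what would close the gap, not something the thread proposes; with it the same enumeration finds nothing, because an outsider cannot compute the publisher's digests.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed sample: a "watcher" wants to publish hashes of these scanning hosts.
SCANNERS = ["203.0.113.7", "203.0.113.9", "203.0.113.200"]


def sha1_ip(ip):
    """The article's 'one-way hash': plain SHA-1 of the dotted-quad string."""
    return hashlib.sha1(ip.encode()).hexdigest()


def hmac_ip(ip, key):
    """Assumed alternative: HMAC-SHA-256 under a secret key only the publisher holds."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def recover_by_enumeration(published_hashes, network, hash_fn):
    """Hash every address in `network` with `hash_fn` and return {digest: address}
    for the digests that appear in the published list. This is rcw's point:
    the input space is tiny, so an unkeyed digest is just an index into it."""
    wanted = set(published_hashes)
    found = {}
    for addr in ipaddress.ip_network(network):
        digest = hash_fn(str(addr))
        if digest in wanted:
            found[digest] = str(addr)
            if len(found) == len(wanted):
                break  # nothing left to find; stop early
    return found


def demo_unkeyed():
    """Publish SHA-1 digests; an outsider walks one /16 (65,536 addresses) and gets them all."""
    published = [sha1_ip(ip) for ip in SCANNERS]
    recovered = recover_by_enumeration(published, "203.0.0.0/16", sha1_ip)
    return sorted(recovered.values())


def demo_keyed():
    """Publish HMAC digests under a secret key; the outsider, lacking the key,
    can only guess one (here: a random key of their own) and recovers nothing."""
    publisher_key = os.urandom(32)
    published = [hmac_ip(ip, publisher_key) for ip in SCANNERS]
    outsider_key = os.urandom(32)
    recovered = recover_by_enumeration(
        published, "203.0.0.0/16", lambda ip: hmac_ip(ip, outsider_key))
    return sorted(recovered.values())


if __name__ == "__main__":
    print("unkeyed, recovered:", demo_unkeyed())
    print("keyed, recovered:  ", demo_keyed())
```

The keyed list only serves the admins the article wanted to help if the publisher answers lookups for them (an admin cannot compute the digest of their own address either), and it is exactly as secret as the key; a salt that is published alongside the list changes nothing, since the enumerator simply includes it.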

Transparent Proxy Caches (none / 0) (#23)
by Nurgled on Fri Aug 10, 2001 at 06:21:48 PM EST

Many, many ISPs these days have some form of transparent proxying which routes all requests on port 80 from their dialup, dsl or cable customers to an HTTP proxy, in a way that most 'normal' people don't notice.

A way to reduce the damage caused by ignorant people who don't realise that their Win2k box is running IIS would be to have these proxies drop any requests caused by Code Red or Code Red II and return a fake 404, or other error response. Since their scanning requests are in a predictable format, this should be trivial.

After the proxy server has got a bunch of dumb requests for a while, it should be reduced pretty much. In cases where they have proxies going inwards too, or other kinds of monitoring, they could do the same in reverse to prevent the scans from hitting their customers' systems in the first place.

This is within the ISP's power to do, and should cut out a large proportion of the infected boxen from the equation. Even if just home.com, AOL and SomePopularDSLCompany did it, it would be nice. Here in the UK, Blueyonder, NTL and BT can do it for their cable and DSL customers.

ISPs are just too damn lazy.
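Nurgled's proxy filter as an added example (not an ISP's or any poster's code): a decision function a transparent proxy could apply to each request it carries, returning a fake 404 for the worm's probe and forwarding everything else, with a per-source tally so the ISP knows which customers to notify rather than publishing them. The request-line parser, the probe signature (a long run of one filler letter after `/default.ida?`, modelled on the log line quoted earlier on this page) and the sample requests are my assumptions and constructions.

```python
import re

# Probe signature: GET /default.ida? followed by a long run of one filler letter.
# Modelled on the request line quoted earlier on this page (X filler); N is
# accepted as an assumption about the other variant seen at the time.
CODE_RED_TARGET = re.compile(r'^/default\.ida\?([XN])\1{50,}', re.IGNORECASE)

FAKE_404 = (b"HTTP/1.0 404 Not Found\r\n"
            b"Content-Type: text/plain\r\n"
            b"Content-Length: 9\r\n"
            b"Connection: close\r\n"
            b"\r\n"
            b"Not Found")


def parse_request_line(raw):
    """Split 'METHOD target HTTP/x.y' off the first line; None if malformed."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def is_code_red_probe(raw):
    """True only for a well-formed GET whose target carries the filler run."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method, target, _version = parsed
    return method.upper() == "GET" and CODE_RED_TARGET.match(target) is not None


class ProbeTally:
    """Dropped probes per source address: the ISP's own notification queue,
    kept internal rather than published."""

    def __init__(self):
        self.counts = {}

    def record(self, src_ip):
        self.counts[src_ip] = self.counts.get(src_ip, 0) + 1

    def noisiest(self, n=5):
        return sorted(self.counts.items(), key=lambda kv: -kv[1])[:n]


def proxy_decision(src_ip, raw, tally):
    """('drop', fake_404_bytes) for a worm probe, ('forward', None) otherwise.
    The same check serves the inbound direction Nurgled mentions; only the
    meaning of src_ip (customer vs. outside host) changes."""
    if is_code_red_probe(raw):
        tally.record(src_ip)
        return "drop", FAKE_404
    return "forward", None


def demo():
    """Constructed traffic: two probes from one customer, one normal request, one junk line."""
    tally = ProbeTally()
    probe = (b"GET /default.ida?" + b"X" * 100
             + b"%u9090%u6858%ucbd3%u7801=a HTTP/1.0\r\nHost: 192.0.2.1\r\n\r\n")
    normal = b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n"
    decisions = [
        proxy_decision("198.51.100.7", probe, tally)[0],
        proxy_decision("198.51.100.7", probe, tally)[0],
        proxy_decision("198.51.100.8", normal, tally)[0],
        proxy_decision("198.51.100.9", b"not http at all", tally)[0],
    ]
    return decisions, tally.noisiest()


if __name__ == "__main__":
    print(demo())
```

The filter keys on the request target only, so a legitimate `/default.ida` request without the filler run still passes; malformed input is forwarded untouched rather than guessed at, so the proxy never becomes a new way to break customers' traffic.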


