Kuro5hin.org: technology and culture, from the trenches
Code Red: Infection rate 2x July 20 instance

By kmself in News
Fri Aug 03, 2001 at 10:40:16 AM EST
Tags: Internet

Checking my server logs (on a persistent dialup connection), I'm finding nearly twice the Code Red connection attempts this time round as in the July 19-20 period. Comparisons with other users on debian-user and other groups tend to confirm the current infection rate is running about twice the earlier rate.


I'm posting this both as a notice, and to gather additional statistics.

Code Red leaves a request for 'default.ida' in web server logs. Apache users can run:

grep 'default\.ida' logfiles | wc -l

...to get a quick-and-dirty connection count. That counts request lines, not infected hosts; if desired, also sort by unique source IP, since one infected host can hit you more than once. As Code Red picks target addresses at random, the hits any one server sees should be a fairly uniform sample, so counts from different sites can be compared.

Timings appear to be pretty consistent; I'll try to post a graph if I can remember enough time-series stuff in gnuplot ;-) For current data, look to incidents.org.

I suspect this round may have been dismissed a bit too early.

Poll
How do current Code Red hits compare with July 18-22?
o 16x 10%
o 8x 5%
o 4x 27%
o 2x 22%
o 1x 2%
o 0.5x 2%
o 0.25x 2%
o Inoshiro 27%

Votes: 40

Related Links
o incidents.org


Code Red: Infection rate 2x July 20 instance | 32 comments (29 topical, 3 editorial, 0 hidden)
Numbers (4.00 / 5) (#1)
by kmself on Fri Aug 03, 2001 at 02:49:54 AM EST

I might add the raw stats. Given are 7/20 event, and 8/2. Exact dates vary by system.

  • My dialup: 21, 42
  • debian-user: ?, 47
  • Australian site: 50, 107

Cheers.

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

More stats (4.25 / 4) (#4)
by swr on Fri Aug 03, 2001 at 03:31:38 AM EST

Okay, here's stats from a box I run...

  • July 19th: 19 (that's all for July)
  • August 1st: 14
  • August 2nd: 32
  • August 3rd: 0 (time is only 00:30 here)

That's quite an increase from the 1st to the 2nd. It'll be interesting to see how things progress over the next few days.



more data from my server (3.00 / 1) (#11)
by dze27 on Fri Aug 03, 2001 at 10:05:12 AM EST

Jul 19: 13
Jul 20: 1
Aug 1: 15
Aug 2: 35
Aug 3: 9 (so far this morning by 9:30 EDT)

"Luck is the residue of design" -- Branch Rickey


More compare stats for you (3.66 / 3) (#6)
by Rift on Fri Aug 03, 2001 at 08:02:09 AM EST

And a question: is there some central place we can post (preferably automated from the logs) a list of the sites that have hit us with this, so people can track the infection (not to help the admins - they should patch the box instead of checking to see if they've been hit)?

  • 19/Jul : 66
  • 01/Aug : 55
  • 02/Aug : 85
  • 03/Aug : 15*

* 03 Aug as of 04:47 server time (GMT -7)

--Rift
A pen is to a car what a meteor is to a _____
Reporting addy (4.00 / 1) (#17)
by kmself on Fri Aug 03, 2001 at 04:50:18 PM EST

Unconfirmed, but following was posted to debian-user. Command should be on one line.

http://www.dshield.org/codered.html are collecting. You only have to:
grep 'default.ida?NNNNN' access_log | mail -s 'APACHE' redalert@dshield.org

I can't resolve the host currently, though 'dshield.org' is registered according to a whois query.


automated posting (5.00 / 1) (#26)
by h310ise on Sun Aug 05, 2001 at 06:41:52 PM EST

the new variant uses Xs not Ns. Might matter.

I have worse problems (3.50 / 2) (#7)
by DesiredUsername on Fri Aug 03, 2001 at 08:44:01 AM EST

I had 9 last time, 19 so far this time. So 2x seems about right.

But here's the real problem #1: I didn't notice last time. This time it's like the whole internet has ground to a halt. Everything takes forever. Some sites are gone (geekizoid anybody?). Of course, part of this is due to my recent discovery of gnutella...

And problem #2: I suddenly realized last night--why am I getting ANY code red hits? I don't serve web pages to the Internet. Apache shouldn't see these hits, they should be stopped by my firewall. Then I realized that was because I was running the firewall once on the IP I got during my first connection. If I then hang up and connect again I have masq on but no firewalling. Duh. So I'm dumping the firewall script I downloaded and I'm going to make my own but more generic this time.

Play 囲碁
What do you mean? (2.50 / 2) (#8)
by Vladinator on Fri Aug 03, 2001 at 09:04:22 AM EST

You wrote "Some sites are gone (geekizoid anybody?). " We're still here. Come back and see us some time. Strangely enough, GiZ hasn't seen any Code Red hits.
--
LRSE Hosting
DNS? (3.00 / 1) (#9)
by DesiredUsername on Fri Aug 03, 2001 at 09:42:16 AM EST

Haven't been able to resolve you for at least 3 days. If you are up I'll try from another loc but it would be weird if your site was my only problem...

Soo...it's weird (3.00 / 1) (#10)
by DesiredUsername on Fri Aug 03, 2001 at 09:49:37 AM EST

I just tried an offsite DNS server and I got 63.89.124.213. My local DNS server goes right to the root (no flames, I realize that's a no-no...don't worry, not much traffic) and it can't resolve you. Something's messed up and I don't think it's me...

DNS (3.00 / 1) (#15)
by priestess on Fri Aug 03, 2001 at 11:25:41 AM EST

My DNS at blueyonder has a different IP for www.geekizoid.com compared to just geekizoid.com

$ nslookup geekizoid.com
Server: phrs001o.blueyonder.co.uk
Address: 62.30.144.119

Name: geekizoid.com
Address: 63.119.143.196

$ nslookup www.geekizoid.com
Server: phrs001o.blueyonder.co.uk
Address: 62.30.144.119

Name: www.geekizoid.com
Address: 63.89.124.213

That looks pretty odd to me, but I get the same (and correct) DNS from lineone's nameservers.

Pre...........

----
My Mobile Phone Comic-books business
Robots!
Geekizoid (none / 0) (#19)
by Funky Fresh on Sat Aug 04, 2001 at 01:15:54 AM EST

Vlad, what's with the whole "Geekizoid is currently under DoS attack! You bastards!" thing?

When I wrote that... (1.00 / 1) (#24)
by Vladinator on Sun Aug 05, 2001 at 03:16:07 PM EST

We were still up. Since then, we were crushed by an ICMP flood, and UUNet pulled the plug. We will be back up, most likely tomorrow. Oh, and I'd just like to take a moment to say thanks to everyone, you've all been great through out this crisis. You know who you are. And to the people responsible for launching the flood - please grow up. Thanks.
--
LRSE Hosting
uuhh (3.00 / 1) (#12)
by mami on Fri Aug 03, 2001 at 10:32:05 AM EST

624 starting Aug 1 5:11:39, and still hitting up till now...

I guess I have to read up on this thingy.

235 starting July 19th 11:31, ending July 20th 3:40

626 ... hmm

how to stop ? (3.00 / 2) (#13)
by mami on Fri Aug 03, 2001 at 10:44:20 AM EST

ok, that's bad. Other than shutting down the web server, what should I look for? I haven't followed the story because I thought only Windows systems would be affected. Sorry.

Only Windows machines infected (4.50 / 2) (#14)
by priestess on Fri Aug 03, 2001 at 11:14:55 AM EST

Only Windows machines are infected, but every machine with an IP is affected.

Essentially the thing tries random IPs, sending a long request to the webserver port (starting with default.ida) that overflows a buffer and thereby infects that machine, which goes on to do the same again.

Your Unix boxes won't be infected, and closing down port 80 won't have a very large effect on your bandwidth either. I'm guessing slightly but the request looks about half a K long here and I've been hit 49 times since Wednesday. If you can't handle a 25k hit on your bandwidth then my guess is you should have shut down the server a long time ago.

Thanks (3.00 / 1) (#16)
by mami on Fri Aug 03, 2001 at 01:13:19 PM EST

That's what I originally thought, but got confused. My connection could handle it so well that I even didn't bother so far to check it out, before the article of kmself showed up. I don't feel any slow down. On the other hand I don't need the webserver running either. Thanks again.

my hits (3.00 / 1) (#18)
by jbridge21 on Fri Aug 03, 2001 at 06:31:02 PM EST

jul 19: 24
jul 20: 1
aug 1: 18
aug 2: 23
aug 3: 19 (so far)

That looks to be more than double.

Code Red Hits (3.00 / 1) (#20)
by g1gsw on Sat Aug 04, 2001 at 11:53:36 AM EST

I have been hit by 52 different ip addresses since the 1st August and only had 2 last time on my dial up account.

Some increase (3.00 / 1) (#21)
by xriso on Sat Aug 04, 2001 at 03:39:44 PM EST

Times are UTC

Jul 19: 24
Aug 1: 12
Aug 2: 33
Aug 3: 29
*Aug 4: 68
* reported as of 19:48:49 UTC on my inaccurate comp clock.
The rise on Aug 4 is due to the second strain appearing
--
*** Quits: xriso:#kuro5hin (Forever)

It just exploded today (4.00 / 1) (#22)
by yebb on Sat Aug 04, 2001 at 08:34:10 PM EST

At about 1:00pm EST today it went nuts!

[yebb@kidojo yebb]$ tac /www/logs/access_log | grep default.ida | grep 29\/Jul | wc -l
0
[yebb@kidojo yebb]$ tac /www/logs/access_log | grep default.ida | grep 01\/Aug | wc -l
14
[yebb@kidojo yebb]$ tac /www/logs/access_log | grep default.ida | grep 02\/Aug | wc -l
28
[yebb@kidojo yebb]$ tac /www/logs/access_log | grep default.ida | grep 03\/Aug | wc -l
33
[yebb@kidojo yebb]$ tac /www/logs/access_log | grep default.ida | grep 04\/Aug | wc -l
240
[yebb@kidojo yebb]$ date
Sat Aug 4 20:41:54 EST 2001
[yebb@kidojo yebb]$


Serious Increase (4.00 / 1) (#23)
by Nishiwan on Sun Aug 05, 2001 at 08:29:39 AM EST

19/Jul: 33
20/Jul: 2
22/Jul: 1
01/Aug: 18
02/Aug: 61
03/Aug: 64
04/Aug: 50
05/Aug: 24 up to 09:32 GMT

Dittos (none / 0) (#28)
by kmself on Mon Aug 06, 2001 at 02:12:37 AM EST

Not overwhelming my dialup, but 4.5 times the previous max daily traffic.


20 NNN 19/Jul
 1 NNN 20/Jul

20 NNN 01/Aug
22 NNN 02/Aug
17 NNN 03/Aug
15 NNN 04/Aug
14 NNN 05/Aug

22 XXX 04/Aug
92 XXX 05/Aug


SecurityFocus update, mutation, reporting address (4.00 / 1) (#25)
by kmself on Sun Aug 05, 2001 at 04:21:12 PM EST

Following was posted to BugTraq Saturday, 4 Aug. The worm's apparently mutating; the new version installs a backdoor. Server logs can be sent to aris-report@securityfocus.com, see below for details.


Date: Sat, 4 Aug 2001 23:00:39 -0600 (MDT)
From: Alfred Huger
To: incidents@securityfocus.com
Subject: Code Red Revision

Evening all,

I had planned on sending out a thanks this evening to all of the contributors (in terms of logs) who came through on the Code Red (revision 2) surge last week. Regrettably it looks like I will have to wait due to a new variant or rather new worm on the loose.

As some of you know a new worm has been released into the wild which uses the same exploit - the Microsoft Indexing Server/Indexing Services ISAPI Buffer Overflow Attack (http://www.securityfocus.com/bid/2880). However, this is most likely not a revision of the initial Code Red worm but a new worm which simply uses the same entry point. It carries an actual malicious payload and has a number of other very interesting features. The SecurityFocus ARIS Team and eEye Digital Security will be releasing an in-depth writeup in the next hour or two with technical details as well as information about its spread to date.

As opposed to filling the list with logs of attacks I will reserve the list for discussion of the worm's payload and features - after we post an analysis. So very shortly. Until then, it would be fantastic if you can send your log files to:

aris-report@securityfocus.com

Because we have caught this very early we plan on starting the notification process tonight. We sent close to 400,000 notifications against Code Red 1 & 2 previously - hopefully because we are on top of this our notifications now will help address the situation much, much faster.

If you would like to send offending IP data - Please send it in the following format:

IP ADDRESS DATE/TIME

Or something similar to this. Please ensure the information is limited to IP address and date per line, as we do our notification automatically and our system needs to be able to understand the logs you send us.

We will be posting more shortly.

-Al


VP Engineering
SecurityFocus.com
"Vae Victis"



Live attack results.... (none / 0) (#27)
by ckm on Mon Aug 06, 2001 at 12:18:52 AM EST

All,

I have live attack results for one of my domains here

Chris.

code red 'classic'+ code red 'new generation' (none / 0) (#29)
by sheedl on Tue Aug 07, 2001 at 01:13:59 AM EST

I'd say it's scaling up a little; 'new generation' Code Red is getting way more attacks this month.

1440 infected systems this month tried my little box.

The code red NG uses the XXX as the passed parameter

64.136.33.124 - - [07/Aug/2001:12:43:23 +0800] "GET /default.ida?XXXXX

code red classic uses NNN

207.170.31.201 - - [07/Aug/2001:12:38:45 +0800] "GET /default.ida?NNNNN

Rather neat that I have root access on about 1000 boxes (grep for xxx rather than nnn), but my bandwidth usage is going up and up and up because of this crap.

guess who pays for bandwidth...

sigh.

lawrence.
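Putting the thread's counting and reporting steps together: the script below is an added example written for this page, not code from the story, from kmself, or from any commenter. It parses Apache access-log lines, keeps the /default.ida requests, splits them by the fill character in the query string (N for the original worm, X for the newer one, as reported above), gives the per-day tallies that the `grep 'default\.ida' | wc -l` figures in the thread show, counts distinct source IPs (one infected host retries, so hits overstate hosts), and emits lines in the "IP ADDRESS DATE/TIME" form the SecurityFocus post asks for. The log lines in it are constructed (documentation address ranges, not real traffic); the first-sighting-per-IP deduplication and the '?' label for a /default.ida request with no recognisable fill are this example's own choices, not anything the thread specifies.

```python
"""Count and report Code Red probes from an Apache access log.

Added example for this thread, not code from the story or any commenter.
Assumptions: Apache common/combined log format; the worm's fill character
is N (original) or X (newer variant), as the posters report.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common/combined prefix: client ip, ident, user, [timestamp], "request".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# A Code Red probe starts GET /default.ida?<fill> where the fill is a run of
# one repeated character (N for the original worm, X for the new one).
PROBE_RE = re.compile(r'^GET /default\.ida\?([NX])\1{2,}')

# Apache timestamp layout, e.g. 02/Aug/2001:12:38:45 +0800
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Aug/2001:12:38:45 +0800] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 276
192.0.2.11 - - [02/Aug/2001:13:01:02 +0800] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [04/Aug/2001:12:43:23 +0800] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276
198.51.100.7 - - [04/Aug/2001:14:10:00 +0800] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276
203.0.113.5 - - [04/Aug/2001:15:22:11 +0800] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 276
203.0.113.9 - - [05/Aug/2001:09:00:00 +0800] "GET /default.ida HTTP/1.0" 404 276
not a log line at all
"""


def parse_probes(log_text):
    """Yield (ip, day, raw_timestamp, variant) for each /default.ida request.

    day is an ISO date so it sorts chronologically; variant is 'N' or 'X'
    from the fill run, or '?' when the path matches but the fill does not
    (this example's own label, not something the thread defines).
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an Apache access-log line
        req = m.group("req")
        if not req.startswith("GET /default.ida"):
            continue  # ordinary traffic
        p = PROBE_RE.match(req)
        variant = p.group(1) if p else "?"
        ts = m.group("ts")
        day = datetime.strptime(ts, APACHE_TS).date().isoformat()
        yield m.group("ip"), day, ts, variant


def daily_counts(log_text):
    """Hits per (day, variant): the per-day figure grep | wc -l gives, split by fill."""
    counts = Counter()
    for _ip, day, _ts, variant in parse_probes(log_text):
        counts[(day, variant)] += 1
    return counts


def unique_sources(log_text):
    """Distinct attacking IPs per variant; one infected host retries, so hits > hosts."""
    hosts = defaultdict(set)
    for ip, _day, _ts, variant in parse_probes(log_text):
        hosts[variant].add(ip)
    return {v: sorted(ips) for v, ips in hosts.items()}


def report_lines(log_text, variant=None):
    """'IP DATE/TIME' lines as asked for in the SecurityFocus post, one per IP
    (first sighting), optionally restricted to one variant."""
    first = {}
    for ip, _day, ts, v in parse_probes(log_text):
        if variant is not None and v != variant:
            continue
        first.setdefault(ip, ts)
    return [f"{ip} {ts}" for ip, ts in sorted(first.items())]


if __name__ == "__main__":
    # Same layout as the per-day tallies posted in the thread: count, fill, day.
    for (day, variant), n in sorted(daily_counts(SAMPLE_LOG).items()):
        print(f"{n:4d} {variant * 3} {day}")
    for v, ips in sorted(unique_sources(SAMPLE_LOG).items()):
        print(f"{len(ips)} distinct sources for {v * 3}")
    print("\n".join(report_lines(SAMPLE_LOG)))
```

To run it on a real log, replace SAMPLE_LOG with the contents of access_log; the report_lines() output for one variant is what you would mail, one IP and timestamp per line.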

Wow! (none / 0) (#30)
by Shalom on Tue Aug 07, 2001 at 01:43:16 PM EST

Sure glad I'm not running IIS :) Seems like a lot of people are.

My statistics went from about 30 per day on Aug. 2-3 to 300 per day Aug. 4-5 and now it's looking like 450 per day from Aug. 6 on. Geez!

Ouch (none / 0) (#31)
by CYwolf on Tue Aug 07, 2001 at 09:00:39 PM EST

25 hits in July, all first gen. Unless my log is cut off, or something.

Next gen made its first appearance August 4th.. so far I seem to have 1078 log entries for next gen in August, 1209 for both variants.


Fight back! (none / 0) (#32)
by Sax Maniac on Wed Aug 08, 2001 at 09:56:49 PM EST

I don't know if this will do anything, or if it's even legal. But it sure makes me feel better.

In the .htaccess file:

RedirectPermanent /default.hta http://goatse.cx/hello.jpg

You probably don't want to be trying to load default.hta off my website.
Stop screwing around with printf and gdb and get a debugger that doesn't suck.
