Jump to content
Compatible Support Forums
Sign in to follow this  
clutch

Getting probed by Code Red

Recommended Posts

Anybody here getting probed yet? My server at home got hit 4 times today (that I know of). I just started playing with ODBC logging to SQL so I could generate reports regarding usage, when I noticed this nice new "parameters" field that I have never bothered with before. Well, the reason why I noticed is that there are a bunch of "N"s followed by a specific series of characters. In addition, all four IPs were IIS boxes (1 from Spain, 2 from The Netherlands, and 1 from South Korea), all four were looking for the same file, and all four passed the same amount of info (via the parameter string, I imagine). I just wondered how many others have been swept here.

Share this post


Link to post

I work at an isp, and today we were logging code red probes on our servers about every 15 seconds.... pretty insane...

Share this post


Link to post

Ouch. Still kinda hard to believe that so much havoc can be averted with a patch that doesn't even require a reboot (at least in Win2K anyway).

Share this post


Link to post

I got Win2k at home and grabbed that patch ASAP. I guess it's nowhere near as bad as for a server--which I have no clue how bad it must be for you guys.

Whew! Disaster avoided...for now. ;(

Share this post


Link to post

No reboot eh? You lucky bastard wink

 

I've been patching 50+ servers and only a few Win2kSP1 managed to take the patch without reboot.

 

All with NT4 and Wink2SP2 I had to reboot.

 

The funny thing is that I was thinking about patching about 10 but when I ran the CodeRed-scanner it was over 50 boxes with IIS running 8)

 

If any of you want the app I was talking about send me a mail. Just type a range of ip:s and the app will scan them for unpatched IIS-boxes, great for a large network.

 

/Toby

Share this post


Link to post

That's odd, Toby. I patched 5 servers running Win2K SP2, and none of them needed the reboot. Also, you will be getting an email from me.

 

smile

Share this post


Link to post

The patch requires at least SP1 and if you don't have that then you will need a reboot. However none of mine needed are reboot for just the patch.

Share this post


Link to post

Cool, I thought I was going crazy for a moment there.

 

wink

Share this post


Link to post

i downloaded and installed SP2 about a week ago ...

 

yesterday i downloaded the patch for Code Red and it says i dont need it >??

 

is that right ?

Share this post


Link to post
Quote:
Cool, I thought I was going crazy for a moment there.


Now it's me feeling like that, wondering why I had to reboot confused

I got the option to reboot later but did'nt wait. Anyway I have checked them all after reboot and the patch worked so it's safe....for now wink

Clutch you got mail...

Waddy, thats strange. Have you stopped the IIS-service, not that should matter it should install anyway...


/Toby

Share this post


Link to post

Be warned! I too downloaded the Microsoft patch from their site the first day they offered it, but unfortunately, they came out with another one down the road because the first one didn't work. Go figure, here I was thinking, "Yeah, go ahead with your Code Red crap" and it turned out that I wasn't protected. Oh well. Just wanted to give a heads up!

Share this post


Link to post

i get over 200 hits a day by it on my megabytemike.com server... damn that thing to hell... but i hate IIS and dont use it so it h as not caused any problems yet except for the annoying norton antivirus popping up every 5 seconds "YOU GOT THE CODE RED WORM!!!!!" lol so annoying...

 

how we rid of this thing anyway without restarting? i have an uptime of 47 days and i'd like to keep it that way. smile

Share this post


Link to post

Install the patch, then reboot. That should clear it out and keep it from coming back. In addition, if you are infected you are generating a ton of traffic and would be in fact, part of the problem rather than the solution.

 

Also, CRII "installs" a backdoor that allows people to use your server for other tasks, and there are automated tools out there that will scan for these servers that are infected. So, it would be prudent to install the patch and reboot.

Share this post


Link to post

Here is a sample from my IIS 5 Log:

 

2001-09-17 01:34:10 209.39.238.104 - 10.160.20.14 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 3818 63 HTTP/1.0 - - - -

 

Does this mean I am infected by the Code Red, or I am just being probbed? I have these sporatically in my IIS Log.

 

I ran symantec's tool to check and see if I have the code red, but it says it didn't detect it.

 

I have installed all the patches and such.

 

TIA

Share this post


Link to post

That just means you are getting probed. If you use the IIS tool "URLScan", it will actually refer the incoming request against a set of rules, and will simply generate a 404 error and return that to the client.

Share this post


Link to post

Well, it appears that there's another automated tool for attacking web servers. Please look out for anything request is trying to get to the system directory. Atreyu and myself are getting pounded with the $hit out of nowhere, but URLScan has been canning all of the requests on my server.

Share this post


Link to post

I was looking through my logs yesterday and found some entries of an IP trying to GET /winnt/cmd.exe and such. It gave them a 404 error. I think that is because we have installed all our patches.

Share this post


Link to post

Yep, since 13 September we've been getting an insane number of these scans. This kind of thing:

 

2001-09-19 23:59:40 66.0.101.74 - xx.xx.xx.xx 80 GET /scripts/root.exe /c+dir 404 -

2001-09-19 23:59:40 66.0.101.74 - xx.xx.xx.xx 80 GET /MSADC/root.exe /c+dir 403 -

 

Got 40657 of them in just one day

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×