I know the Code Red Worm has been beat to death but....

Psychoholic

... due to the fact Symantec upgraded it to a level 3 I thought I would bring it to everyone's attention since I have seen very little information about it here. Any administrators here should already know of this threat and I would hope they would have taken the necessary precautions. I am aiming this more at the home or small office administrator who may not be aware of the potential threat or how to protect themselves.

You can go here for information about the virus and for a utility that you can use to determine if you are vulnerable to the threat.

You can download the patch here.

This virus can be removed by simply rebooting the computer but you need to apply the patch to prevent being infected again.

If you have any questions post them below or PM me.
 

SaturnX

Thanks for the heads up, yeah my cable company just called about 5 minutes ago to tell me to get the patch if I'm running Windows 2K or NT, which I am, 2K that is.

--Mark
 

MGMorden

Actually if you're not running the IIS webserver with the indexing addon then you don't need to bother with the patch (regardless of if you're running NT/2k or not).
 

Psychoholic

That's not entirely correct MGMorden. While it is true if you're not using any of the services associated with IIS and indexing it won't apply, much of it is started in a default installation. You would have to disable them to prevent the machine from being vulnerable. Many of the users I targeted at the start are not aware of this.
 

n0cmonkey

The worst part is that this is an OLD vulnerability. Everyone daring enough to run IIS should have been patched BEFORE this worm got released.
 

Psychoholic

True n0cmonkey, that's why I targeted it at the smaller/home administrators. If there is a full-time administrator that hasn't done so yet he should be hanging his head in shame right about now.
 

n0cmonkey



<< True n0cmonkey, that's why I targeted it at the smaller/home administrators. If there is a full-time administrator that hasn't done so yet he should be hanging his head in shame right about now. >>



I could give you a list of a few HUNDRED sites that scanned us looking for the vulnerability. So HUNDREDs of small/home/large corporation admins did NOT do their jobs. Same can be said for the ramen worm (for all you linux zealots saying that linux is more secure than windows in ALL situations, OpenBSD is vulnerable to neither :p). This is why I have a job :)
 

spyordie007

same here, on the 19th (the height of the first round of infections) my firewall recorded hits from over 50 different ip addresses with requests over port 80, lucky for me I installed the patch :D
 

n0cmonkey



<< same here, on the 19th (the height of the first round of infections) my firewall recorded hits from over 50 different ip addresses with requests over port 80, lucky for me I installed the patch :D >>



Only 50?
 

Psychoholic

I'm safe and secure. The only thing I can't figure out is why my site's home page contains the phrase "Hacked By Chinese". ;) :D
 

n0cmonkey

mmmm Apache :)
fsck poisonb0x!


EDIT: Just saw on the news that this worm is making a come back. So I guess that is why the severity is increased. Looks like I will have plenty of logs to look at over the next few days :/
 

Psychoholic

Here's a scanner that tests IP ranges for the vulnerability. There is also some more information on the virus itself if anyone is interested.
 

spyordie007



<<

<< same here, on the 19th (the height of the first round of infections) my firewall recorded hits from over 50 different ip addresses with requests over port 80, lucky for me I installed the patch :D >>



Only 50?
>>


Yup, only 50, I must have one of the IPs that it favors less than others, or maybe just lucky... :)
 

n0cmonkey



<<

<<

<< same here, on the 19th (the height of the first round of infections) my firewall recorded hits from over 50 different ip addresses with requests over port 80, lucky for me I installed the patch :D >>



Only 50?
>>


Yup, only 50, I must have one of the IPs that it favors less than others, or maybe just lucky... :)
>>



We had THOUSANDS including our client's machines... That was the first night ;)
 

Psychoholic



<< We had THOUSANDS including our client's machines... That was the first night >>


n0cmonkey, maybe you got lucky. Here's an excerpt from the site I linked to above.



<< At the time of writing this document (July 19th, 3:00pm), we have had reports from administrators that have been probed by over 196 thousand unique hosts. This leads us to believe that this worm has infected at least 196 thousand computers. >>



 

Psychoholic

iLoveDivX, I don't have any active computers running XP right now but it's my understanding it has been corrected in XP. However I would verify this with someone more familiar with security holes in XP than I.
 

n0cmonkey



<<

<< We had THOUSANDS including our client's machines... That was the first night >>


n0cmonkey, maybe you got lucky. Here's an excerpt from the site I linked to above.



<< At the time of writing this document (July 19th, 3:00pm), we have had reports from administrators that have been probed by over 196 thousand unique hosts. This leads us to believe that this worm has infected at least 196 thousand computers. >>

>>



I didn't count them all, so I can't be sure as to exact numbers. But we have some big address space clients that seem attractive to script kiddiots ;) Anyhow, it was bad.