Join 3,434 readers in helping fund MetaFilter (Hide)


How to anonymously get root access on a quarter million machines overnight
August 5, 2001 6:16 PM   Subscribe

How to anonymously get root access on a quarter million machines overnight In the past 24 hours the CodeRed II worm has been infecting IIS web servers with a speed equal to or greater than that of the original CodeRed. The original CodeRed infected what is thought to be all vulnerable machines, approximately 250,000 hosts, in under 24 hours. While CodeRed I was relatively harmless, CodeRed II installs a full Administrator-access back door shell that can be accessed via HTTP. This creates a very interesting situation, and with the techniques discussed in this paper opens a new potential door for mass system cracking.
posted by lagado (13 comments total)

 
Analysis of the new "Code Red II" Variant
posted by lagado at 6:24 PM on August 5, 2001


Don't forget that these machines are all actively broadcasting their presence to the world, also, by their continued scanning. If you have a web server on a hard-hit subnet (say, 24.x.x.x), your logs are most likely full of IPs of compromised machines trying to infect new hosts.

The backdoor is amazingly easy to use, and you can do just about anything with it. If you're nice, those things include alerting the owner of the system or shutting down IIS to prevent further damage. Another fun activity is searching peoples' machines for mp3s or other interesting files. The possibilities are endless!

My question is this: How did all of these machines remain unpatched? This was all over the news, so nearly everyone should know about it. I can think of two main reasons a machine would still be vulnerable: ignorance (i.e., the people don't know they're running IIS), or stupidity...
posted by whatnotever at 7:00 PM on August 5, 2001


whatnot--Much of the blame rests with Microsoft for their poor choices about what services to run as default. Some guy with a cable modem gets a copy Windows 2000 server from his brother in law and installs it on his pc. He knows it lets him browse the web, but he doesn't know that by default it has also installed an extravagantly outfitted and shockingly insecure version of a web server on his little peecee.

Is the worm writer off the hook? Nope, infact he's the only one acting out of malice and/or other selfish motives.

Is the ersatz sysadmin off the hook? Nope, he's running software that's over his head and endangering himself as well as others.

But still, Micrsoft could have prevented the lion's share of these occurences by making their installations default to having communication services turned off until the operator explicitly asked for them to be turned on. If someone can't figure out how to turn them on, then they probably aren't qualified to insure their safe operation.

From here forward it must be considered foolhardy and negligent to install an unpatched version of an operating system on a box with a live internet connection. Yes, this means that if you need to install on a box with a live connection, you must insure the your installation source is installing files that are fully up to date. Even then, communication services should default to off unless absolutely unavoidable circumstances preclude this, such as an installation pushed across a network connection (in which case if all communication services were turned off you wouldn't be able to control the box once you installed the operating system).
posted by NortonDC at 7:28 PM on August 5, 2001


Aha! I thought the "get" request looked different.
The lion's share of the requests my unix webserver is receiving in a vain attempt at exploiting this vulnerability are coming from DHCP given addresses on broadband suppliers.
I think we have underestimated the sheer number of maniputable systems that sit on fast pipes, administrated by people who are learning how to run IIS and other services in their house "cuz it's kewl." I'd expect a backlash of TOS action by ISPs.
posted by machaus at 8:05 PM on August 5, 2001


Aha! I thought the "get" request looked different.
The lion's share of the requests my unix webserver is receiving in a vain attempt at exploiting this vulnerability are coming from DHCP given addresses on broadband suppliers.
I think we have underestimated the sheer number of maniputable systems that sit on fast pipes, administrated by people who are learning how to run IIS and other services in their house "cuz it's kewl." I'd expect a backlash of TOS action by ISPs.
posted by machaus at 8:05 PM on August 5, 2001


sorry, something wacky was happening there with the site.
posted by machaus at 8:16 PM on August 5, 2001


Muh-hey, um CLEARLY this is the just vengeance of an omniscient and omnipotent God who will only bring about heaven on earth when all machines are cleansed of IIS and running Apache with the BURNING and the PAIN FOR netadmins and the FINAL CLEANLINESS! Say LINUX! Say Linux!

Sorry - sorry, shit, I thought I was on Slashdot for a moment there.
posted by GriffX at 8:21 PM on August 5, 2001


What about FreeBSD?
posted by gleemax at 9:06 PM on August 5, 2001


NortonDC: WTF? Microsoft is culpable because they didn't make their server software pirate-friendly? You've got to be kidding me.

Having IIS off on server SKUs by default would be of very little value. Starting a service (viz., IIS) is *trivial* -- keeping up with patches evidently isn't. Presumably, if someone has the server version, they have it for a reason (except your brother-in-law, of course :-)
posted by JasonSch at 9:30 PM on August 5, 2001


JasonSch-read what I wrote:
"Much of the blame rests with Microsoft for their poor choices about what services to run as default."

And, oddly enough, getting software from ones brother in law does not require piracy. What a naughty assumption. I'm shocked at you, positively shocked.

Yes, starting services is trivial. However it would keep the ignorant and apathetic from unknowingly running IIS, as they are prone to do now. Beyond those that run Server inappropriately, it would make it much safer to install the OS from unpatched installation sources by lowering the number of vulnerabilities, reducing the risk during the window between installation and patching.

Small steps that could have a dramatic impact during attack storms, like now.
posted by NortonDC at 9:48 PM on August 5, 2001


<pedant> You can't get 'root' access on a Microsoft box. </pedant>
posted by wackybrit at 9:50 PM on August 5, 2001


Yes, on Microsoft machines, the account is "Poor Bastard whose Management drank the Microsoft Kool-Aid under the mistaken assumption that world-class marketing goes hand-in-hand with world-class software design".
posted by websavvy at 10:07 PM on August 5, 2001


Norton, that site damned well will have an impact; it's listing sites which have been compromised with the backdoor. It's painting a giant target on them. That strikes me as being rather irresponsible.
posted by Steven Den Beste at 11:33 PM on August 5, 2001


« Older Chase for Skase over....  |  The next fad after scooters?... Newer »


This thread has been archived and is closed to new comments