July 19, 2001
3:57 PM   Subscribe

Seeing weird things in your website logs today? This will explain it... Running IIS and haven't patched it in over a month? Go here. 13,000 servers have already been affected.
posted by machaus (36 comments total)
 
I love Apache!
posted by waxpancake at 4:01 PM on July 19, 2001


If you can't afford to patch (or don't trust the patch itself, as there are some reports coming in to BUGTRAQ that suggest it doesn't help) you can try creating a file named "notworm" in your C: drive root directory. I don't run IIS, but the advisory suggests that the worm stops if it sees a file named "c:\notworm". FYI.
posted by schampeo at 4:08 PM on July 19, 2001


this kind of weird,

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a

not this
posted by machaus at 4:21 PM on July 19, 2001


the presence of the 'c:\notworm' file will stop it from attempting to spread itself to other hosts, but it will still deface local websites and partake in the ddos against whitehouse.gov tomorrow. i second the motion that the best patch for this is apache ;)
posted by bizwank at 4:24 PM on July 19, 2001




THIS HAPPENED TO ME AT WORK TODAY!

We were tooling around with the damn server trying to solve what was wrong. Went to windows update and their security update fixed the issue.

And I was just cursing the fact that it was a IIS server as well. This is my first week at my new job and was hoping they would be running Apache, thankfully some of the systems here are Apache and *nix based.

Microsoft strikes again.
posted by physics at 4:50 PM on July 19, 2001


Well, at the moment, whitehouse.gov seems to be just as snappy (and hideously designed) as ever.
posted by jjg at 5:02 PM on July 19, 2001


I've been getting very odd referrals lately. Sites that in no way link to mine, nor would ever have any reason to. Obscure articles on nuclear missiles on European news sites, for example. And articles on Beliefnet.com.

Anyone know what that's all about? It's just been happening this week, never before.
posted by Succa at 5:53 PM on July 19, 2001


I love MetaFilter. I was wondering what the weird string in my logs was all afternoon. It's nice that I was able to get the answer here. My hosting company runs Apache, so it looks like I'm ok.

I'm not clear on these kinds of attacks, though. The IP addresses that show up on my logs are IP addresses of infected hosts who are trying to infect the machine my site is on?
posted by idiolect at 6:04 PM on July 19, 2001


posted by jjg at 5:02 PM PST on July 19
I've been getting very odd referrals lately. Sites that in no way link to mine


IE bug, I'm told. the person has your window open and that other window open.

I'm sometimes appalled at what people read concurrent with the pocket....
posted by rebeccablood at 6:06 PM on July 19, 2001


Thanks for the post machaus, I had some entries for this in the default http log on my server (where entries that used the machine's IP address and not a hostname go) and was about to probe into what they might be.

That said, I'm running Apache as well.
posted by mike at 6:11 PM on July 19, 2001


www1.whitehouse.gov (198.137.240.91) is not doing well right now, but you wouldn't know that unless you actively looked... I guess the load balancing is kicking traffic over to the .92 address.
posted by machaus at 6:11 PM on July 19, 2001


People still use Windows servers?! And at least 15,000 at that! First Hotmail, now Windows. Next thing you know, you'll tell me that most people still use a dialup account over 56Kpbs.

Now that would be funny...

Hey, anyone else get the symbolic irony of a bunch of Windows servers attacking whitehouse.gov??
posted by fooljay at 6:18 PM on July 19, 2001


affecting printers, dsl and cable modems, etc. MSFT had an earnings announcement today, results: up 2. What is the psychological point to making an association between the Chinese and this exploit? Any ideas?
posted by greyscale at 6:43 PM on July 19, 2001


I noticed it today as it slipped through BlackICE (Suspicious URL noted, but not stopped), but I was already patched. Phew!

Nice to know exactly what's going on though, even if it's only going on to other people! :-)
posted by benzo8 at 7:41 PM on July 19, 2001


This is just like slashdot.org!
posted by ericost at 7:54 PM on July 19, 2001


Apparently the ip address for whitehouse.gov was hard-coded into the worm. So the admins just had to blackhole that address and point the DNS (or load balancing) at another valid one.

SEE! Another reason not to EVER hardcode ip addresses...
posted by smackfu at 8:10 PM on July 19, 2001


damn script kiddies.

::waits for jpoulos' response::
posted by lotsofno at 8:45 PM on July 19, 2001


Eh, it's not a script kiddy, anyway. The person who wrote this had to actually know something.

And greyscale, what do you mean "making an association"? The worm itself claims to be from China. Basically, it was (or was meant to look like it was) made by a Chinese hacker who doesn't like the US government all that much.
posted by whatnotever at 9:09 PM on July 19, 2001


Before a friend pointed out that this was a worm and not a direct attack on my server, I was regretting an earlier post.
posted by jasonshellen at 9:49 PM on July 19, 2001


Hey, check out this from our server log:

[15:51:52 +1000] "HEAD / HTTP/1.0"
[16:01:54 +1000] "GET /."./."./winnt/win.ini .php3 HTTP/1.0"
[16:01:55 +1000] "GET /....../autoexec.bat HTTP/1.0"
[16:01:56 +1000] "GET /..../config.sys HTTP/1.0"
[16:01:57 +1000] "GET /../../../../../../Scandisk.log HTTP/1.0"
[16:01:57 +1000] "GET /../../../../../winnt/repair/sam._ HTTP/1.0"
[16:01:58 +1000] "GET /../../../../config.sys HTTP/1.0"
[16:01:59 +1000] "GET /../../../autoexec.bat HTTP/1.0"
[16:02:00 +1000] "GET /../../../scandisk.log HTTP/1.0"
[16:02:01 +1000] "GET /../../windows/user.dat HTTP/1.0"
[16:02:02 +1000] "GET /..\..\..\winnt\repair\sam._ HTTP/1.0"
[16:02:02 +1000] "GET /..\\..\\..\\..\\..\\..\autoexec.bat HTTP/1.0"
[16:02:03 +1000] "GET /..\\..\\..\winnt\repair\sam._ HTTP/1.0"
[16:02:04 +1000] "GET /.nsf/../winnt/win.ini HTTP/1.0"
[16:02:08 +1000] "GET /_private/shopping_cart.mdb HTTP/1.0"
[16:02:08 +1000] "GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0"
[16:02:09 +1000] "GET /_vti_bin/fpcount.exe?Page=default.htm|Image=2|Digits=1 HTTP/1.0"
[16:02:10 +1000] "GET /_vti_bin/shtml.dll HTTP/1.0"
[16:02:14 +1000] "GET /_vti_bin/shtml.dll/nosuch.htm HTTP/1.0"
[16:02:15 +1000] "GET /_vti_bin/shtml.exe HTTP/1.0"
[16:02:15 +1000] "GET /_vti_inf.html HTTP/1.0" 0.013
[16:02:16 +1000] "GET /_vti_pvt/administrators.pwd HTTP/1.0"
[16:02:19 +1000] "GET /_vti_pvt/shtml.exe HTTP/1.0"
[16:05:17 +1000] "GET /cgi-bin/build.cgi HTTP/1.0"
[16:05:17 +1000] "GET /cgi-bin/cached_feed.cgi HTTP/1.0"
[16:05:18 +1000] "GET /cgi-bin/cachemgr.cgi HTTP/1.0"
[16:05:19 +1000] "GET /cgi-bin/cal_make.pl HTTP/1.0"
[16:05:20 +1000] "GET /cgi-bin/calender.pl HTTP/1.0"
[16:05:26 +1000] "GET /cgi-bin/cgiforum.pl HTTP/1.0"
[16:05:27 +1000] "GET /cgi-bin/cgiwrap HTTP/1.0"
[16:05:28 +1000] "GET /cgi-bin/changepw.cgi HTTP/1.0"
[16:05:29 +1000] "GET /cgi-bin/classifieds.cgi HTTP/1.0"
[16:07:27 +1000] "GET /customer/ HTTP/1.0"
[16:07:31 +1000] "GET /data/ HTTP/1.0"
[16:07:32 +1000] "GET /database/ HTTP/1.0"
[16:07:33 +1000] "GET /databases/ HTTP/1.0"
[16:07:33 +1000] "GET /db/ HTTP/1.0"
[16:07:34 +1000] "GET /dbase/ HTTP/1.0"
[16:07:54 +1000] "GET /girl/ HTTP/1.0"
[16:07:58 +1000] "GET /girls/ HTTP/1.0"
[16:07:59 +1000] "GET /hire/ HTTP/1.0"
[16:08:00 +1000] "GET /htdocs/ HTTP/1.0"
[16:08:01 +1000] "GET /html/snort2html.html HTTP/1.0"
[16:08:02 +1000] "GET /idea/ HTTP/1.0"
[16:08:03 +1000] "GET /ideas/ HTTP/1.0"
[16:08:07 +1000] "GET /image/ HTTP/1.0"
[16:08:07 +1000] "GET /images/ HTTP/1.0"
[16:09:16 +1000] "GET /phpgroupware/inc/phpgwapi/phpgw.inc.php HTTP/1.0"
[16:09:17 +1000] "GET /phpPhotoAlbum/explorer.php HTTP/1.0"
[16:09:18 +1000] "GET /piranha/secure/passwd.php3 HTTP/1.0"
[16:09:19 +1000] "GET /porno/ HTTP/1.0"
[16:09:20 +1000] "GET /ports/ HTTP/1.0"
[16:09:24 +1000] "GET /private/ HTTP/1.0"
[16:09:25 +1000] "GET /private/.htpasswd HTTP/1.0"
[16:09:25 +1000] "GET /program/ HTTP/1.0"
[16:09:26 +1000] "GET /programming/ HTTP/1.0"
[16:09:43 +1000] "GET /secret/ HTTP/1.0"
[16:09:44 +1000] "GET /secret/secret/add-user.shmtl HTTP/1.0"
[16:09:47 +1000] "GET /secret/secret/change-passwd.shtml HTTP/1.0"
[16:09:48 +1000] "GET /secret/secret/sql_tool.shtml HTTP/1.0"
[16:09:58 +1000] "GET /sex/ HTTP/1.0"
[16:13:45 +1000] "GET /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0"
[16:13:46 +1000] "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.0"
[16:13:47 +1000] "GET /null.ida HTTP/1.0"
[16:13:48 +1000] "GET /null.idq HTTP/1.0"
[16:13:48 +1000] "GET /NULL.printer HTTP/1.0" http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

...etc, etc

677 lines in total, all coming from a server with an IP address somewhere in China.
posted by ZippityBuddha at 10:16 PM on July 19, 2001


That's completely unrelated to the worm, as it's just a standard probe. What I find interesting in there, though, is that they search not only for vulnerabilities, but porn...

I can imagine somebody sitting down one day, writing a leet script, thinking, "If the server is secure... heck, it just might have free porn!"
posted by whatnotever at 11:59 PM on July 19, 2001


I find this amusing.

The worm uses vulnerabilities in Solaris to do most fo the work, and people will only talk about how IIS is the problem?

Of course, this only happens to you if you didn;t patch a KNOWN security problem that has had a patch out for more than a month.

Yeah, keep blaming MS.
posted by soulhuntre at 12:14 AM on July 20, 2001


That's a different worm, soulhuntre. This one is IIS only.
posted by whatnotever at 12:32 AM on July 20, 2001


Honest, non snarky question . . . what does Solaris have to do with this?
posted by alana at 12:38 AM on July 20, 2001


The worm uses vulnerabilities in Solaris to do most fo the work, and people will only talk about how IIS is the problem?

Uhhhh, yeah. Could you explain how a vulnerability in Solaris is causing a buffer overflow on Microsoft Internet Information Servers (IIS)?? Maybe I'm missing something...

Of course, this only happens to you if you didn;t patch a KNOWN security problem that has had a patch out for more than a month.
Yeah, keep blaming MS.


True. It is an old patch (in internet time anyway), but if it weren't for the constantly buggy and insecure IIS, would this be an issue? Microsoft software is generally, and has always been, insecure for a reason, and it's not because they are incompetent...
posted by fooljay at 12:39 AM on July 20, 2001


Shoulda been running FreeBSD
posted by fooljay at 1:00 AM on July 20, 2001


Damn it whatnotever, stop sneaking in like that, making me look as foolish as I am.
posted by alana at 1:16 AM on July 20, 2001


Here's the slashdot thread. It also has a tendancy to crash cisco 675 routers running an older version of CBOS. After noticing a constant stream of data coming from my box, I installed BlackICE and was surprised on the amount of http probes. Around 8pm last night, I had to reset the router a few times...looking forward to getting my update.
posted by samsara at 7:17 AM on July 20, 2001


Interesting. Around 11:30am yesterday we got hit with a different type of worm (thanks to slacking on the patch by yours truly) but Slashdot was thoroughly useless on the subject at the time. Looks like Code Red hit en masse later in the day, but anyone subscribed to ntbugtraq should've known about it three days ago when they first reported it.

I'll stop blaming MS when they stop coming out with patches for the various vulnerabilities that crop up on a daily basis. Continual patches are not indicative of a complete, secure, finished product, but that gets into the whole other discussion of buggy software. Can you tell I'm still bitter about TPTB switching from a Unix server to NT five years ago?
posted by evixir at 8:31 AM on July 20, 2001


Thanks whatnot - I got a little confised between the worms :)

"Honest, non snarky question . . . what does Solaris have to do with this?"

There is a worm that actually spreads mostly on Solaris (unixish) and uses those platforms to attack IIS servers.

Let's be honest. IIS/Windows is THE target environment. It has a huge bullseye painted on it and every two bit hacker with dreams of glory wants to take a run at it.

It does a great job, but you simply must stay updated.

Anyone who claims that it isn't the job of the admin to keep up with updates/patches is just not thinking this through.

What is most upsetting is the hypocrasy. Linux root exploits pop up all the time, and there isn't this kind of uproar - all you'll see is folks saying "dammit, if you can't stay current then your to blame".

And it's true.

A little intellectual honesty and consistency should not be too much to ask.

But all that goes by the wayside for a chance to take a shot at MS... it would be sad if it wasn't so funny.
posted by soulhuntre at 10:18 AM on July 20, 2001


As has been noted, this worm also has a tendency to crash Cisco 675 routers due to the 67x's mishandling the GET request. Gee whillikers, Mr. Wilson- that sure is BUGGY for Cisco to write their CBOS like that, crashable simply because another host sends a request to it! Because of course, it's completely unheard of for other software to also have problems. Why, I thought other companies' software is always completely bug free and without any problems or flaws whatsoever!

What we may be seeing here is not so much the flawedness of MS software, which does exist, but the attraction to hacking it in particular. Both because of market size and hacker dislike of MS and its success, MS software is often targeted for greater inspection than most software gets, which may be why so many holes are both found and then heavily publicized (these same folks aren't up late at nights finding ways to humiliatingly find holes in Linux, because that would disturb their precious pipedream about free software...). It's not dissimilar to the way that the most publicized diseases get the most funding and research. Doesn't mean the disease is an easy one to cure, or was the most dangerous or life-threatening, but rather that the "squeaky wheel gets the grease".
posted by hincandenza at 10:28 AM on July 20, 2001



Actually, CBOS didn't originate from Cisco...it was purchased to act as a broadband alternative to Cisco's IOS for consumer-end routers. Unfortunately, that came with it's share of problems and they have had their hands in the source code for some time. The IOS isn't nearly as buggy as it's been through many revisions over the years. I do get your point however.

As for getting my router updated, there's no way to get the update from Cisco as they do not allow direct updates, and my internet provider, Conectiv, can't support the new version because their equipment doesn't like how the new version works with NAT. It's the whole industry I tell ya...sheesh!
posted by samsara at 10:55 AM on July 20, 2001


This seems to have knocked out Interland MS servers too last night. I have been meaning to move my site to their Linux or Unix variant and this may have pushed me over the edge.
posted by vanderwal at 11:20 AM on July 20, 2001


Anyone who claims that it isn't the job of the admin to keep up with updates/patches is just not thinking this through.

Gawd, I don't think anyone is claiming that. But both Unix and Windows admins know who has the most exploits (which has to do with shipping the most buggy insecure software. Hint: It's not Unix). So the primary blame lies with the software maker. The secondary blame lies with the admins who refuse, are to lazy to, or don't know how to patch systems and do security audits.

What is most upsetting is the hypocrasy. Linux root exploits pop up all the time, and there isn't this kind of uproar

There are a few reasons for that, but mostly it comes down to, in my experience anyway, by and large, Unix boxes are tended to better than Windows boxes. Microsoft makes it easy for anyone to set up a server. If we only gave driver's licenses to professional race car drivers there would be a lot fewer accidents even though the speed limit would be 125MPH. Unix relative difficulty creates a hurdle for incompetence. That's not to say there are no incompetent Unix admins, there are just fewer of them percentage-wise.

What we may be seeing here is not so much the flawedness of MS software, which does exist, but the attraction to hacking it in particular. Both because of market size and hacker dislike of MS and its success, MS software is often targeted

I'll give you that second part. For sure, Microsoft makes its own bed. As far as the market share, that holds true for client software but not server software. The (second) problem is that many Windows servers aren't mission critical, so they don't have the level of auditing and security one would have on most Unix servers hooked to the Net.

heavily publicized

While Microsoft bugs are certainly talked about more in the media, it is typically because they affect client software and hence are more newsworthy for the masses. Surely, though, there is a bit of media momentum there as well...

I have been watching CERT et al for about 4 years and can tell you that there actually are more Microsoft bugs than any other individual platform. In this instance, you can't just say Microsoft vs Unix because Unix contains a whole host of individually developed OS's.
posted by fooljay at 11:59 AM on July 20, 2001


Oh one more thing. There are typically more Microsoft bugs because it is less mature code. The Unix base has had more than 30 years to cook...
posted by fooljay at 12:00 PM on July 20, 2001


« Older The Ugly American   |   Want to Live Rent Free? Get sick. Newer »


This thread has been archived and is closed to new comments