Getting probed by Code Red
This is a discussion about Getting probed by Code Red in the Windows Networking category; Anybody here getting probed yet? My server at home got hit 4 times today (that I know of). I just started playing with ODBC logging to SQL so I could generate reports regarding usage, when I noticed this nice new parameters field that I have never bothered with before.
Anybody here getting probed yet? My server at home got hit 4 times today (that I know of). I just started playing with ODBC logging to SQL so I could generate reports regarding usage, when I noticed this nice new "parameters" field that I have never bothered with before. Well, the reason why I noticed is that there are a bunch of "N"s followed by a specific series of characters. In addition, all four IPs were IIS boxes (1 from Spain, 2 from The Netherlands, and 1 from South Korea), all four were looking for the same file, and all four passed the same amount of info (via the parameter string, I imagine). I just wondered how many others have been swept here.
Participate in our website and join the conversation
This subject has been archived. New comments and votes cannot be submitted.
Aug 2
Sep 19
0
7 minutes
Responses to this topic
I work at an isp, and today we were logging code red probes on our servers about every 15 seconds.... pretty insane...
OP
Ouch. Still kinda hard to believe that so much havoc can be averted with a patch that doesn't even require a reboot (at least in Win2K anyway).
I got Win2k at home and grabbed that patch ASAP. I guess it's nowhere near as bad as for a server--which I have no clue how bad it must be for you guys.
Whew! Disaster avoided...for now. ;(
Whew! Disaster avoided...for now. ;(
No reboot eh? You lucky bastard
I've been patching 50+ servers and only a few Win2kSP1 managed to take the patch without reboot.
All with NT4 and Wink2SP2 I had to reboot.
The funny thing is that I was thinking about patching about 10 but when I ran the CodeRed-scanner it was over 50 boxes with IIS running 8)
If any of you want the app I was talking about send me a mail. Just type a range of ip:s and the app will scan them for unpatched IIS-boxes, great for a large network.
/Toby
I've been patching 50+ servers and only a few Win2kSP1 managed to take the patch without reboot.
All with NT4 and Wink2SP2 I had to reboot.
The funny thing is that I was thinking about patching about 10 but when I ran the CodeRed-scanner it was over 50 boxes with IIS running 8)
If any of you want the app I was talking about send me a mail. Just type a range of ip:s and the app will scan them for unpatched IIS-boxes, great for a large network.
/Toby
OP
That's odd, Toby. I patched 5 servers running Win2K SP2, and none of them needed the reboot. Also, you will be getting an email from me.
The patch requires at least SP1 and if you don't have that then you will need a reboot. However none of mine needed are reboot for just the patch.
OP
Cool, I thought I was going crazy for a moment there.
i downloaded and installed SP2 about a week ago ...
yesterday i downloaded the patch for Code Red and it says i dont need it >??
is that right ?
yesterday i downloaded the patch for Code Red and it says i dont need it >??
is that right ?
Quote:Cool, I thought I was going crazy for a moment there.
Now it's me feeling like that, wondering why I had to reboot
I got the option to reboot later but did'nt wait. Anyway I have checked them all after reboot and the patch worked so it's safe....for now
Clutch you got mail...
Waddy, thats strange. Have you stopped the IIS-service, not that should matter it should install anyway...
/Toby
Now it's me feeling like that, wondering why I had to reboot
I got the option to reboot later but did'nt wait. Anyway I have checked them all after reboot and the patch worked so it's safe....for now
Clutch you got mail...
Waddy, thats strange. Have you stopped the IIS-service, not that should matter it should install anyway...
/Toby
While we're in the subject of pathing..
Go this site and dowload the trail *NOW* !!
This is one of the best products I have ever used and I'll keep telling that to my boss until I get money for licenses
And no, I don't work for them
http://www.stbernard.com/products/updateexpert/products_updateexpert.asp
/Toby
Go this site and dowload the trail *NOW* !!
This is one of the best products I have ever used and I'll keep telling that to my boss until I get money for licenses
And no, I don't work for them
http://www.stbernard.com/products/updateexpert/products_updateexpert.asp
/Toby
Be warned! I too downloaded the Microsoft patch from their site the first day they offered it, but unfortunately, they came out with another one down the road because the first one didn't work. Go figure, here I was thinking, "Yeah, go ahead with your Code Red crap" and it turned out that I wasn't protected. Oh well. Just wanted to give a heads up!
i get over 200 hits a day by it on my megabytemike.com server... damn that thing to hell... but i hate IIS and dont use it so it h as not caused any problems yet except for the annoying norton antivirus popping up every 5 seconds "YOU GOT THE CODE RED WORM!!!!!" lol so annoying...
how we rid of this thing anyway without restarting? i have an uptime of 47 days and i'd like to keep it that way.
how we rid of this thing anyway without restarting? i have an uptime of 47 days and i'd like to keep it that way.
OP
Install the patch, then reboot. That should clear it out and keep it from coming back. In addition, if you are infected you are generating a ton of traffic and would be in fact, part of the problem rather than the solution.
Also, CRII "installs" a backdoor that allows people to use your server for other tasks, and there are automated tools out there that will scan for these servers that are infected. So, it would be prudent to install the patch and reboot.
Also, CRII "installs" a backdoor that allows people to use your server for other tasks, and there are automated tools out there that will scan for these servers that are infected. So, it would be prudent to install the patch and reboot.
Quick question....
This RED CODE just affect Windows 2000 Server? or the PRO as well?
This RED CODE just affect Windows 2000 Server? or the PRO as well?
OP
Short answer; it affects Pro as well. Long answer:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-033.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-033.asp
OP
Also, here is a tool for those that have been infected, but you should read the "CAUTIONS" section of this page. It points out that there may be other effects of these worms that may not be easily spotted.
http://www.microsoft.com/technet/treevie...ools/redfix.asp
http://www.microsoft.com/technet/treevie...ools/redfix.asp
Here is a sample from my IIS 5 Log:
2001-09-17 01:34:10 209.39.238.104 - 10.160.20.14 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 3818 63 HTTP/1.0 - - - -
Does this mean I am infected by the Code Red, or I am just being probbed? I have these sporatically in my IIS Log.
I ran symantec's tool to check and see if I have the code red, but it says it didn't detect it.
I have installed all the patches and such.
TIA
2001-09-17 01:34:10 209.39.238.104 - 10.160.20.14 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 3818 63 HTTP/1.0 - - - -
Does this mean I am infected by the Code Red, or I am just being probbed? I have these sporatically in my IIS Log.
I ran symantec's tool to check and see if I have the code red, but it says it didn't detect it.
I have installed all the patches and such.
TIA
OP
That just means you are getting probed. If you use the IIS tool "URLScan", it will actually refer the incoming request against a set of rules, and will simply generate a 404 error and return that to the client.
OP
Well, it appears that there's another automated tool for attacking web servers. Please look out for anything request is trying to get to the system directory. Atreyu and myself are getting pounded with the $hit out of nowhere, but URLScan has been canning all of the requests on my server.
I was looking through my logs yesterday and found some entries of an IP trying to GET /winnt/cmd.exe and such. It gave them a 404 error. I think that is because we have installed all our patches.
