Code Red 2 cleanup; reporting..
Helu, Is there an effort abound that would allow for lists of verified 'Code Red 2' infected hosts to be reported for cleanup/mitigation? By known 'Code Red 2' infected hosts, I mean that root.exe has been found to exist on the host. Finding the contact information for a lot of these is proving difficult being that a fair amount of the infected machines are Joe Blow broadband customers. Anyone? .z
Is there an effort abound that would allow for lists of verified 'Code Red 2' infected hosts to be reported for cleanup/mitigation? By known 'Code Red 2' infected hosts, I mean that root.exe has been found to exist on the host.
Finding the contact information for a lot of these is proving difficult being that a fair amount of the infected machines are Joe Blow broadband customers.
Publishing such lists is IMHO not a good idea, as these hosts are vulnerable and publishing their addresses would only serve to let more crackers know where to go..
On Thu, 9 Aug 2001, Mathias Körber wrote:
Is there an effort abound that would allow for lists of verified 'Code Red 2' infected hosts to be reported for cleanup/mitigation? By known 'Code Red 2' infected hosts, I mean that root.exe has been found to exist on the host.
Finding the contact information for a lot of these is proving difficult being that a fair amount of the infected machines are Joe Blow broadband customers.
Publishing such lists is IMHO not a good idea, as these hosts are vulnerable and publishing their addresses would only serve to let more crackers know where to go..
<--( SNIP )--> Helu, Yes, I think that your observation is obvious.. publishing lists of infected hosts is a bad idea. My question was asking if there was an unofficial mitigation process to notify the end-user and/or the providers involved for clean-up efforts. I don't want lists of infected hosts nor do I want to publish lists of infected hosts. Being that it is difficult to contact the end-user of a lot of the infected hosts, is there a discrete process in place for notifying the provider.. etc etc. If nothing is in place, great, I'll just throw e-mails to the end-users I can find and/or their respective NSP. If something is in place.. either unofficial or special contacts at the NSPs, great, I'll go that route. .z
Yes, I think that your observation is obvious.. publishing lists of infected hosts is a bad idea. My question was asking if there was an unofficial mitigation process to notify the end-user and/or the providers involved for clean-up efforts.
I'm not sure if this is what you are asking for, but SecurityFocus is operating a Code Red notification service:

Date: Sun, 5 Aug 2001 10:50:22 -0600
To: bugtraq@securityfocus.com
From: aleph1@securityfocus.com
Subject: Infection Notification

--------

If you'd like to help us notify users they are infected please send offending IP data to aris-report@securityfocus.com. Please use the following format:

IP ADDRESS DATE/TIME WITH TIMEZONE

Or something similar to this. Please ensure the information is constrained to IP address and date per line as we do our notification automatically and our systems need to be able to understand the data you send us.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

---
Andrew McNamara (System Architect)
connect.com.au Pty Ltd
Lvl 3, 213 Miller St, North Sydney, NSW 2060, Australia
Phone: +61 2 9409 2117, Fax: +61 2 9409 2111
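A defender-side way to produce the one-IP-and-timestamp-per-line list the SecurityFocus notice asks for, as an added example not taken from the thread: it scans constructed Apache common-log lines for the default.ida requests the worm emits, keeps the first sighting per source address with its timezone, and separates the "N" filler of Code Red I from the "X" filler of Code Red II (a distinction not stated in the thread but well documented). The log lines, addresses and timestamps are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample Apache common-log lines (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Aug/2001:14:19:19 +0800] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 400 325
198.51.100.7 - - [09/Aug/2001:03:40:02 -0600] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 400 325
203.0.113.5 - - [09/Aug/2001:21:39:44 -0700] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [09/Aug/2001:14:22:05 +0800] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 400 325
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

def classify(path):
    """Return the worm variant for a request path, or None if not a probe."""
    if not path.startswith("/default.ida?"):
        return None
    filler = path[len("/default.ida?"):][:16]
    if filler.startswith("XXXX"):   # Code Red II pads with 'X'
        return "CodeRed-II"
    if filler.startswith("NNNN"):   # Code Red I pads with 'N'
        return "CodeRed-I"
    return "CodeRed-unknown"

def probes(log_text):
    """Yield (ip, tz-aware datetime, variant) for every default.ida hit."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        variant = classify(m.group("path"))
        if variant is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, variant

def aris_report(log_text):
    """One 'IP DATE/TIME TZ' line per probing host, earliest sighting only."""
    first = {}
    for ip, ts, _ in probes(log_text):
        if ip not in first or ts < first[ip]:
            first[ip] = ts
    return [f"{ip} {ts.strftime('%Y-%m-%d %H:%M:%S %z')}" for ip, ts in sorted(first.items())]

if __name__ == "__main__":
    print("\n".join(aris_report(SAMPLE_LOG)))
```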
On Thursday, August 9, 2001, at 03:40 , Andrew McNamara wrote:
I'm not sure if this is what you are asking for, but SecurityFocus is operating a Code Red notification service:
[...]
If you'd like to help us notify users they are infected please send offending IP data to aris-report@securityfocus.com. Please use the following format:
They've stopped doing this, as it appears every possible Code Red infection has been reported at least twice. ... if they ain't fixed by now, chances are pretty good they won't be fixed until someone causes the box to emit rude noises, blink feverishly, and eventually burst into flame. -rt
FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II probes from, and didn't get a shell prompt on any of them. Are people cleaning up their boxes that quickly?

-C

On Thu, Aug 09, 2001 at 02:19:19PM +0800, Mathias Körber wrote:
Is there an effort abound that would allow for lists of verified 'Code Red 2' infected hosts to be reported for cleanup/mitigation? By known 'Code Red 2' infected hosts, I mean that root.exe has been found to exist on the host.
Finding the contact information for a lot of these is proving difficult being that a fair amount of the infected machines are Joe Blow broadband customers.
Publishing such lists is IMHO not a good idea, as these hosts are vulnerable and publishing their addresses would only serve to let more crackers know where to go..
-- --------------------------- Christopher A. Woodfield rekoil@semihuman.com PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II probes from, and didn't get a shell prompt on any of them. Are people cleaning up their boxes that quickly?
I have been told, but not personally confirmed, of non IIS machines being infected with CodeRed (I or II not known, assume II). Infection method: running a file from somewhere? They still scan out and seek victims, just no webserver running.
mike harrison wrote:
FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II probes from, and didn't get a shell prompt on any of them. Are people cleaning up their boxes that quickly?
I have been told, but not personally confirmed, of non IIS machines being infected with CodeRed (I or II not known, assume II). Infection method: running a file from somewhere? They still scan out and seek victims, just no webserver running.
Spent nearly two days convincing someone who was managing a server that he was beating up machines all over the company. It finally took someone at close to VP level to get him to fix it. Last I heard, he was saying something on the phone like "Yes sir, you're right sir. Sorry sir." The thing that sucks is that he KNEW he couldn't be a problem, since he wasn't running IIS. I had the packet captures and obvious grabs for default.ida to prove it.

Believe it. I have at least three verified, and that was using web server logs they'd hit, and ethereal running on the openbsd machine in my office, which sits right next to the local building router. [Yes, it's true. IRL, I work for Big Company X.]

No, sorry, lots of people are not cleaning up machines. I'm still being hit at home by the same machines I got hit by when this first started, for the most part. Sure, some of them are gone, but some are sure still here.

--
Open source should be about giving away things voluntarily. When you force someone to give you something, it's no longer giving, it's stealing. Persons of leisurely moral growth often confuse giving with taking. -- Larry Wall
Spent nearly two days convincing someone who was managing a server that he was beating up machines all over the company. It finally took someone at
Tonight, 20 minutes after opening up port 80 on a firewall to a server supposedly only running the latest CITRIX on Port 80 (why 80? Don't ask me?) and the high paid out of town consultants swearing they had applied the appropriate patches and were safe, they are now broadcasting out the latest CodeRed style worm. I got some nice sniffit captures from my Linux firewall though.. this morning will be interesting. I wonder how they like their crow served.
On Thu, 9 Aug 2001, Etaoin Shrdlu wrote:
No, sorry, lots of people are not cleaning up machines. I'm still being hit at home by the same machines I got hit by when this first started, for the most part. Sure, some of them are gone, but some are sure still here.
<--( SNIP )--> Helu,

Yes, this has been my finding as well. Over a 72-hour period not a single machine on my long list of Code Red 2 infected machines has been patched ( meaning that root.exe exists and is GET'able ). Despite someone declaring that SecurityFocus stopped their reporting service, I did forward on my list to them in the format they wanted for good measure.

I have heard that some of the broadband companies have started filtering port 80 ingress, which seems like putting a Pooh Bear bandaid(tm) over a punctured artery... but nonetheless. I have heard from quite a few people using various broadband services, that the performance degradation they are experiencing from the amount of scanning being generated inside their networks is more than noticeable.

This brings up another good question: Shouldn't these NSPs identify who these customers are, e-mail them and try to call them at home/work with patch procedures.. and after a non-response perhaps pull the plug entirely on the infected customer in question? I guess it would depend on the numbers involved, but it seems to me that this would greatly mitigate the performance degradation on their networks ( and others of course ).

However, this brings up the issue of how the infected customer would apply the patches in order to regain service. It would be quite costly for the NSP to mail out CDs + instructions, and probably a waste of time ( people tend to throw CDs that come in the mail away without much thought ). I think an interesting solution to this problem, no matter how unethical would be to write a program that leverages the vulnerability to patch the infected machine. In fact, it surprises me that this hasn't been done.

Thoughts? .z
"Christopher A. Woodfield" wrote:
FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II probes from, and didn't get a shell prompt on any of them. Are people cleaning up their boxes that quickly?
Did you telnet to port 80 and make a specific http GET request for the root.exe? It isn't just sitting there in the open....

Another possibility if you actually did that and didn't get the shell is the (unlikely) event that the admin actually had forethought to limit the ACLs on their system directory and the worm couldn't copy the needed file (unlikely because someone who knows enough to do that would have already patched).

Then "mike harrison" wrote:
I have been told, but not personally confirmed, of non IIS machines being infected with CodeRed (I or II not known, assume II). Infection method: running a file from somewhere? They still scan out and seek victims, just no webserver running.
I highly doubt this. The vulnerability is very specific to IIS servers, and unless a new hybrid worm has been released, it's just not possible.

Also note that @Home is now blocking incoming port 80 connections. This will prevent further infections inbound on their (residential) network, but does nothing to prevent already compromised hosts from continuing to scan the rest of the net. This is the most likely reason for seeing scans that don't look like they are originating from IIS servers. The next most likely reason is that the worm has totally hosed IIS.

Another possibility is having one public server connected to a LAN that then infects everything else behind its firewall.

At this point, you can't necessarily deduce anything from an inability to connect on port 80 to an infected host.

Mike
Although @home may be blocking incoming port 80 it is still allowing those connections which originate inside its network to proceed. In the last few hours I have received numerous probes to port 80 on my home machine which have originated from within the @home network. So far all of the addresses have come from the Left Coast. While a few have come from WA and OR, most have been from San Diego (I'm in Orange County which is between San Diego and Los Angeles).

Obviously this does not bode well for Code Red II ending any time soon since it is non-tech home users who are the least likely to patch their systems (or even know about Code Red vX). Maybe @home should limit outbound port 80 connections as well! :)

Larry Diffey

----- Original Message -----
From: "Mike Lewinski" <mike@rockynet.com>
To: <nanog@merit.edu>
Sent: Thursday, August 09, 2001 9:39 PM
Subject: Re: Code Red 2 cleanup; reporting..
"Christopher A. Woodfield" wrote:
FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II probes from, and didn't get a shell prompt on any of them. Are people cleaning up their boxes that quickly?
Did you telnet to port 80 and make a specific http GET request for the root.exe? It isn't just sitting there in the open....
Another possibility if you actually did that and didn't get the shell is the (unlikely) event that the admin actually had forethought to limit the ACLs on their system directory and the worm couldn't copy the needed file (unlikely because someone who knows enough to do that would have already patched).
Then "mike harrison" wrote:
I have been told, but not personally confirmed, of non IIS machines being infected with CodeRed (I or II not known, assume II). Infection method: running a file from somewhere? They still scan out and seek victims, just no webserver running.
I highly doubt this. The vulnerability is very specific to IIS servers, and unless a new hybrid worm has been released, it's just not possible.
Also note that @Home is now blocking incoming port 80 connections. This will prevent further infections inbound on their (residential) network, but does nothing to prevent already compromised hosts from continuing to scan the rest of the net. This is the most likely reason for seeing scans that don't look like they are originating from IIS servers. The next most likely reason is that the worm has totally hosed IIS.
Another possibility is having one public server connected to a LAN that then infects everything else behind its firewall.
At this point, you can't necessarily deduce anything from an inability to connect on port 80 to an infected host.
Mike
participants (9)
- Andrew McNamara
- Christopher A. Woodfield
- Etaoin Shrdlu
- Larry Diffey
- Mathias Körber
- mike harrison
- Mike Lewinski
- Ryan Tucker
- z@s0be.net