
Code Red activity??


rycamor

Programmer
Jun 3, 1999
On my small group of FreeBSD/Apache servers (including my home development system), I found about 320 attempts to "infect" my server with the Code Red worm. This happened starting August 1, and is still happening now, Aug 3.

Heh... I'm not infectable... let 'em try! But anyway, I was just curious if anyone else has any home-grown statistics on these attempts. Just search your webserver access logs for any request that looks like:

Code:
193.251.57.189 - - [03/Aug/2001:02:26:17 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 321

The above string is the first infection attempt. It's the "default.ida" part that you should notice. If you are running an unpatched IIS and that file is on your system, you are asking for trouble. If you don't have that file, you will still see the request in your logs, but there is no threat.

Anyway, on a Unix system, getting numbers on this kind of log entry is really easy:

Code:
bash$ tail -5000 /usr/local/apache/logs/access_log | grep default.ida | wc -l

The "tail -5000" will output the last 5000 log entries from your log, while you pipe it to grep with "| grep default.ida", saying you only want lines with "default.ida" in them, and then you pipe it to "wc -l" for a count of how many lines contained that word.

So... share your Code Red experiences :-(.
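The counting procedure above, carried a step further as an added example (not code from the original post): it counts the default.ida probes in an Apache access_log the same way the tail | grep | wc one-liner does, then breaks them down by source address and by day so you can see where they come from and whether they are ramping up. The sample log is constructed here from the two addresses quoted in this thread plus one ordinary request; the function names are my own.

```shell
#!/bin/sh
# Added example: Code Red probe counts from an Apache access_log.
# Assumes the common/combined log format shown in the post (client IP is
# field 1, the timestamp "[dd/Mon/yyyy:HH:MM:SS" is field 4).

# Constructed sample log: three probes from two hosts and one normal request.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
193.251.57.189 - - [03/Aug/2001:02:26:17 +0000] "GET /default.ida?NNNN%u9090%u6858 HTTP/1.0" 400 321
10.0.0.5 - - [03/Aug/2001:02:30:00 +0000] "GET /index.html HTTP/1.0" 200 1234
211.56.83.42 - - [05/Aug/2001:19:33:17 +0000] "GET /default.ida?NNNN%u9090%u6858 HTTP/1.0" 400 321
193.251.57.189 - - [05/Aug/2001:20:01:02 +0000] "GET /default.ida?XXXX%u9090%u6858 HTTP/1.0" 400 321
EOF

# Total number of probe lines: the post's "grep default.ida | wc -l" on a whole file.
codered_total() {
    grep -c 'default\.ida' "$1"
}

# Probes per source IP, most active first, printed as "count ip".
codered_by_ip() {
    grep 'default\.ida' "$1" | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Probes per day, printed as "count dd/Mon/yyyy", taken from the timestamp field.
codered_by_day() {
    grep 'default\.ida' "$1" | awk '{print substr($4, 2, 11)}' | sort | uniq -c | awk '{print $1, $2}'
}

echo "total probes: $(codered_total "$LOG")"
echo "by source:"; codered_by_ip "$LOG"
echo "by day:";    codered_by_day "$LOG"
```

Point the functions at /usr/local/apache/logs/access_log (or whatever your ACCESS_LOG is) instead of the sample file to run it on your own server.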
 
Yeah, now my home (development) FreeBSD box alone shows over 375 attempts. It seems to be ramping up, and I see on Slashdot there is a new version of Code Red that tries to take over the command shell on the NT/2000 system. This is gonna be quite a fight.

IIS-ers, maybe it's time to reconsider your web server of choice.
 
I had only 280 attempts :(
They can try to infect my Windows NT, I'm not running IIS ;)

The last attempt to infect my server is: 08/05/2001 19:33:17 211.56.83.42

Cedium
 
A new version is out that also drops a (known) trojan horse into the infected system. The trojan horse publishes the C: and D: drives as web pages. See for more information and another patch.
James P. Cottingham

I am the Unknown lead by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.
 
Now at 737 attempts on my home FreeBSD box. I notice that in keeping with the new structure of the virus, now almost all of the attacks are coming from the same Class C block as my DSL IP address, meaning a goodly number of Telocity users are infected. Ouch.
 
This is why you use open source software, but where I work we have had only two hits (it's a school district). So long and thanks for all the fish.
 
Just passed the 1300 mark. It seems the attempts are still escalating, and it's now almost all from my DSL IP block. I'm preparing a slightly nasty email to Tech Support there (Telocity--now DirectTV), because they have not even sent out one email to their users warning of Code Red.
 
1485 attempts and counting at my main site...
gak

517 attempts at a vhost on the same box (a personal test site)

298 attempts on my workstation

lol... silly script kiddies ---
John Hoke
 
TimeWarner RoadRunner here in Raleigh is being hit hard. The "traffic" light on my cable modem is on fairly solid.

I finally got tired of the logfile growing huge and turned my server off. I ought to put a flyer in all my neighbors' mailboxes telling them how to patch their NT/2000 machines, along with a subtle threat to toilet-paper their trees if they don't.
<grin>

Chip H.
 
595 on my home/office cable modem here in the UK, most hits from Europe, many from my ISP and from similar IP addresses (last three octets changed). Most of these guys shouldn't even be running servers!
 
2664 attempts so far. It seems to be finally slowing down. I'm only getting one or two an hour now.

Yeah, most of these people shouldn't even be running servers, but either they want to play at being a webmaster, or they just don't know what's going on in the default install of Win2K which they borrowed from the office.

I have to give Microsoft credit :-( for much of this, though. Win2K defaults with just about every service turned on. I played with the developer's release of Win2K Advanced Server, and I couldn't believe the amount of services running. It really took a bit of experimenting to figure out what I could turn off and still have a usable system. I wouldn't dare put something like this unprotected on my DSL, though. I helped my father install Win2K on his cable modem, but I made sure I had every security tweak installed (after about 10 reboots...), and then I installed ZoneAlarm, which should be a required piece of software for anyone running any version of Windows on a cable or DSL network.

I'm wondering if anyone has done any real statistics on Code Red, to get an idea of how much internet bandwidth has been burned up. Even with 2664 attempts it seems relatively small from my side, since each GET request only uses about 390 bytes (and then there are a few bytes for each 404 response). So a total of a little over a megabyte of my own bandwidth has been used up for all CR attempts on my system. Of course if you consider that each one of those infected computers is constantly hitting one IP address after another, it adds up.

chiph, got any hard numbers for us?
 
According to my ISP the ARP traffic at their modem racks is normally around 30 per hour. With Code Red worms, this figure was observed at around 200 per second. They've now had to upgrade the capabilities to stop losing Ethernet frames due to resource allocation. I guess we get to pay for the upgrades at some point, one of the hidden costs >:-<
 
I'm still getting timeouts and DNS problems from my ISP. I finally had to use a friend's DNS server, because Telocity's DNS was unreachable about 1/4 of the time. Can any network guru out there tell me: would Code Red be especially taxing to DNS because of all the reverse lookups from IIS servers, etc...?
 