Code Red 
 Code Red

Does anyone know the symptoms of a code red attack on a server only
running C55APS?

TIA
Drew

Sent using Virtual Access 5.51 - download your freeware copy now
http://www.*-*-*.com/



Mon, 19 Jan 2004 16:24:30 GMT  
 Code Red
Check Ben E. Brady postings about IIS security etc. in the Clarionet NG

Regards

JB

Quote:

> Does anyone know the symptoms of a code red attack on a server only
> running C55APS?

> TIA
> Drew

> Sent using Virtual Access 5.51 - download your freeware copy now
> http://www.atlantic-coast.com/downloads/vasetup.exe



Mon, 19 Jan 2004 20:39:23 GMT  
 Code Red
Unfortunately there is nothing in Ben's posting that describes exactly
what we can expect to experience while under a code red attack.

Both last month and now yesterday/today we are getting hit with Dr.
Watsons on the broker one after the other. And in the intervening weeks
we've not been able to find any cause except to theorize that it's
related to code red attacks.

Just looking for answers
Drew

Sent using Virtual Access 5.51 - download your freeware copy now
http://www.atlantic-coast.com/downloads/vasetup.exe



Mon, 19 Jan 2004 17:23:27 GMT  
 Code Red
The best thing to do would be to download the Microsoft patch, apply it,
and reboot the server.  Then you'll be sure you don't have it.  One of my
clients has an NT LAN server with IIS installed but not setup.  They were
periodically getting everybody kicked off the network until we realized
they have Code Red.
HTH,
Brad Kunkel
Quote:

> Unfortunately there is nothing in Ben's posting that describes exactly
> what we can expect to experience while under a code red attack.

> Both last month and now yesterday/today we are getting hit with Dr.
> Watsons on the broker one after the other. And in the intervening weeks
> we've not been able to find any cause except to theorize that it's
> related to code red attacks.

> Just looking for answers
> Drew

> Sent using Virtual Access 5.51 - download your freeware copy now
> http://www.atlantic-coast.com/downloads/vasetup.exe



Mon, 19 Jan 2004 23:46:25 GMT  
 Code Red
Drew,
It exploits execute permissions on the IIS directory structure.  It attempts
to fire a "cmd" or "command" statement on the URL and basically creates html
pages by piping or CATing them.  If you have been hit and review the logs
generated it can be intense on the server.  I have not tested the effects on
the EXE Broker.  If you're interested I could probably dig up a couple of the
URL strings so that you can rule this in or out as a possibility.

--
bob brooker
SoftVelocity
"the fastest way to build database applications"
877-733-4555 - Sales
877-733-4556 - Customer Service
http://www.SoftVelocity.com
--

Quote:
> Unfortunately there is nothing in Ben's posting that describes exactly
> what we can expect to experience while under a code red attack.

> Both last month and now yesterday/today we are getting hit with Dr.
> Watsons on the broker one after the other. And in the intervening weeks
> we've not been able to find any cause except to theorize that it's
> related to code red attacks.

> Just looking for answers
> Drew

> Sent using Virtual Access 5.51 - download your freeware copy now
> http://www.atlantic-coast.com/downloads/vasetup.exe



Mon, 19 Jan 2004 23:51:34 GMT  
 Code Red
Drew,

One of my client's servers got hit by Code Red on the first round two weeks
ago.  (He's running the ISAPI broker, though.)  The symptoms were as
described in the "Damage" section at
http://www.sarc.com/avcenter/venc/data/codered.worm.html.

In specific, the things I noticed were:
.  Internet usage was constantly trickling.
.  The whole system seemed to run slower than normal.
.  The system was unstable.  It was crashing, where normally it *never*
does.

HTH,
[L]



Tue, 20 Jan 2004 00:41:42 GMT  
 Code Red
Ditto. We put in the patches and no more trouble.

--

Steve Parker

Knowledge base: www.par2.com/cws/c5launch.dll/faqs/theFaqs.exe.0
Download Center: www.cwicweb.com/apps/c5launch.dll/d7.exe.0


Quote:
> Drew,

> One of my client's servers got hit by Code Red on the first round two weeks
> ago.  (He's running the ISAPI broker, though.)  The symptoms were as
> described in the "Damage" section at
> http://www.sarc.com/avcenter/venc/data/codered.worm.html.

> In specific, the things I noticed were:
> .  Internet usage was constantly trickling.
> .  The whole system seemed to run slower than normal.
> .  The system was unstable.  It was crashing, where normally it *never*
> does.

> HTH,
> [L]



Tue, 20 Jan 2004 00:51:36 GMT  
 Code Red
Same here.  After applying the patch, all is clear.

You meant patch (not plural), didn't you Steve?

[L]



Tue, 20 Jan 2004 01:15:02 GMT  
 Code Red
Bill put on several security patches.

--

Steve Parker

Knowledge base: www.par2.com/cws/c5launch.dll/faqs/theFaqs.exe.0
Download Center: www.cwicweb.com/apps/c5launch.dll/d7.exe.0


Quote:
> Same here.  After applying the patch, all is clear.

> You meant patch (not plural), didn't you Steve?

> [L]



Tue, 20 Jan 2004 01:21:29 GMT  
 Code Red
IC.  It's easy to fall behind on the MS patch stream... <g>

[L]



Tue, 20 Jan 2004 01:53:40 GMT  
 Code Red
Drew,

Quote:
> Both last month and now yesterday/today we are getting hit with Dr.
> Watsons on the broker one after the other. And in the intervening weeks
> we've not been able to find any cause except to theorize that it's
> related to code red attacks.

Code Red uses a buffer overrun - the server is sent a stream of data
larger than it can handle, and some of that data ends up in executable
code space. If the app broker is vulnerable to buffer overruns (I have no
idea) then in theory this virus or any other that uses buffer overruns
could cause a GPF. But since Code Red exploits a specific weakness in IIS,
I wouldn't expect even a successful buffer overrun on the app broker would
result in something other than a GPF.

Bob B, can you provide any information on how the app broker handles large
inputs? Is there any possibility of a buffer overrun exploit? Clarion's
relative anonymity might be a form of protection, but IMO it would be far
better to know that the app broker simply discards input data beyond a
valid length.

Dave

Dave Harms

In-depth Clarion articles, news, tips & tricks
Plus the Clarion Online Archives!
Clarion Magazine: http://www.clarionmag.com



Tue, 20 Jan 2004 01:14:17 GMT  