CODERED: am I just lucky ?


Post by Vince C » Sun, 12 Aug 2001 05:13:08



Hi all,

Just a question on CODERED, which I suspect hit (but didn't
infect) my server; I am not quite sure of my explanation, and that's why
I'd like your comments. It has an ISDN dial-up to the
Internet.

Lately I noticed my server, an SBS 4.5 SP6a, became slower
and slower. I also found my internet services were stopped
periodically. I read the posts in that newsgroup and I immediately
applied the security patch since those problems, as I read, were
caused by the CODERED worm. Now it is working as well as in the
very beginning of its story :-).

I expected some clue of the attack (such as the backdoor that
the worm leaves in the registry and the /scripts, as I read from
the description f-secure made on the worm) but I didn't find any
of them: no root.exe in /inetpub/scripts, no registry altered...

I wondered if I kept a more or less secure server because the IIS
services are running under a specific account, to which I didn't
grant any rights at all... Am I right when I say the worm cannot
gather administration rights since its attack will only run under
that specific account?

If so, it could explain why there was no root.exe copied: IUSR_xx
has no rights at all (not even read access) on my hard disks
except in the inetpub folder. Nor does it have rights to read or write
the registry. Indeed I spent a lot of time checking the server
security and user rights after setup.

I also set up the inet folders not the standard way: they are not located
in C:\inetpub but in another folder structure on another drive. I
supposed that also saved me from being infected the clever way ;-)
as I know some viruses may be real dummies as well (besides I
thought CODERED could not be very large since it takes advantage
of a buffer overflow and the buffer might not be that large, so the
worm, I thought, had to make assumptions)...

What do you think? Have I cleverly secured my system or am
I just lucky because my system is a French version of SBS? I just
wonder.

Thanks a lot for your remarks and comments. They are welcome.

--

Vince C.


CODERED: am I just lucky ?

Post by Al William » Sun, 12 Aug 2001 06:37:25


There are several versions of CodeRed.  The first few either hooked into
your web site ("Hacked by the Chinese") or caused your Proxy/IIS services to
shut down -- they did not modify anything important on your system as it was
all done in RAM (a reboot cleared it).  The latest versions (CodeRed II I
think it's being called) actually cause damage and trash some files, in some
cases making a reinstall your only option (this is the one that leaves the
root.exe file).

Simply applying the MS SP6a followed by MS01-026 & MS01-033 will protect you
from all versions.  Note that you could also do SP6A followed by the new SRP
(Service rollup package -- SP7 by any other name ;-)) and that would bring
you up to date on all your patches.  Note that I haven't actually applied
the SRP yet, still waiting for the correct time and to hear any feedback on
it.  Anyone?

--
Allan Williams
Harding Instruments
Edmonton, Alberta, CANADA


Quote:> Hi all,

> Just a question on CODERED, which I suspect hit (but didn't
> infect) my server; I am not quite sure of my explanation, and that's why
> I'd like your comments. It has an ISDN dial-up to the
> Internet.

> Lately I noticed my server, an SBS 4.5 SP6a, became slower
> and slower. I also found my internet services were stopped
> periodically. I read the posts in that newsgroup and I immediately
> applied the security patch since those problems, as I read, were
> caused by the CODERED worm. Now it is working as well as in the
> very beginning of its story :-).

> I expected some clue of the attack (such as the backdoor that
> the worm leaves in the registry and the /scripts, as I read from
> the description f-secure made on the worm) but I didn't find any
> of them: no root.exe in /inetpub/scripts, no registry altered...

> I wondered if I kept a more or less secure server because the IIS
> services are running under a specific account, to which I didn't
> grant any rights at all... Am I right when I say the worm cannot
> gather administration rights since its attack will only run under
> that specific account?

> If so, it could explain why there was no root.exe copied: IUSR_xx
> has no rights at all (not even read access) on my hard disks
> except in the inetpub folder. Nor does it have rights to read or write
> the registry. Indeed I spent a lot of time checking the server
> security and user rights after setup.

> I also set up the inet folders not the standard way: they are not located
> in C:\inetpub but in another folder structure on another drive. I
> supposed that also saved me from being infected the clever way ;-)
> as I know some viruses may be real dummies as well (besides I
> thought CODERED could not be very large since it takes advantage
> of a buffer overflow and the buffer might not be that large, so the
> worm, I thought, had to make assumptions)...

> What do you think? Have I cleverly secured my system or am
> I just lucky because my system is a French version of SBS? I just
> wonder.

> Thanks a lot for your remarks and comments. They are welcome.

> --

> Vince C.



CODERED: am I just lucky ?

Post by Vince C » Sun, 12 Aug 2001 17:21:15


Thank you Al. That seems a bit clearer to me. So, if I understood correctly,
the attack I got was caused by the "harmless" form of the virus.
Just one more question: I turned auditing on and I noticed IUSR_XXX
made a (rejected) attempt to access the SC Manager object, as
I read in the event log. That attempt was the only one and was
dated 18th July this year. Could it be an attempt from the worm
to hack my system?

Vince C.



CODERED: am I just lucky ?

Post by Steve Foste » Mon, 13 Aug 2001 22:43:29


Just for the record, the SRP is NOT sp7 in all but name. The SRP is the
"Security Rollup Patch". It only includes security-related patches (released
since sp6a and up to its release), not all patches, and has to be applied on
top of sp6a.

If you add/remove any components from NT subsequently, you will need to
re-apply sp6a and then re-apply the SRP.

If the SRP *was* sp7, you wouldn't have to do this - you'd just re-apply it
on its own.

Steve Foster


> There are several versions of CodeRed.  The first few either hooked into
> your web site ("Hacked by the Chinese") or caused your Proxy/IIS services to
> shut down -- they did not modify anything important on your system as it was
> all done in RAM (a reboot cleared it).  The latest versions (CodeRed II I
> think it's being called) actually cause damage and trash some files, in some
> cases making a reinstall your only option (this is the one that leaves the
> root.exe file).

> Simply applying the MS SP6a followed by MS01-026 & MS01-033 will protect you
> from all versions.  Note that you could also do SP6A followed by the new SRP
> (Service rollup package -- SP7 by any other name ;-)) and that would bring
> you up to date on all your patches.  Note that I haven't actually applied
> the SRP yet, still waiting for the correct time and to hear any feedback on
> it.  Anyone?

> --
> Allan Williams
> Harding Instruments
> Edmonton, Alberta, CANADA



CODERED: am I just lucky ?

Post by Al William » Tue, 14 Aug 2001 22:41:47


It should be a service pack, but you are right, it is not.  The only reason
it's not is MS said they weren't going to do a SP7 (much to the chagrin of a
lot of people).  Then all this code red stuff broke out and rather than
contradicting themselves they invented this "SRP".
--
Allan Williams
Harding Instruments
Edmonton, Alberta, CANADA


> Just for the record, the SRP is NOT sp7 in all but name. The SRP is the
> "Security Rollup Patch". It only includes security-related patches (released
> since sp6a and up to its release), not all patches, and has to be applied on
> top of sp6a.

> If you add/remove any components from NT subsequently, you will need to
> re-apply sp6a and then re-apply the SRP.

> If the SRP *was* sp7, you wouldn't have to do this - you'd just re-apply it
> on its own.

> Steve Foster
