Users offer tips on foiling Code Red



Code Red, the nasty virus that spread to some 250,000 host machines a couple of weeks ago, could begin another assault around 8 p.m. EST today, according to an alert from the FBI and the Computer Emergency Response Team Coordination Center. And systems administrators are taking no chances.

For those who do find the virus, which affects Windows NT and 2000 servers running Microsoft Internet Information Server (IIS), the easiest way to get rid of the problem is to reboot the infected machine. Because Code Red resides only in memory, it is purged when the system shuts down. Once the system is rebooted, users should install a patch from Microsoft that fixes the vulnerability Code Red exploits. The proper patches can be downloaded from:

Windows NT Version 4.0:
www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

Windows 2000 Professional, Server and Advanced Server:
www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

Directions for installing the patch and other information on the virus are also available from Microsoft at:
www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

Anyone running IIS should install the patch listed above.

Bud Nelson, a reader of Network World's Security and Bug Patch Alert newsletter, says he found the virus on one of his extranet servers and followed the steps above to clean his machine and protect it from future attack. But he adds, "I am thinking about removing the network cable tonight."

Greg Missman, owner of SecureTips.com, provides the following tip to make sure the patch from Microsoft is properly installed:

Look in your event log for an entry like this one (this is an NT IIS5 Enhanced log):

2001-07-20 21:22:03 216.68.15.61 - 120.195.68.58 80 GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 190

(Note: The line will be continuous in the log file.)

This means your IIS server logged a request for default.ida with the underrun data. If you look right after the data ends you will see a space and 2 sets of numbers. "200" is the code for "OK" and "190" is the size in bytes sent to the remote host.

A "200" response on this request is very bad and means you either have not applied the patch or applied it wrong. Reapply it, then cut and paste the information from the log (everything after GET) into your own browser, pointing it at your own site. You should get a "414" code after the request in your log, stating that it errored and your server blocked it.
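The log check in the tip above, automated over IIS W3C extended log lines, as an added example that is not part of the article or of Greg Missman's tip: it flags GET requests for /default.ida whose query is the long run of N's followed by %u-encoded data, and reads the status code the way the tip does (200 means the patch is missing or misapplied, 414 means the server blocked it). The field order is assumed to match the sample entry shown (IIS lets administrators choose the logged fields), and the sample log lines are constructed.

```python
import re
from collections import Counter

# Signature from the log entry shown above: GET /default.ida with a query that is
# a long run of 'N' followed by %uXXXX-encoded data.
CODE_RED_QUERY = re.compile(r"^N{20,}.*%u9090", re.IGNORECASE)
# Assumed W3C extended field order (it matches the sample entry; IIS lets admins
# choose the logged fields, so adjust this list to your own configuration).
FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "s_port",
          "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status", "sc_bytes"]

def parse_line(line):
    """Split one log line into a dict; return None for comment or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def classify(line):
    """Return None for ordinary traffic, else a verdict for a Code Red probe."""
    rec = parse_line(line)
    if rec is None or rec["cs_method"] != "GET":
        return None
    if not rec["cs_uri_stem"].lower().endswith("/default.ida"):
        return None
    if not CODE_RED_QUERY.match(rec["cs_uri_query"]):
        return None
    status = rec["sc_status"]
    if status == "200":
        return "UNPATCHED"      # request accepted: patch missing or misapplied
    if status == "414":
        return "BLOCKED"        # request rejected: patch in place
    return "OTHER-" + status    # unexpected code, worth a manual look

def summarize(lines):
    """Count verdicts across a log and collect the addresses that sent probes."""
    verdicts, sources = Counter(), set()
    for line in lines:
        verdict = classify(line)
        if verdict is not None:
            verdicts[verdict] += 1
            sources.add(parse_line(line)["c_ip"])
    return verdicts, sources

# Constructed sample entries (addresses are documentation ranges, not real hosts).
PROBE = "N" * 30 + "%u9090%u6858%ucbd3%u7801%u9090=a"
SAMPLE_LINES = [
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes",
    "2001-07-20 21:22:03 192.0.2.10 - 198.51.100.5 80 GET /default.ida " + PROBE + " 200 190",
    "2001-07-20 21:25:11 192.0.2.11 - 198.51.100.5 80 GET /default.ida " + PROBE + " 414 0",
    "2001-07-20 21:26:40 192.0.2.12 - 198.51.100.5 80 GET /index.html - 200 4096",
]
```

Running summarize(SAMPLE_LINES) on the constructed lines reports one UNPATCHED and one BLOCKED probe from two source addresses; any UNPATCHED hit on a real log means the patch needs to be reapplied.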

All the hype about Code Red could turn out to be just that - hype. But the steps for protection are relatively easy, and as the saying goes, "Better safe than sorry."

Copyright, 1994-2006 Network World, Inc. All rights reserved.