Code Red and OS X firewalls
Recently I started seeing a lot of activity in my Apache logs. For those that don't know, they are at /private/var/log/httpd (access_log and error_log). The code was:
63.82.46.11 - - [07/Aug/2001:04:06:38 -0700] "GET /default.ida?
XXXXXXXXX...snipped...XXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003
%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 27
[Editor's note: Carriage returns inserted, and repetitive "X" characters snipped, to aid readability; this will appear as one line in your log].

If you're seeing this then it's not a threat to your system. It's someone's machine running Windows NT 4.0 with IIS 4.0 or 5.0 enabled, Windows 2000 servers, or betas of XP with the Code Red worm running on their box. This probably means they don't know about it and it doesn't hurt us except it bloats your access logs. The information on it can be found at
http://www.cert.org/incident_notes/IN-2001-08.html

I have a question. Is there a way to set a deny rule for this with ipfw? Anyone?
-j
IPFW
Authored by: cardmagic on Aug 08, '01 01:54:54PM
First of all, there is no need to block it. Since you don't use Microsoft IIS, it does absolutely no harm to you. What you see is much like a ping command, the worm is doing two things at once: 1) if the remote host responds to the HTTP command, it inoculates that system, 2) if the remote host does not respond it forgets about that host and moves on. Anyone that is not running IIS just sends back a 404 Not Found command, as if someone was trying to go to a web page on your server that wasn't there. Second, as I said before, the worm sends an HTTP command to port 80. If you want to firewall anything to prevent these 404 Not Found errors because of the Code Red worm, all you have to do is firewall port 80, aka your web server. Of course, doing that means that the outside world wouldn't be able to access your web server at all, so you may as well just shut it down in the Network Preferences for that matter. So, if you want to stop your web server from being asked for documents that do not exist (god forbid!), simply shut it down. In summary, CODE RED DOES NOT AFFECT ANYTHING APPLE WHATSOEVER, there is absolutely no reason to do anything to your computer in response to it! -Lucas http://www.rufy.com/

Snort
Authored by: jasont on Aug 09, '01 07:29:52AM

Yes Lucas, I know it's not a threat to my system. I said so in my original post, but it can't help to let people know not to worry. The reason I'm trying to do this is because I'm sick of my Apache logs getting bloated. I'm going to try installing snort with flexresp and see if I can just kill it by content filtering. There's a lot of variants out now and there's the eeye test as well. I'm averaging 8 per hour if I set my server up on a new static ip that's never had a server on it. The new version is worse because it only looks outside of your address range 12.5% of the time and it's only going to increase. What are you averaging?
-j
IPFW
Authored by: cardmagic on Aug 10, '01 02:59:06PM

Bloated? If 8 entries/hour "bloats" your Apache logs, why are you running Apache at all? It seems like absolutely nobody is using it. In the 7,829 lines of my log, 20 of those are 404s from Code Red and 79 are 404s in general. And this is my home computer/developer computer, not my main server.

Another way to look at it is that one line of error from one Code Red attempt is less than 450 bytes. My hard drive is 30 Gigabytes. 450 bytes divided by 30 Gigabytes is just about Zero. Even 20 times 450 bytes is Zero. And since logs are generally used as data for statistics-making programs, all you have to do is find the percentage of 404s that are from Code Red (in my case it is 20/79 which is about 25%) and keep that in mind while looking at the general statistics.

-Lucas
http://www.rufy.com/
Recent data
Authored by: cardmagic on Aug 10, '01 03:32:49PM

Whoops, those were old logs, here are the numbers since April 4th:

18,800 lines in my access_log (1.9MB)
592 lines of 404 errors total
45 lines of 404 errors due to Code Red

Summary:
Code Red takes:
About 8% of 404 errors
About 0.2% of all lines of my access_log
About 20 kbytes of my hard disk space
About 0% of my hard disk space

Any questions?

-Lucas
http://www.rufy.com/
IP address in the log entry
Authored by: sjonke on Aug 08, '01 04:13:37PM

Does the IP address at the beginning of these log entries indicate the IP address of the infected machine? If so then I could potentially contact some of the ones that are showing up that have a local IP address (local to work). I.e. not ignore these, but respond to them.



IP address in the log entry
Authored by: cardmagic on Aug 08, '01 05:47:10PM
Yes, the IP is the IP of the infected machine and yes it would be courteous to contact them about being infected. -Lucas http://www.rufy.com/

Also entries with NNNNNNNNNNN...
Authored by: sjonke on Aug 08, '01 04:59:00PM

I see lots of those XXXXXXXXXXXX... entries, but also some with N........... For example:

66.89.136.70 - - [08/Aug/2001:09:58:02 -0400] "GET /default.ida?NNNNN...[snip]...
NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00
%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 326

What does that indicate if anything?
Also entries with NNNNNNNNNNN...
Authored by: aarle on Aug 08, '01 06:47:51PM
The entries with NNNNNN instead of XXXXXXXX in them are from the original version of Code Red, which became active again on August 1.

The XXXXXXX entries are of a newer strain of the worm, which apart from using a large number of X's to force the buffer overflow in IIS (instead of N's) doesn't seem different.

As for warning infected parties about their infections: there are so many that it becomes a bit of a chore very soon.
I thought about writing a quick PHP script that parses the IP address of the server making the request, and then sends a mail message warning of their infection to abuse@the_offending_ip_address, but still haven't found the time yet.
It would be trivial to write such a simple script, name it default.ida (the file the Code Red worm tries to access on your server), put it in the server root, and change /etc/httpd/httpd.conf so that ".ida" files will be recognized as PHP files (to make sure the script actually gets executed).


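The log lines quoted in this thread carry the probing host's address as the first field and the worm's padding character (N for the original worm, X for the newer strain, as aarle describes) right after `default.ida?`. The POSIX shell script below is an added example, not code from the hint or from any commenter: it tallies probes per source address and strain, and puts the probe count beside the total line count and 404 count, the kind of figures cardmagic posts later in the thread. The sample log is constructed; the first two addresses are the ones posted above, the others come from the 192.0.2.0/24 documentation range, and times and sizes are made up.

```shell
#!/bin/sh
# Added example, not code from the hint or from any commenter in the thread.
# Assumes the Apache Common Log Format shown in the posts:
#   ip - - [date tz] "METHOD /path HTTP/x" status bytes
# so that awk's $1 is the client address, $7 the request path, $9 the status.
# The sample lines below are constructed (times and sizes are made up); the
# payload is shortened to the recognisable %u9090... prefix.

SAMPLE_LOG=$(cat <<'EOF'
63.82.46.11 - - [07/Aug/2001:04:06:38 -0700] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 27
66.89.136.70 - - [08/Aug/2001:09:58:02 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 326
66.89.136.70 - - [08/Aug/2001:10:12:44 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 326
192.0.2.7 - - [08/Aug/2001:11:00:00 -0400] "GET /missing.html HTTP/1.0" 404 210
192.0.2.8 - - [08/Aug/2001:11:01:00 -0400] "GET /index.html HTTP/1.0" 200 1043
EOF
)

# Read a log on stdin; print "<ip> <strain> <count>" for every probing host.
# Strain follows the thread: padding of N's = original worm, X's = newer strain.
codered_hosts() {
    awk '
        $7 ~ /^\/default\.ida/ {
            strain = "unknown"
            if ($7 ~ /^\/default\.ida[?]N/) strain = "original"
            else if ($7 ~ /^\/default\.ida[?]X/) strain = "newer"
            count[$1 " " strain]++
        }
        END { for (key in count) print key, count[key] }
    ' | sort
}

# Read a log on stdin; print one line of totals:
#   total=<lines> notfound=<404s> codered=<probes> bytes=<log bytes used by probes>
# Probes are counted by request path rather than by status, because the
# N-padded request in sjonke's sample above is answered with 400, not 404.
codered_stats() {
    awk '
        { total++ }
        $9 == "404" { notfound++ }
        $7 ~ /^\/default\.ida/ { codered++; bytes += length($0) + 1 }
        END {
            printf "total=%d notfound=%d codered=%d bytes=%d\n",
                   total, notfound, codered, bytes
        }
    '
}

# Run on a real log, or on the constructed sample when no path is given:
#   codered_report /private/var/log/httpd/access_log
codered_report() {
    if [ -n "$1" ]; then
        codered_stats < "$1"
        codered_hosts < "$1"
    else
        printf '%s\n' "$SAMPLE_LOG" | codered_stats
        printf '%s\n' "$SAMPLE_LOG" | codered_hosts
    fi
}

codered_report "$@"
```

On the sample this reports three probes out of five lines, with 66.89.136.70 listed as two "original" hits and 63.82.46.11 as one "newer" hit. The per-host list is what you would hand to whoever owns those addresses; the totals give the share of the log the probes actually occupy.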
Asking and telling
Authored by: sjonke on Aug 09, '01 10:23:20AM

I contacted one of the people and sure enough they had Code Red. Turns out that they were unaware that they were even running IIS.

Anyway, I figure I can automate this via an AppleScript. Our network ops have a web page where you can find out the owner of a particular local IP address, including email address. So, I could use Web Miner to do the query and get the result, then tell Mail to send an email to them. It's too bad the nifty OS X application "File Monitor" does not let you trigger an action, either AppleScript or a shell script, when it spots particular types of entries. Is there anything that would do this for Unix? I can run AppleScript from a shell script, so that would work too.



trim the logs
Authored by: moyashi on Aug 09, '01 11:29:40AM

OK, checked mine too. M$ !!!! and hackers, thanks.

I know this is really lame and I should be looking for this on my own, but would somebody please kindly point me in the right direction on how to "trim" my access and error logs.

I would really appreciate it.

Also, since I'm requesting help, has anybody made an email responder script to notify the infected host?
trim the logs
Authored by: moyashi on Aug 09, '01 11:35:51AM

OK ... here's something I found for a PHP solution; wonder if it'll work?

http://www.hotscripts.com/Detailed/11415.html
trim the logs
Authored by: cardmagic on Aug 09, '01 12:37:27PM

First of all, that PHP script is not necessary, way too much of an overkill actually since CODE RED DOES NOT AFFECT MACINTOSH. Second of all, you couldn't get it running on Mac OS X because you need IP Tables which is a Linux firewall tool, not BSD!

-Lucas
thanks
Authored by: moyashi on Aug 09, '01 06:33:38PM

Thanks for saving the trouble. Last night before going to bed I was wondering about that. IP Tables that is.

Although Code Red doesn't necessarily affect my computer, it has in another sense. I've noticed hard drive creep. Slowly and steadily the access_log is filling up, which takes up space.

Thanks for your reply. I probably would've played with the script and found out the hard.



Hard drive space
Authored by: cardmagic on Aug 10, '01 03:03:12PM

One line of error code from one Code Red attempt is less than 450 bytes. My hard drive is 30 Gigabytes. 450 bytes divided by 30 Gigabytes is just about Zero. Even 100 times 450 bytes (about 44k), in perspective of a 30Gb (or even 12Gb) drive, is Zero. If you don't think you can spare an extra 44k of disk space, I think it is time for you to get a new computer.


-Lucas
http://www.rufy.com/
Hard drive space
Authored by: moyashi on Aug 10, '01 03:41:38PM

Ok, so it's not that then. Thanks.

How about this then. I open access_log up with pico and it complains that the file has long lines, and there are now 65571 lines total in my log.

Sure, my question might be outrageous for those more experienced than I am, and I probably should open files with a different type of editor that allows scrolling versus control-V or control-Y to page down or up. I should even get myself a book to study more about my system; this I all agree with. I'm not even really complaining that I'm missing some drive space. I just mentioned drive creep and how I can cut down on my log and save space. I should have also mentioned that I would like to reduce the "length" of my log. Sorry.


So, let me re-ask my question. How can I cut down my log's "length"?


I prefer using pico since it's a little more unix than let's say textedit would be and therefore reminds me that I'm editing files that are part of the system.



Hard drive space
Authored by: cardmagic on Aug 10, '01 04:00:02PM

To cut down on the space it takes, (which is completely minimal, therefore giving you a trivial amount of hard disk space) just delete the log.

-Lucas
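Deleting the log, as suggested, has a catch on a running server: httpd keeps the file open, so after `rm` it carries on writing to the unlinked inode, no new access_log appears and the space is not released until httpd is restarted. The script below is an added example, not from any post in the thread: it keeps the last N lines of the log and truncates the same file in place, so the daemon's open file descriptor stays valid. The log path and the default of 1000 lines are my choices, not values from the page, and the demo file at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the hint or from any commenter in the thread.
# Shrink an Apache log in place while httpd still has it open. Renaming or
# deleting the file does not help by itself: the daemon keeps writing to the
# open inode. Overwriting the same file (copy-truncate) keeps the name and
# inode the daemon is writing to, at the cost of losing any lines written
# between the tail and the overwrite.

# Usage: trim_log <logfile> [lines-to-keep]   (default 1000 lines, my choice)
# Prints the number of lines left; returns non-zero if the file is missing.
trim_log() {
    log="$1"
    keep="${2:-1000}"
    [ -f "$log" ] || return 1
    tmp="${log}.trim.$$"
    tail -n "$keep" "$log" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite rather than mv: mv would swap in a new inode and leave httpd
    # writing to the old, now-unlinked file.
    cat "$tmp" > "$log"
    rm -f "$tmp"
    wc -l < "$log" | tr -d ' '
}

# Stand-alone demo on a constructed 50-line file (not a real log); on a live
# system you would run e.g.: trim_log /private/var/log/httpd/access_log 5000
demo_dir=$(mktemp -d)
i=1
while [ "$i" -le 50 ]; do
    printf '192.0.2.%d - - [10/Aug/2001:00:00:%02d -0700] "GET /index.html HTTP/1.0" 200 1043\n' \
        "$i" "$((i % 60))" >> "$demo_dir/access_log"
    i=$((i + 1))
done
echo "kept $(trim_log "$demo_dir/access_log" 10) lines"
rm -rf "$demo_dir"
```

Run it as root against the real access_log (httpd writes the file as root on OS X). The same approach works for error_log, which also records each probe as a "File does not exist" line.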
Data from actual logs
Authored by: cardmagic on Aug 10, '01 03:36:35PM

Here are numbers from my home/development computer since April 4th:

18,800 lines in my access_log (1.9MB)
592 lines of 404 errors total
45 lines of 404 errors due to Code Red

Summary:
Code Red alone takes:
About 8% of 404 errors
About 0.2% of all lines of my access_log
About 24 kbytes of my hard disk space
About 0% of my hard disk space
Less than 0% of my worries

Any questions?

-Lucas
http://www.rufy.com/
Data from actual logs
Authored by: moyashi on Aug 10, '01 03:47:09PM

Wow! 1.9 meg file.

May I ask, why keep it so long?
What editor do you use to view it?

Thanks for the information.

Actually, it is interesting to see such stats. I'm not being sarcastic or anything just that being a "regular" mac user for years and having no real unix/bsd experience this type of information does provide insights into the system I'm using.

Thanks.
Data from actual logs
Authored by: cardmagic on Aug 10, '01 04:02:25PM

I keep it so long because I like the statistics; the bigger the log, the better the accuracy of the statistics. I use Analog (freeware) to process the log files:

http://www.summary.net/soft/analog.html

-Lucas
http://www.rufy.com/
Data from actual logs
Authored by: moyashi on Aug 11, '01 10:23:37AM

thanks cardmagic. I appreciate it.

Sounds like a good idea just to have that script running to check my box every once in a while.



How to tell where the attacks are coming from?
Authored by: Kris2112 on Aug 10, '01 07:37:49PM
In the apache access_log on my OSX Server, all of the code red entries have the same ip address as my server. How do I tell where the attack is really coming from?


submit your logfiles
Authored by: jimr on Aug 11, '01 03:29:08AM
Code White (idea)
Authored by: LouieNet on Aug 19, '01 07:28:22PM
jimr wrote:
if I knew more about the backdoor that the worm opens, I would write a script to shutdown each of the offending servers.

Heh. I was just mentioning an idea to my co-worker a couple of days ago that we could get a similar virus to infect and apply security patches to servers susceptible to Code Red, then go and infect other servers. He thought we could call it Code White, then asked whether the end justifies the means.

In this case, I thought so. :)

Later,
Louie
Enable Mail?
Authored by: Anonymous on Oct 13, '01 12:21:29AM
How do you enable mail in the terminal? I get this error when I try to use it
/etc/mail/sendmail.cf: line 81: fileclass: cannot open /etc/mail/local-host-names: Group writable directory
-THX
Filtering
Authored by: jasont on Aug 12, '01 01:27:39PM

If you only have that many Code Red attempts then you're lucky. I'm definitely in a Code Red II hotspot since it looks for close IP numbers now. I changed my IP to a private one that never had a domain name or webserver on it and within 8 hours I had 53 attacks. I verified this by running the snort filter set, logging the results to mysql, and checking them with snortreport.

So:
SetEnvIf Request_URI "^/default.ida" IDAREQ
CustomLog "/private/var/log/httpd/access_log" common env=!IDAREQ

You could escape the other regexp characters in the regular string, but I'm not putting anything named default.ida on my machine.

-j
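jasont's SetEnvIf/CustomLog pair drops the probes from access_log altogether. The fragment below is an added example, not from jasont's post: it escapes the dot he mentions (unescaped, `.` matches any character, so `^/default.ida` also matches a path such as `/defaultXida`) and routes the probes to a second log instead of discarding them, so the source addresses the thread talks about contacting stay available. The codered_log filename is my choice, not something from the page.

```apache
# Added example, not jasont's configuration. Assumes mod_setenvif and
# mod_log_config, which the stock OS X Apache loads.

# As posted: the unescaped "." also matches "/defaultXida" and the like.
#   SetEnvIf Request_URI "^/default.ida" IDAREQ

# Escaped: only a literal "/default.ida" at the start of the request path.
SetEnvIf Request_URI "^/default\.ida" IDAREQ

# Normal traffic keeps going to the usual log; worm probes go to their own
# file, so access_log stays small but the probing hosts are still recorded.
CustomLog "/private/var/log/httpd/access_log" common env=!IDAREQ
CustomLog "/private/var/log/httpd/codered_log" common env=IDAREQ
```

httpd has to be restarted for the new directives to take effect. The 404 itself is still reported in error_log as a "File does not exist" line, so this only keeps access_log clean; error_log grows by one line per probe regardless.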