| About Us |
| News |
| Alerts |
| Events |
| Services |
| Resources |
| Report Incidents |
| Incident Statistics |
| Security FAQS |
| Training |
| Vacancies |
| Links |
|
NISER > Alerts > MyCERT Advisories & Summaries > MSA 029.072001: MyCERT Special Alert - "Code Red" Worm
MSA 029.072001: MyCERT Special Alert - "Code Red" Worm Warning, Current Activities and Advisories Original Issue Date: 20th July 2001 We are currently seeing many malicious traffics on many networks, thus we would advice you to take security measures to ensure all your systems are patched and secured. Some extensive exploits are seen on Windows IIS server (Windows NT and Windows 2000. There have been reoccurring incidents due to failure to completely follow the hardening procedures for Window platform. However, Microsoft hotfixes and patches are fast deploying, due to the frequent �discovery� of loopholes, thus system administrators, are required to keep current on the patches. More information are available at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp IIS 4.0 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iischk.asp More Microsoft Security Tools and Checklists are available at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/tools.asp We are also highlighting other releases of advisories which we think are relevant and in abundance among local computers. CODE RED WORMEeye calls it .ida Code Red Worm, SANS calls it Code Red worm and CERTCC call it �Code Red� worm. Currently, as we publish this, MyCERT, NISER has received a growing number of reports on Code Red Worm attacks and probes among Malaysian host as well as foreign host, and we are seeing HEAVY scanning on many networks. These had caused networks to go down in a few organisations due to DDoS effect. Network administrators are advised to monitor logs within network and to identify those traffics that are originating from internal host, indicate that host has been compromised. The host MUST be patched to refrain it from becoming a contributor. The attack is very difficult to be stopped since it tunnels through port 80, which firewalls normally allow through. The Code Red Worm is rapidly spreading among IIS servers on the Internet and this calls us to issue this preliminary document to alert all Microsoft IIS administrators to patch their machines. We would like to stress this again � The "Code Red" worm can be identified on victim machines by the presence of the following string in IIS log files:
The Microsoft Bulletin on this issues is posted at: According to SANS Institute, two hundred thousand systems may already have been infected. If you are unsure whether yours is one of them, please patch and power off. The current worm seems to disappear when the machine is powered down, but you will be quickly reinfected if you are not patched. Our analysis also discovered that after the patches, the probes on the ISAPI udp ports will still come into the network. Thus removal of the �.ida� and �.idq� files if they are not required to run any of your application, is strongly recommended. Updates of this worm will be posted as more information come in at: Those using IDS and Firewalls are advised to update your signature files and firewall rules to ensure that your system will detect and block such traffic. OTHER JULY 2001 ADVISORIES19 July 2001
10 July 2001 - "Serious" Vulnerability In Check Point Firewalls
Checkpoint Advisory: http://www.checkpoint.com/techsupport/alerts/rdp.html Patch: http://www.checkpoint.com/techsupport/downloads.html 5 July 2001 - Oracle Patches High Risk Security Hole in 8i
Advisory: http://www.pgp.com/research/covert/advisories/050.asp R.Azrina R.Othman Malaysian Computer Emergency Response Team (MyCERT) & National ICT Security and Emergency Response Center (NISER) Last Update July 20, 2001 |