NISER > Alerts > MyCERT Advisories & Summaries > MSA 029.072001: MyCERT Special Alert - "Code Red" Worm
MSA 029.072001: MyCERT Special Alert - "Code Red" Worm
Warning, Current Activities and Advisories
Original Issue Date: 20th July 2001
We are currently seeing many malicious traffics on many networks, thus we would advice you to take security measures to ensure all your systems are patched and secured. Some extensive exploits are seen on Windows IIS server (Windows NT and Windows 2000. There have been reoccurring incidents due to failure to completely follow the hardening procedures for Window platform.
However, Microsoft hotfixes and patches are fast deploying, due to the frequent �discovery� of loopholes, thus system administrators, are required to keep current on the patches. More information are available at:
We are also highlighting other releases of advisories which we think are relevant and in abundance among local computers.CODE RED WORM
Eeye calls it .ida Code Red Worm, SANS calls it Code Red worm and CERTCC call it �Code Red� worm. Currently, as we publish this, MyCERT, NISER has received a growing number of reports on Code Red Worm attacks and probes among Malaysian host as well as foreign host, and we are seeing HEAVY scanning on many networks. These had caused networks to go down in a few organisations due to DDoS effect. Network administrators are advised to monitor logs within network and to identify those traffics that are originating from internal host, indicate that host has been compromised. The host MUST be patched to refrain it from becoming a contributor. The attack is very difficult to be stopped since it tunnels through port 80, which firewalls normally allow through.
The Code Red Worm is rapidly spreading among IIS servers on the Internet and this calls us to issue this preliminary document to alert all Microsoft IIS administrators to patch their machines. We would like to stress this again �
THOSE RUNNING MICROSOFT IIS, PLEASE PATCH YOUR MACHINES!
The "Code Red" worm can be identified on victim machines by the presence of the following string in IIS log files:
According to SANS Institute, two hundred thousand systems may already have been infected. If you are unsure whether yours is one of them, please patch and power off. The current worm seems to disappear when the machine is powered down, but you will be quickly reinfected if you are not patched. Our analysis also discovered that after the patches, the probes on the ISAPI udp ports will still come into the network. Thus removal of the �.ida� and �.idq� files if they are not required to run any of your application, is strongly recommended.
Updates of this worm will be posted as more information come in at:
Those using IDS and Firewalls are advised to update your signature files and firewall rules to ensure that your system will detect and block such traffic.OTHER JULY 2001 ADVISORIES
19 July 2001
Several implementations of the Lightweight Directory Access Protocol (LDAP) protocol contain vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. If your site uses any of the products listed in this advisory, the CERT/CC encourages you to follow the advice provided in the Solution section below.
10 July 2001 - "Serious" Vulnerability In Check Point Firewalls
A hole has been discovered that allows outsiders to snoop inside networks that are protected by Check Point Firewalls. The vulnerability exploits the fact that RDP packets traverse Check Point firewall gateways. Representatives of CERT/CC called the problem serious.
5 July 2001 - Oracle Patches High Risk Security Hole in 8i
Oracle acknowledged a buffer overflow problem in the "listener" component of its database. The attacker who uses the vulnerability can read or change any information in the database. Oracle issued a patch
Malaysian Computer Emergency Response Team (MyCERT) &
National ICT Security and Emergency Response Center (NISER)
Disclaimers and copyright information
Last Update July 20, 2001