CodeRed virus hits HARD

Rebel79 · 08-06-2001, 07:24 PM

Around 12:45 my location, Concord, CA, was hit HARD by the CodeRed version 3 virus. This is a different strain than the previous virii that hit the US last week. Version 3 is more widespread and is more powerfull because it allows the hacker to Remotely Control the infected Server. This virus infects Microsoft IIS servers running NT 4.0 & 2000.

Now what has not been released to the media yet, is that this virus INFECTS the CLIENTS! I have been tracking this all day and trying to stop the virus from spreading... about 1 hour ago we are able to separate our location from infecting other sites in our Company, however it was too late. Within 3 hours it had spread from California to Florida.

This virus infects the clients and has the PC run a port scan, looking for other IIS servers in its vicinity. Once it finds an IIS server, it infects it. The IIS server is infected and can infect clients that connect to it.

I know there are patches from Microsoft and Norton to clean the virus on the servers. I have yet to see a patch for our PC's.

For more info, go here: http://www.symantec.com/avcenter/ven...odered.v3.html

------------------
1994 Mustang Cobra
308ci, Vortech S-trim 11#, ported GT-40 heads, E-303 cam, FMS 1 5/8 headers, BBK Offroad H-pipe, 2-chamber flows, and several other goodies.
Rebel Racing. Home of Bay Area Mustangs

Fox Body · 08-07-2001, 12:30 AM

Thanks for the info.

-----------------------------------------
351W-powered 1979 Ford Mustang notchback
Stock 5.8L under 4" cowl, C4 w/ shift kit
Holley 750 cfm, Edelbrock Performer RPM intake
1 5/8" MAC shorty headers, Al driveshaft
2.5" Off road H-pipe, 2-chamber Flowmasters
Front: 225/60/15, Rear: 255/60/15 Eagle GT II
Weld wheels (15x6;15x8), 8.8" Rear w/ 3.55s
14 x 4” K&N air filter (getting the Xtreme setup someday)

"Red, thou art my companion. Hasten now your quickened metamorphosis to Green that I may conquer all who dare abide there beside me. May they be left thither behind burnt black." ---Fox Body

joe4speed · 08-07-2001, 12:38 AM

could this be why I'm getting hundreds of http port scans hitting my firewall every day?
It just started a few days ago. I always get attacks, but usually like 30 a day, now it's like 600 aday
------------------
Joe! 1988 GT, 167,000 miles!!! 13.58@105mph Check out my listing! Click here! Or my website:www.joe4speed.com
99 Ninja ZX-6R:10.32@135mph!
1993 Olds Eighty Eight LSS 16.40@88.8mph

[This message has been edited by JL1314 (edited 08-07-2001).]

dinomite · 08-07-2001, 09:02 AM

http://enclaved.com/

my friend has a tab on all the CR v1 and v2 hits he gets. the original sends a packet of "NNN"'s, v2 sends "XXX"'s (look at his logs). yesturday there were more hits (at least on enclaveds server!). its sad that the fix is so horribly simple.

one more thing, you'll notice on enclaved's site that most of the "XXX" strings are coming from *.home.com (@home cable service users). how odd.

------------------
90LX AOD Convertible: Lakewood control arms, FMS springs.
Best 1/4: 15.277@92.25 (2.27 60')
AIM: dinomite1, roadracestang
dinomite@softhome.net

[This message has been edited by dinomite (edited 08-07-2001).]

Capri306 · 08-07-2001, 10:28 AM

JL1314: very likely. This really sucks. Seems like it's always late summer when the worst of the viruses and worms hit. Heck, I'm still getting people Emailing me the SirCam worm (which Symantec upgraded to a level 4 worm!), so that makes me wonder exactly how many people have my address in their addy book! Being a 'Board moderator on a site this large, I guess quite a few. No problems yet though. Dan and I have exchanged emails about this; good thing he warned me to delete it! According to Symantec, SirCam is supposed to wipe your hard drive on October 16th. Ouch.

------------------
Capri306, Moderator, The Mustang Works Online
1979 Mercury Capri, 5.0L -- C4 -- 2.73
1987 Mustang LX Notch

Rebel79 · 08-08-2001, 02:54 AM

I have learned more about this virus.

It is attacking Win NT 4.0, Win 2k Pro, Win 2k Server, & Win 2k Advanced Server. You don't have to be running IIS to be infected either. With Win2k, Windows Setup installed Frontpage by default. Code Red will attack your computer if it has Front Page installed!

If you want to know more and how to see if your PC is infected go here.

------------------
1994 Mustang Cobra
308ci, Vortech S-trim 11#, ported GT-40 heads, E-303 cam, FMS 1 5/8 headers, BBK Offroad H-pipe, 2-chamber flows, and several other goodies.
Rebel Racing. Home of Bay Area Mustangs

08-06-2001, 07:24 PM	#1
Rebel79 News Editor Join Date: Apr 1999 Location: Concord, CA Posts: 2,101	CodeRed virus hits HARD Around 12:45 my location, Concord, CA, was hit HARD by the CodeRed version 3 virus. This is a different strain than the previous virii that hit the US last week. Version 3 is more widespread and is more powerfull because it allows the hacker to Remotely Control the infected Server. This virus infects Microsoft IIS servers running NT 4.0 & 2000. Now what has not been released to the media yet, is that this virus INFECTS the CLIENTS! I have been tracking this all day and trying to stop the virus from spreading... about 1 hour ago we are able to separate our location from infecting other sites in our Company, however it was too late. Within 3 hours it had spread from California to Florida. This virus infects the clients and has the PC run a port scan, looking for other IIS servers in its vicinity. Once it finds an IIS server, it infects it. The IIS server is infected and can infect clients that connect to it. I know there are patches from Microsoft and Norton to clean the virus on the servers. I have yet to see a patch for our PC's. For more info, go here: http://www.symantec.com/avcenter/ven...odered.v3.html ------------------ 1994 Mustang Cobra 308ci, Vortech S-trim 11#, ported GT-40 heads, E-303 cam, FMS 1 5/8 headers, BBK Offroad H-pipe, 2-chamber flows, and several other goodies. Rebel Racing. Home of Bay Area Mustangs

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
virus	429mustang	Blue Oval Lounge	19	07-29-2001 10:53 AM
Replacing convertible top. How hard is it?	Dark_5.0	Windsor Power	7	06-09-2001 09:01 PM
VIRUS ALERT!!!!!!!	82 GT	Stang Stories	3	06-01-2001 03:31 PM
VIRUS ALERT!!!!!!!	82 GT	Blue Oval Lounge	4	05-31-2001 06:49 PM

08-07-2001, 12:30 AM	#2
Fox Body Mustang Maniac Join Date: Sep 2000 Location: GA, U.S.A Posts: 2,266	Thanks for the info. ----------------------------------------- 351W-powered 1979 Ford Mustang notchback Stock 5.8L under 4" cowl, C4 w/ shift kit Holley 750 cfm, Edelbrock Performer RPM intake 1 5/8" MAC shorty headers, Al driveshaft 2.5" Off road H-pipe, 2-chamber Flowmasters Front: 225/60/15, Rear: 255/60/15 Eagle GT II Weld wheels (15x6;15x8), 8.8" Rear w/ 3.55s 14 x 4” K&N air filter (getting the Xtreme setup someday) "Red, thou art my companion. Hasten now your quickened metamorphosis to Green that I may conquer all who dare abide there beside me. May they be left thither behind burnt black." ---Fox Body

08-07-2001, 12:38 AM	#3
joe4speed He said Member...heh, heh Join Date: Sep 1999 Location: Jupiter, Florida U.S.A. Posts: 3,718	could this be why I'm getting hundreds of http port scans hitting my firewall every day? It just started a few days ago. I always get attacks, but usually like 30 a day, now it's like 600 aday ------------------ Joe! 1988 GT, 167,000 miles!!! 13.58@105mph Check out my listing! Click here! Or my website:www.joe4speed.com 99 Ninja ZX-6R:10.32@135mph! 1993 Olds Eighty Eight LSS 16.40@88.8mph [This message has been edited by JL1314 (edited 08-07-2001).]

08-07-2001, 09:02 AM	#4
dinomite The Dude Join Date: Feb 2001 Location: Arlington, VA Posts: 1,262	http://enclaved.com/ my friend has a tab on all the CR v1 and v2 hits he gets. the original sends a packet of "NNN"'s, v2 sends "XXX"'s (look at his logs). yesturday there were more hits (at least on enclaveds server!). its sad that the fix is so horribly simple. one more thing, you'll notice on enclaved's site that most of the "XXX" strings are coming from *.home.com (@home cable service users). how odd. ------------------ 90LX AOD Convertible: Lakewood control arms, FMS springs. Best 1/4: 15.277@92.25 (2.27 60') AIM: dinomite1, roadracestang dinomite@softhome.net [This message has been edited by dinomite (edited 08-07-2001).]

08-07-2001, 10:28 AM	#5
Capri306 Moderator Join Date: Sep 1998 Location: Grand Rapids, Michigan, USA Posts: 1,001	JL1314: very likely. This really sucks. Seems like it's always late summer when the worst of the viruses and worms hit. Heck, I'm still getting people Emailing me the SirCam worm (which Symantec upgraded to a level 4 worm!), so that makes me wonder exactly how many people have my address in their addy book! Being a 'Board moderator on a site this large, I guess quite a few. No problems yet though. Dan and I have exchanged emails about this; good thing he warned me to delete it! According to Symantec, SirCam is supposed to wipe your hard drive on October 16th. Ouch. ------------------ Capri306, Moderator, The Mustang Works Online 1979 Mercury Capri, 5.0L -- C4 -- 2.73 1987 Mustang LX Notch

08-08-2001, 02:54 AM	#6
Rebel79 News Editor Join Date: Apr 1999 Location: Concord, CA Posts: 2,101	I have learned more about this virus. It is attacking Win NT 4.0, Win 2k Pro, Win 2k Server, & Win 2k Advanced Server. You don't have to be running IIS to be infected either. With Win2k, Windows Setup installed Frontpage by default. Code Red will attack your computer if it has Front Page installed! If you want to know more and how to see if your PC is infected go here. ------------------ 1994 Mustang Cobra 308ci, Vortech S-trim 11#, ported GT-40 heads, E-303 cam, FMS 1 5/8 headers, BBK Offroad H-pipe, 2-chamber flows, and several other goodies. Rebel Racing. Home of Bay Area Mustangs