Code Red Self Test
What is the Code Red Worm?
The Code Red Worm is a self-replicating piece of software that infects
IIS web servers by exploiting a well-known vulnerability, known as the IIS
ISAPI buffer overflow.
Once it has infected a host, the worm performs one of several different
actions, depending on the version of the worm involved, the language of
the system in use, and the value of the system clock. The worm:
- Scans the Internet looking for additional servers that it can infect (all versions).
- Launches denial-of-service attacks against the White House's official web site (original worm and a variant).
- Installs a backdoor accessible over the web (version II).
Code Red II
There are several known variants of the worm in the wild. The first were
limited in their damage because of a limitation in how they scanned for
new web servers to infect. The latest version, dubbed Code Red II, opens
a backdoor on your system, allowing anyone access to your server even if
you close the original hole that it exploited.
Why is this worm different?
This particular worm is extremely aggressive in how it searches for
its victim hosts. An infected machine searches the net for additional
IIS servers to compromise. Each newly infected host in turn joins all the
others in scanning, so the rate of scanning grows exponentially.
Test Me Now
If you are running your browser from the same system running your web server,
simply click the following button to determine if your system is
susceptible to the Code Red Worm, and if you are already
infected by Code Red II.
How Do I Stop It?
The original worms did not do any damage to your system (other than consuming
bandwidth and possibly making you unpopular with other system administrators).
A simple reboot, along with patching the security hole the worm exploited,
solves the problem.
Code Red II
The latest worm is not so benign. While the second worm affects only Windows 2000-based
systems running IIS, it places a backdoor into the system that
essentially makes "cmd.exe" available for use through the web via two
different mechanisms.
A thorough analysis of the worm can be found here.
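The self-test above checks the machine the browser is running on; an administrator who cannot sit at the server can check its web logs instead. The following Python script is an added example, not part of the original page, and looks for the two behaviours described here: oversized requests to an ISAPI extension (the shape of a buffer-overflow probe) and requests that try to reach cmd.exe through the web server (use of the Code Red II backdoor). The log lines, the field order, the 200-character query threshold and the list of ISAPI extensions are assumptions made for the example; the page itself gives no request signature for the worm.

```python
"""Scan IIS W3C-extended log lines for Code Red-style activity.

Two heuristics, both from a defender's point of view:
  1. an abnormally long query string sent to an ISAPI extension
     (the request shape of a buffer-overflow probe against the server);
  2. any request whose path or query names cmd.exe, which the Code Red II
     backdoor exposes through the web server.
All sample data below is constructed for this example; none of it is a
real capture.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: a query string longer than this, aimed at an ISAPI DLL, is
# worth a look. Tune for your own server's legitimate traffic.
LONG_QUERY_THRESHOLD = 200

# Assumption: extensions IIS maps to ISAPI DLLs on the server being checked.
# .ida/.idq are the Index Server mappings; add whatever else you have mapped.
ISAPI_EXTENSIONS = (".dll", ".ida", ".idq")

# Assumed #Fields order for the log being parsed (W3C extended format).
FIELDS = ("date", "time", "c_ip", "method", "stem", "query", "status")


@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str
    request: str


def parse_w3c_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into the assumed fields.

    Returns None for directive lines (#Software, #Fields, ...), blank lines
    and lines that do not carry all seven fields.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts[: len(FIELDS)]))


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the record matches a heuristic, else None."""
    stem = rec["stem"].lower()
    query = rec["query"]
    # IIS logs an empty query as "-".
    if query == "-":
        query = ""
    if "cmd.exe" in stem or "cmd.exe" in query.lower():
        return "cmd.exe requested through the web server (backdoor use)"
    if stem.endswith(ISAPI_EXTENSIONS) and len(query) > LONG_QUERY_THRESHOLD:
        return "oversized query to ISAPI extension (buffer-overflow probe shape)"
    return None


def scan_log(text: str) -> List[Finding]:
    """Run both heuristics over a whole log and collect the hits in order."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        rec = parse_w3c_line(raw)
        if rec is None:
            continue
        reason = classify(rec)
        if reason is not None:
            request = f"{rec['method']} {rec['stem']} {rec['query']}"
            findings.append(Finding(line_no, rec["c_ip"], reason, request))
    return findings


def summarize_by_client(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per client address; a scanning worm shows up as a repeat offender."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


# Constructed sample log (documentation-range addresses, invented timestamps).
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-06 10:01:12 192.0.2.10 GET /index.htm - 200",
    "2001-08-06 10:01:15 192.0.2.44 GET /isapi/search.dll " + "N" * 300 + " 200",
    "2001-08-06 10:01:20 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 200",
    "2001-08-06 10:01:22 192.0.2.10 GET /images/logo.gif - 200",
    "2001-08-06 10:01:30 203.0.113.9 GET /scripts/CMD.EXE /c+dir 404",
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip}: {f.reason}: {f.request[:60]}")
    print(summarize_by_client(scan_log(SAMPLE_LOG)))
```

A 404 on a cmd.exe request is still worth recording: it shows someone probing the server for the backdoor, and a flood of such lines from many different clients is exactly the exponential scanning the page describes.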
Currently, the safest course of action is to completely rebuild
your system and to properly harden it by applying the appropriate
patches from Microsoft. This may seem drastic, but remember:
- Your system has been vulnerable for some time to a problem that
others may already have exploited in ways that are not obvious.
- If your system was infected with any of the Code Red worms, it has
been actively screaming at every web server it can find on the net that
your system is vulnerable, because the worm on it is trying to infect
other systems.
The security bulletin issued by Microsoft that discusses the vulnerability these worms exploit is MS01-033.