Computing at Cornell Security
 

About the Code Red Worm (July 20, 2001)

The "Code Red" worm -- or a close variant that behaves similarly -- has been active on the Cornell network. This worm spreads by exploiting a vulnerability in Microsoft IIS (Internet Information Server), in both IIS 4.0 (Windows NT) and IIS 5.0 (Windows 2000). See CIT's web page on Securing IIS.

For a detailed description, see CERT® Advisory CA-2001-19.

A patch for this vulnerability was released on 6/18/01, and is discussed in Microsoft Security Bulletin MS01-033.

History and Actions Taken

On 07/19/01, Cornell Information Technologies noticed that a number of hosts were generating a large amount of web traffic (not web servers answering requests). Further investigation showed that these hosts were all running IIS.

Most of the infected computers did not show all of the signs of the Code Red worm described in the advisory. In particular, neither the characteristic logfile entry nor the file C:\NOTWORM was present. Nevertheless, the infected computers were engaged in the DoS-type scanning described for this worm.

In order to contain the spread of this worm, we had to block all outgoing web traffic (not web server replies!) at the campus border.

We will continue to monitor network usage and block servers that exhibit the described pattern. Please note that these blocks only prevent the affected hosts from viewing remote web pages; they do not affect their ability to serve web pages.
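The pattern described above (infected IIS hosts initiating many outgoing web connections, as opposed to web servers answering requests) can be spotted in connection logs. The following is an added example, not part of the original CIT page: it runs over constructed flow records in a made-up "timestamp src_ip src_port dst_ip dst_port" format and flags hosts that open connections to an unusually large number of distinct destinations on TCP port 80, while ignoring replies sent from a server's own port 80.

```python
"""Flag hosts whose outbound HTTP traffic looks like worm scanning.

The flow format and all addresses here are constructed for illustration;
they are not real Cornell data.
"""
from collections import defaultdict

# Constructed sample: 10.1.1.5 is a web server answering requests (source
# port 80), 10.1.1.20 is an ordinary client browsing two sites, and 10.1.1.9
# is an IIS host opening connections to 40 different remote hosts on port 80.
SAMPLE_FLOWS = """\
2001-07-19T10:00:01 10.1.1.5 80 192.0.2.10 34567
2001-07-19T10:00:02 10.1.1.5 80 192.0.2.11 34568
2001-07-19T10:00:03 10.1.1.20 1045 198.51.100.7 80
2001-07-19T10:00:04 10.1.1.20 1046 198.51.100.8 80
""" + "\n".join(
    f"2001-07-19T10:00:{5 + i:02d} 10.1.1.9 {2000 + i} 203.0.113.{i} 80"
    for i in range(1, 41)
)


def parse_flows(text):
    """Yield (src_ip, src_port, dst_ip, dst_port) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, sport, dst, dport = line.split()
        yield src, int(sport), dst, int(dport)


def outbound_http_fanout(flows):
    """Count distinct destinations each host connects to on TCP/80.

    Only client-side connections (destination port 80) count; a server
    replying from source port 80 is not "outgoing web traffic".
    """
    fanout = defaultdict(set)
    for src, sport, dst, dport in flows:
        if dport == 80 and sport != 80:
            fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items()}


def scanning_hosts(text, threshold=20):
    """Return hosts whose distinct-destination count reaches the threshold."""
    counts = outbound_http_fanout(parse_flows(text))
    return sorted(host for host, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(scanning_hosts(SAMPLE_FLOWS))  # ['10.1.1.9']
```

The threshold is an assumption; on a real network it would be tuned against the normal browsing fan-out of client hosts.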

When hosts are blocked, notification will be sent to the registered network administrators. Please contact the Network Operation Center (255-9900 or noc@cornell.edu) for further information.

IIS is installed on many Windows 2000 and Windows NT computers without the explicit knowledge of the administrator. If you have any Windows computers under your administration, please check whether IIS is running. If you need to run IIS on that particular server, please make sure that it is properly configured and patched.

Detecting Whether IIS Is Running

In Windows NT 4.0 or Windows 2000, press Ctrl-Shift-Esc to bring up the Task Manager, then click the "Processes" tab. If inetinfo.exe appears in the list, you are running IIS or one of its components (such as FTP or SMTP).

Under Windows 2000, you can see the list of installed components by going to "Add/Remove Programs" in the Control Panel and selecting "Details" for "Internet Information Services".

In Windows NT 4.0, IIS is part of the Option Pack; you can determine which components are installed by going into "Windows NT 4.0 Option Pack Setup" under the Programs menu.

Disabling or Removing IIS

To disable the web server, run the "Services" control panel. In Windows NT 4.0, this is in the Control Panel. In Windows 2000, this is under Administrative Tools in the Control Panel (or under the Administrative Tools menu).

Stop the "World Wide Web Publishing Service" and set it to "Manual Startup" or "Disabled".

Optional: You can remove IIS if you don't need to run any of the IIS components (Web, FTP, etc.). This can be done in "Add/Remove Programs" under the Control Panel. For assistance, please contact the HelpDesk (255-8990).

Patching IIS

If you need to run IIS, you need to install the following patches to protect your server from these attacks.

First, update IIS with the patch described in Microsoft Security Bulletin MS01-026.

Then run Windows Update (http://windowsupdate.microsoft.com/), which should patch the Index Server vulnerability. This REQUIRES using IE 5 or higher.


From: Thomas Braun, Systems & Network Infrastructure Security



Security Issues for Network and System Administrators


Last modified: July 24, 2001