Code Red Virus and DBR

If you've been paying much attention to computer security news lately, you have certainly heard about the Code Red virus. News about Code Red has been somewhat overshadowed by the SirCam virus, which can be highly embarrassing but is not yet as destructive as Code Red. (We've filtered quite a few SirCam infection attempts as well.)

One particularly nasty effect of Code Red is that it places a root exploit on the infected machine, meaning a malicious person could use it to gain privileged access to that machine. The comparatively good news is that the exploit is in a web server (IIS) rather than in a more commonly used application. If you are running a Windows machine and disable the web server, you are safe from this virus.

What is interesting is the epidemiology of this virus. Large sites running IIS have been quick to install security patches, so most of them are uninfected. The main targets of infection have been small sites and home users. People running NT and Windows 2000 boxes on broadband connections are infected in higher proportions than other demographics; they may not even be aware they're running a web server. The scariest aspect is that this describes a college network very well: as the students arrive and attach their machines to the network, they may not even be aware they are running IIS, and in the next wave of the virus they could join the infected.

DBR has been a victim of exploits in the past; those of you who were here in February 2000 may recall when we were cracked via a hole in DNS to be used in distributed denial of service attacks. Perhaps fortunately, that exploit required hands-on effort by the vandal, as opposed to the mindless attack of a virus.

In this case, DBR will not be broken by Code Red: we're running Apache on a Linux server, and this virus only infects Windows machines running IIS. Even so, we've received 255 attempts to penetrate the DBR web server via the IIS/Code Red exploit, including 40 attempts in the last 12 hours.
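As an added example (not DBR's own code), here is one way an Apache site could count probe attempts like those above from its access log, split into a total and a last-12-hours figure and grouped by source host. The log lines are constructed, and the `GET /default.ida?` request with a long run of filler characters is the widely documented signature of Code Red's IIS probe, which the post itself does not describe.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache combined log: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Code Red probes hit the IIS .ida ISAPI extension: GET /default.ida? followed by
# a long run of N (first variant) or X (later variant) padding bytes.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?[NX]{20,}')

# Constructed sample lines; the %u... payload is shortened. Apache answers 404
# because it has no .ida handler, which is why the probes are harmless here.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2001:22:15:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNN%u9090=a HTTP/1.0" 404 283 "-" "-"
198.51.100.4 - - [20/Jul/2001:09:30:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090=a HTTP/1.0" 404 283 "-" "-"
192.0.2.9 - - [20/Jul/2001:13:41:07 -0400] "GET /index.html HTTP/1.0" 200 5123 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Jul/2001:14:03:22 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNN%u9090=a HTTP/1.0" 404 283 "-" "-"
"""

def parse_time(s):
    # Apache timestamp, e.g. 20/Jul/2001:14:03:22 -0400 (timezone-aware)
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def code_red_hits(lines, now, window=timedelta(hours=12)):
    """Return (total, recent, per_host) for Code Red probes in access-log lines."""
    total = recent = 0
    per_host = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not CODE_RED_RE.match(m["request"]):
            continue  # unparseable line or ordinary request
        total += 1
        per_host[m["host"]] += 1
        if now - parse_time(m["time"]) <= window:
            recent += 1
    return total, recent, per_host

def summarize(log_text, now_str):
    """Convenience wrapper: counts for a whole log text at the given 'now'."""
    total, recent, per_host = code_red_hits(log_text.splitlines(), parse_time(now_str))
    return total, recent, dict(per_host)

if __name__ == "__main__":
    total, recent, per_host = summarize(SAMPLE_LOG, "20/Jul/2001:15:00:00 -0400")
    print(f"{total} Code Red probes, {recent} in the last 12 hours")
    for host, n in per_host.items():
        print(f"  {host}: {n}")
```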

To date, we're reasonably satisfied with the security of this arrangement. If you are thinking of running a web server from your Duke dorm room, we'd recommend this approach, and would suggest you contact the Duke University Linux Users Group for any assistance you may require.