The "Code Red II" worm exploits the same "buffer overflow" vulnerability identified in the previous "Code Red" worm. Microsoft has published information and a patch for this vulnerability in Microsoft Internet Information Server (IIS).
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/...
When a web server becomes infected, the worm checks the default language of the system. If the language is Chinese (either Traditional or Simplified), it creates 600 new threads and sleeps for 48 hours; otherwise it creates 300 threads and sleeps for 24 hours. These threads generate random IP addresses that are used to search for new web servers to infect. When the original thread wakes up from its sleep, it reboots the system. In addition, all threads check whether the month is October or the year is 2002; if so, the system is rebooted.
The worm also creates a backdoor Trojan. It tries to copy %windir%\CMD.EXE to the following files:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
This allows a remote attacker to take full control of the web server by sending an HTTP GET request that runs scripts/root.exe (scripts is an execution-enabled directory in a default IIS installation) on the infected web server.
The worm creates a Trojan horse copy of explorer.exe and copies it to C:\ and D:\. The Trojan horse explorer.exe calls the real explorer.exe to mask its existence, and creates a virtual mapping that exposes the C:\ and D:\ drives. Because this exploits the "Relative Shell Path" vulnerability, the Trojan explorer.exe runs every time a user logs in, so this payload persists even after a reboot of the compromised system.
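Detecting use of the backdoor described above in IIS logs, as an added example (not code from the advisory or from any of its listed sources). The script parses IIS W3C extended-format log lines, constructed here rather than captured, and flags GET requests for root.exe under /scripts or /MSADC. The additional check for request paths beginning with /c/ or /d/ is an assumption: it treats the "Virtual Roots\c" and "Virtual Roots\d" registry entries named in the Solutions section as exposing those drives under the /c and /d URL paths.

```python
"""Flag IIS log records consistent with use of the Code Red II backdoor.

Added example for this advisory; not code from the advisory or its sources.
"""
import re
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample log in IIS W3C extended format (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-05 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 00:01:12 192.0.2.10 GET /index.htm - 200
2001-08-05 00:02:30 198.51.100.7 GET /scripts/root.exe /c+dir 200
2001-08-05 00:02:45 198.51.100.7 GET /MSADC/root.exe /c+dir+c:\\ 200
2001-08-05 00:03:01 203.0.113.9 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-08-05 00:03:20 192.0.2.11 GET /images/logo.gif - 200
"""

# root.exe copies the worm drops under the scripts and MSADC directories (from the advisory).
BACKDOOR_PATHS = re.compile(r"^/(scripts|msadc)/root\.exe$", re.IGNORECASE)
# Assumption: the worm's "c" and "d" virtual roots are reachable as /c/... and /d/...
DRIVE_ROOTS = re.compile(r"^/[cd]/", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, using the most recent #Fields directive as the schema."""
    fields: Optional[List[str]] = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            continue  # a record before any #Fields directive cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misattribute columns
        yield dict(zip(fields, values))


def classify(record: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the record looks like backdoor use, else None."""
    stem = record.get("cs-uri-stem", "")
    if BACKDOOR_PATHS.match(stem):
        return "root.exe backdoor request"
    if DRIVE_ROOTS.match(stem):
        return "request into exposed drive virtual root"
    return None


def find_backdoor_use(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Scan a whole log and return the suspicious records with the source IP and query."""
    hits = []
    for rec in parse_w3c(log_text.splitlines()):
        reason = classify(rec)
        if reason:
            hits.append({
                "ip": rec.get("c-ip"),
                "stem": rec["cs-uri-stem"],
                "query": rec.get("cs-uri-query"),
                "status": rec.get("sc-status"),
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in find_backdoor_use(SAMPLE_LOG):
        print(f"{hit['ip']:15} {hit['stem']} {hit['query']} -> {hit['reason']}")
```

Run it against a real IIS log by reading the file and passing its contents to find_backdoor_use(); a 200 status on a flagged record means the request was served, so the host should be treated as compromised rather than merely scanned.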
Impact
Intruders can execute arbitrary commands within the LocalSystem security context on Windows 2000 systems infected with the "Code Red II" worm. Compromised systems may be subject to files being altered or destroyed. Denial-of-service conditions may be created for services relying on altered or destroyed files. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.
The widespread, automated attack and propagation characteristics of "Code Red II" may cause bandwidth denial-of-service conditions in isolated portions of the network, particularly near groups of compromised hosts where "Code Red II" is running.
Windows NT 4.0 systems and Cisco 600-series DSL routers may experience denial-of-service as a result of the scanning activity of the worm.
Vulnerable System
Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled and Index Server 2.0 installed
Microsoft Windows 2000 with IIS 5.0 enabled and Indexing services installed
Cisco CallManager, Unity Server, uOne, ICS7750, Building Broadband Service Manager, IP/VC 3540 Application Server (these systems run IIS)
Cisco 600 series DSL routers
Solutions
According to SecurityFocus, the steps to be taken in recovering from Code Red II are:
Download Microsoft's patch for your IIS Web server using this link
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/...
Disconnect your Internet connection to avoid infection
Remove Trojan versions of C:\explorer.exe and D:\explorer.exe if they exist
Reboot your system to clear the worm from memory
Apply the patch to prevent re-infection
Remove Trojan versions of C:\explorer.exe and D:\explorer.exe if they exist
Reboot before attempting to change registry values
Remove any copies of root.exe from C:\inetpub\scripts\root.exe and D:\inetpub\scripts\root.exe
Reset the registry value
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
to zero to re-enable system file protection
Code Red II sets registry values for remote Web access. If you have a default installation, you do not require these keys, and they may be removed or set to zero. If you use these keys, you will need to reset them to your own values:
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\msadc
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\c
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\d
Reboot your system
Reconnect to the Internet
There is a tool created by eEye that is able to scan up to 254 IP addresses at once and determine if any are vulnerable to the .ida "Code Red" attack.
Download the eEye Retina CodeRed Scanner here:
http://www.eeye.com/html/Research/Tools/RetinaCodeRed.exe
Before installing the software, please visit the manufacturer's website for more details.
Related Links
http://aris.securityfocus.com/alerts/codered2/
http://www.cert.org/incident_notes/IN-2001-09.html
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
http://vil.mcafee.com/dispVirus.asp?virus_k=99177&
http://www.symantec.com/avcenter/venc/data/pf/codered.v3.html
http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?...
http://www.hongkongcert.org/salert/english/s010719_worm_codered.html
http://www.hongkongcert.org/salert/english/s010726_codered_secondwa...
Source
CERT/CC
Cisco Systems Inc.
McAfee
SecurityFocus
Symantec