The CodeRed Worm affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service on computers running Microsoft Windows NT 4.0 and Windows 2000 that run IIS 4.0 and 5.0 Web servers. The worm uses a known buffer overflow vulnerability contained in the file idq.dll.
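Because idq.dll is the ISAPI extension behind the .ida and .idq script mappings on IIS 4.0/5.0, the overflow the text describes arrives as an HTTP request for one of those resources carrying an oversized query string. The following is an added example, not code from the original report: a small scanner over IIS W3C extended log lines that flags such requests. The log lines, the length threshold, and the function names are constructed for this illustration.

```python
"""Flag requests that look like overflow attempts against idq.dll.

Added example, not part of the original APCUG report. Requests for .ida/.idq
resources are routed by IIS to idq.dll, so an overlong or padding-filled
query string aimed at such a resource is what a defender would look for in
the web server logs. Log lines below are constructed in IIS W3C extended
format (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
"""
import re
from dataclasses import dataclass

QUERY_LENGTH_THRESHOLD = 200          # assumption for this example; real Index Server queries are short
IDQ_EXTENSIONS = (".ida", ".idq")     # script mappings served by idq.dll


@dataclass
class Hit:
    client_ip: str
    uri_stem: str
    query_len: int
    reason: str


def parse_w3c_line(line):
    """Split one IIS W3C extended log line into a dict; None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, c_ip, method, stem, query, status = parts[:7]
    return {"ip": c_ip, "method": method, "stem": stem, "query": query, "status": status}


def classify(rec):
    """Return a Hit if the request looks like an overflow attempt against idq.dll, else None."""
    stem = rec["stem"].lower()
    if not stem.endswith(IDQ_EXTENSIONS):
        return None                       # not routed to idq.dll; ignore
    query = "" if rec["query"] == "-" else rec["query"]
    if len(query) >= QUERY_LENGTH_THRESHOLD:
        return Hit(rec["ip"], rec["stem"], len(query), "oversized query to idq.dll handler")
    if re.match(r"^(.)\1{49,}", query):   # 50+ copies of one byte is padding, not a search
        return Hit(rec["ip"], rec["stem"], len(query), "repeated-byte padding in query")
    return None


def scan_log(lines):
    """Run classify() over every parseable line and collect the hits."""
    hits = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample log: one normal page, one legitimate Index Server query,
# one oversized .ida request, one harmless .ida request with no query.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-04 02:15:01 192.0.2.10 GET /index.html - 200",
    "2001-08-04 02:15:07 192.0.2.10 GET /search.idq CiRestriction=apcug 200",
    "2001-08-04 02:16:33 198.51.100.7 GET /default.ida " + "N" * 240 + " 200",
    "2001-08-04 02:17:00 203.0.113.5 GET /default.ida - 404",
])

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{h.client_ip} {h.uri_stem} query_len={h.query_len}: {h.reason}")
```

The check keys on the file extension rather than on a specific worm string because any request to an .ida/.idq resource is handed to idq.dll regardless of the file existing; a server that does not need Index Server has no reason to receive such requests at all, which is why the hits are worth reviewing even when the response status is 404.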
We knew about this vulnerability from the problems last month, and a Microsoft patch for Code Red and another patch for the related NT Shutdown Worm had been installed on two of the three APCUG servers hosted at Online Site Services, but for some reason we could not get it to go on the server hosting the web sites (which was the most important one).
Thanks to the assistance of Van Dorsey from Client1st and Robert Morris from Managed Information Systems of Oklahoma I was finally able to get it up by late Friday evening, August 3, and spent the rest of the weekend getting the other UG WebSites which APCUG hosts back up.
That was bad, but could it get worse? Yes.
In the process of getting Front Page to work, a period of time elapsed between the installation of new Front Page code and the reinstallation of the various Service Packs and Hot Fixes which we had installed to provide protection from Code Red / NT Shutdown. During that window of vulnerability someone was able to use the Code Red or NT Shutdown vulnerability to sneak in a Backdoor Trojan (InetPub/FTProot~ntsecure.exe) which totally flooded Murray's T1 connection with traffic, presumably trying to infect someone else. It is total stupidity on Microsoft's part, but any time anyone installs a Microsoft Service it is vital that all service packs and hot fixes be reinstalled.
Murray installed Symantec's AntiVirus software on our server and, using it, was able to isolate, quarantine, and remove the Trojan, and he re-installed SP6a and the hot fixes. Unfortunately, for some reason Microsoft Update kept saying we had an additional critical fix package which was needed; we installed it, and it said we still needed the critical fix package.
Peggy Ireland, APCUG Vice President, informed me that Microsoft would give free service for Code Red related problems, so I was able to put Murray in contact with Microsoft tech support, who helped us determine that we really were secure from Code Red / NT Shutdown, and he put us in contact with a tech from the Microsoft Update staff who recommended we install IE 5.5 (we were on IE 5). The critical fixes Microsoft Update wanted were unrelated to IE, but I did as he suggested, and rather than saying we needed a fix from Jan 2000, and fixes from April, June, and July 2001, Microsoft Update just said we needed the April, June, and July fixes, and when I applied that package, it was then happy with the April and June fixes, and just wanted July again. The July patch was the Code Red (033) patch, but we had determined that we did not have the module that Code Red was looking for (idq.dll), and a fix to Microsoft Update is scheduled for Aug 29 which should make it no longer insist on sending us that patch. We manually installed both the 026 and 033 hotfixes, and the 15 August 2001 Cumulative Patch, so we feel reasonably safe from Code Red. I just wish Microsoft Update would agree with us, and also that their Security Hotfix Checker (Hfnetchk.exe) did not indicate there was still a problem.
I am able to report better success with the Tulsa2 server. Thanks to the help of Van Dorsey, who assisted me on the initial Code Red stuff, we were able to free up over 5 gig of old messages in Post.Office, relieving that server of its running-out-of-space problem, while still leaving Post.Office operational (and able to support ListCaster).