The Code Red worm has worked its initial magic, and yet again, the Internet survives. But there are variants of the original worm coming, and the best way to protect your organization is to apply the appropriate patches now. That’s what is happening here at TechRepublic, even though we believe we’ve dodged the first bullet.

In this article, we’ll look at the Code Red worm and how TechRepublic was affected, and we’ll describe our response. We’ll also provide a few other links you may find helpful in dealing with the Code Red worm and its variants.

It ain’t over ‘til it’s over
According to the CNET article “Code Red stopped—for now,” about 300,000 Microsoft IIS 4.0 and 5.0 servers were infected with the Code Red worm, which was programmed to send a flood of traffic to The article also mentions Cisco’s acknowledgment that the Code Red worm affected Cisco 600 series DSL routers, requiring them to be restarted before they would continue to forward traffic. Cisco has released a fix for the problem.

CERT Incident Note IN-2001-08 says that the Code Red worm exploits a buffer overflow feature in the IIS indexing server DLL. It then uses a random number generator to create other IP addresses to attack. If the host’s default language is English, it will also modify Web pages to include “HELLO! Welcome to http://www/! Hacked by the Chinese!”

The CNET article states that the Code Red worm will try to infect other computers again on Aug. 1. In newsgroup discussions, an eEye Digital Security employee is reporting a variant of Code Red that drops the Web page deformation and adds a random attack time generator to the worm code.

To prevent IIS servers from being exploited by the worm, network administrators should apply the patch as soon as possible. Take a look at this Exterminator column to pick the right patch for your system. You can read more about the issue in the July 2 installment of John McCormick’s Locksmith column.

Some basic prevention is worth pounds of cure
Here at TechRepublic, we seem to have avoided any infection through a few basic security measures and a little luck. The lucky part of the equation is that the front end of our public Web site is hosted on UNIX-based Sun Microsystems Solaris servers, which are not affected by this particular worm.

The second part of the equation is that common sense dictates that firewalls and routers protect our intranet.

“We don’t have port 80 allowed [in] on any of our routers,” said Lori Hyde, a system administrator at TechRepublic.

Hyde forwarded an e-mail warning about the worm to IT Director Troy Atwood early on July 20, when servers across the country began feeling the effects of the worm. Atwood happened to be toying with TechRepublic’s Outlook Web server at the time.

“We were having issues with that particular server for a while before this, and I didn’t see any signs of the worm,” Atwood said. “I searched my logs and couldn’t find anything unusual, so I went out to Microsoft and got the Code Red patch and installed it.”

He commented that the timing of the worm’s proliferation couldn’t be better from the attacker’s standpoint, because of the Baltimore train wreck and fire that melted fiber-optic cables that are part of the East Coast Internet backbone. That disruption was already causing a lot of network flakiness that could disguise the worm.

For your reading pleasure…
If you’re interested in learning more about this particular worm, these links offer more technical detail about what to look for in your logs and how the Code Red wormworks . 

From the National Infrastructure Protection Center warning:

And from the BUGTRAQ security mailing list:

Here’s a great tool called CodeRed Scanner, which checks to see whether the Code Red worm has hit your systems:


  • Have you been affected?

    Did the worm get to your IIS servers? What about your routers? Are you prepared for the inevitable next round? Join our discussion and tell us what you’ve experienced.