This is an advisory notice to users of TiniHttpServer regarding the recent Code Red worm.
This notice was first published on August 14, 2001.
If you have any questions or concerns not addressed by this notice or if you have any additional information that may be relevant, please do not hesitate to contact Smart Software Consulting.
The Code Red worm will not infect a TINI running TiniHttpServer. As the worm probes the web for additional servers to infect, however, it still might adversely affect your TINI if it meets all of the following criteria.
Your TINI is running a version of TiniHttpServer older than 0.17. NOTE: All TiniHttpServer users are encouraged to upgrade to the most recent version, TiniHttpServer 1.0.
Your TINI is accessible from the Internet
Your TINI is running TiniHttpServer
TiniHttpServer is listening on port 80 (the default HTTP port)
You have not disabled TiniHttpServer's transfer log
You have not enabled TiniHttpServer's emailing of large log files
To prevent adverse effects from the Code Red worm, you must take at least one of the following steps. They are listed from most preferred to least preferred.
Enable TiniHttpServer's mailing of large log files (most preferred)
Disable TiniHttpServer's transfer log
Configure TiniHttpServer to listen on a port other than 80
Do not configure your TINI to be accessible from the Internet
Do not run TiniHttpServer (least preferred)
TINIs running TiniHttpServer will not be infected by the worm. The Code Red worm only infects computers running unpatched versions of Microsoft's Internet Information Server (IIS). Since the worm spreads by probing random IP addresses in search of vulnerable IIS installations, any program or web server, including TiniHttpServer, that listens on port 80 (the default HTTP port) can be probed by the Code Red worm. If you are running TiniHttpServer on port 80 on a TINI that is accessible from the Internet, it is quite possible that your TINI has been probed. The probing itself is not harmful. If you have not disabled transfer logging, each probe request will be logged to the transfer log, just like any other HTTP request. If your TINI is probed many times, your transfer log can grow faster than expected. If you have not enabled the mailing of oversized log files, the transfer log could grow large enough to deprive the TINI of needed memory space, causing an out-of-memory condition and rendering your TINI useless.
If you have not disabled the transfer log, TiniHttpServer will log each probe request to the transfer log. An example probe request log entry looks like this...
10.234.56.78 - - [Sun Aug 05 23:04:48 GMT 2001] "-" 400 93 "" ""
The "-" is normally where the HTTP request itself is logged. The Code Red worm uses Unicode encoding (%uxxxx) in the request URL. For better or worse, versions 0.16 and earlier of TiniHttpServer do not handle Unicode encoding in requests, so an exception is raised when parsing the request and the request is considered invalid. If you have enabled TiniHttpServer's server log, you will see an entry in the server log (corresponding to the exception) that looks like this...
com.smartsc.http.HttpException: Bad Request
Smart Software Consulting keeps a TINI running TiniHttpServer available on the Internet for demonstration purposes. The Code Red worm actively tries to propagate between the 1st and 19th of each month. Between August 1 and August 5, Smart Software Consulting's TINI was probed 120 times. If probing were to continue at the same rate, a total of approximately 450 probes can be expected between August 1 and August 19. Each probe consumes approximately 70 bytes of memory. Thus, approximately 32 KB of memory could be consumed in August due to the Code Red worm. This represents 1/32 of a 1 MB TINI's total memory or 1/16 of a 512 KB TINI's total memory. The entire cycle could start over again on September 1, assuming some IIS servers are still vulnerable.
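To apply the same estimate to your own transfer log, the following Python script (an added example, not part of TiniHttpServer or of the original notice) counts entries of the form shown above and projects log growth through the 19th. It assumes the transfer log layout is host, ident, user, bracketed timestamp, quoted request, status, and that the log starts on the 1st of the month; the names scan and project and all sample lines except the one quoted in this notice are made up for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample transfer log. Line 2 is the entry shown in the advisory;
# the other lines and all addresses are made up for illustration.
SAMPLE_LOG = """\
10.1.2.3 - - [Wed Aug 01 08:15:02 GMT 2001] "GET /index.html HTTP/1.0" 200 1043 "" ""
10.234.56.78 - - [Sun Aug 05 23:04:48 GMT 2001] "-" 400 93 "" ""
10.99.0.17 - - [Sun Aug 05 23:40:11 GMT 2001] "-" 400 93 "" ""
10.234.56.78 - - [Mon Aug 06 02:13:59 GMT 2001] "-" 400 93 "" ""
this line is damaged and must be skipped
"""

# Assumed layout: host ident user [timestamp] "request" status bytes ...
ENTRY = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')

def scan(log_text):
    """Count entries logged as request "-" with status 400.

    Any request the server could not parse is logged this way, so the count
    is an upper bound on Code Red probes, not an exact figure.
    """
    per_host, log_bytes, last_day = Counter(), 0, 0
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m or m.group(3) != "-" or m.group(4) != "400":
            continue
        when = datetime.strptime(m.group(2), "%a %b %d %H:%M:%S GMT %Y")
        per_host[m.group(1)] += 1
        log_bytes += len(line) + 1          # +1 for the line terminator
        last_day = max(last_day, when.day)  # assumes the log starts on the 1st
    return {"probes": sum(per_host.values()), "per_host": dict(per_host),
            "log_bytes": log_bytes, "last_day": last_day}

def project(probes, days_observed, bytes_per_probe=70, window_days=19):
    """Linear projection over the worm's active window (1st to 19th)."""
    expected = probes * window_days // days_observed
    return expected, expected * bytes_per_probe

if __name__ == "__main__":
    seen = scan(SAMPLE_LOG)
    print(seen)
    print(project(seen["probes"], seen["last_day"]))
    print(project(120, 5))   # the advisory's own figures: 120 probes in 5 days
```

Compare the projected byte count with the free memory on your TINI to decide whether mailing or disabling the transfer log is urgent.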
For a more detailed look at the Code Red worm, please see the following URLs...
http://www.cert.org/advisories/CA-2001-19.html
http://www.cert.org/advisories/CA-2001-23.html
Copyright © 1999-2002 Smart Software Consulting