Slashdot Mirror
Code Red Worm Spreading, Set To Flood Whitehouse
Slow Internet service due to all those extra packets of malice may not be the worst effect: As sp1n writes: "It appears that due to the way the worm formats its HTTP request and the semi-random way it seeks out vulnerable systems, it is also causing Cisco 67x DSL routers, widely deployed by Qwest, using firmware prior to 2.4.1, as well as some others, such as 3Com LanModems, to crash -- recoverable only by a power cycle. I have yet to see any news outlet cover the affect this is having on DSL service. Qwest's Interprise networking department confirmed they are receiving reports from all 14 states in their territory. Some routers running pre-2.4.1 firmware are crashing even though the web admin is disabled. This has become a huge support nightmare for every ISP in the region."
% grep NNNNN access_log | awk '{print $1}' | sort | uniq -c | sort -rn
1 ztm-mzt-28a1.mxs.adsl.euronet.nl
1 ppp-202-115.33-151.iol.it
1 pop3.startel.com.my
1 playfactory3.vistec.com
1 nszx104.136.szptt.net.cn
1 edmserv01.isotechnika.com
1 dhcp-11.nwcyberbase.com
1 deano.phonemedirectory.com
1 bl82.net-uniao.com.br
1 adsl-208-191-122-190.dsl.snantx.swbell.net
1 61.182.241.39
1 216.124.78.239
1 210.15.27.65
1 209.209.49.32
1 209.202.148.68
1 207.13.28.227
1 203.239.173.59
1 199.184.67.216
> and Qwest couldn't care less about security with respect to home users, so they've never bothered to offer fixed versions of CBOS.
If you're serious, then that's a level of neglect for your customers' safety-- allowing the product you sold them to be contaminated by a vicious worm which will cause your router to engage in an illegal act (a denial of service attack) without your consent-- that sounds to me like it could be legally actionable.
As in, anyone harmed by this (a qwest customer, or to a certain extent the government's sysadmins & anyone who becomes collateral damage of the DOS) could probably make a case that Qwest was criminally neglegent in making no effort to fix a known problem for its customers. You could claim that at the first release by cisco of the buffer overflow fix, Qwest should have given their customers explicit instructions for fixing the overflow thingy. (Question: Does Cisco's contract with Qwest merely give Qwest the right to redistribute firmware updates to its customers, or does it actually *require* Qwest to redistribute firmware updates to its customers? If the latter, could Cisco sue them for breach of contract?)
How valid is this reasoning? Could one *do* that? If so, it should be done. Something needs to be done to beat sense into large corps that don't understand end-user security is crucial..
18 attempts in the last 10 hours, from 18 unique hosts.
This sounds like my week with my 675. I've upgraded to the latest firmware, closed everything I can think of, and still someone out there knows how to lock up the beast.
You my friend, are obviously not a sys admin. for anything important anyway. why dont you do some research and read up on microsoft's track record for patches and things. there is a VERY good reason why many gov't nt4 boxen aren't allowed over sp3. personally im wary anytime i install a microsoft patch, especially on a critical server.
142.227.39.2
193.251.178.127
203.204.4.213
206.180.128.146
207.66.19.35
209.22.205.204
210.115.18.137
24.18.224.133
4.33.152.150
62.146.24.76
63.112.194.17
63.142.134.26
63.203.134.235
63.88.72.200
63.98.133.131
64.168.40.82
64.50.49.130
65.28.65.17
to one IP and
12.111.132.147
128.238.127.22
148.244.216.50
194.106.234.124
194.152.243.97
195.59.76.4
200.207.47.146
202.105.85.110
204.158.147.136
204.255.234.74
205.205.235.162
209.227.86.114
210.193.10.98
210.65.220.53
211.169.1.10
211.183.6.63
211.205.212.237
211.74.106.49
213.82.202.98
213.96.76.215
216.220.37.11
216.25.149.163
217.4.234.208
217.80.104.42
24.187.243.149
24.42.174.215
24.43.30.232
38.204.62.100
62.161.101.214
62.26.105.242
65.80.199.41
66.37.213.247
66.6.206.227
to another almost next to it.
This makes it look like (to me) the source address is also involved in selecting target addresses...
Which begs the question -- is it "right" to create a sploit that connects back to the attacking machines and "patches" their system so that it is fixed.
It's a conspiracy. Everyone will hit the whitehouse.gov site to see if the alleged worm affected it, and in doing so, we have all been duped into participating in a DDoS attack on the site. Rather clever, actually. Proclaim the effect to create the cause.
Sure you can. Register for Cisco Connection Online, almost any integer will work for the contract number. After you are logged into the CCO, you can download updates for any Cisco product. The firmware updates for the 600 series are here. Whee!
Yep, I got a lot of them on both my cable modem box and my server.
/var/www/group/logs/access_log | wc -l
/var/www/otg/logs/access_log | wc -l
On the server:
[root@nova logs]# grep NNNNNNNNNN access_log | wc -l
34
[root@nova logs]# grep NNNNNNNNNN jes*access_log | wc -l
18
[root@nova logs]# grep NNNNNNNNNN trav*access_log | wc -l
20
[root@nova logs]# grep NNNNNNNNNN
18
[root@nova logs]# grep NNNNNNNNNN
19
---
Right, so, who wants to build a space station with me and leave this BS behind? I'll bring cookies.
I'm right behind you. I've been wanting to leave when I heard about the RIAA (or whoever it was) making resturants pay to play the radio (rebroadcasting copyrighted music without consent or some shit like that).
Cool! Thanks for the info. A grep through my own logs showed a lot of similar traffic. Time to start the whois' on those ips!
... on a potential future target, if you ask me.
Be interesting to hear the analyses about this one when it's all over.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Count me in.
We should take a lot of weed with us.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
bah-dumpsh!
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Speak for yourself.
I'm using hash oil for fule in *my* tent!
Pollution never looked so sweet.
But seriously: where do we start? I wanna get off this chunk of rock. It hurts my ass.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Almost any integer, eh?
None of my int's are good enough.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
You're right. The worm just attacks anything with a webserver looking for an unpatched IIS. The Cisco units have an old bug where any URL with a ? in it will hang the whole unit.
webserver less than twelve hours after the problem was discovered
Well referencing a patch that was actually released over a month ago does count as a less than 12 hour response time I guess...
http://www.qwest.com/dsl/customerservice/csco675up s.html
p s.html
http://www.qwest.com/dsl/customerservice/csco678u
Sounds great, but no BBQ in the space station.
*cough
Whoa - just checked the logs on my humble linux box (behind a cable modem) and I've had about 25 hits on 'default.ida' today. Looks like a unique IP every time.
Jeez, if this is coming to my obscure neck of the woods... gonna be a hell of a night for W's IT staff...
hmm... could these dialup victims be using Win98's 'Personal Web Server'? It's just IIS 3.x.
Wonder if that's vulnerable.
I noticed this yesterday in my logs as well as some other strange requests that looked like somebody trying to break in.
Say, here's an idea... machines which request URLs like this have already been cracked and may still be vulnerable to the hole that the worm exploits (or does the worm patch this hole after exploiting it?). Somebody could take control of the cracked machines in the same way that the worm did and once inside introduce an antidote that eliminates the worm and patches the vulnerability. This could even be set up as a cgi script so that these cracked machines can be automatically cured.
It's a nice thought, but probably not worth the effort. Somebody would be bound to get upset by this good samaritan hacking and sue. It would also be too tempting to have the IIS "patch" that the antidote delivers be Apache (and OpenBSD for the ambitious).
-----
Free P2P Backup, Windows & Linux
Turtle, bah. I call mine a slug. My wife hasn't run out on me but she is mad at me for some reason.
last night I experienced a similar problem on my machine. Someone had been using various proxies to proxy through my machine to various pay for click type sites. I quickly put an end to this by commenting out modproxy in my apache config. Whether this is related I don't know. One thing is for sure though. the rise of lame people is happing at an exponential rate. It will only continue to get worse from here. :\
-Moose
well, well, I just checked my logs. I have been scanned by lamers for this heh.
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 273
This showed up in my logs. I'm pasting it unadulterated seeing as I've found like 20 copies of it anyways so the script kiddies already have it.
207.68.188.44 - - [19/Jul/2001:15:15:30 -0400] "GET
How many of those who check whitehouse.gov to see if it's down will then check to see if they can get there through dot org or dot com, and think that what's at dot com is a "hacked" version of the dot gov?
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Be sure to check out the inaugural address link.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
'Course I'm not browsing whitehouse.gov at -1.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
UTC == Universal Coordinated Time. The letters are scrambled to appease the French. (just like ISO == International Organization for Standardization)
Probably windowsupdate is run on a server farm - one server was hacked, and when you hit refresh the load balancer sent you to another server that wasn't.
:)
Or maybe you were just unlucky
With Dubya in there now, for all intents and purposes it *is* whitehouse.com!
Yeah, today sucked for us as well... About 8:30-11:00 AM we got seriously slammed by all this.
;)
Looking through the logs is jaw-dropping. In a couple hour span, 3 of our machines (desktop ones at that, not main servers) got hit by no less than 21 unique IP addresses (combined). If each of our boxes is just 1 of the 100 that were also attacked, the magnitude of this is truly alarming.
One thing to know about the Win2K patch from Microsoft is that you have to at least have Service Pack 1 installed. Bare Win2K servers won't let you install the patch, so be ready with Win2K SP1 or SP2...
Good luck to those of you who are having to cope with this. On the bright side, this is great fuel for campaign to convince the boss we should be using Apache...
In the Portland, Ore area and like card games? Check out: http://groups.yahoo.com/group/portlandgames/
Odd, I've gotten about 14 now. One is from Korea, but the others are USA;with Road Runner the most.
Interesting.
what versions of cbos does this affect? i was thinking of upgrading mine to 2.4.1 a few days ago... now might be a good time to do it.
---
and msft called linux anti-american!
---
I went to windowsupdate.microsoft.com today, and the worm thing came up, I saved a screen shot :)
www.wss.net/winupd.jpg
*has this feeling of a slashdotting comming on*
Who said I wanted so many AC's.... the truth is, its real. :(
I'm totally surprised that anyone didn't know this. Isn't like the second site everyone is told to go to? I use it a a classic example of how easy it is to accidently get to a porn site.
Actually, you can do what you say only on a NT 4 IIS (default) installation: there the IIS runs as SYSTEM and can modify files. ;-) the IIS runs as a user that can't "patch" itself or overwrite "interesting" system files.
On 2000 and on system where some non-stupid admin did the initial installation (but not maintenance
Ciao,
Rob!
AniToolBox! An Open Source animation program!
Just noticed, that since about 11:30 CST this morning, our bandwidth usage for our Internet links has been huge. We're looking at transparent proxy, which blocks the invalid HTTP request that the worm puts out.
Wouldn't matter anyhow. The code in the URI string is just a bootstrap. The worm itself lives in the request body (which doesn't get logged).
Completely agreed, and I didn't mean to come off as an MS apologist. Maybe I'm just having flashbacks from the era when you had to wade through the FTP site to find any of this stuff.
--
Business. Numbers. Money. People. Computer World.
This site lets you search for MS patches by product name and applied service pack. A hellava improvement over Microsoft's previous patch search.
Two words of warning:
1) W2K SP2, like all SPs, did not include all of the previous hotfixes. You might need to reapply some after applying the service pack. I think this particular exploit is one of those.
2) For W2K, you need to search under both "Windows 2000" and "IIS 5.0" to get all the patches.
Happy hunting!
--
Business. Numbers. Money. People. Computer World.
The stuff they say about certain HP printers is true too. We have a HP LaserJet 4000N, and it's been going down all day. The secretary (who's since gone home) has been confused as all else as to why the printer keeps giving some strange error. I'd guess that all HP's that use the same internal network spooler will have the same problem.
Hmm, I thought something like 50% of web servers out there ran Apache. That sure doesn't sound like a monopoly in web servers to me. If this worm used Apache instead (not that it necessarily could), then we'd all be fucked that much worse.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
You mean " /default.ida?(bunch of Ns)%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780 1%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3% u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a" ?
My plan is to pimp before they realize I'm a jackass. Hit 'em hard and fast.
By definition, this worm is spreading from boxes administered by non-"know their shit" NT admins, because if they knew their shit, they'd have already patched the hole.
Your right to not believe: Americans United for Separation of Church and
Well, sure. But my point is that those RedHat patches weren't distributed on a limited-distribution or need-to-know basis by RedHat, they were made well known to pretty much everybody and were available on the public site. A lot of security bulletins (although not all I imagine) even become headlines on LT and thus are in a little slashbox for me on the side. There's a lower activation energy for getting RedHat security updates.
There are plenty of admins that don't know their shit, but it sounds like in this case Microsoft could give them a break or two to help them to get their shit together, and ultimately help the rest of us 'net denizens who suffer through this IIS packetstorm.
Your right to not believe: Americans United for Separation of Church and
The original post was pointing out that these should be part of Windows Update too. Maybe "need to know" is a little strong, but this thread (see above) has pretty well explored that all of the patches are not in all of the places. So if you find one place with Windows patches, and you don't know the exact patches that you need, you might think you've found the mother lode and stop looking before you find the patch site with what you really need.
Bottom line: if you sell Windows as "so easy to administer, you can hire a guy right off the street!", you have to make it really really really easy for those admins to keep up with security. As this whole story makes clear, there are a lot of admins who haven't been.
Your right to not believe: Americans United for Separation of Church and
That's like every Slashdotter sending every line
in Debian source tree to whitehouse.gov.
One line at a time!
CNet's latest update claims MS has acknowledged
that some of its servers were unpatched and thus
infected.
Here is the hall of shame of IP's from my Apache logs:
:-)
66.80.40.178
202.30.107.77
134.155.40.49
195.65.218.213
206.153.53.106
66.121.57.63
132.178.148.167
131.174.228.6
24.91.116.188
200.202.120.59
62.48.11.31
24.214.66.226
208.11.51.150
63.194.235.102
208.139.198.171
62.17.151.141
195.85.182.18
211.53.214.76
If your IP is on that list, you might want to patch it... Or better yet, switch to Linux and Apache...
Set your routers to block all traffic to port 80 for your printers.
Actually, 4pm PST is 12am GMT. PST is GMT-8. Mountain Standard is GMT-7.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
That is irrelevant. PST was what was referenced, and is the subject of this thread, not PDT.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Tempting, but I block cookies whenever I can. If you bring some beer and steak, I'm there.
Visit me on #weirdness on the Galaxynet.
so, obviously you've never installed Win2k SP2.
Can you interfere worms such as this by changing system/software clocks? Could a crafty craker proggy writer create some kind of independent time record to avoid such tampering affecting his effects?
> Quite many seem to be coming Taiwanian or other Far-East countries such as Thailand.
Makes it kinda hard to distinguish it from the usual flood of spam, eh?
--
Sheesh, evil *and* a jerk. -- Jade
That seems like there are quite a few little buggers running arround out there.
-- these are only opinions and they might not be mine.
because most likely you get one hit in error log and one hit in access log.
-- these are only opinions and they might not be mine.
I noticed some of the "default.ida" accesses in my Apache server, too.
We can't do too much to fix the remote servers, but reporting it to the owners can't hurt.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
*raises hand*
I'll bring the engineering textbooks. Gotta be better than having a sacrificial burning...
Why yes, I AM a rocket scientist!
This is acutally the "Press DOS attack." You get some security expert to claim that a worm is spreading all over the internet and will attack X site at 5pm. Then everyone who reads the story will go see if the site is down at 5pm. And of course since everyone is hitting reload to see when it is down, the site gets flooded and goes down while the virus/worm never exsisted!
-- Virtual Windows Project
Let's just grow it up there. Seeds good to eat, use the oil to power the rocket motors, and make our clothes outta the fiber. Hell, other than a few miscellaneous vegetables, we'd have all we need to survive in one plant.
--- It is not the things we do which we regret the most, but the things which we don't do.
Just a couple days ago my IP changed (lease expired) so I had re-entered my port 80 mapping to my linux box through my 675 this very morning before going to work. Glad to know I got it done just in time to keep my 675 working.
--- It is not the things we do which we regret the most, but the things which we don't do.
I thought the analysis said the worm references the .91 address. DNS right now resolves to the .92 address. So no problem.
Yeah, but even if the patches were made available and lots of security notices were sent to users, people would still be too lazy to install them.
The best way would to run an update daemon which would automagically install security patches every night without user intervention. Something like using cvsup & make world with freebsd without having to build from source.
Cnet now says 100,000 servers infected.
At my company (small midwest ISP), I could feel the effects at around 10am CDT. A couple servers run by customers were infected and were sending out a *constant* stream of requests to random servers trying to infect others.
Oof.
FOR THE LOVE OF GOD, FIND GET YOUR Tee Ball at the White House INFORMATION BEFORE IT'S TOO LATE!!!
Karma: Excer..ex...excellahhh...realll good (mostly affected by drinking not done in moderation)
root.exe was left from the solaris worm that went around about a month and half ago. You guys have been hacked for a while. Scan your logs for entries that have "cmd.exe" in them and you'll find when you first got smacked.
I can't imagine that they didn't think as hard about security as Apache or Linux for example.
i'm not bashing microsoft here, but the windows3.1/95/98/nt/etc os's originated from dos which is a single user operating system. there were no concerns made with respect to security when dos was originally placed on the market. because of the application base dos had the various windowsxxx's that have come along had to be backwards compatable with dos programs. as a result you have this pseudomultiuser platform that implements security as an afterthought. see for example this article about windows xp.
on the other hand linux is based on unix, which microsoft trashes for being 30 year old technology, but this technology has had 30 years to iron out alot of the security issues. unix was also designed with multiple users in mind which affects everything from file access to memory allocation.
so in essance linux, via unix, has had alot more thought put into security than microsoft. as a result of linux being open alot of the security issues can be addressed by its users. because microsoft is closed the poor iis administrators have to sitback while their boxen are DOS'ed and wait for a patch to arrive. its sad really.
use LaTeX? want an online reference manager that
-- john
If you're router/firewall's linux, you can do this:
/sbin/route add -host 198.137.240.92 gw 127.0.0.1 dev lo
That will dump all of that traffic into space, and it will never hit your outbound ethernet card.
I presume similar things are possible on just about every piece of routing hardware out there.
--
Aaron Sherman (ajs@ajs.com)
I've got the same thing in my Apache access logs.. 17 unique hosts sent it. Haven't noticed any side effects or problems on Apache or Linux yet (I know this is an IIS worm, but it's best to be cautious).
It does show up how many people cannot be bothered to set up reverse DNS though. THe only likely problem is wastage of bandwidth.
So THAT's what it is.. Starting around 3 hours ago, my home desktop machine has been getting about 50 of those. One very 3 minutes or so.. And my machine is just on a random ADSL IP. This thing must have spread REALLY wide!
http://www.incidents.org/diary/diary.php
"In the 3 hours between 12:00 EDT and 15:00 EDT our class-b was targeted by worm probes from 186,034 unique source IP addresses. That is not a typo: 186,034 hosts in 3 hours. On the plus side it seems to have plateaued as of 14:00 EDT."
just got my cbos updated (thanks for the link!). one caveat - it says to use xmodem. didn't work for me. google returned only questions, no answers. so i tried ymodem, which worked. hopefully this helps at least one minicom and 675 user.
Monopoly leads to !security & !stability
/Dread
Reg
I ask because of an interesting tidbit my girlfriend slipped from her work. She does tech support for the university I'm at; apparently the upstream bandwidth figures have been sort of loopy the past few days, showing regular, repeating bandwidth spikes every hour or two. I'm not much in the know otherwise, but I do know that there are A LOT of unsecured NT boxes running around here. (Wannabe geeks in the dorms installing warez'd NT for some reason)
----
----
Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
I am also a qwest.net customer, but I seem to have evaded the Cisco 675 lockup problem. I am guessing that this is because I have port 80 forwarded to one of my computers, which is running Apache. So far today, I've seen 22 hits from this worm in the Apache error log.
Tony Jeffries
Sounds about right.
grep default.ida access_log | wc -l
Gives me about 24. Anywhere from every 5-15 minutes or so, from all over the world. It's really interesting.
--
Shaun Thomas: INN Programmer
Read: Rabbit Rue - Free serial nove
Microsoft, in their infinite wisdom, seems to have moved the patch so that people can't download it. Anyone know where it is now?
"It take 9 months to bear a child, no matter how many women you assign to the job."
Why? No one who reads /. uses Microsoft products...oh wait...nevermind...
"It take 9 months to bear a child, no matter how many women you assign to the job."
Apparently that link has been a moving target, although it looks like Microsoft has settled on the location you've posted...for now.
"It take 9 months to bear a child, no matter how many women you assign to the job."
Are all servers set to UTC?
"It take 9 months to bear a child, no matter how many women you assign to the job."
Alas! my comment descends into karma hell anyway. The /. gods frown down on me...
"It take 9 months to bear a child, no matter how many women you assign to the job."
The patch is availible here
Not any more it's not.. Looks like Microsoft have started responding, probably moved it more prominent..
Wonder when the 'Red Menace' spin from Mr gates sympathisers in the Gvt. will start.
EZ
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
There ought to be a (-1, Pun) moderation available...:-)
20 January 2017: the End of an Error.
I don't know about strange shellcode, but you made me curious...I browsed the log for my personal webserver (Apache running on LFS) and saw a suspicious request for /default.ida at 16:49 PDT from a site in Taiwan. Searching for that request on the rest of the webserver log (going back maybe a year or so at this point) turned up 21 other requests for the same thing, all earlier today. The requests were coming in from around the world...but the last one was from Taiwan and the two before it were from Red China. These last three requests were within one hour of the beginning of whitehouse.gov's problems. /default.ida sounds like something one might request from an IIS box (instead of /index.html, they usually use /default.htm as the homepage)...would this have been a probe from the punks who pulled this stunt?
(FWIW, other countries that appeared in the log are (in the order they appeared) South Korea, Canada, Japan, and Germany. Several American sites were also on the list (many of them on cable-modem or DSL connections).)
20 January 2017: the End of an Error.
Don't forget we are speaking about Windows machines here, and those are notoriosly bad at managing such "advanced" concepts as timezones. Just whitness the bi-yearly mess that occurs whenever we switch daylight savings time. Windows machines usually run their clock in local time, and have no such concept as location-independant UTC time.
Holy %#!+ my logs are full of those... no telltale /bin/sh in the junk so it looks like I'm safe. :)
The government cannot take down Microsoft, but Microsoft can take down the government...
*ponder*
Right, so, who wants to build a space station with me and leave this BS behind? I'll bring cookies.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
kapow!kapow!
:)
p.s. if I have shot someone I don't know, sorry
- - - - -
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
scared me at first.. reboot fixes it.. but it comes back..t .asp?url=/technet/security/bulletin/MS01-033.asp) patch.. should clear it up.. I hope, anyway. (-:
upgrade your service packs/critical updates and then run this (http://www.microsoft.com/technet/treeview/defaul
So that's why my DSL router was crapping out every 10 minutes or so this afternoon, after several months of continuous uptime. I knew it couldn't be a configuration problem (there's only so much configuratin' one can do to those things.)
After reading about the trouble Slashdot ran into with their Cisco routers, and the tongue lashing they got for rebooting it without understanding the problem, I'm glad I powercycled it anyway. It did solve the problem, until I got hit again.
While I was rebooting the "turtle," as we call it, my girlfriend, Anne, for some reason got really upset, started crying and moved out. Really odd.
I don't need large brains to have a good time.
Jul 20 17:40:02 legend kernel: Packet log: input DENY ppp0 PROTO=6 148.243.173.8:50401 210.55.125.189:80 L=40 S=0x00 I=31495 F=0x4000 T=237 (#22)
(etc)
I have 60 hits from this in the last 16 hours, on my miserable dialup in the small backcorners of the internet..
Where can we see it? Is that too much to ask?
... and on my humble DSL connection...
/var/log/apache$ grep 'default\.ida' * | wc -l
30
lets do a quick grep in the logs ;)
.. ;)
# grep default.ida * | wc -l
5630
woops
according to that artical:
5. Each worm thread checks for c:\notworm
-If the file c:\notworm is found, the worm goes dormant.
-If the file is not found then each thread will continue to attempt to
infect more systems.
Can anyone verify that?
Out of curiosity I checked whitehouse.com. If anyone is working the evening shift like me, don't go there from work unless your employer has an very lax internet use policy. In other words it's one of those "Mature Audiences" sites. Just so ya know.
I don't run IIS, but I've been seeing odd things in my logs. It took me a sec to check security focus and learn what it was. Here is an except of a log file so you if see similar you know what's up.
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 323 "-" "-"
65.201.146.103 - - [19/Jul/2001:17:58:49 -0400] "GET
The thing on security focus indicating that "default.ida" thing is IIS probes (and/or possibly already compromised systems rescanning is here.
Wheeeee
I don't think this has anything to do directly with the routers. It just happens that the exploit used also affects certain cisco routers (through a well-known bug). It's not attacking the cisco os, the routers just happen to get hit in the crossfire between the infected IIS machines and the target IIS machines.
Jason
===========
This email from the security focus list:
The guys at Eeye have a good overview here.
This is basically just the usual buffer overflow attack that's had a patch available for a month, and by following best practices shouldn't be an issue at all. The really interesting thing is where the guns being gathered are pointed: at whitehouse.gov. Should be an interesting night!
Jason
Dick Cheney: SOMEONE SET UP US THE WORM!
George Bush: MAIN SCREEN TURN ON!
George Bush: IT'S YOU!!
Li Peng: YOU HAVE NO CHANCE. MAKE YOUR TIME.
Li Peng: HAHAHAHAHA
I had about 15 of these in my logs.
I have notified those systems that I could. I suggest everybody else do the same to help reduce the impact.
some karma... and kinda lukewarm about it.
They're wrong, it doesn't stop the problem. I did this back when the vulnerability was first announced by Cisco, and I double-checked that it was stored in nvram (which is what #2 does). I still crashed. Changing the port number to something unpredictable is the best I've come up with.
--
314-15-9265
Cisco's vulnerability report (read the date!) says that 2.4.1 is OK.
My ISP is recommending 2.4.2, but I don't know why.
It's all academic to me, because I haven't found a place to download either.
--
314-15-9265
There is common belief that disabling the web interface will prevent this. It's not true; mine's been disabled every since this was first reported a year ago and I still got hit. The problem is that "set web disable" prevents the web server from fiddling the router config, but doesn't actually stop the server from parsing input from port 80, which is what locks up the box.
An improved workaround is to disable the web-admin interface and change its port number with "set web port 53496" (replace with some random port number). At least that'll stop it for the near term.
Long term you need to get updated firmware, but of course Cisco won't distribute firmware directly to customers, even though they have public announcements of the existence of bugs and bugfixes. To actually get the firmware you have to get it from your DSL line provider (Qwest, in my case), and Qwest couldn't care less about security with respect to home users, so they've never bothered to offer fixed versions of CBOS.
--
314-15-9265
I liked your Bobo page, very amusing. I think you need a little work on the PR however. Bobo is maybe a good name for a dog who's not too bright. You would probably do a lot better renaming it to "the Cannihilater" or something with a similar ring.
We heard about it last month and patched our servers within a few days.
Last time I checked, we were still up.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
We got hit by this, too, although we found it and contained it withing 10 minutes of being infected. The solution is to make sure you've got service pack 2 for Win2K, THEN download the critical updates from Windows update, and reboot. The worm will be gone from memory, and the hole patched. SP2 supposedly contains the patch, but it doesn't work, so you have to install SP2 then the critical update available from Windows Update.
Also, we discovered that all the infected machines had had a file "root.exe" placed in the root dir and the inetpub/scripts directory. Anyone who got hit might want to check for that too.
Of course, the simplest solution is to not run IIS...
You can find the packets trying to get you in your web log by looking for a request that looks like:
/default.ida? + A number of letter "N"'s + a series of escape sequence like characters
This buffer overflow was first reported a couple of days ago.
-Moondog
"I've left that out to make it harder for script kiddies"
... wrong.... ... HEAD"
As if the script-kiddies would know what to do with that string.
The whole thing is availible on bugtraq anyway and if they are scriptkiddies they've seen everything they need there about 2 days ago.
"I can think on my feet you... you...
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
Perhaps this is why the patch is not on windows update. Fixed now though.
There have been quite a lot of posts on NANOG about this already, and depletion of memory on Cisco routers causing them to crash.
--
Smegma.
20 lines now, about one coming every 15 mins.
Quite many seem to be coming Taiwanian or other Far-East countries such as Thailand.
I swear, hackers did it!
---------
---------
Swearing is the crutch of inarticulate mother fuckers.
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNN ...
There are tons of N's (can you say buffer overflow?) and then stuff after the N's. I've left that out to make it harder for script kiddies.
-ted
I've got 26. Definitely unique IPs as shown by .*$//g" | sort -u | wc -l
grep default.ida apache_access.log | sed "s/
-no broken link
--------------------------------------
That is rather amusing!!! :-)
;-)
Of course, all of this havok is just funny when you sit behind an OpenBSD firewall, running on a stackguarded version of Linux.
~Religion is O.K., as long as it gets you laid.
and how is this different from slashdoting washington.gov to oblivion ?
The latest version available from Qwest is 2.4.1. The latest from Cisco is v2.4.2.
-core
Right, but which file? There are two for the 675 listed in the table on that site.
-core
Ahem.
It is now open source. Though it doesn't seem to be gpled yet, I'm most certain that the author was merely meaning to get around to it any day now.
So what's this to you? Well, instead of merely complaining about it, you can help! I'm sure someone here can update it to check dns, and, heck, maybe even set different targets! ;]
Hmmm. Maybe I should be posting this anonymously. What if.... /. is crazy enough to do redesign this worm to point at someone they don't like.
Nah. No one on
Are they?
... but really, what would have been helpful to many IT readers would have been the link to the Microsoft bulletin and patch download in the /. article.
Ceci n'est pas une sig.
While I don't disagree with your bug report, I want to point out that at 5PM PST, it offically becomes July 20th on GMT. Unless the attack begins on the 21st, I'm still assuming whitehouse.gov will be inaccessable tonight :-)
Doh!
Hasn't it been well past that time for years?
No, UTC is UTC is UTC, everywhere. Any servers that will attack will attack in 48 minutes - 5:00PM PDT.
Doesn't matter. UTC is Universal Time Something. It's the time before the time zone offset is applied.
It's not the RIAA or MPAA, but you might like these IPs:
207.46.123.13
207.46.152.122
207.46.153.9
207.46.171.237
207.46.171.61
207.46.171.68
207.46.173.25
207.46.175.96
207.46.186.252
207.46.187.123
207.46.196.55
207.46.196.58
207.46.203.39
207.46.227.38
207.46.230.64
207.46.239.116
207.46.239.117
207.46.239.44
207.46.252.139
207.46.28.158
Each of them has hit default.ida on one server I'm watching. From what I can tell from whois -a, 207.46 is all Microsoft corp! They can't even keep up with their patches.
(btw, on this same server I'm seeing a new unique IP default.ida hit every second)
I presume you arte, of course, insane.
.oO0Oo.
did you not noticed that windows update has been hit.
I'll set my OS to auto update itself and install the updates and rely on no-one ever compromising the update server or the DNS/Proxy of my ISP.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Humm... July 17th ZDnet reports the worm and that Microsoft haven't received any complaints - http://www.zdnet.com/zdnn/stories/news/0,4586,2789 405,00.html
Now CNet says it's spreading nicely...
Wonder who got the story right and who jumped too early.
perform a "netstat -n"
If you see MANY outbound connections to port 80, you have a problem. This is the only way I can figure out how to detect infection.
kill_9_1
NT sysadmins who know their shit are on Microsoft's Technical Bulletin list. Because these are hotfixes, they don't go on the public site, because they're 'install only if it fixes a problem you actually have.'
Vintage computer games and RPG books available. Email me if you're interested.
Yeah. It's not at all like that ramen.worm; didn't find many unpatched redhat boxes. Oh, wait.... It's not clueless NT admins, it's clueless admins. Idiocy is platform-agnostic.
Vintage computer games and RPG books available. Email me if you're interested.
it attacks 198.137.240.92 not www.whitehouse.gov
that is, it doesn't need to reference the dns server (i was hoping to just add an entry for whitehouse.gov to our dns server since i dont have access to the router side of things)
-f
-f
www.blackant.net
Started at 11:00 A.M.
-- the computer doesn't want any beer, no matter how much you think it does. NEVER, EVER feed your computer beer.
....can't it be the RIAA's and MPAA's webservers?
Sigh. Windows IIS: It's like walking around with a handfull of twenties and giving a loaded gun to any criminal you meet.
I hear that. I'm willing to bet MS's reputation, and IIS's with it, would be improved if they stopped this farcical notion of security and admitted, just like us Apache nuts, that tweaking is required for a secure(er) server.
***JUMP PAD ACTIVATION INITIATION START***
***TRANSPORT WHEN READY***
***JUMP PAD ACTIVATION INITIATION START***
***TRANSPORT WHEN READY***
No wonder we are flooded with calls today. FUCK!
What, me worry?
Fat-fingered the patch location. Here it is.
SealBeater
-- Its survival of the fittest...and we got the fucking guns!!!
We have been dealing with this all day at my job (colo/hosting). Apprently, it's totally memory resident, so a reboot should clear it. However, its really spreading like wildfire. Also will hang Cisco 675s and 678s, so if you have one of those routers (cable/dsl), disable web access. Also is hanging HP printers with web frontends. The traffic alone is choking some of our smaller routers. The patch is availible here.
SealBeater
-- Its survival of the fittest...and we got the fucking guns!!!
Port 27374 is usually used by the SubSeven trojan (Windows). I've heard of at least one opportunistic worm that actively seeks out SubSeven-infected machines and uses the trojan to install itself, but it most likely isn't related to Code Red. I've had pretty good success at using Google to look up strange port numbers caught by my firewall; doing a search like "port 27374" (including the quotation marks) usually pulls up enough information in the first set of hits to tell me what I'm dealing with.
---
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Actually, I'd tend to say that the rise in number of lame people is growing at a rate proportional to the number of people adopting Windows as a "standard". Oh, wait... that IS exponential growth. ;( :)
Hmmm.... makes me want to hit somebody over the head with a pengiun.
Well... interesting. I have the same types of requests that other people have been reporting showing up in my server logs... /. ??? /. get slashdotted? By a bunch of M$ products, no less! :)
But what happens if this worm suddenly turns its wrath onto our favorite site,
Could
That's all well and good, but I have cookies disabled... how about some of this stuff?
Wow. Same here. Time to do some email.
Half of the webmasters will probably be clueless and accuse me of attacking them.
Of the 22 IPs that felt me up, only 3 were "real" domains. The rest looked like ISP users.
So far, there have been 19 scans of my firewall from different hosts today alone, all for port 80.
I don't run a webserver, and basically nobody has my IP, so it has to be scans from this worm.
This is gonna be huge when it goes off. I guess I'll just enjoy the fireworks.
---
Can you imagine a MOSIX cluster of these?
Can you imagine a MOSIX cluster of these?
And I wondered why my little apache running on almost unknown site got so much hits today with strange shellcode...
Microsoft Outlook: Making the Goodtimes virus real.
Rather strange. I actually saw this today. It was on TV. http://explorer.msn.com/intl.asp was displaying the same thing. Either the Chinese are just going crazy releasing a worm, and hacking Microsoft today, or Microsoft forgot to patch one of its own servers with its own security patch.
I've been chatting with a friend via Jabber now for an hour or so and he's kind of losing his mind 'cause somebody "cracked" one of the IIS servers where he works. I'm guessing the sysadmin is away and he's looking after the machine right now, going through the logs and stuff trying to figure out what happened. I've been helping him, but I'm inept when it comes to IIS. (I'm an apache-fiend.)
/. and there it is -- a Chinese worm. Damn you, Chinese worms!
So here I wander over to
That'll teach my buddy's sysadmins to watch for those patches. Which is really good advice for everyone, 'cause according to the article, not many people did pay attention to this one.
J
More info here
The information about the whitehouse.gov attack was wrong. (Well - its still up :)) In fact the attack is going to start tommorrow, july 20th.
Here is the snippet from bugtraq:
Thanks to Eric from Symantec for tossing us a note about the worm being Date
based and not Time based.
We made an error in our last analysis and said the worm would start
attacking whitehouse.gov based on a certain time. In reality its based on a
date (the 20th UTC) which is tomorrow.
If the worm infects your system between the 1st and the 19th it will attempt
to deface the infected servers web page or try to propogate itself to other
systems. On the 20th all infected threads will attempt to attack
www.whitehouse.gov. This seems to continue until the worm is removed from
the infected system.
Any new infection that happens between the 20th and 28th will most likely be
someone "hand infecting" your system as all other worms should be attacking
whitehouse.gov. If for some reason you are infected between the 20th and the
28th then the worm will begin attacking whitehouse.gov without trying to
infect other systems. This attack will continue indefinitly.
The following are rough numbers, but we felt that it was important to
illustrate the affects this worm can _possibly_ have.
The worm has a timeline like this:
day of the month:
1-19: infect other hosts using the worm
20-27: attack whitehouse.gov forever
28-end of month: eternal sleep
Presumably, this could restart at any point in a new month again.
Also, some stats for the attack:
Each infection has 100 threads
Each thread is going to send about 100k, a byte at a time, which means you
have a (40 for ip + 1 for each byte) which means you have 4.1 megs of data
per thread
100 threads * 4.1megs = 410 Megabytes
This will be repeated again every 4.5 hours or so
Remember, each host can be infected multiple times, meaning that a single
host can send 410MB * # of infections.
We have had reports between 15 thousand and 196 thousand unique hosts
infected with the "Code Red" worm. However, there has been cross infection
and we have heard reports of at least 300+ thousand infections/instances
(machines with multiple infections etc..) of this worm.
If there are 300 thousand infections then that means you have (300,000 * 410
megabytes) that is going to be attempted to be flooded against
whitehouse.gov every 4 and a half hours. If this is true and the worm "works
as advertised" then the fact that whitehouse.gov goes offline is only the
begining of what _can_ possibly happen...
Could be worse...he could have said, "Not now dear, I need to slap the monkey."... ;)
I just want to take over the world...Why does that automatically make me EVIL?
Fear not ol' Darwin. I just put your e-mail address on every known spammers list. Now just sit back, relax and wait 'til the penis extension offers come in.
No need to thank me...
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
It's been done.
(It's a link to information on RTM's worm, for those who don't feel like clicking the link.)
Hang on a minute. It wasn't Bush that we leaving stains on blue dresses. Got your presidents confused?
That doesn't fix the problem with the DSL modems but should avoid the trouble with shutting down the white house. But isn't George heading to Italia soon?
-AD
the June 18th hotfix *DOES* cover this vulnerability
A belated reply, but - I repeat, the June 18 hotfix does NOT necessarily prevent infection. This is not necessarily due to a problem in the patch itself, it's quite as likely that some (bleep) IT guy failed to reboot after applying the patch or some such similar idiocy. But the point remains that even M$ shops that apply all the released patches can still get caught out.
And those selfsame IT guys would believe that they were immune. (And yes, I have known about what the SecurityFocus site has to say about it since the day they posted the vulnerability. But I don't run the IT department.)
Liquor
Liquor
Sanity is a highly overrated commodity.
What about the name? Did it really come from China, or is this a sensationalist exaggeration?
---
https://www.accountkiller.com/removal-requested
I got a little worried there for a sec!
I'm still worried!
Write your congressman. I want to see using a Microsoft server being treated as an act of criminal negligence, like drunk driving.
Haven't we all had enough of this bullspit?
My own webserver had been hit by several thousand of these attempts. When I got Slashdotted for putting up pictures of Bobo, it was bad. But this worm has been saturating my DSL with HTTP GET requests.
Fire and Meat. Yummy.
http://perlpimp.com/exp.txt
It's just like HP refusing to write Linux drivers for their scanners. Those Chinese crackers are in bed with Bill Gates! I say let's boycott their products until they start supporting OUR OS!!!
It's not really about monopoly.
I we sure it's a mistake? I hope somebody can get their hands on a reverse DNS lookup of the IPs this RNG generates with the default seed. It may be a purposefully chosen number that attacks its [i]real[/i] target(s) while everyone laments the impending fall of the completely useless whitehouse.gov.
I'm surprised that they don't make the attack list public; while those at the top are probably already up $hit creek sans paddle, those further down may not yet realize just how screwed they truly are. A quick script that runs down the list and sends an e-mail to webmaster@, admin@, whatever@ each ip address effected would probably save millions in lost bandwith and business downtime.
---
This must be bad. I had to reload the page before any FPs showed up!
--
You are being MICROattacked, from various angles, in a SOFT manner.
(It's a link to information on RTM's worm, for those who don't feel like clicking the link.)
That's the original version; I've got an updated version (lighter bandwidth, typo fixes, etc.) available at http://www.snowplow.org/tom/worm/. I'm going to be quite hard to get in touch with for the next two months, but if you have any questions, feel free to ask and I'll get back to them as soon as I can.
Tom Darby
Obliteracy: Words with explosions
Yes, the June 18th hotfix *DOES* cover this vulnerability. If you read the articles on a real security news source, you will find that the fix for the "Code Red" work is Q300972, issued on... (wait for it)... June 18th.
---
nuclear presidential echelon assassination encryption virulent strain
nuclear presidential echelon assassination encryption virulent strain
Whizzmo
Whitehouse would be /.'ed even before the the worm kicks in.
/. effect.
Beware of the
I wonder if its a parody put on by the real W :)
The Lottery:
"Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
So have to say "Yeah, right. Grow up moron."
Let's see some logged in users backing up your story, ok? And all you Anonymous Cowards, get a login for crying out loud.
"You may all go to hell and I will go to Texas"
Sen. Davy Crocket to US Congress, Nov. 1, 1835
Quoted:
It looks like the "Code Red" worm has the added side effect of crashing Cisco (675/678) DSL CPEs running any CBOS prior to 2.4.1. The GET it sends looking for IIS servers hardlocks any modem with the web management interface enabled.
CBOS v2.4.2 is unaffected. Also, turning off the web interface with 'set web disabled' also prevents the crashes.
This found at securityfocus
You mean DMCA. You probably wouldn't know what it stands for, so it isn't surprising that you got it wrong.
I found a couple of these in my access_log:
/default.ida?NNNN ...(many N's)... NNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u78 01%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3 %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 324 "-" "-"
:)
x.x.x.x - - [19/Jul/2001:23:45:44 +0200] "GET
There were several from different IPs.
So is this the virus trying to infect my Apache server?
Don't blame the script kiddies for this one. It's the infected IIS machines that are trying to attack you. I had an IIS box at work get hit with it today. I was curious if my web server at home would be impacted. Needless to say when I got home I had a pretty full access_log with quite a bit of the .ida attacks. Just for fun I decided to visit some of these IP's. Web servers. This worm is beyond the capabilites of a script kiddie. Now, in a few weeks when we see repeats and variations, those will be the kids.
'Same speed C but faster'
While this isn't quite as impressive as the combination Windows/ Linux binary viruses that will execute and spread on and across either platform, it is another interesting twist. This one takes over the embedded OS in the Cisco routers and uses them as a platform for invasions of Windows 2000 servers.
Even Slashdot wants to hide some things
I was going to go to bed, but I think I might stay up and watch and see if eveything goes to hell. But from where? What more can you see other than your own connection slow down? Anyone have any suggestions?
Reliable, Great Value Hosting: $7.95/mo 2.4G/120G
Quote from second CNET article: Marc Maiffret, chief hacking officer of eEye: "If this goes along what it's looking like, parts of the Net will go down." He noted, though, that the code could have an error that causes the worm "to screw up and not work right." no wonder
I can confirm this... I'm a Qwest user with the Cisco675 router/ADSL modem with 2.2 firmware. My connection has dropped 3x today already, requiring a simple power off-on to re-establish the connection.
I haven't been surfing heavily today but there is a noticable slowdown from time to time.
Microsoft doesn't put most security patches on Windows Update. They have a Corporate Windows Update (http://corporate.windowsupdate.microsoft.com), but it's basically just another download site... it doesn't automatically tell you what you need or install it for you.
n /notify.asp), but since they obviously have the Update technology down pat, I don't know why they don't have a version of Windows Update with *all* the hotfixes, not just the "consumer-friendly" ones. It would certainly make setting up new machines easier... instead of downloading and installing twenty files, you should be able to just go to their site and have it do the work for you.
Not that keeping up to date on patches is very difficult (subscribe to their Security Bulletin at http://www.microsoft.com/technet/security/bulleti
They haven't really changed Windows Update since it was introduced with Windows 98 - they've really dropped the ball... Redhat's up2date and Ximian's Red Carpet are both quite a bit better than the current implementation of Windows Update.
--
Convictions are more dangerous enemies of truth than lies.
Convictions are more dangerous enemies of truth than lies.
- Nietzsche
Yeah, but for each one you have to click through 3 times just to get the file. Which means:
a) it's really annoying, and lots of people just won't bother, and...
b) it's really easy to miss one or two
And there's no real way to check (there's a dinky little script available somewhere that'll check for IIS patches, but it's buggy and hard to find).
The Corporate Windows Update site makes them easier to download, but it takes weeks for patches to be put up on it after they've been released, and there's no real way to match them with the associated Bulletins (to know if they need to be re-downloaded, if you've missed any, etc.) And it doesn't allow searching by Service Pack.
In this case, Microsoft's system is just sloppy and unprofessional. There's absolutely no reason for this to be such a pain other than Microsoft isn't putting enough money and attention into its support structure.
Sure, they now allow Patches to be joined together so you only have to reboot once for multiple patches and they allow you to search by Service Pack, but those are baby steps that should've been done years ago... patches today should be instantly updated over the web and shouldn't require reboots in 99% of cases (for all IIS patches, it should just shut down IIS, update the files, and restart). Microsoft's behind the curve, and if I was a corporate system admin, I'd be tempted to switch to Red Hat just because they have a much better update structure.
(For instance, with Red Hat, you type up2date, it launches a graphical wizard which automatically tells you what you need updated, downloads, and installs them. It's like four mouse clicks to completely update your system to latest versions of everything on it.)
--
Convictions are more dangerous enemies of truth than lies.
Convictions are more dangerous enemies of truth than lies.
- Nietzsche
While I was working for the feds,
:-)
I met a worm they called Code Red...
And Code Red hit 100K hosts,
And every host had 3 infections
And every infection had 100 threads
And every thread sent 100k
And every k had a thousand bytes [*]
And every byte was sent in 1 packet
And every packet had a 40-byte header
Headers, packets,
Bytes, k,
Infections, hosts and threads...
Once every month, just to piss off the Feds.
[*] 1024 just doesn't scan well.
I'm a bloodsucking fiend! Look at my outfit!
Hehe, I feel the same way. I sysadmin a large reserach site, and of course, we run Apache. I checked our web logs, and sure enough, it's full of default.ida?NNNNNNN.... requests. Things are so boring around here...
We don't have a state-run media we have a media-run state.
But I could have sworn that Microsoft software was safer out of the box than linux. I just can't find the paper where they explained it. Oh well. I'm sure you remember the post.
There's no way they could have let something like this happen with their knowledge. I have faith in Microsoft. They've always made my life easier.
- Relativistic? That's barely Newtonian!
Fortunately, a trace of the sources indicate that the servers involved are being shut down pretty quickly by their admins.
One alarming aspect is the number of these probes that are obviously coming from servers connected through PPP dial-up accounts.
I wonder how many people have installed IIS on PCs running IIS and don't even know it's running?
News With Attitude
Bind.
Not Meta-modding due to apathy.
"NT sysadmins who know their shit are on Microsoft's Technical Bulletin list."
For a fix this important, MS should use a less rarified environment.
Responding to a newly discovered security hole, Microsoft today released a patch to its Internet Information Server webserver less than twelve hours after the problem was discovered.
Brian Behlendorf of the Apache foundation and Theo deRaadt, OpenBSD project leader, expressed envy. "We wish we could get out patches that fast," commented Behlendorf.
"I'm actually amazed," said deRaadt. "Microsoft is usually so unresponsive. Of course, OpenBSD tries to prevent these kinds of problems in the first place."
You'll never see that reported on /.
Sorry, couldn't resist. Actually Apache, OpenBSD, and the guys who make them are great. (And hopefully have good senses of humor.)
Secession is the right of all sentient beings.
a new Internet worm that takes advantage of a security flaw in Microsoft software
Is this even worth mentioning? I mean, really! Don't all worms take advantage of security flaws in Microsoft software? Why can't someone write a worm to take advantage of Apache for a change? All of these Microsoft servers being compromised are making me jealous. If only I could afford a license of Win2k Server, then I could participate in the excitement as well...
some day....
-Ryan, with the unoriginal sig
For system administrators who have not patched their systems, now would be a good time, said Microsoft's Culp.
So why aren't these patches available on the windows update webpage? I'd think most of the NT boys out there don't even know you can download post SP hotfixes from microsoft. Of which there was over 230 last time I checked.
MS'es WinUpdates site could really be leveraged here.
Because people don't take as good of care of things they didn't pay for. :-)
Power to the Peaceful
I thought that said whitehouse.com! I got a little worried there for a sec!
---
------
Sig
Why is it that 99% (if not 100%) of the viruses are written for (against) M$ products? Is it because every hacker is targetting M$ or is it because everyone *knows* the M$ code so well? I can't imagine that they didn't think as hard about security as Apache or Linux for example.
---
hm.. i've had one of these too, but mine where slightly different ......, GET, /error404.asp, 404;http://www.worm.com/default.ida?.....