Slashdot Mirror


Code Red! All Hands to Battle Stations!

We had thought we were done with Code Red last week, but CERT is sending out warnings that the entire internet will cease to exist if the Code Red MSTD isn't stopped in its tracks. Even Scientific American has a story about it. Cringely tells us that the true threat is servers with mis-set clocks.

445 comments

  1. Sue Microsoft by Anonymous Coward · · Score: 1

    Right, I'm not a lawyer.

    But, 5 million (who cares, it's lots) IIS servers installed world wide (according to one of those articles). Now, those Terms and Conditions (EULA) say that Microsoft still 'owns' the software, even more so with their new licensing policy (with XP etc), so if they still own and control the software, surely they are responsible that on one day in the not too distant future /our/ Internet (parts of) will become saturated (for perhaps only a limited time) but the overall effect will strike all (thru degraded service), especially those who don't even run Microsoft software, and those who ensure their networks aren't open to this worm (the attack's a little harder to combat since it saturates your lines).

    IIS is a kind of pollution. It's ruining the Internet for the rest of us.

    And it's Microsoft's fault (be its engineers, or more likely its massive marketing force)

    Join with me! Let's Embrace and Extend Microsoft's dodgy wares off the face of the internet and make the world a nicer place to be :)

    OK enough of that. But surely this is somewhere near the mark, if some legal types were to look into it.

    I work tech support, and get shit loads of moans when some little thing goes wrong, I get moans of "I'm losing X thousand every hour" or some other zero tolerance bullshit. What's the net worth of loss that this little baby is going to unleash... and you bet, not one person will say anything (except the *nix zealots) and currently, Microsoft abandons all responsibility.

    Am I right, or what ?

  2. We're Missing the Point Here... by Anonymous Coward · · Score: 1
    I think the big issue is:

    Is the Code Red Worm under the GPL?

    I want access to the code, dammit!

  3. Re:Oooo..... let's bash Microsoft! Yeah! by Anonymous Coward · · Score: 1
    remove any that are unnecessary, including the one for Index Server.

    Unless you need to use Index Server of course!

  4. Re:Why can't MS be held responsible? by Anonymous Coward · · Score: 1
    In my opinion, someone should force MS to take responsibility for issuing a product recall...just like in any other industry. That means they must contact their dealers and their dealers must contact their customers and get it patched. Obviously this is serious enough to warrant that kind of attention and MS can surely afford it.

    Such a proposal would lead to the death of free software.

    A big proprietary software corporation like Microsoft, with billions of dollars of cash on hand, could easily afford to carry out such a recall. But any time such a recall was ordered for a security flaw in a free software project (which typically doesn't have as much cash on hand as Microsoft), it would probably be the end of the project. In fact, it's unlikely that anyone would bother starting a free software project in the first place, with the enormous risks of an expensive recall.

    Be careful what you ask for -- you might just receive it.

  5. Re:Best IIS Patch by Anonymous Coward · · Score: 1

    I just checked my home server today and I was hit 20 times by the worm on the 19th, but it doesn't matter because I run linux and apache. Just shows that we were right all along, M$ sucks, linux and apache rocks!

  6. CERT and Code Red by Anonymous Coward · · Score: 1

    I thought it might be useful to clarify a few things.

    -- The CERT/CC has issued 3 advisories on the general area of Code Red
    and the related vulnerability in IIS.

    http://www.cert.org/advisories/CA-2001-13.html
    http://www.cert.org/advisories/CA-2001-19.html
    http://www.cert.org/advisories/CA-2001-23.html

    CA-2001-13 describes the vulnerability, and was issued shortly after
    Microsoft's bulletin on the problem.

    CA-2001-19 describes the first appearance of Code Red, and CA-2001-23
    describes the expected impact of Code Red in August.

    In our original advisory (13) we said

    "Impact: Anyone who can reach a vulnerable web server can execute
    arbitrary code in the Local System security context. This results in
    the intruder gaining complete control of the system. Note that this
    may be significantly more serious than a simple "web defacement."

    In the first description of "Code Red," (19) we said:

    "The "Code Red" worm is self-replicating malicious code that exploits
    a known vulnerability in Microsoft IIS servers (CA-2001-13).

    "The "Code Red" worm attack proceeds as follows:

    "The CERT/CC encourages all Internet sites to review CERT advisory
    CA-2001-13 and ensure workarounds or patches have been applied on all
    affected hosts on your network.

    "If you believe a host under your control has been compromised, you
    may wish to refer to

    Steps for Recovering from a UNIX or NT System Compromise"

    In the third advisory (23) we said:

    "Our analysis estimates that starting with a single infected host, the
    time required to infect all vulnerable IIS servers with this worm
    could be less than 18 hours. Since the worm is programmed to continue
    propagating for the first 19 days of the month, widespread denial of
    service may result due to heavy scan traffic.

    "As reported in CA-2001-19, infected systems may experience web site
    defacement as well as performance degradation as a result of the
    propagating activity of this worm. This degradation can become quite
    severe, and in fact may cause some services to stop entirely, since it
    is possible for a machine to be infected with multiple copies of the
    worm simultaneously.

    "Furthermore, it is important to note that the IIS indexing
    vulnerability that the "Code Red" worm exploits can be used to execute
    arbitrary code in the Local System security context. This level of
    privilege effectively gives an attacker complete control of the
    infected system."

    I feel confident that I haven't overlooked the phrase : "the internet
    will cease to exist." Indeed, I'm rather confident the Internet will
    continue to exist through August. September is another matter
    entirely. :-)

    At this point in time (7:02 PM EDT, 7/31/2001), I personally
    anticipate that the worm will begin spreading again within a few
    hours, and that we'll reach saturation (all vulnerable, reachable
    servers compromised) within 96 hours. I further expect that the number
    of vulnerable machines will be substantially smaller this round. The
    question is, by how much.

    Shawn Hernan
    Vulnerability Handling Team Leader
    CERT/CC

  7. Re:The Entire Internet Will cease to exist... by Anonymous Coward · · Score: 1

    Are you kidding? IIS runs less than 25% of the net's web servers, and what percentage of those do you think have the time mis-set? This sounds like the percentages in a *BSD is Dying troll.

  8. Re:Microsoft can fix this! by phil+reed · · Score: 1

    Uh, it does. On Windows Update it's referred to as the Indexing Service patch, but it's there and automatically installed as part of the Critical Updates section.


    ...phil

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  9. Re:And the REALLY sad thing. . . by echo · · Score: 1

    The /REALLY/ sad thing is that patching a web server APPLICATION requires you to REBOOT the OPERATING SYSTEM!

  10. Re:And the REALLY sad thing. . . by echo · · Score: 1

    I was basing my comment on what the previous poster said about rebooting, I haven't used the Code Red patch, because I don't run Windows.

    So don't complain at me, I'm not the one scheduling reboots of servers.

  11. The Story's a Troll by Threed · · Score: 1

    USENET old timers are used to people claiming the net will die. "Imminent death of the internet predicted!" But it keeps not happening.

    But it makes Slashdot because 1) it has to do with Microsoft 2) it's a followup story 3) someone in a tie wrote it so it must be true. But that suit just trolled you better than theElectron.

    The real Threed's /. ID is lower than the real Bruce Perens'.

    --Threed

  12. Coca Cola by Threed · · Score: 1

    From the company reps lips: "Cocaine has never been an added ingredient in any Coca Cola product."

    Technically, they're right. It wasn't an /added/ ingredient, though it certainly tagged along as part of their coca leaf flavoring. It was later replaced with caffeine, but Coca Cola still has a grandfather clause allowing them to import "denatured" coca leaf extract.

    Anyway, that's where "Coke" as dual use street slang came from.

    The real Threed's /. ID is lower than the real Bruce Perens'.

    --Threed

  13. Re:Worms and market share by SJS · · Score: 1
    ...and nobody bothers writing a virus for an OS like Linux.
    Huh?

    What about the Lion (Linux BIND) worm?

    --
    Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
  14. How come.... by talks_to_birds · · Score: 1
    ...you seem to be talking about Internet Information Server, but Micro$oft's own security bulletin seems to be talking about Internet Indexing Service?

    Just wondering...

    t_t_b
    --
    I think not; therefore I ain't®

    --
    I'm on PJ's "enemies" list! Are you?
    1. Re:How come.... by Strangely+Unbiased · · Score: 1

      You're right. But Indexing Service works in conjunction with IIS. Not exactly a part of IIS, but kind of. If you do not have IIS enabled, you are not vulnerable to the attack. And since most of the times it's the IIS's fault, I'm talking about that.

      --


      There is no such thing as 'world peace'.
  15. Re:Code Red Sci-Am article by Exocet · · Score: 1

    Carolyn Meinel is, in a nutshell, a flaming idiot. It's a credit to her social engineering skills that she managed to get Scientific American to publish her nasty fluff - and a discredit to SA.

    http://www.dis.org/shipley/cpm/
    http://www.shmoo.com/mail/cypherpunks/may99/msg00141.html
    http://www.landfield.com/isn/mail-archive/1998/Nov/0040.html

    Wooo! Just do the following search on google: "Carolyn Meinel" site:attrition.org

    ...She's made about as many friends in the security community as Bill Gates would at a LUG meeting.

    --
    Exocet Industries - Taking over the world, one computer at a
  16. Re:Apache problem by laertes · · Score: 1
    To be honest, apache may be vulnerable; however, it's not quite as simple as that. In linux, you could theoretically do wacky things, like disable outgoing connections on port 80. If linux had finer grained security, you could even do this without interfering with mozilla's attempts to connect out on port 80. The beautiful thing is, as linux is open source, you can make said modifications. See the NSA modifications.

    Also, you could limit the outgoing bandwidth, or disable outgoing pings. You could even write an anti worm program, which gets updated worm attack patterns from some website, and looks at every outgoing web request for possible matches. Further, apache and linux run on different hardware, and apache runs on non-linux operating systems too, making apache much less homogeneous an entity than IIS. And finally, the average linux user is much more likely to upgrade their operating system for security reasons than your average windows user.

    By the way, Apache is free as in speech, too, which is why I like it (well, that and the fact that I can pronounce "apache" easily; it's not a tongue twister like "IIS").

    --

    Yes, I'm still a junky. Are you still a bitch?
  17. Re:Mis-set clocks? by unitron · · Score: 1

    A Windows machine running forever? Please.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  18. No shiiiiiiiitt! by KlomDark · · Score: 1
    This has been getting really stupid lately. K5 and .5e are really doing a lot better than this lately.

    It's pretty much a balance of quantity vs quality- ./ has a new (but quite often lame and stupid) article to read every hour or so, while K5 and .5e the articles are much better, but less quantity. I can't stop but keep checking ./ every couple hours, but the others are something I only check once or twice a day.

    Just waiting for something to get better. Either here or them, some reason to keep or stop going here.

  19. Spoon? by KlomDark · · Score: 1
    I thought it was "There is no spoon"... :)

    Don't worry about the Internet...

    What Internet?

    *CRASH*

    That Internet... It's OK, have a cookie. (Or maybe "Have a Code Red Mountain Dew")

  20. Re:The Entire Internet Will cease to exist... by Bob+McCown · · Score: 1

    You forgot to include your ... tags....

  21. Re:CNN this morning by kurowski · · Score: 1
    ...they call the owner of the company's kid, who doesn't know anything at all about security, he manages to know a few simple things about computer hardware, but not that a motherboard with an AGP1x does not work well with AGPPro cards

    and that is relevant to system administration in general, or security specifically, how?

  22. Re:a taste of what's to come by kurowski · · Score: 1
    Every PC, PDA, cell phone, and dog collar will be running a Microsoft OS and accessing its data over .NET.

    *cough*Mono*cough*

    What happens when the .NET version of Code Red comes out? What then? All my data is wrapped up in .NET. Everything I do is on a server somewhere but the wireless .NET is too bottlenecked for me to get to it.

    *cough*DotGNU*cough*

    When are people going to get the hint that despite all their propaganda, Microsoft is not good for anyone.

    People will only get the hint when compelling alternatives are produced.

  23. I don't believe that 40% of the world could kill by johnjones · · Score: 1

    right

    apart from the network traffic which the isp should regulate anyway what does this do ?

    infects IIS servers but they run under 40% thats right UNDER now if apache had a hole like this then the world would be in for a shock !!

    but I don't believe that this could do anything except give credence to the admins who pull plugs out of walls when they are labeled

    "MIS webserver (win2000)"

    frankly fools damn fools and microsoft IIS administrators

    sorry but how can this bring the world to an end ?

    "life finds a way " -> "randomness protects the internet"

    regards

    john jones

    1. Re:I don't believe that 40% of the world could kill by StueyB2U · · Score: 1

      Just a few points:

      1. I agree that admins who don't patch servers are pretty stupid !!!
      2. Some of us don't know enough unix to competently administer such a box if things do really go wrong.

      Surely it is a better idea to have a well patched and secured IIS Server that behaves and is robust and hacker resistant (not hacker proof you note, no system can be totally secure) than a dodgy Apache installation.

      I'd love to be able to run Apache on our web server, it's faster, more robust and doesn't crash all the time, but you need to know what you are doing !! I have a lot of knowledge (no I ain't an MCSE - don't want to be !! all paper and no tech knowledge) but if I were to implement a RedHat/Apache solution, it wouldn't be as secure (due to me not being up on *nix systems) and it would be harder for me to maintain when you get things like kernel panics (wouldn't know what to do)

    2. Re:I don't believe that 40% of the world could kill by Tassach · · Score: 2
      Applying patches willy-nilly can be just as bad as NOT applying them. Applying a patch can break dependencies or expose bugs that were previously overlooked. Patches can introduce new bugs too -- just ask anyone who was misfortunate enough to install NT Service pack 6 the first few days it was available.

      When you are administering a critical production server, you don't make ANY change to the system without a good reason, and if you do you damn well make sure you test the patch on non-critical systems first.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
    3. Re:I don't believe that 40% of the world could kill by einhverfr · · Score: 2
      Too many IIS admins I have spoken with say the following things:
      "Security patch? Yeah, I just downloaded it from Norton!" and
      "Backup? What if I don't have a backup?"

      The problem, IMO, is that servers should be administrator friendly and transparent. They should make the administrator part of the process. In this way, I think that UNIX is a better OS for servers than NT.

      Contributing factor: how many questions on the NT4 MCSE covered security or disaster recovery?

      Sig: Tell all your friends NOT to download the Advanced Ebook Processor:

      --

      LedgerSMB: Open source Accounting/ERP
  24. Fire with fire by bkocik · · Score: 1
    I had this idea earlier. It'd most certainly be illegal (even though you could convincingly argue that it shouldn't be), but it would still be fun, and probably effective if enough people used it.


    I thought, why not write a servlet/JSP/cgi/whatever that detected an inbound hit from a Code Red infected server, and responded by using the same vulnerability to turn around and turn off the worm on the offending box?


    Like I said, probably illegal...but a cool concept, I think. If I had the time I might put a servlet together, but I don't, and it's probably too late for today's attack anyways.

    Regards,

  25. Re:Worms and market share by Mike+Schiraldi · · Score: 1

    It's "viruses", not virii.

  26. Re:And the REALLY sad thing. . . by Salgak1 · · Score: 1

    Except all of my IIS boxen use Indexing Services. Weird. . .

  27. And the REALLY sad thing. . . by Salgak1 · · Score: 1
    is that people still haven't patched. I have several managed webservers at a co-lo site, and to play it safe, asked them if they'd installed it yet.

    And was asked when they could re-boot the boxen, a fairly strong indication that they hadn't installed a routine security patch until I asked about it. . .

    Luckily, Cringely gave me an idea for a quick fix: since our Maintenance Window on the boxen is 0-dark-early in the morning, and the worm hits at 0000 GMT tonight (8 Eastern, 4 Pacific), TURN YOUR NT/2000 boxes back a day, and then reboot early tomorrow morning, and re-set your date to the correct one...

    Of course, if they'd listened to me and used Apache, we wouldn't be having this problem...

    1. Re:And the REALLY sad thing. . . by Salgak1 · · Score: 1

      They're all development variants of our production servers. I built them all with the same install script. I can only assume developer tweaks have diverged the boxen enough over the 8 months I've been here. . .

    2. Re:And the REALLY sad thing. . . by Salgak1 · · Score: 1

      Most of my local IIS boxen did not require a reboot, 2 did. Damned if I know why, either. . .ya gotta LOVE Windows (NOT!)

    3. Re:And the REALLY sad thing. . . by LinuxHam · · Score: 1

      The exploit works even if the Indexing Service is not running. The key is to remove the dll mapping for .ida. What's worse is that just about any action in modifying your IIS configuration will reenable the offending mapping if you have disabled it.

      The patch from Microsoft allows that mapping to remain permanently removed.
      --
      Steve Jackson

      --
      Intelligent Life on Earth
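
Added example, not part of the thread or any poster's code: because the vulnerable handler is reached through the `.ida` mapping, the worm's probes show up in any web server's access log as requests for a `.ida` path with a long padded query string. The scanner below counts such hits per day, per source and per response status in Common Log Format lines; the sample lines, the 100-character query threshold and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Common Log Format: host ident user [timestamp] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Assumed threshold: a legitimate Indexing Service query is short, while an
# overflow attempt needs a long padded query string.
MIN_QUERY_LEN = 100


def is_ida_probe(target, min_query_len=MIN_QUERY_LEN):
    """True if the request target is a .ida path with an oversized query."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    return parts.path.lower().endswith(".ida") and len(parts.query) >= min_query_len


def summarize(lines):
    """Count suspected probes per day, per source host and per HTTP status."""
    per_day, per_source, per_status = Counter(), Counter(), Counter()
    skipped = 0  # lines that are not parseable CLF entries
    for line in lines:
        m = CLF.match(line.strip())
        if m is None:
            skipped += 1
            continue
        try:
            day = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").date()
        except ValueError:
            skipped += 1
            continue
        if not is_ida_probe(m.group("target")):
            continue
        per_day[day.isoformat()] += 1
        per_source[m.group("host")] += 1
        per_status[m.group("status")] += 1
    return {
        "per_day": dict(per_day),
        "per_source": dict(per_source),
        "per_status": dict(per_status),
        "skipped": skipped,
    }


# Constructed sample input: filler padding and documentation-range addresses,
# not a captured worm request.
PAD = "X" * 224
SAMPLE_LOG = [
    f'192.0.2.10 - - [19/Jul/2001:14:02:11 +0000] "GET /default.ida?{PAD} HTTP/1.0" 404 276',
    f'198.51.100.7 - - [19/Jul/2001:14:05:40 +0000] "GET /default.ida?{PAD} HTTP/1.0" 404 276',
    f'192.0.2.10 - - [01/Aug/2001:00:03:09 +0000] "GET /DEFAULT.IDA?{PAD} HTTP/1.0" 404 276',
    '203.0.113.5 - - [19/Jul/2001:15:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [19/Jul/2001:15:00:02 +0000] "GET /search.ida?q=test HTTP/1.0" 404 276',
    'not a log line',
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, value in report.items():
        print(key, value)
```

A status other than 404 in `per_status` means the server answered the `.ida` request, which is the cue to check whether the mapping is still present on that host.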
    4. Re:And the REALLY sad thing. . . by SuiteSisterMary · · Score: 1

      Yes, but had they used it recently? It's an ISAPI dll, and should get unloaded if it's not used for a while.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    5. Re:And the REALLY sad thing. . . by bpellin · · Score: 1
      I would venture to say that linux has reached critical mass on the internet. After all, we are talking about servers here. Maybe everything implemented now isn't linux, but I wouldn't be surprised if linux was growing fastest in the server market. You just don't go out and buy SCO Unix, or HPUX to serve webpages these days, and speaking from the standpoint of an ISP, we only have enough Windows webservers to placate the users who demand them. Anyone have links to statistics?

    6. Re:And the REALLY sad thing. . . by LordKariya · · Score: 1

      Reboot system = remove worm from memory

      Why not have everyone reboot at midnight (adjusted to your time zone) August 1st ? Seems simple, but it would work.

      --
      I alternate between posting +5 and -1 Comments. Karma: +53 -47 = 6
    7. Re:And the REALLY sad thing. . . by kiwimate · · Score: 1

      Do they? Or is it just *installed*? Indexing Services gets installed as part of the default installation, but a lot of boxes don't actually *use* its functionality.

      A bit like documentation and geeks, really.

    8. Re:And the REALLY sad thing. . . by SuiteSisterMary · · Score: 2
      However, unless the admins have the time and the knowledge to turn this service off, it will continue to be a problem.
      And the first line of any 'how to secure a network operating system' text is 'turn off things you don't need.' The 'How to secure IIS' checklists and docs that Microsoft puts out all list several aspects of IIS that should be shut off; sample apps, admin pages, stuff that makes sense on an Intranet but not on the Internet. A lazy admin can install NT2K and have a bunch of security holes because they put it on the network and walk away. Guess what happens if they install everybody's golden OS, Linux? Same shit. Why do you think there are projects like Bastille? If Linux ever achieves critical mass on the Internet, it'll be targeted, and compromised, by just as many of these things as NT/IIS has ever been.
      --
      Vintage computer games and RPG books available. Email me if you're interested.
    9. Re:And the REALLY sad thing. . . by SuiteSisterMary · · Score: 2

      The exploit, and the patch, affect Indexing Service. Most sites aren't actually using Indexing Service. Hence, no reboot required.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    10. Re:And the REALLY sad thing. . . by Saint+Aardvark · · Score: 2
      Mmm...IIRC, the worm is memory-resident -- so while installing the patch doesn't require a reboot, you do need to take it down if you *have* been infected in order to clear it out of memory.

      But I could be wrong. Hell, I remember the last time that happened. I believe it was a Thursday...

    11. Re:And the REALLY sad thing. . . by MrBogus · · Score: 2

      The 'How to secure IIS' checklists and docs that Microsoft puts out all list several aspects of IIS that should be shut off; sample apps, admin pages, stuff that makes sense on an Intranet but not on the Internet.

      True, but it's still irresponsible for Microsoft to ship a webserver (or any 'Internet' software) that comes out of the box with an inherently insecure configuration. Given the rate of IIS bugs that affect non-core components, Code Red is just the beginning of the iceberg until admins figure out how to turn this stuff off.

      --

      When I hear the word 'innovation', I reach for my pistol.
  28. Re:Microsoft should just give up on IIS by CerebusUS · · Score: 1

    My boss has just told our head of technical support to download the patches.
    I said to our head of technical support "We don't need no steenkin' patches!"
    Running Apache on Linux has turned out to be the right choice!


    riiiight. Apache needs no patches

    The tooth fairy will protect you.

  29. A virus that patches M$ exploits by chryptic · · Score: 1

    I was thinking that since the hole this virus exploits allows it to execute any code it wants why not alter the virus to install the patch from M$?

    The way I see it any system that is still vulnerable will always be. The people running those systems are not paying attention and will never install the patch themselves. But since this worm is so good at finding those systems why not use it to force an update?

    --
    The two most common things in the Universe are hydrogen and stupidity. -- Harlan Ellison
  30. Re:From cringely's article by Azghoul · · Score: 1

    I thought he was just going to point out Apache.
    Or well, what the hell, ANY web server that is not IIS.

    All kinds of people will see that as being just as bad, because replacing IIS would force them to use non-MS software, require some training (I'm available!), roll out new/updated servers, etc etc...

  31. Re:Beter yet - the reboot virus by hrm · · Score: 1

    Better do rigorous bug testing before releasing such a "benevolent worm". I hear Morris originally planned something else for his worm, too :-)

    Seriously, it won't be a proper solution anyway because any future mutations are bound to be disk-resident (and thus immune to reboots). They might even rely on a reboot to do serious damage, given Windows' unwillingness to write to files (like, say, MSVCRT.DLL) while they're in use.

  32. Re:The Internet will "cease to exist" ? by odaiwai · · Score: 1

    Capitalizing occasional words like that always reminds me of Robert McElwaine. "FULL and COMPLETE dissemination is ENCOURAGED..."

    dave

  33. Talk Show hosts by spudnic · · Score: 1

    I've heard several talk show hosts over the last couple of days read the press releases about code red infecting all these MS servers.

    They invariably follow it up by saying, "Yeah, I got about 200 copies of code red in my inbox yesterday asking for my advice, but I was smart enough not to open them."

    Geez.

    --
    load "linux",8,1
  34. blah... by zook · · Score: 1
    I have a hard time getting too excited or upset about this. In fact, I have a hard time feeling that whoever wrote this is all that evil.

    Let's look at it this way, someone took a bug that existed in a product and exploited it in a way that made it very clear that it was being exploited. Result: MS publishes a patch. If they were really malicious they'd make a much more subtle attack that MS wouldn't be so quick to recognize and fix.

    As for the horrible things that this will do to us, let me ask you all this: would you rather have an attack like this one that will slow things down, and maybe even shut down a few web sites, or would you like to have someone exploit web servers to get your credit card number?

    As a consumer I'd rather do without [insert favorite e-commerce site here] for a while than have to deal with someone stealing my information off of a web site.

    Both happen, both get some publicity, but the one that industry cares about is the one that everyone is up in arms about.

    1. Re:blah... by zook · · Score: 1
      I love the intelligent tone of the commentary on Slashdot.

      I don't care too much whether MS posted the patch before or after the worm came out, though you're almost certainly right on this point. I'm not trying to bash MS here, and I'm definitely not trying to get into the whole "linux rules, down with M$" garbage. Were this an Apache bug the same situation might arise.

      Rather, it's obvious that many system administrators have not patched this bug, but certainly with a high profile attack like this one many will. If, instead, there was a more sneaky attack, people might be slower to recognize it as a problem, and hence slower to respond. The end result might not be so spectacular, but might cause more real harm.

  35. Late warning by perrin5 · · Score: 1

    Dear Slashdot moderators:

    Thank you for warning us of such a problematic issue THE DAY IT'S SCHEDULED TO GO OFF!!!!! Not to poke any sarcasm your way or anything.

    I'm sure I'm not the first one to have pointed out the IIS second-wave yesterday:
    2001-07-30 19:28:56 'Code Red' Worm might be coming back (articles,microsoft) (rejected)

    But, don't you think that putting out the word yesterday, when we already had stories out, would have reminded those sysadmins lax enough to "worry about it later" to get on the ball and patch their servers?

    Just curious

    --
    hmmmm?
  36. Much Ado About Nothing by drfalken · · Score: 1

    I don't think much will come of this. Cringely is an idiot. His comments that as long as there's one server with a broken clock the worm will always be with us is stupid. There are loads of viruses in the wild that continually spread but are harmless because the software they infect has been patched and/or anti-virus software continues to keep them at bay.

    I have been getting calls from people all day asking why I haven't sent out a warning about this worm. The problem here is that the media has hyped this up and the average joe doesn't understand that it can't infect their Win9x desktop so everyone is freaking out.

    I doubt that much will happen. I lived through Y2K and the Internet gold-rush. Things online are rarely what they seem.
    ----------------------------

  37. Cringely by Monte · · Score: 1

    Along the same lines, am I the only person who has a problem with Cringely? After watching his PBS show about building an airplane in thirty days, I was convinced the guy has more money than brains, and that his infamy is due more to who he knows than what he knows.

    To get a good idea of just what he does know you might want to read his book "Accidental Empires", which IMHO is a pretty good look at the history of the microcomputer revolution.

    You should be able to get a copy cheap from half.com.

  38. Re:Fatal Infections by T3kno · · Score: 1

    A worm like Code Red doesn't care if the final host is "destroyed" because it launches all of the attacks from cracked Sun boxen. This way you always have a staging area from which to launch the attack

    --
    (B) + (D) + (B) + (D) = (K) + (&)
  39. Re:Are there any non-microsoft viruses anymore? by LinuxHam · · Score: 1

    Back before I knew what I was doing, a Linux host I had up on the net got hacked by the Ramen worm. BIND has got to be the closest open source product to IIS with respect to massive numbers of vulnerabilities that give "immediate root access" to quote SANS.

    I feel UNIX/Linux will always beat Microsoft hands down because of chroot jails. If you chroot Apache or BIND running as a non-privileged user and they get cracked, the cracker will have nothing more to fark with than the individual service they cracked. Not to downplay the severity of that situation, but at least they won't get root access on your box. Furthermore, if you script nightly overwrites of the directories hosting those services from protected locations, the hack won't be long lived.

    Add to that web programming that uses protected connections to Java servlet engines (i.e. Tomcat listens on localhost-only), and you can easily and frequently rebuild your websites the moment Tripwire detects that something has changed.

    And so long as Linux and UNIX run neck-and-neck in vulnerabilities, I have no interest in running a commercial UNIX. And no, BSD is not an option for me so long as I wish to run commercial (or even current) apps. I found out last night that FreeBSD is just now getting Java **1.2** in Beta. Forget about Jakarta Tomcat and Cocoon. Gimme a break. Looks like BSD is best for static HTML or perl CGI.
    --
    Steve Jackson

    --
    Intelligent Life on Earth
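The overwrite-from-a-protected-copy idea in the comment above, as an added example that is not part of the original post: a sha256 manifest comparison stands in for Tripwire, and a drifted tree is replaced from a golden copy. The function names and all paths are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: compare a served directory with a protected "golden" copy and
# overwrite it when anything differs. Only regular-file contents are compared;
# permissions, ownership and symlinks are not part of the manifest.

# Print "sha256  ./relative/path" for every regular file under $1, sorted by path.
make_manifest() (
    cd "$1" || exit 2
    find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2
)

# Print paths added, removed or modified in live tree $2 relative to golden
# tree $1. Exit status: 0 = identical, 1 = drift, 2 = comparison failed.
drift_report() (
    want=$(make_manifest "$1") || exit 2
    have=$(make_manifest "$2") || exit 2
    # A manifest line that appears in only one tree names a changed path.
    changed=$(printf '%s\n%s\n' "$want" "$have" | LC_ALL=C sort | uniq -u |
        sed -e '/^$/d' -e 's/^[0-9a-f]*  //' | LC_ALL=C sort -u)
    [ -z "$changed" ] && exit 0
    printf '%s\n' "$changed"
    exit 1
)

# Replace the contents of live tree $2 with the golden copy $1.
restore_tree() (
    [ -d "$1" ] && [ -d "$2" ] || exit 2
    find "$2" -mindepth 1 -delete || exit 2
    cp -Rp "$1"/. "$2"/
)

# Exit 0 when the live tree is clean, 1 after reporting and repairing drift,
# 2 when the comparison or the restore itself failed.
verify_and_restore() (
    report=$(drift_report "$1" "$2") && exit 0
    [ -n "$report" ] || exit 2
    printf 'drift detected, restoring:\n%s\n' "$report" >&2
    restore_tree "$1" "$2" || exit 2
    exit 1
)

# Constructed sample: a two-file site, tampered with, then checked twice.
demo() (
    work=$(mktemp -d) || exit 2
    mkdir -p "$work/golden/cgi-bin" "$work/live"
    printf '<h1>home</h1>\n' > "$work/golden/index.html"
    printf '#!/bin/sh\necho ok\n' > "$work/golden/cgi-bin/status"
    cp -Rp "$work/golden"/. "$work/live"/
    printf 'defaced\n' > "$work/live/index.html"      # modified file
    printf 'x\n' > "$work/live/cgi-bin/dropped"       # added file
    first=0;  verify_and_restore "$work/golden" "$work/live" || first=$?
    second=0; verify_and_restore "$work/golden" "$work/live" || second=$?
    rm -rf "$work"
    echo "first run: $first (1 = drift repaired), second run: $second (0 = clean)"
    [ "$first" -eq 1 ] && [ "$second" -eq 0 ]
)

demo
```

The golden copy only helps if the service account cannot write to it, so it belongs outside the chroot and is read by the job that runs the check.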
  40. Re:The Internet will "cease to exist" ? by LinuxHam · · Score: 1

    There's a difference between web servers and web sites.. I've been searching and searching but I can't find the article right now.. I recall reading a recent /. article linking to Netcraft, but I can't seem to locate it.. anyway, here's the gist of it.. now follow me here..

    1/4th of the world's web SITES run under IIS on 2/3rds of the world's web SERVERS. And the opposite is true for Apache.. 2/3rds of the world's web SITES (the 62% you always hear about) run on just 1/4th of the world's web SERVERS. In short, IIS (or its admins) are not very good at virtual hosting (running more than one totally independent website on one box), while one beefy Apache box can host 50 or 100 different web sites.

    Again, TONS of vulnerable servers host a small portion of the Internet's web sites (and can cripple the net with traffic), while the VAST MAJORITY of the world's web sites run on far fewer servers running non-vulnerable Apache servers.

    Imagine if Sourceforge ran on IIS? That would be one way to get a free co-lo! Open a project, get a free server all to yourself! At least until they figure out how to add a second virtual domain to the server they gave you.
    --
    Steve Jackson

    --
    Intelligent Life on Earth
  41. Re:Are there any non-microsoft viruses anymore? by LinuxHam · · Score: 1

    Perhaps I should have said BIND and Sendmail together give IIS a run for the money in the vulnerability list. :)

    At least there are viable secure alternatives to Sendmail in Qmail and Postfix. With BIND, you can reduce the privileges, but you really need to chroot jail it. I didn't want to go TOO long on the post, so I chose to bash BIND the hardest :)

    And just a reminder: click here for the ten worst and most abused vulnerabilities.. listing BIND *and* Sendmail holes.
    --
    Steve Jackson

    --
    Intelligent Life on Earth
  42. My God don't remind me... by LinuxHam · · Score: 1

    Service Pack 6 knocked out email for 5,000 users of NTWS at my company because MS decided to ship out a patch that forced the logged in user to have **Admin** privileges just to use TCP/IP. Lotus Notes? Dead in the water. IE? Shot. Logins? Nope. Drive mappings? Forget it.

    Didn't we test it? Of course we did. Unfortunately our "user" accounts were also domain admins, so it didn't appear in our extensive testing.

    That was a bad day at the office. We definitely regretted finally getting software delivery working under CA TNG (another pain in the ass software manufacturer).
    --
    Steve Jackson

    --
    Intelligent Life on Earth
  43. Not from China? by Palshife · · Score: 1

    News.com says:

    Despite Web site postings that said "Hacked by Chinese," a Chinese network safety official says that the fast-spreading Code Red Internet worm was probably not made in China.

    I'm inclined to agree. This is simply someone who wants to forcibly make their political views known through a worm. Probably the best way of going about it these days, but I certainly don't condone the method.

    You CAN use Pine for windows, you know...

    --
    Attention deficit disorder is a complicated issue, spanning several major... HEY LET'S GO RIDE BIKES!
  44. Devils Advocate by pipeb0mb · · Score: 1

    OK...so we agree that MS' IIS is at fault for this worm. A bug in the software is a 'bad thing'.
    However, ALL software is buggy. Repeat, ALL.
    How many patches have been made for Apache or Perl or ProFTPD or ftpd?
    Dozens...

    Microsoft has done what they have to do, take the public beating and make a patch available.
    If Apache were a company, would there be the same outcry if this worm affected it? Probably not, because, outside of the Redmond campus, Apache is not reviled and hated.

    Calls for a class action suit and legal recourse are totally opposite of what should be advocated on this forum...since when is litigation the answer? (Ask Dmitri...) Why not contact the companies affected and offer your services in promoting a BSD or Linux?
    Like Taco implied a few weeks ago, bashing is out; promotion is IN!


  45. Re:LINUX SUCKS ASS by daveman_1 · · Score: 1

    Learn

    To

    Use

    The

    Break

    Tag

    Troll.

    --
    Russian Russian Russian RussianDollSig DollSig DollSig DollSig
  46. Re:So why doesn't someone release a counter-virus? by daveman_1 · · Score: 1

    This was covered in Cringely's article. They don't want to start acting like the bad guys.

    --
    Russian Russian Russian RussianDollSig DollSig DollSig DollSig
  47. Overblown media hype by jfp51 · · Score: 1

    Please... According to various security lists that I receive, once the worm goes into its dormant stage it does NOT wake up again. However, the risk is from new variants of the worm, or crackers finding a way to reactivate the dormant worm. Anyways, if people haven't patched their boxes by now (and they should have done it at least one month before Code Red erupted when MS released the security bulletin, even longer if you follow their IIS security checklist), I don't know what we should do with these people. If you don't patch your boxes, they will get compromised. How much time did it take to compromise the Honeynet project's Red Hat default install, 13 minutes or something? Not just an MS problem folks, it's a stupidity problem

  48. Re:Microsoft should just give up on IIS by jfp51 · · Score: 1

    We run IIS servers. We keep said IIS servers patched. We have had no probs with code red. Keeping our boxes current has turned out to be the right choice

  49. Re:Code Red Sci-Am article by Shanep · · Score: 1

    Thanks for wasting heaps of my time Exocet! I found this Carolyn Meinel bitch very morbidly fascinating. : ) Kinda like when people come out to see traffic accidents, hoping to see some guts on the road, etc.

    Some of the stuff at http://www.attrition.org/shame/index.html was really funny.

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  50. Very Scary Quote by medcalf · · Score: 1
    The government relies on Microsoft ... to secure everything from defence networks to financial systems.
    Because, after all, their proven security record is a real inducement to trusting them with security.
    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  51. Re:New ways to patch MS holes by Lew+Pitcher · · Score: 1

    My point is that if people don't use the tools already available, why would they take the time to opt-in to this program?

    Because they could 'opt-in' once, and let the holes take care of themselves, rather than opting in separately for each hole found.

    With the number of holes in MS products, it's easier for a typical, poorly educated NT Administrator to opt-in once and have the problems fixed automagically, than to keep reading BugTraq, locating, downloading, and applying fixes, and justifying his salary (and the server downtime) to his boss.

    ;-)

    --

    "values of beta will give rise to dom!"

  52. New ways to patch MS holes by Lew+Pitcher · · Score: 1

    According to one of the articles, Microsoft is looking for new/improved ways to distribute security fixes to broken systems. My suggestion, with some qualifications, would be to distribute fixes through the identified security holes.

    Just as attacks like "Code Red" take advantage of security holes to place privileged code on vulnerable systems, Microsoft could package hole-fixes into packages that prowl the internet looking for exposed systems. If the package (call it a 'worm') discovers a system with the appropriate hole, it enters the system, and replaces the faulty software with a patch.

    Now, lest Microsoft be accused of unleashing attacks against exposed systems (beneficial attacks to be sure, but attacks none the less), the worms would only approach systems that have subscribed to this as a service. Additionally, each worm would inform the Administrator of the system (through email, or some other messaging service available in MS products) that an exposure has been discovered and a patch has been applied.

    Of course, there would be an element of trust necessary here. The worm must also give the Administrator some sort of assurance that its changes are beneficial (we don't want attacks masquerading as patches), so there has to be some sort of confirmation/activation/deactivation process available to the Administrator, but I'm sure that, if Microsoft is serious about its commitments (and its revenues), this can be adequately worked out and implemented.

    --

    "values of beta will give rise to dom!"

    1. Re:New ways to patch MS holes by Zack · · Score: 2

      would only approach systems that have subscribed to this as a service.

      inform the Administrator of the system (through email

      some sort of confirmation/activation/deactivation process available to the Administrator

      I've got an idea too! How about an "opt in system" where system administrators get emailed a location to where the "patch" is! That way they would:
      1) Be informed of the problem.
      2) Told where to get the fix
      3) Have some sort of confirmation/activation/deactivation process available to the Administrator

      Or how about a web page where users could find updates?

      Or maybe a site that tracks bugs in software?

      And all that without having to have microsoft send out more stupid worms.

      My point is that if people don't use the tools already available, why would they take the time to opt-in to this program?


      -- Zack

  53. It's time to clean the Internet! by Stonehand · · Score: 1

    An old April Fools joke come true?

    *** Attention ***

    It's that time again!

    As many of you know, each leap year the Internet must be shut down for
    24 hours in order to allow us to clean it. The cleaning process, which
    eliminates dead email and inactive ftp, www and gopher sites, allows
    for a better-working and faster Internet.

    This year, the cleaning process will take place from 12:01 a.m. GMT on
    Feb. 29 until 12:01 a.m. GMT on March 1. During that 24-hour period,
    five powerful Internet-crawling robots situated around the world will
    search the Internet and delete any data that they find.

    In order to protect your valuable data from deletion we ask that you do
    the following:

    1. Disconnect all terminals and local area networks from their
    Internet connections.

    2. Shut down all Internet servers, or disconnect them from the
    Internet.

    3. Disconnect all disks and hard drives from any connections to the
    Internet.

    4. Refrain from connecting any computer to the Internet in any way.

    We understand the inconvenience that this may cause some Internet
    users, and we apologize. However, we are certain that any inconveniences
    will be more than made up for by the increased speed and efficiency of
    the Internet, once it has been cleared of electronic flotsam and
    jetsam.

    We thank you for your cooperation.
    Kim Dereksen
    Interconnected Network Maintenance staff
    Main branch, Massachusetts Institute of Technology

    Sysops and others: Since the last Internet cleaning, the number of
    Internet users has grown dramatically. Please assist us in alerting
    the public of the upcoming Internet cleaning by posting this message
    where your users will be able to read it. Please pass this message on
    to other sysops and Internet users as well. Thank you.

    --
    Only the dead have seen the end of war.
  54. A IIS Patch Worm... by Jace+of+Fuse! · · Score: 1

    What would really amuse the hell out of me is if someone were to write a Worm that went out to IIS servers and patched them for the idiots who are too damned stupid to do it themselves.

    Alternatively, someone should write a Worm that takes down the machine entirely and leaves a helpful note to the admin explaining to them how to take his or her head out of their arse (i.e. patch the system or run less exploitable software).

    "Everything you know is wrong. (And stupid.)"

    --

    "Everything you know is wrong. (And stupid.)"

    Moderation Totals: Wrong=2, Stupid=3, Total=5.
  55. OT - Ford / Firestone by Ender+Ryan · · Score: 1
    Actually, isn't the Ford Explorer supposedly an offroad vehicle? Tires for an offroad vehicle should be semi-deflated (or at least be able to be).


    Any offroad tire should (and do) handle that just fine. Either Ford uses crappy road tires (probably) or Firestone tires are shit (probably true also).


    Either way, it looks to me like they're both to blame.


    (ok, now mod me offtopic)

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
    1. Re:OT - Ford / Firestone by Ender+Ryan · · Score: 1

      Yeah, that's about what you'd figure these days.

      Damn, I friggin hate all these new SUVs, what crap. They're worthless! WTF is the point, take a truck frame, put car tires on it, leather, flashy paint, flashy rims, flashy chrome shit all over the place, which makes it.... A glorified mini-van.

      I've been a Jeep owner for 5 years, I love them. I just got rid of my Wrangler a few months ago, but I still have a Cherokee. When I have the money, I plan to get another Wrangler or CJ to play with.

      --
      Sticking feathers up your butt does not make you a chicken - Tyler Durden
    2. Re:OT - Ford / Firestone by NewOrder · · Score: 1

      Yeah, when I take my jeep offroading or even in 6 or more inches of snow on the ground I deflate my tires from 40PSI to 20PSI (in extreme cases 10PSI). Makes one hell of a difference in traction. But I do not dare go above 60MPH (20psi, 30mph @ 10psi) in those deflated conditions for long periods of time. That creates extreme amounts of heat and is just terminally stupid.

      But the Ford SUV is no off road machine at all. It's a POS luxury SUV ppl buy to feel "safe" and to make it over speed bumps.

      --
      -- Jason...
  56. Woohoo! by Ratchet · · Score: 1

    First good thing to come from an internet-wide virus attack, the company I "work" for has *finally* decided to switch from NT/IIS to Linux/Apache!
    WOOHOO!!

  57. Re:Gibson may be extreme, but he does have a point by kootch · · Score: 1

    sorry to nitpick, but your statement about companies attempting to keep their computer systems up to date was just a bit too much.

    I know of way too many large companies that are just now upgrading from Win95 to Win2000 (they skipped NT4 and Win98).

    Large companies don't like to upgrade, and when they upgrade, lots of machines at a time are left unmaintained by the systems people because they're busy configuring the new machines and fielding requests by the new users who can't find their bookmarks and such.

  58. Re:Microsoft should just give up on IIS by jhines · · Score: 1

    Or take a clue from the OpenBSD project, and audit their code, and fix all of the buffer overruns, and other problems that have plagued them in the past, and are usually repeated the same way throughout the code base.

  59. Re:Best-case scenario by DebtAngel · · Score: 1

    Your friend does know he can get CF for Linux, right?

    Now, while he might as well take the time to learn PHP anyway, it's not like Allaire/Macromedia has been ignoring the Linux market.

    --

    Is this post not nifty? Sluggy Freelance. Worshi

  60. Facts all up the wazoo by kimihia · · Score: 1
    it's just because they don't have much market share and nobody bothers writing a virus for an OS like Linux

    Buddy, have you read the most recent Netcraft Web Server Survey, released barely two days ago?

    And another thing, the reason why Linux is not infected is because it didn't have that silly buffer overflow.

  61. Re:They seem to be making a real publicity effort by mrogers · · Score: 1
    a. To rid your machine of the current worm, reboot your computer.
    b. To protect your system from re-infection:
    Install Microsoft's patch for the Code Red vulnerability problem:

    Surely that should be:

    a. Take your machine offline
    b. To rid your machine of the current worm, reboot your computer.
    c. To protect your system from re-infection:
    Install Microsoft's patch for the Code Red vulnerability problem:
    d. Take your machine back online

    Otherwise there's a chance you'll be reinfected between rebooting and upgrading.

    --

  62. Re:Best IIS Patch by John3 · · Score: 1

    I also patched my IIS system years ago by upgrading to Website Pro (formerly O'Reilly, now Deerfield) from Bob Denny.
    www.big-box.com - Covering the world, one community at a time

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
  63. Who modded the parent up? by dave-fu · · Score: 1

    To quote Marc Maiffret, "We've designated this the .ida "Code Red" worm, because part of the worm is
    designed to deface web pages with the text "Hacked by Chinese" and also
    because code red mountain dew was the only thing that kept us awake all last
    night to be able to disassemble this exploit even further.
    "
    If you want to blame someone, blame eEye; for once, a journalist isn't to blame. I'll content myself with wagging an accusatory finger at the braindead moderators who dumped points in your lap.
    Easy does it!

    --
    Easy does it!
  64. No difference. by dave-fu · · Score: 1

    Best practices dictates that you uninstall any unneeded services: you install a vanilla (OS of your choice) server and point it to the internet, it's gonna get rooted in no time; the Honeynet Project has shown this to be (perhaps not statistically) true.
    The service may have been exploitable, but the VAST majority of websites weren't even using it and as such should have removed the script mappings (and DLLs, for the truly paranoid).
    Of course, IIS patches do a fine job of restoring script mappings behind your back, so maybe you have a point after all?
    Easy does it!

    --
    Easy does it!
  65. It was discussed on Bugtraq. by dave-fu · · Score: 1

    File it under bad idea: you release it, you're liable. Unless you can test every NT/Win9X installation and every piece of hardware it talks to between here and the ends of the earth and verify that it's OK and verify that the operators have OK'd your entry to their systems, you're hanging yourself out to dry.
    Which is to say it's a dumb idea, but not a horrible one, so if someone else wants to, uh. Go ahead or something.
    Easy does it!

    --
    Easy does it!
  66. Good riddance. by dmoen · · Score: 1
    CERT is sending out warnings that the entire internet will cease to exist if the Code Red MSTD isn't stopped in its tracks.

    Not the entire internet. Only 25% of the web uses IIS servers. The rest is mostly Apache.

    Frankly, if all of the IIS servers disappeared off the web tomorrow, I wouldn't shed a tear. None of the sites I care about would be affected.

    --
    I have written a truly remarkable program which this sig is too small to contain.
    1. Re:Good riddance. by Legion303 · · Score: 1
      Not the entire internet. Only 25% of the web uses IIS servers. The rest is mostly Apache.

      <sarcasm>
      Yeah, and CERT obviously forgot that the Code Red worm only sends its bandwidth-sucking attacks to the white house over IIS servers. Damn, they're clueless.
      </sarcasm>

      -Legion

  67. Re:From cringely's article by Hell+O'World · · Score: 1

    Or perhaps he means... (horrors!) .NET!

    Subscription software would mean that the latest versions/patches would automatically be sent out to everyone. Grandma's web server will have sparkly clean software.

  68. Re:People still don't know by kindbud · · Score: 1

    The line for the license exam starts to the right. Put down that keyboard and get in it.

    --
    Edith Keeler Must Die
  69. Re:Why can't MS be held responsible? by JoeShmoe · · Score: 1

    When there was a problem with the gas gauge on my car, I got a call from the dealer that sold it to me. The manufacture had issued the advisory because they didn't want customers stranded without gas due to faulty readings. They told the dealers and the dealers told their customers. That's usually how a recall works, although for serious ones the media usually gets involved.

    So then why can't MS contact the VARs who sold/installed NT/2000 server and have them run through their customer list and advise them of this recall in the same fashion? Really, the only systems at risk should be the ones that are pirated.

    At every company I have worked at, there is no one single person responsible for "all things NT" and so as a result, it is very difficult to make sure that everyone is on top of the latest update and that it is pushed down to all the servers without interrupting production systems. So patches are basically a "when time permits" activity for whoever remembers to do it. I don't say that's right, but that's reality and I wouldn't be surprised if patches are forgotten because sysadmins are busy getting some users e-mail recovered.

    Now, if some IT manager got a call warning them that their servers were vulnerable, he or she would issue the order and it would get done. If you leave it up to the sysadmins, you are really counting on them being thorough and I've known people who are MSCE and know they should patch systems but simply don't have the time because they can't make their bosses see it's a Sev1 issue when compared to the MQSeries rollout.

    - JoeShmoe

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  70. Re:Why can't MS be held responsible? by JoeShmoe · · Score: 1

    With one key difference...with open source software people are capable of theoretically fixing it themselves. Which means it is much easier for end users to accept responsibility.

    MS is closed source so when a problem is discovered, you can't just alert everyone and be done with it. You have to go to MS, get them to fix it, then issue the alert.

    One solution to the Firestone mess was to remove the Firestone tires and replace it with some other brand, a brand that could then be used in the quasi-inflated state Ford recommended. But what if only Firestone tires worked on Fords? Then you would HAVE to wait for Ford to re-engineer and re-distribute tires, during which time you would either have to drive around in an unsafe condition or not use their Explorer (ha, that analogy is closer than I thought).

    - JoeShmoe

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  71. Re:OT: Firestone vs. Ford FUD by JoeShmoe · · Score: 1

    Firestone argues that the cut-rate crappy tires would have been fine if they hadn't been deflated to 25psi from the factory-spec 32psi...they still maintain that it was this deflation that caused the tread separation, not the manufacturing.

    In all likelihood it was probably a combination of both but how much? 80/20? 70/30?

    -JoeShmoe

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  72. Why can't MS be held responsible? by JoeShmoe · · Score: 1

    Seriously. Compare this disaster to the Ford/Firestone mess:

    A) Ford decides to ship vehicles with partially deflated tires.

    B) MS decides to ship products in their least-secure state with every service running.

    A) When this causes problems, Ford blames Firestone for not making tires that can handle it.

    B) When this causes problems, MS blames system administrators for not being smart enough to patch their system.

    A) The end result is that many people died because Ford passes the buck to Firestone and Firestone passed it right back to Ford.

    B) The end result is that many servers are going to be knocked offline because MS passes the buck to sysadmins and sysadmins pass it right back to MS.

    In my opinion, someone should force MS to take responsibility for issuing a product recall...just like in any other industry. That means they must contact their dealers and their dealers must contact their customers and get it patched. Obviously this is serious enough to warrant that kind of attention and MS can surely afford it.

    - JoeShmoe

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
    1. Re:Why can't MS be held responsible? by skuenzli · · Score: 1

      I don't have an MS EULA (or any other company, but they're more or less all the same), but EULAs typically disclaim all warranty for fitness of purpose. So, when you install IIS, you have to agree that even though you're installing this super-duper software, it may not be able to handle a GET request.

      Of course, the GPL does the same thing with point 11 (with the explanation that there's no warranty because you received it freely):

      11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

      So, when somebody says they can't use Free software because there's no one to sue or get support, you should tell them that the EULA that came with their commercial software probably specifically removed those options from them and they'll have to make other arrangements anyway.

      So, I think the 'no one to sue' argument is a bit of a red herring when used against free software.

      Regards,
      Stephen

    2. Re:Why can't MS be held responsible? by LoudMusic · · Score: 1

      All your points are correct ...

      Plus: Free and/or open sourced software is generally issued as 'Use at your own risk, we offer no support/help/advice/patches unless we want to. Best of luck to you, see you in Hell.' Whereas Microsoft touts their products as secure and easy to maintain (load of crap).

      What is true about MS software is that it is highly integratable and works well together, which is the exact problem of most of the security holes.

      Oh well, I guess you could say that Microsoft killed the Internet, or at least opened the door for someone else to.

      I like your analogies, they're right on (:

      ~LoudMusic

      --
      No sig for you. YOU GET NO SIG!
    3. Re:Why can't MS be held responsible? by LoudMusic · · Score: 1

      That I can agree with. I didn't think that Microsoft would have left themselves wide open on a license like that. I guess it's "buyer beware", or maybe "user beware" would be more appropriate here.

      Thanks for the copy/paste (:

      ~LoudMusic

      --
      No sig for you. YOU GET NO SIG!
    4. Re:Why can't MS be held responsible? by the_tsi · · Score: 2

      Don't you ever read that EULA before you install?

      MS (and every other software company) have you agree not to hold them responsible for any loss of any kind (and due to any cause... even negligence). If I were a computer company, I'd have you agree to the same thing.

      Now, the question for the lawyers is if the negligence is to the point that they are in breach of their portion of the EULA, which would put the users in a position to demand something in return (service, patches, upgrades, money, bill's head on a platter, etc).

      -Chris
      ...More Powerful than Otto Preminger...

    5. Re:Why can't MS be held responsible? by StevenMaurer · · Score: 2

      The reason why MS can't be held responsible is that manufacturers are not responsible for deliberate illegal misuse of their products.

      Ford and Firestone got into trouble because people attempting emergency maneuvers, or just driving on a hot day, could have a tire blow leading to a rollover. They wouldn't have been in trouble if the failures only occurred when a crook deliberately targeted the tires with a gun.

      Manufacturers are not legally responsible for making their products "bullet proof" - unless they specifically contractually agree to do so. It's the criminal himself who is liable.

      This, by the way is also true for firearms, which is why you can't generally sue a gun manufacturer when someone murders a family member with their product. Only if they knowingly sold the product to someone who was likely to commit a crime (a felon or violent paranoic) do you have a prayer of a chance against them in American courts.

    6. Re:Why can't MS be held responsible? by Reality+Master+101 · · Score: 2

      In my opinion, someone should force MS to take responsibility for issuing a product recall...just like in any other industry.

      What do you think a security advisory and a patch is?


      --

      --
      Sometimes it's best to just let stupid people be stupid.
    7. Re:Why can't MS be held responsible? by tswinzig · · Score: 2

      In my opinion, someone should force MS to take responsibility for issuing a product recall...just like in any other industry. That means they must contact their dealers and their dealers must contact their customers and get it patched. Obviously this is serious enough to warrant that kind of attention and MS can surely afford it.

      If your aim is really to stop this worm, and not to "punish Microsoft," then you're way off base.

      How exactly would Microsoft be able to contact the sysadmins? They don't have everyone's number. (They don't have ours, and we run servers with NT4 and IIS4 at work.)

      Instead, Microsoft has issued not only the original patch to their security alert list (which every real sysadmin is already subscribed to), but also another warning yesterday about the problem and how severe it is. They've also placed notices on their websites.

      This is far more effective, and will reach far more sysadmin people, than trying to call all the companies that have registered NT/2000.

      --

      "And like that ... he's gone."
    8. Re:Why can't MS be held responsible? by tswinzig · · Score: 2

      So then why can't MS contact the VARs who sold/installed NT/2000 server and have them run through their customer list and advise them of this recall in the same fashion? Really, the only systems at risk should be the ones that are pirated.

      Are you kidding? Yeah, pirated systems and every IIS system in use by a small business who does not buy "from a dealer." We bought our copies from places like Fry's. They don't know we have the software. How exactly would we be notified?

      At every company I have worked at, there is no one single person responsible for "all things NT" and so as a result, it is very difficult to make sure that everyone is on top of the latest update and that it is pushed down to all the servers without interrupting production systems.

      This is exactly why the current system is the best. The person that is in charge of keeping the NT systems secured would be on the Microsoft security alert list. That is the best way to reach the correct person.

      The main problem is with people who don't have anyone maintaining their security. Chances are, though, that they too did not buy from a software dealer, but instead, from a regular software store.

      Now, if some IT manager got a call warning them that their servers were vulnerable, he or she would issue the order and it would get done.

      Where do you draw the line, then? Should Microsoft have to do these calls for EVERY patch or potential security problem that is found in Windows? What about if this flaw infected all versions of Windows, with or without IIS installed. Would it be plausible to call every person in the world that owns Windows, and let them know to patch their machine?

      They are doing all that can reasonably be done on this one. Realize that 75% of all people have average to below-average intellect. Worms take advantage of this fact.

      --

      "And like that ... he's gone."
    9. Re:Why can't MS be held responsible? by tmark · · Score: 2
      In my opinion, someone should force MS to take responsibility for issuing a product recall...just like in any other industry.

      And what would you suggest happen if someone installed a stock (say) RedHat box that (say) had telnet open, and someone worked their way in there and brought it down ? Would you hold RedHat liable ? What about if there was some bug in the kernel which brought down some number of machines - would you hold Linus Torvalds liable, and should he be responsible for contacting all Linux users for a 'recall'? If not, why not ? Who do you think we should hold liable for the sendmail worm of yore ? When you install an OS you accept a certain amount of responsibility for taking reasonable steps to assure its security. AFAIK, there were alerts and patches put out some time ago, so Microsoft's culpability is mitigated greatly, but even if there were not, it is too much to expect companies to accept liability for bugs in their software. Now, if MS had known about the bugs but kept that information quiet, that would be different.

    10. Re:Why can't MS be held responsible? by OpCode42 · · Score: 2
      Don't you ever read that EULA before you install?

      Sorry, it's been about 5 years since I had any MS software in my possession.

      the question for the lawyers is if the negligence is to the point that they are in breach of their portion of the EULA

      Yeah, Under the trade descriptions act (in the UK anyway) a product has to be fit for the purpose sold. IIS is not fit for serving web pages, due to the huge security holes. Yeah, patches can fix this, but the purchased product is not fit for the purpose it was bought for. Plus, I have seen a few systems where patches for the CGI Decode bug are not effective. A full refund would then definitely be in order. It would be interesting to see what happens if a case is ever brought to court.

    11. Re:Why can't MS be held responsible? by OpCode42 · · Score: 2


      This is an interesting point. Can MS be held responsible for holes and bugs in their software that cost businesses money?

      MS could say that part of running a machine connected to the internet is checking for bug fixes and applying them, and that it is the user's responsibility.

      However, companies pay a lot of money for MS software, which is marketed as secure and easy to maintain.

      Can anyone with an MS licence agreement tell me if they have a disclaimer absolving them from any responsibility if their software goes wrong and costs you money, either due to downtime or data loss?

  73. It's just one way but ....... by chrisdb · · Score: 1

    In the Netherlands my university (Technical University of Delft) is actually scanning ALL their IP# themselves for the vulnerability and will filter all hosts who are vulnerable.

    The owners of course will be informed they are vulnerable and should fix their system(s).

    I know it's a lousy job, but I think it's a good start !

    ( one could say they are probably generating more network traffic during this scan than the worm would do but okay ;-) )

  74. Re:Idiots in journalism by RedHat+Rocky · · Score: 1
    Was that before or after a call to Pepsi and Coke and a small bidding war which ended with 5 million USD transferred to a numbered account in the Cayman Islands?

    --
    Anything is possible given time and money.
  75. The sky is falling... by gordzilla · · Score: 1

    Jesus, You'd think the world is going to end the way all three major newspapers in my home town have "CODE RED" splashed across their front pages.

    Correct me if I'm wrong here, but as of 00:00 utc, Code Red goes into "propagation" mode, the real trouble won't start until the 20th of next month when it starts hammering the world wide web.

    Typical media, blowing things out of proportion (again)

  76. My site was 'Hacked by Chinese' about 5 weeks ago. by sideshow · · Score: 1
    Our phone system is run by a router. My boss was trying to show his boss how to configure his phone over the browser based interface. Well instead we got a 'Hacked by Chinese' page. I think all the anti-virus guys said to do was reboot the machine, which I did.

    This happened over a month ago. This sounds like Code Red but everybody keeps saying it was created on 7/17. Did I get it early? Or is this something else?

    --

    Hollow words will burn and hollow men will burn.

  77. Another Company Suffers for Misinformation by sideshow · · Score: 1
    First, Cold Fusion has absolutely nothing to do with windows. To tell the truth most people I know that use Cold Fusion use it because they aren't using IIS and therefore can't use ASP.

    Second, In less than three days he got his Linux system running? Didn't he tell you he had his NT/IIS system up before lunch the first day?

    --

    Hollow words will burn and hollow men will burn.

  78. Re:Magic Bullet (was Re:die, monster devil, die!) by DeePCedure · · Score: 1

    Don't think that just because you're running a Linux distribution that you're safe from worms.

    I would really like to see this sentiment taken to heart by admins of any OS. All holy wars aside, no system is 100% secure unless it's disconnected from the internet, WAN/LANs, modems, or any other communications device... including drives that can use shared disks.

    Whatever happened to the paranoia that drove the development of tighter security in Linux? Do all the alpha-geeks, gurus, and wizards truly feel this safe when they know that other alpha-geeks, gurus, and wizards with the same knowledge have turned to the dark side of the force?

    I know MS bashing is a blast, and it furthers the cause of the Jihad, but at what cost? Every single person who tangled with Lion, Ramen, or even the Internet Worm of '88; then proceeded to denigrate MS here today makes the community look exponentially more idiotic.

    We should be discussing ways to resolve and prevent this, and similar instances of, malware. I haven't seen one suggestion to contact admins of infected machines. It's simple enough to do. Look up the owner of the offending IP and send an email or make a phone call. The way MS bundles all of their products, if an inexperienced user (not admin) has installed WinNT 4 server by themselves, they may very well have IIS installed and not even know it. A phone call to their admin could get the problem fixed, which is a damn sight better than whining about how Truly Evil ol' Bill really is.

  79. Re:60 % Apache is not all unix by JimR · · Score: 1
    you don't have to run unix to run apache the win32 port is dreadfully easy and comes with lots of docs

    Ah, but anyone with the intelligence to download and install Apache for win32 and read the necessary documentation, is also intelligent enough to download and install a decent operating system to run non-win32 Apache on.

    --
    #exclude <ms/windows.h>
  80. Re:Mis-set clocks? by JimR · · Score: 1
    IIRC, the worm is memory-resident-only and therefore can't survive a reboot.

    So all that needs to be done is make sure that every machine running a Microsoft Operating System is powered off, and the world is safe.

    (And maybe once people realise that the world is safe when there are no MS boxes running they won't bother to power them back on ;-)

    --
    #exclude <ms/windows.h>
  81. Re:Steve Gibson Made this Worse by T.Hobbes · · Score: 1

    I saw that series too.. I was struck more by how much of an ass he is than his relative intelligence. More of a Steve Jobs than a Gibson.

    Linus has,in fact,grown,and explosively-JonKatz

  82. Re:Why all the public hullaballoo by DJStealth · · Score: 1

    The problem is that every patch that Microsoft makes, installs DLLs that break something else.

    I've worked as a SysAdmin for government before, they usually want to do about 2 weeks to a month of testing on a test machine before they'll actually install it on a production server.

  83. I can't wait! by DJStealth · · Score: 1

    I can't wait until 7pm when all the MS servers go down, and companies start making decisions to migrate to *nix based OS's running Apache!

    Maybe then MS will decide to put some quality into their work

  84. Re:CNN this morning by BradleyUffner · · Score: 1

    #1=turn off unused services even if you turn off index server you can still be infected.

  85. Windoze Versions by twitter · · Score: 1

    Let's see. Here at work we are up to NT service pack six and IE 5. If you factor in all the other programs that change dlls and what not, MS junk has lots of variants. (That's why software does not always work on MS platforms. Hell, I've never had an MS box that actually did everything it was supposed to, but that's another story.) The only thing that's been consistent is low quality and poor security. Why fix bugs when there is a competitor to trip up?

    --

    Friends don't help friends install M$ junk.

  86. FUD kill. by twitter · · Score: 1
    there are undoubtedly subtle and potentially dangerous bugs in the Windows code which will be obvious to anyone who can steal the source from the servers.

    The flaws will be more obvious to poor users. Who needs source code to break machines? You find responses faster by sending ugly junk to a running machine. Source code is better for fixing things.

    Oh that subtle and complicated piece of work that is MS. More complicated than the space shuttle, able to deliver Active Desktops, Adverts and other trash to you by clever scripting language that has full root access right from your word processor. Bloaaaty 500MB footprint of MSIE, cool!

    --

    Friends don't help friends install M$ junk.

  87. Re:MS == Internet by Simon+Garlick · · Score: 1

    Yeah, you never hear the real truth - that Cisco runs the Internet.

  88. The word from Microsoft in Australia by Simon+Garlick · · Score: 1

    In today's Sydney Morning Herald:

    Microsoft Australia product marketing manager Mr Calum Russell said it was highly likely that "people out there with malicious intent" would kick the worm - which runs on a monthly cycle of self-propagation and attack - off again.

    Microsoft today defended itself against criticism that it was partly to blame for the spread of the worm and the threat it posed to the Internet by clogging traffic.

    "With over 50 per cent of Websites run on Microsoft servers it makes us a natural target. It means if someone is going to do something malicious, who will they target? Microsoft," said Mr Russell.

    Microsoft spent "hundreds of hours" testing its products, but security vulnerabilities were constantly found because of the advances of technology and hackers, he said.

    Hey, nice to know that Microsoft http servers are now running over half of the Web. I guess the stats at Netcraft which put MS at less than 26% are just wrong, huh?

  89. Re:Idiots in journalism by Caspuh · · Score: 1

    Yes, we should stop reverse engineering bugs that can clog up the net and focus all of our energies on "WindowsKnockOff v. 0.237".

  90. Re:The Entire Internet Will cease to exist... by Enzondio · · Score: 1

    Someone to feed my family for me.

  91. I can see it now... by Raymond+Luxury+Yacht · · Score: 1

    Web Surfer: What happen?

    ISP: Someone set up us the Code Red worm.

    Tech Support: We get signal.

    Web Surfer: What!

    Tech Support: Main screen turn on.

    Web Surfer: It's you!

    Code Red: How are you gentlemen!! All your IIS server are hacked by Chinese. You are on the way to destruction.

    Web Surfer: What you say!!

    Code Red: You have no chance to survive make your time. Ha ha ha ha....

    --

    Ceci n'est pas une sig.
  92. Deja vu? by razablade · · Score: 1

    Anyone else remember all the hype about Y2K that never amounted to anything?

    --
    The expression is "I could NOT care less." Think about it.
  93. Cringely: Brush up on your clock skills! by rjune · · Score: 1

    Mr. Cringely states in his article that 7:00 pm Eastern time is Midnight (or 2400) Greenwich Mean Time. We are on Daylight Savings Time so it is actually 8:00 pm Eastern and 5:00 pm Pacific time before the fun begins. Use your extra hour wisely!

  94. Re:Apache problem by friscolr · · Score: 1
    It seems to me that this is a potentially larger problem with most distros of Linux.

    Linux distros ship with a lot of other services active which are often vulnerable to remote root exploits - lpd, wuftp, samba - but the apache vulnerabilities are few and far between, and generally only allow something silly like a directory listing. Products using Apache such as the notorious Matt's Scripts are more likely to be vulnerable and might be widely distributed enough to be a problem.

    But if you're talking solely about linux boxen being problematic, they already are with those non-apache vulnerabilities, and every time someone at my work brings up a redhat box, within 24 hours it's been hacked and 24 hours later we're getting email from people complaining about port scans from that box.

    The best solution is to disable servers and include firewalling by default. I was delightfully surprised that RedHat 7.1 asks to set up firewalling during the install. Finally!

    -f

  95. Re:Can't They... by ~Socrates · · Score: 1

    Euhm, sorry, but you're wrong

    Really, once it hits /dev/null it's gone to the heavens, bye bye packet, holding a ceremony with flowers and a coffin, things like that.

    If /dev/null would have been linked to the internet, people would get some really weird packets from me :)

    -- Socrates

  96. Re:Can't They... by ~Socrates · · Score: 1

    Yeah, and next thing is that the backbones will do routing if you try to use an encrypted link to www..com

    I like my internet non-contaminated. traffic shaping is _not_ an option

    --Socrates

  97. Re:Worms and market share by Dahan · · Score: 1
    More than 10 years ago, and back then, most machines on the Internet were either Vaxes running BSD or 68K Suns running SunOS.

    The Internet is much more diverse these days.

  98. uhg. bunch of lazy sysadmins... by yzquxnet · · Score: 1

    Come on, if you get a hit again, or even if it's your first time getting hit with the virus, You really deserve it. For starters, there has been so much media coverage on this worm that I hardly know anyone who hasn't heard about it. And secondly, if it's your job to admin these servers, WHY THE HELL HAVEN'T YOU PATCHED IT YET!!! My servers were correctly patched before even the first wave came through. Someone must not be doing what they are being paid to do. Come on people, it only takes a few minutes a day to go to Microsoft's website and check for updates.

  99. Why are worm writers plain stupid ? by kaltan · · Score: 1
    I don't know how this comes, but if one is technically/intellectually able to write a worm, why then:

    Do they use pseudo random number generation (all infected servers check exactly the same IP addresses) --> with less effort you could just run all the IP addresses sequentially.

    Encode the target IP statically

    don't they just simply use one of the many DDOS BOTS available if the only purpose is flooding.

    Wasn't the hackers code : "Do it once, do it good" ?

    It just looks to me like a 'gotten out of hand' toy, prematurely released on the internet...

  100. Re:Maybe we should send Al Gore a wreath.... by Milalwi · · Score: 1
    ... and a card with our Condolences to mark the death of his "child".
    I won't believe it until I see the "film at 11"!

    Milalwi

  101. Re:Worms and market share by krogoth · · Score: 1

    The biggest security problems are the "install everything" idea and the "default password idea". If, for example, my desktop machine was cracked and all my mp3s erased because I was running bind (no, i'm not), I would feel pretty stupid. We need the users to take the time to read the documentation (which has to be there) to be able to only install what they need.

    Also, default passwords on anything that can be a gateway to system access - such as the default password on certain Red Hat servers that caused a problem a while ago - have to go. Even Mandrake Linux, which is made for new users, asks for passwords instead of saying "your root password is wordpass. If you ever find the time, you just might want to think about changing it, but it's ok if you don't".

    Another thing computers need in their default install is more security. Why don't consumer operating systems come with firewall installed by default? Zone Alarm is an excellent firewall that I used on Windows that stealths the system (in fact, unless you specifically allow a program to act as a server, it will not even respond to incoming packets attempting to open a connection). It also asks you for permission to allow each application to access the internet, and uses checksums to make sure it's still the same program. The users also need to know more - yesterday my dad got asked to allow "scam32.exe" to access the Internet, and said yes. Although frequent updates (for those who can do it) would allow the program to detect known viruses and slow the infection rate, it's very hard to set up an automatic security system (of course, there is always the option of default-denying based on a list of known safe applications, but that would have to be a well-maintained and large list to satisfy all the users).
    ---
    btw, sorry for the bad paragraph spacing. Slash doesn't seem to understand that I want two line-breaks!
    ---

    --

    They that quote Benjamin Franklin on liberty and safety deserve neither.
  102. Re:Gibson may be extreme, but he does have a point by krogoth · · Score: 1

    I agree with you that he does actually say some useful things (I wouldn't run a firewall if it weren't for the GRC), but after reading some things against him I have come to agree with them at least a little - for example, from vmyths, "Translation: antivirus software could no longer save the world from evildoers as of 1992.". Also, they go on to say ""Nearly impossible to detect." "Alarming capabilities." "The game is forever changed." "Amazing and staggering." "Completely incapable." "Fundamentally a dead end." Gibson mastered the art of trigger phrases at least nine years ago.". This is something that is very obvious if you read something he's written - the first time I went to GRC, I wasn't sure it was real because his writing style looks like it's stolen straight from spam. He is doing everything possible to get his readers' attention, and it seems to be working, which is a bad thing if he starts spreading delusions.
    ---

    --

    They that quote Benjamin Franklin on liberty and safety deserve neither.
  103. Re:Worms and market share by ogre2112 · · Score: 1

    This isn't flamebait, it's truth and understanding. I would've mod'd this interesting, myself.

    Ahh, Only if I hadn't used all those mod points on the Xena story... Sigh.

  104. Re:No IP telephony for Robert X. Cringely by Doomdark · · Score: 1
    While it is true that one shouldn't just assume VoIP uses 'stock' internet backbone connections, it may well be more cost-effective for carriers to mix traffic at some level. And if the mixing is done dynamically (ie. no hard-coded fixed bw allocation for different traffic types, or QoS), excessive IP traffic might cause problems to VoIP calls too. And that would include virus-generated traffic amongst 'valid' overloads.

    Of course this doesn't (like the original author claimed) make VoIP impractical or too susceptible to fluctuations on general Internet traffic rates, but perhaps it could cause some problems. But... that's something companies have to deal with whether viruses exist or not.

    --
    I like paying taxes. With them I buy civilization -- Oliver Wendell Holmes
  105. Re:Are there any non-microsoft viruses anymore? by Doomdark · · Score: 1
    BIND has got to be the closest open source product to IIS with respect to massive numbers of vulnerabilities that give "immediate root access" to quote SANS.

    Wonder if sendmail has lost its position as number one Intruder Service, then? :-)

    --
    I like paying taxes. With them I buy civilization -- Oliver Wendell Holmes
  106. Re:Gibson may be extreme, but he does have a point by Doomdark · · Score: 1
    ... Think about this for a minute. It is easy to conceive of ways in which much more damage could be done to the internet than has already been done. If I recall correctly, the ILOVEYOU virus deleted jpgs from hard drives. The worst results I am aware of from this is a commercial image database being wiped out.

    Commercial companies make backup copies of their databases on regular basis. This means that while financially losses are big (big bucks DB admins get paged to restore stuff from backups), the content losses are likely to be at most as severe as results of hardware failures (which do happen... even with sophisticated raid systems etc).

    Also, unlike ignorant end users, companies (their admins) usually try to keep their systems up-to-date, and are likely to be less vulnerable to attacks. Even though as targets they are more visible, and probably more lucrative, too, they are much better prepared against threats than your regular Joe Sixpack.

    Up until now, we have dealt mainly with simple scripts whose workings are obvious.

    I don't want to flame you here (you did say you are not a security expert), but usually worms are not just simple scripts (nor even non-word viruses); on unix-systems they may (and have) been scripts to be more portable, but there isn't anything simple in them either.

    As to email being required... for decades (since first worms were created, early 80s?) worms have been able to use other network connections than email. That's the case with CR; variety is good for viruses and worms. Spreading using attachments is easy (some might say lame...) way to spread, but bit too obvious. Easy to implement, though, which is why it has been a popular approach.

    I guess I just disagree with doomsday prophecies like this. Even though I don't want to appear like a MS-bashing zealot, I must say that Microsoft is now paying for putting security related issues on rather low priority for years. There's a lot that have been done by other companies and organizations (Java-security model by Sun, xBSD code inspections to build reasonably secure server OSes, etc. etc); Microsoft just didn't think potential risks were big enough. They have been proven wrong... and hopefully have started paying more attention.

    --
    I like paying taxes. With them I buy civilization -- Oliver Wendell Holmes
  107. Re:Gibson may be extreme, but he does have a point by Doomdark · · Score: 1

    Well, I probably should have clarified that I mean security patch - type upgrades. And yes, on work station - side, things get pretty obsolete. But for servers, although (large) companies dislike upgrading to new versions, they do usually apply the patches as required. Or perhaps that's only for the ones that are more mission critical than others, my view may be bit distorted. I'm sure mom and pop - ISPs are different from Fortune 500 dinosaurs.

    --
    I like paying taxes. With them I buy civilization -- Oliver Wendell Holmes
  108. Re:Magic Bullet (was Re:die, monster devil, die!) by pyite · · Score: 1

    You know, I'd love to tell someone there's a vulnerability in their system, but I'm truly afraid of the consequences. You know, if you own a store and someone walks by to window shop while you're closed, and just happens to move the door to the point of realizing it's not locked, and then they inform the police or yourself, you're grateful. You're grateful someone decent enough to tell you noticed it before someone with malicious intent did. Yet, whenever someone does the internet equivalent, FUD explodes all over the place. For some reason on the internet, if you have knowledge of something evil, then you are pre-determined to use such knowledge in a bad way. And like I said, I agree with your opinions 100%.

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

  109. Re:Gibson may be extreme, but he does have a point by starseeker · · Score: 1

    Bingo.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  110. Re:IIS Explained by Dr.+Spork · · Score: 1
    How about:

    I Infect Servers
    Internet Immobile Soon

  111. Time Zones? by tubs · · Score: 1
    From the Cringely article ...

    For those readers in the United States, that is 7:00 PM Eastern and 4:00 PM Pacific time on Tuesday, July 31.

    Does that mean readers in the United States wouldn't have been able to work the time out and everyone else could? Or Cringely thinks there are only 3 timezones - Eastern, Pacific and GMT?

    --

    try to make ends meet, you're a slave to money, then you die

  112. Re:Code Red Sci-Am article by Dr.+A.+van+Code · · Score: 1
    This isn't the first time Meinel has socially engineered her way into Sci Am. They had an issue devoted to security a couple of years ago, and in addition to people like (if memory serves) Matt Blaze and Bruce Schneier, they had an article filled with her drivel.

    You would think Scientific American would have learned from that experience (I imagine they got a fair amount of negative feedback from it), but apparently they didn't.


    Well a friend of a friend of a friend told me

    --
    Good mfences make good neighbors.
  113. Just RBL infected machines by Captain+Kirk · · Score: 1

    It seems they have the IP addresses of the infected machines. So the routing tables of backbone providers could be updated to block those IP addresses. I think that might prompt the owners to patch their machines, disable IIS or whatever.

    So what's the problem here...it's just like rbl-ing a spam host.

  114. Microsoft should just give up on IIS by JimPooley · · Score: 1

    Maybe they could buy Apache instead. Or perhaps just licence the Windows version for bundling purposes. This has just got to be bad publicity. "The web server that ate the internet."
    My boss has just told our head of technical support to download the patches.
    I said to our head of technical support "We don't need no steenkin' patches!"
    Running Apache on Linux has turned out to be the right choice!

    Hacker: A criminal who breaks into computer systems

    --

    "Information wants to be paid"
    1. Re:Microsoft should just give up on IIS by b0r1s · · Score: 1
      Doesn't that seem logical to you? If you rebuild something, starting from scratch, yes, you'll have to re-apply the patch, because the source you're using to rebuild the stack is UNPATCHED. Same as if you apply service packs that might not incorporate all of the fixes: remaining fixes must be re-applied.

      More interesting to me, though, is this comment in one of the articles:

      A second proposal was to simply send an e-mail to the registered administrator of every infected IP address saying "Hey, your server is infected, patch it!" This, too, was rejected, because the authorities didn't want to scare poor sysadmins by asking them to do their jobs. That they didn't at least try the e-mail route astounds me. They have a list of all the IP addresses. It would have taken an hour, but it didn't happen, according to sources who were present at the meeting.

      I work on the Unix staff at a small private college. Many students on the dorm network choose to run win2k/IIS to serve personal webpages. We received an email from "codered@securityfocus.com" informing me of two boxes on the school network that were compromised. Interesting. A portion of that email is below:


      Hello,

      This mail is from the ARIS Analyzer Service (Attack Registry and Intelligence
      Service) from SecurityFocus. It has come to our attention that your system(s),
      listed below have been identified as being compromised by the Code Red Worm.
      The Code Red Worm is rapidly spreading across the Internet, compromising
      vulnerable Windows NT IIS servers.

      The addresses identified as belonging to you are as follows:

      134.xxx.xxx.xxx xxx.eng.xxx.Edu
      134.xxx.xxx.xxx xxx.st.xxx.Edu

      You can find up to date information on the Code Red Worm at:

      http://aris.securityfocus.com/alerts/codered

      On June 18, 2001, eEye Digital Security released an advisory regarding a new
      security hole in IIS. You can find its advisory at:

      http://www.eeye.com/html/Research/Advisories/AD20010618.html.

      In short this worm is propagated by a recently released buffer overflow
      attack in Microsoft's IIS Index Server and Indexing Service ISAPI Extension.
      The worm exploits this buffer overflow in the code that handles .ida requests.
      An as-yet unknown source has created an exploit and turned it into a worm.
      The worm attempts to deface the Web site of the victim host with the
      following HTML code:

      Odd, but good. I was able to forward the email on to those responsible, and they have both since been patched.
      --
      Mooniacs for iOS and Android
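
The notification quoted in the comment above comes down to spotting requests to the `.ida` handler and listing the hosts that sent them. The following is an added example, not part of the post and not SecurityFocus's code: a small access-log scanner that flags `.ida` requests with an oversized query string and groups them by source address so the owners can be contacted. The Common Log Format layout, the 200-character threshold, and every log line are assumptions constructed for illustration.

```python
import re
from collections import namedtuple
from datetime import datetime

# Common Log Format, as written by Apache and many other servers (assumed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumed threshold: a legitimate Index Server query is short, while a request
# that tries to overflow the handler's buffer has to carry a long argument.
MAX_IDA_QUERY = 200

PAD = "X" * 300  # constructed filler, stands in for an oversized argument

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = f"""\
192.0.2.10 - - [01/Aug/2001:00:03:11 +0000] "GET /a.ida?{PAD} HTTP/1.0" 404 205
198.51.100.7 - - [01/Aug/2001:00:04:02 +0000] "GET /index.html HTTP/1.0" 200 5120
192.0.2.10 - - [01/Aug/2001:00:09:42 +0000] "GET /a.ida?{PAD} HTTP/1.0" 404 205
203.0.113.5 - - [01/Aug/2001:00:10:00 +0000] "GET /search.ida?q=report HTTP/1.0" 200 900
203.0.113.99 - - [01/Aug/2001:00:12:30 +0000] "GET /SEARCH.IDA?{PAD} HTTP/1.0" 404 205
this line is not a log entry
""".splitlines()

Hit = namedtuple("Hit", "count first_seen last_seen")


def is_oversized_ida(target, limit=MAX_IDA_QUERY):
    """True when the request path ends in .ida and the query exceeds limit."""
    path, _, query = target.partition("?")
    return path.lower().endswith(".ida") and len(query) > limit


def scan(lines, limit=MAX_IDA_QUERY):
    """Return ({source_ip: Hit}, number_of_unparseable_lines)."""
    hits = {}
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1          # keep count so silent log damage is visible
            continue
        if not is_oversized_ida(m["target"], limit):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        prev = hits.get(m["ip"])
        if prev is None:
            hits[m["ip"]] = Hit(1, ts, ts)
        else:
            hits[m["ip"]] = Hit(prev.count + 1,
                                min(prev.first_seen, ts),
                                max(prev.last_seen, ts))
    return hits, unparsed


def report(hits):
    """One line per source, busiest first, ready to paste into a notice."""
    rows = sorted(hits.items(), key=lambda kv: (-kv[1].count, kv[0]))
    return [
        f"{ip}  requests={h.count}  first={h.first_seen.isoformat()}  "
        f"last={h.last_seen.isoformat()}"
        for ip, h in rows
    ]


if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    print("\n".join(report(found)))
    print(f"unparseable lines: {bad}")
```

Hosts that show up here are already probing others, so the useful follow-up is the one the comment describes: pass the address and timestamps to whoever runs the machine.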
    2. Re:Microsoft should just give up on IIS by bodhimindspirit · · Score: 1

      Hey, some of our machines are running IIS. I keep them patched, too -- in fact, I'd applied the patch when it was released. Our systems were still compromised. When I re-applied the patch I noticed this caveat in the dialog box after applying the patch: "If you change or add any components to your system, you will need to reapply the hotfix." Hmmm, so if I rebuild the TCP/IP stack, or make any other system changes, I have to remember to apply the patch again...

  115. Odd quote... by chinton · · Score: 1
    I found this quote a little odd in light of the current relationship between the government and Microsoft:

    The government relies on Microsoft and other technology companies to secure everything from defence networks to financial systems. "The protection of the Internet requires a partnership with the government, private companies and the public as a whole," Dick said.

    Kinda like letting the wolf guard the henhouse, don't 'cha think? What's next -- Gotti running the Secret Service?

  116. Re:Why all the public hullaballoo by Joao · · Score: 1

    > The general public, for the most part
    > can do nothing to stop this. It is sysadmins
    > and those running servers who need to pay
    > attention.

    Actually, one of the problems is that it is indeed "Joe General Public" who's running many of these servers. They do a full install of NT or W2K on their home or office PCs, or got their machine with the full OS pre-installed, and don't realize that IIS is included and running.

  117. Conspiracy Theory by Oliver+Wendell+Jones · · Score: 1

    Steve Lipner, head of Microsoft's security response centre, said the company was looking for new ways to distribute patches more efficiently.

    Has anyone considered that maybe Microsoft released this worm in an effort to convince everyone to go to their .NET platform that would allow Microsoft to automatically download these kinds of patches to you?

    --
    A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
    1. Re:Conspiracy Theory by Oliver+Wendell+Jones · · Score: 1

      How stupid can you be?

      Not as stupid as you, I hope. If you re-read my message, you'll see that I said it's a *theory*, I did not say I had any proof, or that I even actually believed it. If you can think of a better theory, feel free to offer it up for speculation, otherwise, keep your asinine opinions to yourself.

      Thanks for playing, though, we have some lovely parting gifts for you.

      --
      A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
    2. Re:Conspiracy Theory by thetman · · Score: 1

      How stupid can you be?

    3. Re:Conspiracy Theory by SuiteSisterMary · · Score: 3

      If you go here: http://www.microsoft.com/technet/security/search/bulletins.xml you'll find a lovely XML doc which lists hotfixes going back, I believe, to 1998, what they apply to, what they're superseded by, and so on. If you look for 'hfcheck' on the MS sites you'll find a lovely little WSH script that grabs this bulletin, and uses WMI to check servers and tell you what needs to be installed. It defaults to only checking for IIS patches, but that is easily fixable.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  118. Take a hint from bio systems by Stultsinator · · Score: 1

    I wonder how long before MS et al. start distributing their virus fixes in the form of self-replicating antiviruses. That seems the quickest way to defeat this sort of thing.

    1. Re:Take a hint from bio systems by Nihilanth · · Score: 1

      I wonder how long before MS (or the government for that matter) starts releasing their own malicious Worms to increase antivirus revenue, spy on users, or scare the lUser population into making uninformed purchasing decisions?

      who's to say this hasn't already happened?

  119. Re:Why all the public hullaballoo by gotih · · Score: 1

    The problem I see is that so many sysadmins are programmers who can't hack code or worse. Take the 'sysadmin' where I work, he's the best friend of the CEO (no previous experience) and spent hours trying to get code red off 4 servers. It's that sort of incompetence that lets these virii propagate in the first place.

    --

    fear is the mind killer
  120. Re:Idiots in journalism by Random_Eyes · · Score: 1
    During the Bush Dynasty, the Empire has once again turned its attention to the Red Menace.

    Everything from asthma to zymotic diseases will be blamed on them.

    Ready the missile defenses! Beware the commie horde!

  121. Tax Code Red by Aloekak · · Score: 1

    Hey, it's very popular, and is illegal. Why don't we confront this like some countries confront drugs. Make them legal and tax the hell out of them.

    The government should tax the people that are "using" code red to "access" whitehouse.gov. We all know that, like the lottery is a tax on people bad at math, this will be a tax on stupid admins.

    :)

    1. Re:Tax Code Red by ethereal · · Score: 3

      I thought there already was a Microsoft tax on stupid admins?

      --

      Your right to not believe: Americans United for Separation of Church and

  122. Re:CNN this morning by MrBogus · · Score: 1

    Free consulting since you are too stupid to RTFM -- Remove the extension mappings for all DLLs that you aren't using.

    --

    When I hear the word 'innovation', I reach for my pistol.
  123. Re:CNN this morning by MrBogus · · Score: 1

    See recommendation #1 above. :)

    --

    When I hear the word 'innovation', I reach for my pistol.
  124. Re:That's not the case by MrBogus · · Score: 1

    Maybe you should check that the survey you link to counts *domains* and not *servers*. For example, www.microsoft.com has 50 webservers but is only counted once, while local yokel ISP hosts 50 lightly trafficked customer domains on an old Sun and is counted 50 times.

    The only reason that Microsoft has such a large share is that it takes a few Windows servers to do the work of one Linux server

    IIS has had a history of reliability problems and is more likely to be used in corporate sites and in loadbalanced configurations. But that means that the *server* count is more like 50/50 (although Netcraft charges for per-IP data.)

    --

    When I hear the word 'innovation', I reach for my pistol.
  125. Re:Why all the public hullaballoo by Suppafly · · Score: 1

    yeh or choose to install a 'kde workstation' and unselect any gnome related items.. then when it's all done, type startx and lo and behold you end up in gnome.. why in the world would you want your kde workstation to start in gnome..

  126. The Register is wrong by thechink · · Score: 1

    I don't always agree with Gibson, I think he's off-base concerning raw sockets, but the Register is way out of line in saying that he predicted severe consequences for the Internet. In reading Gibson's advisory I see no such thing. In fact at the end of the advisory Gibson says:

    "Please note that neither in the above communique, nor elsewhere, have I ever made any dire predictions for the worm's effect on the Internet. Others have, but I am skeptical. I believe that the Internet can easily handle the "replication probing traffic" generated even by millions of simultaneously searching and reproducing IIS worms."

    The rest of the advisory is here.

    The Register has lost my respect, but then it never had much of it to begin with.

  127. Re:Quarantine... by OpenSourceRulez · · Score: 1

    I agree with you wholly on this. If some threatens the US way the govt should be able to say fix it or you won't be able to use it. However I have to say this about the worm: If MS knew what they were doing in the first place these security holes would not exist. This is like what the third or fourth IIS buffer overrun hole. You would have thought after the first one was found MS would have seen if others existed. I am just wondering, might these "holes" be intentionally left there as back doors to systems so that MS can get into them. Just some food for thought.

    --
    "Success is not the result of spontaneous combustion. You must first set yourself on fire." -- Fred Shero
  128. Why not rewrite the worm to propagate the fix? by totalslacker · · Score: 1

    Given that the security hole is a known problem, why not write a worm which finds unpatched servers and patches them? Yes, you would want to be sure that you're not unleashing some new death, but it would seem to be a simple way to catch all the lame admins who don't bother to install the update...

  129. Re:The Entire Internet Will cease to exist... by mikenb · · Score: 1

    Yeah, unless you work for a company that is gung-ho M$, then you don't really have a choice other than quit your job.

    --
    "Sometimes the most intelligent statement is the one that is left unsaid"
  130. This is nothing new by Chundra · · Score: 1

    I was talking to a professor who was a theoretical conspiratist back in the 70s. He claims that the Coca-Cola company was paying kickbacks to the Colombians and to street dealers to push the name "coke". It had the same degree of edginess at the time.
    --

  131. Google groups is gone! taken over by worm? by MrDingDong · · Score: 1

    Try to go to Google groups and you'll see. It's gone

  132. Re:self-defense by overturf · · Score: 1

    Lovely conclusion, but your premise is quite flawed. It's called vigilante justice, and it's rarely defensible.
    Fight the bastard off, but don't kill him unless you want legal trouble.

  133. Use a Worm to Distribute a Patch by ras_b · · Score: 1

    I have seen this idea before, but it's worth mentioning again. Wouldn't it be possible to write a variation on the code red worm that goes around patching IIS servers instead of infecting them? If this thing infected 250,000 computers in a day (or whatever it was), why not distribute the patch the same way?

    1. Re:Use a Worm to Distribute a Patch by nrx · · Score: 1

      Right! Leaving the legal aspects aside, you'll have twice as much traffic, generated by two worms instead of one.

      This is a problem of education (I leave it to the others to discuss Micro$oft's approach to security).
      On one hand you tell people not to open attached documents from strangers and on the other you tell them to open them - they may be nice.

      I can't wait for the first worm made by some script kiddie to resemble an auto-patcher. ;)

  134. ISS DEATH by rsd · · Score: 1

    At least IIS servers would shrink its market share.

    I know some IIS ISPs which are down with the web servers.

  135. Or that... by brer_rabbit · · Score: 1

    Jon Katz will go off on it....then die.

    1. Re:Or that... by scott1853 · · Score: 2

      Can't he just die? Do we really have to read another one of his 4 day late analyses?

  136. A cliffhanger from Cringely! by Mtgman · · Score: 1
    From Cringely's article
    This is very, very bad news, but there is a solution that will shortly be presented that will be claimed to save the day. This miracle solution will be the subject of my regular column this week, which will appear, as usual, on Thursday. Please come back then. Because while there is a solution, I believe that many people will see the cure as being nearly as bad as the disease.


    Doh! What is the answer! Enquiring minds want to know! And how could the cure possibly be worse than the disease(which he says could "bring the internet to a complete standstill and we all go back to watching TV")? What could possibly be worse than DoSing the entire net to the point of unusability? Damn you! Tell us!

    Steven
    --
    -- I have marked myself unwilling to moderate-- I don't have other accounts to artificially inflate the karma of
  137. Blame Canada by davonds · · Score: 1

    Just another reason not to use Microsoft, and of course keep up to date on your patches.

  138. L0pht... by datawar · · Score: 1

    At one point The L0pht (now @stake - www.atstake.com) said to a Congress Committee that they could take down the Internet in half an hour. Maybe this is what they meant.

    Those silly hackers.

  139. Re:Worms and market share by MeNeXT · · Score: 1
    Part of the reason Windows is so widespread is because Windows is stable (in an API sense, and in a reliability sense as far as W2K is concerned), and easy to write for.

    It's so stable that the same errors / bugs / problems keep on coming back again and again.

    It's a question of putting out a product prior to it being ready just to get market share and fixing the problems after the fact.

    --
    DRM? No thanks, I'll just get it somewhere else...
  140. Have you patched your server today? by Lechter · · Score: 1
    Some handy links to MS:

    You know, I just happened to think, how screwed would this be if the worm also targeted MS so that people wouldn't be able to get at the patches...

    Meanwhile I'll stick with OpenBSD...

    --
    credo quia absurdum
  141. The internet is like a woman... by Lechter · · Score: 1

    So, I guess what Cringely is telling us is that, once a month the internet is going to start flying off the handle without reason, and be incapable of being worked with... so, in other words, the 'Net has reached puberty and is going to be "pms-ing" at the end of every month. (Until everyone gives up on IIS that is.) I guess this is what they mean when they talk about worms being "biological" in their spread!

    --
    credo quia absurdum
  142. Re:CNN this morning by Lechter · · Score: 1
    I think that, to a certain extent, we'll be talking about this for quite a while. Like Cringely said, the problem is with people who don't realize that they're running IIS. I'm sure there are quite a few very small companies out there who have something like an NT box attached on their network to provide a NAS. They installed NT a while ago and put IIS on just in case they wanted to put up a web-site later, left it turned on, and forgot about it. As long as their NT box keeps serving up their files, and internal e-mail the people with these servers don't realize they have a problem.

    It's the downside of the increasing accessibility of servers. On the up side, pretty much anyone with a tiny bit of knowledge can put up a server for the small business LAN. So they benefit from the network without having to pay a sys-admin. On the downside, they don't have a sys-admin to keep their system worm-free.

    I don't think we'll see the total end of this problem until MS sends out a snail-mail CD to everyone with an NT license that says in big bold letters Put this CD in all your servers and let it patch them!

    --
    credo quia absurdum
  143. dunno 'bout you by Gehenna_Gehenna · · Score: 1

    but I'm unable to get my yahoo email account to work. Other than that, no big problem. from my understanding only nt/2000 is at risk, the fixes are readily available, and all you have to do to stop it is reboot your server/pc. Is this really as bad as they are saying?

    --

    1. Re:dunno 'bout you by shaunak · · Score: 1

      "and all you have to do to stop it is reboot your server/pc. Is this really as bad as they are saying?"

      Well, yes.
      You could reboot to stop it, but once you're online, it's highly probable that your machine will get infected again.
      So it isn't that easy.
      Besides, n number of servers (as n-> infected IIS server numbers) sending packets out to an IP addy at a given time is enough to make sure /. doesn't load quickly enough for you to check your KARMA every m seconds (shudder).

      --
      -Shaunak.
  144. patent by Planesdragon · · Score: 1

    You can patent the position, not "copyright."

    :)

  145. What ?!? AGAIN??? by gully42 · · Score: 1

    is this just too-late media hype, or is there another variant out there now? I thought the original Code Red was timed to go off last week?
    Best Regards, Nick
    Patch IIS with Apache guys!

    --
    fortune: You die cold and alone
  146. Still the biggest thrill of all by T1girl · · Score: 1

    I didn't know there was a soft drink called White Lightnin'. I was thinking about the beverage Merle Haggard sang about in Okie from Muskogee, the same kind Robert Mitchum ran in Thunder Road. I think Mitchum sang the Ballad, too. I just remember white lightnin' and mountain dew being euphemisms for moonshine whiskey. There's a silly song about mountain dew that's innocuous enough for kids to sing as a campfire song. I thought the hillbilly ad campaign was pretty corny; it's remarkable that they've been able to reposition it as something that people who consider themselves cool would even consider drinking. (It's not too bad with Cruzan's Pineapple Rum)

  147. Yahooo, Mountain Dew! by T1girl · · Score: 1

    Man, you must be older'n God if you can remember when Mountain Dew had the hillbilly ad campaign, positioning itself as some kind of White Lightnin'. When I tried to describe it to my friends, they thought I was hallucinating. Maybe they'll bring it back with some kind of tie-in with that other Yahoo. Haven't had a chance to try Code Red yet. I judge most liquids on how well they mix with rum.

  148. Open source by vinnythenose · · Score: 1
    Make Code Red Opensourced!! It should be free for all.

    All kidding aside, 'tis a shame that half of the Windows side of the Internet shall be beaten down for a while.

    Sarcasm aside, I have nothing to say.

    --
    --- I used to moderate, then I read the -1 articles and decided having to filter through them was not worth it.
  149. Re:Yikes! by mr_exit · · Score: 1

    the internet is made to route around trouble, and if this includes every unpatched iis box on the planet then that's ok.

    Every internet user has had outages at some point, but this just makes it an outage for everybody at the same time, it might take a day or two to get over the slowdown but no biggie.

    i've used a 28.8 modem before and it isn't THAT slow really.

    -------
    Drink Coffee - Do Stupid Things Faster And With More Energy!

  150. Re:Microsoft software: threat to national security by Weh · · Score: 1

    can they be sued for that ?

  151. Problems of closed source by AlXtreme · · Score: 1
    Okay, it's probably said more than once every second on /. but hey, let me troll, it's my karma :)

    Closed source software has once more proved that the user (customer) gets the bill, in more ways than one. W32+NT software is full of holes and bugs, with a lot of them being exploitable by l4m3 viri-kiddies, but in my opinion this worm is just the beginning. Holes in open-source software are easily discovered during beta-testing and, thanks to the community, these are quickly dealt with, giving a strong and sturdy product/project.
    Closed-source projects will always have problems, if only because two people see more than one, and 5000 people see more than 10.

    In my (not so humble) opinion, closed-source servers should be banned from the net, not legally (that would limit freedom), but by word of mouth. Products like IIS will create millions in damages (although it may be exaggerated), and Microsoft should be sued for damages. Let them take responsibility for their flawed product, and be an example for all poorly created closed-source software, hyped for profit. Make Microsoft pay for their problem, as getting hard cash back is the only way to hurt a capitalistic company.

    Sue 'em for damages, make them learn the hard way...

    --
    This sig is intentionally left blank
  152. Re:Why all the public hullaballoo by quantum+bit · · Score: 1

    Actually, one of the problems is that it is indeed "Joe General Public" who's running many of these servers. They do a full install of NT or W2K on their home or office PCs, or got their machine with the full OS pre-installed, and don't realize that IIS is included and running.

    Who buys a new PC with an OEM version of NT or 2k Server preinstalled? Last I checked, IIS wasn't even available for Workstation/Professional.

    Oh yeah, and PWS (personal web server) doesn't use the index server so Code Red can't hit it.

  153. MS == Internet by Bugmaster · · Score: 1

    What really scares me about all this is not Code Red itself. Ok, so it reproduces like "I Love You" on PMS, big deal. What really scares me is that most media reports state, "The virus infects Microsoft IIS, and therefore the Internet is doomed". Thus, in the public eye, Microsoft IS the Internet.

    You may rant and rave about how Apache is better than IIS, but the battle has already been lost. Most people cannot even concieve the very idea that anything other than Microsoft could be running the Internet. Thus, it is quite probable that eventually Microsoft will in fact run every computer on the Net - since the alternatives will dwindle into complete obscurity.

    --
    >|<*:=
    1. Re:MS == Internet by Bugmaster · · Score: 1

      Regrettable, yet true... Still, the actual software is somewhat more diversified.

      --
      >|<*:=
  154. I looked at the animation... by canning · · Score: 1
    and it looks as if all of the zero computers in greenland have been infected. brrrr, that's scary. Is anyone safe??

    --
    I love the smell of Karma in the morning
  155. A short article in New Scientist by Big+Nothing · · Score: 1

    is here.

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!
  156. Microsoft PR Machine by CygnusTM · · Score: 1

    And through all of this, Microsoft comes off looking like the poor victim, instead of the purveyor of swiss cheese software.

    1. Re:Microsoft PR Machine by Genoaschild · · Score: 1

      It's not just the fact that Microsoft writes "swiss cheese software(although they do)" it is the fact that people hate Microsoft so much that they write software in order to destroy Microsoft. When is the last time you saw a virus that targeted Apache Web server. Fewer people hate Unix or Apache than they do hate Microsoft so more people are likely to target their software and OS. It's like, who is more likely to get assassinated, Adolf Hitler or Theodore Roosevelt? Who do you think has more of a love-hate relationship.
      ----

      --
      Just because a bunch of people believe or do something stupid, doesn't make it any less stupid.
  157. Von Neumann Virus Patch by vodoolady · · Score: 1

    A virus that infects a computer and installs the patch for itself.

  158. Re:The Entire Internet Will cease to exist... by MarkLR · · Score: 1

    This of course assumes that all of the IIS machines do not yet have the patch to fix the vulnerability. It's MS's fault that there is a problem in the first place but the people running these servers should have applied the patch by now (maybe they should bill the time to MS). All of this is hype.

  159. Pots and black kettles by necrognome · · Score: 1
    "Open Source is a threat to the American way of life."

    -- residents of the glass house

    --


    Let's get drunk and delete production data!
  160. Which is more likely? by necrognome · · Score: 1
    1. Evil, nefarious, satanic, Chinese hackers are enacting their plan of revenge on the United States for its global hegemonic practices.
    2. Yet another "feature" has been discovered in IIS, due to the tendency of Microsoft to leave "easter eggs" in its products.

    Remember to use Occam's Razor.

    --


    Let's get drunk and delete production data!
  161. Don't do it! by rppp01 · · Score: 1
    No no, don't turn back your clocks. The guy on pbs.org says that those IIS servers are causing all this problem! No, for the love of all that is good journalism, don't turn back your clocks!

    --
    They stuck me in an institution, said it was the only solution, to...protect me from the enemy, myself
  162. Re:60 % Apache is not all unix by br0ck · · Score: 1

    Check out Apache::ASP, Sun Chili!Soft ASP or even better move on over to PHP using ASP2PHP.

  163. Re:Or not... [Re:ITS BAAAAAAAACK!!!!~] by m45 · · Score: 1

    Hm, well, our server logged 22 attempts since 1 Aug 2001 19:48 UTC, with a noticeable ramp at 2 Aug 2001 05h UTC. No attempts in the last 2 hours though (2 Aug 2001 10:30h UTC). Compared to the 30 attempts 19-20 Jul, it is at least something to make you think. Besides all attempts were coming from different IP addresses. Most of the logged IP addresses run IIS, so I don't think it is the eEye stuff.
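
Added example (not part of the comment above or of the original thread): one way to produce the kind of tally that comment describes, counting requests for `.ida` paths per UTC hour and per source address. It assumes an access log in Apache common log format and treats any request whose path ends in `.ida` as a probe; the sample lines are constructed and use documentation-range addresses.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log (Apache common log format). The query padding is
# shortened and carries no payload; addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2001:19:48:12 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [02/Aug/2001:05:03:40 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
203.0.113.99 - - [02/Aug/2001:07:05:00 +0200] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [02/Aug/2001:05:40:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.55 - - [02/Aug/2001:05:41:00 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.56 - - [02/Aug/2001:06:00:00 +0000] "GET /docs/idea.html?x=.ida HTTP/1.0" 200 512
this line is not a log entry
"""

# host ident user [timestamp] "request line" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')


def parse_line(line):
    """Return (ip, utc_datetime, method, target, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, request, status = m.groups()
    parts = request.split()
    if len(parts) < 2:          # empty or truncated request line
        return None
    try:
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    # Normalise to UTC so servers logging in local time can be compared.
    return ip, when.astimezone(timezone.utc), parts[0], parts[1], int(status)


def is_ida_probe(target):
    """True when the request path (not the query string) ends in .ida."""
    path = target.split("?", 1)[0]
    return path.lower().endswith(".ida")


def summarize(log_text):
    """Count .ida requests per UTC hour and per source address."""
    per_hour = Counter()
    sources = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, _method, target, _status = rec
        if not is_ida_probe(target):
            continue
        per_hour[when.strftime("%Y-%m-%d %H:00Z")] += 1
        sources[ip] += 1
    return {
        "total": sum(per_hour.values()),
        "distinct_sources": len(sources),
        "per_hour": dict(per_hour),
        "repeat_sources": sorted(ip for ip, n in sources.items() if n > 1),
    }


def peak_hour(summary):
    """Hour bucket with the most probes, or None when there were none."""
    if not summary["per_hour"]:
        return None
    return max(summary["per_hour"].items(), key=lambda kv: kv[1])[0]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("probes:", report["total"], "from", report["distinct_sources"], "sources")
    for hour in sorted(report["per_hour"]):
        print(" ", hour, report["per_hour"][hour])
    print("peak hour:", peak_hour(report))
    print("sources seen more than once:", report["repeat_sources"])
```

On a server that does not use the Index Server extension at all, any `.ida` request is unexpected, which is why the path test alone is enough here.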

  164. Code Red vs The Backhoe by Red_Winestain · · Score: 1
    Around 1:30 EST (we don't do daylight savings), Purdue University's connectivity disappeared (all Internet, Internet2, regional campus, IHETS, and other wide-area links went down).

    Due to publicity, everyone thought, "Oh no, Code Red!"

    It turns out a contractor dug through one of Verizon's major fiber optic cables. Surprisingly, some cell phone connectivity was also out (along with Sprint and AT&T long distance).

    Low tech beats high tech yet again!

  165. So why doesn't someone release a counter-virus? by patmandu · · Score: 1

    I mean, we already know that all these systems are vulnerable to that attack, so just send out a white-hat virus to remove the Code Red virus, patch the security hole, propagate itself to "N" other infected systems, and then quietly go away. Problem solved. Now get busy and start coding...

  166. soft drink conspiracy? by kriemar · · Score: 1

    Methinks the soft drink companies paid the programmers to develop the worm and name it Code Red.

    I always thought internet advertising would bring down the net, but I didn't expect something of this magnitude.

  167. Re:Mis-set clocks? by tanpiover2 · · Score: 1
    IIRC, the worm is memory-resident-only and therefore can't survive a reboot. It's not picking up where it left off, it's starting over infecting the internet almost from scratch, so it should be the same thing as last time. Except that this time everyone's forewarned.

    IIRC, everyone was forewarned (see here and here) last time!

    --

    But masters, remember that I am an ass: though it be not written down, yet forget not that I am an ass.
  168. Duhh by mcgrof · · Score: 1
    Ok, is it me or is it just that some government people cannot think right when it comes to "viruses"?. Not just the government, but M$ themselves.

    I just read an article on somewhere.excite.com that says "For infected computers, turning the machine off and then on gets rid of the worm but does not provide immunity from future infection".

    There's so much hype about the "National security concerns" over this virus, and how it may "melt down the internet" (cough cough, BS)... Well duhh... How about organizing a group of potential worm feeders and shutting them all down @ once? Obviously this is not the best solution, but I don't see any sites recommending this as a group-effort.

    Actually if the "1337" government people are trying really hard to get common folks to get the patch so that the virus won't spread more, and if they can't do it, this is at least a humble shot that they can give at stopping the spread.

    --

    mcgrof

  169. Best IIS Patch by bahtama · · Score: 1
    I recently patched all of our company's servers with a great patch that seemed to have fixed all IIS related problems. It's called Apache.

    But seriously I did and now I can sit back and laugh at these silly MS Security Bulletins. Just another event that will cause Microsoft alternatives to gain popularity and notice. :)

    =-=-=-=-=

    --

    =-=-=-=-=-=-=-=-=
    Oh bother.

  170. Microsoft software: threat to national security by clone22 · · Score: 1

    "The Internet has become indispensable to our national security and economic well-being," said Ron Dick, head of the National Infrastructure Protection Centre, an arm of the FBI. "Worms like Code Red pose a distinct threat to the Internet." Duck and cover.

    --
    Ask me about my vow of silence!
    1. Re:Microsoft software: threat to national security by clone22 · · Score: 1

      They really know how to put the class in class action...

      --
      Ask me about my vow of silence!
  171. Re:Idiots in journalism by Anonymvs+Cowardvs · · Score: 1


    Or maybe they read the part in the original advisory where the eeye folks mention that they took the name from the bottle o' Dew in the room:

    Greetings:
    The guy at Del Taco that sold us food at 3am to allow us to perform this research. The guy who left the warm "Code Red" Mountain Dew in the eEye lab.
  172. Re:The Entire Internet Will cease to exist... by imipak · · Score: 1
    Yeah, people like Cisco who embedded it in some of their lower end routers. Smart move huh? It also crashes HP JetDirect cards, not sure whether they have IIS embedded or it's just a fluke.

    The degree of schadenfreude amongst the Linux zealots here today is really rather nauseating. No doubt you patch your Linux boxen every time there's a new buffer overflow in something that comes with every distro? (yeah yeah, only people who DO patch will reply... the point is, lots of others WON'T be patched & up to date.)

    Running a box is a fulltime job. Outlaw hobbyist computers, I say ;)
    --

  173. Re:Steve Gibson Made this Worse by Seeka · · Score: 1

    No -- I read Cringely every time it comes out. Why? Because he knows what he's talking about. Even if most of his stuff is stretched theory, I believe that he has some very good points, and that sometimes it's not the mainstream "gurus" who are right. As for Steve Gibson, I listen to him too. He learned to use IRC from a god damn RFC, which just makes me laugh forever, but in an age where 1% of the computer population even knows what an RFC is, I think I'll stick with him.

    Seeka

  174. Re:Are there any non-microsoft viruses anymore? by morcego · · Score: 1

    I agree M$ is not the problem "per se".
    The point is that non-MS admins tend to keep their systems upgraded with more frequency than MS ones.
    It's all about culture. MS seems (IMHO) to cultivate the "Do it 'cause it's easy, even if you don't know anything about it" posture. THAT is the base of our programs.
    Of course, some may say that rWin interface is Virus oriented, but that's another matter entirely, if we consider that a patch that would have stopped CodeRed was available 2 months or so before the worm started spreading...
    What we really need is to patch the admins ...

    ---

    --
    morcego
  175. MSNBC by ImaLamer · · Score: 1

    Their spin is this: we'll show the MS name 100 times a minute, and act like every computer in the f world is running microsoft software.

    Maybe it's just something that Brian Williams character came up with.

  176. IIS? What's that? by Proud+Geek · · Score: 1
    Cringely says the other big threat, and the reason they didn't simply email the administrators of all the infected servers, is that most of them are simply run as services by people who don't even suspect they have a web server. I hope every one of you reading this knows whether Apache is running on your box!

    Sometimes the cluelessness of people writing software at Microsoft astounds me, but then I look at the cluelessness of the users, and it's even worse. With a combination like that, we're lucky the Internet exists at all anymore.

    --

    Even Slashdot wants to hide some things

  177. Re:Microsoft can fix this! by zerofoo · · Score: 1

    When did they start supporting IIS in windows update? Was it recent? I checked a couple of months ago and I still had to manually download the patches. -ted

  178. Re:Microsoft can fix this! by zerofoo · · Score: 1

    It seems you can only get IIS 5 patches on windows update. IIS 4 is coming though.

  179. Microsoft can fix this! by zerofoo · · Score: 1

    Microsoft could actually fix all this crap by having windows update support IIS patches! Why MS would go through the effort of developing windows update and have it not support IIS baffles me!

  180. nipc worried about its job. by zaphod750 · · Score: 1

    seems to me i remember reading something about the nipc being in trouble, so it wouldn't really surprise me if they were to do a lot of hollering just to get themselves noticed and keep their jobs.

  181. What? by shaunak · · Score: 1

    "Steve Lipner, head of Microsoft's security response centre, said the company was looking for new ways to distribute patches more efficiently."

    So they're going to provide upgrades^H^H^H^H^H^H^H^H patches at more locations?

    "The government relies on Microsoft and other technology companies to secure everything from defence networks to financial systems. "

    Defence networks secured by MS (and others ...)?
    Well, the FBI might as well give up counter-intelligence, 'cause the 'farners' already have easier access. Who needs cumbersome Dead Letter Boxes when you have MS.
    Hmmmm.

    --
    -Shaunak.
    1. Re:What? by thetman · · Score: 1

      Ha ha ha, you wrote patches, but you actually meant upgrades!!! Very clever!!

  182. Re:Can't They... by shaunak · · Score: 1

    "Really, once it hits /dev/null it's gone to the heavens"

    Actually, when I said they don't cease to exist, I was referring to his/her idea of re-routing them to servers in China, not /dev/null(duh).

    --
    -Shaunak.
  183. Re:Can't They... by shaunak · · Score: 1

    "Can't the backbones do some routing thing and reroute traffic to the targetted address to /dev/null (Or better yet, someplace in China?)"

    Well, yes. They can (I hope I'm right), but then the data packets DO NOT CEASE TO EXIST. They still move around, and EAT BANDWIDTH. Besides, getting enough backbones to do this is logistically painful.

    --
    -Shaunak.
  184. So all you have to do is reboot... by BeneathTheVeil · · Score: 1

    and the worm is no longer effective?

    Well, uh... that wasn't smart on the part of the virus creator(s). This is Windows we're talking about here. How many of these machines aren't rebooted daily anyway?

    Perhaps, the virus should attack when one of these boxen crash, instead. That would cause quite a bit of action, no?

    Insert obligatory Microsoft joke here.

  185. Re:The Entire Internet Will cease to exist... by antek9 · · Score: 1

    The way I see it, since a patched IIS server is no longer vulnerable, ...

    [I'll spare all ye a comment.]

    --
    A World in a Grain of Sand / Heaven in a Wild Flower,
    Infinity in the Palm of your Hand / And Eternity in an Hour.
  186. Re:Idiots in journalism by antek9 · · Score: 1

    Then don't send 'em, you - ermh - raging idiot.

    --
    A World in a Grain of Sand / Heaven in a Wild Flower,
    Infinity in the Palm of your Hand / And Eternity in an Hour.
  187. Sure, Gibson may sound like a nut at times... by BillX · · Score: 1
    ...but I think he has exposed a possibility that, if not Destined To Come True, we should at least be taking seriously. Think of it in terms of the big Y2K non-event: every computer person and media pundit imaginable was foretelling the end of the world as we know it. Sensationalized, overblown, improbable? Absolutely. But it sure got people to take the possibility of massive trouble seriously, seriously enough to pour money and time into fixing systems and making sure it was, indeed, a non-event.

    As for code-red reinfecting everything at the crack of August, nobody honestly knows. It may happen, it may not. But without someone like Gibson with the foresight to explore the (admittedly farfetched) possibility of what may happen if we don't secure these systems, chances are much higher they WON'T be secured, and we may be totally unprepared for what, if much/anything, does happen. Stitches in time, and all that.

    --
    Caveat Emptor is not a business model.
    1. Re:Sure, Gibson may sound like a nut at times... by SlashDottie · · Score: 1

      Gibson is a nut. Dangerous too...

      Here's another nutty idea. Let's say that Code Red fizzles. The original creator goes back to the drawing board, and thinks up the next worm variant. This one uses the new "exploit X" to get around.

      This time, though, the target is not centralized. It's geographically distributed, and hardened to withstand attack. It's withstood many DoS in the past, and remains a juicy, coveted target. If only there were half a million or so DoS agents out there, all working together...

      Unfortunately (for the target), the IP addresses are fixed, and it takes a long time to change them, not like the Whitehouse.

      DNS root servers, anyone?

      (I'm glad I still remember where the Internet's "off" button is)

      ---
      SlashDottie

  188. Isn't that one of Steve's references? by BillX · · Score: 1
    What, did you think he just pulled the 'logorithmic graphs' out of hi^H^H thin air? The numbers come from competent analysis by people who know what the heck they're talking about. (If he was reporting his *own* numbers, in his typical paranoid-guy-wearing-tinfoil-beanie writing style, I would be a bit more suspicious :)

    --
    Caveat Emptor is not a business model.
  189. How about an anti-virus? by superposed · · Score: 1

    This suggestion may be either dorky or rash: Could someone engineer an "anti-virus" to patch all the unpatched IIS servers in the world? It could spread itself like the Code Red virus, but then it could unload the Code Red virus and/or install a patch on the affected server to close the hole. This should be possible in theory, because the security hole allows full access to the computer.

  190. Re:The Entire Internet Will cease to exist... by soloport · · Score: 1

    You forgot your ... tags. (Look it up on-line at Webster's).

  191. Re:Magic Bullet (was Re:die, monster devil, die!) by soloport · · Score: 1

    Ah. But with Unix/Linux, it's just that much easier.

  192. Re:Are there any non-microsoft viruses anymore? by soloport · · Score: 1

    Warning: Your ignorance is showing. I'm pretty sure Apache "owns" the biggest share of the pie...

  193. Re:Oooo..... let's bash Microsoft! Yeah! by mikewhittaker · · Score: 1
    Why do so many of the posts seem to almost presume that MS intentionally sells defective s/w?

    Anyone who has read (eg.) the Maguire/McConnell books should realise that MS probably makes as much or more effort than other s/w companies to write software well (unless disproved by some inside information ...?!)

    While stopping short of saying "let those without sin cast the first stone", I wonder how many of those rubbing their hands in glee at this latest MS problem actually follow best practice themselves in design, coding, peer-review and test of their own applications ? or open-source ones ?

    Come on guys (m/f) - let's get professional. Hate the bugs, certainly, but LEARN from experience - as I hope MS does.

  194. Chinese or not? by Haxx · · Score: 1



    So where does this virus say Code Red?
    Because if the coder named it Code Red then it's
    not from China. Code Red is that yummy American
    caffeine booster drink stuff that kids are drinking these days.

    ~ If I were a missionary I would copywrite the position

    1. Re:Chinese or not? by ph8ts2l · · Score: 1

      if you read one or two related stories about this thing, the people at eEye who first analyzed it named it for a version of Mountain Dew (seems like a test market thing) called "Code Red" Mountain Dew, which they apparently drank a lot of while back-engineering.

      That, plus it makes an apropos reference to the worm's Chinese origin (according to the defacement it leaves on an infected server).

  195. Immunity through obsolescence by Faust7 · · Score: 1

    I have splendiferous net access at work. Consequently, my home machine is an Apple II+ on which I run an old terminal program to access my Unix shell account. Now then, what's all this Code Red business? :-)

  196. Re:Down with the internet! by misnoma · · Score: 1

    To infect your computer with code red, please contact your local Microsoft Representative who can assist you with what licensing you require to legally operate code red on your server. It operates on a NCDL license (numbers of coffees drunk license).

    --
    -- Stop listening to that rock. http://www.nuenergy.co.uk
  197. Yikes! by misnoma · · Score: 1

    I guess it's a hell of a worry in some ways... but to be realistic... The internet's not gonna cease to exist... maybe for a wee while would it be slowed.. but no...

    --
    -- Stop listening to that rock. http://www.nuenergy.co.uk
    1. Re:Yikes! by misnoma · · Score: 2

      Will the internet route around trouble like this Virus may cause... That's debatable. I'm sure there's enough Cisco gear out there to cause some major issues... However, people may be (sic) stupid enough not to patch their IIS boxes (let alone run them at all!) but watch how fast ISP's kick customers that are causing mayhem by being infected. It's a similar situation to open relays, there are plenty of ISP's out there (at least here in New Zealand) who actively disconnect permanently connected customers with open relays. The internet as we know it has become almost a self supporting entity, the people (us) involved in any way will not stand for it to be out of service or degraded for long. Sure, we may lose a few websites in the process, but the internet as it stands will always exist. How long do you really think someone's gonna sit looking at an IIS box or Cisco router that's malfunctioning before they actually decide to remove it from the network or fix it. (or someone decides it shouldn't be part of this global network for them!). -- Stop listening to that rock! http://www.nuenergy.co.uk

      --
      -- Stop listening to that rock. http://www.nuenergy.co.uk
  198. Re:Mis-set clocks? by jjjpinkojjj · · Score: 1

    This is the funniest thing I've read on /. for a long time. Mod this up, please!!!

    --
    I'd like to dip my balls in that.
  199. Re:The Entire Internet Will cease to exist... by thanq · · Score: 1
    From the site:

    "Estimates by Netcraft, an Internet consultancy based in Bath, England (http://netcraft.com), indicate that some 20 percent of all Internet Web servers run on IIS. As that site tracks some 28 million Web sites, the implication is that there are at least four million vulnerable IIS servers out there. "

    That's twenty percent, and it's just an estimate, but good enough just to get an idea.
  200. Re:The Entire Internet Will cease to exist... by vegetarian+towel · · Score: 1

    So, what are you waiting for?

  201. Apache problem by s20451 · · Score: 1
    From Cringely's article:

    Many of the infected servers aren't really being used at all. They are still showing their default Microsoft homepages and are simply running as a service under Windows NT. In those cases, the people on whose computers IIS is running probably don't even know they have a web server.

    It seems to me that this is a potentially larger problem with most distros of Linux. Quite often a default installation package will include Apache, which is happily installed and activated without the user being actively informed how to care for it. I know for a fact that this was true for RedHat 6.2, though more recent distributions of RedHat have fixed this. Since Apache is free (as in beer), while IIS is not, more Linux users generally have Apache than Windows users have IIS.

    How vulnerable is Apache to an attack of this sort? And, furthermore, could there be a more prudent way to distribute Apache? (Such as with a disclaimer? Or only by specific request?)

    --
    Toronto-area transit rider? Rate your ride.
    1. Re:Apache problem by nevets · · Score: 2

      I also know that RedHat was criticized for having Apache and several other services running as the default behavior. So the later versions (7.x) don't default as web servers, and the users need to configure them to get them started.

      I also believe that this is true for the other distros. Now with XP coming with sockets, I can just imagine the new impact that will have.


      Steven Rostedt

      --
      Steven Rostedt
      -- Nevermind
  202. Re:Worms and market share by gupta · · Score: 1

    Windows is stable... and easy to write for. Apparently, you love writing junks everyday.

  203. Ha! by Publicus · · Score: 1

    The government relies on Microsoft and other technology companies to secure everything from defence networks to financial systems.

    Maybe that's the problem.


    Stick it to The Man!

    --

    My Karma was at 49, then they switched to words. All that work for nothing!

  204. Are there any non-microsoft viruses anymore? by Dan+Ost · · Score: 1

    It seems that all the recent viruses require
    you to be running outlook or IIS.

    When will virus writers turn their efforts
    towards open source OS's?


    --

    *sigh* back to work...
    1. Re:Are there any non-microsoft viruses anymore? by 4mn0t1337 · · Score: 1
      Uh, that might be of "official" servers (ie, commercial sites that are run by IT staff), but what about all of the personal sites/servers out there?

      IIRC, doesn't win2k do a default install of IIS with the service on? (Thought I read that somewhere, but I don't run Win2k, so I can't verify.) This means that there are plenty of machines that are vulnerable and their owners don't know it.

      According to stats collected by CAIDA, the top 4 identifiable infected domains, with over 7% of the infections, are home.com (cable), rr.com (cable), t-dialin.net (? dial-up?), and pacbell.net (dial-up and DSL). Add in a few more to the list and you are above 10%.

      The way I read this, most of those companies are geared to home and individual users (or fairly small businesses). These people are *NOT* Apache customers (otherwise they wouldn't be infected) but nor would they be the kind to purchase Apache. They are small businesses (home business) or home users that either have a cute web site up for their friends, or don't even know they have IIS running.

      These people are the ones that don't know about the updates and couldn't care (but can't figure out why their Quake latency is so high).

      So, I am a little afraid about this "slice of the pie." Not only is it potentially bigger than the "official server" base, but also is it less informed, and more of a potential threat.

      [What happens if Steve Gibson's WinXP concerns are correct and insecure software is being put in the hands of every Joe/Jane User that allows for/facilitates massive global attacks? (I realize that Steve's issue is slightly different, but I bring it up here as it illustrates that the nature of the "pie" is shifting.)]

      --

      ______
      Once: you're a philosopher. Twice: a pervert.

    2. Re:Are there any non-microsoft viruses anymore? by banshee2000 · · Score: 1

      Yes there are other o/s's that are vulnerable to exploits. Check out Bugtraq and click on Linux. Just because Macrosquish is getting most of the attention, doesn't mean us linux users aren't getting any. :P

    3. Re:Are there any non-microsoft viruses anymore? by SuiteSisterMary · · Score: 2

      No, it's because you go after the biggest share of the pie. Ramen.worm I think was the most recent example of Linux being just as vulnerable to this sort of thing.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    4. Re:Are there any non-microsoft viruses anymore? by whopis · · Score: 2

      Don't you remember 1i0n, butcher, ramen, etc... that were running around a little while ago? Those were not MS worms

  205. Re:Gibson may be extreme, but he does have a point by Big+Yak · · Score: 1

    our network Internet Protection Office has a very apt saying: Convenience is never sacrificed for security...

    --
    -Hell hath no fury like that of a woman scorned for /.
  206. Re:Quarantine... by powerlinekid · · Score: 1

    I suppose you'll never know when only around 50-100 people have ever seen the source code. M$ takes a lot of shit for its mistakes which I disagree with... we shouldn't chastise M$ for buffer overruns (linux has a lot too) but rather for the fact that they take forever getting a patch out there. Part of the blame also lies on windows "users", because unlike the linux community they're not exactly all about fixing something that doesn't necessarily look broken.

    --

    can't sleep slashdot will eat me
  207. Quarantine... by powerlinekid · · Score: 1

    It would seem to me that if the govt is allowed to quarantine a small town due to some disease, etc... then they should be able to tell some dumb sysadmin to either A)Get rid of the worm or B)Disconnect the machine from the network. I understand that certain privacy, rights groups would throw a fit but this is important. The internet is way too important to how we live now (although I don't believe this worm is nearly as crippling as the media has been portraying), and we need to protect it. Seriously folks, think about it... say Bob has ebola and the govt tells him he not only can't leave his house, but has to go live in a bubble. Do you think the Human Rights organizations would bitch??? So why should it be different with a sick computer... ps- I, too, have some issues with the govt telling me whether my computer could be on or not... however I would never have the worm long enough to do any damage, and would be responsible enough to accept the fact that I was a fuck up. Interesting question: If this thing does start to rack up damage $$$, who is responsible: the virus writer, or the virus users???

    --

    can't sleep slashdot will eat me
  208. Re:The Entire Internet Will cease to exist... by masoncooper · · Score: 1

    Obviously I was referring to vulnerability to the Code Red Worm. I think we've all established that IIS has more holes than pumice.

    And regarding the other reply, I again was only referring to the exploit that Code Red was taking advantage of. Wasn't that what the topic of the thread was about anyways?

  209. Isn't this illegal? by sup4hleet · · Score: 1

    I thought pointing out the shoddy design in someone's Intellectual Property was illegal according to the DMCA. Is Washington breaking their own law?

    ---===[end sarcasm]===---

  210. William Burroughs by columbus · · Score: 1
    Greetings: The guy at Del Taco that sold us food at 3am to allow us to perform this research. The guy who left the warm "Code Red" Mountain Dew in the eEye lab.

    William Burroughs:" Word is Image. Image is Virus".

    Code Red is actually a mind virus. Because of its physical components, it is now on the brains and tongues of the computer literate, the government and the media. It was designed by the Pepsi Corporation to embed the idea of Mountain Dew into minds, and thereby increase sales. I refuse to buy Code Red Mountain Dew. I will not be brain hacked.

    --
    friends don't let friends teleport drunk
  211. Re:Why all the public hullaballoo by columbus · · Score: 1
    They're FUDing the Net!

    If this is a FUD campaign, it could be a part of the old political stratagem - "Create the problem. Let people suffer. Attack a scapegoat, and offer a solution that happens to fortify your position." Who would better know how to exploit an M$ security hole . . .M$!

    --
    friends don't let friends teleport drunk
  212. Re:The Internet will "cease to exist" ? by archen · · Score: 1

    sort of like how a computer becomes unusable if you move the start bar to the top and on autohide? har har.

  213. This is stupid. by The+Panther! · · Score: 1

    In the 'cease to exist' linked article, there's a quote:

    "Steve Lipner, head of Microsoft's security response centre, said the company was looking for new ways to distribute patches more efficiently."

    Obviously they can't write software that doesn't have security holes big enough for the Hindenburg to fly through... so why not write a PATCH that exploits the same HOLE and repairs it, and destroys the worm, then deactivates itself after a month? At least that way, it catches and repairs the hole on all the machines whose sysadmins aren't paying attention.

    JH

    --
    Any connection between your reality and mine is purely coincidental.
  214. ...or Y2K all over again by Samer · · Score: 1
    I just watched my local news, and boy are they clueless. On this issue, it is not really their fault, after all they only have a minute or two in order to become experts on the subject.

    Unfortunately, by over hyping this, the FBI and all the powers that be have created a really serious situation where - when nothing happens *today* - people will just dismiss it as another Y2K.

    One of the anchors said as much. It does not matter that Code Red will not have the full impact until the 20th, and it does not matter that most of the facts in the story that was aired were plain wrong. What matters is that most of those watching are going to think that nothing major happened, that it was over hyped and will stop believing the warnings.

    The over-reaction of the Feds and everybody else is going to be another case of the boy who cried wolf.

    Samer

  215. Re:Why all the public hullaballoo by banshee2000 · · Score: 1

    The logic is simple. Business wants a new manageable internet. First, prove to the world that end-to-end is broken. Then, advance proposals to fix it. Waiting for the other shoe to drop. . . No need to wait ... http://www.g7.utoronto.ca/g7/summit/2001genoa/dotforce1.html

    Annoy a politician today - THINK! In part reads: the DOT Force has examined in depth the challenge of bridging the digital divide and harnessing the power of information and communications technologies (ICT) and global networks to assure opportunity, empowerment and inclusion for all. The DOT Force has analyzed the underlying causes of the digital divide, the poverty-reducing and empowering potential of new technologies, and the complex mix of strategies, policies, investments, and actions required to create digital opportunities for all while addressing key development imperatives.

  216. Re:Microsoft should be held responsible for this by lordlod · · Score: 1

    I agree I have seen lots of mainstream media attention about this worm that kills the internet and ends the world I have not seen one article about how poor quality products leave themselves over to exploitation and that perhaps, maybe the large company that has made millions of dollars off this product (and others) should be held responsible for their mess. When somebody builds a substandard bridge and it falls over and kills 20 people they get in trouble... A substandard webserver isn't worth a mention?

  217. Okay, I'll bite... by kiwimate · · Score: 1

    Name an MS application which installs and configures IIS and doesn't warn you about it in one of those screens which administrators would *never* not read completely (after all, that's what users do, right? They complain their PC is broken and, yes, there was some sort of ominous-looking warning message, but they don't have time to read that stuff.).

    1. Re:Okay, I'll bite... by kiwimate · · Score: 1

      No. The legal messages *usually* (more often than not these days) come at the beginning, and then the warning messages about possible implications appear as you're going through the setup. Specifically, you pick an option or turn something off or give a certain reply, and either as soon as you pick it or when you click next you'll get a pop-up message or a dialog screen warning you of the implications.

      If it's NT4, in any case, it'd have to give you some warning because IIS is installed from the Option Pack CD, not from the NT CD. In Win2K it's part of the install, but MS are pretty careful nowadays about warning admins that certain options require other components to support them and making sure they've covered themselves in informing you that IF you do this THEN such-and-such must be installed/turned on/turned off, and are you sure?

      You'll find that, frighteningly, MS have actually realised they're not well-regarded in certain areas and have tried to do something about it. By all means, let's hold them accountable for security holes, bugs, poor practise, or whatever; but let's be honest about it.

    2. Re:Okay, I'll bite... by RedX · · Score: 2

      Was that one of those pop-up messages that was interspersed with all of the licensing legalese pop-up messages?

  218. Re:60 % Apache is not all unix by StueyB2U · · Score: 1

    I agree there. (use it to play with PHP) But even Apache themselves discourage Win32 on the "open net" due to it not being as mature. The only other prob is the ASP extensions - is there an Apache mod to do this ?

  219. Y2K-2 by nailchipper · · Score: 1

    Think somebody is making money out of all this hysteria? This sounds like another apocalypse prediction.. first, Y2k... this was for sure going to end life as we knew it.. now this...we have new situation at hand... smaller in scale but just as important...

    With all this hype it's bound to be a disappointment. The internet will "not cease to exist" and makes you wonder who actually benefits from all this....

    we don't even have time to breathe before our next apocalypse prediction anymore, they are coming one after another...

    --


    what is nailchipper?
    1. Re:Y2K-2 by beanerspace · · Score: 2

      Yeah, see my earlier comment about blowing a chance to make millions.

  220. Nice idea, I like it. :) -NT by NinjaWorm · · Score: 1

    NT

  221. Thank you by ph8ts2l · · Score: 1

    though i wouldn't say trying to start a panic--unless it's a rush to purchase a subscription or visit their advertisers.

    i've already commented here on the assertion in /.'s summary that the web as we know it will 'cease to exist,' so what if M$ and people who stake all their data on it have to learn something new!?.

  222. Calling BS on some of this by ph8ts2l · · Score: 1

    Cease to exist?

    this sounds like the kind of sensationalist teasing for which most cities' local TV news productions are known and despised, and most /.ers i've known can see past it. This problem has an elegantly Darwinian element to it, no? Only the most stable servers and subnets will survive, if worse comes to worst.

  223. Re:Worms and market share by p_trinli · · Score: 1

    You mispelt "Part of the reason Windows virii are so widespread...." Ahem, misspelled. Since IIS has LESS marketshare then Apache one would expect... than, not then.

    --
    Aaron J. Shaver
    http://aaronshaver.com/

  224. CNN wonderful graphic design team by Rkane · · Score: 1

    Anyone seen CNN's story about all this? They have a nice rendition of the virus: An evil sperm trying to break through the monitor to infect the innocent virgin IIS system. Beautiful. Personification at its best.

  225. serious problem by theantix · · Score: 1
    The truth is though that Microsoft only accounts for 20% of the servers out there

    Nope, in fact the number is much higher in this case. You are probably close on the number of "normal" web servers, but the problem pointed out in the article was not with administered corporate/personal sites. Instead the problem is with people who are using WinNT /Win2K and have IIS installed running as a service but may not even know it.

    Check back next month to see Apache hit >70% on the Web Server Survey.

    I doubt it will have that much impact, as much of the damage comes from domains such as rr.net and home.com.

    --
    501 Not Implemented
  226. Re:I always knew... by Pliable+Manic · · Score: 1

    "The government relies on Microsoft and other technology companies to secure everything from defence networks to financial systems." Now, there's a nice cheery thought!

  227. Re:What would be incredibly funny... by Schrodinger's+Mouse · · Score: 1
    The "7 Dwarves" virus [check the Symantec write-up on W95.Hybris.gen] does, in fact, check for new functionality on a particular newsgroup - it isn't just rumor. Those plug-ins are a sneaky idea.

    If anything, I'm surprised the media isn't paying more attention to SirCam - they could sound all serious and say "It's a violation of your privacy because it sends all your personal crap all over the Internet", then follow that story with an ad for MSN Internet Service.

    --

    *****

    There are many people in this country who, through no fault of their own, are sane.

  228. Down with the internet! by OverDrive33 · · Score: 1

    Does anyone know how/where I can get my computer infected with Code red? I mean I think it'd be cool to throw my small amount of bandwidth in with the DESTRUCTION OF THE INTERNET!! (Does this sound like a really bad movie to anyone?)

    Somehow I have my doubts that the internet will "cease to exist"... then again...

    1. Re:Down with the internet! by Chundra · · Score: 2
      Somehow I have my doubts that the internet will "cease to exist".

      You must understand that there is no internet. This is a zen thing, so stick with me. To help you understand this, you need to meditate very deeply and free your mind of all you know. Sometimes to achieve this state, it helps to imagine yourself in an empty room. The room is painted pure white. The walls are white, the ceiling is white, the floor is white. There are no visible light fixtures, but the room is incredibly bright. There are no Windows.

      *rimshot*
      --

    2. Re:Down with the internet! by b1t+r0t · · Score: 5
      Does anyone know how/where I can get my computer infected with Code red?

      All you have to do is:

      1. Sell your soul to Microsoft
      2. Install a copy of IIS
      3. Connect to the Internet without a firewall
      4. Wait. It will be automatically delivered to you within 24 hours. Or it's free.

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
  229. what about.. by MyMomIsALinuxHacker · · Score: 1

    ..guess the name/contents of the first Code Red worm variation and win a prize (you did something close to this for Dmitry, come on!)

    My guesses:

    Code Pink worm:
    -Infects IIS servers that have females for sysadmins
    -Displays the message: Welcome to http://www.pinkyandbrain.com ! Hacked by perverts!
    -Solution: take the windozer machine and put it on the fridge

    Code Green worm:
    -Infects IIS servers that have nature-friendly sysadmins
    -Displays the message: Welcome to http://www.TreesWithWorms.com ! Hacked by trees!
    -Solution: Pouring water on the machine that has the IIS server

    Code "1m 50 313373 th4t 1 3v3n d0nt kn0w c0l0rX" worm:
    -Infects IIS servers that have sysadmins that were once skript kiddies
    -Displays the message: Welcome to http://WankWankWank.313373rTh4nJ00.aol ! Hacked by chinese! (skripts kiddies are too leet for changing the msg Hacked by chinese)
    -Solution: never play with yourself EVER again.

    And so on and so on..

    A witty saying proves nothing. -- Voltaire

    (nevermind the previous post, I forgot to log in..)

  230. Re:The Entire Internet Will cease to exist... by ihawk · · Score: 1

    Actually, when you look at this coverage, it's pretty scary. Not Code Red, but the FUD and scare tactics that are coming out of "official" sources. The FBI clearly needs something to bolster its severely tarnished credibility re technical issues, the White House always needs something dire to distract the public away from what it's really doing and Microsoft stands to lose more credibility if it gets identified as the weakest link(tm). That line about the Internet being crucial to national security is the kicker - that could be the excuse that the government needs to reinforce DMCA as a means of restricting and re-structuring the net to make it "secure", meaning to make it a tool for propagating the party line and Microsoft software. Like I said, scary.

  231. The fuss... by Runt-Abu · · Score: 1

    From my point of view all this fuss appears to be because the initial attack targeted US governmental web sites, it ain't no W32.Sircam.Worm@mm after all...

    --

    GCM d+ s+:+ a- c++ U? P! L E-- W++ NM+ V PS- PE+ Y+ PGP- t 5+ X?+ R+++$ tv+ b+ DI++++ D---- G e
  232. Re:I always knew... by FreeDmitry · · Score: 1

    You forgot one! They might do it by .. hm, incompetence...

    Free Dmitry

  233. Re:Worms and market share by Mike+Hicks · · Score: 2
    apart from 127.xxx.xxx.xxx and 224.xxx.xxx.xxx


    Eh? You're getting queries for your web server from multicast addresses? Interesting.
    --
  234. Re:Steve Gibson Made this Worse by Have+Blue · · Score: 2

    And you know what? He's right. The fact that a 13-year-old kid with "off-the-shelf" script-kiddying tools can cultivate an army of bots and anonymously attack any site he wants is a very large flaw in the world of computing and deserves a lot of attention. Scare tactics, while somewhat repugnant, are effective, and Gibson sometimes uses his powers for good as well as evil.

  235. Why is nobody using this as a propaganda tool? by Ami+Ganguli · · Score: 2

    All the articles I've read about Code Red seem to be carefully avoiding pointing the finger at Microsoft.

    A statement like "Microsoft IIS servers run less than 25% of the Web, but the congestion created by the attack could affect all servers" would be accurate, informative, and make it clear that the problem is caused by a minority of systems. It would also make PHBs think twice about implementing IIS.

    How do we get this message out to PHBs everywhere?

    --
    It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
  236. Magic Bullet (was Re:die, monster devil, die!) by Craig+Maloney · · Score: 2

    Don't think that just because you're running a Linux distribution that you're safe from worms. Anybody running portsentry or snort can tell you about how many times per day they get a portscan on their system looking at port 111 (rpc.statd). Linux is not a magic bullet; it takes discipline to keep up with the exploits no matter what operating system you use to connect to the net.

  237. Re:The Entire Internet Will cease to exist... by jd · · Score: 2

    Hey! No need to be sorry for speaking the truth.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  238. Hey! Cool! by jd · · Score: 2
    If the Internet crashes badly enough, then the tech monstrosities that run(?) it might be forced to install modern (ie: > 18th century) technology.

    The string & tin-cans currently used on the backbones and trans-atlantic link might be a cool hack, but they are a little short on bandwidth for serious use. It's got to the point where those who built the Internet in the first place have had to jump ship, and start from scratch, just to get the necessary bandwidth.

    I -hope- that the failures are major enough that QoS technology is deployed, not just decorated. I -hope- that delays become bad enough that terabit pipes become the norm, not just a pipe-dream. I -hope- that this scares ISPs and corporations into enabling ECN, IPSec and possibly even IPv6.

    It is only in times of adversity that technology really changes. We have an adversary, we HAVE to defeat it, and that means we HAVE to change.

    IMHO, viruses, trojans, etc, are evil. But in destroying their evil, we have the opportunity to rid ourselves of some of our own.

    This probably sounds a sick way of looking at things, but the fact is, we HAVE the means to prevent Code Red. We have, for many years. It's because system admins have always argued that it's not worth dealing with threats -before- they happen, that we're in the situation we're in.

    Inertia is mankind's second-greatest enemy. (Jerry Springer narrowly beats it.) Damned is the person who does nothing, because they couldn't do everything. This entire fiasco could well give the impetus needed to overcome that inertia.

    On the other hand, I'm inclined to think that everyone'll just panic, but do nothing, and actually be over-run. Needlessly and stupidly. But, then, that's people for you.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  239. Re:The Entire Internet Will cease to exist... by jd · · Score: 2
    I collect patches. (I even make the collection available, online. It's running at 17th or so on the 20 most active Sourceforge projects.)

    Mind you, I collect all sorts of odd things. One time, I was into collecting comms software. I had over 30 for the PC.

    Another time, it was MUDs. I had practically every MU* server on the planet. (LP, MudOS, Pernmush, Tinymud, Tinymush, Pennmush, Ubermud*, Tinymuck, Abermud, Circle, LambdaMOO, etc)

    *Ubermud was the first truly distributed MUD system. Processes could migrate between the Uber servers freely, provided the necessary database entries existed. It was truly ingenious for its time, and nothing more recent really compares.

    Of course, *Trek games were great for collecting, too. XTrek, Netrek (Bronco, Vanilla, KSU, et al), the briefly-lived Paradise development line, etc.

    Compilers and interpreters are cool, too. That's one reason I'm fluent in something like 10 computer languages, and am OK in about 7-8 more.

    Of course, collecting has its down-side. You need a LOT of disk space, a LOT of time, and a LOT of bandwidth. The stuff will never be worth the tens of thousands of dollars that stamps, or other "physical" collectables, will fetch in time. And they require active steps to preserve. A teddy bear, if stuffed in a box in the attic, will usually do ok for 40-50 years. Netrek, on a 3.5" floppy, would be lucky to last a tenth of that time. Even if there was still anything that would read it.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  240. Re:The Entire Internet Will cease to exist... by jd · · Score: 2

    Anyone with the naivety to run IIS is, IMHO, automatically suspect when it comes to doing anything technical, such as setting a clock.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  241. Re-infection? What about continued infection? by iabervon · · Score: 2

    Considering the nature of this thing, when it went dormant, probably most people just forgot about it. It doesn't really need to spread again, since it's still out there all over the place.

    This is not really all that different from an average virus-- it spreads for a while, activates, causing a lot of damage and panic and such, people panic for a while, it deactivates and spreads some more.

    The people who are all worried about it coming back repeatedly should be at most disappointed that it doesn't just kill itself after a month. But there's no reason they should expect it to.

    In fact, this is still less of a problem than an old-style virus: in order to stop those, you had to get a clever program to catch and disable this code. With Code Red you merely have to patch or replace IIS and it stops being an issue.

  242. People don't patch... by Jeremy+Erwin · · Score: 2

    I'm still getting

    "Hi! How are you?
    I send you this file in order to have your advice
    See you later. Thanks"

    spam in my mailbox...

  243. My favorite bit of misinformation: China denial by Brian+Stretch · · Score: 2

    This newswire article quotes various people in China claiming that obviously the worm didn't come from there because Chinese servers aren't getting infected, and besides, the worm is just too complicated for an individual to create. The reporter bought it. Had he bothered to do some research, he'd have known that the worm is coded to only infect English (US) language servers, and in all likelihood it was coded by a (Chinese?) teenager with too much time on his hands.

    (Well, okay, it does run on the non-English servers, but it doesn't deface them...)

  244. Re:My favorite bit of misinformation: China denial by Brian+Stretch · · Score: 2

    Perhaps the fact that this guy got modded to 3 with such baseless "logic" is an indication that there are some xenophobic moderators around? Guys, mod this misguided moron down!

    My point, had you bothered to think about it, was that the reasons given for why the worm couldn't have originated in China were obviously wrong, and had the reporter been competent enough to do a modest amount of research he'd have seen that.

    Sometimes the obvious answer, namely that the worm really was written by a lone cracker in China, really is the right one, no matter how un-politically-correct it is. However, we don't really know, as I indicated with "(Chinese?)". I'm just curious why the reporter's mainland Chinese sources felt it necessary to dispense obvious misinformation. It's probably just a reflex action from a lifetime in one of the more brutal Communist dictatorships.

  245. Re:The Lazarus Worm by unitron · · Score: 2
    "The Lazarus Worm"

    Great title. If you'll hurry up with that screenplay maybe we can get Robert Urich as the title character and it can be the "Tron" sequel.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  246. Re:This is pretty sad by unitron · · Score: 2

    Actually MSNBC (the cable channel, haven't looked at the web site) just had someone on explaining this who didn't do too badly considering the audience he was trying to explain it to, and they even put up a graphic showing which *Microsoft* products were vulnerable. They forgot the "We're a joint venture of..." disclaimer, though.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  247. Re:Yahooo, Mountain Dew! by unitron · · Score: 2
    I'm pretty sure that White Lightnin' was a Mountain Dew wannabe. I never saw one until several years after Mountain Dew came along.

    Here's a link to the story of its creation (Mountain Dew) in Knoxville, Tennessee (I'd always heard that it was started in western North Carolina) from an AC's reply to another post of mine.

    http://metropulse.com/dir_zine/dir_2000/1039/t_secret.html

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  248. Re:Idiots in journalism by unitron · · Score: 2

    Being a Mountain Dew drinker since they had a hillbilly on the bottle, I tried Code Red out of curiosity and don't see how anyone could stand to drink an entire bottle, much less copious quantities of it, and wouldn't trust any work done by anyone who did. It's that bad.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  249. Re:Please cut the sensationalist crap. by garcia · · Score: 2

    another story to add to the mounting piles of crap that /. editors have been posting lately.

    I have found that by going to other sites I am getting better coverage than /.

    I have been an advocate (and even annoyed that people were complaining about the journalism here) but this is getting ridiculous.

    Repeat posts, The Onion like garbage, etc is all getting to me.

    Clean up the act boys.

  250. Instant partial solution by leonbrooks · · Score: 2
    The problem with security is not that we don't know what to do. The problem is that so many of us don't do anything. That is what alarms Gibson, and in that he is correct. There are so many machines not being properly managed that damage is inevitable.

    Given that at least four components are necessary for a crack to be effective, removing any one of them will prevent the problem. These components are: malicious code, vulnerable service or device, access to same, lack of fixes or unwillingness to apply available fixes.

    Evolution suffers the same type of problems. Hypermutation was recently discovered in components of an immune system and many hands were waved about what this proved. What was not explored was the nature of the mutations. They are almost deliberately allowed to ``go wild'' within very strict bounds, and the result (which would be disastrous outside the immune system) is that a large set of possibly useful responses are produced and tried as antigens in a very short time. However, if any one of a large set of very specific conditions were not met, hypermutation would be lethal. And you can safely bet that any retractions of the previous headlines will be four lines of fine print on page twenty.

    So, given that convenience will tend to be chosen over better security (and partly because if an administrator goes for a more secure but less convenient solution they may actually suffer a greater security problem by encouraging (for example) undocumented sharing of passwords), a solution such as replacing Windows plus IIS with Linux/*BSD/whatever plus Apache will actually work, and much better than telling users and administrators that they're idiots. They either know that and have to live with it, or don't know it, never will, and will be annoyed every time someone tries to point this out.

    ASP2PHP exists, and works, so there's no really sound reasons left for running IIS. It's also (especially in the name of avoiding monoculture) worthwhile checking out alternatives like Zope. The combination of an inherently more reliable service, and automated updates (I know that Debian, Mandrake and RedHat - at least - have these) will remove a vital section from the crackers' stairway to heaven.

    Where Mr Gibson does score is in that not everyone needs to be running vulnerable servers to swamp and drown the Internet. Just enough twits to do the job. I'm currently wondering what social effect would drive IIS market penetration up 4% at the very instant it's been shown to be a public menace. Again. Remember that it's been copping buffer overflows for the best part of a decade now, and doesn't look like stopping.

    --
    Got time? Spend some of it coding or testing
  251. Not as unthinkable as first glance might suggest by leonbrooks · · Score: 2

    ...after all, they've given up on Microsoft DNS for themselves, and MSN's outsourced web hosting includes Apache. There's nothing to stop them from telling Apache to lie about who it is, and use something like ChilliSoft for their own web services, and after that it's not such a big step (remember Apache's licencing) to MS-Apache. Then they can explain that they outsourced development in order to be able to focus on .NET, can't they? (-:

    --
    Got time? Spend some of it coding or testing
  252. Don't forget the scripting by leonbrooks · · Score: 2
    ASP2PHP will pretty much solve that little issue for you. And remember to set up your new Apache-on-Linux installation for automated security updates. We work while you sleep. (-:

    --
    Got time? Spend some of it coding or testing
  253. IIS overflowing for ages: petition MS to open it! by leonbrooks · · Score: 2
    Go back and have a look at the old security alerts. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. I'm sure you get the idea. And every one of those means, effectively, root access on that box. The only saving grace is that Windows systems generally don't have the full spectrum of interesting network tools available that Unix boxes routinely do. I'm not sure how to call that an advantage, but I do know a number of people (think Mundie) who probably could.

    We should petition Microsoft to Open Source IIS, purely as a matter of self defence.

    --
    Got time? Spend some of it coding or testing
  254. Re:Worms and market share by Cato · · Score: 2

    I agree about stability of Win2000 - it's a lot better on my laptop, but I still manage to crash it occasionally (most recently when launching Outlook). I don't remember ever managing to crash a Linux or Solaris box.

  255. Re:From cringely's article by bughunter · · Score: 2
    No, I suspect that the cure Cringely is teasing us with is a countervirus.

    If these putzadmins can't or won't patch the holes, then a "white hat" virus can use the same holes to apply the patches.

    I'm not endorsing it, just making a prediction. (But it does have its elegance.)

    --

    --
    I can see the fnords!
  256. 60 % Apache is not all unix by johnjones · · Score: 2

    you don't have to run unix to run apache the win32 port is dreadfully easy and comes with lots of docs

    I run it when I want to be quick and dirty on an NT box with the win32 port of perl for CGI so that webfools can get to grips with things rather than screw up my systems

    regards

    john jones

  257. Is W2K really stable though? by Medievalist · · Score: 2

    /.
    When NT came out, it was supposed to be based on code stolen from the VMS system, which has truly phenomenal stability - equaled only by a few linux kernels. The advertising, and the legions of MS-shills in userland (who at that time were gunning for OS/2) gleefully proclaimed that NT was stable enough for the enterprise.
    I tested NT extensively and found that 3.51 was basically stable enough for user desktops - it crashed about as often as a Macintosh. But the computer press behaved exactly as they do today in regards to W2K - "It's uncrashable! Rock-solid! No more BSOD!" ranted the pundits.
    When 4.0 shipped, suddenly the previously "rock solid" NT 3.51 was not a stable platform - you had to upgrade to 4.0 to get the exact same empty promises and gleeful raving. My tests showed no phenomenal improvement, however.
    So, perhaps W2K is really stable and wonderful and all that nice warm fuzzy stuff. But, fool me once, shame on you; fool me twice - shame on me. I won't be buying W2K because I have known working alternatives from sources that have not abused my trust.
    --Charlie

    PS - HP (vendors of the unbelievably horrible HP-UX) were advertising Windows NT using the word uncrashable only a year ago. Just now a quick search on Google turned up numerous instances of this egregiously fraudulent claim... are W2k's promises likely to be any different?
    --CTB

  258. Re:Why all the public hullaballoo by GregWebb · · Score: 2

    I'm getting irritated on this one, too. My userbase is only just into double figures, but I've had something like 20% of them ask me if they have to do anything to their machines to guard against this. On this scale it's only an irritation - but it's daft.

    If they'd only prefixed the bulletins with a simple rider that this only affects website operators (to word it for the users, remember) and that home PCs are fine, this would be better. Users wouldn't be panicking for no good reason, we'd all have a more peaceful world.

    Why can't people think harder?

    --

    Greg

    (Inside a nuclear plant)
    Aaaarrrggh! Run! The canary has mutated!

  259. Re:From cringely's article by gmhowell · · Score: 2

    I suspect this is the cure.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  260. Re:Mis-set clocks? by handorf · · Score: 2

    No, he really goes off on the off-clock machines.


    As long as even one of these clockless machines remains up and running, Code Red will start over on the first of every month. Forever.


    I don't know WHERE he gets that idea. As long as ANY machines still have the worm and ANY machines remain unhardened, we'll still have this problem.

    BAD JOURNALIST! NO BISCUIT!

    --
    -- IANAEG - I am not an elder god.
  261. IIS Explained by macsforever2001 · · Score: 2

    I just cracked the advanced *32-bit* encryption scheme used on Microsoft IIS with my hi-tech Pentium processor - even with the logic bug. Boy did it heat up my apartment doing all those calculations - I have the AC on and it's the dead of Winter here in Siberia! I found out this *top secret* information from the source code about what IIS stands for:

    • Is It Serving?
    • Idiotic Information Server
    • I Ignore Standards
    • I'd Invest in Sun
    • It Is Stupid
    • It Irritates Sysadmins
    • It Irritates Surfers
    • Information Is Stopped
  262. Re:Mis-set clocks? by gorilla · · Score: 2

    No, he's a proponent of promoting Steve Gibson. One year it might be polymorphic viruses are going to kill all our computers, the next Linux is going to kill the internet.

  263. Re:Mis-set clocks? by gorilla · · Score: 2
    And Cringely is just reposting Gibson's alert, and Gibson has shown himself to be clueless.

    As The Register pointed out, if the clock is mis-set so that it's in infection mode, then it's just going to find that the servers it infects AREN'T in infection mode, so the whole mis-set clock thing is a red herring.

  264. Re:My favorite bit of misinformation: China denial by Xenna · · Score: 2

    Come on, I wouldn't believe anything Chinese officials say, but I definitely wouldn't believe anything any Worm-author would like me to believe either.

    If I were a nerdy Slashdot-reading Worm-writer I would probably think it a good idea to frame the Chinese. And start my infection spree by attacking some Chinese servers first. Next time he'll try Saddam or Milosevic (I heard those stupid Dutch gave him a computer in his cell).

    Why the White House? Simply because it makes for a more visible target, publicity is what these guys are after.

    Of course it could be the (a?) Chinese, but it could be anyone else on the planet with the necessary skills.

    Regards,
    Xenna

    Disclaimer: The fact that I have a Chinese girlfriend does not influence my opinion in the least. And, no, it wasn't me.

  265. People still don't know by macdaddy · · Score: 2
    What really gets me is that many people (read: Admins) still don't know about this worm. With all the publicity it's gotten they still don't know. Never mind the fact that the problem is known to the point that a patch has been officially released (for about a month and a half now) and that these people still haven't gotten around to installing it yet. That's incompetent if you ask me. IMHO every person should be accountable for any machine they put on the Internet. They should be responsible for at least the basic security practices. I had a friend who had his car stolen a few years back. The insurance company wouldn't honor his claim because in the police report he told the cops that he didn't lock the doors. The insurance company had a clause that stated that the owner was responsible for the basic security precautions and they gave a short list of no brainers. Locking the doors was one of them. Not leaving the keys in the ignition or in plain sight through a window was another. I think similar things should be applied to publicly accessible machines. I just don't know how something like this would be enforced. Any ideas?

    --

    1. Re:People still don't know by macdaddy · · Score: 2
      What in the world are you talking about?

      --

  266. Re:Worms and market share by prizog · · Score: 2

    OTOH, almost every Unix box on the net has Perl these days, so, except for some bootstrapping code, it could be network independent. Also, compilers (and cross-compilers) are more prevalent.

  267. Re:Worms and market share by prizog · · Score: 2

    "Why don't you try writing a virus or worm that knows enough about each of the various *nix OSes, and the versions of Apache they are running, to infect them all. "

    s/Apache/Sendmail and Robert T. Morris did it over 10 years ago.

  268. Re:What would be incredibly funny... by cr0sh · · Score: 2

    You know it and I know it, and I am certain that most people here on /. know it, too.

    I tend to wonder if these "viruses" we have been seeing are merely "shots across the bow", so to speak. I mean - why hasn't a virus as you described come out yet?

    Most of the source code to these viruses is available for free, if you know where to search.

    It is obvious that MS products are buggy, full of holes to exploit, and rarely patched - not to mention that users of the systems tend to be lazy and ignorant about security precautions - constantly clicking to see the next naked Britney Spears image - so why haven't we seen true chaos yet?

    Worldcom - Generation Duh!

    --
    Reason is the Path to God - Anon
  269. Re:What would be incredibly funny... by cr0sh · · Score: 2

    Actually, I probably am good enough to do this under Windows - but I hate M$'s business practices, and their software is shit.

    I am a Linux "convert" - I run SuSE Linux 7.2 at home, currently learning Perl. At work I do VB and Java coding. I have seen the code of the ILoveYou virus - it is dead simple. I am certain these other "viruses" are similar in scope. I am aware of various virus coding sites, and I keep up from time to time on the "underground" - side hobby of mine.

    I could probably patch together such a "virus" as described, and even release it without leaving behind a "trail". The only thing keeping me from doing anything like this is that I know ultimately it wouldn't benefit anybody, not even myself - and would be unlikely to affect Microsoft, either. All it would cause would be anger, lost time, and money. So why do it? Of course, all of these other viruses out there do the same thing - so someone either is really fucked up in the head, or there must be some kind of motive.

    Boggles me...

    Worldcom - Generation Duh!

    --
    Reason is the Path to God - Anon
  270. This is not new by wiredog · · Score: 2

    When the Morris worm hit, around 10 years ago (IIRC), it was on all the major newscasts, and on the front page of many papers.

  271. Not that serious by alteridem · · Score: 2
    Hey, this isn't as serious as they make it out to be. The government is just concerned because they were stupid and chose Microsoft servers and probably think that's what most people use. The truth is though that Microsoft only accounts for 20% of the servers out there, but Apache runs on 63% (see Netcraft Web Survey)

    With any luck, this will just wipe Microsoft servers off the map. Check back next month to see Apache hit >70% on the Web Server Survey.

    1. Re:Not that serious by MrBogus · · Score: 3

      Netcraft's numbers do not apply to this situation -- they tally *public* webservers *by domain*, which means it ignores virtual hosts and load balanced configurations. Since the worm attacks on the IP address level, I think you'd find there's significantly more IIS _servers_ out there than the 20% of IIS _domains_ number indicates.

      Second, Microsoft has a large market of intranet servers and client machines running IIS for some reason or another. That's a significant amount of mayhem that doesn't show up in Netcraft's reports at all.

      --

      When I hear the word 'innovation', I reach for my pistol.
  272. Maybe it will change peoples minds about Microsoft by alteridem · · Score: 2
    Funny, another highly visible vulnerability in a Microsoft operating system. You think that sometime soon, people would start waking up and choose a more secure and efficient OS for important servers (like BSD or Linux of course.) There is an old adage that 'nobody can get fired for buying Microsoft' (used to be IBM). Well, maybe it's time that changed.

    When people make statements like this;

    The government relies on Microsoft and other technology companies to secure everything from defence networks to financial systems.

    and then call this worm,

    the largest ever dangers to the Internet.

    and then go on to state

    Code Red exploits a flaw discovered in June in Microsoft's Internet Information Services software used on Internet servers. It is found in Windows' NT and 2000 operating systems.

    When are people going to put the pieces together and start holding the people that choose Microsoft and maybe even Microsoft responsible for these things?

    Of course this is only a pipe dream. There are too many people out there willing to believe Microsoft's propaganda.

  273. That's not the case by alteridem · · Score: 2

    Maybe you should check out the figures at Netcraft's Survey. Apache runs on over 63% of the web servers out there and MS IIS is only on 20%. I would bet that most of those Apache servers are running BSD, Linux or Solaris. The only reason that Microsoft has such a large share is that it takes a few Windows servers to do the work of one Linux server, so companies deploy more of them for their websites. Look at Microsoft's own attempts

  274. Deadline, Cringely!! by anticypher · · Score: 2

    [EDITOR] "Cringely, you useless fuckhead! It's deadline! Just make something up, 90% of your readership is so clueless, they won't know the difference. Ignore the 10% who have a clue, they won't bother reading our site for much longer."

    Although he mostly misses the point, especially about how any single unpatched server will somehow relaunch CodeRed every month, I'll agree that port 25 probes are on the increase here. But as more and more machines are patched, the problems and reinfections from this particular worm will eventually become lost in the noise. I am looking forward to new, better written nasty IIS worms over the next few months.

    It can be retargetted from whitehouse.gov to ... cringely.com in an instant.

    Thanks for the idea. Now, which bit is it that makes CodeRed attack forever? And which bits to change the target? :-)

    the AC
    [too much karma interferes with your tantric energy, time to troll]

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  275. Use the Preview Button! by anticypher · · Score: 2

    (Use the Preview Button! Check those URLs! Don't forget the http://!)

    Doh! Port 80. Self-LART applied.

    [obPitifulExcuse: was working on sendmail/procmail/qmail/postfix/dns interaction on one screen, watching port 80 probe counts coming in on another screen, and reading /. on another screen.]

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  276. shut down the internet? by British · · Score: 2

    Shut down the internet?

    No more X-10 popup ads!

    No more AOL kiddies!

    This just might be the Internet Clean Up day we have been needing for a while.

  277. Re:Not a surprise to everyone by LinuxHam · · Score: 2

    Patrick,

    I *really* appreciate your recognition of my post. Unfortunately, my thoughts were discredited yesterday when I first got the ISS alert stating that several security firms have tried the clock-forwarding test, and they were *never* able to get the worm to reawaken. I guess I didn't deserve the "5; Insightful" after all :)

    I never did think that it could be rereleased tonight at 8ET to get started again, but even with the 2,000 hosts with the misconfigured clocks still trying to spread the worm, the first few hours won't be as devastating as the image I painted -- a hundred thousand hosts or more kicking it into high gear all within a few minutes of each other.

    I'm excited, so I'll be up late tonight to see how it's going. Thanks again for the recognition. Most appreciated! :)
    --
    Steve Jackson

    --
    Intelligent Life on Earth
  278. The Internet will "cease to exist" ? by theEd · · Score: 2
    As of July 2001 IIS only represented ~25% of the web servers on the Internet. So even if Code Red achieved 100% infection (highly unlikely), about 3/4 of the web would be untouched. Explain to me how this would cause the Internet to cease to exist.

    Besides, don't think of it as a virus, but rather "natural selection" in the digital world :)

    --
    "And now you shall learn the secret of boot to the head"
    1. Re:The Internet will "cease to exist" ? by SuiteSisterMary · · Score: 3

      Think about 25 percent of the servers on the internet constantly sending out a stream of crap against random websites, not to mention clogging up the wires as they search in vain for more servers to infect. In other words, imagine if 25 percent of the servers on the internet were suddenly acting like SlashDot... Don't forget also that the attack affects various web-enabled machines, such as certain Cisco routers, HP LaserJets, and the like.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  279. die, monster devil, die! by nobody/incognito · · Score: 2

    i am really looking forward to midnight uct tonight -- it's a code red party!

    we'll have all our packet sniffers running full tilt and plan to laugh and laugh at all the losers running iis! die! die! die!

    nobody

    --
    parturiunt montes, nascetur ridiculus mus
  280. Vigilante style? by Marasmus · · Score: 2

    The government has turned down the prospects of creating a counter-worm, but any decently-experienced assembly programmer with sockets experience could just disassemble the current worm, make a number of changes, and release the worm on a time-skewed box. A really crafty assembly programmer could even keep the binary size of the worm the same, so in case the worm has some self-check mechanism, it won't notice any difference. I personally wouldn't mind seeing this fire fought with fire - Let the anti-worm run its course for a month, and then have it destroy itself. That would wipe out the vast majority of the code-red virus.

    It is a really rash and dangerous tactic, but considering the scenario that a number of people are expecting from this worm, are there really any other effective options?

    --
    .... um, i lost you after "0110100001101001".
  281. No email to infected owners? by SirSlud · · Score: 2

    .. where in, Sir Slud's suspicion that humans are dumber than rocks is confirmed: They decided NOT to email the owners of infected webservers. I'm guessing they felt that those server admins have far more important emails to read, like "MAKE $$$ IN A WEEK - TRUE STORIES FROM PEOPLE LIKE YOU"?

    --
    "Old man yells at systemd"
  282. What would be incredibly funny... by BlueUnderwear · · Score: 2
    ... would be a chimera made of "Code Red", "Seven Dwarves", and of course our friend "Sircam":
    • It would spread like Code Red by exploiting the hole in IIS
    • Like "7 Dwarves" it would be field-upgradable. Indeed, rumors are that the "7 Dwarves" virus has code in it to check certain newsgroups for messages signed with a certain cryptographic key. If it finds any, it can download them to patch itself to add new "functionality". This new functionality could be new payload, new exploits, new boilerplate text for the e-mails, whatever...
    • And, last but not least, from the infected IIS servers, it would send a barrage of e-mails to addresses harvested from Usenet or wherever, which would carry a Sircam-like payload...
    --
    Say no to software patents.
    1. Re:What would be incredibly funny... by BlueUnderwear · · Score: 2
      > so why haven't we seen true chaos yet?

      Probably because the people having the motivation to do so, don't necessarily have the skills... Hey, if you were good enough at Windows programming that you could do such a beast (even by piecing it together from existing parts...), would you want to rush the demise of that platform that you're so good at?

      --
      Say no to software patents.
    2. Re:What would be incredibly funny... by BlueUnderwear · · Score: 2

      Very interesting... I especially love the irony of using alt.comp.virus for this... However, from this page, it looks as if the virus itself can upload those plugins too... which would mean that the virus would actually have the private key needed for signing them. Which means that somebody could reverse engineer the virus, and then build a plugin which would disable the virus :-(

      --
      Say no to software patents.
  283. Re:The Entire Internet Will cease to exist... by EyesOfNostradamus · · Score: 2
    > Someone to feed my family for me.

    Hey, even after the dot-bomb crash of 2000, the software engineer's job market is still roaring. Just look around, I'm certain there are enough Linux-friendly employers in your area too.

  284. Re:Why all the public hullaballoo by AugstWest · · Score: 2

    This kills me -- install Redhat, choose the custom option, then DE-select "Web Server."

    Run through the rest of the install, and... tada, apache was installed anyway.

  285. Re:Oooo..... let's bash Microsoft! Yeah! by mesocyclone · · Score: 2
    This is getting to be an inadequate defense. If anybody else shipped products that required hundreds of thousands of people, including nontechnical consumers, to fix it every two weeks, they would have no business. And the consumers (as opposed to big-deal webmasters) never even get informed that *they* might have a problem. Furthermore, if the result of their inattention caused havoc on a major piece of infrastructure, the offending manufacturer would be torn to pieces by the media and government.

    The only reason that Microsoft gets away with this is the technical ignorance of the news media.

    --

    The only good weather is bad weather.

  286. Re:Worms and market share by Kishar · · Score: 2

    That's the sort of damned pedantry up with which I will not put.
    (STR)
    --

  287. Does Cringely know anything about computers? by treat · · Score: 2
    He says

    These 2,000 IIS servers are ones with broken clocks. They have no idea what the date is, so they are still in infection mode. The only good news here is that these machines never know to turn from infection to attack, either.

    If the clocks are set wrong and the machines are currently in infection mode, the machines will switch to attack mode when the clock says to. Does he really think you can have a computer with a "broken clock" that literally means it doesn't increment time within at least a few percent of the correct rate?

  288. Hmm or better yet... by Greyfox · · Score: 2

    Modify the Code Red code to install the IIS security patch and reboot the system...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  289. Can't They... by Greyfox · · Score: 2

    Can't the backbones do some routing thing and reroute traffic to the targeted address to /dev/null (Or better yet, someplace in China?) You can do a lot of cool stuff as a backbone provider. I remember one time when an MCI engineer accidentally routed all their traffic through one router in Mexico...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  290. Please cut the sensationalist crap. by TomatoMan · · Score: 2

    Michael, how on earth can you justify linking the phrase (the entire internet will) "cease to exist" to the article Washington sounds alarm over "Code Red" worm virus, when the article itself says or implies no such thing?

    You might as well link the phrase "alien attack imminent" or "Elvis seen in Redmond" - it has as much to do with the story as your title suggested. Of course, most people won't read the story, they'll just remember the catchy phrase that "the internet might cease to exist" - how exciting! - and that they read it first on slashdot.

    Code Red is a pretty serious situation as it stands; we don't need to mislead people while we talk about it.

    TomatoMan

    --
    -- http://frobnosticate.com
    1. Re:Please cut the sensationalist crap. by Anonymous Coward · · Score: 3

      I think it may have been irony?

  291. Re:I find this a bit offensive. by TomatoMan · · Score: 2

    Did you read the article, or just get offended that UNIX and NT were mentioned in the same sentence?

    Maybe you should read it before you get huffy. It contains generic steps for establishing and reviewing security policies, and then a methodical approach to recovering control. They add this useful link to all of their security advisories dealing with topics relating to the possibility of system compromises.

    TomatoMan

    --
    -- http://frobnosticate.com
  292. Re:The Entire Internet Will cease to exist... by Sc00ter · · Score: 2
    The problem isn't that everybody uses IIS, it's just that there are enough IIS servers to create enough traffic to cause latency issues.


    --

  293. Variants by HunterRose · · Score: 2

    All these news agencies rave about the more effective variants out there. Does anyone actually know what's been changed other than the random number gen?

  294. Re:CNN this morning by BradleyUffner · · Score: 2

    I think you can be infected even with index server not running. The .DLLs are still used by IIS. At least I think that's what I read somewhere.
    =\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\ =\=\=\=\=\=\

  295. Re:FFS, doesn't anyone here... by john@iastate.edu · · Score: 2
    If this thing truly is cyclical (not just a one-month-wonder), then it seems to me that the N systems out there with mis-set clocks have been infecting other systems most of which are now sitting quiet, and on the 1st all those quietly infected systems will go into scanning mode. This will be the seed for August -- will this be a big number or a small number?

    Judging from the apparent lack of action by IIS sysadmins on this campus (or perhaps they're just procrastinating) I'd suggest a significant percentage of machines are still unpatched.

    So my guess is the curve will start faster this time, but reach a lower peak (because surely somebody has to have applied the patch).

    --
    Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
  296. Code Red Sci-Am article by mikeage · · Score: 2
    Although I'm normally somewhat of a fan of CPM's articles, I think this one was just a _little_ weird... the Chinese did it to get back at us? It might be the US government trying to frame the Chinese? I know she doesn't make these claims, just quotes others, but still... not every crackpot idea has to be covered.

    Other than that, quite an interesting article ;)... I wonder who they'll have write the "more in-depth" article referenced at the bottom of the article. Speaking of which... quick poll.. how many of y'all read that far to see that section? ;) (yes, the only way I got this so fast is by reading the article yesterday... if you subscribe to happyhacker@yahoogroups.com, you got this yesterday).

    --
    -- Is "Sig" copyrighted by www.sig.com?
  297. Better yet - the reboot virus by Aceticon · · Score: 2
    Just do an IIS worm that spreads in exactly the same way as the Code Red worm (the same code base can be used).
    • First it has a propagation period in which it spreads using 199 threads (we got to improve on the code red thing some way).
    • Next phase starts at a synchronized moment (using some web available Atomic Clock) and reboots Windows.
    Ideally all Windows machines with unpatched IIS in the whole world would be down for a couple of minutes - that should flush the little bugger...
  298. Re:Gibson may be extreme, but he does have a point by starseeker · · Score: 2

    "I don't want to flame you here (you did say you are not a security expert), but usually worms are not just simple scripts (nor even non-word viruses); on unix-systems they may (and have) been scripts to be more portable, but there isn't anything simple in them either. As to email being required... for decades (since first worms were created, early 80s?) worms have been able to use other network connections than email. That's the case with CR; variety is good for viruses and worms. Spreading using attachments is easy (some might say lame...) way to spread, but bit too obvious. Easy to implement, though, which is why it has been a popular approach."

    Thanks for not flaming me, it's appreciated. I expressed myself badly - I didn't mean they were simple to code. What I meant was that once people see things like ILOVEYOU or Melissa in action, it's fairly simple to devise countermeasures and alert people what to watch for. What I'm afraid of is something that isn't so easy to watch for or warn people to be on the lookout for. Despite the obviousness of the attachment viri and the repeated warnings, a lot of damage was done. My school had to shut down email for a while during a couple of the outbreaks. Something more subtle yet just as universal would be scary.

    "I guess I just disagree with doomsday prophecies like this. Even though I don't want to appear like a MS-bashing zealot, I must say that Microsoft is now paying for putting security related issues on rather low priority for years. There's a lot that have been done by other companies and organizations (Java-security model by Sun, xBSD code inspections to build reasonably secure server OSes, etc. etc); Microsoft just didn't think potential risks were big enough. They have been proven wrong... and hopefully have started paying more attention."

    I didn't really mean to sound like a doomsday prophet - I don't actually think what I described will come to pass. What I am saying is that there appears to be no fundamental reason it can't happen, if some nut takes the time and effort. That means we have to think more carefully about how we implement the next generations of network and computer technology. We don't even want a remote chance for something like this to exist. Sort of like nuclear bombs - I don't think anyone would actually launch one, but you still want to make sure you can respond if they do.

    As for Microsoft, I'm quite sure they are going to pay more attention, but at this point I'm not sure what they are going to do about it. There are already so many computers out there that have to be fixed and maintained, fixing their new stuff won't do a whole lot for quite a while. People use what works, and whatever its faults Windows 95/98/Me does work for a lot of people. So they will be reluctant to fix bugs, because there is always the chance that it will break something. Also, Microsoft only keeps selling new versions of their OS by adding more features. That is often at odds with security, but they need to make money. It's a problem.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  299. Reminds me of my '94 NANOG T-Shirt by Prof_Dagoski · · Score: 2

    Which sez "Repent, the Internet Will Collapse in 8(crossed out) 7 Days". So, CodeRed is the Internet's crisis du jour. Has anyone noticed that the Net seems to beat the odds makers every time? Meanwhile, the SciAM article is unreal. Talk about paranoid speculation and exaggeration. "The only remedy is total isolation". C'mon. It's the same as always, don't use outlook, and don't open unknown attachments. And, don't use windows unless you have no better choice. In terms of net traffic, yeah, that's a bummer, but hardly a show stopper. The Internet will be bogged down as this thing waxes, but it'll go away. There is one point the SciAM article makes that is worth paying attention to: the need to get ready for the next one. So far, no one has written a worm designed to launch denial of service attacks against backbone routers. This type of attack could be very dangerous. However, it would require a lot of knowledge about the current architecture of the Internet, and a good understanding of the TCP/IP protocols. Luckily most of the script kiddies out there haven't read David Comer's series on TCP/IP, but it's only a matter of time before we get someone knowledgeable and malicious.

  300. Media Hysteria?!?! by ayjay29 · · Score: 2

    This cracks me up!

    The BBC had their ActionMan Nick Bryant on the scene at the RipTech Computer Center in Washington with a camera crew and a live satellite link up. They are T+ 4 hours, and the conversation goes a bit like this:

    Nick: Well, computer expert, what's happening?
    Expert: Well, actually, nothing.
    Nick: Do you think it's over-hyped by the media?
    Expert: Um, well... Yes...

    Check the article or the RealVideo

    --
    Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
  301. Re:CNN this morning by demo9orgon · · Score: 2
    Think CNN performed a disservice?

    At least they had the balls to mention the evil M$ empire and their flaky server/services. ABC was a gelded wonder this morning and didn't mention any of the following words in their "the sky is falling because of the Code Red worm" hysteria:

    • Microsoft
    • Internet Information Server (IIS)
    • Windows NT
    • Windows 2000
    Any layperson who was hearing about this issue for the first time would think that there was something malicious out there just disrupting the Internet in general, but they wouldn't have a clue about how, or why. And listening to spoo-brained dullards muse about who was responsible or where the worm came from was a joke.

    What really made me want to shift into Nordic Stormgod Mode and beat the assholes within inches of their ignorant lives was the line

    • "Just reboot the machine and the worm will go away."
    I watch both the "Free" as in "through the air" and "Pay" as in "Holy crap they raised my cable bill again!? Damn Icehole sucking bastiges!" news services, and the lies of omission coming from the free side are shameful.

    And what really sucked was listening to the newsreader/MC lie repeatedly about how he broke his wrist (hey, that isn't news!).

    It all just goes to prove that it's not about news, it's about entertainment...and dodging the pit of lawyers large corporations have while giving Joe Public his morning brainwashing. Ahhh...lemony freshness.

    Personally, I think the worm was the right thing to do. It exposed a closed-software tendency to create backdoors into a long-duration service which would permit government/M$/and anyone who knew about the weakness to exploit it.

    Sysadmins are supposed to be smart people. What M$ has done is screw a couple hundred, maybe even tens of thousands of them. What I'm waiting for is an even bigger backlash at the Sysadmin level, where the words,

    • "We're not going to deploy on Internet Information Server because it has no security and there's no accountability for it from the vendor."
    will be commonplace and more and more server farms will silently shift to *nix and Apache, and all those M$ developer subscriptions (useless firehoses of CDs and nifty binders to hold them) will silently wither away, and M$ zealots will not have their marketing mail answered and will endure mono-syllabic responses to their phone calls from smart people who have a right to be royally pissed. If there's no accountability, then why bother with a pay-to-play solution?

    I look forward to the day when M$ server products are reviled for the exploits they are. Sure it may take a while, but somewhere out there right now several clever people are enjoying themselves, having made at least a partially successful run with this last worm, and will probably have the code for an inline resolver to use with the next worm.

    --
    Every new form of media has it's own Requirimento
  302. self-defense by peccary · · Score: 2

    I think that Bush should just sign an executive order making it legal to take out any machine trying to infect you with CodeRed, on the grounds that it's self-defense (of other innocent standers-by, obviously). Just like if I see a rapist attacking a lady at the bus-stop, I can probably legally kill him. We should be able to do the same thing re: CodeRed.

    It wouldn't last too long, in that case.

  303. Re:CNN this morning by MrBogus · · Score: 2

    > What really made me want to shift into Nordic Stormgod Mode and beat the assholes within inches of their ignorant lives was the line "Just reboot the machine and the worm will go away."

    Well, the worst thing about all of this hype is that it's not being directed towards fixing the root problem -- the fact that IIS ships with WAY WAY too much stuff turned on by default.

    My guess is that 99% of the people infected by Code Red didn't need Index Server running in the first place. So, they'll patch (or worse, reboot) and go on their merry way. Until the next bi-monthly (not much of an exaggeration) Index Server bug is found in which case they are screwed again.

    Repeat for FrontPage, Internet Printing, Remote Data, and all of the other mostly unused crap that out-of-box IIS has. The correct security advice should be:

    1) Turn all of this stuff off if you aren't using it. (And if you can't figure out how, turn the web server off and get the hell away from it.)
    2) Patch only if you need the affected software.

    --

    When I hear the word 'innovation', I reach for my pistol.
  304. Re:No IP telephony for Robert X. Cringely by wishus · · Score: 2

    IP telephony doesn't need the internet - just an IP network.

    Carriers build their own IP networks so they can control / monitor traffic and guarantee QoS.


    ---

  305. Re:No IP telephony for Robert X. Cringely by wishus · · Score: 2

    Yes, you are correct.

    And let us not forget those fly-by-night operations that use the internet to lob calls overseas for cheap rates meanwhile escaping regulation as a telephone carrier.
    ---

  306. Idiots in journalism by InfinityWpi · · Score: 2

    According to the Yahoo story, Code Red was named after a soft drink preferred by programmers...

    Excuse me? The Code Red drink hasn't been around long enough to be preferred by programmers... don't you think it's far more likely to say that 'Code Red' was chosen simply to make people think it's more dangerous than it really is?

    They also blame the thing on the Chinese... sure, if a virus made to DoS the White House puts text saying 'Hacked By Chinese' on your screen, you're going to believe it? Just like all those guys on Counter-Strike servers a few months ago talking about Wang Wei were really Chinese, too...

    Journalists are so -gullible- when they're trying to start a panic...

    1. Re:Idiots in journalism by InfinityWpi · · Score: 2

      *sigh* I really need to remember to research everything before making comments about journalism... this is why I'd never make it as a reporter. I stand corrected.

      Still can't believe everyone's decided it's either the Chinese or a US frame-job, tho...

    2. Re:Idiots in journalism by 11223 · · Score: 2

      Thanks for the warning. I've been meaning to try it but neither the machines here at work nor the machines at school carry it. I'll stay away.

    3. Re:Idiots in journalism by phil+reed · · Score: 3

      The fellows at eEye, who are the ones who found the IIS hole, and then found and analyzed the worm called it Code Red, because they drank copious quantities of Code Red Mountain Dew while they worked on it. Check the archives at SecurityFocus.


      ...phil

      --

      ...phil
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
    4. Re:Idiots in journalism by astrosmash · · Score: 3
      > Excuse me? The Code Red drink hasn't been around long enough to be preferred by programmers... don't you think it's far more likely to say that 'Code Red' was chosen simply to make people think it's more dangerous than it really is?

      No. The guys (from eEye Security) who initially reverse engineered the worm were drinking Code Red at the time, so that's what they named the worm.

      --
      ENDUT! HOCH HECH!
  307. Prayer for the Red by fishbonez · · Score: 2
    Oh Great and Mighty Keeper of the Code, we beseech thee. Save us from thy wrath. For it is the bane of our media-hyped existence. Oh to watcheth the cable news and not see thy handiwork whipped into a feeding frenzy.

    And lead us not unto insecure NT boxes. For it is here in the fertile ground of evil that thy demon seed takes root. We, the Children of Linux, ask only that you keep our Linux safe and secure. And that you limit thy wrath to the unfaithful heathens of NT. Amen, brethren.

    --
    Frylock: That's not a toy!
    Master Shake: You say that about everything you own. You should own toys. They're fun.
  308. Re:Mis-set clocks? by Erasmus+Darwin · · Score: 2
    It's not picking up where it left off, it's starting over infecting the internet almost from scratch, so it should be the same thing as last time.

    Except that last time, (as I understand it) the infection window was relatively short before it kicked over into attack mode. Also, due to the Cisco problem, the infection time is a bit of a DoS attack itself.

    I don't expect doom and gloom (especially with the page defacement and probes making it easier to identify compromised hosts), but I do expect it to be at least a little different from last time.

  309. Serious to a fault by SubtleNuance · · Score: 2

    "The Internet has become indispensable to our national security and economic well-being," said Ron Dick, head of the National Infrastructure Protection Centre, an arm of the FBI. "Worms like Code Red pose a distinct threat to the Internet."

    You think things are bad for hackers now, wait until all the clueless masses start seeing the Internet as a battlefield - you only have to say 'National Security' in America to get the public inspired to go to war, whatever the cost... god help us.

    "hacked by Chinese" oh brother - might as well say "hacked by the godless communist hordes out to destroy the american way of life and enslave you! Defend America from the Red Menace!"

    What laws will the Plutocrats pass now in order to defend the Internet from life outside their precious economy. I am personally not that alarmed with trojans or worms. The world can live without the internet - our desire to have zero random variations in all things (our lawns, our parks, our workplaces the internet), removing all acts of fancy/folly and chaos (in a good sense) has shaded our eyes from the important goals. So what if the Internet shuts down for a few days?

    Frankly, the world needs a little random excitement... Much in life is arbitrary, a game if you will, let's not get too serious about all this, try and think about this in a more situationist manner.

  310. InfoWorld Cringely is not PBS Cringely by satch89450 · · Score: 2

    Not that it makes much difference, but there are two Robert X. Cringely people in the world. Cram (no, I'm not going to use his real name) wrote the column for InfoWorld for years, then broke away from IW and IDG and took the name to new heights.

    Meanwhile, back at InfoWorld, another member of the staff has picked up the moniker and writes it.

    That doesn't invalidate your statement, though, that his infamy is due more to who he knows than what he knows -- but the PBS Cringe does know quite a bit on his own. (I used to work with him.)

  311. Plenty of commercialization to go around. by shokk · · Score: 2

    Remember the next time you hear about a virus and see a vendor offering a free fixit, that the link to download that fixit is on the same page with an ad for their virus protection. No free deed is done without some small ulterior motive on the net or anywhere else.

    In the case of the worm, every time MS offers a patch, you're deeper in their hooks, when you should instead be finally fed up and refuse to operate with such irresponsibly assembled solutions. Only when you've pushed MS to produce something that can be thought of as secure, or gone over to Apache will you be out of the Code Red cycle. No, Apache is not free of holes, but when they appear I see a much stronger effort in that group to hunting it down and telling everyone that they had better upgrade NOW.

    Yes, it might not be a simple thing to have to go and recompile Apache vs downloading the next patch and rebooting, but think about what you buy for that convenience. Just because something is cheaper doesn't make it better, and I'm not just talking about $$$.

    --
    "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
  312. Re:The Entire Internet Will cease to exist... by Chundra · · Score: 2

    And of course we all know what this means. Unreal Tournament will be practically unplayable over dsl.
    --

  313. Dynamic View of a Webserver Log File by BigBlockMopar · · Score: 2

    For all those Slashdotters who don't have access to webserver logs and therefore can't see the Code Red worm searching for victim hosts, check out this dynamically created view of my log file. For legibility, a reverse lookup is done on the incoming visitors.

    The party should start shortly after 8 PM Eastern time tonight.

    --
    Fire and Meat. Yummy.
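
Watching a web server log for the worm's probes, as the post above describes, can be automated. The following is an added example, not code from the thread or from any poster: it assumes NCSA Common Log Format, that the probes target the Index Server script mappings `.ida`/`.idq` (the mapping comment 323 says to remove), and a hypothetical 200-character query-length threshold; the log lines and request paths are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# NCSA Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)

# Assumption: Index Server requests are identified by these script mappings.
INDEX_EXTENSIONS = (".ida", ".idq")
# Assumption: a query string this long on such a request is an overflow
# probe rather than a real search. Tune against your own traffic.
MIN_QUERY_LEN = 200


def is_index_probe(target):
    """True if the request target hits an Index Server mapping with an oversized query."""
    path, _, query = target.partition("?")
    return path.lower().endswith(INDEX_EXTENSIONS) and len(query) >= MIN_QUERY_LEN


def summarize(lines):
    """Return ({host: {count, first, last}}, number_of_unparseable_lines)."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    skipped = 0
    for line in lines:
        m = CLF.match(line.strip())
        if m is None:
            skipped += 1          # keep count so silent parse failures are visible
            continue
        if not is_index_probe(m.group("target")):
            continue
        try:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            skipped += 1
            continue
        entry = hits[m.group("host")]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(hits), skipped


def report(hits):
    """One line per probing host, busiest first."""
    rows = sorted(hits.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [
        f'{host} {d["count"]} {d["first"].isoformat()} {d["last"].isoformat()}'
        for host, d in rows
    ]


# Constructed sample input (documentation address ranges, filler padding).
PAD = "A" * 240
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Aug/2001:20:03:11 -0400] "GET /sample.ida?{PAD}=a HTTP/1.0" 404 205',
    '198.51.100.7 - - [01/Aug/2001:20:03:40 -0400] "GET /index.html HTTP/1.0" 200 5120',
    f'192.0.2.10 - - [01/Aug/2001:20:09:02 -0400] "GET /sample.ida?{PAD}=a HTTP/1.0" 404 205',
    f'203.0.113.99 - - [01/Aug/2001:20:10:15 -0400] "GET /scripts/search.idq?{PAD} HTTP/1.0" 404 205',
    # Short query on the same mapping: a normal request, not flagged.
    '198.51.100.7 - - [01/Aug/2001:20:11:00 -0400] "GET /help.ida?topic=1 HTTP/1.0" 404 205',
    # Truncated line: counted as skipped instead of being dropped silently.
    'garbage line with no structure',
]

if __name__ == "__main__":
    found, bad = summarize(SAMPLE_LOG)
    for row in report(found):
        print(row)
    print(f"unparseable lines: {bad}")
```

A 404 status on these requests, as in the sample, means the server has no such mapping to hit; the same request answered by an IIS host with the mapping enabled is the case that needs follow-up.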
  314. Where's the poll? by scott1853 · · Score: 2
    How many people think:

    Nothing terrible will happen.

    The Internet will die

    Cowboy Neal will die

    Please note that I said think not wish

  315. This could be bad! by quintessent · · Score: 2

    Someday, they might nickname this catastrophe, " Y2K-2! "

  316. cease to exist? Great! bulletin boards here I come by Billly+Gates · · Score: 2

    I would love to see hailstorm and .net fail. I also miss the days of CompuServe and dialing bbs's. I find receiving any information that I need on the Internet difficult. It's cluttered and way too big. The search engines only look for words and key phrases and not content. The reason AOL is so popular is that everything is organized. Sure its slow and unreliable but the productivity is incredible. With the web you have to search and know where to look.

    Anyway, I highly doubt this will happen. The backbone may become saturated but UUNet definitely can deal with this. Even if the Internet pauses or even goes down, you can always reboot the routers. After the Internet connection is idle for a certain period of time the NT servers will assume its down and stop sending packets out on the web.

  317. Re:a taste of what's to come by TOTKChief · · Score: 2
    > When are people going to get the hint that despite all their propaganda, Microsoft is not good for anyone.

    No, let's make that, "When are people going to get the hint that, despite the conveniences, relying on one entity for the management of data or other assets is not good for anyone."

  318. Is your server on 'the patch'? by tenzig_112 · · Score: 2
    My server has been eight kinds of agitated today.

    I wonder why?

    I cannot [nor do I possess the patience to] count the number of desktop users who have demanded that I install the patch on their machines before it "hax0rz the white house gibson" and gets them put in jail. They seem more worried that the virus will drown the Net and cause their multiplayer game of Hearts to be interrupted.

    Thankfully our Content-O-Matic server is in the clear. No one writes decent viruses for the DRDOS Http Daemon anymore. A shame, really.

  319. The whole internet could crash ... by Mr_Silver · · Score: 2
    Before Microsoft the web was nothing!

    Now after they've finished, there will be nothing left!

    What an accolade! :o)

    --

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
  320. Just government looking for an excuse... by sdo1 · · Score: 2
    To quote the smh article...
    In an unprecedented show of force against an extremely virulent Internet attack, government and private officials will tomorrow implore worldwide organisations to protect themselves from the "Code Red" worm.

    In a not-so-unprecedented show of FUD, the government is finally getting the boogey man they so desperately need in order to swing public opinion toward the side of deepening regulation of the internet.

    -S

    --
    --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
  321. Distribute Patch via Worm by devnullkac · · Score: 2

    If there are so many web masters out there who refuse to protect themselves, perhaps someone knowledgeable could take it upon themselves to write a worm which installs the patch to close this security hole.

    Volunteers?

    --
    What do you mean they cut the power? How can they cut the power, man? They're animals!
  322. Re:Why all the public hullaballoo by Auckerman · · Score: 2
    "The general public, for the most part can do nothing to stop this. It is sysadmins and those running servers who need to pay attention."

    I was talking to someone today, and they mentioned that one of their web servers (IIS) was hax0r3d and defaced, to which I replied, "I hope the sys admin loses their job for that". The guy was astonished and actually asked why! Good Lord, has it really come to that? He thought it was ridiculous to fire someone over a hack, cause "that kind of thing can't be stopped". Is it really that hard to install publicly available patches? Is it really that much of a pain to keep up with security bulletins?

    The Navy (or Air Force?) actually turned off their servers to avoid this! If the sys-admins of our armed forces are so fucking stupid as to NOT apply patches immediately, is there any hope?

    --

    Burn Hollywood Burn
  323. Oooo..... let's bash Microsoft! Yeah! by rabtech · · Score: 2


    Let me recount two very important facts before everyone starts jumping all over Microsoft.

    1) If you had followed the security checklist for IIS 4/5, you would not be vulnerable. The checklist instructs you to go over the server mappings and remove any that are unnecessary, including the one for Index Server.

    2) If you were on the Microsoft Product Security Bulletin mailing list, you would have gotten a notice back in early June about this, downloaded the patch, and installed it. Thus, you would not be vulnerable.

    This is not a case of Microsoft shipping something insecure by default (although such a case can be made for other issues in the past). This is a case of the most common programming mistake made by C++ programmers the world over: a buffer overflow. Buffer overflows have been found in every single OS currently in use, which includes Linux and *BSD. Some have even been root exploits.

    Please... go to http://www.microsoft.com/technet/security/

    There are a number of checklists, tools, and downloads that can be used to harden any IIS webserver to the point that it is virtually uncrackable. Of course I must add the virtual part, because there is ALWAYS a chance that ANY system connected to ANY network can be compromised. There is no such thing as 100% security; we can only get really close.

    I now return you to your regularly scheduled zealotry.


    -- russ

    --
    Natural != (nontoxic || beneficial)
  324. It could have been much worse.... by canning · · Score: 2
    Then, at midnight, all Code Red zombies quit searching for new victims. Instead the horde of enthralled computers all focused on flooding one of the servers that hosts the Slashdot Web site with junk connections threatening its shutdown. "Slashdot essentially turned off one of its two DNS servers, saying that any requests to slashdot.org should be rerouted to the other server," says Jimmy Kuo, a Network Associates's McAfee fellow who assisted Slashdot in finding a solution. Luckily, Code Red couldn't cope with the newly altered address and waged war on the inactive site. "The public didn't notice anything because any requests went to the other server," Kuo says. We feel that this is payback for the numerous servers the "Slashdot Effect" has ground to a halt. The author of this worm has made it personal.

    --
    I love the smell of Karma in the morning
  325. No IP telephony for Robert X. Cringely by hillct · · Score: 2
    I particularly like this quote from Cringely:
    And what happens on the 20th, when the attack cycle begins? It depends on the number of infected machines and the nature of the chosen target, but the worst case says the Internet simply comes to a standstill and we go back to watching TV and talking on the phone until the 28th day of the month and potentially until every 28th day of the month thereafter.
    So we will simply stop using the internet and instead watch TV and talk on the phone, huh? Gee. Where does that leave IP telephony? Telecom industry analysts have criticized the major players (Nortel Networks, Cisco Systems) in this industry for sinking so much money into IP telephony too soon, and blame this for the telecom equipment market downturn. If Cringely is right, the IP telephony market may never get its chance to prove itself... but at least we'll still be able to talk on the phone.

    --CTH
    --

    --Got Lists? | Top 95 Star Wars Line
  326. Interesting Quote: by einhverfr · · Score: 2
    "The question for security enthusiasts and professionals alike is, how do we prepare for what's around the corner?"

    IMO. DMZs with good firewalls, monitoring outbound as well as inbound... Laws mandating it. Switching to Linux is not the answer, as much as I like open source, because it too can be attacked (just not as easily, and the same user problems could exist there as well). Good firewall design is the only way, and I think that anyone with an internet server of any kind should use some sort of firewall, at least for monitoring...

    Sig: Tell all your friends NOT to download the Advanced Ebook Processor:

    --

    LedgerSMB: Open source Accounting/ERP
  327. I always knew... by Lobsang · · Score: 2

    Yes, I always knew Microsoft would destroy the internet one day! Either by incompetence or by... incompetence (what else?). :))

  328. If only there was this much attention... by baptiste · · Score: 2
    when the original hole was found :)

    I can't figure out all this chicken little/sky is falling media coverage (well hey, it's yet another SCARY Internet story, but still). CNN had an article that kinda made me chuckle. It was a story on ISS founder and "worm splattering" "worm hunter" Chris Klaus. It talked about how the 'patch may not hold'. What a great thing to be telling everyone. If a new version of the worm hits and spreads like wildfire, it will be due to a new vulnerability I'd expect. Amazing how mainstream media tries to cover situations like this.

    As for the real threat, I expect there will be a large # of infections tonight/tomorrow. Why? Just look at the analysis at CAIDA. They found that the majority of servers infected were from domains used primarily by small businesses and residential users (@home, etc). While many of these will have patched themselves, I'm sure many just restarted when problems arose and the problem went away - problem solved. I mean that's standard MO with a Microsoft OS - if it starts acting strangely, reboot.

    The good news is, perhaps ISPs have been able to put plans in place to try and block the worm from spreading. Only time will tell.

    Don't get me wrong - I think publicizing this issue is a good thing. But I expect that the problem will not be as awful as the media is trying to portray (Internet slowdown, websites knocked offline, etc).

    Of course on the flip side - we know that the patch won't be applied to every IIS server out there - what will be done and by whom to track down and eradicate the remaining servers that are still infected or are being reinfected day after day? I'd expect the ISPs, but given the service level of many DSL and cable providers - you have to wonder if they'll all pursue this diligently unless the courts get involved (yuck).

  329. Re:CNN this morning by cavemanf16 · · Score: 2

    What's really sad is that this kind of 30 second 'news spot' does it for the majority of people. Most could care less what the details are these days. And not just on tech related news, I'm talkin' 'bout all sorts of news: political, social, worldwide, etc. Needless to say, here's just one more reason why I'm changing all my really confidential and important stuff to Linux, and I don't give my allegiance to any one large, bloated, political party.

  330. Re:Mis-set clocks? by Rogerborg · · Score: 2
    • It isn't a bug that Windows requires rebooting every few days, it's a security feature.

    You chuckle, but it actually says in the MSDN docs that the Windows NT family suffers from the "problem" that it doesn't fall over or have to be rebooted as often as Win9x. When applications crash out and leak memory, you don't get it back, so you really should encourage users to reboot every few days.

    I put my hand on my heart and swear that this is true.

    --
    If you were blocking sigs, you wouldn't have to read this.
  331. Re:Why all the public hullaballoo by Rogerborg · · Score: 2
    • First, prove to the world that end-to-end is broken. Then, advance proposals to fix it.

    If there's one thing our media has taught us, it's that no technical problem takes more than 60 seconds of random typing on a laptop to solve, as long as there are enough A list stars, guns and blowjobs involved.

    --
    If you were blocking sigs, you wouldn't have to read this.
  332. The Entire Internet Will cease to exist... by loconet · · Score: 2

    The Entire Internet uses IIS??

    --
    [alk]
    1. Re:The Entire Internet Will cease to exist... by masoncooper · · Score: 2

      The way I see it, since a patched IIS server is no longer vulnerable, I see these infecting waves hitting a smaller and smaller amount of unpatched IIS servers due to (hopefully) the admins seeing their defaced site and getting off their butts to patch it. Eventually the numbers will drop low enough to not affect any noticeable amount. Of course by then, all the admins realize they were totally raped by M$ and move to Apache and join the rest of the world.

    2. Re:The Entire Internet Will cease to exist... by peccary · · Score: 3

      The problem was that there were just enough Cisco routers running down-rev software that crashed when you send "GET ?" to port 80. Fix those, and the Internet will be fine. The traffic is a non-issue.

    3. Re:The Entire Internet Will cease to exist... by sorinm · · Score: 4

      And then another bug will be discovered, and then another worm will start spreading and so forth. The only solution to this (IMHO) is not to shut down whatever network or to put another patch or even to switch to Apache. The solution is to stop the false idea that using computers is easy. It is not, it requires work and study. Those who are merely pushing buttons on screen should quit computers or pay more attention. Having a networked computer is a responsibility and people should learn that. "Easy use" of computers is the virus, not Code Red. Sorin M

  333. Productivity Conspiracy ! by beanerspace · · Score: 2
    GAD ! If the Internet shuts down, I'll actually have to do some real work on my computer !!!

    If I didn't know any better, I'd think Code Red and similar viri are the product of conspiracy put into place by pointy-heads of management-types to keep us from our Constitutional right to goof-off ! !

  334. blew another chance to make millions ! by beanerspace · · Score: 2

    Darn ! If I would have known this issue was going to recycle, I would have modified some old Y2K tripe with "Code Red" stuff, bought some time on some religious broadcasting network and made beaucoup dollars peddling fear to survivalist-types.

  335. Re:I find this a bit offensive. by Anomynous+Cowand · · Score: 2
    I've read the article, but that's not my point. My point is one of "first impressions" -- the title simply gives one the first impression that UNIX and Windows are both similarly insecure.

    Yes, they both have some weaknesses, and yes, the aforementioned common practices apply to both. And yes, there are both good and bad system admins working on both UNIX and Windows boxes. My complaint is the simple juxtaposition of listing UNIX first in what is a uniquely IIS fault. It gives one the incorrect impression that UNIX may somehow need to be improved to make up for the Code Red attack.

    Truthfully, the article is so full of "If UNIX else if Microsoft" clauses that if it were an object under my control, I'd split it into two articles: one for securing UNIX and one for securing Windows.

  336. I find this a bit offensive. by Anomynous+Cowand · · Score: 2
    CERT's page has this to say under the III Solutions section:
    If you believe a host under your control has been compromised, you may wish to refer to Steps for Recovering from a UNIX or NT System Compromise
    So, they've given UNIX first billing on a distinctly Microsoft problem? Spin! Spin!
  337. Re:Steve Gibson Made this Worse by The+Jboy · · Score: 2

    has it occurred to anyone that this guy is a closet hacker himself? like the old saying, the criminal returns to the scene of the crime...what better way of getting attention? write a virus, talk about how terrible it is on TV, watch it die, lather, rinse repeat. Jboy

  338. Re:Best-case scenario by Hallow · · Score: 3

    Umm. ColdFusion server runs on linux. Sure, you can't use studio, but the lack of a text editor's not necessarily a reason to abandon the platform. The docs are all HTML, install in windows, copy the docs over.

  339. Help from your friendly unix/linux webmaster? by hrm · · Score: 3
    I had an idea for a simple little program that can help sort out this Code Red mess. I'm not aware of any existing program that does this and unfortunately lack the time to write it myself -- even though it's probably not beyond my rudimentary bash skills, it's that simple -- so I'll just present the idea here in the hope that someone will pick it up (or shoot it down in flames if it sucks :-).

    What I propose is a GPL'd shell/python/perl script that "grep"s the apache/thttpd/whatever access log for "default.ida" requests, and logs the requesting site name/ip to a file. Sort | uniq this file for good measure, then send a friendly message to the webmaster at this site, stating at least the following points:

    • an apology in case this is the 50th mail of this nature that the admin receives (possible, because I recall that an infected host contacts about 100 semi-random targets), and point out that there's no way for the sender to know that in advance.
    • that their host has probably been infected by the Code Red worm, or a mutation thereof (you should grep for "default.ida" only and not "www.worm.com" as well, as mutations are not likely to use that string). Also quote the access log line, to be complete.
    • briefly point out that this is not a hoax, as can be seen from these mainstream press articles (link, link, link).
    • point to the microsoft patch.
    • warn them to look into the problem in case it's a new strain of Code Red (for example, a disk-resident one that can't be flushed by a reboot).
    • put in a plug for free software :-). Make it a friendly and useful kind of microsoft bashing for a change...
    • link to the author and source of the program that was used to generate this mail, for review and troubleshooting of the program.

    Running this a few times a day, and keeping track of the sites that we've mailed already to avoid duplicates, should give semi-awake (i.e. reading mail, but not patching their system regularly) IIS admins some friendly help.

    What do you think?

  340. Not a surprise to everyone by p3d0 · · Score: 3

    Apparently this guy saw it coming.
    --

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  341. a taste of what's to come by Lxy · · Score: 3

    I hate to criticize .NET since I am by no means the expert on the subject. Think about if .NET actually succeeds. Every PC, PDA, cell phone, and dog collar will be running a Microsoft OS and accessing its data over .NET. What happens when the .NET version of Code Red comes out? What then? All my data is wrapped up in .NET. Everything I do is on a server somewhere but the wireless .NET is too bottlenecked for me to get to it. It's a sign of things to come. Companies put many $$ into Microsoft software and constantly have to upgrade to keep a virus from systematically destroying their entire network. When are people going to get the hint that despite all their propaganda, Microsoft is not good for anyone?

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
  342. CNN this morning by iso · · Score: 3

    I saw the "special report" on CNN this morning. Pretty standard stuff for a non-technical news show but what was funny (or disturbing, depending on your take) was when the "technology expert" said that "a simple re-boot" would solve the problem in the near-term. He went on to say that regular reboots (on your servers) are a "good idea," as it's like "cleansing your system." The host agreed and said she solves all her computer problems with a reboot :).

    They took a while to explain that only Windows NT/2000 are at risk while Windows 98/Me are not. No mention of any other alternatives besides Windows of course (I guess that's too much to ask :). Of course what I can't believe is that they're still talking about this! Are there that many admins that still haven't patched this?

    - j

    1. Re:CNN this morning by chompz · · Score: 3

      You ask about admins still not patching this? Take five seconds and ask yourself of all of the webservers you know, how many of them are on a network with a full time administrator? You think it's all of them, don't you. No, it isn't. The companies which we need to really worry about are the ones like the webdesign company my girlfriend works for. They have a server, but they have no on-staff administrators. ZERO! If something goes wrong with their server(s) they call the owner of the company's kid, who doesn't know anything at all about security; he manages to know a few simple things about computer hardware, but not that a motherboard with an AGP1x does not work well with AGPPro cards.

      I alerted them to being infected by several IIS worms and security compromises, and they still haven't patched.

      They just don't have a clue.

      --
      Spring is here. Don't believe me, look outside!
  343. Code Red Sci-Am article by mikeage · · Score: 3
    Although I'm normally somewhat of a fan of CPM's articles, I think this one was just a _little_ weird... the Chinese did it to get back at us? It might be the US government trying to frame the Chinese? I know she doesn't make these claims, just quotes others, but still... not every crackpot idea has to be covered.

    Other than that, quite an interesting article ;).

    --
    -- Is "Sig" copyrighted by www.sig.com?
  344. Microsoft should be held responsible for this by Animats · · Score: 3
    It's time for companies that distribute bad software to take responsibility for it.

    A class action against Microsoft would be appropriate, in that it is a defect in a Microsoft product that made it possible. The class action should be led by non-Microsoft users impacted by the problem, so EULA issues are irrelevant.

    Where's the plaintiff's bar when you need them?

  345. Re:Steve Gibson Made this Worse by SuiteSisterMary · · Score: 3

    Don't forget, Steve Gibson is the guy who managed to make a 13 year old kid in a chat room, writing code that opens a socket, sends a few IRC commands (the hardest being the Ping/Pong set) and accepts a few commands sound like some sort of Big Black Voodoo Priest, sitting upon a throne carved from human bone, piecing together zombies from heaps of human corpses and sending them out to do his evil work.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  346. Best-case scenario by legLess · · Score: 3
    A friend of mine runs a Cold Fusion/NT website, and has IIS installed on his home box for development. I called him last week to alert him to this thing, and it was the final straw. He dragged an old P133 out of the closet and installed Mandrake, Apache and PHP on it. Now he's migrating his site away from Cold Fusion.

    There are a few points of interest here:

    • First, as we've all been saying, Microsoft's security flaws are hitting them where it hurts - market share.
    • Second, this guy had *never* used Linux before (although he'd seen me use it, and we've talked about it for a long time). In less than 3 days he started from scratch and got a running development machine. This is evidence of a huge step forward for Linux usability.
    • Third, Allaire/Macromedia just lost a customer. Microsoft is not a safe bet in many applications, and tying yourself to them will hurt in the long run.


    "We all say so, so it must be true!"
    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
  347. They should call it "code redmond"... by iconnor · · Score: 3

    then at least I would know that it didn't apply to any of my servers. Instead, I have to read through a few paragraphs of crap before it gets to the "IIS security flaw" line.

  348. Fatal Infections by Srin+Tuar · · Score: 3

    Analogous to real virii and worms, those that destroy their host too quickly don't spread.

    Those that don't spread die off.

    Making a system unbootable doesn't destroy the data on the hard drive. But if the data on the hard drive is destroyed- the admin will reboot.

    The computer is now offline and the worm gets no more opportunities to spread.

    A common way to overcome this is to set a logic bomb: have the worm set a cutoff date after which it becomes destructive. The problem with this approach is that it allows people time to patch their systems.

    A good compromise would be to make the system unbootable immediately- with a boot loader that wipes the harddrive. Then set a logic bomb with a cutoff date after which data gets deleted.

    It's tricky though. A good twist may be to rearrange some dll's in the filesystem- to cause patches to fail. Also setting up a backdoor vector for reinfestation. Then at least 3 subtly different versions would have to be released simultaneously.

    It's a lot harder than it sounds. And not worth it really.

  349. Maybe we should send Al Gore a wreath.... by doctor_oktagon · · Score: 3

    ... and a card with our Condolences to mark the death of his "child".

  350. Re:Worms and market share by Auckerman · · Score: 3
    "Part of the reason Microsoft has so many hackers and skr1pt k1ddi3s after them is because Windows is so wide spread."

    As the previous writer clearly stated, and you clearly missed, this is just not the case with IIS. Since IIS has LESS marketshare than Apache one would expect Apache to have this kind of problem and not IIS, but it doesn't (All of which the previous poster stated).

    Part of the reason Windows is so widespread is because Windows is stable (in an API sense, and in a reliability sense as far as W2K is concerned), and easy to write for

    You misspelt "Part of the reason Windows virii are so widespread...."

    Which you would have partially correct, but mostly wrong. W2K is MORE stable than previous Windows, yes, but nowhere near as stable as the traditional Unixes. Windows API could NEVER be described as stable since upgrading Windows almost always breaks something important (my CD burner, for example, which works in OS X, but not WinME). This is the reason many people are still on NT4 SP3/4. If they move up to SP6 or W2k, something important breaks. This is a big reason why Windows is taken down so much. The other part you addressed with the "easy to write for" comment. VB is easy to learn (compared to Unix scripting) and can be learned on a desktop machine before one begins coding for IIS. You can use VB for all sorts of things, including scripting the breaking into of systems, so that some 9 yr old on AOL can break into Windows machines all day long...

    --

    Burn Hollywood Burn
  351. idiocy of Hong Kong's media by jsse · · Score: 3

    Media here told the public Code Red would infect all computers. They simply ignore the fact that Code Red infects only IIS 5 server.

    A local lead moron - the president of Hong Kong Computer Society, a branch of British CS, told the public that in order to protect yourself from virus, we all should update the latest virus signature and do not switch on computers. I'm sure all their members would feel shame of their president's cluelessness.

    Scott Adams is right, idiots, morons and clueless people are defining the reality.

  352. FFS, doesn't anyone here... by imipak · · Score: 3
    ...read Incidents list?? Check this out. ( http://www.securityfocus.com/templates/archive.pike?fromthread=1&end=2001-07-21&list=75&mid=198320&start=2001-07-15&threads=1& ). It's a proper mathematical analysis of the spread of the worm, by someone who knows what they're talking about (unlike Steve Gibson.) Be afraid. Think about what it would be like if this was an Apache or Sendmail hole.

    Turn a non-tech hobby into your career.
    --

  353. ITS BAAAAAAAACK!!!!~ by baptiste · · Score: 3
    Sure enough - decided I'd start some log traces on my (Apache) servers and watch for anything .ida. Sure enough, the scans are starting already, though this looks like a different variant: instead of default.ida, it's x.ida?AAAA...

    [baptiste@surfboard httpd]$ tail -f access_log | grep .ida
    136.176.193.29 - - [31/Jul/2001:17:10:49 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAA[lame filter snip]AA=X HTTP/1.1" 404 280
    136.176.193.29 - - [31/Jul/2001:17:12:42 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[lame filter snip]AA=X HTTP/1.1" 404 280

    Should be an interesting evening. Interesting that I got hit twice from the same IP a few minutes apart.

  354. Or not... [Re:ITS BAAAAAAAACK!!!!~] by baptiste · · Score: 3

    Turns out that this signature is probably from the eEye CodeRed scanner to identify vulnerable hosts. Interesting that they seemed to show up after 5PM from various places.
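
The log check proposed in comment 339, extended to handle the x.ida requests shown in comment 353, as an added example that is not code from any poster in this thread. It matches on the parsed request path instead of a substring, reports each source host once, and skips hosts already notified; the sample log lines, addresses and placeholder links are constructed for illustration.

```python
import re
from collections import OrderedDict

# Common Log Format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# 20 or more repeats of one character in the query string (filler padding)
PADDING_RE = re.compile(r'(.)\1{19,}')

# Constructed sample log. Addresses are documentation ranges and the query
# strings are harmless filler, not a real payload.
FILL = "A" * 40
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jul/2001:17:10:49 -0400] "GET /default.ida?%s=a HTTP/1.0" 404 280' % FILL,
    '198.51.100.7 - - [31/Jul/2001:17:12:42 -0400] "GET /x.ida?%s=X HTTP/1.1" 404 280' % FILL,
    '192.0.2.10 - - [31/Jul/2001:17:15:01 -0400] "GET /default.ida?%s=a HTTP/1.0" 404 280' % FILL,
    '203.0.113.5 - - [31/Jul/2001:17:16:30 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [31/Jul/2001:17:17:02 -0400] "GET /default.ida?%s=a HTTP/1.0" 404 280' % FILL,
    'garbage line that is not in log format',
    '198.51.100.20 - - [31/Jul/2001:17:18:11 -0400] "GET /docs/idaho.html HTTP/1.1" 200 900',
]


def parse_line(line):
    """Return host, timestamp, path and query for one log line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("request").split(" ")
    if len(parts) < 2:                      # no request target at all
        return None
    path, _, query = parts[1].partition("?")
    return {"host": m.group("host"), "ts": m.group("ts"),
            "path": path, "query": query, "line": line.strip()}


def classify(path):
    """'default.ida', 'other .ida', or None when the path is not an .ida page."""
    lowered = path.lower()
    if not lowered.endswith(".ida"):        # /docs/idaho.html must not match
        return None
    name = lowered.rsplit("/", 1)[-1]
    return "default.ida" if name == "default.ida" else "other .ida"


def scan(lines, already_notified=()):
    """Group .ida requests by source host, skipping hosts already notified."""
    skip = set(already_notified)
    found = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] in skip:
            continue
        kind = classify(rec["path"])
        if kind is None:
            continue
        entry = found.setdefault(rec["host"], {
            "kind": kind, "hits": 0, "first_seen": rec["ts"],
            "padded": False, "evidence": rec["line"]})
        entry["hits"] += 1
        if PADDING_RE.search(rec["query"]):
            entry["padded"] = True
        if kind == "default.ida" and entry["kind"] != kind:
            entry["kind"] = kind            # prefer the stronger indicator
            entry["evidence"] = rec["line"]
    return found


def render_notice(host, entry):
    """Build the notification text; links are placeholders to fill in."""
    if entry["kind"] == "default.ida":
        reason = "This matches the request the Code Red worm sends to IIS servers."
    else:
        reason = "This may be a vulnerability scanner rather than the worm itself."
    return "\n".join([
        "To the administrator of %s:" % host,
        "Our web server logged %d request(s) from your host for an .ida page, "
        "first seen %s." % (entry["hits"], entry["first_seen"]),
        reason,
        "Access log line: " + entry["evidence"],
        "Patch: <link to the vendor patch>",
        "Generated by: <link to this script's source>",
    ])


if __name__ == "__main__":
    for host, entry in scan(SAMPLE_LOG, already_notified={"203.0.113.9"}).items():
        print(render_notice(host, entry))
        print()
```

The notice text is only built here, not sent; how and whether to deliver it is left to the operator.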

  355. Prepare for the Stone Age! by LittleGuy · · Score: 3

    If the Internet Ceases, then society will regress to the point when you can only create pr0n from whatever scraps you can find in the dilapidated ruins of New York City.

    --
    Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
  356. Re:Steve Gibson Made this Worse by tb3 · · Score: 3
    Yep, 'journalists' seem to have forgotten how to 'consider the source' and blithely believe everything handed to them. I love the way the Reg trashes Gibson, but I wish somebody in the mainstream would pick up on the other side of the story.

    Along the same lines, am I the only person who has a problem with Cringely? After watching his PBS show about building an airplane in thirty days, I was convinced the guy has more money than brains, and that his infamy is due more to who he knows than what he knows.

    --

    www.lucernesys.com Horizon: Calendar-based personal finance

  357. IIS: Why it is Used, Why it's buggy. by Strangely+Unbiased · · Score: 3

    IIS: It Isn't Secure.

    But no, really I can tell you why IIS is still a choice as a web server, and also I'll tell you why it is so insecure.
    (WARNING: As Always, IMHO).
    IIS is still a choice because:
    a) You can teach virtually anyone to perform simple administration on an IIS server.
    b) You don't need to use a command prompt (no, it doesn't really scare people, they just tend to believe it's such a fuss to make things work.)
    c) It comes with Windows 2000/NT (if you had a choice to 'Run Your Very Own Web Server(R)' while running MS Office and games, without having to boot to another OS, what would you think would be better?). The fact that It's There(r) is also extremely important; otherwise, people who had to use a Windows server would use Apache for Win32 instead.
    d) It's a breeze to install and enable (incorrectly, of course; there is plenty of configuring and patching you can do on IIS to make it safe/er, but no-one seems to bother: 'Who would try to hack ME?')
    e) It means that it'll be easier for you to migrate to .NET later. That one's a very good reason. If the world DOES jump on the .NET bandwagon, would you like to stay behind (don't think '.NET port to Linux')? Could be very bad for business. On the other hand, if .NET doesn't work out, you can always jump to Apache.

    Now, why IIS is insecure:
    a) Do you remember how long it took Microsoft to realise the Internet was going to be the next big thing? That hurt them. Sure, they did release a web server (their lamest ever -- IIS 2.0), but it was behind its time. IIS 4.0 was their first proper attempt, and while it worked, Microsoft had a lot to learn about security. They had to release patches constantly to help the poor early-adopters (nobody knew it was going to be so open), which, unfortunately, were quite a lot. IIS continued to grow, as it fitted the bill as a method to extend businesses with a Windows/NT infrastructure to the Internet. So, now we have 20% of the Internet running IIS.
    b) IIS is also insecure because 50% of its sysadmins are idiots. 50%, not all of them, not none of them. 50%. Now, if you pushed a *nix sysadmin to run IIS (you would have to push real hard though), you would get a web server (being configured and patched correctly) which would totally evade most (if not all) of the IIS hacking frenzies and DoS attacks of the past 2 years. Including Code Red (the MS patch for that buffer overflow bug was published a few months ago. The wise IIS sysadmins noticed.).
    c) Remember, IIS is young. It's about 6-7 years old, but it wasn't taken seriously since Windows NT 4.0, 4-5 years ago. As with Windows 2000, the time for IIS to become a proper, feasible solution is longer than that. And isn't Apache much older (please enlighten)?
    And how will IIS become secure?
    IIS 6.0 will be the first IIS to be reasonably secure, IMHO of course. Because it will incorporate all the fixes until now (quite a lot, shouldn't they be running out of bugs?) , but most importantly because it will patch itself (that's what I heard anyway).
    Now for your opinion: Will IIS 6.0 be a proper web server? Think about it and don't reject it: There wasn't a single reason to consider it if you were happily running the latest version of Apache, but now there is: .NET.

    Think, think, and then post. And please correct me if I'm wrong. Thank you.

    Oh and some things I'd like to point out, because some people get it wrong:
    a) When you install Windows 2000 OR WinNT 4, it won't install IIS. Not even with full install. You have to install it separately AFTER the OS installation is complete, so people know when it's installed.
    b) The Internet won't cease to exist, and this isn't a conspiracy by Microsoft (probably).

    --


    There is no such thing as 'world peace'.
  358. Mis-set clocks? by Violet+Null · · Score: 3

    Cringely tells us that the true threat is servers with mis-set clocks

    No, Cringely mentions 2,000 IIS servers that are still in "infection" mode because they have mis-set clocks. The real "problem" is that disassembly of the worm indicates that it might have a monthly cycle, instead of being a one shot wonder; y'know, when the other x00,000 IIS servers join in again.

    1. Re:Mis-set clocks? by RedHat+Rocky · · Score: 5

      My God, I just realized that the worm's creator was obviously a man with an ex-girlfriend. It has a monthly cycle. It spends the 2/3rds of the month putting its nose in where it doesn't belong. It then spends the remaining 1/3 of the month on a complete lashing-out, bitchfest.

      Gads. Couldn't he have just gotten drunk instead?

      --
      Anything is possible given time and money.
    2. Re:Mis-set clocks? by mike260 · · Score: 5

      The real "problem" is that disassembly of the worm indicates that it might have a monthly cycle, instead of being a one shot wonder; y'know, when the other x00,000 IIS servers join in again.

      IIRC, the worm is memory-resident-only and therefore can't survive a reboot. It's not picking up where it left off, it's starting over infecting the internet almost from scratch, so it should be the same thing as last time. Except that this time everyone's forewarned.

      Microsoft knew it all along: It isn't a bug that Windows requires rebooting every few days, it's a security feature.

  359. They seem to be making a real publicity effort by kiwimate · · Score: 3

    I got the following mail from MS yesterday. (The ironic part is I initially was suspicious because the subject line was in all caps -- how rude!)

    The following is a Security Bulletin from the Microsoft Product Security Notification Service.

    Please do not reply to this message, as it was sent from an unattended mailbox.

    -----BEGIN PGP SIGNED MESSAGE-----

    The Microsoft Security Response Center, along with other organizations listed below, is jointly publishing this alert that ALL IIS ADMINISTRATORS ARE ASKED TO READ

    A Very Real and Present Threat to the Internet: July 31 Deadline For Action

    Summary:

    The Code Red Worm and mutations of the worm pose a continued and serious threat to Internet users. Immediate action is required to combat this threat. Users who have deployed software that is vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must install, if they have not done so already, a vital security patch.

    How Big Is The Problem?

    On July 19, the Code Red worm infected more than 250,000 systems in just 9 hours. The worm scans the Internet, identifies vulnerable systems, and infects these systems by installing itself. Each newly installed worm joins all the others causing the rate of scanning to grow rapidly. This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems. Code Red is likely to start spreading again on July 31st, 2001 8:00 PM EDT and has mutated so that it may be even more dangerous. This spread has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, email and entertainment.

    Who Must Act?

    Every organization or person who has Windows NT or Windows 2000 systems AND the IIS web server software may be vulnerable. IIS is installed automatically for many applications. If you are not certain, follow the instructions attached to determine whether you are running IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, or Windows Me, there is no action that you need to take in response to this alert.

    What To Do If You Are Vulnerable?

    a. To rid your machine of the current worm, reboot your computer.
    b. To protect your system from re-infection:
    Install Microsoft's patch for the Code Red vulnerability problem:

    - - Windows NT version 4.0:

    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

    - - Windows 2000 Professional, Server and Advanced Server:

    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

    Step-by-step instructions for these actions are posted at

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codeptch.asp

    Microsoft's description of the patch and its installation, and the vulnerability it addresses is posted at:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

    Because of the importance of this threat, this alert is being made jointly by:

    Microsoft
    The National Infrastructure Protection Center
    Federal Computer Incident Response Center (FedCIRC)
    Information Technology Association of America (ITAA)
    CERT Coordination Center
    SANS Institute
    Internet Security Systems
    Internet Security Alliance


  360. Re:Why all the public hullaballoo by Tim+Doran · · Score: 4

    Talk about FUD - here's a quote, from Scientific American, no less: "Imagine a cold that kills. It spreads rapidly and indiscriminately through droplets in the air, and you think you're absolutely healthy until you begin to sneeze. Your only protection is complete, impossible isolation,"

    WOW! That sounds awful! Run for the hills!

    But wait - imagine that a vaccine for the cold has been available for months. You could get vaccinated just by logging into a website.

    Oh, and once you're infected, all you need to do is take a nap (ie. reboot) and you're healthy again.

    What a load of scare-mongering. SciAm should know better.

  361. From cringely's article by wiredog · · Score: 4
    while there is a solution ... many people will see the cure as being nearly as bad as the disease

    I suspect this is the cure.

  362. Browser feature request by First+Person · · Score: 4

    If any Mozilla developers are listening, I have a request. I'd like a version which displays a visible icon every time I log onto an IIS server. Then, if I double click the icon, it could list a selection of 'counter measures' such as CodeRed which I might deploy. These might use a plug-in architecture and be downloadable from sites using other browsers.


    Thanks for listening.

    --
    Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
  363. Headline Contest? by Dr_Cheeks · · Score: 4
    So what happened with the headline contest from last time Code Red shook its groove thing all over the net? Did I win (yeah, right)?

    Perhaps this could be a monthly competition. Assuming, of course, that anyone can get through the infection storm to post to it.

    Oh, and I'd like to propose a name for the inevitable next worm that just won't die - The Lazarus Worm. Cool, eh?

    --

  364. Why all the public hullaballoo by Random_Eyes · · Score: 4
    The general public, for the most part can do nothing to stop this. It is sysadmins and those running servers who need to pay attention.

    Why then is this threat suddenly everywhere?

    They're FUDing the Net!

    The logic is simple. Business wants a new manageable internet. First, prove to the world that end-to-end is broken. Then, advance proposals to fix it.

    Waiting for the other shoe to drop. . .

  365. Great marketing ploy by T1girl · · Score: 4

    Can you think of a better marketing ploy to make your soft drink sound hip and edgy and get the name plastered all over the media? This could be even better for free publicity and name recognition than the Verizon strike.

    Vote today for Dilbert's list of Top 869 Things Programmers Are Least Likely To Say.

  366. Re:Worms and market share by rabtech · · Score: 4

    Sorry, but Apache mostly runs on *nix systems... anything from Linux to Solaris to FreeBSD.

    Why don't you try writing a virus or worm that knows enough about each of the various *nix OSes, and the versions of Apache they are running, to infect them all.

    Part of the reason Windows is so widespread is because Windows is stable (in an API sense, and in a reliability sense as far as W2K is concerned), and easy to write for.

    Part of the reason Microsoft has so many hackers and skr1pt k1ddi3s after them is because Windows is so widespread.
    -- russ

    --
    Natural != (nontoxic || beneficial)
  367. Steve Gibson Made this Worse by cyphon · · Score: 4
    The only reason that the media is still hyping about this is because Steve Gibson is wailing like a little bitch about things like: Raw sockets, and "Logarithmic Axis Graphs".

    Gimme a break.

    Stevie boy is very insane, but he generates hype, which generates headlines, which makes the media look good. So wake up you government and corporate morons. The world will not come to an end. And Steve Gibson is not the prophet of the internet world.

    1. Re:Steve Gibson Made this Worse by agallagh42 · · Score: 5

      The Register has a good summary of Gibson's ravings here

      --
      Carpe Cerevisi - Seize the Beer
  368. Worms and market share by jmv · · Score: 5

    It's funny that every time a Windows worm/virus propagates and (of course) Linux and other UNIX are not affected, it's just because they don't have much market share and nobody bothers writing a virus for an OS like Linux. Now, it's IIS that's being hit. If it were only about market share, Apache would get twice as much virii/worms as IIS, right? Maybe the most important factor after all is the number of security breaches in a product and not market share.

  369. Gibson may be extreme, but he does have a point by starseeker · · Score: 5

    While I'd agree that he may be overly paranoid, I do share the opinion that the internet is extremely vulnerable right now, although not necessarily for the reasons he states.

    I am not a professional security expert, but I do know my fellow computer users. They will take convenience over security every time until something Really Bad happens to their system. Then they will pay money to solve the problem, be alert for several months, and gradually relax as the problem doesn't reappear. Their knowledge of security may extend as far as knowing to update Norton Antivirus every once in a while.

    We are fortunate that most virus writers are not the most skilled programmers in the world. Or, perhaps more likely, they have restrained themselves in order to avoid completely destroying their playground.

    Think about this for a minute. It is easy to conceive of ways in which much more damage could be done to the internet than has already been done. If I recall correctly, the ILOVEYOU virus deleted jpgs from hard drives. The worst result I am aware of from this is a commercial image database being wiped out. Now, imagine what would have happened if dlls had been attacked as well. Unbootable computers, applications and system software destroyed beyond repair short of total reinstall, etc. Most Windows machines out there have no file permissions system set up. NT does, but how many DOS based systems are still out there, and still hold critical work?

    The problem with security is not that we don't know what to do. The problem is that so many of us don't do anything. That is what alarms Gibson, and in that he is correct. There are so many machines not being properly managed that damage is inevitable. And all of us are impacted by this in one way or another, unless everyone you deal with has good security. If that is true, you are lucky. For me, it is not.

    Up until now, we have dealt mainly with simple scripts whose workings are obvious. However, here is some food for thought. Microsoft's servers are not invulnerable. Like any complex system, there are undoubtedly subtle and potentially dangerous bugs in the Windows code which will be obvious to anyone who can steal the source from the servers. If someone with or even without this code writes a truly powerful virus which attacks hundreds of subtle vulnerabilities simultaneously, knows how to hide the code in the depths of Windows, and destroys any system it can after reproducing itself, we are in deep S**t. Right now, most virus attacks involve the active cooperation of the email system - minimally some end user opening an attachment. So the measure of how widespread a virus becomes is often based on how many suckers read it. This is not, as it turns out, a big problem for the virus - it is easy to come up with email titles people will want to open. But if you remember the worm of 88, it didn't require the end user's cooperation at all. What happens when all that is needed for a machine to die is for it to connect to the network unpatched? Imagine the chaos of half a million machines with all their work, programs, and system software gone. Gibson may have a right to be paranoid.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  370. And boy do I love the hysteria. by taliver · · Score: 5
    I got a call.

    At 5:15 AM.

    In the morning.

    From my mother.

    She had just seen the FBI guy on TV and was worried her Windows 98 machine would destroy the world over her dialup connection.

    I informed her that this was unlikely, and went back to bed.

    --

    I demand a million helicopters and a DOLLAR!