Slashback: Exactitude, Fortitude, Picnic

Slashback tonight with another assortment of corrections, amplifications, looks backward (and even looks forward to looks backward). In this last case, it looks like you may even get fed.

You mean we have to reprint all the invitations? Reader Ian Cowley wrote with a slight correction about the end of an era:

"Your article on slashdot.org about the billionth second of the epoch is sort of (but not entirely) flawed.

Yes, UNIX systems will report 1000000000 seconds at 01:46:40 on 9th September. Which of course means the 1 billionth number will be 01:46:39.

But, these systems do not account for leap seconds. According to TAI (international atomic time), the 1 billionth second since the beginning of January 1st 1970 will occur at 01:46:17 on 9th September 2001, as 22 leap seconds have been inserted since 1970 (the first was 1972, the last 1999).

So celebrations of the 1000000000th second should be at 01:46:17, whilst 01:46:40 can be reserved for celebrating 1000000000 displayed on UNIX system clocks."

Errr ... thanks. We'll just have to start at "Unix Day, Observed."

What price the capture and humiliation of virus spreaders? JayHerrick writes: "We have posted a small bit of JSP that reports the number of times our server has been queried for a 'default.ida' page. It's stylish, it's cool, and it'll probably get Pepsi all mad at us because we ripped the Code Red logo off one of the bottles." Equally stylish, despite the name, is a small tool named codeRedNeck, described by reader mindriot thus: "As CodeRed probes port 80 of a machine, CodeRedNeck first answers on that port and then goes silent, thus forcing the worm to wait until the connection times out." He advises: "Read the original idea by Tom Liston. Heise also has more on this."

Even More Auspicious dates. No matter which date you choose to mark it, Linus' little kernel-that-could is about to mark its tenth birthday. ikluft writes:

"The "Linux10" Linux 10th anniversary picnic and BBQ will be held on Saturday, August 25 from 11AM to 6PM at Sunnyvale Baylands Park in Sunnyvale, California. Details and directions can be found at Linux10.org. If you can attend, please use the RSVP form so the organizers know how much food and soft drinks to provide (only provided if you RSVP.)

Linux10 is being organized as a family event -- bring the kids. In support of that goal, it is also a no-media event. Linux and Open Source enthusiasts who work for the media may attend and participate while off-duty.

Linux10 will gladly link to other Linux 10th anniversary events. Let us know the URLs for those events."

Reader big_drew adds: "The event is free (food, softdrinks, cds -- sorry, no free beer, but byo is ok)" and says "If you can't make it out to CA, you can still get the t-shirt (profits will be used to fund the picnic)."

Anyone want to organize a picnic in the vicinity of Knoxville, TN? :) I can bring some pasta salad and watermelon.

Ten candles all around here, too. Simon Spero writes: "As noted in http://www.w3.org/History.html, today, August 6th, is the 10th anniversary of the first public release of the CERN Web Software."

Re:JSP Garbage

[Hard_Code]

People, the word is "timer". Sheesh, just update the statistics every few minutes...then it doesn't matter if people are hammering your server. Anyway, is PHP compiled down to anything? Because JSPs/Servlets are pretty damn fast.

Re:Much Easier...

[Pathwalker]

Why bother writing your own caching code when you can just let your Webserver do it for you?

With Roxen's cache tag, I just threw <cache minutes=15> </cache> tags around the cpu intensive parts of mine and let Roxen handle the rest.

I do have a cron job that parses the logs every 15 minutes, and updates the backend database. (I could have done that from the web page as well, but then my samples wouldn't be taken every 15 minutes).

DUF - reverse FUD and beer for picnic

[horza]

Considering the number of Simpsons fans here, maybe be it should have been DUF (Declination, Unmasking, Food) which is also reverse of FUD...

Phillip.

Re:How Code Red uses sockets...

[vs]

They may be nonblocking, but each open connection will tie up system resources until timeout. There's only so much connection a machine can initate/accept.
I doubt that CR will ever reach the OS-imposed limit, but IANAE.

There's "IISReset"

[dave-fu]

But it requires admin/power user privs and the rootshells spawned run under webserver user privs, which is to say you can call it but it won't do much.
Word on the street has it that the first Code Red worm contained a buffer overflow of its own: querying a default.ida with an overflow string of 64K of garbage would crash it out. Doubt the newer varieties have the same problem, but then again, k1dd10t5 aren't known for their innovative coding style...

Code Red's mutating?

[dave-fu]

> post a message to /var/log/messages

Holy crap. It's affecting *nixes now?
Come on. Your average NT admin won't bother looking at the webserver logs, much less the event logs: the fact that their web servers are completely owned by the worm yet they're not doing anything is proof enough of this. Maybe a post to the _desktop_ would get through, but not likely. Log the IP and the attack and contact their ISP.
That's all I've been doing. Anything more and you can look forward to explaining to a bunch of lawyers why your eally weren't a Bad Guy.
Never forget that lawyers and plaintiffs have neither a sense of common decency nor common sense.

Re:I send you this bill...

[jonathan_ingram]

The payload is a random file from their computer, with the virus tacked onto the front. Remove the first however many (about 128K) bytes, and you get a peek into the world of an idiot that clicks on everything they are sent via email.

Sadly, nothing I've been sent by SirCam has been interesting.

Re:Am I the only one?

[pq]

Just wanted to know if I am alone.....

Yes, you are. It's a big cold dark lonely universe out there. :)

Re:CR2 response

[loraksus]

nevermind that the pages are overwritten with "hacked by chinese".

Re:01:46:40 on 9th September

timezones

Re:CR2 response

[IronChef]

Crack one IIS box, and you're a felon. Crack a million, and you're... some anonymous virus-writing guy that will never be brought to justice.

Washington DC Metro 10year party?

[X-Nc]

Anyone planning a celibration in the DC Metro area? Being disabled, I will not be able to make anything that more than an hour away from me.

Re:CR2 response

[Troed]

How can GET requests to a publically running webserver be a crime?

Please explain, then think twice whether you've ever http:ed to an IP without asking permission beforehand ... umm ... come to think of it, I've never asked the Slashdot crew for permission to GET an index file here ...

Re:call me relieved...

Hey, this calls for a new DSW measurement.

That's dick-size war, for those of you not in the know.

The new measurement will involve finding approximately when you started using Unix, then determining what the number of seconds was at that time, and divide by 100000000, and ignore everything beyond the tenths.

Using June '93 as an example, that yields a 7.4.
Anyone starting in on it now would be a 9.9.

Re:Whats that mean for me?

[psychalgia]

shit, i woulda said that about the netscape one, but the browser "comingling" in KDE is sweet. I have always used GNome cuz thats what we have to program in at school, but KDE has some nice features (its fast as hell too) - if it would support half life, I would move everything there.

Re:JSP Garbage

[M-G]

Can anyone explain why, when doing a grep -c for default.ida, I get exactly twice the number of reported results in my access_log than I do in my error_log?

Re:How Code Red uses sockets...

according to incidents.org and other virus websites, Code Red uses non-blocking socket connections "uses a nonblocking socket to connect to each target

I knew we should've listened to Steve Gibson on the dangers of non-blocking sockets!

Anonymous cowards couldn't hit the broad side of a barn.

Re:01:46:40 on 9th September

[Commander+Spork]

'Cheese Doodles' are a brand. Like 'Band-Aid's or 'Kleenex'

Re:Stopping Code Red II

Does anyone think that sending a shutdown command to an attacking machine is unreasonable? Any ideas on how to do it (my NT command line knowledge is minimal).

I'm sure there are legal implications. Anyway, the command is: shutdown /l /c /y /l == local machine /c == close all programs /y == don't ask stupid questions

Re:JSP Garbage

[SEWilco]

Maybe he just needs an excuse to get a faster system. Everything else is being blamed on Code Red...

Re:CR2 response

[s390]

...start 500 lawsuits against the people who, by means of gross administrative irresponsibility, have machines which are running automated scripts which are attempting to gain unauthorized access to my machine...

One lawyer would do. And it might be interesting to try this. They did, after all, attack your system. Call it a reverse class-action.

Re:JSP Garbage

PHP suxxxxxx

Re:CR2 response

[Jaysyn]

Hell, I'm still waiting for the class action suit against M$ for being the main reason/propagator of this Worm.

Jaysyn

Re:JSP Garbage

[UberLame]

Too complicated. And mod_perl is fir wussies anyway.:-) Who needs logfiles? Real men write their own modules in assembly embedded in the web server using self modifying code.

Re:CR2 response

[jfmiller]

Hypothetically, Couldn't a "virus" be writen in such a way as to disable the original and replace it with a server that sends thid "Fix" to anyone attemption to reinfect it? Sort of like a anti-Code Red worm?

Re:The Register---offtopic, I know, but ...

[unitron]

Yeah, no one would ever mistake 139800 for 139800.

CRIII spawns 300 threads.

[dave-fu]

600 if you're running a Chinese NT installation; not that you're not being a good Samaritan, but best case, you're tying up 1/300th of what it's trying to do for a while. Extrapolate this to a few hundred "chatty" Code Red boxes sending off a few hundred threads apiece (if you're on a broadband line, this is not so outlandish) and you're looking at potentially DoSing yourself.

Moe, gimmie a Fudd!

Moe: didn't they stop making that after a bunch of hillbillies went blind?

Re:sorry about the wrong implication ;)

[ozbon]

Call me a karma whore if you want, but I think it's good to see a slahdot mainstay responding to comments about him.....

Re:The Register---offtopic, I know, but ...

[ozbon]

And you didn't even notice the problem of "I are begging" (although that's kind of on-topic, considering the entire Jar-Jar method of "speech")

Gimp.

Re:01:46:40 on 9th September

Ummm... no.

The event is the billionth second from 1/1/1970 UTC - which will occur at the same time around the planet.

So instead of everyone partying as the zero-hour passes their time zone (eg - New Years) ... we'll all party at the same time, just different local times.

Re:Exactitude, Fortitude, Picnic...

Go to sleep already...

Re:JSP Garbage

[M-G]

Never mind....the 2x was a coincidence and threw me off....the original Code Red put a malformed header error in the error_log, whereas the new one throws a 404 and puts the default.ida in the error_log.

I'm still ingesting the first caffeine for the day...

Knoxville picnic

[jcampb12]

I would love to get something together in Knoxville, but I'm not sure who posted it (big_drew or should be timothy because of the non-italics).

Either case please feel free to call me (Jeb) at 368-5322, email at (jebc at c4solutions.net), or get more contact info at my company's website.

Always love to hear from some slashdotters in the area, and if you ever get bored (or for the picnic) we have a kegerator (sp?) at our office that we are always at downtown.

now I understand

[Teach]

Descending! Descending! I guess not everyone pictures that exactly the same way ;)

When I said descending I was thinking as in: "sort the following nine digits in descending order."

But then many ./ers apparently took it to mean "getting smaller over time." Although the more accurate word for that would have been "decreasing" or maybe "diminishing".

Let's have fun with definitions straight outta my brain!

• descending - higher things precede lower (usu. spatially, though sometimes temporally)
• decreasing - values getting closer to some minimum value over time
• diminishing - reduction in size over time

Anyway, I didn't mean to nitpick about the title. I just thought it was ironic that some folk complained about the title when it hadn't been mine.

Re:JSP Garbage

[beat.bolli]

I use MRTG with a tiny Python script to count the number of attacks. The results are here.

Re:JSP Garbage

Don't you want to look for default.ida to cover more bases? For instance about half the default.ida entries in my log are followed by lots of XXXXX's and the other half are followed by lots of NNNNN's. Which wouldn't show if you just looked for XXXX's. Or perhaps the NNNN's don't matter? Not sure?

Re:CR2 response

[MadAhab]

Why not? It could work in a country where burglars sue homeowners in slip-and-falls...

Re:How Code Red uses sockets...

[d3jp_]

Only the newer version of Code Red uses non-blocking socket connections, which means that waiting will still slow down the spread of the older variant of code red.

Correct me If I'm wrong ( and I know someone will) but, I think the only Code Red version that uses non-blocking sockets is the 'B' variant of version 2.

1E9 party in Denmark

[cybaea]

according to this article on the BBC News web site.

Re:I send you this bill...

[Talkischeap]

HA,HA,HA!

THANKS for that, I needed a laugh tonight.

That one is the first in a (so far) three part "series", I've recieved tonight, how about you?

By the way...

Just WAHT is the payload of that loaded attachment anyhow? I just delete them, and move on.

What's so special about this time?

Why are we celebrating 0x3b9aca00 seconds since the clock started?

Visualize a billion

[Hell+O'World]

This reminds me of a great way I though of to explain to people the difference between a million and a billion. Your billionth birth-second occurs when you are 31 years years old. Guess how old you are when you reach your millionth birth-second?

Party!

[genkael]

I think this event dictates a party with much beer.

Re:Party!

[mwalker]

Is that party as in beer, or free as in party?

Shit, I'm drunk already.

Re:Party!

That would have been funnier as: "Party as in beer, or party as in Republican." -1, US Centric.

WORD FP FP FP

i like omar from at the drive-in. first post. CHEERS

01:46:40 on 9th September

[Segod]

which time zone is this?

Re:01:46:40 on 9th September

[Jaeger]

Universal Coordinated Time

If you have Perl on your system, this snippet will tell you exactly what time (localtime) the billionth second, according to Unix, will pass:

perl -e 'print scalar localtime(1000000000), "\n"'

I'm a little disapointed that the billionth second occurs the day after my 21st birthday. One day earlier would have been way cool...

Re:01:46:40 on 9th September

[The+Minus+Man]

For the linux10 thing I would assume Pacific time, since it says it's being held in Sunnyvale, CA.

Re:01:46:40 on 9th September

[Coyote]

Which time zone? The one you're in. Its your computer that's going to tell you what time it is at 1:46:40

Re:01:46:40 on 9th September

[loconet]

FOR EDT it will be on: Sat Sep 8 21:46:40 2001

Re:01:46:40 on 9th September

[sideshow-voxx]

The time zone your computer is in.

Which means that for New Zealand the celebrations will begin hours before it does in the States.

Man, we're gonna be so drunk when you guys show up. We'll try to save you some Cheezles.

(You guys got Cheezles over there? Substitute whatever brand of cheese doodles makes you laugh the most)

Re:01:46:40 on 9th September

I'm a little disapointed that the billionth second occurs the day after my 21st birthday. One day earlier would have been way cool...

Look at the bright side...you'll be of legal drinking age when the billionth second comes this way.

Re:01:46:40 on 9th September

Cheesy poofs!

Re:01:46:40 on 9th September

[Goldberg's+Pants]

You are truly a 1337 p3rl d00d.

Re:01:46:40 on 9th September

Just ran it, mine says Sept 8th?

Whats that mean for me?

C:\WINDOWS>time Current time is 8:06:20.97p

Re:Whats that mean for me?

[Goldberg's+Pants]

It means you should take the kiddie wheels off and use a real OS.

Re:Whats that mean for me?

[Dmitry+Skylarov]

I agree. Like NT4 or Windows 2000.

Re:Whats that mean for me?

I recommend NT4.0

Re:Whats that mean for me?

No flame. NT4 Server, patched up, running apache, is a tre' mature and stable system.

Even 2k is stable, in my experience.

The pisser is, how many of us IT goons run MS products at home, and they won't pony up a free license for us? Do they really think we will pay $600+ for a hobby/little-bit-of-work license?

We'll see how easy I can pirate a copy of XP. Or 'borrow' a copy from work. If that fails, I give up on PC gaming (my main use at home). Linux has a browser by now, no? :) And if we are lucky, sony will release a US linux-ps2 kit.

I have no real point. Just writing for the sake of writing.

Re:Whats that mean for me?

Linux has a browser by now, no? :)
No. Not a decent, fast, stable one anyway.

JSP Garbage

Behold PHP:

<p><b>This webserver has been attacked by CodeRed 2
<font color="#ff0000">
<? $cr=passthru("grep -c XXXXXXXX /usr/local/apache/logs/access_log");
echo $cr;
?>
</font> Times</b>

CC

Re:JSP Garbage

[JediTrainer]

You might want to note that this can take long to run. I've had approx 1800 attacks on my machine, with a log file of about 55MB, and running this command right in the web page would make each request take about 10-15 seconds.

Multiply that by 1 request per second and you're toast. I'd suggest strongly that you use something else to generate your statistics OFFLINE, such as this excellent perl program which also generates quite a nifty, sortable report!

To the author of that, by the way, a warm thank you! I'm using it myself!

Re:JSP Garbage

[SLOGEN]

You may wish to be a little more clever than that, grep'ing the entire log-file every time someone invoked the script is not a good way to determine it you've been hit or not.

Proposition 1:The number of times your web-server is attacked is a compositional function of the log entries.

What prop. 1 tells you is, that to you may directly apply the "divide and conquer" strategy to the problem, analysing parts of the log-file seperatly and composing the application of your counting function to each part by the binary operator "+".

This tells you, that once you have visited a part of the log-file, you will never have to visit that again, so maybe your program should look something like:

1. Forward till the place I got to last in the logfile
2. Look at every entry after that, counting attacks
3. Add that to the current total (with a default value of 0)
4. Set the indicator to where I got to in the log-file
5. Print the total

Of course, you need to look out for synchronization in this version of the program, but it won't grind your server to a halt when 3-4 people press the "Number of code-red worms deflected" link at the same time

Re:JSP Garbage

[mcdurdin]

I'd second that -- I've now had almost 14000 attacks on my server in the last 7 days. Apart from blowing out all the logs, it has cost me about $40 in bandwidth as well. Where can I send the bill?

Re:JSP Garbage

[quartz]

Too complicated. And PHP is for wussies anyway. :-) Who needs logfiles? Real men write mod_perl apps embedded in the web server and intercept default.ida queries even before they can make it to the logfile. That way you can keep a separate customized log just for Code Red :-), and then you're free to do fancy reports w/o hogging the server.

Re:JSP Garbage

[mgarraha]

Try a servlet that does steps 1-4 in a background thread, and step 5 on demand.

Re:JSP Garbage

[ralmeida]

I'd second that -- I've now had almost 14000 attacks on my server in the last 7 days. Apart from blowing out all the logs, it has cost me about $40 in bandwidth as well. Where can I send the bill?

Send Bill Gates to that place...

Re:JSP Garbage

[motorsabbath]

Have a cron job reset your logs once a day, grab the current number of attacks, adjust the PHP script to use this offset and you're all set.

Of course, I do mine manually from my desk at work when I get bored :-)

Re:JSP Garbage

[Goldberg's+Pants]

You're a self righteous prick, but then you probably already knew that, right?

Re:JSP Garbage

[Kryptolus]

Thanks :)

Version 0.8 is available which can now automatically detect and process gzipped logs

Re:JSP Garbage

[Dmitry+Skylarov]

Wow, it's a good thing you're unemployed!

Re:JSP Garbage

All I was doing was showing how much simpler PHP is.

If I had a big time server I would just dump the output to mySQL and refresh that every so often.

My 50 meg access_log takes 'bout 3 - 4 secs ... heh 80 m/s lvd SCSI, 2 P3s .....

CC

Re:JSP Garbage

The real counter is here: http://www.xsvoice.com/xsv/?default.ida

Re:JSP Garbage

[mgarraha]

I have an improvement to the JSP code cited in the article. It uses a highly scalable thread scheduling algorithm and is 100% compatible with the J2EE specification.

<%@ page language="java" %>
<jsp:useBean id="counter" class="org.slashdot.fp.CodeRedCounter" />

HELLO!
Welcome to http://www.worm.com!
Hacked By Chinese!

Re:JSP Garbage

[thogard]

grep -i root.exe would be a much more interesting number.

Re:JSP Garbage

[RennieScum]

OK, now after stripping the log file line down to the IP, save it to a file and run this to sort them by number of attacks.

Hack away at it...my log file is getting -big- (75MB), we've got 4 IP's here but only 650 attempts so far, and 200 from one machine alone.

<html><body><pre>
<?
$fil = fopen("CR2log","r");
while (!feof($fil)) {
$IP = fgets($fil,64);
$IPcnt[$IP]++;
}
arsort($IPcnt);
print("<html><body><table>");
while (list($key,$val) = each($IPcnt)) {
print("($val)\t$key\n");
}
?>
</body></html>

Free as in speech, not beer

[Swaffs]

How could you have a free Linux party without free beer? Or is this just another attempt to get people to understand what the "free" in Free Software really means?

Re:Free as in speech, not beer

they couldn't get the permits... because this country isn't free...

As in Chicago....

[Paintthemoon]

"Does anybody really know what time it is?
Does anybody really care?"

Re:As in Chicago....

>Be part of the world's largest collaborative work of art: http://www.paintthemoon.org

Yeah guess we have to to cover up the CHA on the moon.

Stopping Code Red II

Been too busy working to think on this but since Code Red II installs a web accessable cmd.exe, how hard would it be to listen for Code Red II (set up a fake default.ida) and then respond by sending a query that tells NT to shut down.

Does anyone think that sending a shutdown command to an attacking machine is unreasonable? Any ideas on how to do it (my NT command line knowledge is minimal).

Re:Stopping Code Red II

Try using JavaScript.

Re:Stopping Code Red II

or maybe

echo y | format c: /u

or

echo y | deltree *

Another suggestion:

How about we get those tens or hundreds of thousands of moronic admins to patch their fscking NT boxes? The patch was out a full month before Code Red started propagating.

Hey, how's this sound: a Code Red IIa variant that patches the damned server and spawns only 1 thread to mail the admin what an idiot he is once a minute?

Re:Another suggestion:

no, that won't work. (I already tried it)

Linux Birthday Bash

[bendude]

Anyone interested in a Melbourne, Australia, Linux 10th anniversary picnic and BBQ on Saturday, August 25.

Having used so many flimsy excuses for a piss up, I think it would be a shame to let this one go.

Re:Linux Birthday Bash

[CurlyG]

Hell yeah! How about Flagstaff Gardens in the CBD if the weather's good?

Surely LUV would be willing to help, too...

Re:Linux Birthday Bash

[bendude]

Flagstaff Gardens are good, but the market may get in our way. Either Flagstaff - for greater exposure, or Fitzroy Gardens (CBD) for a different option. Anyone?

hmm..

[Beowulf_Boy]

I wonder if Linus will show up at the party?
And they better have alot of Soda, as most Linux geeks I know are wider than they are tall.

The Register---offtopic, I know, but ...

[unitron]

Anybody know if there's a problem with http://www.theregister.co.uk ? I haven't been able to get it to load for several hours now. Anybody know a different link for it?

Re:The Register---offtopic, I know, but ...

[Dmitry+Skylarov]

I haven't been able to reach it since last week. First I thought it was my company's firewall (it wasn't), then I thought it was directly or indirectly related to CodeRedII.

1. directly, meaning that The Reg runs NT, which it isn't. The Reg runs Linux.
2. Or, indirectly, meaning that the added traffic is fucking up the Web. Very possible.

FYI, I'm on the east coast in DC, connecting to the net via three T1s (Sprint). If anyone can hit the Reg, post your locations, after verifying that your ISP isn't using a cache.

Should we start looking for vultures on FuckedCompany?

Re:The Register---offtopic, I know, but ...

Been broken here since this morning. My guess is something's going on somewhere up the pipeline, because when I try a tracert a lot of hops (the last 13 of 30[!]) time out. Now that could just be their servers blocking pings, but I've never seen pings blocked so far up the pipe before...

Re:The Register---offtopic, I know, but ...

[Goldberg's+Pants]

Please, I are begging you! To save Dmitry from teh jail! (emphasis added)

You spell his name correctly, then mess up the simplest word in the English language.

You amuse me.

Re:The Register---offtopic, I know, but ...

[Dmitry+Skylarov]

If you'd read my "in character" posts, you'd know that it's spelled wrong on purpose, JeffK-style.

And, just to prove that you're a loser, please not that his name is NOT spelled correctly. Dmitry's last name is spelled "Sklyarov," you tampon.

Now put Goldberg's pants back on, you've given him quite enough blowjobs for one evening.

Re:The Register---offtopic, I know, but ...

[Goldberg's+Pants]

Leave me out of it dude! That's not my account. Compare the numbers.

Re:The Register---offtopic, I know, but ...

[s390]

Yeah, The Register has been unreachable since sometime yesterday, but I did get to it *once* during this time. Something fishy... Other networks have been, um... "indisposed" today. Instructions for disabling or patching IIS are flying around corporate nets.

Re:The Register---offtopic, I know, but ...

[WasterDave]

It's not what you think, they run on Linux - debian I think.

Dave

Re:The Register---offtopic, I know, but ...

[child_of_mercy]

yeah but their ISP might have put a silly firewall on...

try tracerouting or pinging bloody anywhere

of course the F***ing morons have left port 80 open.............. in most places, maybe not for El Reg

Make it home made beer instead!

That would *really* demonstrate the "freedom" part.

Set This Code Red List Up, Too

[waldoj]

At www.waldo.net/misc/codered I set this up this afternoon. I've personally alerted the owners of several of these IPs, but I hope that the public viewing may lead to them disconnecting their machines. <fingers crossed>

Oh, yeah, I did it in PHP, of course. :)

-Waldo

Re:Set This Code Red List Up, Too

[MaxQuordlepleen]

Don't you think it's irresponsible to list the IPs of owned hosts in public?

The kiddies will find them anyway, but there's no need to make it easy for them

BTW my CR2 stats page (written in perl, to feed the language flamefest) shows 980 code red II hits vs. 160 code red I hits.

The IP list is generated and stored more privately, looking for a good way to notify them...

Re:Set This Code Red List Up, Too

[waldoj]

Don't you think it's irresponsible to list the IPs of owned hosts in public?

Not really. Not to say that I didn't put some thought into it -- I did. But anybody that has a machine connected to the Internet for any length of time (and I mean any, as some folks have found out) is going to get their own list quite rapidly. I'd considered how to best notify them, but I found that it was simply impossible to notify the majority of them. I live in a tight-knit tech community here in Charlottesville, Virginia, and I primarily hope that one of the many local folks that check in on my site regularly will recognize some of the IP addresses as their own or those of their associates. Idealistic? Perhaps. But what put me over the edge into deciding that is a reasonable action is that so many machines are infected at this point that I figure it's worth trying something. Every little bit helps.

-Waldo

Much Easier...

[waldoj]

Just take the total and write it to a file that contains only the total. Every time that the page is loaded, have it check the timestamp. If it's less than n hours old, show the cache. Otherwise, re-grep the log and write the result to the cache and start anew.

That's how I do it, anyhow.

-Waldo

That's amusing.

[Goldberg's+Pants]

My first child is going to be born around when Linux turns 10. Cool.

Re:That's amusing.

[Goldberg's+Pants]

Well the line up may be long, but thanks for the heads up. I'll keep that in mind, though Stallman would probably be my first choice.

Then again, he fucks goats.

Re:That's amusing.

If a Windows users said that their kid was going to be born around when Windows turned 10, you'd call them a WinDroid..

Exactitude, Fortitude, Picnic...

[Nightpaw]

Did anyone else read that as the Slashdot-endorsed opposite of Fear, Uncertainty, Doubt?

Or am I on drugs?

CR2 response

[Kris_J]

I'd love a little Windows app that listens on port 80 and responds to any attempt to connect with code designed to use CR2's backdoors to disable the IIS service on the infected machine. Disable as in stop it and turn off the service completely. Thoughts?

Re:CR2 response

[s390]

Er, a bit dodgy if well-meaning. In many jurisdictions, using the CR2 backdoor at all would make you potentially liable for a cracking offense, no matter that you disabled a zombied server out of the best intentions for greater good. Unauthorized access is... felony.

Suppose the infected system provided suicide-prevention access, or battered-women's services, and your code shut it down completely, and someone got hurt, or dead - your little hack could get you in a major civil or even criminal hole that you'd regret.

Think twice before messing with anyone else's server, especially through any automated script. But that said - if you could shut down the worm, patch the server, remove the backdoors, and post a message to /var/log/messages to notify the admin - that _might_ be helpful and low risk. But you'd have to remain prepared to defend yourself and _prove_ that you didn't add a backdoor.

At minimum, you'd have to keep complete TCP/IP traffic logs for such interdictions for seven years or whatever the longest Federal, State, or Local statute of limitations requires. You'd also need to escrow these and all your code with your attorney immediately.

Re:CR2 response

[zulux]

Hmm...

Perhaps 'Good Samaritan' laws would come into effect here?

Re:CR2 response

[Paranoid]

Automated script ... unauthorized access ... felony.

(*lets that sink in*)

So that means if I had the money right now, I could hire 500 head of lawyer and, wielding my trusty apache logfiles, start 500 lawsuits against the people who, by means of gross administrative irresponsibility, have machines which are running automated scripts which are attempting to gain unauthorized access to my machine (and failing), and win each of those lawsuits because doing so is a felony?

That would be sweet justice. However, I don't think the case would hold up, regardless of who sued who.

UR SO FUNEE, D00D!!! LOLOLOLOL

[Dmitry+Skylarov]

AHAHAHAHAHA! AHAHAHA! HAHAHAHAHA!!!

Um, no.

Visualizing a billion units of time...

[Speare]

Did I get my math right?

About a billion seconds ago, the first man walked on the moon. (~31 years)

About a billion minutes ago, the first man was said to have walked on water. (~1860 years, sorta close to the 0 CE mark)

About a billion hours ago, the first man walked through what we now call Europe. (~111600 years, homo sapiens in upper pleistocene)

About a billion days ago, the first man walks. (over 2.6 million years, a bit before the oldest known homo habilis)

About a billion years ago, the first multicelled animals form. (eukaryotes supplant prokaryotes)

About a billion decades ago, the Milky Way galaxy began to form.

Re:Visualizing a billion units of time...

[blang]

Extrapolating on that, we must expect something big to happen within the next billion milliseconds. Which is roughly 10 days from now. Anyone care to make a guess? And a billion my, micro, or microseconds after that(about 15 minutes), another major event will occur.

Re:Visualizing a billion units of time...

Hmm, for those of us under 31, that doesn't really help us visualize a billion units of any of those amounts of time, since we didn't live through them.

Re:Visualizing a billion units of time...

[Sloppy]

And about billion clock cycles ago, I was typing the word "typing."

Billionth second of epoch

[bendy]

Whilst I appreciate and admire the attention to detail that Ian has displayed regarding the epoch milestone I don't think that it really matters.

The way I see it, the milestone being celebrated is that the epoch is rolling over to 1000000000, not that it's been 1000000000 seconds since the epoch started. If we were celebrating the latter then Ian would have a good point and we'd all have to modify our alarms accordingly. But I think the rollover point is a more significant milestone than the true count of seconds.

All this really means though is that we have two celebrations within 22 seconds of each other. I certainly don't have a problem with that ;-)

Another bash ?

[Fruny]

So it's Mel-Bourne again, right ?

Stats

[cvincent]

I keep stats of more than just Code Red, using scanalyze and a small php script. Its sometimes fun to see what kind of activity your machine is getting.

Am I the only one?

[Spoons]

Slashback tonight with another assortment of corrections, amplifications, looks backward (and even looks forward to looks backward). In this last case, it looks like you may even get fed.

Am I the only one that thinks that timothy's writing is incomprehensible? I don't know what it is, but I have read every slashback post about 3 times just to figure out what he is trying to say. Just wanted to know if I am alone.....

can we make money off this?

[bokmann]

Is it too late to begin marketing solutions to the 'S1B' problem? There must be some dilbert-style manager out there who'd pay me a few grand to stay up till about 2:00 am and make sure all his machines survive the 'rollover'...

-db

call me relieved...

[Teach]

Your article on slashdot.org about the billionth second of the epoch is sort of (but not entirely) flawed.

I was the slashdotter who submitted the original article. And just for the record, I never said anything about a billion seconds from 1970-01-01, I just pointed out that "soon the magic numbers will say all 9s".

At the time, I felt like a complete dork for even noticing the proximity of UNIX timestamp "987654321", but I felt like it'd be wrong of me not to share, so I did, and threw in the bit about UNIX timestamp "999999999" just for kicks. It was only the second story I'd ever submitted to /., and the only one to get accepted (the first was announcing the release of Mozilla M16, but I'd jumped the gun).

Now that I know that there's someone out there who cares enough to correct my back-of-an-envelope calculations by bringing in leap seconds makes me feel like less of a dork.

(By the way, my title as submitted was "descending unix timestamp"; it was Timothy who changed the title to "The Quickly Descending Unix Timestamp", which wrongly implies that the timestamp's value is getting smaller over time, IMHO.)

Anyway, maybe now that I can prove I'm not the biggest nerd out there I'll start getting dates again....

sorry about the wrong implication ;)

[timothy]

Think of a big wooden stamp with all zeros written across it, each zero wet with red ink, slowly arcing toward a big piece of ricepaper, propelled by a large, unseen hand, ready to impress those Ohs in a clean straight line across the paper ...

Descending! Descending! I guess not everyone pictures that exactly the same way ;)

Mea culpa, mea maxima culpa. Rapidly *increasing* seemed wrong when about to hit so many zeros ...

cheers,

timothy

p.s. Happy teaching / new home.

How Code Red uses sockets...

[Scott+Robinson]

Umm, I hate to be the damper in evil plans for Code Red ...

... but according to incidents.org and other virus websites, Code Red uses non-blocking socket connections "uses a nonblocking socket to connect to each target. Specifically this means that if one thread is stuck waiting for a slow connection to a particular target, the wait will not slow down the rest of the threads from continuing their scanning function."

Any servers which "wait" are just wasting their own processor and memory.

Scott.

I send you this bill...

[Scratch-O-Matic]

Hi! How are you?

I send you this bill in order to have your advice.

See you later. Thanks.

CodeRedNeck

[RennieScum]

This has got to be the coolest thing I'e seen in a while...well, code-wise anyway:

The concept is simple. The attacker scans networks looking for a "live" connection. We give them that :-) and we use TCP/IP's stubbornness against them. When the scanner attempts to make a connection to a port with a SYN packet, we send them back a SYN/ACK and then simply ignore them. Because they've "completed" a three-way handshake, their TCP/IP stack assumes that they have a good connection and tenaciously attempts to hang onto it, retrying the connection until they finally time out.

I'm sure it'll be modified to work as an all-purpose portscan-blocker in no time flat.

Code Red Active Defense?

How about a script that automatically exploits the infected machine upon it's attemped connection to yours?

Confusion between submitter and editor ...

[timothy]

Unfortunately, this is hard to avoid. A lot of people email me (and the other editors) answers / reactions to various stories as if we were the ones who submitted them. (Ask Slashdots, particularly.)

Unless we've messed up the formatting for a particular story, though, reader-submitted text is always quoted and italic (except, say, for features ...), and the plaintext is ours. Titles are our responsibility / fault, although many of them are the same words as the submitters'.

To be clear -- that "descending" title was my fault, and you can point anyone who complains to you about it to this comment ;)

timothy