Slashdot Mirror


Slashback: Exactitude, Fortitude, Picnic

Slashback tonight with another assortment of corrections, amplifications, looks backward (and even looks forward to looks backward). In this last case, it looks like you may even get fed.

You mean we have to reprint all the invitations? Reader Ian Cowley wrote with a slight correction about the end of an era:

"Your article on slashdot.org about the billionth second of the epoch is sort of (but not entirely) flawed.

Yes, UNIX systems will report 1000000000 seconds at 01:46:40 on 9th September. Which of course means the 1 billionth number will be 01:46:39.

But, these systems do not account for leap seconds. According to TAI (international atomic time), the 1 billionth second since the beginning of January 1st 1970 will occur at 01:46:17 on 9th September 2001, as 22 leap seconds have been inserted since 1970 (the first was 1972, the last 1999).

So celebrations of the 1000000000th second should be at 01:46:17, whilst 01:46:40 can be reserved for celebrating 1000000000 displayed on UNIX system clocks."

Errr ... thanks. We'll just have to start at "Unix Day, Observed."

What price the capture and humiliation of virus spreaders? JayHerrick writes: "We have posted a small bit of JSP that reports the number of times our server has been queried for a 'default.ida' page. It's stylish, it's cool, and it'll probably get Pepsi all mad at us because we ripped the Code Red logo off one of the bottles." Equally stylish, despite the name, is a small tool named codeRedNeck, described by reader mindriot thus: "As CodeRed probes port 80 of a machine, CodeRedNeck first answers on that port and then goes silent, thus forcing the worm to wait until the connection times out." He advises: "Read the original idea by Tom Liston. Heise also has more on this."

Even More Auspicious dates. No matter which date you choose to mark it, Linus' little kernel-that-could is about to mark its tenth birthday. ikluft writes:

"The "Linux10" Linux 10th anniversary picnic and BBQ will be held on Saturday, August 25 from 11AM to 6PM at Sunnyvale Baylands Park in Sunnyvale, California. Details and directions can be found at Linux10.org. If you can attend, please use the RSVP form so the organizers know how much food and soft drinks to provide (only provided if you RSVP.)

Linux10 is being organized as a family event -- bring the kids. In support of that goal, it is also a no-media event. Linux and Open Source enthusiasts who work for the media may attend and participate while off-duty.

Linux10 will gladly link to other Linux 10th anniversary events. Let us know the URLs for those events."

Reader big_drew adds: "The event is free (food, softdrinks, cds -- sorry, no free beer, but byo is ok)" and says "If you can't make it out to CA, you can still get the t-shirt (profits will be used to fund the picnic)."

Anyone want to organize a picnic in the vicinity of Knoxville, TN? :) I can bring some pasta salad and watermelon.

Ten candles all around here, too. Simon Spero writes: "As noted in http://www.w3.org/History.html, today, August 6th, is the 10th anniversary of the first public release of the CERN Web Software."

33 of 149 comments

  1. Re:JSP Garbage by Hard_Code · · Score: 2

    People, the word is "timer". Sheesh, just update the statistics every few minutes...then it doesn't matter if people are hammering your server. Anyway, is PHP compiled down to anything? Because JSPs/Servlets are pretty damn fast.

    --

    It's 10 PM. Do you know if you're un-American?
  2. Re:Much Easier... by Pathwalker · · Score: 3, Interesting

    Why bother writing your own caching code when you can just let your Webserver do it for you?

    With Roxen's cache tag, I just threw <cache minutes=15> </cache> tags around the cpu intensive parts of mine and let Roxen handle the rest.

    I do have a cron job that parses the logs every 15 minutes, and updates the backend database. (I could have done that from the web page as well, but then my samples wouldn't be taken every 15 minutes).

  3. Re:CR2 response by loraksus · · Score: 2

    nevermind that the pages are overwritten with "hacked by chinese".

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  4. Re:CR2 response by IronChef · · Score: 4, Insightful


    Crack one IIS box, and you're a felon. Crack a million, and you're... some anonymous virus-writing guy that will never be brought to justice.

  5. Re:Whats that mean for me? by psychalgia · · Score: 2, Interesting

    shit, I woulda said that about the netscape one, but the browser "comingling" in KDE is sweet. I have always used GNOME cuz that's what we have to program in at school, but KDE has some nice features (it's fast as hell too) - if it would support half life, I would move everything there.

    --

    ________________________________________________

  6. Re:CR2 response by s390 · · Score: 2

    ...start 500 lawsuits against the people who, by means of gross administrative irresponsibility, have machines which are running automated scripts which are attempting to gain unauthorized access to my machine...

    One lawyer would do. And it might be interesting to try this. They did, after all, attack your system. Call it a reverse class-action.

  7. Re:The Register---offtopic, I know, but ... by unitron · · Score: 2

    Yeah, no one would ever mistake 139800 for 139800.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  8. 1E9 party in Denmark by cybaea · · Score: 2

    according to this article on the BBC News web site.

    --
    Hi!
  9. Re:01:46:40 on 9th September by Jaeger · · Score: 2, Informative
    Universal Coordinated Time

    If you have Perl on your system, this snippet will tell you exactly what time (localtime) the billionth second, according to Unix, will pass:

    perl -e 'print scalar localtime(1000000000), "\n"'

    I'm a little disappointed that the billionth second occurs the day after my 21st birthday. One day earlier would have been way cool...

  10. JSP Garbage by Anonymous Coward · · Score: 3, Offtopic

    Behold PHP:

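    <p><b>This webserver has been attacked by CodeRed 2
    <font color="#ff0000">
    <?php
    // Count matching log lines. shell_exec() returns grep's output as a string;
    // passthru() would print it directly and return nothing to echo.
    $cr = shell_exec("grep -c XXXXXXXX /usr/local/apache/logs/access_log");
    echo trim((string) $cr);
    ?>
    </font> Times</b></p>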

    CC

    1. Re:JSP Garbage by JediTrainer · · Score: 5, Informative

      You might want to note that this can take long to run. I've had approx 1800 attacks on my machine, with a log file of about 55MB, and running this command right in the web page would make each request take about 10-15 seconds.

      Multiply that by 1 request per second and you're toast. I'd suggest strongly that you use something else to generate your statistics OFFLINE, such as this excellent perl program which also generates quite a nifty, sortable report!

      To the author of that, by the way, a warm thank you! I'm using it myself!

      --

      You can accomplish anything you set your mind to. The impossible just takes a little longer.
    2. Re:JSP Garbage by SLOGEN · · Score: 2
      You may wish to be a little more clever than that, grep'ing the entire log-file every time someone invoked the script is not a good way to determine if you've been hit or not.

      Proposition 1: The number of times your web-server is attacked is a compositional function of the log entries.

      What prop. 1 tells you is that you may directly apply the "divide and conquer" strategy to the problem, analysing parts of the log-file separately and composing the application of your counting function to each part by the binary operator "+".

      This tells you, that once you have visited a part of the log-file, you will never have to visit that again, so maybe your program should look something like:

      1. Forward till the place I got to last in the logfile
      2. Look at every entry after that, counting attacks
      3. Add that to the current total (with a default value of 0)
      4. Set the indicator to where I got to in the log-file
      5. Print the total

      Of course, you need to look out for synchronization in this version of the program, but it won't grind your server to a halt when 3-4 people press the "Number of code-red worms deflected" link at the same time.

      --
      SLOGEN [ http://ungdomshus.nu : Sebastian cover music]
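
The five steps SLOGEN lists above, including the synchronization caveat, as an added example (not code from the thread or from any poster). The state-file format, the function name and the match string `GET /default.ida?` are assumptions; it also handles two cases the list leaves open, a rotated log and a half-written last line.

```python
import fcntl
import json
import os

PATTERN = b"GET /default.ida?"   # assumed match string for the worm's probe


def count_attacks(log_path, state_path):
    """Return the running total of matching requests, reading only new log bytes."""
    # The state file doubles as the lock: concurrent page hits are serialized,
    # so two requests never count the same slice of the log twice.
    fd = os.open(state_path, os.O_RDWR | os.O_CREAT, 0o600)
    with os.fdopen(fd, "r+") as state_file:
        fcntl.flock(state_file, fcntl.LOCK_EX)
        try:
            state = json.load(state_file)
        except ValueError:                      # empty or corrupt state: start over
            state = {"offset": 0, "total": 0}

        # Step 1: forward to where the last run stopped. A log smaller than the
        # saved offset has been rotated or truncated, so read it from the top.
        if os.path.getsize(log_path) < state["offset"]:
            state["offset"] = 0
        with open(log_path, "rb") as log:
            log.seek(state["offset"])
            # Steps 2-4: count new entries, add to the total, advance the marker.
            for line in log:
                if not line.endswith(b"\n"):    # entry still being written
                    break
                state["offset"] += len(line)
                if PATTERN in line:
                    state["total"] += 1

        state_file.seek(0)
        state_file.truncate()
        json.dump(state, state_file)
        return state["total"]                   # step 5: the caller prints this


if __name__ == "__main__":
    import tempfile
    # Constructed sample entries (not from the page); the query string is a placeholder.
    d = tempfile.mkdtemp()
    log_path = os.path.join(d, "access_log")
    with open(log_path, "wb") as f:
        f.write(b'192.0.2.7 - - [06/Aug/2001:10:00:00 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 205\n')
        f.write(b'192.0.2.9 - - [06/Aug/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1024\n')
    print(count_attacks(log_path, os.path.join(d, "state.json")))
```

Each call costs time proportional to the bytes appended since the previous call, not to the size of the whole log.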
    3. Re:JSP Garbage by mcdurdin · · Score: 2, Interesting

      I'd second that -- I've now had almost 14000 attacks on my server in the last 7 days. Apart from blowing out all the logs, it has cost me about $40 in bandwidth as well. Where can I send the bill?

    4. Re:JSP Garbage by quartz · · Score: 2, Interesting

      Too complicated. And PHP is for wussies anyway. :-) Who needs logfiles? Real men write mod_perl apps embedded in the web server and intercept default.ida queries even before they can make it to the logfile. That way you can keep a separate customized log just for Code Red :-), and then you're free to do fancy reports w/o hogging the server.

    5. Re:JSP Garbage by ralmeida · · Score: 4, Funny

      I'd second that -- I've now had almost 14000 attacks on my server in the last 7 days. Apart from blowing out all the logs, it has cost me about $40 in bandwidth as well. Where can I send the bill?

      Send Bill Gates to that place...

      --
      This space left intentionally blank.
  11. Free as in speech, not beer by Swaffs · · Score: 5, Funny

    How could you have a free Linux party without free beer? Or is this just another attempt to get people to understand what the "free" in Free Software really means?

    --
    "Karma can only be portioned out by the cosmos." - Homer Simpson [1F10]

  12. Re:01:46:40 on 9th September by Coyote · · Score: 2, Interesting

    Which time zone? The one you're in. It's your computer that's going to tell you what time it is at 1:46:40.

    --
    My metamoderation cancels your moderation
  13. As in Chicago.... by Paintthemoon · · Score: 2

    "Does anybody really know what time it is?
    Does anybody really care?"

    --
    Be part of the world's largest collaborative work of art: http://www.paintthemoon.org
  14. Linux Birthday Bash by bendude · · Score: 3, Insightful

    Anyone interested in a Melbourne, Australia, Linux 10th anniversary picnic and BBQ on Saturday, August 25?

    Having used so many flimsy excuses for a piss up, I think it would be a shame to let this one go.

    --


    Get the Hell off my planet, you slimy mobster Bush!
    1. Re:Linux Birthday Bash by CurlyG · · Score: 2, Informative

      Hell yeah! How about Flagstaff Gardens in the CBD if the weather's good?

      Surely LUV would be willing to help, too...

      --
      You know they call 'em fingers but I've never seen 'em fing. Oh, there they go.
  15. Set This Code Red List Up, Too by waldoj · · Score: 2, Interesting

    At www.waldo.net/misc/codered I set this up this afternoon. I've personally alerted the owners of several of these IPs, but I hope that the public viewing may lead to them disconnecting their machines. <fingers crossed>

    Oh, yeah, I did it in PHP, of course. :)

    -Waldo

  16. Exactitude, Fortitude, Picnic... by Nightpaw · · Score: 4, Funny

    Did anyone else read that as the Slashdot-endorsed opposite of Fear, Uncertainty, Doubt?

    Or am I on drugs?

  17. CR2 response by Kris_J · · Score: 2

    I'd love a little Windows app that listens on port 80 and responds to any attempt to connect with code designed to use CR2's backdoors to disable the IIS service on the infected machine. Disable as in stop it and turn off the service completely. Thoughts?

    1. Re:CR2 response by s390 · · Score: 3, Insightful

      Er, a bit dodgy if well-meaning. In many jurisdictions, using the CR2 backdoor at all would make you potentially liable for a cracking offense, no matter that you disabled a zombied server out of the best intentions for greater good. Unauthorized access is... felony.

      Suppose the infected system provided suicide-prevention access, or battered-women's services, and your code shut it down completely, and someone got hurt, or dead - your little hack could get you in a major civil or even criminal hole that you'd regret.

      Think twice before messing with anyone else's server, especially through any automated script. But that said - if you could shut down the worm, patch the server, remove the backdoors, and post a message to /var/log/messages to notify the admin - that _might_ be helpful and low risk. But you'd have to remain prepared to defend yourself and _prove_ that you didn't add a backdoor.

      At minimum, you'd have to keep complete TCP/IP traffic logs for such interdictions for seven years or whatever the longest Federal, State, or Local statute of limitations requires. You'd also need to escrow these and all your code with your attorney immediately.

  18. Visualizing a billion units of time... by Speare · · Score: 5, Interesting

    Did I get my math right?

    About a billion seconds ago, the first man walked on the moon. (~31 years)

    About a billion minutes ago, the first man was said to have walked on water. (~1860 years, sorta close to the 0 CE mark)

    About a billion hours ago, the first man walked through what we now call Europe. (~111600 years, homo sapiens in upper pleistocene)

    About a billion days ago, the first man walks. (over 2.6 million years, a bit before the oldest known homo habilis)

    About a billion years ago, the first multicelled animals form. (eukaryotes supplant prokaryotes)

    About a billion decades ago, the Milky Way galaxy began to form.

    --
    [ .sig file not found ]
    1. Re:Visualizing a billion units of time... by blang · · Score: 4, Funny

      Extrapolating on that, we must expect something big to happen within the next billion milliseconds. Which is roughly 10 days from now. Anyone care to make a guess? And a billion my, micro, or microseconds after that(about 15 minutes), another major event will occur.

      --
      -- Another senseless waste of fine bytes.
    2. Re:Visualizing a billion units of time... by Sloppy · · Score: 4, Funny

      And about a billion clock cycles ago, I was typing the word "typing."

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  19. Re:The Register---offtopic, I know, but ... by s390 · · Score: 2

    Yeah, The Register has been unreachable since sometime yesterday, but I did get to it *once* during this time. Something fishy... Other networks have been, um... "indisposed" today. Instructions for disabling or patching IIS are flying around corporate nets.

  20. Re:The Register---offtopic, I know, but ... by WasterDave · · Score: 2

    It's not what you think, they run on Linux - Debian I think.

    Dave

    --
    I write a blog now, you should be afraid.
  21. Another bash ? by Fruny · · Score: 2, Funny

    So it's Mel-Bourne again, right ?

  22. How Code Red uses sockets... by Scott+Robinson · · Score: 5, Informative

    Umm, I hate to be the damper in evil plans for Code Red ...

    ... but according to incidents.org and other virus websites, Code Red uses non-blocking socket connections: it "uses a nonblocking socket to connect to each target. Specifically this means that if one thread is stuck waiting for a slow connection to a particular target, the wait will not slow down the rest of the threads from continuing their scanning function."

    Any servers which "wait" are just wasting their own processor and memory.

    Scott.

  23. Re:The Register---offtopic, I know, but ... by child_of_mercy · · Score: 2
    yeah but their ISP might have put a silly firewall on...

    try tracerouting or pinging bloody anywhere

    of course the F***ing morons have left port 80 open.............. in most places, maybe not for El Reg

    --
    'There is a Light that never goes out.'
  24. I send you this bill... by Scratch-O-Matic · · Score: 2, Funny

    Hi! How are you?

    I send you this bill in order to have your advice.

    See you later. Thanks.

    --


    Evil is the money of root.