Code Redux
I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage. Code Red is hitting cable modem networks especially hard, as the new variants scan "nearby" IP's in preference to random ones, which has apparently caused enough damage and network congestion that AT&T's residential broadband division (MediaOne) has cut off port 80 across their network to try and halt the spread of the worm, or so several submitters reported. Newsforge has a story about various reactions to the worm, and reader nettdata sent in an interesting story about the worm becoming the main course at a dinner of security specialists.
Yeah, yeah I know 'boxen' is plural.
I was typing too fast and my "any Win boxen" became "a Win boxen"...
I was:
Front page: click on "site map"
Site map: click on "Policies"
Policies: click on "What is the AT&T@Home Cable Internet Service Subscriber Agreement?"
What is the AT&T@Home Cable Internet Service Subscriber Agreement?: click on "Leased Modem Subscriber Agreement"
It's right there in 9(b)
-no broken link
Code Red will only slurp down 12868 bytes.
Don't do it - the 'net has enough stress on it with 5.9 million IIS running hosts trying to infect everything in sight without you transmitting a bunch of zeroes.
Yes, so I had similar thoughts, but Daniel Lawson taught me better. (Thanks Daniel BTW.)
How did you automate that? My shell kung fu is weak.
Or do you just have a lot of time for copy/paste?
FWIW I manually did about 40 IPs the other day. Similar ratio.
It's all the arp requests from all the Code Red
probes for non-existent IP addresses.
tcpdump -i eth0 -n
(or whatever your external ethernet interface is).
I was seeing 2000/minute ARP requests on Monday,
don't know what it is now...
I agree. <imo>Anti-virus software companies are in the business of protecting against viruses; of preventing a large number of users from being compromised by the same code. They are not interested in the kind of security that would prevent script kiddies or social engineers from gaining access to your computer, and so they rate viruses by the amount of damage they cause, rather than rating security holes by the amount of damage they allow. I suppose they do this to be consistent with their stance that "the viruses are the enemy".</imo>
By the way, did anyone else think it was strange that CERT listed anti-virus software companies, and only anti-virus software companies, in the "vendor information" section of their advisory about SirCam? They could have easily targeted
The shareholder is always right.
I wonder how far it can be pushed? My server on @Home dishes out almost 3,000 pageviews per day. (!) I'm starting to get worried. I need a backup plan in case they pull the plug on me.
Additionally, since a lot of the colleges in Ohio have site license deals with Microsoft so that students can get the OS for cheap (or even free), there were just enough people figuring that 2000 must be better than 95, simply due to the numbers, to cause us a bit of aggravation.
Of course, out of those people, most probably don't have IIS installed, but I've come across just enough people who install random things they don't need to say that the problem, while small, certainly isn't insignificant.
I know I'll be switching. I don't pay 80 bucks a month to just surf the net on Verizon's terms. I do use my DSL for work, VPN, testing websites and personal pages.
Is there anything "we" can do? The terms of service specifically state it is up to the END user to do all necessary functions to protect HIS data. Verizon makes no guarantees of service, so how can they modify the service?
I wish I could get a class action for something.. they're limiting email to verizon.net emails only, filtering access.. what next?
Has anyone also noticed that Win2K comes with (and installs as part of the IIS "Group") an SMTP server ... gee ... any bets what the next round of exploits might target? :)
This space for rent. All reasonable inquiries will be entertained at proprietor's discretion.
All well and good, I guess. But what of the day when people don't see your white hatting as such? Then someone will come out with a variant of your white hat hack on Code Red and, instead of having it hit the patch, will have it install something really nasty on the box, making it look like they're white hatting.
Yes, this could be done now--infect a box, then have it hit a second virus that slams the box after the DDoS is done--but it would be more elegant after someone started to white hat Code Red.
-- Geof F. Morris
True, this will tell you if you are *infected*, but it doesn't tell you if you are *vulnerable* (but not yet infected).
AT&T @Home hasn't cut off port 80 where I live yet (Palatine IL, the NW Chicago 'burbs). A quick grep of my Apache logs shows that I got hit 499 times yesterday with requests for 'default.ida'. Just over 1200 times since this thing started.
What really annoys me is that I just inherited responsibility for maintaining code for a print server product we sell. Code Red is knocking these things off the net left and right (buffer overflow processing the URL, I suspect) and customers are screaming. Oh, and did I mention that since inheriting the code I haven't even been able to get the fscking debugger to run yet!?
Why anyone would leave a printer sitting wide open on the wild net is beyond me, but apparently it's not acceptable to just tell the customers to put it behind a firewall where it belongs...
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
--Fesh
Kill -9 'em all, let root@localhost sort 'em out.
That's exactly what I would say to the thousands of sysadmins who still insist on running Sendmail and BIND. Code Red on IIS reminds me a lot of the Morris Worm on Sendmail...
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
A good portion of them have probably been unattached to the network, or will be brand new machines just for school.
This may be insightful, but how many of these people will ACTUALLY be running a vulnerable web server? Only those that have installed IIS with Windows 2000! I am willing to bet that this number is negligible among college students, especially those with new computers. Those computers will most likely be running ME, which is less expensive and is more suitable for home/student use.
Those students running Win9x or ME are NOT VULNERABLE to Code Red or CR II, and those running NT4 are NOT VULNERABLE to Code Red II. This kind of FUD is what makes people panic. We don't need it in the news and we especially don't need it on Slashdot.
----- rL
Just look at the information - if after the infection your mp3s and Word files are still there, and still seem the same as they were before, you have little damage. Sure, you might have to wipe and reinstall the OS, but your _data_ wasn't damaged, and you can pretty easily verify that.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
I tried it out. This is what appeared in the log.
/scripts/root.exe?/c+dir+c:\ HTTP/1.0" 404 286 "-" "-"
/NULL.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXX=X HTTP/1.1" 404 284 "-" "-"
- 216.201.108.18 - - [08/Aug/2001:19:29:45 +1200] "GET
- 216.201.108.18 - - [08/Aug/2001:19:29:46 +1200] "GET / HTTP/1.0" 200 1948 "-"
"-"
210.zz.zz.zz 216.201.108.18 - - [08/Aug/2001:19:29:46 +1200] "GET
- 216.201.108.18 - - [08/Aug/2001:19:29:48 +1200] "GET / HTTP/1.0" 200 1948 "-"
"-"
(I've snipped my IP BTW.)
It looks like it is testing for:
* Code Red 3 backdoor (found on all good Windows 2000 systems)
* A web server
* The ida overflow
* A web server (again)
By the way: The Code Red scans went dead yesterday morning on MediaOne.net (at least the 66.* where I am). It looks like they're blocking all connects on port 80 now.
Liberty in your lifetime
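The log excerpt above is easier to read once each request is classified by what it probes for. The following is an added example written for this thread, not code posted by any commenter: it parses Apache combined-format lines, separates the root.exe backdoor checks from the .ida overflow probes, and counts distinct probing hosts the way the grep/cut/sort/uniq one-liners elsewhere in the thread do (note that sort has to come before uniq, since uniq only collapses adjacent duplicates). The sample log lines and addresses are constructed for the example; the N-fill versus X-fill split is the commonly reported way to tell the first Code Red from Code Red II and is an assumption here, not something the poster's log proves.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" log format. The addresses and
# timestamps are made up for this example and are not from the original post.
SAMPLE_LOG = """\
216.201.108.18 - - [08/Aug/2001:19:29:45 +1200] "GET /scripts/root.exe?/c+dir+c:\\ HTTP/1.0" 404 286 "-" "-"
216.201.108.18 - - [08/Aug/2001:19:29:46 +1200] "GET / HTTP/1.0" 200 1948 "-" "-"
216.201.108.18 - - [08/Aug/2001:19:29:46 +1200] "GET /NULL.ida?XXXXXXXXXXXXXXXXXXXX=X HTTP/1.1" 404 284 "-" "-"
10.1.2.3 - - [08/Aug/2001:19:30:01 +1200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN=a HTTP/1.0" 404 284 "-" "-"
10.1.2.3 - - [08/Aug/2001:19:30:02 +1200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN=a HTTP/1.0" 404 284 "-" "-"
192.0.2.7 - - [08/Aug/2001:19:31:10 +1200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.7 - - [08/Aug/2001:19:31:11 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX=X HTTP/1.0" 404 284 "-" "-"
"""

# One combined-format line: source, identd, user, [time], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Label a request path by the kind of Code Red activity it indicates."""
    p = path.lower()
    # A request for root.exe or cmd.exe is a check for the backdoor copies
    # the worm leaves behind on an already infected host.
    if "root.exe" in p or "cmd.exe" in p:
        return "backdoor_probe"
    # A .ida/.idq request with a long query is the ISAPI indexing overflow;
    # the first query character tells the two well-known variants apart
    # (assumption: N-fill = original Code Red, X-fill = Code Red II).
    m = re.match(r"/[^?]*\.id[aq]\?(.)", p)
    if m:
        fill = m.group(1)
        if fill == "n":
            return "ida_overflow_n"
        if fill == "x":
            return "ida_overflow_x"
        return "ida_overflow_other"
    return "other"


def summarize(log_text):
    """Count requests per class and list the distinct hosts that sent any probe."""
    by_class = Counter()
    sources = set()  # a set does the sort|uniq de-duplication in one step
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        kind = classify(rec["path"])
        by_class[kind] += 1
        if kind != "other":
            sources.add(rec["src"])
    return {"by_class": dict(by_class), "probe_sources": sorted(sources)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for kind, n in sorted(result["by_class"].items()):
        print(f"{kind:20s} {n}")
    print("distinct probing hosts:", len(result["probe_sources"]))
```

Run against a real access_log by replacing SAMPLE_LOG with the file contents; lines the regex does not recognise (for example the wrapped lines in the post above) are skipped rather than miscounted.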
I gotta say this worm is really amazing. You can watch its growth in your log files. Mine roll over daily and you can see the file sizes increase day by day. On Aug 1 I had an 8k log file. The 2nd I had a 12k one. The third was 32k, the day after that was 64k. Today it was up to 192k so far and there's still another 2 hours till the log file rolls over.
Like sex? Read and write about it! Indecent Blogging
Polish Telecom, the biggest ISP down here, also announced that they will block traffic from 'infected' sites. Trying to connect to whitehouse server is taken as a proof of infection.
:wq
I wish that RoadRunner San Diego would do that! All they've done so far is to send two "Virus Alert" e-mails out to people, imploring them to install the patch if they run Win2k or WinNT.
I really think that it's the responsibility of a machine's owner to lock down his/her system from attack. Ignorance of the rule is no excuse. If you put a machine on the net, and it's not secure, it becomes a danger for everyone.
The easiest thing to do is to shut down the access to machines that are infected. That way, you have their undivided attention when they call you up and say, "My cable's not working!" You simply respond... "Yes, we shut it off, because you wouldn't take care of business."
You're not lame for running IIS if you've patched it. You're lame if you aren't paying attention to the patches out there.
While out and about looking for the latest Code Red statistics, I found this link to a Code Red Self Test which is supposed to tell you if you are vulnerable, and if you have been infected.
I don't know if it works, I don't have a Win boxen to test it on...
AT&T's residential broadband division (MediaOne) has cut off port 80 across their network
Seeing as how HTTP runs on port 80, how are outgoing HTTP connections (i.e. web page pulls) supposed to proceed across the network? Given that frontends to mail, newsgroups, and file transfers are increasingly HTTP-based, they might as well just schedule total network downtime during Code Red attacks.
Will I retire or break 10K?
What they should do is scan for people running IIS webservers and cut them off. Leave the Apache users alone!
Besides the load of the spread (which is probably made significantly better by having the worm mostly scanning on its own subnet) CodeRed2 is quite benign.
Yes, it does open a remote root exploit, but the servers that got infected were already wide open due to the default.ida hole. Sure, it's easier now, but since there are simple exploits for default.ida already, any script-kiddie worth the name could already have walked straight into these computers.
In truth, I figure that the people who have made most use of this exploit have been geeks who would ordinarily never break into systems, but have been made curious about where the worms are coming from (of course, _I_ would never do such a thing... really...)
I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage.
Maybe because they don't! You are thinking in terms of security hole. With a virus it is different, you are more concerned about data loss.
A virus can inflict low damage, ie: print a message on the screen that you are stupid, or a high DAMAGE rate of deleting your whole hard drive. Medium is a good measurement of this one, as it only has the POTENTIAL for data loss.
You can block incoming and outgoing http connections separately. eg. if a SYN packet is going from an outside address to an inside address, and the port number is 80, block it. But don't block anything else.
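The distinction the comment draws, inbound SYNs to port 80 versus everything else, is what lets an ISP stop worm probes without breaking its customers' web browsing: an outgoing page fetch is a SYN leaving the network with destination port 80, and its replies come back with source port 80 and an ephemeral destination port, so neither matches the rule. The following is an added example (not code from any commenter) that simulates that one rule over a constructed packet trace; the inside prefix and addresses are assumptions made up for the example.

```python
import ipaddress

# Assumed customer-side prefix for the example (constructed, not from the post).
INSIDE = ipaddress.ip_network("10.0.0.0/24")


def direction(src, dst):
    """Classify a packet as inbound, outbound, local or transit relative to INSIDE."""
    s_in = ipaddress.ip_address(src) in INSIDE
    d_in = ipaddress.ip_address(dst) in INSIDE
    if s_in and not d_in:
        return "outbound"
    if d_in and not s_in:
        return "inbound"
    return "local" if s_in else "transit"


def should_block(pkt):
    """The comment's rule: drop only a new TCP connection (SYN, no ACK) arriving
    from outside and aimed at port 80 inside. Everything else passes."""
    if pkt["proto"] != "tcp":
        return False
    flags = pkt["flags"]
    is_new_conn = "S" in flags and "A" not in flags
    return (direction(pkt["src"], pkt["dst"]) == "inbound"
            and pkt["dport"] == 80
            and is_new_conn)


def filter_trace(packets):
    """Return the verdict for each packet in order."""
    return ["DROP" if should_block(p) else "PASS" for p in packets]


# Constructed trace: a normal web fetch from an inside host (three-way handshake),
# then a worm-style probe from outside to port 80, then an unrelated inbound SYN.
TRACE = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "198.51.100.10", "sport": 34567, "dport": 80, "flags": "S"},
    {"proto": "tcp", "src": "198.51.100.10", "dst": "10.0.0.5", "sport": 80, "dport": 34567, "flags": "SA"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "198.51.100.10", "sport": 34567, "dport": 80, "flags": "A"},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.5", "sport": 4455, "dport": 80, "flags": "S"},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.5", "sport": 4455, "dport": 8080, "flags": "S"},
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, filter_trace(TRACE)):
        print(f'{verdict} {pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]} [{pkt["flags"]}]')
```

Only the fourth packet is dropped: the customer's own fetch and its SYN/ACK reply both pass, which is why a block like MediaOne's stops inbound web servers (and worm probes) while ordinary browsing keeps working.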
I received an email today from road runner (aka time warner cable) regarding the "VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED". For the intrigued, here's the letter:
------
VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.
Dear Road Runner Subscriber:
Road Runner, like many other ISPs and indeed the entire Internet, has today experienced an attack on its network which is apparently attributable to the Code Red virus. It is possible that this virus has infected the PC's of Road Runner's subscribers using the Microsoft Windows NT or Microsoft Windows 2000 operating systems. Infected PC's may continue to flood the Internet and Road Runner's network with virus generated messages (even without your being aware of it).
Road Runner is working to alert all of its subscribers to this problem and to instruct them on where to find and install the patch necessary to eliminate the virus. In the meantime, Road Runner subscribers may experience slow network response, flashing connectivity lights on the cable modem, and other symptoms (such as unusual port scan log activity or increased firewall activity) while Road Runner and the Internet community work to control the impact of this virus.
IF YOUR PC IS RUNNING WINDOWS 2000 OR WINDOWS NT, PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE (www.microsoft.com/security) AND RESTART YOUR PC.
IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.
We ask for your patience while Road Runner continues to work with the Internet community to address this virus. Thank you. Road Runner Security
P.S. Please, do not reply to this message
--------
Well, gee, if the whole "internet community" is at work at resolving the issue, I can rest easy. But then again, they only say no to worry if you're running Windows 95, 98, ME or MacOS. Well, I'm running Linux and NetBSD, so I guess I should be worried, eh?
--
#nohup cat
To specify more specifically for the people misunderstanding this poorly worded post, port 80 is not completely blocked. Only the _INCOMING_ connections to port 80 are blocked, so only people running webservers are affected. Because I currently run a webserver using Apache under Linux on my MediaOne cable modem, I am currently on hold on the MediaOne tech-support line attempting to get port 80 unblocked.
"The group gathered around the dinner table then managed to get a copy of the worm and began disassembling its code"
Doesn't looking at the code and trying to figure a way around the usage of this program violate the DMCA? I think that those at this conference should be held accountable.
I work for a rather large cable modem provider in the callcenter. We are getting inundated with calls about the code red virus. Especially concerning hyper-active activity lights on cable modems. It's been like this ever since Sunday. I must admit, we are very close to blocking port 80 as well, since we don't allow web servers anyways. oh well, I start my new job next Monday.
@Home's AUP specifically says "no servers". Also, they've always blocked port 137, so the tools are already installed. Yet they still haven't blocked port 80, even though each IP is getting hit approximately every other minute.
or the worm has a sleeping behaviour pattern. Please review the following message from the Securityfocus Incidents Archive (the message was sent 30 minutes ago)
and I'm on @home's network. I like the program 'etherape' to sit and watch the requests come in and then browse to the IP's to see JoeBlow's homepage.
/etc/httpd.conf it's not really that hard.
really, do these home users PAY for IIS? of course not, would you? If you're going to use software free, use free software!!!
I can't imagine that anyone who administers servers for a living hasn't already patched against this. Thus I think most of this Code Red comes from home users' windows boxes with pirated software. I wish MS did pursue those people because we'd have a whole lot more Linux users if that was the case. ( I guess that's why they don't)
a note to IIS users:
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
Here in Fairfax, our cable modem dropped out around 6pm Sunday night; it came back up after about an hour, but ever since then, I've had faster speeds on dial-up.
The phone system reports that SirCam has taken out their email servers, and that Code Red [I|II] is causing serious performance problems. They expect to have it done by tomorrow - except that today, when I called, they no longer are saying that, merely begging users to patch their systems.
Phone tech support is turned off, at least in my wanderings in the phone system.
Anyone else having these problems?
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
Well I'm on @Home and I'm not sure if this has to do with Code Red or not, but my cable modem light indicating bandwidth use has been flashing pretty much CONSTANTLY since Sunday or so, even when the computer was off!
I know it's more than port 80 hits, because there's not a constant stream of them in my log file, and I don't even run the web server most of the time. I get plenty of them when it does run, but it's got to be more than that.
Well, given the choice between having j00r box r00ted and having something like WinCIH blank out your BIOS and wipe out your FAT...
For security, it's critical. But the amount of data loss is minimal until after someone telnets to the open port and blows away your drive.
Finally, consider Symantec's core market -- not the guy running a brokerage firm on a farm of IIS boxen, but home and office users of PCs worried about the virus that'll wipe out their pr0n collection. Joe Win95er really isn't at risk from Code Red II, apart from wondering why "the Internet is slow" if he's on RoadRunner.
Considering Symantec's core audience, and what this worm could be doing to compromised systems, and yeah, I'll buy "medium".
Okay, if you're going to use the archaic, tongue-in-cheek unix-guru term "boxen," at least bother to learn that its denotation is plural.
And now back to your regularly scheduled worm discussion.
Oh, come on. You say that it doesn't erase your entire harddrive. Rather, it tells the entire net "Hey everyone! I am an infected computer, you can run any command you want on me!".
For example, my web log (and everyone else's web log) has the hostnames or IP addresses of dozens of infected systems. It would be a trivial matter for me (or anyone else) to now erase the hard drives of any of these machines, or just to browse through the entire hard drive and take what I want and trash the rest.
Or even better: use the back door to install a new Trojan that will still be present even after the owner applies Microsoft's patch.
Code red is so prolific (because it requires no user intervention to spread) that a new machine installation will likely be hit by it in 10 minutes or less, which of course is less time than it takes to patch it, which of course means that until you patch it, the remote exploitation is free to install anything else it wants until you close the hole, so you're going to be left with a zombified machine unless you install and patch from an airgapped machine, using a local copy of the patch. I doubt most people do that.
So even with the patch up and available, the problem is far from solved. I bet the number of zombie machines out there surged 10fold today, many of which are on high speed corporate bandwidth, instead of the more meager cable modems with severely crippled upstream access.
It's going to be a rough year.
If @home blocks my port 80 i'll be quite pissed.
My ISP (www.dsl.ca) specifically allows you to run servers - and even rents a static IP. Then, one day recently, they surprised me by firewalling all outgoing SMTP. Of course, this coincided with a BIND change on my nameserver, and so when my mail spool started to fill up, my first assumption was that I'd killed the reverse lookup! I spent an hour or so trying to figure out how I'd gone wrong, but I didn't think I did. Finally, I contacted 'em about it. They just shut it off because there were too many spammers and they didn't want to do a mass-mailing, which would become a tech support nightmare ("uhh... this port 25 thing, do I need it?").
Anyway, I'm started to get really annoyed by Code Red II. My webserver log file is full of IIS crap. I hold Microsoft responsible for marketing a faulty product.
Yes I'm lame, I'm running IIS (patched) on my cable modem.
You are lame, for sure. You know, it's really not that much work to set up an old 486 or something with FreeBSD and NAT, add Apache from the ports collection, and laugh at all the IIS lusers. Please ditch IIS; I'll provide a helping hand if I can.
Fire and Meat. Yummy.
We won't see something that destroys hardware last too long, because destroying hardware doesn't promote the expansion of the virus. Something that slows you down but doesn't kill you outright is far more likely to stick around long enough to get spread. Code Red, Code Red 2, and other "worms" are far more virus-like than most "viruses". Melissa, SirCam, and the like are merely trojans. They require users to interact with them. Code Red, Code Red 2, and the original Internet Worm replicate of their own volition and go out and find other infectable systems so they can repeat the process. Sounds a lot more like a biological virus to me.
No patch for Alpha NT4 machines. I had to remove Indexing, no big deal, but damn virus even hit Alpha cpus.
Then Symantec's done lost their minds. Remote root/shell access is the worst thing that can happen, because after that you're basically at the mercy of the cracker until you've sanitized the machine again. Complete destruction of the disks is nowhere near as bad as having someone who can eavesdrop on every password on your machine or steal any data he wants or alter any data he wants.
What, do you think they plan to ever turn port 80 back on? Trustworthy one, aren't ya?
Wow, that's kind of weird considering the traffic ended at EXACTLY 9AM for old pages I used to host on that server. And wow, someone couldn't get to my resume that day, and emailed me about the problem they had. Very odd. I don't have a problem if they are going to block it for whatever reason, but at least admit it in the Agreement. I just want it for personal use...
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
AIDS infects others for many years, and then kills its host. Such a strategy is certainly feasible with computer viruses and worms. Some suggest that the only reason they haven't done that yet is that virus writers want the instant gratification of seeing their work on the front page news.
I'll bet that it gets strictly enforced from now on, killing all the fun even for people like me who run Apache on OpenBSD.
grep ida access_log | cut -d" " -f1 | sort | uniq | wc -l
139
Looking over the infected hosts, it seems that half are broadband clients (RR, Bellsouth, Verizon, @Home, etc.), a third are overseas (with
I see Code Red as a big boon to jobhunters, especially those looking for SA work. Right there in your logs is a list of companies that are hiring, whether they know it or not.
I guess the big question is this: do you root their box before the first interview or after?
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
Well, all viruses are not this kind...
Look at Ebola: it can spread like crazy through the air and it kills its host in less than a week. In this case, the only solution is contention.
Let's bet: how much time do we have left until we have to create compounds around "infected" portions of the Internet...
Nobox: Only simple products.
It's been already shown that Code Red will not bring the Internet down. And it was never very much of a mortal threat to the majority of the users out there, because those are not running IIS (or any http server, for that matter). And until the more recent versions, the worm was not even a menace to the files in the infected system (the recent versions, by installing a backdoor, would allow for a malicious invader to do a lot more damage).
The kind editor should also remember his math and Netcraft's nice figures. IIS installations represent some 25% of the servers out there. Most of those are already patched by now. Even when they were not patched Code Red got only 6-7% of them (considering 4 million servers/250 thousand infected).
Code Red is certainly a local problem in networks where it finds a nice ecological niche. Cable modem networks are likely to suffer due to their architecture and their own flaws. Other networks will suffer down the road.
But the main point is that this particular worm is out of the way for most of us (if it ever was in the way) and will only affect the bandwidth locally.
It is almost time to reduce its risk rating to low.
Yes, pre-existing worms disappear and no worms of that variety can infect, but in the few minutes of life it had on your system, CodeRed had full access to download other, newer, unpatched, programs that otherwise would be unable to get onboard.
I reiterate, the only safe path is to install on an airgapped machine, or on a well secured LAN. But if you have to download it from the internet, there is a chance that *anything*, not just CodeRed, will be hiding somewhere by the time you patch.
We might be in for another growth spurt...when the hundreds of thousands of college students return to campus and plug in their computers. A good portion of them have probably been unattached to the network, or will be brand new machines just for school. Working at a University, we aren't looking forward to this potential new stream of *fun*.
One possible saving grace is that most of our students come back after the worm is supposed to sleep (20th of the month). However, it might wake again come Sept. 1st. Not to mention any server out there with bad dates ready to spew it around.
On another note, I've notified several people in other departments that they've been hit with the CR II version. They say "well, I'll just apply the patch". Wrong, that will stop your computer from trying to broadcast the worm. Unfortunately, the patch doesn't clean up the trojan explorer.exe and registry settings. I tell them "you'll need to reformat the whole computer", and they laugh. Well, at least I can be first in line to berate their IT department for not taking that suggestion when their whole network gets compromised from another backdoor installed during the computer's 'open' state.
-A non-productive mind is with absolutely zero balance.
- AC
Amerist A'Toll
"What are dreams when we are but the dreams of dreamers yet to be born?"
Yes - check the athome.* newsgroups for more details...
Basically the new, "improved", Code Red is scanning close-by IP addresses, thus trying to find machines that may not even exist, or which are turned off at the moment. In this case, the @home gateway sends an ARP broadcast packet trying to find the IP address in question. This broadcast traffic causes the "activity" light to blink constantly... In my area, there is no performance degradation, though (yet).
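The blinking-light symptom described above, and the tcpdump suggestion earlier in the thread, come down to one measurable thing: a high rate of ARP "who-has" requests for addresses that never answer. The following is an added example, not code from any commenter, that reads tcpdump-style ARP lines (both the older "arp who-has" and the newer "ARP, Request who-has" spellings), counts requests per minute, and reports which targets were asked for but never replied with "is-at". The sample capture and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (made up for this example). Both the old
# "arp who-has" and the newer "ARP, Request who-has" formats are included.
SAMPLE = """\
10:00:01.100000 arp who-has 24.0.12.77 tell 24.0.12.1
10:00:01.200000 arp reply 24.0.12.77 is-at 00:11:22:33:44:55
10:00:02.000000 arp who-has 24.0.12.130 tell 24.0.12.1
10:00:03.000000 arp who-has 24.0.12.131 tell 24.0.12.1
10:00:59.000000 arp who-has 24.0.12.130 tell 24.0.12.1
10:01:05.000000 ARP, Request who-has 24.0.12.200 tell 24.0.12.1, length 28
10:01:06.000000 ARP, Reply 24.0.12.200 is-at 00:aa:bb:cc:dd:ee, length 28
10:01:07.000000 arp who-has 24.0.12.131 tell 24.0.12.1
10:01:08.000000 IP 24.0.12.5.1234 > 24.0.12.77.80: Flags [S], seq 1, win 8192, length 0
"""

# Capture HH:MM, the address being asked for, and who is asking.
WHO_HAS = re.compile(r"^(\d\d:\d\d):\d\d\.\d+ .*who-has (\S+) tell (\S+)")
# Capture the address that answered an ARP request.
IS_AT = re.compile(r"^\d\d:\d\d:\d\d\.\d+ .*?(\S+) is-at ")


def analyze(text):
    """Summarize ARP request load and unanswered targets from tcpdump output."""
    per_minute = Counter()   # "HH:MM" -> number of who-has requests
    asked = Counter()        # target IP -> number of times it was asked for
    answered = set()         # IPs that sent an is-at reply (i.e. that exist)
    for line in text.splitlines():
        m = WHO_HAS.match(line)
        if m:
            minute, target, _asker = m.groups()
            per_minute[minute] += 1
            asked[target] += 1
            continue
        m = IS_AT.match(line)
        if m:
            answered.add(m.group(1))
    # Targets that were asked for but never replied are the "non-existent"
    # hosts the worm's nearby-subnet scanning keeps probing.
    unanswered = {ip: n for ip, n in asked.items() if ip not in answered}
    total = sum(asked.values())
    share = sum(unanswered.values()) / total if total else 0.0
    return {
        "per_minute": dict(per_minute),
        "unanswered": unanswered,
        "unanswered_share": share,
    }


if __name__ == "__main__":
    r = analyze(SAMPLE)
    for minute, n in sorted(r["per_minute"].items()):
        print(f"{minute}  {n} ARP requests")
    print(f"{r['unanswered_share']:.0%} of requests were for hosts that never answered")
    for ip, n in sorted(r["unanswered"].items()):
        print(f"  {ip} asked {n} times, no reply")
```

Feed it `tcpdump -i eth0 -n arp` output to get the per-minute figure the earlier comment quotes (2000/minute); a large share of never-answered targets concentrated on one asking gateway is the signature of scanning, not of normal traffic.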
Myself I might be tempted to do
root.exe?/C+echo+Do+it+>+C:\Documents+and+Settings\All+Users\Desktop\PATCH+YOUR+IIS.txt
perhaps with a little more explanation than "Do IT".
Ad in classifieds: Pandora's Box (no box) $5
24.0.0.203 - - [07/Aug/2001:02:19:23 -0400] "HEAD" 400 - "-" "-"
24.0.0.203 is authorized-scan1.security.home.net, the machine which has been scanning for NNTP servers on port 119, ever since @Home got threatened with the Usenet death penalty.
This is the first time @Home has ever scanned my web server. It seems odd that they're sending an invalid request, although this can distinguish between Apache and IIS. Apache will treat this as HTTP/0.9 and will not send back an HTTP header on its error page, while IIS sends an error page with full headers.
@Home has never blocked ANY port in my area, including 137-139 (I'm on Cogeco@Home). I've connected to my home computer from university over those ports, and successfully transferred files. The modems are capable of simple firewalling, as any DOCSIS modem should be (I've connected to my modem through SNMP and set up some firewall rules, to block connections on port 1214 - my brother was hogging all my upstream bandwidth by using Morpheus/Kazaa).
I'm still getting tons of hits from Code Red, but I don't really mind. I find it interesting to look through my logs and see the different versions of the worm. Among hundreds of Code Red hits, I have 3 interesting ones. Instead of saying "GET /default.ida?XXXXXX"..., they are just "XXXXXX"..., with the exploit code on the end. Does anyone know what this is? The first hit was around 12:30am last night.
I'd just hope they'll have more imagination with their hacks. "Hacked by chinese" WTF? Spending all that time devising a crufty virus, and that's all they have to say? What a complete waste of human effort. Blackhats wearing diapers?
-- Another senseless waste of fine bytes.
It is very embarrassing for Microsoft to be responsible for the biggest true worm (as opposed to email worms which can be blocked at a small number of points) in internet history.
It is well known that Microsoft could easily crush Symantec. Almost all of Symantec's products fill holes in the Windows Family Line that do not exist in other operating systems. According to reports that I have read, the Windows XP betas have firewall software and remote access software; older operating systems have also hurt the viability of Symantec products.
It is clearly in Symantec's best interest to ensure that Microsoft does not add too many of these new features, and when it does, to water them down or license Symantec technology. It would be very easy for Microsoft to include a powerful firewall system based on one of the BSD firewall systems. But instead they have included a weak firewall that most security conscious users would find lacking. Microsoft Scan Disk and Defrag are also both examples of code that have been watered down. The code for defrag is even licensed from Symantec.
In the past, companies that have made Microsoft look bad have been crushed. Symantec does not want to suffer the same fate.
Remote Linux install, anyone?
If programs would be read like poetry, most programmers would be Vogons.
My report on this shows that I'm getting hammered quite a bit. Over 2500 attempted attacks, which is eating quite a bit of bandwidth. And yes, I'm on cable.
My thanks, once again, to the author of the wonderful Perl program which generated this (link available on site).
You can accomplish anything you set your mind to. The impossible just takes a little longer.
Granted I have 3 Class C blocks at Exodus, but since 00:00:01 PST on Sunday I have seen 107,581 port 80 attempts. They currently seem to be running at about 45/minute.
Chris
-- I need more coffee. It's Monday. There is no such thing as enough coffee on a Monday.
I know I'm askin' for it, but I couldn't resist:
cd /home/httpd/html
ln -s /dev/zero default.ida
:-) (And people say PPPoE has no value.)
I'm only a 128k ISDN, but with compression, I can push over a T1 worth of zeros
[root@gateway rothwell]# grep default.ida /var/log/httpd/access_log | cut -f1 -d" " | uniq | wc -l
1595
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
6 of our machines at work got infected over the weekend. I was under the impression that our web guy had been keeping them up-to-date, but 5 were inside our NAT (infected by the 1 that was outside). I was under the impression that the ones inside the NAT would be ok. Bad assumption.
The bandwidth it used was so bad that it completely wiped out our ability to get out via HTTP. We could ping, get and send mail, but we couldn't browse at all. I had inoculated my home machine, and it wasn't until this morning, when we received a notice from our ISP accusing us of massive port scanning of port 80, that I made the connection. I went around the office and, even after 5 of the 6 machines were inoculated, we still couldn't get out via HTTP. It wasn't until the 6th was inoculated that we could get out.
Our line is a 768/512 DSL (I believe those are the numbers), and it amazes me that a single machine infected could cause so much trouble. This is pretty disturbing.
Mediaone has closed off port 80 inbound? WHY? The new version of the worm (the person responsible took the shellcode from the first two variants...yes, that's right, "CodeRed II" is really the third iteration) first checks to see if the machine is running a Chinese or Taiwanese version of Win2K. Ah, yes....it only works against Win2K, since that's the only offset it carries. I don't think that people need to take more action towards securing things a good bit better, but this is a reaction that does not consider the nature of the threat.
For your security, this post has been encrypted with ROT-13, twice.
How many people do this? Standard policy at most places is probably just to install/patch and then assume everything is rosy.
The CNN.com story about this makes no mention of AT&T's woes. Wonder why?
It's because they're one of CNN's biggest sponsors. The online video coverage of the story is even preceded by AT&T commercials :). Now THAT'S irony!
Here's the Video . . .
I've already seen at least one site sending out automated 'a host in your network may be infected' notices by putting up a CGI script in place of vulnerable IIS binary, and using the ARIN database to try to guess who controls the network that the attacking host resides in.
I only received the warning message because it guessed wrong :-)
I do not deploy Linux. Ever.
(Note: calls work fine; it's just directory information that you cannot get.)
-- @rjamestaylor on Ello
Hasn't hit any of our servers but I keep getting the w32.sircam worm in my email all day. I reply to them all with easy to comprehend AOL language... "You've got worms."
I ran a test on the 1597 unique hosts that have attempted to infect my web server recently.
321- 20.1% - "Under Construction" default blank page
0- 00.0% - "too busy"
1093- 69.4% - cannot connect
183- 11.4% - some web page
My agreement stated it was unsupported, but not against the rules. This was also cleared up by contacting Mediaone (you just can't run anything off of an undistributable list of prohibited servers).
Slashdot is currently fucking up my submissions, claiming junk character posts, duplicate posts 22000 hours ago and what not. Sorry if this appears twice somewhere...
:) Things would have been so much easier if this was indeed remote root.
On to what I wanted to say:
While the executable is called root.exe, it's far from a remote root.
"Unfortunately" (well, if you want to do anything with root.exe at least), recent IIS versions are running as some IIS user with very few privileges. It used to run as "system" (meaning more power than the administrator), but it doesn't anymore.
My attempts at shutting down machines attacking my Apache box by running various "net stop" commands etc. were futile. The IIS user simply doesn't have the privileges to shut down the system.
I suspect one could create the equivalent of a fork bomb in a very minimal executable - then write the executable to the remote machine in a number of HTTP requests, and finally get the attacker to stop simply by executing the fork bomb.
But I haven't gotten around to trying this just yet
I've had to reboot my cable modem recently every night to restore connectivity. My ISP just sent out an email saying the CISCO cable modem that I'm using is being hammered by Code Red.
Here's the quote: "With the Cisco 67x series, as well as HP print servers, 3Com switches, and almost all other embedded web server applications, the worm causes a buffer overrun which causes the device to lock up."
Is this really true? It seems pretty unlikely that almost all embedded web server applications have a buffer overrun. It seems possible that a few devices do.
Anybody have more info?
Well, Cisco has put out an advisory for 'unpatched' 6xx DSL modems.
see:
http://www.cert.org/advisories/CA-2001-19.html
However, the Cisco problems are not the same as the MS buffer overflow, but are triggered by the CR scanning nevertheless.
I have seen several mentions of other types of equipment that seem to react badly to CR scanning. Probably because it is "easy" to give a piece of equipment an IP address and a web server for remote management. But most of this equipment was designed to operate inside a nice and friendly LAN, serving well-formed requests. Of course, not all embedded web servers suffer under the CR scanning, and those that do are probably affected by memory leaks, caused by high load, that require a reboot.
The scary truth probably is that security, as usual, wasn't high on the list when all those devices were designed.
Security is hard to design and maintain, but also hard to sell to customers.
Sites running transparent proxies (from MS-proxy, MS-ISA?, Cisco, Squid, etc.) may experience severe resource depletion if infected. See http://archives.neohapsis.com/archives/bugtraq/20
Other products using "embedded" MS IIS are affected too.
What is thought-provoking about CRII is its spreading algorithm, favoring IP addresses close to the infected host. This is of course much more efficient than random numbers, but also seems to make it easier for it to infect hosts _inside a LAN_ on "misconfigured" networks:
Host A on the inside LAN/DMZ cannot be reached directly from the Internet, but it "trusts" Host B, on the hostile Internet. So when Host B is infected, Host A gets it too, and starts spreading the infection deep into the LAN.
And in my experience, hosts and equipment inside the LAN are rarely patched and tied down with the same vigour as Internet hosts.
It is of course bad network design that allows this to happen, but a lot of sites are nevertheless configured that way, because it makes things easier.
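An added example (not from any poster here) covering two points in this thread: counting unique probing hosts from an Apache access_log, and checking whether the sources cluster near the server's own address, as CRII's locality-biased scanning would predict. The log lines and the server address 24.10.5.7 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access_log lines (not from the page). The server is
# assumed to sit at 24.10.5.7, so 24.10.x.x shares its /16 and 24.x.x.x its /8.
SERVER_IP = "24.10.5.7"
SAMPLE_LOG = """\
24.10.77.3 - - [06/Aug/2001:10:01:02 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 276
24.10.77.3 - - [06/Aug/2001:10:01:05 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 276
24.200.1.9 - - [06/Aug/2001:10:02:11 -0700] "GET /default.ida?NNNN HTTP/1.0" 404 276
24.10.8.44 - - [06/Aug/2001:10:03:40 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 276
198.51.100.5 - - [06/Aug/2001:10:04:00 -0700] "GET /index.html HTTP/1.0" 200 1234
203.0.113.9 - - [06/Aug/2001:10:05:00 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 276
24.10.77.3 - - [06/Aug/2001:10:06:00 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 276
"""

# Common log format: client, ident, user, [timestamp], "METHOD path ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

def probe_sources(log_text):
    """Return the set of client IPs that requested /default.ida (the Code Red
    probe signature). A set deduplicates correctly even when hits from one
    host are not adjacent, which `uniq` without a preceding `sort` misses."""
    sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2).startswith("/default.ida"):
            sources.add(m.group(1))
    return sources

def proximity_breakdown(sources, server_ip=SERVER_IP):
    """Bucket probing hosts by how much address prefix they share with us.
    CRII prefers targets in its own /8 and /16, so a cable or DSL subscriber
    should expect the 'same /16' bucket to dominate."""
    s1, s2 = server_ip.split(".")[:2]
    buckets = Counter()
    for ip in sources:
        o = ip.split(".")
        if o[0] == s1 and o[1] == s2:
            buckets["same /16"] += 1
        elif o[0] == s1:
            buckets["same /8"] += 1
        else:
            buckets["elsewhere"] += 1
    return dict(buckets)

if __name__ == "__main__":
    hosts = probe_sources(SAMPLE_LOG)
    print(len(hosts), "unique probing hosts")
    print(proximity_breakdown(hosts))
```

Point it at a real access_log and a large "same /16" bucket is a hint that the infected machines are on your own provider's network, which is exactly why cable segments got hit so hard.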
Perhaps we can run this command to open the link to the IIS patch for these idiots. I couldn't fight the curiosity any longer, so I installed a webserver on my box just to watch the logs, and I've gotten well over 100 hits in the past hour and have found quite a few of my fellow RR members have been r00ted. Now if only I could figure out how to embed useful commands in the HTML so I can try to help some of these folks out.
Something's been bothering me about all the people criticizing the IIS admins for being too lazy to apply a month-old patch. Personally, I admin an IIS server that didn't have the patch applied, but Code Red didn't affect it. Why not? Because when I set up IIS in the first place I followed the security checklist. Unmapping .ida and other unused server extensions was right there on the list. Any decent Microsoft weenie should have done the same. If you're not stupid in the first place, sometimes you can get away with being lazy.
You might have more chance to get hired if you changed
cat file | grep pattern
into
grep pattern file
[grin] That's actually what it's running; I'm not crazy and I don't want to melt down my server with the extra command and the pipe overhead. I took a little ...uhh... artistic license and used cat and then grep on the page because, based on the number of Slashdot visitors who are still running Windows, it seems more self-explanatory.
My reasoning? I don't know what percentage of those people are actually running Linux/UNIX servers. Most UNIX newbies could figure out what the cat does, and the pipe is the same as from DOS. And then, in that context, I don't think it would take a rocket scientist to see what grep does. However, grep on its own would look a little unclear.
My focus group was my two roommates, both reasonably conversant with Windows and DOS (one of them has an original copy of DOS 3.3 still sealed in the box), no previous experience with UNIX of any sort, or the allegedly mind-blowing command prompts. The closest they've ever come to a shell is configuring a POP mail client. [grin]
Yes, it appears to be inelegant. On one hand, the display version is in the very traditional UNIX model of a small, specialized and portable tool for each task, so in that sense, it's the preferable way, it's elegant in context. But, anyone who has ever written a script and watched top would cringe at it because it's a brute-force programming technique, almost as bad as a bubble sort. I don't claim to be a programmer, let alone an inspired one, but I certainly value efficiency.
Okay, am I out to lunch? Does it work? I thought it through; after all, this is a first impression of me. Maybe I'll put a link off it with an explanation of why I chose to display the command that way.
Fire and Meat. Yummy.