Slashdot Mirror


Hotmail Servers Shut Down by Code Red

An Anonymous Coward writes: "SF Gate has this story about Code Red taking down some of Microsoft's Hotmail servers. That's funny." So is Code Red a problem yet? Meanwhile my sircams have stopped, except for 2 people who mail me a hundred or more a day. Thank god for filters, but if I had a monthly bandwidth cap, I'd be pissed.

24 of 460 comments

  1. Re:Microsoft to be the target of (more) lawsuits? by Chester K · · Score: 3, Informative

    Well, here we have a gold-plated example of a fatal flaw in a piece of commercial software, coupled to a lax attitude towards fixing it, that has without question resulted in the loss of Actual Money by a great deal of people. One would think then, that IS Managers across the world would be queuing up to sue Microsoft and recover their costs.

    Sue Microsoft because your sysadmin is too lax to install a security patch that came out almost two months ago?

    Yeah, that'll work.

    --

    NO CARRIER
  2. another article on hotmail infection by treebeard77 · · Score: 2, Informative

    Dave Farber's mailing list passed along Microsoft's Hotmail Is Red Hot From Worm from Newsbytes

  3. BSD by Crewd · · Score: 5, Informative

    I bet Microsoft is wishing they left those hotmail servers on BSD. If I remember correctly, they started moving from BSD to Windows 2000 just about this time last year...of course that was after an unsuccessful try in about the 97/98 time frame....

    Crewd

    1. Re:BSD by bmajik · · Score: 4, Informative

      No.

      The "back end" is a bunch of Sun E4500's.

      The vast majority of freebsd machines are now running w2k.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    2. Re:BSD by Anonymous Coward · · Score: 1, Informative

      *BSD is dying

      Yet another crippling bombshell hit the beleaguered *BSD community when last month IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on top of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test.

      You don't need to be a Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all.

      Let's keep to the facts and look at the numbers.

      OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

      Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to another charnel house.

      All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

      *BSD is dying

    3. Re:BSD by Anonymous Coward · · Score: 1, Informative

      I thought the backend was Oracle on Solaris.

    4. Re:BSD by Anonymous Coward · · Score: 1, Informative

      "The telnetd service is enabled by default on all FreeBSD installations if the 'high' security setting is not selected at install-time"

      Read your links next time.

  4. Windows NT servers by tringstad · · Score: 5, Informative

    I submitted this as an article this morning, but as it is still pending, and both my home and work servers are still under constant annoyance, I figured I'd pass it on here as well. If you are running a Windows NT server, kindly do us all a favor and just turn it off for a few months.

    According to yesterday's Handler's Diary on www.incidents.org, "Microsoft has confirmed that if an IIS 4.0 webserver is using URL redirection, it is still vulnerable to Code Red even if the Microsoft patch is installed". The only known solution is to remove all URL redirections from NT servers running IIS 4.0.

    -Tommy

    --
    "I got a half gallon of Jack, and 2 dozen Ant Traps. I'm about to get wild." -me
  5. in reading the article... by linuxpng · · Score: 2, Informative

    I found out that a couple of the servers were infected by code red.. not taken down. It even states that it caused no slow down accessing hotmail. The only news here is that MS doesn't care enough about hotmail to patch a few servers. Woo.

  6. Re:Hotmail running Windows again? by Jucius Maximus · · Score: 4, Informative

    "I thought Hotmail was not running Windows. Correct me if I am wrong, but I thought it was running Solaris."

    Back when MS bought out Hotmail, they were running on BSD software (Apache, I think,) and then a lot of people started to make fun of them because they didn't even use their own software on their own servers.

    So they moved it over to an MS platform. According to my scanner, it's running IIS 5.0.

    [64.4.53.7:80] World Wide Web HTTP
    HTTP/1.1 302 Redirected..Server: Microsoft-IIS/5.0..Date: Thu, 09 Aug 2001 14:48:33 GMT..Location: http://lc2.law5.hotmail.passport.com

  7. Hmmm...free e-mail 'aint so free with MS by Linux Freak · · Score: 2, Informative

    Hmmm...Hotmail used to be a *fantastic* mail service until MS took it over (first, they added SSL which made accessing it from lynx impossible. Fortunately lynx-ssl made it possible again. Then, they added Javascript. Bastards. Javascript, for MAIL???)

    Then Hotmail moved their cluster (several times, if memory serves) from trusty, reliable FreeBSD servers to MS products. We have seen the results of this changeover in the past, and now we're seeing what happens now with all the viruses floating around in MS-land.

    I was happy enough to discover Yahoo Mail, which IS running on FreeBSD servers, and DOESN'T need SSL or Javascript to access. Haven't had a problem since then. :-)

  8. Not just MS Hotmail server with the bug by jmoo · · Score: 5, Informative

    I work for a small company that handles license production for a number of the software companies, most of the stuff for OEMs - one of them is Microsoft. (You know that little piece of paper with the cool hologram and bunch of numbers? We make them)

    Now Microsoft is very critical about who gets access to the serial numbers and databases. They have their own servers, VLAN, and firewall at our plants for distribution of licenses. Think it would be pretty secure, right?

    Well not really, they all got Code Red when it first came out. Now we were cleaning Code Red up on our own webserver (Yeah, I know, should have patched). Noticed that the MS servers were infected, called up MS and told them what was up. They didn't believe us and told us the servers were already patched. Took a number of calls and yelling to get their boxes fixed.

    I don't know if it's really funny or really sad.

    --
    The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data.
  9. Re:Microsoft to be the target of (more) lawsuits? by iCEBaLM · · Score: 3, Informative

    You're right on the money for the most part, however let's make a little modification:

    Who has losses that arise from code red?

    ISP's and individuals/companies paying for bandwidth used.

    Who causes this mess?

    Microsoft who left a remote buffer overflow in the 5th version of their IIS software

    Who can sue who?

    People who have losses because of gross negligence.

    -- iCEBaLM

  10. code red, sircam, taco, and real business by Anonymous Coward · · Score: 4, Informative

    first off, cmdrtaco, please keep moaning about getting too much mail all the time from these viruses. it really adds to the discussion to hear every 5 posts or so, 'wah, i am getting megs of virus mail.' okay, we get it. but... what is really weird is the reaction of 'real businesses' to these viruses. IBM for one (and this is why i'm posting anonymously...) SHUT DOWN their entire internal access to all port 80 traffic to stop the spread of code red -- this is a big deal, as this is affecting entire companies' modes of operation and costing millions in lost productivity (no access to even internal web docs, let alone external web resources, etc).

  11. Topology of the net by Anonymous Coward · · Score: 1, Informative

    As this article makes clear, the topology of the net is not what was expected.

    In trying to understand the topological component of error tolerance, we can get help from a field of physics known as percolation. Percolation theory tells us that if we randomly remove nodes, then at some critical fraction, fc, the network should fragment into tiny, non-communicating islands of nodes. To our considerable surprise, simulations on scale-free networks do not support this prediction. Even when we remove up to 80% of the nodes, the remainder still form a compact cluster (figure 4). The mystery was resolved last year by Reuven Cohen of Bar-Ilan University in Israel and co-workers. They showed that as long as the connectivity exponent G is less than three (which is the case for most real networks, including the Internet) the critical threshold for fragmentation is fc = 1. This is a wonderful demonstration that scale-free networks cannot be broken into pieces by the random removal of nodes, a result also supported by the independent calculations of Duncan Callaway and collaborators at Cornell University. This extreme robustness to failures is rooted in the inhomogeneous topology of the network. The random removal of nodes is most likely to affect small nodes rather than hubs with many links because nodes significantly outnumber hubs. Therefore the removal of a node does not create a significant disruption in the network topology, just like the closure of a small local airport has little impact on international air traffic. The bad news is that the inhomogeneous topology has its drawbacks as well. Scale-free networks are rather vulnerable to attacks. Indeed, the absence of a tiny fraction of the most-connected nodes will cause the network to break into pieces. These findings uncovered the underlying topological vulnerability of scale-free networks. While the Internet is not expected to break under the random failure of the routers and lines, well informed hackers can easily design a scenario to handicap the network.

    Basically because most links go through a few highly connected nodes, simultaneous ddos attacks on those nodes COULD 'take down the net'.

    This also explains why SirCam and even Lovebug won't die:
    "Recently Romualdo Pastor-Satorras from Universitat Politecnica de Catalunya in Barcelona, Spain, and Alessandro Vespignani from the International Centre for Theoretical Physics in Trieste, Italy, demonstrated that viruses behave rather differently on scale-free networks compared with random networks. For decades, both marketing experts and epidemiologists have intensively studied so-called diffusion theories. These theories predict a critical threshold for virus spreading. Viruses that are less contagious than a well defined threshold will inevitably die out, while those that are above the threshold will multiply exponentially and eventually reach the whole system. The Barcelona-Trieste group, on the other hand, has found that the threshold for a scale-free network is zero. In other words, all viruses, even those that are only weakly contagious, will spread and persist in the system. This explains why "Love Bug", the most damaging virus so far, is still the seventh most frequent virus, a year after its introduction and supposed eradication."
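
    The random-failure versus hub-removal contrast quoted above can be reproduced on a small synthetic graph. This is an added example, not part of the original post or the article it quotes; the graph is grown by preferential attachment (an assumption about the generator, not a model taken from the page) and robustness is measured as the share of surviving nodes that still sit in the largest connected cluster.

```python
import random
from collections import deque


def scale_free_graph(n, m, seed=0):
    """Grow a graph by preferential attachment (Barabasi-Albert style):
    each new node links to m distinct existing nodes chosen with
    probability proportional to their current degree."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    for i in range(m + 1):               # fully connected seed core
        for j in range(i + 1, m + 1):
            adj[i].add(j)
            adj[j].add(i)
    pool = [v for v in range(m + 1) for _ in adj[v]]   # degree-weighted pool
    for v in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(pool))
        for u in chosen:
            adj[v].add(u)
            adj[u].add(v)
            pool.extend((u, v))
    return adj


def largest_component_fraction(adj, removed):
    """Size of the biggest connected cluster as a fraction of surviving nodes."""
    alive = [v for v in adj if v not in removed]
    if not alive:
        return 0.0
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for u in adj[v]:
                if u not in removed and u not in seen:
                    seen.add(u)
                    queue.append(u)
        best = max(best, size)
    return best / len(alive)


def random_failures(adj, frac, seed=1):
    """Remove a random fraction of nodes: the percolation case in the article."""
    k = int(frac * len(adj))
    return set(random.Random(seed).sample(sorted(adj), k))


def hub_removal(adj, frac):
    """Remove the most-connected nodes first: the worst case the article describes."""
    k = int(frac * len(adj))
    return set(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k])


def compare(n=1000, m=2, frac=0.2):
    """Return (largest-cluster fraction after random failures, after hub removal)."""
    g = scale_free_graph(n, m)
    return (largest_component_fraction(g, random_failures(g, frac)),
            largest_component_fraction(g, hub_removal(g, frac)))
```

With the defaults, losing 20% of nodes at random leaves most survivors in one cluster, while losing the 20% best-connected nodes shatters the graph; the same asymmetry is why hub capacity and redundancy, not average node reliability, decide how much a DDoS on core nodes can hurt.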
  12. Re:Smoke and Mirrors? by Anonymous Coward · · Score: 0, Informative

    Right you are... from incidents.org

    WinNT/IIS-4.0 with URL Redirection Still Vulnerable After Patch http://www.incidents.org/diary/diary.php#801

  13. Re:What a switcheroo! by mistered · · Score: 2, Informative

    jobs.osdn.com was put together by a Toronto-based firm, DevelopersNetwork. DevelopersNetwork is a Microsoft shop, and thus jobs.osdn.com is run on Microsoft "servers." There's even a page at jobs.osdn.com that explains the situation.

    --
    Enjoy your job, make lots of money, work within the law. Choose any two.
  14. Got scanned by SgtClueLs · · Score: 3, Informative

    Known about this since Sunday. When I went through my error_log file on my apache box I found this.

    [Tue Aug 7 05:37:56 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
    [Tue Aug 7 05:38:45 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
    [Tue Aug 7 05:38:54 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
    [Tue Aug 7 05:40:21 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
    [Tue Aug 7 05:42:01 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
    [Tue Aug 7 05:42:15 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
    [Tue Aug 7 05:42:20 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
    [Tue Aug 7 05:48:55 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
    [Tue Aug 7 05:49:13 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida

    64.4.13.230 is msgr-cs20.msgr.hotmail.com

    You'd figure they'd patch themselves.
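
    The error_log above is exactly the kind of evidence a non-IIS host collects about Code Red scanning, and it is easy to turn into a per-source count. The following is an added example, not code from the original post: it parses Apache 1.3-style error_log lines and tallies default.ida probes per client. The sample log is constructed; 64.4.13.230 is the address from the post, the other addresses are documentation ranges.

```python
import re
from collections import Counter

# Constructed sample in Apache 1.3 error_log format, modelled on the lines in the post.
SAMPLE_LOG = """\
[Tue Aug 7 05:37:56 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
[Tue Aug 7 05:38:45 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
[Tue Aug 7 05:39:10 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/favicon.ico
[Tue Aug 7 05:40:21 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
[Tue Aug 7 05:41:00 2001] [error] [client 198.51.100.7] File does not exist: /usr/local/apache/htdocs/default.ida
[Tue Aug 7 05:42:01 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
"""

# Apache 1.3 error_log: "[timestamp] [level] [client ip] message"
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"File does not exist: (?P<path>\S+)$"
)


def parse_error_log(text):
    """Yield (timestamp, client ip, requested path) for each 'File does not exist' line."""
    for line in text.splitlines():
        m = ERROR_LINE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("path")


def code_red_probes(text):
    """Count default.ida requests per client.

    The .ida extension is served by an IIS ISAPI filter, so on Apache the
    worm's probe never matches a handler and is logged as a missing file."""
    counts = Counter()
    for _ts, ip, path in parse_error_log(text):
        if path.rsplit("/", 1)[-1].lower() == "default.ida":
            counts[ip] += 1
    return counts


def noisy_scanners(text, threshold=2):
    """Clients that probed for default.ida at least `threshold` times, busiest first."""
    return [ip for ip, n in code_red_probes(text).most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in code_red_probes(SAMPLE_LOG).most_common():
        print(f"{ip:<16} {n} default.ida probe(s)")
```

Run against a real error_log, the per-source counts are what you would hand to the owner of the scanning host (or its abuse contact), since each repeated probe is an unpatched IIS box announcing itself.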

  15. Re:Okay so... by cworley · · Score: 5, Informative

    >people can't get to their accounts that are filled up with SirCam

    I was out of town for a week (two weeks ago), when I returned, the Hotmail Janitor had deleted all my saved mail in all my folders, and all I had left was that week's spam/sircam.

    In complaining to Hotmail support, they replied, to my Hotmail account, asking what the name of my Hotmail account was. I'm not joking -- they're that stupid.

    In further correspondence, they have said that they can't recover anything deleted by their "auto janitor".

    They have said that Hotmail should not be trusted to store valuable mail (and that I should use outlook instead -- the damn software responsible for SirCam in the first place).

    They think this is my problem, and I should upgrade my anti-virus software (I've repeatedly assured them that I've been WinDoh's free for four years -- I can't find McAfee's Linux download site).

    They say their anti-virus protection is sufficient -- yet I rec'd two more SirCam laced spams today. They won't let me download the contents (even though it won't hurt my Linux system).

    I've told them that their anti-virus protection kicks in too late -- they need to not stick any email into the Inbox that has the SirCam virus (they don't let you download the attachment anyway -- why bother letting it fill up your quota).

    I've told them they should shut down their Janitor and make backups until this problem is resolved, or more Hotmail customers are going to get their accounts wiped out without backup.

    I've also told them that the correct solution is to bounce new incoming emails headed for an over-quota user, rather than allowing the incoming email and deleting the existing, saved, mail.

    They don't get it. They don't understand.

    And, if any Microsoft troll cares to say I'm a liar about this (like they did the last time I reported this in Slashdot)... I have the email transcripts to prove that this is Hotmail's behavior.

    I have found two solutions:

    www.mail.com
    www.graffiti.net

    Both provide excellent free email (and web hosting) service, and are smart enough to not run Microsoft products.

    --
    When I die, please cast my ashes upon Bill Gates -- for once, make him clean up after me!
  16. Re:Moron, Outlook has nothing to do with it by NutscrapeSucks · · Score: 2, Informative

    Yes, but unlike ILOVEYOU and so on, it doesn't send mail through Outlook, and filches addresses from other sources besides Outlook. It will fully affect any Win box that doesn't have Outlook installed.

    And according to this, it doesn't use Outlook APIs, but instead combs through the Windows address book (WAB file) looking for addresses (which is only used by Outlook in 'internet mode' and is used by Outlook Express, which certainly doesn't support Outlook's COM API). The fact that it doesn't grab Netscape or Eudora's address book is probably just laziness on the author's part.

    Conclusion: Not an Outlook virus, except according to CmdrTaco.

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.
  17. Code Red has done real damage to Britain's phones by Sara Chan · · Score: 3, Informative

    I live in England. For the last day or so, it has not been possible to get telephone-directory inquiries for Europe or Asia. Asking for numbers in Canada/USA works fine. But when I've tried to get a number in Eurasia, I've been told that there are no lines to directory inquiries in those countries. The cause is claimed to be CodeRed, but I haven't been able to find out the details.

    (Note: calls work fine; it's just directory information that you cannot get.)


  18. Re:Aren't these CodeRed II attacks supposed to fin by Chakat · · Score: 2, Informative

    A recent /. article theorized that CRII has already infected pretty much all the servers it's going to infect, and is currently propagating itself among infected servers. An unpatched box, once rebooted, is infected again very quickly simply because of the rapid dissemination techniques.

    Over my way, daily average is about 225 attacks, no sign of letting up, and when a browser is pointed towards them, most of them simply show the default IIS screen. These boxes are probably not going to be patched because the owners of the machines are unaware their machines are owned. So, yeah, Oct 1 is probably when this crap is going to end.

    --

    If god had intended you to be naked, you would have been born that way.

  19. For people who ask WTF is URL redirection: by Otis_INF · · Score: 3, Informative

    When you select for the setting 'When connecting to this resource, the content should come from' option 3: A redirection to a URL, (On the 'Home Directory' Tab in the website's properties in IIS4) you are still vulnerable. You are thus not vulnerable when you do response.redirect() kinda stuff in ASP.

    --
    Never underestimate the relief of true separation of Religion and State.
  20. Re:Other keywords that identify manly Aussies by IronChef · · Score: 3, Informative

    You forgot "Vegemite."