Hotmail Servers Shut Down by Code Red
An Anonymous Coward writes: "SF Gate has this story about Code Red taking down some of Microsoft's Hotmail servers. That's funny." So is Code Red a problem yet? Meanwhile my sircams have stopped, except for 2 people who mail me a hundred or more a day. Thank god for filters, but if I had a monthly bandwidth cap, I'd be pissed.
Did anyone read the Dilbert comic where MS had misspelled a word in MS Word? I can imagine the admin(s) in question being put into a similar situation
.. At our Comdex booth
MS Admin: We got the virus we've been teaching people to prevent.
Bill: Great, so what are you going to do about it?
MS Admin: Kill myself as an example to others?
Bill:
I find it amazing that they didn't take every precaution to protect what might be their highest-profile property. If MSDN went down, they could cover it - Most of their other servers, too. But Hotmail? That's so closely associated with Passport and, by association, dot-net, that I think they would do absolutely everything in their power to keep it spotless in the minds of the users.
Good luck to them. They'll need it.
I got two unsolicited calls asking how to set up Apache on a Windows 2000 server. These were people who had never seen a need to switch before. If I convert their servers for them, I'll probably set up a Linux box or two, 'just for backup purposes'.
Heh heh.
Cheers,
Jim in Tokyo
-- My Weblog.
I just queried Netcraft What's That Site Running and it answers:
... I'm laughing as much as everyone!
The site www.hotmail.com is running Microsoft-IIS/5.0 on Windows 2000
I also tried the SSL Port 443 and it's also hosted on IIS5/Win2K. Hope this clears up any confusion *grin*
One thing to consider here folks: this is a classic case of Security Process falling down. It just so happens it's an Win2K hole in this instance. If Hotmail still ran BSD and there was a root exploit discovered, someone still needs to follow the process and plug the hole.
NB: I'm not excusing MS here
Well, here we have a gold-plated example of a fatal flaw in a piece of commercial software, coupled to a lax attitude towards fixing it, that has without question resulted in the loss of Actual Money by a great deal of people. One would think then, that IS Managers across the world would be queuing up to sue Microsoft and recover their costs.
Sue Microsoft because your sysadmin is too lax to install a security patch that came out almost two months ago?
Yeah, that'll work.
NO CARRIER
Microsoft has just reported on its website that the hotmail/passport servers will be down indefinitely because the programmers and technicians who are supposed to fix them can't log into their passport accounts to access their tools to fix the problem.
More on this at 11.
Best. Comment. Ever. Enjoy!
Make a modified version of CodeRed called, say, CodeNap. Include in the payload an MP3 by Metallica. Wait 48 hours until it's everywhere. Now sue Microsoft because they are making money off a system that is being used to make illegal copies of copyrighted works!
I bet Microsoft is wishing they left those hotmail servers on BSD. If I remember correctly, they started moving from BSD to Windows 2000 just about this time last year...of course that was after an unsuccessful try in about the 97/98 time frame....
Crewd
Microsoft is using a Beta version of the new IIS software for their hotmail servers that come with the worm already bundled with it.
I submitted this as an article this morning, but as it is still pending, and both my home and work servers are still under constant annoyance, I figured I'd pass it on here as well. If you are running a Windows NT server, kindly do us all a favor and just turn it off for a few months.
According to yesterday's Handler's Diary on www.incidents.org, "Microsoft has confirmed that if an IIS 4.0 webserver is using URL redirection, it is still vulnerable to Code Red even if the Microsoft patch is installed". The only known solution is to remove all URL redirections from NT servers running IIS 4.0.
-Tommy
"I got a half gallon of Jack, and 2 dozen Ant Traps. I'm about to get wild." -me
Can anyone write a new Napster using this "protocol"? Then we just have to set up NT servers and wait for the files to arrive. First it spreads itself to any boxes on the net, then starts transferring files off your HD. Every day when you come home from work you've got 2 GB of fresh pron. Should keep you busy for the rest of the evening.
Back when MS bought out Hotmail, they were running on BSD software (Apache, I think), and then a lot of people started to make fun of them because they didn't even use their own software on their own servers.
So they moved it over to an MS platform. According to my scanner, it's running IIS 5.0.
[64.4.53.7:80] World Wide Web HTTP
HTTP/1.1 302 Redirected..Server: Microsoft-IIS/5.0..Date: Thu, 09 Aug 2001 14:48:33 GMT..Location: http://lc2.law5.hotmail.passport.com
Except that the EULA, any EULA, is absolute and total bullshit, except in Maryland and Virginia(?) who think UCITA makes sense.
You can't make addendums to a contract after the sale without agreement from both sides. Clicking a button or hitting a key does not constitute proof of agreement. That requires a signature. Please help spread the news that EULA's are bullshit until they are upheld in a court of law or supported by legislation. At the present, they are just some grandstanding bullshit from rich software companies with nothing more than threats from lawyers standing behind them.
BTW, did I mention that EULAs are BULLSHIT mumbo-jumbo legalese that don't have the force of spit.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
MSN Hotmail has a new look!
MSN Hotmail has a brand new face...and it's easier to use. You'll find it easier to create and manage your folders, see which of your Messenger buddies has been hacked by chinese, and quickly choose names from your Address Book when send document for to ask advice.
Promote proofreading. Don't mod up sloppy posts.
Who has losses that arise from code red?
ISPs and individuals/companies paying for bandwidth used.
Who causes this mess?
People who haven't patched their software (gross negligence).
Who can sue who?
People who have losses because of gross negligence.
Microsoft is shielded by a EULA that limits (or denies) liability (although this EULA might not be fully applicable worldwide).
Back in the Dark Ages of corporate acceptance of Free Software (circa '97 or so) a common pointy-haired manager complaint was "Who do we sue?"
I.e., if the software contained some fatal flaw that resulted in Actual Money being lost, the corporation could go after a commercial software house in the courts in an attempt to recover costs.
Free Software, being provided as a community service with no sue-able corporation behind it, lacked this perceived accountability.
Well, here we have a gold-plated example of a fatal flaw in a piece of commercial software, coupled to a lax attitude towards fixing it, that has without question resulted in the loss of Actual Money by a great deal of people. One would think then, that IS Managers across the world would be queuing up to sue Microsoft and recover their costs.
Anybody seeing any evidence of this happening?
Want to learn about race cars? Read my Book
They are difficult to patch or upgrade or remotely configure or fix, or even publish to.
So...how, exactly, are these systems easy to use again?
I work for a small company that handles license production for a number of the software companies, most of the stuff for OEMs - one of them is Microsoft. (You know that little piece of paper with the cool hologram and bunch of numbers? We make them)
Now Microsoft is very critical about who gets access to the serial numbers and databases. They have their own servers, VLAN, and firewall at our plants for distribution of licenses. Think it would be pretty secure, right?
Well, not really; they all got Code Red when it first came out. Now, we were cleaning Code Red up on our own webserver (yeah, I know, should have patched), noticed that the MS servers were infected, called up MS and told them what was up. They didn't believe us and told us the servers were already patched. Took a number of calls and yelling to get their boxes fixed.
I don't know if its really funny or really sad.
The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data.
NT's standard remote admin tools, like Event Viewer and Server Manager, require RPC using NetBIOS, which is difficult if not impossible to secure.
UNIX may have its problems, but secure remote administration using native tools is not one of them.
Helevius
And this the company whose software that the vast majority of ISPs insist that you use if you want to connect to the internet using their lines.
I think I'll have some new ammunition the next time I get into an argument with an ISP over what software I'm allowed to run.
CUR ALLOC 20195.....5804M
(twas a ZDNet story I can't seem to locate)
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
One little server on a little 128k leased line and the attack pattern since 1st August reads
13,35,24,27,27,63,73,47,32 (in 15 hours)
Until the 4th August all the attacks were from the initial breed (NNNNNN). On the 4th 3 of the 27 attacks were from the new breed (XXXXXX). On the 5th 15 NNNNN and 12 XXXXX. Day 6 and only 10 of the old breed arrive while 63 of the new breed are in and since then we are down to about 3 attacks of the old NNNNN per day.
I actually agree with the concept setting up a lot of machines to reply to the virus with the fix. It seems obvious that too many NT/2000 boxes out there are abandoned and vulnerable thanks to the lack of knowledge required to expose one. Who thinks that we won't see any attacks next month?
Never underestimate the dark side of the Source
Um... maybe that's where Code Red originally came from.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
We discussed this one year ago this week. It was concluded that they were running a round-robin DNS, and you'd sometimes get Apache (~20% of the time) and sometimes get IIS 5.0 (~80% of the time.) To run your own experiment, try the script that I included at the time.
#!/bin/bash
# Fetch the HTTP headers 252 times and record the Server: line each time;
# round-robin DNS should hand back a mix of Apache and IIS answers.
i=1
while [ "$i" -lt 253 ]
do
    lynx -head -dump http://lw7fd.law7.hotmail.msn.com/ | grep Server >> /var/tmp/hotmail
    let i="$i"+1
done
sort /var/tmp/hotmail | uniq -c
-Waldo
GET /default.ida?heheheheheheheheheheheh.....heheheh.muahahahahahahahahaaaaaaaaaaaaaaaaaaaahahahahaHAHAHAHAHAHAAAAAAAAAAAAAAAAAAAAa%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
;-)
-- It only takes 20 minutes for a liberal to become a conservative thanks to our new outpatient surgical procedure!
...Code Red is taking down Hotmail so that people can't get to their accounts that are filled up with SirCam?
"Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
The patch has been out since what, June? MS is happy to say "we had a patch out months ago, sent out plenty of warnings, everyone had plenty of time to stop this, it's not our fault they didn't patch it" when people complain about the problem.
The fact that they didn't get their systems patched is a real indictment of either their system administration practices (if even the vendor doesn't install widely-publicized vendor patches, how can they claim that Bob's Bait Store should always be up to date?) or the "easy administration" of W2K. Unfortunately I doubt anyone will actually be indicted....
Sign me up for Hailstorm right now! Do you need my credit card number now or later? When do you want my ssn, drivers license, home address and other personal information? Boy, I sure am glad I've got a big responsible company to handle my sensitive data instead of a bunch of foreign nobodies. If MicroSoft can't protect my information, who can we trust? ;)
You must be the change you wish to see in the world - Gandhi
Oh, sorry I forgot. Some people just can't take the competition.
Is it true that I can get my FREE download of MSN Explorer at http://explorer.msn.com/intl.asp? Wow! That's just what I've always wanted, FREE software.
Friends don't help friends install M$ junk.
"Sucks to be them"
I can think of worse jobs than being paid by Microsoft to watch their servers being brought down by their own software!
As far as I can recall, it was running on BSD, and it was being recently "migrated" to Win2K. Re: fixing worms ... don't even go there!!
Ok, I know it's a lot of servers, but the company that runs Hotmail also wrote the OS that is insecure. This company released a warning, what, like 6 months ago, and also released a patch at the same time. They have been claiming that this is a major security hole since then and strongly encouraging everybody to install the patch, yet they themselves don't.
Somehow, when I picture a server farm, I see this clean, organized room with nice neat racks. With everything that happens with MS's servers, all I can envision is a building reminiscent of a level from Diablo. Something dark & gloomy with servers just sitting on workbenches with their hard drives just hanging out of the side of the case and the motherboard coated in 1/2" of dust.
How can you forget a bunch of servers. I work for a small ISP so we're not the most organized place, but hell, all we have is two racks for modems & routers, and a dozen boxes sitting on the floor for servers. But we at least have pieces of paper tacked to the wall with a list of IP addresses, server names, functions and OS. We install the patches on all of our machines just fine.
All you need is a list of all the servers. Then take that list around with you and after you install the patch, put a little "X" next to the server on the list. Not really complex guys. Of course this is Microsoft, they're probably running little handhelds with WinCE, connecting wirelessly to a MSSQL server that seems to simply misplace records for the hell of it.
These guys are good at making money...
Actually, they're not that good at making money. They've coded themselves into a hole where people don't want to upgrade their software to new versions every year or two. Windows 98 or 2000, Office 2000 and Internet Explorer 5.5 do everything the typical office worker needs. It's the same on the server side. Most offices aren't looking for new features. They want to reduce support costs. That doesn't translate well into writing more checks to Microsoft.
For a long time Microsoft had no real professional services arm. They left that to all the independent MCPs. Now they're catching on to what IBM, SAP, Oracle, and everyone else figured out at least 5-10 years ago. Software sales are only part of the pie. Service and support can be a big revenue source, especially if your software isn't easy to support. Now Microsoft is building up their professional services arm.
first off, cmdrtaco, please keep moaning about getting too much mail all the time from these viruses. it really adds to the discussion to hear every 5 posts or so, 'wah, i am getting megs of virus mail.' okay, we get it. but... what is really weird is the reaction of 'real businesses' to these viruses. IBM for one (and this is why i'm posting anonymously...) SHUT DOWN their entire internal access to all port 80 traffic to stop the spread of code red -- this is a big deal, as this is affecting entire companies' modes of operation and costing millions in lost productivity (no access to even internal web docs, let alone external web resources, etc).
Actually, the MS provided patch doesn't work against Code Red if you have URL forwarding on your server. I bet they have it enabled, and so they were left open...
Think about this...
For a Linux box or a Windows box, go through the same list and realize that it's the administrator that matters. Not the OS! Really. A Windows box can be just as secure as a Linux box if the administrator knows what he is doing. An admin for a Win2K box is cheaper than a Linux admin. There's more of them. So the cost of the OS takes itself out.
1) Pick a platform that is difficult to administer remotely
2) Pick a platform that is insecure
3) Pick a platform that can't handle the amount of customers you have
4) Pick a platform that costs a tonne of money
5) Pick a platform that requires a person with a dodgy qualification to run it, who doesn't know left from right, and demands more money than they are worth
6) Pick a platform that is proprietary
7) Pick a platform that runs on low-end server hardware or worse only
8) Pick a platform that you will have to lease by the year or per billion processor cycles within the next 3 years
9) Pick a platform with a database server that "loses" data given certain queries
10) Pick a platform that is forever morphing, changing technology, and has a history of instability
11) Pick a platform which would get you the sack if management had a clue
They've coded themselves into a hole where people don't want to upgrade their software to new versions every year or two
Actually, this is so true it hurts. I work for a company with customers all over the world. Unfortunately, we decided to switch our Unix based software to NT several years ago (we maintain both versions, but I'm stuck working with the NT shit).
We just completed testing to see if our stuff runs on Win2K a little while ago, and are talking about XP testing soon.
The ironic thing is, I'm only aware of one of our customers who is even running win2K, and that's for the improved terminal server version (based on Citrix if memory serves). The vast majority of our international customer base isn't going to switch away from NT for years (unless we stupidly force them to).
We're predicting very poor sales of XP server whenever it's due to ship, at least to customers in our industry. Microshaft should really look into expanding beyond the 'sell, sell, sell' mentality that worked for them in the 80's.
-- If at first you do succeed, try to hide your astonishment. -- Harry F. Banks
Known about this since Sunday, when I went through the error_log file on my Apache box and found this:
[Tue Aug 7 05:37:56 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
[Tue Aug 7 05:38:45 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
[Tue Aug 7 05:38:54 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
[Tue Aug 7 05:40:21 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
[Tue Aug 7 05:42:01 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
[Tue Aug 7 05:42:15 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
[Tue Aug 7 05:42:20 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
[Tue Aug 7 05:48:55 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
[Tue Aug 7 05:49:13 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida
64.4.13.230 is msgr-cs20.msgr.hotmail.com
You'd figure they'd patch themselves.
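Two posts in this thread are doing Code Red triage by hand: the one counting "initial breed (NNNNNN)" versus "new breed (XXXXXX)" hits per day on a 128k line, and the one above grepping an Apache error_log for default.ida 404s. The script below is an added example, not code from the thread or from any poster; it automates both counts over Apache logs. The family labels rest on the padding byte after `default.ida?`: a run of `N` is the original Code Red, a run of `X` is Code Red II, and any other padding (like the hand-typed "hehehe" probe quoted earlier in the thread) is flagged as a custom probe rather than guessed at. The sample log lines, the 10.0.0.x source addresses and the shortened `%u` tail are constructed to match the formats quoted in the thread and are not real captures.

```python
"""Count and classify Code Red probes in Apache access and error logs.

Added example for this thread, not original code. Sample lines are
constructed to match the formats quoted in the thread.
"""
import re
from collections import Counter

# Padding byte after "default.ida?" identifies the worm family:
# 'N' = original Code Red (v1/v2), 'X' = Code Red II.
FAMILY_BY_PAD = {"N": "CodeRed", "X": "CodeRedII"}

# Apache common/combined log: host ident user [date] "METHOD URI PROTO" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Apache 1.3 error_log: [date] [error] [client IP] File does not exist: path
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] File does not exist: (?P<path>\S+)$'
)
# Padding runs from the '?' up to the first %u-encoded byte of the overflow payload.
IDA_RE = re.compile(r'/default\.ida\?(?P<pad>[^%]*)', re.IGNORECASE)


def classify_request(uri):
    """Return a family label for a request URI, or None if it is not an .ida probe."""
    if "/default.ida" not in uri.lower():
        return None
    m = IDA_RE.search(uri)
    if m is None or not m.group("pad"):
        return "ida-no-padding"          # bare hit on the ISAPI filter, no payload seen
    pad = m.group("pad")
    if len(set(pad)) == 1 and pad[0] in FAMILY_BY_PAD:
        return FAMILY_BY_PAD[pad[0]]     # uniform N or X run: known worm family
    return "ida-custom"                  # someone typing their own probe by hand


def parse_access_log(lines):
    """Yield (source ip, day, family) for each .ida probe in access-log lines."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        family = classify_request(m.group("uri"))
        if family:
            day = m.group("ts").split(":", 1)[0]      # "04/Aug/2001"
            yield m.group("ip"), day, family


def parse_error_log(lines):
    """Yield (source ip, day) for 'File does not exist: .../default.ida' entries."""
    for line in lines:
        m = ERROR_RE.match(line)
        if m and m.group("path").lower().endswith("/default.ida"):
            day = " ".join(m.group("ts").split()[:3])  # "Tue Aug 7"
            yield m.group("ip"), day


def summarize(access_lines, error_lines):
    """Return (hits per (day, family), hits per source ip) across both logs."""
    per_day, per_source = Counter(), Counter()
    for ip, day, family in parse_access_log(access_lines):
        per_day[(day, family)] += 1
        per_source[ip] += 1
    for ip, day in parse_error_log(error_lines):
        per_day[(day, "ida-404")] += 1   # error_log carries no query string, so no family
        per_source[ip] += 1
    return per_day, per_source


# Constructed sample data (shortened %u tail; real probes carry a longer one).
CR_TAIL = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
SAMPLE_ACCESS = [
    '10.0.0.5 - - [04/Aug/2001:02:11:09 +0000] "GET /default.ida?' + "N" * 224 + CR_TAIL + ' HTTP/1.0" 404 276',
    '10.0.0.9 - - [04/Aug/2001:03:40:21 +0000] "GET /default.ida?' + "X" * 224 + CR_TAIL + ' HTTP/1.0" 404 276',
    '10.0.0.9 - - [05/Aug/2001:11:02:44 +0000] "GET /default.ida?' + "X" * 224 + CR_TAIL + ' HTTP/1.0" 404 276',
    '10.0.0.7 - - [05/Aug/2001:11:03:00 +0000] "GET /default.ida?hehehehemuahahaha' + CR_TAIL + ' HTTP/1.0" 404 276',
    '10.0.0.2 - - [05/Aug/2001:11:05:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
]
SAMPLE_ERROR = [
    "[Tue Aug  7 05:37:56 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida",
    "[Tue Aug  7 05:38:45 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/default.ida",
    "[Tue Aug  7 05:39:01 2001] [error] [client 64.4.13.230] File does not exist: /usr/local/apache/htdocs/favicon.ico",
]

if __name__ == "__main__":
    per_day, per_source = summarize(SAMPLE_ACCESS, SAMPLE_ERROR)
    for (day, family), n in sorted(per_day.items()):
        print(f"{day:>12}  {family:<15} {n}")
    for ip, n in per_source.most_common():
        print(f"{ip:<15} {n} probe(s)")
```

Run it over real files with `summarize(open("access_log"), open("error_log"))`; the per-source counter is the list you would hand to an upstream ISP, and a source that shows up only in error_log (as the hotmail.com host above does) is still a compromised IIS box even though Apache could not log the payload.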
colour
favourite
mum
mate
Piss off, you stupid Yank.
You think you have "rights", but when was the last time you tried to exercise one of them that might conflict with the interests of one of your powers-that-be?
(Note: calls work fine; it's just directory information that you cannot get.)
When you select, for the setting 'When connecting to this resource, the content should come from', option 3, 'A redirection to a URL' (on the 'Home Directory' tab in the website's properties in IIS 4), you are still vulnerable. You are thus not vulnerable when you do Response.Redirect() kind of stuff in ASP.
Never underestimate the relief of true separation of Religion and State.
Not just building it up, but engaging in activities which would have required users to pay annual license fees, without even a service contract. Granted this would be initially targeted to large customers, but it's only a matter of time before the appetite calls for individual users, too. (Leverage that monopoly!)
Could the future hold a bill such as this:
Month of April
MSN Service Surcharge* $0.98
Word XP/2005 $1.51
Outlook XP/2005 $3.27
Virus/Worm Filtering $46.35
IE XP/2003 $2.06
31337 h4X0r, Inc. fees $46.35
Please remit: $100.52
* Does not include your Internet Service Provider fee.
A feeling of having made the same mistake before: Deja Foobar