Slashdot Mirror
Code Red: the Aftermath
LiquidPC writes: "Microsoft has released a tool to help clean up the effects of the Code Red II. It removes the files and mappings installed by the worm, and reboots your system; it also gives you an option to permanantly disable IIS." So, Microsoft has given you a mop to clean up the mess they made. Start mopping! If you're not the one infected, just tired of seeing your Apache logs fill up, you might see this page.
This is what happens when you give admins a false sense of security.
After all, they became an MCSE after a couple months of hitting the books, rather than a few years of hacking old hardware. They got a certificate and the sense that the Microsoft way is the best way - If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.
Some of my friends are MCSEs. - Not all of them are 'hackers' who actually watch what happens in their systems. They trust that MS will send them a shiny new CD with a 'Service Pack', along with a few other goodies to play with when an update is needed.
The problem is compounded by the fact that these Win2K CDs got passed around - Microsoft knows this and whether or not they admit it, it's part of their marketing. From what I've seen, I'd suspect that the bulk of the problems are coming from the home users who are running a borrowed copy of Win2K on their PC/Cable Modem setup. The ones who don't get the service packs and don't log into Microsoft.com too read the bulletins for fear of being asked for proof of purchase.
You Microsoft has these thousands of unlicenced customers that they know are using their software in a dangerous manner - Everything installed, every service running - all the lights on, but nobody home. What is MS's liability?
With all of the talk about the signifigance of an AOL icon vs. an IE icon on the desktop, MS *knows* how people will react when running an install - They know that if the user gets a dialog that says "Activate IIS?" that an unsure user will probably say yes, even if he has no idea what IIS is or what the risks are.
Microsoft has got to accept the blame for this mess - It is their doing.
Unfortunately, this is the first step in the process of requiring people running servers of any kind to be *licenced* - Now won't that be fun?
Cheers,
Jim in Tokyo
-- My Weblog.
This is a bigger fix than one might think. At the university at which I work, the major problem was not the sys admins who did not patch their servers, it was the professors who had Win2K Professional on their workstations with IIS on and didn't even know it. Some of them knew about the worm, even made sure that the department's IT teams patched their servers, but did not know that they were running a web server in their office, let alone that they were infected.
I'd rather have someone respond than be modded up.
When a box has been cracked, you need to do a complete reinstall, as you can never know what backdoors has been installed. Sure, you can remove RCII, but while it was active, it would only take even the dumbest script kiddie a couple of requests to install another backdoor.
"It's the mess left by lazy admins who can't be bothered with security patches a month before a worm comes out to exploit them. Shame on the NT admins."
Does this really surprise anyone? MCSE's are trained (and tested) to solve everything by "reboot, reload, reinstall", because Microsoft's way is to "take the easy way out" instead of actually FIXING the problem.
And, so many MS service packs BREAK servers and software when installed, can you also not blame people for NOT rushing ot install them? Even where I work, where we do OS compatibility testing on servers we don't start using new MS service packs until they've been tested and found safe by our internal test group...
I for one expect use of IIS to drop as a consequence of the Code Red virus... Were IIS open source, these holes and backdoors would have been seen LONG ago and fixed. Apache runs MUCH more of the web than does IIS, yet you don't see anywhere near the number of bugs, exploits and DOS worms as does IIS.
=== The price of freedom is eternal vigilance
The people who buy MS products THINK they're getting something secure, since it's one of the many buzzwords (READ: lies) that MS always uses.
The only people that think they are getting something secure when they buy/download any operating system are the unwashed masses. The ones that don't know any better. These are the same people that allow the Code Red-style worms to spread.
The rest of us applied the patch supplied by Microsoft more than a month before CR came out...
You see, as an admin in charge of machines running IIS and other Microsoft software, I am subscribed to several alert lists, including Microsoft's security list. And when Microsoft releases a patch for anything that can be used to "arbitrarily execute code of the attacker's choice" on a port not blocked by my firewall, I immediately install that patch. The end.
I'm so sick of people blaming Microsoft. The released a patch well before Code Red. Get over it.
"And like that
Just a correction... Apache does *NOT* run MUCH more of the web than does IIS.
You just have to go look at the Netcraft survey's to understand. In the past they've pointed out that half of SSL enabled sites run IIS. Then about a month or two ago they started trying to identify individual machines and found IIS/Windows combination again on half of the overall web.
What we do know is that Apache is used in many more cohosting situations. Jimmy and Susy set up a web page and pay $0-10/month for it. Is it a signifigant thing that companies providing low price service with no service level agreements use a free OS/web server? I don't think so, but you be the judge.
Two other points:
Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.
You should *ALWAYS* test patches and new releases before installing them into a production environment. That applies not only to Microsoft, but also to Linux, Sun, HP, Oracle, Peoplesoft, everything!
In our testing service packs don't usually break apps. But they do have a tendency to break drivers or low-level hardware monitoring tools provided by the manufacturer. Is this surprising? No. Again we have the same problems on our Unix servers with OS patches.
08/10/01 I received a total of 132 probes to tcp:80 on my 12.82.x.x dynamic IP via my dialup to worldnet.att.net
These are exclusively from other dialups and small-scale hosts in AT&T's 12.x.x.x class A; AT&T has introduced ingress filtering and I'm seeing almost nothing from outside (Note: almost - some stuff is still leaking through..)
But the problem is the enemy within: there's got to be thousands of home/SOHO small systems, maybe single boxes, put together by the hotshot early-adopters and techno-yuppies who think it's cool to go through the checkout stand at CompUSA and purchase a copy of Win 2K Professional, or whatever, and put it on their home systems with all the bells and whistles installed.
None of these boxes are under *any* formal administrative control, and it's going to be up to each and every one of these thousands of techno-yuppies to patch each and every single one of their boxes.
So far today 08/11/01 at 10:00am I've had 69 probes.
As far as I can see, getting all these systems disinfected and patched hasn't even started yet.
t_t_b
I'm on PJ's "enemies" list! Are you?
well, not really, the IPv6 address space will be largley unused. but the areas that are used will be well known, it would be very easy to specify the good ranges to scan.
-- free as in swatantryam - not soujanyam.