Slashdot Mirror
Code Red: the Aftermath
LiquidPC writes: "Microsoft has released a tool to help clean up the effects of the Code Red II. It removes the files and mappings installed by the worm, and reboots your system; it also gives you an option to permanantly disable IIS." So, Microsoft has given you a mop to clean up the mess they made. Start mopping! If you're not the one infected, just tired of seeing your Apache logs fill up, you might see this page.
This is what happens when you give admins a false sense of security.
After all, they became an MCSE after a couple months of hitting the books, rather than a few years of hacking old hardware. They got a certificate and the sense that the Microsoft way is the best way - If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.
Some of my friends are MCSEs. - Not all of them are 'hackers' who actually watch what happens in their systems. They trust that MS will send them a shiny new CD with a 'Service Pack', along with a few other goodies to play with when an update is needed.
The problem is compounded by the fact that these Win2K CDs got passed around - Microsoft knows this and whether or not they admit it, it's part of their marketing. From what I've seen, I'd suspect that the bulk of the problems are coming from the home users who are running a borrowed copy of Win2K on their PC/Cable Modem setup. The ones who don't get the service packs and don't log into Microsoft.com too read the bulletins for fear of being asked for proof of purchase.
You Microsoft has these thousands of unlicenced customers that they know are using their software in a dangerous manner - Everything installed, every service running - all the lights on, but nobody home. What is MS's liability?
With all of the talk about the signifigance of an AOL icon vs. an IE icon on the desktop, MS *knows* how people will react when running an install - They know that if the user gets a dialog that says "Activate IIS?" that an unsure user will probably say yes, even if he has no idea what IIS is or what the risks are.
Microsoft has got to accept the blame for this mess - It is their doing.
Unfortunately, this is the first step in the process of requiring people running servers of any kind to be *licenced* - Now won't that be fun?
Cheers,
Jim in Tokyo
-- My Weblog.
This is a bigger fix than one might think. At the university at which I work, the major problem was not the sys admins who did not patch their servers, it was the professors who had Win2K Professional on their workstations with IIS on and didn't even know it. Some of them knew about the worm, even made sure that the department's IT teams patched their servers, but did not know that they were running a web server in their office, let alone that they were infected.
I'd rather have someone respond than be modded up.
When a box has been cracked, you need to do a complete reinstall, as you can never know what backdoors has been installed. Sure, you can remove RCII, but while it was active, it would only take even the dumbest script kiddie a couple of requests to install another backdoor.
The people who buy MS products THINK they're getting something secure, since it's one of the many buzzwords (READ: lies) that MS always uses.
The only people that think they are getting something secure when they buy/download any operating system are the unwashed masses. The ones that don't know any better. These are the same people that allow the Code Red-style worms to spread.
The rest of us applied the patch supplied by Microsoft more than a month before CR came out...
You see, as an admin in charge of machines running IIS and other Microsoft software, I am subscribed to several alert lists, including Microsoft's security list. And when Microsoft releases a patch for anything that can be used to "arbitrarily execute code of the attacker's choice" on a port not blocked by my firewall, I immediately install that patch. The end.
I'm so sick of people blaming Microsoft. The released a patch well before Code Red. Get over it.
"And like that