Nimda To Strike Again
Seabass55 writes: "Researchers say Nimda is set to propagate again after rechecking Nimda's code. God help all the MS boxes ... again." Looks like the owners of unpatched IIS machines have until 9 p.m. GMT (1 a.m. ET) to get ready. I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants. Update: 09/27 22:45 GMT by T : Temporal confusion -- that's 5:00 GMT, sorry :) Update: 09/28 00:14 GMT by T : Carnage4Life contributes this link to a command-line tool from Microsoft to list patches already installed or still needed, if you think your Windows machine may be vulnerable.
This NAMBLA virus really rules, and holds true to its name.
Pounds ya right in the ass.
Now where are those scripts to shut down the boxes. To hell with the legal ramifications, I am sick of megabyte upon megabyte of log file filled with these fucking attacks.
All NT admins leave at 4:50 PM, too bad for them.
Je t'aime Stéphanie
....code crayola returns....
"Hatred is the coward's revenge for being intimidated"
What does this mean? I was under the impression that once Nimda infected a machine it would attempt to propagate indefinitely unless the machine were cleaned. What was the propagation time cycle for the first run?
Mind you, I've not seen a significant dropoff in my firewall hits (hits doubled after Nimda first hit), but perhaps I've not been checking properly.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Well, once more I have to thank you guys at slashdot for the heads up.
On another note, I think that these viruses totally justify Ashcroft's view of labeling "hackers" as terrorists...the virus writers are really wreaking havoc.
-z
PayPal $$ if you sign up for free offers (eBay, cred cards, e
I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants.
Maybe just corn syrup and regular ants for the admins who still haven't patched their servers.
I'm still getting hack attempts from compromised Nimda boxes on my linux machine (running roxen).
How's that? Last time I checked Greenwich is east of the US, but not 20 hours east of us.
"Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants.
Are you kidding?
Legislation shows that people have a hard time differentiating what's a serious offence and what isn't.
For one thing, taking this out on someone hard would only lead to approval of laws like the proposed law to make a bunch of kids in HS "terrorists" for winnuking each other.
We KNOW that these aren't hard to create, kids with no formal training can crank them out like they're nothing. To a 14 year old kid who needs to show off to his friends (and almost all of them do), it's IRRESISTIBLE. I can't picture throwing someone behind bars for more than a couple years just because their virus is effective.
If anything, they need counseling to know WHY what they are doing is bad, that it affects other people and that it isn't just a game, but certainly making an example of these people sets a precedent for the treatment of all of us.
In other words, turn some silly kid with a script for making viruses into a real criminal, when people are getting in trouble for stupid stuff like scanning someone's ports, and soon you'll see anybody without corporate backing thrown in jail for having a debugger.
I wish I could believe that there won't be any machines that are still unpatched but I am sure that my firewall at work will get another round of hits. (Last time we were getting hit around 6 times a second at some times) Heads need to roll for any admins that haven't properly patched their systems.
"Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws." - Pla
No double stockade and fireants for the IIS creators?
Gosh! It would be interesting to see if any more servers turn up affected after so much patching and screaming and thrashing. I would normally expect every one of those Admins to patch their boxes by now, but at the same time, there would be some more, either ignorant or out on vacation, who are bound to get hit.
.. Err..well..
And when shit hits the fan, the management is sure to turn around and bite yelling "But we all knew about it..Why didn't you do it ?"
Patch those boxes up..and do so in a routine manner. Sure it's pathetic and time consuming. but it's your data and your hardware..
Rapid Nirvana
Actually, 9 P.M. GMT is 5 P.M. ET, 4 P.M. CT.
Why on Earth would there still be any unpatched IIS servers out there?!?!
I suppose everyone who gets it this time must have recently installed IIS at home... we'll see.
And that's my $0.32 (adjusted for inflation).
I believe this Wired article applies in this case (as many machines are still left unpatched), as well as an idea of what some ISP's are considering/doing if their subscribers don't have a clue.
(Plain-text link): http://www.wired.com/news/business/0,1367,47037,00.html
a video game i wrote 10 years ago in Qbasic was just emailed to me today via sircam...
that means that someone actually had it on their computer, and that made me feel all fuzzy.
god bless sircam, and its glorious resurrection and distribution of great software titles.
MARIJUANA, SHROOMS, X: ONLINE?! - E
As Tim states: "I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants.", well, why not just throw marshmallows at them as well!
The damage done to my web site and users' systems is bad enough... The author should get more like 5 to 10 years! Also give 50-60 years to BILLY GATES for creating a product that's prone to require DAILY PATCHES to keep up with the jerks bent on showing how small their genitals really are.
By the way, I DID KEEP UP WITH THE DOWNLOADS when SIRCAM came out and it did not help to prevent NIMDA.
Linux is so much an option to me, too bad the bosses here own Microsoft stock.
Check out my script! If you're running Apache, it'll monitor the logfile and send mail to the Administrator of the infected server!
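The comment above refers to a script that watches an Apache log and mails the administrator of the probing host. As an added example (not the poster's script, and not code from the original page), here is the detection half of that idea in Python: it parses Apache common/combined log lines, flags requests that match the publicly documented Nimda probe patterns (root.exe, cmd.exe reached through double-encoded or overlong-UTF-8 directory traversal), aggregates them per source address, and formats one notification per source instead of one per hit. The log lines, addresses and the hostname www.example.org are constructed for the example; sending the mail (abuse-contact lookup, SMTP) is left to the caller.

```python
"""Scan an Apache access log for Nimda-style IIS probes and report per source.

Added example, not the script referred to in the comment. The probe markers
follow the publicly documented Nimda request list; the sample log below is
constructed, not captured from a real server.
"""
import re
from collections import defaultdict

# Common/combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Lower-cased substrings that identify the worm's probing requests. A request
# that merely 404s is not enough: the path itself is the signal.
PROBE_MARKERS = (
    "/root.exe",   # copy of cmd.exe left behind by earlier IIS worms
    "/cmd.exe",    # direct or traversal hit on cmd.exe
    "%255c",       # double-encoded backslash traversal
    "%c1%1c",      # overlong UTF-8 traversal
    "%c0%2f",
    "%c0%af",
)

# Constructed sample: one infected host sending several probes, one host that
# mixes normal traffic with a probe, and one clean host.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Sep/2001:20:58:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
192.0.2.10 - - [27/Sep/2001:20:58:01 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285
192.0.2.10 - - [27/Sep/2001:20:58:02 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
198.51.100.7 - - [27/Sep/2001:21:03:44 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [27/Sep/2001:21:04:10 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
203.0.113.5 - - [27/Sep/2001:21:05:00 +0000] "GET /robots.txt HTTP/1.0" 200 68
"""


def is_nimda_probe(path: str) -> bool:
    """True if the request path looks like one of the worm's IIS probes."""
    p = path.lower()
    return any(marker in p for marker in PROBE_MARKERS)


def scan_log(lines):
    """Return {ip: {"hits": n, "first": timestamp, "paths": set}} for probing sources."""
    report = defaultdict(lambda: {"hits": 0, "first": None, "paths": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_nimda_probe(m.group("path")):
            continue  # unparseable line or ordinary traffic
        entry = report[m.group("ip")]
        entry["hits"] += 1
        entry["first"] = entry["first"] or m.group("time")
        entry["paths"].add(m.group("path"))
    return dict(report)


def notification_text(ip, entry, hostname="www.example.org"):
    """Body of a single notification per source (hostname is an assumed value)."""
    lines = [
        f"The host {ip} is sending Nimda/Code Red style IIS probes to {hostname}.",
        f"First seen: {entry['first']}; {entry['hits']} probe(s) logged.",
        "Sample requests:",
    ]
    lines += [f"  {p}" for p in sorted(entry["paths"])[:5]]
    lines.append("The host is most likely an infected IIS server; please patch and clean it.")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, entry in scan_log(SAMPLE_LOG.splitlines()).items():
        print(notification_text(ip, entry))
        print()
```

Aggregating per source before mailing matters in practice: an infected box probes sixteen different URLs per pass, so a script that mails once per log line will generate the same flood in the admin's mailbox that the comments above complain about in their log files.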
How rude, you forgot about the guys who made it all possible.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
that "nimda" is really "admin" backwards.
Why is windows suffering so many of these attacks recently (I know this is the same but I mean coupled with Code Red etc)? Is it because the exploits have only recently been found that enable them? This implies that fewer such exploits existed in older MSware - is this true?
Is their widespread propagation mostly helped by the recent influx of cable/dsl users? Instead of the usual MS bash, could we try to explain some of the factors that make these stories so common on /. recently?
Of course, we can't escape that it was Microsoft that published exploitable code but I'm sure their software has always been as bad so what else is behind the current surge?
I'd like to see some fireants for the server admins who still haven't patched for this thing. What kind of rock do you have to be living under not to have heard of this by now?
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
WTF?
P.S.:
Your comment violated the postercomment compression filter. Comment aborted.
What horseshit....
9pm GMT -04:00 (EDT) is 5pm EDT.
9pm GMT -05:00 (EST) is 4pm EST.
However, the time mentioned in the article is 1am ET. Hazard a guess that it is really EDT they are citing, making 5am GMT zero hour. It will be 12:00am (Midnight) EST.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
They share a lot of the blame. The patch has been heavily advertised and available for a while.
I say at least a set of Chinese finger traps for admins who STILL haven't yet patched their systems
I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
I won't be able to look at pr0n, eerrr research my project at my school's network anymore....
You're right -- I just updated it to reflect the right time :)
Sorry about that.
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
My organization was hit hard by Nimda. Our poor Windows Administration staff ran around like crazy cleaning, patching, and upgrading hundreds of machines.
Is this a Microsoft problem? You bet.
Microsoft OSs do not have a complete, common set of system administration tools built in. This results in haphazard machine administration.
Microsoft and other companies sell useful administration tools, but these are high priced tools that only do a piece of the job. And since they aren't included with the OS, very few sysadmins have expertise with them.
So Microsoft, get on the ball. If you want to sell an OS, it should be ready for the enterprise.... including enterprise administration.
In the meantime, we're porting our apps from IIS to Apache. Yay!
Clearly all the NT admins out there are tired of being blamed for this... it's stupid home users who pirate WIN2k Advanced that don't install the patches... Most admins have gotten it through their heads to install the patches...
But on a more serious note... What about the Macs??? Microsoft, can we get a version of IIS for Macs... All my friends running Macs are feeling sooo left out... Microsoft, can you help???
---
Programming is like sex... Make one mistake and support it the rest of your life.
It seems to me that cutting off access to any machine which appears to be spreading this virus is a reasonable thing to do. However, nobody seems to be doing it. Instead, ISPs seem to be going off half-cocked and blocking inbound port 80 at their core, or another drastic "solution". What do you think?
If you're running M$ IIS, or for that matter if you're relying on anything MS, you'd better expect a virus. Admins need to start keeping up to date with patches, although with Microsoft products that's a never ending battle and half the time patches will do more harm than good.
Thanks Snoozer
Whatever happened to all the "3v1|_ h4x0r5"(TM)??
We've seen a number of highly infectious viruses in the last year (Sircam, Code Red, Nimda, etc), but none of these were actually very destructive. Sure they are a pain to get rid of, and may spread a little information around, eat up bandwidth, or compel you to reformat just to be sure, but they aren't flattening people's systems.
Whatever happened to the anarchists out to destroy the system? Now admittedly I don't want to encourage people to be more destructive, but it seems almost trivial to think of ways that viruses and worms could easily be made more destructive. For instance, upon infection, delete everything in the "My Documents" folder. Or, change default web page to a share of the whole computer. Or even wait a couple days and then wipe the person's hard drive.
I haven't been vulnerable to anything to come along lately, and I'm glad, but I'm also glad to note that the truly skilled black hats out there seem to have moderated how much damage they actually intend to do. I wonder if they are scared what the law might do to them if their attack truly was evil.
You're right -- I've updated the story now to reflect the right time. Sheesh, I tried to be helpful by providing a more universal time figure than the article, and screwed it up -- sorry :( Brain, meet keyboard.
Like you say, it's east of the US, making the real target time 5:00 GMT.
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
the most damned funny commercial:
EVERYBODY DIES
from radio savant's ortho stint...
To put it mildly, YES! While it's true that Microsoft products are no less secure than those of other vendors, Microsoft's position as market leader makes them a prime target for hackers, virus writers, and other internet terrorists. You really have no business running a web server until you learn something about security. You can start by reading up on Nimda here.
If you have a problem with my views, REPLY, don't moderate!
I'd like to see something similar for the IIS developers along other selected members of Microsoft.
chongo (was here)
Nimda, and maybe some fireants.
Yes, and a special one for those who roll out vulnerable server software. Ideally, with all the attacks, IIS should get stronger, as a body's immune system does with constant testing, however, it would indeed be a sad body which has been so patched. Make Frankenstein's monster look like George Clooney.
A feeling of having made the same mistake before: Deja Foobar
It's funny. You'll see all of the boxes that have their clocks set way off. They'll jump the gun, and we can sit back, behind our Apache boxes and giggle.
Um, this is my sig.
Here's what most terrorists do. At least this is what I've heard/seen done by past terrorists:
1. They take hostages
2. They kill people
3. They make demands
4. They invoke terror in their victims
In no way do these "hackers" fit the description of a terrorist except for maybe #4. These are generally just people who find a hole in security and take advantage of it. They can be really annoying, and people who make these types of viruses should be tried for damages, but I don't think they fit the description of a terrorist.
But more important, I think Ashcroft isn't talking about virus-writing hackers, but any type of hacker. Essentially, if you mess with a system at all, then you're a terrorist according to Ashcroft.
Boy, my parents must be disappointed in me now, raising a terrorist..
F-bacher
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
Any guess how long it will be before you will require a government license to run a webserver on the internet?
--jeff
ipv6 is my vpn
if we look at how long it took before code red and the likes stopped trying to infect our linux boxes, Nimda will surely be able to infect a lot of NT boxes again!
To be an NT admin, you must
1- Not take care of the security of your network
2- Work for an employer that doesn't take care of the security of his network
Then you're not vulnerable to either.
Good practice in this case means keeping your systems updated to the latest patches, not having open shares at all, and updating software to the latest version. It also includes not using software known to be not only a security risk, but basically an open door to "hackers". Note the quotes, please. They indicate sarcasm.
If you have patched Win2k to SP2, are running IE6 final, and do not use outlook, you have protected yourself from every vector of these worms, except for the "Web Folder Traversal" issue. That's a minor quick fix, though it shouldn't have been necessary.
Why am I willing to specify not using outlook and not specifying not using IIS? Because it became abundantly clear that outlook was unsafe well over a year ago, whereas IIS could have been termed "more or less okay" until recently. Also, you just can't walk away from NT/IIS webservers and jump on the *[iu]x bandwagon right away, because there's all that ASP code lying around.
Until M$ rewrites outlook, outlook express, and IIS from the ground up, you should immediately (or as close to immediately as you can get) stop using them. Given that IIS sucks anyway, you might as well stop using it permanently. I understand the allure of outlook, and the interoperation between it and exchange, but consider a web-based scheduling/collaboration system. Exchange is pretty lousy anyway, for a whole bunch of reasons I won't bother going into here.
And finally, this is not anti-microsoft FUD, this is all based on reality. I'm not against microsoft on the desktop, or microsoft servers to serve microsoft clients. But we've seen time and time again how running microsoft windows of any flavor as a web server platform incurs a much higher cost than unix, because unix just doesn't tend to break as often -- Or be compromised. While this is not an OS-level bug, you really only have one choice as far as performance and support goes for a webserver on windows, and it's not a very good choice.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
While it's true that Microsoft products are no less secure than those of other vendors...
You're Trolling, right? It's been over 3 years since the last remote root exploit in Apache, and IIS has had several this year!
If you're not Trolling and you actually believe what you just said, you'd better do some research.
This thing has been spreading on the networks my company runs since it started - there has been no let-up. People seem to keep getting re-infected (our users aren't very bright).
Anyway, i think this whole re-activation thing is a sham.
G.
I administer Notes, NT, Win9x and a Linux box, plus firewalls yadda, yadda.
I work in a Corporate Travel Agency in NYC, they just decimated my entire staff and I have me and one other guy who has been relegated to inputting ticket refunds.
I DON'T HAVE TIME FOR THIS! My lone IIS server has been patched since the first day. Lotus Notes doesn't care about these dumb ass viruses (virii) and my Norton's are all up to date.
My USERS got this crap from infected web pages!
We're losing a machine a day in the field b/c these bozos can't figure out how to click on a button called VIRUS_FIX on the corporate intranet.
I am ready to frigging quit and become an English Teacher, fuck the money! If the whole MS world can be brought to its knees every time some kid in Sweden has the day off then we're all fucked.
CIOs who continue to use Outlook/IIS deserve whatever happens to them. (We HAD to use IIS for a 3rd party software app.) Microsoft SHOULD ABSOLUTELY BE PAYING ITS CUSTOMERS BACK FOR THIS! HOW DARE THEY GET READY TO RELEASE YET ANOTHER VIRUS RUNTIME OS.
It is seriously time for the MCSE farms to be shut down and for corporate America to move to another OS. Fuck the users; guess what, they don't know all that much about the OS they are on; switching them now will have no lasting impact.
This
Sorry to be nitpicky: stockades aren't much of a punishment, really just a jail. I think you mean stocks or a pillory.
Take a look here: Stocks and Pillories
...especially considering that the IIS patch has been available on WINDOWS UPDATE for the last THREE MONTHS. Fireants for any worthless tech who hasn't figured this out yet.
-Jayde
What's a sig?
No, if the world revolved around Linux I don't think we'd be hearing about viruses EVERY week. Sure we'd hear about them, just not as much as we do with MS's great products.
Thanks Snoozer
I didn't know you read comments (or just the ones about articles you post?). That's cool, as well as the fact that you can admit when you make a mistake every once in awhile.
If you celebrate Xmas, befriend me (538
Sure now we see your true colors shine you communist pig!
"Only in their dreams can men truly be free 'twas always thus, and always thus will be."
--Tom Schulman
Nimda is not a fun virus for people who have an unfortunate dependence on MS boxes to provide internet stuff for them. One network I use was shut down for two days completely, and the computers using it were turned on without internet access the next day. I don't know when we will get internet access back. And now it is getting set to propagate again. I wish that people placed more value on security in their networks and software. IIS and IE can only get away with having more security holes than swiss cheese because people let them.
I do.
0x or or snor perron?!
Okay so they checked the code. But did they test it out? Has somebody changed the time on a server [isolating it first] and seen if it really starts flinging bad bits?
Well since the topic was about micro$oft one might conclude that something you post would actually have to do with topic at hand.
Thanks Snoozer
If there's anything surprising about the entire worm phenomenon, it's that the payloads have been so benign. There's absolutely no reason why that has to be the case though, and sooner or later some little shit is going to slip in something like:
FORMAT C:
as the ultimate payload of a nimda-like worm, and all hell, and I truly mean all hell is going to break loose.
I think that it's absolutely shocking that no one knew until right now that the damn thing is going to start up again tomorrow. What else don't we know about the program? I certainly hope that the experts who are now giving us some six hours notice (at night!) that the damn thing is about to restart haven't missed any other little details of the worm's operation.
The entire IIS/Outlook security situation is absolutely shameful. Microsoft has been fucking around for years piling on layer after layer of buggy, insecure active this and executable that into the Windows mail system, and pretending that it doesn't matter, and the result, today, right now, today, is an internet that's about as secure as an airport with no guards, and half the locks in the terminals and on the planes flat out nonfunctional.
Someone is responsible for this mess, and it ain't the folks who wrote the RFCs!
I was helping a friend install Win2KPro on his home machine to do some development work (for work, of course). I'm not a big Win guy, but I've done the point-click install before.
Anyway, as soon as we were done (installing while his home network was live), we tried getting to windowsupdate.microsoft.com to install patches. However, we soon discovered that we were already infected! Two freaking minutes after installation!!
If you don't install behind a firewall, how the hell are you supposed to get updates to all of Win2kPro's problems without getting infected?
I think it's time for someone to write a virus that will propagate through these well advertised security holes, reproduce, and format C. These lamers have had enough time to patch their damn boxes.
Sig you!
Are the antivirus companies violating the DMCA / law by doing their job? (Not that I mind, just thought I'd ask...) After all, they have to reverse-engineer (Or simply look at the programming) the virus to see it. As I recall, that makes it illegal, unless (of course) illegal material cannot be copyrighted / patented at all, in which case people could freely make copies of something like DeCSS (and never run it legally) or the original Napster (wasn't that declared illegal? I dunno...) and make identical versions/copies. Or am I missing something?
net view > machinelist.txt
take that list and generate another script that basically does
net use v: \\machinename\c$
dir v:\*.nws v:\*.msg /s /b >> infected.txt
Then just import that text file into excel, add the del cmd before each entry and export it to a space delimited file. Then just rename the file into a batch script.
Of course I do realize, nimda does overwrite critical networking files, but if those machines are dead on the network, chances are they won't be infecting anyone else.
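The comment above builds its cleanup batch by pasting the file list into Excel and exporting it space-delimited, which breaks on any path containing a space (and "Documents and Settings" is full of them). As an added example, not the poster's own script, here is the same generator in Python: it takes `net view` output and the `dir /s /b` listing gathered over the mapped admin share (v: mapped to \\machine\c$, as in the comment), and emits batch lines with every path double-quoted. The machine names and file paths are constructed for the example.

```python
"""Generate the per-machine cleanup batch sketched in the comment above.

Added example, not the poster's script. Inputs: `net view` output and a
`dir /s /b` listing taken over v: (mapped to \\machine\c$). Every path in
the output is double-quoted so spaces in paths survive. All sample text
below is constructed.
"""
import re

# Constructed `net view` output: two workstations and a file server.
NET_VIEW_SAMPLE = """\
Server Name            Remark

-------------------------------------------------------------------------------
\\\\WKS-ACCT01
\\\\WKS-ACCT02           Accounting
\\\\FILESRV              Main file server
The command completed successfully.
"""

# Constructed `dir /s /b` listing for one machine; note the path with spaces.
DIR_LISTING_SAMPLE = """\
v:\\Inetpub\\wwwroot\\readme.nws
v:\\Documents and Settings\\jsmith\\Desktop\\sample.msg
v:\\WINNT\\Temp\\mep12C5.tmp.nws
"""


def parse_net_view(text):
    """Return machine names (without the leading backslashes) from `net view` output."""
    return [m.group(1) for m in re.finditer(r"^\\\\(\S+)", text, re.MULTILINE)]


def parse_listing(text):
    """Return the non-empty paths of a `dir /s /b` listing."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def cleanup_commands(machine, paths):
    """Batch lines for one machine: map the admin share, delete each listed file, unmap."""
    cmds = [f"net use v: \\\\{machine}\\c$"]
    # Quoting is the whole point: a space-delimited export would split these paths.
    cmds += [f'del /f /q "{path}"' for path in paths]
    cmds.append("net use v: /delete")
    return cmds


def build_batch(net_view_text, listings):
    """Whole batch file; `listings` maps machine name -> its dir listing text."""
    lines = ["@echo off"]
    for machine in parse_net_view(net_view_text):
        listing = listings.get(machine)
        if not listing:
            continue  # no infected files were found on this machine
        lines.append(f"rem --- {machine} ---")
        lines += cleanup_commands(machine, parse_listing(listing))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_batch(NET_VIEW_SAMPLE, {"WKS-ACCT01": DIR_LISTING_SAMPLE}))
```

As the comment itself notes, deleting the dropped .nws/.msg files does not undo what the worm changed on the system; it only stops the share-based spread from that machine until it is patched and rebuilt.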
It's not MS fault this happened, it happened because someone really immature knows that the laws to prosecute these types of crimes are not really in place at the moment. So writing this virus was fun for them, but hell for us today. The bad guy is the virus writer, just remember that.
It's not going to matter what o/s it is if someone can write a virus, root kit, whatever for it. Just so happens more people are writing them for MS.
--Toq
~~Moderators *Note, This was posted with my real account because I stand behind my opinions and take responsibility for what I say, unlike karma whoring anonymous cowards.
A good sysadmin is a lazy one.
Sure we'd hear about them, just not as much as we do with MS's great products.
Of course you realize that Linux hasn't had nearly enough exposure to back up that claim.
It is VIRUSES.
(I am yelling you fucking filter!)
Given the economic impact of viruses like Nimda, it shouldn't be hard to tell that creating and unleashing viruses like it is and should be a serious offense.
And yes, making an example of them DOES set a precedent for the treatment of all of us. That's the point of laws and law enforcement.
Please give the slippery slope angle a rest in this case, too. It's like you're arguing that outlawing assault with a handgun is tantamount to repealing the 2nd Amendment -- it simply ISN'T.
Destroying other peoples' property is a crime. Criminals who commit that crime should be punished accordingly. How complicated IS this?
The sad truth is that patches to protect yourself from these worms were released well ahead of the worms themselves. Getting hit by it is irresponsible, but Microsoft's current patching procedures are such a mishmash that getting the right information ahead of time is a total bitch.
Those who are forced by circumstance to be responsible for administering IIS and other microsoft software should look at St. Bernard Software's UpdateExpert. It's a little pricey, but it doesn't cost nearly as much as even one full day of nimda / CodeRed / etc. infection.
It simply keeps a list of all patches released on the Microsoft support site, and lets you roll them out to machines on your network without the users knowing about it. It's saved my bacon a few times now.
Even Jesus hates listening to Creed.
If I were writing a virus, I would write one that could be patched by more recent strains of the virus....so the core code would be hidden on your machine, even if you patched your IIS hole...then a new strain exploits a new hole and can patch the core code sitting on your machine again..then the core code could use the new exploit..In this way a family of friendly viruses could continually infect your machine... Now if only I had a good use for that core code...
but since I don't. I give this idea for someone to patent freely..then you can sue any virus writer who steals this idea from you..
While I tend to agree that Apache is more secure than IIS, those statistics don't mean anything to me.
It could be the guys writing virii/worms are too busy writing stuff for MS to write stuff for *nix.
After all, there's a lot more "glory" in exploiting the (unfortunate) industry leader than it is exploiting the underdog.
If a piece of software requires regular patches for serious security problems, that's probably a sign that its basic approach to security is flawed.
But does IIS really need patches as frequently as you imply? Code Red, Code Blue, Nimda et al exploit the same security hole that is almost a year old. The problem is that for every security hole, there are several waves of worms because IIS admins simply never patch their boxes.
If you disbelieve me check out Netcraft's security survey which shows how long several IIS boxes have gone unpatched and that about 12% of SSL sites (meaning they are probably eCommerce related) running IIS have been "rooted".
It's VIRUSES.
(I am yelling you fucking filter!)
If a company wasn't hit by both, presumably their security policies and procedures are either already up to scratch, or capable of being improved sufficiently. But if a company was hit by both, their procedures are probably beyond repair, and they'd be better off with a server that's more secure by default.
So I think Gartner was absolutely correct. Not only that, but people who didn't pick up that subtlety from the Gartner report are also more likely to need to switch servers, so the report works either way! :P
You know, the good side to all these viruses running around all the time is that a lot of security holes have been patched. Therefore, if we (meaning anyone) are attacked via computer by someone trying to do some real damage then there are a lot of security holes that have already been plugged. Throw in some on-the-job crisis management for the IT guys and you have a company that is much better for a targeted attack.
:)
I'd love a world without virii but then I'd be out of a job and the number of stories on slashdot would be halved!
I think the previous poster's analogy to Sendmail and Bind was quite appropriate. But I also think that Gartner is slightly over the top on this one too.
Apache is more secure than IIS because it does not trust itself to police itself-- it allows the OS to police it too! This is the problem behind Sendmail and BIND, and it also exists in many competing web servers, including Tux, Websphere, etc. I do not know enough about iplanet to comment about their security model.
That being said, there are some places where IIS may be the most secure alternative (where the security needs to be integrated into the user-level security on a domain, f. ex). I just believe that the world of serving pages to public networks is not it...
LedgerSMB: Open source Accounting/ERP
After Gartner's recommendation, thousands of PHB's and even sane people will rush to switch from IIS to Apache / IBM HTTP Server / whatever.
Has anyone written a product yet to translate Active Server Pages (ASP) code to PHP, JSP, or some other format? Most of the basic scripting language concepts should translate pretty nicely.
Even if someone has built their IIS / ASP application 'correctly' (cough cough) isolating middle-tier logic to MTS or something similar, wouldn't Perl / Java / whatever wrappers to those COM / COM+ services also be straightforward to write?
Or has someone done this already? Isn't there (or wasn't there) a Chilisoft implementation of ASP that you could run on Apache and Linux?
Really. I hope Nimda wrecks the infected servers completely, deletes all data and spins the hd's up to 50000 rpm.
;)
Well. Actually it doesn't have to be that bad, but what message has to be sent into this world TO GET THOSE DAMN SERVERS PATCHED?!
Of course, all the webmaster wannabes whose machines are infected should be spammed with the patches.
Dammit. It's just too simple to click SETUP.EXE and lay back without reading the F**^H^Hriendly manual.
LAST HINT: UPDATE, PATCH, REPAIR and don't forget BACKUP!!!
Privacy is terrorism.
nimda and its ilk are the killer apps that will spark the next information revolution.
I'm looking forward to Microsoft's first foray into creating actual worms, instead of just providing the infrastructure.
One day we will all look forward to the next MS worm with all the enthusiasm that we now share for the next Windows.
I have been monitoring my logs, and most of the hits I get are from Cable/DSL users. I bet a lot of these people are unaware that they are even running IIS, let alone that they need to install a security patch.
I have not used W2k much (set up a test server at work, and reboot it now and then when it fails mysteriously), so I guess by default there is no automatic "Your Software needs updating" dialog that pesters you. If MS had their SW configured to do a weekly check and let users know that updates were available it would help. I know that Mac OS 9 and Mac OS X do this and it is useful for making sure systems stay current, and I wrote a few scripts that run as cron job on my Debian box at home that do apt-get update weekly, and mail me if there is a security update.
Maybe something like this is already there in W2K (though if it is it would be surprising), and I just have never seen it, I apologize if I speak from ignorance, but if there is not, then MS needs to get on the ball. Their software is causing a lot of problems, and they need to be more active in making sure that their boxes get updated.
Hyperbole is the worst thing ever.
(I already made this as a reply to comment, but I'm irked about this enough that I want to post it to the main thread in hopes that people read it)
I bet you have security guards, fences and cameras to protect your buildings from 14 year old kids.
Why don't you have a secure firewall to protect your servers?
We are living in the time that 100 years from now people will look back and think we must not yet have evolved properly. They will look back and think, "Why did they put up with that idiocy? Were they just stupid back then?" And parents will shrug and grandparents will say "It was like the frontier!" and kids will think "Wow. Those guys were stupid."
Don't bitch about the lack of government protection when all you have to do is install appropriate security which costs NOTHING. I don't want my taxes paying to protect you from your own laziness.
25K lost? Serves you right.
http://www.lamersville.org/attacks.php
YES! While it's true that Microsoft products are no less secure than those of other vendors, Microsoft's position as market leader makes them a prime target for hackers, virus writers, and other internet terrorists. You really have no business running a web server until you learn something about security.
Market leader?? If that was it, I think that Apache would be three times the can of worms that IIS is. You must admit that the default installation of Apache is MUCH more secure than the default installation of IIS.
IIS has the same design flaw that Sendmail does, and it has enough market share to be a viable target. It is also true that many other vendors make the same mistake (including Red Hat and IBM) but lack the market share to be reasonable targets.
Moral of the story: If you want to use IIS, tell it only to listen to IP address 127.0.0.1. If you can't figure out how to do this, please install Apache instead. (www.apache.org)
LedgerSMB: Open source Accounting/ERP
Not only are they too busy. If someone learns enough about *nix to know how to write a virus for it, they end up having too much respect for the operating system to do it. :)
If they were going to exploit the industry leader then they *would* write Apache exploits. Despite what MS would like you to believe, according to Netcraft they only have about 20% of the webserver market to Apache's 60%. So that argument goes out the window, the underdog IS IIS.
If someone was able to steal all of your shipments from the trucks of the shipping companies that you use because the trucking company did not put locks on the doors, then wouldn't your company sue the hell out of the trucking company??
It's because the trucking company is responsible for providing reasonable security since that is part of the agreement. The Windows EULA basically says that M$ is not responsible at all no matter what. In reality, whomever agreed to the EULA's is responsible for this mess.
This is not about somebody breaking into something that was responsibly protected; instead it is a faulty product.
int func(int a);
func((b += 3, b));
Let's make some profit out of Nimda :)
:"Suicidal" with a kind of Nimda showing.
:)))
Like T-shirts...
"I've been attacked by Nimda and all I got whas this T-shirt"
"Chicks dig Nimda"
"(front:)IIS (back:) you are dumb"
Or posters...
"Internet map of Nimda infected domains"
New 'Inc DeMotivators' poster
We should inform Thinkgeek of this nifty plan
42 + 1 = 42
Well, I suggest that we go farther. We already block harmful and suspect viruses at our perimeter and throughout the enterprise. Why not instruct our routers, firewalls, and proxies to block any packets that indicate the content is coming from IIS - and block any M$ Internet Explorer browser? Just drop the packets?
OK. I'm speaking tongue in cheek, but I could actually make a justifiable argument that such use has PROVEN twice in a month that those tools are demonstrated security risks and should be defined as dangerous activity.
More info on the above Windows update comment ...
Here is a copy and paste from Microsoft's built-in update page:
Windows Critical Update Notification 3.0
54 KB/ Download Time: 1 min
Download this component and never miss a Critical Update again. Whenever a new Critical Fix is released, you will be notified. Microsoft has improved Windows Critical Update Notification by adding a feature which allows this component to update itself as improvements and new features become available. Note This is an updated version of Critical Update Notification.
Not calendar days but days since the box got infected. Friday is 10 days after the first reports since the warning.
If you run Apache and hate looking at the hundreds of annoying attacks by the Code Red and Nimda worms, try adding these to your httpd.conf:
# For Code Red
SetEnvIf Request_URI "^/default.ida" attacks
# For Nimda (this one and all the rest below)
SetEnvIf Request_URI "^/scripts" attacks
SetEnvIf Request_URI "^/c/winnt" attacks
SetEnvIf Request_URI "^/d/winnt" attacks
SetEnvIf Request_URI "^/_mem_bin" attacks
SetEnvIf Request_URI "^/_vti_bin" attacks
SetEnvIf Request_URI "^/MSADC" attacks
SetEnvIf Request_URI "^/msadc" attacks
CustomLog /var/log/access_log combined env=!attacks
CustomLog /var/log/attack_log combined env=attacks
This will dump all the "attacks" into a file called attack_log and leave your normal logfile clutter-free.
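As an added example for this thread (not code from the post above), the same Request_URI prefix rules applied offline in Python to a constructed set of combined-format log lines. It does what the SetEnvIf/CustomLog pair does at request time, and additionally counts probes per source host so the infected machines can be listed. The IP addresses and log lines are made up; the prefixes are exactly the ones in the httpd.conf snippet.

```python
"""Sort Apache combined-format access log lines into normal traffic and
IIS-worm probes, using the same Request_URI prefixes as the SetEnvIf rules.

Added example for this thread, not code from the original post. The log
lines in SAMPLE_LOG are constructed; the IP addresses are documentation
ranges, not real hosts.
"""
import re
from collections import Counter

# Same prefixes as the httpd.conf SetEnvIf rules above. SetEnvIf matching
# is case-sensitive, which is why the original lists both MSADC and msadc.
WORM_PREFIXES = {
    "/default.ida": "Code Red",
    "/scripts": "Nimda",
    "/c/winnt": "Nimda",
    "/d/winnt": "Nimda",
    "/_mem_bin": "Nimda",
    "/_vti_bin": "Nimda",
    "/MSADC": "Nimda",
    "/msadc": "Nimda",
}

# Apache "combined" LogFormat:
#   host ident user [time] "method uri proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def classify_uri(uri):
    """Return the worm a Request_URI matches, or None for ordinary traffic.

    This mirrors the SetEnvIf "^/prefix" anchors exactly, including their
    over-match: "^/scripts" also catches a legitimate "/scripts.html".
    """
    for prefix, worm in WORM_PREFIXES.items():
        if uri.startswith(prefix):
            return worm
    return None


def split_log(lines):
    """Split log lines into (normal, attacks, hits), where hits counts
    probes per (source host, worm) so infected hosts can be reported."""
    normal, attacks = [], []
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            # Keep unparseable lines in the normal log; never drop evidence.
            normal.append(line)
            continue
        worm = classify_uri(m.group("uri"))
        if worm is None:
            normal.append(line)
        else:
            attacks.append(line)
            hits[(m.group("host"), worm)] += 1
    return normal, attacks, hits


# Constructed sample in Apache combined format; not taken from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Sep/2001:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.7"',
    '192.0.2.10 - - [27/Sep/2001:10:00:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.10 - - [27/Sep/2001:10:00:03 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274 "-" "-"',
    '192.0.2.10 - - [27/Sep/2001:10:00:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284 "-" "-"',
    '198.51.100.7 - - [27/Sep/2001:10:00:05 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 270 "-" "-"',
    '10.0.0.6 - - [27/Sep/2001:10:00:06 -0400] "GET /scripts.html HTTP/1.0" 200 512 "-" "Mozilla/4.7"',
]


def report(lines):
    """Return report rows, one per (host, worm) pair, busiest source first."""
    _normal, _attacks, hits = split_log(lines)
    return ["%s  %-8s %d probe(s)" % (host, worm, n)
            for (host, worm), n in hits.most_common()]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Note the last sample line: a real page called /scripts.html lands in attack_log because the rule is anchored on "^/scripts", not "^/scripts/". If you serve anything whose path begins with one of those prefixes, add the trailing slash to the SetEnvIf pattern before trusting the split.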
http://asp2php.naken.cc/
Cool logo as well - would make a great T-shirt.
Of course, translating that ASP to PHP is half
the story; if you're offering to host an app
for someone, you have to get them to give you
a plain text export of the database, in a format
that you can then import into MySQL.
Definitely not a tape backup from MS SQL Server
(which has its own special tape backup format!),
even when the whole thing compresses down to
less than a floppy in size...
The car/airbag/cupholder/other car analogy is great.
Stop misrepresenting the Netcraft numbers, FUD-spreading dumbass.
Apache hosts 60% of sites, not servers. That means that microsoft.com's 50 servers are counted ONCE, while bumfuckISP.com's 586 box hosting 50 domains is counted 50 times. Actual server marketshare (which costs money) puts Apache and IIS at about equal.
That of course doesn't include dumbass cablemodem users, which have been the worst hit by these worms.
I am contracted to a mid-size steel and auto-parts company. They have contracted out the most complicated IT tasks. From my company, there are 5 consultants that had to drop every task to battle Nimda. We bill at $75 per hour. We put in a total of about 30 hours a piece on Nimda last week. 30 x 5 = 150 hours. 150 x 75 = $11,250 in pure wages. We have about 100 sales people that couldn't do their jobs for a good 6 hours. I happen to know the average salesperson at the company sells about $5,000 in steel and parts a day. So let's say a low number of $2,000 per person was lost that day. 100 x 2,000 = 200,000. I think that number speaks for itself. Just in case my numbers are inflated (they aren't) let's remove 1/2 of that. 100,000 is still one heck of a chunk of change. That figure is just for our main office. We have 10 smaller satellite offices. Was it our fault? Maybe. Is it our fault that Windows is the de facto OS in the company? Absolutely not. I am one of the biggest pushers of Linux. I probably send the IT manager 3 links a week on Linux. The problem is that those in charge don't know squat about security. In fact, the IT manager is an accountant and she wouldn't know a router from a washing machine, and if you mention a CSU/DSU she would probably mention what a great school it is. Bottom line is that Techies from Macrosalt built an OS that isn't worth crap. They have sales people that couldn't grasp recursion trying to tell IT managers who wouldn't know a VPN appliance from a toaster what a great product Windows is. Until the managers start listening to those in the trenches, this cycle won't end soon. Just my 2 cents worth.
My own site started life hosted for free on a friend's WinNT4/Sambar server, now it's hosted cheaply on a linux box. Yes, I'm more happy being served by linux, but no I don't intend to run linux on my desktop (might set up dualboot to fiddle round with gcc and bits though).
If people can write these things to be destructive, why can't anyone write a virus patch? It infects a machine, patches it, and then tries to patch other infected machines..
:)
Either that or something that just drops the infected machine to its knees once infected..
Apparently that's what M$ is working on right now...a system to "push" updates directly to .NET Server. They are also working on ways of applying the patches without the endless reboots between patches. Considering that companies have been doing this for years (Symantec "Live Update" anyone?) it's absolutely STOOPID that M$ hasn't done this before.
2. IIS admins are typically inexperienced and unknowledgeable about security and thus never get around to installing a patch even though it was released almost a year ago.
And as someone who has been through eight (count 'em!) Microsoft Official Courseware MCSE courses, including their "Designing Secure Windows 2000 Networks" course, I can tell you from experience they don't teach you SHIT about security. You NEVER get tested on how to lock down IIS against exploits. Firewalls get short shrift in favor of endless prattle about VPNs. MICROS~1 needs to talk about security from point zero on in their MOCs. There is no excuse.
3.IIS patches need to be on the Windows Update [microsoft.com] website.
Actually they are, if memory serves me right. However, when Code Red v.1 was at its apex, Windows Update itself got hosed by the worm. Hilarious. I laughed my ass off.
what you suggest would require that lawmakers and law enforcers had a grasp of the actual situation.
let's take a step into their minds for a second.
#1 - "#2, give me the situation"
#2 - "Sir, a 14 year old from delaware has written a computer 'virus' that's verging on 'taking down the internet'"
#1 - "my god! how has this happened?"
#2 - "well, the [gov't acronym here] believes that this individual is a very skilled hacker... probably the kind of person who hacks into NASA, DOD, etc and sells our national security secrets to Iraq, Libya, etc"
you know, these ppl don't understand what a script kiddie is. they don't understand that often a successful hack is really just the result of a stupid admin.
we're talking about the people who just a few years ago were locking kids up behind bars for years for web site defacements.
don't get me wrong, i don't disagree w/ you. but we should also be giving ppl who are heroin, meth, and coke/crack addicts heavy counseling, support, and guidance. but u see, there's no political will for that. "lock em up and forget about it, those ppl are just trash".
what we have are ppl who don't understand the reality of the technology that's running the world they live in. they are so hopelessly disconnected that they are forced to rely on advisors who aren't necessarily gonna know anything either. this kind of thing isn't going to get better until we have a changing of the guard in the us gov't. when younger, more techno-savvy, ppl begin to filter in.
in short, our 'leaders' are those ppl who have '12:00' flashing on their VCRs at home. don't expect them to be sympathetic or understanding to the plight of geeks/hackers.
Since I am running Win2k with Apache 1.3.20 for Win32, and am relatively new to webhosting, I have little idea of how to do anything about the problem. Can the same Apache scripts that are run on Unix be run on Windows? If so, could someone point me to a website with a script that will at least pop up a message to the user of the machine, if not simply shut them down? Help would be much appreciated.
A word can paint a thousand pictures
Actually, here's where to get it:
http://download.microsoft.com/download/win2000platform/Utility/3.1/NT45/EN-US/nshc.exe
Since I heard about Code Red, and Nimda, I've been hitting Windows update every day or so just to make sure I'm still up to date with all their security patches.. I've gone there before, downloaded security updates, and regularly make the rounds.
For the past month or so, all that's been there are IE6 and Microsoft Messenger 3.6. Whoopie.
So, I'm safe. Nothing can touch me.
UNTIL I SEE THIS STORY ON SLASHDOT. That "command line tool" (hfnetchk) showed that I had 8 security patches I needed to apply, one of them had a WARNING next to it.
Uh, hello Microsoft? Is Windows Update NOT for security updates? Just a place to peddle your frickin MSN Messenger!? I'm sure there's thousands of people like me who think that since Microsoft doesn't have any security updates posted under the CRITICAL heading on Windows Update, that we're free and clear. Geeze.
We need some tits n ass YEA!
I feel good today Silent Bob, we're gonna make some money. Then you know what we gonna do? We're gonna party, get some pussy, and I'ma fuck this bitch, I'ma fuck this bitch, I'LL FUCK ANYTHING THAT MOVES!
What the fuck you looking at? I'll kick your fucking ass. Shit yea. Dude that motherfucker owed me ten bucks.
You know, fucking, tonight, we are gonna rip off this fuckers head and take out his fucking soul. Remind me if he tries to buy something to shit in the motherfuckers bag.
What's up baby, sup sluts?
Silent Bob you a rude motherfucker you know that? But you're cute as hell. I could go down on you, suck you, line up three other guys and make like a circus seal.
Eww you fucking faggot! I hate guys, I LOVE WOMEN!
What you want grizzly adams?
Researchers say Nimda is set to propagate again after rechecking Nimda's code.
So, researchers concluded that Nimda rechecked its own code and discovered that it (Nimda) had been programmed to propagate again?
I consider this an amazing programming feature. Self-analyzing artificial intelligence. This would require that Nimda is aware that it is aware, which meets the definition of true consciousness.
I know, that was a deliberate misreading of an unintentionally ambiguous sentence, but it does bring up the question: will viruses ever really be intelligent? As in, conscious?
What do you Slashdotters think?
Neopets - the best free game on the Int
And how many do the thousands of at http://www.google.com count as?
First of all I love the comment "Given that IIS sucks anyway".
Just for the record. We had some issues with this at work because some development machines weren't properly patched. Old NT4 w/SP5, Office 97, etc.
At home, on the other hand, I am at the bleeding edge. Win2k sp2/hotfixes, Norton XP, Office XP, IE 6.0, etc.
Got home after fighting the virus at work, went to Outlook to check my email. Yep, got a handful of emails from Nimda.
Confidently opened up the emails to see what they contained using Outlook XP... thought it was kind of cute, but I deleted them.
Went out viewed a couple of websites to see what the latest news was.
Then I decided I probably better update my Virus definitions, so I did that.
Not once was I ever vulnerable to Nimda. The IIS exploits were very old, as were the IE exploits. Outlook has had patches available since last year for Outlook 2000 to prevent this type of attack. Outlook XP by default out of the box blocks many types of attachments, and does not allow email with HTML content to be scripted.
So granted, some older versions of their applications and OS are vulnerable to some problems. What do you expect Microsoft to do? Fix it?
They already have.
I would have thought the various reports from Netcraft showing IIS is in use on most commercial web sites would have laid to rest the false claim that Apache is more popular.
These "exploits" are being distributed to discredit TCP/IP to allow M$ to switch 95% of the worlds computers to a proprietary networking protocol that M$ owns and controls in the interest of "safety".
"Its the protocol that is weak, allow us to fix it" M$ will say. And in the eyes of the public they will save the day.
When ever you see a M$ exploit in the news that just says computer virus call the paper or write a letter and set the record straight. Lets put the FUD on our side.
GNU or get out.
According to the website MS needed outside help to write this patch checking utility.
Run IIS, Go To Jail. First offense, zero tolerance. It's the ONLY way to solve this problem.
The Windows EULA basically says that M$ is not responsible at all no matter what. In reality, whomever agreed to the EULA's is responsible for this mess.
That's unfair. If someone using Linux or FreeBSD suffered from some kind of attack, is it their fault for choosing an OS that doesn't provide someone to sue?
And can you suggest an OS alternative that does provide legal recourse for something like Nimda? I can't think of one.
The guys who wrote Nimda and Sircam have caused a lot of frustration and lost time, I'll grant, but in some ways, they've accomplished something that neither evangelism, nor PR group, nor Marketroid has been able to do.
Think about it. Nimda got Gartner to admit that IIS should be dumped.
After years and years of virus attacks that demonstrate the shoddy default config of MS software (and possibly, the shoddiness of the software itself, depending on who you ask), one dimension of the cost of just using what everyone else uses (despite any demonstration of merits) has been soundly demonstrated.
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
I've seen that picture and it's obviously staged,
either your friends are lying or you are, TROLL!
For any other sweeb who thinks it's a real shot: the people around are posing and the two people must be the worst f**ks in the world, the bed is still nice and tightly wrapped.
There shouldn't be security holes that allow these viruses to exist in the first place. Don't blame the kids who wrote this, but rather blame Microsoft. I'm sure you can use the excuse that Microsoft can't be held responsible for everything their software causes, but this is ridiculous. Why did it take tons of viruses for Microsoft to even patch this? Why wasn't this patched before, or caught before and addressed? It's simply because Microsoft can't afford to make their software secure until it's demanded, and that's just wrong for a company like Microsoft.
Unlike 'Code Red', Nimda does not spread by pushing the worm binary in the HTTP request. The worm uses HTTP to find a vulnerable IIS server, then causes the IIS server to make a TFTP request out to the attacking host to retrieve the ~64K binary.
Most normal 'secure firewall' products aren't tuned to block outbound requests from the protected servers to internet hosts. Mine are, but that only gave me about 72 hours of lead time before it came in another way...
Even when firewalls block the IIS scanning, Nimda spreads by email, file shares, and by putting a copy of 'README.EXE' in the root of the IIS server and adding Javascript to all web pages on the server, pushing the worm at users of the infected web site server.
My firewalls block _all_ UDP packets, but my network still got hit hard, and probably incurred more like $60K in 'paper losses' -- lost productivity, bandwidth, overtime, etc.
We haven't found 'patient zero', but we have two good suspects, in both cases a user with a laptop that did not have updated anti-virus software and that got infected from one of these routes:
The common thread here is user error.
The best firewall is no protection against malicious, or just plain ignorant, users. Blame also falls on local admins for failing to push virus signature updates and keep up with system patches.
I've only ever seen around a dozen inside hosts from which the worm was actively scanning HTTP, but the worm traffic from those dozen machines alone was enough to severely degrade WAN and firewall performance.
I do not deploy Linux. Ever.
Checkout my CodeRed and Nimda spammer which I use every night to inform the owners of the domain (according to whois and DNS SOA record) and the administrative addresses related to that domain.
bash$
Cheers for the HFNetChk info. What a pain that it needs IE 5 to run. There's no way I want to install that on a production server on a Friday afternoon. Not much choice though...
my blog: good times, man, good times
Thousands, retard. But thanks for piping up before someone pulled out the IIS-needs-more-boxes-because-it's-less-scalable saw.
is it their fault for choosing an OS that doesn't provide someone to sue?
Yes, it is. Even though Linux comes in distributions, it's basically a "build your own OS", like a "build your own house": you can't sue if the construction was shoddy. But a real house you can.
How much are they paying you?
If they are the market leader, how come there are more than twice as many Apache servers as there are IIS servers out there?
Cheers //Johan
Installed the Bubblemon yet?
See up to date MRTG statistics Nimda-Log
A /. editor that actually reads the discussion and *gasp* responds to it?
timothy for president!
I think I need some more coffee
/var/run/twitter.sock is a twitter socket puppet.
http://www.microsoft.com/downloads/release.asp?releaseid=31154
Enjoy!
liB
A lot of companies have spent large amounts of money on IIS-based websites that can't just be moved over to Apache or another webserver. I think there has been too much hype about IIS being insecure; perhaps companies should just stop leaving the responsibilities of webserver security to clueless admins with Microsoft certs.
With a few easy steps, you can set up an IIS server so that it won't be vulnerable to a large number of new vulnerabilities and the worms taking advantage of them.
- Take the time to do a custom install of the option pack, and remove what you won't need (transaction server, FrontPage extensions etc.)
- Set up the webroot on another drive (not C:), and make the filesystem NTFS.
- Remove all sample directories
- Remove all associations to default ISAPI objects (webhits.dll, ism.dll) from the management console
- Apply the latest service pack
- Apply all the latest hotfixes since the latest Service Pack (only those that apply to your server). (http://www.microsoft.com/technet/securit
- Monitor Microsoft alerts and security mailing lists for the latest bugs
- Turn off verbose error output from the server, and have a custom error (404) page; a custom 404 page still returns a 200 OK response and confuses a lot of scanners
- Install an IDS (snort has been ported to win32, http://www.snort.org)
All this shouldn't take too long, and will give you a much better chance of surviving a worm outbreak.
Why is it that nobody at Microsoft seems to remember what the Morris Worm was? Since then, there hasn't been an outbreak of worms on the Internet... until Microsoft in its infinite stupidity made it possible once again. Why is it that Microsoft seems so intent on opening up old holes and adding holes where none existed in the first place?
The filters here have caught next to nothing from nimda's email vector, sircam is still a far bigger threat and problem out there.
-- The Flying Hamster
I've gone through my logs and found quite a few
What I do is go connect to the offending box via smb
Usually they have a printer attached to it so I print out a page of A4 with :
"YOU ARE INFECTED WITH NIMDA, SORT IT OUT
here's how : http://www.antivirus.com"
on it in 72 point text
it's working so far
if they don't have a printer then they usually have an open share that's world writable so I leave text files called
you are infected with nimda.txt
and put the url inside them
that's closed a couple too
(I also found a keygen I'd been looking for so that was a bonus)
I'm not sure if nimda resets the passwords but which might not lead to a surprise of how far you can go with
un : administrator
pw :
have fun
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
OK, so which OS is the "real house?" MacOS? Windows? Solaris? Which OS is licensed under terms providing you with someone to sue when there's a security flaw?
I don't think such a beast exists.
Did you feel sexually aroused when you wrote this? Has your pussy grown all wet and soggy?
Jeez, if you're her friend, tell her to get her radiation scarred sagging skin out of the damn sun. That woman is turning herself into jerky.
Also, last I heard, friends don't post candid photos on the web for every cheez-o-news site and pathetic geek (like me) to leech then lech over. Give the girl a break, huh?
If you were blocking sigs, you wouldn't have to read this.
it's because someone with actual skill found and implemented exploits for old (and often fixed) security problems.
Now, any idiot with half a brain cell can (and does) modify this code to do whatever he wants.
#!perl
# Runs hfnetchk.exe (Microsoft's hotfix checker) and turns its text report
# into an HTML page, linking each Q-number to its Knowledge Base article and
# colouring found / missing / warning lines.
use strict;
use warnings;
use LWP::Simple;

# hfnetchk.exe must sit in the current directory.
if (not open (FILE, "hfnetchk.exe")) {
    die "Could not find program 'hfnetchk.exe' in local directory";
};
close FILE;

# Any command-line arguments are passed straight through to hfnetchk.
my $CDE="hfnetchk.exe @ARGV";
my @log=`$CDE`;

open (FILE, ">hfnetchk.html") or die "Could not create the result file";
print FILE '<HTML><HEAD><TITLE>Microsoft Network Security Hotfix Checker Logger</TITLE></HEAD><BODY>', "\n";
print FILE '<H2><FONT COLOR=purple><B>Microsoft Network Security Hotfix Checker Logger</B></FONT></H2><BR><BR>', "\n\n", '<FONT SIZE=small><PRE>';

my $URL;
my $ficurl;
my $title;
# A report line ends in a bulletin ID and a Q-number, e.g. "MS01-044 Q301625";
# the KB URL of the time split the Q-number as Q301/6/25.
BOUCLE: foreach my $line (@log) {
    if ($line=~/^(\s*.*?\s+)(MS[\d-]+)\s+(Q\d\d\d)(\d)(\d\d)$/) {
        $URL="http://support.microsoft.com/support/kb/articles/$3/$4/$5.ASP";
        $title='';
        $ficurl=get ($URL);
        # get() returns undef on failure; leave the title empty in that case.
        if (defined $ficurl and $ficurl=~/<TITLE>\s*(.*?)\s*<\/TITLE>/im) {
            $title=$1;
            print "$title\n";
        };
        $line=~s/^\s*(.*?)\s+(MS[\d-]+)\s+(Q\d\d\d)(\d)(\d\d)$/$1\t\t$2\t<A TARGET="$3$4$5" HREF="http:\/\/support.microsoft.com\/support\/kb\/articles\/$3\/$4\/$5.ASP">$3$4$5<\/A> \t<FONT COLOR=black><I>$title<\/I><\/FONT>/;
        $line=~s/^(.*?Patch Found.*)/<FONT COLOR=green><B>$1<\/B><\/FONT>/;
        $line=~s/^(.*?Patch NOT Found.*)/<FONT COLOR=red>$1<\/FONT>/;
        $line=~s/^(.*?WARNING.*)/<FONT COLOR=red><B>$1<\/B><\/FONT>/;
    }
    print FILE $line;
}
print FILE '</PRE></FONT></BODY></HTML>';
close FILE;
print "\n\n\nCreated 'hfnetchk.html'\n\n";
system ('explorer.exe hfnetchk.html');
__DATA__
The world belongs to those who get up early. - I'm far from being the king of Earth then
OK, let's say there's an intranet with all sorts of Windows boxes, which uses a masquerade (IPCHAINS) Debian Linux box to connect to the Internet.
How can I use the Linux firewall to protect all the machines inside it from those evil viruses? Any ideas/URLs? There *must* be something!
If I was the one writing a virus sending files from the infected computer to other people, I would include a small flesh tone detector for finding the right files to resend.
but of course because /dev/mouse is a streaming file, it caused the browser to basically block until the end of time. Mouse movement got real glitchy. I almost was able to click the kill icon on NS, eventually had to [ctrl alt backspace] to stop X-Windows. Actually I thought that my machine handled it pretty well. Brought back memories of running Windows. Imagine, in Linux we have to emulate viruses via deliberate user intervention; or of course use WINE/IE/OUTLOOK.
Apocalypse Cancelled, Sorry, No Ticket Refunds
"Researchers say Nimda is set to propagate again after rechecking Nimda's code."
You mean the "Researchers" reverse engineered the code?! The author of Nimda should have them prosecuted under the DMCA !!
There are no mailbox/mail facilities on a Windows box.
Mailing Administrator@infected.adsl.somewhere.com will reach their box, but it will sit there forever.
Best thing to do is modify Nimda to format the hard drives. That way, people will **eventually** realise they have a problem.
Ehh, Nimda, Nambla, it all involves getting fucked up your arse against your wishes.
Absolutely! Try any enterprise OS such as Solaris, HP-UX, PowerMax, etc.
My company uses HP-UX and you better believe if we find a bug in the OS that is interrupting software development, they are responsible to fix it.
Linux and FreeBSD are free! That is why there is no responsibility. They are community projects. If you really were poised to lose a lot of money and your admins were that inept then I wouldn't recommend either of those either.
int func(int a);
func((b += 3, b));
The authorities have Carnivore and Echelon stuff running overtime. Do you think this is all a coincidence, or does it feel more like a way for the terrorists to bury their commo channels in background clutter, while still assaulting a worthy target? sphealey, do you feel like you're being kicked in the groin? Well, don't take it personally; you and your company are just one battle in a terrorist war to take down Microsoft, and after that probably Sun. Maybe they'll have a hard time deciding between Apple and Linux for number three.
These guys hate the internet because it lets us communicate and do business all over the world. We can post our opinions and our rants for the world to see, and they don't want the world to see. They think we're soft, decadent; in short we are their prey. It's their prerogative to use us like chattel, just like they do to their own women. Just do the math: $25K for one company times all of the similar companies, the economic implications are staggering. What is this doing to the TCO for the products of the biggest software company in the world? Viability for future sales? Remember most of the military runs on Microsoft, and they flew an airliner into the Pentagon. What happens if Microsoft goes belly up five years from now?
Microsoft might have to put some money in a reactive defense initiative to counter-attack infected users; maybe send them viruses whose payloads are uninstalled patches. How many broadband users would even notice?
I know this sounds like a rant or troll but just think about it. Actually Linux needs Microsoft to keep things honest. We need to get the message out to everybody: use a firewall, use anti-virus and get those patches installed. If we don't do it, it will be legislated.
Apocalypse Cancelled, Sorry, No Ticket Refunds
If your users can't click on the VIRUS_FIX button, why not insert a batch file into the login script? Ours gives the users the opportunity of refusing the first time, but automatically runs the fix and updates the virus signatures upon the second login. Checks the update version and only runs if needed.
Users are Losers. Don't trust 'em to help you out in your job. (And if you think becoming an English teacher is a way to RELIEVE stress, then you better find a good shrink now...)
------------------------------
Er, if Britney was worried about that, don't you think she'd have left showbusiness long ago?
Female Prison Rape in NY
My brother told me about a class he went to about securing web servers Apache, 15 minutes, Netscape 30 min. and IIS, the remainder of the two day course. Go Figure, it's not because of market share.
Apocalypse Cancelled, Sorry, No Ticket Refunds
But live updates are scary too - what if they break your homegrown middleware that you have running on that machine, or introduce worse holes that you don't know about? Although I can see a lot of MS shops using this as a quick safety net, it has its own spectacular failure modes as well.
Not to mention what happens if someone man-in-the-middles the update connection and sends you some bad updates...
Your right to not believe: Americans United for Separation of Church and
I use Apache so I don't know what this does, and I added backslashes to the GET just to be safe and chopped off the code so as not to distribute it:
203.247.193.77 - - [09/Sep/2001:09:15:57 -0400] "\G\E\T /default.ida?Code_Green__V1.0_beta_written_by_'Der_HexXer'-Wuerzburg_Germany-_is_dedicated_to_my_sisterli_'Doro'.Save_Whale_and_visit__and_ Code deleted on purpose HTTP/1.0" 200 1 "-" "-"
Apocalypse Cancelled, Sorry, No Ticket Refunds
Microsoft Personal Security Advisor
This is probably the best tool to tell you how secure your system is. The command-line tool is good on a small scale or for your own personal computer, but it only tells you what hotfixes you need. The Security Advisor tells you everything, and helps you completely (well, almost completely because nothing is truly secure) secure your system. Check it out. I love it.
please me, have no regrets.
They would work just like a driver's license.
Class A: You can administer high-bandwidth connections (ISPs)
Class B: You can get broadband
Class C: 56k dialup max
Class D: 28.8 AOL for you!
You might wanna ask yourself a question before replying to posts... "do I really know what I'm talking about, or at least to sound like I do?".
Concerning the Nimda virus (if you're referring to something else, sorry, I assumed you were OnTopic), even if you have EVERY patch installed on your MS IIS servers, you still get slammed by random IPs from MS servers that weren't patched, thereby bringing "your internet" to a slow crawl (bandwidth/data rate dependent, of course).
So, all in all, in defense of the NT admin you responded to (FYI, I'm not an Admin, I'm a programmer), sometimes you can't do anything about the problem besides try blocking the most common IPs that hammer your site, after all, you aren't going to be able to get all of them blocked (which is probably what they were doing till 3am).
"I have no special gift, I am only passionately curious." - Albert Einstein
There are some distinct actions one would take to get rid of viruses.
Skip Office and you'll get rid of about 80-90%. If you change OS the numbers will be about 99% (+-1%).
I think these problems are a great opportunity for other OSes to show that they are worth using (or at least trying out). One problem is that normal users can't install and configure a normal Unix/Linux system.
The problem nowadays is the normal user who doesn't know that Outlook etc. (all Microsoft products) are true evil. Normal users can't be blamed because they are just the average users. They don't deserve these attacks even if they use the software that spreads them 'round. This is because they don't know any better. Without normal users an ordinary PC would cost hundreds of times more (because the normal user is the biggest group, and they buy these machines). And we can't stop them from using PCs, and why should we? An ordinary PC with Windows on it is designed for the "normal" user; I can't imagine putting a Solaris system in the hands of my mother. That would be disastrous.
The bottom line is: the ones to blame should be the companies that write programs with security holes.
And of course, companies that design OSes which are so vulnerable to attacks should also be blamed...
Maybe we should send da Spanish Inquisition 'round to these companies? Yes, I think that'll do it.
Try
NET SEND [idiot's IP address] Hey idiot, your friggin' computer is infected with [IIS virus of the week], why don't you get a clue and fix it?
My Mac server's firewall software has been logging these attempts forever. I'm currently looking for an AppleScriptable Mac program that can send out these NET SEND messages to the idiots automatically. For now, I have to print the firewall log from my Mac and send the messages manually from my PC.
~Philly
Look at the Server header matching /Microsoft/ returned from a simple HTTP HEAD request. (Your input is the HEAD line.)
$ telnet www.microsoft.com 80
Trying 207.46.197.113...
Connected to www.microsoft.akadns.net.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'
Content-Location: http://CPMSFTWBW34/default.htm
Date: Fri, 28 Sep 2001 15:12:58 GMT
Content-Type: text/html
Accept-Ranges: none
Last-Modified: Fri, 28 Sep 2001 12:28:47 GMT
Content-Length: 23232
Connection closed by foreign host.
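The same check, scripted, so it can be run against every address in a firewall log instead of typed into telnet one host at a time. This is an added example, not code from the poster: it sends the identical HEAD / HTTP/1.0 over a socket, pulls the Server header out of the response, and applies the post's /Microsoft/ test. The response bytes embedded for the offline test are a trimmed copy of the headers shown above; the function and variable names are this example's own.

```python
import socket
import sys


def parse_server_header(raw):
    """Return the Server: header value from a raw HTTP response, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    # Real servers use CRLF; a pasted transcript may only have LF, so accept both.
    lines = head.split(b"\r\n") if b"\r\n" in head else head.split(b"\n")
    for line in lines[1:]:                      # lines[0] is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def looks_like_iis(server):
    """The post's /Microsoft/ match; 'Microsoft-IIS/5.0' passes, 'Apache/1.3.20' does not."""
    return server is not None and "microsoft" in server.lower()


def head_request(host, port=80, timeout=5.0):
    """Send HEAD / HTTP/1.0 exactly as typed in the telnet session; return the raw response."""
    req = "HEAD / HTTP/1.0\r\nHost: {}\r\n\r\n".format(host).encode("ascii")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while b"\r\n\r\n" not in buf:           # HEAD carries no body; stop after the headers
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


def is_iis_host(host, port=80, timeout=5.0):
    """True if the host on port 80 announces a Microsoft server in its Server header."""
    return looks_like_iis(parse_server_header(head_request(host, port, timeout)))


# Constructed copy of the headers from the session above, trimmed, for offline testing.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Location: http://CPMSFTWBW34/default.htm\r\n"
    b"Date: Fri, 28 Sep 2001 15:12:58 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 23232\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    # Usage: python iischeck.py host [host ...]
    for host in sys.argv[1:]:
        try:
            print(host, "IIS" if is_iis_host(host) else "not IIS")
        except OSError as exc:
            print(host, "no answer:", exc)
```

Two caveats before pointing this at addresses from a log: the Server header is whatever the administrator left it as, so its absence proves nothing, and the address that hit your firewall may be a NAT gateway, in which case the HEAD lands on whatever answers port 80 there rather than on the infected box.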
they wrote a fucking internet worm.
they did not kill anyone.
they didnt steal money.
therefore, they should not be subject to
'fire ants' or other forms of torture.
way to go, get yourself put on Amnesty International's list of countries with human rights abuses.
I had a stupid idea... write a worm that enters a backdoor set by the Code Red and Nimda worms, fixes all the Code Red and Nimda boxes and then, after a few months, removes itself from the box it's on (to stop looking for infected boxes). Unfortunately I don't think I could write something like that anytime soon... too busy at work. Call it "Early Bird" since the early bird gets the worm. he he.
Moving at the speed of government.
Can you say "cowardice"? Can you say "stupid moderator"? "Overrated" is what you do with someone else's post if they've been modded up undeservedly.... not what you give to a plain ol' post, and a cogently written one at that.
If you think I'm wrong, hit post. Don't just mod down.
--Weston
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
I'm late with this post so it may not be seen by too many people, but I had to share my story.
We had to rebuild a Win2k web server for a client. The box is hosted at Dell Host, but managed by us. We sent Dell specific instructions on how to initially set up the box: basically, do NOT install IIS (we don't run IIS anyway for this client). They contacted us and said the box was online and ready for us to configure. Of course, IIS web and FTP were up and running, and a scan of the box showed it was already infected with Code Red. The guy at Dell tried to blame it on us, saying it's up to us to patch it; no mention of the fact that their default image is insecure, no mention of our specific instructions not to install IIS. Now we and they need to do more work, all because they f*cked up in the first place. They also said they have about 30-40 boxes that are infected. I wonder why.
It is disturbing to see this attitude propagating faster than the virus. For some reason people see these instances as not their fault. The person who wrote the virus took the time to explore the code and figure out a way to exploit it. Granted that on M$ it is easier to do this than writing a shell script on UNIX-like boxes, but that is a discussion for another thread.
The fact is that the expense of this virus is because of the (inability|ignorance|negligence) of the system administrators or management of this company. Every company defines a threshold of pain. Whether this is officially documented or defined by the company's actions, it still exists. Just like putting a fence around the company to keep people from throwing rocks through the windows, there are measures that can be put in place to defend against most attacks.
In many ways the community is better about viruses than the local governments are about vandalism. There are teams of experienced people searching constantly for vulnerabilities in software and encouraging the vendors to release patches. You probably won't see your local government making fencing materials available (free of charge) to protect your business.
It is possible to have adequate protection and stay within the level of pain that is comfortable for the company. All that is required is the knowledge of where to look, ability to use the patch(es) and the desire to protect your company's interests and not settle for management's inability to swallow the cost-pill.
"God help all the MS boxes ... again." and suddenly a song pops into my head... "What if God was one of us..." ;)
42 + 1 = 42
Check this URL out for the Personal Security Advisor. You should run it with Admin privileges to get the most benefit.
http://www.microsoft.com/technet/mpsa/start.asp
Instructions:
It's viruses. Ain't no such thing as "virii".
Believe it or not, some clarity in communications really does increase your credibility.
Ignorance killed the cat. Curiosity was framed.
When it comes to security against viruses there is an often quoted piece of advice: "never open an attachment from an email that looks suspicious".
I have one question: what if the e-mail in question is not suspicious? A clever virus could look in the e-mail system for mails that have already been sent with executable attachments, then send the same mail again to the same person, except with a modified heading like "oops, here it goes again" or "updated version", and this time the attachment would contain a copy of the virus.
Do you think you would not be fooled by this one?
The other piece of advice we get is "always make sure you get the latest updates for your virus scanning software".
My question is: what about new viruses that have not been detected yet? Consider that a virus that doesn't draw attention to itself could be months out in the open before the virus protection companies are even aware of its existence.
The next piece of advice, I suppose, is not to worry because once they find an antidote for the virus it can easily be removed from your system. But what if you don't have a system anymore because, unlike the previous worms, this one has a truly evil payload and has just formatted all your shared and local hard drives?
With these pieces of advice we are assured by the experts that we are completely protected against any virus. But somehow I don't feel so safe...
I remember that one from a previous job. The thing about it was that we normally never noticed it, but there was one cash register PC where the floppy drive would stop working once NATAS took hold. It wasn't used very often to test code, but when one of those stopped reading floppies, it was time to go around and run a virus checker on hard drives and stacks of floppies. Also nasty was that it would infect an executable file of some sort in our software which had a file extension that the virus scanner's "quick" mode didn't scan! After about four years (yes, years), I think we finally got rid of it.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
This might not be news to you bleeding edge slashdotters, but speaking of Gartner Group (farther up the page), they just recommended in a Computerworld article that corporate users who have been burned once too many times by Microsoft's approach to coding and security jump ship.
slashdot: A failed experiment.
for several more years, anyhow.
And my wallet is allergic to politicians.
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
I know, plus anything that you do in a public place has really to be considered public. It's not the same as snapping her with a tele lens through a window.
I'm just an old fashioned guy, I suppose. ;)
If you were blocking sigs, you wouldn't have to read this.