Slashdot Mirror


Nimda To Strike Again

Seabass55 writes: "Researchers say Nimda is set to propagate again after rechecking Nimda's code. God help all the MS boxes ... again." Looks like the owners of unpatched IIS machines have until 9 p.m. GMT (1 a.m. ET) to get ready. I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants. Update: 09/27 22:45 GMT by T : Temporal confusion -- that's 5:00 GMT, sorry :) Update: 09/28 00:14 GMT by T : Carnage4Life contributes this link to a command-line tool from Microsoft to list patches already installed or still needed, if you think your Windows machine may be vulnerable.

5 of 523 comments

  1. Learn Internet Security Or Get Off The Web! by BIGJIMSLATE · · Score: 5, Informative

    I believe this Wired article applies in this case (as many machines are still left unpatched), as well as an idea of what some ISPs are considering/doing if their subscribers don't have a clue.

    (Plain-text link):
    http://www.wired.com/news/business/0,1367,47037,00.html

  2. Fight back by Anonymous Coward · · Score: 5, Informative

    Check out my script! If you're running Apache, it'll monitor the logfile and send mail to the Administrator of the infected server!

  3. If you follow good practice... by drinkypoo · · Score: 5, Informative

    Then you're not vulnerable to either.

    Good practice in this case means keeping your systems updated to the latest patches, not having open shares at all, and updating software to the latest version. It also includes not using software known to be not only a security risk, but basically an open door to "hackers". Note the quotes, please. They indicate sarcasm.

    If you have patched Win2k to SP2, are running IE6 final, and do not use outlook, you have protected yourself from every vector these worms use, except for the "Web Folder Traversal" issue. That's a minor quick fix, though it shouldn't have been necessary.

    Why am I willing to specify not using outlook and not specifying not using IIS? Because it became abundantly clear that outlook was unsafe well over a year ago, whereas IIS could have been termed "more or less okay" until recently. Also, you just can't walk away from NT/IIS webservers and jump on the *[iu]x bandwagon right away, because there's all that ASP code lying around.

    Until M$ rewrites outlook, outlook express, and IIS from the ground up, you should immediately (or as close to immediately as you can get) stop using them. Given that IIS sucks anyway, you might as well stop using it permanently. I understand the allure of outlook, and the interoperation between it and exchange, but consider a web-based scheduling/collaboration system. Exchange is pretty lousy anyway, for a whole bunch of reasons I won't bother going into here.

    And finally, this is not anti-microsoft FUD, this is all based on reality. I'm not against microsoft on the desktop, or microsoft servers to serve microsoft clients. But we've seen time and time again how running microsoft windows of any flavor as a web server platform incurs a much higher cost than unix, because unix just doesn't tend to break as often -- Or be compromised. While this is not an OS-level bug, you really only have one choice as far as performance and support goes for a webserver on windows, and it's not a very good choice.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  4. Re:SysAdmins....wake up by Roofus · · Score: 5, Informative

    Heh, I work with a guy who isn't the brightest at times. He's been setting up a 2000 Server that's been hit twice with nimda in the last week. He reinstalled the server from scratch after each infection. His response?

    "I put the computer on the network to install Norton, and it keeps getting infected before I can get the updates"

    Ok, TWO THINGS:

    1) If you're going to install IIS, do not plug it into the network until you've shut down IIS. Then go download the updates.

    2) Norton isn't going to stop you from getting infected, it will only warn you about it during a routine check. If you want your machine to stay healthy, PATCH YOUR GODDAMN SYSTEM.

    Seriously, Microsoft has a little utility called HFNetChk that will scan any local or remote system and will tell you what patches need to be applied. This includes system, IIS, SQL Server, and IE.

    Not all updates are listed on the little automatic update website.

    Sigh...

  5. Don't want the attacks clogging up your logs? by rayvd · · Score: 5, Informative

    If you run Apache and hate looking at the hundreds of annoying attacks by the Code Red and Nimda worms, try adding these to your httpd.conf:

    # Apache does not allow comments after a directive on the same line
    # (anything after the regex would be read as extra env-variable names),
    # so the comments sit on their own lines here.
    # Code Red
    SetEnvIf Request_URI "^/default\.ida" attacks
    # Nimda, and likewise for the rest of the list
    SetEnvIf Request_URI "^/scripts" attacks
    SetEnvIf Request_URI "^/c/winnt" attacks
    SetEnvIf Request_URI "^/_mem_bin" attacks
    SetEnvIf Request_URI "^/_vti_bin" attacks
    SetEnvIf Request_URI "^/MSADC" attacks
    SetEnvIf Request_URI "^/msadc" attacks
    SetEnvIf Request_URI "^/d/winnt" attacks

    CustomLog /var/log/access_log combined env=!attacks
    CustomLog /var/log/attack_log combined env=attacks

    This will dump all the "attacks" into a file called attack_log and leave your normal logfile clutter free.
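The same split can be done after the fact on an existing access_log, which also gives you the per-source-host counts that comment 2's "mail the administrator of the infected server" idea needs. The following is an added example, not code from the thread or from Apache: it parses Apache "combined" log lines, tags requests by the same URI prefixes the httpd.conf snippet uses, and separates them. The log lines are constructed samples in the style of what Code Red and Nimda probes looked like in 2001; the host addresses are documentation ranges.

```python
import re

# Same URI prefixes the httpd.conf snippet tags as "attacks". Matching is
# case-sensitive and prefix-only, exactly as SetEnvIf "^/..." behaves, so
# "/Scripts" is not tagged but "/scriptsfoo" is.
ATTACK_PREFIXES = (
    "/default.ida",   # Code Red
    "/scripts",       # Nimda and the rest of the list
    "/c/winnt",
    "/_mem_bin",
    "/_vti_bin",
    "/MSADC",
    "/msadc",
    "/d/winnt",
)

# Apache "combined" format:
# host ident user [time] "method uri proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log (not real traffic); the URIs are the well-known
# worm probe shapes that the httpd.conf snippet is meant to catch.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Sep/2001:10:12:01 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Sep/2001:10:12:05 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [27/Sep/2001:10:12:06 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [27/Sep/2001:10:12:09 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [27/Sep/2001:10:12:11 +0000] "GET /images/logo.gif HTTP/1.0" 200 5120 "http://example.com/index.html" "Mozilla/4.0"
198.51.100.7 - - [27/Sep/2001:10:12:14 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_attack(uri):
    """True when the request URI starts with one of the worm probe prefixes."""
    return any(uri.startswith(prefix) for prefix in ATTACK_PREFIXES)


def split_log(lines):
    """Split raw log lines into (normal, attacks), mirroring env=!attacks / env=attacks.

    Lines that do not parse are kept in the normal list, since Apache's
    env=!attacks condition logs everything that was not tagged.
    """
    normal, attacks = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is not None and is_attack(rec["uri"]):
            attacks.append(line)
        else:
            normal.append(line)
    return normal, attacks


def count_by_host(lines):
    """Count tagged requests per source host; the list an admin would notify from."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts


if __name__ == "__main__":
    normal, attacks = split_log(SAMPLE_LOG.splitlines())
    print(f"{len(normal)} normal lines, {len(attacks)} attack lines")
    for host, n in sorted(count_by_host(attacks).items()):
        print(f"  {host}: {n} probe(s)")
```

Because the prefixes are matched case-sensitively and without a path boundary, the behaviour is identical to the SetEnvIf rules above, including their gaps; if you wanted case-insensitive matching in Apache you would use SetEnvIfNoCase, and here a lowercase comparison.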