Slashdot Mirror
Nimda To Strike Again
Seabass55 writes: "Researchers say Nimda is set to propagate again after rechecking Nimda's code. God help all the MS boxes ... again." Looks like the owners of unpatched IIS machines have until 9 p.m. GMT (1 a.m. ET) to get ready. I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants. Update: 09/27 22:45 GMT by T : Temporal confusion -- that's 5:00 GMT, sorry :) Update: 09/28 00:14 GMT by T : Carnage4Life contributes this link to a command-line tool from Microsoft to list patches already installed or still needed, if you think your Windows machine may be vulnerable.
All NT admins leave at 4:50 PM, too bad for them.
Je t'aime Stéphanie
What does this mean? I was under the impression that once Nimda infected a machine it would attempt to propigate indefinitely unless the machine were cleaned. What was the propagation time cycle for the first run?
Mind you, I've not seen a significant dropoff in my firewall hits (hits doubled after Nimda first hit), but perhaps I've not been checking properly.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants.
Maybe just corn syrup and regular ants for the admins who still haven't patched their servers.
I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants.
Are you kidding?
Legislation shows that people have a hard time differentiating what's a serious offence and what isn't.
For one thing, taking this out on someone hard, would only lead to approval of laws like the proposed law to make a bunch of kids in HS "terrorists" for winnuking each other.
We KNOW that these aren't hard to create, kids with no formal training can crank them out like they're nothing. To a 14 year old kid who needs to show off to his friends (and almost all of them do), it's IRRESISTABLE. I can't picture throwing someone behind bars for more than a couple years just because they're virus is effective.
If anything, they need counseling to know WHY what they are doing is bad, that it affects other people and that it isn't just a game, but certainly making an example of these people sets a precident for the treatment of all of us.
In other words, turn some silly kid with a script for making viruses into a real criminal, when people are getting in trouble for stupid stuff like scanning someone's ports, and soon you'll see anybody without corporate backing thrown in jail for having a debugger.
No double stockade and fireants for the IIS creators?
Gosh! It would be interesting to see if any more servers turns up affected after so much of patching and screaming and thrashing. I would normally expect everyone of those Admins to patch their boxes by now, but at the same time, there would be some more, either ignorant or out on vacation, who is bound to get hit.
.. Err..well..
And when shit hits the fan, the management is sure to turn around and bite yelling "But we all knew about it..Why didnt you do it ?"
Patch those boxes up..and do so in a routine manner. Sure its pathetic and time consuming. but its your data and your hardware..
Rapid Nirvana
I believe this Wired article applies in this case (as many machines are still left unpatched), as well as an idea of what some ISP's are considering/doing if their subscribers don't have a clue.
, 00 .html
(Plain-text link):
http://www.wired.com/news/business/0,1367,47037
a video game i wrote 10 years ago in Qbasic was just emailed to me today via sircam...
that means that someone actually had it on their computer, and that made me feel all fuzzy.
god bless sircam, and its glorious resurrection and distribution of great software titles.
MARIJUANA, SHROOMS, X: ONLINE?! - E
Check out my script! If you're running Apache, it'll monitor the logfile and send mail to the Administrator of the infected server!
from the article it is clear that the 1 AM Eastern Time Friday is the correct time. And what is ET, GMT - 5, right? So it will be 6 AM GMT.
-sam
The REAL sam_at_caveman_dot_org is user ID 13833.
Why is windows suffering so many of these attackes recently (I know this is the same but I mean coupled with Code Red etc)? Is it becuase the exploits have only recently been found that enable them? This implies that fewer such exploits existed in older MSware - is this true?
/. recently?
Is their widespreading mostly helped by the recent influx of cable/dsl users? Instead of the usual MS bash, could we try to explain some of the factors that make these stories so common on
Of course, we can't escape that it was Microsoft that published exploitable code but I'm sure their software has always been as bad so what else is behind the current surge?
I'd like to see some fireants for the server admins who still haven't patched for this thing. What kind of rock do you have be living under not to have heard of this by now?
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
Ditto...I'm up to nearly 13k hits logged since Nimda began, vs. a bit under 10k Code Red hits. The weird bit is that the number of Nimda-infected hosts is much lower...400 vs. 3500 for Code Red. Maybe it spends so much time banging away at the same system that it doesn't spread itself as effectively as Code Red.
20 January 2017: the End of an Error.
9pm GMT -04:00 (EDT) is 5pm EDT.
9pm GMT -05:00 (EST) is 4pm EST.
However, the time mentioned in the article is 1am ET. Hazard a guess that it is really EDT they are citing, making 5am GMT zero hour. It will be 12:00am (Midnight) EST.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
You're right -- I just updated it to reflect the right time :)
Sorry about that.
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
My organization was hit hard by Nimda. Our poor Windows Administration staff ran around like crazy cleaning, patching, and upgrading hundreds of machines.
Is this a Microsoft problem? You bet.
Microsoft OSs do not have a complete, common set of system administration tools built in. This results in haphazard machine administration.
Microsoft and other companies sell useful administration tools, but these are high priced tools that only do a piece of the job. And since they aren't included with the OS, very few sysadmins have expertise with them.
So Microsoft, get on the ball. If you want to sell an OS, it should be ready for the enterprise.... including enterprise administration.
In the meantime, we're porting our apps from IIS to Apache. Yay!
Whatever happened to all the "3v1|_ h4x0r5"(TM)??
We seen a number of highly infectious viruses in the last year (Sircam, Code Red, Nimda, etc), but none of these were actually very destructive. Sure they are a pain to get rid of, and may spread a little information around, eat up bandwidth, or compel you to reformat just to be sure, but they aren't flattening people's systems.
Whatever happened to the anarchists out to destroy the system? Now admittedly I don't want to encourage people to be more destructive, but it seems almost trivial to think of ways that viruses and worms could easily be made more destructive. For instance, upon infection, delete everything in the "My Documents" folder. Or, change default web page to a share of the whole computer. Or even wait a couple days and then wipe the person's hard drive.
I haven't been vulnerable to anything to come along lately, and I'm glad, but I'm also glad to note that the truly skilled black hats out there seem to have moderated how much damage they actually intend to do. I wonder if they are scared what the law might do to them if their attack truly was evil.
To put it mildly, YES! While it's true that Microsoft products are no less secure than those of other vendors, Microsoft's position as market leader makes them a prime target for hackers, virus writers, and other internet terrorists. You really have no business running a web server until you learn something about security. You can start by reading up on Nimdahere.
If you have a problem with my views, REPLY, don't moderate!
I'd like to see something similar for the IIS developers along other selected members of Microsoft.
chongo (was here)
Nimda, and maybe some fireants.
Yes, and a special one for those who roll out vulnerable server software. Ideally, with all the attacks, IIS should get stronger, as a body's immune system does with constant testing, however, it would indeed be a sad body which has been so patched. Make Frankenstein's monster look like George Clooney.
A feeling of having made the same mistake before: Deja Foobar
Here's what most terrorists do. Atleast this is what I've heard/seen done by past terrorists:
1. They take hostages
2. They kill people
3. They make demands
4. They invoke terror in their victims
In no way do these "hackers" fit the description of a terrorist except for maybe #4. These are generally just people who find a whole in security and take advantage of it. They can be really annoying, and people who make these types of viruses should be tried for damages, but I don't think they fit the desciption of a terrorist.
But more important, I think Ashcroft isn't talking about virys writing hackers, but any type of hacker. Essentially, if you mess with a system at all, then you're a terrorist accroding to Ashcroft.
Boy, my parents must be disappointed in me now, rasing a terrorist..
F-bacher
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
Maybe InfoWorld uses FrontPage 2002 to do their page creation. If so, they wouldn't be able to give proper credit to everyone involved, as it would violate the EULA.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Then you're not vulnerable to either.
Good practice in this case means keeping your systems updated to the latest patches, not having open shares at all, and updating software to the latest version. It also includes not using software known to be not only a security risk, but basically an open door to "hackers". Note the quotes, please. They indicate sarcasm.
If you have patched Win2k to SP2, are running IE6 final, and do not use outlook, you have protected yourself from every vector these worms, except for the "Web Folder Traversal" issue. That's a minor quick fix, though it shouldn't have been necessary.
Why am I willing to specify not using outlook and not specifying not using IIS? Because it became abundantly clear that outlook was unsafe well over a year ago, whereas IIS could have been terms "more or less okay" until recently. Also, you just can't walk away from NT/IIS webservers and jump on the *[iu]x bandwagon right away, because there's all that ASP code lying around.
Until M$ rewrites outlook, outlook express, and IIS from the ground up, you should immediately (or as close to immediately as you can get) stop using them. Given that IIS sucks anyway, you might as well stop using it permanently. I understand the allure of outlook, and the interoperation between it and exchange, but consider a web-based scheduling/collaboration system. Exchange is pretty lousy anyway, for a whole bunch of reasons I won't bother going into here.
And finally, this is not anti-microsoft FUD, this is all based on reality. I'm not against microsoft on the desktop, or microsoft servers to serve microsoft clients. But we've seen time and time again how running microsoft windows of any flavor as a web server platform incurs a much higher cost than unix, because unix just doesn't tend to break as often -- Or be compromised. While this is not an OS-level bug, you really only have one choice as far as performance and support goes for a webserver on windows, and it's not a very good choice.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
While it's true that Microsoft products are no less secure than those of other vendors...
You're Trolling, right? It's been over 3 years since the last remote root exploit in Apache, and IIS has had several this year!
If you're not Trolling and you actually believe what you just said, you'd better do some research.
Why do you need to label yourself anyways?
So we know what shelf to sit on?
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
I administer Notes, NT, Win9x and a Linux box, plus firewalls yadda, yadda.
I work in a Corporate Travel Agency in NYC, they just decimated my entire staff and I have me and one other guy who has been relegated to inputting ticket refunds.
I DON'T HAVE TIME FOR THIS! My lone IIS server has been patched since the first day. Lotus Notes doesn't care about these dumb ass viruses (virii) and my Norton's are all up to date.
My USERS got this crap from infected web pages!
We're losing a machine a day in the field b/c these bozos can't figure out how to click on a button called VIRUS_FIX on the corporate intranet.
I am ready to frigging quit and become an English Teacher fuck the money! If the whole MS world can be brought to its knees everytime some kid in Sweden has the day off then we're all fucked.
CIOs who continue to use Outlook/IIS deserve whatever happens to them. (We HAD to use IIS for a 3rd party software app.) Micorsoft SHOULD ABSOLUTELY BE PAYING IT'S CUSTOMERS BACK FOR THIS! HOW DARE THEY GET READY TO RELEASE YET ANOTHER VIRUS RUNTIME OS.
It is seriously time for the MCSE farms to be shut down and for corporate America to move to another OS. Fuck the users; guess what they don't know all that much about the OS they are on switching them now will have no lasting impact.
This
Sorry to be nitpicky-Stockades aren't much of a punishment, really just a jail. I think you mean stocks or a pillory.
Take a look here: Stocks and Pillories
...especially considering that the IIS patch has been available on WINDOWS UPDATE for the last THREE MONTHS. Fireants for any worthless tech who hasn't figured this out yet.
-Jayde
What's a sig?
I didn't know you read comments (or just the ones about articles you post?). That's cool, as well as the fact that you can admit when you make a mistake every once in awhile.
If you celebrate Xmas, befriend me (538
Because there are a million people that don't even know they're running a webserver.
When you log attempts on port 80 from infected boxes go and have a look with a browser.
The majority will show the default "this site is under construction" page, the rest show the Code Red defacement page.
Okay so they checked the code. But did they test it out? Has somebody changed the time on a server [issolating it first] and seen if really starts flinging bad bits?
If there's anything surprising about the entire worm phenomenon, it's that the payloads have been so benign. There's absolutely no reason why that has to be the case though, and sooner or later some little shit is going to slip in something like:
FORMAT C:
as the ultimate payload of a nimda-like worm, and all hell, and I truly mean all hell is going to break loose.
I think that it's absolutely shocking that no one knew until right now that the damn thing is going to start up again tomorrow. What else don't we know about the program? I certainly hope that the experts who are now giving us some six hours notice (at night!) that the damn thing is about to restart haven't missed any other little details of the worm's operation.
The entire ISS/Outlook security situation is absolutely shameful. Microsoft has been fucking around for years piling on layer after layer of buggy, insecure active this and executable that into the Windows mail system, and pretending that it doesn't matter, and the result, today, right now, today, is an internet that's about as secure as an airport with no guards, and half the locks in the terminals and on the planes flat out nonfunctional.
Someone is responsible for this mess, and it ain't the folks who wrote the RFCs!
I was helping a friend install Win2KPro on his home machine to do some development work (for work, of course). I'm not a big Win guy, but I've done the point-click install before.
Anyway, as soon as we were done (installing while his home network was live), we tried getting to windowsupdate.microsoft.com to install patches. However, we soon discovered that we were already infected! Two freaking minutes after installation!!
If you don't install behind a firewall, how the hell are you supposed to get updates to all of Win2kPro's problems without getting infected?
Sure we'd hear about them, just not as much as we bo with MS's great products.
Of course you realize that Linux hasn't had nearly enough exposure to back up that claim.
The sad truth is that patches to protect yourself from these worms were released well ahead of the worms themselves. Getting hit by it is irresponsible, but Microsoft's current patching procedures are such a mishmash that getting the right information ahead of time is a total bitch.
Those who are forced by circumstance to be responsible for administering IIS and other microsoft software should look at St. Bernard Software's UpdateExpert. It's a little pricey, but it doesn't cost nearly as much as even one full day of nimda / CodeRed / etc. infection.
It simply keeps a list of all patches released on the Microsoft support site, and lets you roll them out to machines on your network without the users knowing about it. It's saved my bacon a few times now.
Even Jesus hates listening to Creed.
If a piece of software requires regular patches for serious security problems, that's probably a sign that its basic approach to security is flawed.
But does IIS really need patches as frequently as you imply? Code Red, Code Blue, Nimda et al exploit the same security hole that is almost a year old. The problem is that for every security hole, there are several waves of worms because IIS admins simply never patch their boxes.
If you disbelieve me check out Netcraft's security survey which shows how long several IIS boxes have gone unpatched and that about 12% of SSL sites (meaning they are probably eCommerce related) running IIS have been "rooted".
If a company wasn't hit by both, presumably their security policies and procedures are either already up to scratch, or capable of being improved sufficiently. But if a company was hit by both, their procedures are probably beyond repair, and they'd be better off with a server that's more secure by default.
So I think Gartner was absolutely correct. Not only that, but people who didn't pick up that subtlety from the Gartner report are also more likely to need to switch servers, so the report works either way! :P
I think the previous poster's analogy to Sendmail and Bind were quite appropriate. But I also think that Gartner is slightly over the top on this one too.
Apache is more secure than IIS because it does not trust itself to police itself-- it allows the OS to police it too! This is the problem behind Sendmail and BIND, and it also exists in many competing web servers, including Tux, Websphere, etc. I do not know enough about iplanet to comment about their security model.
That being said, there are some places where IIS may be the most secure alternative (where the security needs to be integrated into the user-level security on a domain, f. ex). I just believe that the world of serving pages to public networks is not it...
LedgerSMB: Open source Accounting/ERP
After Gartner's recommendation, thousands of PHB's and even sane people will rush to switch from IIS to Apache / IBM HTTP Server / whatever.
Has anyone written a product yet to translate Active Server Pages (ASP) code to PHP, JSP, or some other format? Most of the basic scripting language concepts should translate pretty nicely.
Even if someone has built their IIS / ASP application 'correctly' (cough cough) isolating middle-tier logic to MTS or something similar, wouldn't Perl / Java / whatever wrappers to those COM / COM+ services also be straightforward to write?
Or has someone done this already? Isn't there (or wasn't there) a Chilisoft implementation of ASP that you could run on Apache and Linux?
nimda and its ilk are the killer apps that will
spark the next information revolution.
I'm looking forward to Microsoft's first foray into creating actual worms, instead of just
providing the infrastructure.
One day we will all look forward to the next MS worm with all the enthusiasm that we now share for the next Windows.
I have been monitoring my logs, and most of the hits I get are from Cable/DSL users. I bet a lot of these people are unaware that they are even running IIS, let alone that they need to install a security patch.
I have not used W2k much (set up a test server at work, and reboot it now and then when it fails mysteriously), so I guess by default there is no automatic "Your Software needs updating" dialog that pesters you. If MS had their SW configured to do a weekly check and let users know that updates were available it would help. I know that Mac OS 9 and Mac OS X do this and it is useful for making sure systems stay current, and I wrote a few scripts that run as cron job on my Debian box at home that do apt-get update weekly, and mail me if there is a security update.
Maybe something like this is already there in W2K (though if it is it sould be surprising), and I just have never seen it, I apologize if I speak from ignorance, but if there is not, then MS needs to get on the ball. Their software is causing a lot of problems, and they need to be more active in making sure that their boxes get updated.
Hyperbole is the worst thing ever.
(I already made this as a reply to comment, but I'm irked about this enough that I want to post it to the main thread in hopes that people read it)
I bet you have security guards, fences and cameras to protect your buildings from 14 year old kids.
Why don't you have a secure firewall to protect your servers?
We are living in the time that 100 years from now people will look back and think we must not yet have evolved properly. They will look back and think, "Why did they put up with that idiocy? Were they just stupid back then?" And parents will shrug and grandparents will say "It was like the frontier!" and kids will think "Wow. Those guys were stupid."
Don't bitch about the lack of govenment protection when all you have to do is install appropriate security which costs NOTHING. I don't want my taxes paying to protect you from your own laziness.
25K lost? Serves you right.
YES! While it's true that Microsoft products are no less secure than those of other vendors, Microsoft's position as market leader makes them a prime target for hackers, virus writers, and other internet terrorists. You really have no business running a web server until you learn something about security.
Market leader?? If that was it, I think that Apache would be three times the can of worms that IIS is. You must admit that the default installation of Apache is MUCH more secure than the default installation of IIS.
IIS has the same design flaw that Sendmail does, an dit has enough market share to be a viable target. It is also true that many other vendors make the same mistake (including Red Hat and IBM)but lack the market share to be reasonable targets.
Moral of the story: If you want to use IIS, tell it only to listen to IP address 127.0.0.1. If you can't figure out how to do this, please install Apache instead. (www.apache.org)
LedgerSMB: Open source Accounting/ERP
If they were going to exploit the industry leader then they *would* write Apache exploits. Despite what MS would like you to believe, according to Netcraft they only have about 20% of the webserver market to Apache's 60%. So that argument goes out the window, the underdog IS IIS.
Let's make some profit out of Nimda :)
:"Suicidal" with a kind of Nimda showing.
:)))
Like T-shirts...
"I've been attacked by Nimda and all I got whas this T-shirt"
"Chicks dig Nimda"
"(front:)IIS (back:) you are dumb"
Or posters...
"Internet map of Nimda infected domains"
New 'Inc DeMotivators' poster
We should inform Thinkgeek of this nifty plan
42 + 1 = 42
Well, I suggest that we go farther. We already block harmful and suspect viruses at our perimeter and throughout the enterprise. Why not instruct our routers, firewalls, and proxies to block any packets that indicate the content is coming from IIS - and block any M$ Internet Explorer broswer? Just drop the packets?
OK. I'm speaking toungue in cheek, but I could actually make a justifiable argument that such use has PROVEN twice in a month that those tools are demonstrated security risks and should be defined as dangerous activity.
It's not MS fault this happened
snip!
Just so happens more people are writing them for MS
Gee, why do you think that is? They don't exactly have a monopoly on the server market. Saying they have 30% is a error in their favour.
*gasp*
Do you think it's because they write a hole-riddled bit of software?? If 70% of the market is someone elses, and yet 100% of the exploits that make the news are written for MS, that does not bode well even in the most conservative analysis.
*gasp*
Now, if they did write a hole-ridden bit of shit, that does make it their fault! Damn, the logic train just keeps going... And just like MS, the verdict of the logic train ain't in your favour.
.sig: Now legally binding!
It's not going to matter what o/s it is if someone can write a virus, root kit, whatever for it.
From the OpenBSD website: "Four years without a remote hole in the default install!"
Now, with the resources that M$ has, there's no reason why they shouldn't be able to say the same. The simple fact is that they've determined that they can make the public believe that they are not at fault, so it is more cost effective to add another "feature" to the os. If general motors didn't put airbags into their cars so that they could put in extra cup holders, would they be at fault? After all, it is the other car that actually caused the fatalities, right?
"Don't blame me, I voted for Kodos!"
If you run Apache and hate looking at the hundreds of annoying attacks by the Code Red and Nimda worms, try adding these to your httpd.conf:
... ditto all the way down
/var/log/access_log combined env=!attacks
/var/log/attack_log combined env=attacks
SetEnvIf Request_URI "^/default.ida" attacks # For Code Red
SetEnvIf Request_URI "^/scripts" attacks # For nimda
SetEnvIf Request_URI "^/c/winnt" attacks #
SetEnvIf Request_URI "^/_mem_bin" attacks
SetEnvIf Request_URI "^/_vti_bin" attacks
SetEnvIf Request_URI "^/MSADC" attacks
SetEnvIf Request_URI "^/msadc" attacks
SetEnvIf Request_URI "^/d/winnt" attacks
CustomLog
CustomLog
This will dump all the "attacks" into a file called attack_log and leave your normal logfile clutter free.
I am contracted to a mid-size steel and auto-parts company. They have contracted out the most complicated IT tasks. From my company, there are 5 consultants that had to drop every task to battle Nimda. We bill at $75 per hour. We put in a total of about 30 hours a piece on Nimda last week. 30 x 5 = 150 hours. 150 x 75 = $11,250 in pure wages. We have about 100 sales people that couldn't do their jobs for a good 6 hours. I happend to know the average salesperson at the company sales about $5,000 in steel and parts a day. So lets say a low number of $2,000 per person was lost that day. 100 x 2,000 = 200,000. I think that number speaks for itself. Just in case my numbers are inflated (they aren't) lets remove 1/2 of that. 100,000 is still one heck of a chunk of change. That figure is just for our main office. We have 10 smaller satellite offices. Was it our fault? Maybe. Is it our fault that Windows is the defacto OS in the company? Absolutely not. I am one of the biggest pushers of Linux. I probably send the IT manager 3 links a week on Linux. The problem is that those in charge don't know squat about security. In fact, the IT manager is an accountant and she wouldn't know a router from a washing machine and if you mention a CSU/DSU she would probably mention what a great school it is. Bottom line is that Techies from Macrosalt built an OS that isn't worth crap. They have sales people that couldn't grasp recursion trying to tell IT managers who wouldn't know a VPN appliance from a toaster what a great product Windows is. Until the managers start listening to those in the trenches, this cycle won't end soon. Just my 2 cents worth.
Apparently that's what M$ is working on right now...a system to "push" updates directly to .NET Server. They are also working on ways of applying the patches without the endless reboots between patches. Considering that companies have been doing this for years (Symantec "Live Update" anyone?) it's absolutely STOOPID that M$ hasn't done this before.
2.IIS admins are typically inexperienced and unknowledgable about security and thus never get around to installing a patch even though it was released almost a year ago.
And as someone who has been through eight (count 'em!) Microsoft Official Courseware MCSE courses, including their "Designing Secure Windows 2000 Networks" course, I can tell you from experience they don't teach you SHIT about security. You NEVER get tested on how to lock down IIS against exploits. Firewalls get short shrift in favor of endless prattle about VPNs. MICROS~1 needs to talk about security from point zero on in their MOCs. There is no excuse.
3.IIS patches need to be on the Windows Update [microsoft.com] website.
Actually they are, if memory serves me right. However, when Code Red v.1 was at its apex, Windows Update itself got hosed by the worm. Hilarious. I laughed my ass off.
Since I am running Win2k with Apache 1.3.20 for Win32, and am relatively new to webhosting, I have little idea of how to do anything about the problem. Can the same Apache scripts that are run on Unix be run on Windows? If so, could someone point me to a website with a script that will at least pop up a message to the user of the machine, if not simply shut them down? Help would be much appreciated.
A word can paint a thousand pictures
Since I heard about Code Red, and Nimda, I've been hitting Windows update every day or so just to make sure I'm still up to date with all their security patches.. I've gone there before, downloaded security updates, and regularly make the rounds.
For the past month or so, all that's been there are IE6 and Microsoft Messenger 3.6. Whoopie.
So, I'm safe. Nothing can touch me.
UNTIL I SEE THIS STORY ON SLASHDOT. That "command line tool" (hfnetchk) showed that I had 8 security patches I needed to apply, one of them had a WARNING next to it.
Uh, hello Microsoft? Is Windows Update NOT for security updates? Just a place to peddle your frickin MSN Messenger!? I'm sure there's thousands of people like me who think that since Microsoft doesn't have any security updates posted under the CRITICAL heading on Windows Update, that we're free and clear. Geeze.
First of all I love the comment "Given that IIS sucks anyway".
Just for the record. We had some issues with this at work because some development machines weren't properly patched. Old NT4 w/SP5, Office 97, etc.
At home, on the other hand, I am at the bleeding edge. Win2k sp2/hotfixes, Norton XP, Office XP, IE 6.0, etc.
Got home after fighting the virus at work, went to Outlook to check my email. Yep, got a handful of emails from Nimda.
Confidentally opened up the emails to see what they contained using Outlook XP... thought it was kind of cute, but I deleted them.
Went out viewed a couple of websites to see what the latest news was.
Then I decided I probably better update my Virus definitions, so I did that.
Not once was I ever vulnerable to Nimda. The IIS exploits were very old, as were the IE exploits. Outlook has had patches available since last year for Outlook 2000 to prevent this type of attack. Outlook XP by default out of the box blocks many types of attachments, and does not allow email with HTML content to be scripted.
So granted, some older versions of their applications and OS are vulnerable to some problems. What do you expect Microsoft to do? Fix it?
They already have.
I'm aware of one company where the major causes for concern were people running systems in violation of company policy (which is no net-facing IIS). They'd managed to sneak around the security controls in the company.
That wasn't the fault of the systems staff in the company, but they still ended up cleaning up the mess because a bunch of idiots were Doing The Wrong Thing.
More to the point, Nimda is *not* just another Code Red; it spreads through shares, email, and a number of other vectors, including browser use. It's quite capable of destroying an internal network simply by getting on a staff member's laptop while they work off-site and then unleashing itself internally.
I would have thought the various reports from Netcraft showing IIS is in use on most commercial web sites would have laid to rest the false claim that Apache is more popular.
The Windows EULA basically says that M$ is not responsible at all no matter what. In reality, whomever agreed to the EULA's is responsible for this mess.
That's unfair. If someone using Linux or FreBSD suffered from some kind of attack, is it their fault for choosing an OS that doesn't provide someone to sue?
And can you suggest an OS alternative that does provide legal recource for something like Nimda? I can't think of one.
Strange, I could have sworn nimda only used a selection of old, well known exploits, the patches having been available for anywhere between 1 and 6 months...
That is what everyone says. However, I have a hard time believing it because I have seen it hit systems with those patches on it.
I even saw it hit an XP system with a read-nly share (NTFS Permissions denied write access) and IE6 (which is not supposed to be vulnerable. IIS was not involved in either case, nor, surprisingly was Outlook, at least not directly...
LedgerSMB: Open source Accounting/ERP
There shouldn't be security holes that allow these viruses to exist in the first place. Don't blame the kids who wrote this, but rather blame microsoft. I'm sure you can use the excuses that microsoft can't be held responsible for everything their software causes, but this is rediculous. Why did it take tons of viruses for microsoft to even patch this?.. Why wasn't this patched before, or caught before and addressed? It's simply because microsoft can't afford to make their software secure until it's demanded, and that's just wrong for a company like microsoft.
Unlike 'Code Red', Nimda does not spread by pushing the worm binary in the HTTP request. The worm uses HTTP to find a vulnerable IIS server, then causes the IIS server to make a TFTP request out to the attacking host to retrieve the ~64K binary.
Most normal 'secure firewall' products aren't tuned to block outbound requests from the protected servers to internet hosts. Mine are, but that only gave me about 72 hours of lead time before it came in another way...
Even when firewalls block the IIS scanning, Nimda spreads by email, file shares, and by putting a copy of 'README.EXE' in the root of the IIS server and adding Javascript to all web pages on the server, pushing the worm at users of the infected web site server.
My firewalls block _all_ UDP packets, but my network still got hit hard, and probably incurred more like $60K in 'paper losses' -- lost productivity, bandwidth, overtime, etc.
We haven't found 'patient zero', but we have two good suspects, in both cases a user with a laptop that did not have updated anti-virus software and that got infected from one of these routes:
The common thread here is user error.
The best firewall is no protection against malicious, or just plain ignorant, users. Blame also falls on local admins for failing to push virus signature updates and keep up with system patches.
I've only ever seen around a dozen inside hosts from which the work was actively scanning HTTP, but the worm traffic from those dozen machines alone was enough to severely degrade WAN and firewall performance.
I do not deploy Linux. Ever.
Cheers for the HFNetChk info. What a pain that it needs IE 5 to run. There's no way I want to install that on a production server on a Friday afternoon. Not much choice though...
my blog: good times, man, good times
How much are they paying you?
I share my knowledge and expertise for free.
See up to date MRTG statistics Nimda-Log
http://www.microsoft.com/downloads/release.asp?rel easeid=31154
Enjoy!
liB
Alot of companies have spent large amounts of money on IIS based websites that cant just be moved over to an Apache or other webserver. I think there has been too much hype about IIS being insecure, perhaps companies should just stop leaving the responsobilities of webserver security to clueless admin's with microsoft certs.
y )
With a few easy steps, you can setup an IIS server so that it wont be vulnerable to a large number of new vulnerabilities and worms taking advantage of these vulnerabilities.
- Take the time to do a custom install of the option pack, and remove what you wont need (transaction server, frontpage extensions etc.)
- Setup the webroot on another drive (not C:), and make the filesystem NTFS.
- Remove all sample directories
- Remove all associations to default ISAPI objects (webhits.dll, ism.dll) from the management console
- Apply the latest service pack
- Apply all the latest hot fixes since the latest Service Pack (only those that apply to your server).(http://www.microsoft.com/technet/securit
- Monitor Microsoft alerts and security mailing lists for latest bugs
- Turn off verbose error output from the server, and have a customer error (404) page, a custom 404 page still returns a 200 OK response and confuses alot of scanners
- Install an IDS (snort has been ported to win32, http://www.snort.org)
All this shouldnt take too long, and will give you a much better chance of surviving a worm outbreak.
I've gone through my logs and found quite a few
What I do is go connect to the offending box via smb
Usually they have a printer attached to it so I print out a page of A4 with :
"YOU ARE INFECTED WITH NIMDA, SORT IT OUT
here's how : http://www.antivirus.com"
on it in 72 point text
it's working so far
if they don't have a printer then they usually have an open share that's world writable so I leave text files called
you are infected with nimda.txt
and put the url inside them
that's closed a couple too
(I also found a keygen I'd been looking for so that was a bonus)
I'm not sure if nimda resets the passwords but which might not lead to a surprise of how far you can go with
un : adminsitrator
pw :
have fun
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
OK, so which OS is the "real house?" MacOS? Windows? Solaris? Which OS is licensed under terms providing you with someone to sue when there's a security flaw?
I don't think such a beast exists.
Jeez, if you're her friend, tell her to get her radiation scarred sagging skin out of the damn sun. That woman is turning herself into jerky.
Also, last I heard, friends don't post candid photo's on the web for every cheez-o-news site and pathetic geek (like me) to leech then lech over. Give the girl a break, huh?
If you were blocking sigs, you wouldn't have to read this.
OK, let's say there's an intranet with all sorts of Windows boxes, which uses a masquerade (IPCHAINS) Debian Linux box to connect to the Internet.
How can I use the Linux firewall to protect all the machines inside it from those evil viruses? Any ideas/URLs? There *must* be something!
but of course because /dev/mouse is a streaming file, it caused the browser to basical block until the end of time. Mouse movement got real glichy. I almost was able to click to kill icon on NS, eventualy had to [ctrl alt backspace] to stop X-Windows. Actualy I thougth that my machine handled it pretty well. Brought back memories of running windows. Immagine in Linux we have to emmulate viruses via diliberate user intervention; or of course use WINE/IE/OUTLOOK.
Apocalypse Cancelled, Sorry, No Ticket Refunds
The authorities have Carnivore and echelon stuff running overtime. Do you think this is all a coincidence, or does it feel more like a way for the terrorists to bury their commo channels in background clutter, while still asaulting a worthy target? sphealey, do you feel like you're being kicked in the groin? well don't take it personaly, you and your company is just one battle in a terrorist war to take down Microsoft, and after that probably Sun. Maybe they'll have a hard time deciding between Apple and Linux for number three.
These guys hate the internet because it lets us communicate and do business all over the world. We can post our opinions and our rants for the world to see, and they don't want the world to see. They think we're soft, decadent in short we are their prey. It's their perogative to use us like chattle, just like they do to their own woman. Just do the math $25K for one company times all of the simalar companies, the economic implications are staggering. What is this doing to the TOC for the products of the biggest software company in the world? Viability for future sales? Remember most of the Military runs on Microsoft, and they flew an airliner into the pentagon. What happens if Microsoft goes belly up five years from now?
Microsoft might to have to put some money in an reactive defense initiave to counter-attack infected users; maybe send then viruses who's payloads are uninstalled patches. How many broadband users would even notice?
I know this sounds like a rant or troll but just think about it. Actualy Linux needs Microsoft to keep things honest. We need to get the message out to everybody, use a firewall, use anti-virus and get those patches installed. If we don't do it it will be legeslated.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Er, if Britney was worried about that, don't you think she'd have left showbusiness long ago?
Female Prison Rape in NY
My brother told me about a class he went to about securing web servers Apache, 15 minutes, Netscape 30 min. and IIS, the remainder of the two day course. Go Figure, it's not because of market share.
Apocalypse Cancelled, Sorry, No Ticket Refunds
I use apache so I dont know what this does, and I added backslashes to the get just to be safe and choped off the code so not to distribute /default.ida?Code_Green__V1.0_beta_written_by_'Der _HexXer'-Wuerzburg_Germany-_is_dedicated_to_my_sis terli_'Doro'.Save_Whale_and_visit__and_ Code deleted on purpose HTTP/1.0" 200 1 "-" "-"
203.247.193.77 - - [09/Sep/2001:09:15:57 -0400] "\G\E\T
Apocalypse Cancelled, Sorry, No Ticket Refunds
They would work just like a driver's liscense.
Class A: You can administer high-bandwidth connections (ISPs)
Class B: You can get broadband
Class C: 56k dialup max
Class D: 28.8 AOL for you!
You might wanna ask yourself a question before replying to posts... "do I really know what I'm talking about, or at least to sound like I do?".
Concerning the Nimbda virus (if you're referring to something else, sorry, I assumed you were OnTopic), even if you have EVERY patch installed on your MS IIS servers, you still get slammed by random IP's from MS servers that weren't patched, thereby bringing "your internet" to a slow crawl (bandwidth/data rate dependent, of course).
So, all in all, in defense of the NT admin you responded to (FYI, I'm not an Admin, I'm a programmer), sometimes you can't do anything about the problem besides try blocking the most common IPs that hammer your site, after all, you aren't going to be able to get all of them blocked (which is probably what they were doing till 3am).
"I have no special gift, I am only passionately curious." - Albert Einstein
Try
NET SEND [idiot's IP address] Hey idiot, your friggin' computer is infected with [IIS virus of the week], why don't you get a clue and fix it?
My Mac server's firewall software has been logging these attempts forever. I'm currently looking for an AppleScriptable Mac program that can send out these NET SEND messages to the idiots automatically. For now, I have to print the firewall log from my Mac and send the messages manually from my PC.
~Philly
At least the 'net so far today doesn't seem to be bogged down like it was when Nimda first hit...
20 January 2017: the End of an Error.
I remember that one from a previous job. The thing about it was that we normally never noticed it, but there was one cash register PC where the floppy drive would stop working once NATAS took hold. It wasn't used very often to test code, but when one of those stopped reading floppies, it was time to go around and run a virus checker on hard drives and stacks of floppies. Also nasty was that it would infect an executable file of some sort in our software which had a file extension that the virus scanner's "quick" mode didn't scan! After about four years (yes, years), I think we finally got rid of it.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
I know, plus anything that you do in a public place has really to be considered public. It's not the same as snapping her with a tele lens through a window.
I'm just an old fashioned guy, I suppose. ;)
If you were blocking sigs, you wouldn't have to read this.