Slashdot Mirror
Happy Birthday Code Red
totallygeek writes: "One year ago today (July 19, 2001), more than 359,000 computers were infected with the Code Red worm in less than 14 hours. At the peak of infection, more than 2,000 new machines were infected each minute. Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since. For the first time, systems running the Apache web server were getting requests for a document called "default.ida". Here we are a year later, and my web log shows an average of forty-two requests per day for default.ida over the last five days. To really appreciate the spread of this program, look at this animated image."
Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since
Granted, the 'Net was a lot smaller, but what about the Morris worm?
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
What exactly are we supposed to celebrate? The inept SAs that have failed to patch their systems? The sad lack of software development skills and abundance of corporate greed that combine to push shoddy software upon millions of users?
Maybe we should celebrate the resiliency of the Net. The fact that while attacks on systems continue to come daily, and at a seemingly increasing rate, everything still works most of the time.
--knowledge, not information, is power
June 18, 2001 14:29:28 -0700
Microsoft Security Bulliten MS01-033
June 18, 2001 14:36:53
q300972_w2k_sp3_x86_en.exe
When did Code Red hit? Did I bother to notice? Did I bother to record? No. It didn't affect me much.
Is it slashdotted or is that the demonstration?
;)
Corporate America mostly runs Windows 2000. That's the system that needs security and reliability most. And where's Microsoft?
Unfortunately, if vigilant admins set up their severs properly -- i.e., disable unused script mappings (like I did ;-), this never would have happened, bug or no bug, worm or no worm.
Aw, fuck it. Let's go bowling. - The Big Lebowski
Considering that despite the worm being in the wild for over a year, that either installing a *nix varient, applying a service pack, or simply running a decent antivirus app were alternatives to being infected? All of which are conscientious actions of the user, admin, etc? All actions that are made on the part of the user? All options undertaken or not by the user?
Sounds an awful lot like the fault of the user to me...
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
Does that mean, therefore, that anyone running Linux without the fix for the 1i0n (or however that's spelled) exploit, can sue Linus Torvald, Redhat, et al for damages? How about anyone running a Micro$oft OS that has an exploit taken advantage of with a worm, virus, etc, that was created on a Linux system with the sole purpose of damaging as many M$ OSs as possible?
If you get shot by someone and suffer horrendous injuries, do you sue every bullet proof vest manufacturer, or gun manufacturer because they didn't base their business model around you? Or do you sue (or at least lock up) the one who pointed the gun at you and pull the trigger? Do you go around your neighborhood, testing each doorknob to see if the house is locked, then rob and burn down each house that isn't? Is it the homeowner's fault for not locking the door, or you for entering in the first place?
If you want to hold anyone responsible, try the guy/s who code viruses and worms... Anyone with sufficient pathological incentive to wreak havoc and trash a computer system (or, basically, anything else) will do so...
Responsibility goes two ways, on one hand, those who have known for a substantial period of time that there was a problem that needed addressing, and those who take advantage of that problem... The net makes this all more obvious, at least to those of us with a smidgen of common sense...
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
If you think Linux is a "Safe Haven" then you're just asking for your ass to be handed to you.
If you think you can put ANY server up on a public network and not maintiain it--you WILL be in for a rude awakening one day.
Of course - that's not to say it can't happen to Linux in the future. Some changes that would have to take place would include:
1) An increase in un-administered machines (which is possible as more Linux machines go in to service and are promptly forgotten about or appropriate support stuff aren't also put in place).
2) More distributions installing services by default without user knowledge (which most distros seem fairly resistant to doing - but not all).
3) Patches that become as devistating as the security threat they attempt to mitigate (I've yet to see this and would think that any organization that constantly produced dangerous patches / replacement packages would find their user base fleeing to another distribution).
I guess I should consider myself lucky.
Total/Unique
Nimda hits: 6213/134
CodeRed hits: 76/76
Damn annoying, though.
-- Will program for bandwidth
That stands for "You have been trolled".
The perl script is a troll, it won't work, I can't believe this got modded up.
Unfortunately, if vigilant admins set up their severs properly -- i.e., disable unused script mappings (like I did ;-), this never would have happened, bug or no bug, worm or no worm.
Yeah, that's fine and dandy for those who don't need the IDA, et all mappings; but what of those people who DO use them?! You know, a lot of those corporate servers that were hacked had those script mappings set for a reason, i.e. they were using them.
That's great that you knew better than to keep the default script mappings, but what about people who needed them?? It would have been a lot nicer if Microsoft had written a secure server in the first place instead. Even the most vigilant sysadmin would still get infected running IIS if he needed to use the IDQ & IDA mappings. In short, don't blame the sysadmin, because it's not always their fault.
Did it occur to you that maybe you should connect the box to the Internet as the LAST STEP? - AFTER the server is configured and PATCHED?
Perhaps that should be obvious to an experienced sysadmin, but most installers of Windows 2000 won't have a clue about such precautions. The intelligent thing for Microsoft to have done is not had IIS turned on by default. This is especially obvious when you consider how many of the Code Red hits you get come from people who obviously don't even use the IIS that's running on their box.
Since Microsoft is aiming their software at clueless users who can't be bothered to secure their machines, Microsoft needs to ensure that their software is secure out of the box.
Hey kids, there's only 5 days left 'til Yak Shaving Day!
Fifteen years ago we knew that Sun insisted on shipping SunOS with a "+" in
In the real world you have a checklist of things that must be done and things that must be changed before the box can put into production especially on the the big bad Internet. In our company, where the NT operations MCSE staff are not exactly the brightest thinkers, we have a standard Windows 2000 build document that has a security checklist and says to only install IIS if the box is going to be a web server. There ARE checkboxes in the custom install where you can deselect the install of IIS and other unneeded programs.
If you dare to draw a paycheck you SHOULD be a Professional. It's up to you to learn how a professional operates.
Ever dream you could fly? Get up from the Flight Sim. I Fly
You are assuming that all web apps are written using MS technologies...how about ColdFusion, Lotus Domino, etc? We have quite a mix of stuff, as our environment has evolved over the years...and there have definitely been hotfixes that have broken Domino.