Slashdot Mirror


1 Year Anniversary of Nimda Outbreak

dots and loops writes "Today marks one year to the date that the nimda worm began making its way across the Internet." Hey, speaking of hilarious worms, I'm still getting 5-10 klez virus's a day! Yay Security!

289 comments

  1. happy birthday by hikeran · · Score: 2, Funny

    happy birthday to nimda..

    happy birthday to nimda ..

    happy birthday you iis infecting worm...

    happy birthday to you...

    may you make anti virus vendors riiiiiiccchhh

  2. Still Going.... by DCheesi · · Score: 1

    Heh, my company network is still being swamped by NIMDA activity!

    1. Re:Still Going.... by Blkdeath · · Score: 1
      Our business website, the websites we host, as well as my personal (read: vanity) website are still being hit left, right, and centre.

      Is this a prequel to the one-year anniversary of 'bugtraq.c'? Will we see Apache servers still sploited next September, and still probing half the 'net for new potential victims?

      This only goes to strengthen my resolve that people should be licensed to use the Internet. Basic common sense and knowledge that product updates exist should top the list of test requirements.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    2. Re:Still Going.... by N3WBI3 · · Score: 1
      I still have a few troubled users who bring in floppies from home that are infected, but as we don't use IIS and all of our storage is SAMBA/NFS it's more of a novelty.

      What's really funny is another department of $Employer recently sent us one of their PC images to approve and it was loaded with nimda..

      --
    3. Re:Still Going.... by Anonymous Coward · · Score: 0

      True, thanks to there still being some people out there who can't be bothered to patch/don't realise they need to.

      Just today alone (20th September ) my server has had the Nimda worm attempt to connect from 7 different IPs, and it's still only 3pm.

      At least I'm running Linux and therefore using Apache not IIS (which the flaw is in) and Windows (which the cmd.exe file is only found on)... very little chance of infection then! Still, it's annoying when you try to read the logs. Thank god for 'grep -v "cmd\.exe"'.

      Wish many of these people would get round to checking if they're infected or not.

  3. One year, and still.. by molo · · Score: 3, Funny

    It's hard to believe that it's been one year and I'm still getting scans on my apache server. Are there really that many braindead admins??

    --
    Using your sig line to advertise for friends is lame.
    1. Re:One year, and still.. by digitalsushi · · Score: 3, Insightful

      But how many of these machines are run by admins? (definition of admin being a professional)

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    2. Re:One year, and still.. by Bob+C.+Cock · · Score: 1

      I was pretty braindead after working 12-18 hour days for a week straight trying to clean up that mess.

    3. Re:One year, and still.. by N3WBI3 · · Score: 1
      I find its really helpful that I let all of my users know that if I have to I will reimage their computers, thus forcing them to store all data on the NFS/Samba server.

      Doing this not only makes recovering from a major virus hit a matter of taking one PC off the network, restoring the standard image (then updating that image to be safe, and imaging the 'new' standard image), and restoring that image to users' PCs (or if you have the $$, the terminal server you should be using). This policy also protects you from users who spill soda/coffee/gasoline on their desktop, and makes it easy to recover data a sudden ex-employee decides to delete/alter (if you back up your server).

      --
    4. Re:One year, and still.. by ryanr · · Score: 2

      Nimda also spreads via e-mail, file shares, etc... so it's much more than just machines with administrators that get infected. That's one of the big reasons for Nimda's "success".

    5. Re:One year, and still.. by jsse · · Score: 2

      I'm not kidding, the expectations of an MS admin can be as low as:

      1) Keep the services that should run running (even if it's already owned, as long as nothing is being defaced...)
      2) Keep up to the latest service patches (okay, if it's not the latest, the next latest)
      3) The server will crash and blue-screen occasionally (maybe due to some exception in a virus); just reboot it, case closed.
      4) The server will be mysteriously getting slower and slower (due to unhandled Code Red, e.g.). Ask for more RAM, extra disk and extra CPU, or even a newer server.

      I.e., no need to scan security news, no need to tune the system, no need to perform any housekeeping tasks, no scary log files to be seen....

      I haven't seen one exception among them so far.

    6. Re:One year, and still.. by suicidal · · Score: 0, Offtopic

      I hate it when my users are spilling gasoline on their desktops. So far they've alway forgotten the matches. Whew!

    7. Re:One year, and still.. by N3WBI3 · · Score: 2

      I had to put that in there because even with developers you never know ;). I had a developer spill half a bag of Domino sugar *INSIDE* his computer....

      --
    8. Re:One year, and still.. by nayrbmai · · Score: 0

      I just fired 3 of them.... And I've only been here 2 days.... 1600 employees with Masters and I had 3 admins that thought IIS and "I'll fix it with more ram" would be just fine.... Their response was, "How were we supposed to know". Man-alive. Any Apache Admins want a job?? I'm sick of people buying into swiss cheese (iis).

    9. Re:One year, and still.. by vadim_t · · Score: 1

      There aren't that many possible security exploits. For example, the most common buffer overflows probably can be fixed simply by installing the grsecurity patch. Other errors such as letting people execute stuff by using stuff like "cgi.pl?file=foo;rm -rf /" are also widely known. If suddenly everybody started attacking Linux we'd have a hard time for a while, but most of that would get patched really quickly.

      Besides, from what I've heard, even FreeBSD gets quite a lot of break in attempts, and I wouldn't say it's very popular.

    10. Re:One year, and still.. by Hassan79 · · Score: 1
      Remember that Apache has a higher market share than IIS, according to NetCraft, but fewer security problems. See the list of unpatched IE vulnerabilities. See Microsoft developers confess that Outlook Express is so broken that its flaws are unfixable. See this interview (old, but still interesting) with Bill Gates to get an idea about the level of contempt M$ has for its customers.

      Being a Unix admin just requires a higher level of understanding what's going on in your computer, so, Unix admins are usually smarter than their Windows colleagues. Exceptions may occur.

      --

      Don't drink and su! antidisestablishmentariazationally
    11. Re:One year, and still.. by Anonymous Coward · · Score: 0

      Are you new to Linux?

    12. Re:One year, and still.. by frank_adrian314159 · · Score: 4, Insightful
      It's hard to believe that it's been one year and I'm still getting scans on my apache server. Are there really that many braindead admins??

      Actually, almost all of mine are coming from individual subscribers coming through big DSL-/Cable-based ISP's like RoadRunner, SW Bell, etc. For each incident, I fire off E-Mail to their security departments, giving times, IP's, etc. (I have a set of log scanning scripts that generate them automatically. How's that for geekiness? No, you can't have them. They suck. That's high in geek factor, too :-). I've seen NO action taken by them. What a bunch of lamers. Do they really think their customers want to be infected and spew out into the net? The issue is that, really, as long as that $50/mo. comes in, they don't give a rat's ass.

      The smaller DSL ISP's are usually on the job, though. They give me a small amount of hope.

      --
      That is all.
    13. Re:One year, and still.. by vadim_t · · Score: 1

      No, been using it for several years, why do you ask?

    14. Re:One year, and still.. by Anonymous Coward · · Score: 0

      Sure, I'll do apache admin. Check out my resume

    15. Re:One year, and still.. by jasonisgodzilla · · Score: 0

      You point out IIS and Outlook Express. I am a Windows admin, and I agree that these are both pieces of shit. Outlook Express is a memory hog and executes and/or forwards every piece of malicious code passed to it. As for IIS, it's insecure because its default configuration is insecure and it is active by default. This has nothing to do with Windows. These are separate applications. So to say that Linux is better than Windows because Apache is better than IIS is like saying that a Chevy car is better than a Ford because it has Michelin tires instead of Firestone. You don't have to run IIS or Outlook Express to run or administer a Windows platform. In most corporate environments web serving is a very minimal part of the overall environment. I really don't see what the hell Apache being better than IIS has to do with Windows versus Linux. To say that a Linux admin has to know more about the low level functions of the system in order to administer it is also a false assumption. Having to compile something every 3 days doesn't mean you know any more about mem allocation, processor priorities, etc than someone who doesn't. People claim Windows crashes a lot. Yes it does. Most of the time a simple reboot will fix the problem. When Linux crashes however, code has to be recompiled etc. Linux crashes a lot more than you guys would like people to know. A former roommate of mine was a Linux guru who had written and had published multiple books about Linux and his system crashed constantly. I myself run it from time to time and experience the same amount of problems that I do with Windows. I think Windows gets a rap for crashing more, because stupid-ass people buy it and try and run it. If these same people tried to run Linux the output would be the same. I think that there are merits to both OS's and I think intelligent people use a mix of the two, but to say a Linux admin is "smarter than a dumb ass Windows admin" is a gross overstatement.
      It could also be that your hiring managers at your companies are morons and your HR doesn't have a clue so they hire paper tigers and you get screwed over, but you can't apply that experience to a whole group of professionals.

  4. Yeah by eamber · · Score: 2, Funny

    I work for a school district, and I swear, everyone pronounces it nimBA - it drives me crazy.

    Anyway, yeah, last year around this time was fun. Thanks for dredging up those memories.

  5. Nimda by Anonymous Coward · · Score: 2, Insightful
    Of course, the patch to fix the security problem was out months beforehand but lazy sysadmins just didn't update their systems.

    That's what you linux guys say every time there is an Apache worm, isn't it? Let's be consistent, shall we?

    1. Re:Nimda by Anonymous Coward · · Score: 0

      I don't think the infection rate of the Apache/OpenSSL worm will ever, even at its peak, approach the numbers that Nimda has. Get back to me about how stupid Linux admins are AFTER you have some numbers. The number of probes I get for this Apache/OpenSSL worm is still lower than the current rate of Nimda probes.

    2. Re:Nimda by Mandi+Walls · · Score: 5, Interesting
      See F-Secure for the current infection of the slapper worm, 5 days after discovery. Infected servers: < 14,000 total, according to them.

      Now, this report from Sep. 21, 2001 reports 1.3 million infected NIMDA servers.

      Help me out here.

      Where is the comparison? I'm still wading through NIMDA/Code Red requests on my webservers, looking for any sign that those servers have been poked by slapper infected servers. No dice so far.

      Slapper is generating panic because it's got a peer to peer network on the backend, not because it's actually been able to infect a lot of servers. Can you imagine what would happen if someone wanted to start a p2p network on the NIMDA/Code Red infected servers that are still online now? To say NOTHING of the 1.3 million and up that were infected originally.

      Slapper is a silly excuse for some "Open Source Sucks" journalism, not a reason to head for the hills and unplug the router.

      So here you go:
      [chastise]
      Oh, you lazy stupid 14,000 linux/apache admins! patch your servers!
      [/chastise]
      [screaming rant]
      it's been a year! get that "guy who knows computers" who put that shiatty NT server on the net for you to get back in your office and put some patches on it! give him a beer for pete's sake!
      [/screaming rant]

      Thank you.
      --mandi

    3. Re:Nimda by Anonymous Coward · · Score: 0

      Fixed months beforehand? What were you smoking?
      Their first patch was incomplete, and when some people who applied it were found to be getting owned anyway, they ended up releasing an updated patch (days after the exploit was running rampant). If I recall, they had at least 3 iterations of that patch before they got it close enough to stop nimda.

    4. Re:Nimda by Anonymous Coward · · Score: 0

      If you mean Slapper, for example, scroll down in that page and look at how the worm was almost killed after 3 days. Although no system can ever be totally secure (except dead systems) it seems that linux machines are much easier to clean up and patch than Windows machines.

    5. Re:Nimda by Anonymous Coward · · Score: 0

      We are consistent. Windoze and its proponents can lick my balls and I will consistently say that.

  6. our office got it. by snatchitup · · Score: 4, Funny

    We had just brought in a bunch of dot-com reject sys admins.

    Suddenly you hear everyone talking about the NAMBLA virus. Seriously, it was a spoonerism, or whatever. But everyone was running around blaming NAMBLA. Finally we realized it was NIMDA.

    Turns out there was a dude that got smoked out because he had kiddie porn on his PC. We just fired him.
    But if it weren't for this virus, we wouldn't have had the witch hunt that found this perv.

  7. 5-10? by \\ · · Score: 1

    i WISH i was getting 5-10. i'm still getting 50-70 a day, after peaking at ~100.

    1. Re:5-10? by Neon+Spiral+Injector · · Score: 2

      I get none. Why don't people have virus filters on their e-mail servers?

      Exim + Exiscan = Bliss.

    2. Re:5-10? by Anonymous Coward · · Score: 0, Informative

      stats for a central server handling about 1000 email addresses over about a week (sendmail-milter/amavis/sophos):

      Virus: W32/Klez-H found 476 times (68 %)
      Virus: W32/Yaha-E found 99 times (14 %)
      Virus: W32/Sircam-A found 86 times (12 %)
      Virus: W32/Magistr-B found 16 times (2 %)
      Virus: W95/CIH-10xx found 3 times ( <1 %)
      Virus: W32/Nimda-A found 3 times ( <1 %)
      Virus: W32/Yaha-D found 1 times ( <1 %)
      Virus: W32/ElKern-A found 1 times ( <1 %)
      Virus: VBS/Redlof-A found 2 times ( <1 %)
      Virus: W32/Cervivec-A found 1 times ( <1 %)
      Virus: W32/Hybris-C found 1 times ( <1 %)
      Virus: W32/Weird-10240 found 1 times ( <1 %)
      Virus: W32/Hybris-B found 2 times ( <1 %)
      Virus: W32/Klez-E found 1 times ( <1 %)

    3. Re:5-10? by N3WBI3 · · Score: 1

      ~100? Wow, you had it good. Every PC I had had got it (at the time 120 users), not to mention my (at the time) PC servers. Red Hat should throw Nimda a party; it gave me the leverage to move all data storage to their platform..

      --
    4. Re:5-10? by Dominic_Mazzoni · · Score: 2

      i WISH i was getting 5-10. i'm still getting 50-70 a day, after peaking at ~100.

      I'm getting somewhere between 10 and 20 Klez worms a day, too. Of course I filter them with procmail, but I'm paranoid and I send them to a separate mail folder.

      What's really annoying is the automatic mail I get from the few with-it ISPs out there who detect a Klez worm sent through their mail servers with my name on it!

      I've been collecting the mail headers, hoping to track down the worst offenders. So, is there a way to trace Klez, or are the headers forged so much that it's impossible to track? I haven't had any luck so far...

    5. Re:5-10? by Neon+Spiral+Injector · · Score: 2

      Yeah, that pisses me off. There is one local ISP that e-mails postmaster@domain-that-was-in-the-from for every virus it gets in the mail. I know the virus isn't coming from my server, cause as I said in another post I run Exiscan from within Exim. It is nice, it just closes the SMTP connection when a virus is detected with an error message.

    6. Re:5-10? by iceT · · Score: 2

      50 to 70 per day? Please!!!

      Over 2200 various and sundry Windows virii/worms hits since Monday.

      --
      -- You can't idiot-proof anything, because they're always coming out with better idiots.
    7. Re:5-10? by misfit13b · · Score: 1

      Really? Oh crap, sorry about that. I'll go patch up that server tomorrow, I promise. It's just that it's been really busy around here lately and I have to go pick up my son at school...

    8. Re:5-10? by GCU+Friendly+Fire · · Score: 1
      I get none. Why don't people have virus filters on their e-mail servers?

      Who needs a virus filter to deal with worms? Just don't permit email clients to execute code.

    9. Re:5-10? by siskbc · · Score: 1

      The variants I've seen do not successfully forge the headers, only the "from" field. I've used the header to track it back to friends of mine who have me in their Outlook addy book.

      One of my solutions has been to only make friends with people who don't use Outlook. ;)

      --

      -Looking for a job as a materials chemist or multivariat

    10. Re:5-10? by compwizrd · · Score: 2

      What's wrong with the Return-Path: in the headers?

      Works just fine here.

    11. Re:5-10? by SCHecklerX · · Score: 2

      Because I don't run a 'virus filter' on my web server.

    12. Re:5-10? by Anonymous Coward · · Score: 0

      You pussy. Every PC I had had got it plus a lot more I didn't have have. This one-upsmanship makes me want to throw up.

    13. Re:5-10? by Jonathan+the+Nerd · · Score: 1

      Lucky. I only got one copy of Nimda, and I've never gotten any other email viruses. Nobody loves me enough to send me viruses. :-(

      --
      Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
    14. Re:5-10? by Stephen+Samuel · · Score: 2
      I generally check the 'Received' headers... The box that my ISP received the message from is (as far as I'm concerned) the responsible box. That's who I send my complaint emails to.

      I just start with the ISP, and then I either use the reverse DNS, or do a traceroute (mtr) to find the responsible ISP for that IP.

      For web probes, I use a script on my linux box that auto-mails the responsible ISP. I think I'm down to 2 or 3 probes a day, now.

      --
      Free Software: Like love, it grows best when given away.
    15. Re:5-10? by Neon+Spiral+Injector · · Score: 2

      Well if the "5-10" in the subject wasn't enough for you, quoting CmdrTaco, "I'm still getting 5-10 klez virus's a day!"

      This thread was about Taco always complaining about the number of viruses he gets in his inbox. You'd think the person responsible for creating Slashdot would do something a little more proactive than complaining...or not.

    16. Re:5-10? by i+give+up+there+are · · Score: 1

      Believe it or not, the ones coming from AOL are easy. They have an "X-Apparently-From: " tag in the headers which, AFAICT, is accurate. I read somewhere (in the vast information pit that is usenet) that they come up with this by cross referencing the IP with the time sent. Seems reasonable.

      I've tracked down some others by noting the ISP in the received line, then looking for someone who would have both yours and the "from" address in their address book and uses that ISP. Won't work for big ones like Earthlink, but I was able to track down a couple of people using small providers.

  8. Still kicking by JediTrainer · · Score: 5, Informative

    If anybody is interested, I developed WormScan last year, which is a Java-based program (GPL) which can analyze your Apache log files for pretty much anything you want (just plug in your regular expressions). It detects Nimda and CR1+2 out of the box. It's easy to add your own entries to scan for.

    According to my logs (please be gentle), I've been hit 650 times yesterday.

    Shameless plug, yes. But it does the job and the users of WormScan seem to be pretty happy with it, judging from the emails I've gotten so far.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
    1. Re:Still kicking by fault0 · · Score: 2

      Yeah, I've gotten pretty much the same conclusions as you. Nimda is still very much alive, and codered(1/2) are practically dead.

    2. Re:Still kicking by caluml · · Score: 1

      Your box is going to die :))
      All those nice graphics, and lots of click-happy slashdotters.. ;)

    3. Re:Still kicking by JediTrainer · · Score: 1

      Your box is going to die :)

      Probably. Call me insane - it's a P75 on a cable modem. Won't take long :)

      --

      You can accomplish anything you set your mind to. The impossible just takes a little longer.
    4. Re:Still kicking by pclminion · · Score: 5, Funny
      If anybody is interested, I've developed WormScan [freshmeat.net] last year, which is a Java-based program (GPL) which can analyze your Apache log files for pretty much anything you want (just plug in your regular expressions).

      I think I've heard of a similar program before. I might have even used it... Hmm, what was that program?

      Oh, yeah! grep

      (sorry man, I'm just pokin' fun)

    5. Re:Still kicking by laserjet · · Score: 3, Funny

      Will you guys stop clicking his link? I am trying to download his program. Right now at a steady 0.6 KB/s because of all you bastards.

      He said be GENTLE. Usually slashdotters are really gentle with links to servers, but today, why must everyone be so rude? One at a time!

      Thanks.

      --
      Moon Macrosystems. Sun's biggest competitor.
    6. Re:Still kicking by JediTrainer · · Score: 2, Interesting

      (sorry man, I'm just pokin' fun)

      :) 'kay. Perhaps I should have mentioned that it's got lots more features than that... most notably the pretty reports with graphs and such.

      No offense taken... grep is what I used before I decided I wanted something that could make more sense visually.

      --

      You can accomplish anything you set your mind to. The impossible just takes a little longer.
    7. Re:Still kicking by jsse · · Score: 1

      According to my logs (please be gentle)

      Oh sure.

      /me brutally clicks away.

    8. Re:Still kicking by jsse · · Score: 1

      it's better than grep. If you care to click the link you'll see the report is very informative and graphical. I like it. :)

    9. Re:Still kicking by sheldon · · Score: 2

      Interesting... according to my stats I'm only getting around 5-8 hits per day on port 80. Far far less than I was receiving at this time last year.

    10. Re:Still kicking by Anonymous Coward · · Score: 0

      Please tell me that you've called a successful find "Wormsign"...

      --
      A Dune Fan.

    11. Re:Still kicking by Swaffs · · Score: 2

      I've heard of a similar program that's great for detecting these viruses. It's called Windows. Works every time.

      --

      --
      "Karma can only be portioned out by the cosmos." - Homer Simpson [1F10]

    12. Re:Still kicking by Anonymous Coward · · Score: 0

      > a similar program that's great for detecting these viruses. It's called Windows.

      I've heard of that. Apparently it works like flypaper. Any virus that touches it sticks like glue.

    13. Re:Still kicking by Anonymous Coward · · Score: 0

      I thought Windows was for testing viruses

    14. Re:Still kicking by digitalsushi · · Score: 2

      I got your grep GUI report right here :D (sh or bash)

      for IamElite in `grep winnt /var/log/httpd/access_log|awk '{print $1}'`;do echo -n \#;done

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
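The one-liner above, the 'grep -v "cmd\.exe"' trick earlier in the thread, and the "plug in your regular expressions" idea behind WormScan all do the same job: pick worm probes out of an Apache access log and count them. Here is that job as an added Python example; it is not code from the thread and not WormScan. It parses combined-format log lines, tags each request with the probe signatures the posters mention (cmd.exe, root.exe, directory traversal, and the Code Red default.ida request), counts probes per source IP, and also produces the "everything except the probes" view that grep -v was used for. The signature names and the sample log lines (RFC 5737 documentation addresses) are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic;
# the addresses are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2002:14:55:03 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
203.0.113.7 - - [20/Sep/2002:14:55:04 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
198.51.100.22 - - [20/Sep/2002:14:57:11 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 400 324 "-" "-"
192.0.2.44 - - [20/Sep/2002:15:01:40 +0100] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Sep/2002:15:02:09 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
"""

# host ident user [time] "method path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Signature names are my own; the request shapes are the ones the thread
# describes (Nimda's cmd.exe/root.exe requests, Code Red's default.ida).
SIGNATURES = {
    "nimda-cmd":   re.compile(r'/cmd\.exe', re.I),
    "nimda-root":  re.compile(r'/root\.exe', re.I),
    "traversal":   re.compile(r'(\.\./|%2e%2e|%255c|%c0%af)', re.I),
    "codered-ida": re.compile(r'/default\.ida', re.I),
}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Names of every signature the request path matches (empty if clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]


def scan(log_text):
    """Return (probes per source IP, hits per signature, total probe lines)."""
    per_ip, per_sig, probes = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["path"])
        if not tags:
            continue
        probes += 1
        per_ip[rec["ip"]] += 1
        per_sig.update(tags)
    return per_ip, per_sig, probes


def clean_view(log_text):
    """The lines that are not worm probes: the 'grep -v' view of the log."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and not classify(rec["path"]):
            out.append(line)
    return out


if __name__ == "__main__":
    per_ip, per_sig, probes = scan(SAMPLE_LOG)
    print(f"{probes} probe lines")
    for ip, n in per_ip.most_common():
        print(f"{ip:16} {'#' * n}")   # the same bar chart as the loop above
    for sig, n in per_sig.most_common():
        print(f"{sig:12} {n}")
```

The per-IP counter is what you would feed into the kind of abuse report frank_adrian314159 describes sending to the source's ISP; the per-signature counter is what tells you, as fault0 notes below, that Nimda traffic is still arriving while Code Red has mostly gone quiet.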
  9. Worm Birthdays? by Anonymous Coward · · Score: 1

    Will we be celebrating the birthday of the Linux/Apache/OpenSSL worm that's currently doing the rounds, next year?

    What's that, no you say?

    1. Re:Worm Birthdays? by N3WBI3 · · Score: 2, Insightful

      I'll tell you what, if the OpenSSL bug does one hundredth of the damage to network communication that nimda did I'll buy the cake..

      --
    2. Re:Worm Birthdays? by Mandi+Walls · · Score: 2
      Of course not.

      Why?

      Because the fewer than 14,000 servers infected with slapper are nothing compared to the infection of NIMDA and its derivatives.

      duh.

    3. Re:Worm Birthdays? by Chicks_Hate_Me · · Score: 1

      w3rd

    4. Re:Worm Birthdays? by Anonymous Coward · · Score: 0

      w3rd

      Shouldn't that be w31rd?

  10. stupid fuck by clinko · · Score: 0, Troll

    Stupid fuck, turn on your antivirus software and you won't be spreading it.

    "i'm still getting the clap!!! I guess i'll keep spreading it!! YEAH!"

    1. Re:stupid fuck by Meridun · · Score: 2
      I believe that Taco means he's still receiving copies of klez at a rate of 5-10 a day. Given that Klez typically runs its payload on Windows with the assistance of Outlook, I sort of doubt that he's spreading it as you seem to believe.


      Sadly, I completely understand his predicament, since I'm still receiving klez emails at about the same rate (which is one of the reasons I use Mozilla for email). Even worse, klez forges the FROM field through SMTP, so it's extremely difficult to tell who's infected. I get bounce messages all the time from people who think I'm infected, because of the header forging (I'm not; I checked the running processes, ran a virus scan, and ran netstat looking for unexpected connections).

    2. Re:stupid fuck by Anonymous Coward · · Score: 0

      Stupid fuck! If you reinstall Windoze all your updates go away. At least with Linux you install the most recent one and not 100 updates to get you back to sane. Whatever I install is going to have SSL patched, not 'unpatched and I have to pay Microwank a subscription so they can auto-update me'

    3. Re:stupid fuck by biohazard99 · · Score: 1

      I dunno, he did just bring up his new XP box for playing Neverwinter Nights and given the shape slash was in before the source was released, he could be that lazy.

  11. How to block Klez emails from my mailbox? by nis · · Score: 1

    Since Taco keeps mentioning it, and I believe I'm getting a lot of Klez messages too, does anyone here have any suggestions on how to stop these messages from appearing in my inbox?

    Thanks,

    -NiS

    1. Re:How to block Klez emails from my mailbox? by trazom28 · · Score: 1

      Uhh.. either a> filter them out with a rule or b> reply to the senders for a while, telling them they're sending you Klez. Takes a little effort..

      At least you're running an anti-virus program.. and it's current.. aren't you?

      --
      {} ------ When I think of a good sig, I'll put it here
    2. Re:How to block Klez emails from my mailbox? by Anonymous Coward · · Score: 0

      Visit all of your friends and relatives and quietly destroy their computers. Or at least install your favorite open source OS on their machines. It's the only way.

    3. Re:How to block Klez emails from my mailbox? by Draoi · · Score: 4, Informative
      Replying to the senders (the From: address) won't work, 'coz it's forged. Klez pulls email addresses from the victim's address book/inbox and uses them for the 'from'. You have to look deeper into the headers to find the culprit.

      Here's one I just got;

      From: webmaster <webmaster@msn.com>
      Date: Wed Sep 18, 2002 15:03:16 Europe/Dublin
      To: webmaster@christymoore.net
      Subject: User code here
      Return-Path: <tony_XXXXXXXX@oceanfree.net>
      Received: from bubble.oceanfree.net ([212.2.162.35]) by ddandd.com (8.11.6/8.11.6) with ESMTP id g8IEADp05002 for <webmaster@christymoore.net>; Wed, 18 Sep 2002 15:10:13 +0100
      Received: from [193.203.147.182] (helo=Qrxy) by bubble.oceanfree.net with smtp (Exim 3.33 #3) id 17rfQB-0002p3-00 for webmaster@christymoore.net; Wed, 18 Sep 2002 15:03:16 +0100
      Mime-Version: 1.0
      Content-Type: multipart/alternative; boundary=Z0z7O8r66243H01338eADBxj05jJ7LLMnHZ85
      Message-Id: <E17rfQB-0002p3-00@bubble.oceanfree.net>
      Status:
      Attachments: There is 1 attachment

      Do you think this was sent by webmaster@msn.com? (I hear the jokes now!). In this case, the Return-path actually contained the victim's full mail address, which I've mercifully blanked ...
      --
      Alison

      "It is a miracle that curiosity survives formal education." - Albert Einstein
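The header walk several posters describe by hand (start from the Received: line nearest the origin, take the IP your relay accepted the message from, and ignore the From: because Klez fills it from the victim's address book) as an added Python example; this is not a tool from the thread. It unfolds the headers, compares the From: address with the Return-Path:, and walks the Received: lines bottom-up so that the earliest hop, the box that handed the message to the first relay, is reported instead of the forged sender. The embedded headers are the ones from Draoi's post above, with the blanked Return-Path left blanked; the keys of the returned dict are my own names.

```python
import re

# Headers quoted in the post above (the victim's address is blanked there too).
SAMPLE_HEADERS = """\
From: webmaster <webmaster@msn.com>
Date: Wed Sep 18, 2002 15:03:16 Europe/Dublin
To: webmaster@christymoore.net
Subject: User code here
Return-Path: <tony_XXXXXXXX@oceanfree.net>
Received: from bubble.oceanfree.net ([212.2.162.35]) by ddandd.com (8.11.6/8.11.6) with ESMTP id g8IEADp05002 for <webmaster@christymoore.net>; Wed, 18 Sep 2002 15:10:13 +0100
Received: from [193.203.147.182] (helo=Qrxy) by bubble.oceanfree.net with smtp (Exim 3.33 #3) id 17rfQB-0002p3-00 for webmaster@christymoore.net; Wed, 18 Sep 2002 15:03:16 +0100
Mime-Version: 1.0
Message-Id: <E17rfQB-0002p3-00@bubble.oceanfree.net>
"""

IPV4 = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')
# "from HOST (comment)": the comment usually carries the literal IP or the HELO name.
RECEIVED_FROM = re.compile(r'^from\s+(?P<name>\S+)(?:\s+\((?P<paren>[^)]*)\))?', re.I)
ADDR = re.compile(r'<([^>]+)>|([\w.+-]+@[\w.-]+)')


def unfold(raw):
    """(name, value) pairs in header order, with folded continuation lines joined."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (' ', '\t') and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + ' ' + line.strip())
        elif ':' in line:
            name, _, value = line.partition(':')
            fields.append((name.strip().lower(), value.strip()))
    return fields


def address(value):
    """The bare e-mail address inside a From:/Return-Path: value, lower-cased."""
    m = ADDR.search(value or '')
    return (m.group(1) or m.group(2)).lower() if m else None


def hops(fields):
    """Received: hops oldest first: each relay prepends its line, so the bottom one is the origin."""
    chain = []
    for name, value in reversed(fields):
        if name != 'received':
            continue
        m = RECEIVED_FROM.match(value)
        if not m:
            continue
        text = m.group('name') + ' ' + (m.group('paren') or '')
        ip = IPV4.search(text)
        chain.append({'host': m.group('name').strip('[]'),
                      'ip': ip.group(0) if ip else None})
    return chain


def trace(raw):
    """Summarise who really injected the message and whether the visible From: agrees."""
    fields = unfold(raw)
    first = {}
    for name, value in fields:
        first.setdefault(name, value)       # first occurrence wins, as a reader sees it
    chain = hops(fields)
    sender = address(first.get('from'))
    envelope = address(first.get('return-path'))
    return {
        'from': sender,
        'return_path': envelope,
        'envelope_mismatch': sender != envelope,
        'origin_ip': chain[0]['ip'] if chain else None,
        'first_relay': chain[1]['host'] if len(chain) > 1 else None,
        'hops': chain,
    }


if __name__ == '__main__':
    for key, value in trace(SAMPLE_HEADERS).items():
        print(f'{key:18} {value}')
```

On the sample, the From: says msn.com but the envelope sender is an oceanfree.net customer and the origin hop is a dial-up address that introduced itself with a random HELO name; the complaint goes to the operator of that origin IP (or of bubble.oceanfree.net, the first relay), never to the From: domain. Only the Received: line written by your own server is trustworthy; lines below it can be forged by the sender, which is why the earliest hop should be sanity-checked against the relay that accepted it.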

    4. Re:How to block Klez emails from my mailbox? by Anonymous Coward · · Score: 0

      I don't believe responding to the senders will necessarily work with klez. Many strains of klez grab a random email address from the infected computer's contact list and insert it into the "sent" field of the email, which causes a great deal of confusion. After several people I know became infected with klez I got an angry email from someone saying that I sent them a virus, and also I've gotten several automated mail server responses telling me my messages have been rejected because they are infected with klez. I don't use Outlook, and just to be safe, I scanned my computer with the klez removal tool available free from symantec, and I've never been infected with klez. Very nasty, since it's the first virus that's ever affected me without even infecting my computer. What a headache.

    5. Re:How to block Klez emails from my mailbox? by laserjet · · Score: 2

      What filter would you use? I use an online email client(not hotmail), and I know it is klez because of the large message size, but how do you filter it out? Usually there is nothing in the body of the message, and the subject seems random.

      --
      Moon Macrosystems. Sun's biggest competitor.
    6. Re:How to block Klez emails from my mailbox? by Anonymous Coward · · Score: 0

      Use procmail to delete klez:

      # Body-matching recipe (B flag): any message whose body carries this
      # base64 fragment of the Klez attachment is delivered to /dev/null.
      :0 B
      * ^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE$
      /dev/null

      /Tony
      tony@svanstrom.com
      www.svanstrom.com
      PS there are _NO_ spaces in that long line...

    7. Re:How to block Klez emails from my mailbox? by Herkum01 · · Score: 1

      You mean it wasn't from MSN?

    8. Re:How to block Klez emails from my mailbox? by Anonymous Coward · · Score: 0

      Absolutely, you start getting reject notices and then suddenly someone you've never heard of is calling you an asshole for sending them a virus. It took me a week to get that guy to back down. Klez infects more than just computers, it is a social disruption vector.

  12. Slapper by Dynamoo · · Score: 3, Informative
    Aww heck I hadn't realised Nimda was a year old.. maybe it's not a coincidence that Slapper is gearing up a huge P2P Apache-based worm for something.. maybe today?

    Where did I put my hard hat? I think I might be needing it.

    --
    Never email donotemail@WeAreSpammers.com
  13. Speeking of worms and virii by sjwt · · Score: 1

    It would be nice for my ISP to be putting out a little helpful info with the linux worm, like they do with every MS infection that comes along..

    Is there any major ISP that takes Linux seriously?

    i dont think theres any out hear in .au

    --
    You have 5 Moderator Points!
    Which Helpless Linux zealot/MS basher do you want to mod down today?
    1. Re:Speeking of worms and virii by intermodal · · Score: 2

      ISPs don't want to take Linux seriously for one large reason: it makes setting up a server affordable. They don't want you setting up a server, they want you to pay to use theirs, and to use less bandwidth all around so they can make more money off you. Hell, just installing Debian asks you for a domain name for the box to be part of. You think ISPs want to help support user-box subdomains, or explain to a user that they won't help them with it? I didn't think so. Anyway, yeah...UNIX is powerful. ISPs desire sheep users as clientele, not technocrats and l33t h4x0rZ. Stereotypes, I know, but that's how business works. Sucks, don't it?

      --
      In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
    2. Re:Speeking of worms and virii by Anonymous Coward · · Score: 0

      There's fuck all in the UK. I'm with Blueyonder and every time I need tech support to reconnect my cable modem I have to swap a Windoze 98 Hard drive into my firewall so they can talk me through winipcfg and what Internet Explorer thinks my cable modem settings are. Yeesh!

    3. Re:Speeking of worms and virii by mwjlewis · · Score: 1

      Yes, Speakeasy. They are a Linux shop.

      --
      www.oobersworld.com - For those that ride.
    4. Re:Speeking of worms and virii by mwjlewis · · Score: 1

      Speakeasy. Sorry, the link didn't work the first time.

      --
      www.oobersworld.com - For those that ride.
    5. Re:Speeking of worms and virii by Anonymous Coward · · Score: 0

      Preview, dumbass... not Submit.

  14. Nimbda? by Second_Derivative · · Score: 3, Insightful

    I'm still getting nailed by Code Red. Weird how something can survive for two years without touching a single permanent storage device.

    1. Re:Nimbda? by Anonymous Coward · · Score: 1, Insightful

      Heh, that made me think about how it's more alive than most of the attempts at AI that have been made.

  15. Nimda Fraud by Anonymous Coward · · Score: 2, Insightful

    Nimda 0|/\|Nz j00 !

    No really, it's a brilliant little virus. I am sure a lot of unscrupulous people made a lot of money from that one. Think about it, any unsecured server with this virus broadcasts this fact to the whole world!

    Just backtrack to the broadcasting computer, and you can own it in 5 minutes. I shudder to think of all the financial information that was made available from this virus.

    With Windows 2000 and XP still insecure, we just need to wait for Nimda 2 and really make some money =-)

  16. Slashdot uptime = 1 year by msheppard · · Score: 5, Funny

    And it's probably no coincidence that slashdot stats report 365days uptime today.

    M@

    --
    Krispy Cream is people
    1. Re:Slashdot uptime = 1 year by Anonymous Coward · · Score: 1, Interesting

      Is there some website that has information on websites (apache vs iis, uptime, etc) that I don't know about? Could you post a link? TIA

    2. Re:Slashdot uptime = 1 year by Anonymous Coward · · Score: 0

      netcraft
      netcraft
      netcraft

    3. Re:Slashdot uptime = 1 year by ethereal · · Score: 1

      You can find uptime info for popular sites via www.netcraft.com.

      --

      Your right to not believe: Americans United for Separation of Church and

    4. Re:Slashdot uptime = 1 year by msheppard · · Score: 2

      Slashdot stats are available on the main Slashdot page, I believe. You might need to be logged in and have it selected to display.

      M@

      --
      Krispy Cream is people
    5. Re:Slashdot uptime = 1 year by Anonymous Coward · · Score: 0

      except netcraft's uptime detection technique wraps around after a few hundred days for most OSes, which makes IRIX and *BSD look far better than they actually are.

  17. NIMDA the sysadmins friend :-s a little anecdote by fruey · · Score: 5, Interesting
    Oh... first of all, it's viruses. Not virus's... what the hell is that?

    I was working on a project to set up a proxy (Squid, in fact) for an educational institution here in Morocco. If you think US sysadmins could get some clue, think again. I noted they were running NT Workstation Service Pack 3 (lol) and I was already sweating. I set the proxy up as the gateway, to make it transparent, and started the service. Within 10 minutes the log file had grown massive. I tweaked a few params, and then left it running, saying I'd come back the next day.

    The client calls me first thing, saying my proxy is shit, doesn't work, etc. I turn up in a panic, thinking I'd messed something simple up. Then it dawned on me... it seems most of the hosts on the network were infected with Nimda (amongst other things). The logfile had exceeded 2 GB and had crashed the service (it had filled the /var partition completely). It was logging 100 Nimda scans a second.

    This was just about 3 months ago. The sysadmin didn't even really know how her DHCP server worked, and had no service packs anywhere. The only reason SP3 was in some places was because the NT CD had been bought just before Win2K came out, and SP3 was bundled with a sticker "make sure you install this too".

    Explaining to the client that all the hosts were infected, that they seriously needed an antivirus solution, and that all machines would have to be taken offline (they had public IPs for chrissakes) until the disinfection was finished was a tough thing to do without just flaming that person, I assure you. We did get them sorted out in the end, but somehow they still think my proxy isn't worth shit :-(

    --
    Conversion Rate Optimisation French / English consultant
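    The anecdote above (a transparent Squid proxy logging 100 Nimda scans a second until the log filled /var) is the case where the proxy log itself is the detector: the infected internal hosts are the clients issuing the probes. The following is an added example, not code from the original post or from Squid, that reads Squid native-format access.log lines, tags the publicly documented Nimda and Code Red probe URLs, and lists the clients responsible so they can be taken offline and disinfected. The log lines are constructed samples using documentation address ranges; nothing in them is from the thread.

```python
"""Identify worm-scanning clients in Squid native access.log lines.
Added example with constructed sample data; probe strings are the
publicly documented Nimda / Code Red request patterns, used for detection."""
import re
from collections import Counter

# Nimda probes for root.exe / cmd.exe through the IIS traversal encodings;
# Code Red hits default.ida. Detection signatures only.
PROBES = [
    ("Nimda", re.compile(r"root\.exe|cmd\.exe|\.\.%5c|\.\.%255c|\.\.%c0%af|\.\.%c1%9c", re.I)),
    ("Code Red", re.compile(r"/default\.ida", re.I)),
]


def parse_line(line):
    """Squid native format: time elapsed client code/status bytes method URL ..."""
    fields = line.split()
    if len(fields) < 7:
        return None  # truncated or foreign line; caller counts it as skipped
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    return {"ts": ts, "client": fields[2], "method": fields[5], "url": fields[6]}


def classify_url(url):
    """Return the worm family a request looks like, or None for normal traffic."""
    for family, pattern in PROBES:
        if pattern.search(url):
            return family
    return None


def summarize(lines):
    """Count probes per client and per family, and estimate the scan rate."""
    per_client, per_family = Counter(), Counter()
    first = last = None
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        family = classify_url(rec["url"])
        if family is None:
            continue
        per_client[rec["client"]] += 1
        per_family[family] += 1
        first = rec["ts"] if first is None else min(first, rec["ts"])
        last = rec["ts"] if last is None else max(last, rec["ts"])
    total = sum(per_family.values())
    span = (last - first) if total else 0.0
    return {
        "per_client": per_client,
        "per_family": per_family,
        "total": total,
        # With all probes in one instant there is no span; report the raw count.
        "scans_per_second": total / span if span > 0 else float(total),
        "skipped": skipped,
    }


def flagged_hosts(summary, threshold=2):
    """Clients that sent at least `threshold` probes: the disinfection list."""
    return sorted(ip for ip, n in summary["per_client"].items() if n >= threshold)


# Constructed sample log: two infected internal clients, one normal user,
# one truncated line. Squid's native field order is preserved.
SAMPLE_LOG = """\
1032530400.101     12 192.0.2.10 TCP_MISS/404 340 GET http://203.0.113.5/scripts/root.exe?/c+dir - DIRECT/203.0.113.5 text/html
1032530400.150      9 192.0.2.10 TCP_MISS/404 340 GET http://203.0.113.5/MSADC/root.exe?/c+dir - DIRECT/203.0.113.5 text/html
1032530400.410     11 192.0.2.11 TCP_MISS/404 340 GET http://203.0.113.5/scripts/..%5c../winnt/system32/cmd.exe?/c+dir - DIRECT/203.0.113.5 text/html
1032530400.620     10 192.0.2.10 TCP_MISS/404 340 GET http://203.0.113.5/c/winnt/system32/cmd.exe?/c+dir - DIRECT/203.0.113.5 text/html
1032530400.900    220 192.0.2.20 TCP_MISS/200 5120 GET http://www.example.test/index.html - DIRECT/198.51.100.7 text/html
1032530401.050      8 192.0.2.11 TCP_MISS/404 340 GET http://203.0.113.5/default.ida?XXXXXXXXXXXXXXXX - DIRECT/203.0.113.5 text/html
1032530401.100 truncated line
""".splitlines()

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary["total"], "probes,", round(summary["scans_per_second"], 1), "per second")
    print("families:", dict(summary["per_family"]))
    print("hosts to pull off the network:", flagged_hosts(summary))
```

    Run it over a rotated copy of access.log rather than the live file; at the rate described above, the next step after identifying the hosts is capping or rotating the log so the partition does not fill again while the cleanup is under way.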
  18. Hrm by Alizarin+Erythrosin · · Score: 3, Insightful

    Why is it every time there's an addendum or update on a worm/virus report that Taco hasta remind us how much crap mail he gets?

    --
    There are only 10 kinds of people in this world... those who understand binary and those who don't
    1. Re:Hrm by Anonymous Coward · · Score: 0

      Because he's a bitch. Isn't that obvious.

      It could be worse, though; he could be michael.

    2. Re:Hrm by Evro · · Score: 1

      I know. I think he must literally be a retard if he can't set up his mail server to deny files with virus attachments. I assume Slashdot is running their own mailserver, so install noattach, a milter for sendmail, and set it to deny any mail that has an attachment that ends in any of the extensions listed here. I mean, do you really need to get .exes and .pifs mailed to you? If you run your own mail server and are still getting virus attachments, the fault is your own. I never touched sendmail before in my life, and I had sendmail+noattach running in a day, plus spam blockage courtesy of spamhaus.org.

      --
      rooooar
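      The procmail body match posted earlier in this thread and the noattach-style extension blocking suggested here are two halves of one gateway check. The following is an added example, not the thread's recipe, noattach, or any sendmail milter code: it parses a raw message with Python's email package, refuses the attachment extensions named in the thread plus a few of the same kind, matches the Klez base64 signature line against the raw message the way procmail does, and reports why a message was rejected. The three sample messages are constructed; only the signature line comes from the thread.

```python
"""Reject mail carrying a dangerous attachment or a known malware body line.
Added example; sample messages are constructed for illustration."""
import email
import os
import re
from email import policy

# Extensions refused outright: the .exe/.pif kinds the thread names, plus
# other directly executable types of the same era.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com", ".vbs"}

# The base64 line the thread's procmail recipe anchors on (stray space removed,
# as its author notes). Matched against the raw message, so it fires whichever
# MIME part carries the encoded payload.
KLEZ_BODY_SIGNATURE = re.compile(
    r"^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE$",
    re.MULTILINE,
)


def blocked_attachments(msg):
    """Filenames of parts whose final extension is on the block list."""
    hits = []
    for part in msg.walk():
        filename = part.get_filename()  # Content-Disposition, else Content-Type name=
        if not filename:
            continue
        # splitext keeps only the last suffix, so "invoice.pdf.exe" is still caught.
        if os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def body_signature_hit(raw):
    """True when some line of the raw message is exactly the Klez signature line."""
    return KLEZ_BODY_SIGNATURE.search(raw) is not None


def classify(raw):
    """Accept/reject verdict for one raw RFC 822 message, with the reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = [f"attachment {name}" for name in blocked_attachments(msg)]
    if body_signature_hit(raw):
        reasons.append("body matches Klez signature")
    return {"verdict": "reject" if reasons else "accept", "reasons": reasons}


# Constructed sample: a double-extension executable attachment.
SAMPLE_EXE = "\n".join([
    "From: sender@example.test",
    "To: postmaster@example.test",
    "Subject: your document",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "Please open the attached file.",
    "--b1",
    'Content-Type: application/octet-stream; name="invoice.pdf.exe"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="invoice.pdf.exe"',
    "",
    "Q29uc3RydWN0ZWQgc2FtcGxlIGJ5dGVz",
    "--b1--",
    "",
])

# Constructed sample: a harmless-looking .txt attachment whose encoded body
# begins with the Klez signature line, so only the body match catches it.
SAMPLE_KLEZ = "\n".join([
    "From: random.contact@example.test",
    "To: postmaster@example.test",
    "Subject: Hi",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b2"',
    "",
    "--b2",
    'Content-Type: application/octet-stream; name="notes.txt"',
    "Content-Transfer-Encoding: base64",
    "",
    "135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE",
    "--b2--",
    "",
])

# Constructed sample: plain text, nothing to object to.
SAMPLE_CLEAN = "\n".join([
    "From: colleague@example.test",
    "To: postmaster@example.test",
    "Subject: lunch",
    "",
    "Noon?",
    "",
])

if __name__ == "__main__":
    for label, raw in [("exe", SAMPLE_EXE), ("klez", SAMPLE_KLEZ), ("clean", SAMPLE_CLEAN)]:
        print(label, classify(raw))
```

      The extension check is the cheap, general half (it needs no signature update); the body match is the precise half for the one worm that is flooding the mailbox. Keeping the two separate in the report makes it easy to see which rule a rejected message tripped.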
    3. Re:Hrm by Blkdeath · · Score: 1

      I know. I think he must literally be a retard if he can't set up his mail server to deny files with virus attachments.

      Didja ever stop to think that perhaps he's grep'ing his procmail.log?

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    4. Re:Hrm by Evro · · Score: 1

      Honestly, no, because of the way he's whined about the tons of spam he's had to delete in the past (which, granted, may have made it past his filters). But point taken.

      --
      rooooar
  19. 100nix?? by saphena · · Score: 2

    What about Linux/Slapper then?

  20. As usual...Unbiased News for the masses... by GiorgioG · · Score: 1, Troll

    Taco can't help himself but bash Microsoft. Will we see a 1 year anniversary of Apache & Mozilla bugs/Linux Worms?

    1. Re:As usual...Unbiased News for the masses... by Anonymous Coward · · Score: 0

      Well, how much does a licensed copy of Apache cost? How about Mozilla? How about Linux?

      Go out and pay for a Microsoft product if you think they are such good value for money.

      Nobody is forcing you to use free software - if you don't like it, PAY for an alternative, (which will almost certainly be inferior anyway).

    2. Re:As usual...Unbiased News for the masses... by /dev/trash · · Score: 1

      I'll say: most probably. The vulnerability has been out for how many months? It's been fixed for how many? Yet it's still in the wild.

    3. Re:As usual...Unbiased News for the masses... by Dokta_C · · Score: 0, Troll

      It's not news for the masses, it's for nerds, a subset of the masses.

      I'm hoping I've been trolled.

    4. Re:As usual...Unbiased News for the masses... by mojowantshappy · · Score: 0

      Don't fear the penguin!

      --

      This page was generated by a Barrel of Circus Midgets, and that is the way I like it!!!

    5. Re:As usual...Unbiased News for the masses... by Anonymous Coward · · Score: 0

      If and only if Slapper does as much damage as Nimda will /. celebrate the anniversary of Slapper. But we all KNOW that will not be the case, so NO, /. will not have a 1 year party for Slapper. Bitch.

      Nimda entered a network through IIS but then spread internally via several mechanisms and thus affected a much broader range of systems than Slapper EVER will. We will continue to bash Microsoft until Microsoft gets its act together.

    6. Re:As usual...Unbiased News for the masses... by Anonymous Coward · · Score: 1, Interesting

      Will we see a 1 year anniversary of Apache & Mozilla bugs/Linux Worms

      One year ago today, I woke up to the sound of my pager screaming that several of my WAN segments were down.

      I rush off to one of the sites, to discover that the link is still up, but latency is through the roof, because we're being bombarded with network traffic. I think, who would want to DDoS a school district? (And only on port 80.)

      So until I can figure out where the attack is coming from, I shut down inbound port 80 at the perimeter (which pisses off most of the teachers, as most of the web servers are used to distribute assignments), and head to the office to trace down where the attack might be coming from.

      I check my email, and see reports that there is a worm responsible. The teachers are pissed that they have to find another way to distribute their assignments, but slowly things return to normal, and eventually the blocks can be removed.

      None of the servers at the schools were vulnerable to Nimda, but it took out our network for the better part of a day, and caused untold havoc.

      ----------------------

      Fast forward to last week - Slapper was released, and I found out about it by reading Bugtraq - I've checked the logs, but the number of hits we get for it is minimal. None of our servers are vulnerable to that either.

      A week later, and Slapper is still a non-issue for us.

      If Slapper ever causes the same amount of downtime as Nimda, I'm sure that we'll see a 1 year anniversary for it, too. But I don't really think it will happen. Not because it's not MS, but because it's a non-issue.

    7. Re:As usual...Unbiased News for the masses... by Anonymous Coward · · Score: 0

      That's cos it's hiding on r00ters!
      Check your r00ter!

  21. The most long-lived virus/worm/trojan? by burgburgburg · · Score: 4, Interesting
    CmdrTaco writes that he's still getting multiple Klez viruses after all this time. That begs the question: what has been the most long-lived virus/worm/trojan so far?

    That question should probably be broken down into two parts: a) What virus/worm/trojan, as originally written, has been present in the wild for the longest? b) What virus/worm/trojan, through slight adjustment, has been able to keep coming back, infecting and reinfecting, for the longest?

    1. Re:The most long-lived virus/worm/trojan? by mblase · · Score: 4, Funny

      That begs the question: what has been the most long-lived virus/worm/trojan so far?

      That's easy -- MAKE MONEY FAST!

    2. Re:The most long-lived virus/worm/trojan? by gyratedotorg · · Score: 0, Offtopic

      FWD: FUNNY JOKES!!!!!!

      --
      Gyrate Dot Org - "Where high-tech meets low-life"
    3. Re:The most long-lived virus/worm/trojan? by gmuslera · · Score: 1

      With enough spread and enough clueless users, you can suppose that a lot of really old viruses are around (at least, the ones without timebombs, or that don't break things badly enough to stop working altogether after a long time). So active boot infectors can probably still be found in old PCs and floppies, for example.

      But still widely replicating by email? Well, at least I'm still receiving Hybris every week.

    4. Re:The most long-lived virus/worm/trojan? by Telastyn · · Score: 4, Funny

      a: Outlook
      b: Win95-ME

      Note: I am an NT admin in trade, and make such comments (mostly) in jest.

    5. Re:The most long-lived virus/worm/trojan? by shepherd_97850 · · Score: 2, Informative

      Here is some data from an ISP mail server (out of 384k delivered messages): 0.41% of all mail traffic was the Klez virus.

      Top 10 viri by messages (percentage by delivered messages):
      1144 (0.41) W32/Klez.h@MM
      83 (0.03) W32/Nimda.htm
      40 (0.01) W32/SirCam@MM
      33 (0.01) W32/Magistr.b@MM
      30 (0.01) W32/Hybris.gen@MM
      23 (0.01) W32/Yaha.g@MM

    6. Re:The most long-lived virus/worm/trojan? by Anonymous Coward · · Score: 0

      DOS

    7. Re:The most long-lived virus/worm/trojan? by Anonymous Coward · · Score: 0

      OMG u r so funny LOL.

      I wish I could be as original as you and make fun of Microsoft.

      You are truly the king of comedy. No, really, I mean it.

    8. Re:The most long-lived virus/worm/trojan? by shepherd_97850 · · Score: 1

      Here is a better formatted list.

      top 10 Viri by messages (percentage by delivered messages)
      1144 ( 0.41) W32/Klez.h@MM
      83 ( 0.03) W32/Nimda.htm
      40 ( 0.01) W32/SirCam@MM
      33 ( 0.01) W32/Magistr.b@MM
      30 ( 0.01) W32/Hybris.gen@MM
      23 ( 0.01) W32/Yaha.g@MM

    9. Re:The most long-lived virus/worm/trojan? by David+Gerard · · Score: 2
      That begs the question: what has been the most long-lived virus/worm/trojan so far?

      So how's Happy99.exe going these days? The little turd was very much alive and well by the end of 2000 ...

      --
      http://rocknerd.co.uk
    10. Re:The most long-lived virus/worm/trojan? by Anonymous Coward · · Score: 0

      UNIX

    11. Re:The most long-lived virus/worm/trojan? by Anonymous Coward · · Score: 0

      your dna.

    12. Re:The most long-lived virus/worm/trojan? by KnightStalker · · Score: 2

      I'd be willing to bet it's something like ANTICMOS, at least where Win95 is still afflicting users.

      --
      * And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
    13. Re:The most long-lived virus/worm/trojan? by FattMattP · · Score: 2

      That isn't what begging the question means. Read up: http://skepdic.com/begging.html

      --
      Prevent email address forgery. Publish SPF records for y
    14. Re:The most long-lived virus/worm/trojan? by Anonymous Coward · · Score: 0

      c-brain

    15. Re:The most long-lived virus/worm/trojan? by Verence · · Score: 1

      The HyperCard XMAS virus. That always gave me a chuckle.

      --

      ... that's all i wrote...
    16. Re:The most long-lived virus/worm/trojan? by Anonymous Coward · · Score: 0

      Arnold says: "Shut up! Shut up, shut up!"

    17. Re:The most long-lived virus/worm/trojan? by Anonymous Coward · · Score: 0

      > That begs the question: what has been the most long-lived virus/worm/trojan so far?

      Begging the Question (some more)

    18. Re:The most long-lived virus/worm/trojan? by sympleko · · Score: 1

      what has been the most long-lived virus/worm/trojan so far?

      That would the e-mail warning you about the "Good Times" virus.

    19. Re:The most long-lived virus/worm/trojan? by Anonymous Coward · · Score: 0

      I wish I had the amount of time on my hands you do. I mean, it must have taken *years* of hard work for you to become as mind-bogglingly stupid as you are today.

    20. Re:The most long-lived virus/worm/trojan? by Jonathan+the+Nerd · · Score: 1

      I still have at least one floppy that's infected with ANTICMOS. I got hit with it back in 1994 or so, and we scanned and cleaned our computer and all the floppies we could remember using, but there's one floppy I never did scan because I never used it again, and I'm quite sure it's still infected.

      --
      Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
  22. "Many Happy Returns" by dskoll · · Score: 2, Funny

    Aha... Now I understand the meaning of that phrase...

  23. Re:security? by Anonymous Coward · · Score: 0

    I've got mail! I've got mail! I've got mail! YAAAAAAAAAAAAAAAAAAAAY!!!

  24. Re:NIMDA the sysadmins friend :-s a little anecdot by unicron · · Score: 1

    Virii.

    Peg: Look Al, Elvii!

    --
    Finally, math books without any of that base 6 crap in them.
  25. Re:The Nimda *linux* connection by Anonymous Coward · · Score: 0

    You mean like Perl, C++...
    Don't forget those bastards that run *BSD.

  26. A limerick suiting this topic... by Chagatai · · Score: 5, Funny
    Nimda, Klez, and Red
    Whilst fornicating in bed
    Felt something new
    Saying, "Melissa, is that you?"
    And found Bill Gates naked, instead.

    --
    --Chag
  27. virae by Raven42rac · · Score: 1

    I send you this file in order to have your advice.

    --
    I hate sigs.
  28. Re:our office got it. by SmlFreshwaterBuffalo · · Score: 1, Offtopic

    Hmm...Am I the only one who finds it ironic that both the North American Man-Boy Love Association (NAMBLA) and kiddie porn are mentioned in the same post?

  29. Ahh the memories... by mrgrey · · Score: 2, Interesting

    I work in a rather large school district and we run 6+ Netware servers and only 2 NT servers, not because we want to run NT, just because some software requires it. Anyways, we run Norton's Corporate Virus Scanner on a couple of the Netware boxes and they scan every file that comes through the network and beep if the file is infected. So I'm sitting in a lab and I'm looking through some folders on the network and I'm seeing tons of these .elm files and such. I ask another tech what was up. He didn't know. I walk into the server room and all I hear is BEEEEEEEP BEEP BEEEEP BEEP BEEP etc etc. At this point I concluded that we were screwed. I do some quick research and discover nimd@. Oh, joy, it infects mapped drives. Good thing we have mapped drives in EVERY login script. Crap... Quickly log in and start doing recursive deletions of .elm and etc files that nimd@ creates. Then we spend the weekend running a nimd@ cleaner on every machine in the district (1000+). All the while that was going on our NT boxes were attacking 5-6 other districts' NT boxes and their boxes were attacking ours. It was a joyous occasion...

    --
    -Tolerate my intolerance
    1. Re:Ahh the memories... by Suppafly · · Score: 2

      Its .eml not .elm ..

    2. Re:Ahh the memories... by mrgrey · · Score: 1

      Ahh, yes, you're right. I have had a year to forget.

      --
      -Tolerate my intolerance
    3. Re:Ahh the memories... by No-op · · Score: 2

      pull the network cable out ?

      an hour of downtime might have saved you the hassle there...

      I know that I was watching all the silly hits, but security holes that allow arbitrary execution of code on a target are bad... that is, in fact, what patches are for, and the MS security mailing list helps :)

      --
      EOM
    4. Re:Ahh the memories... by mrgrey · · Score: 1

      Our main sysadmin was on vacation at the time nimd@ struck. Our Netware servers were getting flooded with files from the virus but they weren't spreading it. We updated our NT boxes as soon as we could, but those initial hours were full of confusion. We weren't really sure what was going on at first, but we were able to remove infected files from the servers at a pretty good rate. Pulling the cables would have been very bad for us since we have many people in the district working on things for the state and for them to lose information would have been bad. Even if we would have pulled the cables out on the servers we would have had at least 12hrs of downtime. Sure, we could patch our NT boxes in an hour, but removing the virus from over 1000 Windows boxes in a 10 mile radius takes a lot more time. Granted, not all 1000+ machines were infected; we weren't sure which ones were and which ones weren't.

      --
      -Tolerate my intolerance
    5. Re:Ahh the memories... by No-op · · Score: 2

      kinda makes you feel good that all our hard work in those times was recognized, right?

      "But how can it be a virus when it says it LOVES me?!?!?"

      --
      EOM
    6. Re:Ahh the memories... by mrgrey · · Score: 1

      Ha! Good joke. The only time we get recognized is when we get blamed for something not working....

      Overworked, underpaid in Michigan....

      --
      -Tolerate my intolerance
  30. And what are we doing today? by lamj · · Score: 2

    One year after Nimda. We are fighting the Slaper worm. Did anyone say Deja vu?

    Wonder what we are going to fight next year.

    1. Re:And what are we doing today? by Anonymous Coward · · Score: 0

      > One year after Nimda. We are fighting the Slaper(sic) worm [f-secure.com]. Did anyone say Deja vu?
      > Wonder what we are going to fight next year.

      Nimda and whatever Unix-attack-of-the-day-due-to-careless-admins occurs.

    2. Re:And what are we doing today? by Fjord · · Score: 2

      Nimda and whatever Unix-attack-of-the-day-due-to-careless-admins occurs.

      To be fair, according to the link, it took 3 days, not one, before the Slapper virus was removed from its network (it just shows how many hosts were on the P2P network it was setting up; there may still be infected hosts out there that have been blocked from the network, by a firewall, for example).

      --
      -no broken link
  31. Does this mean... by McFly69 · · Score: 2, Funny

    Does this mean I have to write another one?

    --
    NO! NO! Please don't mod me, I'm too young to die a troll. *click* Oh the pain, the pain...
    1. Re:Does this mean... by Darth+RadaR · · Score: 2

      Or at least put out a service pack. ;)

      --
      /*drunk.. fix later*/
  32. Cease and Desist by DrSkwid · · Score: 3, Funny
    Dear hikeran,

    It has come to our attention that you published a portion of our copyrighted material. Namely the lyrics to the popular [but copyrighted] song : 'Happy Birthday To You'.

    We would ask that you refrain from repeating this action and ask that you make the best effort to remove such violations made by you.

    Should this matter be brought before us again we will demand a license fee payable to Warner Brothers.

    The work has been subject to copyright laws since 1935 and doesn't expire until 2012.

    For more details see here

    Thank you,

    Daffy & The Guys

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    1. Re:Cease and Desist by queenb**ch · · Score: 1

      Hmm...let me think about this for a moment...

      You and your RIAA thugs can pucker up and kiss my pink little bootie.

      --
      HDGary secures my bank :/
    2. Re:Cease and Desist by MaximusPrime · · Score: 1

      Hmm...let me think about this for a moment

      You should have taken more time...

  33. *obvious* by fussman · · Score: 1

    Everyone knows Anti-Virus software makers produce viruses when they feel they need a jump in sales.

    --
    Support Israeli punk bands. Man Alive.
  34. Hard to say... by NetJunkie · · Score: 2

    We occasionally get all sorts of old viruses hitting our AV system on the mail server. Some, like the Snow White one, are very old. We don't see them every day, but we definitely see them a few times per year.

    Klez is definitely still going strong. We see 5 to 8 of those per day. We're not even a big shop (180 users).

    1. Re:Hard to say... by Anonymous Coward · · Score: 0

      I work for a Canadian ISP's helldesk. We still get quite a few Klez calls per week, although they are slowing down a bit.

    2. Re:Hard to say... by doomdog · · Score: 1

      >> I work for a Canadian ISP's helldesk

      Stressed out a little at work, eh?

  35. Sad news ... Stephen King dead at 54 by Anonymous Coward · · Score: 0
    I just heard some sad news on talk radio - Horror/Sci Fi writer Stephen King was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.

    1. Re:Sad news ... Stephen King dead at 54 by Anonymous Coward · · Score: 0

      This *is* sad news. He had just come out with a new novel (called "Buick 8" or something like that.) I wonder if he has anything else written and waiting for publication so that it can be put out posthumously?

      CNN doesn't have anything about this. Did you hear what the cause of death was (i.e., accident, disease, something more sinister?)

      I was already having a bad day, this is going to make it much worse. :(

    2. Re:Sad news ... Stephen King dead at 54 by Anonymous Coward · · Score: 0

      Anna Nicole Smith suffocated him by sitting on his face...

  36. Why Sourceforge is down? by Anonymous Coward · · Score: 0

    Excuse me for possible offtopic. Does anyone know what happened with Sourceforge? www.sf.net is down ...

  37. Re:our office got it. by Anonymous Coward · · Score: 0

    Ironic? What do you mean ironic?

  38. Re:our office got it. by eam · · Score: 1

    Yes you are.

  39. Re:NIMDA the sysadmins friend :-s a little anecdot by fruey · · Score: 2, Informative
    http://www.perl.com/language/misc/virus.html

    It's viruses.

    --
    Conversion Rate Optimisation French / English consultant
  40. Re:Speeking of worms and virii Troll by puto · · Score: 2

    Are you serious? The vast majority of ISPs are running some *NIX, and I would put a large percentage of that number as running Linux. I just switched a major site from a BSD host to a Linux box and we have seen no problems. And I am talking about 35 gigs of hosting.

    I am starting my own hosting company and my two servers are on Red Hat. There are thousands of little hosting companies that run Linux, and some large ones as well. Valueweb is switching from BSD to Linux and they're pretty big. Rackspace is a big Linux shop.

    Do ISPs take Linux seriously? Yeah, I'd say that is why they all use it.

    As for your ISP? Well, you are ultimately responsible for securing your own box. Windows, Linux, or whatever. Your ISP can issue warnings but if they are worth their salt they will protect you and themselves.

    You know I have ranted too much. Troll elsewhere.

    Puto

    --
    The Revolution Will Not Be Televised
  41. Re:our office got it. by slyxter · · Score: 1

    I loved the way it sent around cookies from job search websites. A couple of employees were fired because of that.

  42. Still getting hit by rossz · · Score: 5, Informative

    No doubt in celebration of the birthday, I got a number of nimda hits this morning.

    mount -t smbfs password= //xx.xx.xx.xx/C$ /mnt/dork
    vi /mnt/dork/boot.ini

    Change the boot delay to some huge number and the boot message to "Run a virus scanner, asshole".

    umount /mnt/dork

    --
    -- Will program for bandwidth
    1. Re:Still getting hit by Anonymous Coward · · Score: 0

      Nice!

    2. Re:Still getting hit by Anonymous Coward · · Score: 0
      I like putting:
      @c:\windows\command\fdisk /mbr
      into the autoexec.bat file of any dual boot windows box I find.

      Keeps that Lilo bootsector virus at bay. Make sure you do it to your box.
  43. Re:IIS encourages admins to be lazy by Anonymous Coward · · Score: 1, Insightful

    The problem is that IIS encourages lazy admins. After all, the main marketing behind IIS is that even a trained monkey can set up and administrate it. So most companies hire lazy idiots to save money, and don't bother with security. With Apache, you have to know what you are doing, making the issue of lazy and/or stupid administrators not much of a problem.

  44. still so much activity... by Ruliz+Galaxor · · Score: 1

    Strange that there is still so much Nimda activity. I have a scanner for the Unicode vulnerability, which can scan complete IP ranges, and I found almost no vulnerable servers in 4 months. But Nimda might use other vulnerabilities, of course.

    At least it seems most admins patched their servers... or they just use apache instead of iis :)

    sig(h)

  45. Nimda? by rlangis · · Score: 1

    I haven't ever seen this noted, so I'm going to say it, and risk the inevitable flames...

    Anyone else ever notice that Nimda = Admin spelled backwards?

    --
    GIR: I'm going to sing the Doom song now. Doom doom doom doom doom doom de-doom doom doom doom doom doom doom...
    1. Re:Nimda? by Anonymous Coward · · Score: 0

      Anyone else ever notice that Nimda = Admin spelled backwards?

      Wow, what are the odds!

      It's a pretty amazing coincidence that the guys who wrote the worm named "admin" backwards! I wonder if they knew?

      You remind me of the Friends episode where Phoebe says she's gonna get a tattoo of a lily, because her mother's name was Lilly - and Chandler replied "Wow, that's lucky - what if her name was Big Ugly Splotch?"

    2. Re:Nimda? by Suppafly · · Score: 2

      Anyone else ever notice that Nimda = Admin spelled backwards?

      That's not a coincidence.

    3. Re:Nimda? by Fjord · · Score: 1

      I had noticed it too. Kinda cute when you think about it.

      --
      -no broken link
  46. I Dumped OE by istartedi · · Score: 2

    I dumped OE because of Nimda. Yeah, there's a patch but I still haven't gone back and secured it. I switched to Pegasus. I hate Pegasus, but I guess not as much as I hate sending away for the patch.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    1. Re:I Dumped OE by Duckz · · Score: 1

      I've been using David Harris's Pegasus Mail program since late 1996 IIRC, it's been great.

      Why don't you support him, since he's been making Pegasus better and better all the time? It's only $29.95 for the manuals (in PDF format).

      --
      Todd

    2. Re:I Dumped OE by AceCaseOR · · Score: 0

      Switch to Eudora. It's not OE, and it's pretty user friendly. And you can get a free version (you just have to put up with very small advertisements in the lower left hand corner of the window).

      --
      Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
  47. A good use for web services... by sterno · · Score: 2

    Here's an idea for a web service. Have a query system over at one of the major security clearinghouses that can be queried remotely by an application. Then have an application that runs on your system that periodically scans your system for files that are potentially at risk due to the latest security vulnerability.

    Right now, the problem is that vendors will release information specific to their platform, but then if you download anything outside that platform, you are possibly putting yourself at risk unless you actively keep track of each piece of software. If you install enough software this becomes a tremendous pain.

    This way, if there's a possible problem, you get alerted to it, can review the related security advisory, and then easily download the patches for it. That could really trim down on the severity of worm outbreaks I suspect.

    --
    This sig has been temporarily disconnected or is no longer in service
  48. Klez programmed to go off September 13 by Anonymous Coward · · Score: 2, Informative

    The reason why Klez and its variants are still going strong now is because they are programmed to commence 'attacking' on September 13 (among other dates). Lots of systems were infected, but because the virus was dormant, they were undetected. Since September 13, Klez has been in full force.

  49. How hard would it be ... ? by adipocere · · Score: 2, Interesting
    To write some kind of module for Apache to correct this. It wasn't hard to write a module, apparently, that e-mailed the sysadmin in question and said, hey, you're infected. Do something about it, Bozo!

    What about a module that detected Nimda, Code Red, whatever attacks, then just attacked back? On attacking back, it uses the very same security holes (I think four of them) through which these worms propagate to issue a shutdown on the system and change the registry key for the startup text to say, "Hey, you're infected by Nimda, fix this now, download this."

    Actually, rather than a shutdown, which may just restart some servers, it should issue a big fat SYSTEM HALT with a notice of infection. "Oh, yeah, we've changed your administrator password to XYZZY, too. A registry key has been added such that, if an attack is detected from your machine a second time, FORMATTING OF YOUR HARD DRIVE WILL OCCUR." Probably get someone's attention.

    Yeah, this wouldn't be particularly legal, but it isn't as if Nimda logs what targets it is attacking. Just leave up a few boxes running this and the infection would drop dramatically.

    1. Re:How hard would it be ... ? by PenguinRadio · · Score: 2

      Why not just fix the machine? Isn't there a simple fix that could be sent to their machine and run, thus cleaning things up for them? Didn't someone try this?

    2. Re:How hard would it be ... ? by kc0dby · · Score: 2, Insightful

      Actually, you could look at these viruses as more of a protocol than a virus. When the other user initiates the connection, you can simply send a series of 'response' packets to verify that you received the request for a connection. If their computer doesn't know how to handle the 'response' and does something silly like crash, well, that just means they need to update the driver they have for that 'protocol'. I mean, the guy who wrote that version they are running now must have been crazy! It's practically a virus!

      --
      I apparently forgot that sig != uptime...
    3. Re:How hard would it be ... ? by Restil · · Score: 2

      It might not be legal in the sense that you "attack back" the infected server. However, if you set up a webpage that people go to in order to "fix" their infected computers, and that page just so happens to be named one of the files that the worms are attempting to access...

      In the past, I've seen pages that would allow you to test your system to see if you were vulnerable to the various nuke programs (winnuke, teardrop, etc), of the sort "if you get this message, that means you're still operational, and you're not vulnerable"

      So set up a page, explain exactly what it will do, and include on there a link to the script that will "fix" the client computer. If people come along, access my server, and my server does exactly what they requested it to do.... how grey is the legal area?

      Of course, it's probably still illegal, since nobody "authorized" the activity, but it might be less shaky legal ground. If you don't want my webserver fixing your computer, then don't access it. Dunno.

      -Restil

      --
      Play with my webcams and lights here
    4. Re:How hard would it be ... ? by Blkdeath · · Score: 1
      "Give a man a fish and he will eat for a day. Teach a man to fish, and he will eat for the rest of his life."

      (Apologies, etc..)

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    5. Re:How hard would it be ... ? by joshki · · Score: 2

      This was discussed in great detail and at length in the original threads about Nimda a year ago. I think the general conclusion of the community (if you can really say there was one) was that the legal risk (at least for those of us in the states) was too high to do it.

      --
      I do not read or respond to AC's. If you want a discussion, log in. Otherwise, don't waste your time.
  50. calendar by Ruliz+Galaxor · · Score: 1

    Wow! We should get a calendar with all anniversaries of viruses, so we can celebrate Anna Kournikova's birthday!
    Err... the virus, of course ;)

    sig(h)

  51. While your post is informative, your comment.. by Genjurosan · · Score: 0, Offtopic

    about "US" sysadmins is uncalled for. Perhaps if the HR department of the educational institution wasn't so gullible, they wouldn't have hired incompetent sysadmins. Your dislike for anything "US" shows by your broad statement. Does your use of the word "they" encompass 2 maybe 3 sysadmins? I'm sure that "they" represent .0000000000000001% of all sysadmins that hold US citizenship.

    Yes my post is flame bait, sorry.. but I don't think the last post deserves a 5, perhaps a 3-4 since sys-admin skill has NOTHING to do with citizenship. Perhaps making broad uneducated comments about the people of Morocco will get my post modded up.

    1. Re:While your post is informative, your comment.. by fruey · · Score: 1
      Excuse me... I am not saying that US sysadmins do not have a clue. I was saying that IF you think (which I don't) that US sysadmins don't have a clue (and this is possible for some of the /. readership who seem to think no-one has a clue except them) then you should see Moroccan sysadmins. That's all.

      Sorry if you misunderstood me. I have a lot of respect for a number of US sysadmins who I meet on mailing lists and have often saved my bacon.

      There are some good admins here too, but they often don't have a solid MIT education etc and are not as used to using the Internet as the wonderful resource that it is, or have to share a crappy 64kbps connection with 50 other users.

      --
      Conversion Rate Optimisation French / English consultant
    2. Re:While your post is informative, your comment.. by nexthec · · Score: 1

      Dude, relax, he wasn't ripping on US admins. He was... nevermind... you don't want to understand, you'd rather be ignorant.

    3. Re:While your post is informative, your comment.. by TheShadow · · Score: 0, Offtopic

      Top 3 /. pastimes:

      3. Posting links to pictures of some guy's stretched anus. (goatse.cx)
      2. Making fun of Microsoft products.
      1. Making fun of stupid Americans.

      Wow... we have some really creative people around here.

      --

      --
      "What do you want me to do? Whack a guy? Off a guy? Whack off a guy? Cause I'm married."
    4. Re:While your post is informative, your comment.. by Blkdeath · · Score: 1
      If I didn't understand the crux of a vocal minority, I'd really start to buy into the American persecution complex theories.

      Long story short; since /. is based in North America, and many of the stories tend to relate to .COM's and other North-American companies / corporations, most of the talk is therefore about (you guessed it) US systems administrators. The poster was clearly giving an "If you think $SITUATION_1 is bad, $SITUATION_2 will blow your mind!"

      If anything, Moroccans should be offended at his insidious remark about the horrible sysadmins over there.</SARCASM>

      Now step down from that horse of yours and join the rest of us, won't you?

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    5. Re:While your post is informative, your comment.. by Anonymous Coward · · Score: 0

      lol what a dick. Insecure about something, aren't you? Is it that "NT for dummies" book in your pocket?

  52. Re:NIMDA the sysadmins friend :-s a little anecdot by Tregod · · Score: 1

    as long as someones wrong, we are all happy :)

  53. The solution by Mr_Silver · · Score: 3, Insightful
    It would appear that Taco doesn't read postings on Slashdot, even the ones modded +5.

    Anyway, here it is again for Taco:

    Put this in your .procmailrc file:

    :0 B
    * Content-Disposition: attachment
    * name=.*\.(com|exe|pif|scr|bat|lnk|shf|vbs)
    {
    # Stick it somewhere
    :0 B:
    /dev/null
    }

    Of course, this is a bit drastic by throwing every file that ends in that type into the bin, so you may want to replace it with something like /home/username/mail/viruses

    Finally (and this bit is especially for Taco) you will probably need to have a .forward file with the following in it:

    |/usr/bin/procmail

    Once you've done that, then finally we'll never hear again from you how many viruses a day you can get.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
    1. Re:The solution by coyote1 · · Score: 1

      This one works better I think...

      # Klez worm procmail filter - courtesy of www.shove-it.com :0 B
      * ^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi 0SODIlEjwyLRI4IiUSPCItE$
      klez/ /dev/null

      --
      Eat Lamb, 1 million coyotes can't be wrong
    2. Re:The solution by coyote1 · · Score: 1

      Let me try this again...


      # Klez worm procmail filter - courtesy of www.shove-it.com
      # (match on the body; the condition is one base64 line of the encoded worm)
      :0 B
      * ^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE$
      /dev/null

      --
      Eat Lamb, 1 million coyotes can't be wrong
    3. Re:The solution by Anonymous Coward · · Score: 0

      You are missing a few -- check SET PATHEXT on an NT box.

      There's of course still preview-pane attacks and so on.

    4. Re:The solution by Fjord · · Score: 1

      I'm guessing you didn't want that space in the string as well. It's put there to prevent widening the page (which makes it very annoying to read as you have to scroll back and forth).

      --
      -no broken link
    5. Re:The solution by SecretAsianMan · · Score: 2, Interesting
      Just a few small notes:
      • You may want to use H instead of B to deliver to the bit bucket. The header is likely to be smaller than the body, so using H can result in a much smaller write.
      • You don't need to put a second colon on that line, either. There's no reason to use locks when delivering to the bit bucket. I think procmail may even ignore this colon.
      • Maybe you should anchor the regular expressions to the beginning of the line.
      --

      Washington, DC: It's like Hollywood for ugly people.
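      The filtering that Mr_Silver's recipe and the follow-ups in this subthread describe (bin mail whose attachment carries an executable extension, extend the list with the NT PATHEXT entries, match the Klez body signature line), as an added Python example that is not from the original thread or from any of the posters. It parses the message with the standard library email module instead of a body regex, so it sees a part's declared filename whether it arrives in a Content-Disposition filename= parameter or only in a Content-Type name= parameter, and it checks the last extension case-insensitively so a double extension like report.txt.pif is caught. The extension list is the recipe's plus the remaining Windows 2000 default PATHEXT entries; the signature is the base64 line quoted above with Slashdot's inserted spaces removed; the three messages are constructed samples.

```python
import email
from email import policy

# Extensions from the procmail recipe above, plus the rest of the default
# PATHEXT list on Windows 2000 (cmd, vbe, js, jse, wsf, wsh), which is what
# the "check SET PATHEXT on an NT box" reply is pointing at.
BLOCKED_EXTENSIONS = frozenset({
    "com", "exe", "pif", "scr", "bat", "lnk", "shf", "vbs",
    "cmd", "vbe", "js", "jse", "wsf", "wsh",
})

# The Klez body signature quoted in the thread: one base64 line of the
# encoded attachment, with the spaces Slashdot inserted removed.
KLEZ_SIGNATURE = (
    "135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE"
)


def blocked_extension(filename):
    """True if the last extension of filename is on the block list.

    Checking the last extension, lower-cased, catches 'report.txt.pif'
    and 'README.TXT.EXE' alike.
    """
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS


def classify_message(raw):
    """Return ('quarantine', reasons) or ('deliver', []) for a raw message.

    raw is the full message text, as procmail would hand it to a recipe.
    """
    reasons = []

    # 1. Body signature check: the equivalent of the procmail 'B' condition,
    #    done on the raw (still base64-encoded) lines.
    if any(line.strip() == KLEZ_SIGNATURE for line in raw.splitlines()):
        reasons.append("body contains the Klez base64 signature line")

    # 2. Attachment name check on every MIME part.  get_filename() reads the
    #    Content-Disposition filename= parameter and falls back to the
    #    Content-Type name= parameter, so a part that carries only name=
    #    (no Content-Disposition header at all) is still caught.
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if name and blocked_extension(name):
            reasons.append(f"attachment {name!r} has a blocked extension")

    return ("quarantine", reasons) if reasons else ("deliver", [])


# Constructed sample messages (not real captures).
SAMPLE_INFECTED = """From: friend@example.com
To: taco@example.net
Subject: a funny game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Look at this!
--b1
Content-Type: application/octet-stream; name="game.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="game.pif"

135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE
--b1--
"""

# Attachment declared only through Content-Type name=, no Content-Disposition.
SAMPLE_NAME_ONLY = """From: friend@example.com
To: taco@example.net
Subject: readme
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: application/octet-stream; name="README.TXT.EXE"
Content-Transfer-Encoding: base64

QUJD
--b2--
"""

SAMPLE_CLEAN = """From: colleague@example.com
To: taco@example.net
Subject: minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain

Minutes attached.
--b3
Content-Type: text/plain; name="minutes.txt"
Content-Disposition: attachment; filename="minutes.txt"

Meeting at ten.
--b3--
"""

if __name__ == "__main__":
    for label, raw in (("infected", SAMPLE_INFECTED),
                       ("name-only", SAMPLE_NAME_ONLY),
                       ("clean", SAMPLE_CLEAN)):
        verdict, why = classify_message(raw)
        print(f"{label}: {verdict} {why}")
```

      Delivering the quarantined messages to a folder (the /home/username/mail/viruses idea above) rather than /dev/null keeps the false positives recoverable, which matters once the extension list grows beyond the obvious ones.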

    6. Re:The solution by Anonymous Coward · · Score: 0

      Taco's been quoted as saying he doesn't read the comments. He thinks people only care about the stories. Not that he'll spellcheck 'em or look for dupes....

  54. my update on nimda by valmont · · Score: 2
    Check out my /. journal for two articles I've posted: the first one about how to keep your Apache logs clean from codered/nimda queries, and a second one, posted a few months ago, which points you to a list of all unique codered/nimda queries I've received.

  55. Re:our office got it. by Anonymous Coward · · Score: 0

    Good job genius. Except it's not called irony if it's the entire F**king point

  56. not to get off subject... by Tregod · · Score: 1

    but i just happened to notice the slashdot stats (it's very rare i log in, anymore), it appears as though in a few hours slashdot will hit that 365 day uptime. congrats :)

  57. Re:Nimda The problem by Anonymous Coward · · Score: 1, Insightful

    is that, without knowing it, anybody that installed a Microsoft server OS was obliged to install IIS. It's part of the default install, and most MCSEs just say "what the heck, that would be so cool, to run a web server". So most don't even realize that they are running IIS. If they don't know, they don't patch. This IS an example of Microsoft featuritis. Customers demand it. Microsoft delivers. Unfortunately the customer tends to be a complete dumbass when it comes to security.

  58. reporting klez by Parsec · · Score: 2

    I've started reporting Klez to the site abuse mailboxes in the hopes they will do something about it. Just report it as you would a normal spam, but say it's a probable virus and give the IP address.

    I can't say they'll do anything, but it's better than doing nothing.

    1. Re:reporting klez by garcia · · Score: 2

      I report them several times a day. Does nothing. I still have people hitting my webserver (the same IPs).

    2. Re:reporting klez by Eric+Savage · · Score: 2, Informative

      You realize that Klez is a client virus right? Mailing abuse@ is only going to piss off the person reading and take time away from dealing with issues they have some control over.

      --

      This is not the greatest sig in the world, this is just a tribute.
    3. Re:reporting klez by leviramsey · · Score: 2, Informative

      It depends on the network you're emailing to. University IT departments, being knowledgeable, will tend to just immediately disable that computer's MAC address.

      For instance, UMass apparently tells the DHCP server to assign an IP address on one of the netblocks reserved for NAT and has the routers redirect any HTTP requests to a page saying that that computer's rights to access the network have been suspended and how to restore those rights (apply the patches, and inform the IT people, who presumably run a scan on your computer to determine whether you've patched).

    4. Re:reporting klez by Parsec · · Score: 2

      Yes. It's a client virus that harms both the network it's using and others' networks. I think abuse@ is the perfect group to deal with it.

      Besides, they are the ones with the tools at hand to track down who was using what IP at what time and notify them. Otherwise we wait until that user discovers they have 30 different viruses all competing for network time on their machine. That is how they can have control over this issue. The user doesn't have to be cut off, just informed.

      Also, by prefacing it with a little note like "probable virus at IP#", if they choose not to deal with it, it only takes them 4 seconds to read and delete.

  59. Re:NIMDA the sysadmins friend :-s a little anecdot by Brigadier · · Score: 2



    Here is my Nimda nightmare. I manage two offices, primarily CAD and graphics, both connected to the net via a T1. My local office sits behind a nice iptables firewall, with my patched and locked-down NT server serving one IP for VPN. The other office is managed by a consultant because I can't always get there as needed. Long story short, the server died (dead array), so after 12 hours of recovering the work I headed out, instructing the consultant to lock down the server (patch it, remove unneeded services, apply the lockdown patch, close unnecessary ports). Of course he didn't; in the space of 12 hours my entire network was filled with Nimda .eml and .nws files. Luckily that was the extent of the infection at that office. The server was a fresh install of W2K Server. Needless to say, the next few days were spent hand-picking corrupted files from the server. Before, I even thought Nimda was cute, but now it's hell's own scourge. I consistently e-mail ISPs notifying them of infected machines probing my network.

  60. Re:our office got it. by dohcvtec · · Score: 1

    Hmm... NAMBLA... perv... does your "office" happen to be a Catholic church? :)

    --
    -- Never hit a man with glasses. Hit him with a baseball bat.
  61. Macs by tral · · Score: 2

    If there is one thing a Mac is good for it is checking email.

    1. Re:Macs by Mononoke · · Score: 3, Funny
      Yup. Nimda: Just another app that won't run on Macs.

      I do like being able to safely open all the interesting attachments Klez sends me. Interesting and funny stuff in there from time to time.

      --
      NetInfo connection failed for server 127.0.0.1/local
    2. Re:Macs by Cubeman · · Score: 1

      One of the documents I've found was ironic in that it was a boy's report about biological viruses :)

  62. Nimda ISP warning program by Brigadier · · Score: 2

    http://www.treachery.net/~jdyson/earlybird/

    I received this link from a Linux group. It basically detects Nimda attacks on your Apache/Linux system, then attempts to e-mail the sysadmin of the ISP. It works great. It has spam potential, yes, but Nimda and the incompetent admins who incubate this virus on their systems need to be eradicated.

  63. Re:IIS encourages admins to be lazy by Malcolm+MacArthur · · Score: 1
    The other problem comes when you set up a new machine. So you install IIS on it ... which is unpatched as it comes out-of-the-box. Then you go off and download the patches... but by that time it's too late, and you've already been infected!

    If I recall correctly, this is one of the big reasons why Nimda still persists...

  64. Re:NIMDA the sysadmins friend :-s a little anecdot by unicron · · Score: 2

    Welcome to Slashdot, where the fight for the moral, cultural, technological, and sociological good is the driving force, paused only when it may cost one of us time or money.

    --
    Finally, math books without any of that base 6 crap in them.
  65. Hallmark? by Anonymous Coward · · Score: 0

    I want to know when Hallmark is going to start selling cards for occasions such as this... Happy Birthday !

    AC

  66. Re:NIMDA the sysadmins friend :-s a little anecdot by Ymerej · · Score: 1

    Oh... first of all, it's viruses. Not virus's... what the hell is that?

    Amen to that, brother!

  67. Re:NIMDA the sysadmins friend :-s a little anecdot by jsse · · Score: 2

    Yeah, even if you are the first hero who found the problem, you are the easy one to blame. Don't feel bad about it.

    Just for the sake of experience sharing: if keeping logs is not a requirement then I'll just turn them off or redirect them to null, unless you've got some measure for cleaning up the logs. Log files are always the bane of the lazy admin (and definitely not your fault). Turn off anything that they didn't ask for; there's no need to be your daddy's good boy in business.

    If keeping logs is a requirement? Easy, add up huge function points in the spec and charge more for services. Schedule extra time to test and teach the log keeping - and even more money will be charged.

    Those are the logs you asked me to look at; you shouldn't blame me for charging more.

  68. Re:NIMDA the sysadmins friend@@@@@@ by Anonymous Coward · · Score: 0

    Cheap admins are the MAJOR selling point for microsoft products. The salesman walks in and gives a spiel on how much money the company will save. The company hires a couple clueless MCSE and they set up the network. Only to find that the network is as secure as a lemonade stand in Harlem.

  69. Re:NIMDA the sysadmins friend :-s a little anecdot by fruey · · Score: 1

    Good point. In this particular case it wasn't practical because I was using the logs to run analysis on where people were surfing. However, in the end the logs just got purged every day I went in there and then I got my machine back and reinstalled it, since it was a demo box.

    --
    Conversion Rate Optimisation French / English consultant
  70. Re:our office got it. by Mononoke · · Score: 3, Funny
    Hmm...Am I the only one who finds it ironic that both the North American Man-Boy Love Association (NAMBLA) and kiddie porn are mentioned in the same post?
    Like rain on your wedding day?

    --
    NetInfo connection failed for server 127.0.0.1/local
  71. I still get 4000+ viruses/worms every single day by Anonymous Coward · · Score: 0
    I've got a similar procmail filter - it deletes all emails with an attachment.

    My procmail logs are rotated every day - with the result:

    Wed Sep 18 03:01:00 CDT 2002

        Total  Number  Folder
    ---------  ------  ------
    551259546    4027  /dev/null
     17420717    1635  /var/spool/mail/irt
    ---------  ------
    568680263    5662

    But the point is I still get them every single day

    Then out of the 1635 messages that get passed onto spamcop - about 1 or 2 are actually for me!

  72. Notify origins. by tandr · · Score: 0

    Maybe Taco should notify sysadmins from these networks that "something is wrong"? Or at least set some autoreply: "your mail is infected, cya later"?

  73. But which is the oldest? by burgburgburg · · Score: 1

    We know Nimda is a year old. When did the others first appear/get reported?

  74. As Ed Felten said... by MoonRider · · Score: 2, Insightful

    "Given the choice between dancing pigs and security people will choose dancing pigs every time."

    There'll be many "nimdas" yet to come...

  75. WormBlock by baerrs · · Score: 1

    I created WormBlock for my personal use (home); if you think you could benefit from it as well, then by all means use it.
    It will scan your logfiles and then block the Nimda/CodeRed I & II IPs via iptables.
    If you would like to have iptables block the infected IPs from ever reaching your Apache server, then try this out... WormBlock

  76. How many pc's are still getting infected daily? by The+Moving+Shadow · · Score: 1

    Okies, it's a sort of doom-sounding topic, "Nimda worm celebrates 1st birthday". But what I would think is interesting is whether the worm still infects as many servers as it used to? I bet - with all the patching of server software - it should have died out by now, more or less. Or is the world of system administrators turning slower than we all think?

  77. Checking pop3 via web just may save a network by 1155 · · Score: 1

    Personally, I would use mail2web.com to check incoming e-mail first to see if it's infected. That's just me though. popcorn (tinyapps.org) is cool for Windows use as well.

  78. Re:NIMDA the sysadmins friend :-s a little anecdot by jsse · · Score: 1

    In this case you can consider redirecting all the known virus entries into a separate file as a summary, e.g. virus.log -> 12 Sep 2002: code red 54 times, nimda... etc. That way you could keep a healthy and useful log base, until the next virus outbreak. :)
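    The log handling this subthread keeps coming back to (valmont's cleanup of codered/nimda queries, the earlybird and WormBlock posts that turn Apache log hits into ISP notifications or iptables drops, and jsse's per-day virus.log summary just above), as an added Python example that is not from the original thread, from the earlybird project or from WormBlock. It matches request paths against the well-known Code Red (/default.ida) and Nimda (root.exe, cmd.exe, and the %255c / %c0%af / %c1%1c / %c1%9c traversal encodings) probe patterns, keeps per-day counts and source addresses, and emits iptables DROP rules as strings for review rather than executing them. The log lines are constructed samples on documentation address ranges, not real probes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log format: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<date>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Probe signatures (well-known patterns; a plain Apache box answers them with 404).
SIGNATURES = (
    ("CodeRed", re.compile(r"^/default\.ida", re.I)),
    ("Nimda", re.compile(r"root\.exe|cmd\.exe|%255c|%c0%af|%c1%1c|%c1%9c", re.I)),
)

# Constructed sample log (documentation address ranges, not real probes).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Sep/2002:03:14:07 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 287',
    '192.0.2.10 - - [12/Sep/2002:03:14:09 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289',
    '198.51.100.7 - - [12/Sep/2002:11:02:33 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297',
    '198.51.100.7 - - [13/Sep/2002:11:02:35 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312',
    '203.0.113.5 - - [13/Sep/2002:12:00:00 -0500] "GET /index.html HTTP/1.1" 200 1043',
    'this line is not in log format and is skipped',
]


def classify(path):
    """Name of the worm whose probe pattern the request path matches, else None."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def scan_log(lines):
    """Build {date: {worm: {"hits": n, "ips": set}}} from access-log lines."""
    summary = defaultdict(lambda: defaultdict(lambda: {"hits": 0, "ips": set()}))
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue          # malformed line: skip it rather than abort the run
        worm = classify(m.group("path"))
        if worm is None:
            continue          # ordinary traffic stays in the normal log
        entry = summary[m.group("date")][worm]
        entry["hits"] += 1
        entry["ips"].add(m.group("ip"))
    return summary


def summary_lines(summary):
    """One line per day, in the style jsse suggests for a separate virus.log."""
    out = []
    for date in sorted(summary, key=lambda d: datetime.strptime(d, "%d/%b/%Y")):
        parts = [f"{worm} {e['hits']} hit(s) from {len(e['ips'])} host(s)"
                 for worm, e in sorted(summary[date].items())]
        out.append(f"{date}: " + "; ".join(parts))
    return out


def probing_hosts(summary):
    """Every source address that sent at least one worm probe, sorted."""
    ips = set()
    for per_worm in summary.values():
        for e in per_worm.values():
            ips |= e["ips"]
    return sorted(ips)


def iptables_rules(summary, chain="INPUT"):
    """DROP rules for the probing hosts, returned as strings for review (nothing is run)."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in probing_hosts(summary)]


if __name__ == "__main__":
    s = scan_log(SAMPLE_LOG)
    for line in summary_lines(s):
        print(line)
    for rule in iptables_rules(s):
        print(rule)
```

    The per-day summary is what keeps the real access log useful; the rule list is the WormBlock side of it, and because most probing hosts in 2002 were dial-ups on dynamic addresses (a point made further down the thread), any such list needs an expiry or it drops legitimate users a week later.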

  79. Cleared up by Genjurosan · · Score: 1

    All cleared up, the art of visual communication makes for many interpretations. Just re-read, "If you think US sysadmins could get some clue, think again." It's very easy to take that as a bash. I see your side of it.

    In summary, the other points you made are exactly the reasons why the anti-virus (viruses, not virii, is the correct plural form, as you said) software gurus stand to ALWAYS make money.

    1. Re:Cleared up by fruey · · Score: 1

      Cool. I hate getting flamed for something I just miswrote ;-)

      --
      Conversion Rate Optimisation French / English consultant
  80. Re:NIMDA the sysadmins friend :-s a little anecdot by Anonymous Coward · · Score: 0

    you mean "someone's"

    it's a contraction of "someone is" genius

  81. Re:IIS encourages admins to be lazy by Blkdeath · · Score: 1
    So you're running a newly installed machine, with IIS running, live on the Internet, and wonder how you ever got infected?

    Yeesh... My love for the status quo is ever unchanged.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  82. Taco's Klez complaints by quackPOT · · Score: 1
    Don't you have any SMTP level filtering?

    Get Mailscanner and set the virus notices to off, and you'll NEVER get another klez/sircam/et al bug/notice to your inbox ever again.

    Team it up with SpamAssassin and watch your spam counts plummet!

    1. Re:Taco's Klez complaints by Anonymous Coward · · Score: 0

      One problem with this is when our customers start complaining about false positives; if we even get one, they may well find somewhere else to host. The other major problem is if one virus does sneak through, wiping their files, after they've paid for an email system including virus scanning as a feature; then we are in a dodgy position wrt liability.

      If it's my personal mailserver, I'd probably use something like you mention; if it's a production box... forget it.

  83. Nimda Removal by Sufoog · · Score: 2, Interesting

    What are people's opinions on an anti-nimda client which when scanned by a nimda infected machine will use the Nimda exploits to remove Nimda from the attacking system?

    You could use the tftp client to download the M$ patches and on the condition they were non-interactive you could install them?

    I am under the impression this is highly illegal, but I am just about fed up with my Apache logs filling up! My ipchains DENY list is already quite excessive, as I have a program which denies a machine after it has scanned me. The only problem with this approach is the fact that most of these people are dialups with dynamic IPs, so I am not doing myself any favours except filtering out whole ISPs in a slow time.

    Thanks, Chris

  84. Re:NIMDA the sysadmins friend :-s a little anecdot by dmelomed · · Score: 1

    Why not simply use automatically rotated and sized logs, such as provided with "multilog"?

  85. Re:our office got it. by kev0153 · · Score: 1

    NAMBLA = National Association of Marlon Brando Look Alikes?

  86. Re:heh by Raven42rac · · Score: 1

    you people are dumb, does the name "sircam" ring any bells, no, obviously not.

    --
    I hate sigs.
  87. Or worse..... by snatchitup · · Score: 1, Offtopic

    "NAMBLA = National Association of Marlon Brando Look Alikes?"

    How about Kenny Rogers lookalikes

  88. Re:our office got it. by Anonymous Coward · · Score: 0

    You missed the point of the story entirely. Please go back to sleep.

  89. Phew by Anonymous Coward · · Score: 0

    If it weren't for witch hunts, where would we be?

  90. use calypso by Anonymous Coward · · Score: 0

    much better than pegasus.

    download from:
    http://www.tucows.com/preview/194171.html

  91. Hook. Line. Sinker. by Anonymous Coward · · Score: 0

    YHBT. I've seen this one on /. for at least several months. It's not funny anymore.

  92. Re:our office got it. by Stephen+Samuel · · Score: 2
    Hmm...Am I the only one who finds it ironic that both the North American Man-Boy Love Association (NAMBLA) and kiddie porn are mentioned in the same post?

    That's how they probably found the perv -- scanning files looking for the string NAMBLA, and they found these obscene text files... The rest, as they say, is history (much like the kiddie-porn ex-employee).

    --
    Free Software: Like love, it grows best when given away.
  93. Re:NIMDA the sysadmins friend :-s a little anecdot by Anonymous Coward · · Score: 0

    Oh... first of all, it's viruses. Not virus's... what the hell is that?

    Technically, I think it's virii. Not that anyone cares though (even me).

  94. Re:our office got it. (OT) by Stephen+Samuel · · Score: 1
    Like rain on your wedding day?

    I've always been of the opinion that that line was the result of self censorship... I think that it was originally

    getting laid on your wedding day
    But Alanis couldn't get it past the corporate censors.

    Most of the other 'ironic' occurrences have something good, and then a subscript saying why it was ironic. Rain on your wedding day doesn't fit that... it's in the wrong order. 'Rain' is also missing 2 syllables that had to be smoothed over by Alanis' warbling. 'Getting laid', on the other hand...

    (we now return you to your regularly scheduled program)

    --
    Free Software: Like love, it grows best when given away.
  95. Reverse It by shadex · · Score: 1

    What we need is a program that, when it gets hit by one of these, follows up by "infecting" the sending server with something that cleans it out. You already know it's most likely unpatched, so couldn't it be installed the same way the worm was in the first place?

  96. Re:our office got it. (OT) by Anonymous Coward · · Score: 1, Insightful

    > But Alanis couldn't get it past the corporate censors.

    ..as opposed to several of the lyrics of "You Oughta Know"?...

  97. Re:our office got it. (OT) by LinuxHam · · Score: 2

    But Alanis couldn't get it past the corporate censors

    Oh, but she got "will she go down on you in a theater" and "are you thinking of me when you f*ck her?" right past them...

    the "corporate censors" aren't as bad as you think.. (at least in this case).. you should try listening to Nick Cave's Murder Ballads sometime..

    --
    Intelligent Life on Earth
  98. Re:IIS encourages admins to be lazy by aridhol · · Score: 1

    And you download your patches how?

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  99. Re:IIS encourages admins to be lazy by Blkdeath · · Score: 1
    And you download your patches how?
    Well, let's see...
    • Behind a firewall (a consumer-grade broadband router will suffice)
    • With my newly installed, potentially vulnerable servers (IIS/Apache {cough} ) disabled
    • On another machine, from which to transfer (CDRW, crossover cable, null-modem cable, ZIP disk, etc..) to the newly installed machine

    I'm sure there are other ways, but that's about the gist of it.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  100. Re:Speaking of worms and virii by kaiidth · · Score: 2, Funny

    Hey, I've been in that same situation with Blueyonder. Here's what you do, if they really insist on using Windows:

    You lie.

    I've had some great conversations like that.

    Techie: "Now reboot"

    Me: "Right, just rebooting now." Pause to drink some coffee, stare at wallpaper, whatever, until a reasonable sounding amount of time has passed. "Done"

    The trick is to just say "Okay" and "Right" and "Done" a lot, write down the settings they give you (if any) and then do your own thing entirely. Better; unless you need action on their part don't call them at all, and if you do, tell them what to do directly, like so: "See the big red button on that router? Press it".

    Basically the problem they seem to have is they've been taught to follow a script, and if you confuse them they have to start it all over again. You get similar problems if any actual physical faults occur on the line - eg, no signal/broken cable - if you start your call by telling them the problem they get pretty confused.

    eg.

    Me: "Hi, the cable's down and the modem isn't able to connect. It's not receiving or sending anything at all according to the LED indicators."

    Techie: "Uhh, okay, have you tried rebooting your computer?"

    Me: "Why would I do that? The modem isn't receiving anything! The computer is not the problem."

    Techie: "Okay, well, can you reboot your computer?"

    Me: Sigh, pretend to reboot computer.

    Techie: "Does it work now?"

    Me: "No! There is no signal!"

    Techie: "Right, well, please reinstall your drivers, do you have your driver disk with you?"

    Me: "It's an external modem, I think my network drivers are just fine"

    Techie: "Please reinstall your drivers"

    Me: "Oh, very well" I pretend to reinstall my drivers.

    Techie: "Does it work now?"

    Me: "No!"

    Techie: "Did you reboot?"

    Me: Pretend to reboot the machine again.

    Techie "Does it work now?"

    Me: "No!"

    Techie: "Ah. Are all of the LEDs on the modem turned off?"

    Me: "YES!"

    Techie: "Okay, your cable's down, so the modem can't connect. Sorry"

  101. Re:our office got it. (OT) by blitziod · · Score: 1

    nick cave...murder ballads..." I'm a mean mother fucker don't you know ..and I'll crawl over 50 good pussies just to get to one fat boys asshole."
    how about when he was with the birthday party and put out an album called "Drunk on the Pope's Blood"?

    --
    The only way to bust a doper--is when you yourself become a smoker!
  102. let me spell it out for you. by Anonymous Coward · · Score: 0

    T H E R E W I L L N E V E R B E O N E S I N G L E S A T I S F A C T O R Y S O L U T I O N T O S E C U R I T Y A N D V I R U S E S. Did you get that important part there? NEVER.

    Why? They make too much damned money off of it for it to happen otherwise.

    If you created the 'perfect' solution the antics would stop, because there would be no fun, and thus no business for av/security 'companies'. Like it or not, that's logic for you.

  103. {chuckle} by A_Non_Moose · · Score: 2

    Recently I had to set up an ArcIMS (IMS = internet map server, or as I call it "Incomplete Masochistic Software") on a Windows 2000 Server.

    You have your choice of IIS or Apache, and guess which one I chose? Yep, Apache.

    After testing the box out, I cleared the logs (access/error) at about 3pm and left it running.
    Next day, I discover that less than an hour later a single IP address (204.xxx.xxx.xxx) hammered on it for 300+ hits with *both* codered and nimda and (the same ip or one in the range, I don't recall) hitting all of the default IIS directories looking for *anything*.

    I chuckled for a good half hour after that.

    --
    Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
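As an added example (not code from the post or from ArcIMS/Apache), here is a small Apache access-log filter that does what comment 103 describes by eye: it tags Code Red and Nimda probe requests by their request path and counts them per source IP, so worm noise can be separated from real traffic. The log lines are constructed, the hypothetical source IPs stand in for the 204.xxx.xxx.xxx the poster saw, and the path signatures are the well-known worm probe patterns rather than anything taken from the post.

```python
import re
from collections import defaultdict
from typing import Dict, Optional

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path signatures of the two worms: Code Red hit the .ida ISAPI filter via
# default.ida; Nimda walked the default IIS script/WebDAV directories looking for
# cmd.exe or the root.exe backdoor left by Code Red II.  "/scripts/" alone is noisy
# on a site that really has such a directory, so review counts before acting on them.
SIGNATURES = (
    ("codered", re.compile(r"/default\.ida", re.IGNORECASE)),
    ("nimda", re.compile(r"cmd\.exe|root\.exe|/_vti_bin/|/_mem_bin/|/msadc/|/scripts/", re.IGNORECASE)),
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify_request(request: str) -> Optional[str]:
    """Label a request line ('GET /path HTTP/1.0') as 'codered', 'nimda' or None."""
    parts = request.split()
    path = parts[1] if len(parts) >= 2 else request
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None

def summarize(lines) -> Dict[str, Dict[str, int]]:
    """Count worm-probe hits per source IP; IPs with no probe hits are omitted."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue  # malformed line: skip it rather than crash on a noisy log
        label = classify_request(fields["req"])
        if label:
            hits[fields["ip"]][label] += 1
    return {ip: dict(c) for ip, c in hits.items()}

# Constructed sample log (not real traffic); the IPs are placeholders.
SAMPLE_LOG = """\
10.0.0.7 - - [20/Sep/2002:15:41:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 300
10.0.0.7 - - [20/Sep/2002:15:41:03 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 300
10.0.0.7 - - [20/Sep/2002:15:41:04 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
192.0.2.10 - - [20/Sep/2002:15:42:00 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.7 - - [20/Sep/2002:15:41:05 +0000] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
this line is not a log entry
"""

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, counts)
```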
  104. Re:NIMDA the sysadmins friend :-s a little anecdot by Anonymous Coward · · Score: 0

    Actually it's virii. As long as we're picking nits we may as well pick the correct nits. :)

  105. plural by Anonymous Coward · · Score: 0

    isn't the plural of virus, virii?

  106. Re:our office got it. by geekoid · · Score: 2

    I hope you called the authorities on that guy.
    If not, some poor kid will pay for it.

    --
    The Kruger Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  107. Re:our office got it. by Anonymous Coward · · Score: 0

    Like rain on your wedding day?

    Rain on one's wedding day has nothing to do with irony, and neither have most stanzas in Alanis Morissette's song. Check this out.

  108. Don't complain by Anonymous Coward · · Score: 0

    At least you're popular enough to get viruses. Please send some to admin234@aol.com

  109. a more important birthday? by commodoresloat · · Score: 2

    Well, perhaps not, but today is the twentieth birthday of the emoticon!! Check out this interview (Requires Real) with the first person to ever use the ubiquitous smiley.

  110. Re:Speaking of worms and virii by sjwt · · Score: 1

    I do that with windows too :)

    I think I've only been wrong once,
    cable unplugged :)

    All the other times, I've been logged as
    an early complaint of a state-wide
    down :)

    --
    You have 5 Moderator Points!
    Which Helpless Linux zealot/MS basher do you want to mod down today?
  111. Re:our office got it. by rsteele19 · · Score: 2
    Rain on one's wedding day has nothing to do with irony, and neither have most stanzas in Alanis Morissette's song. Check this out.

    Yeah, I know. Isn't it ironic?

    --

    This sig is umop apisdn.

  112. Re:NIMDA the sysadmins friend :-s a little anecdot by jsse · · Score: 1

    I think automatic logrotate is already done in most default installation. The problem is the overwhelming virus logs. :)