1 Year Anniversary of Nimda Outbreak
dots and loops writes "Today marks one year to the date that the nimda worm began making its way across the Internet."
Hey, speaking of hilarious worms, I'm still getting 5-10 Klez viruses a day! Yay Security!
I was working on a project to set up a proxy (Squid, in fact) for an educational institution here in Morocco. If you think US sysadmins could get some clue, think again. I noted they were running NT Workstation Service Pack 3 (lol) and I was already sweating. I set the proxy up as the gateway, to make it transparent, and started the service. Within 10 minutes the log file had grown massive. I tweaked a few params, and then left it running, saying I'd come back the next day.
The client calls me first thing, saying my proxy is shit, doesn't work, etc. I turn up in a panic, thinking I'd messed something simple up. Then it dawned on me... it seems most of the hosts on the network were infected with Nimda (amongst other things). The log file had exceeded 2 GB and had crashed the service (it had filled the /var partition completely). It was logging 100 Nimda scans a second.
This was just about 3 months ago. The sysadmin didn't even really know how her DHCP server worked, and had no service packs anywhere. The only reason SP3 was on some machines was because the NT CD had been bought just before Win2K came out, and SP3 was bundled with a sticker: "make sure you install this too".
Explaining to the client that all the hosts were infected, that they seriously needed an antivirus solution, and that all machines would have to be taken offline (they had public IPs, for chrissakes) until the disinfection was finished was a tough thing to do without just flaming that person, I assure you. We did get them sorted out in the end, but somehow they still think my proxy isn't worth shit :-(
Conversion Rate Optimisation French / English consultant
That question should probably be broken down into two parts:
a) What virus/worm/trojan, as originally written, has been present in the wild for the longest?
b) What virus/worm/trojan, through slight adjustment, has been able to keep coming back, infecting and reinfecting, for the longest?
I work in a rather large school district and we run 6+ NetWare servers and only 2 NT servers, not because we want to run NT, just because some software requires it. Anyways, we run Norton's Corporate Virus Scanner on a couple of the NetWare boxes and they scan every file that comes through the network and beep if the file is infected. So I'm sitting in a lab and I'm looking through some folders on the network and I'm seeing tons of these .elm files and such. I ask another tech what was up. He didn't know. I walk into the server room and all I hear is BEEEEEEEP BEEP BEEEEP BEEP BEEP etc etc. At this point I concluded that we were screwed. I do some quick research and discover nimd@. Oh, joy, it infects mapped drives. Good thing we have mapped drives in EVERY login script. Crap... Quickly log in and start doing recursive deletions of .elm and etc files that nimd@ creates. Then we spend the weekend running a nimd@ cleaner on every machine in the district (1000+). All the while that was going on, our NT boxes were attacking 5-6 other districts' NT boxes and their boxes were attacking ours. It was a joyous occasion...
-Tolerate my intolerance
What about a module that detected Nimda, Code Red, whatever attacks, then just attacked back? On attacking back, it uses the very same security holes (I think four of them) through which these worms propagate to issue a shutdown on the system and change the registry key for the startup text to say, "Hey, you're infected by Nimda, fix this now, download this."
Actually, rather than a shutdown, which may just restart some servers, it should issue a big fat SYSTEM HALT with a notice of infection. "Oh, yeah, we've changed your administrator password to XYZZY, too. A registry key has been added such that, if an attack is detected from your machine a second time, FORMATTING OF YOUR HARD DRIVE WILL OCCUR." Probably get someone's attention.
Yeah, this wouldn't be particularly legal, but it isn't as if Nimda logs what targets it is attacking. Just leave up a few boxes running this and the infection would drop dramatically.
(sorry man, I'm just pokin' fun)
:) 'kay. Perhaps I should have mentioned that it's got lots more features than that... most notably the pretty reports with graphs and such.
No offense taken... grep is what I used before I decided I wanted something that could make more sense visually.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
Now, this report from Sep. 21, 2001 reports 1.3 million infected NIMDA servers.
Help me out here.
Where is the comparison? I'm still wading through NIMDA/Code Red requests on my webservers, looking for any sign that those servers have been poked by slapper infected servers. No dice so far.
Slapper is generating panic because it's got a peer-to-peer network on the backend, not because it's actually been able to infect a lot of servers. Can you imagine what would happen if someone wanted to start a p2p network on the NIMDA/Code Red infected servers that are still online now? To say NOTHING of the 1.3 million and up that were infected originally.
Slapper is a silly excuse for some "Open Source Sucks" journalism, not a reason to head for the hills and unplug the router.
So here you go:
[chastise]
Oh, you lazy stupid 14,000 Linux/Apache admins! Patch your servers!
[/chastise]
[screaming rant]
It's been a year! Get that "guy who knows computers" who put that shiatty NT server on the net for you to get back in your office and put some patches on it! Give him a beer, for Pete's sake!
[/screaming rant]
Thank you.
--mandi
Will we see a 1 year anniversary of Apache & Mozilla bugs/Linux Worms
One year ago today, I woke up to the sound of my pager screaming that several of my WAN segments were down.
I rush off to one of the sites, to discover that the link is still up, but latency is through the roof, because we're being bombarded with network traffic. I think: who would want to DDoS a school district? (And only on port 80.)
So until I can figure out where the attack is coming from, I shut down inbound port 80 at the perimeter (which pisses off most of the teachers, as most of the web servers are used to distribute assignments), and head to the office to track down where the attack might be coming from.
I check my email, and see reports that there is a worm responsible. The teachers are pissed that they have to find another way to distribute their assignments, but slowly things return to normal, and eventually the blocks can be removed.
None of the servers at the schools were vulnerable to Nimda, but it took out our network for the better part of a day, and caused untold havoc.
----------------------
Fast forward to last week - Slapper was released, and I found out about it by reading Bugtraq. I've checked the logs, but the number of hits we get for it is minimal. None of our servers are vulnerable to that either.
A week later, and Slapper is still a non-issue for us.
If Slapper ever causes the same amount of downtime as Nimda, I'm sure that we'll see a 1 year anniversary for it, too. But I don't really think it will happen. Not because it's not MS, but because it's a non-issue.
Is there some website that has information on websites (apache vs iis, uptime, etc) that I don't know about? Could you post a link? TIA
What are people's opinions on an anti-Nimda client which, when scanned by a Nimda-infected machine, will use the Nimda exploits to remove Nimda from the attacking system?
You could use the tftp client to download the M$ patches and, on the condition they were non-interactive, you could install them?
I am under the impression this is highly illegal, but I am just about fed up with my Apache logs filling up! My ipchains DENY list is already quite excessive, as I have a program which denies a machine after it has scanned me. The only problem with this approach is the fact that most of these people are dialups with dynamic IPs, so I am not doing myself any favours except filtering out whole ISPs over time.
Thanks, Chris
Washington, DC: It's like Hollywood for ugly people.
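A defender-side take on the ipchains helper Chris describes, added here as an example and not code from the thread: it scans Apache access-log lines for the well-known Nimda (cmd.exe/root.exe) and Code Red (default.ida) probe paths, counts probes per source host, and attaches an expiry to each block so a dial-up address is released once it is reassigned. The common log format, the 3-probe threshold and the 24-hour TTL are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Request-path fragments that the Nimda (cmd.exe/root.exe) and Code Red
# (default.ida) worms probed for; matching on them flags worm scans.
SCAN_PATTERN = re.compile(r"cmd\.exe|root\.exe|default\.ida", re.IGNORECASE)

# Apache common log format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (host, timestamp, request) or None for unparseable lines."""
    m = CLF.match(line)
    if not m:
        return None
    host, ts, request, _status, _size = m.groups()
    return host, datetime.strptime(ts, TIME_FMT), request

def scan_hits(lines):
    """Map each source host to the timestamps of its worm-probe requests."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and SCAN_PATTERN.search(parsed[2]):
            hits[parsed[0]].append(parsed[1])
    return dict(hits)

def block_candidates(lines, threshold=3, ttl=timedelta(hours=24)):
    """Hosts with at least `threshold` probes, each paired with an expiry time.
    The expiry (assumed 24h) is what keeps a dial-up address from staying
    blocked after the ISP has reassigned it to an uninfected customer."""
    return {host: max(times) + ttl
            for host, times in scan_hits(lines).items()
            if len(times) >= threshold}

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2002:09:15:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291',
    '192.0.2.10 - - [18/Sep/2002:09:15:01 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289',
    '192.0.2.10 - - [18/Sep/2002:09:15:02 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297',
    '192.0.2.10 - - [18/Sep/2002:09:15:02 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313',
    '198.51.100.7 - - [18/Sep/2002:09:16:00 +0000] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 400 0',
    '203.0.113.5 - - [18/Sep/2002:09:17:30 +0000] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for host, expires in block_candidates(SAMPLE_LOG).items():
        print(f"block {host} until {expires.isoformat()}")
```

Feeding the output to an ipchains/iptables DENY rule with a matching removal at the expiry time gives the per-host block Chris wants without accumulating an ever-growing list of stale dial-up addresses.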