1 Year Anniversary of Nimda Outbreak
dots and loops writes "Today marks one year to the date that the nimda worm began making its way across the Internet." Hey, speaking of hilarious worms, I'm still getting 5-10 klez virus's a day! Yay Security!
happy birthday to nimda..
..
happy birthday to nimda
happy birthday you iis infecting worm...
happy birthday to you...
may you make anti virus vendors riiiiiiccchhh
It's hard to believe that it's been one year and I'm still getting scans on my Apache server. Are there really that many braindead admins??
Using your sig line to advertise for friends is lame.
I work for a school district, and I swear, everyone pronounces it nimBA - it drives me crazy.
Anyway, yeah, last year around this time was fun. Thanks for dredging up those memories.
That's what you Linux guys say every time there is an Apache worm, isn't it? Let's be consistent, shall we?
We had just brought in a bunch of dot-com reject sys admins.
Suddenly you hear everyone talking about the NAMBLA virus. Seriously, it was a spoonerism, or whatever. But everyone was running around blaming NAMBLA. Finally we realized it was NIMDA.
Turns out there was a dude that got smoked out because he had kiddie porn on his PC. We just fired him.
But if it weren't for this virus, we wouldn't have had the witch hunt that found this perv.
I get none. Why don't people have virus filters on their e-mail servers?
Exim + Exiscan = Bliss.
If anybody is interested, I developed WormScan last year, which is a Java-based program (GPL) which can analyze your Apache log files for pretty much anything you want (just plug in your regular expressions). It detects Nimda and CR1+2 out of the box. It's easy to add your own entries to scan for.
According to my logs (please be gentle), I was hit 650 times yesterday.
Shameless plug, yes. But it does the job and the users of WormScan seem to be pretty happy with it, judging from the emails I've gotten so far.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
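The log-scanning idea in the WormScan post above, as an added example in Python (not WormScan's own Java code): it parses Apache common-log lines, matches the request paths that Nimda (the root.exe backdoor and the IIS directory-traversal cmd.exe probes) and Code Red I/II (the padded default.ida request) send, and counts probes per source address so the worst offenders can be reported to their ISP. The sample log lines are constructed for this example; the signature regexes are written from the worms' well-known probe strings, not taken from WormScan.

```python
import re
from collections import Counter, defaultdict

# Request-path signatures of the worms discussed in the thread (written from
# their well-known probe strings; assumed, not WormScan's rule set).
WORM_SIGNATURES = {
    # Nimda asks for the root.exe backdoor Code Red II left behind, and for
    # cmd.exe through the IIS Unicode / double-decode traversals
    # (/scripts/..%5c.., /scripts/..%c0%af.., /c/winnt/.., /msadc/.., ...).
    "nimda": re.compile(r"root\.exe|/winnt/system32/cmd\.exe", re.IGNORECASE),
    # Code Red I (run of N) and Code Red II (run of X) hit the .ida ISAPI
    # filter with a long padded query string.
    "codered": re.compile(r"/default\.ida\?[NX]{8,}", re.IGNORECASE),
}

# Apache common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify_request(path):
    """Name the worm whose probe this request path matches, or None."""
    for worm, pattern in WORM_SIGNATURES.items():
        if pattern.search(path):
            return worm
    return None

def scan_log(lines):
    """Count worm probes per source IP. Returns ({worm: Counter(ip)}, unparsed)."""
    hits = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            unparsed += 1          # truncated or non-CLF line: count it, don't crash
            continue
        worm = classify_request(m.group("path"))
        if worm:
            hits[worm][m.group("ip")] += 1
    return hits, unparsed

def worst_offenders(hits, worm, limit=5):
    """Source IPs sending the most probes for one worm, for abuse reports."""
    return hits[worm].most_common(limit)

# Constructed sample log (not real traffic): one Nimda-infected host, one
# Code Red host, one legitimate visitor and one mangled line.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2002:09:12:01 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5 - - [18/Sep/2002:09:12:01 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
10.0.0.5 - - [18/Sep/2002:09:12:02 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
10.0.0.5 - - [18/Sep/2002:09:12:02 +0100] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
10.0.0.5 - - [18/Sep/2002:09:12:03 +0100] "GET /scripts/..\\xc0\\xaf../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
192.0.2.44 - - [18/Sep/2002:09:40:17 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 292
192.0.2.44 - - [18/Sep/2002:09:41:17 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 292
198.51.100.9 - - [18/Sep/2002:10:02:44 +0100] "GET /index.html HTTP/1.1" 200 4521
198.51.100.9 - - [18/Sep/2002:10:02:45 +0100] "GET /scripts/stats.cgi HTTP/1.1" 200 812
this line is not in common log format
"""

if __name__ == "__main__":
    hits, unparsed = scan_log(SAMPLE_LOG.splitlines())
    for worm in sorted(hits):
        print(worm, worst_offenders(hits, worm))
    print("unparsed lines:", unparsed)
```

Feed it a real access_log one line at a time (`scan_log(open(path))`) and the per-IP counters give you the addresses to put in an abuse report.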
Where did I put my hard hat? I think I might be needing it.
Never email donotemail@WeAreSpammers.com
I'm still getting nailed by Code Red. Weird how something can survive for two years without touching a single permanent storage device.
Nimda 0|/\|Nz j00 !
No really, it's a brilliant little virus. I am sure a lot of unscrupulous people made a lot of money from that one. Think about it, any unsecured server with this virus broadcasts this fact to the whole world!
Just backtrack to the broadcasting computer, and you can own it in 5 minutes. I shudder to think of all the financial information that was made available from this virus.
With Windows 2000 and XP still insecure, we just need to wait for Nimda 2 and really make some money =-)
And it's probably no coincidence that slashdot stats report 365days uptime today.
M@
Krispy Cream is people
I was working on a project to set up a proxy (Squid, in fact) for an education institution here in Morocco. If you think US sysadmins could get some clue, think again. I noted they were running NT workstation service pack 3 (lol) and I was already sweating. I set the proxy up as the gateway, to make it transparent, and started the service. Within 10 minutes the log file had grown massive. I tweaked a few params, and then left it running, saying I'd come back the next day.
The client calls me first thing, saying my proxy is shit, doesn't work, etc. I turn up in a panic, thinking I'd messed something simple up. Then it dawned on me... seems like most of the hosts on the network were infected with Nimda (amongst other things). The logfile had exceeded 2Gb and had crashed the service (it had filled the /var partition completely). It was logging 100 Nimda scans a second.
This was just about 3 months ago. The sysadmin didn't even really know how her DHCP server worked, and had no service packs anywhere. The only reason SP3 was in some places was because the NT CD had been bought just before Win2K came out, and SP3 was bundled with a sticker "make sure you install this too".
Explaining to the client that all the hosts were infected, that they seriously needed an antivirus solution, and that all machines would have to be taken offline (they had public IPs for chrissakes) until the disinfection was finished was a tough thing to do without just flaming that person, I assure you. We did get them sorted out in the end, but somehow they still think my proxy isn't worth shit :-(
Conversion Rate Optimisation French / English consultant
Why is it every time there's an addendum or update on a worm/virus report that Taco hasta remind us how much crap mail he gets?
There are only 10 kinds of people in this world... those who understand binary and those who don't
What about Linux/Slapper then?
That question should probably be broken down into two parts: a) What virus/worm/trojan, as originally written, has been present in the wild for the longest? b) What virus/worm/trojan, through slight adjustment, has been able to keep coming back, infecting and reinfecting, for the longest?
I'll tell you what, if the OpenSSL bug does one hundredth of the damage to network communication that Nimda did, I'll buy the cake.
I WISH I was getting 5-10. I'm still getting 50-70 a day, after peaking at ~100.
I'm getting somewhere between 10 and 20 Klez worms a day, too. Of course I filter them with procmail, but I'm paranoid and I send them to a separate mail folder.
What's really annoying is the automatic mail I get from the few with-it ISPs out there who detect a Klez worm sent through their mail servers with my name on it!
I've been collecting the mail headers, hoping to track down the worst offenders. So, is there a way to trace Klez, or are the headers forged so much that it's impossible to track? I haven't had any luck so far...
Why?
Because the fewer than 14,000 servers infected with slapper are nothing compared to the infection of NIMDA and its derivatives.
duh.
Aha... Now I understand the meaning of that phrase...
Whilst fornicating in bed
Felt something new
Saying, "Melissa, is that you?"
And found Bill Gates naked, instead.
--Chag
Yeah, that pisses me off. There is one local ISP that e-mails postmaster@domain-that-was-in-the-from for every virus it gets in the mail. I know the virus isn't coming from my server, cause as I said in another post I run Exiscan from within Exim. It is nice, it just closes the SMTP connection when a virus is detected with an error message.
50 to 70 per day? Please!!!
Over 2200 various and sundry Windows virii/worms hits since Monday.
-- You can't idiot-proof anything, because they're always coming out with better idiots.
I work in a rather large school district and we run 6+ Netware servers and only 2 NT servers, not because we want to run NT, just because some software requires it. Anyways, we run Norton's Corporate Virus Scanner on a couple of the Netware boxes and they scan every file that comes through the network and beep if the file is infected. So I'm sitting in a lab and I'm looking through some folders on the network and I'm seeing tons of these .eml files and such. I ask another tech what was up. He didn't know. I walk into the server room and all I hear is BEEEEEEEP BEEP BEEEEP BEEP BEEP etc etc. At this point I concluded that we were screwed. I do some quick research and discover nimd@. Oh, joy, it infects mapped drives. Good thing we have mapped drives in EVERY login script. Crap... Quickly login and start doing recursive deletions of the .eml and etc. files that nimd@ creates. Then we spend the weekend running a nimd@ cleaner on every machine in the district (1000+). All the while that was going on, our NT boxes were attacking 5-6 other districts' NT boxes and their boxes were attacking ours. It was a joyous occasion...
-Tolerate my intolerance
One year after Nimda, we are fighting the Slapper worm. Did anyone say deja vu?
Wonder what we are going to fight next year.
Does this mean I have to write another one?
NO! NO! Please don't mod me, I'm too young to die a troll. *click* Oh the pain, the pain...
Dear hikeran,
It has come to our attention that you published a portion of our copyrighted material. Namely the lyrics to the popular [but copyrighted] song : 'Happy Birthday To You'.
We would ask that you refrain from repeating this action and ask that you make the best effort to remove such violations made by you.
Should this matter be brought before us again we will demand a license fee payable to Warner Brothers.
The work has been subject to copyright laws since 1935 and doesn't expire until 2012.
For more details see here
Thank you,
Daffy & The Guys
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
We occasionally get all sorts of old viruses hitting our AV system on the mail server. Some, like the Snow White one, are very old. We don't see them every day, but we definitely see them a few times per year.
Klez is definitely still going strong. We see 5 to 8 of those per day. We're not even a big shop (180 users).
ISPs don't want to take Linux seriously for one large reason: it makes setting up a server affordable. They don't want you setting up a server, they want you to pay to use theirs, and to use less bandwidth all around so they can make more money off you. Hell, just installing Debian asks you for a domain name for the box to be part of. You think ISPs want to help support user-box subdomains, or explain to a user that they won't help them with it? I didn't think so. Anyway, yeah... UNIX is powerful. ISPs desire sheep users as clientele, not technocrats and l33t h4x0rZ. Stereotypes, I know, but that's how business works. Sucks, don't it?
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
It's viruses.
Are you serious? The vast majority of ISPs are running some *NIX, and I would put a large percent of that number as running Linux. I just switched a major site from a BSD host to a Linux box and we have seen no problems. And I am talking about 35 gigs of hosting.
I am starting my own hosting company and my two servers are on Red Hat. There are thousands of little hosting companies that run Linux, and some large ones as well. Valueweb is switching from BSD to Linux and they are pretty big. Rackspace is a big Linux shop.
Do ISPs take Linux seriously? Yeah, I say that is why they all use it.
As for your ISP? Well, you are ultimately responsible for securing your own box. Windows, Linux, or whatever. Your ISP can issue warnings, but if they are worth their salt they will protect you and themselves.
You know I have ranted too much. Troll elsewhere.
Puto
The Revolution Will Not Be Televised
No doubt in celebration of the birthday, I got a number of nimda hits this morning.
mount -t smbfs password= //xx.xx.xx.xx/C$ /mnt/dork
vi /mnt/dork/boot.ini
Change the boot delay to some huge number and the boot message to "Run a virus scanner, asshole".
umount /mnt/dork
-- Will program for bandwidth
Here's one I just got;
Do you think this was sent by webmaster@msn.com? (I hear the jokes now!). In this case, the Return-path actually contained the victim's full mail address, which I've mercifully blanked.
Alison
"It is a miracle that curiosity survives formal education." - Albert Einstein
Sadly, I completely understand his predicament, since I'm still receiving klez emails at about the same rate (which is one of the reasons I use Mozilla for email). Even worse, klez forges the FROM field through SMTP, so it's extremely difficult to tell who's infected. I get bounce messages all the time from people who think I'm infected, because of the header forging (I'm not; I checked the running processes, ran a virus scan, and ran netstat looking for unexpected connections).
I dumped OE because of Nimda. Yeah, there's a patch but I still haven't gone back and secured it. I switched to Pegasus. I hate Pegasus, but I guess not as much as I hate sending away for the patch.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Here's an idea for a web service. Have a query system over at one of the major security clearinghouses that can be queried remotely by an application. Then have an application that runs on your system that periodically scans your system for files that are potentially at risk due to the latest security vulnerability.
Right now, the problem is that vendors will release information specific to their platform, but then if you download anything outside that platform, you are possibly putting yourself at risk unless you actively keep track of each piece of software. If you install enough software this becomes a tremendous pain.
This way, if there's a possible problem, you get alerted to it, can review the related security advisory, and then easily download the patches for it. That could really trim down on the severity of worm outbreaks I suspect.
This sig has been temporarily disconnected or is no longer in service
The reason why Klez and its variants are still going strong now is because they are programmed to commence 'attacking' on September 13 (among other dates). Lots of systems were infected but because the virus was dormant, they were undetected. Since September 13, Klez has been in full force.
What filter would you use? I use an online email client (not Hotmail), and I know it is Klez because of the large message size, but how do you filter it out? Usually there is nothing in the body of the message, and the subject seems random.
Moon Macrosystems. Sun's biggest competitor.
What about a module that detected Nimda, Code Red, whatever attacks, then just attacked back? On attacking back, it uses the very same security holes (I think four of them) through which these worms propagate to issue a shutdown on the system and change the registry key for the startup text to say, "Hey, you're infected by Nimda, fix this now, download this."
Actually, rather than a shutdown, which may just restart some servers, it should issue a big fat SYSTEM HALT with a notice of infection. "Oh, yeah, we've changed your administrator password to XYZZY, too. A registry key has been added such that, if an attack is detected from your machine a second time, FORMATTING OF YOUR HARD DRIVE WILL OCCUR." Probably get someone's attention.
Yeah, this wouldn't be particularly legal, but it isn't as if Nimda logs what targets it is attacking. Just leave up a few boxes running this and the infection would drop dramatically.
Anyway, here it is again for Taco:
Put this in your .procmailrc file:
Of course, this is a bit drastic by throwing every file that ends in that type into the bin, so you may want to replace it with something like /home/username/mail/viruses
Finally (and this bit is especially for Taco) you will probably need to have a .forward file with the following in it:
Once you've done that, then finally we'll never hear again from you how many viruses a day you can get.
Avantslash - View Slashdot cleanly on your mobile phone.
I've started reporting Klez to the site abuse mailboxes in the hopes they will do something about it. Just report it as you would a normal spam, but say it's a probable virus and give the IP address.
I can't say they'll do anything, but it's better than doing nothing.
Here is my Nimda nightmare. I manage two offices, primarily CAD and graphics. Both connected to the net via a T1. My local office sits behind a nice iptables firewall with my patched and locked-down NT server serving one IP for VPN. The other office is managed by a consultant because I can't always get there as needed. Long story short, the server died (dead array), so after 12 hours of recovering the work I headed out, instructing the consultant to lock down the server (patch it, remove unneeded services, apply the lockdown patch, close unnecessary ports). Of course he didn't; in the space of 12 hours my entire network was filled with Nimda .eml and .nws files. Luckily that was the extent of the infection at that office. The server was a fresh install of W2K Server. Needless to say, the next few days were spent hand-picking corrupted files from the server. Before, I even thought Nimda was cute, but now it's hell's own scourge. I consistently e-mail ISPs notifying them of infected machines probing my network.
What's wrong with the Return-Path: in the headers?
Works just fine here.
If there is one thing a Mac is good for it is checking email.
http://www.treachery.net/~jdyson/earlybird/
I received this link from a Linux group. It basically detects Nimda attacks on your Apache/Linux system, then attempts to e-mail the sysadmin of the ISP. It works great. It has spam potential, yes, but Nimda and the incompetent admins who incubate this virus on their systems need to be eradicated.
Welcome to Slashdot, where the fight for the moral, cultural, technological, and sociological good is the driving force, paused only when it may cost one of us time or money.
Finally, math books without any of that base 6 crap in them.
Yeah, even if you are the first hero to find the problem, you are the easy one to blame. Don't feel bad about it.
Just for the sake of experience sharing: if keeping logs is not a requirement then I'll just turn it off or redirect it to null, unless you have some measure for cleaning up the log. Log files are always the bane of the lazy admin (and definitely not your fault). Turn off anything they didn't ask for; there's no need to be your daddy's good boy in business.
If keeping logs is a requirement? Easy, add up huge function points in the spec and charge more for services. Schedule extra time to test and teach the log keeping, and even more money will be charged.
Those are the logs you asked to look at; you shouldn't blame me for charging more.
NetInfo connection failed for server 127.0.0.1/local
"Given the choice between dancing pigs and security people will choose dancing pigs every time."
There'll be many "nimdas" yet to come...
Anyone else ever notice that Nimda = Admin spelled backwards?
That's not a coincidence.
What are people's opinions on an anti-nimda client which when scanned by a nimda infected machine will use the Nimda exploits to remove Nimda from the attacking system?
You could use the tftp client to download the M$ patches and on the condition they were non-interactive you could install them?
I am under the impression this is highly illegal, but I am just about fed up with my Apache logs filling up! My ipchains DENY list is already quite excessive as I have a program which denies a machine after it has scanned me. The only problem with this approach is the fact that most of these people are dialups with dynamic IPs, so I am not doing myself any favours except filtering out whole ISPs in a slow time.
Thanks, Chris
Because I don't run a 'virus filter' on my web server.
That's how they probably found the perv -- scanning files looking for the string NAMBLA, and they found these obscene text files... The rest, as they say, is history (much like the kiddie-porn ex-employee).
Free Software: Like love, it grows best when given away.
I just start with the ISP, and then I either use the reverse DNS, or do a traceroute (mtr) to find the responsible ISP for that IP.
For web probes, I use a script on my linux box that auto-mails the responsible ISP. I think I'm down to 2 or 3 probes a day, now.
Free Software: Like love, it grows best when given away.
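The header-tracing question above, worked through as an added example in Python (not code from any poster): it walks the Received headers from your own mail servers outward, treats only the hops added by hosts you control as trustworthy, and reports the outside address that handed the message to your relays, since Klez's forged From line and anything a remote relay wrote below your own hops cannot be relied on. The bounce headers, host names, internal networks and trusted-host list are all constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Networks behind your own relays; a hop whose peer is in here is an internal
# handoff, not the outside sender (assumed ranges for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# "from <helo> (<reverse-dns> [<ip>]) by <host> ..." as most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>[\w.-]+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value):
    """Pull the connecting peer's IP and the receiving host out of one Received line."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("info") or "")
    return {"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower()}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def trace_origin(raw_message, trusted_hosts):
    """Walk Received headers newest-first and stop at the first hop we did not add.

    reportable_ip is the outside address that connected to our own relays, the
    only hop we can vouch for. claimed_origin is what the lowest Received line
    says, which a remote relay (or the worm's own SMTP engine) may have forged.
    """
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    reportable = None
    for hop in hops:                       # header order: newest hop first
        if hop["by"] not in trusted_hosts:
            break                          # written by someone else: stop trusting
        if hop["ip"] and not is_internal(hop["ip"]):
            reportable = hop["ip"]         # ends up as the outermost trusted peer
    return {"from_header": msg.get("From"), "reportable_ip": reportable,
            "claimed_origin": hops[-1]["ip"] if hops else None, "hops": hops}

TRUSTED_HOSTS = {"mail.example.org", "mx1.example.org"}   # our own relays (assumed)

# Constructed headers in the shape of a Klez delivery: the From line is forged
# (as in the thread's webmaster@msn.com case) and the ISP hop below our own
# relays is the part we cannot verify ourselves.
SAMPLE_KLEZ = """\
Return-Path: <webmaster@msn.com>
Received: from mailhub.internal (mailhub.internal [10.1.1.5])
    by mail.example.org (Exim) id 17rE7g-0003xQ-00; Wed, 18 Sep 2002 08:31:05 +0100
Received: from smtp.isp.example (smtp.isp.example [198.51.100.25])
    by mx1.example.org (Postfix) with ESMTP id A1B2C3D4; Wed, 18 Sep 2002 08:30:59 +0100
Received: from Dxnkf (dialup-77.isp.example [198.51.100.77])
    by smtp.isp.example (8.11.6/8.11.6) with SMTP id g8I7UqX12345; Wed, 18 Sep 2002 08:30:52 +0100
From: webmaster@msn.com
To: victim@example.org
Subject: a very funny game

(body omitted)
"""

if __name__ == "__main__":
    result = trace_origin(SAMPLE_KLEZ, TRUSTED_HOSTS)
    print("claimed From:", result["from_header"])
    print("report to the owner of:", result["reportable_ip"])
    print("lowest Received line claims:", result["claimed_origin"])
```

The address to send to an abuse desk is reportable_ip (here the ISP's relay); that ISP can match its own Received line against its logs to find the dialup that was actually infected.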
Well if the "5-10" in the subject wasn't enough for you, quoting CmdrTaco, "I'm still getting 5-10 klez virus's a day!"
This thread was about Taco always complaining about the number of viruses he gets in his inbox. You'd think the person responsible for creating Slashdot would do something a little more proactive than complaining... or not.
But Alanis couldn't get it past the corporate censors
Oh, but she got "will she go down on you in a theater" and "are you thinking of me when you f*ck her?" right past them...
the "corporate censors" aren't as bad as you think.. (at least in this case).. you should try listening to Nick Cave's Murder Ballads sometime..
Intelligent Life on Earth
Hey, I've been in that same situation with Blueyonder. Here's what you do, if they really insist on using Windows;
You lie.
I've had some great conversations like that.
Techie: "Now reboot"
Me: "Right, just rebooting now." Pause to drink some coffee, stare at wallpaper, whatever, until a reasonable sounding amount of time has passed. "Done"
The trick is to just say "Okay" and "Right" and "Done" a lot, write down the settings they give you (if any) and then do your own thing entirely. Better; unless you need action on their part don't call them at all, and if you do, tell them what to do directly, like so: "See the big red button on that router? Press it".
Basically the problem they seem to have is they've been taught to follow a script, and if you confuse them they have to start it all over again. You get similar problems if any actual physical faults occur on the line - eg, no signal/broken cable - if you start your call by telling them the problem they get pretty confused.
eg.
Me: "Hi, the cable's down and the modem isn't able to connect. It's not receiving or sending anything at all according to the LED indicators."
Techie: "Uhh, okay, have you tried rebooting your computer?"
Me: "Why would I do that? The modem isn't receiving anything! The computer is not the problem."
Techie: "Okay, well, can you reboot your computer?"
Me: Sigh, pretend to reboot computer.
Techie: "Does it work now?"
Me: "No! There is no signal!"
Techie: "Right, well, please reinstall your drivers, do you have your driver disk with you?"
Me: "It's an external modem, I think my network drivers are just fine"
Techie: "Please reinstall your drivers"
Me: "Oh, very well" I pretend to reinstall my drivers.
Techie: "Does it work now?"
Me: "No!"
Techie: "Did you reboot?"
Me: Pretend to reboot the machine again.
Techie "Does it work now?"
Me: "No!"
Techie: "Ah. Are all of the LEDs on the modem turned off?"
Me: "YES!"
Techie: "Okay, your cable's down, so the modem can't connect. Sorry"
Recently I had to setup an ArcIMS (IMS = internet map server, or as I call it "Incomplete Masochistic Software") on a Windows 2000 Server.
You have your choice of IIS or Apache, and guess which one I chose? Yep, Apache.
After testing the box out, I cleared the logs (access/error) at about 3pm and left it running.
Next day, I discover that less than an hour later a single IP address (204.xxx.xxx.xxx) hammered on it for 300+ hits with *both* codered and nimda and (the same ip or one in the range, I don't recall) hitting all of the default IIS directories looking for *anything*.
I chuckled for a good half hour after that.
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
I hope you called the authorities on that guy.
If not, some poor kid will pay for it.
The Kruger Dunning explains most post on
Well, perhaps not, but today is the twentieth birthday of the emoticon!! Check out this interview (Requires Real) with the first person to ever use the ubiquitous smiley.
Yeah, I know. Isn't it ironic?
This sig is umop apisdn.