Slashdot Mirror
1 Year Anniversary of Nimda Outbreak
dots and loops writes "Today marks one year to the date that the nimda
worm began making its way across the Internet." Hey, speaking of hilarious worms, I'm still getting 5-10 klez virus's a day! Yay Security!
We had just brought in a bunch of dot-com reject sys admins.
Suddenly you hear everyone talking about the NAMBLA virus. Seriously, it was a spoonerism, or whatever. But everyone was running around blaming NAMBLA. Finally we realized it was NIMDA.
Turns out there was a dude that got smoked out because he had kiddie porn on his PC. We just fired him.
But if it weren't for this virus, we'd wouldn't have had the witch hunt that found this perv.
If anybody is interested, I've developed WormScan last year, which is a Java-based program (GPL) which can analyze your Apache log files for pretty much anything you want (just plug in your regular expressions). It detects Nimda and CR1+2 out of the box. It's easy to add your own entries to scan for.
According to my logs (please be gentle), I've been hit 650 times yesterday.
Shameless plug, yes. But it does the job and the users of WormScan seem to be pretty happy with it, judging from the emails I've gotten so far.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
And it's probably no coincidence that slashdot stats report 365days uptime today.
M@
Krispy Cream is people
I was working on a project to set up a proxy (Squid, in fact) for an education institution here in Morocco. If you think US sysadmins could get some clue, think again. I noted they were running NT workstation service pack 3 (lol) and I was already sweating. I set the proxy up as the gateway, to make it transparent, and started the service. Within 10 minutes the log file had grown massive. I tweaked a few params, and then left it running, saying I'd come back the next day.
The client calls me first thing, saying my proxy is shit, doesn't work, etc. I turn up in a panic, thinking I'd messed something simple up. Then it dawned on me... seems like most of the hosts on the network were infected with Nimda (amongst other things). The logfile had exceeded 2Gb and had crashed the service (it had filled the /var partition completely). It was logging 100 Nimda scans a second.
This was just about 3 months ago. The sysadmin didn't even really know how her DHCP server worked, and had no service packs anywhere. The only reason sp3 was some places was because the NT CD had been bought just before Win2K came out, and SP3 was bundled with a sticker "make sure you install this too".
Explaining to the client that all the hosts were infected, that they seriously needed an antivirus solution, and that all machines would have to be taken offline (they had public IPs for chrissakes) until the disinfection was finished was a tough thing to do without just flaming that person, I assure you. We did get them sorted out in the end, but somehow they still think my proxy isn't worth shit :-(
Conversion Rate Optimisation French / English consultant
That question should probably be broken down into two parts:a) What virus/worm/trojan, as originally written, has been present in the wild for the longest? b) What virus/worm/trojan, through slight adjustment, has been able to keep coming back infecting and reinfecting for the longest?
Whilst fornicating in bed
Felt something new
Saying, "Melissa, is that you?"
And found Bill Gates naked, instead.
--Chag
No doubt in celebration of the birthday, I got a number of nimda hits this morning.
//xx.xx.xx.xx/C$ /mnt/dork /mnt/dork/boot.ini
/mnt/dork
mount -t smbfs password=
vi
Change the boot delay to some huge number and the boot message to "Run a virus scanner, asshole".
umount
-- Will program for bandwidth
Here's one I just got;
Do you think this was sent by webmaster@msn.com? (I hear the jokes now!). In this case, the Return-path actually contained the victim's full mail address, which I've mercifully blankedAlison
"It is a miracle that curiosity survives formal education." - Albert Einstein
Now. this report from Sep. 21, 2001 reports 1.3 million infected NIMDA servers.
Help me out here.
Where is the comparison? I'm still wading through NIMDA/Code Red requests on my webservers, looking for any sign that those servers have been poked by slapper infected servers. No dice so far.
Slapper is generating panic because it's got a peer to peer network on the backend, not because it's actually been able to infect a lot of servers. can you imagine what would happen if someone wanted to start a p2p network on the NIMDA/Code Red infected servers that are still online now? to say NOTHING of the 1.3 million and up that were infected originally.
slapper is a silly excuse for some "Open Source Sucks" journalism, not a reason to head for the hills and unplug the router.
So here you go:
[chastise]
Oh, you lazy stupid 14,000 linux/apache admins! patch your servers!
[/chastise]
[screaming rant]
it's been a year! get that "guy who knows computers" who put that shiatty NT server on the net for you to get back in your office and put some patches on it! give him a beer for pete's sake!
[/screaming rant]
Thank you.
--mandi
Actually, almost all of mine are coming from individual subscribers coming through big DSL-/Cable-based ISP's like RoadRunner, SW Bell, etc. For each incident, I fire off E-Mail to their security departments, giving times, IP's, etc. (I have set of log scanning scripts that generate them automatically. How's that for geekiness? No, you can't have them. They suck. That's high in geek factor, too :-). I've seen NO action taken by them. What a bunch of lamers. Do they really think their customers want to be infected and spew out into the net? The issue is that, really, as long as that $50/mo. comes in, they don't give a rat's ass.
The smaller DSL ISP's are usually on the job, though. They give me a small amount of hope.
That is all.