Posted by
CmdrTaco
on from the no-surprise-there dept.
quakeslut writes "It's Feb. 1st everyone... and all of you who have been reading Slashdot know that today MyDoom.A begins its attack... according to Reuters, SCO has already been hit hard. Stay tuned for Tuesday when MyDoom.B hits Microsoft..."
Well actually...
by Chicane-UK · Score: 5, Informative
If you query their DNS servers, you'll see that they have removed the A records to their site.
So the traffic just won't get to them anyway..
-- "Hey! Unless this is a nude love-in, get the hell off my property!!"
Re:Well actually...
by Anonymous Coward · Score: 1, Informative
Um... no they haven't:
> dig @nsca.sco.com sco.com
;; ANSWER SECTION: sco.com. 1M IN A 216.250.128.12
Re:Well actually...
by anticypher · Score: 5, Informative
Not yet. I just checked all 4 of their name servers:
AUTHORITY SECTION:
sco.com. 6H IN NS ns.calderasystems.com.
sco.com. 6H IN NS ns2.calderasystems.com.
sco.com. 6H IN NS nsca.sco.com.
sco.com. 6H IN NS c7ns1.center7.com.
and all of them return www.sco.com. 1M IN A 216.250.128.12
So their name servers are still up and running, and pointing to a valid address. Reasonably, they have a 1 minute TTL, which will give them a quick response if they do decide to point it at 127.0.0.1 or 66.35.250.150.
the AC
the slashdot crud filter doesn't like double semi-colons in posts
-- Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
It shouldn't have happened yet
by linuxci · Score: 5, Informative
I think SCO have taken their site down themselves, as the attack shouldn't have happened yet.
The DoS attack will start at 16:09:18 UTC (08:09:18 PST) on February 1, 2004. The worm checks the local system time and date to determine if it should initiate the DoS attack.
I'm typing this and the time is currently 14:30 UTC.
For those who are interested, it does appear to work in Wine. Before the news of it reached Slashdot, I ran a copy of it in controlled conditions under Wine to see what it would do. It appears to be mainly a spam relay with SCO DoS'ing added as an afterthought.
They just didn't want to see if Linux could hack the pressure.
-- [ Monday is a terrible way to spend one seventh of your life. ]
SCO move to BSD
by Oen_Seneg · Score: 3, Informative
OpenBSD journal was commenting on how SCO moved their servers to OBSD: http://www.deadly.org/article.php3?sid=20040131082431 Not even the might of OpenBSD web servers can stand up to a mass of infected windows boxen - watch out Microsoft, they're coming your way soon!
Re:SCO move to BSD
by whiteknight31 · Score: 2, Informative
Check out the bottom of this page: http://uptime.netcraft.com/up/graph/?host=sco.com
It looks like they for the most part run Linux. Also they apparently run Apache too :)
Netcraft stats
by mnordstr · Score: 4, Informative
Well, they should have taken Netcraft's joke advice seriously and changed the www.sco.com A pointer towards 127.0.0.1 or similar.
DDoS attack time table + analysis of DoS in Mydoom
by Anonymous Coward · Score: 5, Informative
There was a story posted "Refuting tall-tales and stories about the Mydoom worms" which can be found at: http://www.math.org.il/mydoom-facts.txt
It contains the Time Table for the attack along with reverse engineering analysis of the DoS component in Mydoom.
You might also want to check: http://www.math.org.il/newworm-digest1.txt
Which contains an analysis and reverse engineering bits for Mydoom.A
Re:How stupid do you have to be?
by SoTuA · Score: 2, Informative
I left user-pass blank... it works.
Oh the irony... look at the first three packages:
IBMJava2-JAVACOMM_1_4-1.4.1-4.i586.rpm
IBMJava2-JRE_1_4-1.4.1-5.i586.rpm
IBMJava2-SDK_1_4-1.4.1-5.i586.rpm
A bit further down:
SuSEfirewall2-3.1-50.noarch.rpm
SuSEfirewall2-3.1-90.noarch.rpm
null routing to sco?
by fcs-error · Score: 3, Informative
From a list that I am on, there was consideration that routes to SCO may be dropped due to the expected traffic to SCO. The plans were to null route the traffic at the edge of individual AS's.
Re:Finally!
by Anonymous Coward · Score: 1, Informative
If any newspaper is interested in the list of people most likely to benefit from the actions of this virus, and most likely to have been involved in writing it, there is a list available here
Re:Is it Down or is it 'down'?
by Megane · Score: 4, Informative
(thanks for the tip of trying linuxupdate.sco.com)
traceroute to www.sco.com (216.250.128.12), 30 hops max, 40 byte packets
...
4 bb1-p5-2.rcsntx.sbcglobal.net (151.164.243.13) 20.902 ms 22.986 ms 20.92 ms
5 bb2-p6-0.rcsntx.swbell.net (151.164.191.122) 20.957 ms 20.977 ms 20.878 ms
6 ex1-p11-0.eqdltx.sbcglobal.net (151.164.191.229) 24.012 ms 22.046 ms 20.96 ms
7 asn2828-xo-eqdltx.sbcglobal.net (151.164.248.14) 23.907 ms 23.2 ms 23.912 ms
8 p5-2-0-3.rar1.dallas-tx.us.xo.net (65.106.4.197) 23.96 ms 22.868 ms 23.999 ms
9 p0-0-0-1.rar2.dallas-tx.us.xo.net (65.106.1.42) 24.063 ms 22.648 ms 23.905 ms
10 p1-0-0.rar2.denver-co.us.xo.net (65.106.0.41) 38.954 ms 37.252 ms 47.928 ms
11 p0-0-0-2.rar1.denver-co.us.xo.net (65.106.1.81) 38.88 ms 37.841 ms 38.944 ms
12 p4-0-0.mar1.saltlake-ut.us.xo.net (65.106.6.74) 50.949 ms 49.296 ms 50.948 ms
13 p0-0.chr1.saltlake-ut.us.xo.net (207.88.83.42) 50.886 ms 49.851 ms 50.774 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 53.912 ms 52.526 ms 51.004 ms
15 * * *
traceroute to linuxupdate.sco.com (216.250.128.241), 30 hops max, 40 byte packets
...
4 bb1-p5-2.rcsntx.sbcglobal.net (151.164.243.13) 20.947 ms 20.046 ms 20.905 ms
5 bb2-p6-0.rcsntx.swbell.net (151.164.191.122) 20.919 ms 29.145 ms 20.855 ms
6 ex1-p11-0.eqdltx.sbcglobal.net (151.164.191.229) 20.951 ms 22.991 ms 23.963 ms
7 asn2828-xo-eqdltx.sbcglobal.net (151.164.248.14) 23.945 ms 22.989 ms 23.894 ms
8 p5-1-0-3.rar1.dallas-tx.us.xo.net (65.106.4.193) 23.955 ms 25.426 ms 24.013 ms
9 p0-0-0-1.rar2.dallas-tx.us.xo.net (65.106.1.42) 26.979 ms 62.002 ms 27.099 ms
10 p1-0-0.rar2.denver-co.us.xo.net (65.106.0.41) 38.821 ms 37.981 ms 38.89 ms
11 p0-0-0-2.rar1.denver-co.us.xo.net (65.106.1.81) 38.789 ms 38.094 ms 38.888 ms
12 p4-0-0.mar1.saltlake-ut.us.xo.net (65.106.6.74) 51.054 ms 50.024 ms 50.811 ms
13 p0-0.chr1.saltlake-ut.us.xo.net (207.88.83.42) 51.001 ms 49.886 ms 50.934 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 53.903 ms 53.136 ms 53.841 ms
15 c7pub-216-250-136-254.center7.com (216.250.136.254) 50.937 ms 51.759 ms 50.787 ms
16 linuxupdate.sco.com (216.250.128.241) 51.004 ms 52.438 ms 50.988 ms
traceroute to ftp.calderasystems.com (216.250.128.13), 30 hops max, 40 byte packets
...
4 bb1-p5-2.rcsntx.sbcglobal.net (151.164.243.13) 20.892 ms 20.06 ms 23.887 ms
5 bb2-p6-0.rcsntx.swbell.net (151.164.191.122) 21.051 ms 19.935 ms 21.034 ms
6 ex1-p11-0.eqdltx.sbcglobal.net (151.164.191.229) 23.82 ms 23.095 ms 23.868 ms
7 asn2828-xo-eqdltx.sbcglobal.net (151.164.248.14) 23.987 ms 23.063 ms 20.829 ms
8 p5-2-0-3.rar1.dallas-tx.us.xo.net (65.106.4.197) 23.989 ms 22.84 ms 23.934 ms
9 p0-0-0-1.rar2.dallas-tx.us.xo.net (65.106.1.42) 24.086 ms 25.935 ms 23.877 ms
10 p1-0-0.rar2.denver-co.us.xo.net (65.106.0.41) 38.916 ms 38.112 ms 38.925 ms
11 p0-0-0-2.rar1.denver-co.us.xo.net (65.106.1.81) 38.603 ms 38.096 ms 38.94 ms
12 p4-0-0.mar1.saltlake-ut.us.xo.net (65.106.6.74) 50.947 ms 49.871 ms 50.914 ms
13 p0-0.chr1.saltlake-ut.us.xo.net (207.88.83.42) 50.944 ms 49.782 ms 51.008 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 50.836 ms 53.072 ms 53.935 ms
15 * * *
So either they're being merely slashdotted or they "accidentally on purpose" kicked www.sco.com's router power plug out of the wall. According to ARIN, they're all on the same /20 network, so they're probably not on a different final link from XO. They're certainly not being DoS'ed for bandwidth.
Re:Why today...
by 0x54524F4C4C · Score: 1, Informative
No, they work from Saturday to Wednesday. Really weird. This is one of the major problems while trying to do business with Muslim countries: one can only count on 3 days per week where both places have people working.
Re:How did this virus spread so easily?
by Lumpy · Score: 4, Informative
a lot of stupid users? yes and no. For the past 4 versions of Windows Microsoft has refused to remove a huge security hole called file extension hiding. They knew it was a gigantic hole when they added it, and many MANY times industry experts have pleaded to them to remove it. Microsoft refuses.
Microsoft did not spread the virus, but they created the tools to ensure its spread by the non-technical.
and people ask about the "cost" of linux, how about the extreme cost of continuing to use Microsoft products...
Apache isn't licensed under the GPL. It's the BSD license (or similar) but BSD haters still use Apache yet flame the BSD license. How funny. Same with X.
Re:Why today...
by Maserati · Score: 2, Informative
Note to moderators, Smith & Wesson doesn't make the Glock, so the parent is the better analogy.
Offline.... but why
by triptolemeus · Score: 2, Informative
The virus was going to hit at 16:something hour. I checked the SCO website this night at 1:30 (CET) and then it was already offline. No reply no more
My guess is they took it offline themselves. Or they applied one of the tricks from yesterday's Netcraft post.
-- The site where: "I'm right, as long as you ignore the things that prove me wrong", became a valid method of debate.
Re:Why today...
by SpaceLifeForm · Score: 4, Informative
SCO obviously does not care about being forewarned, and wants to milk this for all they can.
From the article:
"While we expect this attack to continue throughout the next few weeks, we have a series of contingency plans to deal with this problem and we will begin communicating those plans on Monday morning," Jeff Carlon, worldwide director of Information Technology infrastructure, The SCO Group, said in the statement.
NOTE TO SCO: You don't have to communicate any series of contingency plans to anyone except your own IT staff (if you have any left). Any press releases from SCO will be obvious FUD and will not mean a damn thing.
-- You are being MICROattacked, from various angles, in a SOFT manner.
Re:Isn't there a better solution?
by BuckaBooBob · Score: 2, Informative
Depending on the business and the size of their pipe to the internet, these DDOS attacks can flood the pipe well over its capacity, so you don't even have time to see the packets and drop the ones that meet your criteria to be suspicious and likely to be MyDoom.
Ok, now say that your pipe is big enough to handle all the incoming packets... You will need enough additional hardware to examine all the packets and reject the ones you define in your criteria to be suspicious of MyDoom.
Blocking at the router level has a few issues. #1 being the more rules you add to filter packets, the worse the router performs its packet routing.. #2 There is only a very simplistic set of rules available to use to block packets.. Such as block from IP range, block all traffic on port, etc... Nothing advanced like block all traffic that hits this address over this time period, etc.. Only simplistic rules...
Only high-end firewalls have advanced complex rules that you could use to do this type of filtering you talk about... and again you're hit with the costs of hardware to handle the load and a pipe large enough to handle all the traffic.
Look how often sites feel the effects of /. and that's not an attack per se.. It's a low number of people using valid connection protocols in the manner they were supposed to be used, when compared to the number of vulnerable Windows machines out there using "damaging" connection methods and protocols/formats designed to deny service to would-be web clients.
-- Who needs WiFi when we can have Packet Over Sheep!
http://datacomm.org/PoS-InternetDraft.txt
Re:Slashdotted Reuters?
by hankaholic · Score: 4, Informative
Did you read the paragraph preceding the one you cite from the article? It reflects my own initial thoughts on reading your post, and doesn't attempt to blame the OS for what really is a network problem:
If ISPs would begin adopting the practice of preventing the escape of fraudulently addressed packets from within their controlled networks, this potent attack, and its many cousins, would die overnight.
This seems much wiser a suggestion than the anti-MS paragraph which you chose to cite. Who better to set actual network policy than those responsible for managing those networks?
Microsoft including a raw socket API is about as evil as Microsoft supporting the creation of outgoing connections to any arbitrary mail servers -- sure, it's open to abuse (DDoS, spam, etc.), but removing the sort of API that traceroute and ping tools would use to perform useful work is not a security fix. It's closer to asking Home Depot not to sell hammers because they can be used as weapons.
Further, having MS remove the raw socket API would lead those with cruel intentions to use non-Windows machines exclusively to do their evil deeds. Consider that the mind which concludes that the raw socket API must be removed because of the unpleasant actions of a few people probably isn't far from thinking that operating systems which are engineered in an open and flexible environment can be used for subversion as well. Suddenly those using "subversive" non-MS operating systems which haven't removed raw packet interfaces are a little more suspect in the public eye.
If ISPs would only permit traffic with sane source IP addresses to leave their networks, then the only effect sending such packets out would have would be to waste traffic between the would-be tricksters and their ISP's router(s).
-- Somebody get that guy an ambulance!
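The ISP egress filtering hankaholic is advocating (drop a packet before it leaves the network unless its source address is one the ISP actually routes for its customers), as an added example that is not code from the post; the customer prefixes, the bogon list and the flow records are all constructed.

```python
"""Egress (source-address) check an ISP edge could apply to outbound flows.
Added example, not from the thread. Prefixes and flow records are constructed."""
import ipaddress

# Constructed: the prefixes this hypothetical ISP announces for its customers.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Sources that must never leave an edge router whoever the customer is:
# unspecified, loopback, link-local, RFC 1918, multicast, reserved.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def egress_verdict(src):
    """Return 'permit' or a short reason for dropping the packet."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_PREFIXES):
        return "drop: bogon source"
    if not any(addr in net for net in CUSTOMER_PREFIXES):
        return "drop: source not in customer space (spoofed)"
    return "permit"


def filter_flows(lines):
    """Apply the check to 'src dst proto/port' records; return verdicts."""
    verdicts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:          # malformed export line, skip it
            continue
        src, dst = fields[0], fields[1]
        verdicts.append((src, dst, egress_verdict(src)))
    return verdicts


def summarize(verdicts):
    """Count flows per verdict text."""
    counts = {}
    for _, _, verdict in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed flow records as a simple edge router might export them.
SAMPLE_FLOWS = [
    "203.0.113.7 216.250.128.12 tcp/80",      # real customer host
    "198.51.100.200 216.250.128.12 tcp/80",   # outside the /25: forged source
    "10.0.0.5 216.250.128.12 tcp/80",         # private address leaking out
    "45.0.0.1 216.250.128.12 tcp/80",         # somebody else's address space
    "198.51.100.9 216.250.128.12 udp/53",     # real customer host
]

if __name__ == "__main__":
    for src, dst, verdict in filter_flows(SAMPLE_FLOWS):
        print("%16s -> %-16s %s" % (src, dst, verdict))
    print(summarize(filter_flows(SAMPLE_FLOWS)))
```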
Ignore the man behind the curtain
by PetoskeyGuy · Score: 3, Informative
Forget about the DDOS attacks. It's a distraction. The bigger problem is that the DDOS may be able to be changed on command to any other site on the internet.
This is a spam zombie virus. We need to work on securing our compromised systems and keeping them from joining the spam network and obeying the commands. If anyone has any real information about how this virus works as a relay and how to stop it at the network level, please post it.
So far I've found the following links. Blocking port 3127 at the router seems like it could help a lot. Any other (real) solutions would be appreciated.
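A log-side version of the two filtering ideas in this thread: flag anything connecting to the port 3127 backdoor that PetoskeyGuy suggests blocking at the router, and the "too many hits on this address over this time period" rule that BuckaBooBob says simple router ACLs cannot express. Added example, not code from any post; the log lines, their simplified iptables-style format and the thresholds are constructed.

```python
"""Two detections over firewall-style log lines. Added example, not from the
thread; the log format, lines and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime

BACKDOOR_PORT = 3127          # the port the post suggests blocking
WINDOW_SECONDS = 60           # constructed thresholds for the rate rule
MAX_HITS_PER_WINDOW = 3


def parse_line(line):
    """'YYYY-MM-DD HH:MM:SS SRC=a DST=b PROTO=p DPT=n' -> dict, or None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    rec = {"ts": ts}
    for kv in parts[2:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            rec[key] = value
    if "SRC" not in rec or "DST" not in rec:
        return None
    return rec


def detect(lines, protected_dst):
    """Return [(timestamp, rule, source)] alerts.

    Rule 1 fires on every TCP connection to the backdoor port. Rule 2 keeps a
    per-source sliding window of hits against protected_dst and fires once per
    source when the window exceeds MAX_HITS_PER_WINDOW.
    """
    alerts = []
    hits = defaultdict(deque)
    rate_alerted = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:              # unparsable line: skip, never crash
            continue
        src, dst = rec["SRC"], rec["DST"]
        if rec.get("PROTO") == "TCP" and rec.get("DPT") == str(BACKDOOR_PORT):
            alerts.append((rec["ts"], "backdoor-port-3127", src))
        if dst == protected_dst:
            window = hits[src]
            window.append(rec["ts"])
            while (rec["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()     # drop hits older than the window
            if len(window) > MAX_HITS_PER_WINDOW and src not in rate_alerted:
                rate_alerted.add(src)
                alerts.append((rec["ts"], "rate-exceeded", src))
    return alerts


# Constructed log: one host hammering the web server, one client probing the
# backdoor port on another host, and ordinary traffic that should stay quiet.
SAMPLE_LOG = [
    "2004-02-01 16:09:18 SRC=192.0.2.10 DST=216.250.128.12 PROTO=TCP DPT=80",
    "2004-02-01 16:09:19 SRC=192.0.2.10 DST=216.250.128.12 PROTO=TCP DPT=80",
    "2004-02-01 16:09:20 SRC=192.0.2.10 DST=216.250.128.12 PROTO=TCP DPT=80",
    "2004-02-01 16:09:21 SRC=192.0.2.10 DST=216.250.128.12 PROTO=TCP DPT=80",
    "2004-02-01 16:09:22 SRC=192.0.2.10 DST=216.250.128.12 PROTO=TCP DPT=80",
    "2004-02-01 16:09:30 SRC=192.0.2.55 DST=198.51.100.4 PROTO=TCP DPT=3127",
    "2004-02-01 16:10:00 SRC=192.0.2.77 DST=216.250.128.12 PROTO=TCP DPT=80",
    "2004-02-01 16:12:00 SRC=192.0.2.77 DST=216.250.128.12 PROTO=TCP DPT=80",
    "this line is garbage and is skipped",
]

if __name__ == "__main__":
    for ts, rule, src in detect(SAMPLE_LOG, "216.250.128.12"):
        print(ts.isoformat(), rule, src)
```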
Re:What the hell?
by dave1212 · Score: 2, Informative
Seeing a few other comments saying that they're seeing the Apache default install page, but I think they're actually seeing their own localhost, not set up yet.
Still happening, btw.
Re:Lawyer think...
by LinuxGeek · Score: 4, Informative
Correction to make on my previous post. I had already done a dig and nslookup, but on sco.com and not www.sco.com.
[root]# host www.sco.com
Host www.sco.com not found: 3(NXDOMAIN)
SCO has updated their dns servers and axed the record for www.sco.com. NXDOMAIN means no such domain. Wonder why SCO didn't announce that they themselves took www.sco.com completely offline.
Hopefully the media will know about this when SCO complains about the DDOS attack. Now I know why the rest of their services are fairly intact and responding.
-- Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
But wait!!! I can prove it's not the virus.
by dtfinch · Score: 5, Informative
www.sco.com no longer resolves. They removed it from their name server yesterday. Only sco.com without the www resolves to an IP address. The attack should be almost completely averted by now because of this, but sco.com is still down.
The only possible cause I see for them to still be offline is if they took it offline themselves, or there's been another attack that they've failed to mention to the press, but it's unlikely that they'd turn down any opportunity to slam us if that were the case. Check it yourselves. The worm specifically attacks the domain www.sco.com, which no longer exists, and the DNS entry expired yesterday. All that worm traffic should be going to oblivion by now, because Windows doesn't reuse expired DNS records when requery attempts fail.
Apart from slashdot readers and lawyers who goes to the SCO site these days?
Honestly, my company. We still use SCO OpenServer currently. Product registration is done via the website. While there are other ways to register (via phone and fax, I believe), this will be an annoyance. Plus there is the fact that we have close to 700 existing servers out in the field that will need the knowledge base at some point in time.
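A minimal parser for the DNS answers the thread is reading off dig and host: the A record with the 1 minute TTL anticypher saw on all four name servers, and the NXDOMAIN that LinuxGeek and dtfinch saw once the record was pulled. This is an added example, not code from the thread; the response bytes are constructed here to mirror that output rather than captured.

```python
"""Parse DNS replies the way dig/host show them: A records with their TTL,
and the NXDOMAIN rcode once a name has been removed.
Added example; the response bytes are constructed, not captured."""
import struct

TYPE_A, CLASS_IN = 1, 1
RCODE_NXDOMAIN = 3


def encode_name(name):
    """'www.sco.com' -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it).

    A compression pointer (top two bits set) jumps elsewhere in the message;
    the offset returned is the one after the pointer, not after its target.
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            hops += 1
            if hops > 16:            # hostile data could loop pointers forever
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Return (rcode, [(name, ttl, ipv4), ...]) for the answer section."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                 # skip the question section
        _, offset = decode_name(msg, offset)
        offset += 4                     # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return rcode, answers


def build_response(qname, rcode, ttl=None, ipv4=None):
    """Construct a reply to an A query; with ttl/ipv4 it carries one A record."""
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer, ancount = b"", 0
    if ipv4 is not None:
        rdata = bytes(int(p) for p in ipv4.split("."))
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
        ancount = 1
    flags = 0x8180 | rcode              # QR=1, RD=1, RA=1, rcode in low 4 bits
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0) + question + answer


def describe(msg):
    """One-line summary in the spirit of the dig/host output in the thread."""
    rcode, answers = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN: no such name"
    return ", ".join("%s -> %s (TTL %ds)" % (n, ip, ttl) for n, ttl, ip in answers)


# Constructed samples: the 1 minute (60 s) A record, then the NXDOMAIN reply.
LIVE = build_response("www.sco.com", 0, ttl=60, ipv4="216.250.128.12")
GONE = build_response("www.sco.com", RCODE_NXDOMAIN)

if __name__ == "__main__":
    print(describe(LIVE))
    print(describe(GONE))
```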
Some news about the SCO dns: http://news.netcraft.com/archives/2004/02/01/sunday_morning_and_wwwscocom_is_still_in_the_dns.html
And graphs showing the results: http://uptime.netcraft.com/perf/graph?site=www.sco.com
oh and here is a link to The Groklaw analysis of the situation.
http://xforce.iss.net/xforce/alerts/id/161
http://www.savvy.net/detail.asp?category_id=7&article_id=91
I guess there just aren't that many Darls around, probably something for which we should be grateful.
Or you can get "fax on demand" phone numbers to call his line.
[root]# host www.sco.com
Host www.sco.com not found: 3(NXDOMAIN)
[root]# dig www.sco.com
; <<>> DiG 9.2.1rc1 <<>> www.sco.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14794
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> www.sco.com
Server: ns.calderasystems.com
Address: 216.250.130.1
*** ns.calderasystems.com can't find www.sco.com: Non-existent domain
> sco.com
Server: ns.calderasystems.com
Address: 216.250.130.1
Non-authoritative answer:
Name: sco.com
Address: 216.250.128.12
http://www.news.com.au/common/story_page/0,4057,8559932%255E401,00.html