Read the article, they aren't upset because of what he did, they are upset about what he didn't do.
What he did not do is pay the correct tax, if he had paid the 'correct' tax they might have left him alone.
Then explain why government has grown so much in size and power with the GOP in charge.
Then you should have pointed it out in a message attached to the first.
Perhaps you should remove the union link from your sig, I do not think they need the support of someone that does not know the difference between news and knews.
Then explain games like NWN.
Are you new here?
/., we all have lots of systems laying around.
This is
Damn Newbie.
It is a reference to the USSC and abortion/having to give our names to the State. Perhaps you should not be so defensive of our current liberal administration.
Did I touch a nerve?
A funny thing about the list of corps that oppose BPL, a lot of them have invested a lot of money in other methods of broadband delivery.
Our government is huge, I bet you could find sections of the government that like BPL (have any links to back up what you said?)
If this is too hard for you to understand I will try to find a 6 year old to explain it to you.
No, that isn't cool. People saying crap like that will be used by those in power to remove your radios from you.
Hams are playing this like it is some game, and it isn't. You are fighting people with lots of money and power and making snide little comments will not buy you ANY friends.
I used to be on the hams' side, till I realized they were acting like a bunch of spoiled kids and spinning every piece of info to make their side look perfect and the other side look like the devil.
You are also overlooking the large push to move all those emergency services over to different systems that are much more resistant to interference (digital and encrypted links, look at the ads in mags targeting those users).
And according to the video that was posted to /. about a week or two ago, BPL only harms communication when you are very near overhead powerlines.
No, they will be too busy trying to pump 1000 Watts into the nearest power lines because they will be blaming BPL for the war ;->
Why is it misguided? That video that /. linked to a week or so ago shows that the BPL interference only happens very close to power lines...
And officially China, Cuba and the former Iraq are/were elected governments who got 99.997% of the vote.
The labs would grind to a halt if even 1/2 the students had to use them in place of their own systems.
And them not encrypting their data is different from how they do things now?
Please read today's news.
I await your apology.
Why?
No, the 'tool' that has been most used to terrorize people has been, and still is, food.
You see the shit that is on TV these days? All that reality tv and talkshow shit? The people that like that crap do pay attention to the ads.
sad, very sad
You know why it was rejected? So they could post that shitty RedVSBlue crap.
IMTO/.
The parent post is proof that the apple mods will mod anything that is positive about Apple up to +5 in 3.2 seconds.
Damn, Doom on an apple 2?
IMTO/.
http://isc.sans.org/
Handlers Diary June 24th 2004
Updated June 25th 2004 01:27 UTC (Handler: Marcus H. Sachs)
* {update #2} .org dns problems, RFI - Russian IIS Hacks?
.org DNS Issues
This morning, DNS resolution of .org domains appears to fail occasionally. Preliminary information shows that some of the UltraDNS servers are not responding. The cause and scope of this problem is unknown so far. Reports about problems are mostly limited to North America at this time.
UPDATE (1930 UTC) - the .org zone is working now.
Sometimes it helps to use the "dig" command to zero-in on suspected DNS issues. Try this command and modify it as needed when troubleshooting:
% dig sans.org ns +trace
RFI - Russian IIS Hacks?
UPDATE (2100 UTC) - Thanks to everybody who generously provided updates to us today. We still do not know how the IIS servers are originally infected with the JavaScript or the modification to the configuration files. Any additional theories or ideas are welcome.
The reason for the attack seems to point back to the spamming community. There is quite a bit of evidence that what we are seeing is yet another technique for spreading and installing "spamware" (software that assists in either creating, relaying, proxying, or otherwise participating in the sending of spam.) We don't see any evidence that this attack is related to the construction of a DDoS network or other type of typical zombie-based attack group. However, we continue to monitor and will provide updates if anything further develops.
Two readers sent us snips from their proxy logs (thanks, Rich and Mike!) While the flows are slightly different, this is the pattern to look for as an indicator that one of your clients has attempted to visit the Russian site:
NOTE: These links are obfuscated. Accessing these URLs may result in a virus infection
GET _http_://217.107.218.147/dot.php
GET _http_://217.107.218.147/new.html
GET _http_://217.107.218.147/dot.php
GET _http_://217.107.218.147/new.html
GET _http_://217.107.218.147//main.chm
GET _http_://217.107.218.147/msits.exe
GET _http_://217.107.218.147/redir.php
GET _http_://217.107.218.147/new.html
GET _http_://217.107.218.147/dot.php
GET _http_://217.107.218.147/new.html
GET _http_://217.107.218.147/md.htm
GET _http_://217.107.218.147/redir.php
GET _http_://217.107.218.147/dot.php
GET _http_://217.107.218.147/new.html
GET _http_://217.107.218.147/dot.php
GET _http_://217.107.218.147/new.html
GET _http_://217.107.218.147/md.htm
GET _http_://217.107.218.147/redir.php
One reader (thanks, Ben!) submitted a list of files found on his compromised IIS server. The files he sent us included:
Code snippits.doc
iis6xx.dll (multiple copies, where xx varies)
iis7yy.dll (multiple copies, where yy varies)
Download_Ject_Symantec.doc
ipaddress.txt
issue.csv
ads.vbs
agent.exe
ftpcmd.txt
security_log.rtf
Finally, the executable we mentioned in the previous update (msits.exe) is not detected by most AV suites, contrary to what we earlier thought. Here is what we found when we tested it at virustotal.com:
BitDefender 7.0/20040624 nothing
eTrustAV-Inoc 4641/20040623 nothing
F-Prot 3.14e/20040624 nothing
Kaspersky 3.0/20040625 nothing
McAfee 4369/20040624 nothing
NOD32v2 1.794/20040623 nothing
Norman 5.70.01/20040512 nothing
Panda 7.02.00/20040624 nothing
Sybari 7.50.1138/20040624 [Win32.Webber]
Symantec 8.0/20040624 [Backdoor.Berbew.F]
TrendMicro 1.00/20040624 nothing
UPDATE (1930 UTC) - Several readers have responded and confirmed that this is a wide-spread issue. Here is what we know so far:
- An IIS server's configuration is somehow modified so that "enable document footer" is enabled for various (if not all) files and linked to the new .dll file(s) in \winnt\
IIS 5 Web Server Compromises
added June 24
US-CERT is aware of new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites. Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems.
Web server administrators running IIS 5 should verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.
This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code.
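The proxy-log pattern quoted in the diary above can be checked for mechanically. The following is an added example, not part of the diary or of any post here: the log layout, the client addresses and the names `parse_line` and `triage` are assumptions made for illustration, while the host and file names are the ones the diary lists.

```python
import re
from collections import defaultdict

# Host and file name exactly as they appear in the diary's proxy-log excerpts.
INDICATOR_HOST = "217.107.218.147"
EXECUTABLE_PATHS = {"/msits.exe"}
# Constructed sample. Assumed layout: "<epoch> <client-ip> <method> <url>".
SAMPLE_LOG = """\
1088090001 10.1.1.20 GET _http_://217.107.218.147/dot.php
1088090002 10.1.1.20 GET _http_://217.107.218.147/new.html
1088090003 10.1.1.20 GET _http_://217.107.218.147//main.chm
1088090004 10.1.1.20 GET _http_://217.107.218.147/msits.exe
1088090005 10.1.1.20 GET _http_://217.107.218.147/redir.php
1088090101 10.1.1.31 GET _http_://217.107.218.147/new.html
1088090102 10.1.1.31 GET _http_://217.107.218.147/dot.php
1088090103 10.1.1.31 GET _http_://217.107.218.147/md.htm
1088090104 10.1.1.31 GET _http_://217.107.218.147/redir.php
1088090201 10.1.1.40 GET http://example.org/217.107.218.147/new.html
1088090202 10.1.1.41 GET http://217.107.218.147.example.net/new.html
"""
# Accepts plain "http://" as well as the diary's "_http_://" obfuscation.
URL_RE = re.compile(r"^_?https?_?://([^/:\s]+)(?::\d+)?(/\S*)?$", re.I)

def parse_line(line):
    """Return (client, method, host, path), or None for unparseable lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    m = URL_RE.match(parts[3])
    if not m:
        return None
    path = (m.group(2) or "/").split("?", 1)[0]
    path = re.sub(r"/{2,}", "/", path)  # "//main.chm" -> "/main.chm"
    return parts[1], parts[2].upper(), m.group(1).lower(), path

def triage(log_text):
    """Per client: paths requested from the exact host, and whether the .exe was one."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == INDICATOR_HOST:
            hits[rec[0]].append(rec[3])
    return {
        client: {
            "paths": sorted(set(paths)),
            "executable_requested": any(p.lower() in EXECUTABLE_PATHS for p in paths),
        }
        for client, paths in hits.items()
    }
```

Clients 10.1.1.40 and 10.1.1.41 are not reported because the host is compared exactly, so the address appearing inside a path or as the prefix of a longer hostname does not count as a hit.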
Me. I don't pay list price for books, 5.99 - 7.99 for a paperback is a joke.
What about the voices in your head?
Check to see what the energy density of that laptop battery is.
Hint, it could fsck you over.