Slashdot Mirror


User: baptiste

baptiste's activity in the archive.

Stories: 0
Comments: 646

Comments · 646

  1. Re:Missile Test was not a cheat on World's Worst Dog'n'Pony Shows · · Score: 2
    I thought GPS needed an atomic clock to work.

    On the sats, yes since GPS depends on that time to calc the time shift to calc position. But that's on satellites in use for years. For the beacon, as long as it had a fairly accurate clock on it that was synced to an atomic std clock before launch, it would be fine since the missile would only be in use for minutes. Not enough time for any clock drift to have a huge impact. All GPS needs is a time source, however if it's not accurate it throws everything off, but in this case it wouldn't matter because it wouldn't have a chance to drift much if at all given that missile's life span once it was launched.

  2. Re:GPS doesn't emit a signal on World's Worst Dog'n'Pony Shows · · Score: 2

    You didn't read the article. The target missile had a GPS TRANSMITTER on it, not a receiver. The receiver was on the ground, using the sats as reference points - thus they could track the missile based off its stream.

  3. NEW DATA [was Re:Geometric growth.] on Code Red Goes The Way Of Y2K · · Score: 3, Informative
    Finally got Incidents.org to respond, they posted new data (looks like the hours shifted though):
    • 11AM - 22,001
    • 12PM - 32,502
    • 1PM - 41,968

    So not as explosive as expected BUT, we're already at just about 80,000 infected hosts already and it's only 2PM! I'm sure there are PLENTY of vulnerable servers still out there. My 3 web servers have been hit 13 times so far. That's 3 IPs hit between 4 and 5 times each. Not huge, but for such a tiny IP section, scary all the same.

  4. Re:Graceful Exits on World's Worst Dog'n'Pony Shows · · Score: 2

    Oh man that is classic - will have to remember that one! I sure hope he got a promotion out of it :)

  5. Re:Missile Test was not a cheat on World's Worst Dog'n'Pony Shows · · Score: 2

    That's what they say anyway - ANY signal being emitted from a device can be homed in on. Now I tend to believe the Air Force - they WANT to know where the missile is and GPS helps them do that. But given that previous tests of Star Wars involved heating up the missile with infrared so it was obvious to the interceptor - you take the claims with a grain of salt. Sure, the test was probably legit, but the pressure on this test was huge and it would NOT shock me to learn they homed in on the GPS or some other signal coming from the missile.

  6. Re:Don't you get it!?? on Code Red Goes The Way Of Y2K · · Score: 2
    Watching people run IIS is like watching a violent, fiery thunderstorm. Sure, it'd suck if lightning actually HIT me, but I'm quite safe.

    ROFLMAO!

  7. Re:People underestimate the bandwidth of the 'net on Code Red Goes The Way Of Y2K · · Score: 2
    200,000 hosts (high point last month) sending lots of tiny packets is probably less traffic than slashdot readers viewing videos from articles

    Well, perhaps, but remember, this beast has 100 threads going at once trying to infect machines. And your count is a bit low - the counts I've seen, and disclaimed as LOW - were 360K infected hosts. That's 3.6 MILLION processes choosing random IPs anywhere in the world and sending a couple hundred bytes. That's a WHOLE lotta connections. So it can have an impact.

  8. Re:Another site with real time stats..... on Code Red Goes The Way Of Y2K · · Score: 2

    My bad - their DB is for all infections reported not just Code Red - the 'Code Red Real Time Stats' thing underneath threw me - it just links back to incidents.org :( Links are supposed to be UNDERLINED people!

  9. Another site with real time stats..... on Code Red Goes The Way Of Y2K · · Score: 2
    Incidents.org is major hosed (ie slashdotted)

    Dshield.org has some stats going too. Looks like 23,400 infections as of around 10AM EDT....

  10. Re:When are virus/worm writers going to get seriou on Code Red Goes The Way Of Y2K · · Score: 2
    I'm with you here, but I think it's the ego thing - they want the publicity - a worm like you describe wouldn't generate the instant news coverage they crave - a worm like you describe wouldn't because half the admins would think it was data corruption, not a worm - it would generate news on /., etc but not the national news media.

    DDoS attacks get the buzz and that's what they crave. But I have to agree - when worm writers get really serious, it'll make Code Red look like child's play.

  11. Re:is this it? on Code Red Goes The Way Of Y2K · · Score: 2

    Yes, that's Code Red. If you see x.ida?AAAAAAAA, that is a vulnerability scanner from eEye Software which probes for the vulnerability but doesn't infect anything - used by net admins to hunt down vulnerable servers on their network - and also, it seems based on the spike in x.ida hits I got last evening, used by people looking for seed hosts for Code Red round 2.

  12. Re:It is alive on Code Red Goes The Way Of Y2K · · Score: 2

    Which is strange - I thought CRv2 defaced the pages of English based sites - or were these non-English based sites? Maybe this is a new variant that doesn't put the hacked by chinese page up - instead tosses the default page in (or doesn't do anything to the main page)? Also - many folks use virtual servers and forget to do anything with the default server which an IP access will route to. No telling. But it would be interesting to see if a new variant is on the loose.

  13. But how... on DirecTV to Pursue Pirates · · Score: 3, Interesting

    will DirecTV get probable cause for searches? It'll be interesting to see if judges grant the warrants based on product sales, etc. Especially when cops raid legitimate places using the cards (for what I have NO idea :) ) So DirecTV has some addresses, but is that enough to grant a warrant - what if the person just bought a non-DirecTV hack product from the same company - it could get messy.

  14. Re:Use the data, Luke! on Code Red Goes The Way Of Y2K · · Score: 2

    Yes but looking at it now (12 EDT) I see a gradual rise in packet loss and a drop in reachability - now that may be normal lunch hour jams, but the gradual increase tells me this is just getting rolling. It's not a matter of if, but how much, I'm seeing more scans as time goes by - trick is how bad it really gets and where it tops out at.

  15. Re:Am I the only one besides beanspace... on Code Red Goes The Way Of Y2K · · Score: 2
    Incidents.Org is reporting exponential growth

    And now thanks to a slashdotting isn't even responding :) I wanna see the 12 o'clock total! It's like watching a game :)

  16. Re:When will they learn? on Code Red Goes The Way Of Y2K · · Score: 2
    When will virus/worm authors learn that publicity (at least initially) is their ENEMY?

    True, but what will surprise me is if some other worm doesn't show up today. While everyone is watching to see if Code Red hits, what better time to release a really stealth worm that doesn't deface the main page and hides the best it can to spread itself somewhat slower - and have it set to DDOS (using DNS of course, not hardcode IP) on the 18th instead - now that would be funny.

  17. Re:Snapple virus wouldn't sound very scary on Code Red Goes The Way Of Y2K · · Score: 2

    Actually, it got its name from the guys who did the initial analysis late at night and they drank a lot of Code Red to stay awake. But it sure was descriptive and catchy once this took off.

  18. Re:A bit premature? on Code Red Goes The Way Of Y2K · · Score: 2

    The other interesting thing is the # of probes I got from the eEye Scanner starting yesterday afternoon a few hours before 8PM EDT - From IPs on totally different nets (ie it wasn't a local ISP admin doing it). Looks to me like some folks were looking for seed hosts to get things rolling again. Even more interesting is the probes weren't being done sequentially since I didn't see scans across my web server IPs, they were more random.

  19. A bit premature? on Code Red Goes The Way Of Y2K · · Score: 2
    I'd say it's a bit premature to say this is all over. I doubt it'll be as bad as before - but remember, CRv1 was slow to spread due to the lack of a random IP seed. Once CRv2 came out it spread like wildfire.

    I've seen 5 scans across 2 servers so far from five unique hosts - Last time I got between 20 and 30 per server. But it's just getting started. So it may very well continue to spread at a slower rate due to the # of hosts that have been patched - but there are still plenty of vulnerable hosts out there. On July 19th, my scans didn't really pick up till the afternoon - I have no idea when v2 hit the net, but it's the whole snowball effect, it starts slowly then picks up speed rapidly.

    I think it'll be a lot less of a problem than the media wants to believe, but I think it'll still be a significant problem.

  20. Re:How to Interview a Sysadmin? on How Do You Interview A Sysadmin Candidate? · · Score: 2
    Excellent! No sysadmin will know how to use every single tool, etc. Better they admit it than try to fake it - I'll never forget in high school, our physics teacher would ALWAYS post all the equations we'd need for a test on the blackboard - his feeling was, better you know how to USE the equations and when to apply them, vs wasting time trying to remember them all by heart.

    Another thing is ask if they've ever been in a situation where they had to innovate to get service back up. For example, we had an IBM file server go down hard on Friday - IBM didn't want to come in till Monday (it was our last IBM and we'd let the contract expire) so we built a temporary server out of spare parts we had around, and had the file server back up the next morning - it ran that way for a few weeks until we could order a new proper fileserver. Stuff like that.

  21. Re:Nice to see they aren't caving on Sun's Zippy New Chips · · Score: 2

    You're right - the costs were scary - though having been there - I know that other factors come into play including the relationship with the vendor, the support, etc, etc. The costs for HP-UX alone will make you turn pale. But I'd much rather have seen HP try to reduce the cost of PA-RISC CPUs (Which I felt were a very good technology) to compete instead of ditching them. Of course if Itanium lives up to its billing it'll be moot anyway, but if it doesn't, well that puts HP in an interesting position.

  22. Nice to see they aren't caving on Sun's Zippy New Chips · · Score: 2
    For a while one had to wonder if the high end CPU makers were just giving up and jumping on the Intel bandwagon (*cough* HP *cough*) Glad to see Sun is still looking to extend and improve their CPU line to stay competitive.

    Don't get me wrong, I love my Athlons, but I used to work in an HP based shop with PA-RISC all around. I'll never forget when the K-Class and N Class servers first came into our data center with the latest PA-RISC beasts - they were so fast it was scary (this was like 3 years ago)

  23. Or not... [Re:ITS BAAAAAAAACK!!!!~] on Code Red! All Hands to Battle Stations! · · Score: 3

    Turns out that this signature is probably from the eEye CodeRed scanner to identify vulnerable hosts. Interesting that they seemed to show up after 5PM from various places.

  24. ITS BAAAAAAAACK!!!!~ on Code Red! All Hands to Battle Stations! · · Score: 3
    Sure enough - decided I'd start some log traces on my (Apache) servers and watch for anything .ida. Sure enough, the scans are starting already, though this looks like a different variant, instead of default.ida, it's x.ida?AAAA...

    [baptiste@surfboard httpd]$ tail -f access_log | grep .ida
    136.176.193.29 - - [31/Jul/2001:17:10:49 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAA[lame filter snip]AA=X HTTP/1.1" 404 280
    136.176.193.29 - - [31/Jul/2001:17:12:42 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[lame filter snip]AA=X HTTP/1.1" 404 280

    Should be an interesting evening. Interesting that I got hit twice from the same IP a few minutes apart.
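
Added example, not part of the comment above or of the archived page: a log triage script that separates the two `.ida` request signatures the thread distinguishes (`default.ida` for the worm, `x.ida` for the scanner probe) and counts hits per source and per hour. The sample log lines are constructed, and the label names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in Apache common log format: documentation-range
# addresses and shortened padding, not lines taken from the page.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jul/2001:17:10:49 -0400] "GET /x.ida?AAAAAAAAAAAAAAAA=X HTTP/1.1" 404 280
192.0.2.10 - - [31/Jul/2001:17:12:42 -0400] "GET /x.ida?AAAAAAAAAAAAAAAA=X HTTP/1.1" 404 280
198.51.100.7 - - [01/Aug/2001:10:02:13 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 276
203.0.113.5 - - [01/Aug/2001:10:05:40 -0400] "GET /docs/midas.html HTTP/1.1" 200 5120
203.0.113.9 - - [01/Aug/2001:11:30:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 276
"""

REQUEST = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}):[^\]]*\] "[A-Z]+ (\S+)')

# Labels follow the thread: default.ida is the worm's request, x.ida the
# scanner probe. Any other name ending in .ida is kept for manual review.
LABELS = {"default.ida": "code-red", "x.ida": "scanner-probe"}

def classify(line):
    """Return (source_ip, 'dd/Mon/yyyy:hh', label), or None for non-.ida hits."""
    m = REQUEST.match(line)
    if not m:
        return None
    ip, hour, target = m.groups()
    name = target.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if not name.endswith(".ida"):  # literal suffix, unlike `grep .ida`
        return None
    return ip, hour, LABELS.get(name, "other-ida")

def summarize(log_text):
    """Count hits per label, per (label, source) and per (label, hour)."""
    by_label, by_source, by_hour = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            ip, hour, label = hit
            by_label[label] += 1
            by_source[label, ip] += 1
            by_hour[label, hour] += 1
    return by_label, by_source, by_hour

def naive_grep_count(log_text):
    """Lines the unescaped pattern `.ida` matches: any character, then 'ida'."""
    return sum(1 for l in log_text.splitlines() if re.search(r".ida", l))

if __name__ == "__main__":
    labels, sources, hours = summarize(SAMPLE_LOG)
    print(dict(labels), dict(sources), dict(hours), sep="\n")
    print("naive grep matches:", naive_grep_count(SAMPLE_LOG))
```

The unescaped dot in `grep .ida` also matches ordinary paths such as `/docs/midas.html`, which is why the script checks the literal `.ida` suffix of the requested file name.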

  25. Re:more than this on Don't Eat the Yellow Links · · Score: 2

    Exactly - for example - a user, dumb enough to install something like this, is viewing the corporate HR web page or other official page and sees links to outside content. This user could assume that the corporation was somehow recommending or approved of the sites the links went to. Talk about an opening for litigation!