Slashdot Mirror


User: gregarican

gregarican's activity in the archive.

Stories: 0
Comments: 745

Comments · 745

  1. Re:Son of San? on LovSan Clone Let Loose · · Score: 1

    Right now David Berkowitz is sitting in his locked room at Belleview wishing he too had electricity so he could help propagate the worm.

  2. Re:Gets funny indeed after so many times on LovSan Clone Let Loose · · Score: 1
    True that. I find it funny too that the same vulnerabilities find their way into each subsequent version of Windoze software. *Supposedly* Windoze 2003 Server was written from the ground up as a marked departure from earlier versions. And each line of code was *supposedly* reviewed by a peer group for security. It doesn't appear to be so, since the same RPC flaw affects 2003 Server and is retroactive back to NT 4.0 Server.

    Same deal with Internet Explorer 6.0. Most of its security vulnerabilities are retroactive all the way back to 5.0.

    Guess Micro$loth is big on backwards compatibility. Even for crappy, lazy OS and application programming that doesn't perform boundary checking (since it's not built into the programming language(s) by default).

    I'm thinking about hooking my old P200 laptop up again and leaving it up all weekend to help the MSBlaster cause.

  3. Re:New! From the makers of Windows XP! on LovSan Clone Let Loose · · Score: 1
    Also on the retro tip.....drumroll please...Windoze 2003 Server. Although we say the code was written from the ground up with security in mind, with each line peer reviewed to ensure trustworthiness, it's still part of the same garden variety buffer overruns like its predecessors. You too can be vulnerable to LoveSAN.

    Tomorrow I'm going to sit and replay that Bill Gates pie-in-the-face attack video and LMAO!

  4. The future of SCO. on SCO Attorney Declares GPL Invalid · · Score: 5, Funny
    I think they will combine forces with Banyan and Lantastic to usher in a new era of useless has-beens.

    What a joke. Johnnie Cochran must be part of their legal team.

  5. Trustworthy Computing on Windows Virus Takes Out Gov't Agencies in MD, PA · · Score: 1
    The most ironic point of this DCOM RPC exploit is that it works the same on Windoze 2003 Server as it does on Windoze 2000 Server. What happened to that sales pitch that Windoze 2003 Server was built from the ground up with security in mind? Supposedly their code was rigorously rewritten and every line passed under peer review for security. BWAH HAH HAH HAH!

    A snippet of M$ propaganda from their website regarding Win2K3:

    Security. Businesses have extended the traditional local area network (LAN) by combining intranets, extranets, and Internet sites. As a result, increased system security is now more critical than ever before. As part of the Microsoft commitment to reliable, secure, and dependable computing, the company has intensely reviewed the Windows Server 2003 family to identify possible fail points and exploitable weaknesses.

  6. Re:About the... on Microsoft, OD2 Start European Music Service · · Score: 1

    He looks like he just rode his bicycle without the seat again.

  7. Re:Is nothing sacred? on Microsoft, OD2 Start European Music Service · · Score: 1

    This one Noel's Revenge.

  8. Re:Root compromised? on FSF FTP Site Cracked, Looking for MD5 Sums · · Score: 1
    Not only did they do backups, but they had someone locally run a ptrace exploit to elevate themselves to root. See Ptrace defined here.

    RTFA!!!!

  9. ENOUGH!!!!!!! on FSF FTP Site Cracked, Looking for MD5 Sums · · Score: 1
    Can't someone edit the original post so that it doesn't erroneously indicate they didn't have backups? In their statement they indicate they did, but they were backups of potentially compromised data.

    Half of the posts I am reading now pertain to not backing up or not patching. No one RTFA or follows the linked FSF statement.

  10. Re:BACKUPS 101 on FSF FTP Site Cracked, Looking for MD5 Sums · · Score: 1

    (2) You should (gasp) RTFA to see they did backup.

  11. Re:NO Backups? on FSF FTP Site Cracked, Looking for MD5 Sums · · Score: 1

    People who can't RTFA is actually the STUPIDEST THING that I have heard all day. They had backups. Try following the link and actually read.

  12. Re:And the internet shall be your tape backup on FSF FTP Site Cracked, Looking for MD5 Sums · · Score: 2, Interesting

    They would be mirrors of the same compromised data, genius. If you'd have bothered to RTFA you'd see they backed up. But since the site has been compromised since 3/2003 the datasets backed up aren't 100% "clean".

  13. I know what's next. on FSF FTP Site Cracked, Looking for MD5 Sums · · Score: 1
    It's certainly been an interesting week. Everything from Windows worm exploits to now some GNU FTP compromises.

    Seems like each section of the computing populace is getting slapped around.

    But there are some exceptions. Maybe the next target will be Apple users working on a Banyan VINES network or maybe some VAX junkies working on ARCnet!

    Seriously though. Most of the lessons I've learned tell me that it's not all to be blamed on programmers, nor is it all to be blamed on sysadmins and endusers. But God knows I subscribe to every security mailing list possible provided by my hardware/software vendors.

  14. Re:No backups? on FSF FTP Site Cracked, Looking for MD5 Sums · · Score: 1

    If you'd have bothered to RTFA you'd see they had backups, but these were done during times when their servers had been compromised. So the data itself might not have integrity. Get it?

  15. Re:Dummy Steps if that Program Doesn't Work on Win32 Blaster Worm is on the Rise · · Score: 1
    If you look at my reply I was addressing the RPC DCOM hole in general. Any similar code to the msblast.exe can do far more damage than just placing a tftp program. It's all an open remote shell exploit.

    The tftp server in and of itself leaves a mechanism to upload other files to the infected PC. That poses a risk beyond getting rid of the primary executable too. Since tftp is a file transfer protocol I am thinking things could be installed rather easily, eh?

  16. Re:Just got off the phone with Fortune 500 employe on Win32 Blaster Worm is on the Rise · · Score: 1
    They should read the EULA and cry in their coffee. But of course since the EULA is so unfair and slanted it's no longer part of the manuals and can't be printed from the PC since they're down! I would love to know if any satellite offices for Micro$loth got hit too. That would be priceless!

    BWAH...HAH...HAH!

  17. M$ getting slammed on Win32 Blaster Worm is on the Rise · · Score: 1
    Besides their Windows Updates site being flooded their toll-free virus support number (866-PCSAFETY) was ringing fast busy on and off for most of the day from what I gathered.

    Imagine being one of those help desk folks manning the phones. I can't imagine the beating they're taking. Maybe the MSBLAST will have a telco equivalent. A 'hammer' application that will pound calls into their queue until they are forced to sign off their phones and run to the nearest exit!

  18. Re:Dummy Steps if that Program Doesn't Work on Win32 Blaster Worm is on the Rise · · Score: 1
    The RPC DCOM hole in and of itself allows a malicious user to run a remote shell on the compromised system. That means the entire hard drive's contents are freely available. So in actuality it's a relatively dangerous thing.

    Do a Google search for dcom.c and see sample source code. It's a lot more dangerous than the old exploits of doing a null NET USE session to look at group names, user account names, server resources, etc. on Windoze servers through the same RPC flaws.

  19. Re:This raises some interesting questions... on Win32 Blaster Worm is on the Rise · · Score: 1
    Two words --> boundary checking. That is the root of 99% of Micro$loth's security vulnerabilities.

    Looking at software like any other purchased commodity, I would be really nervous if I had a new car and every month I got 4 or 5 factory recalls on it. What would I look to do? That's what I hope some of these customers do. Switch!

  20. Re:Use Windows NT 4.0? on Win32 Blaster Worm is on the Rise · · Score: 1
    There has to be a vulnerable service attached to the port that's being attacked. So if you don't have necessary services using the ports disabling them is a quick fix. That combined with regularly keeping tabs on vendor software patches is the best defense I can offer.

    The box I have only provides Intranet web services, so I block all public IP's from accessing port 80. That and cutting off public FTP and a few other things makes my job easier in regard to external risks.

    In 3+ years of having this box up I've never had it taken down by any of the virii, worms, etc. that have hit so many other sites. Like I said the fact that I block public WWW, FTP, etc. helps out tremendously.

    I would have to say I feel free and safe at this time. If you'd like I'll give you my public IP. Feel free to see how you do cracking my box :-)

  21. Re:you think MS is going to go down easy? on Win32 Blaster Worm is on the Rise · · Score: 2, Insightful
    You are a clown. The lack of Linux boxes you claim shows your lack of knowledge. Linux Apache servers run a decent amount of the Internet's web content there, sparky.

    If Linux has as many security problems as Windows I really doubt you can name too many of them since you're not even aware of general facts.

    Reformatting, reinstalling, and patching in the long run will save time versus trying to find needles in the haystack of which files were modified, deleted, or otherwise compromised if you were hit by this RPC exploit. Weeks later you'd be hunting around for incorrect files or would have IRC bots screwing you up. Penny wise, pound foolish.

  22. Bundled Linux Fix on Win32 Blaster Worm is on the Rise · · Score: 1

    I think that Linux system sales could be dramatically increased by bundling new Windoze PC sales with Linux-based firewall boxes. Best Buy, CompUSA, Circuit City, etc. could throw in some cheap i386 box with all of the necessary ports blocked. Besides keeping naive home users safer Linux installations would equal what Microsoft claims to be Windoze XP software shipments!

  23. Re:Use Windows NT 4.0? on Win32 Blaster Worm is on the Rise · · Score: 1

    I have a Win NT 4.0 box acting as Exchange/IIS/Proxy server. It's working fine, as patched with what I downloaded several weeks ago. I've been port scanned hundreds of times today alone and it's good to go. I'm using the Winsock Proxy connection right now to post this message!

  24. Re:Use Windows NT 4.0? on Win32 Blaster Worm is on the Rise · · Score: 1

    It works. Take the space out after 'bulletin' and it pastes in fine. My bad!

  25. Re:MS under fire on Win32 Blaster Worm is on the Rise · · Score: 1

    Thanks for this timely update. I also heard that Reagan was recently capped...