
1 Year Anniversary of Nimda Outbreak
dots and loops writes "Today marks one year to the date that the nimda worm began making its way across the Internet." Hey, speaking of hilarious worms, I'm still getting 5-10 klez virus's a day! Yay Security!
happy birthday (Score:2, Funny)
happy birthday to nimda
happy birthday you iis infecting worm...
happy birthday to you...
may you make anti virus vendors riiiiiiccchhh
Cease and Desist (Score:3, Funny)
Dear hikeran,
It has come to our attention that you published a portion of our copyrighted material. Namely the lyrics to the popular [but copyrighted] song: 'Happy Birthday To You'.
We would ask that you refrain from repeating this action and ask that you make the best effort to remove such violations made by you.
Should this matter be brought before us again we will demand a license fee payable to Warner Brothers.
The work has been subject to copyright laws since 1935 and doesn't expire until 2012.
For more details see here [cni.org]
Thank you,
Daffy & The Guys
a more important birthday? (Score:2)
One year, and still.. (Score:3, Funny)
Re:One year, and still.. (Score:3, Insightful)
Re:One year, and still.. (Score:2)
1) Keep the services that should run running (even if it's already owned, as long as nothing is being defaced...)
2) Keep up to the latest service patches (okay, if it's not the latest, the next latest)
3) The server will crash and blue-screen occasionally (may be due to some exception in the virus); just reboot it, case closed.
4) The server will mysteriously be getting slower and slower (due to unhandled Code Red, e.g.). Ask for more RAM, extra disk and extra CPU or even a newer server.
I.e., no need to scan security news, no need to tune the system, no need to perform any housekeeping tasks, no scary log files to be seen....
I haven't seen one exception among them so far.
Re:One year, and still.. (Score:2)
Re:One year, and still.. (Score:4, Insightful)
Actually, almost all of mine are coming from individual subscribers coming through big DSL-/cable-based ISPs like RoadRunner, SW Bell, etc. For each incident, I fire off e-mail to their security departments, giving times, IPs, etc. (I have a set of log scanning scripts that generate them automatically. How's that for geekiness? No, you can't have them. They suck. That's high in geek factor, too :-). I've seen NO action taken by them. What a bunch of lamers. Do they really think their customers want to be infected and spew out into the net? The issue is that, really, as long as that $50/mo. comes in, they don't give a rat's ass.
The smaller DSL ISPs are usually on the job, though. They give me a small amount of hope.
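As an added example (not the poster's scripts, which were never published here), this Python snippet does what the post describes from the defender's side: it scans Apache access-log lines for the publicly documented Nimda and Code Red probe patterns, aggregates them per source IP with the first/last timestamps, and formats the summary an admin would send to the source network's abuse contact. The log lines, IPs and timestamps are constructed samples.

```python
import re
import sys
from datetime import datetime

# Detection signatures for the probe requests the thread is about. These are the
# publicly documented request patterns of Nimda (root.exe / cmd.exe via IIS
# directory traversal) and Code Red (the oversized default.ida request).
SIGNATURES = [
    ("nimda", re.compile(r"/(?:scripts|msadc)/root\.exe", re.I)),
    ("nimda", re.compile(r"/winnt/system32/cmd\.exe", re.I)),
    ("nimda", re.compile(r"%255c|%c1%1c|%c0%2f|%c0%af", re.I)),  # traversal encodings
    ("codered", re.compile(r"/default\.ida\?[NX]{20,}", re.I)),
]

# Apache common/combined log format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (203.0.113.0/24 is a documentation range, not real probers).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2002:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.77 - - [18/Sep/2002:09:12:03 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
203.0.113.77 - - [18/Sep/2002:09:12:03 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288
203.0.113.77 - - [18/Sep/2002:09:12:04 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
203.0.113.77 - - [18/Sep/2002:09:14:30 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
203.0.113.91 - - [18/Sep/2002:09:30:15 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 288
"""

def classify_request(path):
    """Return the worm family a request path looks like, or None for normal traffic."""
    for family, pattern in SIGNATURES:
        if pattern.search(path):
            return family
    return None

def parse_line(line):
    """Split one access-log line into (ip, timestamp, path); None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def scan_log(lines):
    """Aggregate worm probes per source IP: families seen, hit count, time window, sample."""
    hits = {}
    for line in lines:
        parsed = parse_line(line.rstrip("\n"))
        if parsed is None:
            continue
        ip, ts, path = parsed
        family = classify_request(path)
        if family is None:
            continue
        entry = hits.setdefault(ip, {"worms": set(), "count": 0,
                                     "first": ts, "last": ts, "sample": path})
        entry["worms"].add(family)
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return hits

def abuse_report(ip, entry):
    """Summary an admin could paste into a mail to the source network's abuse contact."""
    return (
        f"Source IP: {ip}\n"
        f"Signatures: {', '.join(sorted(entry['worms']))}\n"
        f"Requests: {entry['count']} between {entry['first'].isoformat()} "
        f"and {entry['last'].isoformat()}\n"
        f"Example request: {entry['sample']}"
    )

if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, entry in sorted(scan_log(source).items(), key=lambda kv: -kv[1]["count"]):
        print(abuse_report(ip, entry), end="\n\n")
```

Run it with a real access_log path as the first argument; without one it reports on the embedded sample.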
Re:One year, and still.. (Score:2)
Yeah (Score:2, Funny)
Anyway, yeah, last year around this time was fun. Thanks for dredging up those memories.
Nimda (Score:2, Insightful)
That's what you Linux guys say every time there is an Apache worm, isn't it? Let's be consistent, shall we?
Re:Nimda (Score:5, Interesting)
Now, this report [com.com] from Sep. 21, 2001 reports 1.3 million infected NIMDA servers.
Help me out here.
Where is the comparison? I'm still wading through NIMDA/Code Red requests on my webservers, looking for any sign that those servers have been poked by slapper infected servers. No dice so far.
Slapper is generating panic because it's got a peer to peer network on the backend, not because it's actually been able to infect a lot of servers. Can you imagine what would happen if someone wanted to start a p2p network on the NIMDA/Code Red infected servers that are still online now? To say NOTHING of the 1.3 million and up that were infected originally.
Slapper is a silly excuse for some "Open Source Sucks" journalism, not a reason to head for the hills and unplug the router.
So here you go:
[chastise]
Oh, you lazy stupid 14,000 linux/apache admins! patch your servers!
[/chastise]
[screaming rant]
it's been a year! get that "guy who knows computers" who put that shiatty NT server on the net for you to get back in your office and put some patches on it! give him a beer for pete's sake!
[/screaming rant]
Thank you.
--mandi
our office got it. (Score:4, Funny)
Suddenly you hear everyone talking about the NAMBLA virus. Seriously, it was a spoonerism, or whatever. But everyone was running around blaming NAMBLA. Finally we realized it was NIMDA.
Turns out there was a dude that got smoked out because he had kiddie porn on his PC. We just fired him.
But if it weren't for this virus, we wouldn't have had the witch hunt that found this perv.
Re:our office got it. (Score:2)
If not, some poor kid will pay for it.
Re:our office got it. (Score:3, Funny)
Re:our office got it. (OT) (Score:2)
Oh, but she got "will she go down on you in a theater" and "are you thinking of me when you f*ck her?" right past them...
the "corporate censors" aren't as bad as you think.. (at least in this case).. you should try listening to Nick Cave's Murder Ballads sometime..
Re:our office got it. (Score:2)
Yeah, I know. Isn't it ironic?
Re:our office got it. (Score:2)
That's how they probably found the perv -- scanning files looking for the string NAMBLA, and they found these obscene text files... The rest, as they say, is history (much like the kiddie-porn ex-employee).
Still kicking (Score:5, Informative)
According to my logs (please be gentle) [websoup.net], I was hit 650 times yesterday.
Shameless plug, yes. But it does the job and the users of WormScan seem to be pretty happy with it, judging from the emails I've gotten so far.
Re:Still kicking (Score:2)
Re:Still kicking (Score:5, Funny)
I think I've heard of a similar program before. I might have even used it... Hmm, what was that program?
Oh, yeah! grep
(sorry man, I'm just pokin' fun)
Re:Still kicking (Score:2, Interesting)
No offense taken... grep is what I used before I decided I wanted something that could make more sense visually.
Re:Still kicking (Score:2)
for IamElite in `grep winnt
Re:Still kicking (Score:2)
Re:Still kicking (Score:3, Funny)
He said be GENTLE. Usually slashdotters are really gentle with links to servers, but today, why must everyone be so rude? One at a time!
Thanks.
Nimda ISP warning program (Score:2)
I received this link from a Linux group. It basically detects Nimda attacks on your Apache/Linux system, then attempts to e-mail the sysadmin of the ISP. It works great. It has spam potential, yes, but Nimda and the incompetent admins who incubate this virus on their systems need to be eradicated.
Re:Still kicking (Score:2)
Slapper (Score:3, Informative)
Where did I put my hard hat? I think I might be needing it.
Nimbda? (Score:3, Insightful)
Nimda Fraud (Score:2, Insightful)
No really, it's a brilliant little virus. I am sure a lot of unscrupulous people made a lot of money from that one. Think about it: any unsecured server with this virus broadcasts this fact to the whole world!
Just backtrack to the broadcasting computer, and you can own it in 5 minutes. I shudder to think of all the financial information that was made available from this virus.
With Windows 2000 and XP still insecure, we just need to wait for Nimda 2 and really make some money =-)
Slashdot uptime = 1 year (Score:5, Funny)
M@
Re:Slashdot uptime = 1 year (Score:2)
M@
NIMDA the sysadmins friend :-s a little anecdote (Score:5, Interesting)
I was working on a project to set up a proxy (Squid, in fact) for an educational institution here in Morocco. If you think US sysadmins could get some clue, think again. I noted they were running NT Workstation Service Pack 3 (lol) and I was already sweating. I set the proxy up as the gateway, to make it transparent, and started the service. Within 10 minutes the log file had grown massive. I tweaked a few params, and then left it running, saying I'd come back the next day.
The client calls me first thing, saying my proxy is shit, doesn't work, etc. I turn up in a panic, thinking I'd messed something simple up. Then it dawned on me... seems like most of the hosts on the network were infected with Nimda (amongst other things). The logfile had exceeded 2Gb and had crashed the service (it had filled the /var partition completely). It was logging 100 Nimda scans a second.
This was just about 3 months ago. The sysadmin didn't even really know how her DHCP server worked, and had no service packs anywhere. The only reason sp3 was some places was because the NT CD had been bought just before Win2K came out, and SP3 was bundled with a sticker "make sure you install this too".
Explaining to the client that all the hosts were infected, that they seriously needed an antivirus solution, and that all machines would have to be taken offline (they had public IPs for chrissakes) until the disinfection was finished was a tough thing to do without just flaming that person, I assure you. We did get them sorted out in the end, but somehow they still think my proxy isn't worth shit :-(
Re:NIMDA the sysadmins friend :-s a little anecdot (Score:2)
Here is my Nimda nightmare. I manage two offices, primarily CAD and graphics, both connected to the net via a T1. My local office sits behind a nice iptables firewall, with my patched and locked-down NT server serving one IP for VPN. The other office is managed by a consultant because I can't always get there as needed. Long story short, the server died (dead array), so after 12 hours of recovering the work I headed out, instructing the consultant to lock down the server (patch it, remove unneeded services, apply the lockdown patch, close unnecessary ports). Of course he didn't; in the space of 12 hours my entire network was filled with Nimda .eml and .nws files. Luckily that was the extent of the infection at that office. The server was a fresh install of W2K Server. Needless to say, the next few days were spent hand-picking corrupted files from the server. Before, I even thought Nimda was cute, but now it's hell's own scourge. I consistently e-mail ISPs notifying them of infected machines probing my network.
Re:NIMDA the sysadmins friend :-s a little anecdot (Score:2)
Just for the sake of experience sharing: if keeping logs is not a requirement, then I'll just turn it off or redirect it to null, unless you've some measure of cleaning up the log. Log files are always the bane of the lazy admin (and definitely not your fault). Turn off anything that they didn't ask for; there's no need to be your daddies' good boy in business.
If keeping logs is a requirement? Easy, add up huge function points in the spec and charge more for services. Schedule extra time to test and teach the log keeping, and even more money will be charged.
Those are the logs you asked to look at; you shouldn't blame me for charging more.
Re:NIMDA the sysadmins friend :-s a little anecdot (Score:2, Informative)
It's viruses.
Re:NIMDA the sysadmins friend :-s a little anecdot (Score:2)
Hrm (Score:3, Insightful)
The most long-lived virus/worm/trojan? (Score:4, Interesting)
That question should probably be broken down into two parts: a) What virus/worm/trojan, as originally written, has been present in the wild for the longest? b) What virus/worm/trojan, through slight adjustment, has been able to keep coming back infecting and reinfecting for the longest?
Re:The most long-lived virus/worm/trojan? (Score:4, Funny)
That's easy -- MAKE MONEY FAST! [stopspam.org]
Re:The most long-lived virus/worm/trojan? (Score:4, Funny)
b: Win95-ME
Note: I am an NT admin in trade, and make such comments (mostly) in jest.
Hard to say... (Score:2)
Klez is definitely still going strong. We see 5 to 8 of those per day. We're not even a big shop (180 users).
Re:The most long-lived virus/worm/trojan? (Score:2, Informative)
Re:The most long-lived virus/worm/trojan? (Score:2)
So how's Happy99.exe going these days? The little turd was very much alive and well by the end of 2000 ...
Re:The most long-lived virus/worm/trojan? (Score:2)
Re:The most long-lived virus/worm/trojan? (Score:2)
"Many Happy Returns" (Score:2, Funny)
A limerick suiting this topic... (Score:5, Funny)
Whilst fornicating in bed
Felt something new
Saying, "Melissa, is that you?"
And found Bill Gates naked, instead.
Ahh the memories... (Score:2, Interesting)
Re:Ahh the memories... (Score:2)
Re:Ahh the memories... (Score:2)
an hour of downtime might have saved you the hassle there...
I know that I was watching all the silly hits, but security holes that allow arbitrary execution of code on a target are bad... that is, in fact, what patches are for, and the MS security mailing list helps
And what are we doing today? (Score:2)
Wonder what we are going to fight next year.
Re:And what are we doing today? (Score:2)
To be fair, according to the link, it took 3 days, not one, before the Slapper virus was removed from its network (it just shows how many hosts were on the p2p network it was setting up; there may still be infected hosts out there that have been blocked from the network, by a firewall, for example).
Does this mean... (Score:2, Funny)
Re:Does this mean... (Score:2)
Still getting hit (Score:5, Informative)
mount -t smbfs password=
vi
Change the boot delay to some huge number and the boot message to "Run a virus scanner, asshole".
umount
I Dumped OE (Score:2)
I dumped OE because of Nimda. Yeah, there's a patch but I still haven't gone back and secured it. I switched to Pegasus. I hate Pegasus, but I guess not as much as I hate sending away for the patch.
A good use for web services... (Score:2)
Right now, the problem is that vendors will release information specific to their platform, but then if you download anything outside that platform, you are possibly putting yourself at risk unless you actively keep track of each piece of software. If you install enough software this becomes a tremendous pain.
This way, if there's a possible problem, you get alerted to it, can review the related security advisory, and then easily download the patches for it. That could really trim down on the severity of worm outbreaks I suspect.
Klez programmed to go off September 13 (Score:2, Informative)
How hard would it be ... ? (Score:2, Interesting)
What about a module that detected Nimda, Code Red, whatever attacks, then just attacked back? On attacking back, it uses the very same security holes (I think four of them) through which these worms propagate to issue a shutdown on the system and change the registry key for the startup text to say, "Hey, you're infected by Nimda, fix this now, download this."
Actually, rather than a shutdown, which may just restart some servers, it should issue a big fat SYSTEM HALT with a notice of infection. "Oh, yeah, we've changed your administrator password to XYZZY, too. A registry key has been added such that, if an attack is detected from your machine a second time, FORMATTING OF YOUR HARD DRIVE WILL OCCUR." Probably get someone's attention.
Yeah, this wouldn't be particularly legal, but it isn't as if Nimda logs what targets it is attacking. Just leave up a few boxes running this and the infection would drop dramatically.
Re:How hard would it be ... ? (Score:2)
Re:How hard would it be ... ? (Score:2)
Re:How hard would it be ... ? (Score:2, Insightful)
Re:How hard would it be ... ? (Score:2)
In the past, I've seen pages that would allow you to test your system to see if you were vulnerable to the various nuke programs (winnuke, teardrop, etc), of the sort "if you get this message, that means you're still operational, and you're not vulnerable"
So set up a page, explain exactly what it will do, and include on there a link to the script that will "fix" the client computer. If people come along, access my server, and my server does exactly what they requested it to do.... how grey is the legal area?
Of course, it's probably still illegal, since nobody "authorized" the activity, but it might be less shaky legal ground. If you don't want my webserver fixing your computer, then don't access it. Dunno.
-Restil
The solution (Score:3, Insightful)
Anyway, here it is again for Taco:
Put this in your .procmailrc file:
Of course, this is a bit drastic by throwing every file that ends in that type into the bin, so you may want to replace it with something like /home/username/mail/viruses
Finally (and this bit is especially for Taco) you will probably need to have a .forward file with the following in it:
Once you've done that, then finally we'll never hear again from you how many viruses a day you can get.
Re:The solution (Score:2, Interesting)
my update on nimda (Score:2)
reporting klez (Score:2)
I can't say they'll do anything, but it's better than doing nothing.
Re:reporting klez (Score:2)
Re:reporting klez (Score:2, Informative)
Re:reporting klez (Score:2, Informative)
It depends on the network you're emailing to. University IT departments, being knowledgeable, will tend to just immediately disable that computer's MAC address.
For instance, UMass apparently tells the DHCP server to assign an IP address on one of the netblocks reserved for NAT and has the routers redirect any HTTP requests to a page saying that that computer's rights to access the network have been suspended and how to restore those rights (apply the patches, and inform the IT people, who presumably run a scan on your computer to determine whether you've patched).
Re:reporting klez (Score:2)
Besides, they are the ones with the tools at hand to track down who was using what IP at what time and notify them. Otherwise we wait until that user discovers they have 30 different viruses all competing for network time on their machine. That is how they can have control over this issue. The user doesn't have to be cut off, just informed.
Also, by prefacing it with a little note like "probable virus at IP#", if they choose not to deal with it, it only takes them 4 seconds to read and delete.
Macs (Score:2)
Re:Macs (Score:3, Funny)
I do like being able to safely open all the interesting attachments Klez sends me. Interesting and funny stuff in there from time to time.
As Ed Felton said... (Score:2, Insightful)
There'll be many "nimdas" yet to come...
Nimda Removal (Score:2, Interesting)
You could use the tftp client to download the M$ patches and on the condition they were non-interactive you could install them?
I am under the impression this is highly illegal, but I am just about fed up with my Apache logs filling up! My ipchains DENY list is already quite excessive, as I have a program which denies a machine after it has scanned me. The only problem with this approach is the fact that most of these people are dialups with dynamic IPs, so I am not doing myself any favours except filtering out whole ISPs in a slow time.
Thanks, Chris
Yeah.. i remember this day well.. (Score:3, Interesting)
Ironically... (Score:2)
Incidentally, the email address it was sent to is one that I haven't looked at in years. It was too long...so I made an alias to it with iName. Nobody else had it -- they all used the alias, and frankly I forgot it existed. Then mail.com started charging for the service which took practically no resources on their end. About this time, I also started getting about 7 million spam emails from that address. So I turned off the alias, and moved everything to web-only email on webslum.
By accident I opened OE, which promptly downloaded thousands of spam emails. This can only mean one thing: mail.com sold my fucking address! It was in the process of lazily deleting these that the virus 'sploited my IE laziness and wrote itself in every EXE on my machine until I jacked the plug. By doing this I lost several programs, including my encryption system.
If not for email.com selling my address against my wishes and after I severed my association with them, this never would have happened. Shouldn't that shit be illegal? Should I get, like, a bigass check or a $500 per hour systems guru to rebuild my shattered win2k machine?
Re:Ironically... (Score:2, Insightful)
You should have to pay $500 for being a prat and not patching your system. If you are still running an unpatched system or no virus checker then you are nearly as bad as the people who wrote the virus in the first place!
Yay Spelling! (Score:2)
Yay Spelling!
Bob the Angry Flower on the use of the apostrophe [angryflower.com] .
New 'winnuke' on the webserver (Score:4, Interesting)
well, I just found a lovely use for the latest 'winnuke' vulnerability. I'm writing a perl script tonight, and naming it as one of the pages that gets hit.
maybe people whose machines keep going down for unknown reasons will start to have some sort of clue before connecting to a public network.
I figure if they haven't fixed their machines against something that is a year old, then they certainly haven't applied the patch against this vulnerability (find it yourself :P) and likely have smb exposed too. We can hope :)
{chuckle} (Score:2)
You have your choice of IIS or Apache, and guess which one I chose? Yep, Apache.
After testing the box out, I cleared the logs (access/error) at about 3pm and left it running.
Next day, I discover that less than an hour later a single IP address (204.xxx.xxx.xxx) hammered on it for 300+ hits with *both* codered and nimda and (the same ip or one in the range, I don't recall) hitting all of the default IIS directories looking for *anything*.
I chuckled for a good half hour after that.
Re:5-10? (Score:2)
Exim + Exiscan = Bliss.
Re:5-10? (Score:2)
Re:5-10? (Score:2)
This thread was about Taco always complaining about the number of viruses he gets in his inbox. You'd think the person responsible for creating Slashdot would do something a little more proactive than complaining...or not.
Re:5-10? (Score:2)
I'm getting somewhere between 10 and 20 Klez worms a day, too. Of course I filter them with procmail, but I'm paranoid and I send them to a separate mail folder.
What's really annoying is the automatic mail I get from the few with-it ISPs out there who detect a Klez worm sent through their mail servers with my name on it!
I've been collecting the mail headers, hoping to track down the worst offenders. So, is there a way to trace Klez, or are the headers forged so much that it's impossible to track? I haven't had any luck so far...
Re:5-10? (Score:2)
Re:5-10? (Score:2)
Works just fine here.
Re:5-10? (Score:2)
I just start with the ISP, and then I either use the reverse DNS, or do a traceroute (mtr) to find the responsible ISP for that IP.
For web probes, I use a script on my linux box that auto-mails the responsible ISP. I think I'm down to 2 or 3 probes a day, now.
Re:5-10? (Score:2)
Over 2200 various and sundry Windows virii/worm hits since Monday.
100nix?? (Score:2)
What about Linux/Slapper [sophos.com] then?
Re:Worm Birthdays? (Score:2, Insightful)
Re:Worm Birthdays? (Score:2)
Why?
Because the fewer than 14,000 [f-secure.com] servers infected with slapper are nothing compared to the infection of NIMDA [com.com] and its derivatives.
duh.
Re:Speeking of worms and virii (Score:2)
Re:Speeking of worms and virii Troll (Score:2)
I am starting my own hosting company and my two servers are on Red Hat. There are thousands of little hosting companies that run Linux, and some large ones as well. Valueweb is switching from BSD to Linux and they are pretty big. Rackspace is a big Linux shop.
Do ISPs take Linux seriously? Yeah, I say that is why they all use it.
As for your ISP? Well, you are ultimately responsible for securing your own box. Windows, Linux, or whatever. Your ISP can issue warnings, but if they are worth their salt they will protect you and themselves.
You know I have ranted too much. Troll elsewhere.
Puto
Re:Speaking of worms and virii (Score:2, Funny)
You lie.
I've had some great conversations like that.
Techie: "Now reboot"
Me: "Right, just rebooting now." Pause to drink some coffee, stare at wallpaper, whatever, until a reasonable sounding amount of time has passed. "Done"
The trick is to just say "Okay" and "Right" and "Done" a lot, write down the settings they give you (if any) and then do your own thing entirely. Better; unless you need action on their part don't call them at all, and if you do, tell them what to do directly, like so: "See the big red button on that router? Press it".
Basically the problem they seem to have is they've been taught to follow a script, and if you confuse them they have to start it all over again. You get similar problems if any actual physical faults occur on the line (e.g., no signal or a broken cable): if you start your call by telling them the problem they get pretty confused.
e.g.:
Me: "Hi, the cable's down and the modem isn't able to connect. It's not receiving or sending anything at all according to the LED indicators."
Techie: "Uhh, okay, have you tried rebooting your computer?"
Me: "Why would I do that? The modem isn't receiving anything! The computer is not the problem."
Techie: "Okay, well, can you reboot your computer?"
Me: Sigh, pretend to reboot computer.
Techie: "Does it work now?"
Me: "No! There is no signal!"
Techie: "Right, well, please reinstall your drivers, do you have your driver disk with you?"
Me: "It's an external modem, I think my network drivers are just fine"
Techie: "Please reinstall your drivers"
Me: "Oh, very well" I pretend to reinstall my drivers.
Techie: "Does it work now?"
Me: "No!"
Techie: "Did you reboot?"
Me: Pretend to reboot the machine again.
Techie "Does it work now?"
Me: "No!"
Techie: "Ah. Are all of the LEDs on the modem turned off?"
Me: "YES!"
Techie: "Okay, your cable's down, so the modem can't connect. Sorry"
Re:How to block Klez emails from my mailbox? (Score:4, Informative)
Here's one I just got;
Do you think this was sent by webmaster@msn.com? (I hear the jokes now!). In this case, the Return-path actually contained the victim's full mail address, which I've mercifully blanked.
Re:How to block Klez emails from my mailbox? (Score:2)
Re:stupid fuck (Score:2)
Sadly, I completely understand his predicament, since I'm still receiving klez emails at about the same rate (which is one of the reasons I use Mozilla for email). Even worse, klez forges the FROM field through SMTP, so it's extremely difficult to tell who's infected. I get bounce messages all the time from people who think I'm infected, because of the header forging (I'm not; I checked the running processes, ran a virus scan, and ran netstat looking for unexpected connections).
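The two Klez questions in this thread (whether forged headers can still be traced, and how to tell who is actually infected when the From: is spoofed) come down to reading the Received: chain rather than the From: line. The following Python is an added example, not code from any poster; it assumes the names in TRUSTED_RELAYS are your own mail servers, and the message, hostnames and addresses are constructed samples.

```python
import email
import re
from email.utils import parseaddr

# Assumption: hostnames of *your own* mail relays. Only Received: lines written
# by these can be trusted; anything the sender's machine wrote may be forged.
TRUSTED_RELAYS = {"mail.example.org", "mx1.example.org"}

# Attachment extensions worth flagging on a suspected worm mail.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com")

# Parses "from <helo> (<rdns> [<ip>]) ... by <host>" out of one Received: line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)

# Constructed sample: forged From:, two hops, executable attachment.
RAW_MESSAGE = """\
Return-Path: <victim@example.net>
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id abc123
\tfor <me@example.org>; Thu, 19 Sep 2002 10:15:02 -0400
Received: from Csyq (dsl-198-51-100-23.isp.example [198.51.100.23])
\tby mx1.example.org (Postfix) with SMTP id 0F3A2
\tfor <me@example.org>; Thu, 19 Sep 2002 10:15:01 -0400
From: webmaster@msn.com
To: me@example.org
Subject: A funny game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="zz"

--zz
Content-Type: text/plain

Have fun!
--zz
Content-Type: application/octet-stream; name="game.exe"
Content-Disposition: attachment; filename="game.exe"

MZ...
--zz--
"""

def parse_received(value):
    """Unfold one Received: header and pull out the hop details (None if unparseable)."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    return {k: m.group(k) for k in ("helo", "rdns", "ip", "by")}

def originating_hop(received_headers, trusted):
    """Walk Received: lines newest-first along the chain of relays we control.
    The first hand-off from a host we do not control is the real sender; the
    From: line (and any Received: lines below that hop) prove nothing."""
    origin = None
    for value in received_headers:
        hop = parse_received(value)
        if hop is None or hop["by"].lower() not in trusted:
            break                      # not written by us: trust stops here
        origin = hop
        if not {hop["helo"].lower(), (hop["rdns"] or "").lower()} & trusted:
            break                      # external hand-off reached
    return origin

def analyze(raw_message, trusted=TRUSTED_RELAYS):
    """Summarise where a suspected Klez-style mail really came from."""
    msg = email.message_from_string(raw_message)
    origin = originating_hop(msg.get_all("Received", []), trusted)
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {
        "from_address": parseaddr(msg.get("From", ""))[1],   # spoofable, do not trust
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo": origin["helo"] if origin else None,
        "risky_attachments": [a for a in attachments if a.lower().endswith(RISKY_EXTENSIONS)],
    }

if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The origin_ip is what belongs in a report to the source network; the from_address is only useful for warning the person whose address was borrowed.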
Re:Nimda? (Score:2)
That's not a coincidence.