Code Red Goes The Way Of Y2K
beanerspace writes: "In spite of Michael Hyatt-like hype, the Washington Post now reports that the 8pm EST deadline for the Code Red worm came and went without grinding the internet to a halt. Darn, I was sorta hoping it would so I could take the day off and go fishing." Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention? Update: 08/01 03:41 PM by T : On the other hand, incidents.org's graph shows a different picture of Code Red's progress, as several readers have pointed out. That's a pretty little curve there, isn't it?
Not Quite (Score:2, Informative)
day off? (Score:2)
Darn, I was sorta hoping it would so I could take the day off and go fishing.
Well, depending on where you live, and what job you do - you still have a chance! Today is personal freedom day... personalfreedomday.com [personalfreedomday.com]
Strangely Enough (Score:2)
I didn't get my daily feed of juicy documents from that Sircam newsgroup I somehow seem to have joined - maybe it's because the Code Red worm has knocked out all of the posters' Exchange servers...
Worm Author's Restraint (Score:5, Interesting)
The point? The worm author has carefully controlled the attack to cause alarm but not do real damage. When the initial version failed to cause serious alarm, it was loosened slightly from its shackles but still extremely restrained. More to the point? If the worm author -- or anyone else among the thousands with the technical skills to do so -- chose to, they could DoS basically the whole internet. According to netsizer.com [slashdot.org], there are about 121 million internet hosts right now, so that gives a ratio of 1 infected computer to 300 hosts. That sounds like too small of a ratio to DoS all of them, but remember to shut things down all that has to happen is to saturate bandwidth, not overload servers. The only reason we're using the net happily today is that the worm author and others with those skills choose to restrain themselves.
Perhaps if they had researched... (Score:2, Insightful)
It's the name! (Score:2)
Remember, the media wants stories to be as dirt stupid simple as possible: They don't want "Boy finds girl, boy loses girl, boy finds girl again", they want "boy finds girl". "Code Red Worm ATTACKS WHITEHOUSE" is an attention getting headline. "Sircam forwards private documents" isn't.
So remember 5|<r!P7|<!dd!3Z, if you want your worm to be successful, attack a high-profile target, and make sure your worm gets a menacing name.
Geometric growth. (Score:2)
I wouldn't go so far as to predict a continuation, but the numbers are still kind of fun. A 1.6x per hour for 24 hours would give 79,228x. With a basis of 22,001 reporting right now, that would give 1.74 million infections at this time tomorrow.
Surely this one will saturate its niche long before then, if only because of all the repairs that were made a couple of weeks ago. But it gives a hint about what's going to happen when The Big One (tm) comes along.
And the viruses seem to be getting smarter lately. I would guess that TBO will come along by the end of the year, or surely no later than the middle of next year.
Get to work on those disaster recovery plans, folks.
NEW DATA [was Re:Geometric growth.] (Score:3, Informative)
SO not as explosive as expected BUT, we're already at just about 80,000 infected hosts already and it's only 2PM! I'm sure there are PLENTY of vulnerable servers still out there. My 3 web servers have been hit 13 times so far. That's 3 IPs hit between 4 and 5 times each. Not huge, but for such a tiny IP section, scary all the same.
Re:NEW DATA [was Re:Geometric growth.] (Score:2)
OTOH, when Incidents [incidents.org] isn't Slashdotted, it looks like the curve is flattening out at around 25% of the total infected last time - about 60,000 +/- 5000 is my guess. The question is, is that enough infected hosts to cause enough ARP floods to impact global connectivity. So far connectivity has been patchy for me - jobserve was down all afternoon, a couple of other sites were patchy, everything else was OK. Same as normal, in other words.
OK - it doesn't add up! [was Re:NEW DATA] (Score:3, Insightful)
Oh, but the price! (Score:2, Insightful)
Are you sure you want to delete The Internet? (Score:2)
Re:Are you sure you want to delete The Internet? (Score:2)
If so, telnet to it, enter password, enable, enter password, then:
set web disable
write
reboot
Best to update to CBOS 2.4.1.
BTW, I've been hit 51 times today (one machine covering 16 IP addresses). No effect, of course, but it is funny to see in the logs. Almost 400 hits in one day last month.
Re:Are you sure you want to delete The Internet? (Score:2)
Fortunately, my 678 had 2.4.1 on it when I got it. Flashing the bios in one of those things can be a risky venture.
Misunderstanding of the behavior of the worm... (Score:5, Informative)
Once the worm went dormant, it stays dormant. So all of the worm infections that were out there as of July 19th were not a threat.
What is a threat is the possibility of the worm beginning to spread again, which is exactly what is happening. Within the past few hours, attempts have increased...too recently for the media to have picked up on it yet, but it is happening, the growth rate is exponential, just like July 19th, and it will get to be a significant problem within a matter of hours.
So Cringley was somewhat right...while the systems with their clocks set wrong aren't inherently any greater of a danger than any other...they did allow the worm to go back into spread mode and become widespread again.
Jeff
Looking at the numbers... (Score:2)
I'm going to put the number of infections at 6 - 8 PM at 250,000 - 450,000 hosts just by running some rough numbers in my head and taking into account whether or not patches were applied. That's a lot.
Re:Looking at the numbers... (Score:2)
Increase in HTTP hits on my firewall (Score:2, Informative)
date,time,source,transport
2001/08/01,00:39:43 EDT,64.224.192.128:4482,80,TCP (flags:S)
2001/08/01,09:29:53 EDT,203.239.44.55:2464,80,TCP (flags:S)
2001/08/01,09:43:29 EDT,61.157.184.52:4273,80,TCP (flags:S)
2001/08/01,11:25:13 EDT,217.126.188.106:53726,80,TCP (flags:S)
2001/08/01,11:54:00 EDT,193.70.29.42:2668,80,TCP (flags:S)
2001/08/01,11:56:41 EDT,210.119.9.196:4754,80,TCP (flags:S)
2001/08/01,12:22:11 EDT,64.81.148.7:3924,80,TCP (flags:S)
2001/08/01,12:29:15 EDT,61.144.181.223:1319,80,TCP (flags:S)
I admit that it's not exactly Internet-stopping volume, but if everyone is getting this, that's bound to be a lot of traffic. And note that if I was running an unpatched IIS, I'd be Code Red's bitch by now. (Or somebody's bitch if my ports 111, 139, 515, 31337, etc were open to exploits.)
Not really y2k (Score:2)
With red code, I was 'microsoft is going down!! yeah!', but I didn't see much 'media impact' (who won the 'predict the headlines' contest).
Nothing happened, but this time I was disappointed. ;)
Nope, Code Red is still with us. (Score:2)
Re:Nope, Code Red is still with us. (Score:2)
Life is tough. Each time we go to our weekend house, we find a huge piece of equipment from the neighbor's cat on the doorstep...
Re:Nope, Code Red is still with us. (Score:2)
A variant of the original worm supposedly corrected this error.
Re:Nope, Code Red is still with us. (Score:2)
> A variant of the original worm supposedly corrected this error.
I heard about that one too, but the way I heard it was that the initial variant was so inefficient that it went by unnoticed, except by eEye.
The version that was seen spreading exponentially July 19th was already the "fixed" version.
Indeed, if each worm uses the exact same sequence, the spread is linear. Rather than fanning out, each instance would try to re-infect the exact same sites that its parent already has infected, hence linear, rather than exponential growth.
Re:Nope, Code Red is still with us. (Score:2)
It would still grow, unless the RNG had a real short cycle. True, the children would infect no new hosts, but the root worm would... until it is killed, and then the next oldest will take over. Each copy of the worm will infect the sites in a certain sequence (for example 2, 3, 5, 7, 11, 13, 17, ...) which would be infinite (or rather 2^32). The problem would be that it would be the same sequence for each copy of the worm. I.e. Worm number two would also first start with site 2 (itself), then 3, 5, 7, etc. just as number one did. Given enough time the whole 2^32 bit space would still be probed, but only the very first worm would contribute to this. The others would only redo sites which the root already has checked.
A more in-depth description can be found here [securityfocus.com]
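A toy simulation of the effect described in this thread, added here as an illustration and not taken from the worm, from eEye, or from the linked securityfocus analysis: every copy replaying the same PRNG sequence versus each copy using its own seed. The address space, vulnerable fraction, seeds and "patient zero" host are all constructed.

```python
import random

# Constructed toy model: a small address space instead of 2^32 and a fixed
# fraction of "vulnerable" hosts. Nothing here is the worm's own code.
ADDRESS_SPACE = 20_000
VULNERABLE_FRACTION = 0.05


def make_vulnerable(space=ADDRESS_SPACE, fraction=VULNERABLE_FRACTION, seed=1):
    """Pick the set of vulnerable hosts deterministically (seed is constructed)."""
    rng = random.Random(seed)
    return {addr for addr in range(space) if rng.random() < fraction}


def simulate(rounds, probes_per_round, shared_seed, space=ADDRESS_SPACE, seed_base=1000):
    """Spread a worm whose copies each probe random addresses every round.

    shared_seed=True models the flaw discussed above: every copy seeds its
    generator identically, so each child merely replays the root's sequence.
    shared_seed=False gives each copy its own seed.
    Returns (infected_count_per_round, unique_addresses_probed, addresses_probed_by_root).
    """
    vulnerable = make_vulnerable(space)
    generators = []          # one PRNG per infected copy, in infection order
    infected = {0}           # host 0 is the constructed patient zero
    probed, root_probed = set(), set()
    history = []

    def add_instance():
        seed = seed_base if shared_seed else seed_base + len(generators)
        generators.append(random.Random(seed))

    add_instance()
    for _ in range(rounds):
        newly = set()
        for idx, rng in enumerate(generators):
            for _ in range(probes_per_round):
                target = rng.randrange(space)
                probed.add(target)
                if idx == 0:
                    root_probed.add(target)
                if target in vulnerable and target not in infected:
                    newly.add(target)
        for host in newly:
            infected.add(host)
            add_instance()
        history.append(len(infected))
    return history, probed, root_probed


if __name__ == "__main__":
    for shared in (True, False):
        history, probed, root = simulate(rounds=12, probes_per_round=25, shared_seed=shared)
        print(f"shared_seed={shared}: infected per round {history}, "
              f"unique addresses probed {len(probed)}, probed by the root alone {len(root)}")
```

With a shared seed the set of addresses ever probed is exactly the set the root probed, which is the linear growth the thread describes; with per-copy seeds the children add new addresses and new infections.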
Re:Nope, Code Red is still with us. (Score:2)
It was modified by parties unknown to be more flexible and go anywhere. So in theory the threat is now much greater.
Hope that helps.
D
The Reason Code Red gets the Klaxons (Score:2, Funny)
The reason is simple. Everyone wants to get potentially damning documents from anyone. If the internet grinds to a halt then you wouldn't be able to get that information from SirCam.
I wonder if... (Score:2)
Don't you get it!?? (Score:2, Funny)
It has most DEFINITELY kicked off again - logs on my primary server indicate at least one hundred hits from this bug.
Already, that's almost as many as last time, and there are 18 more days of this.
For me, it's almost like watching a violent, fiery thunderstorm. Sure, it'd suck if lightning actually HIT me, but I'm quite safe.
Kinda sick, isn't it?
Re:Don't you get it!?? (Score:2)
ROFLMAO!
I don't know about you (Score:2)
I was thinking it was related to the worm.
But remember, the last time it struck, it grew exponentially for 7 days until it really hit its stride.
Re:I don't know about you (Score:2)
So maybe something did happen - however, the various survey sites report that nothing really major happened, so this was probably just a coincidence (maybe too many people hitting yahoo.com at the same time to see if it was still up?)...
Re:I don't know about you (Score:2)
Re:I don't know about you (Score:2)
Re:I don't know about you (Score:5, Insightful)
Code Red would have started with about 200,000 existing infected machines, except that:
It will not stop the worm from growing, but it will play a role in controlling the code red.
If this incarnation of the worm were really malicious, it would try more than 100 addresses. (though incident.org said that the rng in the latest version is stronger). A relatively benign worm like this is better for the weak sysadmins in the long run, because otherwise they would not have known of this relatively simple security hole.
Re:I don't know about you (Score:2)
Ignoring for the moment the whole "worm vs. virus" thing, I saw a number of news reports that directed people to MS for the patch, and apparently CNN even had a link for it on Wolf Blitzer's page. On the whole, the coverage on this has been surprisingly good considering the general audience for which it is intended.
Re:I don't know about you (Score:5, Informative)
This was proven to be untrue by the 31st. I scored a 5, Insightful mentioning this on July 23rd, but by the end of the month the security firms had tried repeatedly to move clocks forward and to get the worm to reawaken, but it *never did*. Therefore, all the hype was unwarranted with respect to 8PM ON TUESDAY, TUESDAY TUESDAY!!
During the first infection it took 6 days to get to 359,000 hosts, not 12 hours like CNN would say. If you check incidents.org, you'll see that 22,000 new infections have already happened by 11am ET on the 1st. While it's not as bad as you and I thought it was going to be.. restarting with 200,000 infected hosts, it is BY NO MEANS over.
Please people, do NOT jump the gun, comparing this to Y2K. Besides, I think all the media coverage helped thwart all the y2k problems, but that's for another post.
You could look at this... (Score:2)
Oh, and currently, MAE-East is in the shitter, same as last time. No wonder connections may be crappy.
A solution to the problem? (Score:3, Interesting)
We could talk about the Microsoft Sircam virus, or the Microsoft CodeRed worm, or even the Linux Ramen worm. Forever sear into the minds of the ever-forgetful public the platform which fell victim, PR which most companies and organizations will try valiantly to avoid.
Prepare for the next time this happens (Score:2)
( ) "aye-aye-ess"
( ) "two-ess"
( ) "aye-ayes"
( ) "aye-iz"
(Of course I don't know how to say it! I run Apache/Linux and Apache/Mac OS X.)
The news... (Score:2)
It's obvious (Score:2, Interesting)
Because Code Red dealt with the White House, which is a national symbol and easily recognized by all the world. Never mind the fact that the white house web site was never in any danger of being taken off-line. Joe & Billy Bob don't know what no stinking eye-pee addresses are. High profile attacks get the news...not that secret memo detailing a new flavor of Tang....
Yep. Gone with a whimper. (Score:3, Interesting)
Heard an interview with a Microsoft spokesperson this morning. Interesting how the terms 'Windows', 'NT', 'Windows 2000' and 'IIS' didn't come up once. Gotta protect those brands, I guess.
(To be fair, buffer overflows can happen to anybody, and it's not MS's fault that some sysadmins don't install updates. Just interesting to hear a real pro take charge of an interview.)
MS NT/2000 buffer overflow vulnerabilities galore. (Score:3, Interesting)
NT/2000 are chock full of buffer overflow vulnerabilities. Some have no patches available. How many more exist that are yet to be discovered? These known ones establish a pretty poor reputation that is difficult to get rid of. See this article from BugTraq:
BindView Security Advisory
--------
Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC daemons
Issue Date: July 30, 2001
Contact: tsabin@razor.bindview.com
Topic:
Many Microsoft DCE/RPC servers are vulnerable to remote DoS attacks
Overview:
Many DCE/RPC servers don't do proper parameter validation, and can be crashed by sending an improperly formatted request.
Affected Systems:
At least the following services are known to be affected. More servers are likely to be vulnerable. For a complete list of what Microsoft has patched, see their security bulletin mentioned below.
W2K SCM (services.exe)
NT4 SCM (services.exe)
NT4 LSA (lsass.exe)
NT4 Endpoint mapper (Rpcss.exe)
W2K Endpoint mapper (svchost.exe (fixed by ms00-066))
SQL Server 7 (sqlservr.exe)
W2K's DHCP Server
W2K's IIS Server (inetinfo.exe)
Exchange 5.5 SP3 (STORE.exe)
Exchange 5.5 SP3 (MAD.exe)
NT4 Spooler (spoolss.exe)
W2K License Srv (llssrv.exe)
NT4 License Srv (llssrv.exe)
Impact:
An unauthenticated remote attacker that can talk to the endpoint on which the server is listening can crash the server. In some cases, the servers may either restart themselves, or be restarted by the OS.
Details:
By sending successively larger and larger requests containing nothing but nulls to every operation on every interface supported by a DCE/RPC server, it's often possible to find a particular request that will crash a server. Note that it's not technically necessary to run through every possible request to crash a given server. Each server has a particular request (or requests) which crashes it. Once the proper request has been found by grinding through all the possibilities, only that request is needed to crash the server.
The exact endpoints on which a server listens will vary from service to service. Many listen on named pipes, which are accessible via TCP port 139 or (on W2K) 445. Other services, e.g. Exchange, typically listen on both TCP and UDP ports above 1024. Those services which do not listen on named pipes can usually be enumerated via the endpoint mapper, using rpcdump. rpcdump comes with the NT resource kit. A free version is also available on the RAZOR web site in the rpctools package.
If COM Internet Services has been installed and enabled, then these attacks may be possible over port 80, as well. This is not a default configuration, however.
Workarounds:
Firewall off as much as possible.
Recommendations:
Install the appropriate patches from Microsoft.
Do not install COM Internet Services.
References:
Microsoft's security bulletin:
http://www.microsoft.com/technet/security/bulleti
Microsoft's patches:
The patches vary, depending upon the service.
See the security bulletin for details.
Microsoft's Knowledge Base article:
http://support.microsoft.com/support/kb/articles/
Re:Yep. Gone with a whimper. (Score:2)
Well, I'm monitoring the firewall logs for a class C subnet right now, and I'm seeing a hit every two minutes on average. It's not as bad as the 19th of last month, but it's been building steadily throughout the day. I got no hits between 00:00 and 09:00 BST, but they started shortly after that and have been escalating slowly.
I'm hoping this is the peak right now, as the last wave ate up a third of the incoming bandwidth on my company's Internet pipe at its height.
Re:Yep. Gone with a whimper. (Score:2)
Just in the time that's passed since I posted that last comment the hit rate has climbed to two or three every minute. I really hope this peaks soon, as otherwise this pipe's going to be completely clogged by tomorrow.
Waaaah! No /.! I'll have to go back to working or something!
Re:Yep. Gone with a whimper. (Score:2)
It's only just started! (Score:4, Insightful)
Remember; there was no major problem with Code Red until it was almost time for it to attack last time around because it hadn't infected enough hosts. This is not yet over and will get progressively worse throughout the month.
That is, of course, assuming that Gibson was right yesterday when he said it will still be active....
And don't start hyping sircam - I'm enjoying reading private documents ; )
No, let it blow! (Score:3, Interesting)
Relax, all you MS sysadmins. Nothing Really Bad is going to happen. Just sit tight and all this will blow over, like Melissa did. Educate your users and continue upgrading to W2K. Sleep, now.
Re:No, let it blow! (Score:2, Insightful)
The patch was available for a month before Red Code struck, so how does this show how irresponsible Microsoft is compared to worms that have hit other operating systems? Why has Linux been struck with worms of its own? Does that mean a "closed source, NDA distribution model" is superior, then? Besides, just like with desktops, most web servers on the internet run Windows, so it's not too surprising that more of them get attacked, especially since not only are there more, they're usually used for more important data/applications, especially when it comes to e-commerce.
How inferior is easy to judge (Score:2)
1. Editing a textfile /etc/apt/sources.list
2. apt-get update
3. apt-get upgrade
and free software is retrieved from any of hundreds of mirror sites around the world, closed source distribution will continue to be second or third rate.
A pay for each copy in a box approach to distribution just sucks rocks.
A subscription to closed source junk is almost as bad. It can't be updated as quickly and well, it costs money. Do I really want to pay for my telnet client every month? If you buy microsoft OS, you have bought the same telnet client two or three times in the last four years. Same old bugs, same old look, same limits, yawn.
MS has got a record of inconvenient and extortionate distribution. Their dedication to the pay per each copy on each machine model and "aggressive" competitive measures to break other people's software has left them with nasty commingled code that sysadmins are rightly hesitant to patch, ever. They have consistently denied any failings by blaming user and sysadmin ignorance and laziness. People, not just crackers, have noticed that MS stuff won't work and every piece comes at a price. In the end despite all you wrongly say, the proof is in the kaputting. As yet another virus blows over them and annoys everyone, the inferiority shines through.
Viewing other people's files for gratification (Score:2)
I got a .zip yesterday (the second file I've got so far) that had been turned into a .pif, but when I looked at the archive under Linux I had no problem viewing it, and was even able to listen to the really lame midi file in there without needing to do a damn thing to the infectious file.
Basically, you're pretty safe poking around at these under Linux (they're aimed at Win/Outlook users after all). Though since I don't have a permanent net connection and I do have ps -aux and kill -9 I can rest pretty safe : )
Re:It's only just started! (Score:2)
Try piping it through strings.
Billions of dollars spent... (Score:4, Insightful)
I think the security folks should modify code red (Score:2)
Re:Billions of dollars spent... (Score:3, Informative)
I can't think of a situation where it would be a waste of time (read money for you biz folks) to apply a patch to a server. Unless you think it takes less time ($$) to restore your machines or rebuild your machines if they get compromised.
Re:Billions of dollars spent... (Score:2)
Re:Billions of dollars spent... (Score:2)
I can't think of a situation where it would be a waste of time (read money for you biz folks) to apply a patch to a server. Unless you think it takes less time ($$) to restore your machines or rebuild your machines if they get compromised.
Even then, one thing this worm has done a good job of highlighting is that it's not just a waste of your resources if you don't patch your servers. I'm seeing a lot of my bandwidth being eaten up because other people are too lazy/incompetent/ignorant to administer their systems properly.
Sorry. Rant over. I feel calmer now.
Re:Good advertising for MS (Score:2)
Hell, I've had users coming up to me all day asking if I patched their workstations... not only does the worm not affect workstations, we're an advertising agency, our workstations are all Macs!
Code Red = Code Dud (Score:2)
I got all revved up in late '99, waiting for the death cults and survivalists to do their thing. But everyone was remarkably quiet about it all.
Y2K = all hype and no looting. California Power Crisis = same. Code Red = Same. I promised myself I wasn't going to get excited this time. But with all the coverage, I got suckered into it again.
What am I going to do with my Honda generator that I bought in '99, sold in 2000 and bought back again two weeks ago?
Here are some links to stories about similar disappointments:
Foretold Apocalypse Refuses To Occur [ridiculopathy.com]
Survivalist Emerges From Y2K Bunker, Says "Oh, Crap" [ridiculopathy.com]
Code Red is getting more press than Sircam... (Score:2)
Sad but true (Score:2, Funny)
I don't know about the rest of you, but I'm rooting for the virus.
A picture paints a thousand sniggers (Score:2)
The best take on this I've seen today is over at User Friendly [userfriendly.org].
Sheesh (Score:2)
For the media to go nuts, it took press conferences and press releases from the FBI and Microsoft. Those big organizations aren't making the same noise about Sircam (or Sklyarov, or...).
Another site with real time stats..... (Score:2)
Dshield.org [dshield.org] has some stats going too. Looks like 23,400 infections as of around 10AM EDT....
Re:Another site with real time stats..... (Score:2)
Red Code vs Sircam -- The MS-FUDyard wars (Score:2, Funny)
That's a show I'd like to see!
People underestimate the bandwidth of the 'net (Score:2)
Having those hosts sending packets that break routers and printers is more of an issue, but those have generally been fixed last month, because they couldn't very well just have been left off until the thing went dormant.
The internet's infrastructure has grown significantly in capacity (although not necessarily in smart physical placement) since it was easy to DOS the whole thing with a worm (or with the start of the school year, for that matter), and it's happened in response to actual use of the bandwidth. All of the clients generating web requests easily overcome the traffic all of the servers running IIS could possibly generate, not to mention the traffic that goes over any large, bulldozer-accessible cable.
Re:People underestimate the bandwidth of the 'net (Score:2)
Well, perhaps, but remember, this beast has 100 threads going at once trying to infect machines. And your count is a bit low - the counts I've seen, and disclaimed as LOW - were 360K infected hosts. That's 3.6 MILLION processes choosing random IPs anywhere in the world and sending a couple hundred bytes. That's a WHOLE lotta connections. SO it can have an impact.
Its warming up... (Score:2)
No one is talking about SirCam (Score:5, Funny)
More graphs (Score:4, Informative)
But what about the media? (Score:5, Insightful)
It's just like Y2K. It's a problem that is basically centred around a specific flaw that is NOT present in all computers, yet trumpeted by the media as "The Be All and End All" of computer problems "destined to destroy our information-superhighway society". Yet, when you look into it, it's not as large as it's supposed to be. Could this be the reason that the vast majority of the population is afraid to click the mouse too fast in fear that they "break" their computer?
Re:But what about the media? (Score:2)
Not only that, but only those IIS servers that haven't been patched. I don't know of anyone running IIS who doesn't at least get the Microsoft Security Bulletins. If there is a patch available for anything you'll hear about it on the mailing list. I didn't really worry about this one at all.
I have to wonder though - with both Code Red and Sircam, as well as a number of other virii - the damage inflicted by these programs was much less than it could have been. It's as if the virus writer wanted to grab lots of attention (I'm sure having the national media talk about your creation is very gratifying to these people) rather than inflict as much damage as possible.
Re:But what about the media? (Score:2)
Re:But what about the media? (Score:2)
This isn't true. The routers it affects are largely the routers for people's home DSL installations. Having those routers crash isn't a huge deal for the Internet as a whole, but most home users aren't equipped to deal with the problem.
Re:But what about the media? (Score:2)
I've been hit seven times so far according to my Apache access logs, and a possible three other times on another machine with no web server, but a logging firewall block on port 80.
At least two of the hits are from an @home and a DSL customer. Perhaps by crashing the un-upgraded Cisco DSL routers they're actually doing a service by preventing DS-Lusers' home machines from being able to spread the worm. Not to mention blocking all the skript-k1dd13 IRC DD0S w4r3z that are already running on said lusers' machines.
An interesting anecdote is two weeks ago when I called my ISP, their phone answered with a message about Code Red, and then I overheard a tech support guy in another cubicle at the ISP telling someone to power-cycle their router.
Affects more than just IIS servers (Score:5, Insightful)
Say there's some bug that causes all Hondas on the road to stop running. It only infects Hondas though. But that sure would create a traffic mess for everybody, including those that don't drive Hondas.
Now if thousands of IIS servers are clogging your ISP's routers, your Apache server would seem really slow to anybody trying to access it, if they can get there at all.
Re:Affects more than just IIS servers (Score:5, Insightful)
This deserves to be the same for Microsoft, for exactly the same reason.
D
Re:Affects more than just IIS servers (Score:2)
Re:But what about the media? (Score:2)
On my way in to work this morning, I was listening to a local news radio station [wbz.com], and they were talking about how "Code Red" will effect servers [wbz.com] and that everyone (!!) should download Microsoft's patch. From the linked article:
Well, the Alphaserver I admin seems to be doing ... ok, actually, it's down right now, but that's another story (flaky hardware, it seems) ... but anyway, during the last Code Red outbreak, it got probed, and it survived the attack without Microsoft's patch. Fancy that, the Apache server running on RedHat 7.0 wasn't affected, and I didn't even install the Microsoft patch!
Listening to them, I would have thought that Microsoft owned the Internet...
Re:But what about the media? (Score:2)
This is what I was talking about above - Microsoft is handling this beautifully, from a PR perspective. News accounts in my area made it sound like Microsoft invented (innovated?
Didn't sound *at all* like MS was fixing a bug in their software. We should all be grateful - Microsoft saved the web out of the goodness of their hearts.
Re:More media crapola (Score:2)
When in actuality all we need to do to save the internet is to destroy Microsoft.
Code Red...unneeded hype..... (Score:3, Insightful)
Ever hear the weather service worry about issuing a warning when one was not needed? You do. Why do they worry about it? The answer is because when a warning REALLY needs to be issued and that F5 tornado IS on the ground, people may lose their lives because they ignore the warning. They don't want to risk not issuing a warning, but if there's a possible severe storm heading our way, they want to make sure it's severe before issuing the warning (hence weather spotters, advancing NEXRAD and other things of this sort). If they just issued a warning for every cell that has a possibility of being severe, then the people may dismiss a valid warning.
Why does this compare to the Code Red thing? If you hype the virus too much, if the attack is benign or doesn't happen, then when a real bad virus hits and spreads across the net, the people will ignore it and open the stupid attachment or not patch the computer. The media needs to start being responsible and until the media becomes less liberal and less concerned about getting ratings, we will have to live with over-hypeness such as Y2K and the Code Red. And when the big one comes, because the media cried wolf so many times, the un-thinking populace will suffer. Also, there were people worrying about their PeeCee's at home when this thing has no danger to the common schlub running Windows 98 or ME. The worst that can happen to them is they have no access or slow access to the internet. The common schlub cares more about the price of gas on the corner than if his internet connection works. (I on the other hand would be freakin! ;) )
Re:Code Red...unneeded hype..... (Score:2)
My father works for the National Weather Service, and this is exactly the reason they have so many checks they have to go through before they issue a warning or a watch. (Not that it takes long to get through them, but they do check themselves on it very well.)
I suppose the big difference is that when people don't listen to the NWS they tend to die. (I still remember when my dad came home just devastated when some people in a national park were drowned in a flash flood that he put out a watch for.) Still, you're absolutely right.
The problem is that there's no central authority that most people know of to go to for this sort of accurate information. There's nobody competing with the NWS on the weather. The news states the information they get from the NWS exactly as it comes (with some embellishment to add entertainment value). If those media people could quote and point to actual security experts (not just the loudest), we'd be much better off.
When are virus/worm writers going to get serious? (Score:3, Insightful)
Data *corruption* is far more damaging than blitzing a server or formatting a hard disk. It's where the real danger lies.
You DOS a server, they move it to a different address. You format a hard disk, they restore from last night's backup. But if you modify a couple of files here or there and if you reset the modification date, then they won't even notice until all the backups are corrupt as well.
They now have to check *every* document, spreadsheet and database by hand to see if it's been modified and then try to find an unmodified version in the backup. It could get very nasty if the documents/spreadsheets/databases have *also* been updated legitimately in the meantime, mixing legitimate information with junk.
So, I'm not worried about files being deleted or servers being DOSd. I have backups, I can move servers, it's a minor inconvenience at worst.
I'm worried about trojans/worms which search boxes and *change* information.
Re:When are virus/worm writers going to get seriou (Score:2)
DDoS attacks get the buzz and that's what they crave. But I have to agree - when worm writers get really serious, it'll make Code Red look like child's play.
Re:white house (Score:2, Insightful)
Yeah, here's one. (Score:2)
Trying 65.24.228.11...
Connected to 65.24.228.11.
Escape character is '^]'.
get
<html><head><meta http-equiv="Content-Type" content="text/html; charset=english"><title>HELLO!</title></head><bady><hr size=5><font color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!</font></hr></bady></html>
Connection closed by foreign host.
Re:"something bad didn't happen" (Score:2)
[micah@nova logs]$ grep NNNN *log | wc -l
25
And that's just since last night. I got 75 of them 2 weeks ago. But it appears to just be getting started.
Re:When will they learn? (Score:2)
True, but what will surprise me is if some other worm doesn't show up today. While everyone is watching to see if Code Red hits, what better time to release a really stealth worm that doesn't deface the main page and hides the best it can to spread itself somewhat slower - and have it set to DDOS (using DNS of course, not hardcode IP) on teh 18th instead - now that would be funny.
Re:Snapple virus wouldn't sound very scary (Score:2)
Re:Use the data, Luke! (Score:2)
Re:is this it? (Score:2)
61.131.51.74 - - [01/Aug/2001:15:59:39 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 316 "-"
Why is it my favorite hit so far? Because I really was "hacked by Chinese"!
inetnum: 61.131.51.72 - 61.131.51.79
netname: NANAN-SHISHAN-SCHOOL
descr: Shishan middle school of Nan'an
descr: town of Quanzhou city of Fujian
descr: province
country: CN
admin-c: MD47-AP
tech-c: MD47-AP
mnt-by: MAINT-CHINANET-FJ
changed: milizi@sina.com 20010526
source: APNIC
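The `grep NNNN *log | wc -l` count a few comments up and the access-log line quoted in this comment are the raw material for a slightly more useful tally: probes per source address and per hour, so a climbing hit rate like the one described earlier in the thread is visible. This is an added example, not code from any poster or from incidents.org; the log lines, the RFC 5737 addresses and the 20-N threshold are constructed.

```python
import re
from collections import Counter

# Apache common/combined log format, as in the access-log line quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Code Red's probe is a GET for /default.ida? followed by a long run of N's;
# requiring at least 20 of them is a constructed threshold.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?N{20,}')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(entry):
    """True when the request line carries the Code Red probe signature."""
    return bool(CODE_RED_RE.match(entry["req"]))


def summarise(lines):
    """Count Code Red probes overall, per source address and per hour."""
    per_ip, per_hour = Counter(), Counter()
    total = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_code_red_probe(entry):
            continue
        total += 1
        per_ip[entry["ip"]] += 1
        # "01/Aug/2001:15:59:39 +0000" -> "01/Aug/2001:15"
        per_hour[":".join(entry["ts"].split(":")[:2])] += 1
    return {"total": total, "per_ip": per_ip, "per_hour": per_hour}


# Constructed sample log using RFC 5737 documentation addresses, not real traffic.
PAD = "N" * 30
SAMPLE_LINES = [
    '192.0.2.10 - - [01/Aug/2001:15:59:39 +0000] "GET /default.ida?' + PAD + '%u9090%u00=a HTTP/1.0" 400 316 "-" "-"',
    '198.51.100.7 - - [01/Aug/2001:16:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Aug/2001:16:05:02 +0000] "GET /default.ida?' + PAD + ' HTTP/1.0" 404 280 "-" "-"',
    '203.0.113.44 - - [01/Aug/2001:17:41:20 +0000] "GET /default.ida?' + PAD + '%u9090 HTTP/1.0" 400 316 "-" "-"',
    # A plain request for the same path without the padding is not the worm.
    '198.51.100.7 - - [01/Aug/2001:17:45:00 +0000] "GET /default.ida HTTP/1.1" 404 210 "-" "curl/7.9"',
    'not a log line at all',
]


if __name__ == "__main__":
    report = summarise(SAMPLE_LINES)
    print("Code Red probes:", report["total"])
    for ip, n in report["per_ip"].most_common():
        print(f"  {ip}: {n}")
    for hour, n in sorted(report["per_hour"].items()):
        print(f"  {hour}: {n}")
```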
Re:Don't speak too soon (Score:2)
Re:How do they know 22,000 servers were infected.. (Score:2)
Re:Premature Announcement...much? (Score:2)
20:00 EST == 00:00 GMT
--Ben
Re:A bit premature? (Score:2)
Re:Incidents.org mini-mirror (Score:3, Insightful)
Why? The table below shows 115,568 hosts infected today. Funny part is the #'s don't add up - if you add the # of hosts for each hour in the table above you get close to 200K, not 115K - makes no sense at all.
Actually, my guess is the top table shows how many infected hosts were SEEN during that hour and the table below highlights the total # of unique IPs infected since the start of the day?
Re:Am I the only one besides beanspace... (Score:2)
And now thanks to a slashdotting it isn't even responding :) I wanna see the 12 o'clock total! It's like watching a game :)
Re:Huh? (Score:2)