Code Red III 759
drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.
Comment removed (Score:5, Insightful)
Re:More info on Code Red III (Score:2, Insightful)
Stop addressing Code Red (Score:4, Insightful)
Why people love Code Red (Score:2, Insightful)
Microsoft loves it because they get to release patches, and proclaim to the world "we're the good guys, protecting you from those unamerican people who share code!"
The lawmakers get shits and giggles because now they have a reason to pass new, more restrictive laws regarding comminication across "the information superhighway."
The prison system salivates over this sort of stuff. It creates more potential for 15 year old kids to be thrown in prison for essentially victomless crimes. Nothing like young ass for the seasoned prison rapists!
Open source fanatics get another nit to pick with big bad Microsoft. Go free software! No, go open source! No, go free software!
News like this is the best kind around.
Re:Microsoft should be sued (Score:2, Insightful)
From: Support@iis.microsoft.com
To: Registered_Users@iis.microsoft.com
CC:
Subject: RE: IIS Code Red Worm Patch
Attachment: Instructions.doc
Body:
Hi, how are you?
We are writing you in response to the Code Red worm that has recently attacked our premium enterprise gold standard web portal system, Microsoft Internet Information Server. We have compiled a set of directions for patching the server, and have included these instructionsin a easy to read Word document. If MS Outlook didn't automagically open this attachment for you, double click on the attachment link above.
If you have any advice on this file, please email us back!
See you later!
Re:Microsoft should be sued (Score:3, Insightful)
I'm a gun nut, but even I will say that a maker of a defective gun should be liable. If it explodes in your hand, that's an issue. IIS is exploding in a way, and MS should be liable.
My view is very simple: Things you buy shouldn't suck.
Re:Buffer overflow vulnerabilities (Score:2, Insightful)
Any manual check can be forgotten and be a potential security hole. Once it is forgotten it merely depends on who finds the hole first: script kiddie or code maintainer.
And lets rub this in deeply, there are plenty of languages that protect you against the single most frequent cause of security leaks that is costing the world billions of dollars in damage annually (and it sure isn't C). Any program that is going to be exposed to hackers (i.e. any internet server software) should never ever be programmed in C. You simply cannot guarantee that the compiler and libraries are correct. Even if your program is correct, those still can be a potential source of bugs. Your average UNIX system likely has dozens of undiscovered potential buffer overflows.
Us java programmers are laughing our asses of each time a buffer overflow is wreaking havoc on the internet. We don't have to worry about such things. Java may not be the greatest thing, but you can rest assure that buffer overflows won't happen.
One problem.... (Score:3, Insightful)
RoadRunner is additionally trying to shut down individual cable modems, rather than some of the more extreme measures other providers are using (like killing port 80), so kudos to them. Please get the word out to anyone running 2K or NT to check their box, not just anyone who KNOWS they're running a website.
less talk...more help (Score:2, Insightful)
And no, this isn't the time to send off an email that says "ditch your M$ crap and goto apache" because most of these poor admins aren't running IIS because they WANT to...it's what they HAVE to do.
So let's take back some bandwidth already!
Re:Microsoft should be sued (Score:3, Insightful)
Re:Copycats (Score:5, Insightful)
The folks here at the Fortune 500 company I work for who have been working around the clock since Wednesday trying to clean up this mess will be real happy to hear that you don't believe it exists.
It's not like they haven't announced the patch (Score:5, Insightful)
The media talked about it for weeks. Ford sent out letters to customers as far as they could find them. People brought their SUVs in, got new tires put on them, drove out. That's how product recalls usually go.
Software patches aren't all that different. When a hole is discovered, a patch is made. Responsible Microsoft server administrators have the MS site automatically checked on a daily basis for critical updates and patches. Irresponsible admins don't bother, and they become vulnerable and the cause of the worm's spread.
But it would be insane to propose MS should force-feed this server patch to all their customers. The problem isn't the software, it's the admins. You'd be hard-pressed to find a major newspaper in the civilized world that hasn't mentioned this worm yet, and still there are people who don't bother to patch. They're the same ones who think that server software is just like desktop software, where you're the only one who uses it that really matters.
Firestone couldn't make its customers bring their SUVs in to have the tires replaced for free, and there's no way the customers could claim ignorance of the problem after the press got done with it. Likewise, Microsoft can't make its customers upgrade their software for free. They've honestly tried to make all their server customers aware of what's expected of them, but they're as powerless to force it to happen as Firestone is to force car drivers to rotate their tires every 6,000 miles.
Version 3? Don't think so. (Score:5, Insightful)
My suspicion is this is Code Red 2. One of the AV companies used "CodeRed.v3" or something similar to refer to Code Red 2, and I'd bet the journalists were just too clueless to figure out that the two names refer to the same thing.
Obviously,IIS is *vastly* more popular then apache (Score:4, Insightful)
More popular with whom? If there's anything these worms have shown us, it's that there's a HELL of a lot more IIS installations then anybody would really have guessed, due to the ease of installing it without even realizing it with Windows 2000.
IIS and Apache may be roughly comparable for "real" websites, but in terms of sheer number of installations, I'd now bet that IIS is creaming apache.
Before you get too huffy, note this is a bad thing, as it has provided a fertile breeding ground for these worms, while providing little-to-no benefit in return.
"More lusers with vulnerable web servers then ever before - Microsoft Windows 2000."
Because the patch doesn't block all infections (Score:1, Insightful)
http://www.incidents.org/diary/august2001.php#801 [incidents.org] courtesy of incidents.org
Re:Copycats (Score:1, Insightful)
Re:Buffer overflow vulnerabilities (Score:2, Insightful)
The thing is, with Perl and Java, the language's runtime handles memory allocation/de-allocation. And barring a bug in the language itself, there's no way an app written in such language can overflow a buffer. Either the buffer will be grown dynamically to fit the data, or the app will get an exception. But corruption of unrelated data cannot happen in this way.
make some money off banner ads (Score:5, Insightful)
Re:More information? (Score:2, Insightful)
Re:Code Red is trying to eat me! (Score:3, Insightful)
As much as I hate Verizon and their bullshit, at least they are trying to do something.
Gotta give em SOME credit
Re:Microsoft should be sued (Score:5, Insightful)
Claiming that Microsoft should be liable for sysadmins who are some combination of naive, out of touch, unqualified, or just plain stupid is like claiming that I can sue Honda because my parked car was sideswiped by an unlicensed, drunk driver who just happened to be in an Accord.
*: This also applies to NT 4.0.
Re:Microsoft should be sued (Score:5, Insightful)
Re:Bah. (Score:3, Insightful)
And the only thing I saw wrong in that report is that they believed the companies in question when they reported "isolated" problems that have already been fixed.
I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.
The pisser is none of MY servers were affected, but I'm still dead in the water because of a bunch of idiots on other teams and projects.
Re:More information? (Score:2, Insightful)
You may get 403'd several times, as the infected machines reach their limits after a while. Just keep poking at it, you'll get your directory listing. What you won't get, though, is privilege enough to shut down either IIS or the OS itself, format the drives, reboot the box, etc.
Some folks have taken to leaving graffiti in infected machines as they find them. It's awfully tempting...
Re:Microsoft should be sued (Score:3, Insightful)
Certainly, applying the patch is a necessary thing - but when you look at it from a business perspective, which is worse:
1. Apply the patch, have our other server stuff stop working (say, our lovely ASP stuff), and lose money - but save the rest of the internet.
2. Don't apply the patch - we keep making money - and screw everybody else - we will wait.
Suddenly, it all makes sense...
Re:Please stop bragging about apache... (Score:1, Insightful)
Windows get's targeted because it's the most common OS. Apache is the most common web server; why isn't apache targeted? Nothing MS is known for it's great security or reliability; Why is it always the MS product that gets hit with a virus/worm? Because it's easy.
So does the GPL (Score:2, Insightful)
It specifically disclaims any and all liabilities and warranties.
If the Microsoft EULA disclaiming responsibility is invalid, isn't the GPLs? If you argue that GPLed software is free, so consumer protection laws don't apply, then what if you paid Red Hat $15 for their distribution?
Regardless of whether you paid them for the packaging or the 1-800 support number, you bought something from 'em, so shouldn't they be liable if your linux box ruins your MySQL database?
Re:Can the internet community sue microsoft? (Score:1, Insightful)
for example, if you load MS/NT/W2K on a PC that controls your companies Fire Alarms and because of a virus/worm/???? your Fire Alarms are down when a fire starts and burns your business to the ground (including physical injury to staff)....
MS is NOT liable for one red cent of any kind of damagaes....
MS was certainly not the first S/W company to immunize themselves from product liability through licensing....
BUT, the MS license agreement is one way non-negotiable (Take it or Don't Load It), not subject (by the user) to any modification under any circumstances (if a consultant GUARANTEES anything about Windows performance that's not binding on MS) and best of all....
the mere fact that you install the s/w is COMPLETELY BINDING ON YOU AND ALL YOUR COWORKERS...
SO, if over your loud objections, your IS/IT dept installs W2K in your department and it crashes another app (say an Oracle8 database on Solaris) and destroys it completely, well, the mere act of installation binds you completely, even if you didn't want it, didn't need and told everyone that if ruin your existing applications...
NOW THAT'S ***INNOVATION***