OT: patch those windows systems

Discussion in 'Mountain Bikes' started by Technician, Apr 21, 2003.

  1. Technician

    Technician Guest

    OK, I know this is very off topic, please forgive me.

    Those that have Windows, specifically 2000, and possibly XP: if you do not intend to host a website
    from your computer, uninstall the IIS service. If you need/want it, then make sure you have the
    latest security patch for it.

    Within just this year, I have so far received 82 connections probing for an unpatched IIS server.
    What it found was a non-vulnerable (to this attack) Apache server running on Linux.

    Among the network security community, these attacks are believed to be from a worm. I can't remember
    which one, but it is either Nimda, Code Red, or the new Code Red II.

    So run virus scans and patch those IIS services if you must run them.

    The sources so far are fairly random. Let's see, I have gte.net, snet.net, direcpc.com,
    swbell.net, megapath.net, cox-internet.com, verestar.net, interquest.net, cablerocket.net,
    covad.net, rr.com, nuvox.net, astound.net, tds.net, bellsouth.net, aei.ca, arrival.net,
    charter.com, and the list goes on.

    Again, I apologize for posting a message so blatantly off-topic, but I figured it was a notice
    worth posting.

    ~Travis
    --
    To reply by email, remove clothes.

    travis5765.homelinux.net, Primary Administrator TF Custom Electronic, Owner/Founder/Developer
    (current project: Automotive exhaust flame-thrower)
     

  2. "Technician" <[email protected]> wrote in message
    news:[email protected]...
    > OK, I know this is very off topic, please forgive me.

    Half the topics in this "mountain bike" group are OT anyway....

    > Those that have Windows, specifically 2000, and possibly XP: if you do not intend to host a
    > website from your computer, uninstall the IIS service. If you need/want it, then make sure you
    > have the latest security patch for it.
    >
    > Within just this year, I have so far received 82 connections probing for an unpatched IIS server.
    > What it found was a non-vulnerable (to this attack) Apache server running on Linux.
    >
    > Among the network security community, these attacks are believed to be from a worm. I can't
    > remember which one, but it is either Nimda, Code Red, or the new Code Red II.
    >
    > So run virus scans and patch those IIS services if you must run them.
    >
    > The sources so far are fairly random. Let's see, I have gte.net, snet.net, direcpc.com, swbell.net,
    > megapath.net, cox-internet.com, verestar.net, interquest.net, cablerocket.net, covad.net, rr.com,
    > nuvox.net, astound.net, tds.net, bellsouth.net, aei.ca, arrival.net, charter.com, and the list
    > goes on.

    Not exactly news, but a good reminder. Lots of people have installed IIS without knowing it...

    Use a Linux box, as you are doing, and your worries are over :)

    Peter
     
  3. Mx-Pilot

    Mx-Pilot Guest

    Where do you uninstall it from?

    "Peter Tønnesen" <[email protected]> wrote in message
    news:[email protected]...
    >
    > "Technician" <[email protected]> wrote in message
    > news:[email protected]...
    > > OK, I know this is very off topic, please forgive me.
    >
    > Half the topics in this "mountain bike" group are OT anyway....
    >
    > > Those that have Windows, specifically 2000, and possibly XP: if you do not intend to host a
    > > website from your computer, uninstall the IIS service. If you need/want it, then make sure you
    > > have the latest security patch for it.
    > >
    > > Within just this year, I have so far received 82 connections probing for an unpatched IIS
    > > server. What it found was a non-vulnerable (to this attack) Apache server running on Linux.
    > >
    > > Among the network security community, these attacks are believed to be from a worm. I can't
    > > remember which one, but it is either Nimda, Code Red, or the new Code Red II.
    > >
    > > So run virus scans and patch those IIS services if you must run them.
    > >
    > > The sources so far are fairly random. Let's see, I have gte.net, snet.net, direcpc.com,
    > > swbell.net, megapath.net, cox-internet.com, verestar.net, interquest.net, cablerocket.net,
    > > covad.net, rr.com, nuvox.net, astound.net, tds.net, bellsouth.net, aei.ca, arrival.net,
    > > charter.com, and the list goes on.
    >
    > Not exactly news, but a good reminder. Lots of people have installed IIS without knowing it...
    >
    > Use a Linux box, as you are doing, and your worries are over :)
    >
    > Peter
     
  4. Mattb

    Mattb Guest

    "MX-Pilot" <[email protected]> wrote in message
    news:[email protected]...
    > where do u uninstall it from
    >

    Assuming you speak of IIS and you are running Windows 2000 or XP, just go to Control Panel -
    Add/Remove Programs and click on Add/Remove Windows Components. Find Internet Information Services,
    uncheck it, and hit OK.

    Matt
     
  5. Mattb

    Mattb Guest

    "Peter Tønnesen" <[email protected]> wrote in message
    news:[email protected]...
    >
    > "Technician" <[email protected]> wrote in message
    > news:[email protected]...
    > > OK, I know this is very off topic, please forgive me.
    >
    <snip>
    > Use a Linux box, as you are doing, and your worries are over :)
    >
    > Peter
    >

    Ummmm, I think knowing what you are doing is a big step no matter what OS you run. It's not like my
    parents (for example) can just go use a Linux box instead of Windows and that would end their
    computing worries.

    Common sense, a little education, and basic precautions are all anyone really needs to protect
    themselves. It's not like just running Linux will overcome lack of these basic things. I think it
    would just be worse since there is a steeper learning curve with Linux.

    Matt
     
  6. Technician

    Technician Guest

    In article <[email protected]>, [email protected] says...
    >
    > "Technician" <[email protected]> wrote in message
    > news:[email protected]...
    > > OK, I know this is very off topic, please forgive me.
    >
    > Half the topics in this "mountain bike" group are OT anyway....
    >
    > > Those that have Windows, specifically 2000, and possibly XP: if you do not intend to host a
    > > website from your computer, uninstall the IIS service. If you need/want it, then make sure you
    > > have the latest security patch for it.
    > >
    > > Within just this year, I have so far received 82 connections probing for an unpatched IIS
    > > server. What it found was a non-vulnerable (to this attack) Apache server running on Linux.
    > >
    > > Among the network security community, these attacks are believed to be from a worm. I can't
    > > remember which one, but it is either Nimda, Code Red, or the new Code Red II.
    > >
    > > So run virus scans and patch those IIS services if you must run them.
    > >
    > > The sources so far are fairly random. Let's see, I have gte.net, snet.net, direcpc.com,
    > > swbell.net, megapath.net, cox-internet.com, verestar.net, interquest.net, cablerocket.net,
    > > covad.net, rr.com, nuvox.net, astound.net, tds.net, bellsouth.net, aei.ca, arrival.net,
    > > charter.com, and the list goes on.
    >
    > Not exactly news, but a good reminder. Lots of people have installed IIS without knowing it...
    >
    > Use a Linux box, as you are doing, and your worries are over :)
    >
    > Peter
    >
    >
    >

    Not exactly over. I discovered there was an exploit in my version of OpenSSL, thus enabling an
    attacker, in this case a worm, to get shell access, download a trojan (as source code), compile it,
    and run it. Research identified it as part of a DoS attack cluster. I only found it afterward by
    remembering the process name running a while back. It was killed, though, when I moved the /tmp
    folder to a different partition. Some of the .* files would not copy over (the worm was one of them).
    When I restarted to help the new /tmp partition take effect (so it can regenerate lost files and so
    forth), the process was killed, thus completely removing the worm. After finding out about it, I
    quickly downloaded the patch for OpenSSL.

    And so far, there are 100+ viruses and trojans known to self-propagate on Linux. The reason Linux is
    less likely to get infected is because not every server has the same set of exploits, whereas about
    90% of Windows servers are running IIS, and each one is shipped with a pocket full of known and
    unknown exploits.

    But then, we don't need to bring the Linux vs. Windows debates here. There are enough of them in
    other newsgroups, and they will never stop, just as the Ford vs. Chevy debates will never stop
    (unless Ford and Chevy merged, of course).

    ~Travis
    --
    To reply by email, remove clothes.

    travis5765.homelinux.net, Primary Administrator TF Custom Electronic, Owner/Founder/Developer
    (current project: Automotive exhaust flame-thrower)
     
  7. Technician

    Technician Guest

    In article <[email protected]>, [email protected] says...
    > "Peter Tønnesen" <[email protected]> wrote in message
    > news:[email protected]...
    > >
    > > "Technician" <[email protected]> wrote in message
    > > news:[email protected]...
    > > > OK, I know this is very off topic, please forgive me.
    > >
    > <snip>
    > > Use a Linux box, as you are doing, and your worries are over :)
    > >
    > > Peter
    > >
    >
    > Ummmm, I think knowing what you are doing is a big step no matter what OS you run. It's not like
    > my parents (for example) can just go use a Linux box instead of Windows and that would end their
    > computing worries.
    >
    > Common sense, a little education, and basic precautions are all anyone really needs to protect
    > themselves. It's not like just running Linux will overcome lack of these basic things. I think it
    > would just be worse since there is a steeper learning curve with Linux.
    >
    > Matt
    >
    >
    >

    I think I remember a quote, perhaps from Linus Torvalds: "If your VCR is still blinking 12:00, then
    perhaps you shouldn't use Linux".

    ~Travis
    --
    To reply by email, remove clothes.

    travis5765.homelinux.net, Primary Administrator TF Custom Electronic, Owner/Founder/Developer
    (current project: Automotive exhaust flame-thrower)
     
  8. Sorni

    Sorni Guest

    "Technician" <[email protected]> wrote in message
    news:[email protected]...
    > In article <[email protected]>, [email protected] says...
    > >
    > > "Technician" <[email protected]> wrote in message
    > > news:[email protected]...
    > > > OK, I know this is very off topic, please forgive me.
    > >
    > > Half the topics in this "mountain bike" group are OT anyway....
    > >
    > > > Those that have Windows, specifically 2000, and possibly XP: if you do not intend to host a
    > > > website from your computer, uninstall the IIS service. If you need/want it, then make sure you
    > > > have the latest security patch for it.
    > > >
    > > > Within just this year, I have so far received 82 connections probing for an unpatched IIS
    > > > server. What it found was a non-vulnerable (to this attack) Apache server running on Linux.
    > > >
    > > > Among the network security community, these attacks are believed to be from a worm. I can't
    > > > remember which one, but it is either Nimda, Code Red, or the new Code Red II.
    > > >
    > > > So run virus scans and patch those IIS services if you must run them.
    > > >
    > > > The sources so far are fairly random. Let's see, I have gte.net, snet.net, direcpc.com,
    > > > swbell.net, megapath.net, cox-internet.com, verestar.net, interquest.net, cablerocket.net,
    > > > covad.net, rr.com, nuvox.net, astound.net, tds.net, bellsouth.net, aei.ca, arrival.net,
    > > > charter.com, and the list goes on.
    > >
    > > Not exactly news, but a good reminder. Lots of people have installed IIS without knowing it...
    > >
    > > Use a Linux box, as you are doing, and your worries are over :)
    > >
    > > Peter
    > >
    > >
    > >
    >
    > Not exactly over. I discovered there was an exploit in my version of OpenSSL, thus enabling an
    > attacker, in this case a worm, to get shell access, download a trojan (as source code), compile
    > it, and run it. Research identified it as part of a DoS attack cluster. I only found it afterward
    > by remembering the process name running a while back. It was killed, though, when I moved the /tmp
    > folder to a different partition. Some of the .* files would not copy over (the worm was one of
    > them). When I restarted to help the new /tmp partition take effect (so it can regenerate lost
    > files and so forth), the process was killed, thus completely removing the worm. After finding out
    > about it, I quickly downloaded the patch for OpenSSL.
    >
    > And so far, there are 100+ viruses and trojans known to self-propagate on Linux. The reason Linux
    > is less likely to get infected is because not every server has the same set of exploits, whereas
    > about 90% of Windows servers are running IIS, and each one is shipped with a pocket full of known
    > and unknown exploits.

    So, like, is this why the paddles in my Pong game go all fluey now and then?

    Bill "K62, Doze 98, more bugs than an exterminator's showroom" S.
     
  9. Mattb

    Mattb Guest

    "Sorni" <[email protected]> wrote in message
    news:[email protected]... <snip>
    > So, like, is this why the paddles in my Pong game go all fluey now and then?
    >
    > Bill "K62, Doze 98, more bugs than an exterminator's showroom" S.
    >

    Yeah, that's that Pong virus everyone's been worried about. Very deadly.

    Dude, make some bux at that new job and get a new machine when you can. Win2k and XP are WAY more
    stable than '98. If you bring it with you (along with some beer) on your next pilgrimage I'll get
    you all dialed in.

    Matt (then you have another excuse to head for the high country)
     
  10. Technician

    Technician Guest

    In article <[email protected]>, [email protected] says...
    > "Technician" <[email protected]> wrote in message
    > news:[email protected]...
    > > In article <[email protected]>, [email protected] says...
    > > >
    > > > "Technician" <[email protected]> wrote in message
    > > > news:[email protected]...
    > > > > OK, I know this is very off topic, please forgive me.
    > > >
    > > > Half the topics in this "mountain bike" group are OT anyway....
    > > >
    > > > > Those that have Windows, specifically 2000, and possibly XP: if you do not intend to host a
    > > > > website from your computer, uninstall the IIS service. If you need/want it, then make sure
    > > > > you have the latest security patch for it.
    > > > >
    > > > > Within just this year, I have so far received 82 connections probing for an unpatched IIS
    > > > > server. What it found was a non-vulnerable (to this attack) Apache server running on Linux.
    > > > >
    > > > > Among the network security community, these attacks are believed to be from a worm. I can't
    > > > > remember which one, but it is either Nimda, Code Red, or the new Code Red II.
    > > > >
    > > > > So run virus scans and patch those IIS services if you must run them.
    > > > >
    > > > > The sources so far are fairly random. Let's see, I have gte.net, snet.net, direcpc.com,
    > > > > swbell.net, megapath.net, cox-internet.com, verestar.net, interquest.net, cablerocket.net,
    > > > > covad.net, rr.com, nuvox.net, astound.net, tds.net, bellsouth.net, aei.ca, arrival.net,
    > > > > charter.com, and the list goes on.
    > > >
    > > > Not exactly news, but a good reminder. Lots of people have installed IIS without knowing it...
    > > >
    > > > Use a Linux box, as you are doing, and your worries are over :)
    > > >
    > > > Peter
    > > >
    > > >
    > > >
    > >
    > > Not exactly over. I discovered there was an exploit in my version of OpenSSL, thus enabling an
    > > attacker, in this case a worm, to get shell access, download a trojan (as source code), compile
    > > it, and run it. Research identified it as part of a DoS attack cluster. I only found it
    > > afterward by remembering the process name running a while back. It was killed, though, when I
    > > moved the /tmp folder to a different partition. Some of the .* files would not copy over (the
    > > worm was one of them). When I restarted to help the new /tmp partition take effect (so it can
    > > regenerate lost files and so forth), the process was killed, thus completely removing the worm.
    > > After finding out about it, I quickly downloaded the patch for OpenSSL.
    > >
    > > And so far, there are 100+ viruses and trojans known to self-propagate on Linux. The reason
    > > Linux is less likely to get infected is because not every server has the same set of exploits,
    > > whereas about 90% of Windows servers are running IIS, and each one is shipped with a pocket full
    > > of known and unknown exploits.
    >
    > So, like, is this why the paddles in my Pong game go all fluey now and then?
    >

    No that's due to wear or contamination on the potentiometer resistive surface (the pots are in the
    paddles). ;-)

    > Bill "K62, Doze 98, more bugs than an exterminator's showroom" S.
    >

    Humorous reference to AMD processors at http://www.chasten.org/hacker.htm <quote> If your son has
    requested a new "processor" from a company called "AMD", this is genuine cause for alarm. AMD is a
    third-world based company who make inferior, "knock-off" copies of American processor chips. They
    use child labor extensively in their third world sweatshops, and they deliberately disable the
    security features that American processor makers, such as Intel, use to prevent hacking. AMD chips
    are never sold in stores, and you will most likely be told that you have to order them from internet
    sites. Do not buy this chip! This is one request that you must refuse your son, if you are to have
    any hope of raising him well. </quote> ;-)

    ~Travis
    --
    To reply by email, remove clothes.

    travis5765.homelinux.net, Primary Administrator TF Custom Electronic, Owner/Founder/Developer
    (current project: Automotive exhaust flame-thrower)
     
  11. Sorni

    Sorni Guest

    "MattB" <[email protected]> wrote in message news:[email protected]...
    > "Sorni" <[email protected]> wrote in message
    > news:[email protected]... <snip>
    > > So, like, is this why the paddles in my Pong game go all fluey now and then?
    > >
    > > Bill "K62, Doze 98, more bugs than an exterminator's showroom" S.
    > >
    >
    > Yeah, that's that Pong virus everyone's been worried about. Very deadly.
    >
    > Dude, make some bux at that new job and get a new machine when you can. Win2k and XP are WAY more
    > stable than '98. If you bring it with you (along with some beer) on your next pilgrimage I'll get
    > you all dialed in.
    >
    > Matt (then you have another excuse to head for the high country)

    "New job"?!? I'm perfectly happy being self-underemployed, TYVM -- how else could I be leaving for a
    ride at noon-thirty on a Monday? :)

    But thanks for the offer to geek for me; I'll settle for some wrenching on my FAVORITE
    machines instead.

    Bill "could afford a new computer if not for the fallout from SPEEDING TICKET I got driving home
    last time" S.

    (I'll prolly get a Dell, Dude, like fairly soon.)
     
  12. The Ogre

    The Ogre Guest

    "Peter Tønnesen" <[email protected]> wrote in message

    > Not exactly news, but a good reminder. Lots of people have installed IIS without knowing it...

    And they deserve whatever they get from their ignorance. My only complaint is that these rooted
    boxes are later used to attack others.
    >
    > Use a Linux box, as you are doing, and your worries are over :)

    It is probably better now, but at one time the average unpatched Red Hat server would only last about
    1 month on the Internet before getting rooted. Server and network security is about vigilance and
    paranoia, not about blind faith in your OS.

    -- The Ogre
     
  13. Bomba

    Bomba Guest

    Technician wrote:
    > OK, I know this is very off topic, please forgive me.
    >
    > Those that have Windows, specifically 2000, and possibly XP: if you do not intend to host a
    > website from your computer, uninstall the IIS service. If you need/want it, then make sure you
    > have the latest security patch for it.

    Jeez Trav, you're just about as sharp as a button, and only two years behind on all the
    IIS exploits.

    Also, people shouldn't need to 'uninstall' IIS, because IIS is not installed by default in Win 2K
    Pro or XP.

    > Within just this year, I have so far received 82 connections probing for an unpatched IIS server.
    > What it found was a non-vulnerable (to this attack) Apache server running on Linux.

    82 hits really isn't that much...

    > Among the network security community, these attacks are believed to be from a worm. I can't
    > remember which one, but it is either Nimda, Code Red, or the new Code Red II.

    "New" Code Red II? Code Red II came out in August 2001.

    You should be able to tell which worm it is, by analysing the command strings.

    > So run virus scans and patch those IIS services if you must run them.
    >
    > The sources so far are fairly random. Let's see, I have gte.net, snet.net, direcpc.com, swbell.net,
    > megapath.net, cox-internet.com, verestar.net, interquest.net, cablerocket.net, covad.net, rr.com,
    > nuvox.net, astound.net, tds.net, bellsouth.net, aei.ca, arrival.net, charter.com, and the list
    > goes on.

    They're usually infected machines that are just propagating the worm. As such, there'll be no
    real pattern.

    > Again, i apologize for posting a message so blatantly off-topic, but i figured it was a notice
    > worth posting.

    Although well meaning, you'd be better off advising about general pc security. Open NetBIOS shares
    are far more commonly left open, and far more commonly exploited than an unpatched IIS.
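    Bomba's point above, that you can tell which worm it is from the command strings, and Technician's
    later reply identifying his hits as Code Red II, can both be checked mechanically against the web
    server's own log. The script below is an added example, not code from anyone in this thread: it
    sorts the probes in an Apache combined-format access log by request string, using the published
    signatures of Code Red (a /default.ida? overflow padded with a run of N), Code Red II (the same
    overflow padded with X) and Nimda (requests for root.exe and the Unicode/double-decode traversals to
    cmd.exe). The log lines embedded in it are constructed samples with placeholder 10.0.0.0/8 addresses,
    not a real capture, and the overflow padding is shortened.

```shell
#!/bin/sh
# Added example: classify IIS worm probes in an Apache access log by request string.
# Signatures are the published ones for Code Red, Code Red II and Nimda; the log
# below is constructed sample data with placeholder addresses.

# classify_probe REQUEST_LINE -> prints the worm family, or "-" for a normal request
classify_probe() {
    case "$1" in
        # Code Red: .ida overflow, padding is a long run of N before the %u shellcode
        *"/default.ida?NNNN"*) echo "CodeRed" ;;
        # Code Red II: same .ida overflow, padding is X instead of N
        *"/default.ida?XXXX"*) echo "CodeRedII" ;;
        # Nimda: first the root.exe backdoor Code Red II leaves behind, then the
        # Unicode and double-decode traversal paths to cmd.exe
        *"root.exe?/c+dir"*|*"/winnt/system32/cmd.exe?/c+dir"*) echo "Nimda" ;;
        # any other hit on default.ida is still an .ida overflow attempt, variant unknown
        *"/default.ida?"*) echo "ida-unknown" ;;
        *) echo "-" ;;
    esac
}

# request_of LOG_LINE -> the quoted request field of a combined-format log line
request_of() {
    r=${1#*\"}
    printf '%s\n' "${r%%\"*}"
}

# Constructed sample log (combined format; the overflow padding is shortened)
SAMPLE_LOG='10.0.0.5 - - [21/Apr/2003:10:01:02 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
10.0.0.9 - - [21/Apr/2003:10:03:14 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
10.0.0.9 - - [21/Apr/2003:10:03:15 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
10.0.0.17 - - [21/Apr/2003:11:20:40 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [21/Apr/2003:12:45:00 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
10.0.0.23 - - [21/Apr/2003:13:00:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"'

# probes [FILE] -> one "family client-ip" line per probe; reads FILE, or the sample log
probes() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi |
    while IFS= read -r line; do
        fam=$(classify_probe "$(request_of "$line")")
        [ "$fam" = "-" ] || printf '%s %s\n' "$fam" "${line%% *}"
    done
}

# count_family FAMILY [FILE] -> how many probes were attributed to FAMILY
count_family() {
    probes "$2" | grep -c "^$1 "
}

# summary [FILE] -> probe count per family, then per source address
summary() {
    probes "$1" | cut -d' ' -f1 | sort | uniq -c | sort -rn
    echo "--"
    probes "$1" | cut -d' ' -f2 | sort | uniq -c | sort -rn
}
```

    Run `summary /var/log/apache/access.log` (or `. ./worms.sh; summary`) against the real log; the
    per-address list is what tells you whether it is one infected host hammering you or, as Bomba says,
    a spread of freshly infected machines with no pattern.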
     
  14. Technician

    Technician Guest

    In article <[email protected]>, [email protected] says...
    > "Peter Tønnesen" <[email protected]> wrote in message
    >
    > > Not exactly news, but a good reminder. Lots of people have installed IIS without knowing it...
    >
    > And they deserve whatever they get from their ignorance. My only complaint is that these rooted
    > boxes are later used to attack others.

    It is a default of the Windows installation; only if you know enough to do the custom install do you
    find a place to not install IIS.

    > >
    > > Use a Linux box, as you are doing, and your worries are over :)
    >
    > It is probably better now, but at one time the average unpatched Red Hat server would only last
    > about 1 month on the Internet before getting rooted. Server and network security is about
    > vigilance and paranoia, not about blind faith in your OS.
    >

    Interestingly, mine lasted about 6 months before it was compromised. May be a benefit of running
    software that is really old. Now I am paranoid of every single connection that looks out of the
    ordinary, like this strange FTP connection now and then. It just connects and disconnects; it does not
    even log in. My guess is the client was simply checking the server version to see if it can be
    compromised. Apparently it can't, as that is all they seem to be doing.

    I have my system locked down as best as I can, aside from updating software (I just don't have the
    bandwidth, and nothing better is available). I even changed my root password to one so long I
    frequently make mistakes when logging in.

    ~Travis
    --
    To reply by email, remove clothes.

    travis5765.homelinux.net, Primary Administrator TF Custom Electronic, Owner/Founder/Developer
    (current project: Automotive exhaust flame-thrower)
     
  15. Bomba

    Bomba Guest

    Technician wrote:

    > It is a default of the Windows installation; only if you know enough to do the custom install do
    > you find a place to not install IIS.

    Not true. Win 2K Server / Advanced Server install IIS by default, but not Win 2K Pro - you have to
    deliberately install IIS on Pro.

    >>>Use a Linux box, as you are doing, and your worries are over :)
    >>
    >>It is probably better now, but at one time the average unpatched Red Hat server would only last
    >>about 1 month on the Internet before getting rooted. Server and network security is about
    >>vigilance and paranoia, not about blind faith in your OS.

    My first attempt at Linux was Red Hat and it was hit within four days. Fortunately, the person who
    cracked it didn't know what they were doing, so no damage was done.

    > Interestingly, mine lasted about 6 months before it was compromised. May be a benefit of running
    > software that is really old. Now I am paranoid of every single connection that looks out of the
    > ordinary, like this strange FTP connection now and then. It just connects and disconnects; it does
    > not even log in. My guess is the client was simply checking the server version to see if it can be
    > compromised. Apparently it can't, as that is all they seem to be doing.

    My FTP servers often get hit with anonymous connections - they're just kiddies looking for open
    servers where they can dump warez, etc.

    > I have my system locked down as best as I can, aside from updating software (I just don't have the
    > bandwidth, and nothing better is available). I even changed my root password to one so long I
    > frequently make mistakes when logging in.

    Security should not come at the expense of usability. 8 alpha-numeric and special characters
    should suffice.

    As for general security tips, turn off any unwanted services, install some decent IPTables rules and
    keep up to date with exploits by subscribing to security mailing lists or newsgroups.
     
  16. Technician

    Technician Guest

    In article <[email protected]>, myarse247 @hotmail.com says...
    > Technician wrote:
    >
    > > It is a default of the Windows installation; only if you know enough to do the custom install do
    > > you find a place to not install IIS.
    >
    > Not true. Win 2K Server / Advanced Server install IIS by default, but not Win 2K Pro - you have to
    > deliberately install IIS on Pro.

    Yes, that's right, i forgot that difference.

    >
    > >>>Use a Linux box, as you are doing, and your worries are over :)
    > >>
    > >>It is probably better now, but at one time the average unpatched Red Hat server would only last
    > >>about 1 month on the Internet before getting rooted. Server and network security is about
    > >>vigilance and paranoia, not about blind faith in your OS.
    >
    > My first attempt at Linux was Red Hat and it was hit within four days. Fortunately, the person who
    > cracked it didn't know what they were doing, so no damage was done.
    >
    > > Interestingly, mine lasted about 6 months before it was compromised. May be a benefit of running
    > > software that is really old. Now I am paranoid of every single connection that looks out of the
    > > ordinary, like this strange FTP connection now and then. It just connects and disconnects; it
    > > does not even log in. My guess is the client was simply checking the server version to see if it
    > > can be compromised. Apparently it can't, as that is all they seem to be doing.
    >
    > My FTP servers often get hit with anonymous connections - they're just kiddies looking for open
    > servers where they can dump warez, etc.

    Could be interesting. Just have to write a script that takes a Win32 virus/worm/trojan (preferably
    one that is really nasty and hard to detect), grabs the files in the "uploads" directory, injects
    the virus/worm/trojan into the files, places them in the "just_uploaded" folder and then deletes
    the original "clean" file. It may not stop the warez problem, but at least it will wreak havoc with
    their systems for a while, thus providing a form of cheap entertainment. Silent backdoors are
    always fun (if only I had a few to toy with).

    >
    > > I have my system locked down as best as I can, aside from updating software (I just don't have the
    > > bandwidth, and nothing better is available). I even changed my root password to one so long I
    > > frequently make mistakes when logging in.
    >
    > Security should not come at the expense of usability. 8 alpha-numeric and special characters
    > should suffice.
    >
    > As for general security tips, turn off any unwanted services, install some decent IPTables rules
    > and keep up to date with exploits by subscribing to security mailing lists or newsgroups.
    >
    >

    I have turned off all services that I can, and blocked ports for the others. The only ports that are
    open that I can detect from the outside are 21 (FTP), 22 (SSH), 25 (SMTP), 80 (HTTP), 110 (POP3),
    119 (NNTP), and 443 (HTTPS).

    FTP does not allow anonymous access. SMTP only relays for internal hosts, and only receives mail for
    this domain. HTTP is as secure as HTTP can be. POP3 is just the inetd POP3 daemon; I would like to
    change to something I can actually configure. NNTP is user:password protected and only provides
    access to local groups (such as server news and user-created groups and so forth). HTTPS is
    fairly secure as it uses my own certificate generated from a nice source of random data.

    ~Travis
    --
    To reply by email, remove clothes.

    travis5765.homelinux.net, Primary Administrator TF Custom Electronic, Owner/Founder/Developer
    (current project: Automotive exhaust flame-thrower)
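    Bomba's tip (turn off unwanted services, put decent iptables rules in front of the rest) and
    Technician's list of what he leaves reachable (21, 22, 25, 80, 110, 119 and 443) fit together as a
    default-deny ruleset. The script below is an added example, not anything posted in this thread:
    emit_rules prints the iptables commands for exactly that exposure, allowed_ports reads back which
    ports they open so the list can be checked against an nmap scan, and apply_rules feeds the rules to
    a root shell. The LAN range it can take, used to keep POP3 and NNTP for the box's own users, and the
    kernel 2.4 ip_conntrack_ftp module name are assumptions of the example, not from the posts.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a box that exposes only
# FTP, SSH, SMTP, HTTP, POP3, NNTP and HTTPS. Nothing here is from the thread;
# the LAN range and the ip_conntrack_ftp module name are assumptions.

PUBLIC_PORTS="21 22 25 80 443"   # services meant to be reachable by anyone
LOCAL_PORTS="110 119"            # POP3 and NNTP: only this box's own users need them

# emit_rules [LAN_CIDR] -> print the iptables commands, one per line.
# With a LAN_CIDR, POP3 and NNTP are accepted only from that range.
emit_rules() {
    lan=$1
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"      # default deny: anything not listed below is dropped
    echo "iptables -P FORWARD DROP"    # this box is not a router
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # replies to our own connections, plus FTP data connections once ip_conntrack_ftp is loaded
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    for p in $PUBLIC_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $LOCAL_PORTS; do
        if [ -n "$lan" ]; then
            echo "iptables -A INPUT -s $lan -p tcp --dport $p -m state --state NEW -j ACCEPT"
        else
            echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
        fi
    done
    # log (rate-limited) what falls through to the DROP policy, so odd connections show up in syslog
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'INPUT-DROP: '"
}

# allowed_ports [LAN_CIDR] -> the TCP ports on which the ruleset accepts NEW connections
allowed_ports() {
    emit_rules "$1" | sed -n 's/.*--dport \([0-9]*\) .*-j ACCEPT$/\1/p' | sort -n | xargs
}

# apply_rules [LAN_CIDR] -> load the ruleset (needs root and a 2.4-era iptables)
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    modprobe ip_conntrack_ftp 2>/dev/null || true   # so RELATED matches FTP data connections
    emit_rules "$1" | sh -e
}

case "${1:-}" in
    show)  emit_rules "$2" ;;
    apply) apply_rules "$2" ;;
esac
```

    Review with `sh firewall.sh show 192.168.1.0/24`, load with `sh firewall.sh apply 192.168.1.0/24`,
    then confirm from outside that `nmap -p 1-1024` reports nothing beyond what allowed_ports lists. The
    firewall only decides who can reach a port; whether SMTP relays, whether FTP takes anonymous logins
    and whether the inetd POP3 daemon is current are still the daemons' own settings.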
     
  17. Technician

    Technician Guest

    In article <[email protected]>, myarse247 @hotmail.com says...
    > Technician wrote:
    > > OK, I know this is very off topic, please forgive me.
    > >
    > > Those that have Windows, specifically 2000, and possibly XP: if you do not intend to host a
    > > website from your computer, uninstall the IIS service. If you need/want it, then make sure you
    > > have the latest security patch for it.
    >
    > Jeez Trav, you're just about as sharp as a button, and only two years behind on all the IIS
    > exploits.

    I'm not behind, the people that are still vulnerable are behind.

    >
    > Also, people shouldn't need to 'uninstall' IIS, because IIS is not installed by default in Win 2K
    > Pro or XP.

    Already pointed out in another post.

    >
    > > Within just this year, I have so far received 82 connections probing for an unpatched IIS
    > > server. What it found was a non-vulnerable (to this attack) Apache server running on Linux.
    >
    > 82 hits really isn't that much...

    It is when they are 99% of my total connections.

    >
    > > Among the network security community, these attacks are believed to be from a worm. I can't
    > > remember which one, but it is either Nimda, Code Red, or the new Code Red II.
    >
    > "New" Code Red II? Code Red II came out in August 2001.

    Code Red II changed into a slightly different variation within the last few months and has been
    dubbed the new Code Red II by several other network security analysts I have been in contact with. It
    is not yet an entirely new version, just a slight variation.

    >
    > You should be able to tell which worm it is, by analysing the command strings.

    Well, I tried to post the packet data, but my ISP's news server seemed to take it as a binary post
    (obviously the admin needs a swift kick in the butt as ASCII text surrounded by more ASCII text is
    NOT binary). See http://www.megalink.net/~farmers/packet_data.txt for packet data.

    In any case, it is Codered II. I think it is even the newer variation, but I can't remember the
    differences off the top of my head.

    >
    > > So run virus scans and patch those IIS services if you must run them.
    > >
    > > The Sources so far are fairly random. Lets see, i have gte.net, snet.net, direcpc.com,
    > > swbell.net, megapath.net, cox-internet.com, verestar.net, interquest.net, cablerocket.net,
    > > covad.net, rr.com, nuvox.net, astound.net, tds.net, bellsouth.net, aei.ca, arrival.net,
    > > charter.com, and the list goes on.
    >
    > They're usually infected machines that are just propagating the worm. As such, there'll be no real
    > pattern.

    I knew there was no pattern, just listing some of the source ISPs. Though approximately 90% of the
    hits come from broadband connections (though that could also be the percentage of users in the US
    that have broadband).

    >
    > > Again, i apologize for posting a message so blatantly off-topic, but i figured it was a notice
    > > worth posting.
    >
    > Although well meaning, you'd be better off advising about general pc security. Open NetBIOS shares
    > are far more commonly left open, and far more commonly exploited than an unpatched IIS.
    >
    >

    Very true, but if you are using open shares you pretty much invite trouble (you don't rent a storage
    unit and then leave the door unlocked). I think one of the more common problems now though is open
    WiFi gateways. A friend of mine with a laptop and a WiFi card drove around with a WiFi War program
    (with GPS) and managed to map out a very nice array of open gateways. He usually only makes use of
    them by finding an openly shared printer and popping out a message like "warning, your wireless
    network is insecure. I am printing this from my car while I drive by".

    Nothing worse than a corporate network, locked down with a high grade firewall, and the latest
    security patches everywhere, and some idiot installs a WiFi gateway so he/she can work from home,
    thus removing the protection the firewall provides.

    ~Travis
    --
    To reply by email, remove clothes.

    travis5765.homelinux.net, Primary Administrator TF Custom Electronic, Owner/Founder/Developer
    (current project: Automotive exhaust flame-thrower)
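Bomba's suggestion above (tell the worm apart by the request strings it sends) is easy to automate on an Apache box like the one being probed. The script below is an added example, not code from anyone in this thread. It parses Apache combined-format log lines and classifies each request by the well-known worm signatures: Code Red and Code Red II both request /default.ida (Code Red pads the query with N, Code Red II with X), and Nimda requests root.exe or cmd.exe through IIS script paths. The log lines in SAMPLE_LOG are constructed for the example and use RFC 5737 documentation addresses.

```python
"""Classify IIS-worm probes found in Apache access log lines.

Added example; not code from the thread. The log lines in SAMPLE_LOG are
constructed (RFC 5737 documentation addresses). Signatures: Code Red and
Code Red II both request /default.ida (Code Red pads the query with 'N',
Code Red II with 'X'); Nimda requests root.exe or cmd.exe via IIS script paths.
"""
import re
from collections import Counter
from typing import Optional

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def classify_request(request: str) -> Optional[str]:
    """Return the worm family a request line matches, or None for ordinary traffic."""
    try:
        method, path, _proto = request.split(" ", 2)
    except ValueError:  # not "METHOD PATH PROTO"; not something these worms send
        return None
    if method != "GET":
        return None
    low = path.lower()
    if "/default.ida?" in low:
        query = path.split("?", 1)[1]
        # The padding byte in the query tells the two Code Red worms apart.
        if query.startswith("XXXX"):
            return "CodeRedII"
        if query.startswith("NNNN"):
            return "CodeRed"
        return "CodeRed-variant"
    if "/root.exe" in low or "/cmd.exe" in low:
        return "Nimda"
    return None


def summarize_access_log(lines):
    """Return (parsed line count, hits per worm family, probe hits per source host)."""
    families = Counter()
    sources = Counter()
    parsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed += 1
        family = classify_request(m.group("request"))
        if family:
            families[family] += 1
            sources[m.group("host")] += 1
    return parsed, families, sources


# Constructed sample: four worm probes and one legitimate request.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Apr/2003:03:14:07 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"',
    '198.51.100.7 - - [21/Apr/2003:04:02:31 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-"',
    '198.51.100.7 - - [21/Apr/2003:04:02:32 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"',
    '203.0.113.5 - - [21/Apr/2003:09:45:12 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [21/Apr/2003:11:20:00 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"',
]

if __name__ == "__main__":
    parsed, families, sources = summarize_access_log(SAMPLE_LOG)
    print(f"{sum(families.values())} of {parsed} requests were IIS worm probes")
    for family, n in families.most_common():
        print(f"  {family}: {n}")
    for host, n in sources.most_common():
        print(f"  from {host}: {n}")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; the per-family split answers the "which worm" question and the per-source counts are what you would hand to the source ISP's abuse desk. A 404 on every one of these requests is exactly what an Apache server should return; the point of logging them is to know how much of your traffic is worm noise, not to block anything.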
     
  18. Bomba

    Bomba Guest

    Technician wrote:

    >>82 hits really isn't that much...
    >
    >
    > It is when they are 99% of my total connections.

    Install a logging firewall, and then see how many people are really trying to connect to you :)

    >>"New" Code Red II? Code Red II came out in August 2001.
    >
    >
    > Codered II changed into a slightly different variation within that last few months and has been
    > dubbed the new Codered II by several other network security analyst i have been in contact with.
    > it is not yet an entirely new version, just a slight variation.

    Although there may be slight variations in the code, they essentially exploit the same vulnerability.
    The last Code Red vulnerability listed by CERT was August 2001.

    >>They're usually infected machines that are just propagating the worm. As such, there'll be no real
    >>pattern.
    >
    >
    > I knew there was no pattern, just listing some of the source ISPs. Though approximately 90% of the
    > hits come from broadband connections (though that could also be the percentage of users in the us
    > that have broadband).

    Nowhere near. Broadband uptake in the US is still less than 30%, IIRC.

    >>Although well meaning, you'd be better off advising about general pc security. Open NetBIOS shares
    >>are far more commonly left open, and far more commonly exploited than an unpatched IIS.
    >>
    >
    > Very true, but if you are using open shares you pretty much invite trouble (you don't rent a
    > storage unit and then leave the door unlocked).

    Unfortunately, a lot of home users don't even know there's a door...

    > I think one of the more common problems now though are open
    > WiFi gateways. a friend of mine with a laptop and a WiFi card drove around with a WiFi War program
    > (with GPS) and managed to map out a very nice array of open gateways. he usually only makes use of
    > them by finding an openly shared printer and popping out a message like "warning, your wireless
    > network is insecure. I am printing this from my car while i drive by".

    Read up on 'war driving'.

    > Nothing worse than a corporate network, locked down with a high grade firewall, and the latest
    > security patches everywhere, and some idiot installs a WiFi gateway so he/she can work from home,
    > thus removing the protection the firewall provides.

    I haven't got time to teach you all about remote access security, suffice to say that it's much more
    complicated than that.

    --
    a.m-b FAQ: http://www.t-online.de/~jharris/ambfaq.htm

    b.bmx FAQ: http://www.t-online.de/~jharris/bmx_faq.htm
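Bomba's "install a logging firewall" point is that a web server log only shows what reached port 80; the firewall log shows every port that was knocked on, including ports nothing listens on (NetBIOS 137/139, for example), which is where most of the noise lives. The script below is an added example, not from anyone in this thread. It parses the key=value lines the Linux kernel LOG target writes to syslog and counts fresh connection attempts per port and per source, flagging hits on ports outside the list Travis says his box exposes (21, 22, 25, 80, 110, 119, 443). The SAMPLE_LOG lines are constructed with RFC 5737 addresses, and the "FW-IN:" tag is an assumed --log-prefix.

```python
"""Summarize iptables LOG lines: which sources knock on which ports.

Added example; not code from the thread. SAMPLE_LOG is constructed
(RFC 5737 addresses) in the format the kernel LOG target writes to syslog;
"FW-IN: " is an assumed --log-prefix. EXPOSED_PORTS are the ports the poster
says his server answers on; anything else is a closed port, which a web
server log never sees at all.
"""
import re
from collections import Counter

KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")
EXPOSED_PORTS = {21, 22, 25, 80, 110, 119, 443}


def parse_log_line(line):
    """Return the key=value fields of a kernel LOG line plus its bare flag tokens, or None."""
    if "kernel:" not in line:
        return None
    body = line.partition("kernel:")[2]
    fields = {m.group("key"): m.group("val") for m in KV_RE.finditer(body)}
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    # DF, SYN, ACK and friends are bare upper-case tokens without '='.
    fields["FLAGS"] = {tok for tok in body.split() if "=" not in tok and tok.isalpha() and tok.isupper()}
    return fields


def summarize_firewall_log(lines, exposed=EXPOSED_PORTS):
    """Count connection attempts per (proto, dport) and per source; also count hits on closed ports."""
    by_port = Counter()
    by_src = Counter()
    closed_port_hits = 0
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        proto = f["PROTO"]
        # For TCP only count fresh connection attempts (SYN without ACK);
        # packets of an established session are not probes.
        if proto == "TCP" and not ("SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]):
            continue
        if "DPT" not in f:
            continue  # e.g. ICMP; out of scope here
        dport = int(f["DPT"])
        by_port[(proto, dport)] += 1
        by_src[f["SRC"]] += 1
        if dport not in exposed:
            closed_port_hits += 1
    return by_port, by_src, closed_port_hits


# Constructed sample lines (same IN/MAC header repeated for brevity).
_PFX = "Apr 21 03:14:07 bikehost kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
SAMPLE_LOG = [
    _PFX + "SRC=192.0.2.10 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4321 DF PROTO=TCP SPT=3012 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0",
    _PFX + "SRC=192.0.2.10 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4322 DF PROTO=TCP SPT=3013 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0",
    _PFX + "SRC=203.0.113.5 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=77 DF PROTO=TCP SPT=2251 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0",
    _PFX + "SRC=198.51.100.7 DST=198.51.100.20 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58",
    _PFX + "SRC=192.0.2.44 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    _PFX + "SRC=192.0.2.44 DST=198.51.100.20 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0",
    "Apr 21 05:00:00 bikehost sshd[1234]: Accepted publickey for travis from 203.0.113.9 port 4001",
]

if __name__ == "__main__":
    by_port, by_src, closed = summarize_firewall_log(SAMPLE_LOG)
    print(f"{sum(by_port.values())} connection attempts, {closed} to ports nothing listens on")
    for (proto, port), n in sorted(by_port.items()):
        state = "open" if port in EXPOSED_PORTS else "closed"
        print(f"  {proto}/{port} ({state}): {n}")
    for src, n in by_src.most_common():
        print(f"  {src}: {n}")
```

To feed it real data, add a rule such as `iptables -A INPUT -m state --state NEW -j LOG --log-prefix "FW-IN: "` ahead of your accept/drop rules so every new inbound attempt is logged, then pass the kernel lines from /var/log/messages (or wherever syslog puts them) as `lines`. The closed-port count is the number that answers Bomba's question: the 82 hits on port 80 are usually a small fraction of what is actually arriving.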
     
  19. Bomba

    Bomba Guest

    Technician wrote:

    >>My FTP servers often get hit with anonymous connections - they're just kiddies looking for open
    >>servers where they can dump warez, etc.
    >
    >
    > Could be interesting. Just have to write a script that takes a win32 virus/worm/trojan (preferably
    > one that is really nasty and hard to detect), grabs the files in the "uploads" directory, injects
    > the virus/worm/trojan into the files, and places them in the "just_uploaded" folder and then
    > deletes the original "clean" file. It may not stop the warez problem, but at least it will wreak
    > havoc with their systems for a while, thus providing a form of cheap entertainment. Silent
    > backdoors are always fun (if only I had a few to toy with).

    You're getting into dodgy territory with virii. If you want to do something like that, look at
    honeypots.

    >>As for general security tips, turn off any unwanted services, install some decent IPTables rules
    >>and keep up to date with exploits by subscribing to security mailing lists or newsgroups.
    >>
    >
    > I have turned off all services that I can, and blocked ports for the others. The only ports that
    > are open that I can detect from the outside are 21 (FTP), 22 (SSH), 25 (SMTP), 80 (HTTP), 110
    > (POP3), 119 (NNTP), and 443 (HTTPS).
    >
    > FTP does not allow anonymous access. SMTP only relays for internal hosts, and only receives mail
    > for this domain. HTTP is as secure as http can be. POP3 is just the inetd pop3 daemon. I would like
    > to change to something I can actually configure. NNTP is user:password protected and only provides
    > access to local groups (such as server news and user created groups and so forth). HTTPS is
    > fairly secure as it uses my own certificate generated from a nice source of random data.

    If you collect mail with SMTP, why are you running POP3?

    --
    a.m-b FAQ: http://www.t-online.de/~jharris/ambfaq.htm

    b.bmx FAQ: http://www.t-online.de/~jharris/bmx_faq.htm
     
  20. Technician

    Technician Guest

    In article <[email protected]>, [email protected] says...
    > Technician wrote:
    >
    > >>82 hits really isn't that much...
    > >
    > >
    > > It is when they are 99% of my total connections.
    >
    > Install a logging firewall, and then see how many people are really trying to connect to you :)

    Hmmm, could be interesting.

    >
    > >>"New" Code Red II? Code Red II came out in August 2001.
    > >
    > >
    > > Codered II changed into a slightly different variation within the last few months and has been
    > > dubbed the new Codered II by several other network security analysts I have been in contact with.
    > > It is not yet an entirely new version, just a slight variation.
    >
    > Although there may be slight variations in the code, they essentially exploit the same
    > vulnerability. The last Code Red vulnerability listed by CERT was August 2001.
    >
    > >>They're usually infected machines that are just propagating the worm. As such, there'll be no
    > >>real pattern.
    > >
    > >
    > > I knew there was no pattern, just listing some of the source ISPs. Though approximately 90% of
    > > the hits come from broadband connections (though that could also be the percentage of users in
    > > the US that have broadband).
    >
    > Nowhere near. Broadband uptake in the US is still less than 30%, IIRC.
    >
    > >>Although well meaning, you'd be better off advising about general pc security. Open NetBIOS
    > >>shares are far more commonly left open, and far more commonly exploited than an unpatched IIS.
    > >>
    > >
    > > Very true, but if you are using open shares you pretty much invite trouble (you don't rent a
    > > storage unit and then leave the door unlocked).
    >
    > Unfortunately, a lot of home users don't even know there's a door...
    >
    > > I think one of the more common problems now though are open
    > > WiFi gateways. a friend of mine with a laptop and a WiFi card drove around with a WiFi War
    > > program (with GPS) and managed to map out a very nice array of open gateways. he usually only
    > > makes use of them by finding an openly shared printer and popping out a message like "warning,
    > > your wireless network is insecure. I am printing this from my car while i drive by".
    >
    > Read up on 'war driving'.

    Hmmm, got my copy of Net Stumbler, now all I need is a laptop, WiFi card, and a GPS receiver.

    >
    > > Nothing worse than a corporate network, locked down with a high grade firewall, and the latest
    > > security patches everywhere, and some idiot installs a WiFi gateway so he/she can work from
    > > home, thus removing the protection the firewall provides.
    >
    > I haven't got time to teach you all about remote access security, suffice to say that it's much
    > more complicated than that.
    >

    ~Travis
    --
    To reply by email, remove clothes.

    travis5765.homelinux.net, Primary Administrator TF Custom Electronic, Owner/Founder/Developer
    (current project: Automotive exhaust flame-thrower)
     