Is it time for a black hole list for

Post by Dennis Peterso » Sun, 05 Aug 2001 11:46:28



badly managed servers running IIS? I'm beginning to think so. These IIS
servers that continue to dish out the Code Red Worm weeks after the
first infestation still include domains that are sufficiently large
enough that they should know better.

This is getting absurd. I have this nagging feeling that a lot of folks
have installed NT and don't know they have an active IIS server running.
I could be wrong, but nevertheless, there's that nagging feeling... I
have no qualms against blocking stupid. I'd be happy to share lists.

dp
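
As an added illustration (not part of the original post), one way to build the kind of shareable list described above is to pull Code Red probe sources out of a web server access log. The log lines, addresses, the 100-character filler threshold and the function names are assumptions constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" \d{3} \S+')

# Code Red probes request /default.ida with a long run of one filler
# character in the query string (N in the first variant, X in Code Red II).
# The 100-character minimum is an assumption chosen for this example.
PROBE = re.compile(r'^GET /default\.ida\?(?:N{100,}|X{100,})', re.IGNORECASE)


def probe_sources(lines):
    """Return a Counter of probe hits keyed by source address."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if not m or not PROBE.match(m.group(2)):
            continue  # malformed line or an ordinary request
        try:
            hits[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # host field is a resolved name, not an address
    return hits


def blocklist(hits, min_hits=2, never_block=()):
    """Addresses seen probing at least min_hits times, minus exempt networks."""
    exempt = [ipaddress.ip_network(n) for n in never_block]
    chosen = [a for a, n in hits.items()
              if n >= min_hits and not any(a in net for net in exempt)]
    return [str(a) for a in sorted(chosen, key=lambda a: (a.version, int(a)))]


def _clf(host, request):
    # Constructed sample line; timestamp, status and size are made up.
    return f'{host} - - [05/Aug/2001:11:46:28 -0700] "{request}" 404 205'


# Constructed sample log using documentation address ranges.
SAMPLE_LOG = [
    _clf("192.0.2.10", "GET /default.ida?" + "N" * 224 + " HTTP/1.0"),
    _clf("192.0.2.10", "GET /default.ida?" + "N" * 224 + " HTTP/1.0"),
    _clf("198.51.100.7", "GET /default.ida?" + "X" * 224 + " HTTP/1.0"),
    _clf("192.0.2.200", "GET /default.ida?" + "N" * 224 + " HTTP/1.0"),
    _clf("192.0.2.200", "GET /default.ida?" + "N" * 224 + " HTTP/1.0"),
    _clf("203.0.113.5", "GET /index.html HTTP/1.0"),        # normal traffic
    _clf("203.0.113.9", "GET /default.ida?NN HTTP/1.0"),    # too short to count
    _clf("www.example.net", "GET /default.ida?" + "N" * 224 + " HTTP/1.0"),
    "truncated or garbage line",
]

if __name__ == "__main__":
    found = probe_sources(SAMPLE_LOG)
    for addr in blocklist(found, never_block=["192.0.2.128/25"]):
        print(addr)
```

Requiring more than one hit and exempting your own networks keeps a single stray or spoofed-looking entry from landing on a list that other sites will import.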

 
 
 

Post by Newbie JrSysAdm » Sun, 05 Aug 2001 21:54:58



> badly managed servers running IIS? I'm beginning to think so. These IIS
> servers that continue to dish out the Code Red Worm weeks after the
> first infestation still include domains that are sufficiently large
> enough that they should know better.

> This is getting absurd. I have this nagging feeling that a lot of folks
> have installed NT and don't know they have an active IIS server running.
> I could be wrong, but never the less, there's that nagging feeling... I
> have no qualms against blocking stupid. I'd be happy to share lists.

> dp

can i ask any of you a question?

what evidence do any of you have- evidence- microsoft is not willfully
designing its software with these security holes on the back end? they
go out of their way to design software 'big brother' will be able to
control, then they pretend like it's all an accident when it is
exploited by some geek.

 
 
 

Post by br.. » Sun, 05 Aug 2001 22:19:35



:> badly managed servers running IIS? I'm beginning to think so. These IIS
:> servers that continue to dish out the Code Red Worm weeks after the
:> first infestation still include domains that are sufficiently large
:> enough that they should know better.
:>
:> This is getting absurd. I have this nagging feeling that a lot of folks
:> have installed NT and don't know they have an active IIS server running.
:> I could be wrong, but never the less, there's that nagging feeling... I
:> have no qualms against blocking stupid. I'd be happy to share lists.
:>
:> dp

: can i ask any of you a question?

Why we are talking about NT and IIS in comp.unix.solaris?  Good question.

 
 
 

Post by Thomas Deh » Sun, 05 Aug 2001 23:02:53



> > badly managed servers running IIS? I'm beginning to think so. These IIS
> > servers that continue to dish out the Code Red Worm weeks after the
> > first infestation still include domains that are sufficiently large
> > enough that they should know better.

> > This is getting absurd. I have this nagging feeling that a lot of folks
> > have installed NT and don't know they have an active IIS server running.
> > I could be wrong, but never the less, there's that nagging feeling... I
> > have no qualms against blocking stupid. I'd be happy to share lists.

> > dp

> can i ask any of you a question?

> what evidence do any of you have- evidence- microsoft is not willfully
> designing its software with these security holes on the back end? they
> go out of their way to design software 'big brother' will be able to
> control, then they pretend like it's all an accident when it is
> exploited by some geek.

It is different to that. M$ basically is a PC software
company which produces easy to use software
for unskilled users. All M$ software is based on
the assumption that the user is a dumb PC user who
does not care about system administration, troubleshooting
problems, or security, as long as his software
is up and running after a reboot, or, if necessary,
a reinstallation.

Thomas

 
 
 

Post by Thomas Deh » Sun, 05 Aug 2001 23:13:42



> badly managed servers running IIS? I'm beginning to think so. These IIS
> servers that continue to dish out the Code Red Worm weeks after the
> first infestation still include domains that are sufficiently large
> enough that they should know better.

> This is getting absurd. I have this nagging feeling that a lot of folks
> have installed NT and don't know they have an active IIS server running.
> I could be wrong, but never the less, there's that nagging feeling... I
> have no qualms against blocking stupid. I'd be happy to share lists.

It is to be assumed that many NT administrators
who run IIS are not aware that per default
various vulnerable IIS features are turned on
which they never use. Who would
assume that IIS per default runs a print server
even if no printer is installed?

BTW, M$ does not even manage to put up
their own security fixes on their own servers.
www.windowsupdate.microsoft.com was down
a few days ago due to the Code Red worm.

Thomas

 
 
 

Post by Richard L. Hamilt » Sun, 05 Aug 2001 23:52:06





>> badly managed servers running IIS? I'm beginning to think so. These IIS
>> servers that continue to dish out the Code Red Worm weeks after the
>> first infestation still include domains that are sufficiently large
>> enough that they should know better.

>> This is getting absurd. I have this nagging feeling that a lot of folks
>> have installed NT and don't know they have an active IIS server running.
>> I could be wrong, but never the less, there's that nagging feeling... I
>> have no qualms against blocking stupid. I'd be happy to share lists.

>> dp

> can i ask any of you a question?

> what evidence do any of you have- evidence- microsoft is not willfully
> designing its software with these security holes on the back end? they
> go out of their way to design software 'big brother' will be able to
> control, then they pretend like it's all an accident when it is
> exploited by some geek.

There was a discussion along those lines some time ago on slashdot;
while * theories abound, there's a simpler answer:

"Never attribute to malice that which can be adequately explained by
stupidity"   http://www.veryComputer.com/

Also, at one time (although I can't find the quote now), I recall that
Gates was reported to have said in effect that customers wanted
features and ease of use, so security just wasn't a priority.  Given that
code is rarely 100% rewritten, yet good security has to be a matter of
careful overall design, coding, defaults, etc., even if that's no longer
their attitude, MS has such a huge burden of legacy code that _was_
produced under such an attitude that a reasonable person could only
expect that it would be a long and messy transition before a deep-set
orientation to security would not only affect development, coding, and
administration practices but would yield results already obtained in
other environments.  (sorry about that long sentence; I do try not to
write code quite that convoluted :-)

--
ftp> get |fortune
377 I/O error: smart remark generator failed

Bogonics: the primary language inside the Beltway


 
 
 

Post by Michael Jank » Mon, 06 Aug 2001 01:53:01



> badly managed servers running IIS? I'm beginning to think so. These IIS
> servers that continue to dish out the Code Red Worm weeks after the
> first infestation still include domains that are sufficiently large
> enough that they should know better.

> This is getting absurd. I have this nagging feeling that a lot of folks
> have installed NT and don't know they have an active IIS server running.
> I could be wrong, but never the less, there's that nagging feeling... I
> have no qualms against blocking stupid. I'd be happy to share lists.

> dp

When the worm first started, we tried to contact the web server
operators. Many of them had no clue that they were running a web
server. Many were on DSL & cable modems.

We've found that IIS often gets unknowingly installed when the user is
installing some other MS package.

--Mike

 
 
 

Post by Dennis Peterso » Mon, 06 Aug 2001 02:58:33




> > badly managed servers running IIS? I'm beginning to think so. These IIS
> > servers that continue to dish out the Code Red Worm weeks after the
> > first infestation still include domains that are sufficiently large
> > enough that they should know better.

> > This is getting absurd. I have this nagging feeling that a lot of folks
> > have installed NT and don't know they have an active IIS server running.
> > I could be wrong, but never the less, there's that nagging feeling... I
> > have no qualms against blocking stupid. I'd be happy to share lists.

> > dp

> can i ask any of you a question?

> what evidence do any of you have- evidence- microsoft is not willfully
> designing its software with these security holes on the back end? they
> go out of their way to design software 'big brother' will be able to
> control, then they pretend like it's all an accident when it is
> exploited by some geek.

It's hard to accept this as a business model for success. They have such
a profound black eye over the endless exploits that it has to be hurting
the bottom line if not their credibility as providers of enterprise
solutions.

dp

 
 
 

Post by Dennis Peterso » Mon, 06 Aug 2001 03:01:39





> :> badly managed servers running IIS? I'm beginning to think so. These IIS
> :> servers that continue to dish out the Code Red Worm weeks after the
> :> first infestation still include domains that are sufficiently large
> :> enough that they should know better.
> :>
> :> This is getting absurd. I have this nagging feeling that a lot of folks
> :> have installed NT and don't know they have an active IIS server running.
> :> I could be wrong, but never the less, there's that nagging feeling... I
> :> have no qualms against blocking stupid. I'd be happy to share lists.
> :>
> :> dp

> : can i ask any of you a question?

> Why we are talking about NT and IIS in comp.unix.solaris?  Good question.

Because it is having a serious effect on data centers, and creating
network outages that are platform agnostic. The network is the computer,
remember? No network, no computer. That affects me. We had a loss of
connection to Qwest for 20 hours while they repaired their equipment. We
run Solaris only. IIS is affecting me, you and a whole lot of us, and
I'm just a little tired of it.

dp

 
 
 

Post by Newbie JrSysAdm » Mon, 06 Aug 2001 06:18:38





> > > badly managed servers running IIS? I'm beginning to think so. These IIS
> > > servers that continue to dish out the Code Red Worm weeks after the
> > > first infestation still include domains that are sufficiently large
> > > enough that they should know better.

> > > This is getting absurd. I have this nagging feeling that a lot of folks
> > > have installed NT and don't know they have an active IIS server running.
> > > I could be wrong, but never the less, there's that nagging feeling... I
> > > have no qualms against blocking stupid. I'd be happy to share lists.

> > > dp

> > can i ask any of you a question?

> > what evidence do any of you have- evidence- microsoft is not willfully
> > designing its software with these security holes on the back end? they
> > go out of their way to design software 'big brother' will be able to
> > control, then they pretend like it's all an accident when it is
> > exploited by some geek.

> It's hard to accept this as a business model for success. They have such
> a profound black eye over the endless exploits that it has to be hurting
> the bottom line if not their credibility as providers of enterprise
> solutions.

> dp

i challenge the notion the monopolist is being hurt. the doj pretends
to go after microsoft all-the-while the government adopts a local
network security model designed by microsoft to apply criteria
basically meaningless outside nt. result: the government moves
wholesale to microsoft products and are certainly microsoft's largest
customer by far.

every meaningful innovation in their networking has been accompanied
by galling intrusions into users' privacy. the latest will affect your
ability to read and write from your hard disk without interacting with
a security daemon, at the behest of the entertainment industry. rather
than encode individual files, each disk will be affected at the
"macro" level. it's already affected sun, in that the labelling of the
drives related to this standard keeps you from doing simple
plug/unplug relabelling of the drives. i challenge anyone to tell me
how this improves network performance.

this all started with a willfully corrupt user registration of windows
95, where microsoft without any warning or obtaining any consent
scanned your hard drive and communicated back to them your directory
structures and the like. microsoft as a company felt they had the
right to do this, and no action whatsoever they have taken since
suggests they now feel otherwise about your rights to privacy, freedom
and indeed ownership of your computer hardware.

if you don't understand this, you need to take a look at microsoft's
newest license for exchange. you assign microsoft *ownership* of all
of your networked content, and they have no liability to you since
they *own* the information and can do with it as they please.

 
 
 

Post by Dennis Peterso » Mon, 06 Aug 2001 08:53:04



> if you don't understand this, you need to take a look at microsoft's
> newest license for exchange. you assign microsoft *ownership* of all
> of your networked content, and they have no liability to you since
> they *own* the information and can do with it as they please.

That won't be necessary as I don't now use or own nor do I plan to use
or own any MS products. And I'm going to find another DSL connection as
Qwest is handing all the residential DSL connections to MSN. But that is
all far from the original point I was trying to make which is these
endless exploits are now becoming as bad or worse than spam and it appears
it's going to require similar tactics to eliminate it.

dp

 
 
 

Post by bit-buc.. » Mon, 06 Aug 2001 12:58:25



:>
:> if you don't understand this, you need to take a look at microsoft's
:> newest license for exchange. you assign microsoft *ownership* of all
:> of your networked content, and they have no liability to you since
:> they *own* the information and can do with it as they please.

: That won't be necessary as I don't now use or own nor do I plan to use
: or own any MS products. And I'm going to find another DLS connection as
: Qwest is handing all the residential DSL connections to MSN. But that is
: all far from the original point I was trying to make which is these
: endless exploites are now becoming as bad or worse than spam and appears
: it's going to require similar tactics to eliminate it.

Seems rather simple to me. We simply need to all use whatever tools
we can (I prefer sendmail and procmail) to weed out all messages that
contain "suspect" material (i.e. it's in HTML format, it contains
attachments with suspect extensions, it's from a Microsoft based
site, etc..) and pitch or reject them. If enough people do it on a
large enough basis, it will greatly diminish the problems you refer
to. Just think of it as the email version of the Usenet Death Penalty.

fpsm
--
| Fredrich P. Maney                            maney at maney dot org |
| "Sometimes, fear has a good and useful purpose."                    |
|                          --Fredrich P. Maney                        |
|   Do NOT send me HTML formatted E-mail or copies of netnews posts!  |
|  Address in header is a spamtrap. Use one in signature for replies! |

 
 
 

Post by cjt & trefoi » Mon, 06 Aug 2001 14:30:55




> > badly managed servers running IIS? I'm beginning to think so. These IIS
> > servers that continue to dish out the Code Red Worm weeks after the
> > first infestation still include domains that are sufficiently large
> > enough that they should know better.

> > This is getting absurd. I have this nagging feeling that a lot of folks
> > have installed NT and don't know they have an active IIS server running.
> > I could be wrong, but never the less, there's that nagging feeling... I
> > have no qualms against blocking stupid. I'd be happy to share lists.

> > dp

> When the worm first started, we tried to contact the web server
> operators. Many of
> them had no clue that they were running a web server. Many were on DSL &
> cable
> modems.

> We've found that IIS often gets unknowingly installed when the user is
> installing some other
> MS package.

... thereby boosting IIS's numbers in the various surveys, I assume.

> --Mike

 
 
 

Post by cjt & trefoi » Mon, 06 Aug 2001 14:34:57




> > badly managed servers running IIS? I'm beginning to think so. These IIS
> > servers that continue to dish out the Code Red Worm weeks after the
> > first infestation still include domains that are sufficiently large
> > enough that they should know better.

> > This is getting absurd. I have this nagging feeling that a lot of folks
> > have installed NT and don't know they have an active IIS server running.
> > I could be wrong, but never the less, there's that nagging feeling... I
> > have no qualms against blocking stupid. I'd be happy to share lists.

> It is to be assumed that many NT administrators
> who run IIS are not aware that per default
> various vulnerable IIS features are turned on
> which they never use. Who would
> assume that IIS per default runs a print server
> even if no printer is installed?

> BTW, M$ does not even manage to put up
> their own security fixes on their own servers.
> www.windowsupdate.microsoft.com was down
> a few days ago due to the Code Red worm.

> Thomas

Is that the server on which they put the fix for others to download?  
Its domain name suggests it might be.  If so, that could make dealing with the
virus especially difficult.
 
 
 

Post by bit-buc.. » Mon, 06 Aug 2001 23:50:11



[deletia]

:> BTW, M$ does not even manage to put up
:> their own security fixes on their own servers.
:> www.windowsupdate.microsoft.com was down
:> a few days ago due to the Code Red worm.

: Is that the server on which they put the fix for others to download?  
: Its domain name suggests it might be.  If so, that could make dealing with the
: virus especially difficult.

Actually I'm waiting for someone to write a worm/virus that attacks
Microsoft's sites directly from M$ based machines/applications by using
their own exploits against them. Be kinda neat if the code even checked
something like the different M$ bug tracking and security exploit sites
and updated itself.

I don't like worms/viruses, and I'm not advocating that anyone do this,
but I think it would be a truly hilarious lesson in humility and security
for M$. It would be damn funny and make a huge splash on the news I think.

fpsm
--
| Fredrich P. Maney                            maney at maney dot org |
| "Sometimes, fear has a good and useful purpose."                    |
|                          --Fredrich P. Maney                        |
|   Do NOT send me HTML formatted E-mail or copies of netnews posts!  |
|  Address in header is a spamtrap. Use one in signature for replies! |

 
 
 

1. Black Hole / Sink Hole Routing

All,

I applied black hole / sink hole routing to our Cisco router that redirects
all packets that have a known "virus/worm" pattern to the null device. It is very
helpful for dropping all packets that contain NIMDA, NACHI, etc.

Is it possible to do the same action by using IPTABLES?

Your answer is very appreciated and waited for.

Thx & Rgds,

Awie
