One of our servers got hit. Still trying to figure out what to do about that. posted by LeiaS at 9:07 AM on September 18, 2001
My servers are getting blasted already. Good thing they're OpenBSD. posted by jakd at 9:21 AM on September 18, 2001
This could be very serious. At least one web security firm is issuing strong warnings that this new worm (dubbed 'Nimda') is spreading far more rapidly than Code Red, and that at least a million IIS servers are at risk.
This could be very serious. At least one web security firm is issuing strong warnings that this new worm (dubbed 'Nimda') is spreading far more rapidly than Code Red, and that at least a million IIS servers are at risk.
Oops, sorry for the double post. Back button mishap. posted by cfj at 9:47 AM on September 18, 2001
i hate microsoft. i thought code red was bad, but i'm afraid to look at my referrer logs when i will have the chance... posted by moz at 10:01 AM on September 18, 2001
You just reposted the original link twice.
Love, a safe little Mac User. (Oh, yeah.)
But I sympathize, really. ;-) posted by mirla at 10:02 AM on September 18, 2001
I know. My bad. posted by cfj at 10:06 AM on September 18, 2001
Even safe little Mac users aren't safe -- even though you won't get infected, you will still get hit with the traffic to all your favorite websites, no matter what server you are running them on. My safe little Apache sites got hammered this morning and the traffic keeps on coming. Worms don't discriminate. We all get screwed because of Microsoft's security holes.
One security email I received noted that it started just about to the minute of exactly one week since the first plane hit the WTC. posted by LeiaS at 11:24 AM on September 18, 2001
damn... just looked at my logs and... damn. posted by lotsofno at 1:37 PM on September 18, 2001
This could be very serious. At least one web security firm is issuing strong warnings that this new worm (dubbed 'Nimda') is spreading far more rapidly than Code Red, and that at least a million IIS servers are at risk.
Call me crazy but these are two old virus exploits in a new package. Why aren't all these corporate IIS servers patched yet? If CodeRed wasn't a call to get a sys admin off his ass and do the necessary patching I don't know what is.
Also, filtering out executable files should be standard in corporate America. Forcing everyone to use zip is a good idea. At least then you can't plead ignorance when you made the effort to unzip the file, copy it someplace, and run it.
The fact that so many businesses don't do anything about security just encourages virus writers. posted by skallas at 1:55 PM on September 18, 2001
In support of the theory (re: LeiaS's email):
We cannot discount the coincidence of the date and time of release, exactly one week to (probably to the minute) as the World Trade Center attack.
Of course, I also heard this was a hoax to cover up the slowdowns caused by Carnivore ;) posted by kd at 1:56 PM on September 18, 2001
Honestly, I have a hard time feeling sorry for all the people out there who are hit with this, seeing as they are still vulnerable to a bug found on October 17, 2000. Maybe this is the Darwinian equivalent in the computer world -- you don't patch your servers, and they don't survive. posted by delfuego at 2:31 PM on September 18, 2001
I know that our server that was affected was up to date at least as of Code Red (it is not my duty to keep up with the patches). We ran the Microsoft tool for checking that all patches were up to date then (and probably since, I just am not aware of exact times). Is Nimda finding an unknown exploit? posted by LeiaS at 2:41 PM on September 18, 2001
Is Nimda finding an unknown exploit?
It also uses an IE exploit to launch an outlook email. The last thing you want to do is put the IP of the vulnerable server into IE. I don't know if MS's tool checks for IE vulnerabilities. posted by skallas at 3:40 PM on September 18, 2001
This is a very aggressive attacker. Reports are that the Nimda worm tries to exploit 16 different known vulnerabilities in IIS, contains an FTP component (that is used to install a DLL) and an SMTP server to send emails with attachments, and maybe worst of all, exploits an IE bug that allows a multipart MIME file to execute and infect a machine, simply by viewing a web page.
The clones of this worm are gonna be *really* interesting to see... posted by aramaic at 6:04 PM on September 18, 2001
cfj:
this patch seems to be the most recently recommended for the problem at hand. posted by moz at 6:33 PM on September 18, 2001
Why doesn't somebody cook up a worm that causes physical damage somehow to unpatched IIS servers? That would seem to get admins off their asses. posted by canoeguide at 2:53 AM on September 19, 2001
Maybe this is the Darwinian equivalent in the computer world -- you don't patch your servers, and they don't survive.
Yes, but unlike Darwinian natural selection, when one species kicks the bucket, it usually doesn't turn around and beat the hell out of all of the stronger species around it... posted by fooljay at 10:52 AM on September 19, 2001
Trend Micro posted a free cleaner for "Nimda". This cleans the infected *.exe(s), and deletes the many *.eml, for starters. It did not seem to remove the added javascript from *.htm(l) and *.asp though. It got us back up.
The other major virus companies I have tried simply delete all infected files - some fix! I personally tried Norton, InoculateIT, and McAfee to no avail. What do they want the big money for?
posted by LeiaS at 9:07 AM on September 18, 2001
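Added example, not part of any post in this thread: a post-cleanup check for the gap described in the last comment, where the cleaner left the added JavaScript in *.htm(l) and *.asp files. It assumes the injected script names one of the dropped .eml files; the function names and the sample page are constructed for illustration.

```python
import os
import re
import sys

WEB_EXTENSIONS = {".htm", ".html", ".asp"}
# Assumption (not stated in the thread): the injected script refers to one of
# the dropped .eml files by name, inside a quoted string.
SCRIPT_BLOCK = re.compile(rb"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
EML_REFERENCE = re.compile(rb"""["']([^"'<>]*\.eml)["']""", re.I)

# Constructed sample: a page with a script block appended after </html>.
SAMPLE_PAGE = (b"<html><body>ok</body></html>\n"
               b'<script language="JavaScript">window.open("sample.eml")</script>\n')


def find_eml_scripts(data):
    """Return (byte_offset, eml_name) for each script block naming a .eml file."""
    hits = []
    for block in SCRIPT_BLOCK.finditer(data):
        ref = EML_REFERENCE.search(block.group(1))
        if ref:
            hits.append((block.start(), ref.group(1).decode("latin-1")))
    return hits


def scan_webroot(root):
    """Walk a web root; report leftover script blocks and stray .eml files."""
    report = {"scripts": [], "eml_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".eml":
                report["eml_files"].append(path)
            elif ext in WEB_EXTENSIONS:
                with open(path, "rb") as handle:
                    for offset, eml in find_eml_scripts(handle.read()):
                        report["scripts"].append((path, offset, eml))
    return report


if __name__ == "__main__":
    result = scan_webroot(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, offset, eml in result["scripts"]:
        print(f"{path}: script at byte {offset} references {eml}")
    for path in result["eml_files"]:
        print(f"{path}: stray .eml file")
```

Run it against a copy of the web root after the cleaner has finished; any file it lists still needs the script block removed by hand or restored from a known-good backup.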