How to anonymously get root access on a quarter million machines overnight
August 5, 2001 6:16 PM   Subscribe

How to anonymously get root access on a quarter million machines overnight In the past 24 hours the CodeRed II worm has been infecting IIS web servers with a speed equal to or greater than that of the original CodeRed. The original CodeRed infected what is thought to be all vulnerable machines, approximately 250,000 hosts, in under 24 hours. While CodeRed I was relatively harmless, CodeRed II installs a full Administrator-access back door shell that can be accessed via HTTP. This creates a very interesting situation, and with the techniques discussed in this paper opens a new potential door for mass system cracking.
posted by lagado (13 comments total)
 


Don't forget that these machines are all actively broadcasting their presence to the world, also, by their continued scanning. If you have a web server on a hard-hit subnet (say, 24.x.x.x), your logs are most likely full of IPs of compromised machines trying to infect new hosts.

The backdoor is amazingly easy to use, and you can do just about anything with it. If you're nice, those things include alerting the owner of the system or shutting down IIS to prevent further damage. Another fun activity is searching peoples' machines for mp3s or other interesting files. The possibilities are endless!

My question is this: How did all of these machines remain unpatched? This was all over the news, so nearly everyone should know about it. I can think of two main reasons a machine would still be vulnerable: ignorance (i.e., the people don't know they're running IIS), or stupidity...
posted by whatnotever at 7:00 PM on August 5, 2001
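The log evidence whatnotever describes is easy to pull out mechanically. The following is an added example, not code from the thread or from any of the posters: a small Python script that parses Apache combined-format access-log lines and tallies, per source address, requests that carry the Code Red signature. Both worms hit the IIS .ida ISAPI overflow (MS01-033) with a GET for /default.ida followed by a long filler run, 'N' for the original Code Red and 'X' for Code Red II; Code Red II also leaves cmd.exe reachable as /scripts/root.exe and /msadc/root.exe, so requests for those paths are someone probing or using the backdoor. The log lines and IP addresses below are constructed for the example (the 24.x addresses echo the subnet mentioned above and are not real hosts).

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache combined format). None of these
# addresses or entries come from the thread; they only exercise the parser.
SAMPLE_LOG = """\
24.1.2.3 - - [05/Aug/2001:18:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
24.9.8.7 - - [05/Aug/2001:18:05:42 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
24.9.8.7 - - [05/Aug/2001:18:07:13 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [05/Aug/2001:18:10:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.5 - - [05/Aug/2001:18:12:31 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
"""

# Apache "combined"-style access-log line. The fields used below are the
# client address and the request line (method, path, protocol).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Label a request path if it looks like Code Red activity, else return None.

    Both worms exploit the IIS .ida ISAPI filter overflow (MS01-033) with a GET
    for /default.ida followed by filler: 'N' for Code Red I, 'X' for Code Red II.
    Code Red II also copies cmd.exe to root.exe under /scripts and /msadc, so a
    request for those paths means someone is probing (or using) the backdoor.
    """
    lower = path.lower()
    if lower.startswith("/default.ida?"):
        filler = path.split("?", 1)[1]
        if filler.startswith("NNNN"):
            return "CodeRed-I probe"
        if filler.startswith("XXXX"):
            return "CodeRed-II probe"
        return "default.ida probe (unknown variant)"
    if lower.startswith("/scripts/root.exe") or lower.startswith("/msadc/root.exe"):
        return "root.exe backdoor probe"
    return None


def summarize(log_text):
    """Map each source IP to a Counter of the Code Red labels seen from it.

    Lines that do not parse, or that carry no Code Red signature, are skipped,
    so ordinary traffic (like the /index.html hit above) never appears.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        label = classify(rec["path"])
        if label:
            hits[rec["ip"]][label] += 1
    return hits


if __name__ == "__main__":
    # Each address in the output is a host that is either infected (the
    # default.ida probes) or scanning for already-infected hosts (root.exe).
    for ip, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, dict(counts))
```

Run it against a real access log by passing the file's contents to summarize(); every address it reports is a host worth reporting to its ISP's abuse contact, which is what the "TOS action" later in the thread would rest on.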


whatnot--Much of the blame rests with Microsoft for their poor choices about what services to run as default. Some guy with a cable modem gets a copy of Windows 2000 Server from his brother-in-law and installs it on his pc. He knows it lets him browse the web, but he doesn't know that by default it has also installed an extravagantly outfitted and shockingly insecure version of a web server on his little peecee.

Is the worm writer off the hook? Nope, in fact he's the only one acting out of malice and/or other selfish motives.

Is the ersatz sysadmin off the hook? Nope, he's running software that's over his head and endangering himself as well as others.

But still, Microsoft could have prevented the lion's share of these occurrences by making their installations default to having communication services turned off until the operator explicitly asked for them to be turned on. If someone can't figure out how to turn them on, then they probably aren't qualified to ensure their safe operation.

From here forward it must be considered foolhardy and negligent to install an unpatched version of an operating system on a box with a live internet connection. Yes, this means that if you need to install on a box with a live connection, you must ensure that your installation source is installing files that are fully up to date. Even then, communication services should default to off unless absolutely unavoidable circumstances preclude this, such as an installation pushed across a network connection (in which case if all communication services were turned off you wouldn't be able to control the box once you installed the operating system).
posted by NortonDC at 7:28 PM on August 5, 2001


Aha! I thought the "get" request looked different.
The lion's share of the requests my unix webserver is receiving in a vain attempt at exploiting this vulnerability are coming from DHCP-given addresses on broadband suppliers.
I think we have underestimated the sheer number of manipulable systems that sit on fast pipes, administered by people who are learning how to run IIS and other services in their house "cuz it's kewl." I'd expect a backlash of TOS action by ISPs.
posted by machaus at 8:05 PM on August 5, 2001



sorry, something wacky was happening there with the site.
posted by machaus at 8:16 PM on August 5, 2001


Muh-hey, um CLEARLY this is the just vengeance of an omniscient and omnipotent God who will only bring about heaven on earth when all machines are cleansed of IIS and running Apache with the BURNING and the PAIN FOR netadmins and the FINAL CLEANLINESS! Say LINUX! Say Linux!

Sorry - sorry, shit, I thought I was on Slashdot for a moment there.
posted by GriffX at 8:21 PM on August 5, 2001


What about FreeBSD?
posted by gleemax at 9:06 PM on August 5, 2001


NortonDC: WTF? Microsoft is culpable because they didn't make their server software pirate-friendly? You've got to be kidding me.

Having IIS off on server SKUs by default would be of very little value. Starting a service (viz., IIS) is *trivial* -- keeping up with patches evidently isn't. Presumably, if someone has the server version, they have it for a reason (except your brother-in-law, of course :-)
posted by JasonSch at 9:30 PM on August 5, 2001


JasonSch-read what I wrote:
"Much of the blame rests with Microsoft for their poor choices about what services to run as default."

And, oddly enough, getting software from one's brother-in-law does not require piracy. What a naughty assumption. I'm shocked at you, positively shocked.

Yes, starting services is trivial. However it would keep the ignorant and apathetic from unknowingly running IIS, as they are prone to do now. Beyond those that run Server inappropriately, it would make it much safer to install the OS from unpatched installation sources by lowering the number of vulnerabilities, reducing the risk during the window between installation and patching.

Small steps that could have a dramatic impact during attack storms, like now.
posted by NortonDC at 9:48 PM on August 5, 2001


<pedant> You can't get 'root' access on a Microsoft box. </pedant>
posted by wackybrit at 9:50 PM on August 5, 2001


Yes, on Microsoft machines, the account is "Poor Bastard whose Management drank the Microsoft Kool-Aid under the mistaken assumption that world-class marketing goes hand-in-hand with world-class software design".
posted by websavvy at 10:07 PM on August 5, 2001


Norton, that site damned well will have an impact; it's listing sites which have been compromised with the backdoor. It's painting a giant target on them. That strikes me as being rather irresponsible.
posted by Steven Den Beste at 11:33 PM on August 5, 2001

