荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: lvyou (≈≈≈≈≈≈≈), 信区: Virus
标 题: Code Green kills Code Red !
发信站: 荔园晨风BBS站 (Sat Sep 8 11:49:57 2001), 转信
Code Green kills Code Red
------------------------------------------------------------------------
--------
posted 12:50pm EST Thu Sep 06 2001 - submitted by Ron Kassen
NEWS
Code Green, written by Herbert HexXer, has the ability to scan servers
infected with Code Red. It then automatically downloads service packs
from Microsoft, supposedly fixing the vulnerable machine. Crclaen is
another similar worm/utility that performs the same tasks, but only
affects the boxes by which it has been scanned.
Security experts are not promoting this as a solution because it makes
unauthorized changes to a network, which could cause more damage than it
fixes.
Check out The Register, which has links to the e-mail messages that
the writers posted pertaining to these pieces of code and the extreme
caution they advise when using them.
RON'S OPINION
Although these gentlemen were trying to do good, unauthorized changes to
network servers without understanding why they exist at their current
state could do more damage to networks than good. In the comments to a
previous news item, someone wrote in that he had not patched his servers
against Code Red because he had not applied a service pack due to
hardware constraints. How many other servers are out there with the same
implementation? Is this really a good way to patch servers? What do
we do with a machine that cannot be patched against Code Red for some
reason?
It is important to note that these programs were not released, but
that the code was merely posted. Both writers heavily caution users of
this code against blindly using it, and hopefully this caution will be
heeded.
Another concern that I have is that Microsoft operating systems
typically don't patch well in some circumstances, and for this reason it
would be unwise to let some program just automatically attempt
changes no matter how good they are.
USER COMMENTS 27 comment(s)
Asking for trouble (1:05pm EST Thu Sep 06 2001)
Yup. - by ..
What? (1:06pm EST Thu Sep 06 2001)
Why not just scan for vulnerable servers and email the admin, if he is
intent on doing some good?
If course, you couldn't make even that little program into a worm,
that would still be very illegal. - by ...
Up theirs! (1:29pm EST Thu Sep 06 2001)
Anyone that hasn't patched by know needs to have it patched for them. If
they're whining that a hardware constraint ---still--- is preventing
them from fixing their install, they should pull the box off the net!
- by Robguy
Intentionally not patching (1:39pm EST Thu Sep 06 2001)
is asking for trouble.
Code Red isn't just a worm. It's a worm that uses an exploit that people
are capable of using too. If you don't fix the exploit, you're
leaving the entire filesystem open to hackers. I know, I've seen it
done.
If auto-patching can be problematic, maybe Code Green should create an
informational text file on the desktop and then shut down the web
server. Not everyone who runs IIS runs a mail server, so getting an
admin e-mail isn't as easy at it sounds.
- by format c:
Commendable (1:51pm EST Thu Sep 06 2001)
What a nice hacker. I like this for 2 reasons. #1, this guy is a nice
guy and is eliminating a serious problem. #2, it gives IT folk a way
of testing whether or not there systems are vulnerable to Code Green. If
you don't want Code Green running on your box, maintain your damn
system. Hey MS, get your shit together. This is getting annoying. - by
Steven
Thats because (1:58pm EST Thu Sep 06 2001)
Microsoft OS's suck.
Buy UNIX, you'll be glad you did.
- by The Scavenger
hmm (2:21pm EST Thu Sep 06 2001)
give me one example of a terrible virus for......get ready....AMIGA!!! -
by YodaIsGod
What's wrong with an anti-virus (2:33pm EST Thu Sep 06 2001)
Honestly, wouldn't it be more challenging and rewarding to create
anti-virii that seek out unstable/bad code and automatically apply
benevolent fixes? Why do "bad" hackers feel their only purpose in life
is to create anarchy. Every "evil" has it's anti, so I think it is about
time a group of benevolent hackers start working towards this end,
patching up any system that have security holes, software virii and
bad just plain bad code.
Asside from that, where do I buy Unix? Honestly, I haven't seen it
available in many places. What can I run on it, I haven't seen the
huge library of software in the Unix section at my local BestBuy? - by
Johnny
Scavenger... (2:36pm EST Thu Sep 06 2001)
http://www.cs.iastate.edu/~ghelmer/unixsecurity/unix_vuln.html
'nuff said. - by God?/i>
the best solution is... (2:50pm EST Thu Sep 06 2001)
1. format your harddrives to Ext2 and install Linux...
2. get apache for a server software...
3. watch your wallet get fatter because you are not heaping buckets of
money in to M$FT's bank for their crapware OS... - by RipVanWinkle
Re: Anti-Virii (sic) (3:20pm EST Thu Sep 06 2001)
This reminds me of the old Buggs Bunny cartoon, where Elmer Fudd has a
mouse in his house.
First, they sell him a cat to catch the mouse. then there's a dog to get
rid of that pesky cat. Then a lion to scare away the now entrenched
dog. When the lion gets to be unbearable, they bring in an elephant to
clean house. Finally, when they determine that elephants make horrible
house-mates, they send in (the original!) mouse to freak out the
elephant.
At each the step, the costs to Mr. Fudd (the consumer) mount. He is
never satisfied with the solution. He has no way out of the loop without
breaking it, and this salesman only sells him re-tread solutions.
Please don't start using Viruses to stop viruses. We'll end up with an
AIDS*-like epidemic on our servers.
* Quick Quiz:
AIDS was started by:
A. Africans eating infected chimpanzee meat (NY Times Science Section
this week)
B. Polio-cure seekers, by accident in the 1950's. (Old-school Wetsern
Medicine Bashers)
C. White supremicists to kill all blacks & gays (Paranoid delusion at
best)
D. A super-evil ultra-brain in order to gear up the world's laboratories
to research DNA-transmitted disease (Acts of the Apostles) - by
HungryWolverine
To Johnny... (3:21pm EST Thu Sep 06 2001)
At my local Best Buy, I can pick up any of three flavors of Linux -
RedHat, Mandrake, and SuSE - all of which are "UNIX" enough for me - for
under $80.00...
You can also download Sun Microsystem's Solaris "UNIX" operating
system for free to run on Intel boxes of 4 or less processors (or was it
8 or less?)...
As for the applications, they're out there, you just have to hop on
the net and look for them.
A couple good places to start are Linux TUCOWS and FreshMeat...
And StarOffice 5.2 is a great office productivity package that does a
good job of handling Microsoft Office documents, and runs on multiple
platforms (Win, Linux, Sun, IBM AIX, etc.)...
- by K. Adams
Clueless M$ drivers (3:36pm EST Thu Sep 06 2001)
I agree with RobGuy and "format c:". If a sysadmin with NT boxen
hasn't patched 'em or taken 'em offline by now they are abetting the
spread of these worms. Stomp 'em into a pile o' bloody rags. - by
Malathud
What if there isn't (4:13pm EST Thu Sep 06 2001)
a patch? I have a Cisco 675 router for my DSL connection. I contracted
Red Worm since it acts as a DHCP box. There isn't a permanant patch. I
got a call from Cisco asking me to call them and discuss upgrade
"options".
Looks like Cisco has taken lessons from MS. - by OldGeek
Cisco 675 (5:31pm EST Thu Sep 06 2001)
First of all, Old Geek, you can't "contract" Red Worm on your Cisco box,
but you can become a victim of incessant attempts to do so. Simply
unplugging the modem clears the attacks -- at least temporarily.
Since you're online today, I assume you also know the simple workarounds
to both disable Web services and alter the Web port returns your
modem (router) to enough functionality for most people.
If you require Web access as God and Cisco originally intended (IOW, you
don't like using Telnet from designated IPs only), Cisco indeed has a
CBOS 2.4.3 (#?) update posted, and has for several days, at least (Qwest
has a page hosting the d/l, too).
However, on your last point, I will agree, as applying the newest CBOS
strips the 67x series of modems (routers) of a critical ability to run
mixed IP networks without the need for a complex firewall/router.
Cisco will instead try to sell you an 8xx series modem (router) for
several hundred dollars to regain that capability that you already had
and paid for when you bought your 67x (even if you got it "free" with
your DSL).
Aren't they nice? - by Frederico
MS scanner (5:50pm EST Thu Sep 06 2001)
Just wanted to point out that MS actually does provide a free
patch/vulnerability scanner
HFNetChk http://www.microsoft.com/downloads/release.
asp?releaseid=31154
As I mentioned in my Aug 27 techrepublic.com Locksmith Column
As for the "What?" comment, I wouldn't go e-mailing administrators if
I were you, someone just got arrested for doing that, seems the
authorities took it as an extortion threat of the kind those Russian
hackers perpetrated. After all, that's exactly what they did, e-mail
people about problems on their systems and offer to fix them.
And, oh yes, as for the MS no, Linux yes crowd, there are lots of
problems with linux also, MS just gets more attention because it's
much more widely installed:
According to Security Focus Bugtraq
2001 vulnerabilities (discovered in the calendar year so far, not
cumulative)
MandrakeSoft Linux Mandrake 7.2 33
RedHat Linux 7.0 28
MandrakeSoft Linux Mandrake 7.1 27
Debian Linux 2.2 26
Sun Solaris 8.0 24
Sun Solaris 7.0 24
Microsoft Windows 2000 24
MandrakeSoft Linux Mandrake 7.0 22
SCO Open Server 5.0.6 21
RedHat Linux 6.2 i386 20
MandrakeSoft Linux Mandrake 6.1 20
MandrakeSoft Linux Mandrake 6.0 20
Wirex Immunix OS 7.0-Beta 19
Sun Solaris 2.6 19
RedHat Linux 6.2 sparc 18
RedHat Linux 6.2 alpha 18
Debian Linux 2.2 sparc 18
Debian Linux 2.2 arm 18
Debian Linux 2.2 alpha 18
Debian Linux 2.2 68k 18
- by locksmith
Reminds me of the Ramien worm. (5:52pm EST Thu Sep 06 2001)
The Ramien worm would fix all the security problems with an unpatch
Redhat server, but would replace all of the index.html file with its
webpage.
This solution is worse than the cure. - by E J
Staroffice (6:16pm EST Thu Sep 06 2001)
Well that bit of software blows goats big time, it is the most crapest
work processor that I have ever seen, it takes over th deskop and is a
pain in the arse to install of the network - by God
Unix Security (7:03pm EST Thu Sep 06 2001)
Sure, UNIX as a whole is far more prone to security problems. There
are hundreds of flavors, they are far more widespread in networking
environments (with the exception of medium-sized corporations), and they
have been around for decades.
So when you compare this to a single vendor, numerically you have a
lopsided result. And when you compare security issues without regard
to severity, numerically, you'll have some interesting numbers facing
UNIX.
The fact is that there are literally hundreds of versions of UNIX, and
each has it's own vulnerabilities. Often these vulnerabilities are minor
or limited to non-root permissions. With Windows, the ability of
remotely exploiting admin privilages is trivial and common.
Many argue that Windows just gets picked on more because it's more
widely installed (?), but it's all a matter of relativity. EVERY
system can be hacked! The determinate is time: If your house has
deadbolts and a comprehensive security system (UNIX), most theives won't
even bother. But if your neighbor leaves the keys under the doormat
because it's more convenient that way, you can bet they'll get robbed
when the thief is going down the street jiggling handles.
It's all relative. - by - GregM
But we're off the point... (7:17pm EST Thu Sep 06 2001)
Why does every tech post always regress to "My OS is better than yours!"
(even though we all know UNIX really IS better than NT/2K D)?
This story is discussing the ethics of creating an 'antibody' of sorts
to combat a worm/virus. With CodeRed, the immediate problem was the
defacement. The secondary and ongoing problem is the constant and
unchecked scanning that ALL servers must now endure thanks to the
remaining unpatched machines.
If more people decide to start creating a worm that has a positive
intent, they're still creating a damaging and self-replicating worm.
This would just add to the lag that slowed networks to a crawl for
several days (costing billions worldwide in lost revenue/productivity)
and would not even be the silverbullet fix it was designed to be.
So "There's no right way to do a wrong thing" (MLK?) is a good way to
look at this ethically.
Everyone who administers a system that is on the world wide network
has a responsibility to maintain their corner of the web. I imagine
we'll see the emergence of 3rd party security companies offering ISP's a
routine scan of common security holes for monthly fees...
So when is it okay to scan, attempt to exploit just to show it can be
done, or patch the server yourself? ONLY when the owners/admins of the
machines/networks are informed prior to the attempt AND permission is
granted. It's like someone breaking into your house to show it can be
done... You WOULD press charges regardless of their actual intent.
- by - GregM
Harware compatability not an issue (7:30pm EST Thu Sep 06 2001)
Actually there is some incorrect info in Ron's opinion... The fix for
the code red virus doesn't have to be applied via a service pack. A
machine can be patched with microsoft's security update which will not
affect hardware compatability at all. - by PotLegalizer
OldGeek... (8:00pm EST Thu Sep 06 2001)
Cbos version 2.4.3 is out. It's a permanent fix for the code red worm
and cisco 67x routers...
http://www.qwest.com/dsl/customerservice/virusjump.html
I have it if you can't get it via your dsl provider... - by God?/i>
God and Fredrico (8:51pm EST Thu Sep 06 2001)
I just ordered the CD. I received an e-mail from QWest offering that
so I went for it. I am short of coasters.
I implemented the short term solution some time back and that has worked
well.
I understood the attack differently, I did wonder how they managed to
update the CMOS over the internet, but since that is the only virus I
ever wanted to write I didn't really think about it. Your computer
BIOS is the only place for a virus. That can work regardless of OS.
That is if you want to write that crap.
Anyway thanks for your thoughts.
- by OldGeek
Code Red/Green (9:01pm EST Thu Sep 06 2001)
Sounds like a bad game of NetHack that got out of control... :-)
While the premise of an anti-virus-virus is not necessarily a bad thing,
the main problem, as it has been previously pointed out, is the cure
may be worse than the disease.
Unless a network is specifically designed for distributive autonomous
updates - it's best to leave it alone and let the SysAdmin figure it out
or get bent over the chair by his boss and the virus...
- by Amused Old Hack
oldgeek (9:12pm EST Thu Sep 06 2001)
There isn't enough room in the BIOS to account for a specific OS, the
best thing to do to a BIOS is wipe it out or write in junk data so their
PC won't boot. - by chip@geek.com
Award's on to that trick already (11:23pm EST Thu Sep 06 2001)
new Award BIOSes default to Flash-disabled, and require you to
manually enable it, then it disables it when it finishes a legitimate
upgrade. The system won't boot more than once with the switch flipped on
(or it will pause every time and ask if you really want to leave it
that way).
And as far as the holy wars go, I tried installing Red Hat 7.1 on my
latest frankenbox, and it failed miserably. Windows 2000 likes it
though. Computers - go figure. - by Onibroc
Failed install (11:35pm EST Thu Sep 06 2001)
Onibroc, what problems did you run into? What were the issues? Was it
a WinModem? Proprietary system (brand new Compaq or something...)
used? Hardware compatibility? Let me know: r_linux@hotmail.com (my
'Passport'! hehe...)
- by - GregM
--
想要把你忘记真的好难 思念的痛在我心里纠缠 朝朝暮暮的期盼 永远没有答案
为何当初你选择一刀两断 听你说声爱我真的好难 曾经说过的话风吹云散
站在天秤的两端 一样的为难 唯一的答案 爱一个人好难
※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 202.104.105.207]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店