On Tue, Oct 02, 2001 at 10:54:59PM -0400, Rich Cloutier wrote:
> > From: "Thomas M. Albright" <[EMAIL PROTECTED]>
> > To: "GNHLUG" <[EMAIL PROTECTED]>
> > Sent: Tuesday, October 02, 2001 7:27 PM
> > Subject: Re: Website defacement (was: Anti-terrorism bill...)
> >
> > If the web site is that important to the business, there should be a
> > dedicated web-server, so if there is a break-in, it's *just* the web
> > server hit,
>
> Wrong-o, o armchair quarterback! Any web site serving other than static
> content, if it uses Microsoft, will have IIS on it. The Nimda virus spread
> to ALL the servers on the network thru IIS

...if they are also running vulnerable Windows code, and if they are not on
the other side of the firewall from the Windows machine, properly configured
to protect them from it. NOT having your web server on a DMZ is just dumb.
Having much else out there besides servers providing internet services is
probably not necessary, and to be discouraged if avoidable.

> separate. (In fact, the source of the virus was from within the private
> (user) network in the first place.

Maybe. You seem to be referring specifically to Nimda, but none of the
discussions other than yours were Nimda specific. Besides that, Nimda can
spread from server to client, and from system to system if shares are
accessible. If the client is the source of infection, then (at least lately)
it's almost certainly by e-mail client bugs, and that problem can quite
effectively be dealt with by filtering incoming executable attachments. But
many sites don't have the balls to decide they don't need to receive
executable attachments in e-mail. This makes no sense to me, given the
monumental risk, and the relatively diminutive benefit. There are also
different/better ways to deliver executables which are genuinely useful.

> Nice sentiment. Who *wants* to be compromised? The fact is that 41 percent
> of the server market IS Microsoft (although probably that figure will
> decline sharply. I know that the "guy across the hall" is now looking into
> other options.)

And that is the ultimate goal of the attacker(s), which is why in a previous
message I said that if there were a target it was Microsoft. The sites
affected were merely incidental casualties, not the REAL target. While the
ends DO NOT justify the means, if there is good to come of this, that would
be it.

> The Microsoft infrastructure that is out there still needs to be
> protected until it can be replaced.

Yes, but protection implies action, and many (if not ALL) of the affected
sites were affected because their admins sat on their hands (well, o.k., they
were too busy rebooting all the Windows servers to patch them). There have
been patches for most, if not all of the problems that Nimda attacks for
YEARS. They're largely the same bugs that have been exploited by other recent
worms, and (without taking the time to look up the specifics -- yeah, I'm
lazy too) IIRC most of those bugs have had patches released by Microsoft over
two years ago. But people don't apply them. I understand there's now one
cumulative patch for all of these bugs. Still, I would not be surprised to
see another worm of similar magnitude that exploits (at least some of) the
same holes.

--
---------------------------------------------------
Derek Martin              | Unix/Linux geek
[EMAIL PROTECTED]         | GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu

**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
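As an added example, not part of this thread, here is one way to implement the "filter incoming executable attachments" policy the message above argues for: a Python check over a MIME message that flags attachments by filename extension or by the "MZ" header of a Windows executable, since the sender-declared Content-Type alone cannot be trusted. The extension list and the sample message are constructed assumptions, not anything from the original posts.

```python
"""Flag e-mail attachments that are executables (added illustration; constructed data)."""
import email
from email import policy
from email.message import EmailMessage

# Assumed policy list of extensions treated as executable (not from the original post)
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def is_executable_part(part) -> bool:
    """True if a MIME part looks executable by filename OR by content.

    The declared Content-Type is under the sender's control, so it is not
    checked; instead the filename extension and the PE/MZ magic bytes are."""
    name = (part.get_filename() or "").lower()
    if any(name.endswith(ext) for ext in EXEC_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"  # DOS/PE header: Windows executables start with "MZ"


def find_executable_attachments(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return filenames of executable attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Only inspect parts that are delivered as attachments (or carry a filename)
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue
        if is_executable_part(part):
            hits.append(part.get_filename() or "<unnamed>")
    return hits


def build_sample() -> bytes:
    """Constructed test message: a text body plus three attachments.

    'report.dat' hides an MZ header behind a harmless-looking name and type,
    'setup.exe' is caught by its extension, and 'notes.txt' is clean."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "list@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00fake-pe-bytes", maintype="application",
                       subtype="octet-stream", filename="report.dat")
    msg.add_attachment(b"not really a program", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment("plain text notes", subtype="plain", filename="notes.txt")
    return bytes(msg)
```

Run against a real mail stream, the same check belongs at the MTA or gateway so that flagged messages are quarantined before any client renders them.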
