----- Original Message -----
From: "Derek D. Martin" <[EMAIL PROTECTED]>
To: "Rich Cloutier" <[EMAIL PROTECTED]>
Cc: "gnhlug" <[EMAIL PROTECTED]>
Sent: Wednesday, October 03, 2001 12:06 AM
Subject: Re: Website defacement (was: Anti-terrorism bill...)


> On Tue, Oct 02, 2001 at 10:54:59PM -0400, Rich Cloutier wrote:
> >
[snip]
>
> > separate. (In fact, the source of the virus was from within the private
> > (user) network in the first place.
>
> Maybe.  You seem to be referring specifically to Nimda, but none of the
> discussions other than yours were Nimda specific.

Yes I was. I had used it as an example of a "non-harmless" attack, and one
that I have personal experience with. People started responding to my
example, so the discussion got Nimda-specific.

> Besides that, Nimda
> can spread from server to client, and from system to system if shares
> are accessible.  If the client is the source of infection, then (at
> least lately) it's almost certainly by e-mail client bugs, and that
> problem can quite effectively be dealt with by filtering incoming
> executable attachments.  But many sites don't have the balls to decide
> they don't need to receive executable attachments in e-mail.  This
> makes no sense to me, given the monumental risk, and the relatively
> diminutive benefit.  There are also different/better ways to deliver
> executables which are genuinely useful.

At the time of the attack, the inhouse mail server was not being used;
individual users get their email directly from the ISP.

>
>
> > Nice sentiment. Who *wants* to be compromised? The fact is that 41 percent
> > of the server market IS Microsoft (although probably that figure will
> > decline sharply. I know that the "guy across the hall" is now looking into
> > other options.)
>
> And that is the ultimate goal of the attacker(s), which is why in a
> previous message I said that if there were a target it was Microsoft.
> The sites affected were merely incidental casualties, not the REAL
> target.  While the ends DO NOT justify the means, if there is good to
> come of this, that would be it.

It's possible that Microsoft was the target. I guess we won't know until we
find whoever wrote/propagated the virus.

>
> > The Microsoft infrastructure that is out there still needs to be
> > protected until it can be replaced.
>
> Yes but protection implies action, and many (if not ALL) of the
> affected sites were affected because their admins sat on their hands
> (well, o.k., they were too busy rebooting all the windows servers to
> patch them).  There have been patches for most, if not all of the
> problems that Nimda attacks for YEARS.  They're largely the same bugs
> that have been exploited by other recent worms, and (without taking
> the time to look up the specifics -- yeah, I'm lazy too) IIRC most of
> those bugs have had patches released by Microsoft over two years ago.
> But people don't apply them.

One problem (as it was related to me) is that the security patches for these
holes are UNDONE by Microsoft Service Packs for Win2K and IIS. You would
think (and shame on the admin for not double checking) that a Service Pack
released AFTER a security patch would contain the patch, wouldn't you? This
of course makes too much sense for Microsoft to implement.

>
> I understand there's now one cumulative patch for all of these bugs.
> Still, I would not be surprised to see another worm of similar
> magnitude that exploits (at least some of) the same holes.

Based on the above, I would not be surprised either.

Rich Cloutier
SYSTEM SUPPORT SERVICES
President, C*O
www.sysupport.com
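The gateway-side mitigation Derek describes in the quoted text (refusing incoming executable attachments) is easy to show in code. The filter below is an added example written for this thread, not code from the list, from either poster, or from any mail product. It parses a constructed sample message, flags attachments by file extension, declared content type, or the "MZ" magic bytes at the start of a DOS/PE executable (so a renamed .exe is still caught), and replaces each flagged part with a short note. The extension and content-type lists are assumptions; real gateways ship longer ones.

```python
"""Executable-attachment filter for an inbound mail gateway (added example).

Assumptions: the extension and content-type lists below are illustrative,
and build_sample_message() constructs the test message rather than reading
real mail. Nothing here is taken from the list thread or a vendor product.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed list of extensions treated as executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".eml"}
# Assumed list of declared content types that should not arrive from outside.
EXECUTABLE_CONTENT_TYPES = {"application/x-msdownload",
                            "application/x-msdos-program", "application/hta"}
# DOS/PE executables begin with the ASCII bytes "MZ".
PE_MAGIC = b"MZ"


def is_executable_part(part) -> bool:
    """True if a leaf MIME part looks executable by any of three checks:
    filename extension, declared content type, or payload magic bytes."""
    filename = part.get_filename() or ""
    # splitext returns the LAST suffix, so "invoice.txt.exe" is caught too.
    ext = os.path.splitext(filename.lower())[1]
    if ext in EXECUTABLE_EXTENSIONS:
        return True
    if part.get_content_type() in EXECUTABLE_CONTENT_TYPES:
        return True
    payload = part.get_payload(decode=True) or b""
    # A renamed executable keeps its PE header even with a harmless extension.
    return payload[:2] == PE_MAGIC


def strip_executables(raw_message: bytes):
    """Parse a raw RFC 822 message; return (cleaned_message, removed_names).

    Flagged parts are replaced in place with a text note so the recipient
    can tell that something was removed and why."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if not is_executable_part(part):
            continue
        name = part.get_filename() or "<unnamed>"
        removed.append(name)
        # set_content() clears the Content-* headers (including the
        # Content-Disposition carrying the filename) and the old payload.
        part.set_content(f"[attachment {name} removed by gateway policy: "
                         f"executable content]")
    return msg, removed


def build_sample_message() -> bytes:
    """Constructed sample: text body, a harmless .txt attachment, an .exe,
    and a disguised executable (.txt extension but PE magic bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see attached.")
    msg.add_attachment("plain notes", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00fake-pe", maintype="application",
                       subtype="octet-stream", filename="readme.exe")
    msg.add_attachment(b"MZ\x90\x00fake-pe", maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_executables(build_sample_message())
    print("removed:", removed)          # ['readme.exe', 'readme.txt']
    print(cleaned.as_string())
```

Checking the payload as well as the name matters because a filename is attacker-controlled; the magic-byte check is what catches the disguised third attachment. A production filter would also handle nested message/rfc822 parts and archives, which this example does not.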
