Mailinglist Archive: opensuse (4053 mails)

Re: [SLE] code red question....
  • From: Rick Green <rtg@xxxxxxxx>
  • Date: Tue, 7 Aug 2001 14:11:12 -0400 (EDT)
  • Message-id: <Pine.LNX.4.21.0108071339300.7402-100000@xxxxxxxxxxxxxxx>
On Tue, 7 Aug 2001 jfweber@xxxxxxxxxxx wrote:

> ** Reply to message from Gideon Hallett <diogenes@xxxxxxxxxx> on Tue, 7 Aug 2001 17:24:21 +0000
>
>
> ** Nonetheless, it's interesting reading.
> **
> ** I've had 272 probes today alone; many of them from other cable modem users
> ** within my ISP's network. It gives you an idea of how much care your local ISP
> ** takes over their broadband security.
Stop and think a moment about this statement. Just how much 'care' do
you want your ISP to exercise, and what does that 'care' look like?
Most of us complain bitterly when our ISPs filter packets in any way,
limiting our use of the internet to what _they_ think is necessary and
appropriate. Our local cable provider, Comcast, began filtering all port
80 incoming packets yesterday morning. The local LUG mailing list went
ballistic! It turns out that there are quite a few web servers sitting on
cable modems, with dynamic DNS update schemes in place to get around the
DHCP re-negotiations. People are running business on their cable modems,
despite the user agreements they signed which stipulated 'end-user client
applications only'. Comcast is just implementing an already-stated
policy.
The problem, IMO, is not lax ISPs, it is people who buy a system and
expect it to be 'plug-and-play'. In the amateur Radio world, these are
called 'Appliance Operators'. With all the publicity about security in
general and Code Red in particular, someone really has to have their head
in the sand to be running an unpatched IIS these days.
One of our local (self-proclaimed) techno-junkies came up with a script
which takes advantage of the 'back door' that CR2 leaves open. When a
scan from a CR2-infected machine is logged, an http GET is posted to the
address which will result in a message being displayed on the system's
console:
"THIS MACHINE HAS BEED HACKED! TAKE IT OFFLINE IMMEDIATELY!"

I'm sure there is a creative soul out there who can figure a way to use
that back door to ACTUALLY take the machine offline. I would consider that
a positive step, and a sort of internet Robin Hood kind of thing to
do... If you come up with a method, publish it far and wide!

PARANOID THOUGHT OF THE DAY: What does the M$-provided patch actually
do? Does it contain a back-door for M$ use???

>
> as a "sort of" update.. local news report just said folks w/ Cisco DSL
> modems are finding they get shut off by Code Red2 ( apparently code red
> updated by someone) It seems CR2 thinks Cisco DSL modems are "webservers"
Cisco DSL modems just may be webservers. Many of their products these
days have built-in webservers for remote administration. I wouldn't be
surprised if a buffer-overflow exploit containing Intel binary executable
code would crash a non-Intel webserver with an overflowable buffer...

--
Rick Green

"I have the heart of a little child, and the brain of a genius.
... and I keep them in a jar under my bed"
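Added, defender-side example (not code from the original post or from anyone in this thread): a small Python script that does the "logged scan" half of what Rick describes, counting worm probes per source address in a web server access log so you can see numbers like the "272 probes today" mentioned above. The log lines are constructed with RFC 5737 documentation addresses; the `/default.ida?` request with a long run of `N` (first variant) or `X` (later variant) filler is the published Code Red probe pattern, and the 20-character threshold is an assumption chosen here.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format). The addresses
# are RFC 5737 documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2001:13:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [07/Aug/2001:13:02:12 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [07/Aug/2001:13:05:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [07/Aug/2001:13:06:01 -0400] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
203.0.113.5 - - [07/Aug/2001:13:06:02 -0400] "GET /default.ida HTTP/1.1" 404 276 "-" "Mozilla/4.0"
"""

# Combined-log-format prefix: client, ident, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Assumed probe signature: the worm's overflow request targets /default.ida
# with a query string padded by a long run of one filler byte ('N' in the
# first variant, 'X' in the later one). Requiring 20 repeats keeps ordinary
# requests for /default.ida from matching.
CODE_RED_RE = re.compile(r'^/default\.ida\?(?P<fill>N{20,}|X{20,})')


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_probe(path):
    """Return the filler character ('N' or 'X') of a Code Red style probe, else None."""
    m = CODE_RED_RE.match(path)
    if not m:
        return None
    return m.group('fill')[0]


def summarize_probes(log_text):
    """Count Code Red probes per source address and per filler variant."""
    per_source = Counter()
    per_variant = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the whole run
        fill = classify_probe(rec['path'])
        if fill is None:
            continue  # ordinary traffic
        per_source[rec['ip']] += 1
        per_variant[fill] += 1
    return per_source, per_variant


if __name__ == "__main__":
    sources, variants = summarize_probes(SAMPLE_LOG)
    print(f"{sum(sources.values())} probes from {len(sources)} source(s)")
    for ip, n in sources.most_common():
        print(f"  {ip}: {n}")
    print("filler variants:", dict(variants))
```

Point it at a real access log by replacing `SAMPLE_LOG` with the file contents; the per-source counts are what you would hand to your ISP (or use to decide which of your own boxes to pull off the wire), and the filler-variant split tells you whether the first worm or the later one is hitting you.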
