Mailinglist Archive: opensuse (4053 mails)

< Previous Next >
Re: [SLE] code red question....
  • From: Dave Smith <Dave.Smith@xxxxxx>
  • Date: Tue, 7 Aug 2001 21:07:52 +0100
  • Message-id: <20010807210752.E653@xxxxxxxxxxxxxx>
On Tue, Aug 07, 2001 at 08:37:00PM +0000, diogenes@xxxxxxxxxx wrote:
> What I meant to say was this: your ISP is *not* going to protect you from
> this sort of thing. Having worked for one, I know that it really isn't their
> job unless you pay them to do it.

Which is sort of how it should be - I don't want my ISP filtering packets.
I've paid for a proper internet connection, and that's what I should get.

However, they should also accept some responsibility to inform users whose
machines have been infected. Since I've only been getting around 30-ish
hits per day (I'm not sure why, since I thought Code Red generated IP
addresses randomly, so there should be no reason why the fact that I only
have a dialup connection should reduce the number of hits), I've been
reporting all of the hits I've had to the ISP involved, where I've been to
reverse-resolve an IP address.

Some ISPs don't seem to have any kind of abuse reporting mechanism (or at
least, not that I can find on their site), whereas others give you a form
reply saying basically "We can't be bothered to reply, so you'll never
know whether we even bothered to do anything". The only personal-ish
replies I got were from my own ISP, Demon, who told me that they were
contacting the offending machines (it was a real reply, since they used
my name), and the best was from, surprisingly enough, a Polish ISP, who
told me what was going to happen next, and that they'll update me when
something's happened.

They might also consider it prudent to do some monitoring of IP packets,
to check for obvious infections - I would have thought that an ISP should
be able to see pretty easily that a machine had been infected - just watch
each IP address it owns for a minute or so, looking for suspect packets.
However, they should *never* block packets unless they have a confirmed
infection, and in this case, IMHO, they should consider suspending a
person's account until the hole is fixed.

> On Tuesday 07 August 2001 6:11 pm, Rick Green wrote:
> > I'm sure there is a creative soul out there who can figure a way to use
> > that back door to ACTUALLY take the machine offline. I would consider that
> > a positive step, and a sort of internet Robin Hood kind of thing to
> > do... If you come up with a method, publish it far and wide!

Since I believe that the worm gains root priviledge, I guess 'format c:'
would be pretty effective...

I can't remember whether it was on this list, but on one of the linux lists
I'm on, someone suggested writing a "Code Red Antidote" that scans IPs looking
for vulnerable machines, and when it finds one, gets root priviledges and
installs the M$ patch...

> Most ISP AUPs have explicit prohibitions against such behaviour; mine
> certainly takes a dim view of any action that results in a denial of service;
> grounds for immediate termination of contract.

Of course, in the UK, there are many ISPs which you can join without paying
(you just pay per minute for the connection), so just find an ISP that you
don't intend using ever again...
[I'm not advocating doing this, BTW, as it'd probably open you up to
prosecution, among other things]

> > PARANOID THOUGHT OF THE DAY: What does the M$-provided patch actually
> > do? Does it contain a back-door for M$ use???

No more/less likely than a back-door shipped in Windows itself...


--
David Smith Tel: +44 (0)1454 462380 (direct)
STMicroelectronics Fax: +44 (0)1454 617910
1000 Aztec West TINA (ST only): (065) 2380
Almondsbury Home: 01454 616963
BRISTOL Mobile: 07932 642724
BS32 4SQ Work Email: Dave.Smith@xxxxxx
Home Email: David.Smith@xxxxxxxxxxxxxxxxxxxx

< Previous Next >