Author Topic: Top 10 stats update:  (Read 1477 times)

Offline Sancho

  • Silver Member
  • ****
  • Posts: 1043
      • http://www.56thfightergroup.com
Top 10 stats update:
« Reply #30 on: July 18, 2001, 01:40:00 PM »
Quote
Originally posted by Lephturn:
...it would have been compromised just as easily (and possibly to much more dangerous effect) if it had been a *nix box without security precautions taken.

You said earlier this was an IIS worm?  Tell me how exactly this worm would just as easily affect a unix box running say apache or thttpd?  Remember, they don't run IIS.  ;)

Offline AKDejaVu

  • Platinum Member
  • ******
  • Posts: 5049
      • http://www.dbstaines.com
Top 10 stats update:
« Reply #31 on: July 18, 2001, 01:49:00 PM »
Sancho,

Apache has its problems too.  I haven't stopped by their web site lately, but I know for a fact that they can no longer claim that it has never been hacked.  The same group got into there that did the worm lephturn is talking about.

Besides, xNUX is great when you don't have any other real use for your computer.  Personally, I'd rather not let a dual xeon system go to waste simply being a small internet server... and I don't want to have to set up yet another PC to do the job that it can do in addition to everything else.

So... LINUX, UNIX, Windows or whatever is just as much trouble security-wise for an inexperienced user.  The server used to be LINUX... I do have experience with it.

I was actually hoping that if you didn't have anything of interest on the box itself, people would just leave it alone.  Of course, that is not the case.  People are so hell bent on proving superiority through malicious acts that it was unreasonable for me to be even remotely optimistic.  My own naivete came back to haunt me.

So.. I'll bring the box back up with a little tighter security.  Of course, in order to share the information, you create a window of opportunity for someone to prove just how clever they are by hacking in.  It's a risk I'm always willing to take.  I'll just learn my lessons as I go.

AKDejaVu

Offline Sancho

  • Silver Member
  • ****
  • Posts: 1043
      • http://www.56thfightergroup.com
Top 10 stats update:
« Reply #32 on: July 18, 2001, 01:58:00 PM »
Well, I hope you caught em before they wiped away all that great top 10 data.  I've enjoyed looking at the numbers myself from time to time.  Your site inspired me to roll my own temporary score page a few tours back when I was score whoring in the jug.  It was fun making the script, but no fun flying for score.  ;)

I'm curious what they did to you?  Defacement? Turn server into porn/warez server? Use it to DOS somebody?

Offline Creamo

  • Parolee
  • Platinum Member
  • ******
  • Posts: 5976
      • http://www.fatchicksinpartyhats.com
Top 10 stats update:
« Reply #33 on: July 18, 2001, 02:14:00 PM »
Perhaps someone from the top ten list of Chute killers???

Damn, Dammned.    :rolleyes:

Offline Lephturn

  • Silver Member
  • ****
  • Posts: 1200
      • http://lephturn.webhop.net
Top 10 stats update:
« Reply #34 on: July 19, 2001, 08:17:00 AM »
Sancho,

No, not this PARTICULAR worm.  There are plenty of common exploits and worms to hack *nix/Apache too.  And most of them rely on the same types of mis-configuration or the exploitation of bugs where patches do exist.  At least if you are running 2k and IIS you have a really easy way to keep up to date and patches applied with MS's Windows Update and their update notification thing.  It works damn well.  Don't get me wrong, Linux has its place too... my point was that it's more important that the administrator of the machine be proficient and take some care than it is what OS you're running.

BTW, this was a simple defacement combined with a Denial of Service worm, and it was done probably by a new worm being called "code red".  Here is a link to the complete analysis.  http://lephturn.dnsalias.net/stuff/idaworm.txt

So it's very unlikely that anybody targeted Deja directly, it's just that his IP # just happened to get scanned by the worm.  The IP that "attacked" him is most probably just another compromised machine.

Offline hblair

  • Platinum Member
  • ******
  • Posts: 4052
      • http://www.cybrtyme.com/personal/hblair/mainpage.htm
Top 10 stats update:
« Reply #35 on: July 19, 2001, 08:26:00 AM »
Sorry to hear of your problems Dejavu, I hope you get it back like ya want it. I really enjoy reading your top 10 pages, as does everyone else.

Offline Jase

  • Zinc Member
  • *
  • Posts: 59
Top 10 stats update:
« Reply #36 on: July 19, 2001, 12:30:00 PM »
LOL Rip, leather panties  :)

Offline Hajo

  • Platinum Member
  • ******
  • Posts: 6035
Top 10 stats update:
« Reply #37 on: July 19, 2001, 02:38:00 PM »
Excuse my crudeness:

It's a dam shame that some imbecile, with the IQ of a gnat has to ruin someone's work, and the enjoyment of those who frequent Deja's pages.

Deja, I really enjoyed and appreciated your work.  I am sorry that some low life love muffin had to intrude where he didn't belong.

Again, I apologize for my rudeness, but it really upsets me when someone decides he or she has to interfere, ruin, etc someone's work, and the enjoyment the community took in viewing Deja's work.
- The Flying Circus -

Offline Lephturn

  • Silver Member
  • ****
  • Posts: 1200
      • http://lephturn.webhop.net
Top 10 stats update:
« Reply #38 on: July 20, 2001, 08:00:00 AM »
Let me repeat this just so everyone is clear.

There is no "person" that targeted Deja's page.  This is an automated worm released by Chinese hackers that is doing the "hacking" by exploiting a buffer overflow.  This thing just scans pseudo-random IP addresses and automatically "hacks" any that have not applied the security patch which has been available for over a month.  The compromised machines then begin scanning and compromising other machines, as well as sending data to whitehouse.gov to try and overload them.  Deja just got unlucky because the automated attack program hit his IP and he hadn't patched it yet.

I just want to make sure everybody understands that this wasn't targeted at Deja's site by anybody, and it was not a directed attack on his site by any member of the community.   :)

[ 07-20-2001: Message edited by: Lephturn ]

Offline Nifty

  • Platinum Member
  • ******
  • Posts: 4400
Top 10 stats update:
« Reply #39 on: July 20, 2001, 08:06:00 AM »
Quote
Originally posted by Lephturn:
Let me repeat this just so everyone is clear.

There is no "person" that targeted Deja's page.  This is an automated worm released by Chinese hackers that is doing the "hacking" by exploiting a buffer overflow.  This thing just scans pseudo-random IP addresses and automatically "hacks" any that have not applied the security patch which has been available for over a month.  Deja just got unlucky because the automated attack program hit his IP and he hadn't patched it yet.

I just want to make sure everybody understands that this wasn't targeted at Deja's site by anybody, and it was not a directed attack on his site by any member of the community.   :)

Leph is right.  Just got a release from CERT about the Code Red worm.  It's not a problem here as we patched our webserver the day the vulnerability patch came out.

Here's the Microsoft Security Bulletin for those of you running IIS on NT or 2000 machines.

Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
proud member of the 332nd Flying Mongrels, noses in the wind since 1997.
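
Added example, not part of any post in this thread: a log check an IIS admin could run to see whether the box was probed through the Index Server ISAPI mappings named in the bulletin above, and from how many distinct sources. The seven-field log layout, the 200-character threshold and the sample lines are assumptions constructed for illustration.

```python
"""Flag oversized requests to the Index Server ISAPI mappings in web logs.

Added example. Log layout, threshold and sample lines are assumptions.
"""
from collections import Counter

# Script mappings handled by the Index Server ISAPI extension (idq.dll).
INDEX_SERVER_EXTS = (".ida", ".idq")
# Assumed threshold: legitimate index queries are short; tune per site.
MAX_QUERY_LEN = 200

# Constructed sample, fields: date time c-ip method uri-stem uri-query status
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 08:01:12 192.0.2.10 GET /index.html - 200",
    "2001-07-19 08:03:40 198.51.100.7 GET /default.ida " + "A" * 300 + " 200",
    "2001-07-19 08:04:02 192.0.2.10 GET /search.idq CiRestriction=stats 200",
    "2001-07-19 08:09:55 203.0.113.99 GET /default.ida " + "A" * 300 + " 200",
    "2001-07-19 08:10:31 198.51.100.7 GET /DEFAULT.IDA " + "A" * 300 + " 500",
    "truncated line",
])


def suspicious_requests(log_text, max_query_len=MAX_QUERY_LEN):
    """Return (ip, stem, query_length) for each oversized Index Server request."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C header directives
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed or truncated entry
        _date, _time, ip, _method, stem, query, _status = fields
        if stem.lower().endswith(INDEX_SERVER_EXTS) and len(query) > max_query_len:
            hits.append((ip, stem, len(query)))
    return hits


def sources(hits):
    """Count flagged requests per source address."""
    return Counter(ip for ip, _stem, _qlen in hits)


if __name__ == "__main__":
    for ip, count in sources(suspicious_requests(SAMPLE_LOG)).most_common():
        print(f"{ip}\t{count} oversized .ida/.idq request(s)")
```

Many unrelated source addresses sending the same oversized request fits the automated scanning described in the thread rather than one attacker; a hit in the log shows a probe, not a compromise, so patch status still has to be checked on the server itself.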

Offline Hajo

  • Platinum Member
  • ******
  • Posts: 6035
Top 10 stats update:
« Reply #40 on: July 20, 2001, 10:04:00 AM »
Thanks!

will dload
- The Flying Circus -