Merged: W32 Blaster Virus


Mark W
11-08-2003, 19:45
BEWARE there is something very nasty happening to A LOT of customers' PCs at the moment!!

after booting up, they get the following message on their windows

system shutdown. this system is shutting down ......

....this has been initiated by nt authority/system etc etc

basically it's rebooting the pc, over and over again.....

the NTL gods are frantically investigating this...

I'll keep ya posted

ic14
11-08-2003, 19:46
God almighty!!!


What the hell's going on!!

Luckily at the mo this PC's connected to ADSL,

Mark W
11-08-2003, 19:49
it would appear this is the cause...

http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Richard M
11-08-2003, 19:50
Isn't it the RPC vul?
Disabling this is only one small thing in securing an M$ box.

EDIT: Yes it is, checked the link. :p

Further EDIT: Why the hell have NTL put something on the service status about it?
It's NOTHING to do with them.
This will only lead to customers phoning up and complaining for lost work etc. :rolleyes:

Maggy
11-08-2003, 19:52
Well finally having ME as my OS has a positive advantage!


Incog.:)

Mark W
11-08-2003, 20:00
Originally posted by Roger K


Further EDIT: Why the hell have NTL put something on the service status about it?
It's NOTHING to do with them.


ummm :erm: that's not strictly true....tho I can't elaborate any more at the mo sorry :erm:

Richard M
11-08-2003, 20:02
So....this is originating from within NTL?

I've heard various stories about this all over the net though so it's not just happening to NTL customers.

fraz
11-08-2003, 20:06
Originally posted by Mark W
ummm :erm: that's not strictly true....tho I can't elaborate any more at the mo sorry :erm:
So what has it got to do with ntl ??

In line with, I would imagine, just about every residential ISP out there, customers are responsible for the security of their own PCs, *not* the ISP (it's in the user policy/terms if you want to go looking). If people can't be bothered keeping up to date with the latest updates from their OS vendors then how is that the ISP's responsibility?? Or are you advocating that your ISP net-nannies you by blocking certain protocols at the border routers??

Mark W
11-08-2003, 20:11
ummm...it seemed to be happening to ntl customers only - tho that seems to have changed now...

oh, and don't call tech support about it - with 96 calls in the queue (and climbing rapidly) we are in meltdown :cry:

fraz
11-08-2003, 20:14
Originally posted by Mark W
ummm...it seemed to be happening to ntl customers only - tho that seems to have changed now...

oh, and don't call tech support about it - with 96 calls in the queue (and climbing rapidly) we are in meltdown :cry:

So get an IVR stuck up and reword the server status page to reflect the fact it's nothing to do with a specific ISP :D

Mark W
11-08-2003, 20:19
Originally posted by fraz
So get an IVR stuck up and reword the server status page to reflect the fact it's nothing to do with a specific ISP :D

an IVR is already up....

ntlhome customers may currently be experiencing problems with their PC arising from a possible Windows vulnerability. We are currently investigating the specifics, but customers may experience their machine rebooting over and over again. In order to prevent your machine from repeatedly rebooting please remove the power from your broadband modem.
Please call the server status line on 0800 052 4315 for further updates.

Xaccers
11-08-2003, 20:24
It's also affecting Virgin dial up users (course they're on the same network)

fraz
11-08-2003, 20:27
/me gives up. It's an OS vulnerability that isn't ISP/network specific. If you're running an affected OS regardless of ISP then patch your kin system!!!!!!!!!!!!!!!

Steve H
11-08-2003, 20:28
Everyone should get on to Microsoft.. Say they've lost loadsa dead important stuff.. Might get some freebies, In fact I'm going to ring them now :p

Ramrod
11-08-2003, 20:28
Originally posted by Mark W
it would appear this is the cause...

http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
So should I install the above patch? Bearing in mind I am on a standalone home PC behind an up to date firewall.

fraz
11-08-2003, 20:30
Originally posted by Ramrod
So should I install the above patch? Bearing in mind I am on a standalone home PC behind an up to date firewall.

Wouldn't hurt to update would it although as long as your firewall is correctly configured then go crack a beer.:smokin:

Xaccers
11-08-2003, 20:32
Problem is, if you're being hit, you can't stay online long enough to get the patch :D

Ramrod
11-08-2003, 20:32
Originally posted by fraz
Wouldn't hurt to update would it although as long as your firewall is correctly configured then go crack a beer.:smokin:
Already there m8:D
....btw....how do I know if I need the 32 or 64 bit win xp edition?:confused:

Xaccers
11-08-2003, 20:35
Are you running a 64bit version of XP on a 64bit CPU?
Not likely :P

Mark W
11-08-2003, 20:38
Originally posted by fraz
/me gives up. It's an OS vulnerability that isn't ISP/network specific. If you're running an affected OS regardless of ISP then patch your kin system!!!!!!!!!!!!!!!

lol....well i did pass your comment on ages go...but its still there :(

Ramrod
11-08-2003, 20:42
Originally posted by Xaccers
Are you running a 64bit version of XP on a 64bit CPU?
Not likely :P
erm.....so what you are saying is I need is the 32 bit version:confused:

philip.j.fry
11-08-2003, 20:43
Anybody know if there are any issues with win98 and this threat, good old MS haven't identified it in either the affected or non-affected categories though my guess would be non-affected if me isn't.

I've not seen any probs on my pc but my connection did go out for a few hours earlier :shrug:

Shaun
11-08-2003, 20:57
My web browsing is really slow tonight, I'm not running anything else in the background. It's strange 'cos downloading speed is fine, it's just the WWW

Could it be my proxy misbehaving?:( :shrug:

grum1978
11-08-2003, 20:59
Originally posted by dellwear
My web browsing is really slow tonight, I'm not running anything else in the background. It's strange 'cos downloading speed is fine, it's just the WWW

Could it be my proxy misbehaving?:( :shrug:

doubt it i got the same and i'm on dial up

BenH
11-08-2003, 21:06
Originally posted by Ramrod
erm.....so what you are saying is I need is the 32 bit version:confused:

There is no 64_bit version of XP, just some extended libs that allow it to be run on an Itanium or Opteron processor. Currently the only real 64_bit OS is any one of the Unices, including Linux.

Regards,

Ben

(who long ago stopped feeling smug about windows vulnerabilities :)

Tricky
11-08-2003, 21:12
Be very aware...
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html

Ste Riley
11-08-2003, 21:25
Blueyonder have posted information on their service status saying all their packages are slow!

Xaccers
11-08-2003, 21:25
Incidentally, anyone got a version of XP SP1 which will install on a not so legit version of XP Pro? ;)

Stuart W
11-08-2003, 21:27
Fine for me...

Bps Stortford / Cambridge area.

Tricky
11-08-2003, 21:30
EDIT: SOLUTION FOUND... :D

blackthorn
11-08-2003, 21:31
Terrible browsing speeds here in wirral area

Ste Riley
11-08-2003, 21:34
There's an XP bug that's hit the services at the moment if you check the NTL service page.

I've had mates complaining about this for a few hours.

My guess is it's a virus doing the rounds and it's hitting some big boy servers.

Shaun
11-08-2003, 22:06
Originally posted by SteRiley
There's an XP bug that's hit the services at the moment if you check the NTL service page.

I've had mates complaining about this for a few hours.

My guess is it's a virus doing the rounds and it's hitting some big boy servers.

I'd have a quick wiz round the net to see if I can find any information on it but it is so painfully slow.:rolleyes:

Wonder if it'll be any better in the morning?

I despise bloody viruses.

Ste Riley
11-08-2003, 22:16
NTL have posted news that the following virus is doing the rounds and is a possible cause of tonight's problems:

W32.Blaster.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

It hits your 135 port which I have received a load of requests from tonight that my router's stopped thankfully.

Richard M
11-08-2003, 22:21
http://slashdot.org/article.pl?sid=03/08/11/2048249

Shaun
11-08-2003, 22:23
Originally posted by SteRiley
It hits your 135 port which I have received a load of requests from tonight that my router's stopped thankfully.

Really? *goes off to check firewall logs:D

homealone
11-08-2003, 22:52
Originally posted by dellwear
Really? *goes off to check firewall logs:D

did that - usual, my son hammering my firewall with his P2P - he is not sharing with me..... lol

Emperordalek
11-08-2003, 22:52
Another NTL joke as it says that this worm/virus was discovered today!

The patch has been available since mid July!

Richard M
11-08-2003, 22:55
http://isc.incidents.org/

BBKing
11-08-2003, 23:43
NTL joke? It's a flaw in a Microsoft OS that was patched by Microsoft in July. What on earth have ntl got to do with it? Should they go round and port scan everyone's PC for vulnerabilities?

The *exploit* of the flaw is new in the last few hours, in fact a google for msblast.exe (the filename) came up as blank for me about 4 hours ago, since when ntl have put a status up for it as a large number of calls have come in apparently. We're quick off the mark IMHO.

Shaun
11-08-2003, 23:48
11/08/2003 23:35:52,"Rule ""Default Block EPMAP"" stealthed
11/08/2003 23:35:06,"Rule ""Default Block EPMAP"" stealthed
11/08/2003 23:32:38,"Rule ""Default Block EPMAP"" stealthed
11/08/2003 23:31:36,"Rule ""Default Block EPMAP"" stealthed
11/08/2003 23:31:35,"Rule ""Default Block EPMAP"" stealthed
11/08/2003 23:31:07,"Rule ""Default Block EPMAP"" stealthed
11/08/2003 23:31:06,"Rule ""Default Block EPMAP"" stealthed
11/08/2003 23:30:57,"Rule ""Default Block EPMAP"" stealthed
11/08/2003 23:28:40,"Rule ""Default Block EPMAP"" stealthed
11/08/2003 23:28:27,"Rule ""Default Block EPMAP"" stealthed
11/08/2003 23:28:19,"Rule ""Default Block EPMAP"" stealthed
11/08/2003 23:26:02,"Rule ""Default Block EPMAP"" stealthed

Norton's been busy this evening!:D :D

Richard M
11-08-2003, 23:51
I feel a thread merge coming on...:D

ian@huth
11-08-2003, 23:59
Why do over 99% of the attacks come from NTL (including Virgin) customers?

Shaun
12-08-2003, 00:01
http://www.informationweek.com/story/showArticle.jhtml?articleID=13000581 :rolleyes:

kronas
12-08-2003, 02:53
oh joy spent 4 hours at mates house trying to sort it stumbled home now and found this :rolleyes:

Agent57
12-08-2003, 03:04
After spending a few hours trying to figure out wtf was going on with my PC shutting itself down with a reported RPC service error I figured out it is because of a fekin virus attack. This one doesn't require you to d/l anything or open any emails... it just appears by magic :shrug: (With a little help from another M$ hole)

NTL have issued an alert in their service page, but I thought it might be worth repeating it here...


ntlhome Internet Customers using Windows XP/2000/NT
ntlhome customers may currently be experiencing problems with their PC arising from a Windows vulnerability.

This looks to be related to a new internet virus/worm discovered today.

For detailed info and ways to restore service please see the following links.

The following link will direct you to a Microsoft page with instructions on how to install a patch which will restore service :-

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

This link contains more specific information about the worm and instructions on how to remove it :-

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Windows XP users may also want to enable the inbuilt firewall option. Instructions on how to do so can be found at :-

http://support.microsoft.com/default.aspx?scid=kb;en-us;q283673

Lord Nikon
12-08-2003, 03:13
:rofl: Oops :rofl: Still, you know where to look to keep abreast of PC Problems :D

kronas
12-08-2003, 03:18
Originally posted by Lord Nikon
:rofl: Oops :rofl: Still, you know where to look to keep abreast of PC Problems :D

yep i do oh well have the task of patching there yes 2 peeps os's and getting firewall and antivirus for them

*gotta start charging for my services damn it :D

my pc has been fine been up for a few days updated definitions firewall at full strength patched xp

*is glad he is sensible at always having antivirus and firewall software looking after his pc

not any old crap either :p

Lord Nikon
12-08-2003, 03:23
Hence my use of Sygate Pro and Norton Systemworks (set to update daily)

Running tests at a few places, system is Stealthed all the way through no ports open, all attacks logged, Norton keeps on top of windows errors and keeps me virus free... once a month I check at housecall from trend micro just to be certain the AV system wasn't compromised etc lol

Richard M
12-08-2003, 07:32
It seems to be getting worse:
http://isc.incidents.org/port_details.html?port=135

zoombini
12-08-2003, 08:28
Maybe its just best to turn the PC off and leave it off for a few days till it goes away...lol

Richard M
12-08-2003, 08:35
Don't think it will, it's programmed to infect machines until June 2004. :disturbd:

Alan Waddington
12-08-2003, 09:37
It's just less than a month since the hotfix for that came out. Looks like we need to keep applying those hotfixes! Thank goodness for my router (which is set up to explicitly block those ports).

Mark W
12-08-2003, 11:29
well, hats off to my housemate Pritch and his homemade router - it's done the biz and kept me XP safe :D

:beer: :beer:

Richard M
12-08-2003, 11:32
Aaahh....I love Linux.
</smug mode>

Alan Waddington
12-08-2003, 11:43
For those of you feeling complacent. Take a look at my router log :D

and lots more of the same.
Looks like 135 attacks have taken over from 137 attacks.

zoombini
12-08-2003, 11:44
I bet all those that got a router (with NAT FW) so they can play XBL are glad too...

Richard M
12-08-2003, 11:45
I still can't believe that they haven't fired some senior people in that company.
They charge like £200 for a copy of Windows and make the worst OS known to man.
I've lost count of the number of large-scale exploits M$ systems have had in the last year.

What a load of BS.

...and they complain that people hate them and that Open Source is their biggest threat...damn right it is. :afire:

homealone
12-08-2003, 13:08
Originally posted by Alan Waddington
For those of you feeling complacent. Take a look at my router log :D

and lots more of the same.
Looks like 135 attacks have taken over from 137 attacks.

Same here

- and many more

NAT doing it's job thank goodness!
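
As an added example (not part of any post in this thread): a small Python tally for router logs in the "IP Port" layout discussed above, counting blocked probes per port, flagging repeat sources, and measuring how many port-135 sources sit in the same network block as the logging host. The sample log, its private-range addresses, the local address 10.6.1.2 and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Services behind the ports that show up in the thread's router logs.
PORT_NAMES = {
    135: "epmap (MS RPC endpoint mapper)",
    137: "netbios-ns",
    139: "netbios-ssn",
}

# Constructed sample in the "IP Port" layout. The addresses are private
# (RFC 1918) space and are not taken from any post in the thread.
SAMPLE_LOG = """\
IP Port
10.6.26.155 135
10.6.24.1 135
10.6.41.100 135
10.5.171.23 135
172.16.9.4 137
10.6.19.116 135
192.168.77.2 139
10.4.7.6 135
192.168.77.2 139
172.20.1.8 57680
10.6.38.84 135
not-an-ip 135
10.6.43.37 99999
"""


def parse_router_log(text):
    """Return (entries, rejected); entries are (IPv4Address, port) tuples."""
    entries, rejected = [], []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or [f.lower() for f in fields] == ["ip", "port"]:
            continue  # blank line or column header
        try:
            if len(fields) != 2:
                raise ValueError("expected two fields")
            addr = ipaddress.IPv4Address(fields[0])
            port = int(fields[1])
            if not 0 < port < 65536:
                raise ValueError("port out of range")
        except ValueError:
            rejected.append(raw)  # keep bad lines for manual review
            continue
        entries.append((addr, port))
    return entries, rejected


def port_counts(entries):
    """Number of blocked probes per destination port."""
    return Counter(port for _, port in entries)


def repeat_sources(entries, threshold=2):
    """(source, port) pairs seen at least `threshold` times."""
    hits = Counter(entries)
    return {pair: n for pair, n in hits.items() if n >= threshold}


def neighbour_share(entries, local_ip, port=135, prefix_len=16):
    """Fraction of probes to `port` whose source shares local_ip's prefix."""
    net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    sources = [addr for addr, p in entries if p == port]
    if not sources:
        return 0.0
    return sum(addr in net for addr in sources) / len(sources)


def report(text, local_ip):
    """Build a short text summary of one log."""
    entries, rejected = parse_router_log(text)
    out = [f"{len(entries)} probes parsed, {len(rejected)} lines rejected"]
    for port, n in port_counts(entries).most_common():
        out.append(f"  port {port:<5} x{n:<3} {PORT_NAMES.get(port, 'other')}")
    for (addr, port), n in sorted(repeat_sources(entries).items()):
        out.append(f"  repeat source {addr} -> port {port} ({n} times)")
    share = neighbour_share(entries, local_ip)
    out.append(f"  {share:.0%} of port-135 sources share {local_ip}'s /16")
    return "\n".join(out)


if __name__ == "__main__":
    # 10.6.1.2 is an assumed address for the host behind the router.
    print(report(SAMPLE_LOG, "10.6.1.2"))
```

A high same-prefix share on port 135 means most of the probing comes from neighbouring address space; widening `prefix_len` shows how far that concentration extends.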

philip.j.fry
12-08-2003, 13:26
I have to say, I'm feeling pretty disappointed that my router logs show no access attempts, *sniff* my pc must not be good enough :( :D

hawkmoon
12-08-2003, 13:28
Originally posted by Steve_NTL
Everyone should get on to Microsoft.. Say they've lost loadsa dead important stuff.. Might get some freebies, In fact I'm going to ring them now :p

Wouldn't think so - MS released a patch for this vulnerability around 28th July. If people haven't patched the system then that is not MS's fault.

timewarrior2001
12-08-2003, 13:57
My system is now patched.
After declaring ages ago that I wouldn't run a firewall I have recently installed one......30 mins ago
Norton internet security (got it with Mainboard) had 22 attempted hacks so far and one "default block sokets de trois v1. Trojan"
Maybe I was wrong and I should be running a firewall all the time.

hawkmoon
12-08-2003, 14:02
Originally posted by Roger K
I still can't believe that they haven't fired some senior people in that company.
They charge like £200 for a copy of Windows and make the worst OS known to man.
I've lost count of the number of large-scale exploits M$ systems have had in the last year.

What a load of BS.

...and they complain that people hate them and that Open Source is their biggest threat...damn right it is. :afire:

The main reason you tend to see more MS exploits is because hackers / script kiddies, etc target this OS more. This is because it is mainstream.

Linux has some pretty major exploits as well (don't believe the hype that it is secure, etc). After installing Mandrake and running their update utility there were at least 50Mb of security updates avail. Do a search on Google for Linux exploits - for those who are too lazy take a look here http://www.linuxsecurity.com/advisories/

Should Linux become the mainstream home user OS then the number of serious exploits / viruses / trojans will explode.

Secondly a fix for this exploit has been out for some time.

Ramrod
12-08-2003, 14:41
This (https://grc.com/x/ne.dll?bh0bkyd2) may be of some use to people.
....click on the buttons marked common ports, file sharing, all service ports etc........

Richard M
12-08-2003, 15:27
Originally posted by hawkmoon
The main reason you tend to see more MS exploits is because hackers / script kiddies, etc target this OS more. This is because it is mainstream.


Very true but it is also easier to "crack".
As you will know, it is much harder to compromise a Linux machine because of the different way processes are run in the environment.

DeadKenny
12-08-2003, 15:57
Originally posted by Roger K
Very true but it is also easier to "crack".
As you will know, it is much harder to compromise a Linux machine because of the different way processes are run in the environment.

All it requires is an unpatched server (web, ftp, telnet, etc), a buffer overflow and privilege elevation to root and they're in. They can cause as much damage as they want.

Don't kid yourselves that linux is secure. It's not. Just that few people have "got it in" for linux.

I use linux, unix and windows systems, and no matter what I always look out for the latest patches. I'd be a fool to just sit there with a smug "ah, I'm okay I use linux" attitude. Of all things I concentrate very carefully on Apache patches as that's the one thing exposed to the outside world on my system.

And has everyone ensured they've got the ICMP patch for their linux based routers? Very few people know about that one and many assume a dedicated linux router/firewall is rock solid and never needs patching, yet this will open their entire network up.

DeadKenny
12-08-2003, 16:20
Originally posted by BenH
There is no 64_bit version of XP, just some extended libs that allow it to be run on an Itanium or Opteron processor. Currently the only real 64_bit OS is any one of the Unices, including Linux.


Other than...

Windows Server 2003 Enterprise 64bit edition (http://www.microsoft.com/windowsserver2003/evaluation/overview/enterprise.mspx) (note that it replaces the old 'limited' edition which might be the library version you mention, see here (http://www.microsoft.com/windowsserver2003/64bit/default.mspx))
Windows XP 2003 64bit edition (http://www.microsoft.com/windowsxp/64bit/default.asp)

;)

In fact many unix systems are actually 32bit with 64bit libraries unless you explicitly install the 64bit kernels (just take a look at 64bit AIX). The 64bit kernels often cause major headaches, so most run with 32bit kernels and just run 64bit apps on the system. Not really a true 64bit OS.

XP 64bit and 2003 Server 64bit use 64bit kernels/subsystem and the Win64 API from the ground up AFAIK. 32bit apps run with WOW32 which is a subsystem to run 32bit (Win32) under 64bit (a bit like the old WOW used to run 16bit on 32bit NT, but nothing like Win9x which was 16bit DOS hacked to run 32bit on top of it and Windows on top of that ).

hawkmoon
12-08-2003, 16:56
Originally posted by DeadKenny
All it requires is an unpatched server (web, ftp, telnet, etc), a buffer overflow and privilege elevation to root and they're in. They can cause as much damage as they want.

Don't kid yourselves that linux is secure. It's not. Just that few people have "got it in" for linux.

I use linux, unix and windows systems, and no matter what I always look out for the latest patches. I'd be a fool to just sit there with a smug "ah, I'm okay I use linux" attitude. Of all things I concentrate very carefully on Apache patches as that's the one thing exposed to the outside world on my system.

And has everyone ensured they've got the ICMP patch for their linux based routers? Very few people know about that one and many assume a dedicated linux router/firewall is rock solid and never needs patching, yet this will open their entire network up.

Yup this is the point I was trying to make. All OS's have their vulnerabilities, etc.

Many Linux / Unix users have become lax because of this perceived security that Linux has gained. Sites like astalavista, neworder, etc are full of exploits and vulnerabilities for all OS's including Linux, Win, FreeBSD, etc.

As Linux achieves more attention for home users then I think we will start to see more virus / trojan activity as well as more vulnerability exploits, etc.

I think that the difference is that Linux is probably more secure out-of-the-box so to speak than NT / XP is, but both can be made pretty secure with some work and the application of the constant security updates that both formats see.

BenH
12-08-2003, 17:23
Originally posted by DeadKenny
Other than...

Windows Server 2003 Enterprise 64bit edition (http://www.microsoft.com/windowsserver2003/evaluation/overview/enterprise.mspx) (note that it replaces the old 'limited' edition which might be the library version you mention, see here (http://www.microsoft.com/windowsserver2003/64bit/default.mspx))
Windows XP 2003 64bit edition (http://www.microsoft.com/windowsxp/64bit/default.asp)

;)



Ahh, but has anyone been dumb enough to use it on production systems yet :-)


In fact many unix systems are actually 32bit with 64bit libraries unless you explicitly install the 64bit kernels (just take a look at 64bit AIX). The 64bit kernels often cause major headaches, so most run with 32bit kernels and just run 64bit apps on the system. Not really a true 64bit OS.


Yes it does tend to be easier to use 32_bit kernels, however the 64_bit is there and ready to use if you want it and has been for a while. Still the greatest problem I've ever faced is explaining to people that 'Yes the computer's clock is only running at 400Mhz, but that it's a 64_bit sparc.'



XP 64bit and 2003 Server 64bit use 64bit kernels/subsystem and the Win64 API from the ground up AFAIK. 32bit apps run with WOW32 which is a subsystem to run 32bit (Win32) under 64bit (a bit like the old WOW used to run 16bit on 32bit NT, but nothing like Win9x which was 16bit DOS hacked to run 32bit on top of it and Windows on top of that ).

Well it's nice to know that you windows boys are finally catching up at last; but I think I'll stick to a system that I own rather than MS :)

Regards,

Ben

Tricky
12-08-2003, 17:27
Originally posted by DeadKenny
All it requires is an unpatched server (web, ftp, telnet, etc), a buffer overflow and privilege elevation to root and they're in. They can cause as much damage as they want.

Don't kid yourselves that linux is secure. It's not. Just that few people have "got it in" for linux.

I use linux, unix and windows systems, and no matter what I always look out for the latest patches. I'd be a fool to just sit there with a smug "ah, I'm okay I use linux" attitude. Of all things I concentrate very carefully on Apache patches as that's the one thing exposed to the outside world on my system.

And has everyone ensured they've got the ICMP patch for their linux based routers? Very few people know about that one and many assume a dedicated linux router/firewall is rock solid and never needs patching, yet this will open their entire network up.

Might also be fair to say that as more is known about the linux code/kernel that the challenge is not there. And the fact that everyone hates Micro$oft.

I gave my Micro$oft account manager some grief today though!:D

DeadKenny
12-08-2003, 17:33
Originally posted by BenH
Ahh, but has anyone been dumb enough to use it on production systems yet :-)


Big corporates must be evaluating it at least otherwise there's no reason for a software company like the one I work for to be developing and testing on 64bit platforms because our customers request it.

There's no reason why it's a problem. We're talking the NT line here and after all 32bit NT (proper operating system) was way more robust than nasty 16bit DOS/Windows (spawn of the devil ;)), so not much reason why 64bit XP/Server2003 (NT really) is no less robust as 32bit. As with unix, it drops down to 32bit as necessary anyway (slightly better at it than the old 16bit WOW which was more emulation, whereas this relies on the 64bit processor ability to run 32bit... I think).

hawkmoon
12-08-2003, 17:38
Originally posted by Tricky
Might also be fair to say that as more is known about the linux code/kernel that the challenge is not there. And the fact that everyone hates Micro$oft.

I gave my Micro$oft account manager some grief today though!:D

Yes this is also likely a major factor in it, plus you can be certain that all XP Pro installs will have the same vulnerability, which can't strictly be said for Linux as major distros often do things slightly differently than each other, even down to tweaks in the kernel.

BenH
12-08-2003, 17:47
Originally posted by DeadKenny
All it requires is an unpatched server (web, ftp, telnet, etc), a buffer overflow and privilege elevation to root and they're in. They can cause as much damage as they want.

Don't kid yourselves that linux is secure. It's not. Just that few people have "got it in" for linux.


Sure, if you're lax in your updates, run as root all the time, don't check for root kits and leave ports wide open then you are screwed. However all the servers you mentioned are turned off initially and if you wanted to turn them on you had better know what you're doing. If not then you're incompetent or lazy and who cares.

Linux is more inherently secure than the other leading os, mostly because of the security models used. MS sets up their systems to fully integrate into their not so secure infrastructure such as windows update; their programs are riddled with bugs that they have no intention of fixing and hides the running services that can be compromised such as Messenger and allows a user to have administrative privileges.

It also supports the script kiddies' favorite language - VB.


This is not to say that Linux does not have its own problems, the difference is that these exploits are much, much harder to implement especially against a user who has a clue about security. Also when an exploit is discovered it is patched as rapidly as possible. You can also install SE Linux, which promptly deals with the script kiddies, the so called L33T hackers and quite a few of the competent ones, at the possible expense of opening your system up to the NSA :-)



I use linux, unix and windows systems, and no matter what I always look out for the latest patches. I'd be a fool to just sit there with a smug "ah, I'm okay I use linux" attitude. Of all things I concentrate very carefully on Apache patches as that's the one thing exposed to the outside world on my system.


And who has the largest number of patches, not including the 150 linux distros which MS loves to factor in on its FUD? And in regard to Apache (given that it mainly runs on Linux), how many patches vs IIS? AIRC the last major exploit was discovered about 18 months ago and had a working patch released within hours.



And has everyone ensured they've got the ICMP patch for their linux based routers? Very few people know about that one and many assume a dedicated linux router/firewall is rock solid and never needs patching, yet this will open their entire network up.

We use a Borderware firewall based off BSD, there's a reward of $100,000 for the person who cracks it. If you fancy your luck just say :-)

Regards,

Ben

BenH
12-08-2003, 17:52
Originally posted by hawkmoon
Yes this is also likely a major factor in it, plus you can be certain that all XP Pro installs will have the same vulnerability, which can't strictly be said for Linux as major distros often do things slightly differently than each other, even down to tweaks in the kernel.

There's also the fact that as it's open source it's inherently more secure as the exploits are out there in the open for everyone to see and fix. As opposed to closed source which tries to sweep its mess under a carpet of secrecy.

There is no security in obscurity as any CISSP should be able to tell you.

Regards,

Ben

Ramrod
12-08-2003, 20:03
The thread on .com (http://www.nthellworld.com/forum/showthread.php?s=&threadid=45196&perpage=15&pagenumber=1) is good

DeadKenny
12-08-2003, 20:15
Originally posted by BenH
And who has the largest number of patches, not including the 150 linux distros which MS loves to factor in on its FUD? And in regard to Apache (given that it mainly runs on Linux), how many patches vs IIS? AIRC the last major exploit was discovered about 18 months ago and had a working patch released within hours.


I do an update on my RedHat system every month or two and there are more updates than on Windows Update in the same period of time. Half of those RedHat updates are usually described as security fixes. It doesn't really indicate much either way though.

As for IIS vs Apache patches, I don't think IIS has needed a patch for some time, but I'm not going to argue IIS is better (regardless of who has the more patches) because I do prefer Apache myself anyway (running on linux).

The difference with patches is MS "fixes the barn door after the horse has bolted", which is part of the problem, whereas the linux community fixes it usually before it's an issue.

Or rather MS spends a huge amount of time and money regression testing so their fixes are not going to break systems and cost people a lot of money, whereas on linux they fix it and then fix those bugs, then fix those bugs, and you have to wait until someone comes up with a decent fix or you fix it yourself (that's the problem of open source, it's a "do it yourself or wait, test in production" strategy).

MS has often fixed the problem well before it's an issue but as soon as they make the problem public the kids go off and write their virus/trojans/worms knowing a lot of people don't patch. Add to that the fact their fix may be written but not tested so needs time for testing, that gives them time to write the stuff.

darant
12-08-2003, 20:25
I can confirm that engineers are dealing with the problem as I type.

downquark1
12-08-2003, 21:09
I got all the criticals windows updates from "windows update" is this patch included in the list automatically?

I'm also behind a router.

hawkmoon
12-08-2003, 21:24
Originally posted by downquark1
I got all the critical windows updates from "windows update", is this patch included in the list automatically?

I'm also behind a router.

It should be - if you go to windows update there is a link under Other Options called View installation history. Look for a security update with the number 823980 next to it. If you see it in the list then you have been patched.

Alan Waddington
12-08-2003, 21:25
Originally posted by downquark1
I got all the critical windows updates from "windows update", is this patch included in the list automatically?

I'm also behind a router.

It should have done, but it's worth checking it actually installed. Windows Update sometimes fails.

If the router is a NAT router, then you should be protected. My router is all that's currently protecting my 2nd machine (W2K), which is currently being defragged before any more updates are applied.

BenH
12-08-2003, 21:27
Originally posted by DeadKenny
Or rather MS spends a huge amount of time and money regression testing so their fixes are not going to break systems and cost people a lot of money, whereas on linux they fix it and then fix those bugs, then fix those bugs, and you have to wait until someone comes up with a decent fix or you fix it yourself (that's the problem of open source, it's a "do it yourself or wait, test in production" strategy).


Oh come on, how many patches have been recalled for any one linux distro? How many patches crash the server?

I only recall one patch for SuSE 7.3 that had to be recalled, in fact I'm so confident of SuSE doing a good job that all my servers are set to automatically update. Something I would never dream of doing on one of the few remaining NT boxes. MS couldn't care less if one of their patches broke your system for a few hours, after all you can't sue them thanks to the EULA, whereas the open source community cannot dare take that attitude, and quite frankly wouldn't as they take pride in their work.

Sure one or two projects may ignore a bug report, currently there is one in gnomecanvas that's been there for 8 months giving me a headache. People are working on it but it'll take time to come through and in the meantime I can figure out a workaround. While I was writing M$ based apps, I came across quite a few bugs and was faced by a wall of silence by microsoft. They don't care, and they don't need to care, hence part of the reason for the growth of Linux.

Perhaps you should consider changing your distro, after all RH can only handle about 20-30 users at once :D

Regards,

Ben

hawkmoon
12-08-2003, 21:41
Originally posted by BenH
There's also the fact that as it's open source it's inherently more secure as the exploits are out there in the open for everyone to see and fix. As opposed to closed source which tries to sweep its mess under a carpet of secrecy.

There is no security in obscurity as any CISSP should be able to tell you.

Regards,

Ben

Yes this may be true, but yet again most of the time it is no different to MS, the exploit can only be patched once the vulnerability / bug has been detected and by the time it has been detected it is usually a little late as it has already been exploited.

Or are you trying to claim that open source software is bug free?

As Deadkenny says - I see more security updates for my Linux distros than I do for Windows.

There are certainly serious issues with Linux, for example IIRC samba versions between 2.0.x and 2.2.7 (I think) had a vulnerability that could allow an anonymous attacker to acquire super-user rights - it took them a long time to block this exploit as you can see with the version numbers.

There are plenty others that allow attackers to get root or super-user rights.

Both OS's have vulnerabilities and exploitable bugs.

The only advantage that Linux really has is that it is more secure out-of-the-box than Windows, but with a little work both can be made pretty secure.

The same goes for IIS and Apache as well.

Maggy
12-08-2003, 21:49
Why does it seem that every thread reduces down to the usual mine is better/bigger/stronger than yours?

Why not just agree to differ and leave it at that? It's not really worth the aggro and besides it's somewhat off topic.

Incog ;)

Ramrod
12-08-2003, 22:04
Originally posted by Incognitas
Why does it seem that every thread reduces down to the usual mine is better/bigger/stronger than yours?

Why not just agree to differ and leave it at that? It's not really worth the aggro and besides it's somewhat off topic.

Incog ;)

....the voice of reason :D

Ramrod
12-08-2003, 22:14
Reuters (http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=3266448)

BenH
12-08-2003, 22:21
Originally posted by hawkmoon
Yes this may be true, but yet again most of the time it is no different to MS, the exploit can only be patched once the vulnerability / bug has been detected and by the time it has been detected it is usually a little late as it has already been exploited.

Or are you trying to claim that open source software is bug free?


Certainly not, I do however say that Linux and its mature/Beta grade software has far fewer bugs than its closed source equivalent because of A) Its huge tester base B) The open nature of the code allows others to identify the nature of the bug and correct it if they are able and C) There is a far greater incentive for the programmer to do a good job. With the code available for all to see, then the programmer's ego could be done serious harm by bodging something together :)



As Deadkenny says - I see more security updates for my Linux distros than I do for Windows.


How many bug fixes and security updates do those service packs hold? The fundamental difference between a linux security update and the windows equivalent is that in the Linux case the programmer has spotted one of their own mistakes and corrected it; whereas in MS's case it's a matter of them not being able to keep the bug under wraps any longer


There are certainly serious issues with Linux, for example IIRC samba versions between 2.0.x and 2.2.7 (I think) had a vulnerability that could allow an anonymous attacker to acquire super-user rights - it took them a long time to block this exploit as you can see with the version numbers.


Can you point me at any references for this? I've just started using Samba 3 extensively to serve as a replacement for PDC's



There are plenty others that allow attackers to get root or super-user rights.


There are indeed, most requiring an unimaginable level of stupidity on the user's part 'Just set everything in inet.d to 777' or physical access to the system; in which case you're doomed no matter what your OS.


Both OS's have vulnerabilities and exploitable bugs.


Yes they do, but for one they're fixable, for the other you have to wait on bended knee for a fix.

Also could you please start differentiating between bugs and exploits, an overrun that causes X to crash is not the same as allowing code to be executed without the user's knowledge.


The only advantage that Linux really has is that it is more secure out-of-the-box than Windows, but with a little work both can be made pretty secure.

The same goes for IIS and Apache as well.

Linux can be made obscenely secure, hence the reason the NSA and many other intelligence agencies use it. Windows, despite MS's shared source initiative, remains replete with undiscovered and deliberately included exploits because of the philosophy of MS.

Regards,

Ben

BenH
12-08-2003, 22:21
Originally posted by Incognitas
Why does it seem that every thread reduces down to the usual mine is better/bigger/stronger than yours?

Why not just agree to differ and leave it at that? It's not really worth the aggro and besides it's somewhat off topic.

Incog ;)

Tradition?

:D

Best,

Ben

Richard M
12-08-2003, 22:28
Originally posted by hawkmoon

As Deadkenny says - I see more security updates for my Linux distros than I do for Windows.


Yes but all or most of the Windows flaws are problems with Microsoft software, the bugs in Linux we hear of are usually with third party software such as Apache, not the actual Linux "system".

So, if we take the amount of bugs in Windows and all third party software and compare that to the amount for Linux and third party software, Linux will have quite a few less.

You can certainly feel safer using Linux (I'm using Mandrake 9.1 right now with Mozilla) because most script kiddies will only know how to compromise a Windows system and it takes a bit more knowledge to break into a Linux OS.
Plus, you are more safe from viruses and trojans.

As mentioned earlier in the thread, Linux comes pretty secure out of the box anyway, I'm not running any servers on this machine - the most important thing is making sure the system is up to date and the root password is strong.

Lord Nikon
12-08-2003, 22:51
Plus when a new linux kernel is released, that is what it is... new

Looking at this recent exploit that has come to light...

Affected Versions....

NT 4          circa 1995?
Windows 2000  2000
Windows XP    2001
Windows 2003  2003

So the issue has existed for 8 years across 4 platforms..

How much legacy code do they blindly copy between versions?

hawkmoon
12-08-2003, 23:39
Originally posted by BenH
Tradition?

:D

Best,

Ben

Personally I don't really see it as a "mine is better than yours argument"

I just see the merits of both Windows and Linux - I've got both running here.

As for the advisory in Samba - you can find it here. https://rhn.redhat.com/errata/RHSA-2003-137.html

Samba versions above 2.2.8 don't have this exploit.

hawkmoon
12-08-2003, 23:51
Don't get me wrong - I am not in the Windows is better than Linux camp, nor vice-versa.

My point is that all OS's have flaws, both minor and serious.

Already Linux is starting to see an increase in the number of viruses.

Even BSD-based OS's have their flaws and exploits. I remember one that related to a vulnerability with certain SSH installs, though I can't remember what the vulnerability was though.

When more and more crackers and hackers turn their attention to Linux then I think you will see an increase in the number of vulnerabilities / exploits.

Nobody can anticipate every interaction that code can have under every situation and this is why vulnerabilities such as the RPC one can exist in an OS for years before coming to light.

BenH
13-08-2003, 00:25
Originally posted by hawkmoon

As for the advisory in Samba - you can find it here. https://rhn.redhat.com/errata/RHSA-2003-137.html

Samba versions above 2.2.8 don't have this exploit.

Looks like it was RH only. SuSE have a similar advisory, but instead detail it to be a buffer overrun with the possibility that it might be publicly available. With a mention of the weak encryption generated by a VNC cookie that is well known.

Hardly an internet stopper, but something to keep an eye on.

Thanks,

Ben

BenH
13-08-2003, 00:52
Originally posted by hawkmoon
My point is that all OS's have flaws, both minor and serious.


So you keep repeating, despite no one disagreeing with you.



Already Linux is starting to see an increase in the number of viruses.


3 last year none serious, the only one that was ever any trouble was Bliss back in '97, and that was only a threat until Alan Cox ripped it apart.

Linux represents a very unhealthy environment for any virus, there's no VB macros, no unlocked ports, separation of users and administrators and lack of binary executables, let alone executables that run without permission.

For an interesting and accurate article on linux viruses, rather than speculation, try this:

http://librenix.com/?inode=21



Even BSD-based OS's have their flaws and exploits. I remember one that related to a vulnerability with certain SSH installs, though I can't remember what the vulnerability was though.


And then they are fixed as soon as they are uncovered, as opposed to being hidden. You are completely ignoring the tremendous difficulty in exploiting one of these flaws and the lack of technical knowledge within the cracker community that would be required to exploit them.


When more and more crackers and hackers turn their attention to Linux then I think you will see an increase in the number of vulnerabilities / exploits.


1) Linux is a Hacker OS, its growth is in part due to this. 2) Hackers don't crack systems or write viruses _ever_. There's no challenge, no profit in destroying something bad when you can create something better and give it away. 3) Hackers despise crackers. Crackers are the lowest form of life, who believe that by exploiting some slight loophole they show how clever they are when in fact it's been shown time and time again that they are nothing more than arrogant little ****s who have some very basic technical knowledge centred around VB and microsoft. You show some scumbag script kiddie some C and they fall apart.

The only ones that have the kind of skill needed to crack Linux or any other kind of Unix are usually far too busy running security companies or writing virus TK's to be used against windows due to some kind of beef they have against MS.

Even if they were to start writing viruses to be used against Linux, it would still be reliant on the user to do something truly stupid in order to allow the virus to propagate.


Nobody can anticipate every interaction that code can have under every situation and this is why vulnerabilities such as the RPC one can exist in an OS for years before coming to light.

The problems with RPC have been known about for years. I seem to recall the CDC writing about the topic time and time again. This vulnerability is however new(ish) it is not the first RPC vulnerability, and it will be far from the last.

Ben

darant
13-08-2003, 01:12
LOL.

Everything is open for exploitation whether it be Microsoft, Linux, Mac. Just cos Microsoft are the largest people think it shouldn't happen.

duncant403
13-08-2003, 09:31
It's probably also fair to say that people who run Linux are likely to keep up to date with all the patches and bug fixes that are released.
While some Windows users do, unfortunately a large proportion don't. This is the main reason why Windows virii propagate so well.

BenH
13-08-2003, 10:15
Originally posted by duncant403
It's probably also fair to say that people who run Linux are likely to keep up to date with all the patches and bug fixes that are released.
While some Windows users do, unfortunately a large proportion don't. This is the main reason why Windows virii propagate so well.

The principal problem with windows update is the sheer number of patches you need to install. Broadband is practically a requirement for XP users.

SuSE however, well look here:

http://www.suse.co.uk/uk/private/support/security/index.html

There have been 9 updates in the last five months, 10 if you include the kernel patch I'm expecting sometime today and is already available via YaST.

What more do I need to say?

Regards,

Ben

distortal
13-08-2003, 11:07
I'm sure you'll have seen in the news mention of the latest worm that's doing the rounds on the internet - W32.Blaster.Worm. This particular nasty will cause your machine to shut down and is designed to launch a DDoS attack against WindowsUpdate from the 16th. It is causing a whole lotta traffic on port 135 as the worm seeks to propagate itself.

We sat up late last night developing a small app that would use the port-forwarding abilities of a router firewall. Basically the incoming port 135 requests are routed to port 10000 before they reach the machine so that Windows ignores them, and the app sends out a Net Send message to the connecting IP advising them that they appear to be infected with W32.Blaster and would they please go to a webpage for more info.

It does have the side-effect of messaging back those Messenger spammers that lurk around the net as well, but that's only a plus in my opinion. :D

Most of the scans I get are from other NTL IPs, which indicates that the worm bases its scanning on the local machine's IP, but there have been a few others. As a guide to how bad it's getting, I received 20 scans this morning while I was in the bath, and I wasn't in there that long. :)

We may release the app when it's complete, but in the meantime check your firewall logs and let us know how many connection attempts you've had on port 135 over the past few days.
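
One way to answer the question in the post above from a firewall log, as an added example (it is not the poster's app and not part of the original thread): it counts inbound TCP attempts on the two ports discussed here, 135 and 4444, per hour and per source, reports how many sources sit in the same address block as the local machine, and flags outbound attempts from the local machine itself. The log layout, the /16 "nearby" block, and all addresses are assumptions constructed for illustration.

```python
"""Count inbound TCP 135/4444 attempts in a firewall log (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed generic layout, not any particular router's format:
#   YYYY-MM-DD HH:MM:SS ACTION PROTO SRC:SPORT -> DST:DPORT
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"(?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
WATCHED_PORTS = (135, 4444)  # the ports mentioned in this thread

# Constructed sample; addresses come from the documentation ranges.
SAMPLE_LOG = """\
2003-08-13 09:01:12 DROP TCP 192.0.2.77:1044 -> 192.0.2.10:135
2003-08-13 09:01:15 DROP TCP 192.0.2.77:1045 -> 192.0.2.10:135
2003-08-13 09:14:40 DROP TCP 192.0.2.200:3120 -> 192.0.2.10:135
2003-08-13 09:20:03 DROP TCP 198.51.100.5:2201 -> 192.0.2.10:4444
2003-08-13 09:48:59 DROP UDP 203.0.113.9:1027 -> 192.0.2.10:135
2003-08-13 10:02:31 DROP TCP 192.0.2.77:1101 -> 192.0.2.10:135
2003-08-13 10:05:00 DROP TCP 203.0.113.9:4000 -> 192.0.2.10:3
2003-08-13 10:07:45 ALLOW TCP 192.0.2.10:1500 -> 198.51.100.80:80
log buffer wrapped, 12 entries lost
2003-08-13 10:30:10 DROP TCP 198.51.100.5:2290 -> 192.0.2.10:135
"""


def parse_line(line):
    """Return a record dict, or None for anything that is not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
    except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an IP
        return None
    dport = int(m["dport"])
    if dport > 65535:
        return None
    return {
        "bucket": f"{m['date']} {m['hour']}:00",  # hourly bucket
        "proto": m["proto"].upper(),
        "src": src,
        "dst": dst,
        "dport": dport,
    }


def summarize(log_text, local_ip, ports=WATCHED_PORTS, near_prefix=16):
    """Summarise watched-port attempts against (and from) local_ip."""
    local = ip_address(local_ip)
    # Block treated as "nearby"; the /16 width is an assumption.
    near = ip_network(f"{local_ip}/{near_prefix}", strict=False)
    per_port, per_hour, per_source = Counter(), Counter(), Counter()
    outbound = 0
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep count so gaps in the log are visible
            continue
        if rec["proto"] != "TCP" or rec["dport"] not in ports:
            continue
        if rec["dst"] == local:
            per_port[rec["dport"]] += 1
            per_hour[rec["bucket"]] += 1
            per_source[rec["src"]] += 1
        elif rec["src"] == local:
            # The local machine connecting out on these ports suggests
            # it is scanning too and should be checked for infection.
            outbound += 1
    nearby = sorted(s for s in per_source if s in near)
    return {
        "total": sum(per_port.values()),
        "per_port": dict(per_port),
        "per_hour": dict(per_hour),
        "top_sources": [(str(s), n) for s, n in per_source.most_common()],
        "nearby_sources": [str(s) for s in nearby],
        "near_share": len(nearby) / len(per_source) if per_source else 0.0,
        "outbound_attempts": outbound,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "192.0.2.10").items():
        print(f"{key}: {value}")
```

A non-zero `outbound_attempts` is the figure to act on first, since it points at the local machine rather than at other people's.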

timewarrior2001
13-08-2003, 11:13
It's great that people are developing ways to combat this worm. But I would hope people would be getting the security update from MS and running the MSblaster fix from Symantec. I personally fixed two machines last night this way.

One thing that surprised me was that when I closed MSBlaster.exe from the processes list, approx 3 mins later the machine still shut down, the command had restarted itself, this made removal of the virus a tad tricky......eventually though I got the machine to stay on long enough to remove the infection.

I don't know how many people would be interested in your application, I may be, but firstly I'd have to enquire who you work for

Keep up the good work
TW2001

Mark W
13-08-2003, 11:16
well, as of last night, this was the fix we were giving out last night.... version 5 i think :erm:

Ntl:home customers may currently be experiencing problems with their PC arising from a Microsoft Windows vulnerability. The virus/worm in question which exploits this vulnerability is called W32.Blaster.Worm and it will affect Windows XP (all versions), Windows 2000 and Windows NT.

In order to prevent your machine from repeatedly rebooting please carry out the following:

1. (Broadband customers only) Unscrew CATV (Co-axial) cable at the rear of the cable modem or set-top box - this is normally a thick white cable (not required for dial-up)
2. Re-start PC.
3. "Open Task Manager" by holding down the CTRL and ALT keys and press the Delete key once.
4. Click on Process tab, and find Msblast.exe.
5. Highlight the file and click 'end process' at the bottom right
6. Say 'Yes' to the warning.
7. Now close Task Manager (by the cross in the top right)
8. Click on "start" and choose "Find" or "Search" then choose files or folders.
9. In the "look in" box choose "My Computer"
10. In the "named" box type msblast.exe then click on "find now" or "search"
11. If any items are found right click on these and choose delete.
12. If using Windows XP enable the in built firewall (see below)
13. (Broadband customers only) Screw the CATV cable back into the modem or set-top box, (not required for dial-up)
14. (Broadband customers only) Re-start Cable Modem or Set-Top Box, (not required for dial-up)
15. Re-start PC
16. Download the Microsoft Patch (from the link below) choosing "save this program to disk"
17. In the "save as" window choose "desktop" from the dropdown "save in" box
18. Open the file from your desktop and follow the on-screen instructions.
19. Restart your machine when requested to do so by the patch.

Microsoft Download Links

Windows XP (all versions)

Windows 2000

Windows NT

You should now find that your PC and connection are restored to a working state.

Enable the in built firewall in XP windows

1. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
2. Right-click the connection on which you would like to enable ICF, and then click Properties.
3. On the Advanced tab, click the box to select the option to Protect my computer or network.
4. If you want to enable the use of some applications and services through the firewall, you need to enable them by clicking the Settings button, and then selecting the programs, protocols, and services to be enabled for the ICF configuration.

If you are not using Windows XP you may wish to visit
http://www.ntlworld.com/zonealarm/ to obtain advice on another firewall option.


For further information on this issue please see:

Ntl:home Server Status Page
or

Microsoft Knowledge Base

If you continue to experience problems of the same nature, please call the Technical Support Bureau on your relevant support number.

duncant403
13-08-2003, 11:27
Originally posted by distortal
let us know how many connection attempts you've had on port 135 over the past few days.

I had 140 in the space of an hour...

distortal
13-08-2003, 11:27
Originally posted by timewarrior2001
I don't know how many people would be interested in your application, I may be, but firstly I'd have to enquire who you work for

I run a website design company but, because it grew from a hobby, I also have an interest in PC Security. I get to play with nice pieces of kit at my company's expense and I currently lurk behind a D-Link DI-614+.

The program came about from a discussion with a friend of mine who writes shareware in VB and who was getting hammered as well. It started out as an intellectual exercise really, and once we found a way to get a message back to infected people then it kinda grew from there into a small app you can run on your desktop.

One thing to note: Most of the machines hitting us don't appear to be protected at all. You can access the drives remotely using 'backslash-backslash-ip' (eg: \\11.22.33.44) and most of them will show a list of shared directories, so it turns out that this worm is advertising open machines.

Just doing our part :)

Alan Waddington
13-08-2003, 11:28
I did consider 'net send'ing to folks during the worst of the Bugbear attacks, but refrained after having had a bad experience after replying to the sender of an email virus.

In that case, the recipient of my well-meaning note, thought that I'd caused the virus infestation of his PC, rather than being the recipient of the virus email that he had sent. He thoughtfully copied his flame to the postmaster at my ISP. Fortunately my ISP had better sense than to get involved.

On a more positive note, the Messenger service displays your machine name rather than your IP address (I think), so Mr Angry would be unlikely to be in contact.

Yours cautiously,
Alan

distortal
13-08-2003, 11:29
Originally posted by duncant403
I had 140 in the space of an hour...

Is that today? Yesterday was extremely busy but this morning I'm down to 43 in the last hour.

zoombini
13-08-2003, 11:37
Originally posted by distortal

One thing to note: Most of the machines hitting us don't appear to be protected at all. You can access the drives remotely using 'backslash-backslash-ip' (eg: \\11.22.33.44) and most of them will show a list of shared directories, so it turns out that this worm is advertising open machines.


Hmm, I can see plenty of wannabe hackers taking advantage of this then, going through their firewall logs and finding out whose PC they can visit.

BenH
13-08-2003, 11:47
Originally posted by distortal
Is that today? Yesterday was extremely busy but this morning I'm down to 43 in the last hour.

I'm starting to feel a bit jealous, I've had none as of this morning. But then again I am behind layered firewalls beginning with a D-Link 614+ and ending with SuSE firewall.

Ah Well :-)

Regards,

Ben

Alan Waddington
13-08-2003, 11:48
Originally posted by zoombini
Hmm, I can see plenty of wannabe hackers taking advantage of this then, going through their firewall logs and finding out whose PC they can visit.

I had hoped that people would have wised up after the Bugbear attacks.

timewarrior2001
13-08-2003, 11:51
Originally posted by distortal
I run a website design company but, because it grew from a hobby, I also have an interest in PC Security. I get to play with nice pieces of kit at my company's expense and I currently lurk behind a D-Link DI-614+.

The program came about from a discussion with a friend of mine who writes shareware in VB and who was getting hammered as well. It started out as an intellectual exercise really, and once we found a way to get a message back to infected people then it kinda grew from there into a small app you can run on your desktop.

One thing to note: Most of the machines hitting us don't appear to be protected at all. You can access the drives remotely using 'backslash-backslash-ip' (eg: \\11.22.33.44) and most of them will show a list of shared directories, so it turns out that this worm is advertising open machines.

Just doing our part :)

Excellent, I have a few friends that are computer illiterate and think that a virus scanner and firewall are for paranoid people.
How I could have strangled them last night when they came screaming for help.
Your app may have come in handy, then they could sort it for themselves.

distortal
13-08-2003, 11:55
I've just got a jump in port 4444 scans, and for some reason I'm getting a lot of port 3's from a single IP and 62002's from another - anyone else seeing this?

distortal
13-08-2003, 11:58
Originally posted by BenH
I'm starting to feel a bit jealous, I've had none as of this morning. But then again I am behind layered firewalls beginning with a D-Link 614+ and ending with SuSE firewall.


In the router config, go to the Status tab, click on Log and then the grey Log Settings button. Tick all the checkboxes, enter smtp.ntlworld.com as the SMTP server and an email address in the other box. You should receive an email every time the log fills up - which it will. :D

BenH
13-08-2003, 12:38
Originally posted by distortal
In the router config, go to the Status tab, click on Log and then the grey Log Settings button. Tick all the checkboxes, enter smtp.ntlworld.com as the SMTP server and an email address in the other box. You should receive an email every time the log fills up - which it will. :D

One of the first things I did when I got the router, the only activity is when I either ssh into my box or connect via my handheld. No activity on ports 135 or 4444 what so ever.

Looks like I've beaten the odds so far on the probes, still I'll check again tonight and run netstat JIC

Regards,

Ben

hawkmoon
13-08-2003, 13:45
Originally posted by BenH
The principal problem with windows update is the sheer number of patches you need to install. Broadband is practically a requirement for XP users.

SuSE however, well look here:

http://www.suse.co.uk/uk/private/support/security/index.html

There have been 9 updates in the last five months, 10 if you include the kernel patch I'm expecting sometime today and is already available via YaST.

What more do I need to say?

Regards,

Ben

Well that is funny - Broadband was a requirement for both my Redhat and Mandrake installs. After install the first updates (security) added up to around 40 - 60Mb for each Distro!

Fine if you want to sit back being complacent thinking it will never happen to me - so be it.

This is the last I am going to say on the matter as it is clear that you seem to think you are invulnerable to any exploit or virus!

distortal
13-08-2003, 13:45
I'm responding to 135 and 4444 with the messages so they don't appear in the router logs, but I'm getting loads of scans on port 3 which, according to GRC.com, is "compressnet, Compression Process". I seem to get a block of scans/attempts all from the same IPs, currently 80.0.190.120 and 80.1.192.146 - what the...?

BenH
13-08-2003, 14:18
Originally posted by hawkmoon

Fine if you want to sit back being complacent thinking it will never happen to me - so be it.

This is the last I am going to say on the matter as it is clear that you seem to think you are invulnerable to any exploit or virus!

Now you're putting words into my mouth. At no point have I said that I am invulnerable to exploits and viruses, at no point have I said that I am complacent. I am anything but and have just spent the morning updating several SuSE pro servers and one SLOX machine.

I have been saying that due to the nature by which Linux has been created and the security models used, that it offers far, far superior protection against viruses and has far fewer actually useful exploits than its competitor. You have been responding with inane statements and worthless generalities, at no time countering the points I raised.

Edit: For the spectators :) The 40 - 60 Meg downloads our helldesk slave is referring to include things such as an optimised kernel (20Megs easy), Product updates (not security related), Drivers that are not allowed to be commercially distributed (such as nVidia), Font packs (such as MS's) a few additional programs that they would have liked to include on the disks but left off by mistake or due to lack of space and updates and security patches for _every_ piece of software that the update manager can detect.

This doesn't even remotely compare with windows update which only offers critical fixes and MS only product updates, complete with altered EULA's.

Regards,

Ben

BenH
13-08-2003, 14:19
Originally posted by distortal
I'm responding to 135 and 4444 with the messages so they don't appear in the router logs, but I'm getting loads of scans on port 3 which, according to GRC.com, is "compressnet, Compression Process". I seem to get a block of scans/attempts all from the same IPs, currently 80.0.190.120 and 80.1.192.146 - what the...?

Anybody else waiting for the scream? :D

Regards,

Ben

duncant403
13-08-2003, 15:03
Originally posted by distortal
Is that today? Yesterday was extremely busy but this morning I'm down to 43 in the last hour.

No that was yesterday, between 1700 and 1800.

Shaun
13-08-2003, 15:40
Well between 14.36 and 15.36 I have had 56 on port 135 and I can't seem to get Kazaa Lite or Piolet to connect, but overnet seems to work fine. Do you think it could be connected?

keithwalton
13-08-2003, 15:48
well i'm glad now that i'm with an isp that knows what they are doing and not ntl, as soon as this virus started lurking its head my isp (plusnet) blocked the two ports involved on their end so that even vulnerable machines won't get infected as no data can get through. They then let us know that they had done this and recommended on getting the updates as well.

If anyone wants to move over to them now let me know as they do a referral scheme which gives you a discount off your bill for referring someone else to them :-)

K

Ps about linux, the reason you don't see many updates for them is because they update entire distros frequently, suse 8.2 is only a few months old 8.1 is less than a year old etc

distortal
13-08-2003, 15:55
Originally posted by BenH
Anybody else waiting for the scream? :D

Is there something I should know? :)

The program is available online btw:
http://www.tnk-bootblock.co.uk/prods/downloads/MasterBlaster.zip

Chimaera
13-08-2003, 17:38
Originally posted by distortal
Is that today? Yesterday was extremely busy but this morning I'm down to 43 in the last hour.

I've lost count of the number I've had - stopped counting at 50 (in 25 minutes). Have scanned my pc for viruses and it's ok, and have up to date McAfee - will that do? :confused:

hawkmoon
13-08-2003, 17:48
Originally posted by BenH


Edit: For the spectators :) The 40 - 60 Meg downloads our helldesk slave is referring to include things such as an optimised kernel (20Megs easy), Product updates (not security related), Drivers that are not allowed to be commercially distributed (such as nVidia), Font packs (such as MS's) a few additional programs that they would have liked to include on the disks but left off by mistake or due to lack of space and updates and security patches for _every_ piece of software that the update manager can detect.



If you take another read of what I wrote very carefully you will notice that I said that the 40-60Mb updates WERE SECURITY RELATED! The full update including non-security related came to over 150Mb! Oh and there was no optimized kernel included in those downloads.

Just for the record I do not do helpdesk. Not all support analysts are helpdesk. I am actually part of system services which looks after servers - no user interaction at all.

marcsparks2002
13-08-2003, 18:05
my mate had this last nite all sorted within a few minutes thanks to the valuable info here :D (well i had to sort it for him) all because he took his firewall off because it blocked him on msn what a dope:rolleyes: btw anyone know why i keep gettin icmp echo requests (ping) from an 81 range ip, had 7 today and about the same last nite ,zonealarm is showing them in the log ....atb marc

BenH
13-08-2003, 18:25
Originally posted by distortal
Is there something I should know? :)


Well your last post ended rather ominously, kind of 'the router has just burst into flames' ending :)



The program is available online btw:
http://www.tnk-bootblock.co.uk/prods/downloads/MasterBlaster.zip

Well Done!! Regrettably I'm severely allergic to VB :D

Regards,

Ben

BenH
13-08-2003, 19:27
Originally posted by hawkmoon
If you take another read of what I wrote very carefully you will notice that I said that the 40-60Mb updates WERE SECURITY RELATED! The full update including non-security related came to over 150Mb! Oh and there was no optimized kernel included in those downloads.


Then perhaps you should switch your distro. I had to do a clean install of SuSE 8.2 last week due to me rendering it unbootable playing about with the kernel. Install and update took me a total of 45 mins.

And again, I note that you are completely ignoring the points I raised in my previous posts.


Just for the record I do not do helpdesk. Not all support analysts are helpdesk. I am actually part of system services which looks after servers - no user interaction at all.

I can well imagine that they wouldn't let you interact with customers.

Maggy
13-08-2003, 19:33
Excuse me! Is this the thread for merged:W32 Blaster Virus? Only it's hard to tell due to the fact of you two being all macho about OS's. How about continuing this spat in private?

Thank you.

Incog.:cool:

DeadKenny
13-08-2003, 19:59
Originally posted by Lord Nikon
Plus when a new linux kernel is released, that is what it is... new

Looking at this recent exploit that has come to light...

Affected Versions....

NT 4 circa 1995?
Windows 2000 2000
Windows XP 2001
Windows 2003 2003

So the issue has existed for 8 years across 4 platforms..

How much legacy code do they blindly copy between versions?

If it ain't broke don't fix it... well until someone spots the flaw 8 years down the line ;).

I get extremely concerned about the number of kernel updates with Linux (many security related, especially the ICMP flaw). This is the core of the operating system and should be solid and stable with no need to update on a regular basis. What's so cool about having a "new" kernel all the time? I update a lot of stuff on RedHat without worrying too much, but the kernel updates I investigate thoroughly just to see what's been changed.

That's what I like about the NT line of Windows. It's still good old solid NT kernel underneath that I can trust and each version builds on its core stability. The bugs are all with the add-ons. Sure, they are considered "part" of the OS because Microsoft wrote them all (or at least bought the companies that did ;)). It's no different with Linux apart from who "owns" what. It's still a core kernel and OS and then other apps on top.

As a developer in a commercial environment, I hate open-source. It really slows down the development process and you end up fixing everyone else's bugs just to get things working, which ultimately costs the company more in man-hours. I've experienced this a lot and I'd much rather the company pays for a commercial product, thoroughly tested by professionals, with certification and decent QA (rather than testing by 1000s of 12 year olds who don't have huge salaries and a job at stake as their incentive to ensure quality ;)

DeadKenny
13-08-2003, 20:05
Originally posted by Incognitas
Excuse me! Is this the thread for merged:W32 Blaster Virus? Only it's hard to tell due to the fact of you two being all macho about OS's. How about continuing this spat in private?



It happens every time a security flaw occurs in Windows.

I use Windows (NT,2k,XP), Linux, Solaris and AIX, and they all have their flaws including security flaws. I know which I prefer, but that's my preference. However you won't find Windows users getting smug about their OS every time a security hole is found in Linux.

Just the way it is really. Bill has made a heck of a lot of money, many of us have nicely paid jobs thanks to him, and I guess some people can't accept that.

:shrug:

darant
13-08-2003, 20:08
Originally posted by DeadKenny
It happens every time a security flaw occurs in Windows.

I use Windows (NT,2k,XP), Linux, Solaris and AIX, and they all have their flaws including security flaws. I know which I prefer, but that's my preference. However you won't find Windows users getting smug about their OS every time a security hole is found in Linux.

Just the way it is really. Bill has made a heck of a lot of money, many of us have nicely paid jobs thanks to him, and I guess some people can't accept that.

:shrug:

Well done that man. Well, Bill pays my wages and we also get hit by the same things as everyone else here. Viral etc. As I said before, everything is open to exploitation whether it be Microsoft, Linux, Solaris.

Ramrod
13-08-2003, 20:09
Originally posted by Chimaera
Have scanned my pc for viruses and it's ok, and have up to date McAfee - will that do? :confused:

Hope so, that's what I've got:D
....you do have McAfee firewall as well?

hawkmoon
13-08-2003, 20:11
Originally posted by BenH
Then perhaps you should switch your distro. I had to do a clean install of SuSE 8.2 last week due to me rendering it unbootable playing about with the kernel. Install and update took me a total of 45 mins.

And again, I note that you are completely ignoring the points I raised in my previous posts.



I can well imagine that they wouldn't let you interact with customers.

Can you keep the personal insults out of this please.

What my job entails and whether I am good at customer care / services is not really any of your business. I have done low level tech support and worked my way up to a more senior position with a very good proven track record.

Plus trying to cast aspersions on my abilities is not the best way to win an argument - as they say those who resort to insults tend to have lost the argument.

Yes I am ignoring the points as I just don't desire to argue with you about how perfect Linux is anymore! It is getting very boring.

Ramrod
13-08-2003, 20:12
Originally posted by Incognitas
Excuse me! Is this the thread for merged:W32 Blaster Virus? Only it's hard to tell due to the fact of you two being all macho about OS's. How about continuing this spat in private?

Thank you.

Incog.:cool:

Absa-fu*kin-lutely:D

hawkmoon
13-08-2003, 20:14
Originally posted by Incognitas
Excuse me! Is this the thread for merged:W32 Blaster Virus? Only it's hard to tell due to the fact of you two being all macho about OS's. How about continuing this spat in private?

Thank you.

Incog.:cool:

Sorry Incog - didn't really mean to drag this into a Win v Linux war.

I just get a little sick and tired of fixing problems by those who have got complacent and think that nothing serious will happen to them, regardless of whether they run Win, Unix, BSD-based or Linux.

hawkmoon
13-08-2003, 20:20
Originally posted by darant
Well done that man. Well, Bill pays my wages and we also get hit by the same things as everyone else here. Viral etc. As I said before, everything is open to exploitation whether it be Microsoft, Linux, Solaris.

This is what I have been trying to say.

Trust me I am not a foaming at the mouth Windows can do no wrong devotee - I know it has major flaws, just as all OS's have.

I obviously made a mistake and took the bait - and for that I apologize to everyone else on this thread. :o

This is definitely the last I am going to say on the matter.

hawkmoon
13-08-2003, 20:34
Right back on topic - sort of anyway.

I hope the majority of you have patched yourselves now.

The same exploit that the blaster virus uses can also be used by a third party to open a remote desktop session - once they have changed the password for the admin account (which is another reason why you should rename the default admin account).

Also the next gen of RPC exploit viruses will have much more devastating payloads - although this one will very likely hit MS pretty hard.

danielf
13-08-2003, 20:44
It's still going like crazy. I consistently get about 20 in ten minutes. I am very happy with my router ;)

BenH
13-08-2003, 20:51
Originally posted by DeadKenny
I get extremely concerned about the number of kernel updates with Linux (many security related, especially the ICMP flaw). This is the core of the operating system and should be solid and stable with no need to update on a regular basis. What's so cool about having a "new" kernel all the time? I update a lot of stuff on RedHat without worrying too much, but the kernel updates I investigate thoroughly just to see what's been changed.


The kernel is under constant development 24 hours a day; as a result the development cycle is way, way faster than a commercial program, hence there can be 2 kernels released in a single week. However you do not have to install them or even patch them. One of our Postgre servers is still running on 2.4.6/SuSE 7.3 without any stability problems and has been running non-stop since it was turned on 18 months ago.



That's what I like about the NT line of Windows. It's still good old solid NT kernel underneath that I can trust and each version builds on its core stability. The bugs are all with the add-ons. Sure, they are considered "part" of the OS because Microsoft wrote them all (or at least bought the companies that did ;)). It's no different with Linux apart from who "owns" what. It's still a core kernel and OS and then other apps on top.


Solid, Stable, Trust and NT do not belong in the same sentence. NT is essentially a fancy microkernel similar to the Hurd, Linux is monolithic. Monolithic kernels are inherently stable due to the lack of intercommunication between the processes. Sure they've come a long way from NT4 to NT5.1, but the uptimes don't even begin to compare.

Also you've failed to say why MS marketing department (which let's face it is the real success of the company) had NT 5 renamed to 2000...



As a developer in a commercial environment, I hate open-source. It really slows down the development process and you end up fixing everyone else's bugs just to get things working, which ultimately costs the company more in man-hours. I've experienced this a lot and I'd much rather the company pays for a commercial product, thoroughly tested by professionals, with certification and decent QA (rather than testing by 1000s of 12 year olds who don't have huge salaries and a job at stake as their incentive to ensure quality ;)

And here we come to the rub, let me guess, you're a .NET developer. The same .NET that Gartner pointed out was a huge security nightmare.

Well I'm also a developer, mainly for 8 and 16 bit microprocessors using C and ASM for R&D companies and I can categorically state that open source software is by far superior to its closed source equivalent. GCC and GDB are frikkin godsends (and this is from an Atheist). OOo outperforms Office without breaking a sweat. MySQL and Postgre walk all over SQL Server because they actually follow the ANSI standards, likewise with Mozilla and likely Chandler. A couple of months back I saved an art department £30K by showing them the GIMP for 15 mins rather than Photoshop. Heck you can now even get groupware free thanks to skyrix from http://opengroupware.org . Apache runs some 60+% of the world's webservers, compared to IIS 30%. The list goes on and on.

As for your claims of testing, well I guess you never heard of the OSDL? Or the way IBM, Oracle, Novell, SUN et al are fully behind linux and do a lot of the testing in conjunction with the major distros. In fact the only major software company that isn't backing Linux is your paymaster. They're too busy being afraid of it and using others to spread FUD.

The only 12 year olds writing wild code are the script kiddies making your paymaster's customers/victims life unpleasant. :)

Regards,

Ben

BenH
13-08-2003, 20:57
Originally posted by hawkmoon
Can you keep the personal insults out of this please.

What my job entails and whether I am good at customer care / services is not really any of your business. I have done low level tech support and worked my way up to a more senior position with a very good proven track record.

Plus trying to cast aspersions on my abilities is not the best way to win an argument - as they say those who resort to insults tend to have lost the argument.

Yes I am ignoring the points as I just don't desire to argue with you about how perfect Linux is anymore! It is getting very boring.

So in other words, you cannot give any intelligent counters to the points I raised, I'm a nasty horrible person, and you're running away.

How very irritating, as I would like to know where I said that Linux was perfect, but I would guess that you would have ignored that as well and continue whining about how horrible a person I am.

BenH
13-08-2003, 21:03
Originally posted by Incognitas
Excuse me! Is this the thread for merged:W32 Blaster Virus? Only it's hard to tell due to the fact of you two being all macho about OS's. How about continuing this spat in private?

Thank you.

Incog.:cool:

It's a continuation of a thread from about 2 merges ago.

My apologies for the amount of noise it's generating, it's just that I do not like to see people post half truths and overgeneralisations, and then to walk away from it without backing up their statements in detail.

If it bothers you that much then you can request the intervention of a Moderator or killfile a poster from your control panel.

Regards,

Ben

Maggy
13-08-2003, 21:12
So why is W32 Blaster Virus the main part of the thread title?:shrug:

Incog :cool:

BenH
13-08-2003, 21:16
Originally posted by DeadKenny
However you won't find Windows users getting smug about their OS every time a security hole is found in Linux.


They'll be dancing in their seats if a far ranging exploitable hole is ever uncovered and then takes days rather than the customary hours for a patch to be released.

Now for a little fact. As a direct result of the open source model that you're so scornful of, patches for security exploits are released an average of 6 - 10 times faster than the windows equivalent.


Just the way it is really. Bill has made a heck of a lot of money, many of us have nicely paid jobs thanks to him, and I guess some people can't accept that.

:shrug:


I can fully accept that Bill, Paul and Steve have made an astounding amount of money. They are true icons of the capitalist system that I support. Despite their desire for communism in the computer market.

I can also accept as a direct result of Microsoft's anti competitive and anti capitalist corporate policy that they've held the computer industry back by about 10 years.

I can also accept that like with all technology, windows and Microsoft's time is coming to an end with the advent of something new and better, called GNU/Linux.

And I can also accept that in about 20 - 30 years from now, GNU/Linux time would have passed and something else will take its place. Probably based on the OS model, possibly not.

The real problem is the people who can not and will not accept that. But I have no doubt that the market will provide for them :shrug:

Regards,

Ben

DeadKenny
13-08-2003, 21:16
Originally posted by BenH
And here we come to the rub, let me guess, you're a .NET developer. The same .NET that Gartner pointed out was a huge security nightmare.


You guessed wrong ;)

The company I work for writes enterprise level software with a large emphasis on portable code in strict C++ (mainly using the raw language and STL), that runs under both unix and Windows (NT line) operating systems. There's no hint of .Net in there and there's not likely to be with the current business strategy. The back-end (majority of the software) is completely platform independent and the UI is a split between platform independent web server code (runs on any web server, CGI based XML/XSL transform engine) and a Windows specific user application.

We're talking mission critical here in some cases which is why we have no customers requesting linux support. All the unix platforms are Solaris, AIX, HP-UX, etc. Windows platforms are server level (2000, 2003 server, clusters, etc). Client side is partly whatever runs a browser (yes, we support Mozilla), and 2k/XP for the Windows app.

We have a strict rule of keeping 3rd party software to a minimum because of the support nightmare we have with them. Open source software has cost a fortune due to the complexities of getting their software fixed. They won't fix it, and why should they when we didn't pay for it and they're not getting paid either, so they expect us to fix it. Commercial software we've used comes with a maintenance contact, one call and a bunch of enthusiastic well paid developers get on the case and a fix can arrive next day. Same with Microsoft if you pay them enough on support, but consider how much it costs a highly paid developer to waste time trying to fix it themselves over many months (trust me, I've suffered the pain).


Gimp vs Photoshop... https://www.cableforum.co.uk/images/local/2003/09/4.gif

Apart from Photoshop not being specifically "Windows", even Mac users would disagree that Gimp is the choice over Photoshop :D.

Though obviously if they're using Photoshop for way under what it's designed for, then there's a cost saving but the same could be said of picking 'Paint' over Photoshop (or even PaintShopPro). All depends what you're using it for, but it's not a fair comparison.


Also you've failed to say why MS marketing department (which let's face it is the real success of the company) had NT 5 renamed to 2000...


Who cares? It's marketing, and an inspired choice. It sold more software and makes me more money. I'd have a much harder time (and be worse off) working for a linux blinkered company rather than one who embraces all operating systems and doesn't have it in for anything "Microsoft".

BenH
13-08-2003, 21:20
Originally posted by Incognitas
So why is W32 Blaster Virus the main part of the thread title?:shrug:

Incog :cool:

It started out as RPC/Reboot virus. One of the mods quipped how smug and safe he felt behind his mandrake 9.1 (a very, very newbie friendly distro available for download if you're interested) and it all started from there.

Regards,

Ben

DeadKenny
13-08-2003, 21:23
Originally posted by BenH
I can also accept as a direct result of Microsoft's anti competitive and anti capitalist corporate policy that they've held the computer industry back by about 10 years.


Don't really agree with that. We'd all be bearded sandal wearing freaks still typing obscure command lines if it wasn't for Microsoft.

It's quite funny the split between the unix lovers and microsoft lovers in our company. One bunch are obsessed with cryptic commands that no one else understands, and the others wouldn't touch a command prompt with a barge pole :D. Still, we're learning off each other and I have to say the unix bunch are adopting a few MS things... because in some cases it makes life a little easier, which is what MS are about. Since adopting unix, many of the MS fans are far more aware of unix and its role in the industry.

There's a place for both, and the sooner we get off the smug "linux doesn't have this problem... so, ner!" attitudes the faster the industry can get on and evolve (I'm still waiting for the day a linux magazine manages to go one single issue without taking a swipe at Microsoft and actually getting down to something constructive).

Maggy
13-08-2003, 21:25
time to unsubscribe.

Incog.:td:

hawkmoon
13-08-2003, 21:35
Originally posted by BenH
So in other words, you cannot give any intelligent counters to the points I raised, I'm a nasty horrible person, and you're running away.



No - I just no longer want to argue with a person who questions others abilities and insults them (as you are trying to do again here) to try and prove they are right.

If you do a little research you will see that there are pretty far ranging exploits on pretty much all OS's and many different open and closed source software products.

One pretty serious vulnerability was with SSH and an exploit that would allow a 3rd party to run code with the same privileges as the ssh process.

How about one that affected the Sun RPC XDL library that could lead to the running of arbitrary code.

I suggest you take a look at somewhere like the CVE or CERT a little more often.

Now this is the last I am saying on this as everyone on this thread is getting bored with this, as am I.

hawkmoon
13-08-2003, 21:38
Originally posted by Incognitas
time to unsubscribe.

Incog.:td:

Sorry Incog - didn't intend this to happen.

grum1978
13-08-2003, 21:42
:notopic:

Can we please try and keep this on topic as it is an important and informative thread at the moment

I don't think people should have to go through pages of off topic remarks as the thread is getting big enough as it is :)

hawkmoon
13-08-2003, 21:43
Originally posted by DeadKenny


It's quite funny the split between the unix lovers and microsoft lovers in our company. One bunch are obsessed with cryptic commands that no one else understands, and the others wouldn't touch a command prompt with a barge pole :D. Still, we're learning off each other and I have to say the unix bunch are adopting a few MS things... because in some cases it makes life a little easier, which is what MS are about. Since adopting unix, many of the MS fans are far more aware of unix and its role in the industry.

There's a place for both, and the sooner we get off the smug "linux doesn't have this problem... so, ner!" attitudes the faster the industry can get on and evolve (I'm still waiting for the day a linux magazine manages to go one single issue without taking a swipe at Microsoft and actually getting down to something constructive).

Hear, hear - I totally agree.

We have Unix, Linux, Win and a few Macs for page layout, oh and a couple of BSD based equalizers for the website in our network, and the two camps are very slowly starting to mellow to each other as they start learning about the other platforms.

ps. This is definitely my last post - as if this continues I'm certain the mods will close the thread.

DeadKenny
13-08-2003, 21:47
https://www.cableforum.co.uk/images/local/2003/08/3.gif I'll stop now.

BenH
13-08-2003, 21:47
Originally posted by DeadKenny
You guessed wrong ;)

We're talking mission critical here in some cases which is why we have no customers requesting linux support. All the unix platforms are Solaris, AIX, HP-UX, etc. Windows platforms are server level (2000, 2003 server, clusters, etc). Client side is partly whatever runs a browser (yes, we support Mozilla), and 2k/XP for the Windows app.


Interesting, and a little surprised that you're not using Bison++. But not at all surprised that no one's requesting linux support. It's a technology that's coming rather than here. Hence the reason Merrill Lynch has it running on VMware and waiting for the release of 2.6 before deploying it fully. Likewise with the French and German governments



We have a strict rule of keeping 3rd party software to a minimum because of the support nightmare we have with them. Open source software has cost a fortune due to the complexities of getting their software fixed. They won't fix it, and why should they when we didn't pay for it and they're not getting paid either, so they expect us to fix it. Commercial software we've used comes with a maintenance contact, one call and a bunch of enthusiastic well paid developers get on the case and a fix can arrive next day. Same with Microsoft if you pay them enough on support, but consider how much it costs a highly paid developer to waste time trying to fix it themselves over many months (trust me, I've suffered the pain).


Nice, if you're developing a new product from scratch with only a speculative market and minimal funding, then MS and other closed source vendors couldn't care less so you have to do it yourself, which is impossible with closed source software.

As for the problems with open software, did it never occur to you to pay the developer a few thousand to fix your problems. It's how we got the load balancing program for our thin client solution.


Gimp vs Photoshop... https://www.cableforum.co.uk/images/local/2003/09/4.gif

Apart from Photoshop not being specifically "Windows", even Mac users would disagree that Gimp is the choice over Photoshop :D.

Though obviously if they're using Photoshop for way under what it's designed for, then there's a cost saving but the same could be said of picking 'Paint' over Photoshop (or even PaintShopPro). All depends what you're using it for, but it's not a fair comparison.


There are apparently things that the GIMP can do that photoshop can't and vice versa. I don't know art software or what they were using it for. Hell I was literally asked 4 hours before they had to make the decision, still the GIMP, currently running under windows but will be switched to linux met their requirements and made them very happy.

Also you've failed to say why MS marketing department (which let's face it is the real success of the company) had NT 5 renamed to 2000...

Who cares? It's marketing, and an inspired choice. It sold more software and makes me more money.


Good for you, and the answer is because of the utter mess that is NT4. MS Marketing decided to rename it 2000 (like Windscale became Sellafield). They still had, and have still lousy sales. Hence the reason to go ahead with license 6 and why Linux is picking up their losses.

Regards,

Ben

BenH
13-08-2003, 21:58
Originally posted by hawkmoon
No - I just no longer want to argue with a person who questions others abilities and insults them (as you are trying to do again here) to try and prove they are right.


Actually if I wanted to insult you I'd be going for the throat, like your website. At the moment I just want to make sure you don't have the last word.


If you do a little research you will see that there are pretty far ranging exploits on pretty much all OS's and many different open and closed source software products.


I know this, I have told you I know this and given you reasons to why Linux is more secure, which you have ignored to continue repeating the above like a mantra.


One pretty serious vulnerability was with SSH and an exploit that would allow a 3rd party to run code with the same privileges as the ssh process.


There are two exploits still for this, neither are publicly known and work is being done to resolve them, and you do not have to have a ssh server running on a linux or unix box, nor a telnet or web or ftp. NONE are enabled by default.



How about one that affected the Sun RPC XDL library that could lead to the running of arbitrary code.


Could and Might play a large part in your vocab don't they.


I suggest you take a look at somewhere like the CVE or CERT a little more often.


I do, difference is that I understand them and the threat that they pose to my machines. As I said to deadkenny, $100,000 prize if you can break the firewall that we use.



Now this is the last I am saying on this as everyone on this thread is getting bored with this, as am I.

You've already said this once.

BenH
13-08-2003, 22:00
Originally posted by grum1978
:notopic:

Can we please try and keep this on topic as it is an important and informative thread at the moment

I don't think people should have to go through pages of off topic remarks as the thread is getting big enough as it is :)

:eeek: sorry missed this.

By your command.

:D

homealone
13-08-2003, 22:00
I've had 156 hits on 135 since 18.30 & 15 on 445

BenH
13-08-2003, 22:18
Originally posted by homealone
I've had 156 hits on 135 since 18.30 & 15 on 445

Still no hits here. I was playing about with a 2k machine earlier today using zone alarm as a firewall. I activated the stealth option and that seemed to dramatically reduce the number of hits.

Perhaps worth a try.

Best,

Ben

ian@huth
13-08-2003, 22:48
Originally posted by BenH
Still no hits here. I was playing about with a 2k machine earlier today using zone alarm as a firewall. I activated the stealth option and that seemed to dramatically reduce the number of hits.

Perhaps worth a try.

Best,

Ben

Lol. If an unprotected system gets infected and tries to infect yours it will not know whether you have a firewall or not. All you can do is prevent hits from getting through your firewall, not prevent them from hitting it.

carlingman
13-08-2003, 22:53
Related note.

As I have the alerts turned off in Zone Alarm and usually just let it do its job etc.

Where can you see the port number the hits are attacking.

ian@huth
13-08-2003, 22:58
Originally posted by carlingman
Related note.

As I have the alerts turned off in Zone Alarm and usually just let it do its job etc.

Where can you see the port number the hits are attacking.

I use a program called Visual Zone which is free from

http://visualize.phenominet.com/

Try it, you'll like it.

danielf
13-08-2003, 22:59
Originally posted by carlingman
Related note.

As I have the alerts turned off in Zone Alarm and usually just let it do its job etc.

Where can you see the port number the hits are attacking.

Not quite sure if this is what you're after, but under 'alerts' you have the option of showing the popup window, or logging alerts to a file. Enable either.

carlingman
13-08-2003, 23:06
Thx people but have turned off the alert pop ups as it gets quite annoying but however found if i look at the alerts in zone alarm the bottom box shows the port.

Only had 10 or so in the last couple of hours so not too bad.

Ramrod
13-08-2003, 23:10
Originally posted by Incognitas
So why is W32 Blaster Virus the main part of the thread title?:shrug:

Incog :cool:

Fu*k knows....this thread's got nothing to do with it:shrug: :(

Ramrod
13-08-2003, 23:12
Originally posted by ianathuth
I use a program called Visual Zone which is free from

http://visualize.phenominet.com/

Try it, you'll like it.

McAfee firewall does much the same:)

ian@huth
13-08-2003, 23:18
Originally posted by carlingman
Thx people but have turned off the alert pop ups as it gets quite annoying but however found if i look at the alerts in zone alarm the bottom box shows the port.

Only had 10 or so in the last couple of hours so not too bad.

If you load Visual Zone you can keep the popups turned off. Visual Zone just takes the log file from Zone Alarm and produces a much better and more detailed report. Just leave its icon sitting in the system tray and use it to open visual zone up every now and then to see what is happening. Mine is showing over a thousand hits of various types today. You can rearrange the output in many ways and call up attack details on each attack including whois and location of attacker. Go on and give it a try.
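
The kind of log summary described above, as an added example that is not part of any poster's message and is not Visual Zone's or ZoneAlarm's code: a Python sketch that tallies blocked inbound TCP hits on ports 135 and 445, the two ports reported earlier in the thread. The comma-separated log layout, the function names and every address in the sample are constructed assumptions, not ZoneAlarm's actual log format.

```python
from collections import Counter, defaultdict

# Ports reported in the thread: 135 (RPC endpoint mapper) and 445 (SMB).
WATCH_PORTS = (135, 445)

# Constructed sample data. Assumed layout of each line:
#   direction,date,time,source[:port],destination[:port],protocol
SAMPLE_LOG = """\
FWIN,2003/08/13,18:31:02,198.51.100.7:3312,192.168.0.2:135,TCP
FWIN,2003/08/13,18:31:40,198.51.100.7:3313,192.168.0.2:135,TCP
FWIN,2003/08/13,18:33:15,203.0.113.44:1190,192.168.0.2:445,TCP
FWIN,2003/08/13,18:35:09,203.0.113.90,192.168.0.2,ICMP
FWOUT,2003/08/13,18:36:00,192.168.0.2:1045,192.0.2.53:53,UDP
FWIN,2003/08/13,18:40:27,203.0.113.44:1191,192.168.0.2:135,TCP
this line is truncated,
FWIN,2003/08/13,18:52:03,198.51.100.23:4021,192.168.0.2:135,TCP
"""


def split_endpoint(text):
    """Split 'addr:port' into (addr, port); port is None when absent (ICMP)."""
    text = text.strip()
    addr, sep, port = text.rpartition(":")
    if not sep:
        return text, None
    if not addr or not port.isdigit():
        raise ValueError(f"bad endpoint: {text!r}")
    return addr, int(port)


def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 6 or fields[0] not in ("FWIN", "FWOUT"):
        return None
    try:
        src, src_port = split_endpoint(fields[3])
        dst, dst_port = split_endpoint(fields[4])
    except ValueError:
        return None
    return {
        "direction": fields[0],
        "date": fields[1],
        "time": fields[2],
        "src": src,
        "src_port": src_port,
        "dst": dst,
        "dst_port": dst_port,
        "proto": fields[5].upper(),
    }


def summarise(log_text, watch_ports=WATCH_PORTS):
    """Count blocked inbound TCP hits per watched port and list their sources."""
    hits = Counter()
    sources = defaultdict(set)
    first_seen = {}
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep a count so damaged logs are noticed
            continue
        if rec["direction"] != "FWIN" or rec["proto"] != "TCP":
            continue              # outbound traffic and ICMP pings are not counted
        port = rec["dst_port"]
        if port in watch_ports:
            hits[port] += 1
            sources[port].add(rec["src"])
            first_seen.setdefault(port, rec["time"])
    return {
        "hits": {p: hits[p] for p in watch_ports},
        "sources": {p: sorted(sources[p]) for p in watch_ports},
        "first_seen": first_seen,
        "skipped": skipped,
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for port in WATCH_PORTS:
        print(f"port {port}: {result['hits'][port]} hits from "
              f"{len(result['sources'][port])} sources, "
              f"first at {result['first_seen'].get(port, 'n/a')}")
    print(f"unparseable lines: {result['skipped']}")
```

A single source that appears against both ports, like the constructed 203.0.113.44 here, is the pattern to look for when deciding which neighbours on the network are likely infected rather than merely noisy.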

homealone
13-08-2003, 23:19
Originally posted by BenH
Still no hits here. I was playing about with a 2k machine earlier today using zone alarm as a firewall. I activated the stealth option and that seemed to dramatically reduce the number of hits.

Perhaps worth a try.

Best,

Ben

Thanks Ben

sorry - I should have said attempted hits - I'm behind a NAT router & was just relaying my log results. :)

I do, also run Zone Alarm Pro - which, so far shows no activity. :cool:

Gaz

carlingman
13-08-2003, 23:39
Originally posted by ianathuth
If you load Visual Zone you can keep the popups turned off. Visual Zone just takes the log file from Zone Alarm and produces a much better and more detailed report. Just leave its icon sitting in the system tray and use it to open visual zone up every now and then to see what is happening. Mine is showing over a thousand hits of various types today. You can rearrange the output in many ways and call up attack details on each attack including whois and location of attacker. Go on and give it a try.

Thx for that, where do i find this visual zone ??

Running ZA Pro Version 3.5.169.002

Thx again.

homealone
13-08-2003, 23:50
Originally posted by carlingman
Thx for that, where do i find this visual zone ??

Running ZA Pro Version 3.5.169.002

Thx again.

http://www.visualizesoftware.com/

latest ZoneAlarm Pro is 4.0.123.012

ian@huth
13-08-2003, 23:51
Originally posted by carlingman
Thx for that, where do i find this visual zone ??

Running ZA Pro Version 3.5.169.002

Thx again.

http://visualize.phenominet.com/


EDIT. Homealone beat me to it. Both addresses lead to same info.

homealone
13-08-2003, 23:58
Originally posted by ianathuth
http://visualize.phenominet.com/


EDIT. Homealone beat me to it. Both addresses lead to same info.

lol

gotta say that for peeps with Linksys routers the logviewer

here (http://home.debitel.net/user/svenschaef/logview/)

is excellent - it gives you something to look at when nothing gets through to Zone Alarm!

Gaz:)

danielf
14-08-2003, 00:09
Originally posted by homealone
lol

gotta say that for peeps with Linksys routers the logviewer

here (http://home.debitel.net/user/svenschaef/logview/)

is excellent - it gives you something to look at when nothing gets through to Zone Alarm!

Gaz:)

Funny you should mention that. I just decided to upgrade to the latest version of zonealarm, and I spent the last half hour or so trying to get logviewer to work again. The logs just aren't coming through, even though I gave it server rights. (and it was working fine before I upgraded zonealarm) :mad: :confused:

Edit: and the attacks are coming through to logviewer the moment I switch zonealarm off...

homealone
14-08-2003, 00:14
Originally posted by danielf
Funny you should mention that. I just decided to upgrade to the latest version of zonealarm, and I spent the last half hour or so trying to get logviewer to work again. The logs just aren't coming through, even though I gave it server rights. (and it was working fine before I upgraded zonealarm) :mad: :confused:

u using version 1.57 of logviewer? Maybe try uninstall & re-install?

i.e. I had upgraded Zone Alarm before I installed Logviewer?

Mine is set at ask for access & def no server?

danielf
14-08-2003, 00:22
Originally posted by homealone
u using version 1.57 of logviewer? Maybe try uninstall & re-install?

Mine is set at ask for access & def no server?

I actually downloaded it today. Have tried uninstall/reinstall, uninstall and reboot before reinstall. etc. I'm probably overlooking something silly here, but it's not working, and the moment I switch off zonealarm, it's showing the logs... Maybe the new version of zonealarm?

edit: Using version 3.0 of logviewer

homealone
14-08-2003, 00:29
Originally posted by danielf
I actually downloaded it today. Have tried uninstall/reinstall, uninstall and reboot before reinstall. etc. I'm probably overlooking something silly here, but it's not working, and the moment I switch off zonealarm, it's showing the logs... Maybe the new version of zonealarm?

edit: Using version 3.0 of logviewer

we could actually be talking about different programs with the same / similar name?

The one I'm running is at the link

http://home.debitel.net/user/svenschaef/logview/

- what's yours? :)

Gaz

danielf
14-08-2003, 00:40
Originally posted by homealone
we could actually be talking about different programs with the same / similar name?

The one I'm running is at the link

http://home.debitel.net/user/svenschaef/logview/

- what's yours? :)

Gaz

Lol. Mine's from linksys, and it's called logviewer as well. Seeing you mentioned people with Linksys routers... :D.
Anyway I see yours is for Norton Internet Security, which I don't use. Just keep mucking about I guess. I'm sure I will press the right button at some point ;)

homealone
14-08-2003, 00:46
Originally posted by danielf
Lol. Mine's from linksys, and it's called logviewer as well. Seeing you mentioned people with Linksys routers... :D.
Anyway I see yours is for Norton Internet Security, which I don't use. Just keep mucking about I guess. I'm sure I will press the right button at some point ;)

Check out the d/l from my link - it does work with Linksys routers ( well my BEFSR41 anyway) as an SNMP logging client - much better than the Linksys log viewer- graphs, tracerts, whois - give it a go?

Gaz

danielf
14-08-2003, 00:49
Originally posted by homealone
Check out the d/l from my link - it does work with Linksys routers ( well my BEFSR41 anyway) as an SNMP logging client - much better than the Linksys log viewer- graphs, tracerts, whois - give it a go?

Gaz

Doing that right now. Sounds good.

Cheers,

Daniel

zoombini
14-08-2003, 10:26
It has been suggested that although this is a virus/worm it's not too bad really.

What's it do, shut down your Windows pc & popup a few messages, anything else?

AFAIKR it does not harm any data.
It appears it is only an attempt by someone who has found a flaw in the system to get MS to do something about it, not by telling them directly and getting ignored but publicly?

I think we should be thankful the person who did this was not malicious.

At the same time it is able to make people more aware of the need to run firewalls, as that's what will be likely advised when they talk to someone more informed about PC's or get information on removing it. Hopefully this will also remove the consequences of what it has done in telling everyone else that they are unprotected.

Although behind adequate firewall protection myself, some of the people that I know had it. Hopefully not too many people will format their PC in an attempt to remove it.

Lord Nikon
14-08-2003, 10:57
Looks like a new variant - MSBlaster, which is set to initiate a Denial of service attack on windowsupdate.com this Saturday

Thing is... MS's update site is windowsupdate.microsoft.com so they messed up slightly, presumably MS will redirect the windowsupdate.com to 127.0.0.1 or something in the DNS tables so the attack will do nothing.


Hopefully.... Still, this is MS we are talking about so.....

trebor
14-08-2003, 13:38
the worm has the ability to execute any command on the pc
how about a quick format that wouldn't do your data much good.
as it is the worm is coded to just issue the shutdown command
but it could get a lot worse.
also the port hits on 135 are not getting any less, I'm up to 157 today so there are still a lot of unpatched PCs out there

danielf
14-08-2003, 13:43
Originally posted by trebor
the worm has the ability to execute any command on the pc
how about a quick format that wouldn't do your data much good.
as it is the worm is coded to just issue the shutdown command
but it could get a lot worse.
also the port hits on 135 are not getting any less, I'm up to 157 today so there are still a lot of unpatched PCs out there

One thing I was wondering. Having the worm shut down the pc doesn't help its propagation. Apparently, the author isn't out to cause major damage (even to Microsoft), or am I overlooking something?

hawkmoon
14-08-2003, 13:47
Originally posted by BenH
Actually if I wanted to insult you I'd be going for the throat, like your website. At the moment I just want to make sure you dont have the last word.



FFS just grow up and act a little more mature.

There are reasons why I ignored your posts mainly because I don't want to get into an argument about whether Linux is better than Windows or not - personally I don't care.

Yes I keep mentioning about exploits because you seem to be so taken up with your own abilities that it is bordering on arrogance.

As for could and might - well that is not my vocabulary, but that of the people that issue the advisories. If you don't like it then take it up with them.

As I said before, please refrain from trying to belittle my comments by questioning my abilities - as I doubt that you are really impressing anyone with them and they are sadly very far from the truth.


To the Mods don't bother replying as I have got bored with this whole forum - delete this account as you see fit.

zoombini
14-08-2003, 14:24
Originally posted by trebor

but it could get a lot worse.


My point exactly... is this a simple "point" being made or a pre-emptive strike before the next version that does the damage?

Russ
14-08-2003, 14:37
Originally posted by hawkmoon
delete this account as you see fit.

No need - everyone just step back and take a breather please.

basa
14-08-2003, 14:41
Originally posted by trebor
the worm has the ability to execute any command on the pc
how about a quick format that wouldn't do your data much good.
as it is the worm is coded to just issue the shutdown command
but it could get a lot worse.
also the port hits on 135 are not getting any less, I'm up to 157 today so there are still a lot of unpatched PCs out there

The worm is not supposed to harm your PC but it is unstable and often terminates an important system process when you are online, this is why infected PCs restart after a couple of minutes online.

It is designed to send copies of itself to a range of IP addresses, starting in the same range as your own. If your IP address started with 81 for example, it would attempt to distribute itself around other people whose IP addresses also start with 81.

If it cannot send itself it basically crashes, which is why you see your PC restart. By this time though it has probably sent itself many times.

duncant403
14-08-2003, 14:50
Originally posted by basa
If it cannot send itself it basically crashes, which is why you see your PC restart. By this time though it has probably sent itself many times.

Sort of true. The worm contains the exploit code for both Win2K systems and WinXP systems - the two exploits are different. The worm (being incredibly badly written) has no way of working out whether the system it is running on is Win2K or WinXP and so runs one of the exploit codes randomly (I gather it's 60% XP code and 40% 2K code). If it runs the wrong code for your version of Windows, this causes a crash that results in the shutdown.

The worry is that a new variant of the worm will get written that does check the version of Windows you're running and so only run the correct exploit. This way you won't get the shutdowns - and so won't be aware you've got it...

distortal
14-08-2003, 15:03
http://msblast.cjb.net has received over a hundred visitors today despite not being promoted - it somehow found its way into Google et al within 24 hours.

I've updated the page with links to AV and FW sites, and mirrored the MS patches in case WindowsUpdate goes down under the weight of panicking users - hope NTL don't mind :)

basa
14-08-2003, 15:09
Originally posted by duncant403
<snip>The worry is that a new variant of the worm will get written that does check the version of Windows you're running and so only run the correct exploit. This way you won't get the shutdowns - and so won't be aware you've got it...

But you will be able to download the patch no problem !! :D :D

(Unless that gets blocked .. :eek: which would be a worry !)

Anyway, why should I worry, I'm using 98SE :D :D

basa
14-08-2003, 15:16
Originally posted by distortal
http://msblast.cjb.net has received over a hundred visitors today despite not being promoted - it somehow found its way into Google et al within 24 hours.

I've updated the page with links to AV and FW sites, and mirrored the MS patches in case WindowsUpdate goes down under the weight of panicking users - hope NTL don't mind :)

You could also add links to Avast! (http://www.avast.com/i_kat_67.html) AV (free and a good record) and Sygate (http://smb.sygate.com/products/spf_standard.htm) FW (also free and v good) ;) ;)

distortal
14-08-2003, 15:17
Originally posted by basa
You could also add links to Avast! (http://www.avast.com/i_kat_67.html) AV (free and a good record) and Sygate (http://smb.sygate.com/products/spf_standard.htm) FW (also free and v good) ;) ;)

Thanks - will add those shortly.
Edit: done.

SMHarman
14-08-2003, 16:03
Originally posted by trebor
the worm has the ability to execute any command on the pc
how about a quick format that wouldn't do your data much good.
as it is the worm is coded to just issue the shutdown command
but it could get a lot worse.
also the port hits on 135 are not getting any less, I'm up to 157 today so there are still a lot of unpatched PCs out there

I had 1600 in my ZA log from Tuesday and Wednesday, with it not looking like it was dropping off.

My PC is set to auto run windows update and had patched itself on 20 July. Cool.
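The port 135 hit counts being compared in these posts can be tallied straight from a firewall's text log. The following is an added example, not part of the original thread: it counts blocked inbound TCP hits on port 135 per day and per source, and how many came from a source sharing the first octet of the local address. The comma-separated line layout is an assumption modelled on ZoneAlarm's text log, and the sample lines and addresses are constructed.

```python
import csv
from collections import Counter

# Constructed sample lines. The layout
# (type,date,time,source:port,destination:port,transport) is an assumption
# modelled on ZoneAlarm's text log; adjust the column indexes for your log.
SAMPLE_LOG = """\
FWIN,2003/08/12,09:14:02 +1:00 GMT,203.0.113.55:3021,203.0.113.10:135,TCP (flags:S)
FWIN,2003/08/12,09:14:40 +1:00 GMT,203.0.113.77:1188,203.0.113.10:135,TCP (flags:S)
FWIN,2003/08/12,10:02:11 +1:00 GMT,198.51.100.9:4410,203.0.113.10:445,TCP (flags:S)
FWOUT,2003/08/12,10:05:00 +1:00 GMT,203.0.113.10:1040,192.0.2.80:80,TCP (flags:S)
FWIN,2003/08/13,18:30:59 +1:00 GMT,198.51.100.9:2200,203.0.113.10:135,TCP (flags:S)
FWIN,2003/08/13,18:31:07 +1:00 GMT,203.0.113.55:3090,203.0.113.10:135,TCP (flags:S)
PE,2003/08/13,18:40:00 +1:00 GMT,Internet Explorer,192.0.2.80:80,N/A
not a log line
"""


def split_endpoint(field):
    """Split 'a.b.c.d:port' into (ip, port); return None if malformed."""
    ip, sep, port = field.rpartition(":")
    if not sep or not port.isdigit() or ip.count(".") != 3:
        return None
    return ip, int(port)


def tally_port_hits(log_text, port=135):
    """Count blocked inbound TCP hits on `port`, per day and per source,
    plus how many sources share the destination's first octet."""
    per_day, per_source = Counter(), Counter()
    same_first_octet = 0
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 6 or row[0] != "FWIN":
            continue  # outbound traffic, program events, junk lines
        src, dst = split_endpoint(row[3]), split_endpoint(row[4])
        if src is None or dst is None or dst[1] != port:
            continue
        if not row[5].upper().startswith("TCP"):
            continue
        per_day[row[1]] += 1
        per_source[src[0]] += 1
        if src[0].split(".")[0] == dst[0].split(".")[0]:
            same_first_octet += 1
    return {
        "total": sum(per_day.values()),
        "per_day": dict(per_day),
        "per_source": per_source,
        "same_first_octet": same_first_octet,
    }


if __name__ == "__main__":
    report = tally_port_hits(SAMPLE_LOG)
    print(report["total"], report["per_day"], report["same_first_octet"])
    for ip, hits in report["per_source"].most_common(3):
        print(ip, hits)
```

A source that keeps reappearing from the same first octet as your own address fits the neighbour-first scanning described earlier in the thread.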

BenH
14-08-2003, 19:56
Originally posted by basa
The worm is not supposed to harm your PC but it is unstable and often terminates an important system process when you are online, this is why infected PCs restart after a couple of minutes online.

It is designed to send copies of itself to a range of IP addresses, starting in the same range as your own. If your IP address started with 81 for example, it would attempt to distribute itself around other people whose IP addresses also start with 81.

If it cannot send itself it basically crashes, which is why you see your PC restart. By this time though it has probably sent itself many times.

The actual payload of the worm isn't intended to do serious damage to your pc, rather it appears to be gearing up for a DDOS attack against windowsupdate on the 16th. However given the publicity surrounding MS Blaster, it appears that it has already happened by users updating :D

For those of you still without protection, try the technet site which has been distributing the patch for over a month, while windowsupdate was crippling the acrobat plugin for IE because of a highly theoretical exploit, oddly enough just as M$ own pdf plugin goes into late beta.

Regards,

Ben

BenH
14-08-2003, 19:58
Originally posted by distortal
http://msblast.cjb.net has received over a hundred visitors today despite not being promoted - it somehow found its way into Google et al within 24 hours.

I've updated the page with links to AV and FW sites, and mirrored the MS patches in case WindowsUpdate goes down under the weight of panicking users - hope NTL don't mind :)

I could always /. it for you. It'll be a good test of NTL's servers :devsmoke:

Regards,

Ben

distortal
14-08-2003, 21:09
Originally posted by BenH
I could always /. it for you. It'll be a good test of NTL's servers :devsmoke:

Regards,

Ben

Don't you dare! :) The single page is on my own server, not NTL, but SlashDot... oh man. I don't want the poor box to melt :)

homealone
14-08-2003, 21:30
Originally posted by danielf
Doing that right now. Sounds good.

Cheers,

Daniel

Hi danielf - how did it go with LogViewer?

- I only got it recently & have, so far, found it invaluable for following the traffic trying to probe my ports during the - continuing - blaster worm phenomenon. :)

:notopic: and 'cos it shows outbound stuff as well, you can see the connects when you do a normal port 80, as well - quite interesting when browsing forums ;)

BenH
14-08-2003, 21:41
Originally posted by distortal
Don't you dare! :) The single page is on my own server, not NTL, but SlashDot... oh man. I don't want the poor box to melt :)

A friend of mine was /.ed a few months back. We had to drag him out of the remnants of his server :D

danielf
14-08-2003, 22:07
Originally posted by homealone
Hi danielf - how did it go with LogViewer?

- I only got it recently & have, so far, found it invaluable for following the traffic trying to probe my ports during the - continuing - blaster worm phenomenon. :)

:notopic: and 'cos it shows outbound stuff as well, you can see the connects when you do a normal port 80, as well - quite interesting when browsing forums ;)

I tried it and liked it, but am back to the linksys logviewer again (which also shows outbound traffic). I think I prefer the simplicity of the linksys one (I haven't really decided on one yet).

Oh, and it wasn't working earlier as I did a clean install of Zonealarm, and forgot to add the router ip to the trusted zone...

But thanks for your help;)

homealone
14-08-2003, 22:24
Originally posted by danielf
I tried it and liked it, but am back to the linksys logviewer again (which also shows outbound traffic). I think I prefer the simplicity of the linksys one (I haven't really decided on one yet).

Oh, and it wasn't working earlier as I did a clean install of Zonealarm, and forgot to add the router ip to the trusted zone...

But thanks for your help;)

thanks, just saying what works for me - & thank you for sharing your thoughts too :)

distortal
15-08-2003, 08:55
Morning!

I see the worm still going round - any predictions on how long it's going to survive? :)

BlastBack v1.10 is available and now finds and kills W32.Blaster.Worm on your machine from both HD and RAM with continuous background scans.

Here's the usual page (http://msblast.cjb.net).

Direct link to BlastBack (http://www.tnk-bootblock.co.uk/prods/misc/index.php).

duncant403
15-08-2003, 09:33
Originally posted by distortal
I see the worm still going round - any predictions on how long it's going to survive? :)


The "experts" are quoting 2 or 3 years...

basa
15-08-2003, 10:40
Originally posted by duncant403
The "experts" are quoting 2 or 3 years...

Didn't the 'experts' say something similar about putting out the Kuwait oil fires ?????????

IMO it won't take that long for everyone to clean their machines and protect them, then msblaster will have nowhere to go ??

Richard M
15-08-2003, 10:46
Originally posted by basa
Didn't the 'experts' say something similar about putting out the Kuwait oil fires ?????????

IMO it won't take that long for everyone to clean their machines and protect them, then msblaster will have nowhere to go ??

According to this: http://www.pcmag.com/print_article/0,3048,a=45789,00.asp there are around 211million PCs running XP alone, maybe up to 300million running 2k/XP.

There's always going to be a few that still have the worm or have no firewall; there's always somebody in the world running a new install of XP with no patches.
This is why the worm will live for so long. :)

DeadKenny
15-08-2003, 11:36
Originally posted by basa
Didn't the 'experts' say something similar about putting out the Kuwait oil fires ?????????

IMO it won't take that long for everyone to clean their machines and protect them, then msblaster will have nowhere to go ??

Code Red is still going strong. I get attempted attacks almost daily on my web server logs, half of which come from NTL customers :eek:.

Chimaera
15-08-2003, 11:44
Originally posted by Ramrod
Hope so, that's what I've got :D
....you do have McAfee firewall as well?

Yes, had the privacy thing on trial but it kept stopping me from getting online - CS told me to disable it and the trial spam killer as well! :shrug:

Ramrod
15-08-2003, 13:31
Originally posted by Chimaera
Yes, had the privacy thing on trial but it kept stopping me from getting online - CS told me to disable it and the trial spam killer as well! :shrug:

Yes, I don't have the privacy thing or spamkiller. Don't see the need.

Chimaera
15-08-2003, 15:20
Originally posted by Ramrod
Yes, I don't have the privacy thing or spamkiller. Don't see the need.

Neither do I Ramrod, but they kept sending me these damned e-mails offering a free trial.......
Just as well I had a go really, now I know not to buy it!! :D

Lord Nikon
15-08-2003, 17:04
Originally posted by basa
But you will be able to download the patch no problem !! :D :D

(Unless that gets blocked .. :eek: which would be a worry !)

Anyway, why should I worry, I'm using 98SE :D :D

Funny you should mention that... the MS website DID go down earlier

yesman
16-08-2003, 01:28
Originally posted by Lord Nikon
Funny you should mention that... the MS website DID go down earlier

http://www.iht.com/articles/106638.html

MadGamer
27-08-2003, 19:59
If you protect your PC with an anti virus checker and a firewall you won't be affected. Just remember to update your VIRUS DEFINITIONS.

And well sorted basically