Full Disclosure mailing list archives
RE: RE: DCOM RPC exploit
From: "Steve W. Manzuik" <steve () entrenchtech com>
Date: Sun, 27 Jul 2003 18:39:39 -0700
There is no such thing as a "good" worm.
That, of course, depends on your perspective. I can't remember who but I remember someone commenting on writing a worm that exploits IIS, installs Apache, then removes IIS. ;-) What I meant by "good" was more from the interesting and wow effect. To me, at least the worms are forcing people to patch boxes. Yes, I understand that admins are busy but come on -- we have battled with patching boxes as long as I can remember -- when are people (not just admins) going to catch on that this is important? No one is going to change the fact that we have insecure code.
People used to make the same argument about spam. Ah, just delete it. It's no big deal. But if we have Code Red (all variants) and Nimda and Slammer and Slapper and so forth and so on, do you really want to argue that that has no effect on bandwidth? What would the Internet be like if all that excess traffic wasn't there?
I really should do some bandwidth analysis on a few networks but I never really thought the Code Reds and Nimdas of the world were that intensive. Sapphire, for that matter, did cause bandwidth issues, especially for those who were not patched. So your point is well taken.
Read what you wrote, Steve. "The effect is pretty much zero", yet this comes right after "I see a ton...." If you didn't have the crap in your logs, what could you be doing with your time? The effect isn't zero. You've simply learned to live with a degraded system where Internet worms are the norm and you no longer realize what it was like not to have to deal with the crap.
In relation to the Code Red traffic I see a ton of -- I do believe that the effect is at least next to zero.
It's not scary, Steve. It's a PITA. It's not like admins are sitting around twiddling their thumbs waiting for the next worm battle. There's plenty to do in IT without the "distraction" of worms and malicious code and all the other crap that idiots put out there.
I understand that admins are busy people -- I used to be one. But in reality are there that many boxes still out there with the ports required for exploitation open? Again, I should probably put my beer down (but it's almost Vegas week) and do some actual research. I am fully aware that you can exploit this over IIS if it is enabled.
Hell, maybe I will write one myself. ;-)
If you do, then I'll add you to my list of true assholes. :-)
Paul, if I haven't gotten on your list of true assholes yet I am not trying hard enough. I would have thought that I got there years ago. ;-)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html