Vulnerability Development mailing list archives

Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)


From: Markus Kern <markus-kern () gmx net>
Date: Fri, 07 Sep 2001 13:50:15 +0200



"Stanley G. Bubrouski" wrote:

> On Thu, 6 Sep 2001, Markus Kern wrote:
>
> <snip>
>
>> I absolutely understand your concerns. Personally I wouldn't want
>> anyone else to execute code on my machines either but a patch has been
>> available for months now. Every admin who cares about her systems has
>> already fixed them (I'm aware that it may be difficult to apply patches
>> in some cases because they might break other stuff but after over two
>> months such problems should be solved).
>> The others who didn't care about Code Red are very likely not to care
>> about Code Green / CRclean either, yet they're still causing problems
>> for the community.
>
> It's not about "well if he doesn't patch his system he doesn't care," that
> is just ignorant.

When the patch has been available for a few months I believe this to be a
pretty safe assumption.

> Do you think the people at Microsoft/MSN didn't care
> when they were infected because they didn't install a patch released
> months before? That is absurd.

Admittedly there may be cases where people simply miss some machines on
their network but if this happens regularly the admin isn't doing his job
very well IMHO.

> Do you think people with infected machines on the internet even know they
> are infected? Probably not.

No, they obviously don't. Someone who knows that he is infected and doesn't
fix his system or at least block the outgoing scans is irresponsible.
Code Red generates so much traffic that it should be easily spotted by a
competent administrator.

> Do you think they'd be overjoyed to hear they were infected with another worm
> to remove the first? Probably not.

I bet some suits would actually like the idea because they don't have to spend
money on fixing the problem themselves. Unfortunately this creates the dangerous
situation where people don't patch their systems because "some counter-worm
will come along and do it for us".

> Will this stop other people like you from doing similar things? Probably not?

No, why should I even try to stop people from doing things I do myself?

> Do you care about the data loss a worm that reboots machines without an admin's
> permission causes? Apparently not.

CRclean doesn't reboot the machine, it only restarts IIS.
I admit that I didn't think of data loss due to IIS restarts. I even call
ExitProcess() in the exploit code which now seems like a really bad idea to me.
A graceful IIS shutdown would be much better and shouldn't cause any data loss
with a well-designed database application.

regards,
Markus Kern
