mailing list archives
The good old days (was Re: M$SQL cleanup incentives)
From: Sean Donelan <sean () donelan com>
Date: Mon, 24 Feb 2003 03:13:37 -0500 (EST)
On Sat, 22 Feb 2003, William Allen Simpson wrote:
I see. So you're still filtering port 25 from the Morris sendmail worm.
Funny thing, I was a researcher visiting at Cornell, and had just left
in the car for the 9.5 hour drive home when it struck. I've often
wished I'd stuck around for a few more hours for the excitement.
Anyway, we didn't need to put in a long term block, as everyone took
down their systems and cleaned them. I didn't even find out about the
problem until over a day later, by which time it was long gone.
Ah, the days when we all cooperated....
In 1988 we had ad-hoc responses, with people posting to various USENET
newsgroups or some mailing lists still working, about what they were
seeing and how to fix it. There was no CERT, BBN (and others)
disconnected from the net (and took many people downstream with them),
even though most people knew each other they didn't all have alternate
contact information, and most of the methods the Morris worm used in 1988
are still being used *effectively* today.
1) Backdoor in SENDMAIL
2) Buffer overflow in Fingerd
3) Password guessing in Rsh/Rexec
Some people blocked the ports used. Some people still block ports such
as Finger (79) and rsh/rexec (513/514). But generally ports were blocked
by the local institution, not on the ARPANET.
The version numbers change, the executables change, but the basic problems
haven't changed in 30 years.
We still have backdoors, buffer overflows and pasword guessing. We still
have ad-hoc response by people sharing solutions on mailing lists. The
people who cut themselves off from the open process are still slower to
get stuff fixed. And we still have weak methods for contacting people
through alternate methods.
I wish it was as easy as paying a managed security company to watch out
for me. But unfortunately, paying several thousand dollars for the
privilege of getting "confidential alerts" which look amazingly similar
to what I wrote on a public mailing list a few hours earlier is a bit
Re: scripts to map IP to AS? jlewis (Feb 20)
Re: scripts to map IP to AS? Johannes Ullrich (Feb 20)
Re: scripts to map IP to AS? David G. Andersen (Feb 20)