Was RE: disinfection tool -- now a minor rant.

From: Mark Challender (MarkCat_private)
Date: Mon Aug 06 2001 - 12:05:21 PDT

     
    This email struck a nerve in me.
    
    Mr. Ng speaks of "ignorant Sysadmins" and wanting to "get the idiots
    to listen."
    
    A lot of people, me included, can't understand why professional
    admins don't update their systems.
    
    What many of us forget, though, is that NT4 is being used by millions
    of small businesses who do not have professional admins and don't
    have a clue what IIS4 is and why it needs to be patched.  Yet, they
    are connected with DSL (Cisco 675 modems that are failing) or
    fractional T1s and they don't understand why the "bad guys" want to
    get into their systems.
    
    What needs to be done is for people like us to educate those business
    owners.  Contact your local paper or radio station and talk to the
    news director.  Do an interview, be an expert.  Create a "hit squad"
    of local sysadmins and offer to take phone calls from business
    owners.  Create a Code RED fix on CD (maybe include SP6 and all post
    SP6 fixes including the IIS fixes on CD with an automated QChain
    script).
    
    But, quit complaining about "stupid, ignorant sysadmins" and the
    "idiots" and do something to help the situation.
    
    Most of us were not smart sysadmins to begin with........
    
    -----Original Message-----
    From: Mark Ng [mailto:marknat_private]
    Sent: Monday, August 06, 2001 5:20 AM
    To: incidentsat_private
    Subject: RE: disinfection tool
    
    
    Perhaps a very controversial viewpoint is using the backdoor installed by the
    copycat code red worm to patch these systems.  The majority of sysadmins who
    by now haven't patched (or unmapped the script mappings from) their systems
    are mostly ignorant anyway.  Perhaps a couple of honeypot systems built to
    automatically connect back, patch and reboot.
    
    The only issue that creates is the problem of transparent proxies.  Not sure
    how you'd solve that one.
    
    This may eventually be the only way of actually getting rid of code red
    completely.  If we live in an ideal world, we'd eventually get the idiots
    to listen.  However, I find that unlikely.
    
    Mark
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 13:11:40 PDT