From owner-freebsd-questions Sun Aug 5 23:54:29 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [206.29.169.15]) by hub.freebsd.org (Postfix) with ESMTP id CD9A837B401 for ; Sun, 5 Aug 2001 23:54:25 -0700 (PDT) (envelope-from tedm@toybox.placo.com)
Received: from tedm.placo.com (nat-rtr.freebsd-corp-net-guide.com [206.29.168.154]) by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id f766sD801712; Sun, 5 Aug 2001 23:54:14 -0700 (PDT) (envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt"
To: "Mike Meyer", "Jim Conner"
Cc:
Subject: RE: just how many known viruses are there for FreeBSD?
Date: Sun, 5 Aug 2001 23:54:13 -0700
Message-ID: <000f01c11e44$99f27e20$1401a8c0@tedm.placo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
In-Reply-To: <15213.28245.595461.103253@guru.mired.org>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Mike Meyer
>Sent: Sunday, August 05, 2001 9:04 AM
>
>That depends on your definition of "harm". It could be claimed that
>the code red worm doesn't harm a system, as the only thing it does to
>the disk is create a scratch file to note that it's there. However,
>some versions caused the web server to start sending defaced pages,
>and all versions can create a noticeable system load.
>
>A properly administered web server won't be able to do much more than
>that.
>I'm not sure how true that is on WNT or W2K, but the description
>of some of the worm's activities - writing on C: and shared libraries -
>is enough to cause me to recommend avoiding those platforms.

One of the big problems with the IIS that comes in the Option Pack and runs on NT4 is that all virtual processes share the same memory. This was supposed to be fixed in the IIS that came with W2K and maybe it was - but a worse problem is that buggy ASP code (ASP is kind of Microsoft's answer to PHP, I guess) will make the IIS server simply stop running.

This problem is SO bad that Microsoft actually wrote a program called the "IIS Exception Monitor" that runs under NT4 and is constantly checking the webserver to see if it is still running, and if it sees the webserver stop it will restart it. The exception monitor was included in the IIS that comes with Win2K, but you had to get it from Microsoft support for NT4.

We've had much experience with this problem because we offer NT hosting, and it is not fun when you put a new virtual site on the webserver and it makes everyone else's sites stop working just because the ASP code is buggy for that site. (Which is unfortunately often the case, because ASP code is basically warmed-over Visual Basic so that people can port their crappy old VB scripts to the Web.)

We never got the worm (because we are good boys and follow the Microsoft patches and immediately apply all of the security ones that they release), but many customers did, and based on what happened to them there is no way in hell that proper administration on an IIS server on a WNT or W2K platform will minimize the problems of having Code Red on your system.
IIS is a horrible, horrible webserver and very much follows the rattrap model of software, where you have a big, octopus-like, monolithic program that touches dozens of things that you have no idea it does and is damn near impossible to troubleshoot, because everything is all crammed into a single black box and there is no separation whatsoever of anything.

Ted Mittelstaedt tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
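The "Exception Monitor" Ted describes is a watchdog: poll the web server, and restart it when it stops answering. The following is an added example of that pattern, written for this page; it is not the IIS Exception Monitor, not Ted's code, and not anything from the thread. The toy `HTTPServer` and the `restart` callback are constructed stand-ins so the whole thing runs offline on loopback; against a real server the probe would hit the real port and `restart` would call the service manager. It also shows the two details a watchdog needs to be safe rather than just loud: an HTTP-level probe with a read timeout (a hung worker that still accepts TCP connections is the failure mode a bare port check misses) and a consecutive-failure threshold so one slow response does not trigger a restart storm.

```python
"""HTTP watchdog: poll a web server and restart it after repeated failures.

Added example, not the IIS Exception Monitor and not code from the thread.
ToyServer and the restart callback are constructed stand-ins so the demo
runs offline on loopback.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_alive(host, port, path="/", timeout=2.0):
    """Return True if the server answers a GET with a non-5xx status.

    Connection refused, a read timeout on a hung worker, and a 5xx answer
    all count as 'not alive'.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status < 500
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


class Watchdog:
    """Count consecutive probe failures; call restart once a threshold is hit.

    The failure counter resets after each restart so the server gets a full
    grace period before it can be bounced again.
    """

    def __init__(self, probe, restart, threshold=3):
        self.probe = probe          # callable returning True when healthy
        self.restart = restart      # callable that restarts the service
        self.threshold = threshold
        self.failures = 0
        self.restarts = 0

    def tick(self):
        """Run one polling round; return True if a restart was triggered."""
        if self.probe():
            self.failures = 0
            return False
        self.failures += 1
        if self.failures < self.threshold:
            return False
        self.restart()
        self.restarts += 1
        self.failures = 0
        return True


class _ToyHandler(BaseHTTPRequestHandler):
    """Constructed stand-in web server that always answers 200."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):   # keep the demo quiet
        pass


class ToyServer:
    """Start/stop wrapper around HTTPServer so the demo can simulate a crash."""

    def __init__(self):
        self.port = None
        self.srv = None

    def start(self):
        # Re-bind the same port on restart (HTTPServer sets SO_REUSEADDR).
        self.srv = HTTPServer(("127.0.0.1", self.port or 0), _ToyHandler)
        self.port = self.srv.server_address[1]
        threading.Thread(target=self.srv.serve_forever, daemon=True).start()

    def stop(self):
        self.srv.shutdown()
        self.srv.server_close()


def demo():
    """Healthy -> crash -> watchdog restarts it.

    Returns (healthy_at_start, tick_on_which_restart_fired, healthy_after).
    """
    toy = ToyServer()
    toy.start()
    wd = Watchdog(probe=lambda: http_alive("127.0.0.1", toy.port),
                  restart=toy.start, threshold=3)
    healthy_at_start = wd.tick() is False and wd.failures == 0
    toy.stop()                       # simulate the server dying
    ticks = 1
    while not wd.tick():             # third failed probe triggers restart
        ticks += 1
    healthy_after = http_alive("127.0.0.1", toy.port)
    toy.stop()
    return healthy_at_start, ticks, healthy_after


if __name__ == "__main__":
    print(demo())
```

In production the poll interval, threshold and restart action belong in configuration, and every restart should be logged with the probe result that caused it: a watchdog that silently bounces a server hides exactly the crash pattern (one tenant's buggy ASP taking down every site on the box) that Ted is complaining about.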