
Slashback: Exactitude, Fortitude, Picnic 149

Posted by timothy
from the sanchitha dept.
Slashback tonight with another assortment of corrections, amplifications, looks backward (and even looks forward to looks backward). In this last case, it looks like you may even get fed.

You mean we have to reprint all the invitations? Reader Ian Cowley wrote with a slight correction about the end of an era:

"Your article on slashdot.org about the billionth second of the epoch is sort of (but not entirely) flawed.

Yes, UNIX systems will report 1000000000 seconds at 01:46:40 on 9th September. Which of course means the 1 billionth number will be 01:46:39.

But, these systems do not account for leap seconds. According to TAI (international atomic time), the 1 billionth second since the beginning of January 1st 1970 will occur at 01:46:17 on 9th September 2001, as 22 leap seconds have been inserted since 1970 (the first was 1972, the last 1999).

So celebrations of the 1000000000th second should be at 01:46:17, whilst 01:46:40 can be reserved for celebrating 1000000000 displayed on UNIX system clocks."

Errr ... thanks. We'll just have to start at "Unix Day, Observed."

What price the capture and humiliation of virus spreaders? JayHerrick writes: "We have posted a small bit of JSP that reports the number of times our server has been queried for a 'default.ida' page. It's stylish, it's cool, and it'll probably get Pepsi all mad at us because we ripped the Code Red logo off one of the bottles." Equally stylish, despite the name, is a small tool named codeRedNeck, described by reader mindriot thus: "As CodeRed probes port 80 of a machine, CodeRedNeck first answers on that port and then goes silent, thus forcing the worm to wait until the connection times out." He advises: "Read the original idea by Tom Liston. Heise also has more on this."

Even More Auspicious dates. No matter which date you choose to mark it, Linus' little kernel-that-could is about to mark its tenth birthday. ikluft writes:

"The "Linux10" Linux 10th anniversary picnic and BBQ will be held on Saturday, August 25 from 11AM to 6PM at Sunnyvale Baylands Park in Sunnyvale, California. Details and directions can be found at Linux10.org. If you can attend, please use the RSVP form so the organizers know how much food and soft drinks to provide (only provided if you RSVP.)

Linux10 is being organized as a family event -- bring the kids. In support of that goal, it is also a no-media event. Linux and Open Source enthusiasts who work for the media may attend and participate while off-duty.

Linux10 will gladly link to other Linux 10th anniversary events. Let us know the URLs for those events."

Reader big_drew adds: "The event is free (food, softdrinks, cds -- sorry, no free beer, but byo is ok)" and says "If you can't make it out to CA, you can still get the t-shirt (profits will be used to fund the picnic)."

Anyone want to organize a picnic in the vicinity of Knoxville, TN? :) I can bring some pasta salad and watermelon.

Ten candles all around here, too. Simon Spero writes: "As noted in http://www.w3.org/History.html, today, August 6th, is the 10th anniversary of the first public release of the CERN Web Software."

  • Anyone planning a celebration in the DC Metro area? Being disabled, I will not be able to make anything that is more than an hour away from me.
  • I would love to get something together in Knoxville, but I'm not sure who posted it (big_drew or should be timothy because of the non-italics).

    In either case, please feel free to call me (Jeb) at 368-5322, email me at (jebc at c4solutions.net), or get more contact info at my company's website [c4solutions.net].

    Always love to hear from some slashdotters in the area, and if you ever get bored (or for the picnic) we have a kegerator (sp?) at our office that we are always at downtown.
  • according to this article [bbc.co.uk] on the BBC News [bbc.co.uk] web site.

  • Party! (Score:1, Funny)

    by genkael (102983)
    I think this event dictates a party with much beer.
    • Is that party as in beer, or free as in party?

      Shit, I'm drunk already.
      • Re:Party! (Score:1, Funny)

        by Anonymous Coward
        That would have been funnier as: "Party as in beer, or party as in Republican." -1, US Centric.
  • JSP Garbage (Score:3, Offtopic)

    by Anonymous Coward on Monday August 06, 2001 @08:12PM (#2165359)
    Behold PHP:

    <p><b>This webserver has been attacked by CodeRed 2
    <font color="#ff0000">
    <?php
    // count access_log lines carrying the Code Red II probe signature (runs grep on every page hit)
    $cr = shell_exec("grep -c XXXXXXXX /usr/local/apache/logs/access_log");
    echo (int)$cr;
    ?>
    </font> Times</b></p>

    CC
    • Can anyone explain why, when doing a grep -c for default.ida, I get exactly twice the number of reported results in my access_log than I do in my error_log?
      • Never mind....the 2x was a coincidence and threw me off....the original Code Red put a malformed header error in the error_log, whereas the new one throws a 404 and puts the default.ida in the error_log.

        I'm still ingesting the first caffeine for the day...
    • I use MRTG [ee.ethz.ch] with a tiny Python script to count the number of attacks. The results are here [homeip.net].
    • Re:JSP Garbage (Score:5, Informative)

      by JediTrainer (314273) on Monday August 06, 2001 @08:28PM (#2165408)
      You might want to note that this can take a long time to run. I've had approx 1800 attacks on my machine, with a log file of about 55MB, and running this command right in the web page would make each request take about 10-15 seconds.

      Multiply that by 1 request per second and you're toast. I'd suggest strongly that you use something else to generate your statistics OFFLINE, such as this excellent perl program [kryptolus.com] which also generates quite a nifty, sortable report!

      To the author of that, by the way, a warm thank you! I'm using it myself!
      • People, the word is "timer". Sheesh, just update the statistics every few minutes...then it doesn't matter if people are hammering your server. Anyway, is PHP compiled down to anything? Because JSPs/Servlets are pretty damn fast.
      • Maybe he just needs an excuse to get a faster system. Everything else is being blamed on Code Red...
      • Re:JSP Garbage (Score:2, Interesting)

        by mcdurdin (26478)
        I'd second that -- I've now had almost 14000 attacks on my server in the last 7 days. Apart from blowing out all the logs, it has cost me about $40 in bandwidth as well. Where can I send the bill?
        • by ralmeida (106461) on Monday August 06, 2001 @09:16PM (#2165547) Homepage

          I'd second that -- I've now had almost 14000 attacks on my server in the last 7 days. Apart from blowing out all the logs, it has cost me about $40 in bandwidth as well. Where can I send the bill?

          Send Bill Gates to that place...

        • Hi! How are you?

          I send you this bill in order to have your advice.

          See you later. Thanks.
          • HA,HA,HA!

            THANKS for that, I needed a laugh tonight.

            That one is the first in a (so far) three part "series" I've received tonight, how about you?

            By the way...

            Just WHAT is the payload of that loaded attachment anyhow? I just delete them, and move on.
            • The payload is a random file from their computer, with the virus tacked onto the front. Remove the first however many (about 128K) bytes, and you get a peek into the world of an idiot that clicks on everything they are sent via email.

              Sadly, nothing I've been sent by SirCam has been interesting.
      • Have a cron job reset your logs once a day, grab the current number of attacks, adjust the PHP script to use this offset and you're all set.

        Of course, I do mine manually from my desk at work when I get bored :-)

      • Thanks :)

        Version 0.8 [kryptolus.com] is available which can now automatically detect and process gzipped logs
    • You may wish to be a little more clever than that; grep'ing the entire log-file every time someone invokes the script is not a good way to determine if you've been hit or not.

      Proposition 1: The number of times your web-server is attacked is a compositional function of the log entries.

      What prop. 1 tells you is that you may directly apply the "divide and conquer" strategy to the problem, analysing parts of the log-file separately and composing the application of your counting function to each part by the binary operator "+".

      This tells you, that once you have visited a part of the log-file, you will never have to visit that again, so maybe your program should look something like:

      1. Forward till the place I got to last in the logfile
      2. Look at every entry after that, counting attacks
      3. Add that to the current total (with a default value of 0)
      4. Set the indicator to where I got to in the log-file
      5. Print the total

      Of course, you need to look out for synchronization in this version of the program, but it won't grind your server to a halt when 3-4 people press the "Number of code-red worms deflected" link at the same time.
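The incremental scheme from the post above (steps 1 to 5, with the synchronization it warns about handled by a file lock), written out as an added example that is not code from this thread. It goes a little beyond the post: it restarts after a rotated log, leaves a half-written last line for the next run, tallies the X and N probe variants separately and keeps a per-IP count; the log lines are constructed, the N-run signature for the first Code Red is this example's assumption, and fcntl locking assumes a Unix host.

```python
import fcntl
import json
import os
import re
import tempfile

# Apache common-log line whose request is the worm's probe for /default.ida. The query
# starts with a run of X's for Code Red II (the "XXXXXXXX" grep pattern used in this thread);
# the N-run for the first Code Red is an assumption of this example, not stated in the thread.
PROBE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /default\.ida\?([XN])')

# Constructed sample log (documentation/test addresses), not a real capture.
SAMPLE_LOG = (
    '10.0.0.5 - - [06/Aug/2001:20:12:01 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 276\n'
    '10.0.0.5 - - [06/Aug/2001:20:12:09 -0400] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 404 276\n'
    '192.0.2.7 - - [06/Aug/2001:20:13:44 -0400] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 404 276\n'
    '198.51.100.2 - - [06/Aug/2001:20:14:02 -0400] "GET /index.html HTTP/1.0" 200 1043\n'
)


def count_probes(text):
    """The compositional counting function: results for two chunks combine by '+'."""
    variants = {"X": 0, "N": 0}
    per_ip = {}
    for line in text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            variants[m.group(2)] += 1
            per_ip[m.group(1)] = per_ip.get(m.group(1), 0) + 1
    return variants, per_ip


def update_stats(log_path, state_path):
    """Steps 1-5 of the post: seek to the saved offset, count only the new complete lines,
    add them to the running total, save the new offset, and return the totals."""
    state = {"offset": 0, "X": 0, "N": 0, "per_ip": {}}
    with open(state_path, "a+") as sf:
        fcntl.flock(sf, fcntl.LOCK_EX)          # serialise concurrent page hits
        sf.seek(0)
        saved = sf.read()
        if saved:
            state = json.loads(saved)
        if state["offset"] > os.path.getsize(log_path):
            state["offset"] = 0                 # log rotated/truncated: start from the top
        with open(log_path, "rb") as lf:        # binary, so the offset is a plain byte count
            lf.seek(state["offset"])
            new = lf.read()
        cut = new.rfind(b"\n") + 1              # leave a half-written last line for next time
        state["offset"] += cut
        variants, per_ip = count_probes(new[:cut].decode("ascii", "replace"))
        state["X"] += variants["X"]
        state["N"] += variants["N"]
        for ip, n in per_ip.items():
            state["per_ip"][ip] = state["per_ip"].get(ip, 0) + n
        sf.seek(0)
        sf.truncate()
        json.dump(state, sf)
        sf.flush()
        fcntl.flock(sf, fcntl.LOCK_UN)
    return state


def demo():
    """Two page loads on the constructed log, with more probes appended in between."""
    tmp = tempfile.mkdtemp()
    log_path = os.path.join(tmp, "access_log")
    state_path = os.path.join(tmp, "codered.state")
    with open(log_path, "wb") as f:
        f.write(SAMPLE_LOG.encode())
    first = update_stats(log_path, state_path)
    with open(log_path, "ab") as f:            # only these bytes are scanned on the second load
        f.write(b'10.0.0.5 - - [06/Aug/2001:21:00:00 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 276\n')
        f.write(b'203.0.113.9 - - [06/Aug/2001:21:00:01 -0400] "GET /default.ida?XXXX')  # still being written
    second = update_stats(log_path, state_path)
    return first, second


if __name__ == "__main__":
    for totals in demo():
        print(totals)
```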

      • Re:JSP Garbage (Score:2, Interesting)

        by quartz (64169)
        Too complicated. And PHP is for wussies anyway. :-) Who needs logfiles? Real men write mod_perl apps embedded in the web server and intercept default.ida queries even before they can make it to the logfile. That way you can keep a separate customized log just for Code Red :-), and then you're free to do fancy reports w/o hogging the server.
        • Too complicated. And mod_perl is for wussies anyway. :-) Who needs logfiles? Real men write their own modules in assembly embedded in the web server using self-modifying code.
      • Try a servlet that does steps 1-4 in a background thread, and step 5 on demand.
      • Just take the total and write it to a file that contains only the total. Every time that the page is loaded, have it check the timestamp. If it's less than n hours old, show the cache. Otherwise, re-grep the log and write the result to the cache and start anew.

        That's how I do it [waldo.net], anyhow.

        -Waldo
        • Re:Much Easier... (Score:3, Interesting)

          by Pathwalker (103)
          Why bother writing your own caching code when you can just let your Webserver [roxen.com] do it for you?

          With Roxen's cache [ofdoom.com] tag, I just threw <cache minutes=15> </cache> tags around the cpu intensive parts of mine [ofdoom.com] and let Roxen handle the rest.

          I do have a cron job that parses the logs every 15 minutes, and updates the backend database. (I could have done that from the web page as well, but then my samples wouldn't be taken every 15 minutes).
    • I have an improvement to the JSP code cited in the article. It uses a highly scalable thread scheduling algorithm and is 100% compatible with the J2EE specification.

      <%@ page language="java" %>
      <jsp:useBean id="counter" class="org.slashdot.fp.CodeRedCounter" />

      HELLO!
      Welcome to http://www.worm.com!
      Hacked By Chinese!
    • grep -i root.exe would be a much more interesting number.
    • OK, now after stripping the log file line down to the IP, save it to a file and run this to sort them by number of attacks.

      Hack away at it...my log file is getting -big- (75MB), we've got 4 IP's here but only 650 attempts so far, and 200 from one machine alone.

      <html><body><pre>
      <?php
      // CR2log: one attacker IP per line, produced by stripping the log lines down to the address
      $IPcnt = array();
      $fil = fopen("CR2log", "r");
      while (($line = fgets($fil, 64)) !== false) {
          $IP = trim($line);
          if ($IP === "") continue;                   // skip blank lines
          $IPcnt[$IP] = isset($IPcnt[$IP]) ? $IPcnt[$IP] + 1 : 1;
      }
      fclose($fil);
      arsort($IPcnt);                                 // most attacks first
      foreach ($IPcnt as $key => $val) {
          print("($val)\t$key\n");
      }
      ?>
      </pre></body></html>

  • by Swaffs (470184) <(gro.oduf) (ta) (ffaws)> on Monday August 06, 2001 @08:14PM (#2165367) Homepage
    How could you have a free Linux party without free beer? Or is this just another attempt to get people to understand what the "free" in Free Software really means?
  • Stopping Code Red II (Score:1, Interesting)

    by Anonymous Coward
    Been too busy working to think on this but since Code Red II installs a web accessible cmd.exe, how hard would it be to listen for Code Red II (set up a fake default.ida) and then respond by sending a query that tells NT to shut down.

    Does anyone think that sending a shutdown command to an attacking machine is unreasonable? Any ideas on how to do it (my NT command line knowledge is minimal).

    • But it requires admin/power user privs and the rootshells spawned run under webserver user privs, which is to say you can call it but it won't do much.
      Word on the street has it that the first Code Red worm contained a buffer overflow of its own: querying a default.ida with an overflow string of 64K of garbage would crash it out. Doubt the newer varieties have the same problem, but then again, k1dd10t5 aren't known for their innovative coding style...
  • by bendude (135729) <ben@fPASCALuckthewar.com minus language> on Monday August 06, 2001 @08:38PM (#2165436)
    Anyone interested in a Melbourne, Australia, Linux 10th anniversary picnic and BBQ on Saturday, August 25?

    Having used so many flimsy excuses for a piss up, I think it would be a shame to let this one go.

  • I wonder if Linus will show up at the party?
    And they better have a lot of Soda, as most Linux geeks I know are wider than they are tall.
  • At www.waldo.net/misc/codered [waldo.net] I set this up this afternoon. I've personally alerted the owners of several of these IPs, but I hope that the public viewing may lead to them disconnecting their machines. <fingers crossed>

    Oh, yeah, I did it in PHP, of course. :)

    -Waldo
    • Don't you think it's irresponsible to list the IPs of owned hosts in public?

      The kiddies will find them anyway, but there's no need to make it easy for them.

      BTW my CR2 stats page (written in perl, to feed the language flamefest) shows 980 code red II hits vs. 160 code red I hits.

      The IP list is generated and stored more privately, looking for a good way to notify them...

      • Don't you think it's irresponsible to list the IPs of owned hosts in public?

        Not really. Not to say that I didn't put some thought into it -- I did. But anybody that has a machine connected to the Internet for any length of time (and I mean any, as some folks have found out) is going to get their own list quite rapidly. I'd considered how to best notify them, but I found that it was simply impossible to notify the majority of them. I live in a tight-knit tech community here in Charlottesville, Virginia, and I primarily hope that one of the many local folks that check in on my site regularly will recognize some of the IP addresses as their own or those of their associates. Idealistic? Perhaps. But what put me over the edge into deciding that is a reasonable action is that so many machines are infected at this point that I figure it's worth trying something. Every little bit helps.

        -Waldo
  • My first child is going to be born around when Linux turns 10. Cool.
  • by Nightpaw (18207) <<ude.ogacihcu> <ta> <essej>> on Monday August 06, 2001 @09:20PM (#2165555) Homepage
    Did anyone else read that as the Slashdot-endorsed opposite of Fear, Uncertainty, Doubt?

    Or am I on drugs?
  • I'd love a little Windows app that listens on port 80 and responds to any attempt to connect with code designed to use CR2's backdoors to disable the IIS service on the infected machine. Disable as in stop it and turn off the service completely. Thoughts?
    • Re:CR2 response (Score:3, Insightful)

      by s390 (33540)
      Er, a bit dodgy if well-meaning. In many jurisdictions, using the CR2 backdoor at all would make you potentially liable for a cracking offense, no matter that you disabled a zombied server out of the best intentions for greater good. Unauthorized access is... felony.

      Suppose the infected system provided suicide-prevention access, or battered-women's services, and your code shut it down completely, and someone got hurt, or dead - your little hack could get you in a major civil or even criminal hole that you'd regret.

      Think twice before messing with anyone else's server, especially through any automated script. But that said - if you could shut down the worm, patch the server, remove the backdoors, and post a message to /var/log/messages to notify the admin - that _might_ be helpful and low risk. But you'd have to remain prepared to defend yourself and _prove_ that you didn't add a backdoor.

      At minimum, you'd have to keep complete TCP/IP traffic logs for such interdictions for seven years or whatever the longest Federal, State, or Local statute of limitations requires. You'd also need to escrow these and all your code with your attorney immediately.
      • > post a message to /var/log/messages

        Holy crap. It's affecting *nixes now?
        Come on. Your average NT admin won't bother looking at the webserver logs, much less the event logs: the fact that their web servers are completely owned by the worm yet they're not doing anything is proof enough of this. Maybe a post to the _desktop_ would get through, but not likely. Log the IP and the attack and contact their ISP.
        That's all I've been doing. Anything more and you can look forward to explaining to a bunch of lawyers why you really weren't a Bad Guy.
        Never forget that lawyers and plaintiffs have neither a sense of common decency nor common sense.
      • nevermind that the pages are overwritten with "hacked by chinese".
      • Re:CR2 response (Score:4, Insightful)

        by IronChef (164482) on Tuesday August 07, 2001 @03:45AM (#2116980) Homepage

        Crack one IIS box, and you're a felon. Crack a million, and you're... some anonymous virus-writing guy that will never be brought to justice.
      • How can GET requests to a publicly running webserver be a crime?

        Please explain, then think twice whether you've ever http:ed to an IP without asking permission beforehand ... umm ... come to think of it, I've never asked the Slashdot crew for permission to GET an index file here ...

      • Hypothetically, couldn't a "virus" be written in such a way as to disable the original and replace it with a server that sends this "Fix" to anyone attempting to reinfect it? Sort of like an anti-Code Red worm?
      • Hmm...

        Perhaps 'Good Samaritan' laws would come into effect here?

      • Automated script ... unauthorized access ... felony.

        (*lets that sink in*)

        So that means if I had the money right now, I could hire 500 head of lawyer and, wielding my trusty apache logfiles, start 500 lawsuits against the people who, by means of gross administrative irresponsibility, have machines which are running automated scripts which are attempting to gain unauthorized access to my machine (and failing), and win each of those lawsuits because doing so is a felony?

        That would be sweet justice. However, I don't think the case would hold up, regardless of who sued who.
        • ...start 500 lawsuits against the people who, by means of gross administrative irresponsibility, have machines which are running automated scripts which are attempting to gain unauthorized access to my machine...

          One lawyer would do. And it might be interesting to try this. They did, after all, attack your system. Call it a reverse class-action.
        • Hell, I'm still waiting for the class action suit against M$ for being the main reason/propagator of this Worm.

          Jaysyn
        • Why not? It could work in a country where burglars sue homeowners in slip-and-falls...
  • by Speare (84249) on Monday August 06, 2001 @10:06PM (#2165751) Homepage Journal

    Did I get my math right?

    About a billion seconds ago, the first man walked on the moon. (~31 years)

    About a billion minutes ago, the first man was said to have walked on water. (~1860 years, sorta close to the 0 CE mark)

    About a billion hours ago, the first man walked through what we now call Europe. (~111600 years, homo sapiens in upper pleistocene)

    About a billion days ago, the first man walks. (over 2.6 million years, a bit before the oldest known homo habilis)

    About a billion years ago, the first multicelled animals form. (eukaryotes supplant prokaryotes)

    About a billion decades ago, the Milky Way galaxy began to form.

  • Whilst I appreciate and admire the attention to detail that Ian has displayed regarding the epoch milestone, I don't think that it really matters.


    The way I see it, the milestone being celebrated is that the epoch is rolling over to 1000000000, not that it's been 1000000000 seconds since the epoch started. If we were celebrating the latter then Ian would have a good point and we'd all have to modify our alarms accordingly. But I think the rollover point is a more significant milestone than the true count of seconds.

    All this really means though is that we have two celebrations within 22 seconds of each other. I certainly don't have a problem with that ;-)

  • by cvincent (99204)
    I keep stats of more than just Code Red, using scanalyze [project802.net] and a small php script [project802.net]. It's sometimes fun to see what kind of activity your machine is getting.
  • Slashback tonight with another assortment of corrections, amplifications, looks backward (and even looks forward to looks backward). In this last case, it looks like you may even get fed.

    Am I the only one that thinks that timothy's writing is incomprehensible? I don't know what it is, but I have read every slashback post about 3 times just to figure out what he is trying to say. Just wanted to know if I am alone.....
  • Is it too late to begin marketing solutions to the 'S1B' problem? There must be some dilbert-style manager out there who'd pay me a few grand to stay up till about 2:00 am and make sure all his machines survive the 'rollover'...

    -db
  • Your article on slashdot.org about the billionth second of the epoch is sort of (but not entirely) flawed.

    I was the slashdotter who submitted the original article [slashdot.org]. And just for the record, I never said anything about a billion seconds from 1970-01-01, I just pointed out that "soon the magic numbers will say all 9s".

    At the time, I felt like a complete dork for even noticing the proximity of UNIX timestamp "987654321", but I felt like it'd be wrong of me not to share, so I did, and threw in the bit about UNIX timestamp "999999999" just for kicks. It was only the second story I'd ever submitted to /., and the only one to get accepted (the first was announcing the release of Mozilla M16, but I'd jumped the gun).

    Now that I know that there's someone out there who cares enough to correct my back-of-an-envelope calculations by bringing in leap seconds makes me feel like less of a dork.

    (By the way, my title as submitted was "descending unix timestamp"; it was Timothy who changed the title to "The Quickly Descending Unix Timestamp", which wrongly implies that the timestamp's value is getting smaller over time, IMHO.)

    Anyway, maybe now that I can prove I'm not the biggest nerd out there I'll start getting dates again....

    • Think of a big wooden stamp with all zeros written across it, each zero wet with red ink, slowly arcing toward a big piece of ricepaper, propelled by a large, unseen hand, ready to impress those Ohs in a clean straight line across the paper ...

      Descending! Descending! I guess not everyone pictures that exactly the same way ;)

      Mea culpa, mea maxima culpa. Rapidly *increasing* seemed wrong when about to hit so many zeros ...

      cheers,

      timothy

      p.s. Happy teaching / new home.
      • Call me a karma whore if you want, but I think it's good to see a slashdot mainstay responding to comments about him.....
      • Descending! Descending! I guess not everyone pictures that exactly the same way ;)

        When I said descending I was thinking as in: "sort the following nine digits in descending order."

        But then many ./ers apparently took it to mean "getting smaller over time." Although the more accurate word for that would have been "decreasing" or maybe "diminishing".

        Let's have fun with definitions straight outta my brain!

        • descending - higher things precede lower (usu. spatially, though sometimes temporally)
        • decreasing - values getting closer to some minimum value over time
        • diminishing - reduction in size over time

        Anyway, I didn't mean to nitpick about the title. I just thought it was ironic that some folk complained about the title when it hadn't been mine.

        • Unfortunately, this is hard to avoid. A lot of people email me (and the other editors) answers / reactions to various stories as if we were the ones who submitted them. (Ask Slashdots, particularly.)

          Unless we've messed up the formatting for a particular story, though, reader-submitted text is always quoted and italic (except, say, for features ...), and the plaintext is ours. Titles are our responsibility / fault, although many of them are the same words as the submitters'.

          To be clear -- that "descending" title was my fault, and you can point anyone who complains to you about it to this comment ;)

          timothy

  • by Scott Robinson (108176) on Tuesday August 07, 2001 @12:25AM (#2166222) Homepage

    Umm, I hate to be the damper in evil plans for Code Red ...

    ... but according to incidents.org [incidents.org] and other virus websites, Code Red uses non-blocking socket connections "uses a nonblocking socket to connect to each target. Specifically this means that if one thread is stuck waiting for a slow connection to a particular target, the wait will not slow down the rest of the threads from continuing their scanning function."

    Any servers which "wait" are just wasting their own processor and memory.

    Scott.

    • They may be nonblocking, but each open connection will tie up system resources until timeout. There's only so many connections a machine can initiate/accept.
      I doubt that CR will ever reach the OS-imposed limit, but IANAE.
      • 600 if you're running a Chinese NT installation; not that you're not being a good Samaritan, but best case, you're tying up 1/300th of what it's trying to do for a while. Extrapolate this to a few hundred "chatty" Code Red boxes sending off a few hundred threads apiece (if you're on a broadband line, this is not so outlandish) and you're looking at potentially DoSing yourself.
    • by Anonymous Coward

      according to incidents.org and other virus websites, Code Red uses non-blocking socket connections "uses a nonblocking socket to connect to each target

      I knew we should've listened to Steve Gibson on the dangers of non-blocking sockets!

      Anonymous cowards couldn't hit the broad side of a barn.

    • Only the newer version of Code Red uses non-blocking socket connections, which means that waiting will still slow down the spread of the older variant of code red.

      Correct me If I'm wrong ( and I know someone will) but, I think the only Code Red version that uses non-blocking sockets is the 'B' variant of version 2.
  • This has got to be the coolest thing I've seen in a while...well, code-wise anyway:

    The concept is simple. The attacker scans networks looking for a "live" connection. We give them that :-) and we use TCP/IP's stubbornness against them. When the scanner attempts to make a connection to a port with a SYN packet, we send them back a SYN/ACK and then simply ignore them. Because they've "completed" a three-way handshake, their TCP/IP stack assumes that they have a good connection and tenaciously attempts to hang onto it, retrying the connection until they finally time out.

    I'm sure it'll be modified to work as an all-purpose portscan-blocker in no time flat.
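The hold-the-connection idea described in the post above (and in the Slashback item on codeRedNeck), as an added example that is neither CodeRedNeck's nor Tom Liston's code. It lets the kernel complete the handshake on an ordinary listening socket and then never reads or replies, and it caps how many connections it will hold, which addresses the self-DoS worry raised earlier in the thread; the loopback address, ephemeral port and timeouts are chosen for the demo.

```python
import socket
import threading


class Tarpit:
    """Listen on a port, let the kernel finish the three-way handshake, then stay silent:
    the scanner's stack believes it has a live connection and waits for its own timeout."""

    def __init__(self, host="127.0.0.1", port=0, max_held=200):
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind((host, port))             # port 0: let the OS pick one (demo only)
        self.srv.listen(16)
        self.srv.settimeout(0.1)                # lets the accept loop notice close()
        self.port = self.srv.getsockname()[1]
        self.max_held = max_held                # every held socket costs us a descriptor too
        self.held = []
        self.lock = threading.Lock()
        self.stopping = threading.Event()
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while not self.stopping.is_set():
            try:
                conn, _peer = self.srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with self.lock:
                if len(self.held) >= self.max_held:
                    conn.close()                # over the cap: hang up rather than exhaust ourselves
                else:
                    self.held.append(conn)      # keep it open, never read, never reply

    def held_count(self):
        with self.lock:
            return len(self.held)

    def close(self):
        self.stopping.set()
        self.thread.join()
        self.srv.close()
        with self.lock:
            for c in self.held:
                c.close()
            self.held.clear()


def probe(port, timeout=0.3):
    """Play the scanner: connect, send the worm-style request, wait for any reply.
    Returns 'timeout' when the tarpit holds the line and 'closed' when it hangs up."""
    s = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    try:
        s.sendall(b"GET /default.ida?XXXX HTTP/1.0\r\n\r\n")
        return "closed" if s.recv(1) == b"" else "reply"
    except socket.timeout:
        return "timeout"
    except ConnectionError:
        return "closed"                         # RST: the far side closed with our data unread
    finally:
        s.close()


def demo():
    """Three probes against a tarpit capped at two held connections."""
    pit = Tarpit(max_held=2)
    try:
        results = [probe(pit.port) for _ in range(3)]
        return results, pit.held_count()
    finally:
        pit.close()


if __name__ == "__main__":
    print(demo())
```

The scanner pays for every held connection with one of its own sockets, but so does the tarpit, which is why the cap matters when hundreds of infected hosts are probing at once.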
