SCO Offline 713

quakeslut writes "It's Feb. 1st everyone... and all of you who have been reading Slashdot know that today MyDoom.A begins its attack... according to Reuters, SCO has already been hit hard. Stay tuned for Tuesday when MyDoom.B hits Microsoft..."
This discussion has been archived. No new comments can be posted.

  • obvious (Score:5, Funny)

    by el_salvador ( 681607 ) on Sunday February 01, 2004 @09:28AM (#8150359) Journal
    and just to be sure they get DoS'ed, you post a link to their website on slashdot.
    • Re:obvious (Score:5, Funny)

      by Zeinfeld ( 263942 ) on Sunday February 01, 2004 @09:34AM (#8150406) Homepage
      and just to be sure they get DoS'ed, you post a link to their website on slashdot.

      Apart from slashdot readers and lawyers who goes to the SCO site these days?

      Oh yes, folk who clicked on the 'Make SCO.com your home page' link.

    • SCO's off line? I guess that means they're just S.O.L.
    • by Anonymous Coward on Sunday February 01, 2004 @10:36AM (#8150807)
      Some guy on winnetmag obviously thinks they should be offline, they must have brought it upon themselves [winnetmag.com], as he seems to think the virus is the fault of UNIX. He says that "A new email virus called MyDoom is spreading rapidly across the Internet through UNIX mail servers, bringing with it a dangerous attachment that, when opened, can give attackers access to users' computers through an electronic backdoor."

      sheesh where do they get these people
    • Re:obvious (Score:5, Funny)

      by bizitch ( 546406 ) on Sunday February 01, 2004 @12:35PM (#8151521) Homepage
      You know the slashdot link to www.sco.com must be broken or something - I mean my browser opens and everything but nothing shows up.

      I just keep hitting refresh over and over and over again - still nothing - hmmmmmm

      Someone ought to check those links before posting ;}

    • FAKE attack? (Score:3, Interesting)

      by SparkMan ( 4115 ) *
      Not sure what's going on here but:


      C:\>ping www.sco.com
      Unknown host www.sco.com.

      C:\>ping www2.sco.com

      Pinging www2.sco.com [216.250.128.33] with 32 bytes of data:

      Reply from 216.250.128.33: bytes=32 time=71ms TTL=49
      Reply from 216.250.128.33: bytes=32 time=69ms TTL=49
      Reply from 216.250.128.33: bytes=32 time=69ms TTL=49
      Reply from 216.250.128.33: bytes=32 time=68ms TTL=49

      Ping statistics for 216.250.128.33:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-s
  • Why today... (Score:5, Insightful)

    by CrackedButter ( 646746 ) on Sunday February 01, 2004 @09:28AM (#8150361) Homepage Journal
    Sunday isn't even a business day? How much money will they not lose?
    • by niko9 ( 315647 )
      They seem to work hard at losing money, they don't need the help of Sunday whatsoever.

      That must be one company where every day of the week is a case of the Mondays.

      But don't say that too loud around Lawrence.
    • by Wellspring ( 111524 ) on Sunday February 01, 2004 @09:42AM (#8150473)
      It sucks.

      I've been trying to buy three more CPU licenses for Linux, and now I can't use those machines until SCO's online store comes back up.
    • by mattboston ( 537016 ) on Sunday February 01, 2004 @09:51AM (#8150519) Homepage
      I think it's more to get the SCO admins into work so they miss the Superbowl :)
    • Re:Why today... (Score:5, Interesting)

      by Pharmboy ( 216950 ) on Sunday February 01, 2004 @10:01AM (#8150575) Journal
      Sunday isn't even a business day? How much money will they not lose?

      There is one basic flaw in your assumption. Granted, for many businesses, this would hold true, but not SCO. Being attacked on Sunday is just as detrimental as being attacked on Wednesday, as it appears they make just as much money when no one is there as they do when the place is fully staffed: nothing.

      I am sure they will spin this around and demonstrate how this hurt them terribly, costing them tens, if not hundreds of dollars in potential sales ;) Then again, they will blame the Linux community for this, even though it's solely from a bunch of owned Windows boxes. This is akin to blaming Smith and Wesson for injuries to the neighbors when you fire your gun in random directions.
    • Re:Why today... (Score:4, Interesting)

      by muffen ( 321442 ) on Sunday February 01, 2004 @10:03AM (#8150588)
      Sunday isn't even a business day? How much money will they not lose?

      ...are you saying they would lose money if it was a business day?

      Well, I guess they have received "linux-fees" from 12 linux users so far... so if the DoS attack keeps the website down for a week, they might lose like USD 600 (or whatever the fee was).

      The person who wrote the worm is not very good anyways... only 25% of infected machines will perform the DoS attack (see the virus information page for McAfee and Symantec).

      Anyways, they are counting that there's about 1Million infected machines, and if 25% of those do the DoS attack, it's 250 000 machines.. which would still be the largest DDoS attack in history so far.

      One thing I don't understand is why the DNS entry hasn't been removed for www.sco.com. I mean, they have no chance in hell of stopping this thing, and keeping the DNS entry intact causes a slowdown on a lot more things than just SCO's webserver.

      I guess it's just a matter of time until www.sco.com is pointing to www.slashdot.org :)
    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Sunday February 01, 2004 @10:09AM (#8150615)
      Comment removed based on user account deletion
  • by Matrix9180 ( 734303 ) * on Sunday February 01, 2004 @09:29AM (#8150363)
    SCO had plenty of time to prepare for this. They were well aware it was coming. I personally believe it's a publicity stunt. (which probably wouldn't surprise anybody around here).
    • by ardiri ( 245358 ) on Sunday February 01, 2004 @09:34AM (#8150403) Homepage
      > SCO had plenty of time to prepare for this

      makes you wonder if they had anything to do with the virus itself? if someone was going to make a blatant attempt at SCO - why not make it a surprise. publicity stunt it may be, all being run on feb 1 (sunday, non business day) - it's obviously worked. news all over the world has picked this up.
    • by SkArcher ( 676201 ) on Sunday February 01, 2004 @09:38AM (#8150446) Journal
      Analysis shows that all other sites on that router ring are working properly, that the net is no slower than usual and that you can still download SCO Linux [sco.com] from their site.

      SCO Linux includes all the SCO disputed IP under the GPL, so download it now and burn to CD - keep it on a shelf and if anyone tries to claim money show that SCO have given you a license to use the code under the GPL.
    • by mindriot ( 96208 ) on Sunday February 01, 2004 @09:40AM (#8150459)

      It might well be a publicity stunt; but it's not like they're completely unprepared, at least according to netcraft [netcraft.com]:

      We had expected that SCO might take www.sco.com out of the DNS in the run up to the MyDoom DDoS payload in order to keep the denial of service http traffic off the Internet. So far, though, www.sco.com still resolves and receives http requests, though closing the connection without sending a response.

      That said, the sco.com hostmaster is reserving his options, with the TTL set to just 60 seconds at time of writing.

      • So instead of DDOSing the webserver, they'll DDOS their DNS provider.

        Still, better than nothing I guess...

        Setting it to two, four, or even sixteen minutes wouldn't have caused them to lose much flexibility, and since the DDOS "client" dings them every 60 seconds (IIRC) it would have put one half, one fourth or one sixteenth as much load on DNS.

        But I guess that's what you get when you got a lawyer running the IT department.

        Cheers,
        Greg
  • Well actually... (Score:5, Informative)

    by Chicane-UK ( 455253 ) <chicane-uk@[ ]world.com ['ntl' in gap]> on Sunday February 01, 2004 @09:29AM (#8150364) Homepage
    If you query their DNS servers, you'll see that they have removed the A records to their site.

    So the traffic just won't get to them anyway..
    • Re:Well actually... (Score:5, Informative)

      by anticypher ( 48312 ) <<moc.liamg> <ta> <rehpycitna>> on Sunday February 01, 2004 @09:48AM (#8150510) Homepage
      Not yet. I just checked all 4 of their name servers:

      AUTHORITY SECTION:
      sco.com. 6H IN NS ns.calderasystems.com.
      sco.com. 6H IN NS ns2.calderasystems.com.
      sco.com. 6H IN NS nsca.sco.com.
      sco.com. 6H IN NS c7ns1.center7.com.

      and all of them return
      www.sco.com. 1M IN A 216.250.128.12

      So their name servers are still up and running, and pointing to a valid address. Reasonably, they have a 1 minute TTL, which will give them a quick response if they do decide to point it at 127.0.0.1 or 66.35.250.150.

      the AC

      the slashdot crud filter doesn't like double semi-colons in posts
  • by victorvodka ( 597971 ) on Sunday February 01, 2004 @09:30AM (#8150371) Homepage
    A DDOS like this will have a trivial effect on a company like SCO, whose business model does not depend on its web site. For Microsoft, though, it really might cut into their bottom line and esteem as a company. Let's hope something good comes out of this idiocy.
  • Wait (Score:5, Funny)

    by 0x54524F4C4C ( 712971 ) on Sunday February 01, 2004 @09:31AM (#8150375)


    Until Saturday when MyDoom.S hits Slashdot..
  • by linuxci ( 3530 ) on Sunday February 01, 2004 @09:32AM (#8150383)
    I think SCO have taken their site down themselves as the attack shouldn't have happened yet.


    From this page [sarc.com]:

    The DoS attack will start at 16:09:18 UTC (08:09:18 PST) on February 1, 2004. The worm checks the local system time and date to determine if it should initiate the DoS attack


    I'm typing this and the time is currently 14:30UTC.


    For those who are interested, it does appear to work in wine, before the news of it reached slashdot, I ran a copy of it in controlled conditions under Wine to see what it would do. It appears to be mainly a spam relay with SCO DOS'ing added as an afterthought.

  • Server (Score:5, Funny)

    by Bruha ( 412869 ) on Sunday February 01, 2004 @09:33AM (#8150390) Homepage Journal
    The server, the server, the server is on fire!

    We don't need no SCO let the #*($&# burn!

    Course it's not funny they will just say "The terrorist group "Linux Community" has claimed responsibility for the attacks" and declare us part of the axis of weasel like they did the other day on CNN.
  • by Mysteray ( 713473 ) on Sunday February 01, 2004 @09:33AM (#8150392)

    Does anyone believe that this will do anything except help SCO? It associates their enemies (IBM, Linux), with worm/virus creators and spammers. If this sort of thing keeps up, the US Legislative and Executive branches will actively take the side of SCO and MS against Linux and its "hackers".

    What do they need a website for anyway? Their only business is lawsuits and press releases.

  • SCO move to BSD (Score:3, Informative)

    by Oen_Seneg ( 673357 ) * on Sunday February 01, 2004 @09:34AM (#8150400)
    OpenBSD journal was commenting on how SCO moved their servers to OBSD: http://www.deadly.org/article.php3?sid=20040131082431
    Not even the might of OpenBSD web servers can stand up to a mass of infected windows boxen - watch out Microsoft, they're coming your way soon!
  • Netcraft stats (Score:5, Informative)

    by mnordstr ( 472213 ) * on Sunday February 01, 2004 @09:35AM (#8150408) Journal
  • by Glock27 ( 446276 ) on Sunday February 01, 2004 @09:39AM (#8150454)
    all I get is "Document contains no data".

    Just like the IBM lawsuit... ;-)

    I don't advocate virus attacks to further the OSS community's aims...all Linux software authors and organizations ought to be suing SCO instead. That kind of attack will cost them real money and time, and won't generate any sympathy from anyone (who's sane anyhow).

  • by twitter ( 104583 ) on Sunday February 01, 2004 @09:43AM (#8150481) Homepage Journal
    Who needs a web site when you have earned a Distributed Lack of Purchasing attack?

  • netcraft advice (Score:3, Informative)

    by oohp ( 657224 ) on Sunday February 01, 2004 @09:43AM (#8150482) Homepage
    Well they should have taken Netcraft joke advice seriously and changed the www.sco.com A pointer towards 127.0.0.1 or similar.
  • by Anonymous Coward on Sunday February 01, 2004 @09:48AM (#8150507)
    According to heise.de [heise.de] (in English [google.com]) MyDoom.B is not nearly as widespread as the A-version. According to the article the A-version just had a good start, because it was distributed through an IRC-Botnet. So we will probably not see microsoft.com going down.
  • by galaga79 ( 307346 ) on Sunday February 01, 2004 @09:49AM (#8150513) Homepage
    What I don't get is how this virus spread so far, considering how hard it must be to get infected by it. You'd have to go out of your way to get infected since it spreads itself as a zip compressed attachment.

    I can understand how past viri have spread so quickly taking advantages of exploits in Outlook and Windows RPC etc, but this doesn't seem to use any exploits what so ever.

    Is it just a lot of stupid users or I am missing something?
    • You've never worked with 'my' end users. Why worry when you can just beat the 'ITguy' dog about it.
    • by unborn ( 415272 ) on Sunday February 01, 2004 @10:17AM (#8150660)
      An infection where the user knowledgeably accepts a substance ( even if considered harmless at the moment of acceptance ) should be called "a poison", not "a virus".

      If you are given a drink that will kill you, but you drink it without knowing - that's a poison. If someone sneezes a few feet away and an airplane passes by you at the same exact moment of the other person sneezing and you can't hear the sneeze, and you get infected - then it's a virus.

      Hence, opening an executable is subjecting yourself to the possibility of poisoning. Reading your email while a flaw is exploited in your email client is a virus.
    • by Lumpy ( 12016 ) on Sunday February 01, 2004 @10:31AM (#8150773) Homepage
      a lot of stupid users? yes and no. For the past 4 versions of Windows Microsoft has refused to remove a huge security hole called file extension hiding. They knew it was a gigantic hole when they added it, and many MANY times industry experts have pleaded to them to remove it. Microsoft refuses.

      Microsoft did not spread the virus but they created the tools to ensure its spread by the non-technical.

      and people ask about the "cost" of linux, how about the extreme cost of continuing to use Microsoft products...
      • by glesga_kiss ( 596639 ) on Sunday February 01, 2004 @11:43AM (#8151193)
        For the past 4 versions of Windows Microsoft has refused to remove a huge security hole called file extension hiding.

        Bollocks. The people commonly infected with viruses wouldn't even know what a file extension was, let alone the difference between an exe and a txt file.

        "The one with the W is a word file, the portrait is a graphic file etc". Give a file "virus.exe" the same icon graphic as a word file, and most users wouldn't know the difference.

        On the other hand, if you don't hide the extension, then each of us here would be constantly dealing with dumb users who have renamed "Document1.doc" to "Report" (no extension). For 99% of users, hiding extensions is a good idea.

        • So explain to me why I've had this conversation several times with my users:

          Well, of course I opened it. It says it's a JPG, and you can't get a virus from a JPG.

          I don't understand - I thought you couldn't get a virus from a text file?

          It's just a web page, it can't possibly be a virus.

          Answer: a little knowledge is a dangerous thing. Especially if you're dealing with people who have file extensions turned on at work, but off at home, or vice versa.

    • by gdav ( 2540 ) on Sunday February 01, 2004 @10:37AM (#8150813)
      The users that I support would double-click on a landmine to see what it did.
    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday February 01, 2004 @11:28AM (#8151105) Homepage Journal
      Never underestimate the power of human stupidity. I spent a whole working day doing nothing but cleaning this virus (with stinger) in the process of which I found a couple other worms as well. You ask people, why did you even look at that attachment? What made you think it was a good idea to run it? And half of them say, I didn't open an attachment! Well, bollocks to you, obviously they're clicking things without realizing what they're clicking. People need more computer training, plain and simple. I wonder if the situation would be analogous to driver training. Germany has much more driver training than the USA and consequently they can have highways where you can drive as fast as you can manage without doing anything stupid (besides drive really fast in the first place.) Of course, there, if you get caught without your reflective triangle on the autobahn, kiss your license good bye; Same if you're hogging the left lane and someone flashes their brights at you, and you don't get over.

      I wonder if more computer training would reduce the number of "accidents" like this that we have here. It seems even most persons who use the computer as a key part of their job every day have no idea what the hell they're doing. I'm not expecting them to know (much about) how it works, just to sort of get an idea of what's a good idea, and what isn't.

  • by Anonymous Coward on Sunday February 01, 2004 @09:50AM (#8150517)
    There was a story posted "Refuting tall-tales and stories about the Mydoom worms" which can be found at:
    http://www.math.org.il/mydoom-facts.txt

    It contains the Time Table for the attack along with reverse engineering analysis of the DoS component in Mydoom.

    You might also want to check:
    http://www.math.org.il/newworm-digest1.txt

    Which contains an analysis and reverse engineering bits for Mydoom.A.
  • by OverlordQ ( 264228 ) on Sunday February 01, 2004 @09:54AM (#8150539) Journal
    www.sco.com has address 216.250.128.12

    traceroute to 216.250.128.12 (216.250.128.12), 30 hops max, 38 byte packets
    1 66.182.216.1 (66.182.216.1) 44.788 ms 45.293 ms 45.307 ms
    2 iah-edge-13.inet.qwest.net (63.149.189.73) 51.143 ms 54.774 ms 51.355 ms
    3 iah-core-02.inet.qwest.net (205.171.31.142) 54.766 ms 51.816 ms 56.265 ms
    4 dal-core-01.inet.qwest.net (205.171.8.125) 56.562 ms 56.563 ms 58.236 ms
    5 dal-core-02.inet.qwest.net (205.171.25.130) 58.450 ms 54.056 ms 58.734 ms
    6 dap-brdr-01.inet.qwest.net (205.171.225.2) 231.204 ms 99.812 ms 92.647 ms
    7 p3-2.IR1.Dallas2-TX.us.xo.net (206.111.5.13) 59.997 ms 61.537 ms 77.399 ms
    8 p5-2-0-3.RAR1.Dallas-TX.us.xo.net (65.106.4.197) 55.789 ms 60.882 ms 57.735 ms
    9 p0-0-0-1.RAR2.Dallas-TX.us.xo.net (65.106.1.42) 57.992 ms 63.093 ms 58.382 ms
    10 p1-0-0.RAR2.Denver-CO.us.xo.net (65.106.0.41) 89.096 ms 93.724 ms 93.356 ms
    11 p0-0-0-2.RAR1.Denver-CO.us.xo.net (65.106.1.81) 89.825 ms 84.570 ms 85.701 ms
    12 p4-0-0.MAR1.SaltLake-UT.us.xo.net (65.106.6.74) 109.317 ms 98.882 ms 314.447 ms
    13 p0-0.CHR1.SaltLake-UT.us.xo.net (207.88.83.42) 104.638 ms 99.345 ms 104.216 ms
    14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 100.682 ms 105.112 ms 101.775 ms
    15 * * *

    linuxupdate.sco.com has address 216.250.128.241

    traceroute to 216.250.128.241 (216.250.128.241), 30 hops max, 38 byte packets
    1 66.182.216.1 (66.182.216.1) 48.151 ms 89.228 ms 47.732 ms
    2 iah-edge-13.inet.qwest.net (63.149.189.73) 51.187 ms 49.542 ms 52.654 ms
    3 iah-core-02.inet.qwest.net (205.171.31.142) 53.441 ms 101.028 ms 53.714 ms
    4 dal-core-01.inet.qwest.net (205.171.8.125) 319.413 ms 57.257 ms 59.600 ms
    5 dal-core-02.inet.qwest.net (205.171.25.130) 57.595 ms 55.800 ms 57.578 ms
    6 dap-brdr-01.inet.qwest.net (205.171.225.2) 61.077 ms 56.746 ms 59.109 ms
    7 p3-2.IR1.Dallas2-TX.us.xo.net (206.111.5.13) 59.587 ms 54.717 ms 59.362 ms
    8 p5-2-0-3.RAR1.Dallas-TX.us.xo.net (65.106.4.197) 60.098 ms 61.397 ms 58.609 ms
    9 p0-0-0-1.RAR2.Dallas-TX.us.xo.net (65.106.1.42) 67.524 ms 59.960 ms 71.663 ms
    10 p1-0-0.RAR2.Denver-CO.us.xo.net (65.106.0.41) 93.370 ms 113.441 ms 92.632 ms
    11 p0-0-0-2.RAR1.Denver-CO.us.xo.net (65.106.1.81) 89.880 ms 85.503 ms 85.974 ms
    12 p4-0-0.MAR1.SaltLake-UT.us.xo.net (65.106.6.74) 98.055 ms 97.907 ms 98.232 ms
    13 p0-0.CHR1.SaltLake-UT.us.xo.net (207.88.83.42) 99.287 ms 96.170 ms 99.050 ms
    14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 101.741 ms 104.765 ms 100.452 ms
    15 c7pub-216-250-136-254.center7.com (216.250.136.254) 106.771 ms 100.281 ms 105.686 ms
    16 linuxupdate.sco.com (216.250.128.241) 106.443 ms 107.751 ms 105.682 ms
    • by Megane ( 129182 ) on Sunday February 01, 2004 @10:15AM (#8150643)
      (thanks for the tip of trying linuxupdate.sco.com)

      traceroute to www.sco.com (216.250.128.12), 30 hops max, 40 byte packets
      . . .
      4 bb1-p5-2.rcsntx.sbcglobal.net (151.164.243.13) 20.902 ms 22.986 ms 20.92 ms
      5 bb2-p6-0.rcsntx.swbell.net (151.164.191.122) 20.957 ms 20.977 ms 20.878 ms
      6 ex1-p11-0.eqdltx.sbcglobal.net (151.164.191.229) 24.012 ms 22.046 ms 20.96 ms
      7 asn2828-xo-eqdltx.sbcglobal.net (151.164.248.14) 23.907 ms 23.2 ms 23.912 ms
      8 p5-2-0-3.rar1.dallas-tx.us.xo.net (65.106.4.197) 23.96 ms 22.868 ms 23.999 ms
      9 p0-0-0-1.rar2.dallas-tx.us.xo.net (65.106.1.42) 24.063 ms 22.648 ms 23.905 ms
      10 p1-0-0.rar2.denver-co.us.xo.net (65.106.0.41) 38.954 ms 37.252 ms 47.928 ms
      11 p0-0-0-2.rar1.denver-co.us.xo.net (65.106.1.81) 38.88 ms 37.841 ms 38.944 ms
      12 p4-0-0.mar1.saltlake-ut.us.xo.net (65.106.6.74) 50.949 ms 49.296 ms 50.948 ms
      13 p0-0.chr1.saltlake-ut.us.xo.net (207.88.83.42) 50.886 ms 49.851 ms 50.774 ms
      14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 53.912 ms 52.526 ms 51.004 ms
      15 * * *

      traceroute to linuxupdate.sco.com (216.250.128.241), 30 hops max, 40 byte packets
      . . .
      4 bb1-p5-2.rcsntx.sbcglobal.net (151.164.243.13) 20.947 ms 20.046 ms 20.905 ms
      5 bb2-p6-0.rcsntx.swbell.net (151.164.191.122) 20.919 ms 29.145 ms 20.855 ms
      6 ex1-p11-0.eqdltx.sbcglobal.net (151.164.191.229) 20.951 ms 22.991 ms 23.963 ms
      7 asn2828-xo-eqdltx.sbcglobal.net (151.164.248.14) 23.945 ms 22.989 ms 23.894 ms
      8 p5-1-0-3.rar1.dallas-tx.us.xo.net (65.106.4.193) 23.955 ms 25.426 ms 24.013 ms
      9 p0-0-0-1.rar2.dallas-tx.us.xo.net (65.106.1.42) 26.979 ms 62.002 ms 27.099 ms
      10 p1-0-0.rar2.denver-co.us.xo.net (65.106.0.41) 38.821 ms 37.981 ms 38.89 ms
      11 p0-0-0-2.rar1.denver-co.us.xo.net (65.106.1.81) 38.789 ms 38.094 ms 38.888 ms
      12 p4-0-0.mar1.saltlake-ut.us.xo.net (65.106.6.74) 51.054 ms 50.024 ms 50.811 ms
      13 p0-0.chr1.saltlake-ut.us.xo.net (207.88.83.42) 51.001 ms 49.886 ms 50.934 ms
      14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 53.903 ms 53.136 ms 53.841 ms
      15 c7pub-216-250-136-254.center7.com (216.250.136.254) 50.937 ms 51.759 ms 50.787 ms
      16 linuxupdate.sco.com (216.250.128.241) 51.004 ms 52.438 ms 50.988 ms

      traceroute to ftp.calderasystems.com (216.250.128.13), 30 hops max, 40 byte packets
      . . .
      4 bb1-p5-2.rcsntx.sbcglobal.net (151.164.243.13) 20.892 ms 20.06 ms 23.887 ms
      5 bb2-p6-0.rcsntx.swbell.net (151.164.191.122) 21.051 ms 19.935 ms 21.034 ms
      6 ex1-p11-0.eqdltx.sbcglobal.net (151.164.191.229) 23.82 ms 23.095 ms 23.868 ms
      7 asn2828-xo-eqdltx.sbcglobal.net (151.164.248.14) 23.987 ms 23.063 ms 20.829 ms
      8 p5-2-0-3.rar1.dallas-tx.us.xo.net (65.106.4.197) 23.989 ms 22.84 ms 23.934 ms
      9 p0-0-0-1.rar2.dallas-tx.us.xo.net (65.106.1.42) 24.086 ms 25.935 ms 23.877 ms
      10 p1-0-0.rar2.denver-co.us.xo.net (65.106.0.41) 38.916 ms 38.112 ms 38.925 ms
      11 p0-0-0-2.rar1.denver-co.us.xo.net (65.106.1.81) 38.603 ms 38.096 ms 38.94 ms
      12 p4-0-0.mar1.saltlake-ut.us.xo.net (65.106.6.74) 50.947 ms 49.871 ms 50.914 ms
      13 p0-0.chr1.saltlake-ut.us.xo.net (207.88.83.42) 50.944 ms 49.782 ms 51.008 ms
      14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 50.836 ms 53.072 ms 53.935 ms
      15 * * *

      So either they're being merely slashdotted or they "accidentally on purpose" kicked www.sco.com's router power plug out of the wall. According to ARIN, they're all on the same /20 network, so they're probably not on a different final link from XO. They're certainly not being DoS'ed for bandwidth.

  • by marsu_k ( 701360 ) on Sunday February 01, 2004 @10:01AM (#8150576)

    Curiously, this article seems to imply that there was a political agenda behind DDoSing SCO - but to quote Mikko Hypponen of F-secure a bit more:

    "It's also possible the attack against SCO is just a smokescreen to misdirect attention away from the backdoor component in the virus - which is most likely included in order to facilitate sending of spam email messages."

    Similar, albeit longer, quote from him asserting that indeed spammers were behind this worm was in the local newspaper on Friday, but it's in Finnish and I'm too lazy to translate it. But the above quote can be found here [f-secure.com].

  • Classic Trick (Score:5, Insightful)

    by cluge ( 114877 ) on Sunday February 01, 2004 @10:03AM (#8150584) Homepage
    Yes, it's a classic trick, and it's worked for thousands of years. It's worked for politicians and armies. It's worked for the con-artist and the cult leader. What is this trick? Misdirection. If you think that this virus has anything at all to do with the open source community or SCO then you're not keeping your eye on the ball sparky!

    1. This virus makes a machine an open relay. Considering recent legislation [spamlaws.com] and other anti-spam techniques I smell spammer bovine feces here.

    2. More and more spammers used hijacked machines for DNS, web service as well as relaying their crap. spammers Check out the nanae news group for more examples [google.com]

    3. The open source community is coming up with various anti-spam measures. Don't you think the spammers would love painting their enemy as a petulant child - as they have proven themselves to be?

    MyDOOM isn't the open source community pissing on SCO, it's spammers pissing on all of us.

    AngryPeopleRule [angrypeoplerule.com]

  • null routing to sco? (Score:3, Informative)

    by fcs-error ( 525339 ) on Sunday February 01, 2004 @10:03AM (#8150587)
    From a list that I am on, there was consideration that routes to SCO may be dropped due to the expected traffic to SCO. The plans were to null route the traffic at the edge of individual AS's.
  • by smartin ( 942 ) on Sunday February 01, 2004 @10:08AM (#8150609)
    I know some people think this virus makes the linux community look bad, but that's not really the case. It's just another windows virus in a long line of windows viruses, written somewhere by some asshole for whatever reason they see fit. Even if it turns out that the writer is a Linux fanatic, you can't hold the whole community responsible for the actions of one individual. Personally I think it's a good thing because it does serve three useful functions (no I did not write it :)).
    1. It forces some asshole companies off the net for a while.
    2. It raises awareness of the whole SCO fiasco and I'm not seeing much in the way of sympathy for them in the press.
    3. It shows once again that windows is a virus ridden insecure platform.

    What's not to like.
  • by Tokerat ( 150341 ) on Sunday February 01, 2004 @10:09AM (#8150617) Journal

    ...sco.com is only down because it's on the front page of Slashdot! :-D
  • by andrewleung ( 48567 ) on Sunday February 01, 2004 @10:22AM (#8150704)
    i want to be part of DDOS attack!

    dammit! why are mac users always left out of the fun?! >_
  • by PetoskeyGuy ( 648788 ) on Sunday February 01, 2004 @12:32PM (#8151504)
    Forget about the DDOS attacks. It's a distraction. The bigger problem is that the DDOS may be able to be changed on command to any other site on the internet.

    This is a spam zombie virus. We need to work on securing our compromised systems and keeping them from joining the spam network and obeying the commands. If anyone has any real information about how this virus works as a relay and how to stop it at the network level please post it.

    So far I've found the following links. Blocking port 3127 at the router seems like it could help a lot. Any other (real) solutions would be appreciated.

    http://xforce.iss.net/xforce/alerts/id/161 [iss.net]
    http://www.savvy.net/detail.asp?category_id=7&article_id=91 [savvy.net]
  • www A 127.0.0.1 (Score:5, Insightful)

    by Stephen Samuel ( 106962 ) <samuel AT bcgreen DOT com> on Sunday February 01, 2004 @12:38PM (#8151555) Homepage Journal
    Given that they knew this was coming, and knew that they didn't have the bandwidth/CPU to handle the massive overload, why didn't SCO Just set the A record for their website to 127.0.0.1 for a couple of days?? Either that or 192.168.42.42... With the former, a virus infected machine would simply attack itself. With the latter, it would try to contact a well known address which would allow sysadmins to find any infected machine (and remove the virus) by simply looking for references to the address.
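Added example (not part of the thread and not any poster's code): the two comments above suggest blocking port 3127 at the router and pointing the A record at a well-known address so that infected machines can be found by looking for references to it. The sketch below runs that search over firewall log lines; the log layout, the 10.0.0.0/8 internal range, the `min_hits` threshold and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Values taken from the two comments above.
SINKHOLE = ipaddress.ip_address("192.168.42.42")  # proposed A record target
WORM_PORT = 3127                                  # port suggested for blocking

# Assumptions for this example: site address range and log layout.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample input; not real traffic.
SAMPLE_LOG = """\
2004-02-01T16:09:20Z ALLOW TCP 10.1.4.23:1042 -> 192.168.42.42:80
2004-02-01T16:09:31Z ALLOW TCP 10.1.7.5:1100 -> 198.51.100.7:80
2004-02-01T16:10:21Z ALLOW TCP 10.1.4.23:1043 -> 192.168.42.42:80
2004-02-01T16:10:40Z DENY TCP 10.1.9.77:1201 -> 192.168.42.42:80
2004-02-01T16:11:02Z DENY TCP 203.0.113.9:4021 -> 10.1.4.23:3127
2004-02-01T16:11:05Z ALLOW TCP 203.0.113.9:4022 -> 10.1.8.14:3127
2004-02-01T16:11:22Z ALLOW TCP 10.1.4.23:1044 -> 192.168.42.42:80
2004-02-01T16:11:30Z ALLOW TCP 10.1.999.1:1050 -> 192.168.42.42:80
-- log rotated --
"""


def parse(lines):
    """Yield (action, src, dst, dport) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            # e.g. 10.1.999.1 satisfies the regex but is not a valid address
            continue
        yield m["action"], src, dst, int(m["dport"])


def find_suspects(lines, min_hits=2):
    """Return internal hosts worth inspecting.

    sinkhole_clients: internal hosts that tried HTTP to the sinkhole address
        at least min_hits times. The attempt is the signal, so both ALLOW
        and DENY lines count; a single hit may be a stray click.
    port_3127_reached: internal hosts that an outside address was allowed
        to reach on the port the thread suggests blocking.
    port_3127_blocked: how many such attempts the firewall denied.
    """
    sinkhole_hits = Counter()
    reached = set()
    blocked = 0
    for action, src, dst, dport in parse(lines):
        if src in INTERNAL_NET and dst == SINKHOLE and dport == 80:
            sinkhole_hits[src] += 1
        elif (dst in INTERNAL_NET and src not in INTERNAL_NET
              and dport == WORM_PORT):
            if action == "ALLOW":
                reached.add(dst)
            else:
                blocked += 1
    return {
        "sinkhole_clients": {
            str(ip): n for ip, n in sorted(sinkhole_hits.items())
            if n >= min_hits
        },
        "port_3127_reached": [str(ip) for ip in sorted(reached)],
        "port_3127_blocked": blocked,
    }


if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG.splitlines()))
```
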
  • by randomErr ( 172078 ) <ervin.kosch@gmailOPENBSD.com minus bsd> on Sunday February 01, 2004 @02:44PM (#8152535) Journal
    Is version as wide spread as version A? What, if anything, is Microsoft doing to prepare for the coming DOS attack?
  • by dtfinch ( 661405 ) * on Sunday February 01, 2004 @04:07PM (#8153146) Journal
    www.sco.com no longer resolves. They removed it from their name server yesterday. Only sco.com without the www resolves to an ip address. The attack should be almost completely averted by now because of this, but sco.com is still down.

    The only possible cause I see for them to still be offline is if they took it offline themselves, or there's been another attack that they've failed to mention to the press, but it's unlikely that they'd turn down any opportunity to slam us if that were the case. Check it yourselves. The worm specifically attacks the domain www.sco.com, which no longer exists, and the dns entry expired yesterday. All that worm traffic should be going to oblivion by now, because Windows doesn't reuse expired dns records when requery attempts fail.

    > www.sco.com
    Server: ns.calderasystems.com
    Address: 216.250.130.1

    *** ns.calderasystems.com can't find www.sco.com: Non-existent domain
    > sco.com
    Server: ns.calderasystems.com
    Address: 216.250.130.1

    Non-authoritative answer:
    Name: sco.com
    Address: 216.250.128.12
