Dreamsmith's Forge

Software

 


Code Red Hall of Shame

First, a bit of explanation...

Although personally I consider it irresponsible to run a website on Microsoft IIS instead of Apache or some other more secure alternative, that alone will not get you into the Hall of Shame. Granted, if you can't figure out how to install, configure, and maintain a Unix server running Apache, you're clearly too incompetent to be a system administrator, but for the purposes of this page, I'm looking for incompetence above and beyond the norm.

On June 18th, 2001, Microsoft announced in a security bulletin that there was a vulnerability in IIS that could allow remote attackers to run any code they liked on their server. Competent system administrators know that keeping track of and installing relevant security patches is part of their job -- any system administrator who does not do this is not doing their job and should be fired immediately. However, it should be noted that Microsoft's original announcement about this vulnerability in the ISAPI Extension of IIS did not make it clear that this was a problem even if your site doesn't use the ISAPI Extension, so the fact that this patch went uninstalled by many system administrators is excusable.

The real action began on July 16th, when the initial (and relatively benign) version of the Code Red worm was sighted in the wild. By July 19th, it had become so widespread that every competent system administrator on the planet was aware of it, and by the 20th at the latest every competently administered server that was vulnerable had been patched.

However, nearly a month later, I am still getting frequent attacks in my weblogs, both here and at work. Many of these attacks come from systems with a dynamic IP, probably someone's home computer, so this does not surprise me. What surprises me is when the attacks come from an established corporate website. What utterly astounds me is when it comes from the corporate website of a company in the IT business! What leaves me fuming mad is when it comes from companies in the IT business who claim on their websites to be experts in security or e-commerce! These are snake-oil merchants of the worst sort, and I have the webserver logs to prove it (stats available off my Code Red page).

With that, I give you the Code Red Hall of Shame...

< -------------------------------- >

By far the worst offender in my webserver logs is a Bloomington, Minnesota company called CS Solutions, Inc. They claim to be experts in E-commerce, as well as Networking and System Administration. The webserver administered by these "experts" has attacked my webserver over 100 times in the last two weeks! The first attack came on August 4th, well after every competent system administrator had patched any vulnerable system in their organization. Would you trust these morons with your credit card number? I want their customer list, just so I know what websites to avoid!!!

Oh, and their FAQ includes a wonderful statement from the All Your Base Are Belong To Us School of Grammar: "At CSSI we DON'T believe our client's need for technology solutions are to our undue advantage." Either replace "need" with "needs" or "are" with "is", guys. You might want to fix the HTML while you're patching your webserver, but at 134 attacks and counting, I'm not holding my breath. In any case, anyone's need for technology solutions ought to be to the advantage of your competition! Alas, I imagine there are plenty of people being fooled into doing business with you and other snake-oil merchants like you...

< -------------------------------- >

I wasn't able to get as much information about La Crosse Software. The only email address on their uninformative website would appear to link them with Erb's, an IT company in eastern Iowa. There's a joke amongst Minnesotans: "What does IOWA stand for?" "Idiots Out Walking Around." Perhaps this is further evidence of the fact. In any case, their server attacked mine 7 times during a 24 hour period starting on the 6th -- again, well after when competent system administrators had patched the holes in their systems.

< -------------------------------- >

Err, umm, these people aren't in the IT field, but, well, come on! Benji Movies? Please tell me they're kidding... Well, if nothing else, they need to have a serious talk with whoever they've hired to run their website. Unlike many companies, that one wisely did not include a "Site hosted by..." link on the page. Were they afraid to take credit for their lack of system administration skills, or did they simply not want their good name associated with Benji? Can't blame them, either way...

I love the link on The Risks of TV, by the way, but you missed the most important one: a television can be connected to a VCR, whereby one could be tortured by watching Benji Movies! Talk about cruel and unusual punishment...

< -------------------------------- >

"NNY Online: Northern New York's new choice for Internet services." What was the old choice, please? They attacked me twice, once on August 6th and again on the 9th.

< -------------------------------- >

And here we have "Connect2 Internet Networks: Staten Island's largest Internet Service Provider, and Microsoft's choice as Educational Partner for the Tri-State area." Microsoft may want to rethink that choice. Then again, they're the people who gave us IIS to begin with, not to mention Outlook, the mail program that never met a virus it didn't like... well, okay, there was one. Anyhow, Connect2 Internet Network's webserver attacked me on August 6th and again on the 9th. Trying to compete with those other Tri-State area geniuses, NNY Online?

< -------------------------------- >

MoneyZone.com! I feel so safe, knowing my financial interests are being managed by a company with a huge gaping backdoor in its webserver. There's a link for website design, but it's currently broken. Mozilla tells me "The operation timed out when attempting to contact www.imagethinkers.com.", but maybe it'll be back up by the time you read this. Good luck. Anyhow, MoneyZone.com attacked me twice on August 8th.

< -------------------------------- >

W.J. Riley Plumbing & Heating includes an "ask the plumber" link. I just have one question: who hosts your website? Could you please tell them to stop attacking my webserver? Okay, that was two questions. So I can't count. At least I can administer a decent webserver, unlike these morons. Their server just attacked mine today! It's August 17th, and they still haven't patched their webserver?! By the way, it says send mail to feedback@rileyplumbing.com, but rileyplumbing.com doesn't resolve -- tell them to reboot the DNS server while they're patching the webserver...

< -------------------------------- >
The real sad part about this is, I've only managed to get through those sites that have attacked mine multiple times or have done it within the last 24 hours. I'm less than 30% of the way through my attack report! Oh well, I'm stopping here for now -- this page will be expanded this weekend, stay tuned!
< -------------------------------- >

Do you have your own Code Red Hall of Shame? Send me a link and I'll include it here.

Would you like to make your own? Need a good program to comb your logs for attacks? I'll be adding LogJack: Code Red Special Edition to my software downloads this weekend.
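
One way to comb an access log for the kind of per-host attack tallies quoted above, as an added example (it is not LogJack and not the author's code). It assumes Apache common/combined log format and the worm's well-known `GET /default.ida?` request padded with a long run of `N` (or `X` for Code Red II); the function names, the 50-character threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log line: host, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
# Code Red asks for /default.ida with a long filler run (N, or X for Code Red II).
# The 50-character minimum is an assumption chosen for this example.
PROBE_RE = re.compile(r'^GET /default\.ida\?[NX]{50,}', re.IGNORECASE)

def tally_probes(lines):
    """Return {host: {"count", "first", "last"}} for Code Red-style requests."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        host, stamp, request, _status = m.groups()
        if not PROBE_RE.match(request):
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        rec = hits[host]
        rec["count"] += 1
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)
    return dict(hits)

def repeat_offenders(hits, minimum=2):
    """Hosts seen at least `minimum` times, busiest first."""
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [(host, rec["count"]) for host, rec in ranked if rec["count"] >= minimum]

def _probe(host, stamp, filler):
    # Constructed log line; the request is shortened to the filler run only.
    return f'{host} - - [{stamp}] "GET /default.ida?{filler * 224}=a HTTP/1.0" 404 205'

# Constructed sample log using documentation-range addresses.
SAMPLE_LOG = [
    _probe("192.0.2.10", "04/Aug/2001:03:12:45 -0500", "N"),
    _probe("198.51.100.7", "06/Aug/2001:11:02:10 -0500", "N"),
    '203.0.113.5 - - [07/Aug/2001:09:00:00 -0500] "GET /index.html HTTP/1.0" 200 5120',
    _probe("192.0.2.10", "09/Aug/2001:22:40:01 -0500", "X"),
    "not a log line at all",
    _probe("192.0.2.10", "17/Aug/2001:08:15:30 -0500", "N"),
]

if __name__ == "__main__":
    for host, rec in sorted(tally_probes(SAMPLE_LOG).items()):
        print(host, rec["count"], rec["first"].date(), rec["last"].date())
```

A 404 status on these requests, as in the constructed lines, is what a non-IIS server would log; the status is parsed but not used for matching.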