According to published docs on the worm it attacks "windowsupdate.com", which maps to IPs in 204.79.188.0/24.

However, checks of my cache logs show that nothing ever goes to plain old http://windowsupdate.com . Everything goes to download.windowsupdate.com, www.download.windowsupdate.com or something else. Even www.windowsupdate.com points elsewhere.

In fact a glance through cache logs shows nothing going anywhere near the 204.79.188.0/24 network. Even better, 204.79.188.0/24 is a /24 all by itself, advertised as a /24.

Does this mean:

1. It's safe to null route this network.
2. Microsoft will withdraw the advertisement for the network if the going gets tough. I notice that there is no route for the network on route-server.cw.net already.

Thoughts?

-- 
Simon Lyall | Newsmaster | Work: simon.lyall(a)ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon(a)darkmere.gen.nz
Ihug Ltd, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
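The cache-log check Simon describes, as an added example that is not from the thread: a Python pass over constructed Squid-style access.log lines that counts which windowsupdate.com hostnames clients actually request and flags any fetch whose origin server falls inside 204.79.188.0/24 (the log lines, client addresses and the 204.79.188.10 origin are constructed; 206.112.112.69 is the Akamai address quoted later in the thread).

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# The /24 the thread names as windowsupdate.com's address space.
TARGET_NET = ipaddress.ip_network("204.79.188.0/24")

# Constructed Squid-style access.log lines, not a real proxy's logs. Field order:
# time elapsed client action/status bytes method url ident hierarchy/origin type
SAMPLE_LOG = """\
1060911600.101 120 10.0.0.5 TCP_MISS/200 2345 GET http://download.windowsupdate.com/v4/a.cab - DIRECT/206.112.112.69 application/octet-stream
1060911601.202 80 10.0.0.6 TCP_HIT/200 512 GET http://www.download.windowsupdate.com/v4/b.cab - NONE/- application/octet-stream
1060911602.303 95 10.0.0.7 TCP_MISS/200 161 GET http://www.windowsupdate.com/ - DIRECT/206.112.112.69 text/html
1060911603.404 40 10.0.0.8 TCP_MISS/503 0 GET http://windowsupdate.com/ - DIRECT/204.79.188.10 text/html
1060911604.505 60 10.0.0.9 TCP_MISS/200 900 GET http://www.example.net/ - DIRECT/192.0.2.1 text/html
"""

LINE_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)")


def scan_cache_log(text, target=TARGET_NET):
    """Return (Counter of windowsupdate.com hostnames requested,
    list of (client, host, origin) fetches whose origin server is inside target)."""
    hosts = Counter()
    in_target = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed access.log line
        host = urlsplit(m.group("url")).hostname or ""
        if host == "windowsupdate.com" or host.endswith(".windowsupdate.com"):
            hosts[host] += 1
        origin = m.group("hier").split("/", 1)[-1]
        try:
            if ipaddress.ip_address(origin) in target:
                in_target.append((m.group("client"), host, origin))
        except ValueError:
            pass  # NONE/- means served from cache: no origin server contacted
    return hosts, in_target


if __name__ == "__main__":
    hosts, hits = scan_cache_log(SAMPLE_LOG)
    for name, n in hosts.most_common():
        print(f"{n:6d}  {name}")
    for client, host, origin in hits:
        print(f"origin inside {TARGET_NET}: {client} fetched {host} via {origin}")
```

Run against a real proxy log, an empty second list is the evidence Simon is after before null-routing the prefix.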
Is anyone else finding difficulties trying to access any Microsoft sites? None of their sites will load, and this has been like this for about the last 40 minutes now. Anyone on other networks having a similar issue? Or has the worm struck them early? Very strange for Microsoft to have so much downtime...

Jithen
Is anyone else finding difficulties trying to access any Microsoft sites?
None of their sites will load, and this has been like this for about the last 40 minutes now.
Anyone on other networks having a similar issue? Or has the worm struck them early? Very strange for Microsoft to have so much downtime...
Jithen
I would say it's just that their servers are overloaded with people trying to find out about the worm and/or download the patch for it, thanks to the frenzy that the media is whipping up. I started noticing Windows Update slowing down to a crawl yesterday, and haven't even bothered to see if it's still there today :)

Regards,
Simon
If anyone's interested... There is a nessus plugin that will identify hosts that are vulnerable but not yet infected (a tcpdump on port 135 will show you that). The plugin is here: http://cgi.nessus.org/plugins/dump.php3?id=11808 . You can get it by running nessus-update-plugins; the plugin itself is msrpc_dcom.nasl.

You can run it via nessus or from the command line thusly:

'nasl -t 192.168.2.3 msrpc_dcom.nasl'

If the machine is vulnerable you'll get 'success'. This method may be more useful if you wish to script it or combine with something other than nmap for the port 135 scanning. I believe ISS and e-eye scanners for windows will find it as well (ISS will run ok under wine apparently).

-- 
Donovan Jones
Network Engineer
Comnet Networks
+64-4-569 0060
http://www.comnet.co.nz
May be related to US power outage, 50 000 000 people without power. Hotmail won't load either.
Quoting Jithen Singh
Is anyone else finding difficulties trying to access any Microsoft sites?
None of their sites will load, and this has been like this for about the last 40 minutes now.
Anyone on other networks having a similar issue? Or has the worm struck them early? Very strange for Microsoft to have so much downtime...
Jithen
_______________________________________________ Nznog mailing list Nznog(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
On Friday, 15 August 2003, at 05:02AM, barry(a)unix.co.nz wrote:
May be related to US power outage, 50 000 000 people without power. Hotmail won't load either.
That power outage knocked out bits of the North Eastern US and most of South-Western Ontario (including my house -- still no power here, just laptops and cellphones). To the best of my knowledge most Microsoft-branded services are served out of Redmond, and Hotmail is in the Bay Area somewhere (used to be in an MFN/AboveNet facility in San Jose, but I seem to remember they moved a while ago).

Most large exchange facilities in New York seem to have survived on battery and diesel power, and I don't believe the outage stretched as far as Virginia (where it might have stood a fighting chance of impacting some high concentrations of network operators).

So probably not related to the power outage.

Joe
Joe Abley wrote:
That power outage knocked out bits of the North Eastern US and most of South-Western Ontario (including my house -- still no power here, just laptops and cellphones). To the best of my knowledge most Microsoft-branded services are served out of Redmond, and Hotmail is in the Bay Area somewhere (used to be in an MFN/AboveNet facility in San Jose, but I seem to remember they moved a while ago).
Most large exchange facilities in New York seem to have survived on battery and diesel power, and I don't believe the outage stretched as far as Virginia (where it might have stood a fighting chance of impacting some high concentrations of network operators).
So probably not related to the power outage.
It's also interesting to note that a good chunk of Microsoft's Web content is served from Linux boxes. "Akamaighost" apparently runs on Linux. Here's an example:

http://uptime.netcraft.com/up/graph?site=a100.ms.a.microsoft.com

Looks like Windows Update arrives to you via Linux as well.

-- 
Juha
It's also interesting to note that a good chunk of Microsoft's Web content is served from Linux boxes. "Akamaighost" apparently runs on Linux.
I've been watching http://uptime.netcraft.com/perf/graph?orderby=outage_time&site=www.microsoft.com

Amusing points of note: there appears to be about a 4-hour outage, which I suspect is related to the switch to Akamai and not the NY power situation. The graph from NY/NY has a BIG gap in it. They missed the outage (red on all the other graphs) and interpolated the graph so it's now a darker green bar.

http://uptime.netcraft.com/up/graph?site=www.microsoft.com looks like they've been having a lot of trouble keeping the servers up since May too. I guess they're hoping Akamai can take some of the load off.

---
This email has been sent on 100% RECYCLED electrons!
www.windowsupdate.com is "Akamai"d
from IHUG = 206.112.112.X
from Xtra = 63.236.1.X
etc

What are ISPs doing before midnight tonight so their network is not affected? I guess getting 1000s of customers to remove the virus from their machines is impossible.

Make www.windowsupdate.com point to 127.0.0.1 so it doesn't do anything, or what?

Thanks
Craig Whitmore
Orcon Internet
http://www.orcon.net.nz

On Fri, 2003-08-15 at 15:33, Simon Lyall wrote:
According to published docs on the worm it attacks "windowsupdate.com", which maps to IPs in 204.79.188.0/24.
However, checks of my cache logs show that nothing ever goes to plain old http://windowsupdate.com . Everything goes to download.windowsupdate.com, www.download.windowsupdate.com or something else. Even www.windowsupdate.com points elsewhere.
In fact a glance through cache logs shows nothing going anywhere near the 204.79.188.0/24 network. Even better, 204.79.188.0/24 is a /24 all by itself, advertised as a /24.
Does this mean:
1. It's safe to null route this network.
2. Microsoft will withdraw the advertisement for the network if the going gets tough. I notice that there is no route for the network on route-server.cw.net already.
Thoughts?
On Fri, 15 Aug 2003, Craig Whitmore wrote:
www.windowsupdate.com is "Akamai"d
from IHUG = 206.112.112.X from Xtra = 63.236.1.X etc
What are ISPs doing before midnight tonight so their network is not affected? I guess getting 1000s of customers to remove the virus from their machines is impossible.
Make www.windowsupdate.com point to 127.0.0.1 so it doesn't do anything or what?
I'm sure it'll be all right now that Microsoft has started using Linux.

http://uptime.netcraft.com/up/graph?site=a23.ms.a.microsoft.com

~$ telnet 206.112.112.69 80
Trying 206.112.112.69...
Connected to 206.112.112.69.
Escape character is '^]'.
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 161
Expires: Fri, 15 Aug 2003 10:06:57 GMT
Date: Fri, 15 Aug 2003 10:06:57 GMT
Connection: close

Google for 'akamaighost'.

-- 
Juha Saarinen
What sort of impact are we expecting?
Does the virus use maximum bandwidth the user has, or does it send a predefined packet size?
Barry
----- Original Message -----
From: "Juha Saarinen"
On Fri, 15 Aug 2003, Craig Whitmore wrote:
www.windowsupdate.com is "Akamai"d
from IHUG = 206.112.112.X from Xtra = 63.236.1.X etc
What are ISPs doing before midnight tonight so their network is not affected? I guess getting 1000s of customers to remove the virus from their machines is impossible.
Make www.windowsupdate.com point to 127.0.0.1 so it doesn't do anything or what?
I'm sure it'll be all right now that Microsoft has started using Linux.
http://uptime.netcraft.com/up/graph?site=a23.ms.a.microsoft.com
~$ telnet 206.112.112.69 80
Trying 206.112.112.69...
Connected to 206.112.112.69.
Escape character is '^]'.
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 161
Expires: Fri, 15 Aug 2003 10:06:57 GMT
Date: Fri, 15 Aug 2003 10:06:57 GMT
Connection: close
Google for 'akamaighost'.
-- 
Juha Saarinen
On Fri, 2003-08-15 at 21:56, Craig Whitmore wrote:
What are ISPs doing before midnight tonight so their network is not affected? I guess getting 1000s of customers to remove the virus from their machines is impossible.
I've just cleared my mail from nznog so this info is a few hours late but is still relevant.

The worm only checks the clock on start up, so worms running before midnight last night will not start the DOS until they are restarted. This means that instead of a flood of traffic at midnight we should see a steadily increasing trickle, which may turn into a flood. Can anyone confirm this is actually happening?

We managed to get most of the infected machines closed down or patched by Friday afternoon and I have been unable to see any evidence of the DOS on our network so far. That may change on Monday morning...

BTW since this is a SYN flood attack and supposedly uses randomly forged source addresses, the traffic can be filtered where you know what source addresses should be. We are now doing this within our network to try and keep any DOS traffic off the backbone.

-- 
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.
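Russell's point about filtering where you know what source addresses should be, as an added example that is not from the thread: a Python pass over constructed "tcpdump -n" style lines that separates SYNs from prefixes the ISP allocated (RFC 5737 documentation ranges stand in for real customer space) from SYNs with source addresses it never allocated, and then lists the allocated hosts sending the most SYNs to one target, since those are the infected customers to contact rather than silently drop.

```python
import ipaddress
import re
from collections import Counter

# Constructed "tcpdump -n" style lines, not a capture from any real network.
# 206.112.112.69 is the Akamai address quoted earlier in the thread.
SAMPLE_CAPTURE = """\
00:00:01.000100 IP 192.0.2.17.1057 > 206.112.112.69.80: S 4001:4001(0) win 16384
00:00:01.000200 IP 192.0.2.17.1058 > 206.112.112.69.80: S 4002:4002(0) win 16384
00:00:01.000300 IP 203.0.113.9.2048 > 206.112.112.69.80: S 7:7(0) win 16384
00:00:01.000400 IP 198.18.5.5.3000 > 206.112.112.69.80: S 8:8(0) win 16384
00:00:01.000500 IP 192.0.2.17.1057 > 206.112.112.69.80: . ack 1 win 16384
00:00:01.000600 IP 192.0.2.44.1100 > 192.0.2.99.25: S 9:9(0) win 16384
"""

LINE_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$")


def is_syn(rest):
    """Bare SYN in either the old 'S ...' or the newer 'Flags [S]' notation."""
    return rest.startswith("S ") or rest.startswith("Flags [S]")


def classify_syns(capture, customer_nets):
    """Split outbound SYNs into those from prefixes we allocated (legit) and
    those whose source we never allocated (forged, so safe to drop at the edge).
    Both are Counters keyed by (source, 'dst:port')."""
    nets = [ipaddress.ip_network(n) for n in customer_nets]
    legit, forged = Counter(), Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_syn(m.group("rest")):
            continue
        src = ipaddress.ip_address(m.group("src"))
        key = (str(src), f'{m.group("dst")}:{m.group("dport")}')
        (legit if any(src in n for n in nets) else forged)[key] += 1
    return legit, forged


def noisy_customers(legit, threshold):
    """Allocated sources sending more than threshold SYNs to one target: the
    hosts worth contacting for patching rather than silently filtering."""
    return sorted(k for k, n in legit.items() if n > threshold)


if __name__ == "__main__":
    legit, forged = classify_syns(SAMPLE_CAPTURE, ["192.0.2.0/24"])
    print("forged-source SYNs:", sum(forged.values()))
    for src, target in noisy_customers(legit, 1):
        print(f"customer {src} hammering {target}")
```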