[WEB4LIB] More IIS Horror Stories

Blake Carver carver.50 at osu.edu
Tue Oct 30 19:39:51 EST 2001


I am in no way defending IIS or M$, nor am I picking on Linux, but it's not 
like Linux does that much better:

"Between April and December 2000, seven default installations of Red Hat 
6.2 servers were attacked within three days of connecting to the Internet. 
Based on this, we estimate the life expectancy of a default installation of 
Red Hat 6.2 server to be less than 72 hours. The last time we attempted to 
confirm this, the system was compromised in less than eight hours. The 
fastest time ever for a system to be compromised was 15 minutes."
http://project.honeynet.org/papers/stats/

Still... 72 hours is much better than 25 minutes.

-Blake

At 01:28 PM 10/30/2001 -0800, you wrote:
>eWeek's current story on IIS vulnerabilities:
><http://www.eweek.com/article/0,3658,s%253D708%2526a%253D17362,00.asp>.
>
>
>=========
>
>To see for ourselves how long a default installation of IIS would last in
>the wild, eWeek Labs connected a fresh install of Windows 2000 Server to
>the outside Internet. As an arbitrary deadline, we immediately started
>downloading the network install of Windows 2000 Service Pack 2 and
>disconnected from the network when it was done.
>
>The 110MB download took 25 minutes. For the first 15 minutes, we didn't
>see any HTTP traffic at all; in the last 10 minutes of the download, we
>were infected with Nimda twice-once from two different servers and several
>times by our own server reinfecting itself.
>
>=========
>
>Install the server, and get infected before you can download the patches.
>Cool.
>
>
>Thomas Dowling
>OhioLINK - Ohio Library and Information Network
>tdowling at ohiolink.edu


------------------------------------------
Blake Carver
Web Librarian
The Ohio State University Libraries


