andras // User Search


SDK Developers : Pissed Off

Jun 19, 2006, 6:42pm
> After discussion with the Devteam, they have agreed to reinstate the "box"
> method versus the "Sphere" method for the visual view. The change should be
> in effect later today.
>
> May the scavenger hunt continue :-)
>
> Cryonics
>

Thank you!
That was a really generous solution by the company!

--
Andras
"It's MY computer" (tm Steve Gibson)

NewsGroup Hiccups

Jun 20, 2006, 7:19pm
Hi Folks,

I just wanted to warn you that the newsgroup will have a few hiccups while the transition to the 4.1 universe is made for the authentication.
I'll try my best to minimize those mishaps!

Thanks for your understanding,
--
Andras
"It's MY computer" (tm Steve Gibson)

NewsGroup Hiccups

Jun 21, 2006, 6:00pm
The new authentication is in place so new AW members can access the newsgroups too :)
Beta testers please wait at least until Friday to get access to the Beta group!

Thank you for your patience,

Follow-up set to Community ng
--
Andras
"It's MY computer" (tm Steve Gibson)

Minimum Visibility = 200m

Jul 28, 2006, 8:00am
> As crazy as it may sound for some, I believe I should have the right, as a
> world owner, to set the minimum visibility to 200m.
>

Using the Admin tool:
Make an attribute dump of your world, edit the atdump.txt file.
Item 72 is the min visibility - change it to 200.
Load the attribute back to your world.

--
Andras
"It's MY computer" (tm Steve Gibson)

Minimum Visibility = 200m

Aug 2, 2006, 10:00am
> Less than a 1% chance that they will ever use your code.
> And for the record - I'm not implying it's bad code. :)
>

Thank god!
Otherwise they would have had to debug his code forever :)

--
Andras
"It's MY computer" (tm Steve Gibson)

Minimum Visibility = 200m

Aug 2, 2006, 7:33pm
> One of these days I really will have to see about writing my own set of AW
> like technologies and free myself from these bad decisions,...
>

Waiting for "one of those days" :)


--
Andras
"It's MY computer" (tm Steve Gibson)

charter??

Jun 23, 2001, 5:32pm
Do you really have that address at here.com? Because if not - you had better change it before you are reported to your ISP for abuse.

Andras

FYI:
From the Munging FAQ:

http://www.faqs.org/faqs/net-abuse-faq/munging-address/


4d. How should I NOT mung my address?
(AOLers! Be sure to read Section 5, "Instructions for AOL
members")

- IMPORTANT! Do not make up domain names! Most of them actually
exist, and your fakery could cause them a lot of woe. Certain
domains are already virtually useless because of folks using them
in mungs and forgeries. Plus, new domain names are being added
all the time, and you never know if someone might want to use your
mung; your actions today -do- have an effect on the future! It is
almost as harmful to add something directly after the at sign, and
doing so may not prevent the delivery of messages anyway.
DON'T: yourname at NOSPAM.your-isp.com
DON'T: yourname at REMOVE-THIS.com
DON'T: yourname at your-isp.ORG (instead of COM)
DO: yourname at your-isp.INVALID (Use -only- .INVALID to do this!)

- Do not use a totally faked address, especially one that looks
real.
DON'T: not-your-real-name at some-other-isp.com



Pie....

Jun 23, 2001, 5:23pm
Finally - a place where you really belong!
Welcome home Eep :)
Andras


xsign.rwx gone?

Jul 6, 2001, 9:47pm

Nuns [C&C]

Jul 8, 2001, 10:00pm
Nuns you've gotta Love them...

There were some guys sitting behind a couple of nuns at a football game. The men decided to badger the nuns, to get them to move. So the first one says
to the others (loud enough for the women ahead to hear), "I think I want to move to Utah, there are only 100 Catholics living there..."

The second guy speaks up and says, "I want to go to Montana, there are only 50 Catholics living there..."

The third guy speaks up and says, "I want to go to Idaho, there are only 25 Catholics living there..."

One of the nuns turns around and looks the third guy in the eye and calmly says, "Why don't you go to hell, there aren't any Catholics there."

[3.1 non-beta] bug report

Jul 9, 2001, 10:51am
Call Bill Gates - that is the RichEdit control.
Andras


[Fwd: Complete Analysis of CodeRedII]

Aug 7, 2001, 3:33pm
Everyone who is running IIS4 or higher on W2K or NT4 is probably interested in reading this article.
600,000 servers infected so far :(
Andras


-------- Original Message --------
Subject: Complete Analysis of CodeRedII
Date: Mon, 6 Aug 2001 00:39:07 -0700
From: Steve Gibson <support at grc.com>
Newsgroups: grc.news,grc.news.feedback
Followup-To: grc.news.feedback

Folks,

Here's the clearest and most complete analysis I've seen so far.

-------------------------------------------------------------------

Code Red II Worm Analysis Update
=================================
The new worm that was first noticed yesterday has been
analyzed. Here is a summary of the facts based on the
excellent analyses referenced at the bottom of this page.


EXPLOITED VULNERABILITY
------------------------
This worm uses the same mechanism as the original Code
Red worm to infect vulnerable servers. That is, the
worm looks for IIS servers that have not patched the
unchecked buffer vulnerability in idq.dll or removed
the ISAPI script mappings. See the Code Red Patch FAQ
at http://www.incidents.org/react/code_red.php for
information on patching systems to remove the vulnerability.

Except for using the buffer overflow mechanism in order
to get the worm code executed on a vulnerable IIS server,
this new worm is entirely different from the original Code
Red CRv1 and CRv2 variants.

Note: According to eEye, the worm code will be successfully
executed only on a Win2000 system running a vulnerable IIS
server; WinNT-based IIS servers will simply crash when
attempting to execute the worm code. Our experiments and
reports received from users confirm this finding.


BACKDOOR
--------
The most damaging property of this new worm is that the worm
creates a back door on an infected server, leaving the system
wide open to any attacker.

The worm copies %windir%\CMD.EXE to the following locations:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe

This provides a means for a remote attacker to execute
arbitrary commands on the compromised server.

In addition, the worm creates a trojan copy of explorer.exe
as described below. Due to the actions of the trojan
explorer.exe, IIS will make the C: and D: root directories
accessible to a remote attacker even if the root.exe
command shell program is removed from the scripts and
msadc directories.


TROJAN EXPLORER.EXE
--------------------
The worm carries its own copy of explorer.exe. The worm
places its own copy of explorer.exe at c:\explorer.exe
and d:\explorer.exe. By placing the trojan file in these
locations, Windows will find and run the trojan rather
than the real explorer.exe because of the way Windows
searches for executables by default. Specifically, unless
the system has been patched against the "Relative Shell
Path" vulnerability, the trojan explorer.exe will be
executed when the next user logs into the system. (See
http://www.microsoft.com/technet/security/bulletin/MS00-052.asp)

Upon execution, the trojan first runs the real explorer.exe
(thus the user will not notice any problems) and then goes
on to modify the system registry as outlined below.

First, the trojan program adds the value SFCDisable=0xFFFFFF9D
to HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogin.
This registry setting completely disables the Windows File
Protection (WFP) mechanism. WFP prevents the replacement of
certain monitored system files. See the following for more info:
http://support.microsoft.com/support/kb/articles/Q222/1/93.ASP

Next, the trojan sets the following "Virtual Roots" in the registry:
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\scripts to ,,217
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\msadc to ,,217
These "217" settings ensure that the scripts and msadc directories
(which contain the root.exe copy of cmd.exe) have read/write/execute
permission.

Finally the trojan sets these two "Virtual Root" values as well:
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\c to c:\,,217
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\d to d:\,,217
These mappings, which do not normally exist, map the root C: and D:
drives to a place where IIS can find them, namely /c and /d. The
permissions here are also set to read/write/execute.

Quoting eEye's analysis, the purpose of these mappings is described:
--------
Basically the above code creates a virtual web path (/c and /d) which
maps /c to c:\ and /d to d:\. The writer of this worm has put in this
functionality to allow for a backdoor to be placed on the system so
even if you remove the root.exe (cmd.exe prompt) from your /scripts
folder an attacker can still use the /c and /d virtual roots to
compromise your system. The attacks would basically look like:

http://IpAddress/c/inetpub/scripts/root.exe?/c+dir (if root.exe was
still there) or:
http://IpAddress/c/winnt/system32/cmd.exe?/c+dir (Where dir could be
any command an attacker would want to execute).
----------

Note that the trojan explorer.exe need only be executed once for
these registry changes to be made. Thus, all the backdoors are
enabled, and continue to be enabled, forever after, regardless
of whether or not explorer.exe is running.

To emphasize, note that even killing the trojan explorer.exe process
will not remove the back doors. Further, even killing the explorer.exe
process and removing the copies of root.exe and deleting the registry
settings will not eliminate the backdoors. If the trojan explorer.exe
is executed again (e.g. when the next person logs in), the registry
settings will be reinstated, making the C: and D: drives again
externally accessible. Finally, note that even deleting the registry
settings, removing the copies of root.exe, and removing the trojan
explorer.exe is not sufficient to clean the system. During the
time the system was backdoored any other attacker could have
installed new backdoors that are not associated with this worm.

The trojan process sleeps most of the time, but wakes
to loop through these registry key modification steps every
10 minutes. This way, even if an administrator notices the
registry settings and deletes them, the trojan will reinstate
the settings a few minutes later.


PROPAGATION
-----------
How aggressively the worm attempts to propagate itself
depends on whether or not Chinese is the language installed on
the system. If Chinese, the worm creates 600 threads and
attempts to spread for 48 hours. If non-Chinese, the worm
creates 300 threads and attempts to spread for 24 hours.
After the infection-spreading interval, the system is
forcibly rebooted. The reboot flushes the memory resident worm,
and leaves the backdoors and the explorer.exe trojan in
place.


TARGET SELECTION
-----------------
The 300 or 600 worm threads all work simultaneously to
propagate the infection. Each chooses a random target IP
and then uses one of the following masks with the given
probabilities. The masked parts of the IP are replaced
with the host computer's own IP information. Thus, the
worm mostly confines its targeting to IP addresses close
to the host computer's own.

0.0.0.0 (probability 12.5%) => random
255.0.0.0 (probability 50.0%) => same class A
255.255.0.0 (probability 37.5%) => same class B

Target IPs which are excluded are 127.x.x.x and 224.x.x.x,
and no octet is allowed to be 0 or 255. In addition, the
host will not attempt to re-infect itself.


INFECTION PROCESS
-----------------
Before each attempt to connect to a new target, the worm
checks the local time to see if the year is less than 2002
and if the month is less than 10. If either of these checks
return false, then the worm ceases the propagation cycle
and reboots the server. Note that this implies that all worms
will cease propagating by Oct. 1, 2001.

To aid performance, the worm uses a nonblocking socket to connect
to each target. Specifically this means that if one thread is
stuck waiting for a slow connection to a particular target,
the wait will not slow down the rest of the threads from continuing
their scanning function.

After making a successful connection with a target (the three way
handshake has completed), the worm thread uploads all of the
worm code at once, looks for an acknowledgement, and then moves on
to attempting to infect other hosts.

When a worm first arrives on a target and begins execution, the
worm checks to see if the host has already been infected, and if
so, disables itself. Specifically, the worm checks to see if a CodeRedII
atom has been placed using "GlobalFindAtomA". If the worm finds that
the atom exists then it goes to sleep forever. If the CodeRedII atom
does not exist, the worm creates the atom and continues execution.


DOWNLOADS
---------
Corecode provides a .zip file containing an IDA Pro project file
and a plaintext disassembly for both the worm and the trojan
explorer.exe at:
http://www.eikon.tum.de/~simons/ida_root/

To download the eEye analysis and their disassembly files:
http://www.eeye.com/html/advisories/coderedII.zip

The worm binary can be found at the Unixwiz site:
http://www.unixwiz.net/techtips/CodeRedII.html


REFERENCES
-----------
Corecode's Analysis:
http://archives.neohapsis.com/archives/incidents/2001-08/0092.html

NAI's Analysis:
http://vil.nai.com/vil/virusChar.asp?virus_k=99177

eEye's Analysis:
http://www.eeye.com/html/advisories/coderedII.zip

SecurityFocus Analysis:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0066.html


ACKNOWLEDGEMENTS
-----------------
We are very grateful to Jesper Johansson for reviewing this
report and providing many helpful suggestions and technical details.

Many thanks are due to corecode, who stayed up all night and provided
the very first analysis of the worm binary to the public.

We'd also like to recognize Stephen Friedl of Unixwiz for performing
a higher level analysis last night and posting his findings to the web
before any other concrete information was available.

Also, we thank Matt Scarborough for testing the worm on WinNT
to confirm that these systems crash rather than running worm
code successfully.

--
_________________________________________________________________
Steve Gibson, at work on: < a million loose ends >
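A defender-side check for the persistence the forwarded analysis describes, added here as an example and not part of the original post or of the analyses it quotes: it scans a constructed .reg-style text export for the "Virtual Roots" and SFCDisable changes, and a constructed W3C-format IIS log for requests to root.exe or through the /c and /d roots. The Winlogon key name and the W3C "#Fields:" header are assumed to be the real ones; every sample value is made up.

```python
import re
# Indicators named in the analysis: drive roots published as /c and /d, the scripts
# and msadc roots (home of root.exe) with access mask 217, and SFCDisable=0xFFFFFF9D.
VROOT_KEY = r"w3svc\parameters\virtual roots"
WINLOGON_KEY = r"currentversion\winlogon"  # real key name; the analysis spells it "Winlogin"
DRIVE_ROOTS = {"/c": "c:\\", "/d": "d:\\"}
BACKDOOR_URI = re.compile(r"/(scripts|msadc)/root\.exe|/[cd]/.*cmd\.exe", re.I)

def check_registry_export(reg_text):
    """Scan a .reg-style text export; return a list of finding strings."""
    findings, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=(?:dword:)?(.*)$', line)
        if not m:
            continue
        name = m.group(1).lower()
        data = m.group(2).strip('"').replace("\\\\", "\\")  # undo .reg backslash escaping
        if key.endswith(VROOT_KEY):
            path, _, mask = data.rpartition(",,")  # value format is "<path>,,<access mask>"
            if DRIVE_ROOTS.get(name) == path.lower():
                findings.append(f"virtual root {name} exposes drive root {path}")
            if name in ("/scripts", "/msadc") and mask == "217":
                findings.append(f"virtual root {name} has access mask 217 (read/write/execute)")
        elif key.endswith(WINLOGON_KEY) and name == "sfcdisable" and data.lower() == "ffffff9d":
            findings.append("SFCDisable=0xFFFFFF9D: Windows File Protection disabled")
    return findings

def check_iis_log(log_text):
    """Return (client ip, request) pairs for W3C-format log lines that hit the backdoor paths."""
    hits, idx = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):  # the W3C header names the columns
            idx = {f: i for i, f in enumerate(line.split()[1:])}
        elif line and not line.startswith("#") and idx:
            f = line.split()
            uri, query = f[idx["cs-uri-stem"]], f[idx["cs-uri-query"]]
            request = uri if query == "-" else uri + "?" + query
            if BACKDOOR_URI.search(request):
                hits.append((f[idx["c-ip"]], request))
    return hits

# Constructed sample inputs (not real captures).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/scripts"=",,217"
"/msadc"=",,217"
"/c"="c:\\,,217"
"/d"="d:\\,,217"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
"""
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-07 10:01:12 192.0.2.10 GET /default.htm - 200
2001-08-07 10:01:40 192.0.2.55 GET /scripts/root.exe /c+dir 200
2001-08-07 10:02:03 192.0.2.55 GET /c/winnt/system32/cmd.exe /c+dir 200
"""
```

Run `check_registry_export(SAMPLE_REG)` and `check_iis_log(SAMPLE_LOG)` against the samples; as the analysis notes, a clean registry is not proof of a clean host, since the trojan explorer.exe rewrites these values every 10 minutes.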

[Fwd: Complete Analysis of CodeRedII]

Aug 8, 2001, 5:12am
You won't believe it, but 95% of those infected machines are running IIS probably without the knowledge of the machine's owner! They have no webpages at all - just the standard "Under construction" default from MS.
Most likely those ppl installed W2K without disabling the IIS install (it is installed by default). Of course they don't care about any security advisory (MS patches, etc.) so it is easy to infect them.
Thanks to M$ for making "secure" OSs :((

>
> Actually this is an interesting snippet from my server log. I dunno if
> someone has been trying to attack me with CodeRed or what, but what I DO
> know is that www.worm.com does NOT look very promising...
>
<snip CodeRed V1>

This was the CodeRed 1 trying to infect you. The IP you received this request from is an already infected machine.

Andras

[Fwd: Complete Analysis of CodeRedII]

Aug 8, 2001, 9:26am
Try to open his IP in your web browser :)

>
> EEW! get it off!!!!!! ;-) I wonder who it was...

Your log should contain the requestor's IP. The fellow who wanted to infect you has no clue about it! This worm spreads without human intervention.
Andras

Whipped...

Aug 13, 2001, 4:36am
Could you extend the banning period to a lifetime for this Lonezeri jerk please???
Thanks,
Andras

Whipped...

Aug 13, 2001, 11:29am
Proof please! You don't just go out accusing someone of lying!

> They seem to lie on the uni stats page, AW doesn't have over one and a half million
> users,

That is NOT a lie. If you add all the citizens who once registered - you'll end up around 300,000 users just by those numbers (yes - I deducted the "VIP" accounts and also the free cits coming with a world purchase.) Add all those tourists (appr. 500,000+) who visited at least one world and you get a much higher number. They never stated that all of their users are still ACTIVE users!

> so why shouldn't they lie a bit more to get solidarity from the
> community, huh?

Did you ever hear the word "integrity"?

> I'm just pointing out a possibility,

Possibilities with no underlying facts are just rumours. I thought in their country there is still a law to consider someone innocent until proven guilty.

> maybe you want me to
> flame you every time you point out something similar, huh??? man, I was just
> being honest, unlike you obviously!

Looks like I have to call you a liar :)

> KAH

Object total

Aug 25, 2001, 12:57am
Search results for earliest built object:

Citizen: 106479
Location: 1343N 998W 0a (Teleport) (View Map)
Built: October 18, 1996, 5:09 pm (Eastern Time)
Model: street1.rwx
Description: "Andras's bumpy street"

Total search time: 3.8157 seconds.

You have built 1,083 objects in AlphaWorld.

Not bad considering I'm not a builder :)
Andras

Size of a Community

Aug 23, 2001, 6:04pm
0.92% WOW! I think there is really no room left in AW :)

Andras

Test

Sep 10, 2001, 5:59pm

COMMUNITY WARNING

Sep 11, 2001, 4:16am
You are mixing apples and oranges. The mentioned AV software is just as good as their signature files. None of them has the StockQuote Bot and none of it detects its presence.
OTOH ZA deals with the action of the programs and it detects the trojan in action if properly configured. If you allow only the AW ports access for a bot the only way it can leak info is through chat or whisper. No telegrams can be sent from a bot and for file transfer or email the bot will be blocked because different ports are required to do those actions.

Chris,
If AW Ear wants to access the internet (i.e. leak some data from your puter) ZA will ask you. I see no justified action which requires internet access for AW Ear so just simply block it. So the answer to your question is YES - ZA will PROTECT you despite insanity's comment.

Andras


COMMUNITY WARNING

Sep 12, 2001, 6:53pm
The program does NOT access the internet.
Andras


html posting???

Sep 11, 2001, 3:53pm
Do you think we plan to move to the US? Or do you think only Americans have internet? tsk tsk tsk :((

Andras

Telegram from AlphaBit Phalpha!

Sep 16, 2001, 5:09pm
I promise JFK: If you start your bull* on my NG with falsely accusing ppl, I'll ban you forever!!

Enough is enough!!!

Andras

Telegram from AlphaBit Phalpha!

Sep 17, 2001, 6:12pm
The page you are attempting to access has been removed
because it violated Angelfire's Terms of Service.

Click here to read our Terms of Service

To report a violation of our Terms of Service, click here


It worked :)


test post

Sep 17, 2001, 2:16pm
Sending 32 lines for a measly single line of junk - tsk tsk tsk
Andras

NS6 Filtering

Sep 19, 2001, 12:37am

test

Sep 22, 2001, 6:17am
Sig separator should be: dash dash space newline

Grand Opening of the Stuff-X eStore

Sep 24, 2001, 7:31pm

Grand Opening of the Stuff-X eStore

Sep 25, 2001, 5:58am
Thank you very much for your cooperation!
Andras

Awportals.com is a privately held community resource website dedicated to Active Worlds.
Copyright (c) Mark Randall 2006 - 2025. All Rights Reserved.