Security Blog 


1.25.2003

Preliminary analysis says...
If you were infected, you were lucky (this time):

Cleanup
=======
- disconnect system from network
- shutdown system
- power system down
- reboot system
- apply patches (see above)
- reconnect to network and monitor system

The worm does not write to disk and stays in memory, so a simple reboot will
clean an infected machine. Note that, due to the high volume of traffic this
worm generates, any vulnerable system connected to the internet is likely to be
infected within minutes of coming back online unless it has been patched first.




Stats from the root name servers:
MASSIVE DDOS ATTACKS ALL OVER U.S. We are monitoring massive Distributed Denial of Service attacks all over the U.S. tonight starting at around 11:30 PM CST. As many as 5 of the 13 root nameservers have been down, up to 10 with massive packet loss (xx%):

Internet Status to Root Name Servers
Date: Fri Jan 24 21:37:00 PST 2003

Place Address Packet Loss Time: Min/Avg/Max
Root b.root-servers.net 53% 25/40/48
Root c.root-servers.net 0% 82/82/82
Root e.root-servers.net 20% 16/29/33
Root f.root-servers.net 26% 17/27/32
Root h.root-servers.net 20% 91/101/108
Root i.root-servers.net 26% 190/199/205
Root j.root-servers.net 26% 81/91/96
Root k.root-servers.net 64% 172/188/201
Root l.root-servers.net 0% 5/5/6
Root m.root-servers.net 33% 160/171/205
GTLD b.gtld-servers.net 26% 52/63/67
GTLD c.gtld-servers.net 31% 85/93/95
GTLD d.gtld-servers.net 13% 88/100/103
GTLD f.gtld-servers.net 22% 38/50/57
GTLD i.gtld-servers.net 0% 198/200/203
GTLD k.gtld-servers.net 24% 90/100/105
GTLD l.gtld-servers.net 33% 128/138/171


All backbone providers are suffering major packet loss (XX%):

Place Address Packet Loss Time: Min/Avg/Max
AboveNet ns.above.net 28% 53/64/66
AGIS ns1.agis.net 26% 62/74/78
AlohaNet nuhou.aloha.net 35% 84/94/98
ANS ns.ans.net 26% 83/97/100
BBN-NearNet nic.near.net 28% 91/114/572
BBN-BARRnet ns1.barrnet.net 26% 16/26/32
Best ns.best.com 35% 79/89/95
Concentric nameserver.concentric.net 35% 18/31/56
CW ns.cw.net 28% 88/98/105
DIGEX ns.digex.net 31% 78/86/91
ENTER.NET dns.enter.net 28% 91/104/108
Epoch Internet ns1.hlc.net 33% 37/48/52
Flash net ns1.flash.net 17% 80/92/94
GetNet ns1.getnet.com 20% 40/52/56
GlobalCrossing name.roc.gblx.net 24% 85/97/104
GoodNet ns1.good.net 31% 83/92/97
GridNet grid.net 20% 80/92/101
IDT Net ns.idt.net 20% 91/104/121
Internex nic1.internex.net 26% 18/31/35
MCI ns.mci.net 22% 91/103/107
MindSpring itchy.mindspring.net 15% 75/88/106
NAP.NET ns2.nap.net 20% 73/85/94
PacBell ns1.pbi.net 0% 89/89/90
Primenet dns1.primenet.net 20% 31/41/45
PSI ns.psi.net 0% 82/84/160
RAINet ns.rain.net 31% 40/49/53
SAVVIS ns1.savvis.net 31% 88/99/102
SprintLink ns1.sprintlink.net 11% 15/27/35
UUNet,AlterNet auth00.ns.uu.net 26% 89/98/103
Verio-West ns0.verio.net 22% 31/42/47
Verio-East ns1.verio.net 22% 86/96/101
VISInet ceylon.visinet.ca 20% 102/116/188
MoonGlobal-ClubNET ns.clubnet.net 0% 0/1/2
MoonGlobal-Netway dns.nwc.net 4% 6/6/7
MoonGlobal-Netxactics verdi.netxactics.com 4% 6/6/7
InterWorld ns.interworld.net 0% 4/4/5
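Added here as a worked example (not code from the original post or from the monitoring source quoted above): a small parser for the plain-text status tables shown in both reports, which flags servers at or above a packet-loss threshold and summarises how much of the measured infrastructure is degraded. The 20% threshold is an assumed cut-off, and the sample rows are copied from the two tables.

```python
# Parser for the plain-text "Internet Status" tables quoted above. Data rows look
# like "Root b.root-servers.net 53% 25/40/48"; place names may contain spaces
# ("Epoch Internet"), so the regex anchors on the fixed fields at the right.
import re
from collections import namedtuple

Probe = namedtuple("Probe", "place address loss_pct rtt_min rtt_avg rtt_max")
LINE_RE = re.compile(
    r"^(?P<place>.+?)\s+(?P<addr>\S+)\s+(?P<loss>\d+)%\s+"
    r"(?P<min>\d+)/(?P<avg>\d+)/(?P<max>\d+)\s*$")

def parse_status(text):
    """One Probe per data row; title, date, header and blank lines are skipped."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Internet Status", "Date:", "Place")):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable status line: {line!r}")
        probes.append(Probe(m["place"], m["addr"], int(m["loss"]),
                            int(m["min"]), int(m["avg"]), int(m["max"])))
    return probes

def degraded(probes, loss_threshold=20):
    """Probes at or above the (assumed) loss threshold, worst first."""
    return sorted((p for p in probes if p.loss_pct >= loss_threshold),
                  key=lambda p: -p.loss_pct)

def summarize(probes, loss_threshold=20):
    """Aggregate view: how much of the measured infrastructure is degraded."""
    n, bad = len(probes), degraded(probes, loss_threshold)
    return {"total": n, "degraded": len(bad),
            "fraction_degraded": round(len(bad) / n, 2) if n else 0.0,
            "mean_loss": round(sum(p.loss_pct for p in probes) / n, 1) if n else 0.0,
            "worst": bad[0].address if bad else None}

# Sample rows copied from the tables above (a subset, not the whole report).
SAMPLE = """Internet Status to Root Name Servers
Date: Fri Jan 24 21:37:00 PST 2003

Place Address Packet Loss Time: Min/Avg/Max
Root b.root-servers.net 53% 25/40/48
Root k.root-servers.net 64% 172/188/201
Root l.root-servers.net 0% 5/5/6
Epoch Internet ns1.hlc.net 33% 37/48/52
UUNet,AlterNet auth00.ns.uu.net 26% 89/98/103
"""
if __name__ == "__main__": print(summarize(parse_status(SAMPLE)))
```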




Major worm
Looks like a worm caused some problems yesterday, especially for South Korea. A Code Red variant - I didn't notice any slowdowns or mysterious log entries...
Called "Sapphire" or "SQL Slammer," the worm carries a self-regenerating mechanism that enables it to multiply quickly across the Internet, said Mikko Hypponen, manager of anti-virus research at F-Secure, the Helsinki-based computer security firm.

"It is so good at replicating that it generates massive amounts of traffic that will slow down networks," Hypponen said. "The end user never sees it. They only experience the slowdown on the Net."

Security experts blamed the worm for crashing almost all Internet services in South Korea.



1.23.2003

AT&T releases physical lock vulnerability
Article in the NYTimes (free registration), linked by Slashdot. Just making sure everyone saw this...

A security researcher has revealed a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building.



1.21.2003

"Security and Murder" -or- "Giving someone enough rope to hang someone else with"
From the latest edition of Security Under Scrutiny:

If we stop rewarding wannabe hackers with fame & power security WILL improve. To do otherwise is to give people like Perry and Horn cash rewards for killing more wives and quadriplegic sons and innocent nurses.

If that isn't an excerpt that catches your eye, I don't know what is. In edition four of this debate-encouraging series, sockz attempts to draw parallels between the dissemination of vulnerabilities by professionals and a publisher who was found in a court ruling to be responsible for the birth of a hitman. While I ultimately disagree with the conclusions he draws, it is definitely an interesting read.


1.20.2003

Major online scammer busted
From the NYTimes:
There were sham auctions on eBay and Yahoo! Stolen credit cards from across the world. Shipments to more than 100 branches of the company Mail Boxes Etc. in places like North Dakota, New York and Texas. There were also hundreds of Federal Express deliveries to a company in Singapore.

"The primary suspect was creating a very confusing trail for all of us," an American investigator said. "This is one of the most sophisticated ones I've seen."

Last month, Pakistani and American investigators arrested Khurram Iftikhar, a 25-year-old Pakistani college dropout. The case, investigators say, demonstrates the increasing sophistication of Internet surveillance technology by investigators and the global reach of online fraud.