Does leaving port 80 open for serving web pages leave me vulnerable? A few
hours after telling BlackICE to allow port 80 traffic in I got an alarm with
this event: HTTP_Code_Red_II

Norton alerted me to the virus soon after and deleted it. Here's there
write-up on it if anyone's interested:
http://securityresponse.symantec.com...ered.worm.html

I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
behind a Linksys router that is forwarding port 80 to my machine. Anyone
know how this is possible that someone gave me a virus over my apache web
server? Do I have a security hole or is this threat something I have to live
with if I'm going to have a web server? Thanks for any help or suggestions.

Steve.

In article <X8FOb.6922$(E-Mail Removed)>,
(E-Mail Removed) says...
> Does leaving port 80 open for serving web pages leave me vulnerable?

Yep.


--
Conor

"The vast majority of Iraqis want to live in a peaceful, free world.
And we will find these people and we will bring them to justice." --
George Bush

In article <X8FOb.6922$(E-Mail Removed)>,
(E-Mail Removed) says...
> Does leaving port 80 open for serving web pages leave me vulnerable? A few
> hours after telling BlackICE to allow port 80 traffic in I got an alarm with
> this event: HTTP_Code_Red_II
>
> Norton alerted me to the virus soon after and deleted it. Here's there
> write-up on it if anyone's interested:
> http://securityresponse.symantec.com...ered.worm.html
>
> I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
> behind a Linksys router that is forwarding port 80 to my machine. Anyone
> know how this is possible that someone gave me a virus over my apache web
> server? Do I have a security hole or is this threat something I have to live
> with if I'm going to have a web server? Thanks for any help or suggestions.
>
> Steve.
>
>
>
>


allowing _any_ daemon (server for you microsoft weenies) to run on _any_
port leaves you _vulnerable_. "how vulnerable" is dependant upon the
daemon/server. _all_ programs have the _potential_ to be exploited. if
you don't know what you're doing, don't run a server/daemon, even if
you're running "black ice", nothing more than a IDS anyway.... even a
personal firewall.... if you're explicitly telling the firewall/IDS to
ignore port 80 traffic, you're leaving that particular service "out
there". if you don't know what you're doing, you don't keep up on
server/daemon patching and you're not running a proper IDS and actually
watching the friggin logs, you'll get hacked... it's only a matter of
time (in some cases, a 0day exploit).



--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."

Colonel Flagg wrote:
[snip]
> allowing _any_ daemon (server for you microsoft weenies) to run on _any_

http://en.wikipedia.org/wiki/Daemon

while i'm sure there are plenty of reasons to make fun of microsoft
weenies, it helps to get your facts straight first... a daemon's
windows counterpart is the service not the server... a server is a
server regardless of the platform... it's an architectural concept (as
in client/server), not and operating system specific one...

agree with the rest of the post though, more or less... accepting
unprompted traffic (opening up a port for a server) means a greater
risk of exposure to malicious code... if you don't know how to mitigate
the risk you should consider less risky enterprises...

--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"

"Noyb" <(E-Mail Removed)> wrote in
news:X8FOb.6922$(E-Mail Removed):

> Does leaving port 80 open for serving web pages leave me vulnerable? A
> few hours after telling BlackICE to allow port 80 traffic in I got an
> alarm with this event: HTTP_Code_Red_II

If you have set up Blackice correctly which is ACCEPT all IP(s) on PORT 80,
enabled *Auto Blocking*, which turns on the IDS to tell the BI FW to block
stuff coming down Port 80 if detected such as HTTP_Code_Red_II, the machine
should be protected from that aspect. If you got the alert, then BI should
have blocked the attack.

I got plenty of attacks using BI on my IIS Webserver machine and nothing
came through.

>
> Norton alerted me to the virus soon after and deleted it. Here's there
> write-up on it if anyone's interested:
> http://securityresponse.symantec.com...odered.worm.ht
> ml

And how can the Code Red attack an Apache Webserver, since the attack only
affects IIS 4.0 or 5.0, according to the link above that have not been
patched?

>
> I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
> behind a Linksys router that is forwarding port 80 to my machine.
> Anyone know how this is possible that someone gave me a virus over my
> apache web server?

If you're sitting out there without the Webserver and the XP O/S locked
down/harden and running with an Admin Account, then I don't see why you
cannot be attacked. All I can tell you is that Code Red won't come down
port 80 past BI, if BI is configured porpely.

> Do I have a security hole or is this threat
> something I have to live with if I'm going to have a web server?
> Thanks for any help or suggestions.
>

Too many people with a home network can hardly protect a machine period
for everyday home usage on the Internet let alone put up a Webserver. And
yet they try to do it.

I suggest you do your homework before proceeding further. And I would start
with the XP Pro Resoruce Kit book.

The buck stops at the O/S, including the router, FW, and AV.

Duane

"Noyb" <(E-Mail Removed)> wrote in message
news:X8FOb.6922$(E-Mail Removed)...
> Does leaving port 80 open for serving web pages leave me vulnerable? A few
> hours after telling BlackICE to allow port 80 traffic in I got an alarm
with
> this event: HTTP_Code_Red_II

Oh yus. Make sure you are fully patched or run Apache on a stripped down
Linux Machine.

In article <zMJOb.4950$(E-Mail Removed)>,
(E-Mail Removed) says...

> while i'm sure there are plenty of reasons to make fun of microsoft
> weenies, it helps to get your facts straight first... a daemon's
> windows counterpart is the service not the server... a server is a
> server regardless of the platform... it's an architectural concept (as
> in client/server), not and operating system specific one...
>

to a n00b, what's the difference? if you're running a "service", a
"server" or a "daemon", you're providing "something" to be given out to
someone. a "server" is a machine which provides either a "service" or a
"daemon". there, fixed that... can't fix your ability to prove your
"weenie-ness" however.

> agree with the rest of the post though




--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."

On Mon, 19 Jan 2004 07:43:05 -0500, Colonel Flagg spoketh

>
>to a n00b, what's the difference? if you're running a "service", a
>"server" or a "daemon", you're providing "something" to be given out to
>someone. a "server" is a machine which provides either a "service" or a
>"daemon". there, fixed that... can't fix your ability to prove your
>"weenie-ness" however.
>

Why do you *always* have to make everything a ****ing contest between MS
and Linux? Can't you just leave it alone?

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

Lars M. Hansen <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Mon, 19 Jan 2004 07:43:05 -0500, Colonel Flagg spoketh
>
>>
>>to a n00b, what's the difference? if you're running a "service", a
>>"server" or a "daemon", you're providing "something" to be given out to
>>someone. a "server" is a machine which provides either a "service" or a
>>"daemon". there, fixed that... can't fix your ability to prove your
>>"weenie-ness" however.
>>
>
> Why do you *always* have to make everything a ****ing contest between MS
> and Linux? Can't you just leave it alone?
>
> Lars M. Hansen
> http://www.hansenonline.net
> (replace 'badnews' with 'news' in e-mail address)
>

LOL <g>

Duane

On Sun, 18 Jan 2004 23:20:14 -0500, Colonel Flagg
<(E-Mail Removed)> wrote:

>> Does leaving port 80 open for serving web pages leave me vulnerable? A few
>> hours after telling BlackICE to allow port 80 traffic in I got an alarm with
>> this event: HTTP_Code_Red_II

>allowing _any_ daemon (server for you microsoft weenies) to run on _any_
>port leaves you _vulnerable_. "how vulnerable" is dependant upon the
>daemon/server. _all_ programs have the _potential_ to be exploited.

I don't run a daemon/server/service thingumybob on my machine but may
do in the future so am interested in this thread.

I appreciate that when running a server there are different levels of
service but if your service is a read only does that not make one
reasonably safe.

Geoff Lane
Welwyn Hatfield Computer Club - Hertfordshire, UK
www.whcc.co.uk - Online facilities for non locals