[ Thanks to gh0ul for this link. ] Readers here and around the web have
advocated a variety of "white hat" approaches to dealing with Code
Red infected machines. This story, though not dealing with Code
Red, illustrates some of the perils that can come from seemingly
innocuous attempts to help. As one reader has pointed out already,
it's also worthwhile to examine the documents provided in this
article and get a better sense of balance than the article itself
provides:
"A good deed may lead to prosecution for Brian K. West,
a 24-year-old sales and support employee for an internet service
provider in SE Oklahoma. Mr. West has become a statistic for the
Computer Analysis Response Team because he alerted a local business
to a serious security flaw in their website.
On February 1, 2000, one of West's co-workers created a banner
advertisement to be placed on the Poteau Daily News website as part
of a legitimate advertising campaign for his employer. To test how
the finished ad would look on the site, West clicked the 'Edit'
button on Microsoft's Internet Explorer. This action brought up
Microsoft FrontPage and should have created a local copy of the web
page, allowing West to do a mock-up of the site on his own
computer.
In this case, however, Microsoft FrontPage displayed some
unusual files due to a server misconfiguration. After some
confusion, West realized that the webserver hosting the Poteau
Daily News site required no authentication to edit any file on the
site. The lack of authentication meant that anyone could edit the
Poteau Daily News website by using FrontPage, without ever having
to provide a password. Clearly, this was a massive security
hole."