http://www.newsbytes.com/news/01/169660.html

By Brian McWilliams, Newsbytes
ALEXANDRIA, VIRGINIA, U.S.A.,
01 Sep 2001, 12:34 AM CST

A Web server operated by Veridian Corporation has been infected with the Sadmind Worm, according to a report by a French hacking information site.

In an online article published Monday, Kitetoa.com claimed that it had discovered evidence that Veridian's site was compromised by Sadmind, a self-propagating worm that replaces the homepage on infected sites with a profane, anti-American message in red letters on a black background.

Officials from Veridian, a U.S. government contractor that specializes in network security management, were not immediately available for comment.

Kitetoa has published an image of the Veridian defacement at its Web site. The page at Veridian's site, http://www.veridian.com/upload/, was not viewable today.

The Sadmind worm, first identified in May, turns vulnerable Sun Microsystems servers running the Solaris operating system into robots that deface sites running unpatched versions of Microsoft's Internet Information Server (IIS) software.

According to Netcraft.com, Veridian is running Microsoft's IIS version 5 on Windows 2000.

Last week, the Defense Intelligence Agency announced that it is awarding a contract to Veridian to assist the agency in analyzing network intrusions on Department of Defense networks.

Kitetoa has a penchant for showing up high-profile Internet companies. In March this year, Kitetoa discovered that two servers operated by online ad giant DoubleClick had been compromised by hackers.

In response to the Kitetoa report, DoubleClick representatives confirmed that attackers had placed a back-door program on the company's server at doubleclick.net, and had viewed files on another server at abacusonline.doubleclick.net.

A year ago, Kitetoa reported that software maker Bull Groupe's Web site had left exposed an internal sales and marketing database containing confidential customer information.

This year, the Sadmind worm has vandalized more Web sites than any human hacking group. According to statistics gathered by the Safemode.org defacement archive, the worm has infected at least 874 sites since June. The second most prolific defacer is a crew known as BHS, which has racked up 436 defacements since November of last year.

Once the Sadmind worm has penetrated a Sun machine by exploiting a known vulnerability in Solaris, it scans the Internet for Windows NT or Windows 2000 systems running IIS. When it finds a system vulnerable to the Unicode exploit, the worm defaces the machine's home page.

Other prominent companies with servers recently infected by the worm include Quote.com, Informix Corp. and Upside Media, according to Safemode records.

Veridian Corporation is at: http://www.veridian.com .

The Kitetoa report on Veridian is at: http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin7/veridian1.shtml .

The image of the Veridian defacement is at: http://www.kitetoa.com/Images4/Veridian.com/veridian.gif .

Information on the Sadmind worm can be found here: http://www.cert.org/advisories/CA-2001-11.html .