That root.exe sploit is actually the Solaris sadmind/IIS Unicode worm. I've been on several incident responses at client sites and have seen it. It zombifies a Solaris box using the sadmind exploit (shame on them) and then scans a range of addresses for IIS b0x3n that are vulnerable to the Unicode exploit (again, shame!). It copies cmd.exe to the scripts directory and runs a search and change for index.htm, index.asp, default.htm and index.asp and changes them to an anti-USA government (and anti-spiderbox) message.

Christopher Gerg
Network Security Engineer
Berbee
608.298.1116
Page: 608.376.4658
Email: gergat_private
Fax: 608.288.3007
Berbee...putting the E in business

-----Original Message-----
From: Joshua Dodds [mailto:jdoddsat_private]
Sent: Friday, May 11, 2001 4:05 AM
To: BUGTRAQat_private
Subject: Re: Windows 2000 .printer remote overflow proof of concept exploit....

>
> It's out there. I've seen logs indicating the attacker put a "root.exe" file
> on the IIS5 host and then were able to issue a command to run this file via
> the overflow. I don't have any more specific information on the contents of
> the root.exe file or the exact script used, etc. at this time.

root.exe is just cmd.exe copied to root.exe! doh!

-jd
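A defender-side check for the behaviour described in this thread, added here as an example and not code from either poster: it scans W3C-format IIS log lines for the Unicode traversal reaching cmd.exe and for requests to the copied /scripts/root.exe. The log lines, field layout and client addresses are constructed for the example; the overlong UTF-8 sequences are the ones the IIS Unicode bug accepted in place of "/" and "\".

```python
import re
from urllib.parse import unquote

# Overlong UTF-8 forms of "/" (%c0%af) and "\" (%c1%9c) that the IIS Unicode
# bug decoded into path separators. Python's unquote() turns them into U+FFFD,
# so they are matched on the raw URI before decoding.
OVERLONG_RE = re.compile(r"%c0%af|%c1%9c", re.I)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")


def classify_request(uri):
    """Return the indicators found in one requested URI (empty list if clean)."""
    tags = []
    if OVERLONG_RE.search(uri):
        tags.append("overlong-utf8-traversal")
    decoded = unquote(uri)
    if TRAVERSAL_RE.search(decoded):
        tags.append("dot-dot-traversal")
    lower = decoded.lower()
    if "/scripts/root.exe" in lower:      # the renamed cmd.exe the post describes
        tags.append("root.exe-backdoor")
    if "cmd.exe" in lower:                # shell reached through the scripts dir
        tags.append("cmd.exe-request")
    return tags


def scan_iis_log(lines):
    """Parse simplified W3C lines and return the requests carrying indicators."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        date, time, client, method, stem, query, status = fields[:7]
        uri = stem if query == "-" else f"{stem}?{query}"
        tags = classify_request(uri)
        if tags:
            hits.append({"time": f"{date} {time}", "client": client,
                         "uri": uri, "tags": tags})
    return hits


# Constructed sample log: one traversal to cmd.exe, then use of the copy.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-11 04:05:01 203.0.113.7 GET /default.htm - 200
2001-05-11 04:05:02 203.0.113.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-11 04:05:03 203.0.113.7 GET /scripts/root.exe /c+dir 200
2001-05-11 04:06:10 198.51.100.9 GET /index.asp - 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["uri"], ",".join(hit["tags"]))
```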
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 05:59:18 PDT