This is the 'new' sadmin/IIS worm; it spreads using rcp, through vulnerable sadmin hosts. It also scans for vulnerable IIS boxes, which it then proceeds to deface. Made up of sadmin-brute, grabbb, and a couple of perl scripts. It leaves the bindshell (from the sadmin exploitation) open on 800/tcp, and also (for propagation purposes) adds '+ +' to ~root/.rhosts.

cya,

----------------------------------------------
Original Message
From: "Jon Zobrist" <kgbat_private>
Subject: Another unicode hacked box
Date: Tue, 8 May 2001 22:31:53 -0600

>We've got a test server which was NT 4 SP6 IIS 4, no patches, which was hit by
>an attack pretty much identical to this one on securityfocus.
>
>http://www.securityfocus.com/archive/88/170407
>
>The box was in the DMZ and completely open for internet parties.
>
>It appears we were hit on March 6, 7, and 8th, 2001...
>The attacker attempted to deface our web pages by uploading index.html and
>index.asp, both of which include the crude English "fuck USA Government" and
>the message "fuck PoinsonB0x"; it also includes a contact email address of
>sysadmincnat_private
>
>I'm not sure if this warrants contacting the FBI or not; it appears clean up
>will be reinstalling completely.
>
>Jon Zobrist
>Manager Information Systems
>Avaltus, Inc.
>801-303-2101
>jzobristat_private
>
This archive was generated by hypermail 2b30 : Thu May 10 2001 - 19:11:43 PDT