recent sadmin worm

From: Vitaly Osipov (vosipovat_private)
Date: Mon May 14 2001 - 08:58:49 PDT


    > Hi all,
    >
    > I've got a copy of this (popular :) ) Solaris-Microsoft worm... and I am
    > really surprised by its IIS exploit - it's just an old unicode thing...
    > people should thank heavens that the anonymous writer did not add a new
    > IIS 5.0 web printer bug :)
    >
    > by default the worm itself sits in /dev/cuc - check it if you have a
    > Solaris box :)
    >
    > if somebody is interested in developing signatures/whatever, I attach here
    > worm's iis defacement script. The worm itself, btw, is rather small (20 kb
    > in zip if you exclude things like wget, gzip and nc - it carries them as
    > well, so "full version" is ~700kb)
    >
    > regards,
    > Vitaly.
    >
    
    
    



    This archive was generated by hypermail 2b30 : Mon May 14 2001 - 15:09:06 PDT