This was the now infamous sadmind worm. ummm...and for this worm to have penetrated your system, you were missing a patch from back in October of 1999. As far as the services go, the worm wouldn't have done that...unless of course there is a new variant...hmm...even then, could it disable services from a command line? Certainly not if it was running as IUSR_MACHINENAME. I've actually started noticing defacements in /scripts/[index.asp, index.htm, default.asp, default.htm] that had gone unnoticed by the system administrators for almost a month. Anyway, I'm sure the worm is now archived (at Security Focus?) but if you can't find it and would like to see what you got hit with, I'll pop you out a copy. Oh duh, I never mentioned that it was using the Unicode directory traversal bug...heh.

~ Karl

===============================================
Karl Hill | Computer Specialist
970.295.5293 | USDA Office of Cyber Security
"...firewalls are speed bumps not brick walls."

-----Original Message-----
From: James Edwards [mailto:jedwardsat_private]
Sent: Wednesday, May 30, 2001 11:41 AM
To: incidentsat_private
Subject: Dummies got a sample page

Today I discovered that the sample pages installed when IIS is installed had been defaced (Ya' know the standard "F*** USA Government"). Hadn't noticed earlier since the real pages for the web site were untouched.

I noticed that the firewall installed on the NT 4.0 SP6a server wasn't responding, and so I checked "Services". They had *all* been set to "Disabled", so naturally the firewall services weren't running.

The system has (and had) all of the current service packs and security patches installed. The site is running Cold Fusion.

Any suggestions as to what flavor of attack was employed, and the best methods of countering it would be appreciated.

TIA
--
===================
Jim
mailto:jedwardsat_private
_____________________
The most likely way for the world to be destroyed, most experts agree, is by accident.
That's where we come in; we're computer professionals. We cause accidents.
-- Nathaniel Borenstein
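Karl's reply attributes the defacement to the Unicode directory traversal bug, whose whole trick was that the web server checked the request path for ".." before fully decoding it, so overlong or double-encoded forms of "/" and "\" slipped past the check. The script below is an added example for administrators reviewing IIS logs after an incident like Jim's; it is not code from either message or from any vendor. It decodes each request path the way a lenient decoder would, folds backslashes to slashes, and flags any request whose decoded path climbs above the virtual root. The log lines are constructed for the example, and the two-byte lenient decoder is a simplified model of the faulty behaviour, not IIS's actual implementation.

```python
"""Scan IIS-style W3C log lines for encoded directory-traversal requests.

Added example: constructed sample data, simplified decoder model (assumption).
"""
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Constructed W3C extended-format lines:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-05-30 09:12:01 10.0.0.5 GET /default.htm - 200
2001-05-30 09:12:07 10.0.0.5 GET /scripts/index.asp - 200
2001-05-30 09:15:44 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-30 09:15:50 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-05-30 09:16:02 192.0.2.10 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-05-30 09:20:11 10.0.0.7 GET /images/logo.gif - 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def lenient_decode(raw: bytes) -> str:
    """Model of a lenient two-byte decoder (assumption of this example):
    a lead byte in 0xC0-0xDF followed by ANY byte is combined from the low
    bits, so the overlong pair C0 AF becomes '/' and C1 1C becomes '\\'.
    A strict UTF-8 decoder rejects both, which is why a check done on the
    raw text never sees the '..' sequence that results."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonical_path(uri_stem: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly (catches %25xx double encoding),
    run the lenient decoder, and fold backslashes to forward slashes so
    that one traversal check covers every spelling of '../'."""
    s = uri_stem
    for _ in range(max_rounds):
        decoded = lenient_decode(unquote_to_bytes(s))
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if walking the path ever rises above the virtual root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan_log(text: str) -> List[Dict]:
    """Return one record per request whose decoded path escapes the root."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip comment/header lines and anything malformed
        _date, _time, ip, _method, stem, _query, status = m.groups()
        path = canonical_path(stem)
        if escapes_root(path):
            hits.append({"ip": ip, "raw": stem, "decoded": path,
                         "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']:>12}  {hit['status']}  {hit['raw']}  ->  {hit['decoded']}")
```

The status column matters when reading the output: a 404 on a decoded traversal path is a probe that failed, while a 200 means the server actually served something from outside the web root and the host should be treated as compromised, which is the situation the sample-page defacement in Jim's report describes.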
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 14:24:25 PDT