RE: Dummies got a sample page

From: Karl Hill (Karl.Hillat_private)
Date: Thu May 31 2001 - 07:26:07 PDT


    This was the now infamous sadmind worm. ummm...and for this worm to have
    penetrated your system, you were missing a patch from back in October of 1999.
    as far as the services go, the worm wouldn't have done that...unless of course
    there is a new variant...hmm...even then, could it disable services from a
    command line? certainly not if it was running as IUSR_MACHINENAME. i've
    actually started noticing defacements in /scripts/[index.asp, index.htm,
    default.asp, default.htm] that had gone unnoticed by the system administrators
    for almost a month. anyway, i'm sure the worm is now archived (at security
    focus?) but if you can't find it and would like to see what you got hit with,
    i'll pop you out a copy. oh duh, i never mentioned that it was using the
    unicode directory traversal bug...heh.
    ~ Karl
    
    <EOF>
    ===============================================
    Karl Hill    | Computer Specialist
    970.295.5293 | USDA Office of Cyber Security
    "...firewalls are speed bumps not brick walls."
    
    
    -----Original Message-----
    From: James Edwards [mailto:jedwardsat_private]
    Sent: Wednesday, May 30, 2001 11:41 AM
    To: incidentsat_private
    Subject: Dummies got a sample page
    
    
    Today I discovered that the sample pages installed when IIS is 
    installed had been defaced (Ya' know the standard "F*** USA 
    Government"). Hadn't noticed earlier since the real pages for the web 
    site were untouched. I noticed that the firewall installed on the NT 
    4.0 SP6a server wasn't responding, and so I checked "Services". They 
    had *all* been set to "Disabled", so naturally the firewall services 
    weren't running.  The system has (and had) all of the current 
    service packs and security patches installed. The site is running 
    Cold Fusion. Any suggestions as to what flavor of attack was 
    employed, and the best methods of countering it would be appreciated.
    
    
    TIA
    -- 
    ===================
    Jim
    mailto:jedwardsat_private
    
    _____________________
    The most likely way for the world to be destroyed, most experts agree,
    is by accident. That's where we come in; we're computer professionals.
    We cause accidents.
    
    -- Nathaniel Borenstein
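
Added example, not part of either message above: one way to check a web server log for the Unicode directory traversal the reply names is to flag request paths whose percent-decoded bytes contain non-shortest-form (overlong) UTF-8, which legitimate clients never send. It assumes a W3C extended log whose `cs-uri-stem` field keeps the path as received; the log lines, addresses and `placeholder.exe` are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Constructed W3C-format sample; addresses and placeholder.exe are illustrative.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-05-08 03:12:44 192.0.2.10 GET /default.htm 200
2001-05-08 03:12:45 192.0.2.77 GET /scripts/..%c0%af../placeholder.exe 200
2001-05-08 03:12:46 192.0.2.77 GET /scripts/..%c1%9c../placeholder.exe 404
2001-05-08 03:13:02 192.0.2.10 GET /docs/caf%c3%a9.htm 200
2001-05-08 03:13:05 192.0.2.78 GET /scripts/..%e0%80%af../placeholder.exe 404
"""


def overlong_reason(raw):
    """Return why raw bytes are non-shortest-form UTF-8, or None if they are not."""
    for i, b in enumerate(raw):
        nxt = raw[i + 1] if i + 1 < len(raw) else None
        # 0xC0 and 0xC1 can only start a 2-byte encoding of an ASCII character.
        if b in (0xC0, 0xC1):
            return "overlong 2-byte sequence"
        # 0xE0 must be followed by 0xA0-0xBF; 0x80-0x9F re-encodes a shorter form.
        if b == 0xE0 and nxt is not None and 0x80 <= nxt <= 0x9F:
            return "overlong 3-byte sequence"
        # 0xF0 must be followed by 0x90-0xBF for the same reason.
        if b == 0xF0 and nxt is not None and 0x80 <= nxt <= 0x8F:
            return "overlong 4-byte sequence"
    return None


def scan(log_text):
    """Return (client_ip, uri_stem, reason) for each suspicious request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "")
        reason = overlong_reason(unquote_to_bytes(stem))
        if reason:
            hits.append((rec.get("c-ip"), stem, reason))
    return hits


if __name__ == "__main__":
    for ip, stem, reason in scan(SAMPLE_LOG):
        print(ip, stem, reason)
```

Any hit is worth following up regardless of status code, together with a check of the file timestamps on the pages under /scripts/ that the reply lists.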
    


