On Thu, 31 May 2001, Karl Hill wrote:

> This was the now infamous sadmind worm. ummm...and for this worm to have
> penetrated your system, you were missing a patch from back in October of 1999.
> as far as the services go, the worm wouldn't have done that...unless of course
> there is a new variant...

The worm came after they had been doing the defacements by hand (well, with a Perl script.) The defacement contents were identical in the vast majority of the cases where the defacers were the cnhonkers group. They later (apparently) decided to go ahead and fully automate it in the form of a worm.

However, we were given evidence from a number of defacements that were not limited to strictly uploading a new web page. On some machines, they decided to move in a bit more, leaving other files behind, reconfiguring things, etc. And as I mentioned in another note, we saw them using a couple of other IIS techniques later other than the Unicode hole, but the defacement contents were the same.

Ryan
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 15:37:01 PDT