Karl Hill wrote:

> as far as the services go, the worm wouldn't have done that...unless of course
> there is a new variant...hmm...even then, could it disable services from a
> command line? certainly not if it was running as IUSR_MACHINENAME.

The sadmind/IIS worm won't do anything like that: it just adds {index,default}.{asp,htm} files all over the place.

But the same hole can be (and has been) used for more 'manual' intrusions, which, of course, provides for more opportunities for action.

The one I've seen was very obvious in the WWW logs once you started looking for it. If the logs are still intact, you might try looking for any invocation of WINNT/system32/TFTP.EXE or NC.EXE

--
Anders Thulin   Anders.X.Thulinat_private   040-661 50 63
Telia ProSoft AB, Carlsgatan 6, SE-201 20 Malmö, Sweden
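The log check suggested in the message above, as an added example that is not part of the original post: it scans web server log lines for requests naming TFTP.EXE or NC.EXE, decoding URL escapes first so encoded spellings are caught. It assumes W3C extended logs with a `#Fields:` header; the function names and the sample log are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Tool names from the post; the boundary keeps e.g. "sync.exe" from matching nc.exe.
TOOL_RE = re.compile(r"(?<![a-z0-9])(tftp|nc)\.exe", re.IGNORECASE)

def decode(value, rounds=2):
    """URL-decode up to `rounds` times so singly or doubly encoded names still match."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_tool_invocations(lines):
    """Return (line_no, client_ip, tool, raw_uri) for each request naming TFTP.EXE or NC.EXE."""
    fields, hits = [], []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # assumed W3C layout; it can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if query != "-":
            uri += "?" + query
        match = TOOL_RE.search(decode(uri))
        if match:
            hits.append((line_no, row.get("c-ip", "?"), match.group(1).lower() + ".exe", uri))
    return hits

# Constructed sample log (not from the post); paths and addresses are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-30 10:01:12 192.0.2.10 GET /default.htm - 200
2001-05-30 10:02:40 192.0.2.77 GET /placeholder/WINNT/system32/TFTP.EXE - 404
2001-05-30 10:03:05 192.0.2.77 GET /placeholder/run arg=%4EC.EXE+placeholder 200
2001-05-30 10:04:19 192.0.2.10 GET /downloads/sync.exe - 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_tool_invocations(SAMPLE_LOG):
        print(hit)
```

Each hit carries the log line number and client address, which gives a starting point for building a timeline from the remaining log entries.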
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 15:43:54 PDT