You can find the binaries on digitaloffense.net.

http://www.digitaloffense.net/worms/

It's one of several worms included on the site. On the IIS side, pay particular attention to uniattack.sh and uniattack.pl. These are the programs that exploit the IIS boxes.

I've done a bit of research on this worm on both Unix and NT sides. Feel free to contact me directly if you have any specific questions.

The worm started to hit hard slightly over a month ago now. It'd be interesting to learn if any new occurrences are using modified versions of the original code.

Regards,

Doug

Douglas W. Barbin, CISSP, CFE
Senior Consultant
W: 703.338.4003
E-Fax: 240.331.6030
601 Madison Street, Suite 200
Alexandria, VA 22314
www.guardent.com
PGP: 64CB ACA8 0474 B9AF 1B24 6756 FA80 A274 55A3 4122
______________________________________________________
G U A R D E N T
Enterprise Security and Privacy Programs

-----Original Message-----
From: Oliver Mannion [mailto:oliverat_private]
Sent: Thursday, June 07, 2001 10:03 PM
To: incidentsat_private
Subject: Sadmind/iis worm code anyone??

Hi all,

Several of our IIS machines have recently been attacked by the sadmind/iis worm - it seems to be getting around again.

Now I'm curious as to the workings of the worm, does anyone have a copy they could please email to me?

Warm Regards

Oliver Mannion
Software Developer

This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 15:20:24 PDT