Oliver Mannion wrote: > Several of our IIS machines have recently been attacked by the sadmind/iis > worm - it seems to be getting around again. Now I'm curious as to the > workings of the worm, does anyone have a copy they could please email to > me? What the machines look like is pretty well documented under CERTŪ Advisory CA-2001-11: http://www.cert.org/advisories/CA-2001-11.html Have seen some of those machines. The code is not so much interesting, I think you can get similar codes 'round the corner. Just had a look on the logs (easy to find with the above URL) to learn more about my network. So watch out for a machine scanning you for http that responds positive to "telnet $attacker 600" and get a copy yourself. Bye, Jens -- Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen Computing Center Technical University Aachen, network operation & security mailto:hektorat_private-Aachen.DE, Tel.: +49 241 80 4866
This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 16:45:25 PDT