I have found the same thing. We realized yesterday afternoon that a rogue laptop on our network was running a out of the box 2k install. It had been infected with code red II. It didn't take us long however to discover that it also had been hit with the sadmind/IIS worm much earlier and had gone unnoticed. Out of curiosity we scanned several other 2k machines on our network and found the same thing, sadmind/IIS. So yes, sadmind/IIS is much more prevalent than we realize. Those who have code red probably should check for sadmind/IIS as well. Best, Patrick Stokes On Thu, 9 Aug 2001, Stephen W. Thompson wrote: > Follow my line of thinking here. > > In many cases, we're getting reports of Code Red for machines that are > not running Win2k -- Win9x or a unix variant. We jump to the > conclusion that the reports were in error. > > However, lots of the reports are not coming from signature-checking > sources (e.g., IDS), but rather are simply seen to be hitting port > 80/tcp on a machine that isn't a (perhaps public) webserver. > > So are a lot of the reports simply a distraction? I don't think so. > I've noticed we have a good amount of the sadmind/IIS worm presence on > our network. (See http://www.cert.org/advisories/CA-2001-11.html for > one writeup.) Recall that this is the worm that hits Solaris boxes > with a sadmind buffer overflow, and then those machines go after IIS > with a Unicode directory traversal vulnerability. > > If I'm correct, that implies a) sadmind/IIS is more prevalent than > we'd realized and, possibly b) that there might be a variant of > sadmind/IIS that succeeds on non-Solaris machines unlike the original > variant. Any corroboration on (b) from anyone? > > En paz, > Steve, (tired) security analyst > -- > Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP > thompsonat_private URL=http://pobox.upenn.edu/~thompson/index.html > For security matters, use securityat_private, read by InfoSec staff > The only safe choice: Write e-mail as if it's public. Cuz it could be. > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:25:24 PDT