> Can anyone translate and shed a little more light on this?

Sorry for my lousy Danish (I haven't studied it, but it's close enough to Swedish, which is my second language), but here is a quick and dirty translation of the page contents (the words in quotes are direct translations to give you a feeling for the FUD/technical level of the document):

A Windows program by the author of the Slapper Worm is used in attacks
======================================================================

During the last few days eSec has registered a great increase in attacks against Danish web servers. A trojan "robot program" is planted on the web server during the attack, which is based on a known security hole in Microsoft IIS. The program uses IRC to contact the "master" and enables the computer to be used as a remotely controlled "zombie" in a network that is capable of producing a "horrible" DoS attack against others. The program is also able to fetch and execute new programs via HTTP.

The program uses the following IRC servers to communicate with the hacker in specially crafted messages in IRC chat.

<The list of hosts omitted>

The program is named lsass.exe, which is a valid Windows program, but the size of the trojan version is 9788 bytes. If the latest Microsoft cumulative hotfix has been applied, the server is not vulnerable to the attempt of sending this file to it.

The program presents itself as "Kaiten Win32 API version 2002 by contem@efnet". The "Slapper Worm" which is currently attacking Apache is signed by "contem@efnet" -- the same author or group. Something in the content of the program suggests that the author knows the German language.

eSec's <statement, considerations>: This is yet another example of the trend that we have seen during the last six months. The compromised web servers are used to distribute games, films, music etc. The web server continues to operate because the attackers do not paint graffiti on the home pages and reveal the compromise that way.
-- 
http://www.iki.fi/ljs

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
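The report above gives two host-based indicators a responder can act on: the trojan is dropped under the legitimate name lsass.exe, and the trojan copy is 9788 bytes. The following triage script is an added example, not part of the original post or of eSec's material; it walks a directory tree and flags any lsass.exe that sits outside the real system directory or that matches the reported size. The directory layout it builds in `demo()` is a constructed sample, not data from the report.

```python
import os
from pathlib import Path

# Indicators taken from the eSec report quoted above: the trojan is dropped
# as "lsass.exe" (a legitimate Windows binary name) and is 9788 bytes long.
TROJAN_NAME = "lsass.exe"
TROJAN_SIZE = 9788


def find_suspect_lsass(root, system_dir):
    """Walk `root` and return (path, reasons) for every lsass.exe that is
    suspicious: outside the genuine system directory, or exactly the
    size the report gives for the trojan copy."""
    system_dir = Path(system_dir).resolve()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != TROJAN_NAME:
                continue
            path = Path(dirpath, name)
            reasons = []
            if path.resolve().parent != system_dir:
                reasons.append("outside system directory")
            try:
                size = path.stat().st_size
            except OSError:
                continue  # unreadable entry; skip rather than misreport
            if size == TROJAN_SIZE:
                reasons.append(f"size {TROJAN_SIZE} bytes matches report")
            if reasons:
                hits.append((str(path), reasons))
    return hits


def demo():
    """Constructed sample tree (hypothetical, not a real host): a clean
    lsass.exe in the system directory and a trojan-sized copy dropped in
    a web scripts directory, the kind of location an IIS compromise leaves."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    system_dir = root / "system32"
    webroot = root / "inetpub" / "scripts"
    system_dir.mkdir()
    webroot.mkdir(parents=True)
    (system_dir / "lsass.exe").write_bytes(b"\0" * 1000)      # legitimate location, other size
    (webroot / "lsass.exe").write_bytes(b"\0" * TROJAN_SIZE)  # dropped copy, reported size
    return find_suspect_lsass(root, system_dir)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```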
This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 08:37:01 PDT