RE: virus or hack?

From: Sanjiv Menezes (sanj@sliq.com)
Date: 08/18/01


From: "Sanjiv Menezes" <sanj@sliq.com>
To: "Onet Security" <security@onapps.net>, "Virus Focus (E-mail)" <focus-virus@securityfocus.com>, "'Focus-Ms (E-mail)" <focus-ms@securityfocus.com>
Subject: RE: virus or hack?
Date: Fri, 17 Aug 2001 19:01:39 -0400
Message-ID: <NDBBICFFPKFAOMFINKMAIECHCLAA.sanj@sliq.com>

You were hit with the poisonbox directory traversal hack. The generic
version of this hack is fairly harmless. You will find something in your IIS
logs hitting on "../../../cmd.exe". Apply the dir. traversal patch and
remove the offending files.

-S

-----Original Message-----
From: Onet Security [mailto:security@onapps.net]
Sent: August 17, 2001 3:49 PM
To: Virus Focus (E-mail); 'Focus-Ms (E-mail)
Subject: virus or hack?

One of our NT 4 servers running IIS 4 has several directories in which a new
set of index.asp, index.htm, default.asp, and default.htm. These appeared
in site directories that were empty or almost empty. Here is the HTML text
listed in the files (slightly censored):

<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p
align="center"><font size=7 color=red>** CHINA Government</font><tr><td><p
align="center"><font size=7 color=red>** PoizonBOx<tr><td><p
align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>

Is this caused by a Code Red type worm or is this just a simple hack?
Thanks.

David A. Smith
Server Operator
Technical Support
On-Net Internet Services, Inc
dasmith@onet.net
(317) 876-6000
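
The log check suggested in the reply above, as an added example that is not part of the original thread: it scans a W3C extended IIS log for requests whose URI traverses directories to reach cmd.exe, and goes beyond the literal "../../../cmd.exe" string by also matching percent-encoded and double-encoded forms. The sample log lines, site path and IP addresses are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# "../" or "..\" after decoding; IIS accepts either separator.
TRAVERSAL = re.compile(rb"\.\.[/\\]")

# Constructed sample log (documentation IP ranges, made-up site path).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-08-17 14:02:11 192.0.2.10 GET /default.htm 200
2001-08-17 14:05:42 198.51.100.7 GET /site1/../../../cmd.exe 200
2001-08-17 14:05:44 198.51.100.7 GET /site1/..%2f..%2f..%2fcmd.exe 200
2001-08-17 14:06:03 203.0.113.5 GET /site1/..%255c..%255c..%255ccmd.exe 404
2001-08-17 14:09:30 192.0.2.10 GET /docs/cmd.exe.txt 200
"""

def normalize(uri: str) -> bytes:
    """Percent-decode up to three times so double-encoded separators show up."""
    data = uri.encode("latin-1", "replace")
    for _ in range(3):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data.lower()

def find_traversal_hits(log_text: str):
    """Return (client_ip, raw_uri) for requests that traverse to cmd.exe."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order varies per server, so read it from the directive.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "")
        norm = normalize(uri)
        # Require both a traversal sequence and cmd.exe to avoid flagging
        # ordinary files that merely contain "cmd.exe" in their name.
        if TRAVERSAL.search(norm) and b"cmd.exe" in norm:
            hits.append((row.get("c-ip", "?"), uri))
    return hits

if __name__ == "__main__":
    for ip, uri in find_traversal_hits(SAMPLE_LOG):
        print(ip, uri)
```

A hit with a 200 status is worth correlating with the timestamps of the new index and default files before removing them.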


