RE: virus or hack?

From: Jon Zobrist (kgb@ussr.com)
Date: 08/18/01


From: "Jon Zobrist" <kgb@ussr.com>
To: "Onet Security" <security@onapps.net>
Subject: RE: virus or hack?
Date: Fri, 17 Aug 2001 17:11:57 -0600
Message-ID: <JBEIIIICMHNKLGFOEAFDEEGPCIAA.kgb@ussr.com>

This is the sadmin/Unicode worm.
It infects Solaris servers first, then launches attacks from Solaris to IIS
servers.

info at
http://vil.nai.com/vil/virusChar.asp?virus_k=99085

Sun's notice
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba

even more info
http://209.100.212.5/cgi-bin/search/search.cgi?searchvalue=sadmin

-Jon

-----Original Message-----
From: Onet Security [mailto:security@onapps.net]
Sent: Friday, August 17, 2001 1:49 PM
To: Virus Focus (E-mail); 'Focus-Ms (E-mail)
Subject: virus or hack?

One of our NT 4 servers running IIS 4 has several directories containing a new
set of index.asp, index.htm, default.asp, and default.htm. These appeared
in site directories that were empty or almost empty. Here is the HTML text
listed in the files (slightly censored):

<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p
align="center"><font size=7 color=red>** CHINA Government</font><tr><td><p
align="center"><font size=7 color=red>** PoizonBOx<tr><td><p
align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>

Is this caused by a Code Red type worm or is this just a simple hack?
Thanks.

David A. Smith
Server Operator
Technical Support
On-Net Internet Services, Inc
dasmith@onet.net
(317) 876-6000
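Added example (not part of the thread above, and not anyone's posted code): a small checker for the two artifacts this exchange describes. The first half walks a web root looking for the four dropped filenames David lists and flags any that carry the marker strings from the quoted defacement HTML. The second half scans IIS W3C log lines for the IIS-side vector of the worm Jon names, the Unicode directory traversal (MS00-078), in which an overlong two-byte UTF-8 sequence such as %c0%af was accepted by unpatched IIS as "/" after the "../" check had already run. The sample web tree and the log lines are constructed for the demo; the decoder deliberately collapses overlong sequences itself because standard percent-decoders turn %c0%af into U+FFFD and so never reveal the traversal.

```python
import os
import re
import tempfile

# Filenames the post reports appearing in (near-)empty site directories.
DROPPED_NAMES = {"index.asp", "index.htm", "default.asp", "default.htm"}
# Marker strings taken from the defacement HTML quoted in the post.
DEFACEMENT_MARKERS = (b"PoizonBOx", b"CHINA Government", b"sysadmcn@yahoo.com.cn")

# Constructed copy of the quoted defacement body (for the demo tree, not a real capture).
SAMPLE_DEFACEMENT = (
    b'<html><body bgcolor=black><table width=100%><td><p align="center">'
    b'<font size=7 color=red>** CHINA Government</font><tr><td><p align="center">'
    b'<font size=7 color=red>** PoizonBOx<tr><td><p align="center">'
    b"<font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>"
)

# Constructed IIS W3C extended log lines. Field order is assumed to be
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-17 13:42:11 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-08-17 13:42:12 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2001-08-17 13:45:00 192.0.2.7 GET /customer1/default.htm - 200
2001-08-17 13:46:30 192.0.2.8 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
"""


def build_sample_tree():
    """Constructed web root: one defaced (empty) site, one legitimate site."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    defaced = os.path.join(root, "emptysite")
    os.makedirs(defaced)
    for name in DROPPED_NAMES:
        with open(os.path.join(defaced, name), "wb") as fh:
            fh.write(SAMPLE_DEFACEMENT)
    legit = os.path.join(root, "customer1")
    os.makedirs(legit)
    with open(os.path.join(legit, "default.htm"), "wb") as fh:
        fh.write(b"<html><body>Welcome to Customer 1</body></html>")
    return root


def find_defacement_files(root):
    """Return sorted (path, marker) pairs for dropped-name files that carry a marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in DROPPED_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                body = fh.read()
            for marker in DEFACEMENT_MARKERS:
                if marker in body:
                    hits.append((path, marker.decode()))
                    break
    return sorted(hits)


_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_decode(uri):
    """Plain %XX decoding to raw bytes, without any UTF-8 interpretation."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), uri.encode("latin-1"))


def collapse_overlong(raw):
    """Decode overlong 2-byte UTF-8 (lead byte 0xC0/0xC1) the way unpatched IIS did:
    %c0%af -> '/', %c1%9c -> '\\'. Everything else is passed through unchanged."""
    out, i = bytearray(), 0
    while i < len(raw):
        b0 = raw[i]
        if b0 in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b0 & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b0)
            i += 1
    return bytes(out)


def scan_iis_log(text):
    """Flag requests whose URI stem contains '../' once decoded as IIS would have.
    'overlong' is True when the traversal only appears after collapsing %c0/%c1 sequences."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        c_ip, uri_stem = fields[2], fields[4]
        raw = percent_decode(uri_stem)
        decoded = collapse_overlong(raw)
        if b"../" in decoded.replace(b"\\", b"/"):
            hits.append({"client": c_ip, "uri": uri_stem,
                         "decoded": decoded.decode("latin-1"),
                         "overlong": decoded != raw})
    return hits


if __name__ == "__main__":
    for path, marker in find_defacement_files(build_sample_tree()):
        print("defaced:", path, "marker:", marker)
    for h in scan_iis_log(SAMPLE_LOG):
        print("traversal from", h["client"], "overlong=%s" % h["overlong"], h["decoded"])
```

Run the file scan against the real IIS web root (and any virtual-directory roots outside it) rather than the temp tree, and feed the log scanner the W3C extended logs under the server's log directory; the field offsets assume the default W3C layout, so adjust them if the site logs a different field set. A plain "../" hit with a 404 is a failed attempt; an overlong hit with a 200 on cmd.exe is the request that succeeded.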


