RE: virus or hack?

From: Jon Zobrist (kgb@ussr.com)
Date: 08/18/01


From: "Jon Zobrist" <kgb@ussr.com>
To: "Onet Security" <security@onapps.net>
Subject: RE: virus or hack?
Date: Fri, 17 Aug 2001 17:11:57 -0600
Message-ID: <JBEIIIICMHNKLGFOEAFDEEGPCIAA.kgb@ussr.com>

This is the sadmin/Unicode worm.
It infects Solaris servers first, then launches attacks from Solaris to IIS
servers.

info at
http://vil.nai.com/vil/virusChar.asp?virus_k=99085

Sun's notice
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba

even more info
http://209.100.212.5/cgi-bin/search/search.cgi?searchvalue=sadmin

-Jon

-----Original Message-----
From: Onet Security [mailto:security@onapps.net]
Sent: Friday, August 17, 2001 1:49 PM
To: Virus Focus (E-mail); 'Focus-Ms (E-mail)
Subject: virus or hack?

One of our NT 4 servers running IIS 4 has several directories in which there
is a new set of index.asp, index.htm, default.asp, and default.htm. These appeared
in site directories that were empty or almost empty. Here is the HTML text
listed in the files (slightly censored):

<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p
align="center"><font size=7 color=red>** CHINA Government</font><tr><td><p
align="center"><font size=7 color=red>** PoizonBOx<tr><td><p
align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>

Is this caused by a Code Red type worm or is this just a simple hack?
Thanks.

David A. Smith
Server Operator
Technical Support
On-Net Internet Services, Inc
dasmith@onet.net
(317) 876-6000
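
A triage sketch for the situation in this thread, added here as an example and not written by either poster: it walks a web content root and lists which of the four default document names from the report contain the markers visible in the quoted HTML, grouped by directory so the affected sites can be scoped. The function names, the 64 KB read limit and the sample tree are assumptions made for the example.

```python
import os
import tempfile

# File names and marker strings taken from the report in this thread.
DROPPED_NAMES = {"index.asp", "index.htm", "default.asp", "default.htm"}
MARKERS = (b"poizonbox", b"sysadmcn@yahoo.com.cn")


def find_defaced(web_root, read_limit=65536):
    """Return sorted (path, matched_markers) for default documents holding a marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower() not in DROPPED_NAMES:
                continue  # only the four default document names are of interest
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(read_limit).lower()  # case-insensitive match
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            matched = [m.decode() for m in MARKERS if m in head]
            if matched:
                hits.append((path, matched))
    return sorted(hits)


def group_by_directory(hits):
    """Map each affected directory to the set of replaced file names found in it."""
    by_dir = {}
    for path, _markers in hits:
        name = os.path.basename(path).lower()
        by_dir.setdefault(os.path.dirname(path), set()).add(name)
    return by_dir


if __name__ == "__main__":
    # Constructed sample tree: one directory with replaced pages, one clean site.
    sample = b"<font size=7 color=red>** PoizonBOx<tr><td>"  # constructed content
    with tempfile.TemporaryDirectory() as root:
        for site, body in (("empty_site", sample), ("live_site", b"<html>ok</html>")):
            os.makedirs(os.path.join(root, site))
            with open(os.path.join(root, site, "index.htm"), "wb") as fh:
                fh.write(body)
        for directory, names in group_by_directory(find_defaced(root)).items():
            print(directory, sorted(names))
```

File modification times on the reported paths, compared against the IIS logs for the same window, help establish when the pages were written.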