Re: virus or hack?

From: Paul Schmehl (pauls@utdallas.edu)
Date: 08/18/01


Message-ID: <03e901c12795$4e90b000$220a400a@officeeagle>
From: "Paul Schmehl" <pauls@utdallas.edu>
To: "Onet Security" <security@onapps.net>, "Virus Focus (E-mail)" <focus-virus@securityfocus.com>, "'Focus-Ms (E-mail)" <focus-ms@securityfocus.com>
Subject: Re: virus or hack?
Date: Fri, 17 Aug 2001 22:24:14 -0500


----- Original Message -----
From: "Onet Security" <security@onapps.net>
To: "Virus Focus (E-mail)" <focus-virus@securityfocus.com>; "'Focus-Ms (E-mail)" <focus-ms@securityfocus.com>
Sent: Friday, August 17, 2001 2:48 PM
Subject: virus or hack?

> One of our NT 4 servers running IIS 4 has several directories in which a
> new set of index.asp, index.htm, default.asp, and default.htm. These appeared
> in site directories that were empty or almost empty. Here is the html
> text listed in the files (slightly censored)
>
> <html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p
> align="center"><font size=7 color=red>** CHINA Government</font><tr><td><p
> align="center"><font size=7 color=red>** PoizonBOx<tr><td><p
> align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>
>
> Is this caused by a code red type worm or is this just a simple hack?

It's neither. It's the SunOS/Poisonbox.worm which uses the Unicode
vulnerability to deface web pages.
http://vil.nai.com/vil/dispVirus.asp?virus_k=99085

You need to patch your server. MS01-26 is the appropriate patch for that
one, but you should run MS01-44, because there's a buffer overflow in the
ssinc.dll which I predict will have its own worm in about 10 to 12 more
days. MS01-44 is a cumulative rollup patch that includes patches for all
the recent buffer overflow problems that IIS has had, including ssinc.dll.

Your server must be at SP6a before you run the MS01-26 or 44 patches.

BTW, I would be very concerned if I were you. Poisonbox came out in early
May. Among other things, it drops a renamed copy of cmd.exe (root.exe) in
the /Scripts folder, and on an unpatched box allows a hacker to do just
about anything they want. (Ever heard of POSIX on NT?) I wouldn't be at
all surprised to find that your box is owned. If I were you, I'd drop
whatever I'm doing and get that server offline NOW!!

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-044.asp

Paul Schmehl pauls@utdallas.edu
Supervisor, Support Services
University of Texas at Dallas
AVIEN Founding Member
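Added example, not part of the original thread or of either poster's message: a small defender-side triage script for the situation the mail describes. It scans IIS W3C-extended log lines for the Unicode directory-traversal requests the worm used (the overlong UTF-8 forms of "/" and "\" such as %c0%af and %c1%9c, which IIS decoded after its path check, the bug MS01-026 closes) and for any request to cmd.exe or to the renamed copy root.exe under /scripts, then walks a web root looking for the dropped index/default pages by matching the defacement text quoted in the original post. The log lines, the IP addresses and the temporary web root are constructed for the example; nothing here is from a real server.

```python
"""
Defender-side triage for the IIS Unicode traversal / Poisonbox case.
All sample data below is constructed for this example.
"""
import os
import re
from typing import Dict, List

# Constructed sample IIS 4 log lines (W3C extended format); not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-17 14:31:02 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-08-17 14:31:05 10.0.0.5 GET /msadc/..%c1%9c../winnt/system32/cmd.exe /c+copy+c:\\winnt\\system32\\cmd.exe+root.exe 502
2001-08-17 14:31:09 10.0.0.5 GET /scripts/root.exe /c+dir 200
2001-08-17 14:32:00 10.0.0.9 GET /default.htm - 200
"""

# ".." followed by one or more percent-encoded bytes: the overlong UTF-8
# forms of "/" and "\" (e.g. %c0%af, %c1%9c). A legitimate URL never needs
# "..%xx", so this is a low-noise indicator of the traversal attempt.
TRAVERSAL_RE = re.compile(r"\.\.(?:%[0-9a-f]{2})+", re.IGNORECASE)
# Requests that hand a command line to a shell through the web server, or to
# the renamed cmd.exe copy (root.exe) the mail says the worm drops.
SHELL_RE = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)
# Strings taken from the defacement page quoted in the original post.
DEFACEMENT_MARKERS = ("PoizonBOx", "sysadmcn@yahoo.com.cn")
# File names the post says were dropped into empty site directories.
DROPPED_NAMES = {"index.asp", "index.htm", "default.asp", "default.htm"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, taking column names from the #Fields: header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            values = line.split(" ")
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, with the matched reasons attached."""
    findings = []
    for row in parse_log(text):
        uri = row.get("cs-uri-stem", "")
        reasons = []
        if TRAVERSAL_RE.search(uri):
            reasons.append("unicode-traversal")
        if SHELL_RE.search(uri):
            reasons.append("shell-request")
        if reasons:
            findings.append({**row, "reasons": ",".join(reasons)})
    return findings


def suspect_source_ips(text: str) -> List[str]:
    """Distinct client addresses behind the suspicious requests (for the IR notes)."""
    return sorted({f["c-ip"] for f in scan_log(text)})


def is_defacement_page(html: str) -> bool:
    """True when the page carries the defacement text quoted in the post."""
    return any(marker in html for marker in DEFACEMENT_MARKERS)


def find_dropped_pages(web_root: str) -> List[str]:
    """Walk web_root and return index/default pages that carry the defacement text."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower() in DROPPED_NAMES:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "r", encoding="latin-1") as fh:
                        if is_defacement_page(fh.read()):
                            hits.append(path)
                except OSError:
                    pass  # unreadable file: report nothing rather than crash the sweep
    return sorted(hits)


if __name__ == "__main__":
    import tempfile
    for f in scan_log(SAMPLE_LOG):
        print(f["date"], f["time"], f["c-ip"], f["cs-uri-stem"], "->", f["reasons"])
    print("sources:", suspect_source_ips(SAMPLE_LOG))
    # Constructed web root with one dropped page, to show the file-system sweep.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "empty-site"))
        with open(os.path.join(root, "empty-site", "index.htm"), "w") as fh:
            fh.write("<html><body bgcolor=black>** PoizonBOx</html>")
        print("dropped pages:", find_dropped_pages(root))
```

The traversal pattern is deliberately generic ("..", then any run of %-encoded bytes) rather than a list of specific encodings, because the worm's variants cycled through several overlong forms; a hit on the log side is an attempt, while a hit from the file sweep, or any request to root.exe answered with a 200, is evidence the box was already compromised and should be treated the way the reply above recommends.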


