Security Incidents mailing list archives
RE: Dummies got a sample page
From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 31 May 2001 14:42:47 -0600 (MDT)
On Thu, 31 May 2001, Karl Hill wrote:
This was the now infamous sadmind worm. ummm...and for this worm to have penetrated your system, you were missing a patch from back in October of 1999. as far as the services go, the worm wouldn't have done that...unless of course there is a new variant...
The worm came after they had been doing the defacements by hand (well, with a perl script.) The defacement contents were identical in the vast majority of the cases where the defacers were the cnhonkers group. They later (apparently) decided to go ahead and fully automate it in the form of a worm. However, we were given evidence from a number of defacements that were not limited to strictly uploading a new web page. On some machines, they decided to move in a bit more, leaving other files behind, reconfiguring things, etc. And as I mentioned in another note, we saw them using a couple of other IIS techniques later other than the Unicode hole, but the defacement contents were the same.

Ryan