Security Incidents mailing list archives

Re: Another unicode hacked box


From: wait3r <wait3r () THE-PENTAGON COM>
Date: Wed, 9 May 2001 04:50:17 -0500

This is the 'new' sadmin/IIS worm; it spreads using rcp through vulnerable
sadmin hosts. It also scans for vulnerable IIS boxes, which it then
proceeds to deface.
Made up of sadmin-brute, grabbb, and a couple of Perl scripts.
It leaves the bindshell (from the sadmin exploitation) open on 800/tcp, and
also (for propagation purposes) adds '+ +' to ~root/.rhosts.

cya,

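The two artefacts named in the reply above, the '+ +' wildcard in ~root/.rhosts and the leftover listener on 800/tcp, are easy to check for on a suspect host. The script below is an added example and is not code from this thread or from the worm; it assumes the classic "host [user]" .rhosts layout and `netstat -an` output in either the Solaris ("*.800 ... LISTEN") or Linux ("0.0.0.0:800 ... LISTEN") column format. The .rhosts and netstat samples it runs over are constructed for the demo, not captured from a real machine.

```sh
#!/bin/sh
# Added example, not code from the thread or from the worm itself.
# Two host checks for the artefacts the reply describes: a '+' wildcard in
# ~root/.rhosts and a TCP listener on port 800. Assumed input formats:
# classic .rhosts "host [user]" lines and `netstat -an` output in either the
# Solaris ("*.800 ... LISTEN") or Linux ("0.0.0.0:800 ... LISTEN") layout.

# rhosts_wildcards FILE
# Print every entry that grants trust via a '+' wildcard in the host or the
# user field ('+ +', '+', '+ user', 'host +'). Returns 0 if any were found.
rhosts_wildcards() {
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # drop trailing comments
        set -- $line                # split into host / user fields
        [ $# -eq 0 ] && continue    # blank or comment-only line
        host=$1
        user=${2:-}
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            printf 'wildcard trust: %s\n' "$*"
            found=0
        fi
    done < "$1"
    return $found
}

# listener_on_port NETSTAT_FILE PORT
# Print LISTEN sockets whose local address ends in ".PORT" or ":PORT".
# grep's exit status is the result: 0 if a listener was found, 1 if not.
listener_on_port() {
    grep -E "(^|[[:space:]])[^[:space:]]*[.:]$2[[:space:]].*LISTEN" "$1"
}

# Constructed sample input (not captured from a real host).
demo() {
    d=${TMPDIR:-/tmp}/wormcheck.$$
    mkdir -p "$d"
    cat > "$d/rhosts" <<'EOF'
# build host trusts root from the CI box
ci.example.com root
+ +
EOF
    cat > "$d/netstat" <<'EOF'
      *.22                 *.*                0      0 24576      0 LISTEN
      *.800                *.*                0      0 24576      0 LISTEN
      10.0.0.5.800         10.0.0.9.41022     0      0 24576      0 ESTABLISHED
EOF
    echo "== ~root/.rhosts wildcard entries =="
    rhosts_wildcards "$d/rhosts" || echo "none"
    echo "== listener on 800/tcp =="
    listener_on_port "$d/netstat" 800 || echo "none"
    rm -rf "$d"
}

demo
```

On a live box run the functions against the real files instead of the samples, e.g. `rhosts_wildcards /.rhosts` (or wherever root's home is) and `netstat -an | tee /tmp/ns; listener_on_port /tmp/ns 800`. A matching .rhosts entry is worth treating as a full compromise regardless of whether the shell is still listening, since rcp trust is how the reply says the worm propagates.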

----------------------------------------------
Original Message
From: "Jon Zobrist"<kgb () USSR COM>
Subject: Another unicode hacked box
Date: Tue, 8 May 2001 22:31:53 -0600

We've got a test server (NT 4 SP6, IIS 4, no patches) which was hit by
an attack pretty much identical to this one on securityfocus.

http://www.securityfocus.com/archive/88/170407

The box was in the DMZ and completely open for internet parties.

It appears we were hit on March 6, 7, and 8, 2001...
The attacker attempted to deface our web pages by uploading index.html and
index.asp, both of which include the crude English "fuck USA Government" and
the message "fuck PoinsonB0x"; it also includes a contact email address of
sysadmincn () yahoo com cn

I'm not sure if this warrants contacting the FBI or not; it appears cleanup
will be reinstalling completely.

Jon Zobrist
Manager Information Systems
Avaltus, Inc.
801-303-2101
jzobrist () avaltus com



