Security Incidents mailing list archives
Re: Another unicode hacked box
From: wait3r <wait3r () THE-PENTAGON COM>
Date: Wed, 9 May 2001 04:50:17 -0500
This is the 'new' sadmin/IIS worm, it spreads using rcp, through vulnerable sadmin hosts. It also scans for vulnerable IIS boxes, which it then proceeds to deface. Made up of sadmin-brute, grabbb, and a couple of Perl scripts. It leaves the bindshell (from the sadmin exploitation) open on 800/tcp, and also (for propagation purposes) adds '+ +' to ~root/.rhosts.

cya,

---------------------------------------------- Original Message
From: "Jon Zobrist" <kgb () USSR COM>
Subject: Another unicode hacked box
Date: Tue, 8 May 2001 22:31:53 -0600

We've got a test server which was NT 4 SP6 IIS 4 no patches which was hit by an attack pretty much identical to this one on securityfocus.

http://www.securityfocus.com/archive/88/170407

The box was in the DMZ and completely open for internet parties. It appears we were hit on March 6, 7, and 8th, 2001... The attacker attempted to deface our web pages by uploading index.html and index.asp, both of which include the crude English "fuck USA Government" and the message "fuck PoinsonB0x"; it also includes a contact email address of sysadmincn () yahoo com cn

I'm not sure if this warrants contacting the FBI or not, it appears clean up will be reinstalling completely.

Jon Zobrist
Manager Information Systems
Avaltus, Inc.
801-303-2101
jzobrist () avaltus com
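A host-side check for the two indicators named in the reply above (a listener on 800/tcp and a '+ +' entry in root's .rhosts), added here as an example and not part of the original thread. The function names are hypothetical, the default path /.rhosts is an assumption about where root's home is, and the check goes slightly beyond the message by flagging any entry whose host field is '+'.

```shell
#!/bin/sh
# Added example: triage for the two host indicators described in the thread.
# Function names and the default /.rhosts path are assumptions, not from the thread.

# Print wildcard-trust lines from an .rhosts-style file: "+ +", or any
# entry whose host field is "+". Returns 0 if at least one is found.
rhosts_wildcards() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 == "+" { print FILENAME ":" FNR ": " $0; hit = 1 }
        END { exit(hit ? 0 : 1) }
    ' "$1"
}

# Read `netstat -an` output on stdin and print TCP listeners on the given
# port. Accepts Solaris-style ("*.800") and Linux/BSD-style ("0.0.0.0:800")
# local addresses; "8000" does not match "800". Returns 0 if any is found.
listeners_on_port() {
    awk -v port="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                n = split($i, part, /[.:]/)   # port is the last component
                if (n > 1 && part[n] == port) { print; hit = 1; break }
            }
        }
        END { exit(hit ? 0 : 1) }
    '
}

# Live use: sh check.sh --live [path-to-root-rhosts]
if [ "${1:-}" = "--live" ]; then
    found=0
    rhosts_wildcards "${2:-/.rhosts}" && found=1
    netstat -an | listeners_on_port 800 && found=1
    [ "$found" -eq 1 ] && echo "indicator(s) present: review this host"
    exit 0
fi
```

A listener on 800/tcp can belong to a legitimate service, so a match on that check alone is a prompt to identify the owning process rather than a verdict.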
Current thread:
- Another unicode hacked box Jon Zobrist (May 08)
- Re: Another unicode hacked box Johan Augustsson (May 10)
- Re: Another unicode hacked box jamie rishaw (May 10)
- <Possible follow-ups>
- Re: Another unicode hacked box Matt Scarborough (May 08)
- Re: Another unicode hacked box wait3r (May 10)