Security Incidents mailing list archives

RE: Dummies got a sample page


From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 31 May 2001 14:42:47 -0600 (MDT)

On Thu, 31 May 2001, Karl Hill wrote:

> This was the now infamous sadmind worm. ummm...and for this worm to have
> penetrated your system, you were missing a patch from back in October of 1999.
> as far as the services go, the worm wouldn't have done that...unless of course
> there is a new variant...

The worm came after they had been doing the defacements by hand (well,
with a Perl script.)  The defacement contents were identical in the vast
majority of the cases where the defacers were the cnhonkers group.  They
later (apparently) decided to go ahead and fully automate it in the form
of a worm.  However, we were given evidence from a number of defacements
that were not limited to strictly uploading a new web page.  On some
machines, they decided to move in a bit more, leaving other files behind,
reconfiguring things, etc.

And as I mentioned in another note, we saw them using a couple of other
IIS techniques later other than the Unicode hole, but the defacement
contents were the same.


                                        Ryan

