Security Incidents mailing list archives
Re: Dummies got a sample page
From: Anders Thulin <Anders.X.Thulin () telia se>
Date: Fri, 01 Jun 2001 09:58:35 +0200
Karl Hill wrote:
as far as the services go, the worm wouldn't have done that...unless of course there is a new variant...hmm...even then, could it disable services from a command line? certainly not if it was running as IUSR_MACHINENAME.
The sadmind/IIS worm won't do anything like that: it just adds {index,default}.{asp,htm} files all over the place. But the same hole can be (and has been) used for more 'manual' intrusions, which, of course, provides for more opportunities for action.

The one I've seen was very obvious in the WWW logs once you started looking for it. If the logs are still intact, you might try looking for any invocation of WINNT/system32/TFTP.EXE or NC.EXE

--
Anders Thulin   Anders.X.Thulin () telia se   040-661 50 63
Telia ProSoft AB, Carlsgatan 6, SE-201 20 Malmö, Sweden
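Added example, not part of the original message: one way to run the log check suggested above, scanning IIS web logs for requests that name TFTP.EXE or NC.EXE. It assumes W3C extended format logs with a #Fields header; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Tool names come from the message above. A name only counts when it is a
# whole path or argument component, so "sync.exe" does not match "nc.exe".
PATTERN = re.compile(r"(?<![a-z0-9_.-])(tftp|nc)\.exe(?![a-z0-9_-])", re.I)

def fully_unquote(s, max_rounds=3):
    """Percent-decode repeatedly so doubly encoded names are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def scan(lines):
    """Return (line_no, client_ip, tool, status) for each matching request."""
    fields, hits = None, []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the records below
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        target = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
        # '+' stands for a space in query strings; treat '\' like '/'.
        target = fully_unquote(target.replace("+", " ")).replace("\\", "/")
        m = PATTERN.search(target)
        if m:
            hits.append((n, rec.get("c-ip"), m.group(0).lower(), rec.get("sc-status")))
    return hits

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-30 02:11:07 192.0.2.10 GET /default.htm - 200
2001-05-30 02:11:09 192.0.2.77 GET /x/WINNT/system32/TFTP.EXE - 502
2001-05-30 02:11:15 192.0.2.80 GET /x/winnt%5csystem32%5cNC%252EEXE - 200
2001-05-30 02:12:40 192.0.2.10 GET /tools/sync.exe - 404
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit with a 200 or 502 status deserves a closer look at the other requests from the same client address around that time.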