Security Incidents mailing list archives

Re: Dummies got a sample page


From: Anders Thulin <Anders.X.Thulin () telia se>
Date: Fri, 01 Jun 2001 09:58:35 +0200


Karl Hill wrote:

as far as the services go, the worm wouldn't have done that...unless of course
there is a new variant...hmm...even then, could it disable services from a
command line? certainly not if it was running as IUSR_MACHINENAME.

  The sadmind/IIS worm won't do anything like that: it just adds {index,default}.{asp,htm}
files all over the place.

  But the same hole can be (and has been) used for more 'manual' intrusions,
which, of course, provides for more opportunities for action.

  The one I've seen was very obvious in the WWW logs once you started looking
for it. If the logs are still intact, you might try looking for any invocation
of WINNT/system32/TFTP.EXE or NC.EXE

-- 
Anders Thulin     Anders.X.Thulin () telia se     040-661 50 63
Telia ProSoft AB, Carlsgatan 6, SE-201 20 Malmö, Sweden
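
The log check suggested in the message above, as an added example that is not part of the original post: it scans IIS W3C extended logs for requests naming TFTP.EXE or NC.EXE, including percent-encoded and mixed-case forms. The sample log lines, paths and addresses are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Program names come from the post; the lookbehind avoids hits such as "sync.exe".
TOOL_RE = re.compile(r"(?<![a-z0-9_])(tftp|nc)\.exe", re.IGNORECASE)

# Constructed sample in IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-30 03:12:44 192.0.2.10 GET /default.htm - 200
2001-05-30 03:13:02 192.0.2.77 GET /scripts/x/winnt/system32/TFTP.EXE - 502
2001-05-30 03:13:40 192.0.2.77 GET /scripts/x/run arg=nc%252Eexe 200
2001-05-30 03:14:00 192.0.2.10 GET /docs/sync.exe.html - 200
"""

def decode(value, rounds=3):
    """Undo percent-encoding repeatedly so %2E and %252E both become '.'."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value.replace("\\", "/")

def find_tool_requests(lines):
    """Return (date, time, client, tool) for each request naming TFTP.EXE or NC.EXE."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        target = decode(row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", ""))
        match = TOOL_RE.search(target)
        if match:
            hits.append((row.get("date"), row.get("time"),
                         row.get("c-ip"), match.group(1).lower()))
    return hits

if __name__ == "__main__":
    for hit in find_tool_requests(SAMPLE_LOG.splitlines()):
        print(*hit)
```
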

