Security Incidents mailing list archives

RE: Dummies got a sample page


From: Karl Hill <Karl.Hill () ociofc usda gov>
Date: Thu, 31 May 2001 08:26:07 -0600 (MDT)

This was the now infamous sadmind worm. ummm...and for this worm to have
penetrated your system, you were missing a patch from back in october of 1999.
as far as the services go, the worm wouldn't have done that...unless of course
there is a new variant...hmm...even then, could it disable services from a
command line? certainly not if it was running as IUSR_MACHINENAME. i've
actually started noticing defacements in /scripts/[index.asp, index.htm,
default.asp, default.htm] that had gone unnoticed by the system administrators
for almost a month. anyway, i'm sure the worm is now archived (at security
focus?) but if you can't find it and would like to see what you got hit with,
i'll pop you out a copy. oh duh, i never mentioned that it was using the
unicode directory traversal bug...heh.
~ Karl

<EOF>
===============================================
Karl Hill    | Computer Specialist
970.295.5293 | USDA Office of Cyber Security
"...firewalls are speed bumps not brick walls."


-----Original Message-----
From: James Edwards [mailto:jedwards () mail sdsu edu]
Sent: Wednesday, May 30, 2001 11:41 AM
To: incidents () securityfocus com
Subject: Dummies got a sample page


Today I discovered that the sample pages installed when IIS is 
installed had been defaced (Ya' know the standard "F*** USA 
Government"). Hadn't noticed earlier since the real pages for the web 
site were untouched. I noticed that the firewall installed on the NT 
4.0 SP6a server wasn't responding, and so I checked "Services". They 
had *all* been set to "Disabled", so naturally the firewall services 
weren't running.  The system has (and had) all of the current 
service packs and security patches installed. The site is running 
Cold Fusion. Any suggestions as to what flavor of attack was 
employed, and the best methods of countering it would be appreciated.


TIA
-- 
===================
Jim
mailto:jedwards () mail sdsu edu

_____________________
The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents.

-- Nathaniel Borenstein
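
The Unicode directory traversal bug named in the reply relied on overlong UTF-8 encodings of path characters, which can be spotted in web server logs alongside requests for the page names reported in /scripts/. The following is an added example, not part of the thread or of any tool mentioned in it; the six-column log layout, the sample lines and all function names are assumptions.

```python
import re

# Bytes 0xC0 and 0xC1 never occur in well-formed UTF-8: as lead bytes they can
# only start an overlong two-byte encoding of an ASCII character.
OVERLONG = re.compile(r"%(c[01])%([0-9a-f]{2})", re.IGNORECASE)
# File names the reply reports finding in /scripts/.
DEFACEMENT_NAMES = {"index.asp", "index.htm", "default.asp", "default.htm"}

def smuggled_chars(uri):
    """Return the ASCII characters hidden behind overlong sequences in uri."""
    out = []
    for lead, cont in OVERLONG.findall(uri):
        code = ((int(lead, 16) & 0x1F) << 6) | (int(cont, 16) & 0x3F)
        out.append(chr(code))
    return out

def review_line(line):
    """Classify one log line; assumed layout: date time client-ip method uri status."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 6:
        return None
    client, uri, status = fields[2], fields[4], fields[5]
    path = uri.split("?", 1)[0].lower()
    hidden = smuggled_chars(uri)
    if any(c in "/\\." for c in hidden):
        return ("overlong-traversal", client, status)
    if hidden:
        return ("overlong-encoding", client, status)
    if path.startswith("/scripts/") and path.rsplit("/", 1)[1] in DEFACEMENT_NAMES:
        return ("page-in-scripts", client, status)
    return None

# Constructed sample lines (documentation addresses), not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-05-08 03:11:52 192.0.2.10 GET /scripts/..%c0%af../EXAMPLE 200
2001-05-08 03:12:40 192.0.2.10 GET /scripts/default.htm 200
2001-05-09 10:02:17 198.51.100.7 GET /products/index.htm 200
"""

def review_log(text):
    """Return every flagged (reason, client, status) tuple in log order."""
    return [hit for hit in map(review_line, text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in review_log(SAMPLE_LOG):
        print(hit)
```

A "page-in-scripts" hit is only a prompt to compare the file on disk with what was deployed, since a site may legitimately serve a page with one of those names.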

