Code Red(s) being confused with sadmind/IIS worm?
ghandi at ghandi.org
ghandi at ghandi.org
Fri Aug 10 00:28:14 GMT 2001
I have found the same thing. We realized yesterday afternoon that a rogue
laptop on our network was running a out of the box 2k install. It had been
infected with code red II. It didn't take us long however to discover that
it also had been hit with the sadmind/IIS worm much earlier and had gone
Out of curiosity we scanned several other 2k machines on our network and
found the same thing, sadmind/IIS. So yes, sadmind/IIS is much more
prevalent than we realize. Those who have code red probably should check
for sadmind/IIS as well.
On Thu, 9 Aug 2001, Stephen W. Thompson wrote:
> Follow my line of thinking here.
> In many cases, we're getting reports of Code Red for machines that are
> not running Win2k -- Win9x or a unix variant. We jump to the
> conclusion that the reports were in error.
> However, lots of the reports are not coming from signature-checking
> sources (e.g., IDS), but rather are simply seen to be hitting port
> 80/tcp on a machine that isn't a (perhaps public) webserver.
> So are a lot of the reports simply a distraction? I don't think so.
> I've noticed we have a good amount of the sadmind/IIS worm presence on
> our network. (See http://www.cert.org/advisories/CA-2001-11.html for
> one writeup.) Recall that this is the worm that hits Solaris boxes
> with a sadmind buffer overflow, and then those machines go after IIS
> with a Unicode directory traversal vulnerability.
> If I'm correct, that implies a) sadmind/IIS is more prevalent than
> we'd realized and, possibly b) that there might be a variant of
> sadmind/IIS that succeeds on non-Solaris machines unlike the original
> variant. Any corroboration on (b) from anyone?
> En paz,
> Steve, (tired) security analyst
> Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
> thompson at isc.upenn.edu URL=http://pobox.upenn.edu/~thompson/index.html
> For security matters, use security at isc.upenn.edu, read by InfoSec staff
> The only safe choice: Write e-mail as if it's public. Cuz it could be.
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
More information about the unisog