Security Incidents mailing list archives

Re: Sadmind/iis worm code anyone??


From: Jens Hektor <hektor () RZ RWTH-Aachen DE>
Date: Fri, 08 Jun 2001 22:06:12 +0200

Oliver Mannion wrote:

> Several of our IIS machines have recently been attacked by the sadmind/iis
> worm - it seems to be getting around again. Now I'm curious as to the
> workings of the worm, does anyone have a copy they could please email to
> me?

What the machines look like is pretty well documented under
CERT® Advisory CA-2001-11:
        http://www.cert.org/advisories/CA-2001-11.html

Have seen some of those machines. The code is not that interesting;
I think you can get similar code 'round the corner. Just had a look at the
logs (easy to find with the above URL) to learn more about my network.

So watch out for a machine scanning you for http that responds positively
to "telnet $attacker 600" and get a copy yourself.

Bye, Jens
        

--
Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
Computing Center Technical University Aachen, network operation & security
mailto:hektor () RZ RWTH-Aachen DE, Tel.: +49 241 80 4866

