Security Incidents mailing list archives

recent sadmin worm


From: "Vitaly Osipov" <vosipov () wolfegroup ie>
Date: Mon, 14 May 2001 16:58:49 +0100


Hi all,

I've got a copy of this (popular :) ) Solaris-Microsoft worm... and I am
really surprised by its IIS exploit - it's just an old unicode thing...
people should thank heavens that the anonymous writer did not add a new
IIS 5.0 web printer bug :)

by default the worm itself sits in /dev/cuc - check it if you have a
Solaris box :)

if somebody is interested in developing signatures/whatever, I attach here
the worm's IIS defacement script. The worm itself, btw, is rather small (20 kb
in zip if you exclude things like wget, gzip and nc - it carries them as
well, so "full version" is ~700kb)

regards,
Vitaly.

Attachment: uniattack.zip

