[mrtg] Re: virus alert iis / solaris
David Eshelman
deshelman at crawford.com
Tue May 8 15:06:26 MEST 2001
sweet... right before i received your email...
i noticed some files appearing on one of our win2k boxes
Beijing, China... looks like those news articles i read
on china's hackers starting a war on us were true...
thanks for the heads up...
------------------------------------
W. David Eshelman
Associate Network Engineer
Crawford Communications, Inc.
W: 678-421-6850
C: 678-665-5545
deshelman at crawford.com
www.crawford.com
------------------------------------
- -----Original Message-----
- From: mrtg-bounce at list.ee.ethz.ch [mailto:mrtg-bounce at list.ee.ethz.ch]On
- Behalf Of Rippe, Mark (CCI-Warwick)
- Sent: Tuesday, May 08, 2001 8:15 AM
- To: 'bb at bb4.com'; 'mrtg at list.ee.ethz.ch'; 'ntop at unipi.it'
- Subject: [mrtg] virus alert iis / solaris
-
-
-
- fyi...
-
-
- = = = = = = = = = = = = =
-
- mark.rippe at cox.com
-
- "The ships hung in the sky
- in much the same way
- that bricks don't."
-
- Hitchhikers Guide to the Galaxy
- Douglas Adams
-
- -------------------------------------------------------------------------------------------------------
-
-
- -----Original Message-----
- From: CERT Advisory [SMTP:cert-advisory at cert.org]
- Sent: Tuesday, May 08, 2001 1:05 AM
- To: cert-advisory at cert.org
- Subject: CERT Advisory CA-2001-11
-
-
- -----BEGIN PGP SIGNED MESSAGE-----
-
- CERT Advisory CA-2001-11 sadmind/IIS Worm
-
- Original release date: May 08, 2001
- Last revised: --
- Source: CERT/CC
-
- A complete revision history is at the end of this file.
-
- Systems Affected
-
- * Systems running unpatched versions of Microsoft IIS
- * Systems running unpatched versions of Solaris up to, and
- including, Solaris 7
-
- Overview
-
- The CERT/CC has received reports of a new piece of self-propagating
- malicious code (referred to here as the sadmind/IIS worm). The worm
- uses two well-known vulnerabilities to compromise systems and deface
- web pages.
-
- I. Description
-
- Based on preliminary analysis, the sadmind/IIS worm exploits a
- vulnerability in Solaris systems and subsequently installs software to
- attack Microsoft IIS web servers. In addition, it includes a component
- to propagate itself automatically to other vulnerable Solaris systems.
- It will add "+ +" to the .rhosts file in the root user's home
- directory. Finally, it will modify the index.html on the host Solaris
- system after compromising 2,000 IIS systems.
-
- To compromise the Solaris systems, the worm takes advantage of a
- two-year-old buffer overflow vulnerability in the Solstice sadmind
- program. For more information on this vulnerability, see
-
- http://www.kb.cert.org/vuls/id/28934
- http://www.cert.org/advisories/CA-1999-16.html
-
- After successfully compromising the Solaris systems, it uses a
- seven-month-old vulnerability to compromise the IIS systems. For
- additional information about this vulnerability, see
-
- http://www.kb.cert.org/vuls/id/111677
-
- Solaris systems that are successfully compromised via the worm exhibit
- the following characteristics:
-
- *
- Sample syslog entry from compromised Solaris system
-
- May 7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
- May 7 02:40:01 carrier.domain.com last message repeated 1 time
- May 7 02:40:03 carrier.domain.com last message repeated 1 time
- May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
- May 7 02:40:03 carrier.domain.com last message repeated 1 time
- May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
- May 7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup
- May 7 02:40:08 carrier.domain.com last message repeated 1 time
- May 7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed
- * A rootshell listening on TCP port 600
- * Existence of the directories
-
- * /dev/cub contains logs of compromised machines
- * /dev/cuc contains tools that the worm uses to operate and
- propagate
-
- Running processes of the scripts associated with the worm, such as
- the following:
- * /bin/sh /dev/cuc/sadmin.sh
- * /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111
- * /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80
- * /bin/sh /dev/cuc/uniattack.sh
- * /bin/sh /dev/cuc/time.sh
- * /usr/sbin/inetd -s /tmp/.f
- * /bin/sleep 300
-
- Microsoft IIS servers that are successfully compromised exhibit the
- following characteristics:
-
- * Modified web pages that read as follows:
- fuck USA Government
- fuck PoizonBOx
- contact:sysadmcn at yahoo.com.cn
- *
- Sample Log from Attacked IIS Server
-
- 2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
- GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
- 2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
- GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
- 2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
- GET /scripts/../../winnt/system32/cmd.exe \
- /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
- 2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
- GET /scripts/root.exe /c+echo+\
- <HTML code inserted here>.././index.asp 502 -
-
- II. Impact
-
- Solaris systems compromised by this worm are being used to scan and
- compromise other Solaris and IIS systems. IIS systems compromised by
- this worm can suffer modified web content.
-
- Intruders can use the vulnerabilities exploited by this worm to
- execute arbitrary code with root privileges on vulnerable Solaris
- systems, and arbitrary commands with the privileges of the
- IUSR_machinename account on vulnerable Windows systems.
-
- We are receiving reports of other activity, including one report of
- files being destroyed on the compromised Windows machine, rendering
- them unbootable. It is unclear at this time if this activity is
- directly related to this worm.
-
- III. Solutions
-
- Apply a patch from your vendor
-
- A patch is available from Microsoft at
-
- http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
-
- For IIS Version 4:
- http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
-
- For IIS Version 5:
- http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
-
- Additional advice on securing IIS web servers is available from
-
- http://www.microsoft.com/technet/security/iis5chk.asp
- http://www.microsoft.com/technet/security/tools.asp
-
- Apply a patch from Sun Microsystems as described in Sun Security
- Bulletin #00191:
-
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba
-
- Appendix A. Vendor Information
-
- Microsoft Corporation
-
- The following documents regarding this vulnerability are available
- from Microsoft:
-
- http://www.microsoft.com/technet/security/bulletin/MS01-023.asp
-
- Sun Microsystems
-
- Sun has issued the following bulletin for this vulnerability:
-
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba
-
- References
-
- 1. Vulnerability Note VU#111677: Microsoft IIS 4.0 / 5.0 vulnerable
- to directory traversal via extended unicode in url (MS00-078)
- http://www.kb.cert.org/vuls/id/111677
- 2. CERT Advisory CA-1999-16 Buffer Overflow in Sun Solstice
- AdminSuite Daemon sadmind
- http://www.cert.org/advisories/CA-1999-16.html
-
- Authors: Chad Dougherty, Shawn Hernan, Jeff Havrilla, Jeff Carpenter,
- Art Manion, Ian Finlay, John Shaffer
- ______________________________________________________________________
-
- This document is available from:
- http://www.cert.org/advisories/CA-2001-11.html
- ______________________________________________________________________
-
- CERT/CC Contact Information
-
- Email: cert at cert.org
- Phone: +1 412-268-7090 (24-hour hotline)
- Fax: +1 412-268-6989
- Postal address:
- CERT Coordination Center
- Software Engineering Institute
- Carnegie Mellon University
- Pittsburgh PA 15213-3890
- U.S.A.
-
- CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
- Monday through Friday; they are on call for emergencies during other
- hours, on U.S. holidays, and on weekends.
-
- Using encryption
-
- We strongly urge you to encrypt sensitive information sent by email.
- Our public PGP key is available from
-
- http://www.cert.org/CERT_PGP.key
-
- If you prefer to use DES, please call the CERT hotline for more
- information.
-
- Getting security information
-
- CERT publications and other security information are available from
- our web site
-
- http://www.cert.org/
-
- To subscribe to the CERT mailing list for advisories and bulletins,
- send email to majordomo at cert.org. Please include in the body of your
- message
-
- subscribe cert-advisory
-
- * "CERT" and "CERT Coordination Center" are registered in the U.S.
- Patent and Trademark Office.
- ______________________________________________________________________
-
- NO WARRANTY
- Any material furnished by Carnegie Mellon University and the Software
- Engineering Institute is furnished on an "as is" basis. Carnegie
- Mellon University makes no warranties of any kind, either expressed or
- implied as to any matter including, but not limited to, warranty of
- fitness for a particular purpose or merchantability, exclusivity or
- results obtained from use of the material. Carnegie Mellon University
- does not make any warranty of any kind with respect to freedom from
- patent, trademark, or copyright infringement.
- _________________________________________________________________
-
- Conditions for use, disclaimers, and sponsorship information
-
- Copyright 2001 Carnegie Mellon University.
-
- Revision History
- May 08, 2001: Initial Release
-
- -----BEGIN PGP SIGNATURE-----
- Version: PGPfreeware 5.0i for non-commercial use
- Charset: noconv
-
- iQCVAwUBOvd6LAYcfu8gsZJZAQFyUAP8DVaGiB1G7LM2FFsx5YEWEIPFD8Qt/HDI
- A+GTyi/LA2JUAVCA5GX5GCMqMOoKEczYJCAIysoacal7YOJOTZliTqCQQV1tbK+8
- 8J3IdSRBo5oKsAKeQ5M2Hg78uZPGJwOwooNoQDsKzxVJXo0Bng3YBtiIVG3flg6x
- 8IoirGdclIw=
- =+B8w
- -----END PGP SIGNATURE-----
-
-
-
- --
- Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
- Archive http://www.ee.ethz.ch/~slist/mrtg
- FAQ http://faq.mrtg.org Homepage http://www.mrtg.org
- WebAdmin http://www.ee.ethz.ch/~slist/lsg2.cgi
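The advisory quoted above lists the log indicators of the worm: sadmind crash messages from inetd on the Solaris side, and cmd.exe/root.exe requests through a ".." traversal on the IIS side. The following is an added detection example, not CERT's code and not part of the original thread, that scans constructed IIS W3C log lines and Solaris syslog lines for those indicators. The IIS field order and the syslog layout are assumptions inferred from the advisory's samples, the sample lines are constructed, and the function names are mine.

```python
"""Scan web-server and syslog lines for the sadmind/IIS worm indicators
given in CERT Advisory CA-2001-11.  Added example, not CERT's code.
Log layouts are inferred from the advisory's samples; all sample lines
below are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C extended-format lines modelled on the advisory's sample.
# Assumed field order: date time c-ip cs-username s-ip s-port cs-method
# cs-uri-stem cs-uri-query sc-status cs(User-Agent).  Raw string: the
# backslashes are log data, not escapes.
IIS_SAMPLE = r"""
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+<HTML>.././index.asp 502 -
2001-05-06 12:20:20 10.10.10.10 - 10.20.20.20 80 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:21:03 10.10.10.11 - 10.20.20.20 80 GET /index.asp - 200 -
"""

# Constructed Solaris syslog lines modelled on the advisory's sample.
SYSLOG_SAMPLE = """\
May  7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May  7 02:40:01 carrier.domain.com last message repeated 1 time
May  7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May  7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup
May  7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed
May  7 02:50:00 carrier.domain.com sshd[201]: Accepted publickey for admin from 10.0.0.5
"""


def parse_iis_line(line):
    """Split one W3C extended log line into a dict; None for headers or junk."""
    tokens = line.split()
    if len(tokens) < 10 or tokens[0].startswith("#"):
        return None
    date, time_, client, _user, server, _port, method, stem = tokens[:8]
    return {"when": f"{date} {time_}", "client": client, "server": server,
            "method": method, "stem": stem,
            "query": " ".join(tokens[8:-2]), "status": tokens[-2]}


def is_worm_request(rec):
    """Match the request shapes in the advisory: a '..' traversal that reaches
    cmd.exe, or any request for the copied root.exe."""
    # Percent-decode so an encoded traversal is judged like a plain one;
    # errors='replace' keeps malformed byte sequences from raising.
    stem = unquote(rec["stem"], errors="replace").lower().replace("\\", "/")
    traversal_to_cmd = "/../" in stem and stem.endswith("/cmd.exe")
    return traversal_to_cmd or stem.endswith("/root.exe")


def iis_worm_requests(text):
    """Return the parsed records that match the worm's request pattern."""
    hits = []
    for line in text.splitlines():
        rec = parse_iis_line(line)
        if rec and is_worm_request(rec):
            hits.append(rec)
    return hits


SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
SADMIND_RE = re.compile(r"inetd\[\d+\]: /usr/sbin/sadmind: (?P<msg>.*)$")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times?$")


def sadmind_events(text):
    """Collect inetd messages about sadmind.  'core dumped' marks a crash;
    a following 'last message repeated N time(s)' line is folded into the
    preceding event's count so repeated overflow attempts are not undercounted."""
    events, last = [], None
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, rest = m["host"], m["rest"]
        s = SADMIND_RE.match(rest)
        if s:
            last = {"when": m["ts"], "host": host, "message": s["msg"],
                    "crashed": "core dumped" in s["msg"], "count": 1}
            events.append(last)
            continue
        r = REPEAT_RE.match(rest)
        if r and last and last["host"] == host:
            last["count"] += int(r["n"])
        else:
            last = None  # any other message breaks the repeat chain
    return events


def summarize(iis_text, syslog_text):
    """Roll both scans up into the figures a responder would report."""
    hits = iis_worm_requests(iis_text)
    events = sadmind_events(syslog_text)
    return {
        "iis_requests": len(hits),
        "iis_sources": dict(Counter(h["client"] for h in hits)),
        "sadmind_crashes": sum(e["count"] for e in events if e["crashed"]),
        "sadmind_hosts": sorted({e["host"] for e in events if e["crashed"]}),
    }


if __name__ == "__main__":
    print(summarize(IIS_SAMPLE, SYSLOG_SAMPLE))
```

Run it against real files by passing their contents to `summarize()`; the per-client counter points at the Solaris hosts doing the IIS scanning, and the sadmind crash count is the first thing to check against the listening-port and /dev/cub, /dev/cuc indicators the advisory also lists. The percent-decoding step is deliberate: the underlying IIS flaw (VU#111677) is an encoding issue, so a matcher that only looks at the raw URI would miss encoded variants.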
-