Defaced Commentary - 8000 Machines hit by sadmind/IIS worm
On Tuesday, May 8, Attrition staff received email containing a list of
8836 IP addresses that were said to be victims of the "sadmind/IIS Worm".
For details on this worm, you can read a little more about it on the CERT
web site which actually managed to release a timely advisory:
http://www.cert.org/advisories/CA-2001-11.html
To expand on the advisory, this worm overwrites four files (each 289 bytes)
if it successfully compromises a remote IIS system:
- default.asp
- default.htm
- index.asp
- index.htm
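The four filenames and the 289-byte size above, plus the defacement text quoted later in this commentary, are enough to check a web root offline for this worm's drop. The following is an added example written for this page, not Attrition's own tooling or the worm's code: the marker strings come from the quoted defacement, the 289-byte size from the commentary, and the planted sample page is a constructed, assumed rendering of that text padded to 289 bytes, not the worm's actual output. It flags on content first and treats the size only as corroboration, so a page that an admin trimmed but did not fully restore is still caught.

```python
import os
import tempfile

# Files the worm overwrites on a compromised IIS host (from the commentary).
WORM_FILES = ("default.asp", "default.htm", "index.asp", "index.htm")
# Size of each written file as reported in the commentary.
WORM_FILE_SIZE = 289
# Distinctive strings from the defacement text quoted in the commentary.
MARKERS = (b"PoizonBOx", b"sysadmcn@yahoo.com.cn")


def check_file(path):
    """Compare one file against the defacement signature.

    Content markers are the decisive evidence; the 289-byte size is a
    corroborating hint only, since an edited or partially restored page
    keeps the text but not the size.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    found = [m.decode() for m in MARKERS if m in data]
    return {
        "name": os.path.basename(path),
        "path": path,
        "size": len(data),
        "size_match": len(data) == WORM_FILE_SIZE,
        "markers": found,
        "defaced": bool(found),
    }


def scan_webroot(root):
    """Walk a web root and check every file named like one of the worm's targets."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower() in WORM_FILES:  # IIS paths are case-insensitive
                hits.append(check_file(os.path.join(dirpath, name)))
    return hits


def build_sample_webroot():
    """Create a CONSTRUCTED sample web root for the demo.

    The planted page is an assumed rendering of the quoted defacement text,
    padded to 289 bytes; it is not the worm's real output.
    """
    root = tempfile.mkdtemp(prefix="sadmind_demo_")
    os.makedirs(os.path.join(root, "docs"))
    body = (b"<html><body bgcolor=black><font color=red size=7>"
            b"fuck USA Government<br>fuck PoizonBOx<br>"
            b"contact:sysadmcn@yahoo.com.cn</font></body></html>")
    # Untouched worm drop: markers present and exactly 289 bytes.
    with open(os.path.join(root, "default.htm"), "wb") as fh:
        fh.write(body.ljust(WORM_FILE_SIZE, b" "))
    # Clean page with a matching filename: must not be flagged.
    with open(os.path.join(root, "index.htm"), "wb") as fh:
        fh.write(b"<html><body>Welcome</body></html>\n")
    # Defacement that someone trimmed: markers present, size no longer 289.
    with open(os.path.join(root, "docs", "index.asp"), "wb") as fh:
        fh.write(body)
    return root


if __name__ == "__main__":
    for hit in scan_webroot(build_sample_webroot()):
        status = "DEFACED" if hit["defaced"] else "clean"
        print(f'{status:8} {hit["size"]:4d} bytes  {hit["path"]}')
```

Run it against a real IIS web root by passing that path to scan_webroot() instead of the constructed sample; the size_match field tells you whether the file is still the worm's untouched 289-byte drop or has since been edited.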
Of the 8836 IPs we received, 2247 resolved to hostnames. From there, we broke
the list down into a few major types of machines/names: ADSL boxes, cable
modems, DHCP servers, DNS machines, DSL boxes, mail hosts, personal machines,
"regular" servers with hostnames (what we would normally consider 'mirror'
material) and "in-addr" addresses. The following list shows a quick breakdown
by numbers, as well as how many of each we confirmed as defaced (of the 792
hosts we tested, 405, or 51%, were confirmed defaced):
Count  Type       Defaced
-----  ----       -------
  276  adsl       not tested
  129  cable      not tested
   12  dhcp        12 (100%)
   59  dns         26 (44%)
  150  dsl        100 (66%)
  358  hostnames  188 (52%)
  160  in-addr    not tested
  213  mail        79 (37%)
  890  personal   not tested
 2247  total      405 of 792 tested (51%)
We have mirrored two copies of the defacement, each listing several of the hosts it was found on:
http://attrition.org/mirror/attrition/2001/05/09/www.bruceflint.com/
Mass with "hostnames" and "dns" hosts
http://attrition.org/mirror/attrition/2001/05/09/mail.ogd.com/
Mass with "mail" hosts
Given that we do not know the date of the list, the source of the list, and
the rather large percentage of tested hosts that were confirmed defaced, we
believe that all of the IPs were compromised and defaced at one point or
another. For that reason we are including the full list of (sorted) IPs with
the HTML version of this commentary. It can be found at
http://attrition.org/security/commentary/ shortly after you receive this
mail.
The content of the defaced message:
fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn
---
© 1999, 2000, 2001 Copyright Brian Martin
Permission is granted to quote, reprint or redistribute provided the text is not
altered, and the author and attrition.org are credited. The opinions expressed
in this text are not necessarily the opinion of all Attrition staff members.
To subscribe to this list, send mail to majordomo@attrition.org with
subscribe defaced-commentary in the BODY of the mail.