Defaced Commentary - 8000 Machines hit by sadmind/IIS worm



On Tuesday, May 8, Attrition staff received email containing a list of 8836 IP addresses that were said to be victims of the "sadmind/IIS Worm". For details on this worm, you can read a little more about it on the CERT web site which actually managed to release a timely advisory:

http://www.cert.org/advisories/CA-2001-11.html

To expand on the advisory, this Worm will write to four different files if it succesfully compromises a remote system:

files (each 289 bytes):


Of the 8836 IP's we received, 2247 of them resolved. From here, we broke the list down into a few major types of machines/names; ADSL boxes, Cable Modems, DHCP servers, DNS machines, DSL boxes, Mail hosts, personal machines, "regular" servers (that we would normally consider 'mirror' material) and "in-addr" addresses. The following list shows a quick breakdown by numbers, as well as how many of each we confirmed as defaced:

  Count Type			Defaced
  ----- ----                    -------
    276 adsl			not tested
    129 cable			not tested
     12 dhcp			12 (100%)
     59 dns			26 (44%)
    150 dsl			100 (66%)
    358 hostnames		188 (52%)
    160 in-addr			not tested
    213 mail			79 (37%)
    890 personal		not tested
   2247 total

We have taken two copies of the defacements and listed several of the hosts.

http://attrition.org/mirror/attrition/2001/05/09/www.bruceflint.com/
Mass with "hostnames" and "dns" hosts

http://attrition.org/mirror/attrition/2001/05/09/mail.ogd.com/
Mass with "mail" hosts

Given that we do not know the date of the list, the rather large percentage that were compromised, and the source of the list, it is believed that all of the IPs were compromised and defaced at one point or another. For that reason we are including the full list of (sorted) IPs with the HTML version of this commentary. It can be found at http://attrition.org/security/commentary/ shortly after you receive this mail.

The content of the defaced message:


                         fuck USA Government

                            fuck PoizonBOx

                      contact:sysadmcn@yahoo.com.cn




---
© 1999, 2000, 2001 Copyright Brian Martin
Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org is credited. The opinions expressed in this text are not necessarily the opinion of all Attrition staff members.

To subscribe to this list, send mail to majordomo@attrition.org with subscribe defaced-commentary in the BODY of the mail.