The default install of IIS creates a /scripts virtual directory in the
default host on the web server, and included in the real path on the server
is a program called root.exe which essentially gives command line access.
I've seen quite a few log entries in my servers showing attempts at
/scripts/root.exe.  This is actually more of a volatile situation than just
including a link in an email.  If an unknowing IIS admin fails to remove
this junk (or at least fails to remove the exec permission), anyone on the
network can do whatever they please to that server.  It's actually merciful
that the China page which can be created this way only replaces the
index.htm and default.htm files, rather than trashing the entire server.

I haven't bothered to scout around too much, but I would bet there are a
large number of IIS web servers sitting in this state.  There is no virus
involved here at all; it's an open door which the admin himself creates,
oftentimes unknowingly.

Shawn

----- Original Message -----
From: "Joel Hammer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 06, 2001 6:13 AM
Subject: Re: The Worm: How you doin'?


> > ***DON'T DO THIS!!! I'M ENTIRELY SERIOUS***
> >
> > http://infected_system/scripts/root.exe?/del /f /s /q c:\*.*
> >
> > ***REPEAT: DON'T DO IT. IT WILL LAND YOU IN JAIL. AND IT MAY BE
> > WRONG***
> >
>
> I don't understand this http.
> Does this mean that the worm runs a script (a cgi script?) which erases the
> hard drive?
>
> I must confess that I have not gotten the number of hits I originally
> stated. A slight typo in a sed script (left off -n) led me to double the
> number of hits recorded. So, it is only about 500 hits since Aug 4 5:00 am
> and about 250 unique ip's.
> They are however, continuing unabated. The sites also display an error
> page, saying that there is no default page to display. The site is under
> construction.
> Joel
>
> _______________________________________________
> http://linux.nf -- [EMAIL PROTECTED]
> Archives, Subscribe, Unsubscribe, Digest, Etc ->http://linux.nf/mailman/listinfo/linux-users
>
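
The log check both messages describe (requests for /scripts/root.exe, counted as hits and unique IPs), written as an added example that is not part of the original thread. It assumes an access log in Common Log Format; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize requests for /scripts/root.exe in an access log.
# Assumed format (Common Log Format):
#   ip ident user [time] "METHOD path PROTO" status size

summarize_rootexe() {
    # Reads log lines on stdin; prints "hits=N unique_ips=N answered_200=N".
    awk '
    {
        # The request line is the first double-quoted field.
        if (split($0, q, "\"") < 3) next
        if (split(q[2], req, " ") < 2) next

        path = tolower(req[2])     # IIS paths are case-insensitive
        sub(/\?.*/, "", path)      # match on the path, not the query string
        if (path != "/scripts/root.exe") next

        hits++
        if (!($1 in seen)) { seen[$1] = 1; ips++ }

        # Status code is the first field after the closing quote.
        # A 200 means something answered at that path and needs a closer look.
        split(q[3], tail, " ")
        if (tail[1] == "200") ok++
    }
    END { printf "hits=%d unique_ips=%d answered_200=%d\n", hits, ips, ok }
    '
}

# Constructed sample lines (documentation-range addresses, not real data).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [04/Aug/2001:05:01:12 -0400] "GET /scripts/root.exe?EXAMPLE HTTP/1.0" 404 276
192.0.2.10 - - [04/Aug/2001:05:01:13 -0400] "GET /scripts/ROOT.EXE?EXAMPLE HTTP/1.0" 404 276
198.51.100.7 - - [04/Aug/2001:06:40:02 -0400] "GET /scripts/root.exe?EXAMPLE HTTP/1.0" 404 276
203.0.113.5 - - [04/Aug/2001:07:15:44 -0400] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [04/Aug/2001:07:15:50 -0400] "GET /search?q=/scripts/root.exe HTTP/1.0" 200 512
EOF
}

sample_log | summarize_rootexe
```

Each matching line is counted once, and the last sample line is not counted because the string appears only in its query.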

