Title: RE: hack or virus?
This is the result of a hole that was discussed last year, MS00-078. And two years ago by Sun #00191. You could fix it by deleting the files, but if the patch isn't applied, you will find the pages replaced again within a few hours.
 
They need to patch the hole that's been discussed in just about every forum for the last few months. It's being called the fileless virus trend. And since this exists, there are most likely other breaches as well which allow execution on the server itself. It's called a few things, but SadMind was the most popular reference to it. On that machine, all default locations that have default/index asp and htm have been replaced with this new page.
 
There is another variant going around for a few weeks now that changes the country from USA to another one. The files have to be deleted/restored from a backup. And the breach files need to be deleted.
 
Here's some info on it:
http://securityresponse.symantec.com/avcenter/security/Content/2001_05_11.html
 
By the way, one thing that we noticed is the amount of Proxy servers that have been affected by this. Seems a ton of people went out and patched their Web servers and forgot all about their other machines that use IIS.
 
-Joe
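
Added example, not part of the original thread: a Python check for the symptom described above, where every default/index .asp and .htm document on a machine ends up replaced with the same page. The function names, the name and extension lists, and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Assumption: default-document names and extensions to check; match them to the server's settings.
DEFAULT_NAMES = {"default", "index"}
DEFAULT_EXTS = {".asp", ".htm", ".html"}

def find_default_docs(web_root):
    """Yield paths of default/index documents anywhere under web_root."""
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            if stem in DEFAULT_NAMES and ext in DEFAULT_EXTS:
                yield os.path.join(dirpath, name)

def mass_replaced(web_root, min_copies=2):
    """Map SHA-256 digest -> sorted paths for default docs sharing identical content."""
    by_hash = defaultdict(list)
    for path in find_default_docs(web_root):
        with open(path, "rb") as fh:
            by_hash[hashlib.sha256(fh.read()).hexdigest()].append(path)
    return {d: sorted(p) for d, p in by_hash.items() if len(p) >= min_copies}

def build_sample_tree(root):
    """Constructed sample: three default docs overwritten with one page, one intact."""
    replaced = b"<html>REPLACED</html>"
    pages = {
        "site_a/default.htm": replaced,
        "site_b/index.asp": replaced,
        "site_c/Default.HTM": replaced,
        "site_d/index.htm": b"<html>original home page</html>",
        "site_a/about.htm": replaced,  # not a default document, so not scanned
    }
    for rel, body in pages.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for digest, paths in mass_replaced(root).items():
            print(f"{len(paths)} default documents share SHA-256 {digest}")
            for p in paths:
                print("   ", os.path.relpath(p, root))
```

Running the same check again after restoring from backup shows whether the pages have been replaced a second time, which the message above says to expect within a few hours on an unpatched server.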

 -----Original Message-----
From: Pete Karhatsu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2001 12:11 PM
To: NT System Admin Issues
Subject: RE: hack or virus?

That would be a hack. They replace the Default/index.htm files with this. Just need to lock down IIS a bit more....

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2001 11:07 AM
To: NT System Admin Issues
Subject: hack or virus?


We have someone that came to us about hosting a site for them.  When we went
to look at their site, before we moved it over to us, we found it wasn't
what they had put on their site.
http://www.e-z-learning.com is the site.  Is this a hack or a virus?   I
have seen this before on someone's site that wanted us to host for them, but
I thought it was someone playing games at the time.



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
