When I went to the site, my antivirus software picked up an html.sadmin.a 
virus in my temporary internet files that references this site.

Rick Huber






"Louis, Joe" <[EMAIL PROTECTED]>
09/06/2001 11:52 AM
Please respond to "NT System Admin Issues"

 
        To:     "NT System Admin Issues" <[EMAIL PROTECTED]>
        cc: 
        Subject:        RE: hack or virus?


This is the result of a hole that was discussed last year, MS00-078. And 
two years ago by Sun #00191. You could fix it by deleting the files, but 
if the patch isn't applied, you will find the pages replaced again within 
a few hours. 
 
They need to patch the hole that's been discussed in just about every forum 
for the last few months. It's being called the fileless virus trend. And 
since this exists, there are most likely other breaches as well which 
allow execution on the server itself. It's called a few things, but 
SadMind was the most popular reference to it. On that machine, all default 
locations that have default/index asp and htm have been replaced with this 
new page. 
 
There is another variant going around for a few weeks now that changes the 
country from USA to another one. The files have to be deleted/restored from 
a backup. And the breach files need to be deleted.
 
Here's some info on it:
http://securityresponse.symantec.com/avcenter/security/Content/2001_05_11.html
 
By the way, one thing that we noticed is the amount of Proxy servers that 
have been affected by this. Seems a ton of people went out and patched 
their Web servers and forgot all about their other machines that use IIS. 
 
-Joe

 -----Original Message-----
From: Pete Karhatsu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2001 12:11 PM
To: NT System Admin Issues
Subject: RE: hack or virus?

That would be a hack. They replace the Default/index.htm files with this. 
Just need to lock down IIS a bit more.... 
-----Original Message----- 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 06, 2001 11:07 AM 
To: NT System Admin Issues 
Subject: hack or virus? 

We have someone that came to us about hosting a site for them.  When we 
went to look at their site, before we moved it over to us, we found it wasn't 
what they had put on their site. 
http://www.e-z-learning.com is the site.  Is this a hack or a virus?   I 
have seen this before on someone's site that wanted us to host for them, 
but I thought it was someone playing games at the time. 


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 