RE: hack or virus?

2001-09-06 Thread Pete Karhatsu

That would be a hack. They replace the Default/index.htm files with this. Just need to lock down IIS a bit more.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2001 11:07 AM
To: NT System Admin Issues
Subject: hack or virus?

We have someone that came to us about hosting a site for them. When we went
to look at their site, before we moved it over to us, we found it wasn't
what they had put on their site.
http://www.e-z-learning.com is the site. Is this a hack or a virus? I
have seen this before on someone's site that wanted us to host for them, but
I thought it was someone playing games at the time.




http://www.sunbelt-software.com/ntsysadmin_list_charter.htm









RE: hack or virus?

2001-09-06 Thread Givens, Mike

Looks like a hack. The site is running IIS4 on NT. According to Netcraft
the page was changed today?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2001 11:07 AM
To: NT System Admin Issues
Subject: hack or virus?


We have someone that came to us about hosting a site for them.  When we went
to look at their site, before we moved it over to us, we found it wasn't
what they had put on their site.
http://www.e-z-learning.com is the site.  Is this a hack or a virus?   I
have seen this before on someone's site that wanted us to host for them, but
I thought it was someone playing games at the time.







Re: hack or virus?

2001-09-06 Thread Jeremy Morton



SunOS/BoxPoison.worm

http://vil.mcafee.com/dispVirus.asp?virus_k=99085;

Had it once...







Re: hack or virus?

2001-09-06 Thread Jay Woody

Hack and a rather old one.  Major patching needs to be done.  After the format and 
rebuild that is.  I think this is the one where it infected Sun boxes and then the Sun 
boxes infected NT boxes.  It came out right after the US/China spy plane incident, so 
obviously they haven't patched in quite a while.

JayW

 [EMAIL PROTECTED] 09/06/01 11:07AM 
We have someone that came to us about hosting a site for them.  When we went
to look at their site, before we moved it over to us, we found it wasn't
what they had put on their site.
http://www.e-z-learning.com is the site.  Is this a hack or a virus?   I
have seen this before on someone's site that wanted us to host for them, but
I thought it was someone playing games at the time.







RE: hack or virus?

2001-09-06 Thread Martin Blackstone

Hacked.
It set off my Trend OfficeScan.

-Original Message-
From: Gavin Landon [mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 06, 2001 9:07 AM
To: NT System Admin Issues
Subject: hack or virus?


We have someone that came to us about hosting a site for them.  When we
went to look at their site, before we moved it over to us, we found it
wasn't what they had put on their site.
http://www.e-z-learning.com is the site.  Is this a hack or a virus?   I
have seen this before on someone's site that wanted us to host for them,
but I thought it was someone playing games at the time.







RE: hack or virus?

2001-09-06 Thread Louis, Joe

This is the result of a hole that was discussed last year, MS00-078. And two years
ago by Sun #00191. You could fix it by deleting the files, but if the patch
isn't applied, you will find the page replaced again within a few hours.

They need to patch the hole that's been discussed in just about every forum for the
last few months. It's being called the file less virus trend. And since this exists,
there are most likely other breaches as well which allow execution on the
server itself. It's called a few things, but SadMind was the most popular
reference to it. On that machine, all default locations that have default/index
asp and htm have been replaced with this new page.

There is another variant going around for a few weeks now that changes the country
from USA to another one. The files have to be deleted/restored from a
backup. And the breach files need to be deleted.

Here's some info on it:
http://securityresponse.symantec.com/avcenter/security/Content/2001_05_11.html

By the way, one thing that we noticed is the amount of Proxy servers that have been
affected by this. Seems a ton of people went out and patched their Web servers
and forgot all about their other machines that use IIS.

-Joe
-Original Message-
From: Pete Karhatsu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2001 12:11 PM
To: NT System Admin Issues
Subject: RE: hack or virus?

  That would be a hack. They replace the Default/index.htm files
  with this. Just need to lock down IIS a bit more

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, September 06, 2001 11:07 AM
  To: NT System Admin Issues
  Subject: hack or virus?

  We have someone that came to us about hosting a site for
  them. When we went to look at their site, before
  we moved it over to us, we found it wasn't what they
  had put on their site. http://www.e-z-learning.com is the
  site. Is this a hack or a virus? I have seen this before on
  someone's site that wanted us to host for
  them, but I thought it was someone playing games at
  the time.
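
An added example, not part of the thread or any poster's code: one way to find the symptom described in the last message, default/index .htm and .asp pages overwritten across a web root, by hashing each default document against a known-good backup copy. The function names, the backup layout (same relative paths as the live root) and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Default-document names the thread reports as overwritten (default/index, .htm/.asp).
DEFAULT_DOCS = {"default.htm", "index.htm", "default.asp", "index.asp"}

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_webroot(live_root, backup_root):
    """Compare every live default document with its backup copy.

    Returns (changed, stamped): `changed` lists relative paths that differ from
    or are absent in the backup; `stamped` groups changed paths that share one
    hash, i.e. a single page copied over many default documents.
    """
    live_root, backup_root = Path(live_root), Path(backup_root)
    changed, by_hash = [], defaultdict(list)
    for doc in sorted(live_root.rglob("*")):
        if not doc.is_file() or doc.name.lower() not in DEFAULT_DOCS:
            continue
        rel = doc.relative_to(live_root)
        digest = sha256_of(doc)
        good = backup_root / rel
        if not good.is_file() or sha256_of(good) != digest:
            changed.append(rel.as_posix())
            by_hash[digest].append(rel.as_posix())
    stamped = [paths for paths in by_hash.values() if len(paths) > 1]
    return changed, stamped

def demo():
    """Run the audit on a constructed web root (sample data, not from the thread)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "wwwroot"), Path(tmp, "backup")
        pages = {"default.htm": b"<h1>Home</h1>", "shop/index.asp": b"<% shop %>",
                 "docs/index.htm": b"<h1>Docs</h1>", "docs/faq.htm": b"<h1>FAQ</h1>"}
        for root in (live, backup):
            for rel, body in pages.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(body)
        # Simulate the symptom: the same replacement page in two default documents.
        for rel in ("default.htm", "shop/index.asp"):
            (live / rel).write_bytes(b"<body>constructed replacement page</body>")
        return audit_webroot(live, backup)

if __name__ == "__main__":
    changed, stamped = demo()
    print("changed:", changed)
    print("stamped groups:", stamped)
```

Run on a schedule against each IIS host, including machines that are not primarily web servers, a non-empty `stamped` result shows the pages have been replaced again after a restore.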