
New worm strikes Solaris, NT

Johannesburg, 09 May 2001

A new worm virus - sadmind/IIS - is exploiting a two-year-old vulnerability in Solaris to propagate itself over the Internet, and a seven-month-old Microsoft Internet Information Services (IIS) hole to deface Web sites around the world, according to a CERT advisory.

Although little is known about the worm as yet, it appears to use an infected Solaris server to infect both other vulnerable Solaris servers and Microsoft servers running IIS. Once the worm has spread to Windows 2000 IIS boxes, it defaces the IIS Web pages.

Administrators wanting to check for the worm on a Solaris box should look for a root shell listening on TCP port 600; the directories /dev/cub and /dev/cuc, containing logs of compromised machines and tools for propagation, respectively; and scripts associated with the worm running on the machine. Also watch out for '+ +', which is added to the .rhosts file in the root user's home directory.
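The checklist above, as an added shell script for a defender auditing a Solaris host (this is not code from the article or from CERT). It assumes root's home directory is /, so the trust file is /.rhosts, and takes an optional path prefix so the filesystem checks can be run against a mounted disk image; the port check only makes sense on the live host.

```shell
#!/bin/sh
# Host check for the sadmind/IIS worm indicators: /dev/cub, /dev/cuc and a
# '+ +' entry in root's .rhosts. An optional prefix (default /) lets the
# filesystem checks run against a mounted image instead of the live root.
# Prints each indicator found; returns 0 if clean, 1 if anything was found.
check_sadmind_indicators() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", so paths stay "/dev/cub" etc.
    hits=0

    # Worm working directories: logs of compromised hosts and propagation tools.
    for d in dev/cub dev/cuc; do
        if [ -d "$root/$d" ]; then
            echo "INDICATOR: directory $root/$d exists"
            hits=$((hits + 1))
        fi
    done

    # '+ +' in .rhosts trusts every user on every host for rsh/rlogin as root.
    if [ -f "$root/.rhosts" ] && \
       grep -E -q '^\+[[:space:]]+\+[[:space:]]*$' "$root/.rhosts"; then
        echo "INDICATOR: '+ +' wildcard entry in $root/.rhosts"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}

# Live-host only: is anything listening on TCP port 600 (the worm's root
# shell)? Matches Solaris "*.600" and Linux-style "0.0.0.0:600" socket formats.
check_port_600() {
    netstat -an 2>/dev/null | grep -E '[.:]600[[:space:]].*LISTEN' >/dev/null
}

# Usage on a live host (assumed invocation, not part of the article):
#   check_sadmind_indicators / ; check_port_600 && echo "INDICATOR: port 600 open"
```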

Compromised IIS machines will end up with the following text replacing their Web pages: "f*** USA Government f*** PoizonBOx contact: sysadmcn@yahoo.com.cn."

A patch for Microsoft IIS is available here, while Sun's Solaris patch is available here.

Symantec is aware of the virus, although it has not yet issued any protection as it is still waiting to receive a copy of the virus. It has, however, rated the distribution of the virus as "medium".
