Thursday, January 10, 2002

Well, after some browsing around on the message boards at The Fortean Times, it appears that what got them was a worm:
Unix/SadMind is an internet worm which propagates using a buffer overrun exploit on Solaris systems in the sadmind program, part of the Solstice AdminSuite.

When the worm attacks a system it will append the text "+ +" to the .rhosts file belonging to root. It will then copy the worm (using rcp) to the new machine and extract into a new /dev/cuc directory. /etc/rc.d/S71rpc will be changed so the worm is started when the system is started and then that file will be run to make the worm active immediately.

When the worm is active it will scan random class B networks looking for vulnerable machines to infect next. In parallel it will scan for Microsoft IIS web servers and will attempt to deface the front page with a message in red text on a black background stating 'fuck USA Government, fuck PoizonBOx'.

(screenshot on the page) Source: Sophos virus analysis: Unix/SadMind
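Added example, written here and not taken from the post or from Sophos: a small POSIX shell audit that checks a Solaris filesystem (the live root, or a mounted image of the disk) for the three host-side indicators the analysis above lists. It assumes root's .rhosts sits at /.rhosts (root's home on Solaris is /) and uses the rc script path exactly as the write-up gives it.

```shell
#!/bin/sh
# Audit a filesystem root for the SadMind host indicators described above.
# Added example, not from the Sophos analysis. Usage: sadmind_indicators /
# or sadmind_indicators /mnt/image for an offline copy of the disk.
sadmind_indicators() {
    root="${1:-}"            # empty string means the live system
    found=0

    # 1. A "+ +" line in root's .rhosts trusts every user on every host,
    #    which is what lets the worm rcp itself in. Assumes root's home is /.
    rhosts="$root/.rhosts"
    if [ -f "$rhosts" ] && grep -q '^[[:space:]]*+[[:space:]][[:space:]]*+[[:space:]]*$' "$rhosts"; then
        echo "rhosts: wildcard '+ +' entry in $rhosts"
        found=$((found + 1))
    fi

    # 2. The worm unpacks itself into /dev/cuc; a directory under /dev
    #    holding regular files is suspicious on its own.
    if [ -d "$root/dev/cuc" ]; then
        echo "dropdir: $root/dev/cuc exists"
        found=$((found + 1))
    fi

    # 3. The rpc start script is edited to launch the worm at boot
    #    (path as given in the write-up).
    rc="$root/etc/rc.d/S71rpc"
    if [ -f "$rc" ] && grep -q '/dev/cuc' "$rc"; then
        echo "rcscript: $rc references /dev/cuc"
        found=$((found + 1))
    fi

    echo "indicators found: $found"
    [ "$found" -eq 0 ]       # exit 0 when clean, 1 when anything matched
}
```

The non-zero exit status lets the function gate a larger triage script; a hit on any one indicator is reason enough to pull the host off the network and rebuild it rather than clean it in place.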
