[37413] in North American Network Operators' Group


RE: Solaris/IIS worm hits 9000 boxes in 48 hours

daemon@ATHENA.MIT.EDU (Petri Stephen)
Fri May 11 17:20:16 2001

Message-ID: <56FFA01C212CD511BF8D00D0B712450C01B5160D@2mtcxch02.nycps.k12.ny.us>
From: Petri Stephen <Stephen.Petri@nycboe.net>
To: 'Ian Cooper' <icooper@equinix.com>, nanog@merit.edu
Date: Fri, 11 May 2001 17:07:29 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Errors-To: owner-nanog-outgoing@merit.edu


That list of IP addresses is from Tuesday.  I know of a number of machines
that were compromised that were not on that list.  I can only imagine what
the number has climbed to since Tuesday.

Stephen Petri


-----Original Message-----
From: Ian Cooper [mailto:icooper@equinix.com]
Sent: Friday, May 11, 2001 4:26 PM
To: nanog@merit.edu
Subject: Re: Solaris/IIS worm hits 9000 boxes in 48 hours



At 16:14 5/11/2001 -0400, Petri Stephen wrote:

>http://www.theregister.co.uk/content/6/18882.html
>
>......The quite reliable hacker tracker attrition.org is reporting that
>nearly nine thousand machines had been auto-defaced by the sadmind/IIS worm
>as of Tuesday, making it one of the most effective little scripts ever
>loosed on the Net.......

Quite.  However, since this is NANOG you missed the most interesting parts:

"Attrition has posted the IPs of all the boxes known to have been hit..."

"What's ironic here is that the worm exploits two separate holes which were 
reported and patched ages ago. Call it proof-of-concept that sysadmins 
spend an awful lot of time on activities other than absorbing security 
bulletins."


