Worm exploits Solaris to attack IIS sites

New computer worm exploits a known vulnerability in Solaris to attack Websites based on Microsoft's IIS server
Written by Will Knight, Contributor

New computer worm exploits a known vulnerability in Solaris to attack Websites based on Microsoft's IIS server

US-based Computer Emergency Response Team (CERT) warned today of a new computer worm that exploits vulnerabilities in common Internet server software to help it automatically deface Web pages.

Dubbed the sadmind/IIS -- after the exploits used -- the worm targets computers running Sun's Unix-based operating system Solaris to attack insecure versions of Microsoft's Web server Internet Information Server (IIS).

The worm exploits a two-year-old vulnerability in Solaris systems and then installs software which in turn attacks servers running Microsoft's IIS software that have not been updated with a patch to fix a seven-month old security hole. Once the payload software has been installed on the Solaris system, it searches for IIS-based servers elsewhere on the Internet -- possibly, say security experts, by scanning or by using a pre-set range of IP addresses. Once the software has found an IIS-based server with the vulnerability still unpatched, it defaces any Websites hosted on that server.

Reports to computer security mailing lists indicate that a significant number of that Solaris machines were compromised using the sadmind exploit over the weekend. A number of Web site administrators running IIS also report experiencing defacements.

Paul Roger, Network security analyst for computer security company MIS, said the worm results in a page defacement signed with email address for an account at Yahoo! China and a message reads: "f*ck USA Government f*ck PoizonBOx".

The release of the worm coincides with an increase in activity by crackers supporting the two sides in the US spy plane controversy. Last week saw an escalation of political defacements by Chinese and US crackers over the international incident.

Two Web site administrators contacted ZDNet UK over the weekend to report that their sites were cracked and defaced with the worm's identifying message.

According to Gunter Ollman, a security consultant for Internet Security Systems (ISS), the CERT alert is a cause for some alarm. He said other CERT warnings have preceded a spate of hacking based on the vulnerability they described. "I think we will see this go on for some time," he added.

Ollman said that this type of exploit is not difficult to automate and believes that many companies may fall foul because it is easy to leave a system vulnerable to old exploits when installing new system components.

This is not the first computer worm designed to automatically deface pages. In March another worm known as Lion was released to attack Linux machines running BIND DSN software and automatically deface Web pages hosted on the same server.

Take me to Hackers

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read what others have said.

Editorial standards