Worm exploits Solaris to attack IIS sites

U.S.-based Computer Emergency Response Team (CERT) warned of a new computer worm that exploits vulnerabilities in common Internet server software to help it automatically deface Web pages.

U.S.-based Computer Emergency Response Team (CERT) warned today of a new computer worm that exploits vulnerabilities in common Internet server software to help it automatically deface Web pages.

UNITED KINGDOM (ZDNet UK) - Dubbed the sadmind/IIS -- after the exploits used -- the worm targets computers running Sun's Unix-based operating system Solaris to attack insecure versions of Microsoft's Web server Internet Information Server (IIS).

The worm exploits a two-year-old vulnerability in Solaris systems and then installs software which in turn attacks servers running Microsoft's IIS software that have not been updated with a patch to fix a seven-month old security hole. Once the payload software has been installed on the Solaris system, it searches for IIS-based servers elsewhere on the Internet -- possibly, say security experts, by scanning or by using a pre-set range of IP addresses. Once the software has found an IIS-based server with the vulnerability still unpatched, it defaces any Websites hosted on that server.

Reports to computer security mailing lists indicate that a significant number of that Solaris machines were compromised using the sadmind exploit over the weekend. A number of Web site administrators running IIS also report experiencing defacements.

Paul Roger, Network security analyst for computer security company MIS, said the worm results in a page defacement signed with e-mail address for an account at Yahoo! China and a message reads: "f*ck USA Government f*ck PoizonBOx".

The release of the worm coincides with an increase in activity by crackers supporting the two sides in the U.S. spy plane controversy. Last week saw an escalation of political defacements by Chinese and U.S. crackers over the international incident.

Two Web site administrators contacted ZDNet UK over the weekend to report that their sites were cracked and defaced with the worm's identifying message.

According to Gunter Ollman, a security consultant for Internet Security Systems (ISS), the CERT alert is a cause for some alarm. He said other CERT warnings have preceded a spate of hacking based on the vulnerability they described. "I think we will see this go on for some time," he added.

Ollman said that this type of exploit is not difficult to automate and believes that many companies may fall foul because it is easy to leave a system vulnerable to old exploits when installing new system components.

This is not the first computer worm designed to automatically deface pages. In March another worm known as Lion was released to attack Linux machines running BIND DSN software and automatically deface Web pages hosted on the same server.