HTML Version w/ Full List of IPs: http://attrition.org/security/commentary/worm01.html
On Tuesday, May 8, Attrition staff received email containing a list of 8836 IP addresses that were said to be victims of the "sadmind/IIS Worm". For details on this worm, you can read a little more about it on the CERT web site which actually managed to release a timely advisory:
http://www.cert.org/advisories/CA-2001-11.html
To expand on the advisory, this worm writes four different files if it successfully compromises a remote system:

files (each 289 bytes): default.asp default.htm index.asp index.htm
Of the 8836 IP's we received, 2247 of them resolved. From here, we broke the list down into a few major types of machines/names; ADSL boxes, Cable Modems, DHCP servers, DNS machines, DSL boxes, Mail hosts, personal machines, "regular" servers (that we would normally consider 'mirror' material) and "in-addr" addresses. The following list shows a quick breakdown by numbers, as well as how many of each we confirmed as defaced:
Count  Type       Defaced
-----  ----       -------
  276  adsl       not tested
  129  cable      not tested
   12  dhcp       12 (100%)
   59  dns        26 (44%)
  150  dsl        100 (66%)
  358  hostnames  188 (52%)
  160  in-addr    not tested
  213  mail       79 (37%)
  890  personal   not tested
 2247  total
We have taken two copies of the defacements and listed several of the hosts.
http://attrition.org/mirror/attrition/2001/05/09/www.bruceflint.com/ Mass with "hostnames" and "dns"
http://attrition.org/mirror/attrition/2001/05/09/mail.ogd.com/ Mass with "mail"
Given that we do not know the date of the list, the rather large percentage that were compromised, and the source of the list, it is believed that all of the IPs were compromised and defaced at one point or another. For that reason we are including the full list of (sorted) IPs with the HTML version of this commentary. It can be found at http://attrition.org/security/commentary/ shortly after you receive this mail.
The content of the defaced message:
fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn
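The two checks described above (classifying resolved hostnames into the adsl/cable/dhcp/dns/dsl/mail/personal/in-addr buckets and rebuilding the count/defaced breakdown, and looking for the four 289-byte files on an IIS host) can be scripted. The example below is added here and is not Attrition's own tooling; the naming-pattern rules and the sample hostnames are assumptions, while the file names, the 289-byte size and the defacement strings come from the commentary and the quoted page.

```python
"""Classify resolved hostnames the way the commentary's breakdown does, and
flag IIS web roots carrying the sadmind/IIS worm's defacement files.

Added example: the category regexes and sample hostnames are assumptions;
the four file names, the 289-byte size and the marker strings are taken
from the commentary above."""
import re
import tempfile
from collections import Counter
from pathlib import Path

# File names the worm writes into the IIS web root (each 289 bytes), per the commentary.
WORM_FILES = ("default.asp", "default.htm", "index.asp", "index.htm")
WORM_FILE_SIZE = 289
# Strings from the defacement page quoted in the commentary.
DEFACEMENT_MARKERS = (b"PoizonBOx", b"sysadmcn@yahoo.com.cn")

# Ordered (category, regex) rules; first match wins. These naming patterns are
# assumptions: "adsl" must be tested before "dsl", and "in-addr" catches
# reverse-zone names that never resolved to a real hostname.
RULES = [
    ("in-addr", re.compile(r"in-addr", re.I)),
    ("adsl", re.compile(r"adsl", re.I)),
    ("cable", re.compile(r"cable|cbl", re.I)),
    ("dhcp", re.compile(r"dhcp", re.I)),
    ("dns", re.compile(r"(^|\.)(dns|ns\d*)\.", re.I)),
    ("dsl", re.compile(r"dsl", re.I)),
    ("mail", re.compile(r"(^|\.)(mail|smtp|mx\d*)\.", re.I)),
    ("personal", re.compile(r"dial|ppp|pool|dyn|user", re.I)),
]


def classify_hostname(hostname):
    """Return the breakdown category for a resolved name; 'hostnames' is the fallback."""
    for category, pattern in RULES:
        if pattern.search(hostname):
            return category
    return "hostnames"


def breakdown(results):
    """results: iterable of (hostname, defaced) where defaced is True, False or
    None (None = not tested). Returns {category: (count, defaced_or_None)}."""
    counts = Counter()
    defaced = {}
    for host, status in results:
        cat = classify_hostname(host)
        counts[cat] += 1
        if status is not None:
            defaced[cat] = defaced.get(cat, 0) + (1 if status else 0)
    return {cat: (counts[cat], defaced.get(cat)) for cat in counts}


def format_table(summary):
    """Render the summary in the same layout as the commentary's table
    (percentages are floored, which reproduces the commentary's figures)."""
    lines = ["Count  Type       Defaced", "-----  ----       -------"]
    total = 0
    for cat, (count, hits) in sorted(summary.items()):
        total += count
        cell = "not tested" if hits is None else f"{hits} ({100 * hits // count}%)"
        lines.append(f"{count:5d}  {cat:10s} {cell}")
    lines.append(f"{total:5d}  total")
    return "\n".join(lines)


def looks_like_worm_page(data):
    """True when the page body contains one of the quoted defacement strings."""
    return any(marker in data for marker in DEFACEMENT_MARKERS)


def find_worm_artifacts(webroot):
    """Defender-side check for one IIS host: return the worm file names present
    under webroot that are exactly 289 bytes or carry a defacement marker."""
    hits = []
    for name in WORM_FILES:
        path = Path(webroot) / name
        if path.is_file():
            data = path.read_bytes()
            if len(data) == WORM_FILE_SIZE or looks_like_worm_page(data):
                hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed sample of resolved names; True/False = tested, None = not tested.
    sample = [
        ("adsl-12-34.example.net", None), ("ns1.example.com", True),
        ("ns2.example.com", False), ("mail.example.org", True),
        ("www.example.com", True), ("4.3.2.1.in-addr.arpa", None),
        ("dsl-9-9.example.net", True), ("user-77.pool.example.net", None),
    ]
    print(format_table(breakdown(sample)))

    # Constructed web root with one 289-byte page carrying a quoted marker.
    with tempfile.TemporaryDirectory() as webroot:
        page = b"fuck PoizonBOx\ncontact:sysadmcn@yahoo.com.cn\n"
        (Path(webroot) / "index.htm").write_bytes(page.ljust(WORM_FILE_SIZE, b" "))
        (Path(webroot) / "default.htm").write_bytes(b"<html>clean</html>")
        print("worm artifacts:", find_worm_artifacts(webroot))  # ['index.htm']
```

The breakdown is only as good as the naming rules, so on real data keep the "hostnames" fallback bucket and review it by hand, as the commentary's authors evidently did. The file check is the cheaper of the two signals: a 289-byte default page in an IIS root on the dates in question is a strong indicator on its own, and the marker strings confirm it.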
- The information and commentary is Copyright 2001, by the individual author. Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org are credited. The opinions expressed in this mail are not necessarily the opinion of all Attrition staff members.
Commentary Archive: http://www.attrition.org/security/commentary/
The Attrition Mirror: http://www.attrition.org/mirror/attrition/
Country/TLD Statistics: http://www.attrition.org/mirror/attrition/country.html
Attrition Defacement Statistics: http://www.attrition.org/mirror/attrition/stats.html
Operating System Graphs: http://www.attrition.org/mirror/attrition/os-graphs.html

Other Web Defacement Mailing Lists: http://www.attrition.org/security/lists.html
Contacting Attrition Staff: staff@attrition.org
To subscribe to Defaced Commentary, send mail to majordomo@attrition.org with "subscribe defaced-commentary" in the BODY of the mail (without quotes). To unsubscribe, include "unsubscribe defaced-commentary" in the BODY of the mail.