Worm hits thousands of Solaris and IIS servers

"We've received reports from over 100 sites. These indicate that several thousand Web sites running [Microsoft's] Internet Information Server (IIS) software were defaced and that over 200 Solaris machines were compromised," CERT Internet Security Analyst Chad Dougherty said.

Attrition.org, which monitors Web site defacements, said in a statement that it has received a list with 8836 IP addresses of systems that were hit by the "sadmind/IIS worm." Although Attrition.org could only confirm 405 defacements, specialists connected to the computer security Web site believe that all systems behind the addresses were compromised at one point or another.

CERT, which issued a warning on the worm on Tuesday, said it is continuing to receive reports of both IIS and Solaris machines being struck by the worm. The organisation, part of Pittsburgh's Carnegie Mellon University, advises systems administrators to check if the server software has been patched.

The worm penetrates a server running Sun Microsystems' Solaris operating system, taking advantage of a two-year old security flaw. The Solaris system is set up to scan the Internet for vulnerable IIS and Solaris servers. Anti-American Web pages are posted to vulnerable IIS systems, using a security hole that was uncovered seven months ago. Solaris servers are used by the worm to propagate itself.

Software patches from Sun and Microsoft have long been available to fix the problems. However, the slew of defacements shows that not every Web site administrator is diligent in plugging security holes.

Join the newsletter!

Error: Please check your email address.

More about Attrition.orgCarnegie Mellon University AustraliaCERT AustraliaComputer Emergency Response TeamMellonMicrosoftSun Microsystems

Show Comments
[]