The worm code that has been targeting Sun Microsystems Inc.’s Unix servers and then using them to attack Web servers based on Microsoft Corp.’s software may have successfully compromised and defaced thousands of Web sites, according to security analysts who are tracking its progress.
In a statement issued last Thursday, Chad Dougherty, an Internet security analyst at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, said the organization had received reports about the worm from more than 100 companies. The reports “indicated [that] on the order of several thousand servers using Microsoft’s Internet Information Services (IIS) were defaced” and that more than 200 Sun servers have been compromised, he said.
Dougherty noted that the latter figure “doesn’t include any extrapolation of compromised Solaris machines from the IIS [defacement] logs,” which potentially could mean that even more Sun machines were hit. CERT, a security research and information service, posted an advisory about the worm earlier this week.
Attrition.org, a Web site that documents defacements of Web pages, posted a notice last night saying it had confirmed attacks by the worm against a total of 405 IP addresses. Another 1,842 addresses on a purported victims list that was sent to the site via e-mail proved to be valid but hadn’t been tested for defacements, the notice added.
Nonetheless, Attrition.org said it “is believed that all of the [Internet Protocol addresses] were compromised and defaced at one point or another.” The e-mail that the Attrition.org staff received from an unknown source actually contained a total of more than 8,800 IP addresses that had supposedly been attacked, but only 2,247 could be “resolved,” the notice said.
The self-propagating worm, which has been dubbed “sadmind/IIS,” takes advantage of a security hole in Sun’s Solaris operating system that was discovered two years ago and another one in Microsoft’s IIS Web server software that was uncovered last fall, according to CERT.
As described by CERT, the worm hits the Solaris server first and gives an attacker root-level access to the infected machine. It then uses the system to launch attacks against IIS-based Web servers, defacing them with a crude rant against the U.S. government and what appears to be a Chinese e-mail address.
Software patches that are supposed to fix the problems have long been available from both Sun and Microsoft. But several users have acknowledged that the worm hit their Web sites because they hadn’t installed the relevant patches on their servers.
