11 May, 2001
Symantec Enterprise Security Solutions protect against the sadmind/IIS worm and associated exploits

Affected:
Systems with unpatched Sun Solaris OS versions up to and including Solaris 7
Systems with unpatched versions of Microsoft's IIS 4.0 and 5.0

Overview:
Symantec Corporation advises its customers to be aware of a backdoor worm program known as backdoor.sadmind, or the sadmind/IIS worm. The sadmind/IIS worm has appeared in the wild and is affecting systems that are running unpatched versions of the Solaris Operating System. The worm gains root access on the Solaris platform and then uses that system to launch attacks against unpatched Microsoft IIS 4.0 and 5.0 web servers, defacing their web pages with hostile messages directed at the U.S. government and at the U.S. hacker group PoizonBOx.

Details:
Per CERT advisory CA-2001-11, the sadmind/IIS worm exploits a buffer overflow vulnerability in the sadmind program, which provides remote system administration on Solaris operating systems. The sadmind vulnerability was initially discovered and reported in December 1999 (CERT CA-1999-16). Once the Solaris system is compromised, the worm installs software that generates and scans a list of random IP addresses to find Microsoft systems running IIS web server 4.0 or 5.0. The worm also scans a further list of randomly generated IP addresses for portmap, to identify other Solaris systems it can compromise and use as additional launch platforms.
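Because the worm locates Solaris targets by looking for portmap, a defender's first question is whether a host still registers sadmind with the portmapper at all. The following is an added example, not Symantec ESM's own check, that parses `rpcinfo -p` style output and reports sadmind registrations by RPC program number (100232, the number assigned to sadmind in /etc/rpc) rather than by name, so a host whose /etc/rpc lacks the name is still caught. The rpcinfo text is constructed for the illustration.

```python
"""Report whether rpcinfo output shows sadmind registered with portmap.

Added example, not Symantec ESM's own check.  SAMPLE_RPCINFO below is
constructed in the shape of `rpcinfo -p <host>` output.
"""
import re

SADMIND_PROGRAM = 100232  # RPC program number assigned to sadmind in /etc/rpc

# Constructed sample output; the header line mirrors Solaris rpcinfo -p.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100232   10   udp  32775  sadmind
    100024    1   tcp  32771  status
"""

# program, version, protocol, port and an optional service name.
LINE_RE = re.compile(r'^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$')


def parse_rpcinfo(text):
    """Return one dict per registered RPC service; the header is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, vers, proto, port, service = m.groups()
        entries.append({'program': int(prog), 'version': int(vers),
                        'proto': proto, 'port': int(port),
                        'service': service or ''})
    return entries


def sadmind_registrations(text):
    """Match on the program number, not the name, which is only a local /etc/rpc lookup."""
    return [e for e in parse_rpcinfo(text) if e['program'] == SADMIND_PROGRAM]


def assess(text):
    """Summarise sadmind exposure for one host's rpcinfo output."""
    hits = sadmind_registrations(text)
    return {'sadmind_exposed': bool(hits),
            'ports': sorted({(e['proto'], e['port']) for e in hits})}


if __name__ == '__main__':
    result = assess(SAMPLE_RPCINFO)
    print('sadmind exposed:', result['sadmind_exposed'], 'on', result['ports'])
```

Run the check before and after patching: a host that still reports a program 100232 registration remains reachable through portmap and should be treated as unresolved regardless of what the service column says.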

Symantec Corporation has categorized this as a high-risk vulnerability. All customers currently running Solaris systems and/or Microsoft IIS 4.0 and 5.0 web servers should install the Sun-issued and Microsoft-issued patches immediately.

Risk Impact:
High
This vulnerability is currently being actively exploited.

Security Solution:
On 17 Oct 2000 Microsoft issued security bulletin MS00-078 on the IIS vulnerability "Web Server Folder Traversal". Patches are available for download at:

Sun Microsystems, Inc. issued Security Bulletin #00191 on December 29, 1999 for the sadmind vulnerability currently being exploited by this worm. Patches are available for download for all vulnerable versions of Sun Solaris OS.

If you are running an unpatched version of either Sun Solaris or Microsoft IIS 4.0 or 5.0, you should immediately download and apply the appropriate security patches.

Symantec Enterprise Solutions:
Enterprise Security Manager (ESM), Symantec's vulnerability management and assessment system, can detect the presence of vulnerable sadmind versions as well as vulnerable IIS web servers. Symantec's NetProwler, a network intrusion detection tool, detects attempts to attack Microsoft IIS web servers. Security Update 6 (SU6) will ensure NetProwler is capable of detecting attempts to attack the Sun Solaris operating system via the sadmind worm vulnerability. NetProwler SU6 is downloaded using the product's auto update feature. Norton AntiVirus definitions will protect against this threat.
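For sites without a network IDS in place, the IIS side of this worm also leaves traces in the web server's own logs. The following added example, which is not NetProwler's signature or any Symantec code, decodes the requested path from IIS log lines and flags any request whose decoded path climbs above the web root. The MS00-078 folder-traversal bug is specifically about overlong UTF-8 encodings of the separators (`%c0%af` for `/`, `%c1%9c` for `\`), which a strict UTF-8 decoder rejects and a plain percent-decoder never turns back into separators, so the decoder below deliberately accepts them. The log lines and their field order (date, time, client IP, method, URI stem, query, status) are constructed assumptions for the example.

```python
"""Flag IIS log requests whose decoded path escapes the web root.

Added example, not NetProwler's signature or any Symantec code.  The log
lines are constructed; the field order (date time c-ip cs-method
cs-uri-stem cs-uri-query sc-status) is an assumed W3C extended layout.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log.  Lines 2, 3 and 5 carry traversal attempts;
# the last line has '..' that stays inside the root and must not fire.
SAMPLE_LOG = """\
2001-05-08 10:15:01 192.0.2.10 GET /default.htm - 200
2001-05-08 10:15:07 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200
2001-05-08 10:15:09 192.0.2.77 GET /scripts/..%c1%9c../winnt/system32/cmd.exe - 404
2001-05-08 10:16:30 192.0.2.10 GET /images/logo.gif - 200
2001-05-08 10:17:02 198.51.100.5 GET /msadc/..%5c..%5c../winnt/system32/cmd.exe - 200
2001-05-08 10:18:11 192.0.2.10 GET /docs/../index.htm - 200
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$')


def lenient_utf8(data: bytes) -> str:
    """UTF-8 decode that tolerates overlong sequences (strict decoders reject them)."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b <= 0xDF:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            need, cp = 3, b & 0x07
        else:
            out.append('\ufffd'); i += 1; continue
        tail = data[i + 1:i + 1 + need]
        if len(tail) < need or any(not 0x80 <= t <= 0xBF for t in tail):
            out.append('\ufffd'); i += 1; continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else '\ufffd')
        i += 1 + need
    return ''.join(out)


def decode_path(raw: str) -> str:
    """Percent-decode to bytes, then decode those bytes as lenient UTF-8."""
    return lenient_utf8(unquote_to_bytes(raw))


def escapes_root(path: str) -> bool:
    """True when '..' components take the path above the web root."""
    depth = 0
    for part in re.split(r'[/\\]', path):
        if part == '..':
            depth -= 1
            if depth < 0:
                return True
        elif part not in ('', '.'):
            depth += 1
    return False


def find_traversal(log_text: str) -> list:
    """Return one record per log line whose decoded URI stem escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _date, _time, ip, method, stem, _query, status = m.groups()
        decoded = decode_path(stem)
        if escapes_root(decoded):
            hits.append({'ip': ip, 'method': method, 'raw': stem,
                         'decoded': decoded, 'status': int(status),
                         # a 200 means the server actually served the escaped path
                         'outcome': 'succeeded' if int(status) == 200 else 'attempted'})
    return hits


if __name__ == '__main__':
    for h in find_traversal(SAMPLE_LOG):
        print(f"{h['ip']} {h['outcome']}: {h['raw']} -> {h['decoded']}")
```

The status code separates a blocked attempt from a served one: a 200 on an escaped path means the host was unpatched at that moment and should be treated as compromised, which is the triage order an incident responder wants from this log.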

Copyright (c) 2001 by Symantec Corp.
Permission to redistribute this Alert electronically is granted as long as it is not edited in any way unless authorized by the SARC. Reprinting the whole or part of this Alert in medium other than electronically requires permission from Symantec.
Disclaimer:
The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information.
Symantec, Enterprise Security Manager (ESM), NetProwler, and Sym Security are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Last modified on: Monday, 14-May-01 17:03:38