Aliases
- sadmind/IIS
- Solaris/Sadmind.worm
- Backdoor.Sadmind
- SunOS/BoxPoison
Affected Operating Systems
Recovery Instructions:
Please follow the instructions for removing worms.
The worm creates two directories, /dev/cuc and /dev/cub. /dev/cuc contains the worm files and /dev/cub contains infection logs. Both directories and their contents should be deleted.
The worm prepends the line '/bin/nohup dev/cuc/start.sh >/dev/null 2>&1 &' to /etc/rc2.d/S71rpc. This line should be removed.
A line '+ +' will have been appended to the .rhosts file in root's home directory. This line should be removed.
There will be a file /tmp/.f containing the text 'pcserver stream tcp nowait root /bin/sh sh -i'. A copy of inetd will be running using this file as its configuration file. This means there is an open root shell on TCP port 600. This file should be deleted and the inetd process killed.
After 2000 infections the worm will replace all files named index.html with a new HTML page which displays the text 'fuck USA Government fuck PoizonBOx'. These files will need to be replaced from backup.
There will be several worm processes running on the system. These can be killed manually or the machine can be restarted. Most of the processes are easy to spot because they are scripts which exist in the /dev/cuc directory. Examples are /dev/cuc/sadmin.sh, /dev/cuc/uniattack.sh and /dev/cuc/time.sh.
The worm may also install perl on the system. This can be removed with the package management tools.
To avoid reinfection the system should be patched. There is a patch available to prevent the sadmind exploit at http://sunsolve.sun.com.
Patches for the IIS vulnerability can be obtained from Microsoft at http://www.microsoft.com/technet/security/bulletin/MS00-078.asp.
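The file-system indicators listed above, gathered into a detection script that is an added example and not part of the original advisory. It takes a filesystem root as its argument so a mounted disk image can be checked offline, and assumes root's home directory is / (the Solaris default) and that web content lives somewhere under the same root; the function and file names are this example's own.

```shell
#!/bin/sh
# Added detection script (not from the original advisory): looks for the
# sadmind/IIS worm artifacts under a filesystem root. Assumptions: root's home
# is / (Solaris default) and web content is under the same root. Detection
# only; nothing is deleted. Follow the recovery steps above to clean up.

# Print one line per worm indicator found under the root directory $1.
sadmind_indicators() {
    root="${1%/}"   # "/" becomes "", so "$root/dev/cuc" is a valid path either way
    for d in /dev/cuc /dev/cub; do
        if [ -d "$root$d" ]; then echo "worm directory present: $d"; fi
    done
    # Persistence hook prepended to the rpc startup script
    if [ -f "$root/etc/rc2.d/S71rpc" ] && grep -q 'dev/cuc/start.sh' "$root/etc/rc2.d/S71rpc"; then
        echo "start.sh hook in /etc/rc2.d/S71rpc"
    fi
    # Trust-all entry appended to root's .rhosts
    if [ -f "$root/.rhosts" ] && grep -qx '+ +' "$root/.rhosts"; then
        echo "'+ +' entry in /.rhosts"
    fi
    # Rogue inetd configuration offering a root shell on TCP port 600
    if [ -f "$root/tmp/.f" ] && grep -q 'pcserver stream tcp nowait root /bin/sh sh -i' "$root/tmp/.f"; then
        echo "rogue inetd configuration /tmp/.f"
    fi
    # Defaced index.html pages (slow over a whole live root, fine for an image)
    find "${root:-/}" -type f -name index.html 2>/dev/null | while IFS= read -r f; do
        if grep -q 'PoizonBOx' "$f"; then echo "defaced page: ${f#"$root"}"; fi
    done
    return 0
}

# Number of indicators found, for use in scripts: 0 means nothing was seen.
sadmind_indicator_count() {
    sadmind_indicators "$1" | wc -l | tr -d ' '
}

# Usage: sh sadmind_check.sh /path/to/root   (use / on a live host, as root)
if [ "$#" -gt 0 ]; then
    sadmind_indicators "$1"
    echo "indicators found: $(sadmind_indicator_count "$1")"
fi
```

Running processes from /dev/cuc and the inetd listener on port 600 exist only on a live host, so check those with ps and netstat separately after the file scan.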