Unix/SadMind

Category: Viruses and Spyware
Type: Unix worm
Prevalence: No Reports
Protection available since: 10 May 2001 00:00:00 (GMT)
Last Updated: 06 Mar 2011 17:16:02 (GMT)


Aliases

  • sadmind/IIS
  • Solaris/Sadmind.worm
  • Backdoor.Sadmind
  • SunOS/BoxPoison

Affected Operating Systems

Linux

Recovery Instructions:

Please follow the instructions for removing worms.


The worm will create two directories, /dev/cuc and /dev/cub. /dev/cuc contains the worm files and /dev/cub contains infection logs. Both these directories and their contents should be deleted.

The worm prepends the line '/bin/nohup dev/cuc/start.sh >/dev/null 2>&1 &' to /etc/rc2.d/S71rpc. This line should be removed.

A line '+ +' will have been appended to the .rhosts file in root's home directory. This line should be removed.

There will be a file /tmp/.f containing the text 'pcserver stream tcp nowait root /bin/sh sh -i'. A copy of inetd will be running using this file as the configuration file. This means there is an open root shell on tcp port 600. This file should be deleted and the inetd process killed.

After 2000 infections the worm will replace all files named index.html with a new html page which displays the text 'fuck USA Government fuck PoizonBOx'. These files will need to be replaced from backup.

There will be several worm processes running on the system. These can be killed manually or the machine can be restarted. Most of the processes are easy to spot because they are scripts which exist in the /dev/cuc directory. Examples are /dev/cuc/sadmin.sh, /dev/cuc/uniattack.sh and /dev/cuc/time.sh.

The worm may also install perl on the system. This can be removed with the package management tools.

To avoid reinfection the system should be patched. There is a patch available to prevent the sadmind exploit at http://sunsolve.sun.com.

Patches for the IIS vulnerability can be obtained from Microsoft at http://www.microsoft.com/technet/security/bulletin/MS00-078.asp.
