11 May 2001
The defacement worm which started making its way around the web at the start of the week may be responsible for defacing almost 9000 websites over the last few days - all by itself.
A Computer Emergency Response Team (CERT) newsflash noted a marked increase in network reconnaissance activity, which it attributed to the sadmind/IIS worm scanning for vulnerable IIS boxes.
The worm uses known exploits to take control of a Solaris server and then uses that as a platform to break into and automatically deface Microsoft IIS boxes with the message: "Fuck USA government".
The worm also claims to come from a Chinese source, but there is no way of confirming this and it may well be a ploy to increase the tension between the US and China after the supposed cyber war.
CERT said that "several thousand" servers may well have been defaced by the worm and acknowledged reports that over 200 unpatched Solaris servers have been infected over the last few days and are actively searching for vulnerable IIS machines.
To support these announcements, staff at web defacement mirror Attrition.org received an email containing a list of 8836 IP addresses that were said to be victims of the worm.
The group managed to resolve 2247 of these addresses, confirming that they had been defaced by the worm. The others were unavailable but this could be because they have been taken down for repairs after the worm hit.
Attrition said: "Given that we do not know the date of the list, the rather large percentage that were compromised, and the source of the list, it is believed that all of the IPs were compromised and defaced at one point or another."
This may lead us to believe that the US versus China cyber war is continuing on its own even after the 'cease fire'. Or that some canny coder out there is trying to wind up hackers on both sides of the water and kick off another media field day about a virtual third world war.