[WEB4LIB] RE: SunOS/BoxPoison virus
Dan Lester
dan at riverofdata.com
Mon May 21 15:45:24 EDT 2001
http://vil.nai.com/vil/virusSummary.asp?virus_k=99085 tells how it
spreads from Solaris (7 or earlier, unpatched) to IIS. Although this
is new (last 13 days), the Solaris vulnerability goes back to late 99,
according to Sun. We've checked our Sun box and it isn't
contaminated, but it did hit http://lester.boisestate.edu/
yesterday. I've left an affected page up at
http://lester.boisestate.edu/images/. Basically, it puts a new,
identical page to that shown in every occupied directory under your
IIS root web, putting copies in as index.htm, index.asp, default.htm,
and default.asp, thus covering all the bases that most boxes would
use. I left the nasty page in the images directory since no one
would ever put a page there anyway.
The fixes are relatively simple (replacing pages from backup) and
there is no apparent contamination to the IIS server.
But those running Solaris should check carefully, as after it hits
2000 IIS servers it then trashes index pages on the Sun box too.
And some ask why I support capital punishment..... And why I'm about
to put ZoneAlarm or something on the boxes in question. Suggestions
for the firewall?
cheers
dan
Monday, May 21, 2001, 1:19:15 PM, you wrote:
ME> Ugh, just discovered we have gotten this, too....
ME> Margaret Escherich
ME> Senior Librarian/Webmistress
ME> Oakland Public Library
ME> http://oaklandlibrary.org
>> -----Original Message-----
>> From: web4lib at webjunction.org
>> [mailto:web4lib at webjunction.org]On Behalf Of Julie James
>> Sent: Saturday, May 19, 2001 6:23 PM
>> To: Multiple recipients of list
>> Subject: [WEB4LIB] RE: SunOS/BoxPoison virus
>>
>>
>> It's a worm
>> http://vil.nai.com/vil/dispVirus.asp?virus_k=99085
>> "
>> Method Of Infection
>> Infected machines scan random IP addresses looking for other systems to
>> infect. When one is found, a buffer overflow exploit is used to compromise
>> that computer which then propagates the virus as well.
>> "
>> ~~~
>> Julie James
>> Technology Consultant
>> The Library of Virginia
>> 804/692-0800
>> jjames at lva.lib.va.us
>>
>> -----Original Message-----
>> From: Mary Pugh
>> To: Multiple recipients of list
>> Sent: 5/19/01 2:54 PM
>> Subject: [WEB4LIB] SunOS/BoxPoison virus
>>
>> Bad News Bears! We were hit with the SunOS/BoxPoison virus on our Dynix
>> WebPac server. Our virus scanner caught it before any real damage. I have
>> checked the McAfee and the CERT advisory and I still don't understand how
>> this virus is spread. I did not pay great attention to the bulletin I
>> received because we use NT and not Sun. It appears we needed a patch for
>> our IIS and that is now fixed. But how does this thing work, where did it
>> spread from?
>>
>>
>> Mary Pugh Orcas Island Library District
>> Network Administrator 500 Rose Street
>> 360.376.4985 Eastsound, WA 98245
>> 360.376.5750 fax www.orcaslibrary.org
--
Dan Lester, Data Wrangler dan at RiverOfData.com
3577 East Pecan, Boise, Idaho 83716-7115 USA
www.riverofdata.com www.postcard.org www.gailndan.com
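
The post above describes one identical page being written as index.htm, index.asp, default.htm and default.asp in every occupied directory under the IIS web root. The following check for that pattern is an added example, not part of the original thread: it hashes those four default documents and reports any content that appears in several directories. The function names, the `min_dirs` threshold and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Default-document names the post says were overwritten in each directory.
DEFAULT_DOCS = {"index.htm", "index.asp", "default.htm", "default.asp"}


def find_mass_replaced_pages(web_root, min_dirs=2):
    """Return {sha256: sorted list of paths} for default documents whose
    identical content appears in at least `min_dirs` different directories."""
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower() in DEFAULT_DOCS:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        digest = hashlib.sha256(fh.read()).hexdigest()
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                by_hash[digest].append(path)
    suspicious = {}
    for digest, paths in by_hash.items():
        if len({os.path.dirname(p) for p in paths}) >= min_dirs:
            suspicious[digest] = sorted(paths)
    return suspicious


def build_sample_tree(root):
    """Constructed sample: one legitimate catalog page, plus the same planted
    page under all four names in two directories."""
    planted = b"<html>constructed stand-in for the replaced page</html>"
    for sub in ("images", "docs"):
        os.makedirs(os.path.join(root, sub))
        for name in DEFAULT_DOCS:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(planted)
    os.makedirs(os.path.join(root, "catalog"))
    with open(os.path.join(root, "catalog", "index.htm"), "wb") as fh:
        fh.write(b"<html>real catalog page</html>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for digest, paths in find_mass_replaced_pages(root).items():
            print(digest[:12], *paths, sep="\n  ")
```

The returned paths are the files to restore from backup; a site that legitimately serves the same default page from several directories will also be listed and needs a manual look.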