There was a pro-China hacker that got his way into several places last night with that same message. They hit a company that specializes in B2B direct email marketing campaigns during one of its send routines, switched a few scripts, and sent that HTML as an email to at least tens of thousands+ of unsuspecting recipients. I'd offer more, but my employer reads this. Maybe bkdelong can provide us some inside 411.
posted by Hankins at 1:47 PM on May 7, 2001

attrition.org has some information on this new cyber us/china blitzkrieg. sadly, most of the cracked boxes appear to be running IIS... imagine that.
posted by o2 at 2:09 PM on May 7, 2001

Thanks....that was a big help there. I appreciate it.
posted by bradth27 at 2:20 PM on May 7, 2001

They got one of my boxes as well. It was running IIS. They are using FireDaemon. You can get the Microsoft Patch here. Looking at the server, it appears that it was all automated so they probably hit a bunch of servers. This one that they hit would have been pretty hard to find.
posted by iscavenger at 4:09 PM on May 7, 2001

Thanks a lot, again. I will go to the update site for the patch as soon as I get to work tomorrow. Right now, I have a 17 month chewing on my ankle as I write.
posted by bradth27 at 5:21 PM on May 7, 2001

They managed to get Pace University School of Business too.
posted by tomorama at 6:21 PM on May 7, 2001

I was incredibly surprised at how many sites got hit with this defacement. We must have had over 100 reports in the last week by readers, users and visitors to Web sites. Even some admins reported it to us. Someone sent us their logs and it looks like the defacement was done by line commands using something called root.exe. All it took was one line to deface most sites which explains why it's been EVERYWHERE.
posted by bkdelong at 6:25 PM on May 7, 2001

Some chinese script kiddie hit our site -- I work for a major non-profit -- and left a weird little scrawl about American Hegemonism. It even had music, which was a strange touch.

Yeah... we were running IIS 4, but that doesn't mean our site should get defaced...

I mean, this guy used Frontpage to make his defaced page -- jeez!
posted by ph00dz at 6:33 PM on May 7, 2001

So did WebEx and the TerraServer.
posted by bkdelong at 6:51 PM on May 7, 2001

We've had this attack like this tried on our boxes about a month ago. It's an internet worm which is exploiting some well know vulnerabilities in solaris as well as IIS.

Here's the CERT advisory about it.
posted by lagado at 5:29 AM on May 8, 2001