Re: IIS Exploit...

From: Bob Johnson (bobat_private)
Date: Wed May 09 2001 - 05:46:30 PDT

    Chris Hobbs wrote:
    >
    > Well, not too much info here - regrettably my snort rules file got
    > zeroed out when whitehats.com changed their format. So, all I have is my
    > IIS logs - however, it's pretty straightforward what happened:
    >
    > 19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
    > 19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
    > 19:01:02 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 502
    > 19:01:06 210.45.192.25 GET /scripts/root.exe 502
    > 19:01:10 210.45.192.25 GET /scripts/root.exe 502
    > 19:01:14 210.45.192.25 GET /scripts/root.exe 502
    > 19:01:14 210.45.192.25 GET /scripts/root.exe 502
    >
    > That goes on for quite some time - it ended up creating several files in
    > every directory on the website - index.asp, index.htm, default.asp, and
    > default.htm.
    >
    
    These exploits have been hitting huge blocks of addresses.  One version
    was described yesterday in a CERT bulletin:
    
    http://www.cert.org/advisories/CA-2001-11.html
    
    That one is relatively benign; it seems to only alter the web pages.
    There are others that install evil tools on the target IIS server.
    
    > IP address resolves to a university in China, so I suspect the odds of
    > getting assistance are about nil.
    >
    > Moral of the story: I upgraded to SP6A on this NT4 box 10 days ago.
    > Running IIS 4.0 still. I assumed that SP's applied patches to the web
    > server as well as the OS - either this isn't the case, or something new
    > developed in those last 10 days.
    
    The SP only updates you to the patches that were released before the
    SP.  You still need to apply all patches released since then.  The
    easy way to do that is to visit http://windowsupdate.microsoft.com
    and let it tell you what you need.
    
    - Bob
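A detection pass over IIS log lines of the kind quoted above, as an added example that is not part of this thread and not code from either poster. It parses the same five-field layout (time, client IP, method, URI, status), flags requests that traverse out of /scripts or ask for cmd.exe / root.exe, and summarises per source address, treating a 200 on such a request as a sign the command actually ran while a 502 is a CGI failure. The sample log is constructed for the example (the 210.45.192.25 lines mirror the excerpt; the 10.0.0.5 lines are invented benign traffic), and the field layout is assumed from the excerpt rather than from any particular IIS log format setting.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log in the same layout as the excerpt quoted above
# (time, client IP, method, URI, status). The 10.0.0.5 lines are invented
# benign traffic so the filter has something to leave alone.
SAMPLE_LOG = """\
19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
19:01:02 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 502
19:01:06 210.45.192.25 GET /scripts/root.exe 502
19:01:10 210.45.192.25 GET /scripts/root.exe 502
19:01:14 210.45.192.25 GET /scripts/root.exe 502
19:02:00 10.0.0.5 GET /default.htm 200
19:02:03 10.0.0.5 GET /images/logo.gif 304
"""

# Assumed field layout: HH:MM:SS, client IP, method, URI, 3-digit status.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<ip>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<uri>\S+)\s+(?P<status>\d{3})$"
)

# Artifacts named in the thread: the system shell reached by traversal, and
# the copy of it that shows up in /scripts as root.exe.
SUSPECT_FILES = ("cmd.exe", "root.exe")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(uri):
    """Return the reasons a request URI looks like this attack; empty list if clean."""
    # Decode one layer of %XX so '%2e%2e' is seen as '..'. Overlong UTF-8 forms
    # are not normalised here; IIS usually logs the decoded path anyway, as the
    # excerpt shows.
    decoded = unquote(uri).lower()
    # Treat '..\' and '../' alike.
    path = decoded.replace("\\", "/")
    reasons = []
    if any(seg == ".." for seg in path.split("/")):
        reasons.append("directory traversal")
    name = path.rsplit("/", 1)[-1].split("?", 1)[0]
    if name in SUSPECT_FILES:
        reasons.append(f"request for {name}")
    return reasons


def scan(log_text):
    """Return the suspicious records from a block of log text, each with its reasons."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["uri"])
        if reasons:
            rec["reasons"] = reasons
            findings.append(rec)
    return findings


def summarize(findings):
    """Per-source summary: hit count, time window, and whether any hit returned 200."""
    by_ip = defaultdict(
        lambda: {"hits": 0, "first": None, "last": None, "succeeded": False}
    )
    for f in findings:
        s = by_ip[f["ip"]]
        s["hits"] += 1
        s["first"] = f["time"] if s["first"] is None else min(s["first"], f["time"])
        s["last"] = f["time"] if s["last"] is None else max(s["last"], f["time"])
        # A 200 on a cmd.exe request means the shell ran; 502 is a CGI failure.
        if f["status"] == 200:
            s["succeeded"] = True
    return dict(by_ip)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["status"], f["uri"], "->", "; ".join(f["reasons"]))
    for ip, s in summarize(found).items():
        print(f"{ip}: {s['hits']} hits {s['first']}-{s['last']}, success={s['succeeded']}")
```

Run against the sample it reports six hits from 210.45.192.25 between 19:00:57 and 19:01:14 with success=True, which is the condition under which the file-dropping described in the thread becomes possible. The single unquote() is deliberate: it catches the plain %2e%2e spelling without double-decoding, and the comment marks the overlong-UTF-8 variants as out of scope for this check.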
    



    This archive was generated by hypermail 2b30 : Thu May 10 2001 - 17:04:14 PDT