RE: Possible way to avoid unknown IIS vulnerabilities

From: Michael Katz (mikeat_private)
Date: Thu Aug 09 2001 - 22:20:19 PDT


    On Wednesday, August 08, 2001 11:31 PM, Mark Lewis wrote:
    
    > While poking around in my logs following Code Red I started noticing that
    > there were no entries indicating any attempts. Not fully believing this I
    > went ahead and got Snort back up and running and waited 10 min and I already
    > had 17 hits. After thinking a bit I came to the conclusion that the cause
    > for this is host headers. Now, how this applies to future vulnerabilities is
    > this: most of these script based attacks generate random IPs, so if you use
    > host headers even if only one site is present it would require a name to
    > tell the web server which dir to send the request to. Not sure how effective
    > this would be against Unicode type exploits, but I feel it would have helped
    > with CR. Should be able to accomplish the same thing with Apache too.....
    > Any thoughts or experiences?
    
    Mark,
    
    Using host headers on IIS servers will likely protect you from more than 90% of the attacks that are currently circulating, as most of them rely on scanning and exploitation via http://yourIPaddress. This is particularly true for Code Red v1 and v2, the sadmind/IIS worm, the new Code Red II worm and the common scripted scans for decoding vulnerabilities. However, you should take the following into consideration:
    
    1) It won't protect you from people who use search engines to find potentially vulnerable servers and attackers who have targeted your server;
    
    2) You should not allow this additional layer of protection to lull you into a false sense of security - secure configuration of IIS including removal of unused server extension mappings and default virtual directories and application of current patches is still needed; and
    
    3) Your server will no longer log any of the scans and attempts that use the IP address. In the absence of IDS, web server access logs are a useful tool for knowing what is out there and what is trying to get into your server.
    
    Michael Katz
    mikeat_private
    Responsible Solutions, Ltd.
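    The mechanism discussed in this thread, as an added illustration that is not from either poster: a small model of host-header dispatch that routes a request to a named site only when its Host header matches, sends everything else (no Host header, or a bare IP as the host) to a catch-all default binding, and keeps a separate record of those unmatched requests so the logging visibility raised in point 3 is not lost. Site names and sample requests are constructed for the example.

```python
"""Model of host-header-bound web sites plus a logging catch-all.

Requests that address the server by bare IP or send no Host header never
reach a named site; the default binding records them instead of dropping
them silently. Hostnames and requests below are constructed, not captured.
"""
from dataclasses import dataclass, field

SITES = {"www.example.test"}  # constructed: sites bound to a host header


@dataclass
class Dispatcher:
    sites: set
    served: list = field(default_factory=list)     # (host, target) per named site
    unmatched: list = field(default_factory=list)  # default-binding access log

    def route(self, raw: bytes) -> str:
        """Return the site that would serve the request, or 'default' if none."""
        head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        request_line, *header_lines = head.split("\r\n")
        parts = request_line.split(" ")
        method = parts[0]
        target = parts[1] if len(parts) > 1 else "/"
        headers = {}
        for line in header_lines:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        # Strip an optional :port; an absent header yields the empty string.
        host = headers.get("host", "").split(":")[0].lower()
        if host in self.sites:
            self.served.append((host, target))
            return host
        # No matching host header (HTTP/1.0 probe, bare IP, unknown name):
        # keep the access-log entry the IP-bound site would have written.
        self.unmatched.append((host or "<none>", method, target))
        return "default"


# Constructed sample requests (not real traffic).
NORMAL = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
          b"Connection: close\r\n\r\n")
BY_IP = b"GET /probe HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
NO_HOST = b"GET /probe HTTP/1.0\r\n\r\n"


def demo() -> Dispatcher:
    d = Dispatcher(set(SITES))
    for req in (NORMAL, BY_IP, NO_HOST):
        d.route(req)
    return d
```

    Running `demo()` shows one request reaching the named site and two landing in the default binding's log, which is the record an administrator would otherwise lose.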
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:38:04 PDT