from http://www.incidents.org/react/code_redII.php :

Finally, we'd like to thank Jason Fossen for testing the workings of the Code Red II registry settings and providing insightful information regarding these. Jason made the interesting discovery that if a virtual directory which already exists (e.g. /scripts and /msadc) is modified in the registry, then the next time IIS restarts the modifications are overwritten with the authoritative info from the metabase. That is, direct changes to the registry for previously existing virtual folders (/scripts and /msadc) are not picked up by IIS and the added permissions aren't reflected in the GUI. On the other hand, if a virtual directory is created in the registry which did not previously exist (e.g. /c and /d) then these changes are written to the metabase, hence, making the changes survive restarts of IIS. Jason speculates that this registry-to-metabase flushing may exist for backwards compatibility with older versions of IIS. All tests were performed on Windows 2000 Advanced Server SP2.

-----Original Message-----
From: Garreth Jeremiah/Markham/IBM [mailto:gjeremiaat_private]
Sent: Tuesday, 14 August 2001 8:28 a.m.
To: incidentsat_private
Subject: MSIIS servers patched/de-doored, but C and D keep coming back

I have been receiving a number of reports suggesting that on certain devices, after full patching and cleaning - the /C and /D keep coming back after a reboot.

Anyone explain what is happening? Is this an IIS thing or a Windows thing?

(note some of these machines were running the French Version of Win2K)

Thanks
______________________________
Garreth J Jeremiah.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 10:58:28 PDT