RE: MSIIS servers patched/de-doored, but C and D keep coming back

From: Mike Horne (mike.horneat_private)
Date: Mon Aug 13 2001 - 17:58:14 PDT


    from http://www.incidents.org/react/code_redII.php :
    
    Finally, we'd like to thank Jason Fossen for testing the workings
    of the Code Red II registry settings and providing insightful information
    regarding these. Jason made the interesting discovery that if a virtual
    directory which already exists (e.g. /scripts and /msadc) is modified
    in the registry, then the next time IIS restarts the modifications are
    overwritten with the authoritative info from the metabase. That is, direct
    changes to the registry for previously existing virtual folders (/scripts
    and /msadc) are not picked up by IIS and the added permissions aren't
    reflected in the GUI. On the other hand, if a virtual directory is created
    in the registry which did not previously exist (e.g. /c and /d) then these
    changes are written to the metabase, hence, making the changes survive
    restarts of IIS. Jason speculates that this registry-to-metabase flushing
    may exist for backwards compatibility with older versions of IIS. All
    tests were performed on Windows 2000 Advanced Server SP2.
    
    -----Original Message-----
    From: Garreth Jeremiah/Markham/IBM [mailto:gjeremiaat_private]
    Sent: Tuesday, 14 August 2001 8:28 a.m.
    To: incidentsat_private
    Subject: MSIIS servers patched/de-doored, but C and D keep coming back
    
    
    I have been receiving a number of reports suggesting that on certain
    devices, after full patching and cleaning - the /C and /D keep coming back
    after a reboot.
    
    Anyone explain what is happening?  Is this an IIS thing or a Windows thing?
    
    ( note some of these machines were running the French Version of Win2K )
    
    Thanks
    ______________________________
    Garreth J Jeremiah.
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
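
An added example, not part of the original messages or of the incidents.org analysis: a post-cleanup audit that compares the virtual directories held in the registry with those held in the metabase, since the quoted explanation says newly created roots such as /c and /d are written through to the metabase. The listings, baseline, paths and function names are constructed assumptions; exporting the two listings from a real server is not shown.

```python
import re

# Constructed sample listings: {virtual directory: physical path}.
# The registry was cleaned by hand; the metabase still holds the added roots.
SAMPLE_REGISTRY = {"/Scripts": r"c:\inetpub\scripts", "/MSADC": r"c:\msadc"}
SAMPLE_METABASE = {"/Scripts": r"c:\inetpub\scripts", "/MSADC": r"c:\msadc",
                   "/C": "c:\\", "/D": "d:\\"}
BASELINE = {"/scripts", "/msadc"}  # directories the administrator expects

DRIVE_ROOT = re.compile(r"^[A-Za-z]:[\\/]*$")  # "c:", "c:\" or "c:/"

def canon(name):
    """Canonical form so '/C', '/c/' and 'c' compare equal."""
    return "/" + name.strip().strip("/").lower()

def audit_vroots(registry, metabase, baseline):
    """Return sorted (name, store, reason) findings across both stores."""
    expected = {canon(n) for n in baseline}
    findings = set()
    for store, listing in (("registry", registry), ("metabase", metabase)):
        for raw_name, path in listing.items():
            name = canon(raw_name)
            if DRIVE_ROOT.match(path.strip()):
                findings.add((name, store, "maps a whole drive"))
            if name not in expected:
                findings.add((name, store, "not in baseline"))
    return sorted(findings)

def still_in_metabase(findings):
    """Names flagged in the metabase copy. The quoted analysis calls the
    metabase authoritative at IIS restart, so these need removing there too."""
    return sorted({name for name, store, _ in findings if store == "metabase"})

if __name__ == "__main__":
    for finding in audit_vroots(SAMPLE_REGISTRY, SAMPLE_METABASE, BASELINE):
        print(*finding, sep="  ")
```
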
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 10:58:28 PDT