Re: IIS Exploit...

[Bob Johnson <bob () ENG UFL EDU>]

Chris Hobbs wrote:
> Well, not too much info here - regrettably my snort rules file got
> zeroed out when whitehats.com changed their format. So, all I have is my
> IIS logs - however, it's pretty straightforward what happened:
>
> 19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
> 19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
> 19:01:02 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 502
> 19:01:06 210.45.192.25 GET /scripts/root.exe 502
> 19:01:10 210.45.192.25 GET /scripts/root.exe 502
> 19:01:14 210.45.192.25 GET /scripts/root.exe 502
> 19:01:14 210.45.192.25 GET /scripts/root.exe 502
>
> That goes on for quite some time - it ended up creating several files in
> every directory on the website - index.asp, index.htm, default.asp, and
> default.htm.

These exploits have been hitting huge blocks of addresses.  One version
was described yesterday in a CERT bulletin:

http://www.cert.org/advisories/CA-2001-11.html

That one is relatively benign, it seems to only alter the web pages:
there are others that install evil tools on the target IIS server.

> IP address resolves to a university in China, so I suspect the odds of
> getting assistance are about nil.
>
> Moral of the story: I upgraded to SP6A on this NT4 box 10 days ago.
> Running IIS 4.0 still. I assumed that SP's applied patches to the web
> server as well as the OS - either this isn't the case, or something new
> developed in those last 10 days.

The SP only updates you to the patches that were released before the
SP.  You still need to apply all patches released since then.  The
easy way to do that is to visit http://windowsupdate.microsoft.com
and let it tell you what you need.

- Bob