Information Security News mailing list archives

UPDATE: Microsoft's Network Cracked Three Times in Two Weeks


From: William Knowles <wk () C4I ORG>
Date: Wed, 8 Nov 2000 20:32:20 -0600

http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=16055

Windows IT Security News
Mark Joseph Edwards
November 8, 2000

Adding insult to injury, Microsoft's network was once again cracked
for the second time in two weeks. The most recent break-in was
perpetrated last Friday by a Dutch cracker using the name "Dimitri",
who gained entry to the Microsoft Events Web server, which is used to
inform the public of the company's scheduled events. A message on the
site says the Web is being retired and directs users to the new site.

Dimitri gained access to the server by exploiting a known problem in
Internet Information Server (IIS), which Microsoft created a patch for
(MS00-057) in August of this year. The company subsequently added a
related fix to the patch (MS00-078) in October and urged
administrators worldwide to ensure the new IIS patch was applied.
However, Microsoft apparently failed to apply the patch to at least
one of its own exposed IIS servers.

The bug exploited by Dimitri pertains to the use of specially
formatted URLs that contain UNICODE characters, which allow a remote
user to traverse Web folders on the logical drive. The end result is
that an attacker could perform any action that a locally logged-on
user could perform.

According to an IDG news report, Dimitri claimed to have viewed sensitive
architectural characteristics of Microsoft Web servers, learning that
they belong to a domain called "Houston" where each system is set up
with the same disk image. In addition Dimitri uploaded a text file to
the site that contained the phrase "Hack the planet", and claims to
have downloaded files that contain administrative user names and
passwords. The cracker claims that as a result of the break-in he also
gained access to Microsoft's download site, where he could have
inserted Trojans into the company's downloadable software.

Microsoft didn't become aware of the break-in until Dimitri had
contacted IDG News--the news service subsequently contacted Microsoft
to report the intrusion. A Microsoft spokesperson confirmed the
break-in, stating the company's security teams would recheck their
systems to ensure that patches had been applied. However, Microsoft
security teams apparently didn't recheck the systems quickly enough. On
Tuesday, four days after the initial break-in and Web site defacement,
the Microsoft Events server remained unpatched and Dimitri struck
again. This time the Dutch hacker uploaded a file named
oopsididitagain.htm that said "Patching your systems is very hard
huh". A second line said "MSG to Britney Spears: I loved your concert
in the netherlands [sic]." A mirror of the latest crack is
available in the Attrition.org archives.


http://www.attrition.org/mirror/attrition/2000/11/07/events.microsoft.com/OopsIdidItAgain.htm


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
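
Added example, not part of the original article or post: a log check for the kind of request the article describes. The article says only that the URLs contained "UNICODE characters"; this sketch assumes they were non-shortest-form (overlong) UTF-8 encodings of path characters. The log format, sample lines and function names are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

SENSITIVE = {"/", "\\", "."}  # characters a path check must see in plain form

# Constructed sample lines: "METHOD path status" (not a real IIS log format).
SAMPLE_LOG = [
    "GET /events/default.htm 200",
    "GET /events/caf%C3%A9.htm 200",          # valid 2-byte UTF-8, must not alert
    "GET /scripts/..%c0%af../probe.txt 404",  # 2-byte overlong '/'
    "GET /scripts/..%c1%9c../probe.txt 404",  # 2-byte overlong '\'
    "GET /a%e0%80%af/b 404",                  # 3-byte overlong '/'
]

def overlong_sequences(raw_path):
    """Return (hex_bytes, decoded_char) for each non-shortest-form UTF-8 sequence."""
    data = unquote_to_bytes(raw_path)
    hits, i = [], 0
    while i < len(data):
        b0 = data[i]
        if b0 < 0x80:                 # plain ASCII byte
            i += 1
            continue
        # sequence length implied by the lead byte (0 = not a lead byte)
        n = 2 if b0 >> 5 == 0b110 else 3 if b0 >> 4 == 0b1110 else 4 if b0 >> 3 == 0b11110 else 0
        seq = data[i:i + n]
        if n == 0 or len(seq) < n or any(b >> 6 != 0b10 for b in seq[1:]):
            i += 1                    # stray or truncated byte, skip it
            continue
        cp = b0 & (0xFF >> (n + 1))   # payload bits of the lead byte
        for b in seq[1:]:
            cp = (cp << 6) | (b & 0x3F)
        # smallest code point that legitimately needs n bytes
        if cp < {2: 0x80, 3: 0x800, 4: 0x10000}[n]:
            hits.append((seq.hex(), chr(cp)))
        i += n
    return hits

def suspicious_requests(log_lines):
    """Return (line, hits) for requests that hide a path-significant character."""
    flagged = []
    for line in log_lines:
        _method, path, _status = line.split()
        hits = [h for h in overlong_sequences(path) if h[1] in SENSITIVE]
        if hits:
            flagged.append((line, hits))
    return flagged

if __name__ == "__main__":
    for line, hits in suspicious_requests(SAMPLE_LOG):
        print(line, "->", hits)
```

A server that validates the path before this second decoding step sees no separator in the flagged requests, which is why the check works on the decoded bytes rather than on the raw string.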

