From: Russ (Russ.CooperRC.ON.CA)
Date: Wed May 09 2001 - 09:34:29 CDT

    Some of you may have already noticed a marked increase in the number
    of IIS defacements over recent weeks. Apparently this is due to a
    Solaris-based worm which, after compromising a vulnerable Solaris
    box, propagates itself and attempts to attack IIS boxes it can find.

    The IIS vulnerability it exploits is to use ..\ navigation to copy
    cmd.exe into the \scripts directory as root.exe and then perform a
    series of commands to replace index.asp (although I've been told that
    some default.asp pages have been overwritten by this code also).

    This IIS vulnerability was first addressed by MS00-057 (Aug.10,2000).
    MS00-078 (Oct.17,2000) reminded folks to get the MS00-057 fix, and
    MS00-086 (Nov.6,2000) fixed it also. Each of these Microsoft Security
    Bulletins referred to variations on the same issue, or additionally
    affected platforms.

    From what we've seen most of the machines that are being compromised
    are NT 4.0 IIS 4.0 boxes that have never had appropriate patches
    applied to them (Service Pack installed but no patches). More than a
    few are development boxes, plus quite a few Outlook Web Access boxes.

    Unfortunately, CERT Advisory CA-2001-11 refers to MS00-078 for the
    patch, when it should really point to MS00-086 since it fixes the same
    components and affords additional protection against vulnerabilities
    discovered after MS00-057 was released. The CERT Advisory also makes
    reference to MS01-023 for some unknown reason. The best information
    we have suggests that MS01-023 has nothing to do with this worm or
    the current spate of defacements.

    For more information read;
    http://www.microsoft.com/technet/security/bulletin/MS00-086.asp

    and for background;
    http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
    http://www.microsoft.com/technet/security/bulletin/MS00-057.asp

    Keep current on your patches by checking the following URLs
    regularly;

    Windows NT 4.0 with SP6a and IIS 4.0
    http://www.microsoft.com/technet/security/current.asp?productID=16&servicePackId=7
    Windows 2000 with SP1 and IIS 5.0
    http://www.microsoft.com/technet/security/current.asp?productID=17&servicePackId=1

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
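
A log check for the behaviour described in the message above, as an added example that is not part of the original post: it scans IIS logs in W3C extended format for requests to root.exe under /scripts and for ..\ navigation ending at cmd.exe. The sample log lines, client addresses and function names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample in W3C extended log format (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-09 09:01:12 192.0.2.10 GET /default.asp - 200
2001-05-09 09:01:40 192.0.2.77 GET /scripts/..\\..\\cmd.exe - 200
2001-05-09 09:01:41 192.0.2.77 GET /scripts/root.exe - 200
2001-05-09 09:02:03 192.0.2.78 GET /scripts/%2e%2e%5ccmd.exe - 404
2001-05-09 09:03:00 192.0.2.11 GET /docs/root.exe.html - 404
"""

def normalize(stem):
    """Percent-decode until stable, then fold backslashes and case."""
    prev = None
    while prev != stem:
        prev, stem = stem, unquote(stem, errors="replace")
    return stem.replace("\\", "/").lower()

def classify(stem):
    """Return the reasons a request path matches the behaviour in the post."""
    path = normalize(stem)
    segments = path.split("/")
    findings = []
    if path.endswith("/scripts/root.exe"):
        findings.append("root.exe in scripts directory")
    if ".." in segments and segments[-1] == "cmd.exe":
        findings.append("dot-dot navigation to cmd.exe")
    return findings

def scan(log_text):
    """Yield (client ip, status, findings) for every suspicious log line."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order is set per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        findings = classify(row.get("cs-uri-stem", ""))
        if findings:
            hits.append((row.get("c-ip"), row.get("sc-status"), findings))
    return hits

if __name__ == "__main__":
    for ip, status, findings in scan(SAMPLE_LOG):
        print(ip, status, "; ".join(findings))
```

A 200 status on a /scripts/root.exe request means the file was served, so that host should be treated as already compromised rather than merely probed.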