FWIW - incidents.org inquiring on possible IWAP_WWW account added to recent IIS compromised servers
From: Jeffrey Thomas (jthomas_at_ETAXFN.COM)
Date: 06/28/04
- Previous message: Jeffrey Thomas: "IWAP_WWW account showing up on XP boxes, not just IIS?"
Date: Mon, 28 Jun 2004 11:55:18 -0400 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
IWAP_WWW is definitely not a standard IIS 5.0 account. I think WS03 (IIS 6) has similar accounts by default (or they're named closely; will have to check myself). So are folks assuming a default IIS account has been maliciously added, or is this a non-legit account added? I say IIS 5 as I've heard these were the servers involved in last week's fiasco, but then again we've heard a lot of speculation the last few days. But since no one wants to name the guilty parties and be very specific, it's kind of hard to figure out what is fact or fiction (similar to how the media has this story so screwed up (aka virus, used for spamming, and so on)).
What versions of IIS are involved here...for sure, not guesses?
What were the patch levels involved?
How exactly did the server get compromised?
Then just maybe, we as administrators can have some confidence that we are either sitting ducks for an unpatched hole or we're safe since we're fully patched. Right now, there is just a massive "fog of war" on this topic out there due to an absence of solid information, just a ton of speculation and incorrect statements by the media.
A lot more facts, a lot less guessing, and a bit less secrecy and fewer errors would do us all some good on this mess. Not to mention Redmond getting their act together on a patch for all these holes ASAP. It should be clear as day that last week's attack is just a prelude to more attacks any day now.
I'm only fussing/inquiring over this here as this would be the list I would expect to use to sort out fact from fiction.
J. Thomas
Here's the latest tidbit off www.incidents.org :
Handlers Diary June 28th 2004
Updated June 28th 2004 13:53 UTC (Handler: Jim Clausing)
IWAP_WWW account on compromised IIS servers
Request for Information: IWAP_WWW account
We have received information about compromised systems with Internet Information Server. These systems had an administrator level account with the username 'IWAP_WWW' added.
Please check if your server has such an account and let us know what you find. Until we know more, we suggest that you consider a server compromised if you find an administrator account with this username.
-------------------------------------------------------------------
Johannes Ullrich, jullrich_at_sans.org
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----
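A host check along the lines of the incidents.org request above, added here as an example and not taken from the original post or from incidents.org. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module, and that Security audit log event ID 4720 (user account created) is available for the creation lookup; the account name list is a parameter so other names can be checked the same way.

```powershell
# Added example (not part of the original post): look for the IWAP_WWW local
# account, report whether it sits in the local Administrators group (the
# condition the handlers treat as a compromise indicator), and pull any
# account-creation audit events for it so the timeline can be reconstructed.
# Assumes Windows PowerShell 5.1+ (Get-LocalUser / Get-LocalGroupMember) and
# that account-management auditing writes event ID 4720 to the Security log.
param(
    [string[]]$SuspectNames = @('IWAP_WWW')   # constructed default from the diary entry
)

function Test-SuspectLocalAdmin {
    param([string[]]$Names)

    # Member names come back as COMPUTERNAME\user (or DOMAIN\user); keep the trailing part.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
              ForEach-Object { ($_.Name -split '\\')[-1] }

    $findings = @()
    foreach ($n in $Names) {
        # Get-LocalUser errors when the account does not exist; treat that as "absent".
        $user = Get-LocalUser -Name $n -ErrorAction SilentlyContinue
        if (-not $user) { continue }

        # Account-creation events (4720) whose message names this account.
        $created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } `
                       -ErrorAction SilentlyContinue |
                   Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($n))\b" } |
                   Select-Object -ExpandProperty TimeCreated

        $findings += [pscustomobject]@{
            Account         = $user.Name
            Enabled         = $user.Enabled
            PasswordLastSet = $user.PasswordLastSet
            LastLogon       = $user.LastLogon
            IsLocalAdmin    = ($admins -icontains $n)
            CreatedEvents   = @($created)
        }
    }
    return $findings
}

$results = Test-SuspectLocalAdmin -Names $SuspectNames
if (-not $results) {
    Write-Output "No account named $($SuspectNames -join ', ') exists on $env:COMPUTERNAME."
} else {
    $results | Format-List
    foreach ($r in $results | Where-Object IsLocalAdmin) {
        Write-Warning "$($r.Account) is a local Administrator on $env:COMPUTERNAME; treat this host as compromised per the incidents.org guidance."
    }
}
```

Run it elevated so the Security log can be read; a hit with IsLocalAdmin set to True is the condition the diary entry asks you to report.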