Re: #Include with parent paths
From: Daniel Hartley (dhartley@data2you.net)
Date: 01/14/03
- Next message: Jennifer Sanders: "Invasive Messenger Service"
- Previous message: Rahul: "registry file question"
- In reply to: Lisa Cozzens [MSFT]: "Re: #Include with parent paths"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Daniel Hartley" <dhartley@data2you.net> Date: Mon, 13 Jan 2003 16:21:47 -0800
Thanks for the help.
I downloaded and ran hfnetchk, and it gave 2 warnings saying hhctrl.ocx and
sp3res have file versions greater than expected. What does this mean, or
how is this possible?
Thanks,
Dan
"Lisa Cozzens [MSFT]" <lcozzens@online.microsoft.com> wrote in message
news:UAHd$P1uCHA.2460@cpmsftngxa06...
> > Thanks for the response.
> >
> > When I installed Windows 2000 Adv Server the first time, I failed to do
> > any patching right away. And sure enough, within 5 minutes of having port
> > 80 open to the world, the server was compromised by Nimda. So I reformatted
> > and started from scratch, making sure to do the patches before exposing the
> > server, and everything seems to be working fine now.
>
> Unfortunately, that's not at all uncommon. My normal procedure for bringing
> up a new box is:
> 1. Unplug the network cable.
> 2. Install Windows 2000.
> 3. Set WWW Publishing Service to Disabled.
> 4. Plug in the network cable.
> 5. Install all necessary service packs/security patches.
> 6. Set WWW Publishing Service to Automatic.
>
> If you have all the necessary patches on CD-ROM, that's even better. You
> can fully patch the machine before connecting it to the network.
>
> > 2 questions though.
> >
> > 1) Why does enabling parent paths through IIS pose a security risk?
>
> For maximum security, you should be able to limit the files that a web
> client can view through your IIS server. If a file isn't in
> \inetpub\wwwroot and isn't in a virtual directory linked into IIS, a web
> client shouldn't be able to view that file. If you enable parent paths,
> this is not the case. For example, if you have a file called insecure.asp
> in c:\inetpub\wwwroot, you can view a file called veryimportantfile.txt in
> C:\Winnt through the web by including the following line in insecure.asp:
> <!-- #include file="../../winnt/veryimportantfile.txt"-->
>
> This is a security risk -- you're able to view a file in a
> non-IIS-accessible directory. With parent paths disabled, the ../../
> notation doesn't work, so you can only view files in IIS-accessible
> directories.
>
> > 2) What do I need to do to keep up to date with security updates and patches?
> > I use the Windows Update feature frequently, but is this all I need to do?
> > Do all security updates show up through Windows Update?
>
> Windows Update is good. Hfnetchk is better for keeping servers up-to-date
> on security patches:
> Q315665 HOW TO: Use the Hfnetchk Hotfix Checker Tool
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q315665
>
> Q303215 Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is
> Available
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q303215
>
> Thanks,
> Lisa
>
> >
> > Thanks again,
> > Dan
> >
> > "Lisa Cozzens [MSFT]" <lcozzens@online.microsoft.com> wrote in message
> > news:eOs#WNCuCHA.2424@cpmsftngxa09...
> > > Hi Dan,
> > >
> > > What's going on is that someone was trying to hack into your server by
> > > taking advantage of some security holes that existed in old versions of
> > > IIS. Fortunately, it looks like your server is properly patched, so it
> > > didn't let the attacker in.
> > >
> > > It's hard to tell whether this was an automated attack or whether it was
> > > actually someone specifically targeting your system. Some of the requests
> > > are classic symptoms of a Nimda-infected machine making automated attacks
> > > against random IP addresses, but others are unusual and aren't part of any
> > > standard worm attack that I've seen. They might indicate that a hacker
> > > specifically went after your system.
> > >
> > > At any rate, these requests have nothing to do with whether or not parent
> > > paths were disabled. Disabling parent paths simply means that you can't use
> > > parent paths from within your ASP code. These requests aren't coming from
> > > ASP code -- they're coming from someone or some machine that's just hitting
> > > IIS directly.
> > >
> > > For more information on the hole this hacker was trying to exploit, see:
> > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-057.asp
> > > As you can see, a patch has been available to protect against these kinds
> > > of attacks since August of 2000.
> > >
> > > Hope this helps,
> > > Lisa
> > >
> > > --------------------
> > > > From: "Daniel Hartley" <dhartley@data2you.net>
> > > > Subject: #Include with parent paths
> > > > Date: Thu, 9 Jan 2003 10:35:11 -0800
> > > > Lines: 53
> > > > X-Priority: 3
> > > > X-MSMail-Priority: Normal
> > > > X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> > > > Message-ID: <#RdHX3AuCHA.2028@TK2MSFTNGP11>
> > > > Newsgroups: microsoft.public.inetserver.iis.security
> > > > NNTP-Posting-Host: 66-17-15-254.bkfd.arrival.net 66.17.15.254
> > > > Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP11
> > > > Xref: cpmsftngxa06 microsoft.public.inetserver.iis.security:13952
> > > > X-Tomcat-NG: microsoft.public.inetserver.iis.security
> > > >
> > > > Hi,
> > > > I've recently learned that having parent paths enabled for
> > > > websites/virtual directories is a security risk (even though it is enabled
> > > > by default). However, I can't seem to find out exactly why. Anyone know?
> > > > I suspect it has something to do with hackers trying to run system programs
> > > > or scripts but don't know for sure. After reading this, I disabled that
> > > > option in IIS for all my websites/virtual directories (only 1 project used
> > > > parent paths), and looked closely at my older IIS log files (from when
> > > > parent paths were still enabled) to see if I could find if someone was
> > > > trying to exploit this security risk. I ran into this, which looks awfully
> > > > suspicious:
> > > >
> > > > #Software: Microsoft Internet Information Services 5.0
> > > > #Version: 1.0
> > > > #Date: 2002-11-25 13:35:53
> > > > #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
> > > > 2002-11-25 13:35:53 211.23.169.108 - 123.123.123.123 80 GET /msadc/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> > > > 2002-11-25 13:36:00 211.23.169.108 - 123.123.123.123 80 GET /scripts/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> > > > 2002-11-25 13:36:36 211.23.169.108 - 123.123.123.123 80 GET - - 501 Mozilla/3.0+(compatible)
> > > > 2002-11-25 13:36:51 211.23.169.108 - 123.123.123.123 80 GET /msadc/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> > > > 2002-11-25 13:36:57 211.23.169.108 - 123.123.123.123 80 GET /scripts/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> > > > 2002-11-25 13:37:33 211.23.169.108 - 123.123.123.123 80 GET - - 501 Mozilla/3.0+(compatible)
> > > > 2002-11-25 13:37:40 211.23.169.108 - 123.123.123.123 80 GET /....../config.sys - 404 Mozilla/3.0+(compatible)
> > > > 2002-11-25 13:37:40 211.23.169.108 - 123.123.123.123 80 GET /....../etc/hosts - 404 Mozilla/3.0+(compatible)
> > > >
> > > >
> > > > (Hope that looks ok, this is from an IIS log file from November, I changed
> > > > our server's IP to 123.123.123.123)
> > > >
> > > > This looks pretty scary to me. Can anyone shed some light on exactly what's
> > > > going on, and is this a result of having parent paths enabled?
> > > >
> > > > Thanks,
> > > > Dan
> > > >
> > > >
> > > > ---
> > > > Outgoing mail is certified Virus Free.
> > > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > > Version: 6.0.438 / Virus Database: 246 - Release Date: 1/7/2003
> > > >
> > > >
> > > >
> > >
> > > -----
> > > Please do not send email directly to this alias. This is an online
> > > account name for newsgroup participation only.
> > >
> > > This posting is provided "AS IS" with no warranties, and confers
> > > no rights. You assume all risk for your use.
> > >
> > > © 2002 Microsoft Corporation. All rights reserved.
> > >
--- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.443 / Virus Database: 248 - Release Date: 1/10/2003
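Lisa's explanation of why parent paths are a risk, modelled in Python as an added example (this is not code from the thread and not IIS's own logic): it resolves an ASP `#include file="..."` path with parent paths enabled versus disabled, then applies the containment check a developer should make regardless of the setting, against the web root and any virtual directory roots. Paths are forward-slash strings so the script runs on any OS; `/inetpub/wwwroot` stands in for C:\inetpub\wwwroot, `/winnt` for C:\Winnt, and the virtual directory `/data/vdir` and all file names are assumptions.

```python
"""Model of ASP '#include file=' resolution under the IIS parent paths setting.

Added example, not IIS's code or code from the thread.  Paths are modelled as
forward-slash strings so the script runs on any OS; the roots below stand in
for C:\\inetpub\\wwwroot (the web root) and a hypothetical virtual directory.
"""
import posixpath

# Directories IIS may legitimately serve from: the web root plus each virtual
# directory linked into the site (the second entry is an assumption).
IIS_ROOTS = ["/inetpub/wwwroot", "/data/vdir"]

# Directory of the including script, e.g. /inetpub/wwwroot/insecure.asp.
SCRIPT_DIR = "/inetpub/wwwroot"


class DisallowedParentPath(Exception):
    """Raised when '..' appears in an include and parent paths are disabled."""


def resolve_include(include_path, script_dir=SCRIPT_DIR, parent_paths_enabled=True):
    """Return the absolute file an '#include file="..."' directive would read.

    With parent paths disabled IIS refuses any '..' segment outright, whether
    or not the path would have stayed inside the web root.  With parent paths
    enabled the path is simply joined and normalised, which is what lets
    '../../winnt/...' walk out of \\inetpub\\wwwroot.
    """
    path = include_path.replace("\\", "/")        # IIS accepts either separator
    if not parent_paths_enabled and ".." in path.split("/"):
        raise DisallowedParentPath(include_path)
    return posixpath.normpath(posixpath.join(script_dir, path))


def is_under_any_root(abs_path, roots=IIS_ROOTS):
    """True if abs_path equals one of the roots or lies beneath it."""
    for root in roots:
        root = root.rstrip("/")
        if abs_path == root or abs_path.startswith(root + "/"):
            return True
    return False


def check_include(include_path, parent_paths_enabled=True):
    """Classify an include as ('allowed', path), ('escapes-root', path) or ('rejected', None).

    'escapes-root' is the case Lisa describes: the directive resolves, but the
    target sits outside every IIS-served directory.  A containment check like
    this one is what application code should apply when a site genuinely
    needs parent paths for its own include files.
    """
    try:
        target = resolve_include(include_path, parent_paths_enabled=parent_paths_enabled)
    except DisallowedParentPath:
        return ("rejected", None)
    if is_under_any_root(target):
        return ("allowed", target)
    return ("escapes-root", target)


if __name__ == "__main__":
    for setting in (True, False):
        print("parent paths %s:" % ("enabled" if setting else "disabled"))
        for inc in ("inc/header.inc",
                    "../../winnt/veryimportantfile.txt",
                    "..\\..\\winnt\\veryimportantfile.txt",
                    "../../data/vdir/shared.inc"):
            print("  %-40s -> %s" % (inc, check_include(inc, setting)))
```

The point the output makes is that disabling parent paths rejects even `../../data/vdir/shared.inc`, which would have landed inside a served directory; containment checking in code is what distinguishes that harmless include from the one that reads C:\Winnt.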
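A detector for the kind of traffic in Dan's log, as an added example in Python (not from the thread, and not a Nimda signature): it parses the W3C extended format from the `#Fields:` header, flags requests that reach for cmd.exe, contain a traversal segment or name a file outside the web root, and groups the hits by client with a count of how many were answered 2xx. The sample lines are the thread's own excerpt re-keyed into the script; the `......` in the stems is reproduced as it appears on the page, with no claim about the raw bytes of the request. Rule names and the one constructed 200-status line in the test are my own.

```python
"""Triage of IIS W3C extended log lines for traversal / cmd.exe probes.

Added example (not from the thread).  The rules are generic heuristics for
the request family in Dan's log, not a Nimda signature.  SAMPLE_LOG is the
thread's excerpt (server address already anonymised to 123.123.123.123).
"""
import re
from collections import Counter

SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-11-25 13:35:53
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-11-25 13:35:53 211.23.169.108 - 123.123.123.123 80 GET /msadc/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2002-11-25 13:36:00 211.23.169.108 - 123.123.123.123 80 GET /scripts/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2002-11-25 13:36:36 211.23.169.108 - 123.123.123.123 80 GET - - 501 Mozilla/3.0+(compatible)
2002-11-25 13:36:51 211.23.169.108 - 123.123.123.123 80 GET /msadc/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2002-11-25 13:36:57 211.23.169.108 - 123.123.123.123 80 GET /scripts/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2002-11-25 13:37:33 211.23.169.108 - 123.123.123.123 80 GET - - 501 Mozilla/3.0+(compatible)
2002-11-25 13:37:40 211.23.169.108 - 123.123.123.123 80 GET /....../config.sys - 404 Mozilla/3.0+(compatible)
2002-11-25 13:37:40 211.23.169.108 - 123.123.123.123 80 GET /....../etc/hosts - 404 Mozilla/3.0+(compatible)
"""

# (rule name, log field, pattern).  The traversal pattern accepts any path
# segment that begins with '..': plain '..', the '......' form in this log,
# and still-encoded variants such as '..%5c..' or '..%c1%1c..'.
RULES = [
    ("cmd-exec",       "cs-uri-stem",  re.compile(r"/cmd\.exe$", re.I)),
    ("traversal",      "cs-uri-stem",  re.compile(r"(^|/)\.\.[^/]*(/|$)")),
    ("sensitive-file", "cs-uri-stem",  re.compile(r"/(winnt|windows)/|/etc/(passwd|hosts)$|/config\.sys$|/boot\.ini$", re.I)),
    ("shell-switch",   "cs-uri-query", re.compile(r"^/c\+", re.I)),   # 'cmd.exe /c ...'; IIS logs spaces as '+'
]


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header: %r" % line)
        values = line.split(" ")
        if len(values) != len(fields):      # IIS never writes a space inside a value,
            continue                        # so a count mismatch is a damaged line: skip it
        yield dict(zip(fields, values))


def classify(record):
    """Return the names of every rule the record trips, in RULES order."""
    return [name for name, field, rx in RULES if rx.search(record.get(field, ""))]


def triage(records):
    """Group flagged requests by client IP.

    'succeeded' counts flagged requests answered 2xx.  The 404s and 501s in
    the sample are what a patched server returns, so that count stays zero;
    a non-zero value is the line to escalate on.
    """
    summary = {}
    for rec in records:
        hits = classify(rec)
        if not hits:
            continue
        entry = summary.setdefault(rec["c-ip"], {"flagged": 0, "succeeded": 0, "rules": Counter()})
        entry["flagged"] += 1
        entry["rules"].update(hits)
        if rec["sc-status"].startswith("2"):
            entry["succeeded"] += 1
    return summary


if __name__ == "__main__":
    for ip, info in triage(parse_w3c(SAMPLE_LOG.splitlines())).items():
        verdict = "COMPROMISE LIKELY" if info["succeeded"] else "blocked"
        print("%s: %d flagged, %d succeeded (%s) %s"
              % (ip, info["flagged"], info["succeeded"], verdict, dict(info["rules"])))
```

Run against the excerpt it reports one client, six flagged requests and zero successes, which is the same conclusion Lisa drew by eye: probes for an old IIS hole that the patched server refused. Feeding it a day's log rather than eight lines is where the grouping earns its keep, since a single 200 on a flagged request from any client is what turns "noise" into an incident.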