RE: W3SVC, SMTP, IISAdmin services stopping..hacking?
From: Lisa Cozzens [MSFT] (lcozzens_at_online.microsoft.com)
Date: 05/29/03
- Next message: Steve Cobb: "Installed SSL Certificate Doesn't Stick"
- Previous message: jim c: "How many certificates"
- In reply to: Lisa: "W3SVC, SMTP, IISAdmin services stopping..hacking?"
- Next in thread: Mike Larson: "RE: W3SVC, SMTP, IISAdmin services stopping..hacking?"
- Reply: Mike Larson: "RE: W3SVC, SMTP, IISAdmin services stopping..hacking?"
Date: Thu, 29 May 2003 21:25:19 GMT
1. Make sure you've applied the following fix:

815021 MS03-007: Unchecked Buffer in Windows Component May Cause Web Server
Compromise
http://support.microsoft.com/?id=815021
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

That SEARCH request is indicative of an attempt to exploit the
vulnerability closed by that fix.

2. Check your URLScan configuration
(C:\Winnt\System32\inetsrv\urlscan\urlscan.ini). The default configuration
of URLScan blocks SEARCH requests such as this one. If you see
UseAllowVerbs=1 under [Options], make sure that SEARCH does *not* appear in
the [AllowVerbs] section. If you see UseAllowVerbs=0 under [Options], make
sure that SEARCH *does* appear in the [DenyVerbs] section. For more
information on configuring URLScan:

326444 HOW TO: Configure the URLScan Tool
http://support.microsoft.com/?id=326444

Also, make sure that URLScan is listed as a global ISAPI filter. (Open
Internet Services Manager -> right click on your server name -> Properties
-> click on Edit button next to Master WWW Service -> ISAPI Filters tab ->
check that URLScan appears in the list.) If URLScan no longer appears in
the global ISAPI filter list, you should reinstall it.

3. While you're at it, go ahead and install the latest cumulative security
rollup patch for IIS:

811114 MS03-018: May 2003 Cumulative Patch for Internet Information Services
http://support.microsoft.com/?id=811114
http://www.microsoft.com/technet/security/bulletin/MS03-018.asp

This rollup does not contain the fix for the problem you're seeing, but it
does contain a number of other very important security fixes for IIS. You
should install it on any server running IIS as a security "best practice."

Hope this helps,
Lisa
--------------------
> From: "Lisa" <ljohnson@sagesol.com>
> Subject: W3SVC, SMTP, IISAdmin services stopping..hacking?
> Date: Wed, 28 May 2003 09:48:10 -0700
> Newsgroups: microsoft.public.inetserver.iis.security
>
> We've had the following entries in our IIS 5.0 log. They
> correlate to the same time as IIS Admin, W3SVC,SMTP, and
> other web related services stop on our OWA server. The
> server in question has both the IIS Lockdown and URLScan
> applied. Any ideas?
>
> 195.36.244.243, -, 5/20/2003, 8:15:12, W3SVC1, YYY,
> 192.168.xxx.x, 32, 39, 210, 411, 0, SEARCH, /, -,
>
>
-----
Please do not send email directly to this alias. This is an online
account name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.
© 2003 Microsoft Corporation. All rights reserved.
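
The URLScan verb check from step 2 of the reply, as an added Python example that is not part of the original thread or of URLScan itself. The function names and sample configurations are constructed; treating a missing UseAllowVerbs as 1, matching [AllowVerbs] case-sensitively and matching [DenyVerbs] case-insensitively are assumptions.

```python
# Added example: audit urlscan.ini text for whether a verb (SEARCH) is blocked.
def parse_urlscan(text):
    """Return {lowercased section name: [entries]} for urlscan.ini text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' begins a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def verb_blocked(text, verb="SEARCH"):
    """Return (blocked, reason) using the UseAllowVerbs rule from the reply."""
    sections = parse_urlscan(text)
    options = {}
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        options[key.strip().lower()] = value.strip()
    # Assumption: a missing UseAllowVerbs is treated as 1 (allow-list mode).
    if options.get("useallowverbs", "1") == "1":
        # Assumption: [AllowVerbs] entries are matched case-sensitively.
        listed = verb in sections.get("allowverbs", [])
        where = "in" if listed else "not in"
        return (not listed, f"UseAllowVerbs=1, {verb} {where} [AllowVerbs]")
    # Assumption: [DenyVerbs] entries are matched case-insensitively.
    listed = verb.lower() in (v.lower() for v in sections.get("denyverbs", []))
    where = "in" if listed else "not in"
    return (listed, f"UseAllowVerbs=0, {verb} {where} [DenyVerbs]")

# Constructed sample configurations (not taken from the poster's server).
SAMPLES = {
    "allow_ok": "[Options]\nUseAllowVerbs=1 ; allow-list\n[AllowVerbs]\nGET\nHEAD\nPOST\n",
    "allow_weak": "[Options]\nUseAllowVerbs=1\n[AllowVerbs]\nGET\nPOST\nSEARCH\n",
    "deny_ok": "[options]\nUseAllowVerbs=0\n[DenyVerbs]\nPROPFIND\nsearch\n",
    "deny_weak": "[Options]\nUseAllowVerbs=0\n[DenyVerbs]\nPROPFIND\n",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        blocked, reason = verb_blocked(cfg)
        print(f"{name}: {'OK' if blocked else 'SEARCH NOT BLOCKED'} ({reason})")
```

To audit a real server, pass the contents of the urlscan.ini file named in step 2 to verb_blocked() in place of the samples.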