RE: W3SVC, SMTP, IISAdmin services stopping..hacking?

From: Mike Larson (mlarson_at_alamo-group.com)
Date: 05/30/03


Date: Thu, 29 May 2003 16:22:20 -0700


Well, you told me how my hacker got in.
003-05-11 22:07:05 216.77.239.34 - 192.168.33.10 80 SEARCH / - 411 210 43 172 HTTP/1.1 216.81.226.252 - - -

How come hfnetchk and Windows Update make no mention of this patch? Why is this patch not included with the cumulative patch? Cumulative implies all needed patches for said system.

>-----Original Message-----
>1. Make sure you've applied the following fix:
>815021 MS03-007: Unchecked Buffer in Windows Component May Cause Web Server Compromise
>http://support.microsoft.com/?id=815021
>http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
>That SEARCH request is indicative of an attempt to exploit the vulnerability closed by that fix.
>
>2. Check your URLScan configuration (C:\Winnt\System32\inetsrv\urlscan\urlscan.ini). The default configuration of URLScan blocks SEARCH requests such as this one. If you see UseAllowVerbs=1 under [Options], make sure that SEARCH does *not* appear in the [AllowVerbs] section. If you see UseAllowVerbs=0 under [Options], make sure that SEARCH *does* appear in the [DenyVerbs] section. For more information on configuring URLScan:
>326444 HOW TO: Configure the URLScan Tool
>http://support.microsoft.com/?id=326444
>Also, make sure that URLScan is listed as a global ISAPI filter. (Open Internet Services Manager -> right click on your server name -> Properties -> click on Edit button next to Master WWW Service -> ISAPI Filters tab -> check that URLScan appears in the list.) If URLScan no longer appears in the global ISAPI filter list, you should reinstall it.
>
>3. While you're at it, go ahead and install the latest cumulative security rollup patch for IIS:
>811114 MS03-018: May 2003 Cumulative Patch for Internet Information Services
>http://support.microsoft.com/?id=811114
>http://www.microsoft.com/technet/security/bulletin/MS03-018.asp
>This rollup does not contain the fix for the problem you're seeing, but it does contain a number of other very important security fixes for IIS. You should install it on any server running IIS as a security "best practice."
>
>Hope this helps,
>Lisa
>
>--------------------
>> From: "Lisa" <ljohnson@sagesol.com>
>> Subject: W3SVC, SMTP, IISAdmin services stopping..hacking?
>> Date: Wed, 28 May 2003 09:48:10 -0700
>> Newsgroups: microsoft.public.inetserver.iis.security
>>
>> We've had the following entries in our IIS 5.0 log. They correlate to the same time as IIS Admin, W3SVC, SMTP, and other web related services stop on our OWA server. The server in question has both the IIS Lockdown and URLScan applied. Any ideas?
>>
>> 195.36.244.243, -, 5/20/2003, 8:15:12, W3SVC1, YYY, 192.168.xxx.x, 32, 39, 210, 411, 0, SEARCH, /, -,
>>
>
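The URLScan verb check (step 2 of the quoted reply) and the SEARCH log entries from both messages, as an added example that is not part of the thread: a Python script (used here so the check runs anywhere, in place of the era's Windows tooling) that applies the UseAllowVerbs rule to a urlscan.ini and lists SEARCH requests in both IIS log layouts quoted above. The ini fragments and log lines are constructed; the host name OWA1 and the client addresses are placeholders.

```python
# Added example, not from the thread; ini fragments and log lines below are constructed.
import configparser
import re
# Constructed urlscan.ini fragments: weak one lets SEARCH through, fixed one denies it.
URLSCAN_INI_WEAK = """
[Options]
UseAllowVerbs=1
[AllowVerbs]
GET
POST
SEARCH
"""
URLSCAN_INI_FIXED = """
[Options]
UseAllowVerbs=0
[DenyVerbs]
SEARCH
"""

def search_blocked(ini_text):
    """UseAllowVerbs=1: SEARCH absent from [AllowVerbs]; UseAllowVerbs=0: SEARCH in [DenyVerbs]."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(ini_text)  # urlscan.ini lists bare verbs, one per line
    verbs = lambda s: {v.upper() for v in cfg.options(s)} if cfg.has_section(s) else set()
    if cfg.get("Options", "UseAllowVerbs", fallback="0").strip() == "1":
        return "SEARCH" not in verbs("AllowVerbs")
    return "SEARCH" in verbs("DenyVerbs")
# Constructed log lines in the two layouts quoted in the thread (W3C extended and
# native comma-separated); client addresses are documentation ranges, OWA1 is a placeholder.
LOG_LINES = [
    "2003-05-11 22:07:05 203.0.113.7 - 192.168.33.10 80 GET /exchange/ - 200 0 1532 301 HTTP/1.1",
    "2003-05-11 22:07:05 203.0.113.7 - 192.168.33.10 80 SEARCH / - 411 210 43 172 HTTP/1.1",
    "198.51.100.9, -, 5/20/2003, 8:15:12, W3SVC1, OWA1, 192.168.33.10, 32, 39, 210, 411, 0, SEARCH, /, -,",
]

def search_requests(lines):
    """Return (client_ip, uri, status) for every SEARCH request in either layout."""
    hits = []
    for line in lines:
        if re.match(r"\d{4}-\d\d-\d\d ", line):
            # W3C: date time c-ip user s-ip s-port method uri query status ...
            f = line.split()
            if len(f) < 10: continue
            c_ip, method, uri, status = f[2], f[6], f[7], f[9]
        else:  # native: c-ip, user, date, time, svc, host, s-ip, taken, in, out, status, win32, method, uri, query
            f = [x.strip() for x in line.split(",")]
            if len(f) < 14: continue
            c_ip, method, uri, status = f[0], f[12], f[13], f[10]
        if method.upper() == "SEARCH":
            hits.append((c_ip, uri, status))
    return hits
```

Running `search_blocked` on the live urlscan.ini and `search_requests` over the W3SVC log directory gives a quick answer to both questions in the reply: whether the filter is configured to stop SEARCH, and which clients sent it.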

