New exploit?

From: RussKie (google_at_gamestah.com)
Date: 05/31/04

    Date: 31 May 2004 02:46:35 -0700
    
    

    Recently one of my IIS boxes got rooted - all active sites were
    defaced and more importantly the hackers managed to get access to some
    databases which reside above website's roots (eg: website root is at
    c:\web\html, and the db resides in c:\web\data).

    In the logs the following info:
    cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken
    GET /database.mdb - 200 64 2679028 425 248891
    GET /Default.htm - 200 0 360 362 0
    GET /database.mdb - 206 0 4827107 484 530766

    None of the above files existed, then they suddenly appeared there.

    Win2k SP4, IIS5, urlscan is installed, directory browsing is turned
    off, no write permissions to the directories... Some sites have SSL
    on.

    Can anyone shed some light on what might have happened?
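
An added example, not part of the original post: Python code that parses the W3C extended log fields quoted above and reports requests where a data file was actually delivered, including whether the transfer was cut off. The function names and the extension list are assumptions chosen for illustration; the sample input is the three entries from the post.

```python
# Constructed sample: the three entries quoted in the post, in its field order.
SAMPLE_LOG = """\
#Fields: cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken
GET /database.mdb - 200 64 2679028 425 248891
GET /Default.htm - 200 0 360 362 0
GET /database.mdb - 206 0 4827107 484 530766
"""

# Assumption: extensions treated as data files that should never be served.
DATA_EXTENSIONS = (".mdb", ".bak", ".sql")
# Win32 error 64 is ERROR_NETNAME_DELETED: the connection dropped mid-transfer.
CONNECTION_DROPPED = 64

def to_int(value):
    """W3C logs write '-' for an empty field; treat that as 0."""
    return int(value) if value.isdigit() else 0

def parse_w3c(text):
    """Yield one dict per entry, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip truncated entries
                yield dict(zip(fields, values))

def served_data_files(text):
    """Return entries where a data file was sent in full (200) or in part (206)."""
    hits = []
    for entry in parse_w3c(text):
        stem = entry.get("cs-uri-stem", "")
        status = to_int(entry.get("sc-status", "-"))
        if stem.lower().endswith(DATA_EXTENSIONS) and status in (200, 206):
            hits.append({
                "uri": stem,
                "status": status,
                "partial": status == 206,  # 206 = Range request, e.g. a resumed download
                "interrupted": to_int(entry.get("sc-win32-status", "-")) == CONNECTION_DROPPED,
                "bytes_sent": to_int(entry.get("sc-bytes", "-")),
                "seconds": to_int(entry.get("time-taken", "-")) / 1000.0,  # IIS logs milliseconds
            })
    return hits

if __name__ == "__main__":
    for hit in served_data_files(SAMPLE_LOG):
        print(hit)
```

On the sample, the first entry is flagged as an interrupted 200 and the second as a 206 partial transfer of the same file.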

