Re: Russian IIS hack? Malicious Javascript code

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 06/24/04


Date: Thu, 24 Jun 2004 19:35:00 GMT

On 23 Jun 2004 18:08:55 -0700, utwes@hotmail.com (Wes Carberry) wrote:

>Paul:
>
>I'm not so sure it was a hacker alone and that it wasn't a worm. A
>server that I help to maintain was also "attacked" 6/22/04 at 5:21am
>CST. 7 .dll files were deposited in the winnt\system32\inetsrv
>directory named iis7xy.dll where x is a random number that appears to
>be between 1-3 and y is a random character or number.
>
>Additionally, this attack changed IIS settings to include one (or
>several) of those files as a Document Footer to all documents served
>by this particular server.

How about telling us the method of attack? You know it was attacked,
how do you know and what logs do you have?

Jeff

>I think your question still applies, though, and I'd have to consider
>this a Windows vulnerability since we're behind a firewall and
>patched. I'd be interested to see if anyone can come up with a cause
>of this.
>
>Wes
>
>Paul Lynch <paul.lynch@nospam.com> wrote in message news:<gumhd01faq0m59akfr4pkfshprhqo5no4d@4ax.com>...
>> <snip>...'how did this stuff get onto my server and what can I do to
>> secure my server and stop it happening again?'
>>
>> I'd suggest you start here:
>>
>> http://securityadmin.info/faq.asp#hackerstoc
>>
>>
>> Regards,
>>
>> Paul Lynch
>> MCSE
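
The two indicators Wes describes (the iis7xy.dll file names in inetsrv and a Document Footer pointing at one of them) can be checked with a short script. This is an added example, not part of the original thread: the listing and footer values are constructed sample data, and the "FILE:" prefix on a footer value and the rule that a footer should never be a DLL are assumptions made for the example.

```python
import ntpath
import re

# Wes's description: iis7xy.dll, x "appears to be between 1-3",
# y "a random character or number".
STRICT = re.compile(r"^iis7[1-3][0-9a-z]\.dll$", re.IGNORECASE)
# Looser form: x only "appears" to be 1-3, so keep other values visible.
LOOSE = re.compile(r"^iis7[0-9a-z]{2}\.dll$", re.IGNORECASE)

def classify(path):
    """Return 'match', 'near-match' or None for a Windows path or file name."""
    base = ntpath.basename(path)
    if STRICT.match(base):
        return "match"
    if LOOSE.match(base):
        return "near-match"
    return None

def suspect_files(listing):
    """Map each flagged name in a directory listing to its verdict."""
    out = {}
    for name in listing:
        verdict = classify(name)
        if verdict:
            out[name] = verdict
    return out

def suspect_footers(footers):
    """footers: {site name: footer setting}. Flags a footer that names a
    pattern file, or any .dll at all (assumption: a legitimate footer is
    an HTML fragment, not a DLL)."""
    out = {}
    for node, value in footers.items():
        # Assumption: file footers are stored as "FILE:<path>".
        path = value[5:] if value.upper().startswith("FILE:") else value
        verdict = classify(path)
        if verdict is None and path.lower().endswith(".dll"):
            verdict = "dll-as-footer"
        if verdict:
            out[node] = verdict
    return out

# Constructed sample data, not taken from the affected server.
SAMPLE_LISTING = ["asp.dll", "iis71a.dll", "IIS73Q.DLL", "iis79x.dll",
                  "iisadmin.dll", "w3svc.dll"]
SAMPLE_FOOTERS = {
    "W3SVC/1": r"FILE:C:\WINNT\system32\inetsrv\iis72k.dll",
    "W3SVC/2": r"FILE:D:\sites\shared\footer.htm",
}

if __name__ == "__main__":
    print(suspect_files(SAMPLE_LISTING))
    print(suspect_footers(SAMPLE_FOOTERS))
```

A "near-match" is a name of the same shape whose third character falls outside the 1-3 range Wes observed; it is worth a look but is weaker evidence than a "match".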