From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: Thu, 24 Jun 2004 19:35:00 GMT
On 23 Jun 2004 18:08:55 -0700, firstname.lastname@example.org (Wes Carberry) wrote:
>I'm not so sure it was a hacker alone and that it wasn't a worm. A
>server that I help to maintain was also "attacked" 6/22/04 at 5:21am
>CST. 7 .dll files were deposited in the winnt\system32\inetsrv
>directory named iis7xy.dll where x is a random number that appears to
>be between 1-3 and y is a random character or number.
>Additionally, this attack changed IIS settings to include one (or
>several) of those files as a Document Footer to all documents served
>by this particular server.
How about telling us the method of attack? You know it was attacked,
how do you know and what logs do you have?
>I think your question still applies, though, and I'd have to consider
>this a Windows vulnerability since we're behind a firewall and
>patched. I'd be interested to see if anyone can come up for a cause
>Paul Lynch <email@example.com> wrote in message news:<firstname.lastname@example.org>...
>> <snip>...'how did this stuff get onto my server and what can I do to
>> secure my server and stop it happening again ?'
>> I'd suggest you start here :
>> Paul Lynch