Re: Russian IIS hack? Malicious Javascript code

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 06/24/04


Date: Thu, 24 Jun 2004 19:35:00 GMT

On 23 Jun 2004 18:08:55 -0700, utwes@hotmail.com (Wes Carberry) wrote:

>Paul:
>
>I'm not so sure it was a hacker alone and that it wasn't a worm. A
>server that I help to maintain was also "attacked" 6/22/04 at 5:21am
>CST. 7 .dll files were deposited in the winnt\system32\inetsrv
>directory named iis7xy.dll where x is a random number that appears to
>be between 1-3 and y is a random character or number.
>
>Additionally, this attack changed IIS settings to include one (or
>several) of those files as a Document Footer to all documents served
>by this particular server.

How about telling us the method of attack? You know it was attacked,
how do you know and what logs do you have?

Jeff

>I think your question still applies, though, and I'd have to consider
>this a Windows vulnerability since we're behind a firewall and
>patched. I'd be interested to see if anyone can come up with a cause
>of this.
>
>Wes
>
>Paul Lynch <paul.lynch@nospam.com> wrote in message news:<gumhd01faq0m59akfr4pkfshprhqo5no4d@4ax.com>...
>> <snip>...'how did this stuff get onto my server and what can I do to
>> secure my server and stop it happening again ?'
>>
>> I'd suggest you start here :
>>
>> http://securityadmin.info/faq.asp#hackerstoc
>>
>>
>> Regards,
>>
>> Paul Lynch
>> MCSE


