Re: Russian IIS hack? Malicious Javascript code

From: Jeff Cochran (
Date: 06/24/04

Date: Thu, 24 Jun 2004 19:35:00 GMT

On 23 Jun 2004 18:08:55 -0700, (Wes Carberry) wrote:

>I'm not so sure it was a hacker alone and that it wasn't a worm. A
>server that I help to maintain was also "attacked" 6/22/04 at 5:21am
>CST. 7 .dll files were deposited in the winnt\system32\inetsrv
>directory named iis7xy.dll where x is a random number that appears to
>be between 1-3 and y is a random character or number.
>Additionally, this attack changed IIS settings to include one (or
>several) of those files as a Document Footer to all documents served
>by this particular server.

How about telling us the method of attack? You know it was attacked,
how do you know and what logs do you have?


>I think your question still applies, though, and I'd have to consider
>this a Windows vulnerability since we're behind a firewall and
>patched. I'd be interested to see if anyone can come up for a cause
>of this.
>Paul Lynch <> wrote in message news:<>...
>> <snip>...'how did this stuff get onto my server and what can I do to
>> secure my server and stop it happening again ?'
>> I'd suggest you start here :
>> Regards,
>> Paul Lynch