New IIS Hole?
A friend found his apparently-fully-patched-up IIS box was suddenly serving some extra data on the end of pages, and discovered that the "Document Footer" feature was mysteriously turned on in IIS, with the following text being appended on documents. Has anyone seen this? Is it new, is it old, is it maybe so? Yes it's offtopic from the normal, but it's a heads up if this is a newly emerging vulnerability (I can't find any reference to this technique mentioned anywhere).
you wacky Canadian bastards.
muppet is now from madebymonkeys.net
Eh? No doot, it's aboot time you came down off the ruff and accept the virtues of hockey and beer.
Well the IP looks like it's in Minsk, Russia, so yea I doubt it's very benevolent.
That's really strange. I wonder if the box was hacked and not just IIS. What other ports are open? Maybe somebody turned on the footer remotely.
christopher baus (www.baus.net)
It's exploiting the Swiss-cheese-like IE through an IFrame exploit. It would be interesting to see the code it's trying to download. Probably from Russia with love, no doubt.
unsafe at any speed
"Thinking you're safe on the web with IE is a little like thinking sending your daughter to prom with a group of bikers is ok."
Thank you all for the comments. The method of intrusion is still completely unknown, so it's entirely possible that it was something completely unrelated to IIS where the user then took advantage of IIS while in control. I would guess that, as mentioned above, it's a multifront attack, and the script injected then takes advantage of IE faults to do something else (such as then assaulting other web servers), and so on (because really I've always wondered how IE faults were a problem if you stayed with "trusted sites" [i.e. not browsing warez sites] ... it looks like this is exactly how it's a problem - a trusted site gets hijacked with the fault).
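A defender-side check for the symptom described in this thread, added here as an example and not code from anyone in the discussion: it looks at an HTTP response body for content appended after the closing </html> tag (which is where an IIS Document Footer lands) and reports any iframe found in that appended tail. The two sample pages and the iframe URL are constructed.

```python
import re

# Constructed samples: a normal page, and the same page with an appended footer
# of the kind described in the thread (a tiny, hidden iframe after </html>).
CLEAN_PAGE = "<html><body><p>Hello</p></body></html>\r\n"
INFECTED_PAGE = (
    "<html><body><p>Hello</p></body></html>\r\n"
    '<iframe src="http://203.0.113.10/x.htm" width="1" height="1" '
    'style="display:none"></iframe>\r\n'
)

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)', re.I)


def trailing_content(body: str) -> str:
    """Return whatever follows the last </html> tag, stripped of whitespace.

    A Document Footer is appended after the document itself, so anything
    non-blank here is worth a look even if it is not an iframe.
    """
    closes = list(re.finditer(r"</html\s*>", body, re.I))
    if not closes:
        return ""
    return body[closes[-1].end():].strip()


def iframes_in(fragment: str) -> list:
    """List the src of each iframe in the fragment, marking hidden/tiny ones."""
    found = []
    for tag in IFRAME_RE.findall(fragment):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        hidden = "display:none" in tag.replace(" ", "").lower()
        found.append({"src": attrs.get("src", ""), "hidden": tiny or hidden})
    return found


def check_page(body: str) -> dict:
    """Summarise whether a page carries an appended tail and what iframes it holds."""
    tail = trailing_content(body)
    return {"appended": bool(tail), "iframes": iframes_in(tail)}


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, check_page(page))
```

Run it against pages fetched from the affected server (and from a known-good copy of the site) to see the appended footer without trusting the server's own configuration view.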
One method of intrusion could be an easy-to-guess password, which then allows access using Terminal Server/Remote Desktop, or the PPTP VPN service. Even if your friend believes he has secure passwords, there may be accounts (local or domain) with weak passwords that he was not aware of. E.g., local (as opposed to domain) administrator account, accounts created by backup software...
What that code does is not immediately as important as finding out the method of exploit so that when the server is rebuilt from scratch it will not be compromised again.
Not sure if this is related, but a few days ago my shortcut to notepad.exe was replaced with a shortcut to some random exe under c:\windows, and this is on a fully patched machine.
Just Guessing - yes, getting the server secured is important, but I guess that the people who visited his website would probably want to know what they're infected with as well.
Dennis, why not have your friend turn this info in to eEye or one of those other security groups that investigate these things (and sometimes pull Microsoft's pants down in front of the world)? If this is truly new it would be helpful to get a fix.
Don't Blame Me
Didn't hear about any Apache/Linux boxes having this trouble
As far as I've seen, this only happens to sites that AREN'T patched (or patched but not rebooted). And you should report this to MS in any case so they can constructively get a handle on it vs. "pulling pants down".