Fog Creek Software
Discussion Board
New IIS Hole Pt 2

http://www.incidents.org/

http://groups.google.ca/groups?hl=en&lr=&ie=UTF-8&safe=off&threadm=F5E81692-8CC7-471B-9751-3A9C69ECB013%40microsoft.com&rnum=1&prev=/groups%3Fq%3D217.107.218.147%26hl%3Den%26lr%3D%26ie%3DUTF-8%26safe%3Doff%26sa%3DN%26tab%3Dwg

Furthermore, and this is hearsay, a friend claims that they visited microsoft.com and were surprised to see the same code appended on the Microsoft page.

I've yet to see anything detailed about what this is - either there is a brand new IIS exploit, or it could be negligent admins connecting with exploited systems (or using IE to browse the net from their server). Pretty spooky nonetheless.

Dennis Forbes
Thursday, June 24, 2004

Sounds like there is speculation that it is coming in over an SSL exploit.  Was your friend running SSL?  I'm just about to put my first IIS box into production.  This is the last thing I want to deal with. 

christopher baus (www.baus.net)
Thursday, June 24, 2004

Indeed they do have SSL running.

Dennis Forbes
Thursday, June 24, 2004

This is yet another reason to run a logging reverse proxy. 

Hmm...  Maybe the way to track this down is to put an IIS box out there with a proxy in front of it logging all the requests.  When the response includes the javascript, shut the connection down and go looking at the logs.

christopher baus (www.baus.net)
Thursday, June 24, 2004
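The logging-proxy idea in the post above, worked through as an added Python example (this is not code from the thread or from any of its posters). It assumes the injected JavaScript shows up as a `<script>` block appended after the page's closing `</html>` tag; the backend, request lines and HTTP responses are constructed for the example, and the "proxy" is reduced to the decision logic: forward the request, inspect the HTML response, log a PASS or BLOCK line, and return nothing (drop the connection) when the response looks tampered.

```python
"""Response-side tamper check for a logging reverse proxy (added example).

Assumption: a compromised server serves otherwise-normal pages with a
<script> block appended after </html>. The sample responses below are
constructed for this example, not captured from a real server.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Script content that follows the closing </html> tag of an HTML document.
TRAILING_SCRIPT = re.compile(rb"</html>\s*(<script\b.*?</script>)", re.I | re.S)


@dataclass
class Finding:
    reason: str
    snippet: bytes  # first bytes of the offending script, for the log


def split_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed response: no header terminator")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def inspect_response(raw: bytes) -> Optional[Finding]:
    """Return a Finding if an HTML response carries a script after </html>."""
    _status, headers, body = split_response(raw)
    if not headers.get("content-type", "").lower().startswith("text/html"):
        return None  # only HTML documents are checked
    match = TRAILING_SCRIPT.search(body)
    if match:
        return Finding("script block after </html>", match.group(1)[:80])
    return None


def proxy(request_line: str, backend: Callable[[str], bytes], log: List[str]) -> Optional[bytes]:
    """Forward one request to the backend, log it, and drop tampered responses.

    Returns the raw response to relay to the client, or None when the
    connection should be shut down instead.
    """
    raw = backend(request_line)
    finding = inspect_response(raw)
    if finding is not None:
        log.append(f"BLOCK {request_line} :: {finding.reason} :: {finding.snippet!r}")
        return None
    log.append(f"PASS {request_line}")
    return raw


# Constructed sample responses: a clean page and the same page with an
# appended script block, as the assumption above describes.
CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
         b"<html><body><p>hello</p></body></html>\n")
TAMPERED = CLEAN + b"<script>document.write('x')</script>\n"
NOT_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
            b"</html><script>not a document</script>")


def fake_backend(request_line: str) -> bytes:
    """Stand-in origin server: one path serves the tampered page."""
    return TAMPERED if request_line.endswith("/index.html") else CLEAN


def demo() -> List[str]:
    """Run two requests through the proxy and return the log lines."""
    log: List[str] = []
    proxy("GET /about.html", fake_backend, log)
    proxy("GET /index.html", fake_backend, log)
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In a real deployment the same `inspect_response` check would sit on the proxy's response path with the request headers and client address written to the same log line, so that the first BLOCK entry gives you the exact request to correlate against the IIS logs on the box behind it.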

Is it this?

http://news.com.com/Corporate+Web+servers+infecting+visitors%27+PCs/2100-7349_3-5247187.html?tag=nefd.top

Nate Silva
Friday, June 25, 2004

Here's Microsoft's response: http://www.microsoft.com/security/incident/download_ject.mspx

r1ch
Friday, June 25, 2004

IIS

Internet Infection Server

Thanks Microsoft
Friday, June 25, 2004

And all the admins that are complaining that this is all MS's fault because they had all of IIS's patches applied need to find new jobs (and may find themselves urged to do so by their employers).

This was OS-level stuff, folks - MS04-011.

Greg Hurlman
Friday, June 25, 2004

I just looked over that patch.  There are about 10 different fixes in there.  I would like to know how exactly the systems were infected.

christopher baus (www.baus.net)
Friday, June 25, 2004

<i>And all the admins that are complaining that this is all MS's fault because they had all of IIS's patches applied need to find new jobs (and may find themselves urged to do so by their employers).

This was OS-level stuff, folks - MS04-011.

Greg Hurlman  </i>

Not so fast. Microsoft may be urging people to apply this patch, however I had a system that was infected even though the patch had been applied (it was fully patched). Many of the forum postings that I have read indicated that other fully patched machines were also compromised.

My best guess is that this is an exploit for an unreported hole in IIS.

w
Friday, June 25, 2004

Got URLs?  I'm not trying to refute you; I just want to read for myself.

Greg Hurlman
Friday, June 25, 2004

Did that patch fix the hole in IIS that allowed the rogue code onto the servers -- or did it also fix the hole in IE that infects people who browse the sites?

I was under the impression that it only fixed the server-side hole.

Nate Silva
Friday, June 25, 2004

Yea

I've yet to see a document that states:

"This is the exploit used to install code on the server"

christopher baus (www.baus.net)
Friday, June 25, 2004

I'm surprised to hear that it's an SSL hole. In MS04-011, they say that the SSL hole is just a "denial of service" one, not a "remote code execution" one.

PaulJ
Saturday, June 26, 2004
