New IIS Hole? A friend found his apparently fully-patched-up IIS box was suddenly serving some extra data on the end of pages, and discovered that the "Document Footer" feature was mysteriously turned on in IIS, with the following text being appended to documents. Has anyone seen this? Is it new, is it old, is it maybe so? Yes, it's off-topic from the normal, but it's a heads up if this is a newly emerging vulnerability (I can't find any reference to this technique mentioned anywhere).
Dennis Forbes
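The symptom in the post is data appended after the end of otherwise normal pages. The IIS Document Footer feature works by tacking its content onto the end of each response, so a cheap defender-side check is to look for anything that follows the closing `</html>` tag and flag it when it contains active content. The script below is an added example written for this thread, not code from the original post or from anyone in it; the two sample pages are constructed stand-ins (the real appended text is not reproduced here), and `example.invalid` is a placeholder host.

```python
import re
import urllib.request

# Constructed sample responses; these are NOT captures from the box in the thread.
CLEAN_PAGE = (
    "<html><head><title>Home</title></head>"
    "<body><p>Hello</p></body></html>\r\n"
)

# Stand-in for a page with a footer injected after the document proper.
FOOTERED_PAGE = (
    "<html><head><title>Home</title></head>"
    "<body><p>Hello</p></body></html>\r\n"
    "<script>var today=new Date();</script>"
    '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>'
)

CLOSING_TAG = re.compile(r"</html\s*>", re.IGNORECASE)
# Tags that should never appear after </html> on a legitimate page.
ACTIVE_CONTENT = re.compile(r"<\s*(script|iframe|object|embed)\b", re.IGNORECASE)


def trailing_content(html: str) -> str:
    """Return whatever follows the last </html> tag, with surrounding whitespace removed."""
    matches = list(CLOSING_TAG.finditer(html))
    if not matches:
        return ""  # No closing tag at all; nothing to compare against.
    return html[matches[-1].end():].strip()


def classify(html: str) -> dict:
    """Summarise a single response body: how much trails </html> and whether it is active content."""
    tail = trailing_content(html)
    return {
        "trailing_bytes": len(tail),
        "has_active_content": bool(ACTIVE_CONTENT.search(tail)),
        "tail_preview": tail[:80],
    }


def scan_pages(pages: dict) -> list:
    """Return the names of pages whose trailing content includes script/iframe/object/embed tags."""
    return [name for name, body in pages.items() if classify(body)["has_active_content"]]


def fetch(url: str) -> str:
    """Download one page as text so scan_pages() can be run against a live site."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for name, body in {"clean": CLEAN_PAGE, "footered": FOOTERED_PAGE}.items():
        print(name, classify(body))
    print("flagged:", scan_pages({"clean": CLEAN_PAGE, "footered": FOOTERED_PAGE}))
```

To run it against a real site, build the `pages` dict with `fetch()` over a list of your own URLs; anything the scan flags is then a starting point for checking the server's footer setting and for the rebuild that later posts in the thread recommend.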
you wacky Canadian bastards.
muppet is now from madebymonkeys.net
Eh? No doot, it's aboot time you came down off the ruff and accept the virtues of hockey and beer.
Dennis Forbes
It probably doesn't tell you much but searching Google for some of the JavaScript turns up this:- http://www.google.co.uk/search?q=cache:GQq93-Kx2mMJ:www.angusinternational.info/newsroom/AMI_SESSIONS.rtf+Date()%3Bvar+expiry%3Dnew+Date(today.getTime()%2B600000)%3Bif(v8!%3Dnull%26%26v8!%3D%22%22)&hl=en so it seems that someone else has picked it up, whatever it is.
r1ch
Hey Dennis,
Dignified
Well, the IP looks like it's in Minsk, Russia, so yeah, I doubt it's very benevolent.
Mr. O
That's really strange. I wonder if the box was hacked and not just IIS. What other ports are open? Maybe somebody turned on the footer remotely.
christopher baus (www.baus.net)
It's exploiting the Swiss-cheese-like IE through an IFrame exploit. It would be interesting to see the code it's trying to download. Probably from Russia with love, no doubt.
unsafe at any speed
"Thinking you're safe on the web with IE is a little like thinking sending your daughter to prom with a group of bikers is OK."
Paulo Caetano
Thank you all for the comments. The method of intrusion is still completely unknown, so it's entirely possible that it was something completely unrelated to IIS, where the attacker then took advantage of IIS while in control. I would guess that, as mentioned above, it's a multi-front attack, and the injected script then takes advantage of IE faults to do something else (such as then assaulting other web servers), and so on (because really I've always wondered how IE faults were a problem if you stayed with "trusted sites" [i.e. not browsing warez sites] ... it looks like this is exactly how it's a problem: trusted sites get hijacked with the fault).
Dennis Forbes
One method of intrusion could be an easy-to-guess password, which then allows access using Terminal Server/Remote Desktop, or the PPTP VPN service. Even if your friend believes he has secure passwords, there may be accounts (local or domain) with weak passwords that he was not aware of. E.g., local (as opposed to domain) administrator account, accounts created by backup software...
Just Guessing
I downloaded the JavaScripts that it pulls down... after some redirects it downloads an executable and overwrites Windows Media Player with it. It then launches Media Player using the mms:// protocol. The exe that it downloads could then of course do pretty much anything. The binary that it downloads doesn't contain any known viruses according to my virus checker, but I'm pretty sure that's what it is.
r1ch
What that code does is not immediately as important as finding out the method of exploit so that when the server is rebuilt from scratch it will not be compromised again.
Just Guessing
Not sure if this is related, but a few days ago my shortcut to notepad.exe was replaced with a shortcut to some random exe under c:\windows, and this is on a fully patched machine.
a
Fellas, fellas
Oh yeah!
Just Guessing - yes, getting the server secured is important, but I guess that the people that visited his website would probably want to know what they're infected with as well.
r1ch
Dennis, why not have your friend turn this info over to eEye or one of those other security groups that investigate these things (and sometimes pull Microsoft's pants down in front of the world)? If this is truly new, it would be helpful to get a fix.
Mike
Don't Blame Me
Didn't hear about any Apache/Linux boxes having this trouble
Troubling
As far as I've seen, this only happens to sites that AREN'T patched (or patched but not rebooted). And you should report this to MS in any case so they can constructively get a handle on it vs. "pulling pants down".
wondering