The Register® — Biting the hand that feeds IT

Feeds

Microsoft confirms IIS bug gives complete server control

Microsoft has confirmed a vulnerability in its Internet Information Services webserver and spelled out the conditions under which it can be exploited to give an attacker complete control of the server on which it runs. The good news: As previously reported, remote execution of malicious code can be triggered only in limited …

This topic is closed for new posts.
BristolBachelor
FAIL

Priceless comment

"Admins can also detect attacks by reviewing log files."

1. or by noticing that their webpages now say "Kilroy woz ere"

2. or by the phoncalls from users asking why all the online apps have disappeared and the server is not responding.

3. and because admins never have anything better to do than constantly review the log files of all their servers. Although after getting full control, who leaves evidence in the log files?

And now that they have detected the fleeing horse, they can look at the open stable door...

Anonymous Coward
Flame

SOFTWARE HAS BUG SHOCKER!

yadda, yadda, yadda, software in everyday use has bug, yadda, yadda, yadda...

Come one, there must be more interesting stuff going on today? What about another really good ruck between the Apple and MS fanbois?

Anonymous Coward
Thumb Up

Robots could do it better

> * Turn off FTP if it's not needed

> * Disable the creation of new directories

> * Disable the ability for anonymous users to write using IIS settings

If you're an admin and you have any of these settings on in a production environment, then please, quit your day job.

Owen Williams
Linux

But only if...

you run IIS...

Daniel 1

First paragraph says much about the problem

In your opening paragraph, you describe IIS as a 'webserver', as if it were a standalone program like Apache. However, although it originally incorporated large chunks of the NSCA server that both it and Apache share a common heritage with, it is actually a bundle of internet-enabled servers that now form part of the core of a Windows Kernel module.

As your article reveals, IIS offers FTP - but it also offers FTPS, Network News protocol and SMTP. There are even said to be stubs of other servers that were either never implemented or have since been disabled, sitting there in memory. The problem, here, is that many sys admins install this kernel module, needing nothing more than the ability to serve up webpages, but never bother to think whether they should, or should not, turn on these other services. I've known many who do not know whether the FTP clients their suers are using, to communicate with their server, support FTPS or FTP, and so turn on both, "just to get the job done". Others believe that it's "best to turn on everything, since you never know when you'll need it".

Couple this attitude with the fact that busting into IIS is actually busting into a part of the operating system kernel and you do have a potential means of causing considerable harm.

Anonymous Coward
Anonymous Coward

None of it is true!

None of this story can possibly be true. Microsoft never make software that's full of security bugs. Oh no. Their software is always 100% secure.

Graham Wood
Stop

@Various

@BristolBachelor

If you're running a proper system, then the events (as they happen) are shipped elsewhere. If you've got a public facing FTP server, then (unless it's getting the throughput of something like sourceforge) you should have all commands sent to a machine that has no other link to the system in question, and have automated processes monitoring this constantly.

I believe (although I only looked in passing, I'm not using IIS) that the bug is triggered by accessing a specific named directory - therefore looking for that name in the logs will find the attempt.

No, this is not a good solution, since it detects it after it has been attempted - however, anyone that has this setup can now look back to make sure that they have not been hacked already.

Other than that, you're faced with just assuming that your machine has been hacked, and if anyo of your systems are vulnerable doing a full reinstall.

@AC, 07:26

Not everyone is in the same situation. For some companies, anonymous FTP is how they receive bug reports (including things like core files that are too big to be HTTP uploaded through most business proxies). Therefore there are a lot of very "clever" admins out there that have still got anon FTP enabled. Obviously, they tend not to be running IIS for this, but it's still something to be aware of.

Lionel Baden

what is

FTPS

AND anyway i let anon upload to my site in places !!! !

just need to monitor those folders carefully !!!!!

This post has been deleted by a moderator

This post has been deleted by a moderator

This post has been deleted by a moderator

Steve Foster

SBS2003 OOB

FTP is *not* on by default on an SBS2003 server.

This post has been deleted by a moderator

This topic is closed for new posts.