Hi,

There are some strange files in the root of different websites.
Some of my friends told me that it is an IIS6 security hole. Does
anybody have a solution?

They are just HTML files.

Like these:

default.html
tromnk.htm

The content of those files was:

Ir4Dex Back By Zakix your DATA H4Xored =)
core-project
<html>

<head>
<meta http-equiv="Content-Language" content="tr">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1254">
<title>Hacked Mr.Trojan Trojan wWw.StarHack.Org wWw.Trojan-Tr.Org</title>
</head>

<body text="#800000" bgcolor="#000000">

<p>&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center"><a href="http://www.trojan-tr.org">
<img border="0" src="http://www.trojan-tr.org/erterterte.jpg"
width="400" height="400"></a></p>
<p align="center">&nbsp;</p>
<p align="center"><font size="6" color="#808080" face="Comic Sans
MS">Mr.Trojan
Was Here</font></p>
<p align="center"><font face="Comic Sans MS" size="6" color="#808080">
<a href="http://wWw.StarHack.Org" style="text-decoration: none">
<font color="#808080">wWw.StarHack.Org</font></a> &quot;
<a href="http://wWw.Trojan-Tr.Org" style="text-decoration: none">
<font color="#808080">wWw.Trojan-Tr.Org</font></a> </font></p>
<p>&nbsp;</p>

</body>

</html>

Re: IIS 6 strange file - site hacked by John

John
Fri Jun 01 10:48:55 CDT 2007

magagnon@maginformatique.com wrote:
> Hi,
>
> There are some strange files in the root of different websites.
> Some of my friends told me that it is an IIS6 security hole. Does
> anybody have a solution?
>
> They are just HTML files.
>
> Like these:
>
> default.html
> tromnk.htm
>
> The content of those files was:
>
> Ir4Dex Back By Zakix your DATA H4Xored =)
> core-project
> <html>
>
> <head>
snip...
> </html>
>

Looks like a pretty standard sort of site defacement and I don't see
anything there that would suggest any sort of danger -- unless your own
computer's security is weak and you used one of the links. As for a
"solution", finding the owner of the site and telling them about the
defacement and urging them to use some proper security precautions on
their server is all I could imagine doing.

John McGaw
http://johnmcgaw.com

Re: IIS 6 strange file - site hacked by Roger

Roger
Sat Jun 02 01:17:57 CDT 2007

To my awareness there are no known "holes" in IIS6, in fact
there have not been any security patches for IIS (6 or 5) since
the IIS 5 rollup was released years ago.
The server hosting the site is not well configured, or the content
of the site is not well designed/implemented.


<magagnon@maginformatique.com> wrote in message
news:1180702368.389936.171940@q66g2000hsg.googlegroups.com...
> Hi,
>
> There are some strange files in the root of different websites.
> Some of my friends told me that it is an IIS6 security hole. Does
> anybody have a solution?
>
> They are just HTML files.
>
> Like these:
>
> default.html
> tromnk.htm
>
> The content of those files was:
>
> Ir4Dex Back By Zakix your DATA H4Xored =)
> core-project
> <html>
>
> <head>
> <meta http-equiv="Content-Language" content="tr">
> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
> <meta name="ProgId" content="FrontPage.Editor.Document">
> <meta http-equiv="Content-Type" content="text/html;
> charset=windows-1254">
> <title>Hacked Mr.Trojan Trojan wWw.StarHack.Org wWw.Trojan-Tr.Org</title>
> </head>
>
> <body text="#800000" bgcolor="#000000">
>
> <p>&nbsp;</p>
> <p align="center">&nbsp;</p>
> <p align="center"><a href="http://www.trojan-tr.org">
> <img border="0" src="http://www.trojan-tr.org/erterterte.jpg"
> width="400" height="400"></a></p>
> <p align="center">&nbsp;</p>
> <p align="center"><font size="6" color="#808080" face="Comic Sans
> MS">Mr.Trojan
> Was Here</font></p>
> <p align="center"><font face="Comic Sans MS" size="6" color="#808080">
> <a href="http://wWw.StarHack.Org" style="text-decoration: none">
> <font color="#808080">wWw.StarHack.Org</font></a> &quot;
> <a href="http://wWw.Trojan-Tr.Org" style="text-decoration: none">
> <font color="#808080">wWw.Trojan-Tr.Org</font></a> </font></p>
> <p>&nbsp;</p>
>
> </body>
>
> </html>
>



Re: IIS 6 strange file - site hacked by Michal

Michal
Sat Jun 02 08:17:14 CDT 2007

The defacement has probably nothing to do with a so-called "hole"
(vulnerability) in IIS 6.0. Could you provide more information?
I think I could definitely help you. For instance, if your web site
takes advantage of PHP scripts, one of those might be vulnerable
to code injection (RFI/LFI), cross-site scripting or SQL injection -
those vulnerabilities are much more probable than a remotely
exploitable vulnerability (format string, buffer overflow..) in IIS 6.0.

Such skiddies' defacements usually stem from the vulnerabilities in
scripts (remember about right file access rights!), your FTP server
could also be the reason (but it probably doesn't have to do anything
with a remotely exploitable flaw - an account could simply be prone
to a brute-force attack).

I suggest that you provide more information.


--
Michal Bucko
eleytt.com
sapheal.hack.pl
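
Added example (not part of the original thread): one way to follow up on the causes suggested above is to triage the site's IIS W3C extended logs for write-capable HTTP/WebDAV methods and for the first request to each dropped file, together with any earlier POSTs from the same client. The sample log, the IP addresses, `/upload.php` and the function names are constructed for illustration; the code assumes the log records the `date`, `time`, `c-ip`, `cs-method` and `cs-uri-stem` fields and that entries are in chronological order.

```python
# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2007-05-30 21:14:02 203.0.113.7 GET /index.asp 200
2007-05-30 21:14:40 203.0.113.7 POST /upload.php 200
2007-05-30 21:14:44 203.0.113.7 GET /tromnk.htm 200
2007-05-30 21:15:10 198.51.100.9 PUT /default.html 201
2007-05-31 08:01:00 192.0.2.44 GET /default.html 200
"""

# Methods that can create, replace or move content on the server.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}
DROPPED = {"/default.html", "/tromnk.htm"}  # file names from the original post


def parse_w3c(lines):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated entries
                yield dict(zip(fields, values))


def triage(lines, dropped=DROPPED):
    """Return (write_requests, first_touch).

    write_requests: every request that used a write-capable method.
    first_touch: for each dropped file, (client IP, timestamp, earlier POST
    targets from that client), i.e. candidate upload or injection points.
    """
    rows = list(parse_w3c(lines))
    writes = [r for r in rows if r["cs-method"].upper() in WRITE_METHODS]
    first_touch = {}
    for i, r in enumerate(rows):
        path = r["cs-uri-stem"].lower()
        if path in dropped and path not in first_touch:
            prior_posts = [p["cs-uri-stem"] for p in rows[:i]
                           if p["c-ip"] == r["c-ip"]
                           and p["cs-method"].upper() == "POST"]
            stamp = r["date"] + " " + r["time"]
            first_touch[path] = (r["c-ip"], stamp, prior_posts)
    return writes, first_touch
```

On a real server, pass the open log file (or its lines) to `triage` and compare the first-touch timestamps with the modification times of the dropped files.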




Re: IIS 6 strange file - site hacked by Gerald309

Gerald309
Sat Jun 02 13:14:58 CDT 2007

On Jun 1, 8:52 am, magag...@maginformatique.com wrote:
> Hi,
>
> There are some strange files in the root of different websites.
> Some of my friends told me that it is an IIS6 security hole. Does
> anybody have a solution?
>
> They are just HTML files.
>
> Like these:
>
> default.html
> tromnk.htm
>
> The content of those files was:
>
> Ir4Dex Back By Zakix your DATA H4Xored =)
> core-project
> <html>
>
> <head>
> <meta http-equiv="Content-Language" content="tr">
> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
> <meta name="ProgId" content="FrontPage.Editor.Document">
> <meta http-equiv="Content-Type" content="text/html;
> charset=windows-1254">
> <title>Hacked Mr.Trojan Trojan wWw.StarHack.Org wWw.Trojan-Tr.Org</title>
> </head>
>
> <body text="#800000" bgcolor="#000000">
>
> <p>&nbsp;</p>
> <p align="center">&nbsp;</p>
> <p align="center"><a href="http://www.trojan-tr.org">
> <img border="0" src="http://www.trojan-tr.org/erterterte.jpg"
> width="400" height="400"></a></p>
> <p align="center">&nbsp;</p>
> <p align="center"><font size="6" color="#808080" face="Comic Sans
> MS">Mr.Trojan
> Was Here</font></p>
> <p align="center"><font face="Comic Sans MS" size="6" color="#808080">
> <a href="http://wWw.StarHack.Org" style="text-decoration: none">
> <font color="#808080">wWw.StarHack.Org</font></a> &quot;
> <a href="http://wWw.Trojan-Tr.Org" style="text-decoration: none">
> <font color="#808080">wWw.Trojan-Tr.Org</font></a> </font></p>
> <p>&nbsp;</p>
>
> </body>
>
> </html>

=====================/.
You may want to look around also, with all the answers, with any
software you may feel is compromised. Right click the properties of
the software and check for any that are "connected to another
computer" and terminate that immediately. You can then inspect
contents to remove the threat if any (trojan apparently).

This scenario may have occurred with sophisticated malware - and
intends to hide behind interactive usage with legitimate software to
perform crimeware tactics.


Re: IIS 6 strange file - site hacked by Stefan

Stefan
Sun Jun 03 10:35:22 CDT 2007

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote:

> To my awareness there are no known "holes" in IIS6, in fact
> there have not been any security patches for IIS (6 or 5) since
> the IIS 5 rollup was released years ago.

What about MSKB 328832?

Stefan


Re: IIS 6 strange file - site hacked by Roger

Roger
Mon Jun 04 03:00:50 CDT 2007

"Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
news:%23h$nEXfpHHA.4364@TK2MSFTNGP03.phx.gbl...
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote:
>
>> To my awareness there are no known "holes" in IIS6, in fact
>> there have not been any security patches for IIS (6 or 5) since
>> the IIS 5 rollup was released years ago.
>
> What about MSKB 328832?
>
> Stefan
>

I take it that you disagree with the assessment in that KB stating
that the behavior is by design? While it does describe an odd
behavior for webhits.dll, I would also note that it says this is an
issue with index server (apparently how it adjusts IIS behavior).

There have been a number of security related, critical issues with
codes that applicatively layer on the IIS frame, but as far as I have
seen none for the IIS frame since the rollup for IIS 5 was issued.

Roger



Re: IIS 6 strange file - site hacked by Stefan

Stefan
Mon Jun 04 12:28:58 CDT 2007

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote:

> "Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
> news:%23h$nEXfpHHA.4364@TK2MSFTNGP03.phx.gbl...
> > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote:
> >
> >> To my awareness there are no known "holes" in IIS6, in fact
> >> there have not been any security patches for IIS (6 or 5) since
> >> the IIS 5 rollup was released years ago.
> >
> > What about MSKB 328832?
> >
> > Stefan
> >
>
> I take it that you disagree with the assessment in that KB stating
> that the behavior is by design?

No, I just wanted to get your attention :-) your overall remark "no known
holes in IIS6" is a little keen.

> While it does describe an odd
> behavior for webhits.dll, I would also note that it says this is an
> issue with index server (apparently how it adjusts IIS behavior).

Ahhh, that's finest Microspeak: it's an issue.

No, it opens a hole.
That's a problem for all those out there who run index server, most
of whom I bet ain't aware of this behaviour, although documented.

And there might well be quite some people out there who run IIS and
some framework above it but don't know that at all or ain't fully aware
of the fact: there are some newer Microsoft products (and third party
vendors' too) that use IIS, like VS2005, WSUS, ...

Better be safe than sorry and have your eyes open.
My belly gets a little nervous just thinking of all that "fine" 3rd
party software out there that silently installs say MSDE (or some
MS XML; see <news:eaL8uQ0mHHA.4516@TK2MSFTNGP05.phx.gbl>). Most often
this additional software ain't up to date on the installation media,
sometimes not even installed properly, but just copied into the SYSTEM
directory or side-by-side (like GDIPLUS.DLL or MSVC*<version>.DLL).

> There have been a number of security related, critical issues with
> codes that applicatively layer on the IIS frame, but as far as I have
> seen none for the IIS frame since the rollup for IIS 5 was issued.

For the little I know about IIS that seems right.

Stefan


Re: IIS 6 strange file - site hacked by msnews

msnews
Tue Jun 05 16:20:23 CDT 2007

"Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
news:OgSzufupHHA.4188@TK2MSFTNGP02.phx.gbl...
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote:
>
>> "Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
>> news:%23h$nEXfpHHA.4364@TK2MSFTNGP03.phx.gbl...
>> > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote:
>> >
>> >> To my awareness there are no known "holes" in IIS6, in fact
>> >> there have not been any security patches for IIS (6 or 5) since
>> >> the IIS 5 rollup was released years ago.
>> >
>> > What about MSKB 328832?
>> >
>> > Stefan
>> >
>>
>> I take it that you disagree with the assessment in that KB stating
>> that the behavior is by design?
>
> No, I just wanted to get your attention :-) your overall remark "no known
> holes in IIS6" is a little keen.
>
>> While it does describe an odd
>> behavior for webhits.dll, I would also note that it says this is an
>> issue with index server (apparently how it adjusts IIS behavior).
>
> Ahhh, that's finest Microspeak: it's an issue.
>
> No, it opens a hole.
> That's a problem for all those out there who run index server, most
> of whom I bet ain't aware of this behaviour, although documented.
>
> And there might well be quite some people out there who run IIS and
> some framework above it but don't know that at all or ain't fully aware
> of the fact: there are some newer Microsoft products (and third party
> vendors' too) that use IIS, like VS2005, WSUS, ...
>
> Better be safe than sorry and have your eyes open.
> My belly gets a little nervous just thinking of all that "fine" 3rd
> party software out there that silently installs say MSDE (or some
> MS XML; see <news:eaL8uQ0mHHA.4516@TK2MSFTNGP05.phx.gbl>). Most often
> this additional software ain't up to date on the installation media,
> sometimes not even installed properly, but just copied into the SYSTEM
> directory or side-by-side (like GDIPLUS.DLL or MSVC*<version>.DLL).
>
>> There have been a number of security related, critical issues with
>> codes that applicatively layer on the IIS frame, but as far as I have
>> seen none for the IIS frame since the rollup for IIS 5 was issued.
>
> For the little I know about IIS that seems right.
>
> Stefan
>

Rereading I can see how someone would/could misread my first post,
but by IIS I actually did mean IIS (not WebDAV, WSS, ASP, PHP, etc.).
The KB you point out doc's what seems to me a pretty odd behavior to
intend to allow by design, but hey, at least they admit it was a design
issue.

Roger