Security Incidents mailing list archives

RE: MSIIS servers patched/de-doored, but C and D keep coming back


From: "Mike Horne" <mike.horne () safecom co nz>
Date: Tue, 14 Aug 2001 12:58:14 +1200

from http://www.incidents.org/react/code_redII.php :

Finally, we'd like to thank Jason Fossen for testing the workings
of the Code Red II registry settings and providing insightful information
regarding these. Jason made the interesting discovery that if a virtual
directory which already exists (e.g. /scripts and /msadc) is modified
in the registry, then the next time IIS restarts the modifications are
overwritten with the authoritative info from the metabase. That is, direct
changes to the registry for previously existing virtual folders (/scripts
and /msadc) are not picked up by IIS and the added permissions aren't
reflected in the GUI. On the other hand, if a virtual directory is created
in the registry which did not previously exist (e.g. /c and /d) then these
changes are written to the metabase, hence, making the changes survive
restarts of IIS.  Jason speculates that this registry-to-metabase flushing
may exist for backwards compatibility with older versions of IIS. All tests
were performed on Windows2000 Advanced Server SP2.

-----Original Message-----
From: Garreth Jeremiah/Markham/IBM [mailto:gjeremia () ca ibm com]
Sent: Tuesday, 14 August 2001 8:28 a.m.
To: incidents () securityfocus com
Subject: MSIIS servers patched/de-doored, but C and D keep coming back


I have been receiving a number of reports suggesting that on certain
devices, after full patching and cleaning - the /C and /D keep coming back
after a reboot.

Anyone explain what is happening?  Is this an IIS thing or a Windows thing?

( note some of these machines were running the French Version of Win2K )

Thanks
______________________________
Garreth J Jeremiah.





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


