Security Incidents mailing list archives

Re: Dummies got a sample page


From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 30 May 2001 22:15:30 -0600 (MDT)

On Wed, 30 May 2001, James Edwards wrote:

> Today I discovered that the sample pages installed when IIS is
> installed had been defaced (Ya' know the standard "F*** USA
> Government"). Hadn't noticed earlier since the real pages for the web
> site were untouched.

Any idea when?  (Timestamp on defacement files?)

> I noticed that the firewall installed on the NT 4.0 SP6a server
> wasn't responding, and so I checked "Services". They
> had *all* been set to "Disabled", so naturally the firewall services
> weren't running.  The system has (and had) all of the current
> service packs and security patches installed. The site is running
> Cold Fusion. Any suggestions as to what flavor of attack was
> employed, and the best methods of countering it would be appreciated.

The vast majority of those defacements were done with the original
Unicode hole, which presumably was one of the hotfixes you had installed.

However, at the tail end of the "hack week", this hole was announced:
http://www.securityfocus.com/bid/2708

And it was used in a few of the pro-China defacements, and basically came
into immediate use.  That hole is only 15 days old today.  Did you have
that hotfix installed, and have it installed before the defacement?

                                        Ryan

