Security Incidents mailing list archives
RE: MSIIS servers patched/de-doored, but C and D keep coming back
From: "Mike Horne" <mike.horne () safecom co nz>
Date: Tue, 14 Aug 2001 12:58:14 +1200
from http://www.incidents.org/react/code_redII.php :

Finally, we'd like to thank Jason Fossen for testing the workings of the Code Red II registry settings and providing insightful information regarding these. Jason made the interesting discovery that if a virtual directory which already exists (e.g. /scripts and /msadc) is modified in the registry, then the next time IIS restarts the modifications are overwritten with the authoritative info from the metabase. That is, direct changes to the registry for previously existing virtual folders (/scripts and /msadc) are not picked up by IIS and the added permissions aren't reflected in the GUI. On the other hand, if a virtual directory is created in the registry which did not previously exist (e.g. /c and /d) then these changes are written to the metabase, hence, making the changes survive restarts of IIS. Jason speculates that this registry-to-metabase flushing may exist for backwards compatibility with older versions of IIS. All tests were performed on Windows2000 Advanced Server SP2.

-----Original Message-----
From: Garreth Jeremiah/Markham/IBM [mailto:gjeremia () ca ibm com]
Sent: Tuesday, 14 August 2001 8:28 a.m.
To: incidents () securityfocus com
Subject: MSIIS servers patched/de-doored, but C and D keep coming back

I have been receiving a number of reports suggesting that on certain devices, after full patching and cleaning - the /C and /D keep coming back after a reboot.

Anyone explain what is happening? Is this an IIS thing or a Windows thing? (note some of these machines were running the French Version of Win2K)

Thanks
______________________________
Garreth J Jeremiah.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
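The restart behaviour quoted in the message above, modelled as an added example (not part of the original post or of incidents.org's analysis). The dictionary layout, permission strings and sample entries are constructed assumptions and do not reflect the real registry or metabase formats.

```python
import re

# Assumption: each store is modelled as {virtual_path: (physical_path, perms)}.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")

def reconcile_on_restart(registry, metabase):
    """Apply the two rules quoted above; return (metabase_after, overwritten, flushed)."""
    after = dict(metabase)
    overwritten, flushed = [], []
    for vdir, entry in registry.items():
        if vdir in metabase:
            # Pre-existing vdir: the metabase is authoritative, the registry edit is lost.
            if entry != metabase[vdir]:
                overwritten.append(vdir)
        else:
            # Vdir that exists only in the registry: written into the metabase.
            after[vdir] = entry
            flushed.append(vdir)
    return after, sorted(overwritten), sorted(flushed)

def drive_root_vdirs(store):
    """Virtual directories that map a whole drive, such as /c -> c:\\."""
    return sorted(v for v, (path, _) in store.items() if DRIVE_ROOT.match(path))

def check_host(registry, metabase):
    """Summarise what an auditor should expect to find after an IIS restart."""
    after, overwritten, flushed = reconcile_on_restart(registry, metabase)
    return {"overwritten": overwritten,        # registry edits that did not stick
            "persisted": flushed,              # registry-only vdirs now in the metabase
            "exposed": drive_root_vdirs(after)}  # drive roots served from the metabase

# Constructed sample data for a host in the state the thread describes.
METABASE = {"/scripts": ("c:\\inetpub\\scripts", "execute"),
            "/msadc": ("c:\\msadc", "execute")}
REGISTRY = {"/scripts": ("c:\\inetpub\\scripts", "read,write,execute"),
            "/msadc": ("c:\\msadc", "read,write,execute"),
            "/c": ("c:\\", "read,write,execute"),
            "/d": ("d:\\", "read,write,execute")}

if __name__ == "__main__":
    for key, value in check_host(REGISTRY, METABASE).items():
        print(f"{key}: {value}")
```

Because the quoted analysis says new entries are copied into the metabase, the audit reports drive-root mappings from the post-restart metabase, not from the registry alone.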
Current thread:
- MSIIS servers patched/de-doored, but C and D keep coming back Garreth Jeremiah/Markham/IBM (Aug 13)
- Re: MSIIS servers patched/de-doored, but C and D keep coming back Russell Fulton (Aug 13)
- RE: MSIIS servers patched/de-doored, but C and D keep coming back Mike Horne (Aug 14)
- <Possible follow-ups>
- RE: MSIIS servers patched/de-doored, but C and D keep coming back Garreth Jeremiah/Markham/IBM (Aug 14)
- Re: MSIIS servers patched/de-doored, but C and D keep coming back K P (Aug 14)
- Re: MSIIS servers patched/de-doored, but C and D keep coming back Gary Flynn (Aug 14)
- RE: MSIIS servers patched/de-doored, but C and D keep coming back Krull, Chris (Aug 14)
- RE: MSIIS servers patched/de-doored, but C and D keep coming back Davis, Matt (Aug 14)