Security Incidents mailing list archives

IIS Exploit...


From: Chris Hobbs <chobbs () SILVERVALLEY K12 CA US>
Date: Tue, 8 May 2001 16:51:48 -0700

Well, not too much info here - regrettably my snort rules file got
zeroed out when whitehats.com changed their format. So, all I have is my
IIS logs - however, it's pretty straightforward what happened:

19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
19:01:02 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 502
19:01:06 210.45.192.25 GET /scripts/root.exe 502
19:01:10 210.45.192.25 GET /scripts/root.exe 502
19:01:14 210.45.192.25 GET /scripts/root.exe 502
19:01:14 210.45.192.25 GET /scripts/root.exe 502

That goes on for quite some time - it ended up creating several files in
every directory on the website - index.asp, index.htm, default.asp, and
default.htm.

IP address resolves to a university in China, so I suspect the odds of
getting assistance are about nil.

Moral of the story: I upgraded to SP6A on this NT4 box 10 days ago.
Running IIS 4.0 still. I assumed that SPs applied patches to the web
server as well as the OS - either this isn't the case, or something new
developed in those last 10 days.

Conveniently, I had already set up a Linux box to replace this IIS
server, and had copied over the entire site just two days prior to the
attack. I _will_ be keeping better track of Apache and PHP exploits,
since I really don't want this to happen again :)

--
Chris Hobbs       Silver Valley Unified School District
Head geek:              Technology Services Coordinator
webmaster:    http://www.silvervalley.k12.ca.us/chobbs/
postmaster:               chobbs () silvervalley k12 ca us

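As an added illustration (not part of Chris's post), here is a small Python checker that reads lines in the same compact layout as the log excerpt above, normalises each requested path (decoding encoded characters and resolving `..`), and flags requests that escape the web root or reach cmd.exe / root.exe, noting which ones returned 200. The sample lines are constructed from the excerpt plus one benign request.

```python
import re
from urllib.parse import unquote

# Constructed sample in the compact layout quoted in the post:
# time, client IP, method, URI, HTTP status.
SAMPLE_LOG = """\
19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
19:01:02 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 502
19:01:06 210.45.192.25 GET /scripts/root.exe 502
19:02:30 192.0.2.10 GET /index.htm 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
SUSPICIOUS_TARGETS = ("cmd.exe", "root.exe")

def normalize(uri, max_rounds=3):
    """Return (resolved path, escaped_root). Decoding is repeated a bounded
    number of times so a '..' hidden behind a second layer of %-encoding
    is still seen; backslashes are treated as separators like IIS does."""
    path = uri
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    out, escaped = [], False
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            if out:
                out.pop()
            else:
                escaped = True          # traversal climbed above the web root
        elif seg and seg != ".":
            out.append(seg)
    return "/" + "/".join(out), escaped

def scan(log_text):
    """One finding per request that traverses out of the root or hits a shell binary."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip lines that do not fit the layout
        ts, ip, method, uri, status = m.groups()
        real, escaped = normalize(uri)
        if escaped or real.lower().endswith(SUSPICIOUS_TARGETS):
            findings.append({"time": ts, "ip": ip, "method": method, "uri": real,
                             "status": int(status), "succeeded": status == "200"})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Any finding with `"succeeded": True` is the one to act on first: it shows the server actually served the binary, which is the point at which the site was defaced.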
