john carr
--------------------------------------------

IIS 5 Web Server Compromises
added June 24

US-CERT is aware of new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites. Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system.

US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems.

Web server administrators running IIS 5 should verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.

This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code.

From: United States Computer Emergency Readiness Team out of Carnegie Mellon University

Here's the Microsoft response so far:

What You Should Know About Download.Ject
Published: June 24, 2004 | Updated June 25, 2004 12:35 A.M. Pacific Time

Microsoft teams are investigating a report of a security issue affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer, components of Windows.

Important: Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk.
Reports indicate that Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code.

The MS04-011 patch was issued in April, 2004, and the current version of IIS is 6.0. Apparently this trojan affects an old version of the software if the administrator has failed to patch the old version properly. Trojan programs are old hat but this one is more dangerous because it's harder to detect and doesn't do anything obvious to let you know it's there - it does use specific port numbers where you can check for activity though. Its probable intent is to steal ids, passwords, account numbers and the like and send them back to someplace on the internet.

If you're interested in reading about this kind of thing, try visiting http://www.us-cert.gov/current/current_activity.html for less impassioned, more objective and certainly less self-serving information. Just the facts, ma'am.

"The FUD Buster"
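The check US-CERT asks web server administrators to make (no unusual JavaScript appended to the bottom of pages) can be scripted. The following is an added example, not part of the original post or of the US-CERT or Microsoft text; it assumes that "appended to the bottom" means a script tag after the last </body> or </html>, and the file extensions and sample pages are constructed for illustration.

```python
"""Audit web pages for script appended after the document's closing tag."""
import re
import sys
from pathlib import Path

PAGE_SUFFIXES = {".htm", ".html", ".asp", ".shtml"}  # assumed page types
CLOSE_TAG = re.compile(r"</\s*(?:html|body)\s*>", re.I)
SCRIPT_TAG = re.compile(r"<\s*script\b[^>]*>", re.I)


def trailing_scripts(text):
    """Return the opening <script> tags found after the last </body> or </html>.

    A page with no closing tag at all (an include fragment, say) has only its
    final 2 KiB inspected; treat hits there as a prompt for manual review.
    """
    closes = list(CLOSE_TAG.finditer(text))
    tail = text[closes[-1].end():] if closes else text[-2048:]
    return [m.group(0) for m in SCRIPT_TAG.finditer(tail)]


def audit_tree(root):
    """Map each page under root to its trailing script tags; clean pages are omitted."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PAGE_SUFFIXES:
            # latin-1 decodes any byte sequence, so odd encodings cannot hide a page
            hits = trailing_scripts(path.read_text(encoding="latin-1"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample pages (not captured from a real incident)
CLEAN_PAGE = "<html><head><script src='menu.js'></script></head><body>Hi</body></html>\n"
TAMPERED_PAGE = CLEAN_PAGE + "<SCRIPT language=JavaScript>/* appended */</SCRIPT>\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python audit.py <directory of pages or saved responses>
        for page, tags in audit_tree(sys.argv[1]).items():
            print(f"{page}: {len(tags)} script tag(s) after closing tag: {tags}")
    else:
        print("clean   :", trailing_scripts(CLEAN_PAGE))
        print("tampered:", trailing_scripts(TAMPERED_PAGE))
```

The advisory speaks of pages as delivered by the web server, so run this over saved copies of the server's responses as well as over the files on disk; the two can differ.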
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.