
Malicious Web Attacks May Be New IIS Worm

by phiber on July 17th, 2001

A new Internet worm may be on the loose and could have already infected thousands of sites running Web server software from Microsoft, security experts warned Monday. Since late last week, a malicious program has been scanning the Internet and compromising Microsoft systems running unpatched versions of the Internet Information Server (IIS), according to independent reports. Experts who have reviewed the signature of the code left behind in Web server logs said it appears to exploit a buffer overflow flaw in IIS that was discovered by eEye Digital Security and published last month. In a bulletin released June 18, Microsoft said the flaw could enable an attacker to take complete control of vulnerable IIS systems. The company has released a patch to correct the


According to Marc Maiffret, chief hacking officer for eEye, a preliminary analysis by the security software firm of log files and a copy of the program obtained from victim sites suggests it may be a self-propagating worm designed to scan the Internet for IIS machines vulnerable to the ".ida attack" and to automatically deface their homepages.

According to Maiffret, the defaced page contains a simple message in all red letters: "Welcome to! Hacked By


After infecting an IIS system, the program continues randomly scanning the Internet for other unpatched IIS machines.

Besides performing defacements, some of the commands recorded in victims' server logs indicate the code may also be pulling a program off the Internet that creates a backdoor on the compromised server, according to Maiffret.

The malicious code can be identified by its attempts to access a flawed IIS file named default.ida on the victim computer. The code also appears to make a connection to a Web server located at

The role of the site is still a mystery, according to Richard Bejtlich, a network security engineer for Ball Aerospace who has encountered non-IIS client machines that were scanned but not compromised by the code.
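A defender-side check for the signature described above, added here as an example that is not from the article, from eEye or from Microsoft: it parses IIS W3C extended log lines (a constructed excerpt is embedded; the addresses, times and query strings are placeholders) and counts, per source address, requests for a file named default.ida, which is also how an administrator could tell how many distinct hosts were probing a site. The column layout is taken from the log's own #Fields directive rather than assumed.

```python
from collections import Counter

# Constructed W3C extended log excerpt (the format IIS writes); the IPs,
# timestamps and query strings are placeholders, not data from the article.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-13 22:15:01 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXX 200
2001-07-13 22:15:02 192.0.2.10 GET /index.html - 200
2001-07-13 22:16:40 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXX 200
2001-07-13 22:17:03 203.0.113.5 GET /products.asp id=3 200
2001-07-13 22:18:12 192.0.2.10 GET /DEFAULT.IDA XXXXXXXX 404
2001-07-13 22:18:13 203.0.113.5 GET /scripts/default.ida - 200
this line is malformed and must be skipped
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the log declares its own column layout
            continue
        if not line or line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                       # no layout yet, or a damaged line: skip, do not guess
        yield dict(zip(fields, parts))


def ida_probes(text):
    """Map each client IP to the number of requests it made for a default.ida file.

    The article identifies the worm's traffic by its attempts to reach default.ida,
    so the match is on the URI stem only. The status code is deliberately ignored:
    an answered request shows the host was probed, not that it was compromised.
    """
    hits = Counter()
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()  # IIS paths are case-insensitive
        if stem.endswith("/default.ida"):
            hits[rec["c-ip"]] += 1
    return dict(hits)


def scanning_hosts(text):
    """Distinct source addresses that probed for default.ida, most active first."""
    counts = ida_probes(text)
    return sorted(counts, key=lambda ip: (-counts[ip], ip))
```

Feed it a real log and the length of `scanning_hosts()` is the figure the article quotes in the form "5,000 unique IIS systems probed the site"; a host appearing there is a scanner, and is itself most likely an infected IIS machine.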

"It's possible that the program is calling home to papa. But all we know for sure is that there is exploit code that is very actively looking for these vulnerable IIS systems. How your system will be abused once it's compromised, that's still fuzzy," said Bejtlich.

Roy Messer, the owner of the domain, told Newsbytes that he has no connection to the malicious code, but over the weekend he received eight telephone calls from angry system administrators hit by the program.

"People are accusing me. But I have nothing to do with this thing. I'm a victim too," said Messer, who originally registered the domain hoping to develop it as a search site. At present, the site re-directs visitors to a page at the search engine.

William VanVorst, chief technical officer for NationalNet, Inc., the Georgia-based Internet service provider which hosts, told Newsbytes that the site is running on a Unix server and does not appear to have been compromised by attackers.

"All I know is hundreds of hosts out there, many of them from Asia, are trying to access this site, but we don't know why," said VanVorst, who added that the impact on the ISP's routers has been like a distributed denial of service attack. The firm has since put filters in place to block the Internet addresses of the hosts.

Similarly, the administrator of one site compromised by the worm reported to Maiffret that 5,000 unique IIS systems subsequently probed the site over port 80, the port designated for TCP web requests.

The new malicious program resembles an Internet worm reported in May. The Sadmind worm turned unpatched Sun Solaris servers into robots which silently scanned for Windows NT or 2000 systems running IIS and defaced their home pages with an anti-American message.

Earlier this month, a Japanese hacker published source code to a program designed to remotely exploit the ida vulnerability. According to Maiffret, because the hacker coded the exploit specifically to attack the Japanese-language version of Windows NT, the program will simply crash non-Japanese servers rather than giving the attacker control of them.

Microsoft's bulletin on the ida vulnerability is here.

EEye's advisory on the bug is here.

by Newsbytes,
