Apr 28 2008
If you’ve got an IIS server, you’ll want to take a long look at your traffic and make sure you’re not one of the ‘hundreds of thousands’ of Microsoft web servers that’ve been compromised. Microsoft is staying quiet on this one; it’s F-Secure and Panda Security who are reporting the problem. And it appears to be quite a problem, since the script on the sites is redirecting web surfers to sites that aren’t nearly as wholesome as the original target site. There is a Microsoft advisory with a workaround to block this vulnerability, and Dancho Danchev has a write-up that includes information about the malware that’s being served up with this attack.
A 0day with an automatic discovery and dissemination tool shouldn’t be a surprise to anyone. The fact that it’s hit hundreds of thousands of sites in less than a couple of weeks is slightly surprising, though it mainly means that the bad guys are moving fast. Is this just the next step in Internet security, where we have new 0day vulnerabilities sweeping through web servers on a regular basis? This is another SQL injection attack against the servers, so I wonder if a web app firewall would have protected against this or if tuning would have just opened a hole for the attack vector.
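Added example, not part of the original post and not code from F-Secure, Panda Security or Microsoft: a small scanner that does the "long look at your traffic" suggested above against IIS W3C-format logs. It URL-decodes each request's query string (repeatedly, since double-encoding is common) and flags generic SQL-injection indicators: a statement keyword stacked after a `;`, a quote break followed by a tautology or comment, and `UNION SELECT`. The sample log lines, the field order and the indicator list are constructed assumptions for this example, not the signature of the particular campaign the post describes; a hit is a prompt to pull the request and the page it served for review, not proof of compromise.

```python
"""Flag SQL-injection-looking query strings in IIS W3C extended log lines.

Assumptions (not from the post): the log carries a '#Fields:' header naming
the columns, fields are whitespace-separated as IIS writes them, and the
indicator patterns below are generic, not campaign-specific.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log for the example; IPs are documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2008-04-27 10:01:02 10.0.0.5 GET /products.asp id=42 203.0.113.7 Mozilla/4.0 200
2008-04-27 10:01:09 10.0.0.5 GET /products.asp id=42;DECLARE+@s+VARCHAR(4000);EXEC(@s);-- 198.51.100.9 Mozilla/4.0 200
2008-04-27 10:02:15 10.0.0.5 GET /news.asp id=7%27+or+1%3D1-- 198.51.100.9 Mozilla/4.0 500
2008-04-27 10:03:30 10.0.0.5 GET /search.asp q=declare+your+independence 203.0.113.8 Mozilla/4.0 200
"""

# Generic indicators (assumed). Each requires structure, not just a keyword,
# so ordinary search terms such as "declare your independence" do not match.
INJECTION_PATTERNS = [
    ("stacked-statement",
     re.compile(r";\s*(declare|exec(ute)?|cast|insert|update|delete|drop|union)\b", re.I)),
    ("quote-tautology",
     re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("quote-comment", re.compile(r"'\s*--")),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
]


def decode_query(raw: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), to see through double-encoding."""
    text = raw
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def parse_iis_log(text: str) -> list:
    """Turn W3C log text into dicts keyed by the names from the '#Fields:' header."""
    fields = None
    records = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives: #Software, #Date, ...
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):    # malformed line: skip rather than misalign columns
            continue
        record = dict(zip(fields, values))
        record["line_no"] = line_no
        records.append(record)
    return records


def classify_query(query: str):
    """Return the name of the first indicator that matches the decoded query, else None."""
    decoded = decode_query(query)
    for name, pattern in INJECTION_PATTERNS:
        if pattern.search(decoded):
            return name
    return None


def scan_log(text: str) -> list:
    """Return one hit dict per request whose query string matches an indicator."""
    hits = []
    for rec in parse_iis_log(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":                  # IIS logs '-' when there is no query string
            continue
        reason = classify_query(query)
        if reason:
            hits.append({
                "line_no": rec["line_no"],
                "client": rec.get("c-ip"),
                "stem": rec.get("cs-uri-stem"),
                "query": decode_query(query),
                "reason": reason,
            })
    return hits


def summarize_by_client(hits: list) -> dict:
    """Count hits per client IP; repeated sources are the first thing to look at."""
    return dict(Counter(h["client"] for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line_no']}: {h['client']} {h['stem']} [{h['reason']}] {h['query']}")
    print("per client:", summarize_by_client(found))
```

Run it against a real log with `scan_log(open(path).read())`; the `#Fields:` header is read from the file, so a different column order works unchanged. Indicator matches are reviewed by hand: the point is to shortlist requests and source addresses, after which the relevant pages and database rows are checked for the injected script the post describes.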
Edit: Microsoft does have something to say after all. Thanks, Ben.