I post here the translation (by Freetranslation and seriously revised by me in order to make it more understandable) of an interesting article dealing with scanners, Microsoft IIS, and a possible attack against Internet DNS root servers (this article was written before the October attack!! When fiction meets reality... it's what decided me to share it with you). I could have put it in the M$ security forum, but as the IIS vulnerability aspect was not really surprising, I thought the mass scanning aspect would be more interesting.

The original article (in French) is here
I apologize but the translation is not really good (i didn't want to spend more than 1 hour working in it):

More of a million sites in danger


Antoine Santo, alias AloneTrio, an "expert" in computer security knew and recognized. (To see his portrait in ZATAZ Magazine paper 1, editor's note). After some small boredoms after his discovery, in 2001, in the intranet Matignon, it continued to work on an audit tool Internet which scan IIS holes, hole used in a "radical" manner, a year ago by the virus code red. This audit software has the characteristic to be executable since a simple command under DOS , of small size and multi-threader , it is able to work, to an instant T, on 50 addresses ip of a blow and in an extremist way quick. This audit tool being intended for the businesses interested, an option was added, that is to send back the ip of the sites non fixed to a secure server that loads itself to look for information on these addresss as for example the zone transfers, the owner of the address ... , orderly Information in a basis sql. "The most terrible one " dixit Antoine "My technique has nothing special, or spectacular".

U. W. D.
The tool finished, the site web finished, Unicode Worldwide Database , the antoine project is launched. Some sorted persons will participate in the test of the tool. "I very fast noted of by the mails and the quantities of results that I received that the tool had a fearsome effectiveness ". Imagine, a pirate was able to have the same idea, scanning computer holes by IIS and while transforming this machine in an independent numerical vacuum cleaner via a software of the same kind. One names this sort of machine a zombie. A zombie that transforms itself in hunter of holes.

"My basis very quickly took a consequent size " and the most terrible one is than it proves than hundreds of thousands machines around the planet, special, businesses, armies , administrations are stll non fixed to a security hole known since... 1999.

1000187... no 188 ... no 189 ...
The amount are effectively scaring. To the moment of the writing of this item, July 2002, this data basis was of more than 1 000 187 machines. While peeling this "lists " we were able to discover 16 024 sites in .fr in danger, 310 254 .COM , 270 111 in .NET, 181 156 in .ORG and cherry on the cake, 1 422 .MIL and 141 .GOV, of which 21 *.nasa.gov. In this period to remember according to 11 September, the uncle Sam knows it that it has as much servers in danger? "I contacted the FBI " explained us Antoine "without never to have had a single response ". It is necessary to keep to the mind, that on this number of machine, a little weak system percentage is on dynamic ips (adsl for example), machines that, since, have "surely" been patched and of others, more engraves, that one been reinstalled without correction of the hole.

How to protect itself?
If Antoine succeeded with his audit tool, nothing cannot prevent us from think that of the people, terrorist, pirates, had not the idea, them also, to make a tool in this kind.

"Used and modified to ends - criminal -, my technique, somewhat modified, could allow to fly information , to prepare a mass attack, while transforming these hundreds of thousands of machines in " automatics hackers". Imagine, more of a million of servers in the process of attacking you! " It suffices that the hackers use some of the non fixed machines to attack the root DNS or others potential targets like on strategic points as bandwith resseler through the world". By bandwith Resseler, understand the big suppliers of web connections such as Akamai. The bandwith resseler do not sell usually anothers things than pipes but it happen sometimes that they sell also services as space locations. We can put to the oubliettes MafiaBoy and its friends. (MafiaBoy, was accused to have launched a mass attack in February 2000 against Yahoo!, CNN, Amazon,. ... )"The more better is to avoid the technologies of Microsoft IIS. To look into Apache would not be an evil" explains Antoine. If you cannot do otherwise, patch your servers and never forget to patch them after every reinstallation of your servers