IIS Admins Beware - Get your systems patched

[cybernetic]

and the link is www.astalavista.com ... first one on top

[DjM]

Originally posted here by Tiger Shark
if you are near Detroit

Detroit might be a bit of a stretch, but I'll keep it in mind, who's knows, might be a good security course there someday.


Cheers:

[SirDice]

Did anyone run this tool against something that's known to be vulnerable? Something like an IIS5.0 without any service packs. That should start some bells ringing.

[bballad]

Well on Monday I will have a complete report on what this thing dose, just found out that one of my coworkers is Iranian...but he went home sick today so....Monday I will go through the program with him and see what it actually says.

[omalakai]

We use Snort for IDS, and the ACID Html viewer to read the Snor logs. I am attaching a screenshot of the ACID report. I ran this tool from my workstation to an internal IIS server on our LAN.
In checking the Snort packet captures, this tool does try a lot of directory traversal exploits (against every default IIS virtual directory in the book!) and CMD.EXE calls. But to be honest, you could run any of the vulnerability scanners out there (like Retina from eEye) to get the same result.

[bballad]

Ok the output is in Persian… Well most of it at least. Its poorly written and I couldn’t get the stupid thing to find my server, but here is a translation of the strings we saw,
Asiab doesn’t seem to be a word...or at least not a Persian word its from a language that my middle eastern coworker was unfamiliar with but Pazir Nist is "not permited" Irad az is "problem connecting" this is all I got. and NARAD is "doesn’t exist" so it looks like none of the systems tested where vulnerable...but we tried a system that was a clean IIS 5 install, no patches or service packs on 2k and still got Irad az, it looks like a faulty program. No worries on this one.