URLScan as an attack vector?

Wondering if anyone has experienced this or may have some insight into what happened. We discovered that a production internet web-server (in a DMZ) stopped serving pages after a reboot (patches). We had installed the patches on test servers earlier in the day and not experienced any problems. After scratching my head for a while and poking around a seemingly happy server which just wouldn't serve a page, I thought to check the URLScan logs. Sure enough, it was denying all requests. Turns out our urlscan.ini file had been replaced with this:

[version]
signature="$CHICAGO$"
AdvancedINF=2.5,%BadAdvpackVer%

[SourceDisksNames]
1="UrlScan Files",,1

[DefaultInstall]
;existing gen install INF options
Copyfiles=SecondList
;advanced INF options
RequiredEngine=SETUPAPI,%BadSetupEngineVer%
RegisterOCXs=MyRegisterOCXs
AddReg=MyAddReg
BeginPrompt=BeginPrompt
CheckAdminRights=1
Uninstall=DefaultUninstall

[DefaultUninstall]
RequiredEngine=SETUPAPI,%BadSetupEngineVer%
DelFiles=SecondList
Deldirs=MyDeldirs
DelReg=MyDelReg
UnregisterOCXs=MyRegisterOCXs
EndPrompt=EndPromptUninstall

[DestinationDirs]
SecondList=11,inetsrv\urlscan

[MyRegisterOCXs]
%11%\inetsrv\urlscan\urlscanr.dll

[MyAddReg]
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IisUrlScan","UninstallString",,"RunDll32 advpack.dll,LaunchINFSection ""%11%\inetsrv\urlscan\urlscan.inf"",DefaultUninstall,,"
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IisUrlScan","DisplayName",,"IIS UrlScan Tool 2.0 (Uninstall)"

[MyDelReg]
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IisUrlScan"

[MyDeldirs]
%11%\inetsrv\urlscan

[BeginPrompt]
Prompt=%BeginPrompt%
ButtonType=OKCANCEL
Title=IIS UrlScan Tool 2.0

[EndPromptUninstall]
Prompt=%EndPromptUninstall%
Title=IIS UrlScan Tool 2.0

[SecondList]
urlscan.ini
urlscan.inf
urlscanr.dll
urlscan.dll

[Strings]
BadAdvpackVer="Incorrect version of advpack.dll. Please get new version from our web site."
BadSetupapiVer="Setupapi.dll is required to install on this system."
BeginPrompt="This will install IIS UrlScan Tool 2.0"
EndPromptUninstall="UrlScan has been uninstalled. If any UrlScan activity took place, the log was left as %windir%\system32\inetsrv\urlscan\urlscan.log. (%windir% represents the root of your Windows installation.)"

Anyone seen this attack before or know anything about it?


It looks like someone mistakenly copied urlscan.inf to be urlscan.ini on the machine. I would first look at your patching procedures as the "attack".

Personally, if someone was able to hack your server to replace urlscan.ini with urlscan.inf, they were already administrator and had hacked the server -- so it makes no sense for them to disable urlscan and draw attention to the fact. This is why I think it is a human mistake from your patching procedures and not an attack.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Sleepless in Vancouver" <Sleepless in Vancou***@discussions.microsoft.com> wrote in message news:AEE1CF0A-D870-42EE-816F-4E71BEC14621@microsoft.com...
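The thread's lesson is that a configuration file quietly replaced during patching can disable a web server just as effectively as an attack, and that the way to tell the two apart starts with knowing what the file is supposed to look like. The script below is an added example, not code from the thread or from Microsoft's UrlScan: it records a SHA-256 baseline of urlscan.ini before a patch window and, after the reboot, reports both a hash mismatch and whether the live file still has the shape of a UrlScan INI (it assumes a real urlscan.ini carries an [options] section) or has turned into a Setup INF (signature="$CHICAGO$", [DefaultInstall], [Strings]). The "good" sample is a constructed minimal urlscan.ini; the "bad" sample is an excerpt of the INF content quoted in the post above.

```python
"""Post-patch sanity check for UrlScan's urlscan.ini (added example).

Two checks worth running after a patch/reboot cycle on an IIS host:
  1. integrity: does the live file still match the baseline hash taken
     before patching?
  2. shape:     does it still look like a UrlScan INI ([options] section),
                or has it become a Setup INF (the failure seen in the thread)?
"""
import hashlib

# Section names that belong to a Windows Setup INF, never to urlscan.ini.
INF_MARKERS = frozenset({"version", "defaultinstall", "defaultuninstall",
                         "destinationdirs", "strings"})

# Constructed minimal urlscan.ini (not taken from any real server).
GOOD_INI = """\
[options]
UseAllowVerbs=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=1
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
.exe
.bat
"""

# Excerpt of the urlscan.inf content that was found in urlscan.ini in the post.
BAD_INI = """\
[version]
signature="$CHICAGO$"
AdvancedINF=2.5,%BadAdvpackVer%

[SourceDisksNames]
1="UrlScan Files",,1

[DefaultInstall]
;existing gen install INF options
Copyfiles=SecondList
AddReg=MyAddReg
CheckAdminRights=1
Uninstall=DefaultUninstall

[DestinationDirs]
SecondList=11,inetsrv\\urlscan

[Strings]
BeginPrompt="This will install IIS UrlScan Tool 2.0"
"""


def sha256_text(text: str) -> str:
    """Baseline/compare hash of the file contents (text read as UTF-8)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def sections_of(text: str) -> list:
    """Return the lower-cased [section] names in order of appearance."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            names.append(line[1:-1].strip().lower())
    return names


def classify(text: str) -> str:
    """'urlscan-ini', 'setup-inf' or 'unknown' based on section names/signature."""
    secs = set(sections_of(text))
    if "options" in secs and not (secs & INF_MARKERS):
        return "urlscan-ini"
    if 'signature="$chicago$"' in text.lower() or (secs & {"defaultinstall", "strings"}):
        return "setup-inf"
    return "unknown"


def check(live_text: str, baseline_sha256: str) -> list:
    """Findings for the live file: hash drift and/or wrong content shape."""
    findings = []
    if sha256_text(live_text) != baseline_sha256:
        findings.append("hash-mismatch")
    kind = classify(live_text)
    if kind != "urlscan-ini":
        findings.append("content-" + kind)
    return findings


if __name__ == "__main__":
    # Simulate: baseline taken before patching, live file inspected after reboot.
    baseline = sha256_text(GOOD_INI)
    print("unchanged file:", check(GOOD_INI, baseline) or "OK")
    print("inf-as-ini    :", check(BAD_INI, baseline))
```

On a real host the baseline would be stored off the box (the hash of `%windir%\system32\inetsrv\urlscan\urlscan.ini` before the patch window) and `check()` fed the file read back after the reboot; a `hash-mismatch` with `content-urlscan-ini` points at an edited policy, while `hash-mismatch` plus `content-setup-inf` reproduces exactly the copy mistake diagnosed in the reply.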