
AusCERT Alert 2001.08 Current widespread intruder activity against IIS and sunrpc


A  U  S  C  E  R  T                                           A  L  E  R  T
                        AL-2001.08  --  AUSCERT ALERT
         Current widespread intruder activity against IIS and sunrpc
                                 8 May 2001



	  AusCERT has received increased numbers of reports of apparently
	  automated activity directed against vulnerable implementations
	  of Microsoft Internet Information Server (IIS) and Sun portmapper
	  (sunrpc) services on Internet hosts within Australia and New
	  Zealand over the past few days. Web site defacements have been
	  reported that may be a result of this activity.

	  The cause of this activity is believed to be a new worm that is
	  similar to 1i0n or Ramen.  The worm is believed to operate by
	  compromising Solaris machines running vulnerable services
	  available via sunrpc.  These compromised platforms are then used
	  to launch web defacement attacks utilising the "Unicode Bug"
	  against vulnerable IIS 4.0 and 5.0 servers.

	  The IIS attack is based on a relatively old vulnerability in
	  unpatched versions of Microsoft IIS 4.0 and IIS 5.0. This
	  vulnerability is more commonly known as the "Unicode Bug". More
	  information is available from the previous AusCERT Alert:

	  and the AusCERT External Security Bulletin:

	  It appears that this attack is accompanied by attempts to exploit
	  services available via sunrpc (port 111) on Sun Solaris machines.
	  Information about the most recent vulnerabilities is in the
	  AusCERT External Security Bulletins:

	  These attacks are currently widespread and AusCERT is releasing
	  this information to alert system administrators to this activity.
	  Member sites may wish to check their systems for evidence of
	  attacker activity directed at sunrpc services or malformed URL
	  requests directed at IIS servers.
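
One way to run the IIS log check described above, as an added example that is not part of the AusCERT alert: it flags any percent-encoded overlong UTF-8 sequence in a request URI, which is the general class of malformed encoding behind the "Unicode Bug" and so covers more than a single byte pattern. It assumes W3C extended format logs with a `#Fields:` directive that record the URI as received; the function names and the sample log are constructed for illustration.

```python
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")  # one percent-encoded byte

def overlong_sequences(uri):
    """Return percent-encoded byte runs in uri that can only begin an
    overlong (non-shortest-form) UTF-8 encoding."""
    hits, toks = [], list(PCT.finditer(uri))
    for i, m in enumerate(toks):
        lead = int(m.group(1), 16)
        # The following byte counts only if it is percent-encoded and adjacent.
        nxt = toks[i + 1] if i + 1 < len(toks) and toks[i + 1].start() == m.end() else None
        second = int(nxt.group(1), 16) if nxt else None
        bad = (
            lead in (0xC0, 0xC1)  # never valid UTF-8: 2-byte form of an ASCII character
            or (lead == 0xE0 and second is not None and 0x80 <= second <= 0x9F)
            or (lead == 0xF0 and second is not None and 0x80 <= second <= 0x8F)
        )
        if bad:
            hits.append(uri[m.start():(nxt or m).end()].lower())
    return hits

def scan_w3c_log(lines):
    """Scan W3C extended log lines; return a list of (c-ip, sc-status, hits)."""
    fields, findings = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the records that follow
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            uri = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
            hits = overlong_sequences(uri)
            if hits:
                findings.append((rec.get("c-ip", "-"), rec.get("sc-status", "-"), hits))
    return findings

# Constructed sample log: documentation addresses and placeholder paths.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-08 03:12:44 192.0.2.10 GET /default.htm - 200
2001-05-08 03:12:51 192.0.2.10 GET /docs/caf%c3%a9%20menu.htm - 200
2001-05-08 03:13:02 198.51.100.7 GET /scripts/..%c0%af../example - 404
2001-05-08 03:13:03 198.51.100.7 GET /scripts/..%C1%9C../example - 404
2001-05-08 03:13:05 198.51.100.7 GET /scripts/..%e0%80%af../example - 404
""".splitlines()

if __name__ == "__main__":
    for ip, status, hits in scan_w3c_log(SAMPLE_LOG):
        print(ip, status, ",".join(hits))
```

A flagged request that returned a 200 status deserves closer review than one that returned 404, since it indicates the server accepted the malformed path.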


	  For the sunrpc activity, currently only Solaris platforms which
	  have unpatched services available via sunrpc (port 111) may be
	  vulnerable to these attacks.

	  For the Unicode Bug, unpatched IIS 4.0 and 5.0 servers are
	  vulnerable to these attacks.


	  Sun Solaris systems are being actively attacked and root

	  Servers running IIS 4.0 and 5.0 are being actively attacked and


          A. Patch Vulnerable Solaris Services

	  Solaris System Administrators are urged to check their systems for
	  insecure versions of sunrpc services as per AusCERT Alerts and
	  Bulletins available from:

          B. Patch Vulnerable Versions of IIS

	  Microsoft System Administrators are urged to check their systems
	  for insecure versions of IIS services as per AusCERT Alerts and
	  Bulletins available from:

          C. Consider Wrapping portmap 

	  Administrators may wish to consider wrapping the portmap service
	  using tools such as portmapper as provided by Wietse Venema:


          D.  Check For Signs of Compromise
          If you suspect that your site may have been compromised, we
          encourage you to read:


          If your site has been compromised, we encourage you to read:


	  AusCERT is currently monitoring this problem. If you detect that
	  your systems have been compromised, please contact AusCERT.

---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

AusCERT maintains an anonymous FTP service which is found on:  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
Australian Computer Emergency Response Team
The University of Queensland
Qld  4072
