Attacks against IIS web servers involving MDACFriday, December 10, 1999
We have received reports of IIS web servers compromised via a vulnerability in MS Data Access Components (MDAC). This vulnerability has been widely discussed as early as April 22, 1998. Here are some pointers to information about this vulnerability:
In incidents reported to us so far, attacks can be identified by looking through the IIS log files for POST access to the file "/msadc/msadcs.dll". For example:
1999-10-24 20:38:12 - WWW
POST /msadc/msadcs.dll 200 1409 664 782 ACTIVEDATA - -
If you use Microsoft Remote Data Services (RDS) these POST operations may be legitimate.
We encourage all sites using IIS to carefully follow the steps listed in Microsoft Advisory MS99-025, referenced above, to secure or disable RDS.
Copyright 1999 Carnegie Mellon University.