<p>The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.</p>
<h2>Attacks against IIS web servers involving MDAC</h2>
<p>Friday, December 10, 1999</p>
<p>We have received reports of IIS web servers compromised via a vulnerability in MS Data Access Components (MDAC). This vulnerability has been widely discussed as early as April 22, 1998. Here are some pointers to information about this vulnerability:</p>
<dl>
<dd><a href="http://support.microsoft.com/support/kb/articles/q184/3/75.asp">http://support.microsoft.com/support/kb/articles/q184/3/75.asp</a></dd>
<dd><a href="http://www.microsoft.com/security/bulletins/ms98-004.asp">http://www.microsoft.com/security/bulletins/ms98-004.asp</a></dd>
<dd><a href="http://www.microsoft.com/security/bulletins/ms99-025.asp">http://www.microsoft.com/security/bulletins/ms99-025.asp</a></dd>
</dl>
<p>In incidents reported to us so far, attacks can be identified by looking through the IIS log files for POST access to the file "/msadc/msadcs.dll". For example:</p>
<dl><dd>
<pre>
1999-10-24 20:38:12 &lt;source ip addr&gt; - WWW &lt;dest ip addr&gt; POST /msadc/msadcs.dll 200 1409 664 782 ACTIVEDATA - -
</pre>
</dd></dl>
<p>If you use Microsoft Remote Data Services (RDS) these POST operations may be legitimate.</p>
<p>We encourage all sites using IIS to carefully follow the steps listed in Microsoft Advisory MS99-025, referenced above, to secure or disable RDS.</p>
<p>Copyright 1999 Carnegie Mellon University.</p>
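<p>The log check described in this note, written out as an added example (not part of the original incident note and not CERT or Microsoft code). It assumes W3C extended log files and reads column positions from the <code>#Fields:</code> directive, falling back to the layout of the sample entry above when no directive is present; the log lines and addresses are constructed. Hits are candidates for review, since sites that use RDS will see legitimate POSTs.</p>

```python
from collections import Counter
from urllib.parse import unquote

TARGET = "/msadc/msadcs.dll"  # path named in the incident note

# Constructed sample log (documentation IP ranges), not real incident data.
SAMPLE = """\
1999-10-24 20:38:12 192.0.2.10 - WWW 198.51.100.5 POST /msadc/msadcs.dll 200 1409 664 782 ACTIVEDATA - -
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1999-10-24 20:40:01 192.0.2.10 POST /MSADC/msadcs.dll 200
1999-10-24 20:41:15 192.0.2.77 GET /msadc/msadcs.dll 200
1999-10-24 20:42:30 192.0.2.77 POST /scripts/form.asp 200
""".splitlines()

def find_rds_posts(lines):
    """Return (date, time, client, uri) for every POST to TARGET."""
    fields, hits = None, []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for following rows
            continue
        if not line or line.startswith("#"):
            continue                       # blank line or other directive
        tok = line.split()
        if fields and len(tok) == len(fields):
            row = dict(zip(fields, tok))
            method, uri = row.get("cs-method", ""), row.get("cs-uri-stem", "")
            when, client = (row.get("date", "-"), row.get("time", "-")), row.get("c-ip", "-")
        else:
            # Assumed fallback: the note's layout, date time client ... METHOD URI ...
            idx = next((i for i, t in enumerate(tok[:-1]) if t.upper() == "POST"), None)
            if idx is None or len(tok) < 3:
                continue
            method, uri = tok[idx], tok[idx + 1]
            when, client = (tok[0], tok[1]), tok[2]
        # IIS paths are case-insensitive; decode %-escapes before comparing.
        path = unquote(uri).split("?", 1)[0].lower()
        if method.upper() == "POST" and path == TARGET:
            hits.append((when[0], when[1], client, uri))
    return hits

def posts_per_client(hits):
    """Count matching POSTs per client address to help prioritise review."""
    return Counter(client for _, _, client, _ in hits)

if __name__ == "__main__":
    found = find_rds_posts(SAMPLE)
    for date, time, client, uri in found:
        print(date, time, client, uri)
    print(dict(posts_per_client(found)))
```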