The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Attacks against IIS web servers involving MDAC</h2>

Friday, December 10, 1999
<p>
We have received reports of IIS web servers compromised via a
vulnerability in MS Data Access Components (MDAC). This vulnerability
has been widely discussed as early as April 22, 1998. Here are some
pointers to information about this vulnerability:
<p>
<dl>
<dd><a href="http://support.microsoft.com/support/kb/articles/q184/3/75.asp">
       http://support.microsoft.com/support/kb/articles/q184/3/75.asp</a></dd>
<dd><a href="http://www.microsoft.com/security/bulletins/ms98-004.asp">
        http://www.microsoft.com/security/bulletins/ms98-004.asp</a></dd>
<dd><a href="http://www.microsoft.com/security/bulletins/ms99-025.asp">
        http://www.microsoft.com/security/bulletins/ms99-025.asp</a></dd>
</dl>
<p>
In incidents reported to us so far, attacks can be identified by
looking through the IIS log files for POST access to the file
"/msadc/msadcs.dll". For example:
<p>
<dl><dd>
<pre>
1999-10-24 20:38:12 <source addr="" ip=""/> - WWW <dest addr="" ip=""> POST /msadc/msadcs.dll 200 1409 664 782 ACTIVEDATA - -
</dest></pre>
</dd></dl>
<p>
If you use Microsoft Remote Data Services (RDS) these POST operations
may be legitimate.

<p>
We encourage all sites using IIS to carefully follow the steps listed
in Microsoft Advisory MS99-025, referenced above, to secure or disable
RDS.

<p><!--#include virtual="/include/footer_nocopyright.html" --> </p>
<p>Copyright 1999 Carnegie Mellon University.</p>
</p></p></p></p></p></p>