'RE: Potential Web Services Threat'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       patchmanagement
Subject:    RE: Potential Web Services Threat
From:       "Sireika, James" <JSireika () azerty ! com>
Date:       2004-06-28 19:21:19
Message-ID: 210DF55DED65B547896F728FB057F3B20413E1FE () seaver ! ussco ! com
[Download RAW message or body]

From sans:

We have received information about compromised systems with Internet
Information Server. These systems had an administrator level account with
the username 'IWAP_WWW' added. 

Please check if your server has such an account and let us know what you
find. Until we know more, we suggest that you consider a server compromised
if you find and administrator account with this username. 



http://isc.sans.org/



 

-----Original Message-----
From: Peter Kruse [mailto:pkr@csis.dk] 
Sent: Monday, June 28, 2004 2:19 PM
To: Patch Management Mailing List
Subject: SV: Potential Web Services Threat

Hi Lee,

Since no one really knows the attack vector being used to compromise these
servers it´s hard to tell for sure. Microsoft blames (MS04-011) since
affected servers was not proberly updated. The MS warning can be found here:
http://www.microsoft.com/security/incident/download_ject.mspx

I have not come across any reports that indicates creation of user accounts,
but then again everything is really possible.

A good and detailed writeup of this threat can be found at Symantec´s
website:
http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.p
df

As a sidenote more than 600 servers are still infected with JS.Scub accoring
to Cyveillance, Inc. A pressrelease can be found at this URL:
http://www.cyveillance.com/web/newsroom/press_rel/2004/2004-06-28.htm

Kind regards
Peter Kruse
http://www.csis.dk

>-----Oprindelig meddelelse-----
>Fra: Lee Birchmore [mailto:lbirchmore@gciuk.com]
>Sendt: 28. juni 2004 18:58
>Til: Patch Management Mailing List
>Emne: RE: Potential Web Services Threat
>
>
>Do you have any other info........i.e. one website is saying that a 
>dummy user is created
>
>-----Original Message-----
>From: Gerritz, Jonus (Contractor)
>[mailto:Jonus.Gerritz@usmint.treas.gov]
>Sent: 24 June 2004 19:26
>To: Patch Management Mailing List
>Subject: Potential Web Services Threat
>
>
>


---
To unsubscribe send a blank email to
leave-patchmanagement@patchmanagement.org

---
To unsubscribe send a blank email to leave-patchmanagement@patchmanagement.org

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic