Manuel,
There was a recent security breach discovered in Win2000 on May 1 that we
were notified about that could give an intruder complete control of your
server if not fixed. Here is the info we received:
>I. Description
>
> Windows 2000 includes support for the Internet Printing Protocol (IPP)
> via an ISAPI extension. According to Microsoft, this extension is
> installed by default on all Windows 2000 systems, but it is only
> accessible through IIS 5.0. The IPP extension contains a buffer
> overflow that could be used by an attacker to execute arbitrary code
> in the Local System security context, essentially giving the attacker
> complete control of the system. This vulnerability was discovered by
> eEye Digital Security.
>
> Microsoft has issued the following bulletin regarding this
> vulnerability:
>
> http://www.microsoft.com/technet/security/bulletin/MS01-023.asp
>
> This vulnerability has been assigned the identifier CAN-2001-0241 by
> the Common Vulnerabilities and Exposures (CVE) group:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0241
>
>II. Impact
>
> Anyone who can reach a vulnerable web server can execute arbitrary
> code in the Local System security context, resulting in the intruder
> gaining complete control of the system. Note that this may be
> significantly more serious than a simple "web defacement."
>
>III. Solution
>
>Apply a patch from your vendor
>
> A patch is available from Microsoft at
>
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321
>
> Additional advice on securing IIS web servers is available from
>
> http://www.microsoft.com/technet/security/iis5chk.asp
> http://www.microsoft.com/technet/security/tools.asp
>
>Appendix A. Vendor Information
>
>Microsoft Corporation
>
> The following documents regarding this vulnerability are available
> from Microsoft:
>
> http://www.microsoft.com/technet/security/bulletin/MS01-023.asp
>
>References
>
> 1. VU#516648: Microsoft Windows 2000/Internet Information Server
> (IIS) 5.0 Internet Printing Protocol (IPP) ISAPI contains buffer
> overflow, CERT/CC, 05/02/2001,
> http://www.kb.cert.org/vuls/id/516648
>
> Authors: Chad Dougherty, Shawn Hernan.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2001-10.html
Hope this helps your situation.
Rj
At 01:18 PM 5/9/01, you wrote:
>Hello Everyone,
>
>Someone broke into my intranet and replaced the default.htm with a page
>that displays an obscenity. They also replaced or installed default.asp
>with the same disgusting page.
>The new page has an email on it that could lead to this sick individual.
>Does anyone know if there are any government agencies that investigate
>this type of activity?
>
>Any information would be appreciated.
>Manuel