IIS Web Servers Hacked over the Weekend
- By Scott Bekker
- July 17, 2001
Over the weekend, Web sites running Microsoft Corp.’s IIS Web server platform became the targets of widespread Denial-of-Service (DoS) attacks.
Through Saturday and Sunday, several dozen IT managers posted messages to Microsoft’s IIS newsgroup (microsoft.public.inetserver.iis) in which they complained that Internet services (Web, FTP, SSL) running on Windows NT 4.0 and Windows 2000 systems were arbitrarily stopping – sometimes on the order of every fifteen minutes.
The attacks appeared to target a known vulnerability that Microsoft patched in mid-June, confirms Russ Cooper, editor of the NTBugtraq mailing list. The vulnerability affects the Web-based indexing and search facilities of Windows NT 4.0 and Windows 2000, dubbed, respectively, Index Server 2.0 and Indexing Service. The flaw is an unchecked buffer in the ISAPI extension (idq.dll) that handles requests for .ida and .idq files, documented by Microsoft in security bulletin MS01-033. Exploited by means of a buffer overflow attack, it could enable an attacker to run code of his or her choice on the compromised server with system-level privileges.
When it disclosed the vulnerability, Microsoft urged all customers to apply the hotfix it released to patch it.
Not all users got the message, however.
One affected user, John Catalano, a partner with Atlanta-based 323 Interactive LLC, an ISP that serves small- and medium-sized businesses, says that he first became aware of the problem as early as Saturday night. "I hit our Web site and it was not up. I found that to be strange so I went into our server and brought up the management console for IIS and found that every Web site had been stopped," he relates, stressing that the IIS services themselves were still running – but that individual Web sites had been stopped.
Catalano says that he restarted each of the affected Web sites, monitored the server for another half an hour, figured that everything was OK, and went home. Sunday morning, he received a page telling him that Web services had again stopped on the same server.
Mark Lordi, e-commerce director for Promedia Publishing & Design, reports a similar experience.
"Starting on Sunday I noticed that our Web pages were showing up unavailable," he says. "When it was first noticed we just thought the server was acting glitchy. So we had an employee go reset the machine and everything worked fine. Well, about an hour later we noticed it was doing [it] again."
Most IT managers who were affected by the attacks say that it took them quite some time to troubleshoot the problem. 323Interactive’s Catalano, for example, says that he initially suspected foul play in the form of a virus. After he checked his antivirus software and scanned his machine, however, he says that he knew that he was being hacked.
For his part, Alex Carr, a systems administrator with a UK-based direct marketing firm, says that he initially suspected that the problem could be attributed to a collaborative chat application that he'd installed the week before. After spending hours troubleshooting the problem with the makers of the chat tool, he says that over the next day he reinstalled his Windows NT service packs, considered a full operating system reinstall before deciding against it, and then resolved his problem by checking the IIS newsgroup.
Promedia Publishing's Lordi says that he also went through a raft of troubleshooting procedures before finally finding help on the IIS newsgroup.
"Checking error logs, application logs, and system logs, everything appeared to be in working order. We tried stopping and restarting service[s, but] nothing was helping our case," he says. "So after checking the [IIS] messageboards, we finally saw a solution that appeared to work and it was downloading a critical update from Microsoft’s Windows update [Web site]."
The critical update in question, Lordi confirms, contained a patch for the June 18th indexing service vulnerability.
Worm Causes Attack
Security experts have long expected an outbreak of attacks of this type. Late last month, security specialist eEye Digital Security warned that several hacker groups had created tools to exploit known IIS vulnerabilities – including the dangerous indexing service vulnerability. And in early July, news outlets reported that a Japanese hacker had posted an IIS-hacking program to a Website on Geocities.com. In both cases, such tools could allow even novice computer users with no cracking experience to exploit un-patched IIS systems and to gain complete control over them.
What’s most sobering about last weekend’s attacks, suggests NTBugtraq’s Cooper, is how limited they were in scope: the indexing service vulnerability gives attackers the ability to take complete control of compromised servers, and yet last weekend’s exploits were largely confined to frustrating DoS attacks.
Mark Maiffret, chief hacking officer with eEye, agrees.
"Somebody could definitely have done more evil things, they could have made it where nobody knows about it," he says. "Somebody could have definitely developed it in a way where it was quiet and didn’t deface web sites and didn’t change any content so that there’d really have been no way to know that a system was infected."
Bill Tillson, a Windows NT systems operations manager with Primus Managed Hosting Solutions, says that he missed a scheduled family outing on Sunday afternoon to deal with the problem. What puzzles him, he allows, is that the attacks were more of an annoyance than anything else.
"They didn’t really do anything. It seemed like they were just issuing a kind of NET STOP command," he says. "I’m wondering if this guy didn’t get a list of all of the IIS servers out there that were un-patched and just started issuing NET STOP commands."
According to eEye’s Maiffret, the attack, which his company has labeled the ".IDA ‘Code Red’ worm," is actually a worm that first infects a vulnerable server and then spawns up to 100 new threads as it begins searching for other servers to infect. Although the worm picks its targets pseudo-randomly, Maiffret says, every copy seeds its random-number generator with the same fixed value, so every infected host walks through the same sequence of IP addresses, and the addresses early in that sequence are probed again by each new infection.
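To make the seeding point concrete, here is an added simulation (not code from the article, from eEye, or from the worm itself): a toy linear congruential generator stands in for the worm's generator, the address space is shrunk to 256 hosts so the effect shows in a few lines, and the constant FIXED_SEED and the per-host seeding rule are assumptions for illustration. It compares how many times the most-probed host is hit when every instance starts from one fixed seed versus a seed that differs per instance.

```python
from collections import Counter

# Toy LCG parameters (Park-Miller "minimal standard"); chosen for readability,
# NOT the worm's actual generator (assumption for illustration only).
MODULUS = 2**31 - 1
MULTIPLIER = 48271
HOST_SPACE = 256          # constructed toy address space instead of full IPv4
FIXED_SEED = 0x1234       # constructed constant standing in for a hard-coded seed


def lcg(seed):
    """Yield an endless pseudo-random stream from a linear congruential generator."""
    state = seed % MODULUS or 1   # state 0 would be a fixed point; avoid it
    while True:
        state = (state * MULTIPLIER) % MODULUS
        yield state


def scan_targets(seed, count):
    """First `count` hosts an instance seeded with `seed` would probe, in order."""
    gen = lcg(seed)
    return [next(gen) % HOST_SPACE for _ in range(count)]


def simulate(num_infected, probes_each, seed_for):
    """Run `num_infected` instances, each probing `probes_each` hosts.

    `seed_for(i)` returns the seed that instance i starts with. Returns a
    Counter mapping target host -> number of probes it received.
    """
    hits = Counter()
    for i in range(num_infected):
        hits.update(scan_targets(seed_for(i), probes_each))
    return hits


def fixed_seed(_instance):
    """Every copy starts from the same seed: the behaviour the article describes."""
    return FIXED_SEED


def per_host_seed(instance):
    """Per-instance seed, as if derived from something unique to each host (assumed)."""
    return FIXED_SEED + 7919 * (instance + 1)


def max_hits(num_infected, probes_each, seed_for):
    """Number of probes the single most-probed host receives."""
    return simulate(num_infected, probes_each, seed_for).most_common(1)[0][1]


if __name__ == "__main__":
    n, k = 100, 10
    for label, rule in (("fixed seed", fixed_seed), ("per-host seed", per_host_seed)):
        hits = simulate(n, k, rule)
        print(f"{label:14s} distinct targets={len(hits):4d}  "
              f"max hits on one host={max_hits(n, k, rule)}")
```

With 100 simulated infections probing ten hosts each, the fixed-seed run concentrates all 1,000 probes on at most ten hosts, so each of them is hit at least 100 times, while the per-host-seed run spreads the probes across most of the 256-host space. Scaled to the Internet, a host that happens to fall early in the shared sequence receives a probe from every infected machine, whether or not it is itself vulnerable.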
Patched systems cannot be infected, Maiffret explains, but they still receive the probes, so a server that sits early in that shared sequence can be overwhelmed and taken down by the sheer volume of .IDA requests arriving from infected systems across the Internet. To that point, Maiffret says that he has received reports from some systems administrators who claim to have seen .IDA requests from as many as 5,000 unique IP addresses.
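A check for the traffic Maiffret describes, added here as an example (not code from the article or from eEye): it parses an IIS W3C extended log, flags requests for .ida or .idq files whose query string is far longer than any legitimate search query, and counts them per source address, which is how an administrator would arrive at a "unique IP addresses" figure. The log excerpt is constructed for the example, the threshold MIN_SUSPICIOUS_QUERY is an assumption, and the oversized query only imitates the shape of the probe traffic rather than reproducing any real payload.

```python
from collections import Counter

# Constructed sample: an IIS 5.0 W3C extended log excerpt, not a real capture.
# The oversized query mimics the shape of an overflow attempt against the
# indexing-service ISAPI extension; no real worm payload is reproduced.
_OVERSIZED_QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2001-07-15 00:00:00",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-15 00:00:03 192.0.2.10 GET /default.htm - 200",
    f"2001-07-15 00:00:09 198.51.100.7 GET /default.ida {_OVERSIZED_QUERY} 200",
    f"2001-07-15 00:00:11 203.0.113.44 GET /default.ida {_OVERSIZED_QUERY} 404",
    f"2001-07-15 00:00:15 198.51.100.7 GET /default.ida {_OVERSIZED_QUERY} 200",
    "2001-07-15 00:00:20 192.0.2.10 GET /search.idq ct=text 200",
])

# Assumption: a legitimate Index Server query is nowhere near this long.
MIN_SUSPICIOUS_QUERY = 200


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line.

    W3C fields are space-separated and an empty query is written as "-", so a
    plain split is safe. Records whose field count does not match the header
    are skipped rather than misattributed to the wrong columns.
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                      # other directives: #Software, #Date, ...
        if fields is None:
            raise ValueError("log record appears before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def is_index_probe(record, min_query=MIN_SUSPICIOUS_QUERY):
    """True for a request to an .ida/.idq resource carrying an oversized query string."""
    stem = record.get("cs-uri-stem", "").lower()
    query = record.get("cs-uri-query", "-")
    if not stem.endswith((".ida", ".idq")):
        return False
    return query != "-" and len(query) >= min_query


def probe_sources(records):
    """Counter of source address -> number of suspicious .ida/.idq requests."""
    return Counter(r["c-ip"] for r in records if is_index_probe(r))


if __name__ == "__main__":
    sources = probe_sources(parse_w3c(SAMPLE_LOG))
    print(f"{len(sources)} unique source addresses sent .ida/.idq probes")
    for ip, n in sources.most_common():
        print(f"  {ip:15s} {n}")
```

The status code is deliberately ignored: a patched server answers the probe without being compromised, so the request shows up in the log whether the server was vulnerable or not, which is exactly why patched systems still saw thousands of these entries.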
Users Still in the Dark
Many users who were targeted over the weekend say that they’d never even heard of the indexing service vulnerability before.
"I honestly hadn’t heard about it," concedes Primus’ Tilson. "We'd been putting together 2000 systems, and keeping an eye on those patches, but we didn’t even know that this thing affected NT 4.0 [systems], too."
"That was the first time I’ve heard of it," confirms 323Interactive’s Catalano.
At the same time, however, users say that once they had identified that there was a problem, and in the absence of a credible explanation from security experts, the IIS newsgroup helped them troubleshoot it.
"I jumped on the newsgroup … and found that we were not alone!" says Tom Welch, a Windows NT administrator. "There were others experiencing the same attacks at the same time. Although this did not change the fact that I was being attacked, it did relieve me to know that people smarter than me were on the hunt for the fix."
Stephen Swoyer