"Jheer" <Jheer@discussions.microsoft.com> wrote in message
news:D5CC7112-F73D-4FB3-8ABA-D3DB22D6135A@microsoft.com...
> 2007-04-20 01:59:43UTC 88.229.55.206 Hacked By Nið-DeLi
> Defaced a page on just 1 of my sites. PUT /index.htm to plant the file
> using
> Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1,
> was the method. I have since repaired this per MS KB 241520. prob should
> suggest others disable the same as defacements are rising. Not sure if
> other
> platforms accept the PUT request. In IIS it responds with a 400 error (bad
> request) but WebDAV is still able to replace index.htm. out of all the
> sites
> on the server, 1 site was on root that was defaced, subs were not
> affected.
> Hope this helps someone else avoid a defacement.

"Bernard Cheah [MVP]" wrote:

> They could come in via many channels.
> The safest thing is to rebuild the box, you never know if there's backdoor
> left open.
>
> --
> Regards,
> Bernard Cheah
> http://www.iis.net/
> http://www.iis-resources.com/
> http://msmvps.com/blogs/bernard/
>
>
> "Jheer" <Jheer@discussions.microsoft.com> wrote in message
> news:D5CC7112-F73D-4FB3-8ABA-D3DB22D6135A@microsoft.com...
> > 2007-04-20 01:59:43UTC 88.229.55.206 Hacked By Nið-DeLi
> > Defaced a page on just 1 of my sites. PUT /index.htm to plant the file
> > using
> > Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1,
> > was the method. I have since repaired this per MS KB 241520. prob should
> > suggest others disable the same as defacements are rising. Not sure if
> > other
> > platforms accept the PUT request. In IIS it responds with a 400 error (bad
> > request) but WebDAV is still able to replace index.htm. out of all the
> > sites
> > on the server, 1 site was on root that was defaced, subs were not
> > affected.
> > Hope this helps someone else avoid a defacement.
>
>