
iis security : IIS 6 strange file


magagnon NO[at]SPAM maginformatique.com
6/1/2007 5:48:33 AM
Hi,

There are some strange files in the root of different websites.
Some of my friends told me that it is an IIS6 security hole. Does
anybody have a solution?

They are just HTML files.

Like these:

default.html
tromnk.htm

The content of those files was:

Ir4Dex Back By Zakix your DATA H4Xored =)
core-project
<html>

<head>
<meta http-equiv="Content-Language" content="tr">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1254">
<title>Hacked Mr.Trojan Trojan wWw.StarHack.Org wWw.Trojan-Tr.Org</title>
</head>

<body text="#800000" bgcolor="#000000">

<p>&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center"><a href="http://www.trojan-tr.org">
<img border="0" src="http://www.trojan-tr.org/erterterte.jpg"
width="400" height="400"></a></p>
<p align="center">&nbsp;</p>
<p align="center"><font size="6" color="#808080" face="Comic Sans
MS">Mr.Trojan
Was Here</font></p>
<p align="center"><font face="Comic Sans MS" size="6" color="#808080">
<a href="http://wWw.StarHack.Org" style="text-decoration: none">
<font color="#808080">wWw.StarHack.Org</font></a> &quot;
<a href="http://wWw.Trojan-Tr.Org" style="text-decoration: none">
<font color="#808080">wWw.Trojan-Tr.Org</font></a> </font></p>
<p>&nbsp;</p>

</body>

</html>
Dave
6/3/2007 7:38:45 PM
It may 'just' be an HTML file, but if you didn't put it there then someone
else has access to your server.

My best first step advice: PULL THE PLUG NOW! This will stop it from being
used to attack anyone else or getting further into your network.

Then research the problem, find how it got on, and what else may have been
damaged. Copy off only files that you can PROVE have not been contaminated;
then my second step advice is to flatten the box and start over, making sure
that you plug all the security holes this time before it goes live on the
internet.
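
One way to start the "find how it got on" step, as an added example that is not part of the original thread: a small Python triage of IIS W3C extended logs that reports the first logged request for each of the two file names from the question and any request for them that used a method other than GET or HEAD. It assumes logging was enabled with the cs-method, cs-uri-stem and c-ip fields; the log lines and IP addresses are constructed sample data and say nothing about how the poster's server was actually reached.

```python
"""Triage IIS W3C extended logs for requests touching files found in the web root."""

# File names reported in the question above.
SUSPECT_FILES = {"default.html", "tromnk.htm"}
READ_METHODS = {"GET", "HEAD"}

# Constructed sample log (documentation IP ranges); not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2007-05-30 22:10:01 GET /index.asp 192.0.2.10 200
2007-05-30 23:41:17 PUT /tromnk.htm 198.51.100.7 201
2007-05-30 23:41:20 GET /tromnk.htm 198.51.100.7 200
2007-05-31 08:02:45 GET /Default.html 203.0.113.5 200
"""

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()  # IIS writes embedded spaces as '+'
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def triage(lines, suspects=SUSPECT_FILES):
    """Return (first_seen, write_hits) for requests whose file name is suspect."""
    wanted = {name.lower() for name in suspects}  # Windows paths ignore case
    first_seen, write_hits = {}, []
    for row in parse_w3c(lines):
        name = row.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        if name not in wanted:
            continue
        first_seen.setdefault(name, row)  # log rows are in time order
        if row.get("cs-method", "").upper() not in READ_METHODS:
            write_hits.append(row)
    return first_seen, write_hits

if __name__ == "__main__":
    first, writes = triage(SAMPLE_LOG.splitlines())
    for name, row in first.items():
        print(name, "first seen", row["date"], row["time"], row["cs-method"], row["c-ip"])
    for row in writes:
        print("non-read method:", row["cs-method"], row["cs-uri-stem"], row["c-ip"], row["sc-status"])
```

Run it against copies of the log files taken from the disconnected server, and treat an empty result as a sign to check the other services on the box rather than as a clean bill of health.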
