Focus on Microsoft
/Rpc virtual directory in IIS - How did it get there? Dec 05 2002 03:08AM
sjr hushmail com (2 replies)
Re: /Rpc virtual directory in IIS - How did it get there? Dec 08 2002 03:33AM
Frank Knobbe (fknobbe knobbeits com)
Re: /Rpc virtual directory in IIS - How did it get there? Dec 06 2002 06:41PM
H C (keydet89 yahoo com)
Did you preserve the MAC times from the virtual directory, as well as the DLL you found? You could use those to track back activity, based on whatever logging (EventLog, IIS web logs, etc.) that you find suspicious activity in. Since you say you only allow port 443 access, that may rule out directory traversal, but I'd check the logs anyway.

Also, were any updates done recently?

--- sjr (at) hushmail (dot) com wrote:
>
> Recently I was surprised to notice a new virtual directory on an Internet-facing IIS box of ours. It was called Rpc, and pointed to c:\winnt\system32 with Read and Execute permissions. Ding-ding-ding, alarm bells started going off in my head. As I investigated further, though, I was surprised to find that there could actually be pseudo-justifiable reasons for this. The box also had a new ISAPI filter installed called RPCProxy, which referenced c:\winnt\system32\rpcproxy.dll. Googling on rpcproxy.dll brought up, among other things, the WinNT SP4 Readme.txt, which describes how to set up COM Internet Services (CIS), aka DCOM tunneled over HTTP. The setup instructions are not too dissimilar to what I found on our IIS box, although MS recommends that you copy rpcproxy.dll to its own folder and point the virtual directory there rather than exposing all those other goodies in system32.
>
> So, either way I'm left wondering - how the heck did the virtual directory and ISAPI filter end up on this box? The box was reasonably well patched, though it didn't have the latest round of hotfixes (like the MDAC one). Plus, we only allow SSL/TCP 443 traffic to it from the Internet, which generally wards off the most common IIS attacks. Regardless, does this match any known attack signatures that anyone can think of?
>
> Alternately, does anyone know of 3rd-party software that might install COM Internet Services silently as part of its own installation routine?
>
> Any other thoughts?

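As an added example (not code from the thread or from either poster), the following Python script does the correlation H C suggests: take the MAC times an investigator recorded for the suspect DLL and pull out the IIS W3C extended log entries that fall within a window of each timestamp, plus any request that touched the new /Rpc virtual directory at all. The MAC values, client addresses and log lines are constructed for the example; only the /Rpc path and the rpcproxy.dll name come from the thread.

```python
"""Correlate a suspect file's MAC times with IIS W3C extended log entries.

Added example, not from the original thread: given the created/modified/
accessed timestamps recorded for a suspect file and an IIS web log, list the
requests that fall in a window around each timestamp, and any request under
the suspect virtual directory regardless of time.
"""
from datetime import datetime, timedelta

# Constructed MAC times (made up for this example) as an investigator might
# have recorded them for c:\winnt\system32\rpcproxy.dll before touching it.
SUSPECT_MAC = {
    "created":  datetime(2002, 11, 30, 2, 14, 7),
    "modified": datetime(2002, 11, 30, 2, 14, 7),
    "accessed": datetime(2002, 12, 4, 23, 51, 0),
}

# Constructed IIS 5.0 W3C extended log excerpt; addresses and paths are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-11-30 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-11-30 01:58:12 10.0.0.7 GET /default.htm - 200
2002-11-30 02:12:40 10.0.0.9 GET /Rpc/rpcproxy.dll - 401
2002-11-30 02:13:55 10.0.0.9 RPC_IN_DATA /Rpc/rpcproxy.dll - 200
2002-11-30 02:16:01 10.0.0.9 GET /Rpc/ - 403
2002-12-01 14:00:00 10.0.0.7 GET /index.asp - 200
2002-12-02 09:00:00 10.0.0.11 GET /Rpc/ - 404
2002-12-04 23:50:30 10.0.0.9 GET /Rpc/rpcproxy.dll - 200
"""


def parse_w3c_log(text):
    """Parse W3C extended format: '#Fields:' names the columns, other '#' lines are directives."""
    fields, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than aborting the whole parse
        entry = dict(zip(fields, values))
        entry["timestamp"] = datetime.strptime(
            entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries


def correlate(entries, mac_times, window=timedelta(minutes=10), path_prefix="/Rpc"):
    """Return (reasons, entry) pairs for requests near any MAC time or under path_prefix.

    Each reason names which timestamp the request is close to, so the analyst can
    see at a glance whether a hit relates to the file's creation or a later access.
    """
    hits = []
    for entry in entries:
        reasons = []
        for name, ts in mac_times.items():
            if abs(entry["timestamp"] - ts) <= window:
                reasons.append("within %s of %s time" % (window, name))
        if entry.get("cs-uri-stem", "").lower().startswith(path_prefix.lower()):
            reasons.append("request under " + path_prefix)
        if reasons:
            hits.append((reasons, entry))
    return hits


if __name__ == "__main__":
    for reasons, e in correlate(parse_w3c_log(SAMPLE_LOG), SUSPECT_MAC):
        print(e["timestamp"], e["c-ip"], e["cs-method"], e["cs-uri-stem"],
              e["sc-status"], "|", "; ".join(reasons))
```

The window is deliberately a parameter: the MAC times only tell you when the file was written and last read, so the analyst widens or narrows it depending on how noisy the log is, and feeds the same timestamps into whatever other logging is available (EventLog exports, firewall logs) rather than relying on the web log alone. The point of recording the MAC times first, as H C asks, is that opening or copying the DLL during the investigation would overwrite the access time this script keys on.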

Copyright 2009, SecurityFocus