This is in response to the guy who asked about his weblog showing weird commands for cmd.exe and root.exe.

This message shows how to do it with the cgi-bin folder, but for that guy, he saw it in the scripts folder, which also most likely has execute access. My guess is someone is trying to use this crack to get into his (or his ISP's) server.

-----BEGIN PGP SIGNED MESSAGE-----
Some of you may have already noticed a marked increase in the number of IIS defacements over recent weeks. Apparently this is due to a Solaris-based worm which, after compromising a vulnerable Solaris box, propagates itself and attempts to attack IIS boxes it can find.
The IIS vulnerability it exploits is to use .. navigation to copy cmd.exe into the scripts directory as root.exe and then perform a series of commands to replace index.asp (although I've been told that some default.asp pages have been overwritten by this code also).
This IIS vulnerability was first addressed by MS00-057 (Aug.10,2000). MS00-078 (Oct.17,2000) reminded folks to get the MS00-057 fix, and MS00-086 (Nov.6,2000) fixed it also. Each of these Microsoft Security Bulletins referred to variations on the same issue, or additionally affected platforms.
From what we've seen, most of the machines that are being compromised are NT 4.0 IIS 4.0 boxes that have never had appropriate patches applied to them (Service Pack installed but no patches). More than a few are development boxes, plus quite a few Outlook Web Access boxes.

Unfortunately, CERT Advisory CA-2001-11 refers to MS00-078 for the patch, when it should really point to MS00-86 since it fixes the same components and affords additional protection against vulnerabilities discovered after MS00-057 was released. The CERT Advisory also makes reference to MS01-023 for some unknown reason. The best information we have suggests that MS01-023 has nothing to do with this worm or the current spate of defacements.
For more information read;

and for background;

Keep current on your patches by checking the following URLs regularly;
Windows NT 4.0 with SP6a and IIS 4.0

vicePackId=7
Windows 2000 with SP1 and IIS 5.0

vicePackId=1

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
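
A log check for the pattern discussed above, as an added example that is not part of the original post or the quoted advisory: it scans a web log for requests that name cmd.exe or root.exe, or that contain a `..` path segment once percent-encoding is removed. It assumes the server writes W3C extended format logs with a `#Fields:` header; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in W3C extended log format (not taken from the post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-08 10:01:02 192.0.2.10 GET /default.asp - 200
2001-05-08 10:01:05 192.0.2.77 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe /c+dir 200
2001-05-08 10:01:09 192.0.2.77 GET /scripts/root.exe /c+dir 200
2001-05-08 10:02:00 192.0.2.77 GET /cgi-bin/root.exe /c+dir 404
2001-05-08 10:03:00 192.0.2.10 GET /docs/cmd.exe.html - 200
"""

# The final path component must be exactly cmd.exe or root.exe.
SHELL_NAME = re.compile(r"(?:^|/)(cmd|root)\.exe$", re.IGNORECASE)

def normalize(stem):
    """Percent-decode until stable so nested encodings cannot hide '..'."""
    for _ in range(5):
        decoded = unquote(stem)
        if decoded == stem:
            break
        stem = decoded
    return stem.replace("\\", "/")

def scan(log_text):
    """Return findings as (c-ip, decoded stem, status, reasons) tuples."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = normalize(row.get("cs-uri-stem", ""))
        status = row.get("sc-status", "")
        reasons = []
        if ".." in stem.split("/"):
            reasons.append("dot-dot path segment")
        if SHELL_NAME.search(stem):
            reasons.append("command interpreter requested")
        if reasons and status.startswith("2"):
            # A 2xx status means the server answered rather than rejected it.
            reasons.append("request succeeded")
        if reasons:
            findings.append((row.get("c-ip"), stem, status, reasons))
    return findings
```

Findings marked "request succeeded" are the ones to investigate first, since they indicate the server is missing the patches named in the advisory.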