[Dshield] 0 Day vulnerability in IIS and IE exploited

Johannes B. Ullrich jullrich at euclidian.com
Fri Jun 25 18:51:37 GMT 2004


> Any more info about how the IIS servers are getting hacked?

At this point, it looks like this episode is over. As of last
night, the actual trojan can no longer be reached.


In my opinion, the websites did not get compromised by a 0-day.
The 'SSL-PCT' theory is most plausible to me. Sites may have
been compromised in the past, and kept open via backdoors
after they got patched. So if a sysadmin checks now, they
find that the machine is patched and they exclude ssl-pct
as a route of entry.

The unpatched MSIE vulnerability is a different issue. I think
we are going to see more like this soon.


-- 
----------------------------------------------------------------
Visiting SANSFIRE?? Stop by at IPNet and say Hi ;-)
http://www.sans.org/sansfire2004
----------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
contact: http://johannes.homepc.org/contact.htm
----------------------------------------------------------------
