[unisog] vml (and mdac?) exploited web sites

power less absolutelynopower at gmail.com
Sat Feb 3 17:42:56 GMT 2007

I was curious as to what people should search for if they wanted to know if
vml (and mdac?) exploits had made it onto any web pages
in their neighborhood. That would be a worthy cause, wouldn't it, checking
web pages for badness? I don't suppose there is a free utility that does that?

Dreaming out loud: the ideal would be a module that could detect potentially
malicious content in supplied html and it could be used as
a plugin in web browsers and as a plugin in some kind of web spider program or
other uses.

I am referring to this story:
Note the implication of iis5 and iis6 being compromised.

And here it is alleged that CDC was compromised:

Websense also implicated an MDAC exploit:

"The type of malicious software used in the attack is easy to detect and
easy to protect against, the security experts said."
[Sorry I can't help but make a snide comment: yeah that's why it was there
for a week :-) ]

Ok how does one detect it then? Also if people have ideas about how
attackers exploit iis if that's what they do, it'd be
nice to hear about it.

"We literally find tens of thousands of these things every day -- they're
everywhere from big-name sites like this one to mom-and-pop bakery shops,"
said Dan Hubbard, vice president of security research at Websense. "It's
definitely a good lesson in staying up to date on the patches."

Well geez, how about we also
1. stop the miscreants from breaking in and planting crud on people's web
2. detect this stuff so that web owners/institutions can remove such
malicious code as soon as it gets in
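
An added example, not part of the original post: a minimal sketch of the kind of HTML-checking module the message wishes for, which could be called from a spider over fetched pages. The three heuristics (a VML namespace declaration, a hidden iframe, the RDS.DataSpace class ID) and the names `scan`, `TagScanner` and `is_hidden` are assumptions chosen for illustration; a hit means "review this page", not proof of compromise.

```python
from html.parser import HTMLParser

# Assumptions (public knowledge, not from the post): the CLSID of the
# RDS.DataSpace ActiveX control shipped with MDAC, and the VML XML namespace.
RDS_DATASPACE_CLSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"
VML_NAMESPACE = "urn:schemas-microsoft-com:vml"

def is_hidden(attrs):
    """True for frames sized 0/1 px or hidden via inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

class TagScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]  # line on which this tag starts
        if any(k.startswith("xmlns") and v.lower() == VML_NAMESPACE for k, v in a.items()):
            self.findings.append((line, "vml-namespace"))
        if tag == "iframe" and is_hidden(a):
            self.findings.append((line, "hidden-iframe"))

def scan(html):
    """Return sorted (line, label) findings for a human to review."""
    scanner = TagScanner()
    scanner.feed(html)
    scanner.close()
    findings = list(scanner.findings)
    # The CLSID may sit in markup or inside a script string, so search raw text.
    for n, text in enumerate(html.splitlines(), 1):
        if RDS_DATASPACE_CLSID in text.lower():
            findings.append((n, "rds-dataspace-clsid"))
    return sorted(findings)

# Constructed sample page, not taken from any real site.
SAMPLE = """<html xmlns:v="urn:schemas-microsoft-com:vml">
<body>
<p>Welcome to the bakery</p>
<iframe src="http://example.invalid/" width="0" height="0"></iframe>
<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"></object>
</body></html>"""

if __name__ == "__main__":
    for line, label in scan(SAMPLE):
        print(f"line {line}: {label}")
```

Static matching like this misses content that is obfuscated or assembled at run time by script, so it complements patching and file-integrity monitoring on the web server rather than replacing them.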
