
Microsoft Site Defacement Spurs IIS Flaw Rumors

Microsoft's Web site for France was defaced by digital graffiti artists over the weekend. Normally, I wouldn't call attention to this kind of childish and illegal behavior, except that in this case the "attacker" appears to be breaking only into sites that run Microsoft Internet Information Services (IIS) 6.0 on Windows Server 2003 installations.

The murmurs are basically that if Microsoft can't secure its own site against defacements, then perhaps a previously unknown security flaw in Microsoft's Web server software is being exploited here. I have no reason to believe this is the case; it seems more likely that someone at Microsoft simply misconfigured the server. Either way, I've put a query in to the folks at Microsoft, and I will update this blog post once I hear back from them.

The Microsoft France site is still down as of this writing, but you can see a screenshot of the message left by the attacker here. This hacker or hacker group, which goes by the handle "TitHack", has been busy lately, as evidenced by the hundreds of other sites running Server 2003 that have suffered the same attack recently.

I sincerely hope this is not a foreshadowing of another Microsoft Web server flaw, as some have suggested. As the Code Red and Code Red II worms showed in July 2001, Web server worms can be extremely nasty. Code Red left a defacement message on affected Microsoft IIS servers and then instructed tens of thousands of infected computers to launch an attack against the White House Web site.

Update, 2:02 p.m. ET: Microsoft put out a statement saying its "initial investigation points to a mis-configuration of a web server at a third party hosting facility as the most likely cause of the compromise. Upon completion of our investigation more information regarding the cause will be posted to the MSRC blog."

Update, 10:35 a.m. ET, June 20: Web site defacement archive Zone-h.org posted a follow-up today on this break-in, in which they apparently interviewed the guy who attacked Microsoft's site. According to Zone-H co-author Roberto Preatoni, the hacker broke in using an unpatched flaw in DotNetNuke, an open-source content management system built on ASP.NET, Microsoft's Web application framework. I left a message with the people over at DotNetNuke, but no word yet on whether they're aware of this issue.

Update, 10:42 a.m. ET, June 21: I caught up with DotNetNuke founder Shaun Walker, who said he was unaware of any unpatched flaws in his application. Walker suggested that the problem might have stemmed from a vulnerable third-party DotNetNuke plug-in, such as one recently identified in a program module from DNN Modules. Richard Cox of DNN Modules had this to say:

"We have no knowledge of the particular incident mentioned in the URL you cited. However we can confirm that approximately seven weeks ago we did become aware of a vulnerability in our modules, and the symptoms described at that URL are consistent with the vulnerability."

By Brian Krebs  |  June 19, 2006; 10:50 AM ET
Categories:  Latest Warnings  

Comments

I apologize for posting something not directly connected to your blog, but I do not know who else to ask. At least this is about MS...

I downloaded Windows Genuine Advantage Notifications but do not want to install it but I cannot get it off my computer. I realized what it was before it installed (but after it downloaded) because I trust MS so little that I do not let updates be installed without asking me. My copy of XP is legit (came with my ThinkPad) but I do not want to install this thing for several reasons such as the fact the install is permanent and cannot be reversed, I fear possible system problems--and because I resent so much MS trying to sneak this in. (Its initial description of itself is very misleading; it only tells you what it is really doing when you click for more information.) Even though I have managed to not install it, I can find no way to delete it from the installation "queue." It keeps bugging me to install it. Now that I have downloaded it, how can I get rid of it without letting it install? Thanks for any help.

Greg

Posted by: OT question | June 19, 2006 1:37 PM

Greg -- check out this tool made available at BroadbandReports.com, that claims to kill the notification thingee. I can't vouch for it, but others have had success w/ it.

Good luck.

http://www.dslreports.com/forum/remark,16330119

Posted by: Bk | June 19, 2006 1:55 PM

Greg,

If you haven't installed the WGA updates yet, you should be able to click on the Automatic Updates icon in your tray (the yellow shield) and view the updates.

Click on the plus sign near those updates, and you'll get a more detailed description and a check box which says "Do not display this update again." (That's from memory, it may not be exact. You get the idea.)

Check that box and continue the update process. You shouldn't see it again.

I've done this with the machines I support, and while I can't go to windowsupdate.microsoft.com and download updates anymore, Automatic Updates continues to download critical updates which I then install manually.

There's tons of commentary on this topic. Google "Windows Genuine Advantage," or even "Windows Genuine Disadvantage."

Posted by: Marley | June 20, 2006 12:21 AM

In your blog "Microsoft Site Defacement Spurs IIS Flaw Rumors" you say that "it seems more likely someone at Microsoft simply misconfigured the server". However, a little later you state that "TitHack, has been busy lately, as evidenced by the hundreds of other sites running Server 2003 that have suffered the same attack recently". These two statements seem to be mutually exclusive but I do hope that the former is correct.

Posted by: Frank McLellan | June 20, 2006 10:15 AM

Marley,

I think your method works, but I'm pretty sure you will have to keep declining the install every time you download patches from Microsoft. It's just like the malicious software removal tool: even if you uncheck the box and say "don't ask me again," it will still prompt you to install it again.

Posted by: Bk | June 20, 2006 10:15 AM

See the latest update to the entry above, tx.

Posted by: Frank | June 20, 2006 10:58 AM

Thanks a bunch, Brian and Marley. I am sure one or both of these methods will work. D--- Microsoft...

Greg

Posted by: Thanks | June 20, 2006 3:46 PM

I find it very hypocritical of people to bash Microsoft and Bill Gates and then use Windows on all of their systems. I run Slackware on most of my computers, not because I dislike or distrust Microsoft, but because it works for me more efficiently than Windows. I concede that Microsoft has had some problems, but I have two Windows computers that have been problem free for close to two years. Windows is a useful and complete product. It has its flaws, but I think the reason I don't have problems with viruses and spyware is that I take responsibility for securing and protecting my system and I don't wait or depend on others to do it for me. I'm not a Windows user, but it really irks me to hear people bash Windows reflexively and not be able to back up their criticism. IMHO, it's on par with racism.

Posted by: Ben | June 20, 2006 8:34 PM

Regarding DotNetNuke and the DNN Modules vulnerability, I'm writing because I don't think your post was fair. For one thing, it's not known that in fact the problem was a result of the vulnerability in the DNN Modules software. That's just a possibility. I don't like the way Shaun seemed to pass the buck over to DNN Modules either. Most significantly, though, as a long-time customer of DNN Modules I don't think it's fair to write that they had a problem without also mentioning the excellent customer service and follow-up they had subsequent to the problem. Any complicated software has bugs and security flaws; they dealt with it in an unusually quick and responsible manner. Actually, the DotNetNuke core team did as well. But anyway, we don't even know that the DNN Modules vulnerability had anything to do with the incident you described in your post. So I feel your post draws conclusions which aren't properly qualified as uncertain, and which also unfairly characterize DNN Modules in a poor light.

Posted by: Shane | June 21, 2006 1:56 PM

Shane -- I'm sorry you feel this post was unfair to DNN. I'm glad you had such a positive experience with their customer service. Many companies could learn a great deal from that kind of inspired loyalty (assuming you don't work for DNN).

My reporting on this Web site defacement elicited a response from Microsoft that this was the result of a "mis-configuration of a web server," which is one way of saying someone did not securely configure the Web site and the software that runs it. Usually, this is the result of patches that were not applied or default settings that were not changed. In either case, the onus falls on the user to keep their systems up to date.

When one talks about a misconfiguration that the world's largest software company makes, it's reasonable to assume others have made the same mistake. The point of my column is to give people information they can use to protect themselves online. Should I not report information about vulnerabilities in products just because that vulnerability was fixed quickly and graciously? Again, the issue is getting people to apply the updates, so calling attention to their very existence is a very necessary thing.

Posted by: Bk | June 21, 2006 2:23 PM

Ben, your post stating that you "take responsibility for securing and protecting my system and don't wait or depend on others to do it for me" is elitist at best and unrealistic at worst. Millions of Microsoft Windows users do not have the skills or knowledge to protect themselves, and Microsoft's unfortunate choices in areas such as least user privilege and ActiveX controls have left these users twisting in the wind.

Posted by: eb | June 21, 2006 2:26 PM

I accidentally inserted my post a second time, if you would kindly delete the second copy of it.

Thanks.

Posted by: Shane | June 21, 2006 3:05 PM

Brian, thanks for qualifying that and for including the information on the response from Microsoft. And FYI no, I don't work for DNN but have been a happy user for a couple of years.

Posted by: Shane | June 21, 2006 3:16 PM

Ben,

I am not sure if you were referring to me when you said "I find it very hypocritical of people to bash Microsoft and Bill Gates and then use Windows on all of their systems." In case you were, FYI I am soon to be an ex-Windows user as I am buying a Mac in a couple of months.

Thanks,

Greg

Posted by: Greg | June 22, 2006 6:20 PM

I was wondering if there was any update on this. I noticed on the zone-h site that as recently as 7/16/2006 that there are still a lot of sites being defaced by TiTHack and that some of them are mass defacements of hosting sites. Have you heard anything new?

Posted by: Bob | July 17, 2006 10:00 AM

This is just another nail in the coffin of Open Source. I tried DNN for almost two years and found it extremely painful to work with. I also started really realizing just how vulnerable Open Source code is because hackers have your blueprints, making it extremely easy to hack.

Posted by: Chris | July 18, 2006 1:31 PM

I've used good open source and bad open source and I've paid for good and bad software. I haven't found either more or less secure based on whether or not it's open source or closed. Besides, I don't know anyone who closes their source for security, they do it for MONEY.

DNN sites are not the only ones being defaced though. Several of the sites that I checked out I know were created with Dreamweaver and asp.

My real concern is that this group has now defaced nearly 2500 sites and I still haven't been able to find any information about what the misconfiguration is or how to fix it to prevent compromise.

Posted by: Bob | July 18, 2006 1:49 PM


© 2010 The Washington Post Company