Microsoft Site Defacement Spurs IIS Flaw Rumors
Microsoft's Web site for France was defaced by digital graffiti artists over the weekend. Normally, I wouldn't call attention to this kind of childish and illegal behavior, except in this case the "attacker" appears to be only breaking into sites that run Microsoft Internet Information Services (IIS) server 6.0 on Windows Server 2003 installations.
The murmurs are basically that if Microsoft can't secure its own site against defacements, then perhaps there is a previously unknown security flaw in Microsoft's Web server software being exploited here. I have no reason to believe this is the case; it seems more likely someone at Microsoft simply misconfigured the server. Either way, I've put a query in to the folks at Microsoft, and I will update this blog post once I hear back from them.
The Microsoft France site is still down as of this writing, but you can see a screenshot of the message left by the attacker here. This hacker or hacker group, which goes by the handle "TitHack", has been busy lately, as evidenced by the hundreds of other sites running Server 2003 that have suffered the same attack recently.
I sincerely hope this is not foreshadowing of another Microsoft Web server flaw, as some have suggested. As the Code Red and Code Red II worms showed in July 2001, Web server worms can be extremely nasty. Code Red left a defacement message on affected Microsoft IIS servers, and then instructed tens of thousands of infected computers to launch an attack against the White House Web site.
Update, 2:02 p.m. ET: Microsoft put out a statement saying its "initial investigation points to a mis-configuration of a web server at a third party hosting facility as the most likely cause of the compromise. Upon completion of our investigation more information regarding the cause will be posted to the MSRC blog."
Update, 10:35 a.m. ET, June 20: Web site defacement archive Zone-h.org posted a follow-up today on this break-in, where they apparently interviewed the guy that attacked Microsoft's site. According to Zone-H co-author Roberto Preatoni, the hacker broke in using an unpatched flaw in DotNetNuke, an open-source content management system designed to interact with ASP.NET, a Web development language from Microsoft. I left a message with the people over at DotNetNuke, but no word yet on whether they're aware of this issue.
Update, 10:42 a.m. ET, June 21: I caught up with DotNetNuke founder Shaun Walker, who said he was unaware of any unpatched flaws with his application. Walker suggested that the problem might have stemmed from a vulnerable third-party DotNetNuke plug-in, such as one recently identified in a program module from DNN Modules. Richard Cox of DNN Modules had this to say:
"We have no knowledge of the particular incident mentioned in the URL you cited. However we can confirm that approximately seven weeks ago we did become aware of a vulnerability in our modules, and the symptoms described at that URL are consistent with the vulnerability."