FYI, here's a post from the editor of BugTraq:

-----------------------
"This is definitely being caused by the problems discussed in MS01-033.
It's a buffer overflow in Index Server, which is installed and started by
default. You may be able to find traces in your IIS logs by looking for
requests for default.ida followed by a bunch of "N"s. There will be no
trace on disk; it's pushed into memory through the overflow where it
continues to execute. After the defacement it will also scan other IP
addresses looking for more IIS boxes to inflict the same damage on.

"As to being patched, many things might cause a patched system to become
unpatched. Simply adding or modifying a component can revert a patched
system to an unpatched state."

"In this case, the best thing to do is to unmap .ida and .idq in your
Extensions Mapping screen, and then get the patch in case you decide to
use that functionality later on."
-----------------------

Here are some additional links:

The Microsoft security alert for the hack:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

The forums thread at Allaire:
http://forums.allaire.com/coldfusion/messageview.cfm?catid=12&threadid=212752


-mike
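An added example (not from this post, the BugTraq editor, or Microsoft) of the log check the quote above describes: it reads an IIS W3C extended log and flags requests for default.ida whose query string carries a long run of "N"s. The log lines, the client addresses and the 100-character run threshold are constructed assumptions.

```python
import re

# Constructed sample of an IIS W3C extended log; not taken from any real server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-17 00:05:12 192.0.2.10 GET /index.cfm - 200
2001-07-17 00:07:41 192.0.2.77 GET /default.ida {pad}%u0000 200
2001-07-17 00:09:03 192.0.2.10 GET /default.ida NNN 404
""".format(pad="N" * 224)

MIN_RUN = 100  # assumed threshold: a probe pads the query with hundreds of "N"s


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date) or blank lines
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_ida_probes(text, min_run=MIN_RUN):
    """Return (timestamp, client ip, length of the N run, status) per matching request.

    The status code helps triage: a 404 usually means .ida was not mapped to the
    Index Server ISAPI extension, so the request reached a static handler instead.
    """
    run = re.compile("N{%d,}" % min_run)
    hits = []
    for row in parse_w3c(text):
        if not row.get("cs-uri-stem", "").lower().endswith("/default.ida"):
            continue
        m = run.search(row.get("cs-uri-query", ""))
        if m:
            hits.append((row["date"] + " " + row["time"], row["c-ip"],
                         len(m.group()), row["sc-status"]))
    return hits


if __name__ == "__main__":
    for when, ip, n, status in find_ida_probes(SAMPLE_LOG):
        print("default.ida probe from %s at %s: %d N's, status %s" % (ip, when, n, status))
```

Run it against a real log by reading the file into `find_ida_probes`; the short "NNN" request is deliberately left unflagged to show the threshold at work.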

> -----Original Message-----
> From: Gary Longford [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 17, 2001 7:36 AM
> To: CF-Talk
> Subject: RE: CF Hack
> 
> 
> Do you have any additional information on this? My company got hit by
> this today. Can you maybe forward the email from Macromedia? In great
> computing style my manager is panicking about the problem, and is reluctant
> to try the web servers back on. I have emailed Macromedia myself but have
> received no response as of yet.
> 
> Yours,
> 
> Gary Longford
> Senior Web/Database Developer
> 
> -----Original Message-----
> From: Dylan Bromby [mailto:[EMAIL PROTECTED]]
> Sent: 17 July 2001 00:23
> To: CF-Talk
> Subject: CF Hack
> 
> 
> This weekend a friend of mine's web sites were hacked. It only affected his
> CF pages/applications. All CF pages displayed the message "Welcome to the
> http://www.worm.com Hacked by Chinese".
> 
> They received immediate attention from Macromedia this morning after sending
> them an email. They were one of 3 sites reporting the hack; they were the
> only U.S. based site. Macromedia engineers and personnel are actively
> involved in investigating the hack, and one person suggested a
> memory-resident virus. But nothing's been confirmed.
> 
> He runs CF4.5 to the best of my knowledge.
> 
> As I learn more I will post.
> 
> --Dylan
>

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists