This specific exploit utilises the canonicalization error in IIS 4.0 and 5.0
as specified by MS here -

http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

Hope that helps.
Ad.



-snip-
>
> a simple re-install from scratch or backup is WORTHLESS....
> ------------------------------------------------------------
>
> you have to do something different to remove the exploit they
> used to get into the server in the first place
>       - usually means apply all known patches
>       ( intelligently or blindly depending on your comfort level
>       ( apply all patches blindly unconditionally, as you already
>       ( did that when you installed from cdrom anyway.. gotta trust
>       ( somebody
>
>       then wait(hours,days,weeks,months)  and see if they get in again..
>
> if they get in again... you have to wonder if the trapdoor and backdoor
> etc is in your backups too....and/or if your entire network is insecure
> somewhere else that allows them to get in
>
> have fun tracing/tracking/learning...
> alvin
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
