Problem is that it's not IIS in itself that is the problem; it's the web application running on IIS that doesn't sanitize its input that is the problem, that and probably using a database user account with too many privileges to access the backend, plus no auditing on the database backend to track what is being viewed, and on and on...

Too bad it takes mass hacks like these to get some people's attention to the matter, often too late, after they have been 0wned.....

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]

From: Andrew S. Baker [mailto:[email protected]]
Sent: Tuesday, June 15, 2010 5:46 PM
To: NT System Admin Issues
Subject: Re: Time to verify your IIS setup

More important to me is, "How many discrete managers of IIS systems/environments does this represent?"

I mean, on one level, if a single ISP hosting 500 discrete sites for clients is a victim, that's not exactly the same thing as those 500 clients failing to manage this risk.

On the other hand (and from a more practical standpoint), they're still victims just the same...

-ASB: http://XeeSM.com/AndrewBaker

On Tue, Jun 15, 2010 at 5:38 PM, Sam Cayze <[email protected]> wrote:

Dang. I was just curious... How many IIS sites are there in the world? Roughly 780K. So if Sucuri.net's 111K number is accurate, that's about 1 in 7 IIS sites that are affected. Yikes.

Source: http://news.netcraft.com/archives/category/web-server-survey/ (most places on my search pointed to NetCraft having the most accurate results).

Sam

On Wed, Jun 9, 2010 at 3:43 PM, Kurt Buff <[email protected]> wrote:
> about 111,000 sites infected
>
> http://isc.sans.edu/diary.html?storyid=8935

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
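The root cause Edward points at in the first message (the application pasting request input into SQL, not IIS itself), as an added example that is not part of this thread: the concatenating lookup that the mass-injection campaigns exploited, beside the same lookup with a bound parameter, run against a constructed in-memory SQLite table standing in for a site's content database (table name, rows and the `slug` field are all assumptions for illustration).

```python
import sqlite3


def make_db():
    """Constructed sample backend: a tiny 'pages' table, not real site data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (slug, body) VALUES (?, ?)",
        [("home", "Welcome"), ("about", "About us"), ("admin", "Admin panel")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, slug):
    """The vulnerable pattern: request input spliced straight into SQL text.

    Whatever the client sends becomes part of the statement, so a quote in
    the input changes the query's structure instead of being a value.
    """
    sql = "SELECT slug, body FROM pages WHERE slug = '" + slug + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, slug):
    """The fix: the same query with a bound parameter.

    The driver sends the statement and the value separately; the input can
    only ever be compared against the column, never parsed as SQL.
    """
    return conn.execute(
        "SELECT slug, body FROM pages WHERE slug = ?", (slug,)
    ).fetchall()


def compare(slug):
    """Run both lookups on one input and return the row counts side by side."""
    conn = make_db()
    return {"unsafe": len(lookup_unsafe(conn, slug)),
            "safe": len(lookup_safe(conn, slug))}


if __name__ == "__main__":
    # A normal slug behaves identically in both versions...
    print("home     ->", compare("home"))
    # ...while a tautology in the input makes the concatenated query match
    # every row; the parameterized query matches nothing, as it should.
    print("tautology->", compare("home' OR '1'='1"))
```

The same two shapes apply to classic ASP / ADO and ADO.NET code on IIS: `SqlCommand.Parameters` is the parameterized form, string-built `CommandText` is the concatenating one.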
