One of the best examples of the IIS security problem would be the recent [EMAIL PROTECTED] virus! That thing spread like the plague, and was a REAL pain in the ar$e to get rid of! Web servers STILL have problems with this virus - even today! Proof of the pudding is in our web logs, which run on IIS by the way on an NT server (patched):
2001-11-29 05:35:09 203.252.134.121 - GET /scripts/root.exe 404 604 - - 2001-11-29 05:35:09 203.252.134.121 - GET /MSADC/root.exe 404 604 - - 2001-11-29 05:35:11 203.252.134.121 - GET /c/winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:11 203.252.134.121 - GET /d/winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:12 203.252.134.121 - GET /scripts/..%5c../winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:12 203.252.134.121 - GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:13 203.252.134.121 - GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:13 203.252.134.121 - GET /msadc/..%5c../..%5c../..%5c/..� ../..� ../..� ../winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:15 203.252.134.121 - GET /scripts/..� ../winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:15 203.252.134.121 - GET /scripts/winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:16 203.252.134.121 - GET /scripts/../../winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:16 203.252.134.121 - GET /scripts/..\../winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:18 203.252.134.121 - GET /scripts/..S5c../winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:18 203.252.134.121 - GET /scripts/..S5c../winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:19 203.252.134.121 - GET /scripts/..%5c../winnt/system32/cmd.exe 404 604 - - 2001-11-29 05:35:19 203.252.134.121 - GET /scripts/..%2f../winnt/system32/cmd.exe 404 604 - - This is basically an infected web server polling other web servers to try and automatically infect our server with the virus.. Hackers seem to HATE Micro$oft, which inherently makes their software a hackers target. You never hear much about security patches in Apache or OMNI HTTPD or some other web server.. Another problem is that Micro$oft like to tie all of their software together with the O/S, and many hackers find the back doors in the O/S to exploit the server software.. If you want to continually check the microsft update pages for security patches that seem to come out every week, then carry on and use IIS! Luckily our service provider does all of this for us (we don't have our web server in house yet - that's my project for next year), but when I get around to this it will most certainly be on LINUX with apache, and probably a MySQL database backend.. Mark -----Original Message----- Verghese Sent: 29 November 2001 04:04 To: Multiple recipients of list ORACLE-L Thanks for you inputs. I'd like some concrete data on Security issues with IIS. Do you know of any sites for this ??? You know how it is, I can't just go to management and tell them that it's not very secure, I need to prove it with data (To make this all the more interesting I'm contracting with a state agency right now... you can imagine the managers there....... No offense to any State "managers" in this group :-) !!!) >From: [EMAIL PROTECTED] >Reply-To: [EMAIL PROTECTED] >To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]> >Subject: RE: 9ias Vs IIS >Date: Wed, 28 Nov 2001 15:00:26 -0800 > >I'm not a web expert either ... we're just starting to look at web-enabling >our forms. > >But one big potential drawback to using IIS would be security issues. It's >the most-targeted and most-hacked server out there. Someone will need to >be >applying patches constantly and hoping for the best. > >Ask the new guys when was the last time they had to deal with a >security/hacker problem with your current 9iAS/Apache setup. :-) Not that >it can't be hacked ... but the hackers tend to focus on the easiest target. > > > -----Original Message----- > > From: Sunny Verghese [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, November 28, 2001 2:14 PM > > To: Multiple recipients of list ORACLE-L > > Subject: 9ias Vs IIS > > > > > > Briefly, our current setup includes Web enabled forms (PL/SQL > > Cartridges) > > accessing an 8i database via 9ias (currently OAS 4.2 but will > > be moving to > > 9ias in a month). Btw, we also use ORACLE APPS (11i) using > > the same Web > > Server (apps and ias handled by another dba... thankfully :-) ......) > > > > For a new system (requirement : ability for customers to > > upload files (xml, > > fixed format text file or spreadsheet, or enter data via a > > form. Need only > > specific people to be able to upload these files. Files need to be > > transmitted and saved securely...... Digital signature ?. > > These files could > > be required later (Law suit)) that we are looking at, a > > couple of new guys > > (who believe that the Sun rises and sets because of Microsoft > > !!!!) are > > proposing using IIS --> ASP --> OEMDB --> ORACLE database > > (existint DB). > > They also have a problem with IIS --> JSP --> JDBC --> ORACLE > > DB (they claim > > JSP would be an overhead on IIS and would slow it down) > > > > I don't know the web stuff well enough (Obviously :-) !!!) to > > see the holes > > (if any) in this approach. Their complaint is that 9ias is > > slow (or in their > > words, ORACLE should stay with databases and not get into the > > Web server > > world !!!) > > > > Opinions / Info that would help ????? > > > > Thanks, > > Sunny > > > > _________________________________________________________________ > > Get your FREE download of MSN Explorer at >http://explorer.msn.com/intl.asp > >-- >Please see the official ORACLE-L FAQ: http://www.orafaq.com >-- >Author: Sunny Verghese > INET: [EMAIL PROTECTED] > >Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 >San Diego, California -- Public Internet access / Mailing Lists >-------------------------------------------------------------------- >To REMOVE yourself from this mailing list, send an E-Mail message >to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in >the message BODY, include a line containing: UNSUB ORACLE-L >(or the name of mailing list you want to be removed from). You may >also send the HELP command for other information (like subscribing). >-- >Please see the official ORACLE-L FAQ: http://www.orafaq.com >-- >Author: > INET: [EMAIL PROTECTED] > >Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 >San Diego, California -- Public Internet access / Mailing Lists >-------------------------------------------------------------------- >To REMOVE yourself from this mailing list, send an E-Mail message >to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in >the message BODY, include a line containing: UNSUB ORACLE-L >(or the name of mailing list you want to be removed from). You may >also send the HELP command for other information (like subscribing). _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Sunny Verghese INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mark Leith INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
