Last week, I received a startling email message with this subject line: Large Criminal Hacker Attack on Windows NT E-Banking and E-Commerce Sites. Those words are certainly enough to warrant any administrator's attention. The email message described the attack, and it sounded scary. According to Alan Paller, director of research for the SANS Institute, the FBI and the Secret Service are jointly investigating the largest organized credit-card theft in history. Hackers have compromised more than 40 Web sites in 20 states, stealing information about more than one million credit cards.
At first, I thought the email was a hoax. The warning included instructions to download a tool from the Center for Internet Security Web site that administrators can use to ensure the safety of their systems. The email message also included a call for immediate action—a necessary component of any hoax. It all sounded a little strange.
After I convinced myself that an immediate call to action was indeed necessary, I started digging into the vulnerability details. The warning listed once again includes the famous ODBC/RDS (MS99-025) vulnerability—Unauthorized Access to IIS Servers through ODBC Data Access with Remote Data Services (RDS). (I think the National Infrastructure Protection Center (NIPC) has re-released this vulnerability about three times.) The NIPC list also includes exploits for SQL Query Abuse Vulnerability (MS00-014), Registry Permissions Vulnerability (MS-008), and Web Server File Request Parsing Vulnerability (MS00-086).
These vulnerabilities aren't new. The ODBC/RDS vulnerability continues to deface Web sites in record numbers. Quite frankly, if you don't need this function, remove it from your Web server. How do you determine whether you need it? If your Web server makes ODBC calls to a source such as a database, you might. It's worth a look. If you used the defaults when you installed IIS, you almost certainly installed the function.
As of this writing, the Center for Internet Security hasn't released the tool. The original warning on the SANS Institute Web site hasn't been updated. And although Microsoft recently released new security bulletins, none of them directly relate to this warning. I strongly recommend that you take a moment to look at the SANS Institute alert and perform a self evaluation based on the included previous alerts. And keep a close eye on the news.http://www.sans.org/newlook/alerts/NTE-bank.htm
Until next time,