Updated June 25th 2004 01:27 UTC
"RFI - Russian IIS Hacks?
The reason for the attack seems to point back to the spamming community. There is quite a bit of evidence that what we are seeing is yet another technique for spreading and installing "spamware" (software that assists in either creating, relaying, proxying, or otherwise participating in the sending of spam.) We don't see any evidence that this attack is related to the construction of a DDoS network or other type of typical zombie-based attack group. However, we continue to monitor and will provide updates if anything further develops...
[original diary entry follows]
A reader pointed us to an IIS discussion group (microsoft.public.inetserver.iis.security ***) where several IIS administrators discovered some strange .dll files on their web servers in the past 24 hours. According to the discussion on that list, they are all 1kb .dll files. They were deposited in the \winnt\system32\inetsrv directory with names like iis7xy.dll where x is a random number that appears to be between 1-3 and y is a random character or number...
Also (may be related) >>> Corporate Web servers infecting visitors' PCs
June 24, 2004, 6:35 PM PDT
"...The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties. "We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site. The group also pointed out that the malicious program uploaded to a victim's computer is not currently detected as a virus by most antivirus software. With no patch from Microsoft, that leaves Internet Explorer users vulnerable. A representative of the software giant was not immediately available for comment on when a patch might be available..."
Edited by apluswebmaster, 25 June 2004 - 03:22 AM.