Feeds

Hacking IIS – how sweet it is

Shopping sprees for carders

  • alert
  • submit to reddit

Business security measures using SSL

Updated We've looked over a few recent credit-card database compromises brought to our attention by CardCops (formerly AdCops), an organization which tries to get the straight dope on e-commerce hacks directly from the blackhat community to better inform merchants of threats to their systems.

The most recent victims CardCops has seen are on-line perfumery StrawberryNet.com; computer retailer mWave.com; and a very large Texas ISP called Stic.net, which gave up many thousands of credit card details, along with the records of 500 businesses and their FTP logins. All of the victims are running IIS 4 or 5 over Win-NT or 2K.

Not surprisingly, Microsoft IIS is quite popular among carders, because its got lots and lots of holes, and because its often used by people who lack the technical know-how to bung them. It's easy to use, which makes it particularly attractive for those who want to break into e-commerce on a shoestring, and particularly attractive as well for those who just want to break in.

CardCops founder Dan Clements reckons that IIS is in use by roughly fifty per cent of e-merchants, but represents over eighty per cent of their data compromises.

Under its 'amnesty program,' CardCops seeks information from active carders in exchange for a guarantee that they won't be tracked, reported or otherwise harassed. The idea is to warn the merchants and card issuers when they've been hacked, and to learn which exploits are most popular and most successful.

One such submission posted recently caught our eye. It details the sheer ease with which one can exploit the IIS folder traversal vulnerability (which was also exploited by the sadmind/IIS worm for the less-threatening business of defacing servers, as we reported here).

Exploiting the folder traversal bug causes IIS to reveal any directory on the logical drive that contains the Web directory and gives up access to any file in it. It allows the user to escape from the Web directory and access files elsewhere on the same drive. If the user has his Web directories and system directories on the same drive, bingo -- machine owned.

Mind you, MS issued a hotfix for this vulnerability in October of 2000, and the sadmind/IIS worm ought to have alerted quite a few admins that they were open to it, but this seems not to have helped as much as one would wish. Furthermore, the simple precaution of placing Web directories and system directories on different drives would limit the damage, but this also seems to be overlooked more often than not.

According to what we've seen -- a little how-to manual submitted to CardCops -- finding a vulnerable IIS machine is pretty much like shooting fish in a barrel.

The unique item here is the author's home-made progie, called 'Microsoft IIS Raper', which quickly scans chosen IP ranges, automatically searching for vulnerable IIS machines.

The program also simplifies matters and speeds things up considerably by trying to fetch cmd.exe directly via http. Whenever it hits, one knows that the folder traversal vulnerability is working as it should. After that, one simply installs a Trojan to keep the machine open in case it should be patched later, and thus it's owned. (Savvy crackers will patch the system fully at this point, to prevent competitors from taking it over.)

Patch this
How can it be this easy to exploit a vulnerability that Microsoft patched ten months ago, and which a recent worm highlighted to admins with numerous page defacements?

"What's going on is that there are just too damn many patches. It's simply impossible to keep up. I get weekly summaries of new vulnerabilities and patches. One alert service listed 19 new patches in a variety of products in the first week of March 2001. That was an average week. Some of the listings affected my network, and many of them did not. Microsoft Outlook had over a dozen security patches in the year 2000. I don't know how the average user can possibly install them all; he'd never get anything else done," Counterpane Internet Security CTO Bruce Schneier remarks in a recent article.

It's a fair point indeed, though we have hopes that Microsoft will soon make it a bit easier.

And as for the recent hacks, CardCops' Clements says that none of the businesses or ISPs he's contacted recently, warning that they've been hacked, have bothered to reply. However, Stic.net President David Robertson told us that he was never contacted, and deems it "highly unlikely" that his system had been compromised.

He's lately been "bouncing off the walls," he reports, trying to contact AdCops for more information since press time. ®

Related Story

Online Fraud Museum details CC hacking techniques

Related Links

Folder traversal patch IIS 4.0
Folder traversal patch IIS 5.0

Choosing a cloud hosting partner with confidence

More from The Register

next story
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.