UPDATE:
http://www.cert.org/advisories/CA-2001-11.html
Well, we got the work site (read that ISP) systems recovered. They are using the 'parent path' weakness to back out of the web page 'up' to the operating system, then are executing stuff to create the webpages.
We closed the 'parent path' door. (don't forget to reboot or the changes do nothing)
We deleted all the unneeded virtual directories.
A sure sign of this attack is finding 'root.exe' in your website's script directory.
I replaced it with a copy of notepad.exe, renamed to root.exe and locked the file down to prevent it from being replaced.
My home server only had the 'parent path' fix in place, and I can tell you that it is not enough to prevent the hackers.
I was lucky enough to catch the website logfile before it was deleted (it is not just a diesel that one can 'BOMB'). A very crafty string is being sent to the webserver as a web page URL. That contains the entire attack!
If you are in the industry, send me an email and I will send you the logfile thread.
My first attack was from a computer at the University of Miami. I talked to some real red-faced folks there!
Tonight I was attacked again from a university in Japan. I just finished that email message to the Director of information services.
Ah, the joy of computers.
Remember, it is considered impossible to hack a computer that is really turned off.
[This message has been edited by David_VT (edited 05-09-2001).]
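The post describes two signs of this attack: parent-path ('..') traversal in the requested URL, and a 'root.exe' turning up in the script directory. The following is an added example (not the poster's code and not from the CERT advisory) of how to scan a web-server logfile for both signs. It assumes the IIS W3C extended log field order shown in the constructed sample, assumes '/scripts/' is the name of the script directory, and uses constructed log lines rather than the poster's real logfile. The one lesson worth noting is that the URI must be percent-decoded repeatedly before matching, because an encoded or double-encoded '..' looks harmless in the raw log line.

```python
"""Flag web-server log entries showing parent-path traversal or a request
for root.exe under a script directory.  Added example; constructed data."""
import re
from urllib.parse import unquote

# Constructed sample lines in IIS W3C extended format.  Field order is an
# assumption (see FIELDS below); real logs may differ.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-08 22:14:03 192.0.2.10 GET /default.htm - 200
2001-05-08 22:14:09 192.0.2.77 GET /scripts/../../winnt/notes.txt - 200
2001-05-08 22:14:11 192.0.2.77 GET /scripts/%2e%2e%2f%2e%2e%2fwinnt/notes.txt - 200
2001-05-08 22:14:15 192.0.2.77 GET /scripts/%252e%252e/%252e%252e/winnt/notes.txt - 200
2001-05-08 22:14:20 192.0.2.77 GET /scripts/root.exe - 200
2001-05-08 22:15:02 192.0.2.10 GET /images/logo.gif - 200
"""

FIELDS = ["date", "time", "c_ip", "method", "uri_stem", "uri_query", "status"]
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")      # a '..' path segment
SCRIPT_DIRS = ("/scripts/",)                   # assumed script directory name


def normalize_uri(uri, rounds=3):
    """Percent-decode repeatedly (a double-encoded '..' only appears after
    the second pass), fold backslashes to slashes and lower-case the result
    so the matching below sees the path the server would actually resolve."""
    decoded = uri
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def parse_line(line):
    """Return a dict of fields for a data line, or None for comments/blank."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(entry):
    """Return the list of reasons an entry looks like the attack, or []."""
    reasons = []
    path = normalize_uri(entry["uri_stem"])
    if TRAVERSAL.search(path):
        reasons.append("parent-path traversal")
    if path.startswith(SCRIPT_DIRS) and path.rsplit("/", 1)[-1] == "root.exe":
        reasons.append("root.exe in script directory")
    return reasons


def scan_log(text):
    """Scan a whole logfile; return (client ip, raw uri, reasons) per hit."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["c_ip"], entry["uri_stem"], reasons))
    return hits


if __name__ == "__main__":
    for ip, uri, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {uri:50} {', '.join(reasons)}")
```

Run against a real logfile, the hits give you the client addresses to report to the remote site's administrator, as the poster did, and the raw URI that was sent. Note the third sample line would never match a plain string search for '..' in the raw log, which is why the decoding loop matters.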