Rule: -- Sid: 1002 -- Summary: This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). -- Impact: Information gathering possible administrator access. -- Detailed Information: This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS. The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information. The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information. Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources. -- Affected Systems: Any host using IIS. -- Attack Scenarios: An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database. -- Ease of Attack: Simple. -- False Positives: The HotSaNIC (hotsanic.sourceforge.net) System and Network Info Centre can graph the occurence of worms attacks on a server against time. The HotSaNIC system displays 'WEB-IIS cmd.exe access ' attempts on the server in an image file named thumb-cmd.exe.gif. Each time this image is accessed it generates an event. -- False Negatives: None Known. -- Corrective Action: Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files. Ensure that the IIS implementation is fully patched. Ensure that the underlying operating system is fully patched. Employ strategies to harden the IIS implementation and operating system. Check the host for signs of compromise. -- Contributors: Sourcefire Research Team Brian Caswell Nigel Houghton False positive information contributed by Chris McMahon -- Additional References: --