URLScan as an attack vector?
    URLScan as an attack vector?  
Sleepless in Vancouver
04-14-05 01:51 AM

Wondering if anyone has experienced this or may have some insight into what
happened.

We discovered that our production internet web server (in a DMZ) stopped serving
pages after a reboot (patches). We had installed the patches on test servers
earlier in the day and not experienced any problems. After scratching my
head for a while and poking around a seemingly happy server which just
wouldn't serve a page, I thought to check the URLScan logs. Sure enough it
was denying all requests.

Turns out our urlscan.ini file had been replaced with this:

[version]
signature="$CHICAGO$"
AdvancedINF=2.5,%BadAdvpackVer%

[SourceDisksNames]
1="UrlScan Files",,1

[DefaultInstall]
;existing gen install INF options
Copyfiles=SecondList
;advanced INF options
RequiredEngine=SETUPAPI,%BadSetupEngineVer%
RegisterOCXs=MyRegisterOCXs
AddReg=MyAddReg
BeginPrompt=BeginPrompt
CheckAdminRights=1
Uninstall=DefaultUninstall

[DefaultUninstall]
RequiredEngine=SETUPAPI,%BadSetupEngineVer%
DelFiles=SecondList
Deldirs=MyDeldirs
DelReg=MyDelReg
UnregisterOCXs=MyRegisterOCXs
EndPrompt=EndPromptUninstall

[DestinationDirs]
SecondList=11,inetsrv\urlscan

[MyRegisterOCXs]
%11%\inetsrv\urlscan\urlscanr.dll

[MyAddReg]
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IisUrlScan","UninstallString",,"RunDll32 advpack.dll,LaunchINFSection ""%11%\inetsrv\urlscan\urlscan.inf"",DefaultUninstall,,"
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IisUrlScan","DisplayName",,"IIS UrlScan Tool 2.0 (Uninstall)"

[MyDelReg]
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IisUrlScan"

[MyDeldirs]
%11%\inetsrv\urlscan

[BeginPrompt]
Prompt=%BeginPrompt%
ButtonType=OKCANCEL
Title=IIS UrlScan Tool 2.0

[EndPromptUninstall]
Prompt=%EndPromptUninstall%
Title=IIS UrlScan Tool 2.0

[SecondList]
urlscan.ini
urlscan.inf
urlscanr.dll
urlscan.dll

[Strings]
BadAdvpackVer="Incorrect version of advpack.dll. Please get new version from our web site."
BadSetupapiVer="Setupapi.dll is required to install on this system."
BeginPrompt="This will install IIS UrlScan Tool 2.0"
EndPromptUninstall="UrlScan has been uninstalled. If any UrlScan activity took place, the log was left as %windir%\system32\inetsrv\urlscan\urlscan.log. (%windir% represents the root of your Windows installation.)"



Anyone seen this attack before or know anything about it?
    Re: URLScan as an attack vector?  
David Wang [Msft]
04-14-05 07:50 AM

It looks like someone mistakenly copied urlscan.inf to be urlscan.ini on the
machine. I would first look at your patching procedures as the "attack".

Personally, if someone was able to hack your server to replace urlscan.ini
with urlscan.inf, they were already administrator and have hacked the
server -- so it makes no sense for them to disable urlscan and draw
attention to the fact. This is why I think it is a human mistake from your
patching procedures and not an attack.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Sleepless in Vancouver" <Sleepless in Vancouver@discussions.microsoft.com>
wrote in message news:AEE1CF0A-D870-42EE-816F-4E71BEC14621@microsoft.com...

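A quick way to catch exactly this mix-up on the next patch cycle: the script below is an added example, not code from either poster or from Microsoft. It parses a urlscan.ini the way an INI reader would, flags a file that carries INF setup sections (the [version] signature and [DefaultInstall] seen in the file quoted above) instead of URLScan's own sections, and reports which verbs URLScan would still accept. The URLScan section names ([options], [AllowVerbs], [DenyVerbs] and so on) and the UseAllowVerbs=1 default are assumed from the URLScan 2.x format rather than taken from this thread; both sample files in the block are constructed, and the script name in the usage note is hypothetical.

```python
"""Check that a urlscan.ini is really a URLScan configuration.

Added example, not from the thread: catches urlscan.inf saved as
urlscan.ini.  INF markers come from the file quoted in the thread;
URLScan section names and the UseAllowVerbs default are assumed from
the URLScan 2.x format.
"""
import re
import sys

# Sections only a setup INF, never a URLScan config, would carry.
INF_MARKERS = {"version", "defaultinstall", "sourcedisksnames", "destinationdirs"}
# Sections URLScan 2.x itself reads (assumed from its documented format).
URLSCAN_SECTIONS = {"options", "allowverbs", "denyverbs", "denyheaders",
                    "allowextensions", "denyextensions", "denyurlsequences"}
SECTION_RE = re.compile(r"^\[(.+?)\]$")


def parse_ini(text):
    """Return {section: [(key, value)]}; bare entries get value None.

    Section names are lower-cased; ';' comments and blank lines are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # text before the first section header is ignored
        key, sep, value = line.partition("=")
        sections[current].append((key.strip(), value.strip() if sep else None))
    return sections


def classify(text):
    """Return (kind, inf_signature): kind is 'inf-setup-script',
    'urlscan-config' or 'unknown'."""
    sections = parse_ini(text)
    names = set(sections)
    if names & INF_MARKERS:
        version = {k.lower(): v for k, v in sections.get("version", [])}
        return "inf-setup-script", version.get("signature")
    if names & URLSCAN_SECTIONS:
        return "urlscan-config", None
    return "unknown", None


def predicted_verb_policy(text):
    """Which verbs URLScan would accept under this file.

    With UseAllowVerbs=1 (assumed default) only verbs in [AllowVerbs] pass;
    an INF has no such section, so the list is empty and every request is
    rejected, which is the symptom described in the thread.
    """
    sections = parse_ini(text)
    options = {k.lower(): v for k, v in sections.get("options", [])}
    if options.get("useallowverbs", "1") == "1":
        return "allow-list", [k for k, _ in sections.get("allowverbs", [])]
    return "deny-list", [k for k, _ in sections.get("denyverbs", [])]


def check_file(path):
    """Read a urlscan.ini from disk and report kind, signature and verb policy."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    kind, signature = classify(text)
    mode, verbs = predicted_verb_policy(text)
    return {"kind": kind, "signature": signature, "mode": mode, "verbs": verbs}


# Constructed samples: a trimmed copy of the INF shape from the thread, and
# a minimal URLScan config of the shape the file should have had.
INF_SAMPLE = """[version]
signature="$CHICAGO$"
AdvancedINF=2.5,%BadAdvpackVer%

[DefaultInstall]
;existing gen install INF options
Copyfiles=SecondList

[SecondList]
urlscan.ini
urlscan.inf
"""

GOOD_SAMPLE = """[options]
UseAllowVerbs=1
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
PROPFIND
"""

if __name__ == "__main__":
    for label, sample in (("inf-as-ini", INF_SAMPLE), ("real-config", GOOD_SAMPLE)):
        print(label, classify(sample), predicted_verb_policy(sample))
    if len(sys.argv) > 1:  # optional: check a real file passed on the command line
        print(check_file(sys.argv[1]))
```

Run it against the live file with something like `python check_urlscan_ini.py %windir%\system32\inetsrv\urlscan\urlscan.ini` (the script name is whatever you save it as). A result of kind 'inf-setup-script' with an empty verb list is the deny-everything state the original post describes: nothing is on the allow-list, so URLScan rejects every request. Keeping a hash of the known-good urlscan.ini and comparing it after each patch cycle would catch the same mistake before the server stops serving pages.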