[ http://www.rootshell.com/ ]

From: Marcos Guillen <winnt2@RAN.ES>
Subject: Alert: MS IIS 4.0 FTP Denial of Service Attack

If a site is running the IIS 4.0 FTP server with more than 100 different FTP virtual directories or virtual sites, a Denial of Service attack can be easily performed by sending more than 10 simultaneous PUT or DELETE FTP orders against a public FTP directory. After a few minutes, the FTP server starts responding with a "426 Connection closed; transfer aborted" error to ALL FTP public or private virtual directories and sites on that machine, making it unavailable to any user, including Administrators. Only a complete IIS 4.0 stop and restart will solve the problem.

Furthermore, if a legitimate user tries to replace files on the server after the attack is performed, the files will be locked and overwritten with a 0 KB file with the same name as the old one the user was trying to replace. This will produce a "File contains no data" error in any browser trying to display that file from the IIS 4.0 Web Service. The file will remain locked even from a local Administrator Windows NT Explorer console, until a complete IIS 4.0 stop and restart is performed.

Regards,
Marcos Guillen
Ran Internet
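The advisory gives an operator two observable signals: a burst of more than 10 write or delete commands (the FTP verbs STOR and DELE behind PUT and DELETE) from one client against a public directory, and the server answering 426 to clients on every virtual site at once, which is the point at which only a full IIS stop and restart helps. The following monitoring script is an added example, not part of the original post or of any Microsoft tooling. It reads a constructed, simplified log format (time, client, virtual site, command, reply code; this is not the native IIS log layout) and raises both alerts; the thresholds and window are assumptions chosen to match the numbers in the advisory.

```python
"""Added example: detect the two signals named in the IIS 4.0 FTP advisory.

1. write_bursts: one client issuing more than `threshold` STOR/DELE commands
   inside a short window against a public directory (the trigger).
2. global_426: reply code 426 appearing across many different virtual sites,
   which is the symptom that the whole FTP service on the box is down.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical simplified layout (NOT the real
# IIS log format): "<ISO-8601 time> <client ip> <virtual site> <cmd> <reply>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 pubftp STOR 226
2024-01-01T10:00:01 203.0.113.7 pubftp DELE 250
2024-01-01T10:00:02 203.0.113.7 pubftp STOR 226
2024-01-01T10:00:03 203.0.113.7 pubftp DELE 250
2024-01-01T10:00:04 203.0.113.7 pubftp STOR 226
2024-01-01T10:00:05 198.51.100.2 site-a RETR 226
2024-01-01T10:00:05 203.0.113.7 pubftp DELE 250
2024-01-01T10:00:06 203.0.113.7 pubftp STOR 226
2024-01-01T10:00:07 203.0.113.7 pubftp DELE 250
2024-01-01T10:00:08 203.0.113.7 pubftp STOR 226
2024-01-01T10:00:09 203.0.113.7 pubftp DELE 250
2024-01-01T10:00:10 203.0.113.7 pubftp STOR 226
2024-01-01T10:00:11 203.0.113.7 pubftp DELE 250
2024-01-01T10:00:30 198.51.100.2 site-a RETR 426
2024-01-01T10:00:31 198.51.100.9 site-b STOR 426
2024-01-01T10:00:32 198.51.100.4 site-c RETR 426
2024-01-01T10:00:33 192.0.2.10 pubftp LIST 426
"""

WRITE_COMMANDS = {"STOR", "DELE"}   # FTP verbs behind PUT and DELETE


def parse_log(text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, site, command, code = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "site": site,
            "command": command.upper(),
            "code": int(code),
        })
    return records


def detect_write_bursts(records, threshold=10, window=timedelta(seconds=60)):
    """Return [(client, count, first_time)] for every client that issued more
    than `threshold` STOR/DELE commands within `window` (sliding per client)."""
    recent = defaultdict(deque)   # client -> timestamps of recent writes
    alerts = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["command"] not in WRITE_COMMANDS:
            continue
        q = recent[rec["client"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:   # drop writes outside window
            q.popleft()
        if len(q) > threshold:
            prev = alerts.get(rec["client"])
            if prev is None or len(q) > prev[0]:   # keep the largest burst seen
                alerts[rec["client"]] = (len(q), q[0])
    return [(c, n, t) for c, (n, t) in alerts.items()]


def detect_global_426(records, min_sites=3):
    """Return the set of virtual sites that answered 426 when at least
    `min_sites` distinct sites did so; an empty set otherwise. A 426 on one
    site is an ordinary aborted transfer; 426 on all sites is the outage."""
    sites = {r["site"] for r in records if r["code"] == 426}
    return sites if len(sites) >= min_sites else set()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, count, first in detect_write_bursts(recs):
        print(f"write burst: {client} sent {count} STOR/DELE since {first}")
    down = detect_global_426(recs)
    if down:
        print(f"426 seen on {len(down)} virtual sites: {sorted(down)}; "
              "advisory says only a full IIS stop/restart recovers")
```

In practice the first detector belongs on the FTP log stream (to throttle or block the source before the service wedges), while the second is the paging condition: once 426 is coming back on every virtual site, the advisory states that no per-site action helps and the service itself must be restarted.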