TUCoPS :: Web :: IIS :: iis4ftp.txt

Microsoft IIS 4.0 FTP Denial of Service Attack

[ http://www.rootshell.com/ ]

From: Marcos Guillen <winnt2@RAN.ES>
Subject: Alert: MS IIS 4.0 FTP Denial of Service Attack

 If a site is running IIS 4.0 FTP server with more than 100 diferent FTP
Virtual Directorys or Virtual sites, a Denial of Service Attack can be
easily performed sending more than 10 simultaneous PUT or DELETE ftp orders
against a public ftp directory.

 After a few minutes, the FTP server start responding with a "426 Connection
closed; transfer aborted" error to ALL FTP public or private Virtual
directories and sites on that machine, making it unavailable to any user,
including Administrators. Only a complete IIS 4.0 stop and restart will
solve the problem.

 Further more, if a legitimate user trys to replace files on the server
after the attack is performed, the files will be locked and overwrited with
a 0 Kb file with the same name than the old one the user was trying to
replace. This will produce a "File contains no data" error to any browser
trying to display that file from the IIS 4.0 Web Service. The file will
remain locked even from a local Administrator Windows NT Explorer console,
until a complete IIS 4.0 stop and restart is performed.

Marcos Guillen
Ran Internet

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH