After yesterday's incident in which a Microsoft France website was hacked and defaced by a Turkish cracker going by the handle TIThack, Zone-H investigated a bit, contacted the cracker and asked him to detail the intrusion methodology [the cracker had originally reported only a generic "web server intrusion"].
So, are we looking at a new win2k3 / IIS 6.0 0day exploit here?
The attacker revealed that he exploited a .net script 0day vulnerability after discovering that expert.microsoft.fr had installed and was running a vulnerable .net nuke script.
This hole allowed the attacker to gain the same rights as the script, and that was enough to upload a FSO script, a kind of shell the attacker used to create a new folder and upload the defacement.
When asked what his motivation was, the cracker indicated that he was frustrated at a Microsoft XP upgrade that broke his system and hence was looking for revenge.
Whose fault is this? Clearly it is Microsoft's, who should have explicit rules about what software is allowed to be installed on corporate assets, especially on mission-critical Internet-facing servers. Obviously checks and balances across the corporate enterprise were not in effect here, and we are sure this will result in a full audit of Microsoft's worldwide Internet presence.
While this attack is not the feared 0day IIS 6.0 attack, we cannot rule out that the large increase in win2k3 / IIS 6 attacks is due to an as yet unknown vector. Zone-H has always stressed that even the most secure systems can be compromised through the unauthorised installation of non-approved software and web applications.