Mrcorp.net

Copyright 2001

EyeIS

This is a quick tutorial on the EyeIS tool, which is used to exploit the ISAPI vulnerability in Microsoft Windows IIS 4 and 5.

I scanned all my servers at work, and then took it on the road and hit servers on the Internet. I was having fun with it. What it does is try to gain root (administrator) access by using the ISAPI exploit. I found that on 90% of the servers I ran it against, I got administrator access! And I didn’t even have to do anything special; all I had to do was plug in a URL or an IP address of the system I wanted to test.

Sounds pretty great, right? Well, sort of. Read on. First, I ignored the warning and never bothered to read it.

Therefore, I missed the line that says, “For the sole purpose of monitoring eyeIS for illegal use due to its nature, we may log your IP address while using eyeIS.”

What did this mean? Well, I found out when I tested it on my friend’s site. He looked at all his logs and saw that the tool had sent an email out after I completed a connection with it to his server. What did this email contain? Where was it sent? Who cares? The fact is that it sent out an email with information I would rather not let anyone else find out. So if you use this in a professional environment and it sends an email to these people, then whenever your server is found vulnerable, they now know this too.

Sounds like reverse hacking. This isn’t the first tool to do this and it won’t be the last. But you should be aware of it.

HOW TO USE IT

Go to parsec’s website, http://www.parsec.de.tf/, and download it. Install it. When you launch it, you get a warning screen; click ‘Accept’.

Next, click on the ‘TFTP Settings’ button and put in your IP address. The tool relies on TFTP, which is installed in essentially every OS. By putting in your IP address, you are telling it to use your machine’s TFTP.

After you have completed that, put in a target URL or IP address. Hit the connect button and wait. Some servers can take up to 2 minutes while others connect immediately. The amount of time it takes depends on your connection, the target’s connection and the hops in between. Once you have completed a connection, you will see a screen like the one shown below:


As you can see, it gives a lot of information. It tells us the date and time on the server, the IIS version, the content type, the volume serial number and the C drive’s label. Then you can see the files and folders listed below that. In the example above, .mcc, COMPAQ, CPQSYSTEM and INETPUB are directories, while everything else is a file. We can also see the size of each file; for example, the file named error.txt is 952 bytes in size.

Another nice feature is the ability to view files. For example, the error.txt file can be viewed without downloading it by clicking on it once in the window and then clicking the ‘VIEW’ button in the console. This is handy if you want to view the log files as well!

Also, you can delete files from here, such as the log files. You can change partitions, if there is more than one partition on that server, by clicking the ‘/’ in the box on the console. A drop-down list will appear and you can click the letter of the drive you want to go to. I found one server once with several drives.

Finally, there is the ability to upload netcat.exe to the server you have just taken over. Netcat is an excellent tool and will allow you to click on the Bind Shell command in the console and work from a command prompt. From there, you can move, copy, rename, and do anything else you can imagine.

HOW DO I PROTECT MYSELF FROM THIS

There are a couple of ways. You can patch your system with the latest Microsoft patches, or you can just remove the ISAPI driver. Remember too that, as described above, the tool lets an attacker view and delete the server’s log files, so a copy of the logs kept off the server is the only record you can rely on to tell whether this has already happened to you.
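Patching or removing the ISAPI handler is the fix; the other half of protecting yourself is finding out whether the server has already been hit. The following Python script is an added example, written for this page and not part of EyeIS or any Microsoft tool, that reads IIS W3C extended log lines and flags oversized requests aimed at ISAPI-mapped extensions, the generic shape of an overflow attempt against an ISAPI extension. The extension watch list, the length threshold and the log lines are all assumptions constructed for the example; replace the list with the script mappings actually configured on your server. Run it against a copy of the logs kept off the web server, since the tool can delete the ones on the box.

```python
"""Scan IIS W3C extended logs for oversized requests to ISAPI handlers.

Added example, not code from the original page. All values below are
assumptions for illustration: adjust ISAPI_EXTENSIONS to the script
mappings on your own IIS server and tune MAX_NORMAL_LEN to your traffic.
"""

# Assumed watch list of extensions served by ISAPI extensions on IIS 4/5
# (hypothetical defaults; replace with the server's real script map).
ISAPI_EXTENSIONS = (".dll", ".ida", ".idq", ".printer")

# Assumed upper bound on a legitimate stem + query for these handlers.
MAX_NORMAL_LEN = 512


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date and similar directives
        if fields is None:
            raise ValueError("log record appears before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than guess
        yield dict(zip(fields, values))


def is_isapi_request(stem, extensions=ISAPI_EXTENSIONS):
    """True when the requested stem is handled by a watched ISAPI extension."""
    return stem.lower().endswith(tuple(extensions))


def scan_iis_log(text, extensions=ISAPI_EXTENSIONS, max_len=MAX_NORMAL_LEN):
    """Return the records whose stem + query to an ISAPI handler is oversized."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if not is_isapi_request(stem, extensions):
            continue
        request_len = len(stem) + (0 if query == "-" else len(query))
        if request_len > max_len:
            finding = dict(rec)
            finding["request_length"] = request_len
            finding["reason"] = "oversized request to ISAPI handler"
            findings.append(finding)
    return findings


# Constructed sample log (not real traffic). One record carries a 600-byte
# argument to a .ida handler; the others are ordinary short requests.
LONG_QUERY = "A" * 600
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Version: 1.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-06-20 10:00:01 10.0.0.5 GET /default.htm - 200\n"
    "2001-06-20 10:00:02 10.0.0.5 GET /search.idq q=printers 200\n"
    f"2001-06-20 10:00:07 10.0.0.9 GET /x.ida {LONG_QUERY} 200\n"
    "2001-06-20 10:00:08 10.0.0.5 GET /scripts/app.dll - 200\n"
)


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} {hit['cs-uri-stem']} "
              f"len={hit['request_length']} ({hit['reason']})")
```

Point the script at the real log file by reading it into `scan_iis_log` instead of `SAMPLE_LOG`. A record that is flagged is worth a closer look regardless of the status code, because a successful overflow may still log as 200, and a client address that first shows up here and later appears in any TFTP or netcat activity on the server is the pattern this page's tool leaves behind.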