
SANS ISC: Microsoft Security Advisory 975191 Revised - SANS Internet Storm Center SANS ISC InfoSec Forums

Microsoft Security Advisory 975191 Revised

We wrote about the new IIS FTP service vulnerabilities when the exploit code became public in diary 7039, and again when Microsoft published their advisory some time afterwards in diary 7063. Not surprisingly, Microsoft have revised their security advisory, letting us know that there have been reports of incidents where this exploit was used to compromise systems. This might seem counterintuitive, as the exploit code was public prior to the advisory coming out. It is more likely that there were few reports even though the exploit was being actively used. There are not all that many IIS servers running FTP on the Internet; in fact, there are fewer public FTP servers than in the past. Where this exploit may have been used is in attacks on internal FTP servers.

Microsoft have also reminded admins that version 7.5 of their FTP service is available for download (although only for Windows Server 2008), and is not vulnerable to these attacks. Hopefully a patch will be out shortly.

Adrien de Beaupré Inc.


Adrien de Beaupre

ISC Handler
Feb 8th 2011
I would like to suggest a good workaround to avoid multiple brute-force attacks on IIS.

Just download a FREE port of Linux Fail2Ban that blocks IP addresses that attempt to brute-force your FTP.
