Updated: IWAP_WWW account on compromised IIS servers

Published: 2004-06-28
Last Updated: 2004-06-29 02:28:29 UTC
by Jim Clausing (Version: 1)
Request for Information: IWAP_WWW account

We have received information about compromised systems running Internet
Information Server. These systems had an administrator-level account
with the username 'IWAP_WWW' added.

Please check if your server has such an account and let us know
what you find. Until we know more, we suggest that you consider
a server compromised if you find an administrator account with
this username.

Update at the end of the day, still looking for concrete info

We don't have a lot more information on this than when we posted the
initial info this morning. Apparently some people started noticing it
last Tuesday and there has been some speculation that it may be related
to Berbew, but the Symantec write-up on Berbew does not mention the
administrator account, so that connection remains tentative at best.

You can find some of the discussion of this at

and the Symantec write-up on Berbew at

From the mailbag

We received some correspondence today from an educational institution
which has detected what appears to be a fairly large number of GIFs and
JPEGs on their Windows web server that have data stashed in
alternate data streams (a feature of the NTFS file system). We're not sure
yet how this data got onto the server. We are
still investigating to determine what exactly has been stashed in the
ADSes, but kudos to the admins at this site for even detecting them.
This should serve as a reminder to administrators to monitor disk space
and network usage and, when something out of the ordinary occurs, to investigate
(or get help investigating). We're not certain at this time how damaging
this particular breach might be. If we learn anything interesting, we'll
provide an update. Obligatory SANSFIRE plug: Track 8 will provide you with
information on tools that can be used to investigate alternate data streams
as part of the Windows forensics tools.
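
Both checks described in this diary (the 'IWAP_WWW' administrator account and alternate data streams on image files) can be run from PowerShell. This is an added example, not part of the original diary; the function names and the web root path are assumptions, and the cmdlets used need Windows PowerShell 5.1 or later.

```powershell
# Added example. Function names and the default web root are assumptions.

function Test-SuspectAdminAccount {
    param([string]$UserName = 'IWAP_WWW')
    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so the lookup works whatever the group's localized name is.
    $hits = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.Name -like "*\$UserName" }
    return [bool]$hits
}

function Find-ImageAlternateStream {
    param(
        [string]$Root = 'C:\Inetpub\wwwroot',            # assumed web root
        [string[]]$Include = @('*.gif', '*.jpg', '*.jpeg')
    )
    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every NTFS file has an unnamed default stream, reported as ':$DATA'.
            # Anything else is an alternate data stream. 'Zone.Identifier' is
            # normally the benign download marker, but it is listed too so that
            # nothing is hidden from the reviewer.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

if (Test-SuspectAdminAccount) {
    Write-Warning "Local administrator account 'IWAP_WWW' found; treat this server as compromised."
} else {
    Write-Output "No 'IWAP_WWW' member in the local Administrators group."
}

# Largest streams first: sizeable named streams on image files deserve a closer look.
Find-ImageAlternateStream |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```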

Jim Clausing, jim.clausing at acm.org and

Johannes Ullrich, jullrich_at_sans.org