1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. HTTP MS IIS FTP Wildcard DoS


Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.


This signature detects an attempt to exploit a vulnerability in the MS IIS FTP service.

Additional Information

A vulnerability exists in the handling of certain user requests in the IIS FTP service.

Pattern-matching function is a function that supports the use of wildcards in filenames and is used by all of the FTP commands. The function is used to expand the wildcards and match the patterns to the filenames.

The pattern-matching function used by a certain FTP command contains a flaw that may result in a denial-of-service condition. If a user submits an FTP command along with a filename containing specially placed wildcard sequences, the pattern-matching function will not allocate sufficent memory. This results in IIS experiencing a denial-of-service condition. All current IIS sessions will disconnect, and any new sessions will be refused until the service has been restarted.

If successfully exploited on IIS 5.0, the server will automatically restart itself. It is possible that a log of the attack will not be recorded.

A manual restart of IIS 4.0 is required in order to gain normal functionality.


  • Microsoft IIS 4.0, 5.0


Microsoft has released a patch that rectifies this issue.

Microsoft IIS 4.0:
Microsoft Patch Q295534
Microsoft Patch Q295534

Microsoft IIS 5.0:
Microsoft Patch Q293826

  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube