This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects attempts to exploit MDAC RDS which may result in remote command execution.
MDAC (Microsoft Data Access Components) is a package used to integrate web and database services. It includes a component named RDS (Remote Data Services). RDS allows remote access via the internet to database objects through IIS. Both are included in a default installation of the Windows NT 4.0 Option Pack, but can be excluded via a custom installation.
RDS includes a component called the DataFactory object, which has a vulnerability that could allow any web user to:
--Obtain unauthorized access to unpublished files on the IIS server
--Use MDAC to tunnel ODBC requests through to a remote internal or external location, thereby obtaining access to non-public servers or effectively masking the source of an attack on another network.
The main risk in this vulnerability is the following:
--If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are installed, a user could use the shell() VBA command on the server with System privileges. (See the Microsoft JET Database Engine VBA Vulnerability for more information). These two vulnerabilities combined can allow an attacker on the Internet to run arbitrary commands with System level privileges on the target host.
- Cisco Building Broadband Service Manager 5.0
- Cisco Call Manager 1.0, 2.0, 3.0
- Cisco ICS 7750
- Cisco IP/VC 3540 Video Rate Matching Module
- Cisco Unity Server 2.0, 2.2, 2.3, 2.4
- Cisco uOne 1.0, 2.0, 3.0, 4.0
- Microsoft BackOffice 4.0, 4.5
- Microsoft IIS 3.0, 4.0
- Microsoft Index Server 2.0
- Microsoft MDAC 1.5, 2.0, 2.1 CLEAN, 2.1 UPGRADE
- Microsoft Site Server Commerce Edition 3.0 i386
- Microsoft Windows NT 4.0 Option Pack