
The guy who owns test.com emailed me once because I wrote a paper on IIS vulnerabilities and had 'test.com' as example URLs. Turns out a lot of people reading my paper would copy+paste the example exploits and own the test.com server (which just happened to be running IIS).



Man, this is really beautiful. Care to share more details? (I suppose all exploits are long patched now). It could be an interesting blog post...


It was actually server.com. I found the old doc; first time I have seen it since I wrote it 11+ years ago:

http://web.archive.org/web/20040210183242/http://black.wiret...

That server.com server was hilarious. It ended up becoming a mini-BBS with people posting funny messages, file names etc. to it. When I went to check it out to see what was going on, I ran a dir on the C drive, and there were almost 500 funny folder and file names there, with 'X WAS HERE' etc.

Someone then put out a URL on IRC which would fire up a reverse shell, and that server.com server ended up running gaming servers, porn FTP sites, warez, the works. The guy emailed me around 2-3 months later asking for help to patch the box because it kept getting owned.

Fun fact: I wrote a scanner in C back then that would check for these vulnerabilities. The scanner had two 0day vulnerabilities that weren't in this paper. One night at a friend's house we were playing around with NXFR transfers from DNS servers (this is back when you could do them and before people figured out to lock this down). We started downloading lists of all the domain names from various TLDs, e.g. we had .net, .org, .com etc. Then we started downloading various countries, e.g. .at, .co,

We were talking to each other about what to do with them, and he said 'let's run one of these through your scanner'. So I made a quick change that would check the Server banner returned, and if it was IIS, it would then try these different exploits and run a command. We couldn't work out which command we wanted to run, so I had the idea of just creating a file called 'heh.txt' in C. I set it all up and ran it against all the Austrian domains. Within a few seconds it was obvious that it was working too well, because it was churning through 5-10 hosts per second and a lot of them were 'SUCCESS'. I left it running, no idea when it finished, but when I picked it back up again the next day around 40% of servers (may have been more) were running IIS and of those, around 98% had our 'heh' command run successfully.

tl;dr hacked ~40% of all servers in Austria. If you ever found a file called 'heh.txt' in the root of your C drive, that was me.
