GEN:SID 1:1243
Message WEB-IIS ISAPI .ida attempt
Summary This event is generated when an attempt is made to access the .ida Indexing Service ISAPI filter.
Impact Remote access.  This attack may allow execution of arbitrary commands in System context providing complete control of the server.
Detailed Information Microsoft Internet Information Service (IIS) installs several Internet Service Application Programming Interface (ISAPI) extensions.  A buffer overflow vulnerability exists because of improper buffer checking in the .ida ISAPI filter.  This may allow execution of arbitrary commands with System level access on the vulnerable server.  The Code Rode worm used this vulnerability to propagate.
Affected Systems Windows NT 4.0 IIS 4.0
Windows 2000 IIS 5.0
Windows XP beta IIS 6.0 beta
Attack Scenarios An attacker can craft a special HTTP request that can cause a buffer overflow.  
Ease of Attack Simple. Send the following request to a vulnerable server:
GET /a.ida?NNNN... HTTP/1.0 where 240 N's or other characters are supplied.
Corrective Action Consider removing the .ida ISAPI filter if it is not necessary.

Download and install the appropriate patch mentioned in the Microsoft bulletin.
Additional References Arachnids
http://www.whitehats.com/info/IDS552

CERT
http://www.cert.org/incident_notes/IN-2001-08.html

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms01-033.asp

eEye Digital Security
http://www.eeye.com/html/Research/Advisories/AD20010618.html

Rule References arachnids: 552
bugtraq: 1065 |103
Error: Unknown reference type: BACKDOOR subseven 22
arachnids: 485
url: www.hackfix.org/subseven/