Report: Attackers exploit IIS hole to breach university server

Updated 6 p.m. PDT with Microsoft comment.

It apparently didn't take long for hackers to try to take advantage of a zero-day hole in Microsoft Internet Information Services (IIS).

Ball State University in Muncie, Ind., told The Register that servers running the program were breached on Monday, the same day Microsoft warned the public about the vulnerability.

Students accessing their iWeb pages on Monday saw messages saying the system had been hacked, The Register reported on Wednesday. There is no evidence data was stolen or malicious files uploaded, however the iWeb accounts were expected to be offline until Thursday or Friday, according to Patty Lucas, a senior help desk support administrator for the university's computing services department.

Microsoft, meanwhile, said it has investigated a public report of a targeted attack on the IIS hole, but did not specify whether it was the Ball State University breach that was looked into.

The investigation "revealed that the vulnerability was not exploited to accomplish this attack," a Microsoft spokeswoman wrote in an e-mail late on Wednesday. "Microsoft is still not aware of attacks that are trying to use this vulnerability or of customer impact at this time."

The computing services department referred a call from CNET News on Wednesday afternoon to the communications department, which was already closed for the day.

The security vulnerability could allow an attacker to gain access to a location that typically requires authentication by using a specially crafted anonymous HTTP request, according to the Microsoft security bulletin. The problem exists in the way that the WebDAV extension for IIS handles HTTP requests.

According to a posting to the Full Disclosure security e-mail list on Friday, the IIS security vulnerability was discovered on May 12 by Nikolaos Rangos.