REDMOND, WA. – Microsoft told systems administrators Tuesday to make sure they have installed a previously announced patch to guard against security attacks bombarding Web sites using the company’s Internet Information Services 5.0 server.

Companies that havent updated their software and installed the patch remain at risk from the ongoing hacker attack. Users who have already deployed Windows XP Service Pack 2 RC2 appear to be protected, the company said.

The Microsoft advisory is in response to what appears to be a continuing attack against IIS 5.0 servers worldwide. The attack, first discovered Monday by several security companies involved a group of Russian hackers breaking into Web sites running the application.

Meanwhile, desktop systems can be infected via two vulnerabilities in Internet Explorer, one of which has an available patch and one that doesn’t, a Microsoft spokesman said.

Following Microsoft’s advice would be a “prudent thing to do” for now, said Marty Lidner, an incident-handling team leader at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

CERT found infections on about 100 Web sites of varying sizes yesterday and informed their operators of the problem. But many other Web sites are likely to be infected that CERT is unaware of. The number also doesn’t include end-user systems that may have been compromised from visiting infected Web sites.
According to Dunham, “hundreds of thousands” of computers are likely to have been infected in the past 24 hours.

It would also be smart for administrators running IIS 5.0 to ensure there is no unusual JavaScript code appended to the bottom of the Web pages served up by their sites, said Russ Cooper, editor of “NT Bugtraq” and an analyst at Herndon, Va.-based TruSecure Corp.

Computer Associates in an advisory issued Tuesday said a Trojan horse program named JS. Toofer or JS. Scrob is installed on vulnerable IIS servers. When executed, this JavaScript attempts to access a file hosted on another server. When users visit compromised Web sites, their systems are directed by Scrob to download a file containing malicious code such as Trojan horses and keystroke loggers from a Russian Web site.

The Russian Web site being used to download malicious code to infected systems is also no longer available, either as a result of law-enforcement action or because the hackers have been scared away.