10 Jan 2001
Boots' corporate website has been defaced by a hacker who exploited a flaw in Microsoft Internet Information Server 4.0.
The website, which provides corporate information on Boots' businesses, was defaced this morning by an anonymous hacker who replaced the corporate page with an essay on the mentality of hacking.
Boots said that the site contained no sensitive data and was up and running again by 9am.
Security experts said it was another example of a site administrator failing to ensure that the web server, which was running on Windows NT4.0, had been patched with the latest fixes.
Paul Rogers, network security analyst at MIS Corporate Defence Systems, said: "The person responsible for the security needs to get better information on how to update their software with the latest patches.
"They either aren't subscribing to the right communication lists, or they don't know what they're doing."
Web Leicester, the firm hosting the website for Boots' contractor Media Maker, failed to return calls from vnunet.com before publication.
Boots is the latest in a line of high-profile websites running Internet Information Server 4.0 or 5.0 on NT4.0 to have been hacked. According to attrition.org, which mirrors compromised websites, last year NT was the most hacked system.
Ironically, Boots.co.uk, website for Boots the Chemist, runs on an Apache server on the Solaris Unix operating system.
Microsoft has said some attacks occur because users didn't read their manuals properly, but that more often they are a case of administrators failing to patch newly found weaknesses before a hacker exploits them.
The problem will be a concern for thousands of website operators. According to Netcraft, which conducts monthly surveys into web-server use, 19 per cent of the 4.1 million companies it questioned in October used IIS.
However, Rogers warned that some firms are considering changing systems because of the number of problems being discovered.
He said: "Some of our clients are asking us to look at how they can move away from IIS4.0, and they're saying this is specifically because of the number of vulnerabilities being discovered and the severity of them."