[whoisurdaddy]

[Palos]

What kind of log format are you using for IIS?
- IIS Standard
- IIS Standard with UserID
- IIS Standard with SessionID
- IIS Standard with User&SessionID

Or extended with all the options above....

Actually on a closer look I think it's the Standard IIS format.

The format is the following:

hostname, auth user, date, time, service, server name, virtual host, server response, bytes received, bytes sent, status, window status, method, resource, query string

This corresponds to:

206.166.234.62, -, 11/12/2001, 12:48:17, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 72, 3387, 404, 3, GET, /scripts/root.exe, /c+dir,

W3SVC is the WWW service, so you can say for sure it was sent to the WWW server, not the FTP or other.

Before you try to figure out what happened, do some more research on the incoming IP. Also try to run the exploits on your own, see how deep can you get on your own machine. I doubt IIS permits remote execution of shell commands via WWW, lol. Check your permissions as well. No more ideas, maybe someone else is brighter.

----------------------

On second thoughts, by looking at the "method" field, I think is self-explanatory. The attacker tried to execute a cmd.exe by giving an URL, and got the 404 error all the way, except for one case when IIS returned a 500 error; 404 means page not found
I hope that was it, couldn't bet on it though

[Fekalen]

If it was an attempted hack this guy ain't to bright.

He has his own homepage:
206.228.118.165 = http://t118165.turbonet.com/
And I would guess his name is Kenneth Tun
He lives in Moscow (not the russian capital),Idaho - USA

Here's a mail adress to report his abuse to his ISP if you want: abuse@sprint.net

[clutch]

Don't worry about it. That's a Nimda infected box attacking, and that's its signature. Are you patched up for it? Here's some links about ways to secure IIS, and a link to getting URLScan from MS. It will generate 404 errors when someone makes a request that breaks the predetermined rule set.

Here is a general checklist:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/tips/iis5chk.asp

Here is a link for resources on securing IIS:
http://support.microsoft.com/support/kb/articles/q282/0/60.asp

And here is a link for the new Security Tool Kit from MS:
http://support.microsoft.com/support/kb/articles/Q309/5/36.ASP

This is a link for URLScan (my fav) that is briefly mentioned in a couple of the other links:
http://support.microsoft.com/support/kb/articles/q307/6/08.asp

You will also see references to the IISLockdown Tool, which is pretty strict and works by locking various ISAPI filters and fixing permissions on system directories in case someone can traverse directories (which won't happen anyway if you are using URLScan and it's configured properly). The High Security Template is nice too, and protected many IIS boxes from infection.

You can also subscribe to the security release email list at this link to get all the latest info on patches and such:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp

I have been getting these for quite a while. Here's a page I wrote that queries my logs (I have IIS setup to log to a SQL DB) www.driventechnologies.com/odbclog and type "cmd.exe" without the quotes into the target box. The date range defaults to the current day, but the logs go back to August 1, 2001.

[whoisurdaddy]

Thank you all for replying.

Fekalen,
that is my server. 206.228.118.165 is my comp's IP and I am also running a web server on it just for messing around. I am just wondering because I thought I pretty much secured my computer. I have Zonealarm Pro firewall and all guest accounts are disabled and stuff...

----

Palos,
I am using Microsoft IIS Log file format. There are only 3 available for me to choose from: Microsoft IIS Log file format, NCSA Common log file and W3C Extended Log file format.


----

Clutch,
I don't think mine is patched up for Nimda. I ran Windows Update two days ago and I downloaded a lot of patch from Microsoft Windows UPdate site but I don't think that Windows Update patched up my computer for Nimda.

[Palos]

Muhuhahaha, Fekalen...good job man.
Clutch sez that it looks like a Nimda zombie, he could be right. If the remote machine tried to execute a shell prompt, that doesn't mean he necessarly DID it.

[clutch]

To flush the normal Code Red worm, you could simply reboot and then apply the patch (with the server offline so it wouldn't get infected again). That would take care of the issue. Some Nimda and Code Red II boxes had nice backdoors left open for intrusions later on. On the MS security site, there is a tool for ridding the system of the worm that stays behind, but there could have been other damage. On your logs, I see many "404" errors, and the lone "500" error (could be for security, invalid execution, etc.) which is a good sign. It shows that your server wasn't able to execute the requests.

Now, here is a normal attack cycle from a Nimda box:

24.60.219.128 - 11/13/2001 11:44:44 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%252f../winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:42 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:40 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:29 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:27 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:25 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:23 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:20 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:18 AM W3SVC3 SERVER-1 192.168.1.200 404 - /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:16 AM W3SVC3 SERVER-1 192.168.1.200 404 - /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:14 AM W3SVC3 SERVER-1 192.168.1.200 404 - /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:12 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%255c../winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:10 AM W3SVC3 SERVER-1 192.168.1.200 404 - /d/winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /c/winnt/system32/cmd.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /MSADC/root.exe?/c+dir -
Info 24.60.219.128 - 11/13/2001 11:44:03 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/root.exe?/c+dir -


Look familiar? Here's the break down on yours:

206.166.234.62 was an automated Nimda attack;
216.179.62.9 was a solo direct attack (but a 404 error-"page not found", so no biggie)
211.44.231.41 old Code Red attack (uses "N" for the flood, an "X" is Code Red II)

So, you will probably see a lot of these, and you will see them for some time to come. Just patch up, and move on.

[whoisurdaddy]

Clutch, thx for the info. I am still learning about this security stuff. Too bad, in school they don't teach me any stuff like this...may be next semester they might teach me about network security in one of my MIS classes.

[clutch]

Unfortunately, I wouldn't count in it. Most MIS grads that I have worked with have learned very little about systems architecture and application in their MIS courses, let alone anything about security. A good deal of the MIS courses I read through seem more focused on floor/personnel management rather than working directly on the information systems themselves. You might want to take some technical courses in security and network architecture as an elective if possible. Where are you going to school at?

[Palos]

MIS courses left me with a bad taste in my mouth during my college years Bla,bla,bla...uninterresting stuff, if you know what I mean.

[whoisurdaddy]

I am a Senior from WSU (Washington State University).

[Palos]

Dude, listen to me...enjoy your last moments in college as if there was no tomorrow. Real life SUCKS (at least nowadays if you're a fresh CS graduate looking for a job).

PS - and your intelligence level is pretty much average, i.e ur not a genius on 2 legs, having NSA and NASA knocking at your door, begging you to take their job offers

PPS - By CS graduate I mean Computer Science, NOT Counter-Strike

[RandyC]

I've learnet loads about system architecture during my 3 years so far at Uni. Especially in my Networking Principles and Operating Systems modules last year and this year. I guess maybe UK Bsc (Hons) Computer Science degrees go into more depth than some of the states degrees despite being only 3 year courses.

I agree working life does suck so i'm doing another year in Uni to concentrate on my final year project(which I could of done this year) and get a CCNA. Have to get a job aswell though as I have to do all of these on a part time basis

[clutch]

That sounds like a normal Computer Science degree, but we were talking about a Management of Information Systems (MIS) degree. Most schools get so hung up on the "Management" portion that the graduates are almost helpless in "the real world".

As for graduating and getting out in the world, making large amounts of money for doing something you like has its perks too, just remember that.

[RandyC]

Ahh didnt read that bit probably because i've never come across a MIS course before. Just wondering if anyone here has done a CCNA course and am wondering how realistically usefull is it in the job world. I always get a biased view from my lecturers as our CS department is partially funded by Cisco.

Thanks

RandyC

[waddy]

[RandyC]