Re: Question on IIS servers and reverse lookup

From: Maxime Ducharme (mducharme_at_cybergeneration.com)
Date: 03/10/05

  • Next message: Robert Schwartz: "Re: Question on IIS servers and reverse lookup"
    To: "Miroslaw Slawek Chorazy" <mchorazy@depaul.edu>, <focus-ms@securityfocus.com>
    Date: Thu, 10 Mar 2005 13:23:10 -0500
    
    

    good point

    Audit is activated and I do not see failed or successful
    login at this time range.

    we do not run protected directories on IIS, these
    are simple web sites with some ASP & ASP.NET code.

    thx for the reply slawek

    any other ideas ?

    Maxime Ducharme
    Programmeur / Spécialiste en sécurité réseau

    ----- Original Message -----
    From: "Miroslaw Slawek Chorazy" <mchorazy@depaul.edu>
    To: <mducharme@cybergeneration.com>; <focus-ms@securityfocus.com>
    Sent: Thursday, March 10, 2005 11:58 AM
    Subject: Re: Question on IIS servers and reverse lookup

    Do you have Security Audit turned on and see Failure Events of the
    Logon/Logoff type timestamped at the same time when IIS tries to send the
    NetBIOS Name Resolution (UDP:137) packet?

    Maybe these are authentication attempts against your IIS Server coming from
    the Internet and the IIS Server is sending a packet to destination asking
    for Domain Name?

    slawek

    >>> "Maxime Ducharme" <mducharme@cybergeneration.com> 3/9/2005 16:41 >>>

    Hi to the list

    We are running a new iptables firewall with
    restrictives policies.

    I just noticed that sometimes (between 1 an 4 packets per
    weeks), our IIS 5.0 server try to send NetBIOS name
    query on foreign IPs.

    Here is a hex dump of that packet :

    11:44:56.495348 x.x.x.x.netbios-ns > 211.40.x.y.netbios-ns: NBT UDP
    PACKET(137): QUERY; REQUEST; UNICAST
    0x0000 4500 004e b2bf 0000 8011 ff8f XXXX XXXX E..N.........hR.
    0x0010 d328 913c 0089 0089 003a 6ff0 c7ee 0000 .(.<.....:o.....
    0x0020 0001 0000 0000 0000 2043 4b41 4141 4141 .........CKAAAAA
    0x0030 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
    0x0040 4141 4141 4141 4141 4100 0021 0001 AAAAAAAAA..!..

    x.x.x.x is our server (i replaced hex dump with XXXX XXXX too)

    Source : our server
    Proto : UDP
    Source port : 137
    Dest : foreign server
    Dest port : 137

    I'd like to identify the source of these packets.

    One thing that comes in mind is :
    Would it be related to the option in IIS "reverse
    lookup host" to log hostnames in the log file ?

    I remember that nslookup() function of NT kernel
    uses netbios if DNS doesnt reply anything
    (correct me if i'm wrong).

    There is not other inbound port than 80 opened.
    Opened outbound ports are packets related to a already
    opened connection on port 80 and DNS queries to our
    servers. The server itself cannot open a connection
    on Internet.

    Since this server is hosting ASP & ASP.NET services,
    I agree it would be possible to get access via
    some crafted URLs or webapp attacks, but we didnt
    see anything else than these packets.

    Someone may enlighten me ?

    Thanks in advance

    Maxime Ducharme
    Programmeur / Spécialiste en sécurité réseau

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: Robert Schwartz: "Re: Question on IIS servers and reverse lookup"

    Relevant Pages

    • Re: Question on IIS servers and reverse lookup ... found answer
      ... netbios over TCP/IP on the interface your web server uses to talk to the ... There's a huge list of steps to take to secure an IIS ... logs) in addition to the low-level packet capture. ... packet is being sent to that UDP:137 port. ...
      (Focus-Microsoft)
    • Re: HttpHandler not working
      ... !>have anything to do with the non default port that I am using?? ... The 404 Page not found error from IIS is typical error message for permission problems. ... But when I run it from our web app server (Windows Server 2003-R2, ... and automatically has read rights to the datafeed directory in your development box.. ...
      (microsoft.public.dotnet.framework.aspnet)
    • Re: Can I run an Internet web server from a Win2K computer?
      ... You can deffinately run an internet website from IIS on Windows 2000 Pro., ... Be aware though, that there can be no more than 10 simultaneous connections, but for your homegrown website, I would think that this is not a problem. ... You will have to set up your broadband router to forward incoming HTTP connections on port 80 to the computer hosting the website ... I'm trying to use the web server that comes with Windows 2000 ...
      (microsoft.public.win2000.general)
    • [NT] Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise
      ... This patch eliminates a newly discovered vulnerability affecting Internet ... in IIS 4.0 and 5.0, and could likewise be used to overrun heap memory on ... allowing code to be run on the server. ... * Microsoft has long recommended disabling HTR functionality unless there ...
      (Securiteam)
    • Re: ISA2004 SP2: EventID 14148
      ... Please do not send email directly to this alias. ... is that it does work on Small Business Server ... IIS 6.0 and host headers. ... The Web Proxy filter failed to bind its socket to 218.188.188.188 port ...
      (microsoft.public.isa.configuration)