Re: Identifying Internet Attacks

From: Karl Levinson [x y] MVP (
Date: 10/21/02

From: "Karl Levinson [x y] MVP" <>
Date: Mon, 21 Oct 2002 12:34:33 -0400

"kevin" <> wrote in message
> I was just wondering has anyone found any good whitepapers
> etc. about signs to look for to identify that you are
> being attacked/hacked or have been attacked/hacked on a
> W2K machine with IIS 5.0.

Personally I wouldn't recommend just one paper but many. [I can't remember
them all, but try the reading room at, www.honeyI like the
books Incident Response [and possibly also Hacking Web Applications Exposed,
Hacking Exposed 3rd edition and/or Hacker's Challenge] for introductions to
security issues.

Note that to secure IIS or any other web server, you should also know about
security and attack methods used against networks, Windows OS, web
applications, SQL server and databases, etc.

Also, the way you investigate a possible hacking depends on your environment
and your needs. Some of the things you do during the investigation can
possibly destroy some of the evidence, or make it unusable in any legal
proceedings, or alert the hacker to start destroying evidence or retaliate
against you. On the other hand, if you alert law enforcement immediately,
evidence might have a better chance of being preserved, but law enforcement
might be restricted from doing some things to collect evidence that you
might have been able to do before you called them. You also have a choice
of whether or not to unplug the network cable, use a firewall to redirect or
contain the hacker to a particular machine, leave the machine on the network
to keep your site running, etc.

Maybe the info below might help:

You may consider performing the actions below:
1. Unplugging the network cable is one possible way to try to prevent
further damage.

2. Use Fport or Vision from or pslist / pstools
from to look at the open ports on your computer and the
program or executable using that port. Some firewall software such as will also tell you this information.

You can also use the NETSTAT -A command that comes with Windows to look at
open ports; however, this will not identify which program is using the port.

If you're unsure about the purpose of a particular port or program, try
searching an Internet search engine such as for the name of
the port or program, or try right-clicking on the file in question to see
the properties. Or, you could even try to telnet to that port [e.g. by typing
TELNET LOCALHOST 82] and press the Enter key a few times to see if any
informative messages appear.

3. Consider using a file change checker, such as the unsupported free tool
Languard File Integrity Checker at
Recently changed files on your system can sometimes indicate an intrusion.
You could also find and list the files on your hard drives that have been
modified in the past 3 days by clicking on Start, Search [or Find], Files or
Folders, and setting the appropriate date [though note that this may change
the "Last Accessed" date stamp on some of these files]. "The Forensic
Toolkit" from includes command-line tools to
list files without modifying the date.

4. Inspect the programs that launch when Windows starts on your computer, by
using MSCONFIG or Startup Cop. Suspicious programs starting when Windows
starts can indicate a successful intrusion. [These can also indicate less
serious events such as a virus or worm infection or even the installation of
a freeware or ad-ware program such as an MP3 music file sharing program.]

5. Check the logs on your computer, especially your Internet router or
firewall logs, the IIS web and ftp server logs and Windows security event
log. [This is probably the first thing to do if IIS web services are running
on the computer.] Some of these logs may not exist if you have not already
enabled them.

Many common hacks are first seen in the IIS web server logs. Any line in
your web server log that contains % or .EXE and which also contains a 200 or
502 error code is cause for further investigation. If you are familiar with
DOS commands, you may be able to see exactly what commands the intruder
tried to execute. Keep in mind that every web server on the Internet will
have suspicious looking entries from worms like Nimda, though these are not
necessarily signs of a successful intrusion.

6. Consider using a Trojan scanner. Antivirus programs generally detect some
but not all of the most common Trojans and hacker tools. Some people choose
to use a Trojan scanner in addition to antivirus.

7. Consider installing an antivirus program that is configured to
automatically download updates daily.

8. Consider running a port scanner such as Vision, Fport and/or SuperScan
from [and/or a vulnerability scanner such as
MBSA from and/or Languard Network Scanner from] to look for security flaws and configuration errors on your
computers. For example, you might also run a port scanner against your
computers to look for open ports. A particular open port might indicate the
way a hack occurred and/or might give you a way to identify other infected

9. Consider enabling or installing a firewall and/or a sniffer [either
software or hardware based] to monitor network traffic. There are a number
of free firewalls available on the Internet which can show network
transmissions to and from your computer, such as, or you
could use the Network Monitor which comes with Windows 2000 / XP / NT / .NET

For more information on how and where to locate free and not-free firewall
software and hardware, see the section in this FAQ entitled "Which firewall
should I choose? Which firewall is the best?"

10. The third party web sites and tools below may also be helpful:

For example, some of the helpful free tools on this site include Filemon,
Regmon and Process Explorer which all display activity on your computer you
might not otherwise be able to see. These tools show which files, registry
keys, .DLLs and other objects are currently being accessed and by which

Pstools is a group of tools including pslist, which lists detailed
information about processes, and psloggedon, which displays who is logged
onto your computer currently.

For example, one of the free tools on this site is NTLast, a security event
log analysis tool that helps identify who has gained access to the system,
using the NT security event logs [assuming auditing has previously been
turned on].

Also, the Forensic Toolkit is a collection of tools including:

* Afind, which lists recently accessed files without changing the date stamp
on the file;

* Hfind, which scans the disk for hidden files;

* Sfind, which scans the disk for files hidden in data streams.

Incident Response Collection Report (IRCR) is a collection of forensic tools
that automates many of the tasks a forensics expert might perform.

If you have trouble understanding the results of any of these tools, you can
post your results along with your question to an appropriate Usenet
newsgroup. Note that the Microsoft newsgroups may not be the place to get
the best answers to your questions, though you can try and see what happens.

[Thanks to Susan Bradley, Rob Lee and others]
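As an added example (not part of the post above), the following Python script applies the log-triage rule from step 5 to IIS W3C extended log lines: it keeps requests that contain "%" or ".EXE" and returned status 200 or 502, and decodes the URL so the attempted command is readable. The log lines are constructed for illustration; the field names follow the IIS W3C "#Fields:" directive.

```python
"""Triage IIS W3C extended log lines for the pattern described in the post:
requests containing '%' or '.EXE' that returned sc-status 200 or 502."""
from __future__ import annotations

from urllib.parse import unquote, unquote_plus

# Constructed sample log (not a real capture), IIS 5.0 W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-10-21 12:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-10-21 12:00:01 10.0.0.5 GET /default.htm - 200
2002-10-21 12:00:02 192.0.2.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2002-10-21 12:00:03 192.0.2.7 GET /scripts/root.exe /c+dir 404
2002-10-21 12:00:04 10.0.0.8 GET /images/logo%20small.gif - 304
2002-10-21 12:00:05 198.51.100.3 GET /msadc/..%c0%af../winnt/system32/cmd.exe /c+dir 502
"""

SUSPECT_STATUS = {"200", "502"}  # status codes the post singles out


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields: list[str] = []
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                        # other directives / blank lines
        values = line.split(" ")            # IIS never logs raw spaces in a field
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def is_suspicious(rec: dict[str, str]) -> bool:
    """The post's rule: '%' or '.EXE' in the request plus a 200/502 status."""
    request = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
    has_marker = "%" in request or ".exe" in request.lower()
    return has_marker and rec.get("sc-status") in SUSPECT_STATUS


def triage(text: str) -> list[dict[str, str]]:
    """Return the suspicious records, each with a human-readable 'decoded' URL."""
    hits = []
    for rec in parse_w3c(text):
        if is_suspicious(rec):
            hit = dict(rec)
            # Decode twice: double-encoded sequences such as %255c only reveal
            # the backslash after a second pass. '+' in the query means a space.
            stem = unquote(unquote(rec.get("cs-uri-stem", "")))
            hit["decoded"] = stem + "?" + unquote_plus(rec.get("cs-uri-query", ""))
            hits.append(hit)
    return hits
```

Worm noise such as Nimda will match this rule too, so each hit still needs a look at what the decoded request actually did on the server.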
