IUSR trying to run cmd.exe... who is it?

From: Agustin Chernitsky (agustinchernitskyNOSPAM@hotmail.com)
Date: 12/25/02


From: "Agustin Chernitsky" <agustinchernitskyNOSPAM@hotmail.com>
Date: Tue, 24 Dec 2002 20:40:48 -0300


Hi guys,

For security reasons, I removed permissions from many files in win2k system
and added auditing to them. I keep getting this audit event (sometimes 3
times in a day, others 10 times in a day, all in a row):

<<<<
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 23/12/2002
Time: 09:33:03 p.m.
User: WWW01\IUSR_VGSVR
Computer: WWW01
Description:
Object Open:
  Object Server: Security
  Object Type: File
  Object Name: C:\WINNT\system32\CMD.EXE
  New Handle ID: -
  Operation ID: {0,139507346}
  Process ID: 2704
  Primary User Name: IUSR_VGSVR
  Primary Domain: WWW01
  Primary Logon ID: (0x0,0x12BEC)
  Client User Name: -
  Client Domain: -
  Client Logon ID: -
  Accesses SYNCHRONIZE
   Execute/Traverse

  Privileges -
>>>>

It seems like one of my sites is trying to execute something with the shell.
I don't believe it's a hacker or Code Red (I have up to SP3 installed).

I searched all the logs for this month (looking for the text cmd) but
nothing. So this narrows the search to my users code.

Any ideas on how to detect which web site is doing this??

Thanks!!

Agustin.
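One way to narrow a 560 failure audit like the one quoted above down to a web site is to take the event's timestamp and line it up against the IIS W3C logs, which carry the site instance in the `s-sitename` field. The script below is an added example, not code from the post or from Microsoft: it parses the quoted event text, converts the Security log's local time to UTC (IIS writes W3C logs in UTC, and the -0300 offset is taken from the mail header), and lists the sites that served a request within a few seconds of the failed `CMD.EXE` open. The IIS log lines are constructed for the example, and the 5-second window and the assumption that `s-sitename` logging is enabled are the author's choices here.

```python
import re
from datetime import datetime, timedelta

# Copy of the Event ID 560 record quoted in the post (values as posted).
EVENT_TEXT = r"""Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 23/12/2002
Time: 09:33:03 p.m.
User: WWW01\IUSR_VGSVR
Computer: WWW01
Description:
Object Open:
  Object Server: Security
  Object Type: File
  Object Name: C:\WINNT\system32\CMD.EXE
  New Handle ID: -
  Operation ID: {0,139507346}
  Process ID: 2704
  Primary User Name: IUSR_VGSVR
  Primary Domain: WWW01
  Primary Logon ID: (0x0,0x12BEC)
  Client User Name: -
  Client Domain: -
  Client Logon ID: -
  Accesses SYNCHRONIZE
   Execute/Traverse
  Privileges -
"""

# Constructed IIS W3C extended log excerpt (not from the post). IIS stamps
# these lines in UTC; the event above is local time at UTC-03:00.
IIS_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time s-sitename c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-12-24 00:32:50 W3SVC1 10.0.0.5 GET /default.asp - 200
2002-12-24 00:33:02 W3SVC3 10.0.0.9 GET /tools/dirlist.asp - 200
2002-12-24 00:40:11 W3SVC2 10.0.0.7 GET /news.htm - 200
"""

# "Key: value" lines of an exported event; the non-greedy key stops at the
# first colon so values such as C:\WINNT\... survive intact.
KV_RE = re.compile(r'^\s*([A-Za-z][A-Za-z /]*?):\s*(.*)$')


def parse_event(text):
    """Turn the 'Key: value' lines of an exported 560 record into a dict."""
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def event_time_utc(fields, utc_offset):
    """Security log stamps are local time; normalise to UTC to match IIS logs."""
    stamp = f"{fields['Date']} {fields['Time']}"
    stamp = stamp.replace('p.m.', 'PM').replace('a.m.', 'AM')
    local = datetime.strptime(stamp, '%d/%m/%Y %I:%M:%S %p')
    return local - utc_offset


def is_anon_shell_attempt(fields):
    """True for a 560 record where the IIS anonymous account touched cmd.exe."""
    return (fields.get('Event ID') == '560'
            and fields.get('Object Name', '').lower().endswith('\\cmd.exe')
            and fields.get('Primary User Name', '').upper().startswith('IUSR_'))


def parse_w3c(log_text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    names, rows = None, []
    for line in log_text.splitlines():
        if line.startswith('#Fields:'):
            names = line.split()[1:]
        elif line.startswith('#') or not line.strip():
            continue
        elif names:
            rows.append(dict(zip(names, line.split())))
    return rows


def requests_near(rows, when_utc, window):
    """Requests whose UTC timestamp lies within +/- window of when_utc, nearest first."""
    hits = []
    for r in rows:
        ts = datetime.strptime(f"{r['date']} {r['time']}", '%Y-%m-%d %H:%M:%S')
        delta = abs((ts - when_utc).total_seconds())
        if delta <= window.total_seconds():
            hits.append((delta, r))
    return [r for _, r in sorted(hits, key=lambda h: h[0])]


def suspect_sites(event_text, log_text, utc_offset, window=timedelta(seconds=5)):
    """Site instances (s-sitename) that served a request around the failed open."""
    fields = parse_event(event_text)
    if not is_anon_shell_attempt(fields):
        return []
    rows = requests_near(parse_w3c(log_text), event_time_utc(fields, utc_offset), window)
    sites = []
    for r in rows:
        if r['s-sitename'] not in sites:
            sites.append(r['s-sitename'])
    return sites


if __name__ == '__main__':
    for site in suspect_sites(EVENT_TEXT, IIS_LOG, timedelta(hours=-3)):
        print('candidate site:', site)
```

The correlation is only as good as the clocks and the window: a busy server will return several sites in a 5-second span, so tighten the window or run it across all of the recurring events and look for the site that shows up every time. If the sites run under separate anonymous accounts instead of a shared `IUSR_` account, the `Primary User Name` in the audit record identifies the site directly and no log correlation is needed.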


