Re: IUSR trying to run cmd.exe... who is it?
From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 12/25/02
From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com> Date: Wed, 25 Dec 2002 10:41:04 -0500
As you may already know, just having SP3 installed is not enough to secure
IIS. You also at a minimum need to go through one or more hardening
checklists for Windows and IIS, for example to delete script mappings such
as .printer, delete sample files such as showcode.asp, etc.

I could be wrong, but I still feel like the most likely way this is hitting
you is through HTTP requests / your IIS logs. I would install URLScan and
check the URLScan.log file, and also check your IIS logs again for anything
suspicious around the time that CMD.EXE was accessed. There are a number of
ways CMD.EXE could be called without the text CMD.EXE appearing in your IIS
logs.

"Agustin Chernitsky" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
news:ulY7aW6qCHA.2372@TK2MSFTNGP12...
> Hi guys,
>
> For security reasons, I removed permissions from many files in win2k system
> and added auditing to them. I keep getting this audit event (sometimes 3
> times in a day, others 10 times in a day, all in a row) :
>
> <<<<
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 23/12/2002
> Time: 09:33:03 p.m.
> User: WWW01\IUSR_VGSVR
> Computer: WWW01
> Description:
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: C:\WINNT\system32\CMD.EXE
> New Handle ID: -
> Operation ID: {0,139507346}
> Process ID: 2704
> Primary User Name: IUSR_VGSVR
> Primary Domain: WWW01
> Primary Logon ID: (0x0,0x12BEC)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Accesses SYNCHRONIZE
> Execute/Traverse
>
> Privileges -
> >>>>
>
> It seems like one of my sites is trying to execute something with the shell.
> I don't believe it's a hacker or code red (I have up to SP3 installed).
>
> I searched all the logs for this month (looking for the text cmd) but
> nothing. So this narrows the search to my users' code.
>
> Any ideas on how to detect which web site is doing this??
>
> Thanks!!
>
> Agustin.
>
>
>
>
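
One way to do the log check suggested in the reply above, as an added example that is not part of the original thread: instead of searching for the text "cmd", list every request that each site logged within a few seconds of the audit event, and percent-decode the URL repeatedly before matching. The W3C extended field list, the log folder names, the sample lines and the UTC conversion of the event time are all assumptions constructed for the example.

```python
from datetime import datetime
from urllib.parse import unquote

def fully_decode(text, max_rounds=5):
    """Percent-decode repeatedly so multiply-encoded text is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(text, errors="replace")
        if decoded == text:
            break
        text = decoded
    return text

def requests_near(logs_by_site, event_utc, window_s=2, needle="cmd.exe"):
    """Return (site, method, uri_stem, needle_found) for each request logged
    within window_s seconds of the audit event, across all site logs."""
    hits = []
    for site, lines in logs_by_site.items():
        fields = []
        for line in lines:
            if line.startswith("#Fields:"):
                fields = line.split()[1:]   # column names for the rows below
                continue
            if line.startswith("#") or not line.strip() or not fields:
                continue
            rec = dict(zip(fields, line.split()))
            try:
                ts = datetime.strptime(rec["date"] + " " + rec["time"],
                                       "%Y-%m-%d %H:%M:%S")
            except (KeyError, ValueError):
                continue                    # row lacks usable date/time columns
            if abs((ts - event_utc).total_seconds()) > window_s:
                continue
            url = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
            found = needle in fully_decode(url).lower()
            hits.append((site, rec.get("cs-method"), rec.get("cs-uri-stem"), found))
    return hits

# Constructed sample logs, one list per IIS site log folder (hypothetical names).
FIELDS = "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"
SAMPLE = {
    "W3SVC1": [FIELDS,
               "2002-12-24 00:31:10 192.0.2.10 GET /default.asp - 200",
               "2002-12-24 00:33:02 192.0.2.10 GET /index.htm - 200"],
    "W3SVC2": [FIELDS,
               "2002-12-24 00:33:03 192.0.2.77 POST /tools/report.asp - 500",
               "2002-12-24 00:33:03 192.0.2.78 GET /run.asp p=c%256Dd.exe 403"],
}
# Audit event time converted to UTC (IIS W3C logs record UTC); the offset is assumed.
EVENT_UTC = datetime(2002, 12, 24, 0, 33, 3)
```

Calling `requests_near(SAMPLE, EVENT_UTC)` returns the candidate requests per site. A request with nothing suspicious in its URL, such as the POST above, still shows up because the match is on time rather than text.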