Re: IUSR trying to run cmd.exe... who is it?

From: Agustin Chernitsky (agustinchernitskyNOSPAM@hotmail.com)
Date: 12/25/02


From: "Agustin Chernitsky" <agustinchernitskyNOSPAM@hotmail.com>
Date: Wed, 25 Dec 2002 18:05:09 -0300


Hi Karl,

What I did find is that the process the audit refers to is not an actual
running process. This narrows the search to CGI apps like PHP or Perl.

Still, you are right, I should check the logs... I am running audits to
perl.exe and php.exe to see if they are accessed or executed when this error
happens...

thanks!

"Karl Levinson [x y] mvp" <jamescagney90210@excite.com> wrote in message
news:#7QW1tCrCHA.2504@TK2MSFTNGP12...
> As you may already know, just having SP3 installed is not enough to secure
> IIS. You also at a minimum need to go through one or more hardening
> checklists for Windows and IIS, for example to delete script mappings such
> as .printer, delete sample files such as showcode.asp, etc.
>
> I could be wrong, but I still feel like the most likely way this is hitting
> you is through HTTP requests / your IIS logs. I would install URLscan and
> check the URLScan.log file, and also check your IIS logs again for anything
> suspicious around the time that CMD.EXE was accessed. There are a number of
> ways CMD.EXE could be called without the text CMD.EXE appearing in your IIS
> logs.
>
>
> "Agustin Chernitsky" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
> news:ulY7aW6qCHA.2372@TK2MSFTNGP12...
> > Hi guys,
> >
> > For security reasons, I removed permissions from many files in win2k system
> > and added auditing to them. I keep getting this audit event (sometimes 3
> > times in a day, others 10 times in a day, all in a row):
> >
> > <<<<
> > Event Type: Failure Audit
> > Event Source: Security
> > Event Category: Object Access
> > Event ID: 560
> > Date: 23/12/2002
> > Time: 09:33:03 p.m.
> > User: WWW01\IUSR_VGSVR
> > Computer: WWW01
> > Description:
> > Object Open:
> > Object Server: Security
> > Object Type: File
> > Object Name: C:\WINNT\system32\CMD.EXE
> > New Handle ID: -
> > Operation ID: {0,139507346}
> > Process ID: 2704
> > Primary User Name: IUSR_VGSVR
> > Primary Domain: WWW01
> > Primary Logon ID: (0x0,0x12BEC)
> > Client User Name: -
> > Client Domain: -
> > Client Logon ID: -
> > Accesses SYNCHRONIZE
> > Execute/Traverse
> >
> > Privileges -
> > >>>>
> >
> > It seems like one of my sites is trying to execute something with the shell.
> > I don't believe it's a hacker or Code Red (I have up to SP3 installed).
> >
> > I searched all the logs for this month (looking for the text cmd) but
> > nothing. So this narrows the search to my users code.
> >
> > Any ideas on how to detect which web site is doing this??
> >
> > Thanks!!
> >
> > Agustin.
> >
> >
> >
> >
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.423 / Virus Database: 238 - Release Date: 11/25/2002
>
>
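As an added example, not code from anyone in this thread: a small Python script that does the log check Karl describes, pulling IIS W3C log entries from a window around the 560 event's timestamp and percent-decoding the URI repeatedly (so a double-encoded request is caught too) before looking for cmd.exe or directory traversal in the decoded form. The log lines are constructed; field names follow the W3C extended format, and since IIS writes W3C logs in UTC while the audit event shows local time, the event timestamp has to be converted before it is passed in.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample IIS 5.0 W3C extended log (not from the original post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-12-23 21:31:40 10.0.0.5 GET /index.html - 200
2002-12-23 21:33:01 10.0.0.9 GET /cgi-bin/view.pl file=..%2F..%2Fwinnt%2Fsystem32%2Fcmd%2Eexe 500
2002-12-23 21:33:02 10.0.0.9 GET /scripts/run.php cmd=%2563%256d%2564%252eexe 200
2002-12-23 21:45:10 10.0.0.5 GET /about.html - 200
"""

# Patterns that should never appear in a decoded request to a web app.
SUSPICIOUS = re.compile(r"cmd\.exe|\.\./|\.\.\\", re.IGNORECASE)


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def requests_near(event_time, log_text, window_minutes=5):
    """Return (timestamp, client ip, stem, decoded uri) for suspicious requests
    within +/- window_minutes of event_time ("YYYY-MM-DD HH:MM:SS", log zone)."""
    centre = datetime.strptime(event_time, "%Y-%m-%d %H:%M:%S")
    lo, hi = centre - timedelta(minutes=window_minutes), centre + timedelta(minutes=window_minutes)
    hits = []
    for rec in parse_w3c(log_text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if not (lo <= ts <= hi):
            continue
        decoded = fully_decode(rec["cs-uri-stem"] + "?" + rec["cs-uri-query"])
        if SUSPICIOUS.search(decoded):
            hits.append((ts, rec["c-ip"], rec["cs-uri-stem"], decoded))
    return hits


if __name__ == "__main__":
    for hit in requests_near("2002-12-23 21:33:03", SAMPLE_LOG):
        print(*hit)
```

The stem in each hit tells you which site's script handled the request, which is the question the original post asks.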

