Re: IUSR trying to run cmd.exe... who is it?

From: Agustin (agustinchernitsky-SPAM@hotmail.com)
Date: 12/26/02


From: "Agustin" <agustinchernitsky-SPAM@hotmail.com>
Date: Thu, 26 Dec 2002 13:00:08 -0300


Well,

It seems it was a CGI script trying to run a SENDMAIL. I am checking that
now...

Thanks for everything!

"BB" <Bernard_at_3exp.com> wrote in message
news:uX5ZAd8qCHA.392@TK2MSFTNGP12...
> Nothing in IIS log? If you have urlscan, check urlscanxxxx.log.
> Any idea what's process id 2704? Anything in event log?
>
> Ensure your server is up to date. Refer to
> www.microsoft.com/security/
> Can also refer to
> http://securityadmin.info/faq.htm#harden
>
> Rgds.
>
>
> "Agustin Chernitsky" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
> news:ulY7aW6qCHA.2372@TK2MSFTNGP12...
> > Hi guys,
> >
> > For security reasons, I removed permissions from many files in win2k system
> > and added auditing to them. I keep getting this audit event (sometimes 3
> > times in a day, others 10 times in a day, all in a row):
> >
> > <<<<
> > Event Type: Failure Audit
> > Event Source: Security
> > Event Category: Object Access
> > Event ID: 560
> > Date: 23/12/2002
> > Time: 09:33:03 p.m.
> > User: WWW01\IUSR_VGSVR
> > Computer: WWW01
> > Description:
> > Object Open:
> > Object Server: Security
> > Object Type: File
> > Object Name: C:\WINNT\system32\CMD.EXE
> > New Handle ID: -
> > Operation ID: {0,139507346}
> > Process ID: 2704
> > Primary User Name: IUSR_VGSVR
> > Primary Domain: WWW01
> > Primary Logon ID: (0x0,0x12BEC)
> > Client User Name: -
> > Client Domain: -
> > Client Logon ID: -
> > Accesses SYNCHRONIZE
> > Execute/Traverse
> >
> > Privileges -
> > >>>>
> >
> > It seems like one of my sites is trying to execute something with the shell.
> > I don't believe it's a hacker or code red (I have up to SP3 installed).
> >
> > I searched all the logs for this month (looking for the text cmd) but
> > nothing. So this narrows the search to my users' code.
> >
> > Any ideas on how to detect which web site is doing this??
> >
> > Thanks!!
> >
> > Agustin.
> >
> >
> >
> >
>
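
One way to answer "which web site is doing this" from the logs, given as an added example that is not part of the original thread: a server-side script that spawns the shell never puts "cmd" in the URL, so instead of a text search, match the audit event's time against script requests in each site's log. It assumes W3C extended logging (which IIS writes in UTC, one W3SVCn directory per site) and a server clock at UTC-3, taken from the -0300 in the poster's mail header; the function names and all sample log lines are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample W3C extended logs (UTC timestamps), keyed by per-site log
# directory name. Sites, IPs and URIs are invented for this example.
SAMPLE_LOGS = {
    "W3SVC1": """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-12-24 00:32:10 192.0.2.10 GET /index.htm 200
2002-12-24 00:40:00 192.0.2.11 GET /about.htm 200""",
    "W3SVC3": """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-12-23 21:33:02 192.0.2.50 GET /cgi-bin/old.pl 200
2002-12-24 00:33:01 192.0.2.44 POST /cgi-bin/contact.pl 502
2002-12-24 00:33:02 192.0.2.44 GET /images/logo.gif 200""",
}
SCRIPT_EXTS = (".pl", ".cgi", ".exe", ".asp", ".bat", ".cmd")

def event_time_utc(date_s, time_s, utc_offset_hours):
    """Convert the audit event's local Date/Time fields (dd/mm/yyyy, 12h) to UTC."""
    norm = time_s.lower().replace("a.m.", "AM").replace("p.m.", "PM")
    local = datetime.strptime(f"{date_s} {norm}", "%d/%m/%Y %I:%M:%S %p")
    return (local - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S"
            ).replace(tzinfo=timezone.utc)
            yield row

def candidates(logs, event_utc, window_s=5):
    """Return (site, uri, seconds_from_event) for script requests near the event."""
    hits = []
    for site, text in logs.items():
        for row in parse_w3c(text):
            delta = (event_utc - row["ts"]).total_seconds()
            is_script = row["cs-uri-stem"].lower().endswith(SCRIPT_EXTS)
            if is_script and abs(delta) <= window_s:
                hits.append((site, row["cs-uri-stem"], delta))
    return sorted(hits, key=lambda h: abs(h[2]))

if __name__ == "__main__":
    event = event_time_utc("23/12/2002", "09:33:03 p.m.", -3)
    print(candidates(SAMPLE_LOGS, event))
```

The constructed request logged at 21:33:02 looks like a match for the event's local time but is three hours away in UTC, which is why the conversion comes first.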


