Re: MS Vulnerability? I was hacked!

From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 01/12/03


From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com>
Date: Sat, 11 Jan 2003 19:22:48 -0500

I think it's inconclusive to say whether you've been hacked. From this log
it looks like nothing was done, leading me to believe that whatever it was
gave up after having no success.

Additionally, codes 404, 403, 40x, etc. are so far always codes of no success.
500 is usually no success, but not always. 200 is usually success, but not
always. For more information on this, see:

http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs

This looks like a worm like Nimda or Code Red. There's nothing you really
can or should do to stop these from hitting your server, you just need to be
sure your server is hardened against them, which it seems you are. Everyone
gets tons of these attempts in their IIS logs.

Having said that, you should really consider running URLScan which is free
from Microsoft, comes with IISLockdown. The 500 error codes also indicate
you may not have followed the IIS hardening checklists out there, starting
with the ones from www.microsoft.com/technet/security

Other things you should consider doing to harden your system are at:

http://securityadmin.info/faq.htm#harden

PS this log does not prove that your server has not been hacked ever, just
that it does not appear to have been hacked today via IIS. If you want to
look for signs of a successful hacking, you can try this:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure

"BobOki" <boboki@boboki.com> wrote in message
news:314f01c2b9c6$9dd684e0$d3f82ecf@TK2MSFTNGXA10...
I got hacked last night, seems they were using the same
old same old hack that Microsoft said they patched in the
last service pack! (windows 2000 server SP3)

Here's the log:

2003-01-11 21:47:14 24-240-234-157.charter.com - GET /scripts/root.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:14 24.240.234.157 - GET /MSADC/root.exe 403 4227 HTTP/1.0 - -
2003-01-11 21:47:16 24-240-234-157.charter.com - GET /c/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:16 24-240-234-157.charter.com - GET /d/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:17 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:17 24-240-234-157.charter.com - GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:17 24-240-234-157.charter.com - GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:19 24.240.234.157 - GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 403 4227 HTTP/1.0 - -
2003-01-11 21:47:19 24-240-234-157.charter.com - GET /scripts/..Á../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:20 24-240-234-157.charter.com - GET /scripts/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:21 24-240-234-157.charter.com - GET /winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:21 24-240-234-157.charter.com - GET /winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:22 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:22 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:23 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:23 24-240-234-157.charter.com - GET /scripts/..%2f../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -

That's the last I have on there until I accessed it this
morning, having been hacked by F3PN.
Anyone have any insight on this?

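An added example, not code from either poster, that applies the triage rule in the reply above (4xx = no success, 5xx = usually no success but review it, 2xx = usually success) to the log entries posted in the thread. It looks only for the request shapes those entries show (root.exe, cmd.exe reached through the web root, and ".." traversal hidden behind %5c, %2f or raw non-ASCII bytes), so it is a worm-probe triage, not a general IIS log analyser. The field layout in the parsing regex is an assumption about how this server's W3C extended log is configured; the "..Á../" text is kept exactly as the page shows it; and the one line named CONSTRUCTED_HIT is made up here to show what a probe that actually got through would look like.

```python
import re
from typing import Dict, List, Optional

# Entries from the post above, one per line. Assumed field layout (this
# server's W3C extended log configuration is not stated in the thread):
# date time c-ip cs-username cs-method cs-uri-stem sc-status sc-bytes
# cs-version cs(User-Agent) cs(Referer). Note the client field alternates
# between a reverse-resolved hostname and a bare IP, so do not treat it as an IP.
LOG_LINES = """\
2003-01-11 21:47:14 24-240-234-157.charter.com - GET /scripts/root.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:14 24.240.234.157 - GET /MSADC/root.exe 403 4227 HTTP/1.0 - -
2003-01-11 21:47:16 24-240-234-157.charter.com - GET /c/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:16 24-240-234-157.charter.com - GET /d/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:17 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:17 24-240-234-157.charter.com - GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:17 24-240-234-157.charter.com - GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:19 24.240.234.157 - GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 403 4227 HTTP/1.0 - -
2003-01-11 21:47:19 24-240-234-157.charter.com - GET /scripts/..Á../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:20 24-240-234-157.charter.com - GET /scripts/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:21 24-240-234-157.charter.com - GET /winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:21 24-240-234-157.charter.com - GET /winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:22 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:22 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:23 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:23 24-240-234-157.charter.com - GET /scripts/..%2f../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
""".splitlines()

# CONSTRUCTED for this example, not from the original post: a traversal
# request that returned 200 with a body, i.e. cmd.exe was actually reached.
CONSTRUCTED_HIT = (
    "2003-01-11 21:47:30 10.0.0.99 - GET /scripts/..%5c../winnt/system32/cmd.exe"
    " 200 2534 HTTP/1.0 - -"
)

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<status>\d{3}) (?P<bytes>\d+) (?P<version>\S+) "
    r"(?P<ua>\S+) (?P<referer>\S+)$"
)

# Request shapes seen in the posted log: the root.exe backdoor, cmd.exe under
# the web root, and ".." traversal obfuscated with %5c, %2f, the overlong
# UTF-8 forms, or a raw non-ASCII byte left behind after IIS decoded one.
WORM_URI_RE = re.compile(
    r"(root\.exe|cmd\.exe|\.\.%5c|\.\.%2f|\.\.%c0%af|\.\.%c1%1c|\.\.%c1%9c"
    r"|\.\.[^\x00-\x7f])",
    re.IGNORECASE,
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one log entry into fields; None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry: Dict[str, object] = dict(m.groupdict())
    entry["status"] = int(m.group("status"))
    entry["bytes"] = int(m.group("bytes"))
    return entry


def outcome(status: int) -> str:
    """Map sc-status to the reply's triage buckets."""
    if 200 <= status < 300:
        return "success"      # usually success: treat as a hit until disproved
    if 300 <= status < 400:
        return "redirect"     # not a hit by itself; check where it went
    if 400 <= status < 500:
        return "failed"       # always no success
    return "ambiguous"        # 5xx: usually no success, but review manually


def triage(lines: List[str]) -> Dict[str, object]:
    """Count worm-style requests per outcome and collect the ones that got 2xx."""
    summary: Dict[str, object] = {
        "total": 0,
        "worm_requests": 0,
        "by_outcome": {"success": 0, "redirect": 0, "failed": 0, "ambiguous": 0},
        "successful_hits": [],
        "unparsed": [],
    }
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            summary["unparsed"].append(line)
            continue
        summary["total"] += 1
        if not WORM_URI_RE.search(str(entry["uri"])):
            continue
        summary["worm_requests"] += 1
        oc = outcome(int(entry["status"]))
        summary["by_outcome"][oc] += 1
        if oc == "success":
            summary["successful_hits"].append(entry)
    return summary


if __name__ == "__main__":
    for label, lines in (("posted log", LOG_LINES),
                         ("posted log + constructed hit", LOG_LINES + [CONSTRUCTED_HIT])):
        s = triage(lines)
        print(f"{label}: {s['worm_requests']}/{s['total']} worm-style requests, "
              f"outcomes {s['by_outcome']}")
        for hit in s["successful_hits"]:
            print(f"  REVIEW: {hit['time']} {hit['client']} {hit['uri']} "
                  f"-> {hit['status']} ({hit['bytes']} bytes)")
```

On the posted entries this reports sixteen worm-style requests, nine in the failed bucket and seven ambiguous 500s, and no successful hits, which is the reply's reading of the log. The 500s with zero bytes are the ones worth a second look: the traversal was not served, but the server did not refuse it cleanly either, which is the point about the hardening checklists and URLScan. A 200 on any of these URIs, as in the constructed line, is what would actually justify the "I got hacked" conclusion from this log alone.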

