Re: MS Vulnerability? I was hacked!

From: BobOki (boboki@boboki.com)
Date: 01/12/03


From: "BobOki" <boboki@boboki.com>
Date: Sat, 11 Jan 2003 16:47:00 -0800

Looking a little deeper...
I found some more odd things.
This is at a different timeframe, but still well within
the timeframe to actually be the hack attempt.
I looked in my Event viewer hoping to find anything else
that might point in the right direction, and I found these:

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5506
Date: 1/11/2003
Time: 5:54:53 AM
User: N/A
Computer: ANIMESERVER
Description:
The DNS server encountered an invalid domain name offset
in a packet. The offset is the error.
Data:
0000: 70 00 00 00 p...

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5501
Date: 1/11/2003
Time: 5:54:53 AM
User: N/A
Computer: ANIMESERVER
Description:
The DNS server encountered a bad packet from
192.100.77.5. Packet processing leads beyond packet
length.

I got about 10 of those all within 1 second of the first
one posted.
The IP that is listed is not an IP on my network. I am on
a dual nic card setup on my box. I have my external line,
all sharing turned off, then my internal lan card, which
has sharing turned on. Is it possible they somehow
confused my DNS server into thinking that they were an
internal user? And if so, can I pull logs of what they did?
>-----Original Message-----
>Yeah, that's what I thought too... but, then again, all my
>index.htm/.html.asp and default.htm/.html.asp were changed
>to new files stating that "F3NP OWNS YOU! f3np@iname.com"
>I was on very late last night, and went to bed shortly
>before this. I was the last person to access my logs before
>this, and the first person to access them afterwards. This
>is the only thing that was logged, and it's a hack attempt.
>I am assuming that whatever they did, did not get logged.
>This is why I am thinking it is something new like a
>variation of Code Red that affects IIS somehow. I checked
>my logs for FTP. They showed no attempts at all on it.
>Most other ports are closed. My mail server is clean...
>So that leads me to believe it's something in IIS.
>
>Doing a Yahoo search for F3NP brought up a good deal of
>webpages hacked by the same person/group. So definitely
>take this as a warning to all... They ARE actively hacking
>right now....
>
>I guess what I need is #1. make people aware that there IS
>a vulnerability right now.. though what it is I cannot say,
>and also to get some information on how I can dig deeper
>to find what they could have done, how they got in, etc
>etc.
>
>
>>-----Original Message-----
>>I think it's inconclusive to say whether you've been hacked. From this log
>>it looks like nothing was done, leading me to believe that whatever it was
>>gave up after having no success.
>>
>>Additionally, code 404, 403, 40x etc. is so far always a code of no success.
>>500 is usually no success but not always. 200 is usually success but not
>>always. For more information on this, see:
>>
>>http://securityadmin.info/faq.htm#iislogs2
>>http://securityadmin.info/faq.htm#iislogs
>>
>>This looks like a worm like Nimda or Code Red. There's nothing you really
>>can or should do to stop these from hitting your server, you just need to be
>>sure your server is hardened against them, which it seems you are. Everyone
>>gets tons of these attempts in their IIS logs.
>>
>>Having said that, you should really consider running URLScan which is free
>>from Microsoft, comes with IISLockdown. The 500 error codes also indicate
>>you may not have followed the IIS hardening checklists out there, starting
>>with the ones from www.microsoft.com/technet/security
>>
>>Other things you should consider doing to harden your system are at:
>>
>>http://securityadmin.info/faq.htm#harden
>>
>>PS this log does not prove that your server has not been hacked ever, just
>>that it does not appear to have been hacked today via IIS. If you want to
>>look for signs of a successful hacking, you can try this:
>>
>>http://securityadmin.info/faq.htm#hacked
>>http://securityadmin.info/faq.htm#re-secure
>>
>>
>>"BobOki" <boboki@boboki.com> wrote in message
>>news:314f01c2b9c6$9dd684e0$d3f82ecf@TK2MSFTNGXA10...
>>I got hacked last night, seems they were using the same
>>old same old hack that Microsoft said they patched in the
>>last service pack! (Windows 2000 Server SP3)
>>
>>here's the log,
>>
>>2003-01-11 21:47:14 24-240-234-157.charter.com - GET /scripts/root.exe 404 5852 HTTP/1.0 - -
>>2003-01-11 21:47:14 24.240.234.157 - GET /MSADC/root.exe 403 4227 HTTP/1.0 - -
>>2003-01-11 21:47:16 24-240-234-157.charter.com - GET /c/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>>2003-01-11 21:47:16 24-240-234-157.charter.com - GET /d/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>>2003-01-11 21:47:17 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>>2003-01-11 21:47:17 24-240-234-157.charter.com - GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>>2003-01-11 21:47:17 24-240-234-157.charter.com - GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>>2003-01-11 21:47:19 24.240.234.157 - GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 403 4227 HTTP/1.0 - -
>>2003-01-11 21:47:19 24-240-234-157.charter.com - GET /scripts/..Á../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>>2003-01-11 21:47:20 24-240-234-157.charter.com - GET /scripts/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>>2003-01-11 21:47:21 24-240-234-157.charter.com - GET /winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>>2003-01-11 21:47:21 24-240-234-157.charter.com - GET /winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>>2003-01-11 21:47:22 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>>2003-01-11 21:47:22 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>>2003-01-11 21:47:23 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>>2003-01-11 21:47:23 24-240-234-157.charter.com - GET /scripts/..%2f../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>>
>>That's the last I have on there until I accessed it this
>>morning, having been hacked by F3PN.
>>Anyone have any insight on this?
>>
>>


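One way to apply the status-code reading from the reply in this thread (40x = no success, 500 = usually no success, 200 = usually success) to a log in the format quoted above, as an added example that is not code from the thread or from securityadmin.info: it decodes the %5c/%2f and overlong-UTF-8 forms the probes use, flags traversal and cmd.exe/root.exe requests, and labels each hit by that rule. The sample lines are constructed in the quoted log's layout, and the OVERLONG table and all function names are this example's own assumptions.

```python
from urllib.parse import unquote_to_bytes
# Constructed sample lines in the layout of the log quoted in the thread
# (date time client user method uri status bytes version ...); not the poster's own file.
SAMPLE_LOG = """\
2003-01-11 21:47:14 24-240-234-157.charter.com - GET /scripts/root.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:14 24.240.234.157 - GET /MSADC/root.exe 403 4227 HTTP/1.0 - -
2003-01-11 21:47:17 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:19 24-240-234-157.charter.com - GET /scripts/..%c0%af../winnt/system32/cmd.exe 200 1245 HTTP/1.0 - -
2003-01-11 21:47:30 24-240-234-157.charter.com - GET /index.htm 200 3311 HTTP/1.0 - -
"""
# Overlong UTF-8 sequences the unpatched IIS decoder accepted as path separators (assumed table).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}
TOOLS = ("cmd.exe", "root.exe")

def normalize(uri: str) -> str:
    # Undo the encodings so '..%5c..' and '..%c0%af..' both read '../..'.
    raw = unquote_to_bytes(uri)
    raw = unquote_to_bytes(raw)  # second pass catches double-encoded forms like %255c
    for seq, plain in OVERLONG.items():
        raw = raw.replace(seq, plain)
    return raw.decode("latin-1").replace("\\", "/").lower()

def parse(line: str):
    # Fields the triage needs; None for blank or malformed lines.
    f = line.split()
    if len(f) < 7 or not f[6].isdigit():
        return None
    return {"time": f"{f[0]} {f[1]}", "client": f[2], "method": f[4],
            "uri": f[5], "status": int(f[6])}

def assess(entry: dict):
    # Flag traversal/tool probes and apply the status-code reading from the thread.
    norm = normalize(entry["uri"])
    if "/../" not in norm and not any(t in norm for t in TOOLS):
        return None
    s = entry["status"]
    if 200 <= s < 300:
        verdict = "LIKELY SUCCESS: inspect host"  # a 2xx on a probe is the one to chase
    elif s == 500:
        verdict = "usually failed, verify"  # script mapping was hit but errored
    else:
        verdict = "failed"  # 403/404/40x: nothing was served
    return {**entry, "normalized": norm, "verdict": verdict}

def triage(log: str) -> list:
    entries = (parse(l) for l in log.splitlines())
    return [a for a in (assess(e) for e in entries if e) if a]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["status"], hit["normalized"], "->", hit["verdict"])
```

A 2xx on a normalized path that still contains `/../` is the line to follow up on the host itself, since the log alone cannot show what the request did.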
