Re: Log files Help
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 02/20/03
- Next message: Karl Levinson [x y] mvp: "Re: IIS LOGS"
- Previous message: MajorGaines: "IIS 6 & ASPX"
- In reply to: Junh: "Re: Log files Help"
- Next in thread: Junh: "Re: Log files Help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Wed, 19 Feb 2003 22:16:13 -0500
Wait a minute, don't panic just yet.
I'm not sure anyone told you that you and everyone else will *always* see
these things in your web server logs. There's nothing you can or should do
to prevent these things, and these often aren't signs of hacking, just Code
Red or Nimda worms. What you should do is confirm that you have all the
latest patches installed and that you have hardened your server using the
URLs below... however, either you'd be infected in less than a day or you'll
never be infected.
If the logs indicate that the exploit was not successful, it probably never will
be. Generally a 404 error in the logs is good. 500 is also usually an
error that means no success, but not always. 200 is usually a bad sign that
the attack was successful, but again, not always. More info:
http://securityadmin.info/faq.htm#hacked [how to look for signs of back
doors and hacking]
http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs
http://securityadmin.info/faq.htm#harden
http://securityadmin.info
RE: FTP, you want to make sure the anonymous user [usually the IUSR account
by default] does not have both read and write permissions to any one folder,
or else your server will be subject to FTP abuse. You also probably want to
delete the POSIX subsystem [instructions in the hardening URL above].
"Junh" <yyy@o.pi> wrote in message
news:#jd9FEH2CHA.2472@TK2MSFTNGP11.phx.gbl...
> Hi. All probes were blocked... But what does it mean running those lines in
> the Log?
>
>
> "Junh" <yyy@o.pi> wrote in message
> news:OcknBMG2CHA.1612@TK2MSFTNGP11.phx.gbl...
> Oops, sorry, I am scanning possible ports for Trojans
>
>
> "Junh" <yyy@o.pi> wrote in message news:usCJEHG2CHA.1748@TK2MSFTNGP12...
> You are right, what is your suggestion to find backdoors?
>
>
> "Crimson Star" <Crimson.Star@remove.gov.ab.ca> wrote in message
> news:#3deDCG2CHA.2204@TK2MSFTNGP09...
> Actions speak louder than words. If your firewall did block that request,
> it could not have made it to IIS and would not be in the IIS log. The IIS
> log shows that the request was received by IIS but could not be executed
> because the file could not be found.
>
> As you probably already realize, it is NIMDA or something similar trying to
> find a backdoor left by Code Red.
>
> "Junh" <yyy@o.pi> wrote in message news:eaR3v3F2CHA.1764@TK2MSFTNGP10...
> > Sorry but i think Yes, look at the FW Log and IIS log
> >
> > IIS log
> >
> > 19:11:25 213.228.42.43 GET /scripts/root.exe 404
> >
> > FW Log
> >
> > Details: Attempted Intrusion "IIS_CGI_Decode_Command_Execution" against your
> > machine was detected and blocked
> > Intruder: 213.228.42.43(4551)
> > Risk Level: Medium
> > Protocol: TCP
> > Attacked IP: xxxx(xxxxxx).
> > Attacked Port: http(80)
> >
> >
> > "Crimson Star" <Crimson.Star@remove.gov.ab.ca> wrote in message
> > news:#OnatwF2CHA.1748@TK2MSFTNGP12...
> > Your firewall is NOT blocking communication on port 80 or there would be no
> > entries in the IIS logs! The 404 status code is returned by IIS to indicate
> > "file not found".
> >
> > "Junh" <yyy@o.pi> wrote in message news:O#BE9MF2CHA.1180@TK2MSFTNGP12...
> > > Hi Bernard, i tried to Fix Nimda but:
> > >
> > > :: W32.Nimda.A@mm has not been found on your computer.
> > >
> > > Now check this
> > >
> > > 14:29:16 213.228.40.97 GET /scripts/root.exe 404
> > > 14:29:26 213.228.40.97 GET /MSADC/root.exe 404
> > > 17:47:11 213.228.40.97 GET /scripts/root.exe 404
> > > 17:47:21 213.228.40.97 GET /MSADC/root.exe 404
> > > 18:29:26 213.228.42.43 GET /scripts/root.exe 404
> > > 18:29:26 213.228.42.43 GET /MSADC/root.exe 404
> > > #Software: Microsoft Internet Information Services 5.1
> > > #Version: 1.0
> > > #Date: 2003-02-19 19:11:25
> > > #Fields: time c-ip cs-method cs-uri-stem sc-status
> > > 19:11:25 213.228.42.43 GET /scripts/root.exe 404
> > > 19:11:25 213.228.42.43 GET /MSADC/root.exe 404
> > >
> > > This is given the error 404 because the firewall blocked communication
> > >
> > > What is your guess now, Thanks
> > >
> > >
> > > "BB" <Bernard_at_3exp.com> wrote in message
> > > news:OJdiW0#1CHA.2292@TK2MSFTNGP10...
> > > Error 530: user not able to log in.
> > > This shows someone tried to access your FTP server
> > > anonymously. It's OK, since all failed.
> > >
> > > You might want to monitor a while; if they
> > > keep coming, block their IP access using the
> > > firewall.
> > >
> > > Rgds.
> > >
> > >
> > > "Junh" <yyy@o.pi> wrote in message
> > > news:eoTRWs#1CHA.416@TK2MSFTNGP11.phx.gbl...
> > > > Hi, I changed the security and the attacker tried something today. Can someone
> > > > help me to read this? FTP is not set to anonymous connections..
> > > >
> > > > Thanks
> > > >
> > > > 06:58:37 81.84.33.131 [6]USER anonymous@ftp.microsoft.com 331
> > > > 06:58:37 81.84.33.131 [6]PASS - 530
> > > > 07:06:56 81.84.33.131 [7]USER anonymous 331
> > > > 07:06:56 81.84.33.131 [7]PASS anonymous@on.the.net 530
> > > > 07:10:32 81.84.33.131 [8]USER anonymous 331
> > > > 07:10:32 81.84.33.131 [8]PASS anonymous@on.the.net 530
> > > >
> > > > "BB" <Bernard_at_3exp.com> wrote in message
> > > > news:OrpaAd81CHA.2292@TK2MSFTNGP10...
> > > > Someone attacked you
> > > >
> > >
> >
>
> > > > http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/virus/nimda.asp
> > > >
> > > > Ensure you have the latest service packs and updates;
> > > > refer to http://www.microsoft.com/security/
> > > >
> > > > Get IISLockdown and install URLScan,
> > > > and secure your box with
> > > > http://support.microsoft.com/?id=282060
> > > >
> > > > Rgds.
> > > >
> > > >
> > > > "Junh" <yyy@o.pi> wrote in message
> news:uuYezQ61CHA.2564@TK2MSFTNGP12...
> > > > > Sorry, the 1st line is the FTP log
> > > > >
> > > > > I meant to say Virtual Directories of the Web
> > > > >
> > > > > Thanks
> > > > >
> > > > > "Junh" <yyy@o.pi> wrote in message
> > news:#imG9M61CHA.2564@TK2MSFTNGP12...
> > > > > Hi, I have this line in my Log, what does it mean?
> > > > >
> > > > > >> 00:30:52 63.141.30.190 GET /scripts/..%5c%5c../winnt/system32/cmd.exe
> > > > >
> > > > > Where is the Log file of my Virtual Directories?
> > > > >
> > > > > Thanks, Regards
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
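The status-code rule of thumb from the reply above (404 means the target file was never there, 500 usually means the attempt failed, 200 means look closer) applied to the W3C extended log format quoted in this thread, as an added Python example that is not code from the original posts or from Microsoft. The #Fields line drives the parser, so it copes with the fields IIS 5.1 logged here. The probe-pattern list (root.exe, cmd.exe, decoded and double-decoded traversal) is an assumption chosen for the illustration, not a complete signature set, and the two extra sample lines with a 500 and a 200 from RFC 5737 test addresses are constructed to show the other verdicts; the remaining sample lines mirror the ones posted.

```python
"""Triage IIS W3C extended log entries for Code Red / Nimda style probes.

Added example for this thread, not code from the original posts.  The
status-code verdicts follow the rule of thumb given in the reply; the URI
patterns are an assumed, non-exhaustive list for illustration.
"""
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# Constructed sample in the shape of the IIS 5.1 log quoted in the thread.
# The last three lines (198.51.100.7 and 203.0.113.5) are invented to show
# a 500, a 200 on a probe URI, and an ordinary 200 on a normal page.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2003-02-19 19:11:25
#Fields: time c-ip cs-method cs-uri-stem sc-status
14:29:16 213.228.40.97 GET /scripts/root.exe 404
14:29:26 213.228.40.97 GET /MSADC/root.exe 404
19:11:25 213.228.42.43 GET /scripts/..%5c%5c../winnt/system32/cmd.exe 404
19:12:00 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe 500
19:12:30 198.51.100.7 GET /scripts/root.exe 200
19:13:00 203.0.113.5 GET /default.htm 200
"""

# Assumed probe patterns: Code Red II's root.exe copy of cmd.exe, cmd.exe
# itself, and ".." followed by an encoded or double-encoded path separator.
PROBE_PATTERNS = [
    re.compile(r"/root\.exe$", re.IGNORECASE),
    re.compile(r"/cmd\.exe$", re.IGNORECASE),
    re.compile(r"\.\.(%5c|%255c|%c0%af|%c1%1c|%c1%9c|/|\\)", re.IGNORECASE),
]


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the most recent #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue  # #Software, #Version, #Date carry no entries
        if not fields:
            raise ValueError("data line appears before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        yield dict(zip(fields, values))


def is_probe(uri_stem: str) -> bool:
    """True when the requested path matches one of the assumed probe patterns."""
    return any(p.search(uri_stem) for p in PROBE_PATTERNS)


def verdict(status: str) -> str:
    """Map sc-status to the thread's rule of thumb for a probe request."""
    if status == "404":
        return "not-found"      # file absent, so nothing executed
    if status.startswith("5"):
        return "likely-failed"  # server error: usually no success, but verify
    if status.startswith("2"):
        return "investigate"    # IIS served the request; it may have run
    return "review"             # 3xx/4xx other than 404: look at it by hand


def triage(text: str) -> Tuple[List[Dict[str, str]], Counter]:
    """Return probe entries annotated with a verdict, plus counts per verdict."""
    hits: List[Dict[str, str]] = []
    counts: Counter = Counter()
    for entry in parse_w3c(text):
        if is_probe(entry.get("cs-uri-stem", "")):
            v = verdict(entry.get("sc-status", ""))
            counts[v] += 1
            hits.append({**entry, "verdict": v})
    return hits, counts


def hosts_to_investigate(text: str) -> List[str]:
    """Client addresses whose probe requests came back 2xx."""
    hits, _ = triage(text)
    return sorted({h["c-ip"] for h in hits if h["verdict"] == "investigate"})


if __name__ == "__main__":
    hits, counts = triage(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["c-ip"]:<15} {h["sc-status"]} {h["verdict"]:<14} {h["cs-uri-stem"]}')
    print("per verdict:", dict(counts))
    print("hosts with a served probe:", hosts_to_investigate(SAMPLE_LOG))
```

Run it against a real log by reading the file into `triage()` in place of `SAMPLE_LOG`; the "investigate" bucket is where the reply's "200 is usually a bad sign, but not always" applies, so each such host still needs a look at the file system and at what IIS actually returned.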