Re: Help! Hacker is turning off my server.
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 03/11/03
- Previous message: Jack Brewster: "Re: IIS + FPE2002 security nightmare"
- In reply to: Barry: "Re: Help! Hacker is turning off my server."
- Next in thread: Lisa Cozzens [MSFT]: "Re: Help! Hacker is turning off my server."
- Reply: Lisa Cozzens [MSFT]: "Re: Help! Hacker is turning off my server."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Tue, 11 Mar 2003 16:37:23 -0500
We had some UPS backups go bad so that they would not charge the battery [or
ruin brand new batteries] and a minor power fluctuation would power the
computer off. The UPS gave no indication of anything wrong.
The virtual root messages just sound like some virtual directories needing
to be deleted from IIS MMC.
Disabling the QoS service should get rid of the two QoS related error
messages. I'm guessing you're not using QoS.
Attempted anonymous FTP login scans from hackers are pretty normal nowadays,
but it looks like you've disabled the anonymous FTP account, so that looks
good.
"Barry" <bjgarfield@yahoo.com> wrote in message
news:058801c2e80a$cd9e3610$3001280a@phx.gbl...
> Will look at the links you suggested. However here is a
> description from the event log:
>
> "The previous system shutdown at 2:08:21 PM on 09/03/2003
> was unexpected."
>
> I don't think it's the power supply kicking out or the UPS.
> But I will have to swap them with another computer to be
> sure.
>
> Here are some other event logs that may give a hint to
> what's happening. The .com websites mentioned are on my
> server. All of the events happened within minutes of each
> other, and ultimately resulted in a shut down:
>
> EVENT ID 101:
> The server was unable to add the virtual
> root '/_vti_cnf/www.ritewaymarketing.com' for the
> directory 'D:\WEBSITES\ritewaymarketing.com' due to the
> following error: Access is denied. The data is the error
> code.
>
> EVENT ID 101:
> The server was unable to add the virtual root '' for the
> directory 'D:\WEBSITES\ritewaymarketing.com\webroot' due
> to the following error: Access is denied. The data is the
> error code.
>
> EVENT ID 101:
> The server was unable to add the virtual root '' for the
> directory 'D:\WEBSITES\easierhealthtoday.com\webroot' due
> to the following error: Access is denied. The data is the
> error code.
>
> EVENT ID 10047:
> QoS RSVP has failed to find any interfaces with traffic
> control enabled. Install QoS traffic control services via
> network and dial-up connections.
>
> EVENT ID 10035:
> This host can not be ACS since the Active Directory has
> not been properly configured via the QoS ACS management
> console. Please configure the subnets via the QoS ACS
> mangement console.
>
> EVENT ID 100:
> The server was unable to logon the Windows NT
> account 'anonymous@ftp.microsoft.com' due to the following
> error: Logon failure: unknown user name or bad password.
> The data is the error code.
>
> EVENT ID 6008:
> The previous system shutdown at 2:08:16 PM on 23/02/2003
> was unexpected.
>
> >-----Original Message-----
> >Doesn't necessarily sound like hacking but like a software or hardware
> >problem, power failure, etc. If you get a UPS like APC with a [serial]
> >cable and software for management connected from the UPS to the server, it
> >will report any power fluctuations in your Windows event log, this could be
> >helpful.
> >
> >Some information you should consider:
> >
> >http://securityadmin.info/faq.htm#hacked
> >http://securityadmin.info/faq.htm#iislogs2
> >http://securityadmin.info/faq.htm#iislogs
> >http://securityadmin.info/faq.htm#re-secure
> >http://securityadmin.info/faq.htm#harden
> >http://securityadmin.info/faq.htm#ftpfolder
> >
> >If you had been hacked, the logs are not necessarily reliable... hackers can
> >change the logs, and buffer overflow attacks on, say, IIS do not show up in
> >your IIS logs [though URLScan should help block many of these attacks].
> >
> >I would be curious to see what if anything is in your Windows event logs
> >though. You should at least see a message in the system log from "Event
> >Log" if the shutdown was unexpected by Windows. If you don't see this, then
> >the shutdown was probably graceful and initiated either by Windows, or I
> >suppose possibly by a hacker... but you'd probably see signs of this by
> >following the instructions in the first link above.
> >
> >Do make sure your anonymous FTP user [e.g. IUSR by default] never has both
> >read and write permissions to any FTP folder, or you'll be hacked.
> >
> >Also, SIM from www.gfi.com would be helpful here.
> >
> >"Barry" <bjgarfield@yahoo.com> wrote in message
> >news:013001c2e7a2$78814090$a001280a@phx.gbl...
> >> I am running Windows 2000 Server w/IIS 5.0.
> >> I have applied IIS Lockdown.
> >> My server's Internet connection is through a Linksys
> >> router which is set up only to allow access to the server
> >> through Port 80.
> >>
> >> Problem: My server is being hacked continuously. I noticed
> >> because every day or so, the server is OFF. Powered-down,
> >> as if someone pressed the power button.
> >>
> >> I checked the ftp log and found:
> >>
> >> #Software: Microsoft Internet Information Services 5.0
> >> #Version: 1.0
> >> #Date: 2003-03-01 10:04:52
> >> #Fields: time c-ip cs-method cs-uri-stem sc-status
> >> 10:04:52 80.14.88.60 [3]USER anonymous 331
> >> 10:04:52 80.14.88.60 [3]PASS Agpuser@home.com 530
> >> 21:54:34 213.177.159.93 [5]USER anonymous 331
> >> 21:54:34 213.177.159.93 [5]PASS Pgpuser@home.com 530
> >>
> >> I checked the log of a web site I am hosting and found the
> >> following:
> >>
> >> #Software: Microsoft Internet Information Services 5.0
> >> #Version: 1.0
> >> #Date: 2003-03-06 03:56:33
> >> #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
> >> 2003-03-06 03:56:33 148.223.64.114 - 10.101.101.10 80 HEAD /index.htm - 200 -
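Added here as an example, not code from the thread or from either poster: a small Python parser for the IIS 5.0 FTP log format Barry quoted, which separates the routine failed anonymous logins Karl mentions from the two things that would actually matter on this server, an anonymous login that succeeds (the account is still enabled) and an upload inside such a session (the read-plus-write situation the earlier reply warns about). The sample log is constructed from Barry's four lines plus three made-up entries; the `created` verb for uploads and the 192.0.2.77 client are assumptions, not values from the thread.

```python
import re

# Constructed sample in the IIS 5.0 FTP log format Barry quoted: his four entries,
# then three made-up ones showing a successful anonymous login and an upload.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
10:04:52 80.14.88.60 [3]USER anonymous 331
10:04:52 80.14.88.60 [3]PASS Agpuser@home.com 530
21:54:34 213.177.159.93 [5]USER anonymous 331
21:54:34 213.177.159.93 [5]PASS Pgpuser@home.com 530
22:10:01 192.0.2.77 [6]USER anonymous 331
22:10:01 192.0.2.77 [6]PASS guest@example.net 230
22:10:09 192.0.2.77 [6]created /incoming/notes.txt 226
"""
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")  # cs-method is "[session-id]VERB"

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))

def analyze_ftp_log(text):
    """Sort anonymous activity into failed logins (scan noise when the account
    is disabled), successful logins, and uploads inside an anonymous session."""
    anon = {}          # session id -> client ip after "USER anonymous"
    logged_in = set()  # anonymous sessions that got a 230 on PASS
    findings = {"failed_anon_login": [], "anon_login_ok": [], "anon_upload": []}
    for e in parse_w3c(text):
        m = METHOD_RE.match(e["cs-method"])
        if not m:
            continue
        sid, verb = m.group(1), m.group(2).upper()
        ip, arg, status = e["c-ip"], e["cs-uri-stem"], e["sc-status"]
        if verb == "USER" and arg.lower() in ("anonymous", "ftp"):
            anon[sid] = ip
        elif verb == "PASS" and sid in anon:
            key = "anon_login_ok" if status == "230" else "failed_anon_login"
            findings[key].append((ip, arg))
            if status == "230":
                logged_in.add(sid)
        elif verb == "CREATED" and sid in logged_in:  # IIS logs STOR as "created" (assumed)
            findings["anon_upload"].append((ip, arg))
    return findings
```

Run against Barry's real log, only the `failed_anon_login` list should be populated; anything in the other two lists means the anonymous account is not actually disabled.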