Re: I was hacked
From: SAge (solon_amadeus_at_yahoo.com)
Date: 08/06/03
- Next message: Nick van Dal: "IIS integrated authentication not recognized"
- Previous message: Bruno CHARLOUP: "Activating RDS with W2K"
- In reply to: Frank: "I was hacked"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 5 Aug 2003 23:47:47 -0700
First, of course, do a full updated scan looking for trojan horses and
other ills. If you know your program files and other system files
well, have a look for an odd-named file, possibly fitting in but
something may make it look odd. Could most likely be from 50k-1mb in
size, most averaging 150-550k. Next, if you need to do some
footprinting on that address you say may be the source, SamSpade.org
provides good tools. If you need further assistance you can contact
echo@echocct.org, attn: SAge. Essentially, however, you are only going
to find some basic info on this IP, if lucky they were dumb and didn't
proxy around first and it's a static IP. Most of the time though you
will find a proxy, a dead end 99.99%, or a dynamic DHCP type IP, also a
99.99% dead end. Even if you do find them, there is a 99.99% chance of
nothing coming of it. Other than that, look into SATAN or SAINT to
help check your own network, and lots of other tools to try and hack
yourself. That's the best way to find and plug your holes.
SAge
Echo CCT
www.echocct.org
"Frank" <frank@nospamplease.com> wrote in message news:<VUZWa.36782$Vt6.14734@rwcrnsc52.ops.asp.att.net>...
> I have a Windows 2000 server that is current w/ the latest patches from MS.
> It is running an IIS server that is configured w/ Microsoft's URLScan tool.
> It is also running Terminal Services w/ 128 bit encryption turned on. I
> have a firewall configured to allow only inbound/outbound HTTP traffic on
> port 80 and Terminal Services. I'm also running Snort as an IDS, a virus
> scanner that updates/scans nightly. I have Windows security auditing turned
> on. I've also hardened the system by turning off all unnecessary services
> and making all the appropriate registry changes to restrict access (e.g.
> disabling anonymous access).
>
> Sounds somewhat secure, right?
>
> Last night I was hacked. I'm still trying to sort out what happened. I saw
> a series of attempts to attack IIS that the IIS log claimed were coming from
> itself. Unfortunately, my firewall was not logging HTTP traffic - although
> I think I have the source ip via Snort. All these attacks failed. Next, I
> saw a series of logon failures using Terminal Services. Again, all of these
> failed. Then, a few minutes later, I mysteriously see a process called
> A~NSISu_.exe. This seems to come out of nowhere. Prior to this I did not
> see any cmd sessions or anything else that suggests the attacker
> successfully breached my server.
>
> Below is the web log followed by the event in the event viewer that showed
> the first visible process of the attack. Following this, I saw a series of
> processes start (cmd.exe, nbtstat, route).
>
> I can take care of reinstalling and hardening my system. I have one primary
> concern at this stage: understanding how they cracked my server. If you
> have advice or suggestions, it would be appreciated.
>
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/*.idc 404 4184 21 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /iisadmin/ - 404 4184 25 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan>
> ~/default.asp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
> %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
> 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
> 0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
> %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
> 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
> 0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
> %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
> 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
> 0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
> %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
> 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
> 0.htr 404 4184 931 16 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /msadc/msadcs.dll - 404 4184 32 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/iisadmin/bdir.htr 404 4184 41 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/iissamples/issamples/query.idq 404 4184 46 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/iissamples/issamples/fastq.idq 404 4184 46 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/iissamples/exair/search/search.idq 404 4184 50
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/iissamples/exair/search/query.idq 404 4184 49 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/prxdocs/misc/prxrch.idq 404 4184 39 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/iissamples/issamples/oop/qfullhit.htw 404 4184 143
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/iissamples/issamples/oop/qsumrhit.htw 404 4184 143
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/qfullhit.htw 404 4184 51
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/qsumrhit.htw 404 4184 51
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/abczxv.htw 404 4184 26 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/author.idq 404 4184 49 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/filesize.idq 404 4184 51
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/filetime.idq 404 4184 51
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/query.idq 404 4184 48 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/queryhit.idq 404 4184 51
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/simple.idq 404 4184 49 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/webhits.exe 404 4184 50
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cfcache.map - 404 4184 27 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /_vti_pvt/administrators.pwd - 403 4358 43 344 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /_vti_pvt/authors.pwd - 403 4358 36 16 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /_vti_pvt/users.pwd - 403 4358 34 16 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /_vti_pvt/service.pwd - 403 4358 36 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 POST
> /_vti_bin/shtml.dll/_vti_rpc - 405 4230 368 15 10.2.2.50 MSFrontPage/4.0
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/ - 404 4184 24 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /scripts/ - 401 4572 48 47 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/sh - 404 4184 26 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/csh - 404 4184 27 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/ksh - 404 4184 27 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/cmd.exe 404 4184 34 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/cmd.exe 404 4184 34 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/cmd32.exe 404 4184 33 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/cmd32.exe 404 4184 33 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/perl.exe 404 4184 35 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/perl.exe 404 4184 35 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/tools/newdsn.exe 404 4184 40 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/_vti_bin/fpcount.exe 404 4184 71 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/rightfax/fuwww.dll/ 404 4184 36 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /iissamples/issamples/query.asp - 403 4270 46 78 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /samples/search/queryhit.htm - 404 4184 43 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /scripts/*+.pl - 401 4572 62 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /iissamples/exair/search/advsearch.asp - 403 4270 53 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/iisadmpwd/aexp3.htr 404 4184 35 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /scripts/repost.asp - 403 4270 34 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/ 404 4184 20 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/users/ 404 4184 26 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/ 404 4184 28 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/ 404 4184 28 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /iissamples/exair/howitworks/codebrws.asp - 403 4270 56 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /msadc/samples/selector/showcode.asp - 403 4270 51 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /index.htm PageServices 200 0 29 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /search - 404 4184 23 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /index.html+ - 404 4184 29 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/rguest.exe 404 4184 34 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/rguest.exe 404 4184 34 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/wguest.exe 404 4184 34 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/wguest.exe 404 4184 34 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/get32.exe 404 4184 33 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/alibaba.pl - 404 4184 34 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/tst.bat 404 4184 31 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-win/uploader.exe 404 4184 36 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/FormHandler.cgi - 404 4184 39 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/testcgi - 404 4184 31 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/test-cgi/* * 404 4184 36 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/test.cgi - 404 4184 32 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/enivron.pl - 404 4184 34 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /scripts/environ.pl - 401 4572 68 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /server-info - 404 4184 27 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /server-status - 404 4184 29 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/tcsh - 404 4184 28 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/cgitest.exe 404 4184 35 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /~root - 404 4184 21 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /~ftp -
> 404 4184 20 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/phf Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone= 404 4184
> 80 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/count.cgi - 404 4184 33 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/nph-test-cgi - 404 4184 36 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/webdist.cgi - 404 4184 35 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/aglimpse.cgi - 404 4184 36 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/campas %0acat%0a/etc/passwd%0a 404 4184 54 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/jj - 404 4184 26 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/formmail - 404 4184 32 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/formmail.pl - 404 4184 35 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/faxsurvey /bin/cat%20/etc/passwd 404 4184 56 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/view-source ../../../../../../../etc/passwd 404 4184 67 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/srchadm/webhits.exe 404 4184 43 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/tools/mkilog.exe 404 4184 40 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/tools/mkplog.exe 404 4184 40 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/query mss=../../../../../../../etc/passwd 404 4184 65 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/htimage.exe 404 4184 39 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/htimage.exe 404 4184 39 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/author.idq 404 4184 49 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/filesize.idq 404 4184 51
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/filetime.idq 404 4184 51
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/query.idq 404 4184 48 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/queryhit.idq 404 4184 51
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/simple.idq 404 4184 49 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/qfullhit.htw 404 4184 51
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/qsumrhit.htw 404 4184 51
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/scripts/samples/search/webhits.exe 404 4184 50
> 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /robots.txt - 404 4184 26 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/echo.bat 404 4184 41 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/hello.bat 404 4184 42 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/htsearch exclude=%60/etc/passwd%60 404 4184 58 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/ezshopper/loadpage.cgi user_id=1&file=|cat%20/etc/passwd| 404 4184
> 81 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/ezshopper/search.cgi
> user_id=id&database=dbase1.exm&template=../../../../../../../etc/passwd&dist
> inct=1 404 4184 127 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/names.nsf/ 404 4184 31 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/catalog.nsf/ 404 4184 33 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/log.nsf/ 404 4184 29 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/domlog.nsf/ 404 4184 32 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/domcfg.nsf/ 404 4184 32 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/sojourn.cgi cat=../../../../../../../etc/passwd 404 4184 71 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/ows-bin/perlidlc.bat 404 4184 41 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-bin/windmail.exe 404 4184 36 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /_vti_bin/shtml.dll - 403 4358 34 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /.htaccess - 404 4184 25 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /_vti_pvt/doctodep.btr - 403 4358 37 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /carbo.dll icatcommand=..\..\..\..\boot.ini&catalogname=catalog 404 4184 78
> 16 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cfdocs/expeval/ExprCalc.cfm OpenFilePath=c:\boot.ini 404 4184 68 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cfdocs/expeval/openfile.cfm - 404 4184 43 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/pfdispaly.cgi '%0A/bin/uname%20-a|' 404 4184 59 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/MachineInfo - 404 4184 35 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /mylog.phtml screen=/etc/passwd 404 4184 46 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /mlog.phtml screen=/etc/passwd 404 4184 45 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /cgi-bin/wrap - 404 4184 28 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/ows-bin/oasnetconf.exe 404 4184 72 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/ows-bin/oaskill.exe 404 4184 45 0 - -
> 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
> /<Rejected-By-UrlScan> ~/cgi-shl/win-c-sample.exe 404 4184 40 0 - -
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Detailed Tracking
> Event ID: 592
> Date: 8/2/2003
> Time: 2:50:28 AM
> User: MYSERVER\MyAdmin
> Computer: MYSERVER
> Description:
> A new process has been created:
> New Process ID: 1764
> Image File Name: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\A~NSISu_.exe
> Creator Process ID: 1916
> User Name: MyAdmin
> Domain: MYSERVER
> Logon ID: (0x0,0xDE65)
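The two kinds of record Frank pasted, W3C extended IIS log lines and a Security event 592, are the raw material a defender would triage first. The script below is an added example, not code from this thread or from any tool mentioned in it: it parses lines in the 17-column layout seen in the post (the last two columns are read as cs-host and cs(User-Agent), an assumption based on the one POST line carrying "10.2.2.50 MSFrontPage/4.0"), recovers the original path from UrlScan's "/<Rejected-By-UrlScan>" entries, flags requests whose client address equals the server address (the "coming from itself" observation), counts traversal and sensitive-file probes, marks a client that issues a burst of distinct URIs answered almost entirely with 4xx as scan-like, and parses the pasted event 592 to flag an image started out of a Temp directory. The sample records are constructed to match the formats in the post; the `#Fields:` header and the burst threshold are assumptions.

```python
"""Triage of IIS W3C log lines and a Windows Security event 592 (process
creation). Added example; sample records are constructed in the style
of the post, and the column layout below is an assumption."""
import re
from collections import Counter, defaultdict

# Assumed layout for the 17-field lines in the post; the two trailing
# columns are taken as cs-host and cs(User-Agent).
IIS_FIELDS = (
    "date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes "
    "time-taken cs-host cs-user-agent"
).split()
URLSCAN_STEM = "/<Rejected-By-UrlScan>"
# Traversal sequences and the two files probed in the pasted log.
SENSITIVE = re.compile(r"(\.\.[\\/]|/etc/passwd|boot\.ini)", re.I)


def parse_iis_line(line):
    """Split one W3C line into a dict; None for comment or malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(IIS_FIELDS):
        return None
    rec = dict(zip(IIS_FIELDS, parts))
    # UrlScan logs a rejected request with a fixed stem and moves the
    # original path, prefixed with "~", into the query column.
    rec["urlscan_rejected"] = rec["cs-uri-stem"] == URLSCAN_STEM
    if rec["urlscan_rejected"]:
        rec["requested"] = rec["cs-uri-query"].lstrip("~")
    else:
        q = rec["cs-uri-query"]
        rec["requested"] = rec["cs-uri-stem"] + ("?" + q if q != "-" else "")
    # Client address equal to the server's own address: either a local
    # process or address rewriting in front of the server; worth flagging.
    rec["self_sourced"] = rec["c-ip"] == rec["s-ip"]
    rec["sensitive_probe"] = bool(SENSITIVE.search(rec["requested"]))
    return rec


def summarize_iis(lines, burst_threshold=10):
    """Per-client summary. Many distinct URIs in one second, nearly all
    answered 4xx, is treated as an automated vulnerability scan."""
    per_client = defaultdict(lambda: {"hits": 0, "errors": 0, "uris": set(),
                                      "per_second": Counter(), "rejected": 0,
                                      "probes": 0, "self_sourced": False})
    for r in filter(None, map(parse_iis_line, lines)):
        c = per_client[r["c-ip"]]
        c["hits"] += 1
        c["errors"] += r["sc-status"].startswith("4")
        c["uris"].add(r["requested"])
        c["per_second"][(r["date"], r["time"])] += 1
        c["rejected"] += r["urlscan_rejected"]
        c["probes"] += r["sensitive_probe"]
        c["self_sourced"] |= r["self_sourced"]
    report = {}
    for ip, c in per_client.items():
        ratio = c["errors"] / c["hits"]
        report[ip] = {
            "hits": c["hits"], "distinct_uris": len(c["uris"]),
            "error_ratio": round(ratio, 2), "urlscan_rejected": c["rejected"],
            "sensitive_probes": c["probes"], "self_sourced": c["self_sourced"],
            "scan_like": max(c["per_second"].values()) >= burst_threshold
                         and ratio >= 0.8,
        }
    return report


def parse_event_592(text):
    """Parse 'Key: value' lines of an event 592 as pasted from Event Viewer
    and flag an image started from a user's Temp directory."""
    ev = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and val.strip():
            ev[key.strip()] = val.strip()
    image = ev.get("Image File Name", "")
    ev["temp_dir_image"] = "\\temp\\" in image.lower()
    ev["short_name_path"] = "~" in image  # 8.3 names hide real folder names
    return ev


# Constructed sample in the layout of the post, plus one ordinary request
# from a different client for contrast.
SAMPLE_IIS = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-host cs(User-Agent)
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/cmd.exe 404 4184 34 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /msadc/msadcs.dll - 404 4184 32 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/view-source ../../../../../../../etc/passwd 404 4184 67 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /_vti_pvt/service.pwd - 403 4358 36 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 POST /_vti_bin/shtml.dll/_vti_rpc - 405 4230 368 15 10.2.2.50 MSFrontPage/4.0
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /index.htm PageServices 200 0 29 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cfdocs/expeval/ExprCalc.cfm OpenFilePath=c:\\boot.ini 404 4184 68 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /carbo.dll icatcommand=..\\..\\..\\..\\boot.ini&catalogname=catalog 404 4184 78 16 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/iisadmpwd/aexp3.htr 404 4184 35 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /robots.txt - 404 4184 26 0 - -
2003-08-02 06:12:03 10.2.2.50 - W3SVC1 MYSERVER 192.168.0.1 80 GET /index.htm - 200 0 29 0 - Mozilla/4.0
"""

# The event exactly as pasted in the post.
SAMPLE_EVENT = """\
Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: 8/2/2003
Time: 2:50:28 AM
User: MYSERVER\\MyAdmin
Computer: MYSERVER
Description:
A new process has been created:
New Process ID: 1764
Image File Name: \\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\A~NSISu_.exe
Creator Process ID: 1916
User Name: MyAdmin
Domain: MYSERVER
Logon ID: (0x0,0xDE65)
"""

if __name__ == "__main__":
    for ip, summary in summarize_iis(SAMPLE_IIS.splitlines()).items():
        print(ip, summary)
    print(parse_event_592(SAMPLE_EVENT))
```

Running it on the sample marks 192.168.0.1 as scan-like and self-sourced with two UrlScan rejections and three sensitive-file probes, leaves 10.2.2.50 unflagged, and marks the event's image as started from a Temp directory under an 8.3 short-name path. The useful next step on a real box is to join the event's Creator Process ID (1916) against earlier 592 events to learn which process spawned the binary.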