Re: Am I hacked? IIS dying, 'telnet localhost 443' gives: Hallo, Willkommen auf Compactzone Stro!
From: Andrew Davis [MS] (adavis_at_online.microsoft.com)
Date: 07/09/04
Date: Fri, 09 Jul 2004 15:02:42 GMT
This is probably a flavor of Hacker Defender. The bottom line is a
miscreant has remote access to the box with admin rights. You should format
and reinstall the server.
The attack vector could have been an exposed vulnerability, or a compromised
admin account. It is likely that an MS04-011 vulnerability was exploited so
you may want to confirm what day 835732 was applied.
This posting is provided "AS IS" with no warranties, and confers no rights.
Thanks!
~Andrew Davis
Microsoft PSS Security
--------------------
>Date: Thu, 08 Jul 2004 11:57:28 -0500
>From: Steve <123@abc.com>
>
>Hi Hal.
>
>I am having the same problem you are. I have a server running IIS and I
>can't browse to port 443 using SSL anymore. It just started yesterday.
> I've been trying everything I can think of to get it going with no
>success. When I try to telnet the server using port 443 I get the same
>message you were getting that says 'Hallo, Willkommen auf Compactzone
>Stro!'. Have you found a way to resolve this issue yet? I can't seem
>to find an answer anywhere. Any help you can give would be GREATLY
>appreciated. If you don't have a solution yet and I can somehow figure
>out how to resolve this thing I will be sure to let you know.
>
>Thanks,
>Steve
>
>hal@nospam.com wrote:
>> I posted yesterday about my IIS dying. Original post is below.
>> General consensus and most docs on the 115 error say something is
>> listening on my http/https ports, however, netstat does not show
>> anything. I am checking into third party utilities to get more info,
>> but I found something very disturbing: My favorite trick for seeing
>> if SMTP servers are running is 'telnet <host> 25' to see if server
>> responds. I did this for port 80 and 443, and even when web service
>> is stopped, I get a response on 443 that says:
>>
>> Hallo, Willkommen auf Compactzone Stro!
>> Ich hoffe, Sie haben viel Spaß!
>> Loader
>>
>> Danke für ihren Besuch!
>> Bist zum nächsten Mal!
>> Loader
>>
>> This cannot be good. How can I find what this is and get rid of it?
>>
>> Any help _greatly_ appreciated
>>
>> Hal
>>
>>
>> ----------------------------------------------------------------------
>> Something happened to my Exchange server over the weekend that caused
>> a crash (nothing logged) and upon startup my IIS is failing with Event
>> ID 115 (Service could not bind instance 1). This error is logged for
>> both MSFTPSVC and W3SVC. All services seem to be running but OWA
>> access to either port 80 or 443 gets a page cannot be displayed error.
>> The access attempt is responded to with an account login and the logs
>> show the access attempt. I am running a certificate, and a port
>> redirection from port 80. Most docs I have found on this refer to
>> running multiple instances which I do not have. My securebindings in
>> metabase is correct. I have no other instances of either FTP or
>> W3SVC. This behaves exactly the same either on reboot or IIS Admin
>> restart. I have tried disabling SSL by removing port listener in
>> default web site properties and service behaves exactly the same so it
>> doesn't seem to be an SSL related problem.
>>
>> Any suggestions greatly appreciated.
>>
>> thanks
>>
>> Hal
>
>
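
The symptom described in this thread (a port that answers a plain `telnet` while `netstat` lists nothing on it) can be checked as a cross-view comparison. The Python below is an added example, not part of the original posts: it assumes Windows-style `netstat -an` output, the sample listing is constructed, and the function names are hypothetical.

```python
import re
import socket

# Constructed `netstat -an` output in Windows format (not taken from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          10.0.0.9:445           ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def netstat_listeners(text):
    """Return the TCP ports that netstat reports in the LISTENING state."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def probe(host, port, timeout=2.0):
    """Connect and send nothing. Returns None if the connection is refused or
    reset, else whatever the peer volunteered (b"" if it stayed silent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None

def cross_view(reported, probed):
    """probed maps port -> result of probe(). Flags ports that answer but are
    missing from netstat, and any server-first banner on 80/443, where a real
    HTTP or TLS server waits for the client to speak first."""
    findings = []
    for port, banner in sorted(probed.items()):
        if banner is None:
            continue
        if port not in reported:
            findings.append((port, "answers but is not listed by netstat"))
        if port in (80, 443) and banner:
            findings.append((port, "unsolicited banner %r" % banner[:40]))
    return findings
```

Collect the `probe()` results from a second, trusted machine and compare them with the `netstat` listing taken on the server, since tools run on a host with a rootkit may themselves be filtered.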