Re: security advice (possible hacker activity?)
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/16/02
- Next message: josh: "problems with dns after installing ip filtering"
- Previous message: Dave Patrick: "Re: Server suddenly rebooting for no reason."
- In reply to: Agustin Chernitsky: "security advice (possible hacker activity?)"
- Next in thread: Agustin: "Re: security advice (possible hacker activity?)"
- Reply: Agustin: "Re: security advice (possible hacker activity?)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Mon, 16 Dec 2002 10:32:35 -0500
Sounds suspicious to me. Launching CMD.EXE from IIS is a common hacker and
worm method for attempting intrusion [though it could be possible that you
are being scanned by a worm that is not related to the lockups]. The fact
that CMD.EXE is trying to run tells me your machine has not been adequately
hardened, e.g. it is probably missing some patches, the hardening checklists
for Windows and IIS have probably not been applied, and it is definitely not
running URLScan, which comes free with IISlockdown. All this can be gotten
from www.microsoft.com/technet/security
You might also be able to get some use out of an intrusion detection
solution like Snort [free], BlackIce, etc. and also the free system file
change checker from www.gfi.com
Firewalls generally do not block these sorts of attacks. I also wouldn't be
too quick to assume that the firewall is configured as securely as it can
be... e.g. are outbound ports being blocked, or is absolutely everything
being allowed outbound?
It also sounds like there possibly could be something wrong with your
computer being able to run out of process code as the IWAM user. This could
be as a result of a hacker trying to run something funny, or it could be a
successful worm infection like Nimda or Code Red which have been known to
sap resources and reboot computers, or it could be a general software
problem, or it could be insufficient permissions. Enabling auditing can
help you see if there are insufficient permissions [although the IWAM and
IUSR users should definitely be blocked from accessing certain files, such
as definitely CMD.EXE].
Here are some things you can do to try to see if your computer has been
successfully hacked and further secure your computer. The IIS logs are the
first place to check to see what a hacker or worm is trying to do to your
computer, whether it might have been successful, and exactly when the
attempt occurred [e.g. whether the attempt coincided with the reboot, etc].
http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs
http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden
http://securityadmin.info/faq.htm#firewall
"Agustin Chernitsky" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
news:O5dsXoPpCHA.1776@TK2MSFTNGP09...
> Hi guys,
>
> This is the second time I get this problem. The server suddenly freezes up.
> Once I reboot it and check the log, I get these entries:
[snip]
> Description:
> The server stop serving requests for application '/LM/W3SVC/70/Root' because
> the number of Out of Process component crashes exceed a limit.
> For additional information specific to this message please visit the
> Microsoft Online Support site located at:
> http://www.microsoft.com/contentredirect.asp.
> >>
>
> The strange thing is that I have a System startup log at 07.10, right after
> all this chain of errors. It looks like the server rebooted itself.
>
> The server is behind a firewall, so I don't think that's the problem.
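Karl's advice above is to start with the IIS logs: look for requests that try to reach CMD.EXE and check whether they line up in time with the reboot. The following is an added example (not part of the thread and not Karl's or Microsoft's code) that does exactly that over a few constructed W3C extended log lines; the client addresses, timestamps and the 15-minute correlation window are all made up.

```python
# Added example (not from the thread): scan IIS W3C extended log lines for
# requests aimed at CMD.EXE and report which of them fell shortly before a
# system startup. The log text below is constructed sample data.
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-12-16 07:01:12 192.0.2.10 GET /default.asp - 200
2002-12-16 07:07:41 198.51.100.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe - 404
2002-12-16 07:08:03 198.51.100.7 GET /msadc/..%5c../..%5c../winnt/system32/CMD.EXE - 500
2002-12-16 07:30:00 192.0.2.10 GET /index.htm - 200
"""

CMD_RE = re.compile(r"cmd\.exe", re.IGNORECASE)

def normalize(uri):
    """Percent-decode repeatedly (worms double-encoded paths) and unify slashes."""
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/").lower()

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_cmd_requests(text):
    """Return (timestamp, client ip, status, normalized uri) for each cmd.exe request."""
    hits = []
    for rec in parse_w3c(text):
        uri = normalize(rec["cs-uri-stem"] + " " + rec.get("cs-uri-query", "-"))
        if CMD_RE.search(uri):
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            hits.append((ts, rec["c-ip"], int(rec["sc-status"]), uri))
    return hits

def hits_before_reboot(hits, reboot, window=timedelta(minutes=15)):
    """Keep only hits that landed within `window` before the startup event (W3C times are UTC)."""
    return [h for h in hits if reboot - window <= h[0] <= reboot]

if __name__ == "__main__":
    reboot = datetime(2002, 12, 16, 7, 10)  # startup event time used in the thread
    for ts, ip, status, uri in hits_before_reboot(find_cmd_requests(SAMPLE_LOG), reboot):
        print(f"{ts} {ip} sc-status={status} {uri}")
```

A 404 or 500 on such a request says the file was not reachable at that path; a 200 on a cmd.exe request is the line that warrants treating the box as compromised.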