Re: security advice (possible hacker activity?)

From: Agustin (agustinchernitsky-SPAM@hotmail.com)
Date: 12/16/02


From: "Agustin" <agustinchernitsky-SPAM@hotmail.com>
Date: Mon, 16 Dec 2002 14:57:59 -0300


Hi Karl,

"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:urfbjiRpCHA.2432@TK2MSFTNGP12...
> Sounds suspicious to me. Launching CMD.EXE from IIS is a common hacker and
> worm method for attempting intrusion [though it could be possible that you
> are being scanned by a worm that is not related to the lockups]. The fact
> that CMD.EXE is trying to run tells me your machine has not been adequately
> hardened, e.g. is probably missing some patches, the hardening checklists
> for Windows and IIS have probably not been applied, and is definitely not
> running URLScan which comes free with IISlockdown. All this can be gotten
> from www.microsoft.com/technet/security
>

Absolutely. I have up to SP3 installed. I will add the new patches ASAP.

> You might also be able to get some use out of an intrusion detection
> solution like Snort [free], BlackIce, etc. and also the free system file
> change checker from www.gfi.com
>

> Firewalls generally do not block these sorts of attacks. I also wouldn't be
> too quick to assume that the firewall is configured as securely as it can
> be... e.g. are outbound ports being blocked, or is absolutely everything
> being allowed outbound?

Incoming ports are blocked (only 80, 25, 21, 20, 110 are allowed). Outgoing
ports are not restricted. Should I restrict outgoing too?

>
> It also sounds like there possibly could be something wrong with your
> computer being able to run out of process code as the IWAM user. This could
> be as a result of a hacker trying to run something funny, or it could be a
> successful worm infection like Nimda or Code Red which have been known to
> sap resources and reboot computers, or it could be a general software
> problem, or it could be insufficient permissions. Enabling auditing can
> help you see if there are insufficient permissions [although the IWAM and
> IUSR users should definitely be blocked from accessing certain files, such
> as definitely CMD.EXE]
>

Well, IWAM runs any site with Access or SQL. What we are experiencing is low
free memory. We are planning an upgrade to 1 GB... Could low memory cause
such reboots?

I have enabled cmd.exe auditing and many more...

The problem is that I have more than 100+ sites... how can I check which log
had the CODE RED, or something like that? Just a plain txt search?

> Here are some things you can do to try to see if your computer has been
> successfully hacked and further secure your computer. The IIS logs are the
> first place to check to see what a hacker or worm is trying to do to your
> computer, whether it might have been successful, and exactly when the
> attempt occurred [e.g. whether the attempt coincided with the reboot, etc].
>
> http://securityadmin.info/faq.htm#iislogs2
> http://securityadmin.info/faq.htm#iislogs
> http://securityadmin.info/faq.htm#hacked
> http://securityadmin.info/faq.htm#re-secure
> http://securityadmin.info/faq.htm#harden
> http://securityadmin.info/faq.htm#firewall
>
>

Thanks, I will look into that right now!

> "Agustin Chernitsky" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
> news:O5dsXoPpCHA.1776@TK2MSFTNGP09...
> > Hi guys,
> >
> > This is the second time I get this problem. The server suddenly freezes up.
> > Once I reboot it and check the log, I get these entries:
>
> [snip]
>
> > Description:
> > The server stop serving requests for application '/LM/W3SVC/70/Root' because
> > the number of Out of Process component crashes exceed a limit.
> > For additional information specific to this message please visit the
> > Microsoft Online Support site located at:
> > http://www.microsoft.com/contentredirect.asp.
> > >>
> >
> > The strange thing is that I have a System startup log at 07.10, right after
> > all this chain of errors. It looks like the server rebooted itself.
> >
> > The server is behind a firewall, so I don't think that's the problem.
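Karl's advice above is to start from the IIS logs, and Agustin's question is how to check which of 100+ sites' logs carry Code Red or similar entries. The script below is an added example written for this thread; it is not code from the thread, from Microsoft or from any product. It assumes the default IIS 5 layout (one W3SVCn folder per site under LogFiles, W3C extended format with a `#Fields:` header), and the probe patterns it matches are the example's own choice, covering the Code Red `default.ida` request, Nimda-style traversal and the `cmd.exe`/`root.exe` requests the thread mentions. The sample log embedded at the bottom is constructed.

```python
"""Scan IIS W3C extended logs for the Code Red / Nimda / cmd.exe probes named above.

Added example (not from the thread, Microsoft or any product). One W3SVCn folder
per site is scanned, each ex*.log is parsed via its #Fields header, and every
request matching a probe pattern is reported with its HTTP status, so failed
probes (404) can be told apart from requests IIS actually served (2xx).
"""
import os
import re
import sys

# Probe signatures, matched case-insensitively against "uri-stem?uri-query".
# This pattern set is the example's own choice, not an official list.
SIGNATURES = {
    "code-red": re.compile(r"/default\.ida", re.I),
    "cmd-exec": re.compile(r"/(cmd|root)\.exe", re.I),
    "nimda-traversal": re.compile(r"(\.\./|\.\.%5c|%c0%af|%c1%1c|\.\.\\)", re.I),
    "nimda-scripts": re.compile(r"/(scripts|msadc|_vti_bin|_mem_bin)/.*\.(exe|dll)", re.I),
}


def parse_w3c(lines):
    """Yield one dict per data line of a W3C extended log, keyed by the #Fields names."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue                  # data before any #Fields header cannot be interpreted
        values = line.split(" ")      # W3C values never contain spaces (URIs are encoded)
        if len(values) != len(fields):
            continue                  # truncated line, e.g. written as the server went down
        yield dict(zip(fields, values))


def scan_lines(lines, site="?"):
    """Scan one log's lines; return hits as dicts (site, time, client, uri, status, tags)."""
    hits = []
    for rec in parse_w3c(lines):
        target = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if query != "-":
            target += "?" + query
        tags = [name for name, rx in SIGNATURES.items() if rx.search(target)]
        if not tags:
            continue
        status = rec.get("sc-status", "-")
        hits.append({
            "site": site,
            "time": rec.get("date", "") + " " + rec.get("time", ""),  # IIS writes W3C times in GMT
            "client": rec.get("c-ip", "-"),
            "uri": rec.get("cs-uri-stem", ""),
            "status": status,
            "likely_success": status.startswith("2"),  # 2xx means IIS served the probe
            "tags": tags,
        })
    return hits


def scan_logfiles(root):
    """Walk an IIS LogFiles directory (W3SVC1, W3SVC70, ...) and scan every ex*.log in it."""
    hits = []
    for dirpath, _, files in os.walk(root):
        site = os.path.basename(dirpath)
        if not site.upper().startswith("W3SVC"):
            continue
        for name in sorted(files):
            if name.lower().startswith("ex") and name.lower().endswith(".log"):
                with open(os.path.join(dirpath, name), encoding="latin-1") as fh:
                    hits.extend(scan_lines(fh, site=site))
    return hits


def summarize(hits):
    """Count hits per site, so the noisiest of 100+ sites stand out."""
    counts = {}
    for hit in hits:
        counts[hit["site"]] = counts.get(hit["site"], 0) + 1
    return counts


# Constructed sample log in IIS 5 W3C format; addresses and URIs are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-15 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-12-15 10:00:01 192.0.2.10 GET /index.html - 200
2002-12-15 10:03:12 192.0.2.55 GET /default.ida XXXXXXXXXXXXXXXX 404
2002-12-15 10:04:40 192.0.2.55 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2002-12-15 10:05:02 192.0.2.99 GET /scripts/root.exe /c+dir 404
2002-12-15 10:09:58 192.0.2.10 GET /products/list.asp id=7 200
"""

if __name__ == "__main__":
    # Pass the LogFiles directory to scan a real server; with no argument, scan the sample.
    found = scan_logfiles(sys.argv[1]) if len(sys.argv) > 1 else scan_lines(SAMPLE_LOG.splitlines(), "W3SVC70")
    for h in found:
        print(h["site"], h["time"], h["client"], h["status"], "SERVED" if h["likely_success"] else "failed", h["uri"], h["tags"])
    print("per site:", summarize(found))
```

Two things to watch when reading the report: IIS records W3C log times in GMT, so the 07.10 System startup entry (local time, -0300 in Agustin's headers) would line up with 10.10 in the log rather than 07.10; and a 2xx status on a `cmd.exe` or `root.exe` request means IIS actually served it, which is the case to treat as a possible compromise rather than a failed probe.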