Re: security advice (possible hacker activity?)

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/16/02


"Agustin" <agustinchernitsky-SPAM@hotmail.com> wrote in message
news:#ZrxWuSpCHA.1624@TK2MSFTNGP12...

> Incoming are blocked (only 80, 25, 21, 20, 110 are allowed). The outgoing
> are not restricted. Should I restrict outgoing too?

Well, it's entirely up to you, but usually blocking all ports both outbound
and inbound gives more security. Outbound connections can be used to
remotely control a computer, email out your passwords, etc. for example if a
trojan or worm is installed onto the web server. For example, a worm emails
itself through the firewall to an email user on a PC, where the worm then
runs and infects the web server if there is no firewall between the PC and
the IIS web server. Or, a common trick is for a hacker or worm to go
through a firewall by sending a crafted URL to TCP 80 to take advantage of
an unpatched IIS exploit to launch TFTP or FTP to upload additional attack
tools to the web server "outbound" through the firewall.

One way to try starting this is to watch your firewall logs for a week to
see what ports are being used outbound and in which direction, close all
other ports, and then research the remaining open ports one by one to
confirm whether these are services you really want to permit.

> Well, IWAM runs any site with Access or SQL. What we are experiencing is
> low free memory. We are planning an upgrade to 1 GB... Could low memory
> cause such reboots?

My reason for saying this was that normally IWAM / out of process
applications should not crash the application server, and so when
investigating the problem, do look at the source of those "IWAM access
denied" error messages, but don't make the mistake of just changing the
permissions on the IWAM account to enable what had previously been denied,
since some of those things might be things that you want to stay blocked.

> The problem is that I have more than 100+ sites... how can I check which
> log had the CODE RED, or something like that? Just a plain txt search?

That is a tough one. I think the default of IIS is to generate a new IIS
log every day. For me, it is easier to search and read the log if it only
rolls over once a month, although for very busy web sites this might not be
practical. You can change this in IIS.

It's up to you as to how you read the logs. Not necessarily the best way,
but you could use the command

    REM ALLLOGS.TXT is a placeholder name for the combined output file
    TYPE LOGNAME.TXT >> C:\ALLLOGS.TXT

... in a batch file or other script in order to combine multiple log files
into one long searchable log file. Then, you could import the file into
Excel or Access to be able to manipulate the data such as sort data by
column.

I would probably start by searching for any lines that have CMD or CMD.EXE
in them and then read all the lines above and below that line that are from
the same IP address or otherwise appear to be related. You could also
search for any line containing % in it. You could also look for any lines
that contain a 200 or 502 error code and that also contain .EXE or % in that
line. Note that this would probably not show you unsuccessful attacks, so
while you wouldn't normally expect an unsuccessful attack to lock up your
server, your data so far suggests that this could be what is happening, so
you could be missing something important.

I would expect URLScan that comes with IISLockdown from
www.microsoft.com/technet/security to block all this stuff so that CMD.EXE
wouldn't even have a chance to create an access denied in the Windows event
logs. If you don't have this installed, I would. It's up to you whether
you want to wait and install it after you've finished researching this
problem, or just install it and take your chance that it might block this
attack without you completely figuring out what other vulnerability might be
causing it.
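The log sweep described in the reply (combine the daily logs, search for CMD/CMD.EXE, for % and for 200/502 responses paired with .EXE or %, then read the neighbouring lines from the same client address) can be scripted rather than done by hand in Excel. The following is an added example, not code from the original post or from Microsoft. It parses the IIS W3C extended format using the #Fields: directive that IIS writes at the top of each log, so it does not depend on a fixed column order. The two log files and every address and request in them are constructed for the example; the field list is a trimmed subset of the default IIS field set.

```python
"""Sweep combined IIS W3C logs for the indicators named in the reply.

Added example. Sample logs are constructed; the #Fields: header is a
trimmed subset of what IIS 5 writes by default.
"""
import re
from collections import defaultdict

# Constructed sample: two daily logs, as they would be after combining
# them with TYPE file >> combined. Client addresses are documentation
# ranges (RFC 5737), not real hosts.
SAMPLE_LOGS = {
    "ex021215.log": """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-15 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-12-15 10:01:02 192.0.2.10 GET /default.asp - 200
2002-12-15 10:01:05 192.0.2.10 GET /images/logo.gif - 200
2002-12-15 10:07:44 198.51.100.7 GET /scripts/..%255c../cmd.exe /c+dir 404
2002-12-15 10:07:45 198.51.100.7 GET /scripts/..%255c../cmd.exe /c+dir 200
""",
    "ex021216.log": """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-12-16 09:12:00 203.0.113.5 GET /shop/list.asp cat=5 200
2002-12-16 09:12:30 203.0.113.5 GET /shop/search.asp q=50%25+off 200
2002-12-16 09:13:01 198.51.100.7 GET /uploads/tool.exe - 502
""",
}


def parse_w3c(text):
    """Yield (record_dict, raw_line) for each data line.

    The column layout is taken from the most recent #Fields: directive,
    so a combined file with several headers still parses correctly.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields: header: layout unknown
        yield dict(zip(fields, line.split())), line


def combine_logs(logs):
    """Concatenate the daily logs in file-name order, tagging each record
    with the file it came from (the script equivalent of TYPE >>)."""
    records = []
    for name in sorted(logs):
        for rec, raw in parse_w3c(logs[name]):
            rec["_file"] = name
            rec["_raw"] = raw
            records.append(rec)
    return records


def flag_record(rec):
    """Return the names of the reply's three heuristics that match.

    'percent' fires on any URL-encoding, including legitimate traffic
    (see the 50%25+off search below), so treat it as a lead, not proof.
    """
    line = rec["_raw"].upper()
    hits = []
    if "CMD.EXE" in line or re.search(r"\bCMD\b", line):
        hits.append("cmd")
    if "%" in line:
        hits.append("percent")
    if rec.get("sc-status") in ("200", "502") and (".EXE" in line or "%" in line):
        hits.append("success-with-exe-or-percent")
    return hits


def sweep(logs):
    """Return (flagged, context): flagged is a list of (record, hits);
    context maps each flagged client IP to all of its records, across
    every file, so the lines around a hit can be read together."""
    records = combine_logs(logs)
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec.get("c-ip")].append(rec)
    flagged = []
    for rec in records:
        hits = flag_record(rec)
        if hits:
            flagged.append((rec, hits))
    context = {rec["c-ip"]: by_ip[rec["c-ip"]] for rec, _ in flagged}
    return flagged, context


if __name__ == "__main__":
    flagged, context = sweep(SAMPLE_LOGS)
    for rec, hits in flagged:
        print(f"{rec['_file']}: {rec['_raw']}  <- {', '.join(hits)}")
    for ip, recs in context.items():
        print(f"\nall activity from {ip}:")
        for rec in recs:
            print("  ", rec["_raw"])
```

Running it flags the two cmd.exe requests, the 502 on tool.exe, and the search for "50% off" (a false positive from the bare % rule), then lists every request from 198.51.100.7 across both days so the 404 probe, the following 200, and the next day's tool.exe fetch can be read as one sequence. Pointing the script at real files means replacing SAMPLE_LOGS with the contents of the daily logs; the parser needs no other change.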