Re: security advice (possible hacker activity?)
From: Agustin Chernitsky (agustinchernitskyNOSPAM@hotmail.com)
Date: 12/17/02
- Next message: fjahan@yahoo.com: "Microsoft Security Bulletin MS02-065"
- Previous message: John Delaney: "Password not working"
- In reply to: Karl Levinson [x y] mvp: "Re: security advice (possible hacker activity?)"
- Next in thread: Karl Levinson [x y] mvp: "Re: security advice (possible hacker activity?)"
- Reply: Karl Levinson [x y] mvp: "Re: security advice (possible hacker activity?)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Agustin Chernitsky" <agustinchernitskyNOSPAM@hotmail.com> Date: Mon, 16 Dec 2002 22:08:12 -0300
Hi Karl,
"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:eOzlbpTpCHA.2308@TK2MSFTNGP10...
>
> "Agustin" <agustinchernitsky-SPAM@hotmail.com> wrote in message
> news:#ZrxWuSpCHA.1624@TK2MSFTNGP12...
>
> > Incoming are blocked (only 80, 25, 21, 20, 110 are allowed). The outgoing
> > are not restricted. Should I restrict outgoing too?
>
> Well, it's entirely up to you, but usually blocking all ports both outbound
> and inbound gives more security. Outbound connections can be used to
> remotely control a computer, email out your passwords, etc. for example if a
> trojan or worm is installed onto the web server. For example, a worm emails
> itself through the firewall to an email user on a PC, where the worm then
> runs and infects the web server if there is no firewall between the PC and
> the IIS web server. Or, a common trick is for a hacker or worm to go
> through a firewall by sending a crafted URL to TCP 80 to take advantage of
> an unpatched IIS exploit to launch TFTP or FTP to upload additional attack
> tools to the web server "outbound" through the firewall.
I will add permissions to TFTP and FTP and many others.... I will also add
outgoing rules. I ran an antivirus software and haven't found any virus/
trojans. Still, I checked for files for Code RED and nothing yet.
>
> One way to try starting this is to watch your firewall logs for a week to
> see what ports are being used outbound and in which direction, close all
> other ports, and then research the remaining open ports one by one to
> confirm whether these are services you really want to permit.
>
>
> > Well, IWAM runs any site with Access or SQL. What we are experiencing is low
> > free memory. We are planning an upgrade to 1 GB... Could low memory cause
> > such reboots?
>
> My reason for saying this was that normally IWAM / out of process
> applications should not crash the application server, and so when
> investigating the problem, do look at the source of those "IWAM access
> denied" error messages, but don't make the mistake of just changing the
> permissions on the IWAM account to enable what had previously been denied,
> since some of those things might be things that you want to stay blocked.
>
I haven't any access denied. The only thing IWAM was trying to use was the
DCOM server. Still, I think I will go for a memory problem... Since the
majority of the errors were hardware related (cannot read, write, etc).
>
> > The problem is that I have more than 100+ sites... how can I check which log
> > had the CODE RED, or something like that? Just a plain txt search?
>
> That is a tough one. I think the default of IIS is to generate a new IIS
> log every day. For me, it is easier to search and read the log if it only
> rolls over once a month, although for very busy web sites this might not be
> practical. You can change this in the IIS.
>
> It's up to you as to how you read the logs. Not necessarily the best way,
> but you could use the command
> TYPE LOGNAME.TXT >> C:\
> ... in a batch file or other script in order to combine multiple log files
> into one long searchable log file. Then, you could import the file into
> Excel or Access to be able to manipulate the data such as sort data by
> column.
>
> I would probably start by searching for any lines that have CMD or CMD.EXE
> in them and then read all the lines above and below that line that are from
> the same IP address or otherwise appear to be related. You could also
> search for any line containing % in it. You could also look for any lines
> that contain a 200 or 502 error code and that also contain .EXE or % in that
> line. Note that this would probably not show you unsuccessful attacks, so
> while you wouldn't normally expect an unsuccessful attack to lock up your
> server, your data so far suggests that this could be what is happening, so
> you could be missing something important.
>
> I would expect URLScan that comes with IISLockdown from
> www.microsoft.com/technet/security to block all this stuff so that CMD.EXE
> wouldn't even have a chance to create an access denied in the Windows event
> logs. If you don't have this installed, I would. It's up to you whether
> you want to wait and install it after you've finished researching this
> problem, or just install it and take your chance that it might block this
> attack without you completely figuring out what other vulnerability might be
> causing it.
Well, I did search the logs. Found some attempts, but all 404. My Antivirus
soft reports nothing. I removed the majority of the permissions from
cmd.exe. There are many files to go yet: command.com, tftp, ftp, telnet,
etc.
I also searched registry entries (run, runonce) but nothing.
Do you think URLScan is completely safe? Will it affect my IIS performance?
Thanks so much for your help and advice!
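The log-review procedure Karl describes above (combine the daily IIS logs, search for CMD/CMD.EXE, for `%`, and for 200/502 responses that also contain `.EXE` or `%`, then read the neighbouring lines from the same client IP) can be scripted instead of done by hand in Excel. The following is an added example written for this page, not code from the thread or from Microsoft. It parses W3C extended IIS log text using the `#Fields:` header, applies those three heuristics, and groups the flagged requests by client IP together with every other request that IP made, so the "context" lines are already collected. The sample log lines are constructed for the example; the field list and the addresses in them are assumptions, not data from the post.

```python
import re
from collections import defaultdict

# Constructed sample of IIS W3C extended log lines (not from the original post).
# IIS writes '+' for spaces inside URIs, so whitespace-splitting each line is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-12-16 10:01:02 192.0.2.10 GET /default.asp - 200
2002-12-16 10:01:05 192.0.2.10 GET /images/logo.gif - 200
2002-12-16 10:02:11 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-12-16 10:02:13 198.51.100.7 GET /default.ida XXXX...%u9090 404
2002-12-16 10:02:20 198.51.100.7 GET /scripts/root.exe /c+dir 200
2002-12-16 10:03:00 203.0.113.5 GET /catalog.asp id=5 200
2002-12-16 10:03:30 203.0.113.5 GET /msadc/root.exe /c+dir 502
"""

CMD_PATTERN = re.compile(r"\bcmd\b")  # matches "cmd" and "cmd.exe"


def parse_iis_log(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names.

    Multiple daily logs concatenated together parse fine, because each file's
    own #Fields header resets the column layout.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log data appears before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["raw"] = line
        records.append(rec)
    return records


def classify(rec):
    """Return the reasons a record matches the heuristics from the post (empty if none)."""
    reasons = []
    low = rec["raw"].lower()
    status = rec.get("sc-status", "")
    if CMD_PATTERN.search(low):
        reasons.append("cmd")
    if "%" in low:
        reasons.append("percent-encoding")
    # A 200 or 502 next to .exe or % suggests the request actually reached something.
    if status in ("200", "502") and (".exe" in low or "%" in low):
        reasons.append(f"status-{status}-with-exe-or-percent")
    return reasons


def scan_log(text):
    """Group flagged requests by client IP, with that IP's full request history as context."""
    records = parse_iis_log(text)
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["c-ip"]].append(rec)
    report = {}
    for rec in records:
        reasons = classify(rec)
        if not reasons:
            continue
        entry = report.setdefault(rec["c-ip"], {"flagged": [], "context": [], "successful": []})
        entry["flagged"].append((rec["raw"], reasons))
        if any(r.startswith("status-") for r in reasons):
            entry["successful"].append(rec["raw"])
    for ip, entry in report.items():
        entry["context"] = [r["raw"] for r in by_ip[ip]]
    return report


def scan_logs(texts):
    """Combine several daily log files (as strings) into one scan, like the TYPE >> trick."""
    return scan_log("\n".join(texts))


if __name__ == "__main__":
    for ip, entry in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {len(entry['flagged'])} flagged, {len(entry['successful'])} with 200/502")
        for raw, reasons in entry["flagged"]:
            print("   ", ", ".join(reasons), "|", raw)
```

The `%` heuristic is deliberately broad, as in the post: it catches the `%255c` and `%u` encodings used by Unicode-traversal and Code Red style requests, but it will also flag every legitimate URL-encoded query, so treat it as a starting point for reading context rather than as an alert on its own. Lines that returned 404 still appear in the report (they are the unsuccessful attempts Karl mentions); the `successful` list is the subset worth looking at first.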