IIS Hack Attempt ? 1

RJ45100BT (IS-IT--Management, US), Nov 19, 2002

I am noticing a lot of GET requests in my logs for /root.exe and calls made to system32\cmd.exe:

07:38:35 212.202.199.18 HEAD /PBServer/..S5c..S5c..S5cwinnt/system32/cmd.exe 404
07:38:35 212.202.199.18 HEAD /PBServer/..S5c..S5c..S5cwinnt/system32/cmd.exe 404
07:38:35 212.202.199.18 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 200
07:38:35 212.202.199.18 GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 200
07:38:47 212.202.199.18 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 200
07:38:49 212.202.199.18 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 502
07:38:52 212.202.199.18 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 200
07:38:56 212.202.199.18 GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 200
07:38:56 212.202.199.18 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 200
07:39:00 212.202.199.18 GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 200
07:39:04 212.202.199.18 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 502
07:39:04 212.202.199.18 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 200
07:39:04 212.202.199.18 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd2.exe 200
07:39:04 212.202.199.18 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd2.exe 502

What's up?

A 200 reply in your log indicates that your server is vulnerable to the Unicode directory traversal vulnerability for IIS. This is a serious vulnerability, and if you are just realizing you are vulnerable, your web server has most likely already been exploited.

The vulnerability works by utilizing execute permissions in a web site or virtual directory and 'browsing a directory structure' or 'executing any application that is not prohibited to authenticated users' on the web server.

The log indicates that the server would respond to a web browser with a listing of your C:\ directory, or the root of your C:\ drive, if permissions were set to default Windows 2000/NT permissions.

You need to use Windows Update and at minimum grab all critical patches for your server, but more than likely if you have had your system online for a long time, it has been 'rooted' and there is no telling what is on your server.

The log does not show that you were hacked; it proves that you have been vulnerable to being hacked for a long time. Look through your old logs for something like /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:\ or something else after the ? that is more dangerous; this will let you know what has been executed against your server.

root.exe is a file from NIMDA, see
Most likely if you have root.exe on your server, you had NIMDA at some point. A good check if you find root.exe is to check to see if your guest account on a server has been enabled and added to the administrators group. If this is the case there is no telling what type of nasty stuff people have done on your system.

Hope this helps! Keep your systems patched to current levels and lock down systems, Microsoft is doing a much better job of getting quality information out there for Server Administrators, use it!

See for a complete guide to locking down your Windows 2000 Server and additional information regarding your risk.

Galrahn
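As an added example (not code from the thread or from any of its posters), the following Python script does the log review Galrahn recommends: it reads lines in the "time client-ip method uri status" layout quoted above, %-decodes the URI (collapsing double-encoded forms such as %255c and recognising the overlong UTF-8 separators %c0%af and %c1%9c), flags requests that reach cmd.exe or root.exe through a traversal, separates requests the server answered with 200 from plain probes and UrlScan rejections, and pulls out the command after the `?`. The sample log lines, their addresses and the UrlScan-rewritten line are constructed for the example; the exact shape of the URL UrlScan writes to the log is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample in the "time client-ip method uri status" layout quoted in the
# thread. Addresses are documentation ranges; query strings are made up. The last
# line approximates how UrlScan rewrites a refused request (assumption).
SAMPLE_LOG = """\
07:38:35 192.0.2.10 HEAD /PBServer/..S5c..S5c..S5cwinnt/system32/cmd.exe 404
07:38:35 192.0.2.10 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 200
07:38:56 192.0.2.10 GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:\\ 200
07:39:10 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 200
07:40:01 192.0.2.11 GET /scripts/root.exe?/c+dir 404
07:40:30 192.0.2.11 GET /msadc/..%255c..%255cwinnt/system32/cmd.exe?/c+dir 404
07:40:45 192.0.2.11 GET /<Rejected-By-UrlScan>?~/scripts/..%5c..%5cwinnt/system32/cmd.exe 404
07:41:00 198.51.100.7 GET /index.html 200
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<ip>\S+)\s+(?P<method>\S+)\s+(?P<uri>\S+)\s+(?P<status>\d{3})\s*$"
)
# ".." followed by a separator: a plain slash/backslash after %-decoding, or the
# overlong UTF-8 encodings of "/" (%c0%af) and "\" (%c1%9c) used by this class of attack.
TRAVERSAL_RE = re.compile(rb"\.\.(?:/|\\|\xc0\xaf|\xc1\x9c)")
TARGET_RE = re.compile(rb"(?:cmd|root)\.exe", re.IGNORECASE)


def decode_uri(uri: str, rounds: int = 2) -> bytes:
    """%-decode up to `rounds` times so double-encoded forms (%255c) collapse to a backslash."""
    data = uri.encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def classify_line(line: str):
    """Return a finding dict for a traversal/cmd.exe request, or None for an ordinary line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    decoded_uri = decode_uri(m["uri"])
    if not (TRAVERSAL_RE.search(decoded_uri) or TARGET_RE.search(decoded_uri)):
        return None
    raw_path, _, raw_query = m["uri"].partition("?")
    status = int(m["status"])
    if "Rejected-By-UrlScan" in line:
        verdict, command = "blocked", ""      # UrlScan refused the request before IIS ran it
    else:
        # "+" is the URL-encoded space, so "?/c+dir+c:\" is the command "/c dir c:\"
        command = decode_uri(raw_query).replace(b"+", b" ").decode("latin-1")
        # A 200 means IIS honoured the request: treat the host as vulnerable/compromised.
        verdict = "served" if status == 200 else "probe"
    return {
        "time": m["time"], "ip": m["ip"], "method": m["method"],
        "path": decode_uri(raw_path).decode("latin-1"),
        "command": command, "status": status, "verdict": verdict,
    }


def scan_log(text: str) -> list:
    return [f for f in (classify_line(l) for l in text.splitlines()) if f]


def summarize(findings: list) -> dict:
    """Per-client verdict counts plus the commands the server actually honoured."""
    per_ip, executed = {}, []
    for f in findings:
        counts = per_ip.setdefault(f["ip"], {"served": 0, "probe": 0, "blocked": 0})
        counts[f["verdict"]] += 1
        if f["verdict"] == "served" and f["command"]:
            executed.append((f["ip"], f["command"]))
    return {
        "per_ip": per_ip,
        "executed": executed,
        "host_looks_vulnerable": any(f["verdict"] == "served" for f in findings),
    }


if __name__ == "__main__":
    report = summarize(scan_log(SAMPLE_LOG))
    print("host looks vulnerable:", report["host_looks_vulnerable"])
    for ip, counts in report["per_ip"].items():
        print(ip, counts)
    for ip, cmd in report["executed"]:
        print("executed from", ip, "->", cmd)
```

Run it against a real IIS log by replacing SAMPLE_LOG with the file contents; the only things worth acting on are the "served" entries and the commands they carry, since 404 and 502 lines show scanning, not success, and the `?/c+dir` style query is exactly what the post above says to look for in older logs.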
 
I also get a lot of the same in my logs. I have NT4 running IIS 4 and have all the current patches etc. loaded, so the log lines also say <Rejected-By-UrlScan> in them. What I do however find strange is that these are mainly coming from the same IP addresses, so I have denied them access to the website through the IP Address and Domain Name Restrictions settings in Directory Security. Despite this, the entries are still appearing with the same source IP addresses.

Is this because they are trying to access a different directory or is it sending a false IP Address through?

Thanks in advance.
 
Well, I have blocked them via ACLs in my PIX. I am still concerned that I appear vulnerable even after several levels of service packs and hot-fixes.


Thanks
 
Open Internet Service Manager and open your website.
Go to Advanced. In here you edit your host headers info.
Ensure that the host headers have been configured so that the IIS site cannot be accessed by its IP address, i.e. ensure it can be accessed only by its relevant domain/machine name. Code Red and other similar virii attack machines by IP address; having IIS only respond to its DNS name will stop your machine being probed by these trojans that scan by IP address only.

Regards
 