
IIS log

Status
Not open for further replies.

MKuiper

Programmer
Jan 29, 2002
364
NL
hi folks,

I'm running an IIS server for about one year. It has no content at all apart from the default "Under construction" page and an application which can be accessed only by a special client program.

Starting on Feb 13th 2004 I have about 10 to 20 of these entries in the server log every day:

20:50:35 xxx.xxx.xxx.xxx GET /iisstart.asp - 200 1558 191 10 yyy.yyy.yyy.yyy Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
22:54:52 xxx.xxx.xxx.xxx GET /iisstart.asp - 200 1558 191 10 yyy.yyy.yyy.yyy Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
23:50:14 xxx.xxx.xxx.xxx GET /iisstart.asp - 200 1606 316 10 yyy.yyy.yyy.yyy Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)

(xxx.xxx.xxx.xxx = client ip, which is always different)
(yyy.yyy.yyy.yyy = my ip which is always the same of course)

Although it seems harmless at first sight, just asking for the start page and then quitting, I am a bit worried about the fact that it is always the same agent; it can't be coincidence anymore.

Does anybody know more about this?

Thanks in advance,



Marcel
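One way to turn the observation in this post into a repeatable check (an added example, not code from the thread): parse IIS log lines in the format quoted above and flag any User-Agent that requests /iisstart.asp from many distinct client addresses. The field layout is inferred from the three entries above, and the sample lines are constructed, with documentation IP addresses standing in for the xxx/yyy placeholders.

```python
"""Flag one User-Agent requesting the same URI from many distinct client IPs."""
from collections import defaultdict

# Field layout assumed from the log lines quoted in the thread (IIS W3C extended
# format, space-separated; IIS replaces spaces in the User-Agent with '+'):
# time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes
# time-taken s-ip cs(User-Agent)
FIELDS = ["time", "c_ip", "method", "uri", "query", "status", "sc_bytes",
          "cs_bytes", "time_taken", "s_ip", "user_agent"]

# Constructed sample log lines; the IPs are documentation addresses, not real clients.
SAMPLE_LOG = """\
20:50:35 192.0.2.10 GET /iisstart.asp - 200 1558 191 10 198.51.100.5 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
22:54:52 192.0.2.77 GET /iisstart.asp - 200 1558 191 10 198.51.100.5 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
23:50:14 192.0.2.200 GET /iisstart.asp - 200 1606 316 10 198.51.100.5 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
23:51:02 192.0.2.10 GET /app/login.asp - 200 2048 420 15 198.51.100.5 SpecialClient/1.0
"""


def parse_line(line):
    """Split one log line into a dict; return None for blank, comment or short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    # The User-Agent is the last field; limit the split so it stays in one piece.
    parts = line.split(" ", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def find_probe_patterns(log_text, uri="/iisstart.asp", min_clients=3):
    """Group hits on `uri` by User-Agent; return agents seen from >= min_clients IPs.

    Result is {user_agent: sorted list of client IPs}. Many distinct sources with
    an identical agent string and target is the "not a coincidence" signal that
    the thread describes, and a useful thing to alert on.
    """
    clients_by_agent = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["uri"] == uri:
            clients_by_agent[rec["user_agent"]].add(rec["c_ip"])
    return {ua: sorted(ips) for ua, ips in clients_by_agent.items()
            if len(ips) >= min_clients}


if __name__ == "__main__":
    for ua, ips in find_probe_patterns(SAMPLE_LOG).items():
        print(f"{len(ips)} distinct clients requested /iisstart.asp with agent {ua}: {ips}")
```

Point the function at a real log file's contents (after the `#Fields:` header) and raise `min_clients` to suit the server's normal traffic.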
 
It looks like you are just getting probed at the moment. Someone is footprinting your network and will enumerate what's available. This is usually just a prelude to an attack, or setting up their own server on your system.

I would suggest a couple of things. First and foremost, if you're not using IIS, turn it off. No reason to have a nice, juicy security hole for others to jump into. Second, block unnecessary ports on your router or firewall.

If you don't know how to do this, find someone who does very soon. You could find yourself in this situation:
 
Rockjockb,

thank you for replying. I do need IIS for the application running through it, so I'm not able to turn it off.
The computer is protected by a NAT however, only port 80 is open and the rest is stealth. Any more suggestions?


Marcel
 
Mainly, keep your patches and anti-virus up to date, keep the web server off the C-drive, and disable the admin website, and keep an eye on it.

I also block malicious addresses I find at our firewall. But there's a limit to that as well.

My web server gets hit every day with people trying different vulnerabilities. Never been hacked yet.
 
Patches and antivirus are up to date. Blocking addresses is no use here because the client address is always different; they must be spoofed if they have the same origin.

My webserver also gets hit every day by people or viruses trying different vulnerabilities. For most of them I know what they are and what I can do against them. But this one is new to me and I can't find more info on it. So, if anybody has info on these particular log entries, please post here.


Marcel
 
From doing a search on the web for those messages, it looks like a buffer overflow/memory leak attack.
 
It seems to be (but nobody is really sure) Nachi.B / Welchi.B, which will stop itself in June 2004.
More info at
Just wondering why there is not much info to find on the internet about these log entries. Or is only a minority of people running a webserver checking their logfiles every day?



Marcel
 