I was hacked

Discussion in 'Computer Security' started by Frank, Aug 3, 2003.

  1. Frank

    Frank Guest

    I have a Windows 2000 server that is current w/ the latest patches from MS.
    It is running an IIS server that is configured w/ Microsoft's URLScan tool.
    It is also running Terminal Services w/ 128 bit encryption turned on. I
    have a firewall configured to allow only inbound/outbound HTTP traffic on
    port 80 and Terminal Services. I'm also running Snort as an IDS, a virus
    scanner that updates/scans nightly. I have Windows security auditing turned
    on. I've also hardened the system by turning off all unnecessary service
    and making all the appropriate registry changes to restrict access (e.g.
    disabling anonymous access).

    Sounds somewhat secure, right?

    Last night I was hacked. I'm still trying to sort out what happened. I saw
    a series of attempts to attack IIS that the IIS log claimed were coming from
    itself. Unfortunately, my firewall was not logging HTTP traffic - although
    I think I have the source IP via Snort. All these attacks failed. Next, I
    saw a series of logon failures using Terminal Services. Again, all of these
    failed. Then, a few minutes later, I mysteriously see a process called
    A~NSISu_.exe. This seems to come out of nowhere. Prior to this I did not
    see any cmd sessions or anything else that suggests the attacker
    successfully breached my server.

    Below is the web log followed by the event in the event viewer that showed
    the first visible process of the attack. Following this, I saw a series of
    processes start (cmd.exe, nbstat, route).

    I can take care of reinstalling and hardening my system. I have one primary
    concern at this stage: understanding how they cracked my server. If you
    have advice or suggestions, it would be appreciated.





    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/*.idc 404 4184 21 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /iisadmin/ - 404 4184 25 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan>
    ~/default.asp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
    %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
    20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
    0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
    %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
    20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
    0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
    %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
    20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
    0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
    %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
    20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
    0.htr 404 4184 931 16 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /msadc/msadcs.dll - 404 4184 32 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/iisadmin/bdir.htr 404 4184 41 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/iissamples/issamples/query.idq 404 4184 46 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/iissamples/issamples/fastq.idq 404 4184 46 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/iissamples/exair/search/search.idq 404 4184 50
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/iissamples/exair/search/query.idq 404 4184 49 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/prxdocs/misc/prxrch.idq 404 4184 39 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/iissamples/issamples/oop/qfullhit.htw 404 4184 143
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/iissamples/issamples/oop/qsumrhit.htw 404 4184 143
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/qfullhit.htw 404 4184 51
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/qsumrhit.htw 404 4184 51
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/abczxv.htw 404 4184 26 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/author.idq 404 4184 49 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/filesize.idq 404 4184 51
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/filetime.idq 404 4184 51
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/query.idq 404 4184 48 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/queryhit.idq 404 4184 51
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/simple.idq 404 4184 49 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/webhits.exe 404 4184 50
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cfcache.map - 404 4184 27 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /_vti_pvt/administrators.pwd - 403 4358 43 344 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /_vti_pvt/authors.pwd - 403 4358 36 16 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /_vti_pvt/users.pwd - 403 4358 34 16 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /_vti_pvt/service.pwd - 403 4358 36 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 POST
    /_vti_bin/shtml.dll/_vti_rpc - 405 4230 368 15 10.2.2.50 MSFrontPage/4.0
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/ - 404 4184 24 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /scripts/ - 401 4572 48 47 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/sh - 404 4184 26 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/csh - 404 4184 27 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/ksh - 404 4184 27 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/cmd.exe 404 4184 34 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/cmd.exe 404 4184 34 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/cmd32.exe 404 4184 33 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/cmd32.exe 404 4184 33 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/perl.exe 404 4184 35 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/perl.exe 404 4184 35 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/tools/newdsn.exe 404 4184 40 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/_vti_bin/fpcount.exe 404 4184 71 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/rightfax/fuwww.dll/ 404 4184 36 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /iissamples/issamples/query.asp - 403 4270 46 78 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /samples/search/queryhit.htm - 404 4184 43 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /scripts/*+.pl - 401 4572 62 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /iissamples/exair/search/advsearch.asp - 403 4270 53 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/iisadmpwd/aexp3.htr 404 4184 35 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /scripts/repost.asp - 403 4270 34 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/ 404 4184 20 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/users/ 404 4184 26 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/ 404 4184 28 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/ 404 4184 28 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /iissamples/exair/howitworks/codebrws.asp - 403 4270 56 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /msadc/samples/selector/showcode.asp - 403 4270 51 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /index.htm PageServices 200 0 29 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /search - 404 4184 23 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /index.html+ - 404 4184 29 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/rguest.exe 404 4184 34 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/rguest.exe 404 4184 34 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/wguest.exe 404 4184 34 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/wguest.exe 404 4184 34 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/get32.exe 404 4184 33 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/alibaba.pl - 404 4184 34 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/tst.bat 404 4184 31 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-win/uploader.exe 404 4184 36 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/FormHandler.cgi - 404 4184 39 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/testcgi - 404 4184 31 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/test-cgi/* * 404 4184 36 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/test.cgi - 404 4184 32 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/enivron.pl - 404 4184 34 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /scripts/environ.pl - 401 4572 68 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /server-info - 404 4184 27 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /server-status - 404 4184 29 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/tcsh - 404 4184 28 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/cgitest.exe 404 4184 35 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /~root - 404 4184 21 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /~ftp -
    404 4184 20 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/phf Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone= 404 4184
    80 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/count.cgi - 404 4184 33 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/nph-test-cgi - 404 4184 36 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/webdist.cgi - 404 4184 35 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/aglimpse.cgi - 404 4184 36 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/campas %0acat%0a/etc/passwd%0a 404 4184 54 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/jj - 404 4184 26 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/formmail - 404 4184 32 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/formmail.pl - 404 4184 35 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/faxsurvey /bin/cat%20/etc/passwd 404 4184 56 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/view-source ../../../../../../../etc/passwd 404 4184 67 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/srchadm/webhits.exe 404 4184 43 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/tools/mkilog.exe 404 4184 40 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/tools/mkplog.exe 404 4184 40 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/query mss=../../../../../../../etc/passwd 404 4184 65 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/htimage.exe 404 4184 39 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/htimage.exe 404 4184 39 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/author.idq 404 4184 49 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/filesize.idq 404 4184 51
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/filetime.idq 404 4184 51
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/query.idq 404 4184 48 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/queryhit.idq 404 4184 51
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/simple.idq 404 4184 49 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/qfullhit.htw 404 4184 51
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/qsumrhit.htw 404 4184 51
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/scripts/samples/search/webhits.exe 404 4184 50
    0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /robots.txt - 404 4184 26 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/echo.bat 404 4184 41 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/hello.bat 404 4184 42 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/htsearch exclude=%60/etc/passwd%60 404 4184 58 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/ezshopper/loadpage.cgi user_id=1&file=|cat%20/etc/passwd| 404 4184
    81 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/ezshopper/search.cgi
    user_id=id&database=dbase1.exm&template=../../../../../../../etc/passwd&dist
    inct=1 404 4184 127 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/names.nsf/ 404 4184 31 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/catalog.nsf/ 404 4184 33 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/log.nsf/ 404 4184 29 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/domlog.nsf/ 404 4184 32 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/domcfg.nsf/ 404 4184 32 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/sojourn.cgi cat=../../../../../../../etc/passwd 404 4184 71 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/ows-bin/perlidlc.bat 404 4184 41 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-bin/windmail.exe 404 4184 36 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /_vti_bin/shtml.dll - 403 4358 34 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /.htaccess - 404 4184 25 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /_vti_pvt/doctodep.btr - 403 4358 37 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /carbo.dll icatcommand=..\..\..\..\boot.ini&catalogname=catalog 404 4184 78
    16 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cfdocs/expeval/ExprCalc.cfm OpenFilePath=c:\boot.ini 404 4184 68 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cfdocs/expeval/openfile.cfm - 404 4184 43 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/pfdispaly.cgi '%0A/bin/uname%20-a|' 404 4184 59 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/MachineInfo - 404 4184 35 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /mylog.phtml screen=/etc/passwd 404 4184 46 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /mlog.phtml screen=/etc/passwd 404 4184 45 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /cgi-bin/wrap - 404 4184 28 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/ows-bin/oasnetconf.exe 404 4184 72 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/ows-bin/oaskill.exe 404 4184 45 0 - -
    2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    /<Rejected-By-UrlScan> ~/cgi-shl/win-c-sample.exe 404 4184 40 0 - -




    Event Type: Success Audit
    Event Source: Security
    Event Category: Detailed Tracking
    Event ID: 592
    Date: 8/2/2003
    Time: 2:50:28 AM
    User: MYSERVER\MyAdmin
    Computer: MYSERVER
    Description:
    A new process has been created:
    New Process ID: 1764
    Image File Name: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\A~NSISu_.exe
    Creator Process ID: 1916
    User Name: MyAdmin
    Domain: MYSERVER
    Logon ID: (0x0,0xDE65)
     
    Frank, Aug 3, 2003
    #1
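A small triage script for the two pieces of evidence in the post, added here as an example (not code from the thread): it tallies the IIS log by status code and lists the only requests that actually succeeded, counts the UrlScan rejections, flags the 592 event because the image ran out of a Temp directory, and shifts an IIS timestamp into local time, since IIS writes W3C logs in GMT while Event Viewer shows local time. It assumes the W3C column order given in IIS_FIELDS (the post omits its #Fields header); the function names and the interpretation of the trailing columns are the example's own.

```python
"""Triage of the two pieces of evidence in the post above.

Added example, not code from the thread. Assumes the IIS log uses the W3C
field order in IIS_FIELDS (the post omits its #Fields header).
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed column order for the log lines in the post.
IIS_FIELDS = ["date", "time", "c_ip", "cs_username", "s_sitename",
              "s_computername", "s_ip", "s_port", "cs_method", "cs_uri_stem",
              "cs_uri_query", "sc_status", "sc_bytes", "cs_bytes",
              "time_taken", "field16", "field17"]

# Six lines copied from the post (wrapped lines re-joined).
SAMPLE_LOG = """\
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/*.idc 404 4184 21 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /iisadmin/ - 404 4184 25 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /_vti_pvt/administrators.pwd - 403 4358 43 344 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 POST /_vti_bin/shtml.dll/_vti_rpc - 405 4230 368 15 10.2.2.50 MSFrontPage/4.0
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /index.htm PageServices 200 0 29 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/cmd.exe 404 4184 34 0 - -
"""

# The 592 audit event from the post, as Event Viewer rendered it.
EVENT_592 = r"""Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: 8/2/2003
Time: 2:50:28 AM
User: MYSERVER\MyAdmin
Computer: MYSERVER
Description:
A new process has been created:
New Process ID: 1764
Image File Name: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\A~NSISu_.exe
Creator Process ID: 1916
User Name: MyAdmin
Domain: MYSERVER
Logon ID: (0x0,0xDE65)
"""


def parse_iis_line(line):
    """Split one W3C log line into a dict using the assumed field order."""
    parts = line.split(None, len(IIS_FIELDS) - 1)
    parts += ["-"] * (len(IIS_FIELDS) - len(parts))   # pad short lines
    return dict(zip(IIS_FIELDS, parts))


def triage_iis(log_text):
    """What the scanner got back: what succeeded, what UrlScan rejected."""
    rows = [parse_iis_line(l) for l in log_text.splitlines()
            if l.strip() and not l.startswith("#")]
    return {
        "status_counts": Counter(r["sc_status"] for r in rows),
        # Only 2xx answers could have delivered anything to the scanner.
        "successes": [(r["cs_method"], r["cs_uri_stem"]) for r in rows
                      if r["sc_status"].startswith("2")],
        "urlscan_rejected": sum("<Rejected-By-UrlScan>" in r["cs_uri_stem"]
                                for r in rows),
        # c-ip == s-ip is what the post calls "coming from itself"; a proxy
        # or NAT device in front of IIS is the usual reason.
        "self_sourced": sum(r["c_ip"] == r["s_ip"] for r in rows),
        "seconds_spanned": len({(r["date"], r["time"]) for r in rows}),
    }


def parse_event(text):
    """Turn an Event Viewer 'Key: value' dump into a dict."""
    ev = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if m:
            ev[m.group(1).strip()] = m.group(2).strip()
    return ev


def flag_process_event(ev):
    """Reasons a 592 (new process) event deserves a closer look."""
    reasons = []
    image = ev.get("Image File Name", "")
    if ev.get("Event ID") != "592":
        return reasons
    if re.search(r"\\temp\\", image, re.IGNORECASE):
        reasons.append("image launched from a Temp directory")
    if re.search(r"\\[^\\]*~[^\\]*\.exe$", image, re.IGNORECASE):
        reasons.append("tilde-mangled executable name")
    return reasons


def iis_time_to_local(date, time_, utc_offset_hours):
    """IIS writes W3C logs in GMT while Event Viewer shows local time; shift
    a log timestamp so it can be lined up with the audit event."""
    stamp = datetime.strptime(date + " " + time_, "%Y-%m-%d %H:%M:%S")
    return stamp + timedelta(hours=utc_offset_hours)
```

Run `triage_iis(SAMPLE_LOG)` against the full log to see that /index.htm is the only 2xx in the sweep, and pass the server's UTC offset to `iis_time_to_local` before comparing the 05:54:56 sweep with the 2:50:28 AM process start.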

  2. Frank

    Frank Cusack Guest

    On Sun, 03 Aug 2003 01:51:49 GMT "Frank" <> wrote:
    > I have a Windows 2000 server that is current w/ the latest patches from MS.
    > It is running an IIS server ...

    ....
    >
    > Sounds somewhat secure, right?


    nope

    /fc
     
    Frank Cusack, Aug 4, 2003
    #2

  3. I saw no successes in your IIS Log. Believe me, if that was true for all your connections you wouldn't be serving anything.

    --
    George Hester
    __________________________________
    "Frank" <> wrote in message news:VUZWa.36782$...
    > I have a Windows 2000 server that is current w/ the latest patches from MS.
    > It is running an IIS server that is configured w/ Microsoft's URLScan tool.
    > It is also running Terminal Services w/ 128 bit encryption turned on. I
    > have a firewall configured to allow only inbound/outbound HTTP traffic on
    > port 80 and Terminal Services. I'm also running Snort as an IDS, a virus
    > scanner that updates/scans nightly. I have Windows security auditing turned
    > on. I've also hardened the system by turning off all unnecessary service
    > and making all the appropriate registry changes to restrict access (e.g.
    > disabling anonymous access).
    >
    > Sounds somewhat secure, right?
    >
    > Last night I was hacked. I'm still trying to sort out what happened. I saw
    > a series of attempts to attack IIS that the IIS log claimed were coming from
    > itself. Unfortunately, my firewall was not logging HTTP traffic - although
    > I think I have the source IP via Snort. All these attacks failed. Next, I
    > saw a series of logon failures using Terminal Services. Again, all of these
    > failed. Then, a few minutes later, I mysteriously see a process called
    > A~NSISu_.exe. This seems to come out of nowhere. Prior to this I did not
    > see any cmd sessions or anything else that suggests the attacker
    > successfully breached my server.
    >
    > Below is the web log followed by the event in the event viewer that showed
    > the first visible process of the attack. Following this, I saw a series of
    > processes start (cmd.exe, nbstat, route).
    >
    > I can take care of reinstalling and hardening my system. I have one primary
    > concern at this stage: understanding how they cracked my server. If you
    > have advice or suggestions, it would be appreciated.
    > /cgi-bin/enivron.pl - 404 4184 34 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /scripts/environ.pl - 401 4572 68 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /server-info - 404 4184 27 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /server-status - 404 4184 29 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/tcsh - 404 4184 28 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/cgi-bin/cgitest.exe 404 4184 35 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /~root - 404 4184 21 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /~ftp -
    > 404 4184 20 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/phf Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone= 404 4184
    > 80 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/count.cgi - 404 4184 33 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/nph-test-cgi - 404 4184 36 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/webdist.cgi - 404 4184 35 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/aglimpse.cgi - 404 4184 36 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/campas %0acat%0a/etc/passwd%0a 404 4184 54 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/jj - 404 4184 26 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/formmail - 404 4184 32 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/formmail.pl - 404 4184 35 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/faxsurvey /bin/cat%20/etc/passwd 404 4184 56 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/view-source ../../../../../../../etc/passwd 404 4184 67 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/srchadm/webhits.exe 404 4184 43 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/tools/mkilog.exe 404 4184 40 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/tools/mkplog.exe 404 4184 40 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/query mss=../../../../../../../etc/passwd 404 4184 65 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/htimage.exe 404 4184 39 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/cgi-bin/htimage.exe 404 4184 39 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/samples/search/author.idq 404 4184 49 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/samples/search/filesize.idq 404 4184 51
    > 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/samples/search/filetime.idq 404 4184 51
    > 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/samples/search/query.idq 404 4184 48 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/samples/search/queryhit.idq 404 4184 51
    > 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/samples/search/simple.idq 404 4184 49 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/samples/search/qfullhit.htw 404 4184 51
    > 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/samples/search/qsumrhit.htw 404 4184 51
    > 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/scripts/samples/search/webhits.exe 404 4184 50
    > 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /robots.txt - 404 4184 26 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/cgi-bin/echo.bat 404 4184 41 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/cgi-bin/hello.bat 404 4184 42 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/htsearch exclude=%60/etc/passwd%60 404 4184 58 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/ezshopper/loadpage.cgi user_id=1&file=|cat%20/etc/passwd| 404 4184
    > 81 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/ezshopper/search.cgi
    > user_id=id&database=dbase1.exm&template=../../../../../../../etc/passwd&dist
    > inct=1 404 4184 127 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/names.nsf/ 404 4184 31 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/catalog.nsf/ 404 4184 33 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/log.nsf/ 404 4184 29 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/domlog.nsf/ 404 4184 32 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/domcfg.nsf/ 404 4184 32 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/sojourn.cgi cat=../../../../../../../etc/passwd 404 4184 71 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/ows-bin/perlidlc.bat 404 4184 41 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/cgi-bin/windmail.exe 404 4184 36 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /_vti_bin/shtml.dll - 403 4358 34 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /.htaccess - 404 4184 25 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /_vti_pvt/doctodep.btr - 403 4358 37 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /carbo.dll icatcommand=..\..\..\..\boot.ini&catalogname=catalog 404 4184 78
    > 16 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cfdocs/expeval/ExprCalc.cfm OpenFilePath=c:\boot.ini 404 4184 68 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cfdocs/expeval/openfile.cfm - 404 4184 43 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/pfdispaly.cgi '%0A/bin/uname%20-a|' 404 4184 59 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/MachineInfo - 404 4184 35 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /mylog.phtml screen=/etc/passwd 404 4184 46 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /mlog.phtml screen=/etc/passwd 404 4184 45 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /cgi-bin/wrap - 404 4184 28 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/ows-bin/oasnetconf.exe 404 4184 72 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/ows-bin/oaskill.exe 404 4184 45 0 - -
    > 2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
    > /<Rejected-By-UrlScan> ~/cgi-shl/win-c-sample.exe 404 4184 40 0 - -
    >
    >
    >
    >
    > Event Type: Success Audit
    > Event Source: Security
    > Event Category: Detailed Tracking
    > Event ID: 592
    > Date: 8/2/2003
    > Time: 2:50:28 AM
    > User: MYSERVER\MyAdmin
    > Computer: MYSERVER
    > Description:
    > A new process has been created:
    > New Process ID: 1764
    > Image File Name: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\A~NSISu_.exe
    > Creator Process ID: 1916
    > User Name: MyAdmin
    > Domain: MYSERVER
    > Logon ID: (0x0,0xDE65)
    >
    >
    >
    >
    >
     
    George Hester, Aug 4, 2003
    #3
  4. I don't know how it relates to this whole thing, but A~NSISu_.exe sounds
    quite a bit like the Nullsoft Install System (which creates Win32 self-extracting
    executable installers): http://www.nullsoft.com/free/nsis/.


    "George Hester" <> wrote in message
    news:eLSB$...
    I saw no successes in your IIS Log. Believe me, if that was true for all
    your connections you wouldn't be serving anything.

    --
    George Hester
    __________________________________
     
    Patrick Kremer, Aug 5, 2003
    #4
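Frank's two artefacts, the IIS W3C log and the Event ID 592 record, can be triaged together. The script below is an added example, not code from anyone in this thread: it parses five of the posted log lines and the posted event record, counts what UrlScan rejected against what was actually served, checks whether the client address is the server's own (the "coming from itself" observation), and converts the event's local time to UTC so it can be placed next to the W3C timestamps. The W3C field order (the two trailing columns read as cs-host and cs(User-Agent)) and the UTC offset are assumptions, since the post does not include the #Fields: header.

```python
"""Triage helper for the two artefacts in Frank's post: IIS W3C log lines with
UrlScan's /<Rejected-By-UrlScan> marker, and a Security Event ID 592 record."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed field order: the post omits the "#Fields:" header, so the two
# trailing columns are taken to be cs-host and cs(User-Agent).
FIELDS = ["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip",
          "s-port", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status", "sc-bytes",
          "cs-bytes", "time-taken", "cs-host", "cs(User-Agent)"]
REJECT_MARK = "/<Rejected-By-UrlScan>"
PROBE_MARKERS = ("../", "..\\", "/etc/passwd", "boot.ini", "%0a")  # file-read probes
# Five lines taken verbatim from the posted log (same second, same client).
SAMPLE_LOG = """\
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/names.nsf/ 404 4184 31 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/sojourn.cgi cat=../../../../../../../etc/passwd 404 4184 71 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 POST /_vti_bin/shtml.dll/_vti_rpc - 405 4230 368 15 10.2.2.50 MSFrontPage/4.0
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /index.htm PageServices 200 0 29 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/cmd.exe 404 4184 34 0 - -
"""
# The Event Viewer record as posted (raw string keeps the backslashes).
SAMPLE_EVENT = r"""Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: 8/2/2003
Time: 2:50:28 AM
User: MYSERVER\MyAdmin
Computer: MYSERVER
Description:
A new process has been created:
New Process ID: 1764
Image File Name: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\A~NSISu_.exe
Creator Process ID: 1916
User Name: MyAdmin
Domain: MYSERVER
Logon ID: (0x0,0xDE65)
"""

def parse_w3c_line(line):
    """One W3C line -> dict; UrlScan keeps the blocked path in cs-uri-query as '~/path'."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["sc-status"] = int(rec["sc-status"])
    rec["rejected"] = rec["cs-uri-stem"] == REJECT_MARK
    rec["path"] = rec["cs-uri-query"][1:] if rec["rejected"] else rec["cs-uri-stem"]
    return rec

def summarize(log_text):
    """Burst rate, what UrlScan blocked, what was served, and whether c-ip is the server itself."""
    recs = [r for r in map(parse_w3c_line, log_text.splitlines()) if r]
    per_second = Counter((r["c-ip"], r["date"], r["time"]) for r in recs)
    return {
        "requests": len(recs),
        "max_per_second": max(per_second.values(), default=0),
        "self_sourced": sum(r["c-ip"] == r["s-ip"] for r in recs),
        "urlscan_rejected": sum(r["rejected"] for r in recs),
        "served_2xx": [r["path"] for r in recs if 200 <= r["sc-status"] < 300],
        "file_read_probes": sum(any(m in r["cs-uri-query"].lower() for m in PROBE_MARKERS) for r in recs),
        "user_agents": sorted({r["cs(User-Agent)"] for r in recs} - {"-"}),
    }

def parse_event(text):
    """Event Viewer 'Key: value' dump -> dict; first colon only, so 'Time: 2:50:28 AM' survives."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec

def flag_process_event(rec):
    """Reasons a 592 record deserves a closer look (empty list: nothing stood out)."""
    reasons = []
    if rec.get("Event ID") != "592":
        return reasons
    image = rec.get("Image File Name", "")
    if "\\temp\\" in image.lower():
        reasons.append("executable launched from a Temp directory")
    return reasons

def event_time_utc(rec, local_utc_offset_hours):
    """Event Viewer shows local time, W3C logs are UTC; convert so both fit one timeline."""
    local = datetime.strptime(rec["Date"] + " " + rec["Time"], "%m/%d/%Y %I:%M:%S %p")
    tz = timezone(timedelta(hours=local_utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    event = parse_event(SAMPLE_EVENT)  # offset -4 below is an assumed example value
    print(summarize(SAMPLE_LOG), flag_process_event(event), event_time_utc(event, -4))
```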
  5. Frank

    SAge Guest

    First, of course, do a full updated scan looking for trojan horses and
    other ills. If you know your program files and other system files
    well, have a look for an odd named file, possibly fitting in but
    something may make it look odd. Could most likely be from 50k-1mb in
    size, most averaging 150-550k. Next, if you need to do some
    footprinting on that address you say may be the source, SamSpade.org
    provides good tools. If you need further assistance you can contact
    , attn:SAge. Essentially however, you are only going
    to find some basic info on this IP; if lucky they were dumb and didn't
    proxy around first and it's a static IP. Most of the time though you
    will find a proxy, a dead end 99.99%, or a dynamic DHCP type IP, also
    99.99% end. Even if you do find them, there is a 99.99% chance of
    nothing coming of it. Other than that, look into SATAN or SAINT to
    help check your own network and lots of other tools to try and hack
    yourself. That's the best way to find and plug your holes.

    SAge
    Echo CCT
    www.echocct.org


    "Frank" <> wrote in message news:<VUZWa.36782$>...
    > I have a Windows 2000 server that is current w/ the latest patches from MS.
    > It is running an IIS server that is configured w/ Microsoft's URLScan tool.
    > It is also running Terminal Services w/ 128 bit encryption turned on. I
    > have a firewall configured to allow only inbound/outbound HTTP traffic on
    > port 80 and Terminal Services. I'm also running Snort as an IDS, a virus
    > scanner that updates/scans nightly. I have Windows security auditing turned
    > on. I've also hardened the system by turning off all unnecessary services
    > and making all the appropriate registry changes to restrict access (e.g.
    > disabling anonymous access).
    >
    > Sounds somewhat secure, right?
    >
    > Last night I was hacked. I'm still trying to sort out what happened. I saw
    > a series of attempts to attack IIS that the IIS log claimed were coming from
    > itself. Unfortunately, my firewall was not logging HTTP traffic - although
    > I think I have the source IP via Snort. All these attacks failed. Next, I
    > saw a series of logon failures using Terminal Services. Again, all of these
    > failed. Then, a few minutes later, I mysteriously see a process called
    > A~NSISu_.exe. This seems to come out of nowhere. Prior to this I did not
    > see any cmd sessions or anything else that suggests the attacker
    > successfully breached my server.
    >
    > Below is the web log followed by the event in the event viewer that showed
    > the first visible process of the attack. Following this, I saw a series of
    > processes start (cmd.exe, nbstat, route).
    >
    > I can take care of reinstalling and hardening my system. I have one primary
    > concern at this stage: understanding how they cracked my server. If you
    > have advice or suggestions, it would be appreciated.
     
    SAge, Aug 6, 2003
    #5
  6. Frank

    d0x Guest

    "... a dynamic DHCP type IP also 99.99% [dead]end"

    This is not true. If you can trace back to an actual person's IP, you can
    contact their ISP. Give the ISP the IP address, date and time that the
    offense occurred, and your time zone. The ISP can look through their log
    files to find out who was the last person to have the IP before the time
    you gave.
    From that, they can find out the person's MAC address, and "null route"
    them, i.e. assign them an IP address of 192.168.10.231, which will prevent
    them from getting any internet access. When that person calls the ISP to
    inquire about their internet connection, they will be caught. Of course
    they could always just change their NIC, but I'm sure most people wouldn't
    think to do that.
     
    d0x, Jul 17, 2004
    #6
  7. d0x <> wrote in message news:<>...
    > "... a dynamic DHCP type IP also 99.99% [dead]end"
    >
    > This is not true. If you can trace back to an actual person's IP, you can
    > contact their ISP. Give the ISP the IP address, date and time that the
    > offense occurred, and your time zone. The ISP can look through their log
    > files to find out who was the last person to have the IP before the time
    > you gave.
    > From that, they can find out the person's MAC address, and "null route"
    > them, i.e. assign them an IP address of 192.168.10.231, which will prevent
    > them from getting any internet access. When that person calls the ISP to
    > inquire about their internet connection, they will be caught.


    Have you ever actually done that? In my experience, most ISPs won't
    give that information or talk to you unless you're a law enforcement
    person with a subpoena from a court in a country that the ISP
    recognizes, and there isn't any language barrier, and you've contacted
    them soon enough for them to preserve whatever logs they may or may
    not have. Even then, there is a fair chance that what you'll find
    isn't a perpetrator, but a virus-infected computer with a hidden proxy
    or botnet running on it, or something similar.
     
    Karl Levinson [x y] mvp, Jul 19, 2004
    #7
  8. Frank

    Chuckles Guest

    Karl Levinson [x y] mvp wrote:
    > d0x <> wrote in message news:<>...
    >
    >>"... a dynamic DHCP type IP also 99.99% [dead]end"
    >>
    >>This is not true. If you can trace back to an actual person's IP, you can
    >>contact their ISP. Give the ISP the IP address, date and time that the
    >>offense occurred, and your time zone. The ISP can look through their log
    >>files to find out who was the last person to have the IP before the time
    >>you gave.
    >>From that, they can find out the person's MAC address, and "null route"
    >>them, i.e. assign them an IP address of 192.168.10.231, which will prevent
    >>them from getting any internet access. When that person calls the ISP to
    >>inquire about their internet connection, they will be caught.

    >
    >
    > Have you ever actually done that? In my experience, most ISPs won't
    > give that information or talk to you unless you're a law enforcement
    > person with a subpoena from a court in a country that the ISP
    > recognizes, and there isn't any language barrier, and you've contacted
    > them soon enough for them to preserve whatever logs they may or may
    > not have. Even then, there is a fair chance that what you'll find
    > isn't a perpetrator, but a virus-infected computer with a hidden proxy
    > or botnet running on it, or something similar.

    I have done it. You email them your logs and 2 times out of 5 they nab
    the person.
     
    Chuckles, Jul 19, 2004
    #8
  9. "Chuckles" <> wrote in message
    news:...

    > > Have you ever actually done that? In my experience, most ISPs won't
    > > give that information or talk to you unless you're a law enforcement
    > > person with a subpoena from a court in a country that the ISP
    > > recognizes, and there isn't any language barrier, and you've contacted
    > > them soon enough for them to preserve whatever logs they may or may
    > > not have. Even then, there is a fair chance that what you'll find
    > > isn't a perpetrator, but a virus-infected computer with a hidden proxy
    > > or botnet running on it, or something similar.


    > I have done it. You email them your logs and 2 times out of 5 they nab
    > the person.


    Fair enough. Although if you look at www.mynetwatchman.com, you see that
    they do this quite frequently, and they report much less than 1 in 5 success
    rate.
     
    Karl Levinson [x y] mvp, Jul 20, 2004
    #9