
iis security : IIS security alert - new attack?


Chris Popescu
12/21/2003 7:07:41 PM
Hi,

Does anyone know what kind of attack this is and how it can be prevented?

IIS servers are not able to serve any other pages while this attack is active.

We use UrlScan and we have IIS 5/6 patched with latest security patches.

However, from the IIS logs I cannot see much about how this attack is performed.

Thank you,

Chris


x.x.x.x is our server IP address.
2003-12-21 17:21:53 211.38.90.129 - x.x.x.x 80 HEAD /index.asp - 200 362 40 - - -
2003-12-21 17:21:59 211.38.90.129 - x.x.x.x 80 - - - 404 245 65 - - -
2003-12-21 17:22:07 211.38.90.129 - x.x.x.x 80 - - - 404 143 109 - - -
2003-12-21 17:22:17 211.38.90.129 - x.x.x.x 80 - - - 404 245 103 - - -
2003-12-21 17:22:26 211.38.90.129 - x.x.x.x 80 - - - 404 245 115 - - -
2003-12-21 17:22:36 211.38.90.129 - x.x.x.x 80 - - - 404 245 103 - - -
2003-12-21 17:22:47 211.38.90.129 - x.x.x.x 80 - - - 404 245 104 - - -
2003-12-21 17:22:59 211.38.90.129 - x.x.x.x 80 - - - 404 245 98 - - -
2003-12-21 17:23:10 211.38.90.129 - x.x.x.x 80 - - - 404 245 110 - - -
2003-12-21 17:23:22 211.38.90.129 - x.x.x.x 80 - - - 404 245 98 - - -
2003-12-21 17:23:34 211.38.90.129 - x.x.x.x 80 - - - 404 245 112 - - -
2003-12-21 17:23:47 211.38.90.129 - x.x.x.x 80 - - - 404 245 130 - - -
2003-12-21 17:24:01 211.38.90.129 - x.x.x.x 80 - - - 404 245 120 - - -
2003-12-21 17:24:13 211.38.90.129 - x.x.x.x 80 - - - 404 245 140 - - -
2003-12-21 17:24:27 211.38.90.129 - x.x.x.x 80 - - - 404 245 120 - - -
2003-12-21 17:24:40 211.38.90.129 - x.x.x.x 80 - - - 404 245 112 - - -
2003-12-21 17:24:53 211.38.90.129 - x.x.x.x 80 - - - 404 245 125 - - -
2003-12-21 17:25:06 211.38.90.129 - x.x.x.x 80 - - - 404 245 115 - - -
2003-12-21 17:25:20 211.38.90.129 - x.x.x.x 80 - - - 404 143 124 - - -
2003-12-21 17:25:33 211.38.90.129 - x.x.x.x 80 - - - 404 245 125 - - -
2003-12-21 17:25:46 211.38.90.129 - x.x.x.x 80 - - - 404 245 125 - - -
2003-12-21 17:26:00 211.38.90.129 - x.x.x.x 80 - - - 404 245 126 - - -
2003-12-21 17:26:13 211.38.90.129 - x.x.x.x 80 - - - 404 245 75 - - -
2003-12-21 17:26:27 211.38.90.129 - x.x.x.x 80 - - - 404 245 123 - - -
2003-12-21 17:26:41 211.38.90.129 - x.x.x.x 80 - - - 404 245 124 - - -
2003-12-21 17:26:55 211.38.90.129 - x.x.x.x 80 - - - 404 245 75 - - -
2003-12-21 17:27:09 211.38.90.129 - x.x.x.x 80 - - - 404 245 125 - - -
2003-12-21 17:27:23 211.38.90.129 - x.x.x.x 80 - - - 404 245 126 - - -
2003-12-21 17:27:36 211.38.90.129 - x.x.x.x 80 - - - 404 245 115 - - -
2003-12-21 17:27:50 211.38.90.129 - x.x.x.x 80 - - - 404 245 107 - - -
2003-12-21 17:28:04 211.38.90.129 - x.x.x.x 80 - - - 404 245 123 - - -
2003-12-21 17:28:18 211.38.90.129 - x.x.x.x 80 - - - 404 245 107 - - -
2003-12-21 17:28:31 211.38.90.129 - x.x.x.x 80 - - - 404 245 115 - - -
2003-12-21 17:28:45 211.38.90.129 - x.x.x.x 80 - - - 404 245 109 - - -
2003-12-21 17:28:58 211.38.90.129 - x.x.x.x 80 - - - 404 245 123 - - -
2003-12-21 17:29:12 211.38.90.129 - x.x.x.x 80 - - - 404 245 121 - - -
2003-12-21 17:29:26 211.38.90.129 - x.x.x.x 80 - - - 404 245 107 - - -
2003-12-21 17:29:40 211.38.90.129 - x.x.x.x 80 - - - 404 245 109 - - -
2003-12-21 17:29:54 211.38.90.129 - x.x.x.x 80 - - - 404 245 140 - - -
2003-12-21 17:30:08 211.38.90.129 - x.x.x.x 80 - - - 404 245 112 - - -
2003-12-21 17:30:21 211.38.90.129 - x.x.x.x 80 - - - 404 245 90 - - -
2003-12-21 17:30:35 211.38.90.129 - x.x.x.x 80 - - - 404 245 112 - - -
2003-12-21 17:30:49 211.38.90.129 - x.x.x.x 80 - - - 404 245 90 - - -
2003-12-21 17:31:03 211.38.90.129 - x.x.x.x 80 - - - 404 245 121 - - -
2003-12-21 17:31:17 211.38.90.129 - x.x.x.x 80 - - - 404 245 93 - - -
2003-12-21 17:31:31 211.38.90.129 - x.x.x.x 80 - - - 404 245 130 - - -
2003-12-21 17:31:44 211.38.90.129 - x.x.x.x 80 - - - 404 245 96 - - -
2003-12-21 17:31:58 211.38.90.129 - x.x.x.x 80 - - - 404 245 139 - - -
2003-12-21 17:32:12 211.38.90.129 - x.x.x.x 80 - - - 404 245 99 - - -
2003-12-21 17:32:25 211.38.90.129 - x.x.x.x 80 - - - 404 245 123 - - -
2003-12-21 17:32:40 211.38.90.129 - x.x.x.x 80 - - - 404 245 124 - - -
2003-12-21 17:32:53 211.38.90.129 - x.x.x.x 80 - - - 404 245 91 - - -
2003-12-21 17:33:07 211.38.90.129 - x.x.x.x 80 - - - 404 245 95 - - -
2003-12-21 17:33:21 211.38.90.129 - x.x.x.x 80 - - - 404 245 93 - - -
2003-12-21 17:33:35 211.38.90.129 - x.x.x.x 80 - - - 404 245 91 - - -
2003-12-21 17:33:49 211.38.90.129 - x.x.x.x 80 - - - 404 245 95 - - -
2003-12-21 17:34:02 211.38.90.129 - x.x.x.x 80 - - - 404 245 109 - - -
2003-12-21 17:34:16 211.38.90.129 - x.x.x.x 80 - - - 404 245 91 - - -
2003-12-21 17:34:30 211.38.90.129 - x.x.x.x 80 - - - 404 245 96 - - -
2003-12-21 17:34:44 211.38.90.129 - x.x.x.x 80 - - - 404 245 95 - - -
2003-12-21 17:34:58 211.38.90.129 - x.x.x.x 80 - - - 404 245 91 - - -
2003-12-21 17:35:11 211.38.90.129 - x.x.x.x 80 - - - 404 245 113 - - -
2003-12-21 17:35:25 211.38.90.129 - x.x.x.x 80 - - - 404 245 113 - - -
2003-12-21 17:35:39 211.38.90.129 - x.x.x.x 80 - - - 404 245 113 - - -
2003-12-21 17:35:52 211.38.90.129 - x.x.x.x 80 - - - 404 245 92 - - -
2003-12-21 17:36:06 211.38.90.129 - x.x.x.x 80 - - - 404 245 92 - - -
2003-12-21 17:36:21 211.38.90.129 - x.x.x.x 80 - - - 404 245 92 - - -
2003-12-21 17:36:34 211.38.90.129 - x.x.x.x 80 - - - 404 245 92 - - -
2003-12-21 17:36:48 211.38.90.129 - x.x.x.x 80 - - - 404 245 92 - - -
2003-12-21 17:37:02 211.38.90.129 - x.x.x.x 80 - - - 404 245 92 - - -
2003-12-21 17:37:16 211.38.90.129 - x.x.x.x 80 - - - 404 245 92 - - -
2003-12-21 17:37:30 211.38.90.129 - x.x.x.x 80 - - - 404 245 92 - - -
2003-12-21 17:37:44 211.38.90.129 - x.x.x.x 80 - - - 404 245 95 - - -
2003-12-21 17:37:57 211.38.90.129 - x.x.x.x 80 - - - 404 245 98 - - -
2003-12-21 17:38:11 211.38.90.129 - x.x.x.x 80 - - - 404 245 101 - - -
2003-12-21 17:38:25 211.38.90.129 - x.x.x.x 80 - - - 404 245 104 - - -
2003-12-21 17:38:38 211.38.90.129 - x.x.x.x 80 - - - 404 245 67 - - -
2003-12-21 17:38:52 211.38.90.129 - x.x.x.x 80 - - - 404 143 148 - - -
2003-12-21 17:39:06 211.38.90.129 - x.x.x.x 80 HEAD /etc/passwd /c+dir+c:\ 404 144 138 - - -
2003-12-21 17:39:20 211.38.90.129 - x.x.x.x 80 - - - 404 245 112 - - -
2003-12-21 17:39:34 211.38.90.129 - x.x.x.x 80 - - - 404 245 116 - - -
2003-12-21 17:39:48 211.38.90.129 - x.x.x.x 80 - - - 404 245 122 - - -
2003-12-21 17:40:01 211.38.90.129 - x.x.x.x 80 - - - 404 245 116 - - -
2003-12-21 17:40:15 211.38.90.129 - x.x.x.x 80 - - - 404 245 122 - - -
2003-12-21 17:40:29 211.38.90.129 - x.x.x.x 80 - - - 404 245 116 - - -
2003-12-21 17:40:43 211.38.90.129 - x.x.x.x 80 - - - 404 245 122 - - -
2003-12-21 17:40:56 211.38.90.129 - x.x.x.x 80 - - - 404 245 116 - - -
2003-12-21 17:41:10 211.38.90.129 - x.x.x.x 80 - - - 404 245 122 - - -
2003-12-21 17:41:24 211.38.90.129 - x.x.x.x 80 - - - 404 245 123 - - -
2003-12-21 17:41:38 211.38.90.129 - x.x.x.x 80 - - - 404 245 123 - - -
2003-12-21 17:41:53 211.38.90.129 - x.x.x.x 80 - - - 404 245 123 - - -
Chris Popescu
12/21/2003 10:41:29 PM

These logs are similar on busy virtual servers that use their own IPs. Please look at the start time and end time.

For the duration of the attack, 1 hour and 20 minutes,

none of them served other pages, their logs were similar to this one, and I did not see other requests
with a 200 response status from other sites.

I think that the attack is composed of a combination of previous attacks:

2003-12-21 18:17:04 211.38.90.129 4701 x.x.x.70 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4732 x.x.x.63 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4739 x.x.x.123 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4741 x.x.x.62 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4750 x.x.x.125 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4752 x.x.x.66 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4759 x.x.x.188 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4760 x.x.x.190 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4762 x.x.x.191 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4763 x.x.x.237 80 HTTP/0.0 HEAD /images/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4791 x.x.x.6 80 HTTP/0.0 HEAD /images/..%252e..%252ewinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4802 x.x.x.108 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:05 211.38.90.129 4828 x.x.x.164 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:05 211.38.90.129 4829 x.x.x.234 80 HTTP/0.0 HEAD /images/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:05 211.38.90.129 4845 x.x.x.177 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:05 211.38.90.129 4871 x.x.x.228 80 HTTP/0.0 HEAD /images/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:05 211.38.90.129 4872 x.x.x.189 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:05 211.38.90.129 4881 x.x.x.232 80 HTTP/0.0 HEAD /images/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:05 211.38.90.129 4883 x.x.x.183 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:05 211.38.90.129 4888 x.x.x.185 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:05 211.38.90.129 4891 x.x.x.247 80 HTTP/0.0 HEAD /images/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:05 211.38.90.129 4950 x.x.x.196 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:05 211.38.90.129 4977 x.x.x.246 80 HTTP/0.0 HEAD /images/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:05 211.38.90.129 4989 x.x.x.226 80 HTTP/0.0 HEAD /images/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1097 x.x.x.10 80 HTTP/0.0 HEAD /images/..%252e..%252ewinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1099 x.x.x.69 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1098 x.x.x.139 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1094 x.x.x.15 80 HTTP/0.0 HEAD /images/..%252e..%252ewinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1106 x.x.x.128 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1100 x.x.x.14 80 HTTP/0.0 HEAD /images/..%252e..%252ewinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1107 x.x.x.187 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1108 x.x.x.199 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1109 x.x.x.134 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1112 x.x.x.198 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1129 x.x.x.251 80 HTTP/0.0 HEAD /images/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1134 x.x.x.72 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1142 x.x.x.197 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1140 x.x.x.131 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1147 x.x.x.192 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1152 x.x.x.195 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1166 x.x.x.119 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:06 211.38.90.129 1167 x.x.x.249 80 HTTP/0.0 HEAD /images/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:07 211.38.90.129 1170 x.x.x.235 80 HTTP/0.0 HEAD /images/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:07 211.38.90.129 1171 x.x.x.75 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:07 211.38.90.129 1172 x.x.x.74 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:07 211.38.90.129 1176 x.x.x.71 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63winnt/system32/cmd.exe 400 - BadRequest
Karl Levinson [x y] mvp
12/22/2003 7:33:32 AM
This looks to me like traffic that most web servers are handling just fine.
I don't see any reason why your servers should stop responding [unless they
were Windows workstations and not Windows servers, or were installed from a
Windows 2000 Server 5-CAL demo CD, because those have a limit of 5 or 10 max
concurrent connections].

Also, the two logs you posted are of different activity; the first log
contains 404 errors, the second log contains 400 errors. I'm not sure why
your two logs are so different, but they appear to represent different
requests.

You ARE using URLScan which is free from
www.microsoft.com/technet/security, right? [Looks like you're not.] Very
useful if not mandatory. And a firewall? I also assume your servers are
already fully patched [via http://windowsupdate.microsoft.com ] and
correctly configured for best security using the hardening instructions also
at the above URL?

If there is something making your server stop responding, I'm not sure
you're seeing it in these logs. You might check your firewall logs and use
a sniffer to capture more detail on the network traffic hitting your server.
Your web logs will NOT show you a successful HTTP buffer overflow attack,
nor will they show you a denial of service or other attack that targets
other ports not relating to IIS.


Ken Schaefer
12/22/2003 3:10:19 PM
I'm not exactly sure what type of attack you are speaking of.

All the response statuses in the logfile you have posted are 404 - File Not
Found. Additionally, the requests seem very spaced out (only every 20
seconds or so). That is very low load for an IIS box.

If you want to see the actual rejected requests, you will need to look in
the URLScan log files, since I suspect that URLScan is rejecting these
requests (hence the lack of any URI in the IIS log).

Cheers
Ken

jcochran.nospam NO[at]SPAM naplesgov.com
12/22/2003 4:27:34 PM

This really isn't very heavy traffic, and shouldn't stop your servers
from responding.

These are all different from your previous post, and all are requests
for CMD.EXE. Use URLScan to drop these requests.

Also, they are all from the same IP, 211.38.90.129. A Whois shows
these as an APNIC block, (Asia/Pacific) specifically Korea Telecom.
You could block this IP in your firewall, or if you have no legitimate
reason to get requests from Korea, maybe block 211.32.0.0 -
211.39.255.255, the entire range assigned to them.

David Wang [Msft]
12/23/2003 4:46:11 PM
This doesn't look like anything to be concerned about.

You posted both HTTPERR.log and a W3SVC web log. The HTTPERR shows some
repetitive attempts to send invalid requests to IIS6 (the requests just sent
"GET /url" without an HTTP version, hence logged as HTTP/0.0 ), but they
were quickly dropped with a 400 response. The 404 errors look like requests
rejected by URLScan, so you need to scan those logs for why they were
rejected.

Bottom line:
It looks like a bunch of random junk is being sent to you, but IIS6 is
pretty much ignoring them all as fast as possible.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
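The two readings above (Ken's: bare 404s with no URI are URLScan rejections; David's: HTTP/0.0 in HTTPERR means a request with no HTTP version, dropped with 400) as a triage pass over both log formats, added here as an example rather than code from any poster or from Microsoft. It assumes the W3SVC field order given in the comment, since the posted log has no #Fields header, and runs on excerpts of the lines quoted in this thread.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Assumed W3SVC field order (the post omits its #Fields header): date time
# c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...
# HTTPERR order is the documented one: date time c-ip c-port s-ip s-port
# cs-version cs-method cs-uri sc-status s-siteid s-reason. Samples are excerpts.
W3SVC_SAMPLE = """\
2003-12-21 17:21:53 211.38.90.129 - x.x.x.x 80 HEAD /index.asp - 200 362 40 - - -
2003-12-21 17:21:59 211.38.90.129 - x.x.x.x 80 - - - 404 245 65 - - -
2003-12-21 17:22:07 211.38.90.129 - x.x.x.x 80 - - - 404 143 109 - - -
2003-12-21 17:22:17 211.38.90.129 - x.x.x.x 80 - - - 404 245 103 - - -
2003-12-21 17:22:26 211.38.90.129 - x.x.x.x 80 - - - 404 245 115 - - -
2003-12-21 17:39:06 211.38.90.129 - x.x.x.x 80 HEAD /etc/passwd /c+dir+c:\\ 404 144 138 - - -
"""
HTTPERR_SAMPLE = """\
2003-12-21 18:17:04 211.38.90.129 4701 x.x.x.70 80 HTTP/0.0 HEAD /images/..%25%35%63..%25%35%63winnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4759 x.x.x.188 80 HTTP/0.0 HEAD /images/..%%35c..%%35cwinnt/system32/cmd.exe 400 - BadRequest
2003-12-21 18:17:04 211.38.90.129 4791 x.x.x.6 80 HTTP/0.0 HEAD /images/..%252e..%252ewinnt/system32/cmd.exe 400 - BadRequest
"""
TRAVERSAL = re.compile(r"\.\.[\\/]")

def fully_decode(uri, rounds=3):
    """Undo nested percent-encoding (%25%35%63 -> %5c -> backslash) until stable."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_suspicious(text):
    """Traversal, cmd.exe or /etc/passwd after decoding: the probes in this thread."""
    d = fully_decode(text).lower()
    return bool(TRAVERSAL.search(d)) or "cmd.exe" in d or "etc/passwd" in d

def triage_w3svc(text):
    """Per client IP: 404s with no method and no URI (URLScan rejections), URIs
    that still look hostile, and the median gap between requests in seconds."""
    per_ip = defaultdict(lambda: {"rejected": 0, "suspicious": [], "times": []})
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or line.startswith("#"):
            continue
        s = per_ip[f[2]]
        s["times"].append(datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"))
        if f[9] == "404" and f[6] == "-" and f[7] == "-":
            s["rejected"] += 1
        elif is_suspicious(f"{f[7]} {f[8]}"):
            s["suspicious"].append(f[7])
    result = {}
    for ip, s in per_ip.items():
        t = sorted(s["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
        # median, so one long pause does not hide the steady 10-15 s cadence
        result[ip] = {"rejected": s["rejected"], "suspicious": s["suspicious"],
                      "median_gap_s": statistics.median(gaps) if gaps else None}
    return result

def triage_httperr(text):
    """Per client IP: requests with no HTTP version (logged HTTP/0.0) and cmd.exe probes."""
    per_ip = defaultdict(lambda: {"no_version": 0, "cmd_probes": 0})
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or line.startswith("#"):
            continue
        s = per_ip[f[2]]
        if f[6] == "HTTP/0.0":
            s["no_version"] += 1
        if "cmd.exe" in fully_decode(f[8]).lower():
            s["cmd_probes"] += 1
    return dict(per_ip)
```

On the excerpt, every 404 without a URI and every HTTP/0.0 line comes from 211.38.90.129 at a median spacing of 9 seconds, which supports the replies above: a single slow source, all of it refused.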
Mike Larson
12/29/2003 10:16:00 AM
I wish I had a solution for you but I don't. I
experienced the same problem today, 12-29-03. My server
would not serve web pages, and when I looked at the CPU
utilization it was 90-100, but when I hit the Processes
tab the System Idle Process was 90. I have all patches,
URLScan, IIS Lockdown, and removed non-essential services.
I bet it is some new worm or virus. My attacker's IP was
64.223.230.X Verizon Global Networks, Inc.

Mike Larson
12/29/2003 12:43:07 PM
This might be our solution:
http://www.securitytracker.com/alerts/2003/Dec/1008563.html

People using Microsoft URLScan should add the TRACK verb to the DenyVerbs section
and make sure it is not in the AllowVerbs section of the urlscan.ini file.
