all groups > iis security > june 2004 >
Am I hacked? IIS dying, 'telnet localhost 443' gives: Hallo, Willkommen auf Compactzone Stro!
I posted yesterday about my IIS dying. Original post is below. General consensus and most docs on the 115 error say something is listening on my http/https ports, however, netstat does not show anything. I am checking into third party utilities to get more info, but I found something very disturbing: My favorite trick for seeing if SMTP servers are running is 'telnet <host> 25' to see if server responds. I did this for port 80 and 443, and even when web service is stopped, I get a response on 443 that says:

    Hallo, Willkommen auf Compactzone Stro!
    Ich hoffe, Sie haben viel Spaß!
    Loader

    Danke für ihren Besuch!
    Bist zum nächsten Mal!
    Loader

This cannot be good. How can I find what this is and get rid of it?

Any help _greatly_ appreciated

Hal

-----------------------------------------------------------------------------------------------------

Something happened to my Exchange server over the weekend that caused a crash (nothing logged) and upon startup my IIS is failing with Event ID 115 (Service could not bind instance 1). This error is logged for both MSFTPSVC and W3SVC. All services seem to be running but OWA access to either port 80 or 443 gets a page cannot be displayed error. The access attempt is responded to with an account login and the logs show the access attempt. I am running a certificate, and a port redirection from port 80. Most docs I have found on this refer to running multiple instances which I do not have. My securebindings in metabase is correct. I have no other instances of either FTP or W3SVC. This behaves exactly the same either on reboot or IIS Admin restart. I have tried disabling SSL by removing port listener in default web site properties and service behaves exactly the same so it doesn't seem to be an SSL related problem.

Any suggestions greatly appreciated.

thanks
On Wed, 30 Jun 2004 17:14:17 +0100, Paul Lynch <paul.lynch@nospam.com> wrote:

> You're right. This doesn't sound good. You need to find out which
> process is binding to ports 80 and /or 443 on your server ASAP !
>
> Any of these tools will do this for you :
>
> http://www.sysinternals.com/ntw2k/source/tcpview.shtml
>
> http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm

Thanks for the response, one of the really strange parts about this is that I've tried tcpview and fport as well as netstat and nothing shows anything listening on 443. I get a normal response on 80 when IIS is running (even though event log shows 115 error), and when I shut down IIS I get no response on 80, but still get a response on 443. Yet nothing shows in LISTEN state on port mapper. Very strange. Any other suggestions? I am turning up nothing on problems like this in my net searches.

thanks again

Hal
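What Hal describes above (a port that answers a telnet connect while netstat, TCPView and fport all report nothing listening) is the classic symptom of a user-mode rootkit hooking the socket-enumeration APIs those tools share. The defender's check for that is a cross-view comparison: actually connect to each port from the network stack and compare with what the enumeration view reports; a port that accepts connections but is missing from the list is the discrepancy to chase. The script below is an added example, not code from this thread or from any of the tools it names. It assumes Python 3, stands in for the hidden listener with a local throwaway socket server that greets with the banner quoted in the thread, and stands in for rootkit-filtered output with a constructed `netstat -an` sample that simply omits that port. It also flags a plaintext server-first greeting on 443, since a real TLS endpoint says nothing until the client sends a ClientHello.

```python
import re
import socket
import threading

# Banner quoted in Hal's post; used here only as the greeting of a local
# stand-in listener so the example runs offline.
BANNER = b"Hallo, Willkommen auf Compactzone Stro!\r\n"

# Constructed sample of Windows `netstat -an` output.  The stand-in listener's
# port is deliberately left out, mimicking a rootkit hiding it from the
# enumeration APIs that netstat, TCPView and fport all rely on.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:{visible}      0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
"""

# Matches Windows ("TCP ... LISTENING") and Linux ("tcp ... LISTEN") rows; the
# optional group skips the Recv-Q/Send-Q columns that Linux netstat prints.
LISTEN_RE = re.compile(
    r"^\s*tcp\S*\s+(?:\d+\s+\d+\s+)?\S+:(\d+)\s+\S+\s+LISTEN", re.I | re.M)

TLS_PORTS = {443}  # ports where the server must not speak first in plaintext


def listening_ports_from_netstat(text):
    """Return the set of local ports netstat claims are in LISTEN state."""
    return {int(p) for p in LISTEN_RE.findall(text)}


def start_listener(banner=b"", host="127.0.0.1"):
    """Start a throwaway TCP server (stand-in for the unknown listener).
    A non-empty banner is sent before the client says anything, which is
    the server-speaks-first behaviour Hal saw on 443."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # OS picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket was shut down
                return
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_listener(srv):
    """Shut the listening socket so the blocked accept() returns, then close."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def probe(host, port, timeout=0.5):
    """TCP-connect to host:port and wait briefly for a server-first banner.
    Returns (accepted, banner_bytes); a refused or timed-out connect is
    reported as not accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return True, s.recv(256)
            except socket.timeout:
                return True, b""
    except OSError:
        return False, b""


def cross_view(host, ports, netstat_text):
    """Compare what the stack actually accepts with what netstat reports.
    Returns one finding dict per suspicious port."""
    reported = listening_ports_from_netstat(netstat_text)
    findings = []
    for port in ports:
        accepted, banner = probe(host, port)
        if not accepted:
            continue
        reasons = []
        if port not in reported:
            reasons.append("accepts connections but absent from netstat")
        if port in TLS_PORTS and banner:
            reasons.append("plaintext server-first banner on a TLS port")
        if reasons:
            findings.append({"port": port, "banner": banner, "reasons": reasons})
    return findings


def run_demo():
    """Stand up one visible and one hidden listener, run the cross-view
    check, and return (findings, hidden_port, visible_port)."""
    visible_srv, visible_port = start_listener()       # listed in netstat
    hidden_srv, hidden_port = start_listener(BANNER)   # omitted from netstat
    netstat_text = SAMPLE_NETSTAT.format(visible=visible_port)
    try:
        findings = cross_view("127.0.0.1", [visible_port, hidden_port], netstat_text)
    finally:
        stop_listener(visible_srv)
        stop_listener(hidden_srv)
    return findings, hidden_port, visible_port


if __name__ == "__main__":
    for f in run_demo()[0]:
        print(f"port {f['port']}: {'; '.join(f['reasons'])} banner={f['banner']!r}")
```

On a real host you would feed `cross_view` the live `netstat -an` text and the full port range 1-65535 instead of the two stand-in ports. Note what the result does and does not tell you: a hit proves the enumeration view is lying, not what is lying, and because the probe itself runs on the suspect machine a kernel-level rootkit could still interfere with it, which is why the thread's advice to confirm from another machine or an offline boot is the right follow-up.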
On Wed, 30 Jun 2004 08:00:27 -0600, hal@nospam.com wrote:

Hal,

You're right. This doesn't sound good. You need to find out which process is binding to ports 80 and /or 443 on your server ASAP !

Any of these tools will do this for you :

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm

Availability and description of the Port Reporter tool
http://support.microsoft.com/?id=837243

In the meantime I would seriously consider disconnecting your server from any network as a precaution.

I think you may need to spend some time reading this :

http://securityadmin.info/faq.asp#hackerstoc

http://securityadmin.info/faq.asp#re-secure

http://securityadmin.info/faq.asp#harden

Regards,

Paul Lynch
MCSE
Could be whatever it is has Windows root kit functionality, in which case you could try running RKDetect [search google] and/or scan the hard drive for viruses and/or suspicious files, registry entries and startup values either from another computer from across the network through Windows networking, or after slaving the hard drive in another known virus free Windows computer, or after booting to an alternate OS such as a Knoppix CD.

<hal@nospam.com> wrote in message news:96r5e05udqs76rnd135j75luutvaoct0id@4ax.com...
PS you are probably missing patches and have other insecure configuration. While it is useful to figure out what was done and what you did wrong, you may want to consider formatting and reinstalling and fully securing the computer after you have exhausted your investigation.

http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden

<hal@nospam.com> wrote in message news:96r5e05udqs76rnd135j75luutvaoct0id@4ax.com...
Hi Hal.

I am having the same problem you are. I have a server running IIS and I can't browse to port 443 using SSL anymore. It just started yesterday. I've been trying everything I can think of to get it going with no success. When I try to telnet the server using port 443 I get the same message you were getting that says 'Hallo, Willkommen auf Compactzone Stro!'. Have you found a way to resolve this issue yet? I can't seem to find an answer anywhere. Any help you can give would be GREATLY appreciated. If you don't have a solution yet and I can somehow figure out how to resolve this thing I will be sure to let you know.

Thanks,
Steve

hal@nospam.com wrote:
This is probably a flavor of Hacker Defender. The bottom line is a miscreant has remote access to the box with admin rights. You should format and reinstall the server. The attack vector could have been an exposed vulnerability, or a compromised admin account. It is likely that an MS04-011 vulnerability was exploited so you may want to confirm what day 835732 was applied.

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks!
~Andrew Davis
Microsoft PSS Security

--------------------
> Date: Thu, 08 Jul 2004 11:57:28 -0500
> From: Steve <123@abc.com>
> Newsgroups: microsoft.public.inetserver.iis,microsoft.public.inetserver.iis.security
> Subject: Re: Am I hacked? IIS dying, 'telnet localhost 443' gives: Hallo, Willkommen auf Compactzone Stro!
> Organization: TDS.NET Internet Services www.tds.net
> Message-ID: <40ed7cb2_3@newspeer2.tds.net>
Hello,

I have the same issue as noted below but was unable to find anything in the registry. I ran the utilities and nothing is registering on ports 443, 2004 or 21. However when I open a dos prompt and telnet to them I receive the German stuff letting me know they are open. Have you seen this before? I can't figure out what has these ports open.

Thanks

Damien

Paul Lynch <paul.lynch@nospam.com> wrote in message news:<77p5e0pmg76sfm7c8n0j2ni6sbh8rd8duf@4ax.com>...
You may have been taken over by something more insidious, like a rootkit that is able to fool utilities. I would seriously suggest you restore the machine from known good backups (or rebuild the machine from scratch)

Cheers
Ken

"Damien" <damianini@hotmail.com> wrote in message news:9e04e035.0407131049.68b821c9@posting.google.com...
Hal,

I just read your post from June about your IIS issue and I am having the same problem (I think) since I installed Sygate Firewall. Not sure what's going on...did you resolve your problem? If so, can I email you tonight for a troubleshooting session? I have tried everything you have described and don't see my port 443 listed anywhere except on the Sygate screen and when I do a backtrace, I end up somewhere not describable by the program...

Matt Stone
mstone@dhs.ca.gov
mstone@directcon.net

hal@nospam.com wrote: