• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 905
  • Last Modified:

Is this an IIS 6.0 XML document security hack?

I've been seeing weird things with my .NET web site in regard to XML files on the server.  XML files (including my web.config file) suddenly will have the following data inserted into them (see below).  It looks like information I saw in a Windows security event log entry here, ( http://www.eggheadcafe.com/ng/microsoft.public.windows.server.sbs/post644880.asp ) but it is not clear text--in between each character there is a 'square' symbol (when viewed in EditPlus).

Is somebody hacking by writing event log info to the XML file?

kerberos {some numbers/letters here resembling a guid}
local IP address here
(my servername here )
(my computer/domain name here)
(a few lines of gobbledygook here)
sesecurityprivilege
sebackupprivilege
setakeownershipprivilege
SeDebugPrivilege  
SeSystemEnvironmentPrivilege  
SeLoadDriverPrivilege  
SeImpersonatePrivilege  
SeEnableDelegationPrivilege

then the above repeats many times
0
Asked: tomandlis
1 Solution
 
tomandlisAuthor Commented:
I guess I should add (whether this is a security hack or not), how do I stop it?
0
 
dnojcdCommented:
You will get these kinds of entries in the event log if you have enabled auditing for process tracking, privilege use and system
events. But getting the event log into the XML files is a new thing as far as I am concerned.

You can try disabling the auditing and check if it re-appears.
0
 
tomandlisAuthor Commented:
Hmm, I'm a bit hesitant to turn off auditing as it is probably a good thing to have to see if someone is trying to repeatedly log in (intrusion).
0
 
tomandlisAuthor Commented:
OK, well it doesn't look like anyone else is going to suggest an alternative, so how do I disable auditing?
0
 
tomandlisAuthor Commented:
BTW, I have to think this is some sort of intrusion (maybe a new technique)
0
 
dnojcdCommented:
If no one else is having any other idea you can disable auditing by going to the Group Policy settings. I think it should come under the Audit Policy or something like that.
0
 
tomandlisAuthor Commented:
Could you give me a click-by-click description on how to do that on W2K3 Server (small busn edition). I looked around and couldn't find 'Audit Policy' in Administrative Tools or Control Panel.
0
 
dnojcdCommented:
Type gpedit.msc in the Run box :-) then you will find the Group Policy. In that one, go under Computer settings--Windows settings---Security settings---Local Policy---Audit Policy
0
 
tomandlisAuthor Commented:
Well, it appears unrelated to the audit policy as I turned it off and still got hacked (maybe).  Today I found that one of my ASP files had its contents written over with a bunch of gobbledygook (binary) right on a line that was working with an XML doc.

The line looked like this

xmlDoc.documentElement.selectNodes(...)

The "..." part was overwritten with "tof tof tof ..." (about 1000 times with a, I think, vbCrLf newline character in between), then it goes into a bunch of binary gobbledygook looking like alphabet and control character soup, and then it ends with "...tof tof tof" (about 1000 times).

Ideas?
0
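The two symptoms described in this thread (event-log privilege names written into XML files with a "square" between each character, and an .asp line whose selectNodes(...) argument was overwritten with "tof tof tof ..." filler) can be swept for across a web root with a small integrity scanner. This is an added example, not code from the thread; it assumes the "square" characters are the NUL bytes of UTF-16 text landing in an ANSI file, generalizes the filler check to any short repeated token, and runs against constructed sample files so it works offline.

```python
"""Scan an IIS web root for the file-tampering indicators described in this thread."""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Privilege names the poster found written into XML files (taken from the thread).
PRIVILEGES = [b"SeSecurityPrivilege", b"SeBackupPrivilege", b"SeTakeOwnershipPrivilege",
              b"SeDebugPrivilege", b"SeSystemEnvironmentPrivilege", b"SeLoadDriverPrivilege",
              b"SeImpersonatePrivilege", b"SeEnableDelegationPrivilege"]
TEXT_SUFFIXES = {".xml", ".config", ".asp", ".aspx"}

def _pattern(name: bytes) -> re.Pattern:
    # Match the name as plain ASCII or as UTF-16LE (a NUL after every character, which an
    # ANSI editor shows as a "square" between letters), case-insensitively.
    utf16 = name.decode().encode("utf-16-le")
    return re.compile(b"(?:%s|%s)" % (re.escape(name), re.escape(utf16)), re.IGNORECASE)

PRIVILEGE_PATTERNS = list(zip(PRIVILEGES, map(_pattern, PRIVILEGES)))
# A 2-5 letter token repeated 50+ times, separated by whitespace or NUL ("tof tof tof ...").
FILLER_RUN = re.compile(rb"([A-Za-z]{2,5})(?:[\s\x00]+\1){49,}")

def suspicious_markers(data: bytes) -> list[str]:
    """Return the tampering indicators found in the raw bytes of one text file."""
    found = []
    if b"\x00" in data:
        found.append("nul-bytes")           # ANSI/UTF-8 web content should never contain NUL
    privs = [p.decode() for p, pat in PRIVILEGE_PATTERNS if pat.search(data)]
    if privs:
        found.append("privilege-names:" + ",".join(privs))
    run = FILLER_RUN.search(data)
    if run:
        found.append("repeated-token:" + run.group(1).decode())
    ctl = sum(1 for b in data if b < 32 and b not in (9, 10, 13))  # "binary soup" test
    if data and ctl / len(data) > 0.01:
        found.append("control-chars")
    return found

def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Map each suspicious file under root (relative path) to its indicators."""
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            markers = suspicious_markers(path.read_bytes())
            if markers:
                hits[str(path.relative_to(root))] = markers
    return hits

def demo() -> dict[str, list[str]]:
    """Constructed web root: one clean file plus the two kinds of damage from the thread."""
    root = Path(tempfile.mkdtemp())
    (root / "clean.xml").write_bytes(b'<?xml version="1.0"?><config><add key="db" value="x"/></config>')
    (root / "web.config").write_bytes(   # event-log text appended as UTF-16LE
        b"<configuration/>" + "SeDebugPrivilege\r\nSeLoadDriverPrivilege".encode("utf-16-le"))
    (root / "page.asp").write_bytes(     # selectNodes(...) argument overwritten with filler
        b"xmlDoc.documentElement.selectNodes(" + b"tof\r\n" * 1000 + b")")
    return scan_webroot(root)
```

Run `demo()` to see the constructed results; in practice point `scan_webroot` at the real site root from a known-clean machine, and treat any hit as a reason to compare the file against a backup rather than just cleaning it.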
 
tomandlisAuthor Commented:
Well, more evidence this is a hack.  Today someone dropped the backend DB to the site.  My guess is they found out the DB name using this MSXML DOMDocument hack and then they injected SQL to drop the DB.
0
 
tomandlisAuthor Commented:
Changed all my passwords on the box and dropped unnecessary users.  They had logged onto the box using Remote Desktop -- I figured that out only because they made one slip which let me know they were logged in via RD.  However, they cleaned all the logs and I don't think I'll be able to identify them.  IIS was definitely their point of entry for recon because they deleted all the logs on the days they hacked.

Someone should alert MS about this because this appears to be a new hack.  How would I get them involved?

They were after credit card info, fortunately I had none in my DB.
0
 
GranModCommented:
PAQed with points refunded (300)

GranMod
Community Support Moderator
0
