Subject: f**ked up IIS logs...
From: Sean McHugh (Sean.McHugh@EPIC.SUNGARD.COM)
Date: Tue Oct 17 2000 - 10:46:49 CDT
- Next message: Wandering One: "Re: Symantec IDS Experts????????????????????"
- Previous message: stewart_watkiss@UK.IBM.COM: "Re: Symantec IDS Experts????????????????????"
- Next in thread: Krassimir Tzvetanov: "Re: f**ked up IIS logs..."
- Reply: Krassimir Tzvetanov: "Re: f**ked up IIS logs..."
I suspect some tampering with my IIS logs (you can now infer that I've been owned). Of course, it could be just bad M$ software; has anyone ever seen the following:
- W3SVC extended logs are set to create a new file every day - I'm logging everything.
- Logs appear normal on some days, mostly trusted connections, a few 404s/401s to cgi-bin, etc.
- Then all of a sudden I get a file with non-printing binary chars all over it. It has all sorts of funky stuff that looks like a mixture of HTML/JavaScript with what looks to me a little like strings output of a binary executable. Then some normal log stuff again.
<snip>
OE?'F-
<?16]'Z%U5>$yXi3?A`("R%'EUR
040a^PESPPESP8501252
040bPFINPFIN8501252040cPFRAPFRA850
1252040fPISLPISL8501252041dPSVE
PSWE8501252-042dPEUQPESP8501252
080aQESMQMEX8501252080cPFRBQBEL850
12520c07QDEA QAUT8501252
0c09(QENA0QAUS8501252
0c0a
QESNPESP85012520c0cPFRCXQCAN850
1252
100aQESG`QGTM8501252100cPFRSpQCHE850
1252
140aQESCEURQCRI8501252140cPFRLQLUX850
1252
180aQESAQPAN8501252
1c09(QENSQZAF4371252
1c0aQESDQDOM8501252
200aQESVQVEN8501252
$240aQESOQCOL8501252
(280aQESRQPER8501252
,2c0aQESSQARG8501252
0300aQESFRECU8501252
4340aQESLRCHL8501252
8380aQESYRURY8501252
<3c0aQESZ
RPRY8501252.
0R8R
RHRPRXR`RhRpRxREURRRR
RRRRRRRRRRSSSS
S0S8SR
SHSPSXShSpSEURSS~SSSS
?q=
ףp=
<PART OF IT LOOKS LIKE IT'S FROM CERTSERV!!! --not running>
{
CEnroll.CEnroll.1 = s 'CEnroll Class'
{
CLSID = s '{43F8F289-7A20-11D0-8F06-00C04FC295E1}'
}
CEnroll.CEnroll = s 'CEnroll Class'
{
CurVer = s 'CEnroll.CEnroll.1'
}
NoRemove CLSID
{
ForceRemove {43F8F289-7A20-11D0-8F06-00C04FC295E1} = s
'CEnroll Class'
{
ProgID = s 'CEnroll.CEnroll.1'
VersionIndependentProgID = s 'CEnroll.CEnroll'
ForceRemove 'Programmable'
InprocServer32 = s '%MODULE%'
{
val ThreadingModel = s 'Apartment'
}
}
}
}
<PART OF IT LOOKS LIKE IT'S FROM CERTSERV!!! --not running>
(...)
W3OnlyNoAuthiusr_xxxInetSvcsNetApiBufferFreeNe
tUserModalsGetnetapi32.dllSeAuditPrivilegeSeTcbPrivilege/\<>
/LM/W3SVCVirtual
Roots*')(tm)SO*')(tm)SOD?sa-(tm)SORoot/
/RootIIsWebVirtualDirOFSCDFSHPFSNTFSFAT%s,%s,%XAut
horization%s,%s,%XDnsTTLInSecondsDnsCacheSizeInKDnsMaxThrea
dSYSTEM\CurrentControlSet\Services\InetInfo\Parameters1GZh5GZ
hGZhGZhIZh
IZhIZhIZhNZhNZhzPZhPZhMax CountersCac Calls
to TsCloseURI()Cac Calls to TsOpenURI()Aac Open URI
Files\\\?\\\?\UNC\"%x%x%x%x%x%x%x%x:%x" </UL>
<LI> %s = %d IIS Cache Aux Counters. <p> <UL>ZoZh[0x%lx]
Svc:Inst = %d:%d; iDemux=0x%lx; ref=%d; TTL=%d; hash=0x%lx; (%d)
%s<br><hr><b>============ Bin %d ==========</b><br></TR></TABLE><p>Total
Objects in bins: %d; OpenFilesInUse(%d); Max Allowed=%d. <br> <hr> The
cached objects: <TD><font color="0x80808080">
</font></TD><TD>%4d</TD></TR><TR><TH>[%3d] </TH><TH>%d</TH>
CacheTable at 0x%lx, MAX_BINS=%d<br><TABLE BORDER> <TR> <TH> Bin Number
</TH>
*.*%s%sRfZheEURZhkEURZh\OpenFileInCacheCacheSecurityDescriptorDis
ableSelectiveCacheFlush set to TRUE in Registry.
DisableSelectiveCacheFlushThe Registry Setting will override the
default.
DisableCacheOplocks set to FALSE in Registry.
DisableCacheOplocks set to TRUE in Registry.
DisableCacheOplocksDisableMemoryCacheDisableCacheOplocks set to TRUE
by default.
%s%uComLogDllCleanUpComLogNotifyChangeComLogDllStartupComL
ogQueryExtraLogFieldsComLogSetConfigComLogGetConfigComLogLogInformation
ComLogTerminateLogComLogInitializeLogiscomlog.dllEventMessageFile
SYSTEM\CurrentControlSet\Services\EventLog\System\.event.logZh
ZhZhZh[%x]
%08x::[InetAcquireResourceShared] WaitForSingleObject Failed
%08x::[InetAcquireResourceShared] Re-Waiting
%08x::[InetAcquireResourceShared] Sem timeout
%08x::[InetAcquireResourceExclusive] WaitForSingleObject Failed
%08x::[InetAcquireResourceExclusive] Re-Waiting
%08x::[InetAcquireResourceExclusive] Sem Timeout
%08x::[InetConvertSharedToExclusive] WaitForSingleObject Failed
%08x::[InetConvertSharedToExclusive] Re-Waiting
%08x::[InetConvertSharedToExclusive] Sem timeout
RtlGetNtProductTypentdll.dllSetCriticalSectionSpinCount. Critical
Error: Unable to Open File %s. Error = %d
Error: MakeBkupCopy() Not Yet Implemented
CloseDbgPrintFile() : CloseHandle( %d) failed. Error = %d
IISTRACE %s (%lu) [ %12s : %05d] ?? Assertion (%s)
Failed: %s
use !cxr %p to dump context
TickCount = %u
</snip>
(sorry this was so long)
SELF-DECEPTION #1:
The only thing that I can think of other than some hacker mangling my logs to cover his tracks is that I'm running Outlook Web Access and that some of the attachments that people are grabbing are messing up the URLs that are logged (hey, it's just a guess).
SELF-DECEPTION #2:
I also had a Dr. Watson from an errant device service (goddamn 3Com cards) that I have since shut down. However, due to the way the logs are mangled, I can't tell if the mangling coincides with the Dr. Watson.
QUESTION #1:
Has anyone at all seen something like this?
QUESTION #2:
Why can't I open the logs for read access while IIS is using them - like I can with Apache?
Any help is greatly appreciated.
Thank you
Sean
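The following is an added example, not part of Sean's post and not any IIS or Microsoft tooling. It addresses the practical problem the post raises: a W3C extended log that is clean for a while, then carries a run of non-printable bytes with strings(1)-like fragments, then is clean again, and the admin cannot tell whether the damaged stretch lines up with a known crash. The scanner treats a line as clean only if it is a `#` directive, blank, or starts with a `YYYY-MM-DD HH:MM:SS` timestamp and contains nothing outside printable ASCII; every other line is folded into a run, and each run is bracketed with the timestamps of the last clean entry before it and the first clean entry after it, so the window can be compared against a Dr. Watson or event-log timestamp. The sample log is constructed (the IIS 4.0 header, addresses, and binary bytes are invented for the example; the `CEnroll` and `ntdll.dll` fragments only mimic the kind of strings seen in the post).

```python
"""Added example (not part of the original post): flag runs of non-printable
bytes in an IIS W3C extended log and bracket each run with the nearest clean
entry timestamps so it can be correlated with other events on the host."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (not real data): two clean entries, a two-line run of
# binary garbage carrying strings(1)-style fragments, then a clean entry.
SAMPLE_LOG = (
    b"#Software: Microsoft Internet Information Server 4.0\r\n"
    b"#Version: 1.0\r\n"
    b"#Date: 2000-10-16 00:00:01\r\n"
    b"#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-stem "
    b"cs-uri-query sc-status sc-bytes cs(User-Agent)\r\n"
    b"2000-10-16 00:00:01 10.0.0.5 - W3SVC1 GET /default.htm - 200 1234 Mozilla/4.0\r\n"
    b"2000-10-16 00:00:09 10.0.0.5 - W3SVC1 GET /cgi-bin/test.pl - 404 3 Mozilla/4.0\r\n"
    b"040a^P\x00ESP\x00PESP\x008501252\x01\x02\xff\x00CEnroll.CEnroll.1 = s 'CEnroll Class'\r\n"
    b"\x00\x00\x00\x00RtlGetNtProductTypentdll.dll\x00\r\n"
    b"2000-10-16 00:01:03 10.0.0.7 - W3SVC1 GET /exchange/ - 401 0 Mozilla/4.0\r\n"
)

# A well-formed W3C entry starts with "YYYY-MM-DD HH:MM:SS ".
TIMESTAMP_RE = re.compile(rb"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
# Bytes a clean log line may contain: printable ASCII plus tab and CR/LF.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


@dataclass
class Anomaly:
    first_line: int              # 1-based line number where the run starts
    last_line: int               # 1-based line number where the run ends
    before: Optional[bytes]      # timestamp of the last clean entry before the run
    after: Optional[bytes]       # timestamp of the first clean entry after the run
    nonprintable: int            # how many non-printable bytes the run contains
    strings: List[bytes]         # printable fragments recovered from the run


def printable_strings(data: bytes, min_len: int = 4) -> List[bytes]:
    """Return runs of printable ASCII of at least min_len bytes (like strings(1))."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def scan_log(data: bytes) -> List[Anomaly]:
    """Group consecutive malformed lines into runs, bracketed by clean timestamps."""
    anomalies: List[Anomaly] = []
    last_good: Optional[bytes] = None
    current: Optional[Anomaly] = None
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        bad = sum(1 for b in line if b not in PRINTABLE)
        m = TIMESTAMP_RE.match(line)
        clean = bad == 0 and (m is not None or line.startswith(b"#") or line == b"")
        if clean:
            if current is not None:          # a run just ended; record it
                anomalies.append(current)
                current = None
            if m is not None:
                last_good = m.group(1)
                for a in anomalies:          # fill in the 'after' bound of open runs
                    if a.after is None:
                        a.after = last_good
            continue
        # Malformed line: binary bytes, or no timestamp/directive at the start.
        if current is None:
            current = Anomaly(lineno, lineno, last_good, None, 0, [])
        current.last_line = lineno
        current.nonprintable += bad
        current.strings.extend(printable_strings(line))
    if current is not None:                  # file ended inside a run
        anomalies.append(current)
    return anomalies


def report(anomalies: List[Anomaly]) -> List[str]:
    """One human-readable line per run, for correlation with other host events."""
    lines = []
    for a in anomalies:
        before = a.before.decode() if a.before else "start of file"
        after = a.after.decode() if a.after else "end of file"
        frags = b", ".join(a.strings[:3]).decode("ascii", "replace")
        lines.append(f"lines {a.first_line}-{a.last_line}: {a.nonprintable} "
                     f"non-printable bytes between {before} and {after}; "
                     f"fragments: {frags}")
    return lines


if __name__ == "__main__":
    for line in report(scan_log(SAMPLE_LOG)):
        print(line)
```

Run it against a real log by replacing `SAMPLE_LOG` with the file's bytes (read in binary mode, since the damaged stretch is not valid text). The recovered fragments are what let you tell a crash dump from a web request: registry-script and DLL export names, as in the post, point at process memory rather than at anything a client sent, and the bracketing timestamps give the window to check against the Dr. Watson log.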