Subject: Re: f**ked up IIS logs...
From: Krassimir Tzvetanov (krassiBOL.BG)
Date: Wed Oct 18 2000 - 01:56:10 CDT


What about someone trying to buffer overflow the server via an HTTP query?
I see similar stuff in my FTP logs when someone tries to overflow me.

                                        Krassi

Sean McHugh wrote:

> I suspect some tampering with my IIS logs (you can now infer that I've been
> owned); of course, it could be just bad M$ software. Has anyone ever seen the
> following:
>
> - W3SVC extended logs are set to create a new file every day; I'm logging
>   everything.
> - Logs appear normal on some days: mostly trusted connections, a few 404s and
>   401s to cgi-bin, etc.
> - Then all of a sudden I get a file with non-printing binary chars all over
>   it. It has all sorts of funky stuff that looks like a mixture of
>   HTML/JavaScript with what looks to me a little like the strings output of a
>   binary executable. Then some normal log stuff again.
> <snip>
> 
> <PART OF IT LOOKS LIKE IT'S FROM CERTSERV!!! --not running>
> {
> CEnroll.CEnroll.1 = s 'CEnroll Class'
> {
> CLSID = s '{43F8F289-7A20-11D0-8F06-00C04FC295E1}'
> }
> CEnroll.CEnroll = s 'CEnroll Class'
> {
> CurVer = s 'CEnroll.CEnroll.1'
> }
> NoRemove CLSID
> {
> ForceRemove {43F8F289-7A20-11D0-8F06-00C04FC295E1} = s
> 'CEnroll Class'
> {
> ProgID = s 'CEnroll.CEnroll.1'
> VersionIndependentProgID = s 'CEnroll.CEnroll'
> ForceRemove 'Programmable'
> InprocServer32 = s '%MODULE%'
> {
> val ThreadingModel = s 'Apartment'
> }
> }
> }
> }
> <PART OF IT LOOKS LIKE IT'S FROM CERTSERV!!! --not running>
> (...)
> ??W3OnlyNoAuth????iusr_xxx????????I?n?e?t?S?v?c?s?????NetApiBufferFree????Ne
> tUserModalsGet????netapi32.dll????SeAuditPrivilege????SeTcbPrivilege??/\??<>
> ??/LM/W3SVC???Virtual
> Roots????????*')óÐ(tm)S?ÀOÙÁ?*')óÐ(tm)S?ÀOÙÁD?sa-ñÐ(tm)S?ÀOÙÁRoot/??
> ?/Root???IIsWebVirtualDir????OFS?CDFS????HPFS????NTFS????FAT?%s,%s,%X????Aut
> horization???%?s?,?%?s?,?%?X?????DnsTTLInSeconds?DnsCacheSizeInK?DnsMaxThrea
> d????SYSTEM\CurrentControlSet\Services\InetInfo\Parameters???????ÿÿÿÿ1GZh5GZ
> h????ÿÿÿÿùGZhýGZh????ÿÿÿÿIZh
> IZh????ÿÿÿÿÄIZhÈIZh????ÿÿÿÿ?NZh?NZh????ÿÿÿÿzPZh?PZhMax Counters????Cac Calls
> to TsCloseURI()???Cac Calls to TsOpenURI()????Aac Open URI
> Files??\???\?\???\?????\?\???\?U?N?C?\?????"%x%x%x%x%x%x%x%x:%x"??? </UL> ?
> <LI> %s = %d?? IIS Cache Aux Counters. <p> <UL>???ÿÿÿÿ????ZoZh[0x%lx]
> Svc:Inst = %d:%d; iDemux=0x%lx; ref=%d; TTL=%d; hash=0x%lx; (%d)
> %s<br>?<hr><b>============ Bin %d ==========</b><br>???</TR></TABLE><p>Total
> Objects in bins: %d; OpenFilesInUse(%d); Max Allowed=%d. <br> <hr> The
> cached objects: ???<TD><font color="0x80808080">
> </font></TD>??<TD>%4d</TD>????</TR><TR><TH>[%3d] </TH>????<TH>%d</TH>?
> CacheTable at 0x%lx, MAX_BINS=%d<br><TABLE BORDER> <TR> <TH> Bin Number
> </TH>
> ?*.*?%s%s????RfZheEURZhkEURZh\???OpenFileInCache?CacheSecurityDescriptor?Dis
> ableSelectiveCacheFlush set to TRUE in Registry.
> ????DisableSelectiveCacheFlush??The Registry Setting will override the
> default.
> ????DisableCacheOplocks set to FALSE in Registry.
> ??DisableCacheOplocks set to TRUE in Registry.
> ???DisableCacheOplocks?DisableMemoryCache??DisableCacheOplocks set to TRUE
> by default.
> ????%s%u????ComLogDllCleanUp????ComLogNotifyChange??ComLogDllStartup????ComL
> ogQueryExtraLogFields???ComLogSetConfig?ComLogGetConfig?ComLogLogInformation
> ????ComLogTerminateLog??ComLogInitializeLog?iscomlog.dll????EventMessageFile
> ????SYSTEM\CurrentControlSet\Services\EventLog\System\??.event.log??????÷?Zh
> ??Zh÷?ZhÜÅZh[%x]
> ??%08x::[InetAcquireResourceShared] WaitForSingleObject Failed
> ???%08x::[InetAcquireResourceShared] Re-Waiting
> ???%08x::[InetAcquireResourceShared] Sem timeout
> ??%08x::[InetAcquireResourceExclusive] WaitForSingleObject Failed
> ????%08x::[InetAcquireResourceExclusive] Re-Waiting
> ????%08x::[InetAcquireResourceExclusive] Sem Timeout
> ???%08x::[InetConvertSharedToExclusive] WaitForSingleObject Failed
> ????%08x::[InetConvertSharedToExclusive] Re-Waiting
> ????%08x::[InetConvertSharedToExclusive] Sem timeout
> ???RtlGetNtProductType?ntdll.dll???SetCriticalSectionSpinCount?.??? Critical
> Error: Unable to Open File %s. Error = %d
> ???? Error: MakeBkupCopy() Not Yet Implemented
> ?CloseDbgPrintFile() : CloseHandle( %d) failed. Error = %d
> ??IISTRACE %s (%lu) [ %12s : %05d] ??????? Assertion (%s)
> Failed: %s
> use !cxr %p to dump context
> ???? TickCount = %u
> </snip>
>
> (sorry this was so long)
>
> SELF-DECEPTION #1:
>
> The only thing that I can think of, other than some hacker mangling my logs
> to cover his tracks, is that I'm running Outlook Web Access and that some of
> the attachments that people are grabbing are messing up the URLs that are
> logged (hey, it's just a guess.)
>
> SELF-DECEPTION #2:
> I also had a Dr. Watson from an errant device service (goddamn 3Com cards)
> that I have since shut down. However, due to the way the logs are mangled,
> I can't tell if the mangling coincides with the Dr. Watson.
>
> QUESTION #1:
> Has anyone at all seen something like this?
> QUESTION #2:
> Why can't I open the logs for read access while IIS is using them, like I
> can with Apache?
>
> Any help is greatly appreciated.
> Thank you
>
> Sean
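A defender-side check for the kind of log file Sean describes and the overflow attempts Krassi mentions, added here as an example and not part of the original thread: it walks an IIS W3C extended log and flags over-long URIs, request fields that carry non-printable bytes, and lines that no longer fit the #Fields layout at all. The log contents are constructed, and the 255-character URI threshold is an assumption.

```python
import re
from typing import List, NamedTuple

# Constructed sample, not from the original post: two normal hits, an
# over-long .htr request, a query carrying raw bytes, and a garbage line.
SAMPLE_LOG = (
    b"#Software: Microsoft Internet Information Services 5.0\n"
    b"#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem "
    b"cs-uri-query sc-status cs(User-Agent)\n"
    b"2000-10-17 00:00:01 10.0.0.5 - 10.0.0.1 GET /default.htm - 200 Mozilla/4.0\n"
    b"2000-10-17 00:00:09 10.0.0.7 - 10.0.0.1 GET /cgi-bin/test.cgi - 404 Mozilla/4.0\n"
    b"2000-10-17 00:01:13 10.0.0.9 - 10.0.0.1 GET /" + b"A" * 600 + b".htr - 500 -\n"
    b"2000-10-17 00:01:20 10.0.0.9 - 10.0.0.1 GET /scripts/x.asp \x90\x90\xeb\x05\xc0 500 -\n"
    b"\x00\x00\xff\xfeOE?'\xd8\xfcF garbage line not in log format\n"
    b"2000-10-17 00:02:00 10.0.0.5 - 10.0.0.1 GET /exchange/ - 401 Mozilla/4.0\n"
)

class Finding(NamedTuple):
    line_no: int   # 1-based line number in the log data
    reason: str    # "oversized", "binary" or "malformed"
    excerpt: str   # printable excerpt of the line for the report

NON_PRINTABLE = re.compile(r"[^\x20-\x7e]")

def scan_log(data: bytes, max_uri: int = 255) -> List[Finding]:
    """Return one Finding per problem; an empty list means a clean log."""
    findings: List[Finding] = []
    fields: List[str] = []
    # Split on raw newlines and decode latin-1 so every byte survives 1:1.
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.decode("latin-1").rstrip("\r")
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout for the lines that follow
            continue
        if line.startswith("#"):
            continue                   # other directives such as #Software
        excerpt = NON_PRINTABLE.sub(".", line)[:60]
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            findings.append(Finding(line_no, "malformed", excerpt))
            continue
        record = dict(zip(fields, parts))
        stem, query = record.get("cs-uri-stem", ""), record.get("cs-uri-query", "")
        if NON_PRINTABLE.search(stem + query):
            findings.append(Finding(line_no, "binary", excerpt))
        if len(stem) > max_uri or len(query) > max_uri:
            findings.append(Finding(line_no, "oversized", excerpt))
    return findings
```

Running `scan_log` over a day's file that should be clean gives a quick way to tell a log that was written with binary junk apart from one that is merely long.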