IIS Server Security - Event ID 560 - IUSR Attempting to run MSPaint.exe and Shell32.dll ?


Tienna Kim

2004-04-27, 6:35 pm

Hello,

We recently noticed several failure audits on our web server (Windows 2K, IIS 5) where the IUSR is attempting to run applications on the server such as MS Paint and Shell32.dll. Process ID 1440 belongs to inetinfo.exe.

The IIS logs don't have any entries around the times the failure audits are being logged. Could the server be under attack? If so, any idea on how they are getting access if it's not being logged in the IIS logs? The server is pretty well maintained with the latest patches and virus definitions and sits behind a firewall. We have also run the IIS Lockdown and unfortunately we cannot use URLScan due to incompatibility with a third party app we are using. We would be very interested to know how they got in this far - even if they didn't succeed - so we can protect the server against whatever vulnerability is being exploited.

Is there any special meaning to the object name using the path \Device\HarddiskDm..\..\..\WINNT\system32\.... rather than just going straight to C:\WINNT\system32\... ?

Any help/insights would be greatly appreciated. Thanks!

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/27/2004
Time: 1:28:19 PM
User: DEP02\IUSR_DEP02
Computer: DEP02
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\WINNT\system32\MSPAINT.EXE
New Handle ID: -
Operation ID: {0,173034924}
Process ID: 1440
Primary User Name: DEP02$
Primary Domain: COSVCS
Primary Logon ID: (0x0,0x3E7)
Client User Name: IUSR_DEP02
Client Domain: DEP02
Client Logon ID: (0x0,0x31622)
Accesses READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Privileges -
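As an added defender-side example (not part of the original thread): parse the 560 record as posted, translate the \Device\... object name (Event 560 records the kernel object name, which is why no drive letter appears) into the drive path, and check the IIS log for requests near the event time, allowing for IIS writing its W3C log in UTC while the event shows local time. The event text, the IIS log lines, the volume-to-drive mapping and the -4 h UTC offset are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the 560 failure audit from the post, as exported text.
EVENT_560 = r"""Event ID: 560
Date: 4/27/2004
Time: 1:28:19 PM
Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\WINNT\system32\MSPAINT.EXE
Process ID: 1440
Client User Name: IUSR_DEP02
Accesses READ_CONTROL
ReadData (or ListDirectory)
WriteAttributes
"""
# Constructed IIS W3C extended log; IIS writes these timestamps in UTC.
IIS_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-04-27 17:05:00 10.0.0.5 GET /default.asp 200
2004-04-27 17:28:10 10.0.0.5 GET /app/report.asp 200
2004-04-27 17:28:21 10.0.0.5 POST /app/report.asp 500
"""
# Assumed volume-to-drive mapping (on a real host: MountedDevices registry key or fsutil).
DEVICE_TO_DRIVE = {r"\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2": "C:"}

def parse_event(text):
    """Parse 'Name: value' fields plus the colon-less Accesses block."""
    ev = dict(re.findall(r"^([A-Za-z ]+?):\s*(.*)$", text, re.M))
    m = re.search(r"^Accesses\s+(.*?)(?:\n\n|\Z)", text, re.M | re.S)
    ev["Accesses"] = [a.strip() for a in m.group(1).splitlines()] if m else []
    ev["When"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
    return ev

def to_win32_path(nt_path):
    """Map the NT device object name to the drive-letter path it denotes."""
    for dev, drive in DEVICE_TO_DRIVE.items():
        if nt_path.upper().startswith(dev.upper()):
            return drive + nt_path[len(dev):]
    return nt_path

def requests_near(event_local, iis_log, utc_offset_h, window_s=30):
    """IIS requests within window_s of a local event time; the log is UTC,
    so shift the event by the server's UTC offset (assumed -4 h in the test)."""
    centre = event_local - timedelta(hours=utc_offset_h)
    hits = []
    for line in iis_log.splitlines():
        if not line or line.startswith("#"):
            continue
        d, t = line.split()[:2]
        ts = datetime.strptime(d + " " + t, "%Y-%m-%d %H:%M:%S")
        if abs((ts - centre).total_seconds()) <= window_s:
            hits.append(line)
    return hits
```

An empty result from requests_near with the correct offset supports the poster's observation that nothing reached IIS at that moment; a wrong offset (try 0 here) produces the same empty result for the wrong reason.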




Copyright 2003 - 2008 webservertalk.com