IUSR Account from another machine Logging into my server

    IUSR Account from another machine Logging into my server  
KramerCat




 
10-22-04 10:53 PM

Hello,

The IUSR account from another machine is logging into 3 different servers.
Is this right?  How does this happen?  All three logons occurred at the exact
same time.

Thank you,
Kramer








    Re: IUSR Account from another machine Logging into my server  
David Wang [Msft]




 
10-23-04 01:47 AM

Do you have that IUSR account name on your machine?  If you do not, then you
have nothing to worry about.  Anyone can attempt to log into any machine
with any credential (and it'll get logged in the security logs), but if they
don't succeed, no big deal.  If you locked down anonymous/guest access, no
one logged on even on login failure.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//



    Re: IUSR Account from another machine Logging into my server  
KramerCat




 
10-25-04 10:52 PM

Hello David,

Thank you for the response.  It was a successful log-in and I can't figure
out which machine it was from, just know it's not from any of my 3 machines.
By chance some malicious files were dropped on the machine at the same time
of this successful log in, so that's why I am so confused and suspicious.

Thank you,
Kramer



    Re: IUSR Account from another machine Logging into my server  
David Wang [Msft]




 
10-25-04 10:52 PM

What OS version are you referring to?
Do you have all patches?
Are you sure you weren't hacked *already* ? i.e. someone planted another
user on the machine

If you suspect malware, the only sure way to get clean is to back up your DATA (not
the entire server) and rebuild it.  If you've been hacked, back doors can be
planted that make cleanup difficult because you can no longer trust what the
machine tells you.


--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//



    Re: IUSR Account from another machine Logging into my server  
KramerCat




 
10-26-04 01:47 AM

Thanks again,

Forgot to add: OS is Windows 2000, SP4.

I checked my IIS logs and they are all crazy during that time period.  Lots
of null characters and even looks like some code in my logs.  Is this some
type of buffer overflow??

ugh, I just wanted to figure out what was going on since I felt like I was
all patched and secure.

Thanks again,
Kramer



    Re: IUSR Account from another machine Logging into my server  
David Wang [Msft]




 
10-26-04 07:47 AM

I am not aware of any known exploits against IIS5 on Windows 2000 SP4 (+
subsequent security rollup).

Extra null characters in the log file are not necessarily of concern since
IIS logs with a buffer, and if you can "read" the code in the log file, it
isn't executable.  Real executable code looks like binary gibberish.  Script
code in the log file may indicate script-based attack against particular web
pages, not IIS -- since IIS doesn't parse/use that data -- so you want to
look at those specific web pages.

If you are up-to-date on security patches, then my suspicion would turn to
whether you have a vulnerable application/web page (it is VERY EASY to write
insecure web pages open to exploitation).  Those sorts of targeted situations
suggest Insider-attack instead of random hacks/security vulnerabilities.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
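The log triage suggested in the reply above (ignore the null padding, then find which web pages received script-like or binary-looking requests), as an added example that is not part of the original thread. The sample log lines, the field set, the `SCRIPT_RE` heuristic and the function name `triage` are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample (not from the thread): W3C extended log text with
# trailing NUL padding; addresses are documentation ranges.
SAMPLE_LOG = (
    b"#Software: Microsoft Internet Information Services 5.0\r\n"
    b"#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\r\n"
    b"2004-10-22 22:51:07 192.0.2.10 GET /default.asp - 200\r\n"
    b"2004-10-22 22:52:40 198.51.100.7 GET /guestbook.asp "
    b"name=%3Cscript%3Ealert(1)%3C/script%3E 200\r\n"
    b"2004-10-22 22:53:02 198.51.100.7 GET /search.asp q=%01%02%FE%FF 500\r\n"
    b"2004-10-22 22:53:05 192.0.2.10 GET /search.asp q=iis+logging 200\r\n"
    + b"\x00" * 512
)

# Assumed heuristic for "readable code" in a request; tune for your own site.
SCRIPT_RE = re.compile(r"<\s*script|<%|javascript:", re.I)

def triage(raw: bytes):
    """Return (nul_padding_bytes, {cs-uri-stem: [(reason, date, time, c-ip)]})."""
    padding = raw.count(b"\x00")
    text = raw.replace(b"\x00", b"").decode("latin-1")  # drop buffer padding
    fields, hits = [], defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            hits["<malformed>"].append(("field count mismatch", line[:80], "", ""))
            continue
        rec = dict(zip(fields, values))
        stem, query = rec.get("cs-uri-stem", "-"), rec.get("cs-uri-query", "-")
        # Query strings are typically logged URL-encoded; decode before inspecting.
        payload = unquote_to_bytes((stem + "?" + query).replace("+", " "))
        if SCRIPT_RE.search(payload.decode("latin-1")):
            reason = "script-like text"
        elif any(b < 0x20 or b > 0x7E for b in payload):
            reason = "non-printable bytes"
        else:
            continue
        hits[stem].append((reason, rec.get("date"), rec.get("time"), rec.get("c-ip")))
    return padding, dict(hits)

if __name__ == "__main__":
    padding, hits = triage(SAMPLE_LOG)
    print(f"{padding} NUL padding bytes ignored")
    for page, events in hits.items():
        print(page, events)
```

The keys of the returned dictionary are the pages whose input handling deserves review first; the timestamps and client addresses can then be lined up against the logon time in the security log.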



    Re: IUSR Account from another machine Logging into my server  
KramerCat




 
10-26-04 12:47 PM

Thank you David,

I'll take a closer look at the logs again and also any web pages that the
code looks like it is with.  I know there were a lot of gibberish characters
in the mix of readable strings.

Thanks again for your assistance.

Kramer
All times are GMT.