subject: (Fwd) RE: Web server crashed, now is trying to contact an IP b
posted: Tue, 25 Feb 2003 23:01:26 -0000


textbook Q & A

------- Forwarded message follows -------
From: "Levinson, Karl" <[email protected]>
To: "'incidents@securityfocus.com'" <[email protected]>
Subject: RE: Web server crashed, now is trying to contact an IP by port 80
every morning.
Date sent: Tue, 25 Feb 2003 08:21:25 -0500


Someone else here might have more knowledge on what that IP address is
and why Windows might be contacting it. All I can tell from
www.network-tools.com and http://visualroute.visualware.com is that it
appears to be from xo.com and may be located in or near Chicago IL, USA.
It seems to have no DNS host name. You've probably already checked the
firewall logs to look for other traffic to or from that address or
subnet.

This might not always be safe advice, but sometimes running nmap -O from
www.insecure.org and/or a port scanner like SuperScan from
www.foundstone.com/knowledge against that IP address might give
additional clues. [It would appear that IP is running SSH, and the HTTP
service mentions "server: swcd/5.0.2206", which I'm not familiar with and
couldn't find in Google either.]

I'm guessing this is not malicious, but unless someone else here can
confirm what this is, I might still try the things below to be safe.
Start with the things listed at this URL:

http://securityadmin.info/faq.htm#hacked

Note that if your server had been compromised, theoretically someone
could be seeing your keystrokes and start deleting evidence or worse.
You could consider unplugging the network cable to be safe.

I would consider using a sniffer to look at the contents of those
packets. Actually, in this case, temporarily installing www.sygate.com
onto the server might be something to try first instead of a sniffer,
because besides packet content, you might also be able to see which
executable generated the traffic, which a sniffer would not tell you.

http://securityadmin.info/faq.htm#sniffers

You could use Vision [or Fport] from www.foundstone.com/knowledge or
Active Ports from www.webattack.com/get/activeports.shtml or pslist /
pstools from www.sysinternals.com to see if there are any suspicious
processes on your computer. [Sygate would also already have told you
this information.]

You could also inspect the running processes in Task Manager, look for
recently changed files, and consider running an antivirus and
anti-trojan scanner. If you need links to free or not-free scanners,
see here:

http://securityadmin.info/faq.htm#antivirus
http://securityadmin.info/faq.htm#trojan

The free tools Filemon, Regmon and Process Explorer from
www.sysinternals.com might be useful in letting you see activity on your
server that you might not otherwise be able to see.

To confirm that your server hasn't been compromised through an IIS
exploit, you might check your IIS logs. You could first look for any
lines mentioning .EXE or % that also have a 200 or 502 status code
[though those events would not always necessarily represent successful
attacks].

http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs

As you may know, just installing all the latest patches is not the only
thing you should do to secure IIS. You'd also want to run through a few
hardening checklists, starting with the Baseline security checklists for
IIS and Windows at www.microsoft.com/technet/security. Those are not
comprehensive checklists, so URLs to other hardening checklists can be
found at:

http://securityadmin.info/faq.htm#harden

HTH

- karl
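The IIS log check Karl describes above (lines mentioning .EXE or % that also carry a 200 or 502 status), as an added example that is not part of the original thread. It parses the W3C Extended format that IIS 5 writes by default, taking column names from the #Fields: directive, decodes the URI twice so that %25-style double encoding shows up, and records why each line matched. The log lines are constructed samples, not the original poster's logs; the flagged /download/setup.exe hit is there to illustrate Karl's caveat that a match is not necessarily a successful attack.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the W3C Extended format IIS 5 writes by default.
# These are NOT the original poster's logs; the hostile-looking lines mimic the
# cmd.exe / encoded-traversal requests that were common against IIS at the time.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-02-23 00:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-02-23 00:00:45 10.1.1.5 - 192.168.1.10 80 GET /default.htm - 200 Mozilla/4.0+(compatible)
2003-02-23 00:01:02 203.0.113.9 - 192.168.1.10 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
2003-02-23 00:01:03 203.0.113.9 - 192.168.1.10 80 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 404 -
2003-02-23 00:01:05 203.0.113.9 - 192.168.1.10 80 GET /scripts/root.exe /c+dir 502 -
2003-02-23 00:02:00 10.1.1.7 - 192.168.1.10 80 GET /images/logo.gif - 200 -
2003-02-23 00:03:10 10.1.1.7 - 192.168.1.10 80 GET /download/setup.exe - 200 -
"""

# Status codes from the thread: 200 (request served) and 502 (CGI/ISAPI gateway error).
SUSPICIOUS_STATUS = {"200", "502"}


def parse_w3c(text):
    """Yield one dict per request line; column names come from the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip rather than misalign columns
        yield dict(zip(fields, values))


def flag_reasons(rec):
    """Return the reasons a record matches the .EXE / % filter ([] if it does not)."""
    if rec["sc-status"] not in SUSPICIOUS_STATUS:
        return []
    raw = rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]
    # Decode twice so %255c-style double encoding is visible as well as plain %5c.
    decoded = unquote(unquote(raw)).lower()
    reasons = []
    if "%" in raw:
        reasons.append("encoded-chars")
    if ".exe" in decoded:
        reasons.append("exe")
    if ".." in decoded:
        reasons.append("dot-dot")
    return reasons


def triage(text):
    """Return (hits, per_ip): flagged records with their reasons, and hit counts per client IP."""
    hits = []
    per_ip = Counter()
    for rec in parse_w3c(text):
        reasons = flag_reasons(rec)
        if reasons:
            hits.append({**rec, "reasons": reasons})
            per_ip[rec["c-ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG)
    for h in hits:
        print(h["date"], h["time"], h["c-ip"], h["sc-status"],
              h["cs-uri-stem"], h["cs-uri-query"], ",".join(h["reasons"]))
    print("hits per client:", dict(per_ip))
```

On a real W2K/IIS 5 box the files to feed in are the ex*.log files under %SystemRoot%\system32\LogFiles\W3SVC1 (one per site, per day); a client that produces several "dot-dot" or "exe" hits in a short window is worth far more attention than a single 200 for a legitimately hosted .exe download, which is exactly the false positive the last sample line produces.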


-----Original Message-----
From: Dan Harpold
To: incidents@securityfocus.com
Sent: 2/23/2003 10:20 PM
Subject: Web server crashed, now is trying to contact an IP
by port 80 every morning.

My web server crashed the other day. Got a blue screen and on reboot
NTLDR was missing. I reinstalled and reformatted the drive. Simple W2K
Server with IIS 5 and current service packs. It sits in a DMZ.

Now, each morning (only 2 days so far) at 12:00:45 AM, the machine is
trying to contact an outside server via HTTP. The external request,
which is being blocked by my firewall, is trying to go to 64.0.96.14. It
logs about fifteen attempts over the next ten seconds, then doesn't
appear until the next morning.


------- End of forwarded message -------

---
* Origin: [adminz] tech, security, support (192.168.0.2)

generated by msg2page 0.06 on Jul 21, 2006 at 19:04:32
