[thelist] Fun with Security Holes and Log Files

Paul Cowan paul at wishlist.com.au
Tue Jul 24 18:34:44 CDT 2001


Hi Ben, and listoids,

> Just curious...with all this garbage with Code Red (I found several 
> attempts at attacks on some of our sites), what are some 
> other phrases/text 
> to look for in a log file to signify standard IIS attacks?

We've actually got a fairly interesting way of handling this... we use IIS'
"Custom Error" handling to handle all our 404s (as do many people, no doubt).
One neat side-effect of this is that, *if* your server is patched up to the
hilt (and, of course, it should be), then all the attempts at 'cracking' your
server through the standard script kiddie exploits will also pass through the
404 page - and you can do something with them. In our case, this includes
emailing me to let me know the user IP address, HTTP headers, any significant
data (like if they're stupid enough to have logged on to our site before
trying to crack us).

I can then contact the ISP (sometimes), and say "hey, getting a crack attempt
from your servers... NOW. Can you kick the user's backside for me"? Good fun.

For what it's worth, here's the two arrays of strings I use to work out
if it's a "hack attempt":

' VBScript arrays checked (case-insensitively) against the request URL
' from the custom 404 page; note the line continuations.
HACK_STRINGS = Array("..%C0%AF..", "..%C1%9C..", "..%C1%1C..", "SYSTEM32", _
    "WINNT", "MSADC", "SCRIPTS", "_VTI_BIN", "EXE", "$DATA", ".HTR", ".HTW", _
    ".IDC", ".IDQ", ".IDA", ".IDW")

LAME_HACK_STRINGS = Array("CGI-BIN", "CFAPPMAN", "CFIDE", ".BIN", _
    "PASSWORD", "PASSWD", "WEBADMIN", "WEBDATA", "WEBBOARD", "TMP", "-CGI", _
    "SQL", "IISSAMPLES", "SETUP", "ROOT", "PUB", "PERL", "ORACLE", "ODBC", _
    "LOGIN", "JDBC", "FTP", "CART", "CCARD", "ADMINISTRATOR", "STATS", ".DAT", _
    "WEBLOW", ".CGI", ".PHP3", ".BAT", ".PW", "PRD.I", ".DLL", ".CSC", ".CFG", _
    ".LOG")

(the "lame hack strings" are possible hack attempts from REALLY lame people
who don't realise that we don't USE cgi-bin or Cold Fusion, or who think
that I'm seriously stupid enough to leave the "IISSAMPLES" directory on a
live server. The email notification I receive from a "Lame" hack attempt 
is considerably more.... derogatory to the cracker.)

These lists err on the paranoid side, but we get emailed ALL the 404s anyway
(makes picking up broken images a snap!), and it's pretty simple to go
"ahh, they're looking for login.gif, that's not a hack attempt".

Cheers,

Paul Cowan

PS: Pretty sure the one that says "WEBLOW" is supposed to say 
"WEBLOG"... dammit. We don't blow (I hope).
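The 404 classification Paul describes, recast as an added Python example that is not code from the original post: it runs his two lists, upper-cased, over a few constructed IIS-style 404 log lines and shows the login.gif false positive he mentions. The log layout, the IP addresses and the abbreviated request strings are constructed for the demo, and "WEBLOW" is written as "WEBLOG" as the PS says was intended.

```python
# Paul's two lists from the post, matched upper-case against the raw URL.
# "WEBLOW" is written as "WEBLOG", which the PS says was intended.
HACK_STRINGS = ["..%C0%AF..", "..%C1%9C..", "..%C1%1C..", "SYSTEM32", "WINNT",
                "MSADC", "SCRIPTS", "_VTI_BIN", "EXE", "$DATA", ".HTR", ".HTW",
                ".IDC", ".IDQ", ".IDA", ".IDW"]
LAME_HACK_STRINGS = ["CGI-BIN", "CFAPPMAN", "CFIDE", ".BIN", "PASSWORD", "PASSWD",
                     "WEBADMIN", "WEBDATA", "WEBBOARD", "TMP", "-CGI", "SQL",
                     "IISSAMPLES", "SETUP", "ROOT", "PUB", "PERL", "ORACLE", "ODBC",
                     "LOGIN", "JDBC", "FTP", "CART", "CCARD", "ADMINISTRATOR",
                     "STATS", ".DAT", "WEBLOG", ".CGI", ".PHP3", ".BAT", ".PW",
                     "PRD.I", ".DLL", ".CSC", ".CFG", ".LOG"]

def classify(url):
    """Return ("hack" | "lame" | "ok", [matched strings]) for one request URL.
    The URL stays percent-encoded and is upper-cased before matching, so the
    %C0%AF-style strings are still visible (decoding first would hide them)."""
    u = url.upper()
    hits = [s for s in HACK_STRINGS if s in u]
    if hits:
        return "hack", hits
    hits = [s for s in LAME_HACK_STRINGS if s in u]
    if hits:
        return "lame", hits
    return "ok", []

# Constructed sample, W3C-style fields: date time c-ip method uri-stem uri-query status
LOG = """\
2001-07-24 18:34:44 192.0.2.10 GET /default.ida XXXXXXXX%u9090%u6858=a 404
2001-07-24 18:35:01 192.0.2.11 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-07-24 18:35:30 192.0.2.12 GET /cgi-bin/test-cgi - 404
2001-07-24 18:36:02 192.0.2.13 GET /images/login.gif - 404
2001-07-24 18:36:40 192.0.2.14 GET /index.asp - 200
"""

def scan_log(text):
    """Run classify() over every 404 (the only status the custom-error page
    ever sees) and return (ip, url, verdict, hits) per matching line."""
    findings = []
    for line in text.splitlines():
        _date, _time, ip, _method, stem, query, status = line.split()
        if status != "404":
            continue
        url = stem if query == "-" else f"{stem}?{query}"
        verdict, hits = classify(url)
        findings.append((ip, url, verdict, hits))
    return findings

if __name__ == "__main__":
    for ip, url, verdict, hits in scan_log(LOG):
        print(f"{verdict:4} {ip:12} {url}  <- {hits}")
```

The last 404 in the sample is the "looking for login.gif" case: the lists flag it as "lame" on "LOGIN", which is exactly why the post keeps a human reading every notification.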
