Full Version: OT: MS Server Question, HELP!
SirAndy
sooo, on one (actually 2) of our servers running IIS, we get a lot of hack attempts lately. they're all of the same type, buffer overflow attacks on port 80.

i have all the latest security patches (Windows NT 4) and they are NOT compromising the box, that's the good news.

the bad news is, that lately, the type of attack has slightly changed and now they succeed in crashing IIS!

so here's the problem:
this box (or 2) run important eCommerce websites for me so closing port 80 or moving to another port is NOT an option.
moving to another OS is NOT an option. banning IP's is NOT an option (most of those kids are on dialup DSL, so i would have to block a whole range, most likely cutting out legit customers)
how can i run those websites without having IIS die on me a couple of times a day?

the only thing i can think of is to implement some sort of content filtering that removes malicious code before it gets to the web-server.
anyone here who has a running example of a setup like that?
what (good) firewalls have that sort of filtering and how much do they cost?

i'm at the end of the rope here ...
Andy
boxsterfan
There are several tricks, but some copies of the IIS logs to see exactly what they are doing would be helpful.

1. Run IISLockdown
2. Remove any of the defaults installed with IIS (default web site, etc..)
3. File permissions
4. Install a Host-based IDS
5. Install AntiVirus
6. Have enough RAM?
7. Are you sure you have all the patches on?
8. Upgrade to WIN2K with IIS 5.0 (much more stable web server, but still requires patching)

I work in the financial industry. http://www.visa.com/cisp has many requirements to help lock down systems.

Do you have a custom ISAPI DLL crashing the box? Need more info on your setup.
SirAndy
nope, it's a simple HTTP request that has way too many characters (buffer overflow attack) ...

and IIS just stops working. no other harm done.


1. Run IISLockdown
how would that help?

2. Remove any of the defaults installed with IIS (default web site, etc..)
done 2 years ago when the machine was first installed

3. File permissions
huh? how would that help?

4. Install a Host-based IDS
how would that help?

5. Install AntiVirus
i do have norton antivirus software, but that won't help cause there's no VIRUS transmitted.

6. Have enough RAM?
yes, plenty of ram, why?

7. Are you sure you have all the patches on?
positive

8. Upgrade to WIN2K with IIS 5.0 (much more stable web server, but still requires patching)
that might be an option, but are you sure IIS5 doesn't have the same problem?

9. Do you have a custom ISAPI DLL crashing the box?
nope, it's a buffer overflow attack from the OUTSIDE


Andy
mikester
Couple of questions...

What version of IIS? I'm assuming NT4 = IIS4 but I'm not positive.

The IIS Lockdown tool is a Microsoft tool to evaluate your IIS server for vulnerabilities. It will tell you if something is not right according to Microsoft (consider the source). If you haven't run it - you should. If you have, it probably won't help but it also won't hurt.

Other than that - a log message from the event log would help a great deal in troubleshooting.

Otherwise what steps have you actually taken to fix the problem?
boxsterfan
Could you post a log of the buffer overflow attack from the IISLogs?
KaptKaos
On a long term basis, I think you are best served by moving to W2k/w2k3. Nt4 is no longer supported by MS and there will be no more patching. As attacks come out, MS will not be doing anything to help you, so you are on your own.

Host based intrusion detection is a good idea, however, you may run into support issues because you are still using NT4.
brians914
Move on man!
SirAndy
here's some stuff from the logs, the XXXXXXXX is where my hostname and IP would be.


normal valid request:

195.219.183.5, -, 5/25/04, 1:36:41, W3SVC11, XXXXXXXX, XXXXXXXX, 0, 497, 0, 200, 0, GET, /index.asp, -,

hack attempt that doesn't cause any problems: (i have been seeing those for quite a while now)

142.176.139.196, -, 5/25/04, 3:02:03, W3SVC11, XXXXXXXX, XXXXXXXX, 0, 59, 0, 500, 87, GET, /scripts/..%5c%5c../winnt/system32/cmd.exe, /c+dir,

this is new, causes IIS to crash!

66.131.233.237, -, 5/25/04, 3:54:58, W3SVC11, XXXXXXXX, XXXXXXXX, 0, 65623, 280, 501, 50, SEARCH, /±±±±± [... more here, i cut the rest out, too long ...]



now what? upgrade to win2k advanced?
anyone got any leads on a firewall with a good active filtering system?

Andy
boxsterfan
Looks like a WEBDAV hack attempt. IIS4 does not support WEBDAV, but it does have the vulnerability in ntdll.dll.

Have you applied MS03-007 for NT4.0?

MS03-007 Patch
KaptKaos
QUOTE
now what? upgrade to win2k advanced?
anyone got any leads on a firewall with a good active filtering system?


I do not think you need advanced server, unless you want to cluster (not recommended in W2k btw). If you are going to upgrade, go to W2k3 anyway.

As for a firewall, you need to allow port 80 traffic in, regardless of what's inside it, so that will be tough. A Host Intrusion Detection System (HIDS) is a good way to go. Be careful, the HIDS can sometimes make change management on the IIS difficult.
dinomium
If you can't upgrade right now, I would start at SSL and work backwards to be sure everything is locked down and patched...
http://support.microsoft.com/default.aspx?...s;iis&x=11&y=11
and for the complete list: http://search.microsoft.com/search/results...u=iis+4.0&na=54
We run a lot of NT4 legacy here and it is a MAJOR pain keeping it all safe...
aircooledboy
These guys are all wet Andy. Clearly, your flux capacitor needs new dilithium crystals. Either that, or the muffler bearings are bad.


No thanks necessary.
SirAndy
sooo, i go and get the latest version of IIS-Lockdown. newer is better, right?
on MickeySoft's website it says it's compatible with NT4,
so i install it.

all goes well, i make sure the URLScan ini file has the right settings, restart the box AND:

nothing works anymore!

turns out, the version of IIS-Lockdown i just installed applied Win2k type security settings to ALL my folders and NT4 can't read it!

i'm going to jump out of the window now, you guys all have a nice day ...
Andy
boxsterfan
SirAndy,

QUOTE
this is new, causes IIS to crash!

66.131.233.237, -, 5/25/04, 3:54:58, W3SVC11, XXXXXXXX, XXXXXXXX, 0, 65623, 280, 501, 50, SEARCH, /±±±±± [... more here, i cut the rest out, too long ...]


What is the HTTP Status code returned at the end of this IISlog? 200, 403, 500, etc...???
JWest
Maybe you dropped a valve.

Have you checked for rust in the longs?

What about the round relay - try switching those out.

Could be fuse #9.

Try a helicoil on the exhaust stud.

Your MPS is leaking.

Replace your fuel lines before you have a fire.
fiid
One option is to install a server side proxy server like squid or apache on a linux box.

Make everyone talk to the linux box and let it decide what traffic is valid to be sent on to the Windows box. It can be set up so it is 100% transparent to the legitimate end user, but you should be able to block anything that is not a GET or a POST, or that contains anything iffy (like excessively large request bodies).

Just a thought - happy to help setting it up. Email me though - since I am only checking the board every couple of days at the moment.

l8r,

Fiid.
davep
For firewalls you could try Smoothwall on a separate box; I believe a 486 will do fine. Was going to try that, but have not had the time. http://www.smoothwall.org/
I do use Zonealarm on several boxes; it is a free utility, but the Pro version may be better in your application. http://www.zonelabs.com/store/content/home.jsp

I firmly believe that everyone should be running both a firewall and an antivirus product. Better, possibly, if they are from the same source. Both Zonelabs and Symantec offer these packages.
mikester
Ouch, I see those log messages all day long on my Windows box running apache.

Doesn't even faze it.

A Host based intrusion system can filter those bad requests out or you can use a proxy with some filtering capacity and use a regular expression to filter out those bad requests.

We had to do that here in a different situation.

The thing is, those devices that are capable of the filtering you need (Cisco Caching engines, blue coat, websense, etc) are not low dollar items.

Your best bet I think is to get your OS and Web server up to a supportable level. Sorry to say that of course.

Damn, Ms sucks.

Though, I'm really happy with how well apache is performing on my xp Pro box...

A PIX could negate embryonic connections but not much else. You might be able to do a context based access list via a Cisco IOS device or possibly a PIX but I've never used it to block this type of request and I'd be afraid of it blocking legitimate stuff.
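An added example, not code from anyone in this thread: the filter rules fiid and mikester describe (a method allowlist, a request-size ceiling, and a regular expression over the decoded path) applied to the three IIS log lines Andy posted. The sample log is constructed from those lines with a placeholder for the truncated SEARCH URI, and the allowed methods and size ceiling are assumptions to tune for the site.

```python
import re
from urllib.parse import unquote

# Constructed sample in the comma-separated "Microsoft IIS" log format, modelled on
# the lines posted in the thread (hostname and server IP masked as XXXXXXXX there).
# The long SEARCH URI is a constructed stand-in for the one the post truncated.
SAMPLE_LOG = """\
195.219.183.5, -, 5/25/04, 1:36:41, W3SVC11, XXXXXXXX, XXXXXXXX, 0, 497, 0, 200, 0, GET, /index.asp, -,
142.176.139.196, -, 5/25/04, 3:02:03, W3SVC11, XXXXXXXX, XXXXXXXX, 0, 59, 0, 500, 87, GET, /scripts/..%5c%5c../winnt/system32/cmd.exe, /c+dir,
66.131.233.237, -, 5/25/04, 3:54:58, W3SVC11, XXXXXXXX, XXXXXXXX, 0, 65623, 280, 501, 50, SEARCH, /AAAAAAAAAAAAAAAAAAAAAAAA, -,
"""

ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # assumed: what an ASP shop needs; WebDAV verbs excluded
MAX_REQUEST_BYTES = 16 * 1024               # assumed ceiling for a legitimate request; tune per site
TRAVERSAL = re.compile(r"\.\.[\\/]")        # "../" or "..\" after decoding
SYSTEM_PATH = re.compile(r"/(winnt|windows)/system32/", re.IGNORECASE)

def parse_iis_line(line):
    """Split one IIS-format line into the fields the filter needs; None if malformed."""
    f = [x.strip() for x in line.rstrip().rstrip(",").split(",")]
    if len(f) < 14:
        return None
    return {"ip": f[0], "bytes_recv": int(f[8]), "status": int(f[10]),
            "method": f[12], "uri": f[13]}

def reasons_to_block(rec):
    """Return the rules a request violates; an empty list means it would be passed through."""
    hits = []
    if rec["method"] not in ALLOWED_METHODS:
        hits.append("method:" + rec["method"])
    if rec["bytes_recv"] > MAX_REQUEST_BYTES:
        hits.append("oversize")
    decoded = unquote(unquote(rec["uri"]))   # decode twice to catch double-encoded paths
    if TRAVERSAL.search(decoded) or SYSTEM_PATH.search(decoded):
        hits.append("traversal")
    return hits

def scan(log_text):
    """Apply the rules to every line; returns (ip, method, reasons) for lines that would be blocked."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is not None:
            hits = reasons_to_block(rec)
            if hits:
                flagged.append((rec["ip"], rec["method"], hits))
    return flagged

if __name__ == "__main__":
    for ip, method, hits in scan(SAMPLE_LOG):
        print(f"{ip} {method}: {', '.join(hits)}")
```

Run over a real log directory, the same rules give a quick count of how much of the day's traffic a front-end proxy would have dropped before it reached IIS.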
mightyohm
Andy, did you get the permissions issue fixed?

Sorry to have misled you. Just trying to help.
Gint
I've told ya before Andy, I'm no Windoze 'spert, but ditch IIS. If I'm not mistaken, you can load Apache on NT can't ya? At least that way you have a snowball's chance in hell of getting updates at least for your web server.

Good luck man!
SirAndy
QUOTE(Gint @ May 27 2004, 05:46 AM)
I've told ya before Andy, I'm no Windoze 'spert, but ditch IIS. If I'm not mistaken, you can load Apache on NT can't ya? At least that way you have a snowball's chance in hell of getting updates at least for your web server.

can't do that. the site uses ASP. a lot. like over 100,000 lines of code. plus it uses various ActiveX components.

i'm not going to redo all that just to switch ...
Andy

PS.: i *think* i got it under control for now. the file permission issue was kind of a PITA, but that is working again.
the urlscan filter seems to be working. fingers crossed ...

thanks guys for all the help!
SirAndy
i am truly baffled by the amount of hack-attempts on this server.
today alone so far (and it's only 10:50 am !) we had a whopping 2264 malformed URLs trying to hack into the system ...

aren't those kids supposed to be in school right now?
Andy
kafermeister
Wow Andy. Sorry to see all the problems. Hope you got it under control. I would have to concur that IIS5 or some type of IDS system would benefit your eCommerce environment.

One of the guys here was mentioning something about an appliance that goes between your web server and the outside world that filters much/many of the IIS specific exploits. I'll try to find out what it is if you're interested in looking it up.

Rick
fiid
QUOTE(SirAndy @ May 27 2004, 09:53 AM)
i am truly baffled by the amount of hack-attempts on this server.
today alone so far (and it's only 10:50 am !) we had a whopping 2264 malformed URLs trying to hack into the system ...

aren't those kids supposed to be in school right now?
Andy

My apache on linux server also has to put up with numerous IIS compromise attempts per minute.

I would never consider putting a Windows or IIS box directly on the net. The on-box firewalls for windows help a lot, and you can certainly improve your situation a lot, but until you get your windows machine behind another firewall machine you can't call it secure, mainly because you just don't know what that code is doing. Microsoft has been proven in past performance to ignore some security violations in their code. At least if it's open source, you can fix it yourself, or hire someone to fix it for you.

Let me know if I can help at all.

l8r,

Fiid.
fiid
Oh - and by "directly on the net" I mean "with a routable IP address". Put it on 192.168.x.x or 10.x.x.x - that way there's no direct path to the machine from the outside, nor can there be unless you specifically configure it.
fiid
In addition - if you are running 2 IIS servers - putting the right thing in front of it will allow you to do load balancing and failover in addition to filtering of security risks.

This means you can keep your site up and running when you have a blue screen of death situation, or anything else happens that causes one of your servers to not be running anymore.

l8r,

Fiid.