[logs] NT Event Log and Web Server Attacks

From: Rainer Gerhards (rgerhardsat_private)
Date: Fri Jan 17 2003 - 02:59:45 PST


    Hi all,
    I just wanted to let the list know of a way to detect intrusions via
    IIS. It may work for other web servers, too.
    We have just built a new rule to use the NT event log to detect (so far
    unknown) attacks... Well, effectively, we detect intrusions after they
    happened. So the intruder most probably already got in. This will not
    save you from the intrusion, but at least you know you need to react.
    For it to work, we assume the following:
    1. IIS process tracking is activated (and hopefully works reliably
    enough ;))
    2. The web site is accessed by anonymous users, only
    3. The server is a dedicated web server
    If 2 or 3 are not the case, we can probably still use the same idea, but
    the filter needs to be more advanced.
    It is important to know that anonymous requests are run in the security
    context of a specifically designated NT account. In most cases this is
    the IUSR_xxx account where xxx is typically the machine name. This
    account can be configured in the IIS admin console. So you need to
    look up the details there.
    What we now do is we look at the event log in short intervals. When we
    detect a program start (security event log, source "Security", event id
    592) AND the user is the IUSR_xxx account AND it is not a program we
    know IIS needs to run (e.g. perl.exe is run for PERL scripts; php.exe is
    for PHP scripts) then chances are very high that someone has
    successfully intruded our machine via IIS. So it would probably be a
    good idea to forward the event log record to an admin in charge (via
    email or whatever).
    I hope this is helpful. As always, comments are very welcome. I would
    particularly like to know if that works with Apache under win32 ;)
    Rainer Gerhards
    LogAnalysis mailing list
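The rule Rainer describes, written out as an added Python example that is not part of his post or of any tool he mentions: it parses the text body of Security event 592, keeps only records for the anonymous IIS account, and flags any image that is not on the list of programs IIS is expected to start. The account name IUSR_WEBSRV01, the allowlist and the sample records are constructed assumptions; the real values come from the server's IIS admin console.

```python
import re
from dataclasses import dataclass

# Assumed for this example: the anonymous account and the allowlist of programs
# IIS legitimately starts; both come from the real server's IIS admin console.
ANON_ACCOUNT = "IUSR_WEBSRV01"
EXPECTED_IMAGES = frozenset({"perl.exe", "php.exe"})
# Labelled fields in the body of NT Security event 592 ("A new process has been created").
FIELD_RE = re.compile(r"^\s*(Image File Name|User Name|Domain):\s*(.+?)\s*$", re.M)

@dataclass(frozen=True)
class Event:
    source: str
    event_id: int
    description: str

def parse_592(description: str) -> dict:
    """Return the 592 fields this rule needs, keyed by their label."""
    return dict(FIELD_RE.findall(description))

def is_suspicious(ev: Event, anon_account: str = ANON_ACCOUNT,
                  expected: frozenset = EXPECTED_IMAGES) -> bool:
    """The post's rule: process start AND anonymous account AND image not expected."""
    if ev.source != "Security" or ev.event_id != 592:
        return False
    fields = parse_592(ev.description)
    if fields.get("User Name", "").casefold() != anon_account.casefold():
        return False
    image = fields.get("Image File Name", "")
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].casefold()
    return basename not in expected

def find_intrusions(events):
    """Events to forward to the admin in charge (by e-mail, as the post suggests)."""
    return [ev for ev in events if is_suspicious(ev)]

def describe(image: str, user: str, domain: str = "WEBSRV01") -> str:
    """Constructed 592 description text in the NT event log's layout."""
    return ("A new process has been created:\n    New Process ID: 1040\n"
            f"    Image File Name: {image}\n    Creator Process ID: 720\n"
            f"    User Name: {user}\n    Domain: {domain}\n    Logon ID: (0x0,0x1A2B)\n")

# Constructed sample records: only the second one should raise an alert.
SAMPLE_EVENTS = [
    Event("Security", 592, describe(r"C:\WINNT\system32\php.exe", ANON_ACCOUNT)),
    Event("Security", 592, describe(r"C:\WINNT\system32\cmd.exe", ANON_ACCOUNT)),
    Event("Security", 592, describe(r"C:\WINNT\system32\cmd.exe", "Administrator")),
    Event("Security", 593, describe(r"C:\WINNT\system32\cmd.exe", ANON_ACCOUNT)),
]
```

Running `find_intrusions(SAMPLE_EVENTS)` returns only the cmd.exe start under the anonymous account; the same image started by Administrator is left alone, which is why assumptions 2 and 3 in the post matter.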

    This archive was generated by hypermail 2b30 : Fri Jan 17 2003 - 10:07:00 PST