Friday, March 24, 2006

Incident Handling: Analyzing IIS6 Log

This is one of the incident-handling cases I worked recently; IPs and some details have been changed to protect the parties involved.

Date: 20060312

User Domain: www.server.com

Server.com IP = 1.2.3.4

Hacker IP = 6.7.8.9

The client reported malicious files uploaded to his web space, such as:

www.server.com/cgi-bin/cmd.exe
www.server.com/scripts/cmd.exe
www.server.com/scripts/cgitelnet.pl
www.server.com/scripts/NT.pl
www.server.com/scripts/win.pl

The first thing I decided to do was go through the IIS6 logs, since that is clearly the place to look for signs of compromise. I compressed the web logs under C:\Domains\server.com\logs\W3SVC5213.
I also compressed all the malicious files under the cgi-bin and scripts directories after checking their MAC times. You might say I shouldn't touch them at all, but since I had already noted down the MAC times, I just continued with my investigation.
The reason for compressing the logs is the lack of tools in Windows that handle text processing well, so I compressed all the logs and did the log parsing on my Unix machine.
Since most of the malicious files carry a timestamp of March 11, I started going through the log for that date, and I found z.asp, which looks malicious because it was uploaded through the images directory. I don't think people upload files with an .asp extension to an images directory. That's fishy!!!!!

2006-03-11 21:16:34 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp action=cmd 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705;+.NET+CLR+2.0.50727) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP - www.server.com 200 0 0 1053 350 562

Then I had to make a copy of the z.asp file to analyze. However, when it came to analyzing z.asp, I was stuck on its content. You may view the suppressed content here. Apparently it is encoded VBScript.


I wasn't going to give up that way and looked for any info on VBScript encoding, and I found

http://www.microsoft.com/downloads/details.aspx?FamilyID=e7877f67-c447-4873-b1b0-21f0626a6329&displaylang=en

And with a colleague's help, I found the decoder at the link below and quickly downloaded it.

http://www.virtualconspiracy.com/index.php?page=/scrdec/intro


If you read the Microsoft link, it seems the encoding tool meant to protect legitimate script source is being used to protect the hacker's own code, what a joke. That's what happens when tools end up in the wrong hands.

To decode z.asp, I downloaded the decoder and ran

cmd>scrdec18.exe z.asp z.decode -dumb

After decoding it, I got the clear content of the VBScript, and understanding the code wasn't too hard anymore. Here's the partial content ...


By now I understood what the VBScript does, so I went back to my log parsing to search for the strings of the other tools that were uploaded through z.asp, since it provides that function.

To filter the IIS6 logs on my Unix machine, I just run

shell>find ./ -type f -exec \
egrep -i 'CMD.EXE|NT.PL|cgitelnet.pl|win.pl|z.asp' '{}' \; \
-print > /nsm/WinIR_20060321/all_trace &
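A structured alternative to the egrep pass above, as an added example that is not part of the original post: it reads the column names from the W3C #Fields: directive, flags the indicator file names from this case plus the query parameters z.asp was driven with (action=cmd, raiz=), and optionally pivots on the hacker IP. The sample log is constructed from the entries in this post; the function names are my own.

```python
# Added example (not from the original post): parse IIS6 W3C logs for web-shell hits.
import re
# File names from the incident; case-insensitive because Windows paths can
# appear in either case in the log (the same reason as egrep -i above).
INDICATORS = re.compile(r"cmd\.exe|nt\.pl|cgitelnet\.pl|win\.pl|z\.asp", re.I)
# Query parameters z.asp was driven with on this server (action=cmd, raiz=<dir>).
SHELL_PARAMS = re.compile(r"(^|&)(action|raiz)=", re.I)

def parse_w3c(lines):
    """Yield one dict per request, naming columns from the #Fields: directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # wrapped or truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))

def suspicious(entries, attacker_ip=None):
    """Return (reason, entry) pairs; optionally restrict to one client IP."""
    hits = []
    for e in entries:
        if attacker_ip and e.get("c-ip") != attacker_ip:
            continue
        stem, query = e.get("cs-uri-stem", ""), e.get("cs-uri-query", "")
        if INDICATORS.search(stem + "?" + query):
            hits.append(("indicator", e))
        elif SHELL_PARAMS.search(query):
            hits.append(("shell-param", e))
    return hits

# Constructed sample modelled on the entries in this post (not the real log).
SAMPLE_LOG = r"""#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2006-03-11 21:10:02 W3SVC5213 Server 1.2.3.4 GET /gallery/index.asp - 80 - 5.5.5.5 HTTP/1.1 Mozilla/4.0 - - www.server.com 200 0 0 5120 300 15
2006-03-11 21:16:34 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp action=cmd 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0 ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP - www.server.com 200 0 0 1053 350 562
2006-03-11 21:17:08 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\ 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0 ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP - www.server.com 200 0 0 14121 536 968
2006-03-11 21:20:45 W3SVC5213 Server 1.2.3.4 GET /scripts/CMD.EXE - 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0 - - www.server.com 404 0 2 1635 200 30
2006-03-11 21:25:12 W3SVC5213 Server 1.2.3.4 GET /gallery/images/pic.asp raiz=C:\Inetpub 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0 - - www.server.com 200 0 0 900 300 40
"""
def report(text, attacker_ip=None):
    """Timeline rows (time, client, status, uri, query, reason) for the hits in a log."""
    hits = suspicious(parse_w3c(text.splitlines()), attacker_ip)
    return [(e["date"] + " " + e["time"], e["c-ip"], e["sc-status"],
             e["cs-uri-stem"], e["cs-uri-query"], why) for why, e in hits]
```

The last sample line shows why the parameter check is worth keeping next to the file-name check: a copy of the shell under a harmless-looking name still shows up through the raiz= parameter.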

By now I had the hacker's footprints and knew what he was doing. You can view part of the entries in the screenshot below; some of the interesting entries are:

2006-03-11 21:17:08 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\ 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705;+.NET+CLR+2.0.50727) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP - www.server.com 200 0 0 14121 536 968

2006-03-11 21:17:11 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\All%20Users 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705;+.NET+CLR+2.0.50727) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP http://www.server.com/gallery/images/z.asp?raiz=C:\Documents%20And%20Settings\ www.server.com 200 0 0 11300 640 562

2006-03-11 21:17:14 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\All%20Users\Start%20Menu 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705;+.NET+CLR+2.0.50727) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP http://www.server.com/gallery/images/z.asp?raiz=C:\Documents+And+Settings\All+Users www.server.com 200 0 0 10931 658 843

2006-03-11 21:17:16 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\All%20Users\Start%20Menu\Programs 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705;+.NET+CLR+2.0.50727) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP http://www.server.com/gallery/images/z.asp?raiz=C:\Documents+And+Settings\All+Users\Start+Menu www.server.com 200 0 0 21882 678 1281

2006-03-11 21:17:37 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\All%20Users\Start%20Menu\Programs\Startup 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705;+.NET+CLR+2.0.50727) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP http://www.server.com/gallery/images/z.asp?raiz=C:\Documents+And+Settings\All+Users\Start+Menu\Programs www.server.com 200 0 0 6782 695 406

Here's part of the filtered logs.


However, it seems he/she had no success browsing directories other than the user's own directory, because of the permission settings. In the end he/she gave up, unable to gain control of the whole system.

P/S: I use egrep with -i to ignore case, since it is a Windows log.

Have fun with track and trace (:])
