The simplest way to detect whether you're under attack is to use audit logs and an intrusion detection tool.
It's paramount that you enable logging in Windows 2000, IIS, and Microsoft SQL Server, as described in the following sections.
In Windows 2000, you can set auditing policy on a local machine if it's not running in a domain. If the machine is running in a domain, you can make the policy global. Take the following steps:
Table 12-4. Windows 2000 audit settings.
Policy | Setting |
---|---|
Audit account logon events | Success, Failure |
Audit account management | Success, Failure |
Audit directory service access | Failure |
Audit logon events | Success, Failure |
Audit object access | Failure |
Audit policy change | Success, Failure |
Audit privilege use | Failure |
Audit process tracking | No auditing |
Audit system events | No auditing |
You can configure audit logging in IIS by following these steps:
You can configure security logging in SQL Server 7 as follows:
The first logs you should look at if an attack is Web-based are the IIS logs. People often try to perform attacks using scripts for old vulnerabilities that have been fixed. Examples of such attacks are listed in Table 12-5.
Table 12-5. Common attacks on IIS based on vulnerabilities that have been fixed.
Attack | Comments |
---|---|
"::$DATA" bug | Allows the attacker to view the source code of ASP files. |
"." bug | Same as above, but the file being accessed has a "." at the end. |
".htr" buffer overflow | A specially crafted request to an .htr file executes arbitrary code in the security context of the Web server. |
RDS exploit | A specially crafted Remote Data Services request executes arbitrary code at the server. |
Samples | Some samples contain code for viewing source code. Never install samples on a production server. |
You might be under attack if you see any lines in your IIS logs that look like those listed in Table 12-6.
Table 12-6. Examples of suspicious activity recorded in the IIS logs.
Attack | Log File Example(s) |
---|---|
"::$DATA" bug | 15:59:09 218.216.157.240 - W3SVC1 207.46.171.196 80 GET /default.asp::$DATA |
"." bug | 15:59:09 218.216.157.240 - W3SVC1 207.46.171.196 80 GET /default.asp. (Note the "." at the end of default.asp.) |
".htr" buffer overflow | 15:59:09 218.216.157.240 - W3SVC1 207.46.171.196 80 GET / iisadmpwd/aexp.htr (You should consider access to any file ending in .htr suspicious.) |
RDS exploit | 16:55:54 228.153. 98.189 - W3SVC1 207.46.171.196 80 POST /msadc/msadcs.dll hr=800a1004,CSoapStub::HttpExtensionProc, 200 271 679 18:48:21 216.118.25.150 - W3SVC1 207.46.171.196 80 GET /msadc/msadcs.dll - 404 3395 387 15:33:57 219.213.116.121 - W3SVC1 207.46.171.196 80 GET /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetRecordset+HTTP/1.1 - 401 3417 460 15:35:45 219.123.163.22 - W3SVC1 207.46.171.196 80 GET /msadc/msadcs.dll/AdvancedDataFactory.Query+HTTP/1.1 - 401 3417 452 (All of the above are valid RDS entries and should all be treated as suspicious.) |
Samples | 15:59:09 218.216.157.240 - W3SVC1 207.46.171.196 80 GET /IISSamples |
You can use the following Perl code to look for these attempted attacks on your server. Save this file as Attacks.pl; usage is Attacks.pl logfile(s). You can use wildcards in the names of log files.
$SUMMARY_ONLY = 0; # Set to 0 to display all offending lines. %hits=(RDS => 0, DOLLAR_DATA => 0, DOT => 0, SAMPLES => 0, SHOWCODE => 0, HTR => 0, DOT_DOT => 0, SAM_ACCESS => 0, INDEX => 0, BOOT_INI => 0); foreach (<$ARGV[0]>) { print "Opening log $_\n"; warn unless open FILEHANDLE, "<" . $_; # Read each line. while (<FILEHANDLE>) { print "$lines lines processed.\r" if ++$lines % 500 == 0; if (/msadcs/i) { print "[RDS EXPLOIT] $_\n" unless $SUMMARY_ONLY; $hits{RDS}++; } elsif (/::\$DATA/i) { print "[::\$DATA EXPLOIT] $_\n" unless $SUMMARY_ONLY; $hits{DOLLAR_DATA}++; } elsif (/.*GET \/.*\.asp\./i) { print "['.' EXPLOIT] $_\n" unless $SUMMARY_ONLY; $hits{DOT}++; } elsif (/sam\._/i) { print "[ACCESSING SAM] $_\n" unless $SUMMARY_ONLY; $hits{SAM_ACCESS}++; } elsif (/\.ida|\.idq|\.htw/i) { print "[INDEX SERVER] $_\n" unless $SUMMARY_ONLY; $hits{INDEX}++; } elsif (/boot\.ini/i) { print "[ACCESSING BOOT FILE] $_\n" unless $SUMMARY_ONLY; $hits{BOOT_INI}++; } elsif (/iissamples/i) { print "[SAMPLES] $_\n" unless $SUMMARY_ONLY; $hits{SAMPLES}++; } elsif (/showcode\.asp/i) { print "[SHOWCODE] $_\n" unless $SUMMARY_ONLY; $hits{SHOWCODE}++; } elsif (/htr/i) { print "[HTR EXPLOIT] $_\n" unless $SUMMARY_ONLY; $hits{HTR}++; } elsif (/\.\./) { print "[\.\. EXPLOIT] $_\n" unless $SUMMARY_ONLY; $hits{DOT_DOT}++; } } close FILEHANDLE; } # Print the summary results. print "\n\n--------------\nAttack Summary\n--------------\n"; print "$lines lines processed\n\n"; @keys = sort {int $hits{$b} <=> int $hits{$a} } keys %hits; foreach $key (@keys) { $value = $hits{$key}; $percent = ($value / $lines) * 100; printf "%12s = %7d (%0.4f%%) attempts\n",$key,$value,$percent; } |
You should run this script, available on the companion CD, regularly to determine whether you're being attacked or probed, but don't be too alarmed by occasional activity. To quote Chapman and Zwicky in their excellent book Building Internet Firewalls, "Once is an accident; twice is a coincidence; three times is enemy action."
Buffer OverflowsYou might have noticed that we referred to the ".htr" bug as a buffer overflow bug. A buffer overflow is simply a coding problem whereby a large amount of data is copied into a small space. Look at the following C/C++ code:
#include "stdio.h" #include "string.h" void CopyData(char *str) { char buff[64]; strcpy(buff,str); } void main(int argc, char* argv[]) { char cLargeString[80]; memset(cLargeString,'*',80); cLargeString[79] = 0; CopyData(cLargeString); puts("Data copied"); }As you can see, when the CopyData function is called, it tries to copy at least 80 bytes into a 64-byte space. In the best case, an access violation occurs and the operating system shuts down the application. In fact, that's what this code does. In the worst case, the attacker might be able to execute arbitrary code. Here's how.
When one function calls another, it places (the correct term is pushes) the address of the next instruction onto the stack. When the function returns, it " pops " the address off the stack and continues execution at the new address. Look at the buff variable in CopyData. If you know C or C++, you know that this is a stack-based variable. In other words, buff is right next to the return address for this function on the stack. Also on the stack is the only argument to CopyData, a pointer to a series of characters: char *str. In memory, the stack looks like that shown in Figure 12-5.
Figure 12-5. A healthy stack.
You'll notice another unit of data called the SFP, or stack frame pointer. We won't cover this, but you must take its size into consideration in a real attack.
The secret to an attack is the content of the 80-byte block, which is specially crafted so that it overwrites the return address to point to the contents of the 64-byte buffer. The attacker places executable assembly language instructions in the buffer. After a successful attack, the stack looks like that shown in Figure 12-6.
Figure 12-6. A stack after an attack.
This is often referred to as "smashing the stack." The preeminent paper on the subject is called "Smashing the Stack for Fun and Profit" by AlephOne in issue 49 of Phrack magazine (www.phrack.com). Another great article is "The Tao of Windows Buffer Overflow" by DilDog, available at www.cultdeadcow.com/cDc_files/cDc-351.
You should also monitor the Windows 2000 logs; especially suspicious are the security events described in Table 12-7.
Table 12-7. Security event log entries that you should monitor.
Security Event ID | Comments |
---|---|
612 | The audit policy has changed, perhaps maliciously. |
640 | A change has been made to the SAM database. (Was it you?) |
531 | An attempt was made to log on using a disabled account. (Why would anyone want to do this?) |
539 | A logon attempt was made and rejected because the account was locked out. (Why would anyone want to do this?) |
529 | An attempt was made to log on using an unknown user account or using a valid user account but with an invalid password. (An unexpected increase in the number of these audits might indicate an attempt to guess passwords.) |
517 | The audit log has been cleared. (Is an attacker attempting to cover her tracks?) |
624 | A user account has been created. (Was it created by a trusted person?) |
628 | A user account's password has been set. (Was this done by a trusted person?) |
Note that you can filter the event log in Windows 2000. To monitor for 529 events, take these steps:
You should set up a filter for any other events that are of interest to you.
If you deal with many computers, you might want to use the Dump Event Log (or Dumpel) tool that comes with the Microsoft Windows 2000 Server Resource Kit. This command line tool dumps an event log for a local or remote system into a tab-separated or comma-separated text file.
You can also use the tool to filter certain event types. For example, the following will dump security events 529 and 531 from the security event log on a server called \\major into a file called seclog.txt:
Dumpel -f seclog.txt -s \\major -l security -m security -e 529 531 |
You can then easily parse this file to look for suspicious activity.
SQL Server has two log types, the Windows 2000 event log and its own text files, called errorlog.nnn, in the \MSSQL7\LOG directory. The event log entries are always the same regardless of whether the logon was validated; only the text varies. The entries are in the Application log. Source is MSSQLServer, Category is Logon, and Event ID is 17055. This makes them a little difficult to analyze. However, the text files are quite easy to analyze. They look something like this:
1999-12-17 12:48:16.16 logon Login succeeded for user 'DOM\Squirt'. Connection: Trusted. 1999-12-17 12:49:09.64 logon Login failed for user 'sa'. 1999-12-17 12:55:00.34 logon Login succeeded for user 'sa'. Connection: Non-Trusted. |
The first entry shows a valid trusted connection from a user called Squirt on the DOM domain. Connection: Trusted means that the account was authenticated using Windows authentication. Connection: Non-Trusted means that the account used the built-in SQL Server authentication.
You can quickly parse these files by entering the following at the command line in the SQL Server log file directory:
findstr /i "login.failed" err*.* |
Note the period between login and failed. Without it, findstr would look for the words login or failed in the files.
You should also consider monitoring resource load—most notably, CPU load—using Performance Monitor. If the system peaks at 100 percent CPU use, the computer might be under a DoS attack. Of course, the server might just be very busy!
Intrusion detection tools are programs that look for attack "fingerprints" and log the results in an audit file or notify an administrator. Thankfully, these tools are becoming commonplace in many organizations. A good analysis of these tools is available at www.networkcomputing.com/1023/1023f1.html.
There are many tools to choose from, including the following:
Figure 12-7 shows a computer monitored by BlackICE coming under serious attack.
Figure 12-7. The BlackICE intrusion detection tool showing a series of attacks.
The seven oldest events are probes, not attacks, although the Telnet abuse might be one or the other. If the probes were just Telneting to port 80 to find out the Web server version, it's part of the information-gathering exercise; however, if they were typing in some illegal characters to, say, an RPC port to attempt to get the RPC service to crash, it might be an attack.
The TCP OS Fingerprint event is interesting. Operating systems can behave differently when they receive certain types of specially crafted IP packets. By sending these packets to a server and evaluating the response, a program can determine with some accuracy which operating system is running on the remote computer. The most common tool for performing this is called NMAP. For more details about OS fingerprinting and NMAP, go to phrack.infonexus.com/search.phtml?view&article=p54-9.
The top two events, SynDrop and Fragment overlap, are attacks, both of which were mentioned in "Some Common Attacks."
Many tools also have excellent documentation explaining each attack in detail. Figure 12-8 shows an example of the BlackICE online documentation for a SYN flood attack.
It's quite easy to see whether you're under a SYN flood attack without an intrusion detection tool by using the netstat utility included with Windows 2000. This tool provides statistics about the TCP/IP protocol suite, but more importantly, it can display the status of all TCP/IP connections to and from your computer and the state of each connection.
Figure 12-8. BlackICE's online documentation for a SYN flood attack.
For example, if you enter netstat-n-p tcp at the command line, you'll see output like this if you're under attack:
Proto Local Address Foreign Address State TCP 127.0.0.1:1030 127.0.0.1:1032 ESTABLISHED TCP 127.0.0.1:1032 127.0.0.1:1030 ESTABLISHED TCP 10.57.8.190:21 10.57.14.154:1256 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1257 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1258 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1259 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1260 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1261 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1262 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1263 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1264 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1265 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1266 SYN_RECEIVED TCP 10.57.8.190:4801 10.57.14.221:139 TIME_WAIT |
Note the number of connections in the SYN_RECEIVED state. Be aware that the foreign address is probably fake.
Another issue to be aware of is the coordinated or DDoS attack. Hosts around the world can coordinate to mount a massive attack on a single host. For more information, go to www.cert.org/incident_notes/IN-99-07.html.
Another tool that you should seriously consider using is an integrity tool. Integrity tools check that resources such as files, access controls lists, and Registry settings haven't been tampered with. If they have, the tools can perform actions such as e-mailing administrative staff.
Two such tools we've used are
Here's some sample output from Intact 2.0 indicating that a file has been changed. (The file size has grown.) Was the change benign or malicious? Has a hacker left some new wording on your home page? You should check whether changes such as this were made by your Web development team!
INFO: MSG: CONFIG: Intact Intelligence Version 2.0 INFO: MSG: CONFIG: Current User EXAIR\WebAdmin INFO: MSG: CONFIG: INTACT CHECK START 09/03/99 22:33:12 CHANGED: FILE: c:\Web\Default.html Last write time changed: was: September 02, 1999 13:53:21 is: September 02, 1999 23:12:54 Size has changed was: 1022 is: 1431 DIGEST1 is different was: (MD5: 27 00 70 A8 DC C4 C6 D1 AE F0 08 92 C8 3B 39 C2) is: (MD5: 02 A9 25 77 87 E3 1E FD 0F 39 EA 6E 17 36 11 9D) DIGEST2 is different was: (SHA1: 38 DE FA 26 78 7E 66 EB 88 D7 6B A7 21 46 A6 B1 A1 2F 0D 63) is: (SHA1: 71 FD 44 E8 FA 1A BC C8 81 E4 EE 01 8A 11 00 00 17 11 2B FE) |