Testing out the new URLScan 3.0 beta tonight


Information is here: http://blogs.iis.net/nazim/archive/2008/06/05/using-the-new-rules-configuration-in-urlscan-v3-0-beta-part-1.aspx and http://blogs.iis.net/wadeh/archive/2008/06/05/urlscan-v3-0-beta-release.aspx. I'm having to make a few tweaks to keep the blog site working with the URLScan feature enabled.


If you get to a page that doesn't work and should, let me know, as some of the rule sets have blocked legitimate folks from accessing content.


In the meantime, looking at some of the items hitting the site is indeed interesting… this is from the urlscan.log file just a few moments ago…


[06-21-2008 - 02:15:39] Client at 74.6.8.100: Rule 'SQL Injection' detected string 'end' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/search/Searchrss.aspx'
[06-21-2008 - 02:15:48] Client at 65.55.209.198: Rule 'SQL Injection' detected string 'end' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/search/Searchrss.aspx'
[06-21-2008 - 02:15:53] Client at 74.6.8.100: Rule 'SQL Injection' detected string 'end' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/search/Searchrss.aspx'
[06-21-2008 - 02:16:09] Client at 74.6.8.100: Rule 'SQL Injection' detected string 'end' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/search/Searchrss.aspx'
[06-21-2008 - 02:16:09] Client at 211.197.107.208: Rule 'SQL Injection' detected string ';' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/library/errorpages/smarterror.aspx'
[06-21-2008 - 02:16:11] Client at 211.197.107.208: Rule 'SQL Injection' detected string ';' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/errorpages/smarterror.aspx'
[06-21-2008 - 02:16:24] Client at 74.6.8.100: Rule 'SQL Injection' detected string 'end' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/search/Searchrss.aspx'
[06-21-2008 - 02:16:25] Client at 65.55.209.183: Rule 'SQL Injection' detected string 'end' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/search/SearchResults.aspx'
[06-21-2008 - 02:16:50] Client at 74.6.8.100: Rule 'SQL Injection' detected string 'end' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/search/Searchrss.aspx'
[06-21-2008 - 02:16:54] Client at 195.75.146.228: QueryString contains sequence '%%3C', which is disallowed. Request will be rejected.  Site Instance='983214064', Raw URL='/search/SearchResults.aspx', QueryString='q=generic+viagra+online+%%0d%%0a+%%3ca+href%%3d%%22http%%3a%%2f%%2fwww.hackint0sh.org%%2fforum%%2fmember.php%%3fu%%3d67677%%22%%3egeneric+viagra%%3c%%2fa%%3e+%%0d%%0a+http%%3a%%2f%%2fwww.hackint0sh.org%%2fforum%%2fmember.php%%3fu%%3d67677+%%0d%%0a+%%5burl%%3dhttp%%3a%%2f%%2fwww.hackint0sh.org%%2fforum%%2fmember.php%%3fu%%3d67677%%5dgeneric+viagra%%5b%%2furl%%5d++%%0d%%0a+%%3ca+href%%3d%%22http%%3a%%2f%%2fwww.epinions.com%%2fuser-dr-lerman%%2fshow_%%7eView_Profile%%22%%3eorder+viagra%%3c%%2fa%%3e+%%0d%%0a+http%%3a%%2f%%2fwww.epinions.com%%2fuser-dr-lerman%%2fshow_%%7eView_Profile+%%0d%%0a+%%5burl%%3dhttp%%3a%%2f%%2fwww.epinions.com%%2fuser-dr-lerman%%2fshow_%%7eView_Profile%%5dorder+viagra%%5b%%2furl%%5d+&tag=General+Chatter&orTags=0&o=Relevance'
[06-21-2008 - 02:17:19] Client at 74.6.8.100: Rule 'SQL Injection' detected string 'end' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/search/Searchrss.aspx'
[06-21-2008 - 02:17:20] Client at 74.6.8.100: Rule 'SQL Injection' detected string 'end' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/search/SearchResults.aspx'
[06-21-2008 - 02:17:22] Client at 195.75.146.228: QueryString contains sequence '%%3C', which is disallowed. Request will be rejected.  Site Instance='983214064', Raw URL='/search/SearchResults.aspx', QueryString='q=generic+viagra+online+%%0d%%0a+%%3ca+href%%3d%%22http%%3a%%2f%%2fwww.hackint0sh.org%%2fforum%%2fmember.php%%3fu%%3d67677%%22%%3egeneric+viagra%%3c%%2fa%%3e+%%0d%%0a+http%%3a%%2f%%2fwww.hackint0sh.org%%2fforum%%2fmember.php%%3fu%%3d67677+%%0d%%0a+%%5burl%%3dhttp%%3a%%2f%%2fwww.hackint0sh.org%%2fforum%%2fmember.php%%3fu%%3d67677%%5dgeneric+viagra%%5b%%2furl%%5d++%%0d%%0a+%%3ca+href%%3d%%22http%%3a%%2f%%2fwww.epinions.com%%2fuser-dr-lerman%%2fshow_%%7eView_Profile%%22%%3eorder+viagra%%3c%%2fa%%3e+%%0d%%0a+http%%3a%%2f%%2fwww.epinions.com%%2fuser-dr-lerman%%2fshow_%%7eView_Profile+%%0d%%0a+%%5burl%%3dhttp%%3a%%2f%%2fwww.epinions.com%%2fuser-dr-lerman%%2fshow_%%7eView_Profile%%5dorder+viagra%%5b%%2furl%%5d+&tag=General+Chatter&orTags=0&o=Relevance'
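A starting point for the log reading described above, added here and not part of the original post or of URLScan itself: a small parser for rejection lines in the urlscan.log layout quoted above that groups hits by rule, matched string and URL, and flags matched strings that several different clients trip on the same page, which is where an over-broad rule (the 'end' hits on the search pages) tends to show up first. The sample lines are constructed, the field names and the "QueryString sequence" label are my own, and the parser makes no assumption about how URLScan escapes percent signs.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in the layout of the urlscan.log excerpt above, with straight
# quotes and single percent signs; the spam domains are replaced by a placeholder.
SAMPLE_LOG = """\
[06-21-2008 - 02:15:39] Client at 74.6.8.100: Rule 'SQL Injection' detected string 'end' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/search/Searchrss.aspx'
[06-21-2008 - 02:15:48] Client at 65.55.209.198: Rule 'SQL Injection' detected string 'end' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/search/Searchrss.aspx'
[06-21-2008 - 02:16:09] Client at 211.197.107.208: Rule 'SQL Injection' detected string ';' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/library/errorpages/smarterror.aspx'
[06-21-2008 - 02:16:25] Client at 65.55.209.183: Rule 'SQL Injection' detected string 'end' in the query string. Request will be rejected.  Site Instance='983214064', Raw URL='/search/SearchResults.aspx'
[06-21-2008 - 02:16:54] Client at 195.75.146.228: QueryString contains sequence '%3C', which is disallowed. Request will be rejected.  Site Instance='983214064', Raw URL='/search/SearchResults.aspx', QueryString='q=generic+viagra+%3ca+href%3d%22http%3a%2f%2fexample.invalid%22%3e'
"""

# Every rejection line shares this prefix and suffix; only the reason text differs.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client at (?P<ip>\S+): (?P<reason>.*?)\s+"
    r"Site Instance='(?P<site>\d+)', Raw URL='(?P<url>[^']*)'"
    r"(?:, QueryString='(?P<qs>.*)')?$"
)
# The two reasons seen in the post: a named rule hit and a disallowed raw sequence.
RULE_RE = re.compile(r"^Rule '(?P<rule>[^']+)' detected string '(?P<needle>.*?)' in the ")
SEQ_RE = re.compile(r"^QueryString contains sequence '(?P<needle>[^']+)', which is disallowed")

def parse_line(line):
    """Parse one rejection line into a dict; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    if r := RULE_RE.match(ev["reason"]):
        ev["rule"], ev["needle"] = r["rule"], r["needle"]
    elif s := SEQ_RE.match(ev["reason"]):
        ev["rule"], ev["needle"] = "QueryString sequence", s["needle"]  # label is mine
    else:
        return None
    return ev

def summarize(log_text):
    """Count rejections per (rule, matched string, URL) and collect the clients behind each."""
    counts, clients = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            key = (ev["rule"], ev["needle"], ev["url"])
            counts[key] += 1
            clients[key].add(ev["ip"])
    return {k: (n, sorted(clients[k])) for k, n in counts.items()}

def tuning_candidates(summary, min_clients=2):
    """Matches that several different clients trip on one URL: first place to check for an over-broad rule."""
    return sorted(k for k, (n, ips) in summary.items() if len(ips) >= min_clients)
```

Run it over a real urlscan.log and the candidates list tells you which matched strings to reconsider before the rule blocks more legitimate visitors.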


Which brings me to my theory and speculation at this point as to what happened, so please treat it accordingly.  Whether this theory turns from the speculation it is now into actual fact may or may not be provable if the IIS log files are too much of a needle in a haystack, but putting on URLScan 3.0, which has a rule set that specifically looks for SQL injection attacks, is part of the new changes on the blog.


I hesitate a bit to be this honest about the speculation I'm doing, for a couple of reasons.  First… as someone in MSRC once said in a TechEd presentation, early information is usually wrong and very speculative.  So I hesitate to draw any conclusions at this point, especially with the Security folks still looking at the raw data.


So until they confirm (again, assuming there are enough log files on the box to be clear about what happened; we may not find the smoking gun), and based on the current threat levels and the activity out there on other web sites, even if what I think may have happened didn't happen, it's wise that we're putting this prevention in place.


Ergo, I'm putting a URLScan filter on the server that specifically looks for SQL injection attacks.


So here’s the sequence of events that I think should not and cannot be overlooked. 


On June 4th, search broke.  I thought it very odd, but when you are getting ready to upgrade, sometimes the wheels start falling off the car.  (Or so I reasoned with myself… Failure number 1: don't look at an upcoming upgrade and put problems down to computers that realize their days are numbered [even though it seems like it when they start acting up].)


On June 5th, I went to the SQL database, ran a command to clear out the "isindexed" in the database and began a reindexing.  I then went on a quick trip (on behalf of WindowsSecrets.com) to Seattle and didn't pay attention to the growing size of the indexing that wasn't stopping.  (Failure 2: the lack of attention to these early indicators is a key failure on my part and a lesson learned.)  On the night of the 6th, the blog outgrew its D: drive and got stuck.  The server was hard rebooted to gain RDP access and I logged in to find a near-full 400 gig hard drive.  I quickly stopped the indexing and cleaned up the drive.


When the box was rebooted, the tcp/ip service didn't start.  (Failure number 3 on my part: I noticed the failure but didn't realize that this wasn't a real service.)


To get the sbot/rbot on the system, the intruder gained access.  At this point, in the security logs there is no evidence at all that anyone gained access through RDP (there's an interesting story about that which will be in part two of my brain dump analysis).  So the $64,000 question, which at this time I really can't answer with absolute certainty, is: how did someone gain access?  At this time I have to say "I don't know".  When they put the sbot/rbot file on the box, that was merely an effect, not a cause.


So I'll draw my line in the sand on speculation right there, but I will say that my obvious failure was a lack of monitoring.  I wonder whether, if I hadn't been trying to travel and do all the other stuff I was doing at the time, I would have paid more attention to what was going on.  This is/will definitely be remedied and increased accordingly.


But I'll tell you one thing… I really think it would be wise to put URLScan 3 on any public-facing site you have out there.  It required some tweaking on this blog site, but so far it's making for some interesting log reading.  No matter what this turns out to be, there's enough nasty stuff out there that this is wise to do.


Next up in part two, hang on to your hats to see what fun can be had with a little RDP.
