A Digital Age Deserves A Digital Leader

IIS in Vista letting in hackers?

IIS in Vista letting in hackers?

Postby T-Man1984 » Wed Feb 11, 2009 5:01 am

I've noticed lately most of the time I open IE to browse, I have to close and reopen it several times before it connects. My wife's PC is doing the same thing.

I got to checking in the router and happened across the security log.

I set up IIS to share some of my photos. I have disabled it as of now. Can someone tell me what this logfile means?

----------------------------------------

02/10/2009 20:51:50 192.168.2.2 login success
02/10/2009 20:46:19 **SYN Flood to Host** 192.168.2.2, 63495->> 208.109.14.77, 80 (from WAN Outbound)
02/10/2009 20:41:43 **SYN Flood to Host** 192.168.2.2, 62845->> 66.211.176.11, 80 (from WAN Outbound)
02/10/2009 20:36:42 **TCP FIN Scan** 66.211.176.11, 80->> 192.168.2.2, 61182 (from WAN Inbound)
02/10/2009 20:23:52 NTP Date/Time updated.
02/10/2009 20:23:19 DHCP Client: Receive Ack from 172.31.35.248, 'Lease time'=604800
02/10/2009 20:23:19 DHCP Client: Domain name = wowway.com
02/10/2009 20:23:19 DHCP Client: Send Request, Request IP=65.60.131.213
02/10/2009 19:58:28 **TCP FIN Scan** 192.168.2.2, 58897->> 72.167.183.18, 80 (from WAN Outbound)
02/10/2009 19:54:23 **SYN Flood to Host** 192.168.2.2, 58551->> 63.131.45.111, 80 (from WAN Outbound)
02/10/2009 17:33:41 sending ACK to 192.168.2.3
02/10/2009 17:30:13 sending ACK to 192.168.2.3
02/10/2009 17:01:23 sending ACK to 192.168.2.3
02/10/2009 17:01:20 sending ACK to 192.168.2.3
02/10/2009 16:30:23 **UDP Flood Stop** (from WAN Outbound)
02/10/2009 16:30:11 **UDP flood** 192.168.2.2, 39146->> 75.66.144.42, 43882 (from WAN Outbound)
02/10/2009 16:30:11 **UDP flood** 192.168.2.2, 39146->> 24.186.246.26, 37703 (from WAN Outbound)
02/10/2009 16:30:10 **UDP flood** 192.168.2.2, 39146->> 89.212.199.243, 50852 (from WAN Outbound)
02/10/2009 16:30:10 **UDP flood** 192.168.2.2, 39146->> 68.104.168.87, 46436 (from WAN Outbound)
02/10/2009 16:30:10 **UDP flood** 192.168.2.2, 39146->> 142.162.59.141, 45871 (from WAN Outbound)
02/10/2009 16:30:10 **UDP flood** 192.168.2.2, 39146->> 69.134.226.65, 11609 (from WAN Outbound)
02/10/2009 16:30:09 **UDP flood** 192.168.2.2, 39146->> 70.162.154.28, 11065 (from WAN Outbound)
02/10/2009 16:30:06 **UDP flood** 192.168.2.2, 39146->> 75.109.144.209, 36351 (from WAN Outbound)
02/10/2009 16:30:04 **UDP flood** 192.168.2.2, 39146->> 75.37.62.156, 40519 (from WAN Outbound)
02/10/2009 16:30:03 **UDP flood** 192.168.2.2, 39146->> 24.101.218.68, 39913 (from WAN Outbound)
02/10/2009 16:30:03 **UDP flood** 192.168.2.2, 39146->> 24.241.229.203, 25388 (from WAN Outbound)
02/10/2009 16:29:04 **UDP flood** 192.168.2.3, 64360->> 65.55.158.80, 3544 (from WAN Outbound)
02/10/2009 16:28:58 **UDP flood** 24.110.76.41, 6346->> 192.168.2.2, 39146 (from WAN Inbound)
02/10/2009 16:28:58 **UDP flood** 76.19.31.41, 3190->> 192.168.2.2, 39146 (from WAN Inbound)
02/10/2009 16:28:58 **UDP flood** 24.144.224.169, 46210->> 192.168.2.2, 39146 (from WAN Inbound)
02/10/2009 16:28:58 **UDP flood** 173.20.85.42, 45371->> 192.168.2.2, 39146 (from WAN Inbound)
02/10/2009 16:28:58 **UDP flood** 24.222.42.128, 6346->> 192.168.2.2, 39146 (from WAN Inbound)
02/10/2009 16:28:58 **UDP flood** 70.121.128.115, 44625->> 192.168.2.2, 39146 (from WAN Inbound)
02/10/2009 16:28:58 **UDP flood** 69.126.8.165, 11813->> 192.168.2.2, 39146 (from WAN Inbound)
02/10/2009 16:28:58 **UDP flood** 24.58.47.2, 30578->> 192.168.2.2, 39146 (from WAN Inbound)
02/10/2009 16:28:58 **UDP flood** 192.168.2.2, 39146->> 99.251.254.157, 50423 (from WAN Outbound)
02/10/2009 16:28:58 **UDP flood** 192.168.2.2, 39146->> 99.234.41.158, 34859 (from WAN Outbound)
02/10/2009 16:28:58 **UDP flood** 192.168.2.2, 39146->> 99.240.232.136, 2037 (from WAN Outbound)
02/10/2009 16:28:57 **UDP flood** 192.168.2.2, 39146->> 24.144.163.91, 51085 (from WAN Outbound)
02/10/2009 16:28:57 **UDP flood** 192.168.2.2, 39146->> 72.219.4.216, 10193 (from WAN Outbound)
02/10/2009 16:28:57 **UDP flood** 192.168.2.2, 39146->> 65.92.120.250, 13083 (from WAN Outbound)
02/10/2009 16:01:20 **TCP FIN Scan** 192.168.2.2, 54225->> 208.111.160.107, 80 (from WAN Outbound)
02/10/2009 15:27:50 **TCP FIN Scan** 192.168.2.2, 52713->> 64.28.75.214, 80 (from WAN Outbound)
02/10/2009 15:27:19 **TCP FIN Scan** 192.168.2.2, 52607->> 208.45.133.11, 80 (from WAN Outbound)
02/10/2009 14:23:50 NTP Date/Time updated.
02/10/2009 12:41:08 sending ACK to 192.168.2.3
02/10/2009 12:40:03 sending ACK to 192.168.2.3
02/10/2009 12:39:03 sending ACK to 192.168.2.3
02/10/2009 12:33:38 sending ACK to 192.168.2.3
02/10/2009 12:31:48 sending ACK to 192.168.2.3
02/10/2009 12:31:09 sending ACK to 192.168.2.3
02/10/2009 11:46:17 sending ACK to 192.168.2.3
02/10/2009 11:39:43 sending ACK to 192.168.2.3
02/10/2009 11:38:38 sending ACK to 192.168.2.3
02/10/2009 11:36:27 sending ACK to 192.168.2.3
02/10/2009 11:26:32 sending ACK to 192.168.2.3
02/10/2009 11:24:58 sending ACK to 192.168.2.3
02/10/2009 11:22:45 sending ACK to 192.168.2.3
02/10/2009 11:21:26 sending ACK to 192.168.2.3
02/10/2009 11:19:42 sending ACK to 192.168.2.3
02/10/2009 11:15:09 sending ACK to 192.168.2.3
02/10/2009 11:12:27 sending ACK to 192.168.2.3
02/10/2009 08:23:48 NTP Date/Time updated.
02/10/2009 04:33:13 **TCP FIN Scan** 192.168.2.2, 52410->> 208.45.133.12, 80 (from WAN Outbound)
02/10/2009 02:23:46 NTP Date/Time updated.
02/09/2009 21:03:34 **TCP FIN Scan** 66.135.200.11, 80->> 192.168.2.2, 64218 (from WAN Inbound)
02/09/2009 20:23:44 NTP Date/Time updated.
02/09/2009 20:08:52 **TCP FIN Scan** 208.88.227.4, 80->> 192.168.2.2, 61181 (from WAN Inbound)
02/09/2009 19:47:57 **SYN Flood to Host** 192.168.2.2, 60046->> 72.26.192.36, 80 (from WAN Outbound)
02/09/2009 19:36:50 **TCP FIN Scan** 192.168.2.2, 59301->> 208.109.14.77, 80 (from WAN Outbound)
02/09/2009 19:02:10 sending ACK to 192.168.2.3
02/09/2009 18:43:58 sending ACK to 192.168.2.3
02/09/2009 18:41:33 sending ACK to 192.168.2.3
02/09/2009 18:41:25 sending ACK to 192.168.2.3
02/09/2009 18:41:22 sending ACK to 192.168.2.3
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57330->> 205.234.218.130, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57314->> 205.234.218.98, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57290->> 205.234.218.91, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57282->> 63.135.80.72, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57296->> 205.234.218.128, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57266->> 205.234.218.74, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57269->> 205.234.218.107, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57210->> 216.178.38.222, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57264->> 205.234.218.145, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57250->> 81.52.134.10, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57248->> 81.52.134.17, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57326->> 205.234.218.129, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57187->> 74.125.19.155, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57339->> 216.178.33.43, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57308->> 63.135.80.55, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57355->> 81.52.134.18, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57347->> 209.85.225.127, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57345->> 81.52.134.11, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57332->> 205.234.218.89, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57228->> 205.234.218.81, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57301->> 205.234.218.136, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57292->> 81.52.134.24, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57286->> 205.234.218.75, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57240->> 63.135.80.48, 80 (from WAN Outbound)
02/09/2009 18:02:01 **TCP FIN Scan** 192.168.2.3, 57268->> 205.234.218.131, 80 (from WAN Outbound)
02/09/2009 17:58:41 **TCP FIN Scan** 63.217.8.80, 80->> 192.168.2.2, 56076 (from WAN Inbound)
02/09/2009 16:44:23 **TCP FIN Scan** 208.51.221.83, 80->> 192.168.2.2, 54819 (from WAN Inbound)
02/09/2009 14:23:42 NTP Date/Time updated.
02/09/2009 09:48:11 sending ACK to 192.168.2.3
02/09/2009 08:23:39 NTP Date/Time updated.
02/09/2009 06:46:21 sending ACK to 192.168.2.3
02/09/2009 06:44:23 sending ACK to 192.168.2.3
02/09/2009 04:32:55 **TCP FIN Scan** 63.135.80.50, 80->> 192.168.2.3, 51461 (from WAN Inbound)
02/09/2009 04:32:55 **TCP FIN Scan** 216.178.33.119, 80->> 192.168.2.3, 51467 (from WAN Inbound)
02/09/2009 04:32:55 **TCP FIN Scan** 208.65.153.253, 80->> 192.168.2.3, 51475 (from WAN Inbound)
02/09/2009 04:32:55 **TCP FIN Scan** 216.178.33.26, 80->> 192.168.2.3, 51464 (from WAN Inbound)
02/09/2009 04:32:55 **TCP FIN Scan** 216.178.39.217, 80->> 192.168.2.3, 51443 (from WAN Inbound)
02/09/2009 04:32:55 **TCP FIN Scan** 216.178.33.49, 80->> 192.168.2.3, 51441 (from WAN Inbound)
02/09/2009 04:32:55 **TCP FIN Scan** 63.135.80.83, 80->> 192.168.2.3, 51403 (from WAN Inbound)
02/09/2009 04:32:55 **TCP FIN Scan** 216.178.33.42, 80->> 192.168.2.3, 51392 (from WAN Inbound)
02/09/2009 04:32:55 **TCP FIN Scan** 216.178.33.43, 80->> 192.168.2.3, 51382 (from WAN Inbound)
02/09/2009 04:32:55 **TCP FIN Scan** 216.178.32.25, 80->> 192.168.2.3, 51397 (from WAN Inbound)
02/09/2009 04:32:55 **TCP FIN Scan** 216.178.38.116, 80->> 192.168.2.3, 51372 (from WAN Inbound)
02/09/2009 04:32:55 **TCP FIN Scan** 216.178.33.47, 80->> 192.168.2.3, 51407 (from WAN Inbound)
02/09/2009 04:32:55 **TCP FIN Scan** 72.233.86.254, 80->> 192.168.2.3, 51445 (from WAN Inbound)
02/09/2009 04:32:24 **TCP FIN Scan** 205.234.225.128, 80->> 192.168.2.2, 52999 (from WAN Inbound)
02/09/2009 04:31:19 **SYN Flood to Host** 192.168.2.2, 52817->> 208.45.133.10, 80 (from WAN Outbound)
02/09/2009 02:23:37 NTP Date/Time updated.
02/08/2009 20:57:28 **SYN Flood to Host** 192.168.2.2, 64260->> 206.82.205.5, 80 (from WAN Outbound)
02/08/2009 20:36:03 **TCP FIN Scan** 192.168.2.2, 63171->> 74.125.19.190, 80 (from WAN Outbound)
02/08/2009 20:36:03 **TCP FIN Scan** 192.168.2.2, 63231->> 74.125.19.91, 80 (from WAN Outbound)
02/08/2009 20:36:03 **TCP FIN Scan** 192.168.2.2, 63132->> 74.125.19.93, 80 (from WAN Outbound)
02/08/2009 20:23:35 NTP Date/Time updated.
02/08/2009 20:12:09 **SYN Flood to Host** 192.168.2.2, 62362->> 204.14.93.181, 80 (from WAN Outbound)
02/08/2009 18:32:07 sending ACK to 192.168.2.3
02/08/2009 18:32:03 sending ACK to 192.168.2.3
02/08/2009 18:04:42 **TCP FIN Scan** 192.168.2.3, 64157->> 81.52.130.153, 80 (from WAN Outbound)
02/08/2009 18:04:42 **TCP FIN Scan** 192.168.2.3, 64145->> 216.178.33.119, 80 (from WAN Outbound)
02/08/2009 18:04:42 **TCP FIN Scan** 192.168.2.3, 64137->> 98.27.88.80, 80 (from WAN Outbound)
02/08/2009 18:04:42 **TCP FIN Scan** 192.168.2.3, 64143->> 216.178.33.26, 80 (from WAN Outbound)
02/08/2009 18:04:42 **TCP FIN Scan** 192.168.2.3, 64135->> 98.27.88.63, 80 (from WAN Outbound)
02/08/2009 18:04:42 **TCP FIN Scan** 192.168.2.3, 64155->> 63.135.80.81, 80 (from WAN Outbound)
02/08/2009 18:04:42 **TCP FIN Scan** 192.168.2.3, 64127->> 63.135.80.50, 80 (from WAN Outbound)
02/08/2009 18:04:42 **TCP FIN Scan** 192.168.2.3, 64141->> 208.65.153.238, 80 (from WAN Outbound)
02/08/2009 18:04:42 **TCP FIN Scan** 192.168.2.3, 64161->> 81.52.130.161, 80 (from WAN Outbound)
02/08/2009 18:04:42 **TCP FIN Scan** 192.168.2.3, 64118->> 98.27.88.17, 80 (from WAN Outbound)
02/08/2009 18:04:42 **TCP FIN Scan** 192.168.2.3, 64117->> 98.27.88.57, 80 (from WAN Outbound)
02/08/2009 17:12:46 sending ACK to 192.168.2.3
02/08/2009 17:12:04 sending ACK to 192.168.2.3
02/08/2009 16:45:30 **TCP FIN Scan** 192.168.2.2, 59945->> 66.114.49.20, 80 (from WAN Outbound)
02/08/2009 16:45:30 **TCP FIN Scan** 192.168.2.2, 59857->> 85.31.206.153, 80 (from WAN Outbound)
02/08/2009 16:44:21 **SYN Flood to Host** 192.168.2.2, 59743->> 81.52.134.11, 80 (from WAN Outbound)
02/08/2009 16:43:30 **SYN Flood to Host** 192.168.2.2, 59516->> 80.12.96.107, 80 (from WAN Outbound)
02/08/2009 15:35:47 sending ACK to 192.168.2.3
02/08/2009 15:35:10 sending ACK to 192.168.2.3
02/08/2009 14:54:25 **TCP FIN Scan** 63.135.80.50, 80->> 192.168.2.2, 58367 (from WAN Inbound)
02/08/2009 14:54:25 **TCP FIN Scan** 216.178.33.43, 80->> 192.168.2.2, 58427 (from WAN Inbound)
02/08/2009 14:54:25 **TCP FIN Scan** 216.178.33.26, 80->> 192.168.2.2, 58387 (from WAN Inbound)
02/08/2009 14:54:25 **TCP FIN Scan** 208.117.236.70, 80->> 192.168.2.2, 58383 (from WAN Inbound)
02/08/2009 14:54:25 **TCP FIN Scan** 216.178.33.49, 80->> 192.168.2.2, 58425 (from WAN Inbound)
02/08/2009 14:54:25 **TCP FIN Scan** 216.178.33.119, 80->> 192.168.2.2, 58389 (from WAN Inbound)
02/08/2009 14:54:25 **TCP FIN Scan** 216.178.33.52, 80->> 192.168.2.2, 58323 (from WAN Inbound)
02/08/2009 14:54:25 **TCP FIN Scan** 63.135.80.81, 80->> 192.168.2.2, 58419 (from WAN Inbound)
02/08/2009 14:54:25 **TCP FIN Scan** 69.22.138.137, 80->> 192.168.2.2, 58385 (from WAN Inbound)
02/08/2009 14:54:25 **TCP FIN Scan** 216.178.39.217, 80->> 192.168.2.2, 58325 (from WAN Inbound)
PRO Level 6
User avatar
Posts: 231
Joined: Thu Sep 26, 2002 12:27 am
Location: Ohio
Real Name: Justin Spafford

Re: IIS in Vista letting in hackers?

Postby Absolute-Zero » Wed Feb 11, 2009 9:56 am

Looking at it initially, there's a lot of references to "UDP Flood". However, the majority of these are outgoing connections from UDP Port 39146 on the machine at 192.168.2.2. There's a couple of inbound connections back to that IP and port, I'm guessing they're responses back from the outgoing requests.
There's also a lot of TCP FIN Scan entries outbound from that IP. In fact, there's more than twice the amount of outgoing connections as there are inbound ones listed in your log extract. You might want to check that machine (192.168.2.2) out to see what it's doing. You can download TCP monitoring software such as TCP View from Sysinternals that'll enumerate all open TCP and UDP connections and identify the processes that are open these connections.

The TCP FIN Scan (WAN Inbound) could show that your machines are being scanned for open ports. I'm guessing you've got (had) port 80 open on your firewall to allow web access to the machine hosting IIS? Is it just open to the one machine or is it a "blanket allow", where port 80 is open to all machines downstream of the firewall?
It's possible, I guess, that your connection is being slowed down by responses to these TCP FIN requests. Do you have a bandwidth or traffic monitoring facility on your firewall which you can use to check how much bandwidth is being utilised in realtime?
Image
PROfessional Member
User avatar
Posts: 2495
Joined: Sat Jun 26, 2004 2:46 pm
Location: Forever blowing bubbles...
Real Name: Dan

Re: IIS in Vista letting in hackers?

Postby T-Man1984 » Wed Feb 11, 2009 1:43 pm

The computer with the 2.2 IP is my computer which is hosting the fileshares. What concerned me is I randomly picked a couple of the IP's listed and did a whois on them. Both places I've never heard of and one is in another country.

I had to open the port on the router, but it is only for my ip address, 2.2. Is there some other type of security I need to install to keep hackers from targeting my machine and or being able to do any damage. I want to head it off before it happens.

Thanks!
PRO Level 6
User avatar
Posts: 231
Joined: Thu Sep 26, 2002 12:27 am
Location: Ohio
Real Name: Justin Spafford

Re: IIS in Vista letting in hackers?

Postby Absolute-Zero » Wed Feb 11, 2009 1:54 pm

Opening ports to the outside world will always invite people to try and have a pop at them, unfortunately. The IPs you did a whois lookup on most probably stumbled upon your machine whilst doing an automated portscan of your ISP's IP ranges, trying to find machines that have publicly accessible ports, such as 80 for http, open.

Most server infiltrations take place via common exploits in existing code. Providing the machine you're running IIS on is patched and the directory permissions are sound (non writable via IIS, for example) then there's no real reason as to why the 'hackers' would be able to get to your machine. You could always shore up your defences by running some sort of intrusion detection/prevention software on the machine that drops packets it recognises as being malicious.
Image
PROfessional Member
User avatar
Posts: 2495
Joined: Sat Jun 26, 2004 2:46 pm
Location: Forever blowing bubbles...
Real Name: Dan

Return to Security & Virus

Who is online

Users browsing this forum: No registered users and 8 guests

cron
cron