Re: Interpretation of CSIDS alarms

kynesedgman · ‎05-12-2002

Dear All,

New to the world of IDS I am seeking assistance in the interpretation of a swarm of alarms noted in the logs last week.

I have a bank of 8 IIS servers and a 4230 sensor sitting behind a PIX firewall. On any given day I will see a few hundred attempted attacks using the IIS Unicode exploit or WinNT cmd.exe access.

On one certain day I saw hundreds of thousands of such alarms. The source IP address was that of one of the IIS servers on port 80, while the destination address and port varied across a gamet of addresses and ports.

I figured that an attacker had attempted a DoS attack by spoofing the source address of an internal server (believable since I do not yet have the public interface of the PIX configured to drop packets with internal source addresses). However, I am told that it is very difficult to spoof such an IIS response so my initial assumption may be wrong.

How would others interpret seeing such traffic?

Thanks,

Kyne.

marcabal · ‎05-12-2002

It is possible that you are under attack or may have even been compromised by a virus.

Nimda is one such virus that attacks IIS web servers using the IIS Unicode exploit or WinNT cmd.exe access, and there are several more that use similar methods for propogating themselves.

Be sure you have loaded the latest IIS Security Patches on your web server, and be sure your Anti-Virus software is up to date. Scan your web server with the latest antivirus to determine if you've been infected.