Error Event 560 - attack?

on 17.10.2007 21:35:29 by jardinec

I have noticed that on some of our web servers we are getting hit with
this error thousands of times a day. Each time it seems to have about
100 hits within 1 second.

Object Open:
Object Server: Security
Object Type: File
Object Name: D:\
Handle ID: -
Operation ID: {0,74285651}
Process ID: 3936
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: IUSR_LAMBEAU
Client Domain: LAMBEAU
Client Logon ID: (0x0,0x442FE77)
Accesses: SYNCHRONIZE
ReadData (or ListDirectory)

Privileges: -
Restricted Sid Count: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I have looked and we probably have at least 50 sites that seem to be
using this Process ID and I have not been able to find anything at the
times in question in any of the logs for any of the sites. I might be
missing some and I may have overlooked something.

Has anyone else seen this kind of thing and what can/should be done
about it?

Thanks,
Chris Jardine

Re: Error Event 560 - attack?

on 18.10.2007 05:53:53 by David Wang

On Oct 17, 12:35 pm, jardi...@solarus.net wrote:
> [...]


It sounds like you have enabled auditing that is spewing a lot of
false errors due to your system configuration, such as described at:
http://support.microsoft.com/kb/841001

Is there a specific concern you have about the event? It doesn't look
like an attack and looks like something you can configure to stop.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Error Event 560 - attack?

on 18.10.2007 16:21:10 by jardinec

On Oct 17, 10:53 pm, David Wang wrote:
> [...]

I guess that my concern is that there is something using the IUSR_...
User from IIS to access something in the Root of the D (Data) drive on
this machine. I realize that I can shut off the messages, but I am
concerned that there may be some kind of attack/vulnerability being
exploited and that it may end up compromising security.

Thanks,
Chris Jardine

Re: Error Event 560 - attack?

on 18.10.2007 22:10:25 by David Wang

On Oct 18, 7:21 am, jardi...@solarus.net wrote:
> [...]


Actually, you are misreading the audit event.

It's common, so don't worry about it. The event log message says that
the IIS worker process has REQUESTED permission for IUSR to list and
read data from the root of D: drive.

It does not mean that something is ACTUALLY using IUSR to read data
from the root of D: drive.

Tiny but important distinction.

IIS will perform AccessCheck(), so *even if* IUSR attempts to use this
handle to access data, it will still have to go through NTFS. And
that's the real security you should worry about and not necessarily
event 560.

http://blogs.msdn.com/ericfitz/archive/2006/03/07/545726.aspx


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Error Event 560 - attack?

on 18.10.2007 23:24:25 by jardinec

On Oct 18, 3:10 pm, David Wang wrote:
> [...]

I did check a little further and I found that I do not have a policy
set up to log those events. The server is not a member of a domain, so
the only place I knew to check was the local machine policy.

Having said that, my concern with this is: why is IIS checking D:\
(since the wwwroot is set to something a bit further in)? I have a
number of other web servers (some are members of a domain) that have
absolutely no event 560s in their security logs, and they have the
same policy for logging the events (disabled).

If I'm missing something here, I'd really like to know about it.

Thanks,
Chris Jardine

Re: Error Event 560 - attack?

on 19.10.2007 02:06:43 by David Wang

On Oct 18, 2:24 pm, jardi...@solarus.net wrote:
> [...]


Are the other web servers also running the same 50 websites?

You are running lots of non-IIS code from those 50 websites in the
same worker process. Maybe some of those 50 websites have code that is
trying to open D:\ for whatever reason. That would show up on this
audit as a part of w3wp.exe even though IIS has nothing to do with the
request for permission.

We won't know what website or application because Windows Audit is by
process. IIS uses threads of a process to execute requests for a site
within the process, so you literally have no way to figure out which
of the 50 websites is asking for permission and triggering the audit
event, and there is no way for IIS to report the site for the audit...

I think your concern is actually "why are my 50 websites checking on
D:\" and NOT "why is IIS checking D:\" -- especially if you have
evidence that other IIS servers are not checking D:\


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
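
As an added example (not code from the thread or from any of its posters), the triage below puts David's two points into practice: a 560 record only tells you what access was requested when w3wp.exe opened a handle, on which object, as which client account, and how often; and because the audit is per process, those fields are all you can group by. The script parses records in the text layout quoted in the thread, groups them by image, object, client and requested accesses, flags seconds in which many opens were audited (the poster's "about 100 hits within 1 second"), and separates read/list requests from requests that asked for write, delete or ACL access. Everything in the input is constructed for the example: the `--- <timestamp> ---` line in front of each record is an assumed export format, not part of the event text, and the sample records, the 50-per-second burst threshold and the `D:\sites\shop\upload.asp` write record are made up to exercise the code.

```python
"""Triage of Windows Security log event 560 ("Object Open") records.
Added example, not code from the thread: parse 560 records in the text layout
quoted above, group them by image, object, client and requested accesses, and
flag one-second bursts like the "about 100 hits within 1 second" reported.
The records and the "--- <timestamp> ---" separator are constructed here."""
import re
from collections import Counter
from datetime import datetime, timedelta

# The thread's record layout, trimmed to the fields this triage uses. The
# timestamp line is an assumption about the export format, not 560 text.
RECORD_TEMPLATE = """--- {ts} ---
Object Open:
Object Name: {obj}
Handle ID: {handle}
Image File Name: C:\\WINDOWS\\system32\\inetsrv\\w3wp.exe
Primary User Name: NETWORK SERVICE
Client User Name: {client}
Accesses: {first_access}
{other_accesses}

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"""
SEP_RE = re.compile(r"^--- (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ---$")
FIELD_RE = re.compile(r"^([A-Za-z ]+):(?:\s+(.*))?$")  # "Key: value", never a URL

# Access names as spelled in 560 events: the first set reads or lists only,
# anything in the second set would change data or ACLs.
READ_LIKE = {"SYNCHRONIZE", "ReadData (or ListDirectory)", "ReadAttributes",
             "ReadEA", "READ_CONTROL", "Execute/Traverse"}
WRITE_LIKE = {"WriteData (or AddFile)", "WriteAttributes", "WriteEA", "DELETE",
              "AppendData (or AddSubdirectory or CreatePipeInstance)",
              "WRITE_DAC", "WRITE_OWNER"}

def make_record(ts, obj, client, accesses, handle="-"):
    """Render one constructed record in the thread's layout."""
    return RECORD_TEMPLATE.format(
        ts=ts.strftime("%Y-%m-%d %H:%M:%S"), obj=obj, handle=handle,
        client=client, first_access=accesses[0],
        other_accesses="\n".join(accesses[1:]))

def parse_events(text):
    """One dict per record; 'Accesses' becomes a tuple. Lines after 'Accesses:'
    with no 'Key:' prefix ('ReadData (or ListDirectory)') continue that field."""
    events, cur, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if sep := SEP_RE.match(line):
            cur = {"time": datetime.strptime(sep.group(1), "%Y-%m-%d %H:%M:%S"),
                   "Accesses": []}
            events.append(cur)
            last_key = None
        elif cur is None or not line or line.startswith("For more information"):
            last_key = None
        elif field := FIELD_RE.match(line):
            key, val = field.group(1), field.group(2) or ""
            if key == "Accesses":
                cur["Accesses"].append(val)
            else:
                cur[key] = val
            last_key = key
        elif last_key == "Accesses":
            cur["Accesses"].append(line)
    for e in events:
        e["Accesses"] = tuple(e["Accesses"])
    return events

def classify(event):
    """Label what the handle open asked for. The access mask is all a 560
    records; it does not say whether any data was then read or written."""
    acc = set(event["Accesses"])
    if acc & WRITE_LIKE:
        return "write"
    return "read/list" if acc and acc <= READ_LIKE else "other"

def summarize(events):
    """Volume per (image, object, client, accesses): who asked for what."""
    return Counter((e.get("Image File Name"), e.get("Object Name"),
                    e.get("Client User Name"), e["Accesses"]) for e in events)

def bursts(events, threshold=50):
    """Seconds with at least `threshold` opens. Event-log timestamps have
    one-second resolution, so a burst is simply records sharing a second."""
    per_second = Counter(e["time"] for e in events)
    return sorted((t, n) for t, n in per_second.items() if n >= threshold)

def build_sample_log():
    """Constructed input: a 120-record one-second burst of read/list opens on
    D:\\ by IUSR_LAMBEAU (the thread's pattern), three stragglers, one write."""
    t0 = datetime(2007, 10, 17, 21, 35, 29)
    read = ["SYNCHRONIZE", "ReadData (or ListDirectory)"]
    recs = [make_record(t0, "D:\\", "IUSR_LAMBEAU", read) for _ in range(120)]
    recs += [make_record(t0 + timedelta(minutes=7), "D:\\", "IUSR_LAMBEAU", read)
             for _ in range(3)]
    recs.append(make_record(t0 + timedelta(minutes=9), "D:\\sites\\shop\\upload.asp",
                            "IUSR_LAMBEAU", ["WriteData (or AddFile)", "SYNCHRONIZE"],
                            handle="1764"))
    return "\n".join(recs)

if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    print(summarize(evs).most_common(3), bursts(evs))
```

On the constructed input the 123 read/list opens of D:\ collapse into one summary row with a count and one burst entry, while the single write request stands out as its own row; on a real export the rows worth chasing are write requests and objects outside the web roots, not the volume of a single read/list row. What the script cannot do is map a row back to one of the 50 sites: the event carries the process and the client account, not the site, which is the limitation David describes.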

Re: Error Event 560 - attack?

on 08.11.2007 00:13:01 by lansvcs

I have followed 841001 Method 2 on the servers in question and have also
made the same setting in a GPO applied to the OU the servers reside in, and I
still get the 560 and 562 entries in the event viewers of all the servers in
the OU with the domain audit object access turned on. I do want to audit
changes to one folder and files on one of these servers but don't want my
security log filled with these events. Any idea why this does not seem to be
working as the KB says it should?

thanks

Ed

"David Wang" wrote:
> [...]