IIS Log File

Brian

I found a log file on my system today for IIS6, the trouble being I don't
have and never have had IIS6 installed on my computer. The file itself is
quite lengthy, but I'm troubled because there are parts referencing, among
other things, SNMP.

Should I be concerned about a compromise to my system, or is this a normal
occurrence? Any help would be greatly appreciated. Also, I can send the
logfile to anyone who would like to take a look, just didn't know if I could
attach it directly to my post.

Thank you
 
Hi Brian,

I am not sure what you are looking at, but you posted to an
XP newsgroup, so should I assume this is on XP?
IIS 6 only runs on Windows Server 2003, and SNMP has
nothing to do with IIS.

Try looking in the advanced dialog within the Security tab
in the properties of the file (in Home you would have to be
in a safe mode boot for this), and in there click on the Owner
tab and see what account created the file.

Roger
 
Sorry about the lack of information from me, but yes, I am running Windows
XP Professional. The reason this seemed strange in the first place is
because I knew that I didn't have IIS 6 on XP, so this log file of activity
seemed odd. The SNMP stood out to me because of the remote access
possibilities.

I looked at the security tab under the advanced tab to find the owner of the
file and it is currently owned by the Administrators group. Below this it asks
if I would like to change it.... it gives two choices:
Administrator group
Administrators group

Is that any help?
 
All we know is that you have a file on the system
that was created by some of the admin accounts,
and which you do not recognize.
Not really much to go on.
I would start by changing the passwords of every account
listed by start / run
net localgroup administrators
and then thoroughly scanning the system for backdoor signs.
 
OK, the passwords are changed and very strong, and I am running Norton
Antivirus 2004 as we speak. Should I run a more specific trojan program,
like the cleaner? Also, did you want me to email a copy of the original
IIS6.log file I was talking about?

And just to help things move, I am also running Adaware and Spybot S&D
daily, and I do have a firewall in place, although it's part of my 2Wire
router. There were quite a few port, TCP, and UDP scans yesterday
and the day before from a remote port 666, which I don't believe is good.

So if I should run any other anti-trojan as of now please let me know, and
thanks again for helping me like this.

Brian
 
Adaware and Spybot scans are good to have done.
How did they come out?

If you are clean to malware scans, the only other thing
you could do is inventory what services are running and
what is starting up other than as a service (msconfig).
It is very hard to "certify" a system is healthy once one
knows it "may" have been compromised. However,
if you have taken control of all accounts and have the firewall
up (you did check what it allows to come in within its defs?),
there is little that can hurt you except for things that are running
on the system that might open a connection outwards (and most
trojan malware does not do this, but rather waits for the "owner"
to come asking to get in).

I do not believe much could be learned from the file, which
seems to have not originated on your system.
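
The checks suggested across this thread (file owner, members of the administrators group, running services, startup items, open connections), collected into one PowerShell script as an added example; it is not code from any poster. It assumes PowerShell 3.0 or later for Get-CimInstance (on older systems Get-WmiObject accepts the same class names), and the file path is a placeholder.

```powershell
# Added example: triage inventory following the steps suggested in this thread.
# $SuspectFile is a hypothetical placeholder; point it at the unexplained file.
param(
    [string]$SuspectFile = 'C:\path\to\IIS6.log'   # placeholder, not from the thread
)

# 1. Owner and timestamps of the unexplained file (the Owner tab, from the shell).
if (Test-Path -LiteralPath $SuspectFile) {
    $item = Get-Item -LiteralPath $SuspectFile
    [pscustomobject]@{
        Path     = $item.FullName
        Owner    = (Get-Acl -LiteralPath $SuspectFile).Owner
        Created  = $item.CreationTime
        Modified = $item.LastWriteTime
    } | Format-List
} else {
    Write-Warning "File not found: $SuspectFile"
}

# 2. Accounts whose passwords should be changed: members of local Administrators.
net localgroup administrators

# 3. Running services, with the binary and logon account behind each one.
Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' } |
    Sort-Object Name |
    Select-Object Name, StartMode, StartName, PathName |
    Format-Table -AutoSize -Wrap

# 4. Items that start other than as a service (what msconfig's Startup tab lists).
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize -Wrap

# 5. Listening and established TCP connections with owning process IDs,
#    to compare against what the firewall is configured to allow.
netstat -ano | Select-String 'LISTENING|ESTABLISHED'
```

Run it from an elevated prompt and save the output, so a later run can be compared against it for new services, startup entries or listeners.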
 