Technical: Microsoft DNS/IIS Attack (2014-04-12)

Background

One area that I do not like to cover in a public forum is security. But in the last few days we have started noticing a sustained attack on a couple of our public-facing Windows boxes.

Attack Surface Area

Microsoft – DNS

Using Sysinternals TCPView, we are able to see repeated DNS connections.
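The same view TCPView gives, but scriptable, as an added example that is not part of the original post: list live TCP connections on the DNS (53) and HTTPS (443) ports grouped by remote address and owning process, and show which process holds the UDP port-53 socket. It uses only the NetTCPIP cmdlets that ship with Windows 8 / Server 2012 and later; the two port numbers and the count threshold are assumptions chosen to match this post.

```powershell
# Added example, not code from the original post. Requires the NetTCPIP module
# (Windows 8 / Server 2012 and later); run in an elevated PowerShell session.

function Get-PortPeerSummary {
    param(
        [int[]]$Ports = @(53, 443),   # assumption: the two ports this post is concerned with
        [int]$MinCount = 1            # only report peers with at least this many connections
    )

    # Match either side: clients hitting our DNS/IIS ports (LocalPort) or this host
    # connecting out on those ports (RemotePort), e.g. a DNS server forwarding queries.
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { ($Ports -contains $_.LocalPort) -or ($Ports -contains $_.RemotePort) }

    $conns |
        Group-Object -Property RemoteAddress, LocalPort, RemotePort |
        ForEach-Object {
            $first = $_.Group[0]
            $proc  = Get-Process -Id $first.OwningProcess -ErrorAction SilentlyContinue
            $name  = if ($proc) { $proc.ProcessName } else { "pid $($first.OwningProcess)" }
            [pscustomobject]@{
                RemoteAddress = $first.RemoteAddress
                LocalPort     = $first.LocalPort
                RemotePort    = $first.RemotePort
                Count         = $_.Count
                States        = (($_.Group | ForEach-Object { $_.State }) | Sort-Object -Unique) -join ','
                Process       = $name
            }
        } |
        Where-Object { $_.Count -ge $MinCount } |
        Sort-Object -Property Count -Descending
}

function Get-UdpListenerSummary {
    # UDP has no connection state, so for port 53 TCPView only shows the local endpoint;
    # report which process owns it so an unexpected DNS listener stands out.
    param([int[]]$Ports = @(53))
    Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            }
        }
}

# Peers with five or more simultaneous connections on 53/443, then the UDP 53 owner.
Get-PortPeerSummary -MinCount 5 | Format-Table -AutoSize
Get-UdpListenerSummary      | Format-Table -AutoSize
```

A remote address that shows up with many connections in SYN_RECEIVED or TIME_WAIT against port 443 looks very different from one established connection from a browser, so the States column is the first thing to read before deciding a peer is hostile.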

(Screenshot: DNSAttack)

Microsoft – IIS

Here is what one of our web sites looks like after the attacks:

(Screenshot: HolyBibleSearch)

Security Review

Microsoft – Event Viewer

Each entry below is Security-log Event ID 5152, "The Windows Filtering Platform has blocked a packet" (task category 12809, Filtering Platform Packet Drop). That event is written when the host firewall drops a packet, so it records traffic the box already refused, not a successful intrusion; it also carries the direction (inbound or outbound), the owning process and the protocol. Before treating a remote address as hostile, check the direction field and look up who owns the address (whois or a reverse lookup); 173.194.0.0/16, for example, is registered to Google.

Here is an attack from 173.194.64.70 targeting HTTPS/Port 443

(Screenshot: Category-12809-EventID-5152__065034PM)

Here is an attack from 173.194.64.111 targeting HTTPS/Port 443

(Screenshot: Category-12809-EventID-5152__065034PM_v2)

Here is an attack from 173.194.64.114 targeting HTTPS/Port 443

(Screenshot: Category-12809-EventID-5152__065034PM_v3)

Here is an attack from 68.87.64.106 targeting DNS/Port 53

(Screenshot: Category-12809-EventID-5152__065034PM_v3__68-87-64-196)
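Reading these events one screenshot at a time does not show how often each address is being dropped. As an added example (not part of the original post), the following parses 5152 events from their Event XML and summarises them by direction, protocol, remote address and local port. Field names (SourceAddress, DestAddress, SourcePort, DestPort, Direction, Protocol, Application) are the ones the 5152 event carries in its EventData, and Direction is the resource string %%14592 (Inbound) or %%14593 (Outbound). The sample events at the bottom are constructed to resemble the screenshots and are not real log data; the local address 192.0.2.10 and the timestamps are made up.

```powershell
# Added example, not code from the original post.

function ConvertFrom-Wfp5152 {
    # Turn one Event ID 5152 record (as [xml]) into a flat object.
    param([Parameter(ValueFromPipeline)] [xml]$EventXml)
    process {
        $data = @{}
        foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $dir = switch ($data.Direction) {
            '%%14592' { 'Inbound' }
            '%%14593' { 'Outbound' }
            default   { $data.Direction }
        }
        $proto = switch ([int]$data.Protocol) {
            6       { 'TCP' }
            17      { 'UDP' }
            default { "proto $($data.Protocol)" }
        }
        # For an inbound drop the remote peer is the source and the local port is the
        # destination port; for an outbound drop it is the other way round.
        if ($dir -eq 'Inbound') { $remote = $data.SourceAddress; $local = [int]$data.DestPort }
        else                    { $remote = $data.DestAddress;   $local = [int]$data.SourcePort }

        [pscustomobject]@{
            Time        = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
            Direction   = $dir
            Protocol    = $proto
            Remote      = $remote
            LocalPort   = $local
            Application = $data.Application
        }
    }
}

function Get-Wfp5152Summary {
    # Count drops per (direction, protocol, remote, local port) with first/last seen.
    param([Parameter(ValueFromPipeline)] $Record, [int]$MinCount = 1)
    begin   { $rows = @() }
    process { $rows += $Record }
    end {
        $rows | Group-Object Direction, Protocol, Remote, LocalPort | ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            [pscustomobject]@{
                Direction = $sorted[0].Direction
                Protocol  = $sorted[0].Protocol
                Remote    = $sorted[0].Remote
                LocalPort = $sorted[0].LocalPort
                Count     = $_.Count
                First     = $sorted[0].Time
                Last      = $sorted[-1].Time
            }
        } | Where-Object { $_.Count -ge $MinCount } | Sort-Object Count -Descending
    }
}

function New-Sample5152 {
    # Constructed test data, not a real log entry: one 5152 event in Event XML form.
    param($Time, $Dir, $Src, $SrcPort, $Dst, $DstPort, $Proto, $App = 'System')
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5152</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="ProcessId">4</Data><Data Name="Application">$App</Data>
    <Data Name="Direction">$Dir</Data>
    <Data Name="SourceAddress">$Src</Data><Data Name="SourcePort">$SrcPort</Data>
    <Data Name="DestAddress">$Dst</Data><Data Name="DestPort">$DstPort</Data>
    <Data Name="Protocol">$Proto</Data>
  </EventData>
</Event>
"@
}

# Constructed samples (192.0.2.10 stands in for the local host).
$samples = @(
    New-Sample5152 '2014-04-12T18:50:34Z' '%%14592' '173.194.64.70'  52177 '192.0.2.10'  443 6
    New-Sample5152 '2014-04-12T18:50:35Z' '%%14592' '173.194.64.70'  52178 '192.0.2.10'  443 6
    New-Sample5152 '2014-04-12T18:50:36Z' '%%14592' '173.194.64.111' 41000 '192.0.2.10'  443 6
    New-Sample5152 '2014-04-12T18:50:40Z' '%%14592' '68.87.64.106'      53 '192.0.2.10'   53 17
    New-Sample5152 '2014-04-12T18:51:02Z' '%%14593' '192.0.2.10'     49152 '203.0.113.5'  53 17 'dns.exe'
)
$samples | ConvertFrom-Wfp5152 | Get-Wfp5152Summary | Format-Table -AutoSize

# Live use on the server (Security log; needs an elevated session):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5152; StartTime=(Get-Date).AddHours(-24)} |
#     ForEach-Object { [xml]$_.ToXml() } | ConvertFrom-Wfp5152 | Get-Wfp5152Summary -MinCount 10
# Reverse lookup of a remote address that stands out:
# Resolve-DnsName -Name 173.194.64.70 -Type PTR
```

The outbound sample is there on purpose: a 5152 for an outbound UDP/53 packet owned by dns.exe means the local DNS server tried to reach a forwarder and the firewall stopped it, which is a configuration problem on this side, not an attacker. Splitting the summary by direction keeps those two cases apart.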


What to do

  • Consider a perimeter firewall
  • On individual hosts, make sure that you're running Microsoft Windows Firewall
  • On individual hosts, make sure that the DNS Server service is only running on servers that need it
  • On individual hosts, configure Microsoft IIS according to security best practices
  • On individual hosts, make sure that you're running a good, reputable anti-virus product
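A check-and-fix pass for the host firewall and DNS items in the list above, as an added example that is not part of the original post. It uses the NetSecurity cmdlets available on Windows Server 2012 and later. Whether the box really needs to serve DNS, and the 10.0.0.0/8 client range, are assumptions at the top of the script; change them before running it.

```powershell
# Added example, not code from the original post. Run in an elevated session on
# Windows Server 2012 or later (NetSecurity module).

$DnsNeeded        = $false             # assumption: this host should not be a DNS server
$DnsClientSubnets = @('10.0.0.0/8')    # assumption: if it is, only these ranges may query it

function Test-HostFirewall {
    # One row per profile: is it on, what happens to unsolicited inbound traffic,
    # and are dropped packets being logged.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName
}

function Enable-HostFirewall {
    # Turn on all three profiles, block inbound by default, and log dropped packets so the
    # Event ID 5152 entries in the Security log are backed by the firewall's own text log too.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -LogBlocked True
}

function Set-DnsServerExposure {
    param([bool]$Needed, [string[]]$AllowedSubnets)

    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue   # service name of "DNS Server"
    if (-not $svc) { return 'DNS Server service is not installed on this host' }

    if (-not $Needed) {
        # Not a DNS server: stop it now and keep it from returning after a reboot.
        Stop-Service -Name DNS -Force
        Set-Service  -Name DNS -StartupType Disabled
        return 'DNS Server service stopped and disabled'
    }

    # It is a DNS server: switch off the built-in any-source port-53 rules and replace them
    # with rules scoped to the subnets that are allowed to query this box.
    Get-NetFirewallRule -DisplayName 'DNS (*)' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "DNS ($proto) from known clients" -Direction Inbound `
            -Protocol $proto -LocalPort 53 -RemoteAddress $AllowedSubnets -Action Allow | Out-Null
    }
    return "DNS Server left running; inbound port 53 limited to $($AllowedSubnets -join ', ')"
}

'Before:'; Test-HostFirewall | Format-Table -AutoSize
Enable-HostFirewall
Set-DnsServerExposure -Needed $DnsNeeded -AllowedSubnets $DnsClientSubnets
'After:';  Test-HostFirewall | Format-Table -AutoSize
```

If the DNS Server role is installed only because it came with another role, removing it (Remove-WindowsFeature DNS) is cleaner than leaving a disabled service behind; the script stops at disabling it so that nothing is uninstalled without a decision.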


Anti-Virus

Symantec / Anti-Virus

Buzz99 has a good and freshly updated blog post @

Norton Antivirus 2014 Product Key Free 6 Months Subscription
http://www.buzz99.com/norton-antivirus-2014-product-key-free-6-months-subscription/#sthash.K5Xl2TmT.dpuf

Courtesy of the same blog post, here is the URL to the product:

http://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/IS/nav/MUI/fbook/Setup.exe

Even though the installer warns that the product has not yet been tested on Microsoft Windows 2012, it installs and works on it.


Addendum

2014-09-23

Posted a follow-up @ Technical: Microsoft – Information Integration Server (IIS) – Version 8 – Hardening\Securing ( https://danieladeniji.wordpress.com/2014/04/14/27740/ ).
