Using IIS logs for fun and malware profit!

On an intrusion I was investigating last year, I was given access to the IIS logs of a public-facing web server that had been compromised via SQL injection; the intruder then used that SQL injection as a pivot point into the rest of the network (more on this in another post).

I wanted to start reviewing the IIS logs. Because the logs contained a lot of URL-encoded traffic, the first thing I did was run them through this simple Python script to unquote every line and make them a little easier to read:

#!/usr/bin/env python
try:
    from urllib import unquote        # Python 2, as in the original
except ImportError:
    from urllib.parse import unquote  # Python 3
# IIS logs the request percent-encoded; decode each line so the injected SQL reads as typed
with open("/home/investigate/case111/weblogs/iislogs.txt", "r") as log, \
     open("/home/investigate/case111/weblogs/iislogs_unquoted.txt", "w") as log_unquoted:
    for line in log:
        log_unquoted.write(unquote(line))

While manually reviewing the unquoted logs I saw an entry that contained the following:
exec master.dbo.xp_cmdshell 'echo gg=^"4D5A … ^"_>> C:\dir\fg.vbs';exec …

First you might notice the xp_cmdshell: yup, this host was vulnerable to SQL injection and xp_cmdshell was enabled (yes, I know it's bad, but hey, I was the responder, don't shoot the messenger).
You might also notice the 4D5A: those are the ASCII bytes "MZ", the magic number at the start of DOS and Windows PE executables. Each of these commands appends one hex chunk to C:\dir\fg.vbs, so to me this looked like the attacker was uploading an exe through the web server a chunk at a time. I wondered whether we would be able to extract what the attacker uploaded from the logs alone.

I decided to grep for every line in the file that contained fg.vbs and write those lines to a text file:
grep "fg.vbs" iislogs_unquoted.txt > fg.vbs.txt
I then used awk to print the 11th field of those lines, which in this log held the hex data for the exe they were attempting to upload. The field number is specific to this log and this injection: decoding turns the attacker's encoded spaces into real spaces, which splits the query string across extra columns, so count against your own decoded lines rather than trusting the #Fields header.

awk '{print $11}' fg.vbs.txt > fg.txt

I then used a global search and replace in vi to remove the ^" from the beginning and the ^"_ from the end of every line.
This gave me a text file full of hex. Because the attacker appended each chunk with >>, the order of the lines in the log is the order of the bytes in the file, so the lines have to stay in chronological order. I then copied the hex and pasted it into a hex editor and saved the result as fg.exe; checking that the file starts with MZ is a quick sanity check that no chunk was dropped.
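The grep, awk and vi steps above automated in one place, as an added example that is not part of the original post. It is a Python 3 script that finds the cs-uri-query column from the log's #Fields header, URL-decodes it, pulls every echo gg=^"<hex>^"_>> <path> chunk, joins the chunks per target path in log order and checks the result for an MZ header and a PE signature before it goes anywhere near a VM. It assumes the chunk shape the post shows and a W3C-format log with a #Fields header; the log lines it parses are constructed from a tiny MZ/PE stub and are not real traffic. Only the gg= variable name and the C:\dir\fg.vbs target path come from the post.

```python
#!/usr/bin/env python3
"""Carve a file that was written chunk by chunk through xp_cmdshell out of an IIS W3C log.

Added example, not code from the original post. It automates the grep/awk/vi steps:
locate cs-uri-query from the #Fields header, URL-decode it, pull every
  echo gg=^"<hex>^"_>> <path>
chunk, join the chunks per target path in log order (the attacker appended with >>,
so order of appearance is byte order) and sanity-check the result before it goes to a VM.
The log lines are constructed from a minimal MZ/PE stub; only the 'gg=' variable name
and the C:\\dir\\fg.vbs target path come from the post.
"""
import hashlib
import re
import struct
from urllib.parse import quote_plus, unquote_plus

# ^" is cmd.exe's escape for a literal double quote inside the echo; the trailing _ is a
# VBScript line continuation, so each chunk becomes one line of the .vbs being built.
CHUNK_RE = re.compile(r"""echo\s+\w+=\^"([0-9A-Fa-f]+)\^"_?\s*>>\s*([^\s'"]+)""")

# Constructed payload: a 64-byte DOS header whose e_lfanew points at a bare "PE\0\0".
SAMPLE_STUB = b"MZ\x90\x00\x03\x00" + b"\x00" * 54 + struct.pack("<I", 0x40) + b"PE\x00\x00"


def build_sample_log():
    """Constructed IIS W3C log, not real traffic: one benign request followed by the
    SAMPLE_STUB hex split into three xp_cmdshell echo chunks, percent-encoded the way a
    browser or injection tool would send them."""
    hexstr = SAMPLE_STUB.hex().upper()
    chunks = [hexstr[i:i + 48] for i in range(0, len(hexstr), 48)]
    lines = [
        "#Software: Microsoft Internet Information Services 7.5",
        "#Version: 1.0",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
        "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
        "2012-03-14 10:00:00 10.0.0.5 GET /products.asp id=1 80 - 203.0.113.9 Mozilla/4.0 200 0 0 12",
    ]
    for n, chunk in enumerate(chunks, 1):
        sql = "id=1;exec master.dbo.xp_cmdshell 'echo gg=^\"%s^\"_>> C:\\dir\\fg.vbs';--" % chunk
        lines.append("2012-03-14 10:00:%02d 10.0.0.5 GET /products.asp %s 80 - 203.0.113.9 "
                     "Mozilla/4.0 500 0 0 31" % (n, quote_plus(sql, safe="=;")))
    return "\n".join(lines) + "\n"


def iter_queries(text):
    """Yield the decoded cs-uri-query of every request line. The column is taken from the
    #Fields header rather than hard-coded, and the line is split BEFORE decoding so that
    spaces hidden in the encoded injection cannot shift the columns."""
    query_idx = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            query_idx = line.split()[1:].index("cs-uri-query")
            continue
        if not line or line.startswith("#") or query_idx is None:
            continue
        cols = line.split(" ")
        if len(cols) > query_idx:
            # unquote_plus also maps '+' to a space, which plain unquote does not
            yield unquote_plus(cols[query_idx])


def carve_echo_chunks(text):
    """Return {target_path: bytes} for every file assembled with echo ... >> path.
    Feed log files in chronological order when concatenating several days of logs."""
    hex_by_path = {}
    for query in iter_queries(text):
        for hexchunk, path in CHUNK_RE.findall(query):
            hex_by_path.setdefault(path, []).append(hexchunk)
    return {path: bytes.fromhex("".join(parts)) for path, parts in hex_by_path.items()}


def describe(blob):
    """Checks worth doing before the carved file touches a VM: MZ magic, PE signature at
    e_lfanew, size, and a hash to search for on other hosts."""
    info = {"size": len(blob), "sha256": hashlib.sha256(blob).hexdigest(),
            "mz": blob[:2] == b"MZ", "pe": False}
    if len(blob) >= 0x40:
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        info["pe"] = blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return info


if __name__ == "__main__":
    for path, blob in carve_echo_chunks(build_sample_log()).items():
        print(path, describe(blob))
```

Point it at a real log by replacing build_sample_log() with the file contents. Splitting the raw line on spaces before decoding is what keeps the field index stable; decode first, as the manual awk step does, and the injected spaces move the hex into a different column on every payload shape.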

I then copied fg.exe over to a VM I use for testing suspicious files and ran it with the help switch: fg.exe /?

(Screenshot: fg.exe usage)

It looks like a password dumper. Let's run it without any switches:

(Screenshot: results of fg.exe)

After seeing that this worked, I looked for any other entries in the logs that looked like the attacker uploading an executable. I was also able to recover 32-bit and 64-bit versions of Windows Credential Editor.

Being able to carve these files out of the IIS logs was very helpful and eye-opening, and it allowed us to confirm what the attacker was able to run. Who would have thought that IIS logs, normally only used for web site usage statistics, could be used to carve malware?

As always happy hunting!