return 42;

by Jan Wedel

Spools Prin4Spool v5.0 for WinSock

If you're running ASP.NET pages on IIS, open any web page on the server and get this instead of your page:

220 Spools Prin4Spool v5.0 for WinSock ready...
530 Not logged in.
530 Not logged in.
331 User name okay, need password.
530 Not logged in.
530 Not logged in.
530 Not logged in.
530 Not logged in.nn
421 Maximum session time exceeded - closing.

Then, your server has most probably been hacked.

Running netstat -anb in an admin shell lists every process that has a port open. Check for processes like uTorrent, WinMX and the like. They are started as the hidden user IWAM_ASP. As a first measure, stop IIS and kill all processes running as this user. I'll try to post more info here.

[UPDATE]

I've been searching for more information about the IWAM_ASP user and couldn't find any evidence that this user is legitimate. Moreover, there was also a sql_rootuser. Both were only shown in the Server Manager tool and both had admin privileges. I've deleted both of them, including their user directories. After the users were deleted, I checked the Windows Event Viewer's security log, which showed that somebody was actually trying to log in (unsuccessfully, of course). So I guess both users were created after the first code was injected via ASP. I'm still not sure what the vulnerability actually was.
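The two checks described above (which processes hold open ports and as which account, and which accounts sit in the local Administrators group) as one triage script. This is an added example, not code from the original post. It assumes PowerShell 5.1 on Windows Server 2012 R2 or later, run from an elevated shell; the two account names are the ones from the post, and the administrator allowlist is a placeholder you must adapt to your server.

```powershell
# Added triage script, not from the original post. Assumes PowerShell 5.1 on Windows Server 2012 R2
# or later, run from an elevated shell. The two account names come from the post; the expected
# administrator list is a placeholder you must adapt to your server.
param([string[]]$SuspectAccounts = @('IWAM_ASP', 'sql_rootuser'),
      [string[]]$ExpectedAdmins  = @('Administrator'))   # placeholder allowlist

function Get-ProcessOwners {
    # PID -> name, image path and the account that started the process (netstat -anb plus owner).
    $owners = @{}
    foreach ($p in Get-CimInstance Win32_Process) {
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $owners[[int]$p.ProcessId] = [pscustomobject]@{
            Name = $p.Name
            Path = $p.ExecutablePath
            User = if ($o.User) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
        }
    }
    return $owners
}

function Get-SuspectConnections {
    $owners = Get-ProcessOwners
    Get-NetTCPConnection -State Listen, Established | ForEach-Object {
        $info = $owners[[int]$_.OwningProcess]
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            PID       = $_.OwningProcess
            Process   = $info.Name
            Path      = $info.Path
            User      = $info.User
            # Flag anything owned by one of the accounts the post found being abused.
            Suspect   = [bool]($SuspectAccounts | Where-Object { $info.User -like "*\$_" })
        }
    }
}

function Get-UnexpectedAdmins {
    # Members of the local Administrators group that are not on the allowlist.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ExpectedAdmins -notcontains ($_.Name -replace '^.*\\', '') }
}

Get-SuspectConnections | Sort-Object Suspect -Descending | Format-Table -AutoSize
Get-UnexpectedAdmins   | Format-Table Name, PrincipalSource -AutoSize

# Containment the post describes, once you have reviewed the output:
#   Stop-Service W3SVC                                   # stop IIS
#   Get-SuspectConnections | Where-Object Suspect | ForEach-Object { Stop-Process -Id $_.PID -Force }
```

Review the report before running the containment lines, and keep the Security event log (the post used it to see the follow-up login attempts) rather than clearing it.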

[UPDATE 2]

After thinking hard (just kidding) about how to host a Windows server with IIS and ASP, and especially how to secure it, we decided that we just don't. We have been hosting Linux servers for years now without any security issues. So this was a nice little exploration into the Windows world (no, it wasn't)...
