Wednesday, December 05, 2007

Server problems - related to /_vti_bin/owssvr.dll?

We got three requests for /_vti_bin/owssvr.dll a short time before our server had some serious issues. We were getting database connection errors and our SSL functionality was hosed. These requests were made by two different IPs. There is one similar request at the bottom from an earlier date. Some actions today also deleted all our request logs prior to: 05/12/2007:20:55:17 -0800

However I have some backup logs.

Not sure if the two are linked, but here is more information so far related to this hack:

A few different requests were made, first from 216.104.48.200 and then from 130.76.32.144

Request details:
ipAddress: 216.104.48.200
server:
referer:
queryString: UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0
method: GET
uri:
session: 27pg82u8olfo6
existing session
session created: Wed Dec 05 15:15:48 PST 2007
Accept: */*
X-Vermeer-Content-Type: application/octet-stream
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Host:
Connection: keep-alive
Cache-Control: no-cache
CAPREQ: 0
STRMVER: 4
ACT: 4
BUILD: 6551
UL: 1

Could be this person at Valley Medical Center doesn't know their machine is hacked...or an accident by some IT person, but I doubt it based on the consistency with which this appears in our logs.

OrgName: Valley Medical Center
OrgID: VMC-11
Address: 400 S 43rd Street
City: Renton
StateProv: WA
PostalCode: 98055
Country: US

NetRange: 216.104.48.0 - 216.104.63.255


Second set of requests for this particular file were from:

******WEBTOOLS.DUMPREQUEST**********
ipAddress: 130.76.32.144
server:
referer:
queryString: UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0
servletPath:
method: GET
uri:
session: 3gero4ss5ih8m
new session
session created: Wed Dec 05 15:04:58 PST 2007
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Boeing Kit; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host:
Connection: keep-alive
X-BlueCoat-Via: 996B7CB4B02B592C
X-Vermeer-Content-Type: application/octet-stream
Pragma: no-cache
CAPREQ: 0
STRMVER: 4
ACT: 4
BUILD: 6551
UL: 1
************

I also had a related but not exactly the same request from New Zealand IP 125.236.206.207
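Whether or not these hits caused the outage, the useful next step with the backup logs is to pull every request to /_vti_bin/ out of them, group them by source address, and line them up against the window just before the database and SSL errors started. The script below is an added example, not code from the original post: it parses Apache-style combined log lines, keeps only /_vti_bin/ requests that fall inside a look-back window before a chosen incident time, and reports a per-IP summary with the ACT values seen. The log lines, the incident time and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed stand-ins (documentation ranges), not the real values from the post.

```python
"""Pull /_vti_bin/ requests out of an access log and correlate them with an
incident window. Added example; the sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines. The addresses are documentation
# ranges used as stand-ins; the query string mirrors the one in the post.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Dec/2007:15:04:58 -0800] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 1234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [05/Dec/2007:15:15:48 -0800] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 1234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [05/Dec/2007:15:15:49 -0800] "GET /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [05/Dec/2007:15:20:00 -0800] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Dec/2007:09:00:00 -0800] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
"""

# Assumed incident time: shortly after the requests quoted in the post.
INCIDENT_END = datetime(2007, 12, 5, 15, 30, tzinfo=timezone(timedelta(hours=-8)))

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Everything under /_vti_bin/ is a FrontPage Server Extensions / SharePoint RPC endpoint.
VTI_PREFIX = "/_vti_bin/"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def vti_hits(lines, incident_end, lookback=timedelta(hours=1)):
    """Return {ip: [records]} for /_vti_bin/ requests within lookback before incident_end."""
    start = incident_end - lookback
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(VTI_PREFIX):
            continue
        if start <= rec["time"] <= incident_end:
            hits[rec["ip"]].append(rec)
    return dict(hits)


def summarize(hits):
    """One row per source IP: hit count, first/last time, distinct ACT values ('-' if none)."""
    rows = []
    for ip, recs in sorted(hits.items()):
        rows.append({
            "ip": ip,
            "count": len(recs),
            "first": min(r["time"] for r in recs),
            "last": max(r["time"] for r in recs),
            "acts": sorted({r["query"].get("ACT", "-") for r in recs}),
        })
    return rows


def scan_sample():
    """Run the correlation over the constructed sample log."""
    return summarize(vti_hits(SAMPLE_LOG.splitlines(), INCIDENT_END))


if __name__ == "__main__":
    for row in scan_sample():
        print(f"{row['ip']:15} {row['count']:3} hits  "
              f"{row['first']:%H:%M:%S}..{row['last']:%H:%M:%S}  ACT={','.join(row['acts'])}")
```

The December 1 hit is dropped because it falls outside the one-hour look-back, which is exactly the kind of earlier, isolated request the post mentions at the bottom; widen the window (or run the script twice with different windows) to see whether a source address has been probing the endpoint consistently over days rather than only just before the outage.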

Could this be the same guy who was just stopped by the BotRoast program?