Alex,
The series of GET log entries you posted is characteristic
of a Nimda attempt to infect a server. We've all been
hammered with them for the past 2 or 3 weeks.
It is a trail of (you hope failed) attempts to find
specific vulnerabilities on your server.
> #Software: Microsoft Internet Information Services 5.0
> #Version: 1.0
> #Date: 2001-10-03 01:25:59
> #Fields: time c-ip cs-method cs-uri-stem sc-status
> 01:25:59 203.173.177.17 GET /scripts/root.exe 404
> 01:26:02 203.173.177.17 GET /MSADC/root.exe 404
> 01:26:05 203.173.177.17 GET /c/winnt/system32/cmd.exe 404
> 01:26:09 203.173.177.17 GET /d/winnt/system32/cmd.exe 404
> 01:26:12 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 200
I am not an expert about this, but to me the above line is alarming
because of the status "200".
It means it looked for *AND FOUND* a copy of "cmd.exe" on your server
in an accessible place.
cmd.exe is the NT command shell. An intruder could send
commands to it by running it like a CGI script.
> 01:27:01 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
> 01:27:51 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
> 01:27:54 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
> 01:59:57 203.173.177.17 GET /scripts/root.exe 404
> 02:00:01 203.173.177.17 GET /MSADC/root.exe 404
> 02:00:08 203.173.177.17 GET /c/winnt/system32/cmd.exe 404
> 02:00:12 203.173.177.17 GET /d/winnt/system32/cmd.exe 404
> 02:00:17 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 200
Again, another hit.
What's strange here is that these log entries ALL come
from 203.173.177.17.
Normally you will see a group of 16 probes from the same IP.
But then subsequent attempts will come from different IPs.
Is it possible this is happening from behind a firewall, and that
203.173.177.17 is a peer (on your network) that is also behind the
firewall? Maybe you're being probed by some other machine on
your network?
> 02:01:10 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
> 02:01:13 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
> 02:01:18 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
> 02:01:22 203.173.177.17 GET /scripts/..%5c../Admin.dll 500
> 02:01:27 203.173.177.17 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 200
Another successful attempt to find cmd.exe.
> 02:01:29 203.173.177.17 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 502
> 02:01:35 203.173.177.17 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 502
> 02:01:38 203.173.177.17 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 502
> 02:01:41 203.173.177.17 GET /_vti_bin/..%5c../..%5c../..%5c../Admin.dll 500
> etc.
>
> This kind of records started to appear about 2 weeks ago.
>
> I have applied patch for IIS today.
I think the patch isn't enough if you have command shells lying around
in places where they can be reached via a URL into your document root.
I'm not sure how you find them all. They won't always be called
cmd.exe - CodeRed left something called root.exe (I think).
But at a minimum I think you want to fix things up so that the Nimda
probe suite you show in your logs fails every attempt.
>
> Any comments are welcome.
Don't underestimate this one. It's a major PITA.
Good luck.
-ns
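The triage the reply describes by eye (spot the Nimda/Code Red probe URIs, treat a 200 as a confirmed find, and notice that everything comes from one source address) can be done over the whole log file with a short script. The following is an added example and not code from the thread or from either poster; it parses IIS 5.0 W3C extended log lines using the `#Fields:` header, and the `SAMPLE_LOG` block is constructed from the entries quoted above, with one ordinary request from a made-up address added for contrast.

```python
"""Defender-side pass over an IIS W3C extended log: find the Nimda/Code Red
probe sequence and single out the requests the server actually served (200).
Added example, not part of the original mailing-list message."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Probe markers taken from the quoted log: the worm-dropped root.exe, the NT
# shell cmd.exe reached through a traversal, and Admin.dll.
SUSPICIOUS_TARGETS = ("root.exe", "cmd.exe", "admin.dll")
# "..%5c" is a URL-encoded "..\" : the backslash traversal IIS 5.0 mishandled.
TRAVERSAL_RE = re.compile(r"\.\.(%5c|%2f|/|\\)", re.IGNORECASE)

# Constructed sample, assembled from the entries quoted in the message plus
# one benign request from a made-up internal address (10.0.0.5).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-10-03 01:25:59
#Fields: time c-ip cs-method cs-uri-stem sc-status
01:25:59 203.173.177.17 GET /scripts/root.exe 404
01:26:02 203.173.177.17 GET /MSADC/root.exe 404
01:26:05 203.173.177.17 GET /c/winnt/system32/cmd.exe 404
01:26:12 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 200
01:27:01 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
02:01:22 203.173.177.17 GET /scripts/..%5c../Admin.dll 500
02:01:27 203.173.177.17 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 200
02:05:00 10.0.0.5 GET /index.html 200
"""


def parse_w3c(text):
    """Yield one dict per data row, with keys taken from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no rows
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misalign the columns
        yield dict(zip(fields, values))


def classify(record):
    """Return None for a benign request, else (reasons, severity).

    severity is "HIT" when the status is 200, i.e. the server served the
    probed path, which is the case the message calls alarming."""
    stem = record.get("cs-uri-stem", "")
    decoded = unquote(stem).lower()  # so %5c and %2f variants are compared as one
    reasons = []
    if TRAVERSAL_RE.search(stem):
        reasons.append("traversal")
    if any(decoded.endswith(target) for target in SUSPICIOUS_TARGETS):
        reasons.append("probe-target")
    if not reasons:
        return None
    severity = "HIT" if record.get("sc-status") == "200" else "attempt"
    return (",".join(reasons), severity)


def analyse(text):
    """Per source IP: how many probes were seen and which ones the server served."""
    summary = defaultdict(lambda: {"attempts": 0, "hits": 0, "hit_uris": []})
    for record in parse_w3c(text):
        verdict = classify(record)
        if verdict is None:
            continue
        entry = summary[record["c-ip"]]
        entry["attempts"] += 1
        if verdict[1] == "HIT":
            entry["hits"] += 1
            entry["hit_uris"].append(record["cs-uri-stem"])
    return dict(summary)


if __name__ == "__main__":
    for ip, entry in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {entry['attempts']} probes, {entry['hits']} served (200)")
        for uri in entry["hit_uris"]:
            print(f"   investigate: {uri}")
```

Run against a real log, the `hit_uris` list is the set of paths to check on the server itself: a 404 or 502 is the probe failing, a 200 means the mapped path resolved to a real executable and the host needs the file removed or the virtual directory fixed, not just the IIS patch. Grouping by `c-ip` also makes the point the reply raises directly visible: a single address producing the whole series, rather than a spread of addresses, is worth a look at the inside of the firewall.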
---------------------------------------------------------------------------
New Zealand Delphi Users group - Offtopic List - [EMAIL PROTECTED]
Website: http://www.delphi.org.nz
To UnSub, send email to: [EMAIL PROTECTED]
with body of "unsubscribe offtopic"
Web Archive at: http://www.mail-archive.com/offtopic%40delphi.org.nz/