These are things you should not worry about. Most webserver admins
see them daily, and they make up most of the error logs. It is just a
host scanning for known IIS bugs or an infected (nimda?) webserver
trying to affect others. If you applied the security patches you
should have nothing to worry about. If you want to help prevent these
attacks, parse out all the IPs and resolve them, or check on port 80
to see if it is a webserver (not sure whether nimda opens a port 80
server on non-webserver machines it infects), and inform the web admin
about it. You could send the ISPs of the rest of the IPs a complaint,
but history proves these complaints quickly find their way into the
recycle bin.

Philip Wagenaar

-----Original Message-----
From: Ryan Ratkiewicz [mailto:[EMAIL PROTECTED]] 
Sent: Thursday 15 November 2001 19:18
To: [EMAIL PROTECTED]
Subject: IIS Hack Attempt


Can someone help me decipher this?
 
11:30:48 207.217.205.149 GET /scripts/root.exe 404
11:30:48 207.217.205.149 GET /MSADC/root.exe 404
11:30:49 207.217.205.149 GET /c/winnt/system32/cmd.exe 404
11:30:49 207.217.205.149 GET /d/winnt/system32/cmd.exe 404
11:30:49 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
11:30:49 207.217.205.149 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
11:30:50 207.217.205.149 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
11:30:50 207.217.205.149 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 500
11:30:50 207.217.205.149 GET /scripts/..Á../winnt/system32/cmd.exe 500
11:30:50 207.217.205.149 GET /scripts/winnt/system32/cmd.exe 404
11:30:51 207.217.205.149 GET /winnt/system32/cmd.exe 404
11:30:51 207.217.205.149 GET /winnt/system32/cmd.exe 404
11:30:51 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
11:30:51 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
11:30:52 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
11:30:52 207.217.205.149 GET /scripts/..%2f../winnt/system32/cmd.exe 500
 
Thanks.
 
 

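The triage suggested in the reply (parse the probing IPs out of the log), as an added example that is not part of either message: it groups requests for root.exe/cmd.exe or with encoded traversal by client IP and lists any that did not get a 4xx/5xx answer. The function names, the four-field log layout and the 192.0.2.x lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the layout of the log quoted above: time, client IP,
# method, URI, status. The 192.0.2.x lines are invented (documentation range).
SAMPLE_LOG = """\
11:30:48 207.217.205.149 GET /scripts/root.exe 404
11:30:49 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
11:30:52 207.217.205.149 GET /scripts/..%2f../winnt/system32/cmd.exe 500
11:31:07 192.0.2.10 GET /default.htm 200
11:31:09 192.0.2.77 GET /scripts/root.exe 200
"""
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+) (.+) (\d{3})$")

def classify(uri):
    """Return the probe indicators found in a request URI (empty list = none)."""
    # Decode %5c / %2f and treat backslash as a separator, as Windows paths do.
    path = unquote(uri.split("?", 1)[0]).replace("\\", "/").lower()
    hits = []
    if "../" in path:
        hits.append("traversal")
    if path.rsplit("/", 1)[-1] in ("cmd.exe", "root.exe"):
        hits.append("shell-binary")
    return hits

def summarize(log_text):
    """Group probe requests by client IP and list any that were not rejected."""
    report = defaultdict(lambda: {"probes": 0, "indicators": set(), "served": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped or malformed line: skip rather than guess
        _time, ip, _method, uri, status = m.groups()
        hits = classify(uri)
        if not hits:
            continue
        entry = report[ip]
        entry["probes"] += 1
        entry["indicators"].update(hits)
        if status[0] not in "45":  # anything but a 4xx/5xx needs a closer look
            entry["served"].append((uri, status))
    return dict(report)

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        flag = "INVESTIGATE" if e["served"] else "rejected"
        print(ip, e["probes"], sorted(e["indicators"]), flag, e["served"])
```

An IP whose probes were all rejected matches the "nothing to worry about" case in the reply; an entry under "served" is the one worth checking on the server itself.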


