iks, Posted November 4, 2002

Hi there! From time to time I can find something like this in my web log files (C:\WINDOWS\system32\Logfiles\W3SVC1)... I wonder what this is... Was someone trying to attack my system?

Code:
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2002-03-25 22:05:26
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:05:26 213.46.204.47 GET /scripts/root.exe 404
22:05:31 213.46.204.47 GET /MSADC/root.exe 404
22:05:38 213.46.204.47 GET /c/winnt/system32/cmd.exe 404
22:05:44 213.46.204.47 GET /d/winnt/system32/cmd.exe 404
22:05:50 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:05:56 213.46.204.47 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
22:06:04 213.46.204.47 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
22:06:10 213.46.204.47 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
22:06:16 213.46.204.47 GET /scripts/..Á../winnt/system32/cmd.exe 500
22:06:22 213.46.204.47 GET /scripts/winnt/system32/cmd.exe 404
22:06:28 213.46.204.47 GET /winnt/system32/cmd.exe 404
22:06:37 213.46.204.47 GET /winnt/system32/cmd.exe 404
22:06:43 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:06:51 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:59:17 61.133.99.129 GET /scripts/root.exe 404
22:59:26 61.133.99.129 GET /MSADC/root.exe 404
22:59:32 61.133.99.129 GET /c/winnt/system32/cmd.exe 404
22:59:38 61.133.99.129 GET /d/winnt/system32/cmd.exe 404
22:59:43 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:59:48 61.133.99.129 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
22:59:53 61.133.99.129 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
22:59:58 61.133.99.129 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
23:00:04 61.133.99.129 GET /scripts/..Á../winnt/system32/cmd.exe 500
23:00:10 61.133.99.129 GET /scripts/winnt/system32/cmd.exe 404
23:00:19 61.133.99.129 GET /winnt/system32/cmd.exe 404
23:00:26 61.133.99.129 GET /winnt/system32/cmd.exe 404
23:00:32 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:00:38 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:00:43 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:00:49 61.133.99.129 GET /scripts/..%2f../winnt/system32/cmd.exe 500
23:25:19 213.113.206.59 GET /scripts/root.exe 404
23:25:22 213.113.206.59 GET /MSADC/root.exe 404
23:25:24 213.113.206.59 GET /c/winnt/system32/cmd.exe 404
23:25:26 213.113.206.59 GET /d/winnt/system32/cmd.exe 404
23:25:28 213.113.206.59 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:25:29 213.113.206.59 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
23:25:34 213.113.206.59 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
23:25:36 213.113.206.59 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
23:25:38 213.113.206.59 GET /scripts/..Á../winnt/system32/cmd.exe 500

Thanks
clutch, Posted November 4, 2002

Looks like a Code Red-style attack. If you install IISLockdown (or at least URLScan) from MS, that will harden IIS to that type of attack and reject those URLs.

IISLockdown: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/locktool.asp
URLScan (my fav): http://support.microsoft.com/default.aspx?scid=KB;EN-US;q307608&id=307608&sd=tech
iks, Posted November 5, 2002

Hi! Thanks for this... I'll sleep much better now...
Butternuts, Posted November 6, 2002

The fact you're giving out 404 errors shows that it is not finding what it wants. If those were not there... worry.
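The point made above, that a 404 means the probe missed, is easy to check across a whole log rather than by eye. The following Python script is an added example, not code from this thread: it parses the IIS W3C extended format shown in the first post (using the `#Fields:` header for column order), flags root.exe/cmd.exe and encoded-traversal requests, and reports per client IP whether any probe returned 2xx instead of 404/500. The sample log embedded in it is constructed from a few of the posted lines plus one ordinary request.

```python
"""Triage IIS W3C extended log lines for Code Red / Nimda-style probes.
Parses the '#Fields:' header so column order is not hard-coded, flags
requests for root.exe/cmd.exe or encoded '..' traversal, and reports per
client whether any probe returned 2xx instead of failing with 404/500."""
import re
from collections import defaultdict

# Constructed sample, same layout as the log posted in the thread.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2002-03-25 22:05:26
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:05:26 213.46.204.47 GET /scripts/root.exe 404
22:05:50 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:06:10 213.46.204.47 GET /winnt/system32/cmd.exe 404
22:59:17 61.133.99.129 GET /scripts/root.exe 404
23:00:49 61.133.99.129 GET /scripts/..%2f../winnt/system32/cmd.exe 500
23:10:00 192.0.2.10 GET /default.htm 200
"""

# Hallmarks of these worm probes: the dropped root.exe shell, cmd.exe,
# or a '..' followed by an encoded separator (%5c, %2f, %c0/%c1 overlong).
PROBE = re.compile(r"root\.exe|cmd\.exe|\.\.(/|%5c|%2f|%c0|%c1)", re.I)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def triage(text):
    """Return {client_ip: {'probes': n, 'statuses': set, 'succeeded': bool}}."""
    report = defaultdict(lambda: {"probes": 0, "statuses": set(), "succeeded": False})
    for rec in parse_w3c(text):
        if not PROBE.search(rec.get("cs-uri-stem", "")):
            continue
        entry, status = report[rec["c-ip"]], int(rec["sc-status"])
        entry["probes"] += 1
        entry["statuses"].add(status)
        # 2xx means the requested file was found and served or executed:
        # that, not the 404/500 noise, is the case to worry about.
        entry["succeeded"] |= 200 <= status < 300
    return dict(report)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Point it at a real W3SVC1 log by reading the file into `triage()`; any client with `succeeded` set deserves a closer look than the 404/500 crowd.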
iks, Posted November 6, 2002

Hi! Yeah, IIS was giving out 404, that's good, but some of them were 500 (Internal Server Error) and so on...

Okay, now I've got one more question: when I try to telnet to my XP box via port 17 I get these strange quotations... They are making me a little worried:

Code:
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"We have no more right to consume happiness without producing it than to consume wealth without producing it." George Bernard Shaw (1856-1950)
Connection closed by foreign host.
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"The secret of being miserable is to have leisure to bother about whether you are happy or not. The cure for it is occupation." George Bernard Shaw (1856-1950)
Connection closed by foreign host.
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"When a stupid man is doing something he is ashamed of, he always declares that it is his duty." George Bernard Shaw (1856-1950)
Connection closed by foreign host.
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"Man can climb to the highest summits, but he cannot dwell there long." George Bernard Shaw (1856-1950)
Connection closed by foreign host.

Okay, what is this? Some of my friends are having the same 'problem', but not my brother (he is not running IIS). On port 17 I see the TCPSVCS.EXE application.

Thanks for everything,
clutch, Posted November 6, 2002

Judging by the quotes and the port, I would say that's going to be the Quote of the Day Protocol (QOTD) at work. Just block that (and any other) unused port. Here is a list of ports and what they are (normally) used for: http://www.iana.org/assignments/port-numbers