RE: IIS LOG entry.....

From: Colin Stefani (cstefani@tideworks.com)
Date: 07/23/01


Message-ID: <DBC363EA37C5D311823A00508BCF2A6A07276DC0@seamail.ssofa.com>
From: Colin Stefani <cstefani@tideworks.com>
To: "'Site Admin'" <tsgbma@yahoo.com>, FOCUS-MS@securityfocus.com
Subject: RE: IIS LOG entry.....
Date: Mon, 23 Jul 2001 08:50:24 -0700

1) Robots.txt is a text file that search engines look for (i.e. bots) that
you can create to tell them what to look for on your site, direct them to
unlinked content, and keep them off of certain areas. It should be harmless.

2) The second entry is probably the Code Red Worm looking for the .ida
vulnerability on your machine. Make sure you're patched with IIS patch
MS01-033 and you should be fine (for now) against that worm.

If you aren't patched against the worm, then do so quickly as you're
probably already infected.

-cs-

-----Original Message-----
From: Site Admin [mailto:tsgbma@yahoo.com]
Sent: Monday, July 23, 2001 3:38 AM
To: FOCUS-MS@securityfocus.com
Subject: IIS LOG entry.....

Hi All,
  We have a website on NT4 IIS4. During frequent checks
of my IIS log, I found the following entries:

2001-07-22 13:25:58 209.247.40.105 - GET /robots.txt -
404 15 ia_archiver -
2001-07-22 13:26:00 209.247.40.105 - GET
/s5intr/SessExpNW.asp - 200 15 ia_archiver -

   Is it a hacking attempt? This particular IP from
Alexa.com is found frequently in the log for
"robots.txt".

  I also found....

2001-07-21 17:16:42 208.20.74.1 - GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
404 78 - -
2001-07-21 18:11:39 209.247.40.98 - GET /robots.txt -
404 16 ia_archiver -
2001-07-21 18:11:39 209.247.40.98 - GET /welcome.asp -
200 344 ia_archiver -
   Again, for the last 3 days, I find entries with a GET
attempt for /default.ida from a set of 5-10 IPs. When
I checked with NSlookup for some IPs, nslookup doesn't
return any values...
  But, I have not lost any data and there is no sign
of anything being wrong with the website.
(sorry for the long mail)
  Any advice/help on what to do...
regds,
RP
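
Added example, not part of either message above: one way to triage a log like this, separating the crawler's robots.txt fetches from /default.ida requests that carry long single-character padding and %u-encoded data, and collecting the source IPs for each. The field order is an assumption read off the quoted log lines; the sample lines, the QUERY value and the IP addresses are constructed.

```python
import re
from collections import defaultdict

# Field order assumed from the log lines quoted in the message:
# date time client-ip username method uri-stem uri-query status number agent referer
FIELDS = ("date", "time", "ip", "user", "method", "stem", "query",
          "status", "num", "agent", "referer")
PAD_RUN = re.compile(r"(.)\1{99,}")      # one character repeated 100+ times
PCT_U = re.compile(r"%u[0-9a-fA-F]{4}")  # %uXXXX-encoded values in the query

def parse(line):
    """Split one unwrapped log line into named fields, or return None."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def classify(entry):
    """Label an entry 'ida-probe', 'ida-request', 'crawler' or 'other'."""
    stem, query = entry["stem"].lower(), entry["query"]
    if stem.endswith(".ida"):
        if PAD_RUN.search(query) and len(PCT_U.findall(query)) >= 2:
            return "ida-probe"
        return "ida-request"
    if stem == "/robots.txt":
        return "crawler"
    return "other"

def summarize(lines):
    """Map each label to the client IPs seen; unparsable lines go under 'unparsed'."""
    seen = defaultdict(set)
    for line in lines:
        entry = parse(line)
        if entry is None:
            seen["unparsed"].add(line[:40])
        else:
            seen[classify(entry)].add(entry["ip"])
    return dict(seen)

# Constructed sample: padding rebuilt and shortened, IPs from documentation ranges.
QUERY = "N" * 224 + "%u9090%u6858%u9090=a"
SAMPLE = [
    "2001-07-22 13:25:58 192.0.2.10 - GET /robots.txt - 404 15 ia_archiver -",
    "2001-07-22 13:26:00 192.0.2.10 - GET /welcome.asp - 200 15 ia_archiver -",
    "2001-07-21 17:16:42 198.51.100.7 - GET /default.ida " + QUERY + " 404 78 - -",
    "2001-07-21 19:02:11 203.0.113.5 - GET /default.ida " + QUERY + " 404 78 - -",
]

if __name__ == "__main__":
    for label, ips in sorted(summarize(SAMPLE).items()):
        print(label, sorted(ips))
```

Log lines that were wrapped in transit, as in the e-mail above, must be rejoined into single lines first; otherwise they are reported under 'unparsed'.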



