RE: IIS log files, can I have your take on these attacks?

From: Jim Grossl (jgrossl@lplearningcenter.org)
Date: 01/16/02


From: Jim Grossl <jgrossl@lplearningcenter.org>
To: 'Todd Williamson' <twilliamson@prolinkconsulting.com>, security-basics@securityfocus.com
Date: Wed, 16 Jan 2002 15:30:20 -0700

Hi Todd, the machine is patched. I am not however running
the URL Scan filter. But the server is issuing 400 level
error messages, and I cannot find any abnormal processes
or open ports (using fport).

BTW, I see a lot of these also, but last weekend was
the pits!

Jim Grossl
Lee Pesky Learning Center
Boise, Idaho USA

-----Original Message-----
From: Todd Williamson [mailto:twilliamson@prolinkconsulting.com]
Sent: Wednesday, January 16, 2002 11:24 AM
To: Jim Grossl; security-basics@securityfocus.com
Subject: RE: IIS log files, can I have your take on these attacks?

Jim,

I see the same log entries all of the time, on most of
my web servers. It is the scanning stage of a Nimda
or Code Red attack. If you have Microsoft's URL Scan filter
installed, and your IIS server patched (MS has a patch to guard
against folder traversal) you shouldn't have too
much to worry about.
If you can track down the IP addresses where these scans are
coming from you may be able to notify their ISP and have
the attacking systems pulled offline.

Chances are it's a machine that is on "auto-pilot", randomly
scanning any machine using IIS.

Todd

-----Original Message-----
From: Jim Grossl [mailto:jgrossl@lplearningcenter.org]
Sent: Tuesday, January 15, 2002 11:24 AM
To: security-basics@securityfocus.com
Subject: IIS log files, can I have your take on these attacks?

207.225.190.149 - - [14/Jan/2002:10:30:22 -0700]
  "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396

207.225.190.149 - - [14/Jan/2002:10:30:22 -0700]
  "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 3396

207.225.190.149 - - [14/Jan/2002:10:30:22 -0700]
  "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396

207.225.190.149 - - [14/Jan/2002:10:30:22 -0700]
  "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396

207.225.190.149 - - [14/Jan/2002:10:30:23 -0700]
  "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 3837

207.225.190.149 - - [14/Jan/2002:10:30:25 -0700]
  "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396

It kind of bothers me to post these on an open list (apparently
our Web server doesn't need any more "attention") but
I would like to know what everyone thinks of these attacks. My
Web server logged > 2000 of these attacks over the weekend. I'm
pretty sure that the attacks are not succeeding, but I've read that
if the "%5c" shows up in the Double Decode attack that the file
traversal is taking place. Thanks.

Jim Grossl
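A small log triage script, added here as an example and not part of the thread, that parses lines in the format posted above, tags each request for traversal sequences, double-encoded separators (the "%5c" question) and cmd.exe/root.exe requests, and reports per source IP whether any flagged request got a 2xx answer rather than a 404 or 401. The sample lines are constructed in the shape of the posted ones; the regexes and tag names are this example's own.

```python
import re
from urllib.parse import unquote
# Constructed sample lines in the shape of the ones posted above, plus one benign request
SAMPLE_LOG = """\
207.225.190.149 - - [14/Jan/2002:10:30:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 - - [14/Jan/2002:10:30:22 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 - - [14/Jan/2002:10:30:23 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 3837
207.225.190.149 - - [14/Jan/2002:10:30:25 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
10.0.0.5 - - [14/Jan/2002:10:31:00 -0700] "GET /index.html HTTP/1.0" 200 1024
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL = re.compile(r"\.\.[\\/]")        # "..\" or "../" after one decode
DOUBLE_ENC = re.compile(r"%(5c|2f)", re.I)  # separator still encoded after one decode
SHELLS = {"cmd.exe", "root.exe"}

def classify(url):
    """Tag one request URL; returns a sorted list of indicator names (empty if benign)."""
    path = url.split("?", 1)[0]
    once = unquote(path)  # what IIS sees after its first decode pass
    tags = set()
    if TRAVERSAL.search(once):
        tags.add("traversal")
    if DOUBLE_ENC.search(once):
        tags.add("double-decode")
    name = unquote(once).replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in SHELLS:
        tags.add("shell-request")
    return sorted(tags)

def scan(log_text):
    """Return (hits, summary): hits lists suspicious requests; summary is per source IP."""
    hits, summary = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tags = classify(m["url"])
        if not tags:
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "url": m["url"], "status": status, "tags": tags})
        s = summary.setdefault(m["ip"], {"count": 0, "succeeded": False})
        s["count"] += 1
        s["succeeded"] = s["succeeded"] or 200 <= status < 300
    return hits, summary
```

A "succeeded" entry of True for a source is the line worth pulling out of the 2000: it means a traversal or shell request was answered with 2xx instead of the 404/401 shown in the thread.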


