Re: IIS 5 Log File Question

From: Muhammad Faisal Rauf Danka (mfrd@attitudex.com)
Date: 05/13/02


Date: Mon, 13 May 2002 01:12:14 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
To: Craig Brauckmiller <c_brauckmiller@lek.com>, security-basics@securityfocus.com

They look like unicode + codered and nimda attacks.

Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-21-4980523 92-21-4974781

"Great is the Art of beginning, but Greater is the Art of ending. "

------BEGIN GEEK CODE BLOCK----
Version: 3.1
GCS/CM/P/TW d- s: !a C++ B@ L$ S$ U+++
P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y-
PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+
------END GEEK CODE BLOCK------

--- Craig Brauckmiller <c_brauckmiller@lek.com> wrote:
>
>Hello all, and forgive my ignorance in this area.
>
>We are in the process of bringing our website in house. It was being hosted
>externally. The site is almost up and I was just poking at the logs and was
>intrigued by what I saw.
>
>Below is a snippet from the logs. Can anyone tell by looking at it:
>
>1. What type of vulnerabilities were they looking for?
>2. Does the fact that it says <Rejected by urlscan> imply that URLScan from M$
>is loaded? I didn't do this myself... that's why I'm curious.
>3. What is the best course of action in regards to the individual attempting
>these activities? I traced the IP back to RoadRunner. Should I call their
>customer service and complain, or am I just pissing in the wind?
>4. I did run the IIS Lockdown wizard. Is that sufficient for most types of
>attacks? What other tools should I consider running?
>
>#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
>2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 -
>2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/MSADC/root.exe 404 123 -
>2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/c/winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/d/winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%1c../winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%2f../winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:05 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%9c../winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:09 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35%63../winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:11 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35c../winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%25%35%63../winnt/system32/cmd.exe 404 123 -
>2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%252f../winnt/system32/cmd.exe 404 123 -
>
>Thanks so much for this great list.
>
>Craig Brauckmiller
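
As an added example, not from this thread or from either correspondent, the Python below does the triage the reply summarises in one line: it parses IIS 5 W3C extended log records in the field order Craig posted, undoes URLScan's "/<Rejected-By-UrlScan>" rewrite to recover the URL that was actually requested, decodes the double-encoded ("%255c", "%%35%63") and overlong-UTF-8 ("%c0%af", "%c1%1c") separators the way IIS resolved them, and labels each record as a root.exe backdoor probe, a Code Red II drive virtual-directory probe, or a unicode/double-decode traversal towards cmd.exe, counting hits per client IP and how many URLScan blocked. The sample log lines are constructed (same shape as the excerpt above), the label strings are my own, and the overlong-byte table covers only the sequences that appear in the thread.

```python
"""Triage of IIS 5 W3C extended log lines for the worm / traversal probes
discussed in the thread (Code Red II and Nimda root.exe probes, unicode and
double-decode '..' traversal towards cmd.exe), honouring URLScan's
'/<Rejected-By-UrlScan>' rewrite.  Added example, not from the thread."""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample in the same field order as the excerpt quoted in the
# thread, one record per line.  The last record is a normal page hit.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/c/winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:09 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35%63../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:30:00 10.2.32.55 - 10.2.32.20 80 GET /index.html - 200 0 Mozilla/4.0+(compatible)
"""

URLSCAN_MARK = "/<Rejected-By-UrlScan>"

# Two-byte sequences from the thread that IIS's decoder folded into a path
# separator via (b1 & 0x1f) << 6 | (b2 & 0x3f): c0 af / c0 2f -> '/',
# c1 9c / c1 1c -> '\'.  Only the sequences seen in the thread are listed.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}


def parse_w3c(text):
    """Turn a W3C extended log into a list of dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip malformed records
            records.append(dict(zip(fields, values)))
    return records


def requested_path(rec):
    """URLScan logs a rejected request with the stem replaced by the marker and
    the original URL in the query field after a '~'.  Return (path, blocked)."""
    if rec["cs-uri-stem"] == URLSCAN_MARK:
        return rec["cs-uri-query"].lstrip("~"), True
    return rec["cs-uri-stem"], False


def normalize(raw):
    """Decode percent-escapes repeatedly until stable (catches the %25 double
    encoding), then fold the overlong sequences.  Returns (path, saw_overlong)
    with backslashes normalised to '/'."""
    data = raw.encode("ascii", "replace")
    for _ in range(3):  # bounded; '%%35%63' needs two rounds to become '\'
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    saw_overlong = False
    for seq, sep in OVERLONG.items():
        if seq in data:
            saw_overlong = True
            data = data.replace(seq, sep)
    return data.decode("latin-1").replace("\\", "/"), saw_overlong


def classify(raw):
    """Label one requested path.  Returns (label, normalised path)."""
    path, overlong = normalize(raw)
    low = path.lower()
    if low.endswith("/root.exe"):
        label = "root.exe backdoor probe (Code Red II / Nimda)"
    elif "/../" in low and low.endswith("/cmd.exe"):
        if overlong:
            label = "unicode (overlong UTF-8) traversal to cmd.exe"
        elif "%25" in raw.lower() or "%%" in raw:
            label = "double-decode traversal to cmd.exe"
        else:
            label = "plain traversal to cmd.exe"
    elif re.match(r"^/[cd]/winnt/system32/cmd\.exe$", low):
        label = "Code Red II drive virtual directory (/c, /d) probe"
    else:
        label = "benign"
    return label, path


def triage(text):
    """Return ({(client ip, label): count}, number rejected by URLScan)."""
    counts, blocked = Counter(), 0
    for rec in parse_w3c(text):
        raw, by_urlscan = requested_path(rec)
        label, _ = classify(raw)
        if label == "benign":
            continue
        counts[(rec["c-ip"], label)] += 1
        blocked += by_urlscan
    return counts, blocked


if __name__ == "__main__":
    hits, rejected = triage(SAMPLE_LOG)
    for (ip, label), n in sorted(hits.items()):
        print(f"{ip:15} {n:3}  {label}")
    print(f"{rejected} of {sum(hits.values())} suspicious requests rejected by URLScan")
```

Every probe in the sample carries the URLScan marker and a 404, which is the answer to Craig's second question in data rather than words: the requests never reached the script mappings. Running the same triage over the full log, grouped by client IP, is also what you would attach to an abuse report to the upstream provider.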
