RE: IIS 5 Log File Question

From: Leon Ward (leon.ward@added-dimension.co.uk)
Date: 05/13/02


From: Leon Ward <leon.ward@added-dimension.co.uk>
To: 'Craig Brauckmiller' <c_brauckmiller@lek.com>, security-basics@securityfocus.com
Date: Mon, 13 May 2002 09:41:23 +0100

1) This is a Code Red v2 infection attempt.
Unfortunately, web server admins are having to class these as just normal
background traffic. Please people - MAKE SURE YOU ARE PATCHED!

Looking for holes left by CR v1

        2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 -

Testing to see if the box is susceptible to directory traversal; it tests many
times using different extended Unicode chars.

        2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -

2) Yes. It comes with the IISLockdown tool. If you want to know more about
URLScan let me know, I wrote a walkthrough of the options for someone a
while back and I'll send it on to you.

3) Pissing in the wind I am afraid. It would be useful to send an email to
the person in charge of the IP address and CC it to their ISP, but don't
hold your breath.

4) MAKE SURE YOU ARE PATCHED! This is the MOST important thing you can do!
Also look at some of the IIS / Win2k hardening docs on the internet and go
through them carefully.

Just a couple of seconds of thought.

Best Regards

Nard
Please reply to: nard@nardware.co.uk


-----Original Message-----
From: Craig Brauckmiller [mailto:c_brauckmiller@lek.com]
Sent: 10 May 2002 13:55
To: security-basics@securityfocus.com
Subject: IIS 5 Log File Question

Hello all, and forgive my ignorance in this area.

We are in the process of bringing our website in house. It was being hosted
externally. The site is almost up and I was just poking at the logs and was
intrigued by what I saw.

Below is a snippet from the logs. Can anyone tell by looking at it:

1. What type of vulnerabilities were they looking for?
2. Does the fact that it says <Rejected by urlscan> imply that URLScan from M$
is loaded? I didn't do this myself... that's why I'm curious.
3. What is the best course of action in regards to the individual attempting
these activities? I traced the IP back to RoadRunner. Should I call their
customer service and complain, or am I just pissing in the wind?
4. I did run the IIS Lockdown wizard. Is that sufficient for most types of
attacks? What other tools should I consider running?

#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 -
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/MSADC/root.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/c/winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/d/winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%1c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%2f../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:05 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%9c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:09 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35%63../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:11 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%25%35%63../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%252f../winnt/system32/cmd.exe 404 123 -

Thanks so much for this great list.

Craig Brauckmiller
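As an added example (not from either poster), a small Python script that reads IIS W3C Extended log lines of the kind quoted above, pulls the rejected path out of URLScan's cs-uri-query field, percent-decodes it until it stops changing, and labels each entry along the lines of the reply: a probe for the root.exe backdoor, or a traversal towards cmd.exe, split by whether it relies on double encoding or on malformed Unicode. The sample log is constructed from the entries in the thread plus one ordinary hit; the label names and the round-counting heuristic are this example's own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample in IIS W3C Extended Log format, modelled on the thread's entries.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:11 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:30:00 192.0.2.10 - 10.2.32.20 80 GET /default.htm - 200 0 Mozilla/4.0
"""

# ".." followed by a separator, or by a high byte plus one more byte (the %c0%af / %c1%1c forms).
TRAVERSAL = re.compile(rb"\.\.(?:[/\\]|[\x80-\xff][\x00-\xff])")

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def decode_rounds(url, limit=3):
    """Percent-decode until stable; return (decoded bytes, rounds needed)."""
    cur = url.encode("latin-1")
    for rounds in range(limit):
        nxt = unquote_to_bytes(cur)
        if nxt == cur:
            return cur, rounds
        cur = nxt
    return cur, limit

def classify(entry):
    """Label a URLScan-rejected request; None for requests URLScan let through."""
    if entry["cs-uri-stem"] != "/<Rejected-By-UrlScan>":
        return None
    # URLScan logs the original path in cs-uri-query, prefixed with "~" (see the quoted log).
    path, rounds = decode_rounds(entry["cs-uri-query"].lstrip("~"))
    low = path.lower()
    if low.endswith(b"root.exe"):          # backdoor copy of cmd.exe left by Code Red II
        return "code-red-backdoor-probe"
    if b"cmd.exe" in low and TRAVERSAL.search(path):
        if rounds >= 2:                    # %255c and friends only resolve on a second decode
            return "double-encoded-traversal"
        return "unicode-traversal" if re.search(rb"[\x80-\xff]", path) else "plain-traversal"
    return "other-rejected"
```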

This E-mail and its attachments have been scanned for viruses before
delivery. For more information contact postmaster@added-dimension.co.uk.



