Re: hack attack question with IIS and OWA

From: Paul Lynch (paul.lynch@ntlworld.com)
Date: 09/28/02


From: Paul Lynch <paul.lynch@ntlworld.com>
Date: Sat, 28 Sep 2002 11:24:28 +0100


On 26 Sep 2002 07:37:29 -0700, abeeber@grx.com (abeeber) wrote:

>Hi,
>I was checking my IIS log files for my OWA/Exchange server and noticed
>the following entries...
>
>218.64.200.118 - - [26/Sep/2002:09:46:57 -0500] "GET
>/„/............/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 4618

>Is this a hack attack against my exchange server via OWA and IIS?
>
>If so, I notice that there are 4XX errors which means the get requests
>are failing, so should I be concerned? Is there anything I can do to
>prevent this?
>
>Thanks in advance.
>Andrew Beeber

Andrew,

This is the log footprint of the Nimda worm randomly trying the handle
on the car door of your server (in a manner of speaking).

The response code indicates that this attack was unsuccessful. You
don't need to worry but it is always a good idea to remain vigilant
and aware of current security issues and vulnerabilities.

This particular worm came to light over a year ago. Full details can
be found here :
http://www.cert.org/advisories/CA-2001-26.html

My best advice to you would be to sign up for notification of MS
Security Bulletins
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp

and run HFNetchk or the MBSA against your server to check for possible
security 'lapses'
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp

HTH,

Paul Lynch
MCSE
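
The check described in the reply above, as an added example that is not part of the original thread: it scans web server log lines in the format quoted in the question, flags requests for `cmd.exe` or `root.exe`, and separates probes the server refused (4xx/5xx) from any it actually served (2xx). The sample lines, the documentation-range IP addresses, the `PLACEHOLDER` path segment and the watch list of executable names are constructed assumptions.

```python
import re
from collections import Counter

# NCSA common log format, the layout of the entry quoted in the question.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed watch list: executables no legitimate web client should request.
PROBE_RE = re.compile(r'(?:cmd|root)\.exe', re.IGNORECASE)

# Constructed sample lines (not taken from a real log).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2002:09:46:57 -0500] '
    '"GET /PLACEHOLDER/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 4618',
    '192.0.2.10 - - [26/Sep/2002:09:46:58 -0500] '
    '"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3387',
    '198.51.100.7 - - [26/Sep/2002:09:50:12 -0500] '
    '"GET /PLACEHOLDER/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1024',
    '203.0.113.5 - - [26/Sep/2002:10:01:00 -0500] '
    '"GET /exchange/ HTTP/1.1" 200 5120',
]

def triage(lines):
    """Return (verdict, ip, status, url) for every probe-like request."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or not PROBE_RE.search(m['url']):
            continue  # unparseable line or ordinary request
        status = int(m['status'])
        if 200 <= status < 300:
            verdict = 'INVESTIGATE'   # the server served the request
        elif status >= 400:
            verdict = 'REJECTED'      # the server refused it, as in the post
        else:
            verdict = 'REVIEW'        # 1xx/3xx: check where it led
        findings.append((verdict, m['ip'], status, m['url']))
    return findings

def summary(findings):
    """Count findings per verdict, e.g. {'REJECTED': 2, 'INVESTIGATE': 1}."""
    return dict(Counter(f[0] for f in findings))

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(*finding)
    print(summary(triage(SAMPLE_LOG)))
```

Any line reported as `INVESTIGATE` means the server answered the probe with a success code, which is the case the reply's patch-and-scan advice is meant to prevent.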
