Re: Suspicious IIS log file entries! Help!!

From: Brjann Brekkan (bbrekkan@hotmail.com)
Date: 11/17/02


From: "Brjann Brekkan" <bbrekkan@hotmail.com>
Date: Sun, 17 Nov 2002 19:30:38 +0100


Code Red or NIMDA, but since it's all 403 and 404 there are no successful GET
requests, so all that is happening is that the server 68.80.91.9 has been
infected and is now trying to infect your server. Not to worry.

Brjann Brekkan
I think you can find some info on
http://www.securityadmin.info/faq.htm#iislogs or on www.iisfaq.com (GREAT
SITES)

"Keith" <kkleiman@ureach.com> wrote in message
news:el0nspejCHA.2432@tkmsftngp10...
> I checked my IIS log files and have several days with several of the
> following suspicious entries:
>
> 2002-10-29 02:11:59 68.80.91.9 - 192.168.0.6 80 GET /scripts/root.exe /c+dir 404 -
> 2002-10-29 02:12:00 68.80.91.9 - 192.168.0.6 80 GET /MSADC/root.exe /c+dir 403 -
> 2002-10-29 02:12:02 68.80.91.9 - 192.168.0.6 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
> 2002-10-29 02:12:04 68.80.91.9 - 192.168.0.6 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
>
> I think this is a worm (possibly Code Red or Nimda) that is doing port
> scanning on port 80, but not sure if this is just an attack that is being
> logged or if this means that I have already been exploited. I have been up
> to date on my patches, so I think it is just an attack, but need to know for
> sure.
>
> Do you know if this is an attack or a sign of being exploited?
>
> Thank you!!!
> Keith
>
>
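
The status-code check described in the reply, applied to the quoted entries, as an added example that is not part of the original thread. The field order is an assumption inferred from the quoted lines, the 192.0.2.10 entry is constructed, and flagging every non-4xx answer to a probe URL for investigation is this example's own conservative choice.

```python
import re

# Field order is an assumption inferred from the quoted entries (the post shows
# no #Fields header): date time c-ip cs-username s-ip s-port cs-method
# cs-uri-stem cs-uri-query sc-status <one trailing field>
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status")
# Request targets that appear in the quoted entries.
PROBE = re.compile(r"/(root|cmd)\.exe$", re.IGNORECASE)

# The four entries from the post, unwrapped, plus one CONSTRUCTED line
# (192.0.2.10, status 200) so the non-4xx branch is exercised.
SAMPLE_LOG = """\
2002-10-29 02:11:59 68.80.91.9 - 192.168.0.6 80 GET /scripts/root.exe /c+dir 404 -
2002-10-29 02:12:00 68.80.91.9 - 192.168.0.6 80 GET /MSADC/root.exe /c+dir 403 -
2002-10-29 02:12:02 68.80.91.9 - 192.168.0.6 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-10-29 02:12:04 68.80.91.9 - 192.168.0.6 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2002-10-29 03:00:00 192.0.2.10 - 192.168.0.6 80 GET /scripts/root.exe /c+dir 200 -
"""

def parse_line(line):
    """Return a dict for one log entry, or None for comments and short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS) or not parts[9].isdigit():
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    return rec

def classify(rec):
    """'rejected' for a probe answered with 4xx, 'investigate' for any other
    status on a probe URL, 'other' for requests that are not probes."""
    if not PROBE.search(rec["uri_stem"]):
        return "other"
    return "rejected" if 400 <= rec["status"] < 500 else "investigate"

def triage(log_text):
    """Count probe outcomes per client IP."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        verdict = classify(rec) if rec else "other"
        if verdict != "other":
            counts = summary.setdefault(rec["c_ip"], {"rejected": 0, "investigate": 0})
            counts[verdict] += 1
    return summary

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG).items():
        print(ip, counts)
```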