Re: Suspicious IIS log file entries! Help!!

From: Brjann Brekkan (bbrekkan@hotmail.com)
Date: 11/17/02


From: "Brjann Brekkan" <bbrekkan@hotmail.com>
Date: Sun, 17 Nov 2002 19:30:38 +0100


Code Red or NIMDA but since it's all 403 and 404 there are no successful GET
requests so all that is happening is that the server 68.80.91.9 has been
infected and is now trying to infect your server. Not to worry.

Brjann Brekkan
I think you can find some info on
http://www.securityadmin.info/faq.htm#iislogs or on www.iisfaq.com (GREAT
SITES)

"Keith" <kkleiman@ureach.com> wrote in message
news:el0nspejCHA.2432@tkmsftngp10...
> I checked my IIS log files and have several days with several of the
> following suspicious entries:
>
> 2002-10-29 02:11:59 68.80.91.9 - 192.168.0.6 80 GET /scripts/root.exe /c+dir 404 -
> 2002-10-29 02:12:00 68.80.91.9 - 192.168.0.6 80 GET /MSADC/root.exe /c+dir 403 -
> 2002-10-29 02:12:02 68.80.91.9 - 192.168.0.6 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
> 2002-10-29 02:12:04 68.80.91.9 - 192.168.0.6 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
>
> I think this is a worm (possibly Code Red or Nimda) that is doing port
> scanning on port 80, but not sure if this is just an attack that is being
> logged or if this means that I have already been exploited. I have been up
> to date on my patches, so I think it is just an attack, but need to know for
> sure.
>
> Do you know if this is an attack or a sign of being exploited?
>
> Thank you!!!
> Keith
>
>
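
The status-code check described in the reply can be automated. The following is an added example, not part of either post: it flags requests for root.exe or cmd.exe and separates those the server refused (4xx) from any that need a closer look. The field order is assumed from the entries quoted above, and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Field order assumed from the quoted entries (no #Fields: header is shown in the post).
FIELDS = ["date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status", "extra"]

# Probe targets seen in the quoted entries: root.exe and cmd.exe.
PROBE_RE = re.compile(r"(?:^|/)(?:root|cmd)\.exe$", re.IGNORECASE)

SAMPLE = """\
2002-10-29 02:11:59 68.80.91.9 - 192.168.0.6 80 GET /scripts/root.exe /c+dir 404 -
2002-10-29 02:12:00 68.80.91.9 - 192.168.0.6 80 GET /MSADC/root.exe /c+dir 403 -
2002-10-29 02:12:02 68.80.91.9 - 192.168.0.6 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-10-29 02:12:04 68.80.91.9 - 192.168.0.6 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2002-10-29 02:15:10 192.0.2.10 - 192.168.0.6 80 GET /default.htm - 200 -
2002-10-29 02:20:31 203.0.113.7 - 192.168.0.6 80 GET /scripts/root.exe /c+dir 200 -
""".splitlines()  # first four lines are from the post; the last two are constructed


def parse_line(line):
    """Return a dict for one log entry, or None for comments and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS) or not parts[9].isdigit():
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    return rec


def triage(lines):
    """Group probe requests by client IP: 4xx is 'rejected', anything else 'needs_review'."""
    report = defaultdict(lambda: {"rejected": [], "needs_review": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PROBE_RE.search(rec["uri_stem"]):
            continue
        bucket = "rejected" if 400 <= rec["status"] < 500 else "needs_review"
        report[rec["c_ip"]][bucket].append((rec["uri_stem"], rec["status"]))
    return dict(report)


if __name__ == "__main__":
    for ip, hits in triage(SAMPLE).items():
        print(ip, "rejected:", len(hits["rejected"]), "needs review:", hits["needs_review"])
```

An empty needs_review list for a client matches the situation in the quoted log: every probe was answered with 403 or 404.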


