Re: Strange IIS WWW Log Entry - Possible Attack?

From: Ayyappan Nair (me@working.com)
Date: 12/14/02

• Next message: J. S.: "Re: Strange IIS WWW Log Entry - Possible Attack?"
• Previous message: J. S.: "Strange IIS WWW Log Entry - Possible Attack?"
• In reply to: J. S.: "Strange IIS WWW Log Entry - Possible Attack?"
• Next in thread: J. S.: "Re: Strange IIS WWW Log Entry - Possible Attack?"
• Reply: J. S.: "Re: Strange IIS WWW Log Entry - Possible Attack?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Ayyappan Nair <me@working.com>
Date: Fri, 13 Dec 2002 19:18:55 -0500

On Fri, 13 Dec 2002 15:34:15 -0800, "J. S." <jsickles@itt-tech.edu>
wrote:

>I was going over my log files, and I found some bizzarre
>entries that started appearing yesterday - it's not a
>normal request, so I have to suspect an attack. These
>come from different sources, but the message is the same.
>Can anyone tell me what this might be?
>Sample entry:
>
>2002-12-13 21:34:23 66.31.68.23 - 192.168.1.100 80
>GET /default.ida
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%
>u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%
>ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%
>u53ff%u0078%u0000%u00=a 200 -
>
>

That is the foot-print of one of the versions of Code-Red virus. Make
sure your IIS is not infected. This came out long-time back..

Checkout Microsoft IIS lockdown tool for securing IIS from such
viruses...

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/locktool.asp

HTH,
AGN

---

• Next message: J. S.: "Re: Strange IIS WWW Log Entry - Possible Attack?"
• Previous message: J. S.: "Strange IIS WWW Log Entry - Possible Attack?"
• In reply to: J. S.: "Strange IIS WWW Log Entry - Possible Attack?"
• Next in thread: J. S.: "Re: Strange IIS WWW Log Entry - Possible Attack?"
• Reply: J. S.: "Re: Strange IIS WWW Log Entry - Possible Attack?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Strange IIS WWW Log Entry - Possible Attack? ... I was going over my log files, and I found some bizzarre ... entries that started appearing yesterday - it's not a ... normal request, so I have to suspect an attack. ... (microsoft.public.inetserver.iis.security) Re: vs2005 debugging on ws2k3 server ... I can't share the IIS logs with you, as I stated earlier, there are no ... entries in the iis logs when this error occurs. ... if you could just share the IISLogs containing the debug verbs I ... (microsoft.public.dotnet.framework.aspnet) Re: IP address restrictions, limits of? ... Pirho, how to add 1~2 thousand entry into the list. ... > and 50 IP range entries. ... > The web server, IIS 5.0, is failing more often now, and the admin folks are ... > I am looking for any performance impact that anyone knows of when using IP ... (microsoft.public.inetserver.iis.security) Re: IP address restrictions, limits of? ... > and 50 IP range entries. ... > The web server, IIS 5.0, is failing more often now, and the admin folks are ... > I am looking for any performance impact that anyone knows of when using IP ... the folks who admin our web server are suggesting that we ... (microsoft.public.inetserver.iis.security) Re: Logging errors with ASP 404 error pages ... i am realy not trying to put my own entries. ... you first config a site it tracks everything but the ... Do you know how to do it to the IIS ... >IIS is logged by requests to IIS (and the log already has ... (microsoft.public.inetserver.asp.general)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.inetserver.iis.security  > 2002-12