IIS security..anyone recognize this?

From: "Alissa" <shauna@tds.net>
Date: Thu, 07 Nov 2002 18:24:19 GMT


I am looking to see if someone could help me out with some IIS logs. I
recently installed a couple of security programs from Microsoft, one of them
URLScan (I have Win2000 Server running). Does anyone know what this person
is trying to do, and are there other ways to block him/her from my server
besides using URLScan? I get these quite often: people trying to run cmd.exe
on my server. I have a Linksys Firewall and a Router... I do not have ISA
Server installed. Thanks in advance!!!!

-Alissa

c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent)
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/MSADC/root.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/c/winnt/system32/cmd.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/d/winnt/system32/cmd.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%1c../winnt/system32/cmd.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%2f../winnt/system32/cmd.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%9c../winnt/system32/cmd.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35%63../winnt/system32/cmd.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35c../winnt/system32/cmd.exe 404 www -
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/scripts/..%25%35%63../winnt/system32/cmd.exe 404 www
216.31.163.163 - MY IP 80 GET /<Rejected-By-UrlScan> ~/scripts/..%252f../winnt/system32/cmd.exe 404 www -
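
Added example, not part of the original post: a Python sketch for triaging the rejected paths in the log above by decoding them the way a lenient server might and tagging what each one hides. The function names, tag names, and the non-validating UTF-8 fold are assumptions of this example, not URLScan or IIS behaviour documented on this page.

```python
import re

# Sample input: cs-uri-query values copied from the log in the post above.
SAMPLE = [
    "~/scripts/root.exe",
    "~/scripts/..%255c../winnt/system32/cmd.exe",
    "~/scripts/..%c0%af../winnt/system32/cmd.exe",
    "~/scripts/..%c1%1c../winnt/system32/cmd.exe",
    "~/scripts/..%%35%63../winnt/system32/cmd.exe",
    "~/scripts/..%%35c../winnt/system32/cmd.exe",
]

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
LAX = re.compile(rb"([\xc0\xc1])(.)", re.S)  # 0xC0/0xC1 never start valid UTF-8

def pct_decode(data):
    """One round of percent-decoding; a stray '%' is left untouched."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def classify(uri, max_rounds=4):
    """Return (tags, normalized_path) for one logged request path."""
    tags, data = set(), uri.encode("ascii")
    for n in range(max_rounds):
        nxt = pct_decode(data)
        if nxt == data:
            break
        if n >= 1:  # still changing after the first round: nested encoding
            tags.add("multi-encoded")
        data = nxt

    def fold(m):
        # Assumption: model a decoder that does not validate UTF-8 and simply
        # combines the low bits of the two bytes into one character.
        lead, trail = m.group(1)[0], m.group(2)[0]
        tags.add("overlong-utf8" if 0x80 <= trail <= 0xBF else "ill-formed-utf8")
        return bytes([((lead & 0x1F) << 6) | (trail & 0x3F)])

    path = LAX.sub(fold, data).decode("latin-1").lower()
    if ".." in re.split(r"[\\/]", path):
        tags.add("traversal")
    if path.endswith(("/cmd.exe", "/root.exe")):
        tags.add("shell-target")
    return tags, path

if __name__ == "__main__":
    for q in SAMPLE:
        tags, path = classify(q)
        print(f"{q}\n  -> {path}  {sorted(tags)}")
```

Every `..%xx..` variant in the sample normalizes to a `..` path segment followed by `winnt/system32/cmd.exe`, which is why matching only on the raw string misses some of them.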


