Solved

what does this IIS log tell me...

Posted on 2001-06-06
4
1,654 Views
Last Modified: 2008-02-07
The following entries are found in my IIS log file. Please tell me what does it mean. (NT4 + IIS4) Thanks,

2001-05-19 08:27:14 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 3 604 85 150 80 HTTP/1.0 - - -
2001-05-19 08:27:14 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:15 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:15 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:16 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 3 604 85 150 80 HTTP/1.0 - - -
2001-05-19 08:27:16 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:18 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..A../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:18 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:19 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:19 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 3 604 88 140 80 HTTP/1.0 - - -
2001-05-19 08:27:21 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..????../winnt/system32/cmd.exe /c+dir 404 3 604 91 160 80 HTTP/1.0 - - -
2001-05-19 08:27:21 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..?????../winnt/system32/cmd.exe /c+dir 404 3 604 94 170 80 HTTP/1.0 - - -
2001-05-19 08:27:22 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..u?????../winnt/system32/cmd.exe /c+dir 404 3 604 97 140 80 HTTP/1.0 - - -
2001-05-19 08:27:22 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 404 3 604 114 160 80 HTTP/1.0 - - -
0
Comment
Question by:jians
  • 2
  • 2
4 Comments
 
LVL 5

Accepted Solution

by:
dredge earned 5 total points
ID: 6160688
that means that someone was trying to exploit the UNICODE bug in IIS4.

this was a but that allowed a user to execute command shells through a web page by breaking out of your directory structure by using a unicode error in IIS.

you should install NT Service Pack 6a to fix this problem.
0
 

Author Comment

by:jians
ID: 6161012
Could you point me a link with more details? Thanks!
0
 
LVL 5

Expert Comment

by:dredge
ID: 6161079
http://www.microsoft.com/technet/iis/

I can't seem to find the specific Unicode bug anymore, but it used to be listed on the front page.

Service Pack 6a fixes this problem, though.
0
 

Author Comment

by:jians
ID: 6161249
Thanks a lot!
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Running classic asp applications under Windows Server 2008 R2 (x64) and IIS 7 is not as easy as one may think. It took me a while to figure it out while getting error 8002801d a few times. After you install the OS you will need to install the fol…
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question