Solved

what does this IIS log tell me...

Posted on 2001-06-06
4
1,660 Views
Last Modified: 2008-02-07
The following entries are found in my IIS log file. Please tell me what does it mean. (NT4 + IIS4) Thanks,

2001-05-19 08:27:14 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 3 604 85 150 80 HTTP/1.0 - - -
2001-05-19 08:27:14 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:15 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:15 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:16 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 3 604 85 150 80 HTTP/1.0 - - -
2001-05-19 08:27:16 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:18 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..A../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:18 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:19 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 3 604 85 160 80 HTTP/1.0 - - -
2001-05-19 08:27:19 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 3 604 88 140 80 HTTP/1.0 - - -
2001-05-19 08:27:21 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..????../winnt/system32/cmd.exe /c+dir 404 3 604 91 160 80 HTTP/1.0 - - -
2001-05-19 08:27:21 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..?????../winnt/system32/cmd.exe /c+dir 404 3 604 94 170 80 HTTP/1.0 - - -
2001-05-19 08:27:22 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /scripts/..u?????../winnt/system32/cmd.exe /c+dir 404 3 604 97 140 80 HTTP/1.0 - - -
2001-05-19 08:27:22 202.64.252.67 - W3SVC3 SDC1M004 10.2.2.254 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 404 3 604 114 160 80 HTTP/1.0 - - -
0
Comment
Question by:jians
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 5

Accepted Solution

by:
dredge earned 5 total points
ID: 6160688
that means that someone was trying to exploit the UNICODE bug in IIS4.

this was a but that allowed a user to execute command shells through a web page by breaking out of your directory structure by using a unicode error in IIS.

you should install NT Service Pack 6a to fix this problem.
0
 

Author Comment

by:jians
ID: 6161012
Could you point me a link with more details? Thanks!
0
 
LVL 5

Expert Comment

by:dredge
ID: 6161079
http://www.microsoft.com/technet/iis/

I can't seem to find the specific Unicode bug anymore, but it used to be listed on the front page.

Service Pack 6a fixes this problem, though.
0
 

Author Comment

by:jians
ID: 6161249
Thanks a lot!
0

Featured Post

Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today I came across an interesting issue that had me pulling my hair out.  I was troubleshooting a new internal web site which uses integrated security instead of anonymous.  When browsing the site from my laptop, I was able to access it with no iss…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question