tomkyn
asked on
suspicious IIS5 log items
I looked into my IIS5 log and lately I have been getting 30+ requests a day like those shown below, from Comcast's subnet. Any ideas what this is all about?
10:34:49 68.38.221.161 SEARCH
/±±±±±±±±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±±±± ±±± 401
10:34:49 68.38.221.161 SEARCH
/±±±±±±±±±±±±
Sounds like I hit it on the nail... it is a buffer overflow attack. Hmmm.
xxxxxxxxxxxxx - - [04/Mar/2004:03:28:22 -0500] "GET *******/root.exe?/c+dir HTTP/1.0" 404 208
xxxxxxxxxxxxx - - [04/Mar/2004:03:28:22 -0500] "GET ***********/cmd.exe?/c+dir
xxxxxxxxxxxxx - - [04/Mar/2004:03:28:22 -0500] "GET **********/cmd.exe?/c+dir HTTP/1.0" 404 218
xxxxxxxxxxxxx - - [04/Mar/2004:03:28:23 -0500] "GET *************/cmd.exe?/c+d
xxxxxxxxxxxxx - - [04/Mar/2004:03:28:23 -0500] "GET *********winnt/system32/cm
A snippet from my access log. I run Apache, so I fear not the evil Code Red!!!
FYI, the ************* are things I removed so as not to give away the entire exploit, so script kiddies don't get any bright ideas.
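A small log triage script, added here as an example (it is not from the question or the reply above), that flags both kinds of request shown in this thread: long, repetitive SEARCH URIs like the IIS5 entries, and the cmd.exe/root.exe "/c+dir" probes like the Apache entries. The sample lines are constructed to mirror the formats posted above (paths redacted with '*' as in the reply); the URI length and distinct-character thresholds are assumptions to tune for your own logs.

```python
import re
from collections import Counter

# Constructed sample lines (not from any real server) in the two formats
# shown in the thread: IIS5 "time ip method uri status" and Apache common log.
SAMPLE_LINES = [
    "10:34:49 68.38.221.161 SEARCH /" + "\u00b1" * 200 + " 401",
    "10:34:49 68.38.221.161 SEARCH /" + "\u00b1" * 12 + " 401",
    "10:36:10 10.0.0.7 GET /index.html 200",
    'xxxxxxxxxxxxx - - [04/Mar/2004:03:28:22 -0500] "GET *******/root.exe?/c+dir HTTP/1.0" 404 208',
    'xxxxxxxxxxxxx - - [04/Mar/2004:03:28:23 -0500] "GET *********winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218',
    'xxxxxxxxxxxxx - - [04/Mar/2004:03:28:30 -0500] "GET /about.html HTTP/1.0" 200 1024',
]

IIS_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) ([A-Z]+) (\S+) (\d{3})$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)(?: \S+)?" (\d{3})')
SHELL_PROBE_RE = re.compile(r"(?:cmd|root)\.exe\?/c\+", re.IGNORECASE)

def parse_line(line):
    """Return (ip, method, uri, status) or None for lines in neither format."""
    m = IIS_RE.match(line)
    if m:
        return m.group(2), m.group(3), m.group(4), int(m.group(5))
    m = APACHE_RE.match(line)
    if m:
        return m.group(1), m.group(3), m.group(4), int(m.group(5))
    return None

def classify(method, uri, min_len=64, max_distinct=4):
    """Name the probe type for a request, or return None if it looks benign."""
    if SHELL_PROBE_RE.search(uri):
        return "command-shell probe (cmd.exe/root.exe)"
    # Overflow-style padding: a long URI made of very few distinct characters.
    if method == "SEARCH" and len(uri) >= min_len and len(set(uri)) <= max_distinct:
        return "long repetitive SEARCH URI (overflow-style probe)"
    return None

def scan(lines):
    """Return [(ip, method, reason)] for every line matching a probe pattern."""
    hits = []
    for parsed in filter(None, map(parse_line, lines)):
        ip, method, uri, _status = parsed
        reason = classify(method, uri)
        if reason:
            hits.append((ip, method, reason))
    return hits

def count_by_source(hits):
    """Probe count per source IP; useful to spot a host that repeats daily."""
    return Counter(ip for ip, _m, _r in hits)
```

Run `scan` over a day's worth of lines and feed the result to `count_by_source` to see which sources account for the 30+ daily hits; the hits themselves are only the request patterns, so 401/404 responses like those above mean the probes were refused, not that they succeeded.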