Hi everyone - As has been stated, these are from viri out in the wild, and will potentially be problematic.
However, Microsoft has a tool (URLSCAN) that blocks all of the currently known viri, and prevents most new ones from taking advantage of known holes. URLScan is an ISAPI module that looks for these screwy requests before IIS actually processes them. It works *really* well, and has the potential of preventing some future problems.

URLScan can be installed as part of the IISLockdown tool, which also removes all the "bad" defaults (.htr and .idx processing) that IIS installs with. Quite helpful if you don't have a set secure IIS configuration guideline.

URLScan
http://www.microsoft.com/technet/security/tools/tools/urlscan.asp

IISLockdown
http://www.microsoft.com/technet/security/tools/tools/locktool.asp

In general, you should *not* be running an IIS server in the wild without URLScan running.

Chris

Christopher G. Lewis
Technical Consultant
HTTP://www.ChristopherLewis.com

> Date: Mon, 08 Jul 2002 05:02:27 -0700 (PDT)
> From: "Paul Sumner" <[EMAIL PROTECTED]>
> Subject: [analog-help] Deciphering Hack Attempts
>
> In my raw logs I find several entries, such as:
>
> /scripts/root.exe?/c+dir
> /MSADC/root.exe?/c+dir
> /c/winnt/system32/comd.exe?/c+dir
> /d/winnt/system32/comd.exe?/c+dir
> /scripts/..%255c.../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>
> Etc. Etc.
>
> Are these hack attempts? If not, what are they?
> Should I assume that my webhost is blocking these
> attempts?
> How would I recognize if an attempt is successful
> (other than seeing profanity on my website)?
>
> Thank you!
> Paul Sumner
>
> end

These are
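On the question of how to recognize whether an attempt succeeded, one log-side check is to pair each probe request with the status code the server returned. The following is an added example, not part of the original messages: it assumes Common Log Format, the function names and sample lines are constructed for illustration, and treating a 2xx status as "needs follow-up" is a heuristic.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
SHELLS = ("cmd.exe", "root.exe")  # binaries named in the requests quoted above

# Constructed sample lines (documentation addresses, invented sizes and statuses).
SAMPLE = [
    '192.0.2.10 - - [08/Jul/2002:04:11:02 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283',
    '192.0.2.10 - - [08/Jul/2002:04:11:03 -0700] "GET /scripts/..%255c.../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1503',
    '192.0.2.77 - - [08/Jul/2002:04:12:40 -0700] "GET /index.html HTTP/1.0" 200 5120',
]

def fully_decode(target, max_rounds=5):
    """Percent-decode until stable, so %255c -> %5c -> backslash -> slash."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/").lower()

def classify(target):
    """Return the reasons a request target looks like one of these probes."""
    path = fully_decode(target).split("?", 1)[0]
    reasons = []
    if "../" in path:
        reasons.append("traversal")
    if path.rsplit("/", 1)[-1] in SHELLS:
        reasons.append("shell")
    return reasons

def scan(lines):
    """Yield (host, target, status, reasons, verdict) for each probe line."""
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        host, _method, target, status = m.groups()
        reasons = classify(target)
        if reasons:
            verdict = "INVESTIGATE" if status.startswith("2") else "rejected"
            yield host, target, int(status), reasons, verdict

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(row)
```

Probes answered with 4xx were turned away before anything ran; a 2xx on one of these targets is the entry to follow up on the server itself.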
