These are known NT exploits.
The /../../ trick, the MSADC exploit, the Unicode trick, possibly NIMDA, but
not enough information to tell. I couldn't tell you if your server is
compromised or not. You'll have to once-over the box yourself to find out.
You SHOULD be OK provided you've patched your server. Check the M$ site to
determine what the patchlevel should be based on NT version and service
pack. If you're not at the right patch level, I'd assume the worst and go
from there.
Sam Sylar
Sr. SysAdmin/GCIA
ERAC Network Services
(314) 512-2989
[EMAIL PROTECTED]
[EMAIL PROTECTED]
---------------------------------
Apathy is the world's worst problem. But who cares?

> -----Original Message-----
> From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 17, 2002 10:09 AM
> To: [EMAIL PROTECTED]
> Subject: [gb-users] Not Gnatbox but security related
> 
> 
> Hi everyone
> 
> I have to administer our small company network in my spare time which
> hopefully explains my little security knowledge...
> I have just come across a scary entry in our Windows 2000 Server Internet
> Information Services 5.0 log:
> 
> 2002-01-17 10:52:31 62.161.107.167 - 10.10.1.1 80 GET /scripts/root.exe /c+dir 403 www -
> 2002-01-17 10:52:46 62.161.107.167 - 10.10.1.1 80 GET /MSADC/root.exe /c+dir 403 www -
> 2002-01-17 10:52:54 62.161.107.167 - 10.10.1.1 80 GET /c/winnt/system32/cmd.exe /c+dir 403 www -
> 2002-01-17 10:53:03 62.161.107.167 - 10.10.1.1 80 GET /d/winnt/system32/cmd.exe /c+dir 403 www -
> 2002-01-17 10:53:18 62.161.107.167 - 10.10.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 403 www -
> 
> Is someone currently executing terrible things on our server?
> 
> I would be very grateful for any quick help and/or explanation!
> 
> Thanks a lot and best wishes to everyone
> 
> Marc
> 
> Suxdorf Studios für Design
> Milchstrasse 6b
> D-20148 Hamburg
> Tel +49 (40) 41345-100
> Fax +49 (40) 41345-101
> Email [EMAIL PROTECTED]

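Added example, not part of the original thread: a small triage script that runs the quoted IIS log lines through pattern checks and separates requests the server refused (4xx) from ones that need investigation. The field order, the signature labels and the last two sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Field order assumed from the log lines quoted in the message.
FIELDS = ["date", "time", "c_ip", "user", "s_ip", "port",
          "method", "uri_stem", "uri_query", "status"]

# Probe families visible in the quoted log; labels are descriptive only.
SIGNATURES = [
    ("root.exe probe", re.compile(r"/root\.exe$", re.I)),
    ("directory traversal to cmd.exe", re.compile(r"\.\.[\\/].*cmd\.exe$", re.I)),
    ("cmd.exe via drive-letter path", re.compile(r"^/[a-z]/.*cmd\.exe$", re.I)),
]

def classify(line):
    """Return (client_ip, label, verdict) for a probe line, else None."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    stem = unquote(rec["uri_stem"])  # decode %5c to a backslash before matching
    for label, pattern in SIGNATURES:
        if pattern.search(stem):
            # 4xx: the server refused the request. Anything else needs a closer look.
            verdict = "rejected" if rec["status"].startswith("4") else "INVESTIGATE"
            return rec["c_ip"], label, verdict
    return None

def triage(lines):
    """Classify every line and keep only the probe hits."""
    return [hit for hit in map(classify, lines) if hit]

# First five lines are from the message (re-joined); the last two are constructed.
SAMPLE = [
    "2002-01-17 10:52:31 62.161.107.167 - 10.10.1.1 80 GET /scripts/root.exe /c+dir 403 www -",
    "2002-01-17 10:52:46 62.161.107.167 - 10.10.1.1 80 GET /MSADC/root.exe /c+dir 403 www -",
    "2002-01-17 10:52:54 62.161.107.167 - 10.10.1.1 80 GET /c/winnt/system32/cmd.exe /c+dir 403 www -",
    "2002-01-17 10:53:03 62.161.107.167 - 10.10.1.1 80 GET /d/winnt/system32/cmd.exe /c+dir 403 www -",
    "2002-01-17 10:53:18 62.161.107.167 - 10.10.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 403 www -",
    "2002-01-17 11:02:10 192.0.2.10 - 10.10.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 www -",
    "2002-01-17 11:05:00 192.0.2.20 - 10.10.1.1 80 GET /index.html - 200 www -",
]

if __name__ == "__main__":
    for ip, label, verdict in triage(SAMPLE):
        print(f"{verdict:<12} {ip:<16} {label}")
```

All five lines from the message come back as rejected; only the constructed 200 line is flagged, which is the distinction to look for when reviewing the full log.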