Jim, I see the same log entries all of the time, on most of my web servers. It is the scanning stages of a Nimda or Code Red attacks. If you have Microsoft's URL Scan filter installed, and your IIS server patched (MS has a patch to guard against folder traversal) you shouldn't have too much to worry about. If you can track down the ip addresses where these scans are coming from you may be able to notify their ISP and have the attacking systems pulled offline.
Chances are it's a machine that is on "auto-pilot", randomly scanning any machine using IIS. Todd -----Original Message----- From: Jim Grossl [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 15, 2002 11:24 AM To: [EMAIL PROTECTED] Subject: IIS log files, can I have your take on these attacks? 207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396 207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 3396 207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396 207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396 207.225.190.149 -- [14/Jan/2002:10:30:23 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 3837 207.225.190.149 - - [14/Jan/2002:10:30:25 -0700] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396 I kind of bothers me to post these on an open list (apparently our Web server doesn't need any more "attention") but I would like to know what everyone thinks of these attacks. My Web server logged > 2000 of these attacks over the weekend. I'm pretty sure that attacks are not succeeding, but I've read that if the "%5c" shows up in the Double Decode attack that the file traversal is taking place. Thanks. Jim Grossl
