My IIS WEB Site Log Files (I am in worries)...

134 Posts
Location -
Joined 2001-08-02
Hi there!
 
From time to time I can find something like this in my WEB log files (C:\WINDOWS\system32\Logfiles\W3SVC1)...
I wonder what this is... Was someone trying to attack my system?
 

Code:
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2002-03-25 22:05:26
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:05:26 213.46.204.47 GET /scripts/root.exe 404
22:05:31 213.46.204.47 GET /MSADC/root.exe 404
22:05:38 213.46.204.47 GET /c/winnt/system32/cmd.exe 404
22:05:44 213.46.204.47 GET /d/winnt/system32/cmd.exe 404
22:05:50 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:05:56 213.46.204.47 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
22:06:04 213.46.204.47 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
22:06:10 213.46.204.47 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
22:06:16 213.46.204.47 GET /scripts/..Á../winnt/system32/cmd.exe 500
22:06:22 213.46.204.47 GET /scripts/winnt/system32/cmd.exe 404
22:06:28 213.46.204.47 GET /winnt/system32/cmd.exe 404
22:06:37 213.46.204.47 GET /winnt/system32/cmd.exe 404
22:06:43 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:06:51 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:59:17 61.133.99.129 GET /scripts/root.exe 404
22:59:26 61.133.99.129 GET /MSADC/root.exe 404
22:59:32 61.133.99.129 GET /c/winnt/system32/cmd.exe 404
22:59:38 61.133.99.129 GET /d/winnt/system32/cmd.exe 404
22:59:43 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:59:48 61.133.99.129 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
22:59:53 61.133.99.129 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
22:59:58 61.133.99.129 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
23:00:04 61.133.99.129 GET /scripts/..Á../winnt/system32/cmd.exe 500
23:00:10 61.133.99.129 GET /scripts/winnt/system32/cmd.exe 404
23:00:19 61.133.99.129 GET /winnt/system32/cmd.exe 404
23:00:26 61.133.99.129 GET /winnt/system32/cmd.exe 404
23:00:32 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:00:38 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:00:43 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:00:49 61.133.99.129 GET /scripts/..%2f../winnt/system32/cmd.exe 500
23:25:19 213.113.206.59 GET /scripts/root.exe 404
23:25:22 213.113.206.59 GET /MSADC/root.exe 404
23:25:24 213.113.206.59 GET /c/winnt/system32/cmd.exe 404
23:25:26 213.113.206.59 GET /d/winnt/system32/cmd.exe 404
23:25:28 213.113.206.59 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:25:29 213.113.206.59 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
23:25:34 213.113.206.59 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
23:25:36 213.113.206.59 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
23:25:38 213.113.206.59 GET /scripts/..Á../winnt/system32/cmd.exe 500
 
Thanks


Responses to this topic


134 Posts
Location -
Joined 2001-08-02
OP
Hi!
 
Thanks for this... I'll sleep much better now...

15 Posts
Location -
Joined 2002-11-04
The fact you're giving out 404 errors shows that it is not finding what it wants. If those were not there... worry.

134 Posts
Location -
Joined 2001-08-02
OP
Hi!
 
Yeah IIS was giving out 404, that's good but some of them were 500 (Internal Server Error) and so on...
 
Okay now I've got one more question:
When I try to telnet to my XP box via port 17 I get these strange quotations... They are making me a little worried:
 

Code:
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"We have no more right to consume happiness without producing it than to consume wealth without producing it." George Bernard Shaw (1856-1950)
Connection closed by foreign host.
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"The secret of being miserable is to have leisure to bother about whether you are happy or not.  The cure for it is occupation." George Bernard Shaw (1856-1950)
Connection closed by foreign host.
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"When a stupid man is doing something he is ashamed of, he always declares that it is his duty." George Bernard Shaw (1856-1950)
Connection closed by foreign host.
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"Man can climb to the highest summits, but he cannot dwell there long." George Bernard Shaw (1856-1950)
Connection closed by foreign host.
 
Okay what is this? Some of my friends are having the same 'problem' but not my brother (he is not running IIS). On port 17 I see TCPSVCS.EXE application.
 
Thanks for everything,

3857 Posts
Location -
Joined 2000-03-29
Judging by the quotes and the port, I would say that's going to be the Quote of the Day Protocol (QOTD) at work. Just block that (and any other) unused port. Here is a list of ports and what they are (normally) used for:
 
http://www.iana.org/assignments/port-numbers
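
To act on the advice about unused ports, this added example (not part of the original thread) checks a host you administer for the Windows Simple TCP/IP Services that TCPSVCS.EXE hosts, QOTD on port 17 among them, and records what each one sends on connect. The function names `read_banner` and `audit` and the 127.0.0.1 target are assumptions made for the example.

```python
import socket

# Ports of the Windows "Simple TCP/IP Services" bundle hosted by TCPSVCS.EXE.
SIMPLE_TCP_SERVICES = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen"}

def read_banner(host, port, timeout=2.0, limit=512):
    """Connect and return what the service sends unprompted, or None if the port is closed.

    QOTD (RFC 865) and daytime send their text on connect and then close,
    which is why the telnet session in the post ends right after the quote.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            chunks = []
            try:
                while sum(map(len, chunks)) < limit:  # chargen never stops, so cap it
                    data = conn.recv(limit)
                    if not data:
                        break
                    chunks.append(data)
            except OSError:
                pass  # timeout (echo/discard stay silent) or reset: port was still open
            return b"".join(chunks)[:limit].decode("latin-1").strip()
    except OSError:
        return None  # connection refused or unreachable

def audit(host, ports=SIMPLE_TCP_SERVICES):
    """Return {port: (name, banner)} for every listed port that accepts connections."""
    found = {}
    for port, name in ports.items():
        banner = read_banner(host, port)
        if banner is not None:
            found[port] = (name, banner)
    return found

if __name__ == "__main__":
    # Assumed target: the local machine.
    for port, (name, banner) in audit("127.0.0.1").items():
        print(f"{port}/tcp {name} is listening: {banner[:60]!r}")
```

An empty result means none of the five services answered on that host.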