My IIS WEB Site Log Files (I am in worries)...
Hi there!
From a time to time I can find something like this in my WEB log files (C:\WINDOWS\system32\Logfiles\W3SVC1)...
I wonder what this is... Was someone trying to attack my system?
Code:
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2002-03-25 22:05:26
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:05:26 213.46.204.47 GET /scripts/root.exe 404
22:05:31 213.46.204.47 GET /MSADC/root.exe 404
22:05:38 213.46.204.47 GET /c/winnt/system32/cmd.exe 404
22:05:44 213.46.204.47 GET /d/winnt/system32/cmd.exe 404
22:05:50 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:05:56 213.46.204.47 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
22:06:04 213.46.204.47 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
22:06:10 213.46.204.47 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
22:06:16 213.46.204.47 GET /scripts/..Á../winnt/system32/cmd.exe 500
22:06:22 213.46.204.47 GET /scripts/winnt/system32/cmd.exe 404
22:06:28 213.46.204.47 GET /winnt/system32/cmd.exe 404
22:06:37 213.46.204.47 GET /winnt/system32/cmd.exe 404
22:06:43 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:06:51 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:59:17 61.133.99.129 GET /scripts/root.exe 404
22:59:26 61.133.99.129 GET /MSADC/root.exe 404
22:59:32 61.133.99.129 GET /c/winnt/system32/cmd.exe 404
22:59:38 61.133.99.129 GET /d/winnt/system32/cmd.exe 404
22:59:43 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:59:48 61.133.99.129 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
22:59:53 61.133.99.129 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
22:59:58 61.133.99.129 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
23:00:04 61.133.99.129 GET /scripts/..Á../winnt/system32/cmd.exe 500
23:00:10 61.133.99.129 GET /scripts/winnt/system32/cmd.exe 404
23:00:19 61.133.99.129 GET /winnt/system32/cmd.exe 404
23:00:26 61.133.99.129 GET /winnt/system32/cmd.exe 404
23:00:32 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:00:38 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:00:43 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:00:49 61.133.99.129 GET /scripts/..%2f../winnt/system32/cmd.exe 500
23:25:19 213.113.206.59 GET /scripts/root.exe 404
23:25:22 213.113.206.59 GET /MSADC/root.exe 404
23:25:24 213.113.206.59 GET /c/winnt/system32/cmd.exe 404
23:25:26 213.113.206.59 GET /d/winnt/system32/cmd.exe 404
23:25:28 213.113.206.59 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:25:29 213.113.206.59 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
23:25:34 213.113.206.59 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
23:25:36 213.113.206.59 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
23:25:38 213.113.206.59 GET /scripts/..Á../winnt/system32/cmd.exe 500
Thanks
Responses to this topic
Looks like a Code-Red style attack. If you install IISLockdown (or at least URLScan) from MS that will harden IIS to that type of attack and reject those URLs.
IISLockdown
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/locktool.asp
URLScan (my fav)
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q307608&id=307608&sd=tech
The fact you're giving out 404 errors shows that it is not finding what it wants. If those were not there... worry.
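The reply's 404-versus-500 point is easy to check mechanically across a whole log rather than by eye. As an added example, not code from the thread or from Microsoft, the Python script below parses the IIS W3C extended log format shown above (the "#Fields:" header decides the column order), flags the probe pattern the worm traffic uses (root.exe, cmd.exe and encoded ".." traversal), and reports per source IP whether any probe got something other than a 404. The sample log is constructed: its probe lines are modelled on the excerpt (same IPs and paths), and the 10.0.0.5 client is invented to stand in for normal traffic.

```python
"""Triage an IIS W3C extended log for worm-style probe requests.

Added example, not code from the forum thread. The parser honours the
"#Fields:" header so column order in the log does not matter; the probe
signature covers what the excerpt above shows (root.exe, cmd.exe, and
encoded ".." traversal). The sample log is constructed: its probe lines
are modelled on the thread's excerpt, the 10.0.0.5 client is made up.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2002-03-25 22:05:26
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:05:26 213.46.204.47 GET /scripts/root.exe 404
22:05:50 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:06:28 213.46.204.47 GET /winnt/system32/cmd.exe 404
22:10:00 10.0.0.5 GET /index.htm 200
22:10:02 10.0.0.5 GET /images/logo.gif 200
23:00:49 61.133.99.129 GET /scripts/..%2f../winnt/system32/cmd.exe 500
23:25:19 213.113.206.59 GET /scripts/root.exe 404
23:25:36 213.113.206.59 GET /msadc/..%5c../..Á../winnt/system32/cmd.exe 404
"""

# root.exe / cmd.exe, or ".." followed by anything that is not a normal path
# character (a backslash, a slash, or the stray byte IIS logged as "Á").
PROBE_RE = re.compile(r"root\.exe|cmd\.exe|\.\.[^A-Za-z0-9.]", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("data line appears before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than shift columns silently
        yield dict(zip(fields, values))


def is_probe(stem):
    """True when the request path matches the worm probe signature.

    IIS writes cs-uri-stem after one round of %-decoding, so "%5c" in the log
    was "%255c" on the wire. Decoding once more shows what a server that
    decodes twice would have seen: "..\\..".
    """
    decoded = unquote(stem, errors="replace")
    return bool(PROBE_RE.search(decoded))


def triage(log_text):
    """Per source IP: count probe requests and record every one that was not a 404."""
    report = defaultdict(lambda: {"probes": 0, "not_404": 0, "hits": []})
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        if not is_probe(stem):
            continue
        entry = report[rec["c-ip"]]
        entry["probes"] += 1
        status = rec.get("sc-status", "")
        if status != "404":
            entry["not_404"] += 1
            entry["hits"].append((status, stem))
    return dict(report)


def verdict(entry):
    """Turn one IP's entry into a triage label.

    not-found:       every probe got 404, the file simply is not there
    reached-handler: a probe got a 5xx, so the URL got past lookup into a
                     script handler; confirm the server's patch level
    served:          a probe got 2xx, the request was actually fulfilled
    """
    statuses = {status for status, _ in entry["hits"]}
    if any(s.startswith("2") for s in statuses):
        return "served"
    if any(s.startswith("5") for s in statuses):
        return "reached-handler"
    return "not-found"


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(f"{ip:16} probes={entry['probes']:2} non-404={entry['not_404']:2} -> {verdict(entry)}")
        for status, stem in entry["hits"]:
            print(f"{'':16} {status} {stem}")
```

Point it at a real file with `triage(open(path).read())`. An IP whose verdict is "served" means a probe URL was actually fulfilled and the box needs a proper incident response; "reached-handler" means the URL got into a script handler, so the patch level (or the URLScan ruleset the reply recommends) should be confirmed; "not-found" is the case the reply describes, where the worm looked and found nothing.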
Hi!
Yeah IIS was giving out 404, that's good but some of them were 500 (Internal Server Error) and so on...
Okay now I've got one more question:
When I try to telnet to my XP box via port 17 I get these strange quotations... They are making me a little worried:
Code:
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"We have no more right to consume happiness without producing it than to consume wealth without producing it." George Bernard Shaw (1856-1950)
Connection closed by foreign host.
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"The secret of being miserable is to have leisure to bother about whether you are happy or not. The cure for it is occupation." George Bernard Shaw (1856-1950)
Connection closed by foreign host.
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"When a stupid man is doing something he is ashamed of, he always declares that it is his duty." George Bernard Shaw (1856-1950)
Connection closed by foreign host.
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"Man can climb to the highest summits, but he cannot dwell there long." George Bernard Shaw (1856-1950)
Connection closed by foreign host.
Okay what is this? Some of my friends are having the same 'problem' but not my brother (he is not running IIS). On port 17 I see TCPSVCS.EXE application.
Thanks for everything,
Judging by the quotes and the port, I would say that's going to be the Quote of the Day Protocol (QOTD) at work. Just block that (and any other) unused port. Here is a list of ports and what they are (normally) used for:
http://www.iana.org/assignments/port-numbers