My IIS WEB Site Log Files (I am in worries)...

#114260 - 11/05/02 12:11 AM My IIS WEB Site Log Files (I am in worries)...
iks Offline
member

Registered: 08/02/01
Posts: 134
Hi there!

From time to time I find something like this in my web log files (C:\WINDOWS\system32\Logfiles\W3SVC1)...
I wonder what this is... Was someone trying to attack my system?

Code:
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2002-03-25 22:05:26
#Fields: time c-ip cs-method cs-uri-stem sc-status 
22:05:26 213.46.204.47 GET /scripts/root.exe 404
22:05:31 213.46.204.47 GET /MSADC/root.exe 404
22:05:38 213.46.204.47 GET /c/winnt/system32/cmd.exe 404
22:05:44 213.46.204.47 GET /d/winnt/system32/cmd.exe 404
22:05:50 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:05:56 213.46.204.47 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
22:06:04 213.46.204.47 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
22:06:10 213.46.204.47 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
22:06:16 213.46.204.47 GET /scripts/..Á../winnt/system32/cmd.exe 500
22:06:22 213.46.204.47 GET /scripts/winnt/system32/cmd.exe 404
22:06:28 213.46.204.47 GET /winnt/system32/cmd.exe 404
22:06:37 213.46.204.47 GET /winnt/system32/cmd.exe 404
22:06:43 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:06:51 213.46.204.47 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:59:17 61.133.99.129 GET /scripts/root.exe 404
22:59:26 61.133.99.129 GET /MSADC/root.exe 404
22:59:32 61.133.99.129 GET /c/winnt/system32/cmd.exe 404
22:59:38 61.133.99.129 GET /d/winnt/system32/cmd.exe 404
22:59:43 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:59:48 61.133.99.129 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
22:59:53 61.133.99.129 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
22:59:58 61.133.99.129 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
23:00:04 61.133.99.129 GET /scripts/..Á../winnt/system32/cmd.exe 500
23:00:10 61.133.99.129 GET /scripts/winnt/system32/cmd.exe 404
23:00:19 61.133.99.129 GET /winnt/system32/cmd.exe 404
23:00:26 61.133.99.129 GET /winnt/system32/cmd.exe 404
23:00:32 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:00:38 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:00:43 61.133.99.129 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:00:49 61.133.99.129 GET /scripts/..%2f../winnt/system32/cmd.exe 500
23:25:19 213.113.206.59 GET /scripts/root.exe 404
23:25:22 213.113.206.59 GET /MSADC/root.exe 404
23:25:24 213.113.206.59 GET /c/winnt/system32/cmd.exe 404
23:25:26 213.113.206.59 GET /d/winnt/system32/cmd.exe 404
23:25:28 213.113.206.59 GET /scripts/..%5c../winnt/system32/cmd.exe 500
23:25:29 213.113.206.59 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
23:25:34 213.113.206.59 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
23:25:36 213.113.206.59 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
23:25:38 213.113.206.59 GET /scripts/..Á../winnt/system32/cmd.exe 500


Thanks

#114267 - 11/05/02 12:29 AM Re: My IIS WEB Site Log Files (I am in worries)...
clutch Offline
Carpal Tunnel

Registered: 03/29/00
Posts: 3859
Looks like a Code-Red style attack. If you install IISLockdown (or at least URLScan) from MS that will harden IIS to that type of attack and reject those URLs.

IISLockdown
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/locktool.asp

URLScan (my fav)
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q307608&id=307608&sd=tech

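As an added illustration (not code from this thread, nor from Microsoft's IISLockdown or URLScan), here is a small Python script that parses IIS W3C extended log lines like the ones posted above, normalizes the %5c/%2f-encoded paths, and counts the cmd.exe/root.exe probe hits per client address and status code; the sample log lines and addresses inside it are constructed.

```python
"""Flag Code Red/Nimda-style cmd.exe probes in IIS W3C extended log lines (added example)."""
import urllib.parse
from collections import Counter, defaultdict

# Constructed sample in the same format as the post's log; the addresses are
# from the RFC 5737 documentation range, not real scanners.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.1
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:05:26 192.0.2.10 GET /scripts/root.exe 404
22:05:50 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe 500
22:05:56 192.0.2.10 GET /_vti_bin/..%5c../..%5c../winnt/system32/cmd.exe 500
23:00:49 192.0.2.20 GET /scripts/..%2f../winnt/system32/cmd.exe 500
23:10:00 192.0.2.30 GET /index.htm 200
"""

PROBE_TARGETS = ("cmd.exe", "root.exe")  # executables the worms asked for

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # IIS may re-emit this when fields change
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))

def normalize_uri(uri):
    """Percent-decode, fold backslashes to '/' and lowercase, so %5c, %2f and '/' compare equal."""
    return urllib.parse.unquote(uri).replace("\\", "/").lower()

def is_probe(uri):
    """True for '..' traversal or any request aimed at cmd.exe/root.exe or system32."""
    segments = normalize_uri(uri).split("/")
    return ".." in segments or segments[-1] in PROBE_TARGETS or "system32" in segments

def summarize(text):
    """Return {client_ip: Counter({status: hits})} counting only probe requests."""
    hits = defaultdict(Counter)
    for rec in parse_w3c(text):
        if is_probe(rec["cs-uri-stem"]):
            hits[rec["c-ip"]][rec["sc-status"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, statuses in summarize(SAMPLE_LOG).items():
        flag = "  <- not just 404s, look closer" if set(statuses) - {"404"} else ""
        print(ip, dict(statuses), flag)
```

A client whose probes draw anything other than 404 is the one to check first; URLScan's own rejection log can be read the same way once it is installed.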
#114319 - 11/05/02 03:54 PM Re: My IIS WEB Site Log Files (I am in worries)...
iks Offline
member

Registered: 08/02/01
Posts: 134
Hi!

Thanks for this... I'll sleep much better now :)

#114384 - 11/06/02 01:43 AM Re: My IIS WEB Site Log Files (I am in worries)...
Butternuts Offline
stranger

Registered: 11/04/02
Posts: 15
The fact you're giving out 404 errors shows that it is not finding what it wants. If those were not there... worry.

#114386 - 11/06/02 02:08 AM Re: My IIS WEB Site Log Files (I am in worries)...
iks Offline
member

Registered: 08/02/01
Posts: 134
Hi!

Yeah, IIS was giving out 404s, that's good, but some of them were 500 (Internal Server Error) and so on... :)

Okay now I've got one more question:
When I try to telnet to my XP box on port 17 I get these strange quotations... They are making me a little worried:

Code:
iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"We have no more right to consume happiness without producing it than to
 consume wealth without producing it." George Bernard Shaw (1856-1950)
Connection closed by foreign host.

iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"The secret of being miserable is to have leisure to bother about whether
 you are happy or not.  The cure for it is occupation."
 George Bernard Shaw (1856-1950)
Connection closed by foreign host.

iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"When a stupid man is doing something he is ashamed of, he always declares
 that it is his duty." George Bernard Shaw (1856-1950)
Connection closed by foreign host.

iks@iksbox2:~$ telnet <my_domain> 17
Trying <my_IP>...
Connected to <my_domain>.
Escape character is '^]'.
"Man can climb to the highest summits, but he cannot dwell there long."
 George Bernard Shaw (1856-1950)
Connection closed by foreign host.



Okay, what is this? Some of my friends are having the same 'problem', but not my brother (he is not running IIS). On port 17 I see the TCPSVCS.EXE application.

Thanks for everything,

#114394 - 11/06/02 03:27 AM Re: My IIS WEB Site Log Files (I am in worries)...
clutch Offline
Carpal Tunnel

Registered: 03/29/00
Posts: 3859
Judging by the quotes and the port, I would say that's going to be the Quote of the Day Protocol (QOTD) at work. Just block that (and any other) unused port. Here is a list of ports and what they are (normally) used for:

http://www.iana.org/assignments/port-numbers
