From: Mark Parry (markfirstworld.net)
Date: Mon Jul 23 2001 - 13:06:24 CDT

    Somebody else can probably verify that this is true or not, but I believe
    that on an unpatched server, that request would root IIS and the request
    would never get logged.

    It's probably not the best idea to consider yourself safe based off this,
    but I would have admins consider this, especially since many will read their
    IIS logs hoping to detect break-ins. : )

    Adept

    "Si Vis Pacem, Para Bellum" --from Aleph One's sig--"To live in Peace,
    Prepare for War!"
    "Vae Victis" --from Alfred Huger's sig--"Woe to the vanquished"
    "Furnulum pani nolo" --from Adept's sig--"I don't want a toaster."

    ----- Original Message -----
    From: "Colin Stefani" <cstefanitideworks.com>
    To: "'Site Admin'" <tsgbmayahoo.com>; <FOCUS-MSsecurityfocus.com>
    Sent: Monday, July 23, 2001 9:50 AM
    Subject: RE: IIS LOG entry.....

    > 1) Robots.txt is a text file that search engines look for (i.e. bots) that
    > you can create to tell them what to look for on your site, direct them to
    > unlinked content, and keep them off of certain areas. It should be
    > harmless.
    >
    > 2) The second entry is probably the Code Red Worm looking for the .ida
    > vulnerability on your machine. Make sure you're patched with IIS patch
    > MS01-033 and you should be fine (for now) against that worm.
    >
    > If you aren't patched against the worm, then do so quickly as you're
    > probably already infected.
    >
    > -cs-
    >
    > -----Original Message-----
    > From: Site Admin [mailto:tsgbmayahoo.com]
    > Sent: Monday, July 23, 2001 3:38 AM
    > To: FOCUS-MSsecurityfocus.com
    > Subject: IIS LOG entry.....
    >
    > Hi All,
    > We have a website on NT4 IIS4. During frequent checks
    > of my IIS log, I found the following entries:
    >
    > 2001-07-22 13:25:58 209.247.40.105 - GET /robots.txt -
    > 404 15 ia_archiver -
    > 2001-07-22 13:26:00 209.247.40.105 - GET
    > /s5intr/SessExpNW.asp - 200 15 ia_archiver -
    >
    > Is it a hacking attempt? This particular IP from
    > Alexa.com is found frequently in the log for
    > "robots.txt".
    >
    > I also found....
    >
    > 2001-07-21 17:16:42 208.20.74.1 - GET /default.ida
    >
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    >
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    >
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
    >
    90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
    > 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    > 404 78 - -
    > 2001-07-21 18:11:39 209.247.40.98 - GET /robots.txt -
    > 404 16 ia_archiver -
    > 2001-07-21 18:11:39 209.247.40.98 - GET /welcome.asp -
    > 200 344 ia_archiver -
    > Again, for the last 3 days, I find entries with GET
    > attempts for /default.ida from a set of 5-10 IPs. When
    > I checked with nslookup for some IPs, nslookup doesn't
    > return any values...
    > But I have not lost any data and there is no sign
    > of anything being wrong with the website.
    > (sorry for the long mail)
    > Any advice/help on what to do...
    > regds,
    > RP
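
An added example, not part of the original thread: a small triage script that separates the two kinds of entries discussed above, crawler fetches of /robots.txt and .ida requests carrying long padding or %u-encoded data in the query. The field order is an assumption taken from the log lines quoted in the thread, the thresholds are arbitrary, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Field order assumed from the log lines quoted in the thread:
# date time client-ip user method uri-stem uri-query status n user-agent referer
LINE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<ip>\S+) \S+ \S+ '
    r'(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3}) \S+ (?P<agent>\S+)')

PADDING = re.compile(r'(.)\1{63,}')                    # one character repeated 64+ times
U_ENCODED = re.compile(r'(?:%u[0-9a-f]{4}){4,}', re.I)  # run of %uXXXX escapes

def classify(line):
    """Return (kind, client_ip) for a log line, or None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    stem, query = m['stem'].lower(), m['query']
    if stem.endswith('.ida'):
        if PADDING.search(query) or U_ENCODED.search(query):
            return 'ida-overflow-probe', m['ip']
        return 'ida-request', m['ip']
    if stem == '/robots.txt':
        return 'crawler', m['ip']
    return 'other', m['ip']

def summarize(lines):
    """Group client IPs by the kind of request they made."""
    hits = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]].add(result[1])
    return {kind: sorted(ips) for kind, ips in hits.items()}

SAMPLE = [  # constructed lines using documentation IP ranges
    "2001-07-22 13:25:58 192.0.2.10 - GET /robots.txt - 404 15 ia_archiver -",
    "2001-07-22 13:26:00 192.0.2.10 - GET /welcome.asp - 200 15 ia_archiver -",
    "2001-07-21 17:16:42 198.51.100.7 - GET /default.ida " + "N" * 224
    + "%u4141%u4141%u4141%u4141=a 404 78 - -",
    "2001-07-21 17:20:01 198.51.100.8 - GET /default.ida - 404 78 - -",
]

if __name__ == "__main__":
    for kind, ips in summarize(SAMPLE).items():
        print(kind, ips)
```

An empty `ida-overflow-probe` result only means no such request was logged; the reply at the top of the thread raises the possibility that a request against an unpatched server never reaches the log.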