IIS Log file entry. Should I be concerned

General Network security, firewalls, port filtering/forwarding, wireless security, anti-spyware, as well as spam control and privacy discussions.
Jon
Advanced Member
Posts: 882
Joined: Fri Jun 09, 2000 12:00 am
Location: 3rd rock from the sun

IIS Log file entry. Should I be concerned

Post by Jon »

I was going through my IIS log files this afternoon and noticed a few entries that don't look too good.

02:26:22 24.91.31.91 GET /scripts/root.exe 404
02:26:22 24.91.31.91 GET /MSADC/root.exe 404
02:26:22 24.91.31.91 GET /c/winnt/system32/cmd.exe 404
02:26:22 24.91.31.91 GET /d/winnt/system32/cmd.exe 404
02:26:22 24.91.31.91 GET /scripts/..%5c../winnt/system32/cmd.exe 500
02:26:24 24.91.31.91 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
02:26:24 24.91.31.91 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
02:26:24 24.91.31.91 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 500
02:26:24 24.91.31.91 GET /scripts/..Á../winnt/system32/cmd.exe 500
02:26:25 24.91.31.91 GET /scripts/winnt/system32/cmd.exe 404
02:26:25 24.91.31.91 GET /winnt/system32/cmd.exe 404
02:26:25 24.91.31.91 GET /winnt/system32/cmd.exe 404
02:26:25 24.91.31.91 GET /scripts/..%5c../winnt/system32/cmd.exe 500
02:26:25 24.91.31.91 GET /scripts/..%5c../winnt/system32/cmd.exe 500
02:26:26 24.91.31.91 GET /scripts/..%5c../winnt/system32/cmd.exe 500
02:26:26 24.91.31.91 GET /scripts/..%2f../winnt/system32/cmd.exe 500

12:56:42 24.192.11.229 GET /scripts/root.exe 404
12:56:42 24.192.11.229 GET /MSADC/root.exe 404
12:56:42 24.192.11.229 GET /c/winnt/system32/cmd.exe 404
12:56:42 24.192.11.229 GET /d/winnt/system32/cmd.exe 404
12:56:42 24.192.11.229 GET /scripts/..%5c../winnt/system32/cmd.exe 500
12:56:42 24.192.11.229 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
12:56:43 24.192.11.229 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
12:56:47 24.192.11.229 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 500
12:56:56 24.192.11.229 GET /scripts/..Á../winnt/system32/cmd.exe 500
12:56:56 24.192.11.229 GET /scripts/winnt/system32/cmd.exe 404
12:56:56 24.192.11.229 GET /winnt/system32/cmd.exe 404
12:56:56 24.192.11.229 GET /winnt/system32/cmd.exe 404
12:56:56 24.192.11.229 GET /scripts/..%5c../winnt/system32/cmd.exe 500
12:56:56 24.192.11.229 GET /scripts/..%5c../winnt/system32/cmd.exe 500
12:56:56 24.192.11.229 GET /scripts/..%5c../winnt/system32/cmd.exe 500
12:56:57 24.192.11.229 GET /scripts/..%2f../winnt/system32/cmd.exe 500

06:29:52 24.203.209.97 GET /scripts/root.exe 404
06:29:52 24.203.209.97 GET /MSADC/root.exe 404
06:29:52 24.203.209.97 GET /c/winnt/system32/cmd.exe 404
06:29:53 24.203.209.97 GET /d/winnt/system32/cmd.exe 404
06:29:53 24.203.209.97 GET /scripts/..%5c../winnt/system32/cmd.exe 500
06:29:55 24.203.209.97 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
06:29:55 24.203.209.97 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
06:29:56 24.203.209.97 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 500
06:29:56 24.203.209.97 GET /scripts/..Á../winnt/system32/cmd.exe 500
06:29:57 24.203.209.97 GET /scripts/winnt/system32/cmd.exe 404
06:29:58 24.203.209.97 GET /winnt/system32/cmd.exe 404
06:29:58 24.203.209.97 GET /winnt/system32/cmd.exe 404
06:29:58 24.203.209.97 GET /scripts/..%5c../winnt/system32/cmd.exe 500
06:29:58 24.203.209.97 GET /scripts/..%5c../winnt/system32/cmd.exe 500
06:29:59 24.203.209.97 GET /scripts/..%5c../winnt/system32/cmd.exe 500
06:29:59 24.203.209.97 GET /scripts/..%2f../winnt/system32/cmd.exe 500

From what I gather from looking at this, someone was trying to gain root access but was denied? Am I interpreting this correctly?

What does this entry mean?
13:31:10 12.250.78.249 GET /default.ida 200

There are quite a few from various IP addresses.

TIA
Jon
Matt615
Senior Member
Posts: 2030
Joined: Sun Jan 07, 2001 12:00 am
Location: Somewhere on the east coast of the US

Post by Matt615 »

Yes, it definitely looks like someone was trying to get root access and command line access to your computer. I don't think they got access because I think it would say more after the root commands and everything else.

I would block those IPs in IIS so they can't make any further attempts to get in. Just make sure that IIS is running with the most up to date patches and security updates.

I would also like to know what default.ida is???
Windows has not yet detected a keyboard. Press any key to continue.
Jon
Advanced Member
Posts: 882
Joined: Fri Jun 09, 2000 12:00 am
Location: 3rd rock from the sun

Post by Jon »

As near as I can tell, the call for default.ida is caused by some other Code Red infected web server looking for a non-protected server to infect.
Matt615
Senior Member
Posts: 2030
Joined: Sun Jan 07, 2001 12:00 am
Location: Somewhere on the east coast of the US

Post by Matt615 »

Ohh yeah, that would probably make sense.
Windows has not yet detected a keyboard. Press any key to continue.
Thorazine
Regular Member
Posts: 353
Joined: Tue Dec 14, 1999 12:00 am
Location: Washington, DC, USA

Post by Thorazine »

Through the *.ida files Code Red, Nimda and their variants try to infect your machine. As long as you're patched, you're fine.
Susky
Member
Posts: 29
Joined: Tue May 14, 2002 10:11 am

Post by Susky »

From the 404 and 500 result codes, I'd think that your server isn't handing stuff out to (I think) Nimda. I run some UNIX servers, and I see a lot of those error messages. You should be okay.
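One way to triage log excerpts like the ones Jon posted, and to check Susky's point about the 404/500 result codes, as an added example that is not code from anyone in this thread: it parses lines in the same layout, labels the Nimda-style traversal and cmd.exe/root.exe probes and the Code Red default.ida requests, and reports per source address whether any probe was actually served with a 200. The sample lines are constructed from the thread's entries; the marker list and category names are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the thread's IIS log excerpts
SAMPLE_LOG = """\
02:26:22 24.91.31.91 GET /scripts/root.exe 404
02:26:22 24.91.31.91 GET /scripts/..%5c../winnt/system32/cmd.exe 500
02:26:24 24.91.31.91 GET /scripts/..Á../winnt/system32/cmd.exe 500
02:26:26 24.91.31.91 GET /scripts/..%2f../winnt/system32/cmd.exe 500
13:31:10 12.250.78.249 GET /default.ida 200
09:00:01 10.0.0.5 GET /index.html 200
"""

# time ip method uri status (the columns shown in the thread)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Assumed markers: the encoded "..\" and "../" and the "..Á" form the
# thread's log rendering shows for the overlong-UTF-8 traversal.
TRAVERSAL_MARKERS = ("..%5c", "..%2f", "..Á")
COMMAND_TARGETS = ("cmd.exe", "root.exe")


def classify(uri: str) -> str:
    """Label one request URI with the probe type it matches (names are assumed)."""
    u = uri.lower()
    if u.endswith("/default.ida"):
        return "ida-worm-probe"        # Code Red style scan of the .ida ISAPI mapping
    if any(m.lower() in u for m in TRAVERSAL_MARKERS):
        return "traversal-probe"       # Nimda style ..%5c / ..%2f / overlong UTF-8
    if any(u.endswith("/" + t) for t in COMMAND_TARGETS):
        return "command-shell-probe"   # direct guesses at root.exe / cmd.exe paths
    return "normal"


def parse(log_text: str) -> list:
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                   # skip lines not in the expected layout
        t, ip, method, uri, status = m.groups()
        events.append({"time": t, "ip": ip, "method": method, "uri": uri,
                       "status": int(status), "kind": classify(uri)})
    return events


def summarize(events: list) -> dict:
    """Per source IP: how many probes, which kinds, and how many got a 200.
    A 200 on default.ida only shows the .ida mapping is enabled, not an infection,
    so it is not counted as served; a 200 on cmd.exe/root.exe would be."""
    per_ip = defaultdict(lambda: {"probes": 0, "served": 0, "kinds": set()})
    for e in events:
        if e["kind"] == "normal":
            continue
        s = per_ip[e["ip"]]
        s["probes"] += 1
        s["kinds"].add(e["kind"])
        if e["status"] == 200 and e["kind"] != "ida-worm-probe":
            s["served"] += 1           # this is the case that needs investigation
    return {ip: {"probes": s["probes"], "served": s["served"],
                 "kinds": sorted(s["kinds"])} for ip, s in per_ip.items()}
```

Any address with `served` greater than zero is the one to look at; the thread's entries, which all end in 404 or 500, would report `served` of 0 for every source.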