Security Incidents mailing list archives
IIS4 Logs
From: dboyd () CA UKY EDU (Daniel K. Boyd)
Date: Wed, 24 May 2000 13:18:34 -0400
Reading the IIS4 logs of one of our boxes found these goodies. Is it possible that there is an innocent explanation for this? We have a few remote users that use this ISP (assuming the IP is legit) and I would hate to incorrectly submit a complaint due to my cluelessness. Also, there are no forms on this box or forms that POST to this box. I don't understand the "OPTIONS" entry in the last line. Looks very much like an attempt to exploit to me. Like something right out of what I would expect to see if I ran the Cerberus scanner. Remedies for the DVWSSR.DLL exploit and the shtml.exe have been applied to this box. Any feedback will be greatly appreciated.

209.250.45.86 - - [24/May/2000:11:50:53 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367
209.250.45.86 - - [24/May/2000:11:50:54 -0500] "GET /_vti_inf.html HTTP/1.1" 404 270
209.250.45.86 - - [24/May/2000:11:50:55 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367
209.250.45.86 - - [24/May/2000:11:50:56 -0500] "OPTIONS / HTTP/1.1" 200 190

---
Daniel K. Boyd
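
A triage sketch for the log lines in this post, added here as an example and not part of the original message: it parses the common-log-format entries, groups requests to FrontPage-extension (`_vti_`) paths and requests using methods other than GET/HEAD/POST by client address, and separates those the server answered with 2xx from those it refused. The function names and the choice of what to flag are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied verbatim from the post (NCSA common log format).
SAMPLE = """\
209.250.45.86 - - [24/May/2000:11:50:53 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367
209.250.45.86 - - [24/May/2000:11:50:54 -0500] "GET /_vti_inf.html HTTP/1.1" 404 270
209.250.45.86 - - [24/May/2000:11:50:55 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367
209.250.45.86 - - [24/May/2000:11:50:56 -0500] "OPTIONS / HTTP/1.1" 200 190
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        yield rec

def is_interesting(rec):
    # Flag FrontPage extension paths (_vti_*) and any method beyond GET/HEAD/POST.
    return "/_vti_" in rec["path"].lower() or rec["method"] not in ("GET", "HEAD", "POST")

def summarize(text):
    """Per client IP: flagged request count, time span, 2xx and 4xx/5xx outcomes."""
    by_ip = defaultdict(list)
    for rec in parse(text):
        if is_interesting(rec):
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        report[ip] = {
            "count": len(recs),
            "span_s": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
            "succeeded": [(r["method"], r["path"]) for r in recs if 200 <= r["status"] < 300],
            "refused": [(r["method"], r["path"], r["status"]) for r in recs if r["status"] >= 400],
        }
    return report
```

`summarize(SAMPLE)` returns one entry per client address; the `succeeded` list is the part to look at first, since it shows which flagged requests the server actually honoured.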