Security Basics mailing list archives
RE: Suspicious IIS Log entry
From: Joey Peloquin <jpelo1 () jcpenney com>
Date: Tue, 09 Sep 2003 16:48:31 -0500
That's the ancient Code Red v2 worm. Exploiting ISAPI extension for Index Server (ida). - jp -----Original Message----- From: Toby Schau [mailto:Toby.Schau () iacudiv state ia us] Sent: Tuesday, September 09, 2003 11:43 AM To: 'Security-Basics () Securityfocus com' Subject: Suspicious IIS Log entry I found the following suspicious entries in my IIS log files. Does anyone recognize the specific vulnerabilities that are attempted to be exploited? [ex030809.log (20)] : 2003-08-09 05:14:10 xxx.xx.xx.xx- xx.xx.xx.xx 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX %u90 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 90%u 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 - [ex030908.log (201)] : 2003-09-08 06:31:02 xx.xxxxx.xxx - xxx.xx.xxx.xx 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c%255c../winnt/system32/cmd.exe 404 - Thanks ------------------------------------------------------------------------ --- Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm ------------------------------------------------------------------------ ----
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If the reader of this message is not the intended recipient, you are hereby notified that your access is unauthorized, and any review, dissemination, distribution or copying of this message including any attachments is strictly prohibited. If you are not the intended recipient, please contact the sender and delete the material from any computer.
--------------------------------------------------------------------------- Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm ----------------------------------------------------------------------------
Current thread:
- Suspicious IIS Log entry Toby Schau (Sep 09)
- RE: Suspicious IIS Log entry Michael Moeller (Sep 09)
- Re: Suspicious IIS Log entry Tomasz Onyszko (Sep 09)
- Re: Suspicious IIS Log entry Flhex (Sep 09)
- RE: Suspicious IIS Log entry Paul Kurczaba (Sep 09)
- Re: Suspicious IIS Log entry Sean Earp (Sep 09)
- RE: Suspicious IIS Log entry Joey Peloquin (Sep 09)
- RE: Suspicious IIS Log entry Byron Copeland (Sep 10)
- Re: Suspicious IIS Log entry Tomas Wolf (Sep 10)