Security Basics mailing list archives

RE: Suspicious IIS Log entry


From: "Byron Copeland" <nodialtone () comcast net>
Date: Tue, 9 Sep 2003 22:56:03 -0400


This could also be an attempt to use the exploit "idahack.exe" as well.

- -b

-----Original Message-----
From: Joey Peloquin [mailto:jpelo1 () jcpenney com]
Sent: Tuesday, September 09, 2003 5:49 PM
To: 'Toby Schau'; 'Security-Basics () Securityfocus com'
Subject: RE: Suspicious IIS Log entry

That's the ancient Code Red v2 worm.  Exploiting ISAPI extension for
Index Server (ida).

 - jp

-----Original Message-----
From: Toby Schau [mailto:Toby.Schau () iacudiv state ia us]
Sent: Tuesday, September 09, 2003 11:43 AM
To: 'Security-Basics () Securityfocus com'
Subject: Suspicious IIS Log entry


I found the following suspicious entries in my IIS log files. Does
anyone recognize the specific vulnerabilities that are attempted to be
exploited?
[ex030809.log (20)] : 2003-08-09 05:14:10 xxx.xx.xx.xx- xx.xx.xx.xx 80
GET /default.ida
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90
90%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 -

[ex030908.log (201)] : 2003-09-08 06:31:02 xx.xxxxx.xxx - xxx.xx.xxx.xx
80 GET /<Rejected-By-UrlScan>
~/scripts/..%255c%255c../winnt/system32/cmd.exe
404 -
Thanks


---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------





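As an added defender's example (not code from anyone in this thread), a small Python scanner that flags the two patterns identified above, the Code Red v2 request for /default.ida and the double-encoded traversal that UrlScan rejected, in IIS W3C extended log lines; the sample lines, their field layout and the addresses are constructed, not the poster's real entries.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log lines modelled on the two entries in the
# thread (documentation-range addresses, payload shortened), one per line:
# date time c-ip s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2003-08-09 05:14:10 192.0.2.10 198.51.100.5 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090 404
2003-09-08 06:31:02 192.0.2.11 198.51.100.5 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c%255c../winnt/system32/cmd.exe 404
2003-09-08 06:32:15 192.0.2.12 198.51.100.5 80 GET /index.html - 200
"""

# Code Red v2: a request for the Index Server ISAPI filter (.ida) whose query is
# a long run of X's (the overflow padding) followed by %uXXXX escapes.
CODE_RED_QUERY = re.compile(r"^X{20,}.*(?:%u[0-9a-f]{4}){3,}", re.I)
# Double-encoded "..\" (%25 -> '%', then %5c -> '\') aimed at cmd.exe: the
# traversal UrlScan rejected in the second entry.
TRAVERSAL = re.compile(r"\.\.[\\/].*cmd\.exe", re.I)


def classify(stem, query):
    """Label one request from its cs-uri-stem and cs-uri-query, or None."""
    if stem.lower() == "/default.ida" and CODE_RED_QUERY.search(query):
        return "code-red-v2"
    # UrlScan moves the rejected URL into the query field; decode twice so
    # %255c collapses to a real backslash before matching.
    decoded = unquote(unquote(stem + " " + query))
    if TRAVERSAL.search(decoded):
        return "directory-traversal"
    return None


def scan_log(text):
    """Return (date, time, client_ip, label, status) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # W3C directive/comment lines
            continue
        parts = line.split()
        if len(parts) < 9:
            continue
        date, time_, c_ip, _s_ip, _port, _method, stem, query, status = parts[:9]
        label = classify(stem, query)
        if label:
            hits.append((date, time_, c_ip, label, status))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```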
