IIS exploit attempt?

From: Sven Brill (maddeat_private)
Date: Wed May 02 2001 - 11:12:30 PDT

    Hi,
    I tried asking a couple of people about this, but none of them had a clue
    what this could be, so one person referred me to this list.
    Going through my Apache logs at home (setup is a Linux kernel 2.2.17 and
    Apache, standard Mandrake 7.2 installation with security updates), I found
    some strange GET requests, pasted here. Does anyone have an idea what this
    person might have tried? Is it something new?
    
    Thanks
    
    Sven
    
    -------
    Excerpt from Apache access_log:
    
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:52:52 -0400] "GET
    /scripts/rgs/RgsInit.ASP?AW=202&LV=2047&AS=0&D2=%32_OACS%32%32%32%
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:53:19 -0400] "GET
    /scripts/rgs/RgsInit.ASP?AW=202&LV=2047&AS=0&D2=%32_OACS%32%32%32%
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:53:41 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=1
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:54:08 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=1
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:54:22 -0400] "GET
    /cycle?host=hs0195510&size=468x60&b=38151639&noscript=1 HTTP/1.0"
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:54:30 -0400] "GET
    /cycle?host=hs0195510&size=468x60&b=38151639&noscript=1 HTTP/1.0"
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:54:32 -0400] "GET
    /cycle?host=hs0195510&size=468x60&b=38151639&noscript=1 HTTP/1.0"
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:54:34 -0400] "GET
    /scripts/cms/CmsInit1493862.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=20
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:57:40 -0400] "GET
    /scripts/cms/CmsInit1508607.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=20
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:57:40 -0400] "GET
    /scripts/cms/CmsInit1508607.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=20
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:01:08 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=5
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:08:06 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=4
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:08:34 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=8
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:24:10 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=4
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:24:41 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=9
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:35:34 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=4
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:42:59 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=4
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:43:26 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=8
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:43:49 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=1
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:44:11 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=1
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:44:33 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=1
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:48:18 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=4
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:54:44 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=4
    



    This archive was generated by hypermail 2b30 : Wed May 02 2001 - 11:45:33 PDT