IIS exploit attempt?

From: Sven Brill (maddeat_private)
Date: Wed May 02 2001 - 11:25:13 PDT

    I am sorry, I made a big booboo copy/pasting the log entries, here is the
    email again, this time with the full log entries:
    
    Hi,
    I tried asking a couple of people about this, but none of them had a clue
    what this could be, so one person referred me to this list.
    Going through my Apache logs at home (setup is a Linux kernel 2.2.17 and
    Apache, standard Mandrake 7.2 installation with security updates), I found
    some strange GET requests, pasted here. Does anyone have an idea what this
    person might have tried? Is it something new?
    
    Thanks
    
    Sven
    
    -------
    excerpt from Apache access_log:
    
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:52:52 -0400] "GET
    /scripts/rgs/RgsInit.ASP?AW=202&LV=2047&AS=0&D2=%32_OACS%32%32%32%32@&CU=138
    8520 HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:53:19 -0400] "GET
    /scripts/rgs/RgsInit.ASP?AW=202&LV=2047&AS=0&D2=%32_OACS%32%32%32%32@&CU=142
    6616 HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:53:41 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=1453232
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:54:08 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=1480437
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:54:22 -0400] "GET
    /cycle?host=hs0195510&size=468x60&b=38151639&noscript=1 HTTP/1.0" 404 199
    "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:54:30 -0400] "GET
    /cycle?host=hs0195510&size=468x60&b=38151639&noscript=1 HTTP/1.0" 404 199
    "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:54:32 -0400] "GET
    /cycle?host=hs0195510&size=468x60&b=38151639&noscript=1 HTTP/1.0" 404 199
    "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:54:34 -0400] "GET
    /scripts/cms/CmsInit1493862.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=1506
    545 HTTP/1.0" 404 224 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:10:57:40 -0400] "GET
    /scripts/cms/CmsInit1508607.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=1690
    056 HTTP/1.0" 404 224 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:01:08 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=50415
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:08:06 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=42862
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:08:34 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=80313
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:24:10 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=43905
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:24:41 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=90833
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:35:34 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=47064
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:42:59 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=48218
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:43:26 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=85367
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:43:49 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=107670
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:44:11 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=129712
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:44:33 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=151878
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:48:18 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=48769
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
    proxy2.rockingham.k12.va.us - - [02/May/2001:11:54:44 -0400] "GET
    /scripts/cms/CmsInit.ASP?ID=1&D2=?_OACS????@??&AW=202&LV=2047&CU=43411
    HTTP/1.0" 404 217 "-" "Mozilla/4.01 [en] (WinNT; I)"
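
One way to triage entries like the ones above (an added example, not part of the original post): group 404 responses by client and collapse numeric runs in the path so variants such as CmsInit1493862.ASP and CmsInit1508607.ASP count as one shape. The host names and sample lines are constructed, and the extension list is an assumption about which paths count as IIS-style on an Apache server.

```python
import re
from collections import defaultdict

# Apache combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed list: extensions handled by IIS that a stock Apache install does not serve.
IIS_EXT = re.compile(r'\.(asp|asa|ida|idq|htr|printer)$', re.IGNORECASE)
DIGITS = re.compile(r'\d+')

def triage(lines):
    """Per client: count 404s for IIS-style paths and collect distinct path shapes."""
    report = defaultdict(lambda: {"iis_404": 0, "other_404": 0, "shapes": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparsable line, or a request that was actually served
        path = m["target"].split("?", 1)[0]  # drop the query string
        entry = report[m["host"]]
        if IIS_EXT.search(path):
            entry["iis_404"] += 1
            # Collapse digits so per-request numeric suffixes group together.
            entry["shapes"].add(DIGITS.sub("N", path))
        else:
            entry["other_404"] += 1
    return dict(report)

def _line(host, ts, target, status):
    # Builds one constructed log line in the same layout as the excerpt.
    return (f'{host} - - [02/May/2001:{ts} -0400] "GET {target} HTTP/1.0" '
            f'{status} 217 "-" "Mozilla/4.01 [en] (WinNT; I)"')

# Constructed sample modelled on the excerpt; hosts are placeholders.
SAMPLE = [
    _line("client.example.net", "10:52:52", "/scripts/rgs/RgsInit.ASP?AW=202&LV=2047", 404),
    _line("client.example.net", "10:53:41", "/scripts/cms/CmsInit.ASP?ID=1&AW=202", 404),
    _line("client.example.net", "10:54:22", "/cycle?host=hs0195510&size=468x60", 404),
    _line("client.example.net", "10:54:34", "/scripts/cms/CmsInit1493862.ASP?ID=1", 404),
    _line("client.example.net", "10:57:40", "/scripts/cms/CmsInit1508607.ASP?ID=1", 404),
    _line("other.example.org", "11:00:00", "/index.html", 200),
]

if __name__ == "__main__":
    for host, entry in triage(SAMPLE).items():
        print(host, entry["iis_404"], entry["other_404"], sorted(entry["shapes"]))
```

The script expects one log entry per line, so entries wrapped by a mail client, as in the excerpt, need to be rejoined first.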
    



    This archive was generated by hypermail 2b30 : Wed May 02 2001 - 11:46:41 PDT