
Weird IIS logs (c+dir?!?!?!)

Status
Not open for further replies.

ktigre

MIS
Mar 14, 2002
I'm getting a bunch of weird things showing up in my logs. They all start off different but always end in cmd.exe?/c+dir?/d+dir and have no referrer. The IP address that has generated most of them is 61.139.60.89. It doesn't resolve on DNS so I can't get any kind of a name for it. A couple of the other offenders are: 207.88.219.2 and 218.21.77.29. There are more, but those are the ones generating the most hits...

If anyone has any insight to this please let me know. :)

Thanks,
Chris
 
Chris,

Most likely these are machines infected with the nimda virus scanning for other IIS servers to infect. As long as your machine has the appropriate patches there is nothing to worry about.
 
However, we use Webtrends to generate reports based upon the IIS logs, and it is critical that these logs be accurate as to who accesses our sites. Other than simply cutting off the IP addresses that are broadcasting at our firewall, is there any way to stop them from occurring?
 
I believe you should be able to set up your firewall to filter this out. What type of firewall are you running?
 
I recommend putting the NIMDA block on your routers. Why have all that traffic hitting your servers? It will really not put much strain on your routers. I run it here and it works great. It used to be 10-20% of our traffic to our site. Also if a new worm comes out it would be very simple to add a rule to block it.
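
For the reporting concern raised in the thread, the probe requests can be separated from real traffic before the log is handed to an analyzer. The following is an added example, not code from any poster: it assumes IIS W3C extended logging with the c-ip, cs-uri-stem and cs-uri-query fields enabled, and the sample log lines and IP addresses are constructed.

```python
import io
from collections import Counter

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-14 10:01:02 192.0.2.10 GET /default.asp - 200
2002-03-14 10:01:05 198.51.100.7 GET /scripts/cmd.exe /c+dir 404
2002-03-14 10:01:06 198.51.100.7 GET /c/winnt/system32/CMD.EXE /c+dir 404
2002-03-14 10:01:09 203.0.113.4 GET /d/winnt/system32/cmd.exe /c+dir 500
2002-03-14 10:02:00 192.0.2.10 GET /products/list.asp id=4 200
"""

def is_probe(stem, query):
    """Match the pattern from the post: URI ends in cmd.exe, query runs 'dir'."""
    return stem.lower().endswith("cmd.exe") and query.lower().startswith("/c+dir")

def split_log(stream):
    """Return (clean_lines, probe_hits_by_ip). Directives stay in clean_lines."""
    fields, clean, hits = [], [], Counter()
    for raw in stream:
        line = raw.rstrip("\r\n")
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]  # column layout can change mid-file
            clean.append(line)
            continue
        if not line.strip():
            continue
        row = dict(zip(fields, line.split(" ")))
        if is_probe(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "")):
            hits[row.get("c-ip", "?")] += 1  # tally per source for blocking
        else:
            clean.append(line)  # real traffic, safe to feed to the reporter
    return clean, hits

if __name__ == "__main__":
    clean, hits = split_log(io.StringIO(SAMPLE_LOG))
    for ip, count in hits.most_common():
        print(f"{ip}\t{count} probe request(s)")
    print("\n".join(clean))
```

The per-address tally is the list to review for a firewall or router block, and the cleaned lines are what the reporting tool should read.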
 