
Thread: Hack Attempt ? on IIS ? Log Files ?

  1. #1
    Junior Member
    Join Date
    Oct 2001
    Posts
    15

    Hack Attempt? on IIS? Log Files?

    Hi people,
    I would like to hear some opinions here please ...

    I'm starting to find more and more of the following lines in one of my server log files:

    01:11:14 196.31.110.211 GET /scripts/root.exe 404
    01:11:15 196.31.110.211 GET /MSADC/root.exe 404
    01:11:17 196.31.110.211 GET /c/winnt/system32/cmd.exe 404
    01:11:18 196.31.110.211 GET /d/winnt/system32/cmd.exe 404
    01:11:20 196.31.110.211 GET /scripts/..%5c../winnt/system32/cmd.exe 404
    01:11:21 196.31.110.211 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
    01:11:23 196.31.110.211 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
    01:11:24 196.31.110.211 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
    01:11:25 196.31.110.211 GET /scripts/..Á../winnt/system32/cmd.exe 404
    01:11:27 196.31.110.211 GET /scripts/winnt/system32/cmd.exe 404
    01:11:28 196.31.110.211 GET /scripts/../../winnt/system32/cmd.exe 404
    01:11:30 196.31.110.211 GET /scripts/..\../winnt/system32/cmd.exe 404
    01:11:31 196.31.110.211 GET /scripts/..S5c../winnt/system32/cmd.exe 404
    01:11:32 196.31.110.211 GET /scripts/..S5c../winnt/system32/cmd.exe 404
    01:11:34 196.31.110.211 GET /scripts/..%5c../winnt/system32/cmd.exe 404
    01:11:35 196.31.110.211 GET /scripts/..%2f../winnt/system32/cmd.exe 404

    If I'm not wrong ... which I think is the case, this is merely a hack attempt.
    NOW - question here .... the resulting code 404 is a denial result on the IIS server, right?
    A resulting 200 code will be an accepted query, please tell me if I'm not wrong.

    Also, is anybody familiar with the type of hack these people are trying to use on my server? Just by reading the lines I can say they are trying to execute the DOS prompt of my server.
    Is this an old hack? How new is it?
    Could it really be a real live threat on my system? Or does it basically look like "script-kiddie" work?
    I would like to hear your ideas ... suggestions ...

    Thanks

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    It's Code Red or Nimda. Have you patched your IIS for those? If so, you have nothing to fear.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Junior Member
    Join Date
    Oct 2001
    Posts
    15

    Thanks

    Well yes I have ...
    so I guess I'm ok ...

  4. #4
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Sounds like it. You might consider trying to notify the people who you believe to be infected but that's your option. Just for your benefit. Or you might want to set up a tarpit to reduce the amount of bandwidth those things use.

  5. #5
    Senior Member
    Join Date
    Feb 2002
    Posts
    132
    They could actually be looking for holes. I'll be the first to say that IIS is a security risk waiting to happen; it seems they find a new hole every day.

    Either way, I encourage you to check out this site
    George's security exploits
    He shows a lot of IIS exploits. It would be good to keep an eye on his site; you'll notice some things you need to patch very quickly.

    yes, 404 means they got nowhere...and 200 sounds familiar but I can't quite put my name by it yet, I'm a little rusty.

    If you have holes, then you do have a lot to worry about. IIS seems to have a lot of holes that allow someone to execute commands on your system; if they do succeed at running cmd.exe, they have access to just about everything.

    hope I was of some help
    SlackWare my first, Debian my second....building my box into the ultimate weapon

  6. #6
    Senior Member
    Join Date
    Feb 2002
    Posts
    132
    Another thing, careful with Microsoft patches .... as you'll notice in one of his exploits, one exploit he found was actually caused by an M$ patch ... and he strongly urged to get rid of it.

  7. #7
    HTTP 200 means they got through

  8. #8
    Junior Member
    Join Date
    Sep 2001
    Posts
    1
    Hey man, look at this site: http://www.incidents.org/react/nimda.pdf
    It's a good site that tells you everything about that worm.
    --- >>> XNeCK <<< ---

  9. #9
    I think it is a Unicode exploit script being used; just patch your system with all patches and don't worry...


    www.xatrix.org

  10. #10
    Senior Member
    Join Date
    Oct 2001
    Posts
    638
    From looking at these log entries I would say that this is a manual hack attempt. Here's why:

    01:11:14 196.31.110.211 GET /scripts/root.exe 404
    01:11:15 196.31.110.211 GET /MSADC/root.exe 404
    01:11:17 196.31.110.211 GET /c/winnt/system32/cmd.exe 404

    ......

    01:11:34 196.31.110.211 GET /scripts/..%5c../winnt/system32/cmd.exe 404
    01:11:35 196.31.110.211 GET /scripts/..%2f../winnt/system32/cmd.exe 404
    There is a 20 second period over which these URLs are being tried. If a script/worm was doing this, it would be much faster. It would be more like 1 second. It looks as though someone at 196.31.110.211 is physically trying to run these executables on your server from their box.

    Now obviously, the person behind this is probably a novice because of the nature of the hack. It looks like you're fairly safe from this person because all the attempts resulted in an HTTP 404 error. This means they were unsuccessful. As long as your directory permissions are correct you have nothing to worry about.

    I'd consider following up this IP address and having a friendly chat with this person's ISP. They're probably too stupid to do any real damage, but you don't want them nosing around your system.
    OpenBSD - The proactively secure operating system.
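The two questions the thread keeps circling (does a 404 on these URIs mean the probe failed, and does the request pacing point to a worm or a person?) can be answered directly from the log. The following is an added example, not code from any poster: it parses the IIS log format quoted above, flags the root.exe, cmd.exe and encoded-traversal probes, and reports per-client probe count, how many were actually served (status 200), and the spacing between requests. The sample input is a constructed subset of the thread's lines plus one benign request.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the log lines quoted in the thread plus one
# unrelated benign request (fields: time client-ip method uri status).
SAMPLE_LOG = """\
01:11:14 196.31.110.211 GET /scripts/root.exe 404
01:11:15 196.31.110.211 GET /MSADC/root.exe 404
01:11:17 196.31.110.211 GET /c/winnt/system32/cmd.exe 404
01:11:20 196.31.110.211 GET /scripts/..%5c../winnt/system32/cmd.exe 404
01:11:30 196.31.110.211 GET /scripts/..\\../winnt/system32/cmd.exe 404
01:11:35 196.31.110.211 GET /scripts/..%2f../winnt/system32/cmd.exe 404
01:12:00 10.0.0.5 GET /index.html 200
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+) (\S+) (\d{3})$")

# Indicators seen in the thread: the root.exe backdoor left by Code Red II /
# Nimda, direct cmd.exe requests, and ".." traversal with raw or encoded slashes.
PROBE_RE = re.compile(r"root\.exe|cmd\.exe|\.\.(%5c|%2f|\\|/)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one IIS log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t, ip, method, uri, status = m.groups()
    return {"time": datetime.strptime(t, "%H:%M:%S"), "ip": ip,
            "method": method, "uri": uri, "status": int(status)}


def analyze(log_text):
    """Group probe requests per client: count, served (200) count and pacing."""
    per_ip = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and PROBE_RE.search(rec["uri"]):
            per_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        span = (recs[-1]["time"] - recs[0]["time"]).total_seconds()
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[ip] = {
            "probes": len(recs),
            # A 200 here means IIS served the requested executable: investigate.
            "served": sum(1 for r in recs if r["status"] == 200),
            "span_seconds": span,
            "avg_gap_seconds": sum(gaps) / len(gaps) if gaps else 0.0,
        }
    return report
```

A multi-second average gap with zero served requests matches the "slow, unsuccessful" picture in post #10; any non-zero `served` count is the case that warrants an immediate look at the host.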
