Server logs and security

  vinnyo123 00:30 13 Jun 2004
Locked

strange IIS logs
Why would I be getting these logs from this site and other IPs, for example IP# click here

log::
200.137.133.128 - - [11/Jun/2004:23:19:28 -0800] "GET /<Rejected-By-UrlScan>?~/scripts/..%255c%255c../winnt/system32/cmd.exe HTTP/1.0" 404 4184

Do a Google search and it comes up no good activity going on!!!
Had a few more similar. Should I worry or just filter the IPs as they come?

thanks in advance

  wawadave 04:38 13 Jun 2004

You might want to get samspade and run the IPs through it and see what it says. Might do some looking for root kits in the server.

  vinnyo123 05:30 13 Jun 2004

Looking into root kits and been running whois. Some interesting stuff. A lot of info out there about these logs (hacker 101). I would post another log just in case there are any other thoughts on these from other members.

24.214.198.120 - - [12/Jun/2004:02:30:22 -0800] "GET /<Rejected-By-UrlScan>?~/scripts/root.exe HTTP/1.0" 404 4184
24.214.198.120 - - [12/Jun/2004:02:30:22 -0800] "GET /<Rejected-By-UrlScan>?~/MSADC/root.exe HTTP/1.0" 404 4184
24.214.198.120 - - [12/Jun/2004:02:30:22 -0800] "GET /<Rejected-By-UrlScan>?~/c/winnt/system32/cmd.exe HTTP/1.0" 404 4184
24.214.198.120 - - [12/Jun/2004:02:30:22 -0800] "GET /<Rejected-By-UrlScan>?~/d/winnt/system32/cmd.exe HTTP/1.0" 404 4184
24.214.198.120 - - [12/Jun/2004:02:30:22 -0800] "GET /<Rejected-By-UrlScan>?~/scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 4184
24.214.198.120 - - [12/Jun/2004:02:30:23 -0800] "GET /<Rejected-By-UrlScan>?~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 4184
24.214.198.120 - - [12/Jun/2004:02:30:23 -0800] "GET /<Rejected-By-UrlScan>?~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 4184
24.214.198.120 - - [12/Jun/2004:02:30:23 -0800] "GET /<Rejected-By-UrlScan>?~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe HTTP/1.0" 404 4184
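Added example, not part of the original thread: Python triage for log entries like those posted above. It strips the UrlScan rejection prefix, percent-decodes until the value is stable to expose double encoding such as `%255c`, and groups the findings by client IP. The function names and flag labels are assumptions made for this example, and the last sample line is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# First three lines are copied from the thread; the last is a constructed benign hit.
SAMPLE_LOG = r'''
24.214.198.120 - - [12/Jun/2004:02:30:22 -0800] "GET /<Rejected-By-UrlScan>?~/scripts/root.exe HTTP/1.0" 404 4184
24.214.198.120 - - [12/Jun/2004:02:30:22 -0800] "GET /<Rejected-By-UrlScan>?~/scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 4184
24.214.198.120 - - [12/Jun/2004:02:30:23 -0800] "GET /<Rejected-By-UrlScan>?~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe HTTP/1.0" 404 4184
192.0.2.10 - - [12/Jun/2004:02:31:00 -0800] "GET /index.html HTTP/1.0" 200 512
'''.strip().splitlines()

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*) HTTP/[\d.]+" (\d{3}) \S+$')
URLSCAN_PREFIX = "/<Rejected-By-UrlScan>?~"  # prefix seen in the thread's log lines

def decode_fully(url, max_rounds=5):
    """Percent-decode as bytes until stable; return (decoded, rounds_needed)."""
    cur, rounds = url.encode("latin-1"), 0
    while rounds < max_rounds and (nxt := unquote_to_bytes(cur)) != cur:
        cur, rounds = nxt, rounds + 1
    return cur, rounds

def classify(line):
    """Return (ip, status, flags) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, url, status = m.group(1), m.group(2), int(m.group(3))
    rejected = url.startswith(URLSCAN_PREFIX)
    raw, rounds = decode_fully(url[len(URLSCAN_PREFIX):] if rejected else url)
    path = raw.replace(b"\\", b"/").lower()  # treat both separators alike
    checks = {
        "urlscan_rejected": rejected,
        "double_encoded": rounds >= 2,  # e.g. %255c -> %5c -> backslash
        "traversal": b"../" in path,
        "invalid_utf8": b"\xc0" in raw or b"\xc1" in raw,  # never valid in UTF-8
        "shell_probe": path.endswith((b"/cmd.exe", b"/root.exe")),
    }
    return ip, status, {name for name, hit in checks.items() if hit}

def triage(lines):
    """Collect flags and response codes per client IP, skipping clean requests."""
    report = defaultdict(set)
    for ip, status, flags in filter(None, map(classify, lines)):
        if flags:
            report[ip] |= flags | {f"status_{status}"}
    return dict(report)
```

Every flagged request in the thread's entries carries status 404; a flagged request with any other status is the one to investigate first.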

  Gaz 25 05:39 13 Jun 2004

Umm, looks worrying.

I saw CMD.EXE come up a few times unexpectedly when running the webserver, sounds like people could be after us all.

  GANDALF <|:-)> 10:39 13 Jun 2004

'I saw CMD.EXE come up a few times unexpectedly when running the webserver, sounds like people could be after us all'....what on earth are you on about Gaz??????

click here


G

  Forum Editor 10:49 13 Jun 2004

once you start looking at logs. I am routinely asked to "come and help us with a problem Trojan, we can't get rid of it" and arrive to find that everyone's terrified of ISASS.EXE, which keeps cropping up in the process logs........it's a perfectly harmless server process concerned with login validations.

As GANDALF <|:-)> has pointed out, CMD.EXE is a 32bit command prompt, and is also completely harmless.

If you're going to start examining logs in detail it's a good idea to spend some time getting up to speed with all the things you're likely to find - that way lies peace of mind.

  vinnyo123 14:32 13 Jun 2004

MSADC/root.exe

scripts/root.exe

Mister FE, as for your quote "If you're going to start examining logs in detail it's a good idea to spend some time getting up to speed with all the things you're likely to find - that way lies peace of mind": why do you think I made the post in the first place..

Learning!

  GANDALF <|:-)> 16:52 13 Jun 2004

The post was referring to Gaz 25's assumptions......

G

This thread is now locked and can not be replied to.
