hack attempt


GitzJoey

I'm using Win2k Advanced Server with IIS (Windows Update to the latest patches).
I got this in my log files directory (IP addresses changed to x):

2004-09-19 08:38:55 xx.xxx.xx.6x - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2004-09-19 08:38:57 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2004-09-19 08:39:04 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /scripts/..Á%pc../winnt/system32/cmd.exe /c+dir 500 -
2004-09-19 08:39:09 xx.xxx.xx.6x - xxx.xxx.xxx.xxx 80 GET /scripts/..À%9v../winnt/system32/cmd.exe /c+dir 500 -
2004-09-19 08:39:14 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /scripts/..À%qf../winnt/system32/cmd.exe /c+dir 500 -
2004-09-19 08:39:16 xx.xxx.xx.6x - xxx.xxx.xxx.xxx 80 GET /scripts/..Á%8s../winnt/system32/cmd.exe /c+dir 500 -
2004-09-19 08:39:17 xx.xxx.xx.6x - xxx.xxx.xxx.xxx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2004-09-19 08:39:22 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2004-09-19 08:39:43 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
2004-09-19 08:39:49 xx.xxx.xx.6x - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2004-09-19 08:39:51 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /scripts/..ð??¯../winnt/system32/cmd.exe /c+dir 404 -
2004-09-19 08:39:53 xx.xxx.xx.6x - xxx.xxx.xxx.xxx 80 GET /scripts/..ø???¯../winnt/system32/cmd.exe /c+dir 404 -
2004-09-19 08:39:55 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /scripts/..ü????¯../winnt/system32/cmd.exe /c+dir 404 -
2004-09-19 08:40:11 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -

Yes, I know this is the IIS directory traversal exploit...
My question....
Did the hacker get my drive C listing?
As far as I know, 404 and 500 are HTTP responses for file not found and
internal error; are the 404 and 500 in the log HTTP responses?
Is it right that my box has already been compromised by the hacker? But I don't
see any changes in my web server.

Last, I want to know exactly where the hackers came from through the IPs, but
when I whois or tracert them I get nothing.
All I need is the exact location, like the country or what proxy server
he/she used. Can anyone here give me direction on this problem?

Thanks in advance & sorry for my bad English....
 

Miha Pihler

Hi,

Errors 500 and 404 indicate that they didn't get any information off of your
web server. This is quite an old exploit and should have been patched about 4
years ago :) if you keep up with your patches.

You might also want to install IISLockDown and URLScan. Test this before you
actually deploy it in production, to see if IISLockDown will cause any
problems with any of your web applications.

IIS Lockdown Tool 2.1


Mike

 

Jeff Cochran

> I'm using Win2k Advanced Server with IIS (Windows Update to the latest patches).
> I got this in my log files directory (IP addresses changed to x):
>
> 2004-09-19 08:38:55 xx.xxx.xx.6x - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
> 2004-09-19 08:38:57 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
> 2004-09-19 08:39:04 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /scripts/..Á%pc../winnt/system32/cmd.exe /c+dir 500 -
> 2004-09-19 08:39:09 xx.xxx.xx.6x - xxx.xxx.xxx.xxx 80 GET /scripts/..À%9v../winnt/system32/cmd.exe /c+dir 500 -
> 2004-09-19 08:39:14 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /scripts/..À%qf../winnt/system32/cmd.exe /c+dir 500 -
> 2004-09-19 08:39:16 xx.xxx.xx.6x - xxx.xxx.xxx.xxx 80 GET /scripts/..Á%8s../winnt/system32/cmd.exe /c+dir 500 -
> 2004-09-19 08:39:17 xx.xxx.xx.6x - xxx.xxx.xxx.xxx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
> 2004-09-19 08:39:22 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
> 2004-09-19 08:39:43 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
> 2004-09-19 08:39:49 xx.xxx.xx.6x - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
> 2004-09-19 08:39:51 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /scripts/..ð??¯../winnt/system32/cmd.exe /c+dir 404 -
> 2004-09-19 08:39:53 xx.xxx.xx.6x - xxx.xxx.xxx.xxx 80 GET /scripts/..ø???¯../winnt/system32/cmd.exe /c+dir 404 -
> 2004-09-19 08:39:55 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /scripts/..ü????¯../winnt/system32/cmd.exe /c+dir 404 -
> 2004-09-19 08:40:11 xx.xxx.xx.8x - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
>
> Yes, I know this is the IIS directory traversal exploit...
> My question....
> Did the hacker get my drive C listing?

Not according to this. 404 and 500 errors don't return the requested
files.

> As far as I know, 404 and 500 are HTTP responses for file not found and
> internal error; are the 404 and 500 in the log HTTP responses?

Yep.

> Is it right that my box has already been compromised by the hacker?

Can't tell. But from this log snippet you didn't get compromised.

> But I don't see any changes in my web server.
>
> Last, I want to know exactly where the hackers came from through the IPs,
> but when I whois or tracert them I get nothing.

You didn't post the IPs so we can't help either. Look them up at
iana.org, or use a product like Sam Spade.

> All I need is the exact location, like the country or what proxy server
> he/she used. Can anyone here give me direction on this problem?

You can get who the IP is assigned to, but it won't get you anything
useful.

> Thanks in advance & sorry for my bad English....

It's better than many locals here... :)

Jeff
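A small log-triage script that applies the point Jeff and Miha make: a 404 or 500 on one of these cmd.exe/traversal requests means nothing was served, and only a 200 on such a request would mean the file was actually reached. This is an added example, not code from anyone in the thread; its sample log lines are constructed in the poster's W3C field layout, with documentation-range IPs and a hypothetical 200 entry so the "served" case is visible.

```python
from urllib.parse import unquote

# Constructed sample in the poster's W3C field order (IPs are documentation-
# range placeholders; the 200 entry is hypothetical, to show a served probe):
# date time c-ip - s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status -
SAMPLE_LOG = """\
2004-09-19 08:38:55 203.0.113.61 - 192.0.2.10 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2004-09-19 08:39:17 203.0.113.61 - 192.0.2.10 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2004-09-19 08:39:43 203.0.113.81 - 192.0.2.10 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
2004-09-19 08:41:02 203.0.113.81 - 192.0.2.10 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 200 -
2004-09-19 08:42:10 198.51.100.7 - 192.0.2.10 80 GET /default.htm - 200 -
"""

def normalize_stem(stem: str) -> str:
    """Percent-decode twice (the probes rely on IIS decoding after its path
    check), unify backslashes and lowercase, so matching sees the real path."""
    return unquote(unquote(stem)).replace("\\", "/").lower()

def classify(line: str):
    """Triage record for a traversal/cmd.exe probe line, None for other traffic."""
    parts = line.split()
    if len(parts) < 10:
        return None
    date, time_, c_ip, _, _s_ip, _port, _method, stem, _query, status = parts[:10]
    norm = normalize_stem(stem)
    traversal = "/.." in norm          # a '..' segment survived decoding
    shell = "cmd.exe" in norm          # request aimed at the command shell
    if not (traversal or shell):
        return None
    code = int(status)
    if code == 200:
        verdict = "SUCCEEDED"          # the file was served: review the host
    elif code in (403, 404, 500):
        verdict = "failed"             # nothing returned, as the replies say
    else:
        verdict = "review"
    return {"time": f"{date} {time_}", "client": c_ip, "stem": stem,
            "traversal": traversal, "status": code, "verdict": verdict}

def triage(log_text: str):
    """All probe records from a W3C log, in file order."""
    return [rec for rec in map(classify, log_text.splitlines()) if rec]

def hosts_needing_review(records):
    """Client IPs whose probe was actually served, sorted and deduplicated."""
    return sorted({r["client"] for r in records if r["verdict"] == "SUCCEEDED"})

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["time"], rec["client"], rec["status"], rec["verdict"])
```

Point it at a real log by passing the file contents to `triage()`; a non-empty `hosts_needing_review()` result is the signal that the server itself, not just the log, needs examining.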
 
