maybe off topic, unless bymer is in here eh

ctll

any thoughts on what i could do about it?

on a side note, i love this guy http://grc.com/

this is somebody trying to get at my cmd. (?) (i'm correct?)

this is the IP.


#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-12 23:56:42
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-06-12 23:56:42 61.134.126.138 - 64.xx.xx.xx 80 GET /winnt/system32/cmd.exe /c+dir 404 -


all these, i dunno:


this one, now, could just be a mistake... btw y is a diff IP on same computer
[below here explained. or could it be a hackerwebbot?(paranoia? my computer was raped!!!)] [webcrawler@www.xxxxxxxxx.com]

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-18 06:58:16
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-06-18 06:58:16 64.55.148.54 - 64.yy.yy.yy 80 GET /robots.txt - 404 Mozilla/2.0+(compatible;+Ask+Jeeves)


this beats me, about the java1.3.0

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-16 03:51:55
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-06-16 03:51:55 207.253.45.199 - 64.yy.yy.yy 80 GET /iisstart.asp - 200 Java1.3.0
2001-06-16 03:51:55 207.253.45.199 - 64.yy.yy.yy 80 GET /iisstart.asp - 200 Java1.3.0
2001-06-16 03:52:55 207.253.45.199 - 64.yy.yy.yy 80 GET /iisstart.asp - 200 Java1.3.0


what's this? our survey says! (never heard of em, SEEMS innocent...)

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-18 22:50:20
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-06-18 22:50:20 195.92.95.61 - 64.xx.xx.xx 80 HEAD /Default.htm - 200 Mozilla/4.0+(compatible;+Netcraft+Web+Server+Survey)



[i just read an ms technet article about isapi security issue i think?]

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-21 04:58:06
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-06-21 04:58:06 12.31.208.217 - 64.xx.xx.xx 80 GET /Default.asp Out-of-process+ISAPI+extension+request+failed. 500 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)


 

JHutch

Looks like someone turned on logging on his web server and is getting paranoid now! ;)

1) I don't see how accessing your CMD.exe file would help a hacker. The file would just be running on his end, not yours... Besides, he didn't get access to it anyway.

2) Ask Jeeves. It is a search engine site checking for robots.txt file, which is a file that can tell search engines not to catalog this page. It is a completely harmless entry.

3) Someone is looking to see if you have the default IIS page up in your server. Probably because they figure if you still have the default page up, you'll have lax security and be a prime break-in target.

4) I think NetCraft is one of those companies that puts out figures every so often on how many web servers are running which OS and server software... Harmless.

5) Honestly don't know what's going on with the last one. It is asking for the default web page, but the server is erroring out of the request. Maybe someone else can say what is happening here...
 

RaySun2Be

And this just in for those of you running IIS:

*SERIOUS NEW MICROSOFT FLAW AFFECTS MILLIONS, PATCH AVAILABLE
By Shawna McAlearney
eEye Digital Security is being simultaneously praised and criticized for
its handling of a serious IIS vulnerability that permits full remote
systems access--potentially affecting millions of systems.

Marc Maiffret, eEye's chief hacking officer, says the vulnerability likely
affects 3 million Web servers running the (Internet Data Administration)
.ida extension, possibly making it the single largest IIS vulnerability to
date.

Affecting all IIS versions running on default installations of Windows NT
4.0, 2000 and XP, the flaw allows a Web server to interact with the
Microsoft Indexing Service function. The problem is that the .ida
(Indexing Service) ISAPI filter doesn't perform proper "bounds checking"
on the user-inputted buffers and, therefore, is susceptible to
buffer-overflow attacks, eEye says.

The workaround is to remove script mappings, which are often unnecessary
for most Web sites. eEye and Microsoft are urging sysadmins whose sites
use the Index Service to install the patch immediately. According to
Microsoft, Windows XP will be patched before its commercial release in
October.

Microsoft commended eEye for bringing the vulnerability to its attention
and working with its programmers to create a patch. However, security
experts charge eEye with publicizing the exploit program it created to
demonstrate the vulnerability. In only a matter of minutes, the tool could
produce a remote command prompt, allowing an attacker to easily connect
and execute system-level access. Security experts say knowledge of the
tool's existence will encourage attackers to create additional exploits.

"Unfortunately, eEye had to brag about the fact they created a sample
exploit that did this," says Russ Cooper, editor of security list serve
NTBugtraq. "As a result, I expect to see several other versions that do
the same thing tomorrow. Ergo, there will be lots of people with exploit
tools in their hands."

Though the company shared the tool with Microsoft, eEye decided not to
place the program in general circulation because of its potential for
abuse.

"People can say that (knowledge of the tool) makes it easier to exploit
the vulnerability," Maiffret says. "But it's another thing to pull it off."

Critics indicate that eEye's motives in publicizing the exploit are less
than pure, since the company is also shamelessly promoting its product
that blocks the vulnerability. However, the "gray hat" consultancy
contends that is just a facet of running a business.

"We don't claim to be the security Red Cross," Maiffret says. "Of course
we have business motivations."
Technet
Windows NT 4.0
Windows 2000 professional, Server, Advanced Server

Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server are hardware-specific and
available from the OEM.

Security Wire Digest is an e-mail newsletter brought to you on Mondays and
Thursdays by Information Security magazine.
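
Added example (not part of the thread or the newsletter): a small parser for the IIS W3C extended log format shown in the first post, with triage rules for the entries discussed there and for the .ida requests the newsletter describes. The function names, the category labels and the last log line (a `.ida` request from documentation address 192.0.2.10) are constructed for illustration.

```python
# Log rows copied from the first post; the final .ida row is constructed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-06-12 23:56:42 61.134.126.138 - 64.xx.xx.xx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-06-18 06:58:16 64.55.148.54 - 64.yy.yy.yy 80 GET /robots.txt - 404 Mozilla/2.0+(compatible;+Ask+Jeeves)
2001-06-16 03:51:55 207.253.45.199 - 64.yy.yy.yy 80 GET /iisstart.asp - 200 Java1.3.0
2001-06-18 22:50:20 195.92.95.61 - 64.xx.xx.xx 80 HEAD /Default.htm - 200 Mozilla/4.0+(compatible;+Netcraft+Web+Server+Survey)
2001-06-21 04:58:06 12.31.208.217 - 64.xx.xx.xx 80 GET /Default.asp Out-of-process+ISAPI+extension+request+failed. 500 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
2001-06-22 10:00:00 192.0.2.10 - 64.xx.xx.xx 80 GET /default.ida - 404 -
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # the header can repeat within one file
        elif line and not line.startswith("#") and fields:
            values = line.split()           # IIS writes spaces inside values as '+'
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def classify(rec):
    """Label one request; the User-Agent is client-supplied, so treat it as a hint."""
    stem = rec["cs-uri-stem"].lower()
    agent = rec["cs(User-Agent)"].replace("+", " ")
    status = int(rec["sc-status"])
    answered = status < 400                 # server answered instead of refusing
    if stem.endswith("/cmd.exe"):
        return "shell-probe-answered" if answered else "shell-probe-rejected"
    if stem.endswith(".ida"):
        return "ida-request-answered" if answered else "ida-request-rejected"
    if stem == "/robots.txt" or "Netcraft" in agent:
        return "crawler-or-survey"
    if status >= 500:
        return "server-error"
    if stem == "/iisstart.asp":
        return "default-page-check"
    return "normal"

def triage(text):
    """Return (client IP, requested path, label) for every parsed request."""
    return [(r["c-ip"], r["cs-uri-stem"], classify(r)) for r in parse_w3c(text)]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
```

Any row labelled `-answered` is the one to investigate first, since the server returned something other than an error for a path it should not be serving.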
 

Wiz

I received a notice of the vulnerability.

This only affects 20% of all internet servers, I wouldn't worry - besides there are plenty of good secure web server software products IIS users could BUY and switch to. MS Hackers Assistant (IIS) and MS Virus Assistant (Outlook Express) are great free programs. ;)