Web Hosting Talk

Is this a hacker?


neal007
02-04-2002, 07:45 AM
I see this on my stats, does anyone recognize this activity?

Date and Time URL
2002-02-03 16:43:20 - user created
2002-02-03 16:43:20 /scripts/root.exe?/c+dir
2002-02-03 16:43:20 /msadc/root.exe?/c+dir
2002-02-03 16:43:20 /c/winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:20 /d/winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:20 /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:20 /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:21 /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:21 /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:21 /scripts/..Á../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:21 /scripts/winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:21 /winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:21 /winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:22 /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:22 /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:22 /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:22 /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
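The request list above, as an added example that is not part of the original post: a small Python checker that turns a stats listing like the one posted into a verdict per line. It canonicalises each URL the way an unpatched IIS 4/5 would have (the MS00-078 Unicode-traversal and MS01-026 "superfluous decoding" behaviours, where `%c1%1c`, `%c0%af` and double-encoded `%255c` all collapse to a path separator), then flags any request that climbs above the web root or names `cmd.exe`/`root.exe`. The sample log lines, the `SUSPECT_TARGETS` list and all function names are constructed for this example; the lenient decoder is a model of the documented IIS flaws, not IIS's own code. This is the probe sequence CERT Advisory CA-2001-26 documents for the Nimda worm, and the `root.exe` lines in it look for the backdoor Code Red II leaves behind.

```python
"""Flag IIS traversal / command-execution probes in a stats-style URL list.

Added example, not from the original thread. The decoder models the lenient
behaviour of unpatched IIS 4/5 (MS00-078 Unicode traversal, MS01-026
superfluous decoding): percent-decode, treat 0xC0/0xC1 lead bytes as a
two-byte sequence that yields '/' or '\\', and repeat so %255c -> %5c -> '\\'.
"""
from __future__ import annotations

from urllib.parse import unquote_to_bytes

# Executables a web client has no business asking for (assumption for this example).
SUSPECT_TARGETS = ("cmd.exe", "root.exe")

# Constructed sample, in the "date time url" layout of the posted stats listing.
SAMPLE_LOG = """\
2002-02-03 16:43:20 - user created
2002-02-03 16:43:20 /scripts/root.exe?/c+dir
2002-02-03 16:43:20 /msadc/root.exe?/c+dir
2002-02-03 16:43:20 /c/winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:20 /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:21 /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:21 /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:21 /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:43:22 /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
2002-02-03 16:50:00 /index.html
2002-02-03 16:50:01 /images/logo.gif
"""


def fold_overlong(data: bytes) -> bytes:
    """Collapse 0xC0/0xC1-led pairs the way the flawed decoder did.

    ((lead & 0x1F) << 6) | (trail & 0x3F) maps C0 AF and C0 2F to '/' (0x2F)
    and C1 1C / C1 9C to '\\' (0x5C); a strict UTF-8 decoder would reject them.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def canonicalize(url: str, rounds: int = 3) -> str:
    """Strip the query, decode repeatedly (bounded), and normalise '\\' to '/'."""
    raw = url.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = fold_overlong(unquote_to_bytes(raw))
        if decoded == raw:
            break
        raw = decoded
    return raw.decode("latin-1").replace("\\", "/")


def escapes_webroot(canonical: str) -> bool:
    """True when a '..' segment would step above the web root."""
    depth = 0
    for seg in canonical.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def classify(url: str) -> list[str]:
    """Return the reasons a URL looks like a probe; empty list means benign."""
    path = url.split("?", 1)[0]
    canonical = canonicalize(url)
    reasons = []
    if escapes_webroot(canonical):
        reasons.append("traversal above web root")
    if "%" in path and ".." in canonical:
        reasons.append("traversal hidden behind percent-encoding")
    name = canonical.rsplit("/", 1)[-1].lower()
    if name in SUSPECT_TARGETS:
        reasons.append(f"requests {name}")
    if "?/c+" in url.lower():
        reasons.append("shell command passed in query string")
    return reasons


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Parse 'date time url' lines and return (timestamp, url, reasons) for hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or not parts[2].startswith("/"):
            continue  # skips stats chatter such as "- user created"
        reasons = classify(parts[2])
        if reasons:
            hits.append((f"{parts[0]} {parts[1]}", parts[2], reasons))
    return hits


if __name__ == "__main__":
    for when, url, why in scan(SAMPLE_LOG):
        print(f"{when}  {url}\n    -> {'; '.join(why)}")
```

Run it as-is to see the eight probe lines flagged and the two ordinary page hits pass; point `scan()` at a real export to triage a day's worth of stats. Requests that never traverse (`/c/winnt/system32/cmd.exe`, `/scripts/root.exe`) are still caught by the target-name check, which is the signal that matters: on a patched box these all return 404, and the thing to verify is that no `root.exe` exists under `\inetpub\scripts` or `\msadc` and that `cmd.exe` has not been copied there.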

Al Nany
02-04-2002, 07:47 AM
I think that's an infected computer trying to infect yours. As long as you're not using NT you're fine, I think... not sure.

neal007
02-04-2002, 07:48 AM
I am using NT (Windows 2000). How do you prevent this?

I'm running Norton AntiVirus on the system.

XTStrike
02-04-2002, 07:56 AM
Looks like you may be infected with Code Red II.

Go to:

http://www.incidents.org/react/code_redII.php

to find out how to remove it, or whether you really are infected.

Patches are also available at http://www.windowsupdate.com

neal007
02-04-2002, 08:05 AM
My servers are fully up-to-date with Windows Update and the critical updates / security patches. Maybe STATS is just showing the attempts; I'm not sure it's actually getting in to run those scripts, though. Not sure! I'll check the URL you mentioned.

Thanks!

neal007
02-04-2002, 08:43 AM
I just built up these servers and assigned all the web sites and their IPs. There is one site that IIS (Win2K Advanced Server) creates called "Default Web Site", which is for All Unassigned IPs and points to those MDAC and script folders.

Question is... do I need this site (Default Web Site), or can I delete it? I stopped it, and also changed the Directory Security and unchecked "Allow Anonymous Access". I don't use this site to point to any web site; it's just the default in Win2K.

Again, all critical updates have been applied, but I'm just not confident that Code Red is going to get blocked, and if it's trying to run cmd.exe and use the MDAC folder stuff, that site was how it was getting in.

Interested in your thoughts!

Secondly, does anyone know of a good book on "Securing your Server"??? I need to learn learn learn!!!

jgriff64
02-04-2002, 09:47 AM
I have the same. It is a computer/virus trying to see if there are any holes in your system. There is nothing you can do to stop them trying, and as long as you have all the latest patches you will be fine.

neal007
02-04-2002, 10:10 AM
Originally posted by jgriff64:
I have the same. It is a computer/virus trying to see if there are any holes in your system. There is nothing you can do to stop them trying, and as long as you have all the latest patches you will be fine.

Thanks!!!! Do you delete the "Default Web Site" site in IIS? The one that points to the inetpub stuff such as scripts and MSADC?

Whew, I feel better now! :D

mobiux
02-04-2002, 12:04 PM
Use the IIS Lockdown tool at:

http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp

This will help with locking down unnecessary features in IIS.