Server attack IIS/5.0 but why does IIS show 200 return codes for HEAD /c/winnt/system3
| David Martin 2004-01-24, 2:02 am |
| Last night I experienced a server attack on IIS 5.0 - with all patches in place (thankfully).
The logs are available on http://www.skill-it.com/Dave/www.asp and are quite interesting - as well as showing attempts to infect with the CODE RED II worm they show what I think is a manual attempt to exploit the situation that the worm would have caused.
(see the entries for IP address 217.40.142.3 commencing 23/01/2004 12:28:39 (CET))
What I don't understand is why do some of the commands get a 200 response such as
200 HEAD /c/winnt/system32/cmd.exe /c+dir+c:\winnt\system32\cmd2.exe
Can someone also explain what the HEAD command does.
Thanks in advance,
David Martin
| |
| Karl Levinson [x y] mvp 2004-01-24, 2:02 am |
| Google:
http://www.google.com/search?hl=en&...q=http+head+get
http://www.webmasterworld.com/forum11/2231.htm
I assume you're not using URLScan. You really should be. It's free from www.microsoft.com/technet/security. There are also a number of free hardening checklists for Windows and IIS there that you should consider using.
"David Martin" <David.Martin@skill-it.com> wrote in message
news:eO878am4DHA.1504@TK2MSFTNGP12.phx.gbl...
> Last night I experienced a server attack on IIS 5.0 - with all patches in
> place (thankfully).
> The logs are available on http://www.skill-it.com/Dave/www.asp and are quite
> interesting
> - as well as showing attempts to infect with the CODE RED II worm they
> show
> what I think is a manual attempt to exploit the situation that the worm
> would have caused.
> (see the entries for IP address 217.40.142.3 commencing 23/01/2004 12:28:39
> (CET))
>
> What I don't understand is why do some of the commands get a 200 response
> such as
> 200 HEAD /c/winnt/system32/cmd.exe /c+dir+c:\winnt\system32\cmd2.exe
>
> Can someone also explain what the HEAD command does.
>
> Thanks in advance,
> David Martin
| |
| David Martin 2004-01-24, 2:02 am |
| Many thanks - Just installed URLScan.
David Martin.
"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:uPTdv1n4DHA.2756@TK2MSFTNGP09.phx.gbl...
> Google:
>
> http://www.google.com/search?hl=en&...q=http+head+get
> http://www.webmasterworld.com/forum11/2231.htm
>
> I assume you're not using URLScan. You really should be. It's free from
> www.microsoft.com/technet/security. There are also a number of free
> hardening checklists for Windows and IIS there that you should consider
> using.
| |
| Laura A. Robinson [MVP] 2004-01-25, 2:35 am |
| circa Sat, 24 Jan 2004 11:42:15 +0100, in
microsoft.public.inetserver.iis.security, David Martin
(David.Martin@skill-it.com) said,
> Last night I experienced a server attack on IIS 5.0 - with all patches in
> place (thankfully).
> The logs are available on http://www.skill-it.com/Dave/www.asp and are quite
> interesting
> - as well as showing attempts to infect with the CODE RED II worm they
> show
> what I think is a manual attempt to exploit the situation that the worm
> would have caused.
> (see the entries for IP address 217.40.142.3 commencing 23/01/2004 12:28:39
> (CET))
>
> What I don't understand is why do some of the commands get a 200 response
> such as
> 200 HEAD /c/winnt/system32/cmd.exe /c+dir+c:\winnt\system32\cmd2.exe
>
> Can someone also explain what the HEAD command does.
>
The HEAD command is like a GET, except that instead of asking for the
actual resource, it asks just for the headers associated with the
resource. Essentially, it's a check to see if the object exists
without downloading it.
Laura
| |
| David Martin 2004-01-25, 2:35 am |
| "Laura A. Robinson [MVP]" <geekwench@snippit.hotmail.com> wrote in message
news:MPG.1a7da76ac75a518b98a9da@msnews.microsoft.com...
> circa Sat, 24 Jan 2004 11:42:15 +0100, in
> microsoft.public.inetserver.iis.security, David Martin
> (David.Martin@skill-it.com) said,
> The HEAD command is like a GET, except that instead of asking for the
> actual resource, it asks just for the headers associated with the
> resource. Essentially, it's a check to see if the object exists
> without downloading it.
>
> Laura
Many thanks Laura,
David.
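
Added example, not part of the original thread: a log triage sketch for the situation discussed above, which separates rejected worm-style probes from ones the server answered with a 2xx status, such as the `200 HEAD` entry in the question. The sample log lines, the documentation-range IP addresses and the probe pattern (`cmd.exe`, plus the `root.exe` and `.ida` paths associated with Code Red II) are constructed assumptions, not data from the poster's logs.

```python
import re

# Constructed sample in IIS W3C extended log format (not the poster's real log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-01-23 11:28:39 192.0.2.10 GET /default.ida XXXXXXXX 404
2004-01-23 11:28:41 192.0.2.10 GET /scripts/root.exe /c+dir 404
2004-01-23 11:29:02 192.0.2.10 HEAD /c/winnt/system32/cmd.exe /c+dir+c:\\winnt\\system32\\cmd2.exe 200
2004-01-23 11:30:15 198.51.100.7 GET /index.htm - 200
"""

# Assumed probe pattern: command interpreters and the .ida handler in the URI stem.
PROBE = re.compile(r"(?:cmd|root)\.exe$|\.ida$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def triage(text):
    """Return probe requests as (c-ip, method, stem, status, verdict)."""
    findings = []
    for rec in parse_w3c(text):
        if not PROBE.search(rec["cs-uri-stem"]):
            continue
        status = int(rec["sc-status"])
        # HEAD returns headers only, so a 2xx still means the server
        # answered for that path instead of rejecting the request.
        verdict = "INVESTIGATE" if 200 <= status < 300 else "rejected"
        findings.append((rec["c-ip"], rec["cs-method"],
                         rec["cs-uri-stem"], status, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Rows marked INVESTIGATE are the ones to check against the file system and virtual directory configuration; the script only reads the fields named in the `#Fields` line, so it adapts to logs with extra columns.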