Server attack IIS/5.0 but why does IIS show 200 return codes for HEAD /c/winnt/system3

Web Server Talk > Web Servers reviews > IIS server support > IIS Server Security > Server attack IIS/5.0 but why does IIS show 200 return codes for HEAD /c/winnt/system3

Last Thread Next Thread Next

Server attack IIS/5.0 but why does IIS show 200 return codes for HEAD /c/winnt/system3

David Martin

01-24-04 07:02 AM

Last night I experienced a server attack on IIS 5.0 - with all patches in
place (thankfully).
The logs are available on http://www.skill-it.com/Dave/www.asp and are quite
interesting
- as well as showing attempts to infect with the the CODE RED II worm they
show
what I think is a manual attempt to exploit the situation that the worm
would have caused.
(see the entries for IP address 217.40.142.3 commencing 23/01/2004 12:28:39
(CET))

What I don't understand is why dosome of the commands get a 200 response
such as
200  HEAD  /c/winnt/system32/cmd.exe     /c+dir+c:\winnt\system32\cmd2.exe

Can someone also explain what the HEAD command does.

Thanks in advance,
David Marin

[ Post a follow-up to this message ]

Re: Server attack IIS/5.0 but why does IIS show 200 return codes for HEAD /c/winnt/sys

Karl Levinson [x y] mvp

01-24-04 07:02 AM

Google:

http://www.google.com/search?hl=en&...q=http+head+get
http://www.webmasterworld.com/forum11/2231.htm

I assume you're not using URLScan.  You really should be.  It's free from
www.microsoft.com/technet/security  There are also a number of free
hardening checklists for Windows and IIS there that you should consider
using.


"David Martin" <David.Martin@skill-it.com> wrote in message
news:eO878am4DHA.1504@TK2MSFTNGP12.phx.gbl...quote:

> Last night I experienced a server attack on IIS 5.0 - with all patches in
> place (thankfully).
> The logs are available on http://www.skill-it.com/Dave/www.asp and are
quitequote:

> interesting
> - as well as showing attempts to infect with the the CODE RED II worm they
> show
> what I think is a manual attempt to exploit the situation that the worm
> would have caused.
> (see the entries for IP address 217.40.142.3 commencing 23/01/2004
12:28:39quote:

> (CET))
>
> What I don't understand is why dosome of the commands get a 200 response
> such as
> 200  HEAD  /c/winnt/system32/cmd.exe     /c+dir+c:\winnt\system32\cmd2.exe
>
> Can someone also explain what the HEAD command does.
>
> Thanks in advance,
> David Marin
>
>

[ Post a follow-up to this message ]

Re: Server attack IIS/5.0 but why does IIS show 200 return codes for HEAD /c/winnt/sys

David Martin

01-24-04 07:02 AM

Many thanks - Just installed URLScan.

David Martin.


"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:uPTdv1n4DHA.2756@TK2MSFTNGP09.phx.gbl...quote:

> Google:
>
> http://www.google.com/search?hl=en&...q=http+head+get
> http://www.webmasterworld.com/forum11/2231.htm
>
> I assume you're not using URLScan.  You really should be.  It's free from
> www.microsoft.com/technet/security  There are also a number of free
> hardening checklists for Windows and IIS there that you should consider
> using.
>
>
> "David Martin" <David.Martin@skill-it.com> wrote in message
> news:eO878am4DHA.1504@TK2MSFTNGP12.phx.gbl... 
in[QUOTE] 
> quite 
they[QUOTE] 
> 12:28:39 
/c+dir+c:\winnt\system32\cmd2.exe[QUOTE] 
>
>

[ Post a follow-up to this message ]

Re: Server attack IIS/5.0 but why does IIS show 200 return codes for HEAD /c/winnt/sys

Laura A. Robinson [MVP]

01-25-04 07:35 AM

circa Sat, 24 Jan 2004 11:42:15 +0100, in
microsoft.public.inetserver.iis.security, David Martin
(David.Martin@skill-it.com) said,quote:

> Last night I experienced a server attack on IIS 5.0 - with all patches in
> place (thankfully).
> The logs are available on http://www.skill-it.com/Dave/www.asp and are qui
te
> interesting
> - as well as showing attempts to infect with the the CODE RED II worm they
> show
> what I think is a manual attempt to exploit the situation that the worm
> would have caused.
> (see the entries for IP address 217.40.142.3 commencing 23/01/2004 12:28:3
9
> (CET))
>
> What I don't understand is why dosome of the commands get a 200 response
> such as
> 200  HEAD  /c/winnt/system32/cmd.exe     /c+dir+c:\winnt\system32\cmd2.exe
>
> Can someone also explain what the HEAD command does.
>
The HEAD command is like a GET, except that instead of asking for the
actual resource, it asks just for the headers associated with the
resource. Essentially, it's a check to see if the object exists
without downloading it.

Laura

[ Post a follow-up to this message ]

Re: Server attack IIS/5.0 but why does IIS show 200 return codes for HEAD /c/winnt/sys

David Martin

01-25-04 07:35 AM

news:MPG.1a7da76ac75a518b98a9da@msnews.microsoft.com...quote:

> circa Sat, 24 Jan 2004 11:42:15 +0100, in
> microsoft.public.inetserver.iis.security, David Martin
> (David.Martin@skill-it.com) said, 
in[QUOTE] 
quite[QUOTE] 
they[QUOTE] 
12:28:39[QUOTE] 
/c+dir+c:\winnt\system32\cmd2.exe[QUOTE] 
> The HEAD command is like a GET, except that instead of asking for the
> actual resource, it asks just for the headers associated with the
> resource. Essentially, it's a check to see if the object exists
> without downloading it.
>
> Laura
"Laura A. Robinson [MVP]" <geekwench@snippit.hotmail.com> wrote in message


Many thanks Laura,

David.

[ Post a follow-up to this message ]